LAS VEGAS -- In what seems like an entry for the book of Guinness World Records, Roger Wilding and his IT colleagues at CNF Inc., a $4.8 billion freight transport firm, have installed 37,000 Windows patches on company desktops since August.
Wilding, senior technical engineer for desktop infrastructure, dropped this staggering statistic while speaking as part of a customer panel this week at the Microsoft Management Summit. He talked later with SearchWindowsManageability.com about CNF's stringent patch management procedures. That's when Wilding corrected himself and said that, as of Monday morning, the CNF IT department actually had implemented 37,142 patches.
With that kind of patch total, it might seem that Palo Alto, Calif.-based CNF waves every patch through with little care but, in fact, the opposite is true. After Microsoft issues a patch bulletin, Wilding's desktop group decides whether it's necessary. They don't bother with every patch. For instance, CNF passed on a Windows patch for a fax feature, something the company doesn't use.
If a patch is relevant, an engineer in the desktop group tests the software on a workstation using VMware Inc.'s virtual machine software. This might take an hour or two. If the patch doesn't break the workstation, an engineer installs it on each of the IT department's 30 PCs where, during their day-to-day work, engineers in the server and desktop groups watch for problems. Engineers leave the patch alone for several days, sometimes a few weeks. If no issues arise, then the desktop team uses Systems Management Server 2.0 in conjunction with Software Update Services Feature Pack to send the patch to all the company's PCs, Wilding said.
CNF's process of qualifying Microsoft's patches requires constant attention, but it's work time well spent. Wilding's desktop group -- three people, including himself -- is charged with supporting 1,200 PCs running various Windows operating systems, including Windows NT 4, Windows 95 and Windows XP. More stable operating systems mean fewer help desk calls from users, Wilding said.
He didn't claim perfection. "We've had issues, but we haven't broken a machine," he said.
CNF's desktop group wasn't always so up-to-date and proficient. Up until July 2002, Wilding's group installed patches on a quarterly basis or whenever an engineer happened to be working on a machine. CNF has installed 37,000-plus patches in less than a year because the company had to catch up. The IT department had to sift through a few years' worth of patches.
Because patching Windows is a never-ending job, organizations must have procedures in place to deploy patches effectively, Wilding said. CNF got religion last summer and started using the Microsoft Operations Framework, which provides technical and procedural guidance for a range of Windows management issues, including patch management. Wilding constantly tweaks and improves the suggested procedures to better suit CNF.
"If you don't have the process to accept the patch, you're at risk of accepting a patch that could impact your environment," Wilding said. "That control needs to be there."