Just like a lot of us, Microsoft has an internal team of IT Pros that are tasked with keeping endpoints monitored, managed, and secure. I've known several people on this internal team over the years, and I've always considered them to be extremely smart techies. Many of these have gone on to manage their own consulting companies, or work for some top-notch consulting businesses. The team is called the Microsoft Information Technology Group (MSIT).
As you can guess, though, MSIT utilizes Microsoft's own endpoint management technologies to serve the environment. MSIT is usually the first group to start deploying software that is untested and not meant yet for public consumption. There's definitely some risks that go along with that, but it also keeps them on the cutting edge and gives the Microsoft product groups a better perspective of what customers might experience when they are able to roll out the finished products.
Way back, when Microsoft first initiated their program to improve product security, I was on the team that wrote the original MSFT whitepaper on patching, developing a solid process along the way. At the time, patch management was an evolving concept and there wasn't any real industry guidance for best practices available. Patches were applied usually only after an outbreak had occurred. Over time organizations caught on to developing their own patching processes and its now commonplace.
But still, even today, many organizations have different patching guidelines for PCs than servers. And, it makes a lot of sense, considering servers in the datacenter need to be highly available. In critical situations a PC can be rebooted despite complaints from the end-user, but a server delivering essential business applications can't.
In a recently released document, Microsoft outlines the differences between their server patching processes in 2010 and now. In 2010 Microsoft worked through a 30-day patching cycle for servers, which basically meant that as soon as all servers had been fully patched, it was time to start all over again due to the next Patch Tuesday arriving. In 2010, patching compliance was around 70%, but through the use of System Center Configuration Manager and System Center Orchestrator, Microsoft has been able to ensure a 96% rate. The patching cycle is now down to 19 days. MSIT currently manages close to 34,000 servers.
You can read through their changes here: Security Patch Management Evolution for Data-Center Servers at Microsoft
Of course, what Microsoft does, doesn't always equate equally with diverse customer environments. Many organizations will not be able to take Microsoft's own processes and deploy in the exact same manner, but, the document can be used to get ideas for improving the current processes.
