TL;DR: Most IT problems that cause business disruption are preventable with consistent maintenance. This calendar gives you a month-by-month schedule of the recurring tasks that keep your IT environment healthy - from monthly backup testing and patch review to annual licence audits and hardware lifecycle planning.
Why Scheduled Maintenance Matters
IT environments degrade without maintenance. Patches that are not applied become vulnerabilities. Licences that are not reviewed accumulate and cost money. Hardware that is not replaced on schedule fails at the worst possible time. Backups that are not tested provide false confidence.
None of this is controversial. Everyone agrees that IT maintenance is important. The reason it does not happen consistently is the same reason house maintenance does not happen consistently: it requires scheduling, and “we’ll get around to it” means it does not happen.
This calendar gives you the schedule. Your IT provider does the work.
Monthly Tasks (Every Month)
These tasks happen every month without exception. They are the heartbeat of a healthy IT environment.
Security and Patching
Patch review and deployment:
- Review Microsoft 365 Admin centre for any outstanding critical updates
- Review Microsoft Defender portal for any high-severity alerts requiring investigation
- Confirm that Windows Update is running successfully on all managed devices (check via Intune)
- Confirm that server patching has occurred as scheduled
- Check for any vendor-critical security patches announced that month (via ACSC alerts)
Action if patches are behind: Prioritise critical (CVSS 9.0+) patches within 48 hours. High priority patches within 14 days.
Backup Verification
- Check that all backup jobs completed successfully (no failed jobs)
- Review the most recent backup logs for any warnings
- Restore test: Once per month, restore at least one file or folder from backup to verify it works
- Check that backup copies are current in off-site or cloud storage location
- Review Microsoft 365 backup status (email, SharePoint, OneDrive)
Action if a backup job is failing: Treat this as a priority issue - a failing backup is a time-critical risk.
Accounts Review
- Review new user accounts created in the month - are they correctly configured?
- Review departed users - are their accounts disabled and licences recovered?
- Review guest accounts in Microsoft Teams and Entra ID - any that should be removed?
- Check for any accounts showing anomalous sign-in activity in Entra ID sign-in logs
Helpdesk Review
- Review helpdesk ticket volumes and trends
- Identify any recurring issues that indicate a systemic problem
- Escalate any unresolved issues older than 30 days
- Review user satisfaction with IT support
Quarterly Tasks (Every 3 Months)
These tasks happen four times a year. They provide a deeper review that monthly checks cannot.
Quarter 1 (January–March)
Quarterly Business Review (QBR):
- IT provider and management review technology roadmap progress
- Review security posture changes since last QBR
- Review upcoming hardware lifecycle events
- Review software contracts with upcoming renewals
- Review new technology available that might benefit the business
Post-holiday security review:
- Review sign-in logs for any suspicious activity over the holiday period
- Check that all staff have returned devices
- Confirm all scheduled patch deployments ran during the holiday period
Quarter 2 (April–June)
End of financial year IT audit:
- Complete software licence audit - are you over or under licenced?
- Review all IT-related subscriptions and contracts
- Ensure IT asset register is current
- Document any changes to IT infrastructure in the past year
Security posture review:
- Run Microsoft Secure Score review and document improvement actions
- Review Conditional Access Policies - any users or applications that need updating?
- Review privileged access - is everyone who has admin rights still supposed to have them?
Quarter 3 (July–September)
Hardware lifecycle review:
- Identify any devices turning 4 years old in the next 12 months (plan replacement)
- Review server hardware health reports
- Check UPS batteries - replace if approaching 3 years old
- Review network equipment firmware versions
Staff security training:
- Run quarterly phishing simulation via Microsoft Attack Simulator
- Review click rate results and identify staff requiring additional training
- Schedule security awareness briefing if click rate is above target
Quarter 4 (October–December)
End of year preparation:
- Confirm extra backup coverage for holiday period (backup monitoring coverage when IT staff are on leave)
- Confirm IT support coverage over Christmas/New Year period
- Run full backup test and document results before holiday shutdown
- Brief staff on security awareness during the holiday period (increased phishing activity)
Annual planning:
- Finalise technology roadmap for coming year
- Confirm IT budget for new financial year
- Review all vendor contracts expiring in the coming year
- Identify hardware refresh requirements for the coming year
Annual Tasks (Once Per Year)
These are annual reviews and activities that provide strategic oversight.
IT Asset Register Review (Annually, recommend July)
- Audit all IT assets against the register: workstations, laptops, servers, phones, network equipment
- Update asset status (in service, spare, decommissioned)
- Update assigned user for each device
- Record any new devices procured during the year
- Identify any assets that cannot be located (risk flag)
Software Licence Audit (Annually, recommend June)
- Export list of all software installed on company devices
- Compare against licenced software list
- Identify: over-licenced (paying for more than needed), under-licenced (licences short of actual installs), unlicenced (software with no licence)
- Address compliance gaps before EOFY
- Cancel unused licences
IT Policy Review (Annually, recommend July)
- Review all IT policies against current technology environment and regulatory requirements
- Update Acceptable Use Policy, Password Policy, Remote Work Policy, and BYOD Policy
- Issue updated policies to all staff with read-and-sign acknowledgement
- Archive previous versions
- See Top 10 IT Policies Template for all policies to review
Penetration Testing / Vulnerability Assessment (Annually, recommend Q2)
For businesses with higher security requirements (regulated industries, cyber insurance requirements):
- External vulnerability scan of internet-facing systems
- Internal vulnerability assessment
- Phishing simulation campaign
- Review findings and implement remediation
- Document results for cyber insurance renewal
Disaster Recovery Test (Annually, recommend Q1)
- Full tabletop exercise: walk through the incident response plan for a ransomware scenario
- Test recovery from backup: simulate full server failure and document recovery time
- Update incident response plan based on findings
- Update IT provider emergency contact details
- Confirm cyber insurance contacts and coverage details
Vendor Review (Annually, recommend June)
- Review performance of all IT vendors against agreed service levels
- Confirm contract terms, renewal dates, and pricing for next year
- Assess whether current vendors remain the best option
- Confirm managed IT provider is meeting its SLA commitments
- See 20 Questions to Ask Your IT Provider for evaluation criteria
Seasonal IT Considerations
Pre-Summer / Holiday Period (November–December)
- Extra server and network monitoring while staff numbers are lower
- Confirm backup coverage for holiday shutdown
- Brief staff on holiday period phishing awareness (scammers increase activity)
- Ensure after-hours IT support contacts are distributed to key staff
Tax Season / EOFY (May–July)
For accounting firms, legal practices, and businesses with heavy EOFY workloads:
- Confirm all systems are patched before peak period begins
- Test performance of accounting software and file servers under load
- Schedule any maintenance during low-activity periods, not during peak
- Confirm backup capacity for increased data volumes
Back to School / New Year (January–February)
For businesses hiring at the start of the year:
- Process IT onboarding requests promptly
- Confirm hardware stock is available for new staff
- Review and update onboarding process based on previous year experience
Maintenance Calendar Template
Print this template and post it in your server room or share it with your IT provider as the annual schedule:
| Month | Monthly Tasks | Special Tasks |
|---|---|---|
| January | Patches, Backup, Accounts | QBR; Post-holiday review |
| February | Patches, Backup, Accounts | - |
| March | Patches, Backup, Accounts | - |
| April | Patches, Backup, Accounts | QBR; DR Test |
| May | Patches, Backup, Accounts | Pen test / vulnerability scan |
| June | Patches, Backup, Accounts | Software licence audit; Vendor review |
| July | Patches, Backup, Accounts | QBR; Asset register; Policy review |
| August | Patches, Backup, Accounts | Security training |
| September | Patches, Backup, Accounts | Hardware lifecycle review |
| October | Patches, Backup, Accounts | QBR; Holiday prep begins |
| November | Patches, Backup, Accounts | Holiday period preparation |
| December | Patches, Backup, Accounts | End-of-year backup test |
For a complete technology roadmap framework, see Technology Roadmap Canvas and the Technology Roadmap page.
If you would like to discuss how CX IT Services manages these maintenance tasks as part of a managed IT service, book a Right Fit Call.
For related resources:
