Applying patches to the Windows operating system and applications is very important. Patches are issued for a number of reasons, and not all patches are equally important. Many patches address security shortcomings (“holes”) in the software and need to be applied as soon as possible. This should be the primary defence against malware attacks. Some other patches address less critical issues such as fixing non-security bugs, adding or improving functionality or providing support for new hardware devices. Windows Update will install patches released by Microsoft, but it tends to take a one size fits all approach that is difficult to control and can sometimes cause problems. Our Managed IT Services approach takes a somewhat different approach. The first thing that happens is that we turn Windows Update off! Instead we control patching using patching policies that are implemented by our Managed IT Services agent that runs on every managed device.
Patching Using Policies
We create and implement automated patching policies as part of a Manged IT Services plan. These policies are customised to make sure that appropriate patches are applied to the computer system at the least disruptive time. The policies control many aspects of the patching process. Some of the major ones are listed below.
Servers require a different patching approach to desktop computers. Some smaller businesses use desktop computers as file servers. These also need a different patching regime to a general use business desktop. The patching policies we use target computers that are performing similar roles. Most business will need at least two patching policies, one for servers and one for desktop computers. Some businesses will need a more granular design to take account of their specific requirement. An example might be a hotel that has operates 24×7, limiting the hours available for patching.
Most patching cycles will require the computer to reboot once patches have been applied. Patching policies included a sophisticated scheduler to help us time the patching so that computers do not reboot at inconvenient times.
Patch policies can be configured to automatically approve patches for installation. Non-approved patches are then approved at a later date if required.
Our standard patching policy configuration automatically approve patches in the following categories.
3. Critical Updates
4. Definition Updates
5. Security Updates
6. Update Rollups
Our standard configuration policies do not automatically approve patches in the following categories
2. Feature Packs
3. Service Packs
Non approved patches can be manually approved for installation at a convenient time. For example, one feature pack for Windows 10 can take up to a couple of hours to install. This would be a significant productivity loss if every desktop computer in the business attempted to install this patch at the same time. This is a good example of issues that can be introduced by the limited control available within Windows Update.
Different device groups require different reboot behaviours. For example, a server needs to automatically reboot at the end of its patching cycle as there is generally nobody logged in to the computer to manually perform the reboot. A desktop computer patched during the night also needs to be automatically rebooted. A desktop computer patched during the day should not automatically reboot but tell the logged in user that a reboot is required. This gives the user a chance to save their work and reboot when convenient.
Local Caching of Patches
Some patches will be common to many computers within a business. Our patching system can cache those patches in a storage area within the local area network to avoid downloading the same patch multiple times from the internet.
All the above shows how much more control is available with a Managed IT Services approach to patching. I’ve left the most important difference until last. Windows Update is normally left under the control of the user of the computer. Some users who have experienced a problem due to a patch installation will turn off Windows Update completely. This will result in the computer becoming a possible entry point for malware within a short period of time.