Best practices for Patch Management

Run the Windows Update Toolkit component

Running the component against a device will place data into a user-defined field (UDF), if configured, which can then be filtered against to catch devices with specific configurations. Refer to User-defined fields and Device filters.

To run Windows Update Toolkit on a device or devices, complete the following steps:

1. From the ComStore, download the Windows Update Toolkit component. Refer to Component Library.
2. Select a device to run the component against. Depending on your use case, you may select multiple, an entire site, or the output of a filter. Refer to Device filters.
3. Instruct the devices to run a quick job or scheduled job with the Windows Update Toolkit component as its payload. Refer to Scheduled jobs and Quick jobs.
   • This component writes a summarized output to a UDF so it can be used to filter against.
     Ensure you select a UDF from 1-30 to write this data to and remember which one you selected.
   • You shouldn’t need to enable any of the other options (Clear WSUS, Reset WUA, and so forth) yet.
4. Leave some time for the job to complete.
5. Once your devices have run the component, you will be able to filter on the summary UDF.

Identify devices requiring attention

The aim of this exercise is to round up devices with specific configurations that will require closer attention. To do this, you will need to know how the toolkit responds to what it finds.

Review the following table to learn how to craft your filters to catch the devices warranting closer inspection.

NOTE  Only some of these flags indicate an issue with the device. Most are provided as a point of reference.

Once you have produced a filter looking for devices outside of your accepted margins (for example, WSUS or Bad WUA or Patch Policy present), run the filter to find the devices that match its criteria.

If you find no devices, or if the devices found are known to you, you can proceed knowing that Datto RMM Patch Management should be adequate to use for your devices.

Disable automatic updates

Patch Management operates as a lift-in replacement to Windows’s own handling of updates. To prevent Windows from updating itself out of schedule and confusing matters, we suggest disabling automatic updates by selecting Turn off automatic updates from the Update Options drop-down menu.

Disabling automatic updates does not stop Windows from updating itself like it did for Windows XP-8.1 but rather introduces a long delay before the system updates by force. By introducing updates via a separate stream during this delay, Datto RMM keeps the system up to date and mitigates the need for the OS to update itself out of schedule.

Configure active hours

Active hours denote the hours of the day when you expect the device to be in use and it should not be forcibly rebooted, even when an important update requires a reboot to be applied. It is recommended to select Configure active hours check box and set them to the working hours of your operation.

When configuring a Patch Management policy (later in this guide), you will be able to configure reboot reminders that appear as part of the Datto RMM Agent and are displayed to active users. This way, you can operate a dual-prong strategy where users in front of the device will receive Datto RMM’s interactive reboot reminders, and users who are not (because the device is on outside of working hours) will be rebooted automatically as part of Windows Update.

Configure update channels and deferrals

To configure update deferral, the device must have Windows Update for Business enabled. To do this, select the Configure update channel check box (or Use Windows Update for Business) option.

NOTE  Semi-Annual Channel (Targeted) and Semi-Annual Channel serve the same purpose. The parent option may read Configure update channel or Use Windows Update for Business.

Defer feature updates: Feature updates (which update Windows to a year scheme, for example 22H2) can be deferred to the user’s preference, especially if Windows Update components are preferred for this task.

Defer quality updates: Datto recommends setting a deferral period of between one and two weeks for quality updates. This option causes updates that have been available for less than the stated time to not appear in patch scans, which allows the community at large to test them before they filter down to mission-critical systems.

Other options

• Receive updates for other Microsoft products when Windows is updated should be enabled to ensure all updates are delivered.
• Configure Windows Server Update Services (WSUS) settings should be configured only if you need your devices to use a WSUS server.

NOTE  Leaving this blank will not remove an existing WSUS configuration. You will need to use the Windows Update Toolkit component to do that.

• Allow devices to share updates within(/outside) the local network can be configured to save some internal bandwidth and allow devices to share update data between each other.
• Disable Windows Fast Startup to allow update installation on shutdown as well as reboot should be enabled, as it permits devices to install updates when shutting down.

IMPORTANT  Save your policy and then create a new one for the next step of this guide. Switching policy types from the Type drop-down menu will overwrite any configured settings.

A Patch Management policy can be configured as Scheduled or Audit only. The latter type will only perform patch scans to provide a summary of a device’s patching status.

Scheduling a policy allows it to not only perform patch scans but to download and install those updates on a schedule predefined by the administrator.

Datto recommends using separate policies for workstations and servers with the same approval criteria but different scheduling options:

• For servers, it is recommended to run the policy at a time when the device can be taken offline and to configure the policy to reboot the device immediately after it is finished to minimize downtime. Ideally, this cadence would be weekly; it should not be any longer than monthly.
• For workstations, our team often recommends partners schedule patch runs daily at noon, as this roughly corresponds to lunchtime. Employees will leave their computers for a break, during which time the device can download and process updates. Later that day (provided the device has been left on after working hours), the policy or active hours can gracefully reboot the device to apply them.

The daily cadence allows devices to receive updates very quickly after their release (or their cleared release if you are using deferrals); it is also easier to formalize a schedule around.

Of course, you will need to arrive at a schedule which best accommodates both your and your customers' schedules. These recommended times are proposed as a best-fit only.

A common use case is to install typical updates on a schedule but to formalize separate approval behaviors for Critical and Security updates. Historically, this was a sensible solution, but its effectiveness is severely reduced in the Windows-as-a-Service era.

Microsoft is generally unreliable at properly tagging updates with a valid criticality metric, rendering any policy leaning on this as a deciding factor fragile. As updates are no longer divided separately but rather delivered cumulatively, it is no longer possible to segregate updates by criticality and install them earlier unless they are released out of band, in which case they may not appear as part of a patch scan at all.

An additional optional step is included in the following template for users who wish to allow properly tagged updates to leapfrog the time-release process.

NOTE  There is no guarantee that an update will be properly tagged in order to trigger this additional criterion.

To install a critical or out-of-band update outside of a policy, Datto recommends using the Download and Apply Windows Update File components from the ComStore. By running the relevant component with a download link for the desired update sourced from the Windows Update Catalog, updates can be pushed proactively to devices en masse without using or adjusting a Patch Management policy.

This can be used for out-of-band updates that do not show in patch scans or would normally be blocked because they have not been available long enough.

Automatic approval is the first approval phase of a Patch Management policy. We recommend using the later Manual approval section to block individual updates. Refer to Manual update approval.

Datto recommends automatically approving the bulk of updates a system indicates it requires, provided that many updates are cumulative, and only filtering out drivers and previews.

Installation of drivers via Windows Update is generally not recommended. Tools such as Dell Command | Update and HP Support Assistant will generally do a much better job of keeping drivers updated.

NOTE  Microsoft Surface devices are treated separately, as they receive all their drivers from the same source creating them, making them generally more accurate. Refer to Device filters to learn how to set up a filter to catch Microsoft Surface devices.

Preview updates should be avoided, as they amount to beta software.

Non-Microsoft Surface devices

Approve patches that match the following criteria:

Release date / older than 7 days (or older than 14 days, depending on how you configured your Windows Update policy)

(Optional) [OR] Category / contains / Security Update OR Critical Update

Do not approve patches that match the following criteria:

Type / equal to / Driver

[OR] Category / contains / Drivers

[OR] Title / contains / Preview

[OR] Description / contains / Preview

Microsoft Surface devices

Approve patches that match the following criteria:

Release date / older than 7 days (or older than 14 days, depending on how you configured your Windows Update policy)

(Optional) [OR] Category / contains / Security Update OR Critical Update

Do not approve patches that match the following criteria:

Title / contains / Preview

[OR] Description / contains / Preview

NOTE  As noted, there is no guarantee that an update deserving of Critical status will receive it.

The best practice when configuring automatic approval is to assume no update will be tagged for severity and to treat all updates the same.

The above optional condition will permit properly tagged updates to leapfrog the minimum-age limit for updates, provided it has been given the correct metadata.

Localization of update titles

Windows update titles are often, but not consistently, localized against the device’s OS language. To aid users who may receive updates with titles in languages besides English, the following table will help you craft more accurate policy configurations. When using these phrases, we recommend including them in addition to their English-language analogues (as opposed to in place of them), as Microsoft does not reliably localize the titles of every update released and because certain terms (like Driver) are recognized internationally.

The Manual approval section lists all updates that have been discovered from patch scans and gives users the opportunity to manually cherry-pick updates and handle them outside of how the automatic filters defined in the preceding section would have. The list is neither dynamic nor filtered.

This section should be used to ensure patches that would otherwise pass through the automatic filter do not get through to your devices. It is populated by the patch scans performed by devices with active Patch Management policies; it does not accept textual input. In the instance where a bad update is released, wait for devices to register it in their patch scans and then use this section to move it to Do not approve to ensure it is not pushed through.

Datto recommends keeping abreast of updates from sites like BleepingComputer or AskWoody to find out about issues with recent Windows Updates, the news from which can be translated as required to this section to work alongside patch deferral.

Datto does not recommend attempting to remove Windows Updates once they have been installed. In most cases, this option is not supported and can cause system instability.

Generally speaking, using Patch Management properly can ensure no update that has not been properly vetted gets installed on a system.

More information: Best practices for uninstallation of Windows updates

Installing via Patch Management

Feature updates have historically used a different schema and therefore require special treatment, which Datto RMM is only partially able to provide.

If the update comes as an enablement package, it is generally suitable for installation via Datto RMM. These typically small-sized packages simply enable functionality which had been drip-fed in as part of prior quality updates but not yet enabled. The last few updates to Windows 10, before it was discontinued, came in the enablement package form.

Larger non-enablement package updates are generally not recommended for installation via Datto RMM. Instead, we recommend installation via a ComStore component. In addition to providing more visibility over the update process than via a policy, this allows users to schedule the exact time at which they want their devices to process a large, system-changing update.

Installing via a component

Refer to Windows 11 and feature updates.

NOTE  Windows 10 is no longer receiving feature updates.

Configuring a targeted release version

Using the Configure Windows Targeted Release Version ComStore component, administrators can configure a targeted release version on Windows devices. This ensures a device will never update beyond a specific release version (for example, Windows 10 23H2) until the blocker, a series of registry values, is subsequently removed.

The component can be used to set or revert a release target. The Windows Update Toolkit component will note in a UDF if a targeted release version is set.