Best practices for Patch Management
Overview of Microsoft Patching
Since October 2016, Microsoft has changed the way patches are released. They have moved to a rollup model for Windows 7 SP1, Windows 8.1, Windows Server 2008 R2, Windows Server 2012, and Windows Server 2012 R2 updates. A rollup is simply multiple patches combined into a single update. Each monthly rollup supersedes the previous month's rollup. The goal is for these monthly rollups to become fully cumulative, which will happen as Microsoft adds previously released patches, so that users need only to install the latest single rollup.
There are three core rollups released monthly:
- Security-only Quality Update. Includes all new security fixes for the month and will only be published to Windows Server Update Services (WSUS) and the Windows Update Catalog. It is released on Patch Tuesday, which is the second Tuesday of every month.
- Security Monthly Quality Update (also known as the Monthly Rollup). Contains all new security fixes for the month (that is, the same ones in the Security-only Quality Update) plus all security and non-security fixes from all previous Monthly Rollups. This update gets published to Windows Update as well as WSUS and the Windows Update Catalog. It is released on Patch Tuesday.
- Preview of Monthly Quality Update (also known as the Preview Rollup). Contains a preview of any new, non-security fixes that will be included in the next Monthly Rollup plus all security and non-security fixes from all previous Monthly Rollups. It is released on the third Tuesday of every month.
NOTE The Security-only Quality Update does not contain fixes from previous months, and it is not available to administrators who do not use WSUS.
| Update | Classification | Contents | Includes IE | Not applicable when | Release |
| --- | --- | --- | --- | --- | --- |
| Security Monthly Quality Update (aka the Monthly Rollup) | Security Updates | New security fixes plus non-security fixes from the latest Preview Rollup plus all previous Monthly Rollups | Yes | A later Monthly Rollup is installed | Patch Tuesday (2nd Tuesday) |
| Security Only Quality Update (aka the Security Only update) | Security Updates | New security fixes (not including IE fixes) | No | A Monthly Rollup (current or later month) is installed | Patch Tuesday (2nd Tuesday) |
| Preview of Monthly Quality Update (aka the Preview Rollup) | Updates | New non-security fixes plus all previous Monthly Rollups | Yes | A later Monthly Rollup or Preview Rollup is installed | 3rd Tuesday |
| Cumulative Security Update for Internet Explorer | Security Updates | Fixes for IE11 (IE10 on Windows Server 2012) | Yes | A Monthly Rollup (current or later month) or IE Update (later month) is installed | Patch Tuesday (2nd Tuesday) |
As of December 2016, a Security-only Quality Update is not offered on a PC where a Monthly or Preview Rollup from the same month or later is already installed. For example, if a PC attempts to install the February 2017 Security-only Update and the February 2017 or later Monthly or Preview Rollup is already installed, the Windows Update client will report the Security-only Update as not applicable.
NOTE This affects WSUS users only, as Security-only Updates are not offered on Windows Update.
As of February 2017, the Security-only Update does not include updates for Internet Explorer (IE); the IE update is available as a separate update. Again, this affects WSUS users only, as Security-only Updates are not offered on Windows Update. The Monthly Rollup includes updates for IE as a single additive update that provides all security and reliability fixes since the beginning of the new servicing model in October 2016, so users of the Monthly Rollup do not need to install the separate IE update. To simplify installation for Monthly Rollup users, the new IE update uses the same installation applicability definition as the Security-only Update, meaning that it will not install on a PC that has already installed the Monthly or Preview Rollup from the same or later month. Months with no new Windows security or reliability fixes will not have a Security-only or Monthly Rollup release; for example, there was no January 2017 release for Windows 8.1, Windows Server 2012, or Windows Server 2012 R2.
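The applicability rules from the table and the paragraphs above, encoded as an added example (not from the original page) so that a WSUS "not applicable" result can be reasoned about offline. The update kind labels, the yyyy-MM month format and the constructed installed list are this example's own assumptions.

```powershell
# Added example, not from the original page: models the "Not applicable when" column
# of the rollup table, plus the Preview Rollup behaviour described for Security-only
# and IE updates, so a WSUS "not applicable" result can be reasoned about offline.
# Kind labels and the yyyy-MM month format are this example's own conventions.
function Test-UpdateApplicable {
    param(
        [Parameter(Mandatory)][ValidateSet('MonthlyRollup','SecurityOnly','PreviewRollup','IECumulative')]
        [string]$Kind,
        [Parameter(Mandatory)][ValidatePattern('^\d{4}-\d{2}$')]
        [string]$Month,                      # yyyy-MM sorts correctly as a plain string
        [object[]]$Installed = @()           # objects with Kind and Month properties
    )
    # Rollups are cumulative: a rollup of month X covers everything released up to X.
    $laterMonthly = $Installed | Where-Object { $_.Kind -eq 'MonthlyRollup' -and $_.Month -gt $Month }
    $laterPreview = $Installed | Where-Object { $_.Kind -eq 'PreviewRollup' -and $_.Month -gt $Month }
    $laterIE      = $Installed | Where-Object { $_.Kind -eq 'IECumulative'  -and $_.Month -gt $Month }
    $sameOrLaterRollup = $Installed | Where-Object {
        ($_.Kind -eq 'MonthlyRollup' -or $_.Kind -eq 'PreviewRollup') -and $_.Month -ge $Month }

    switch ($Kind) {
        'MonthlyRollup' { return (-not $laterMonthly) }
        'PreviewRollup' { return (-not ($laterMonthly -or $laterPreview)) }
        # Security-only and the separate IE update share one applicability definition:
        # blocked by a Monthly or Preview Rollup from the same month or later.
        'SecurityOnly'  { return (-not $sameOrLaterRollup) }
        'IECumulative'  { return (-not ($sameOrLaterRollup -or $laterIE)) }
    }
}

# Constructed scenario: a PC that already has the February 2017 Monthly Rollup installed.
$installed = @([pscustomobject]@{ Kind = 'MonthlyRollup'; Month = '2017-02' })
$candidates = @(
    @{ Kind = 'SecurityOnly';  Month = '2017-02' },   # same month as the installed rollup
    @{ Kind = 'SecurityOnly';  Month = '2017-03' },   # the following month
    @{ Kind = 'MonthlyRollup'; Month = '2017-01' },   # an older rollup
    @{ Kind = 'IECumulative';  Month = '2017-02' },   # IE update for the same month
    @{ Kind = 'PreviewRollup'; Month = '2017-02' }    # preview of the next month's fixes
)
foreach ($c in $candidates) {
    [pscustomobject]@{
        Kind       = $c.Kind
        Month      = $c.Month
        Applicable = Test-UpdateApplicable @c -Installed $installed
    }
}
```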
NOTE For those who use WSUS, we recommend a session with an Implementation Engineer to discuss your patching strategy.
Microsoft updates with individual KB numbers no longer exist and, therefore, cannot be approved or installed individually. The Monthly Rollup replaces them all. It includes all security and non-security fixes from the month and all previous months since October 2016. In addition, since February 2017, these rollups also include patches prior to October 2016. This simplifies the job of Windows Patch Management; however, it means that you cannot selectively withhold or deny patches, so it is recommended that you start simple and build out from there, that is, install the updates on a few devices to check for compatibility and then roll the updates out to the rest of your devices.
The following are some guidelines to consider when creating your Patch Management policy rules. Each customer is different, and some of these recommendations may not apply to your specific scenario.
- Decide on a schedule and reboot strategy that suits your customer's requirements.
- Identify servers that cannot be automatically rebooted and log a reboot ticket for a manual restart (this can be monitored using the Reboot Required Monitor component).
- Approve only patches whose title contains the keywords that identify the patches you require, such as Rollup or Security, and deny any patches whose title includes the word Preview.
- Remove all your individual approval rules based on severity, classification, KB number, and so forth as they are no longer applicable.
- Identify KBs that should not be installed for particular customers (for example, where they may cause issues with third-party software).
- Keep any Do Not Approve rules you may have in place, as individual patches released prior to October 2016 are still available, although they will be removed over time.
- Do not approve anything else until you have rolled out the latest Monthly Rollup. Remember that subsequent Monthly Rollups are cumulative and supersede the previous one, so there will only ever be the latest Monthly Rollup available.
- Create one policy for desktops and one for servers at the account level and, if needed, implement overrides at the site level.
- Keep it simple by targeting Operating Systems for policies. If further granularity is needed, enter the word Patch in one of the device User Defined Fields (UDFs) and target a policy by filtering on this word. You may need separate Legacy Desktop and Legacy Server policies if you still have XP or Windows Server 2003.
- Once you have rolled out the latest Monthly Rollup, consider also approving Critical patches. This will install any pre-October 2016 Critical patches missing from any of your devices.
- Set the start of your patch window at a time when you would expect devices to be online; so long as the device comes online at any point in the patch window, the Patch Management policy will run. Consider a daily desktop and laptop schedule to ensure patches roll out quickly until you get all of your devices up to speed. Even though the schedule is daily, each patch will still be installed only once. Set a reboot reminder if necessary.
- Make your patch window at least four hours long, as some devices are slow.
- If you have Microsoft Office in your environment, you'll need to add a rule to approve anything with the word Office in the title. If you do this, consider adding an explicit Driver denial rule to prevent HP Officejet driver updates from being deployed unexpectedly.
- Remember to check the Reboot Required filter for devices that may have escaped the reboot process. A shutdown at the end of the day and a startup in the morning is not a reboot, and patches will not finish installing even though users may think they have. Windows must be explicitly rebooted for the installation to complete. If you have user devices requiring reboots, consider sending a message using the message feature in the Action Bar.
- You have the option of delaying updates. If you have concerns that Microsoft may release a bad patch, it may be a good idea to set a delay in the Patch Management policy. To receive necessary patches, ensure the delay you set does not exceed the release cycle for patches.
- Installing drivers via Patch Management is not recommended, as some drivers may fail to install if user interaction is required during the installation process.
- Due to the Windows requirement that some drivers must be installed as 'current user', it is not possible to install drivers via Patch Management on Windows 7 machines.
- It is recommended to deny driver installations in Patch Management policies, as the driver types can include network and display drivers, which could render a device unusable if an installation fails.
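To preview what a policy built on the title rules above would do on a given device, here is an added example (not the RMM product's own code) that queries the Windows Update Agent for the updates it currently offers and applies those rules to each title. The rule precedence (deny rules before approve rules) and the use of the agent's "Drivers" category for the driver denial are this example's assumptions.

```powershell
# Added example, not the RMM product's code: applies the approve/deny title rules from the
# guidelines above to the updates the Windows Update Agent currently offers this device.
# Rule precedence (deny first) and the use of the WUA "Drivers" category are assumptions.
function Get-PolicyDecision {
    param([string]$Title, [string[]]$Categories = @())
    # Deny rules first: a Preview Rollup title also contains "Rollup", and a broad
    # Rollup/Security/Office approval must never pull in a driver (e.g. a printer driver).
    if ($Title -match 'Preview') { return 'Deny (Preview rule)' }
    if ($Categories -contains 'Drivers' -or $Title -match 'Driver') { return 'Deny (Driver rule)' }
    if ($Title -match 'Rollup|Security') { return 'Approve (Rollup/Security rule)' }
    if ($Title -match 'Office') { return 'Approve (Office rule)' }
    return 'No rule'   # nothing matched; leave for manual review
}

# The agent searches whichever source the client is configured for (WSUS or Windows Update),
# so Security-only updates will only appear on WSUS-managed clients.
$session  = New-Object -ComObject Microsoft.Update.Session
$searcher = $session.CreateUpdateSearcher()
$result   = $searcher.Search('IsInstalled=0 and IsHidden=0')

$result.Updates | ForEach-Object {
    $u = $_
    $categories = @($u.Categories | ForEach-Object { $_.Name })
    [pscustomobject]@{
        KB         = (@($u.KBArticleIDs | ForEach-Object { "KB$_" }) -join ',')
        Title      = $u.Title
        Categories = ($categories -join ';')
        Decision   = Get-PolicyDecision -Title $u.Title -Categories $categories
    }
} | Sort-Object Decision, Title | Format-Table -AutoSize -Wrap
```

Run it on a pilot device before approving anything broadly; any row marked "No rule" is an update the suggested keyword rules would neither approve nor deny.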
NOTE For some devices, such as Microsoft Surface devices, drivers can only be installed via Windows Update. In such cases, we recommend setting up a separate Patch Management policy in which you specify the installation of drivers. This will avoid conflicts with other devices and drivers being installed incorrectly.
NOTE Driver patches may show as available to devices but they do not show as installed in the patch information once deployed. This is because patch audits echo what is presented by the Windows Update API, which typically displays available driver updates for convenience but does not show them in the installed group after they have been applied.