Best practices for Patch Management

VIDEO  Datto RMM Patch Management Webinar
View this video in Datto Academy (via Datto Partner Portal) where you can get credit toward maintaining your certification and you can also view other courses. If you do not have Partner Portal access, you can view the video here.

Overview of Microsoft Patching

Since October 2016, Microsoft has changed the way patches are released. They have moved to a rollup model for Windows 7 SP1, Windows 8.1, Windows Server 2008 R2, Windows Server 2012, and Windows Server 2012 R2 updates. A rollup is simply multiple patches combined into a single update. Each monthly rollup supersedes the previous month's rollup. The goal is for these monthly rollups to become fully cumulative, which will happen as Microsoft adds previously released patches, so that users need only to install the latest single rollup.

There are three core rollups released monthly:

  1. Security-only Quality Update. Includes all new security fixes for the month and will only be published to Windows Server Update Services (WSUS) and the Windows Update Catalog. It is released on Patch Tuesday, which is the second Tuesday of every month.
  2. NOTE  This update does not contain fixes from previous months, and it is not available to administrators who do not use WSUS.

  3. Security Monthly Quality Update (also known as the Monthly Rollup). Contains all new security fixes for the month (i.e. the same ones in the Security-only Quality Update) plus all security and non-security fixes from all previous Monthly Rollups. This update gets published to Windows Update as well as WSUS and the Windows Update Catalog. It is released on Patch Tuesday.
  4. Preview of Monthly Quality Update (also known as the Preview Rollup). Contains a preview of any new, non-security fixes that will be included in the next Monthly Rollup plus all security and non-security fixes from all previous Monthly Rollups. It is released on the third Tuesday of every month.

Patching Strategy

NOTE  For those who use WSUS, we recommend a session with an Implementation Engineer to discuss your patching strategy.

Microsoft updates with individual KB numbers no longer exist and, therefore, cannot be approved or installed individually. The Monthly Rollup replaces them all. It includes all security and non-security fixes from the month and all previous months since October 2016. In addition, since February 2017, these rollups also include patches prior to October 2016. This simplifies the job of Windows patch management; however, it means that you cannot selectively withhold or deny patches, so it is recommended that you start simple and build out from there, that is, install the updates on a few devices to check for compatibility and then roll the updates out to the rest of your devices.