Business workers face a persistent wave of online threats -- from malicious hacking techniques to ransomware -- and it's up to the administrator to lock down Microsoft systems and protect the company.
Administrators who apply Microsoft's security updates in a timely fashion thwart many attacks effectively. IT departments use both System Center Configuration Manager and Windows Server Update Services to roll out patches, but the Configuration Manager tool's scheduling and deployment options make it the preferred utility for this task. Admins gain control and automation over software updates to all managed systems with the Configuration Manager tool, which also monitors compliance and reporting.
Why we wait to update
An organization bases its security update deployment timeline on several factors, including internal policies, strategies, staff and skill sets. Some businesses roll patches out to production servers as soon as Microsoft makes them available on Patch Tuesday, the second Tuesday each month. Other companies wait a week or even a couple months to do the same, due to stringent testing procedures.
The five-week deployment scenario depicted in the graphic leaves many endpoints unpatched and vulnerable to security risks for several weeks. Microsoft has a cumulative update model for all supported Windows OSes; the company packages each month's patches and supersedes the previous month's release. In some cases, systems won't be fully patched -- or will remain unpatched -- if a business fails to deploy the previous month's security fixes before Microsoft releases the new updates. To avoid this situation, IT organizations should roll out the current month's updates before the next Patch Tuesday arrives just a few weeks later.
Automatic deployment rule organizes the patch process
An automatic deployment rule (ADR) in the Configuration Manager tool coordinates the patch rollout process. An ADR provides settings to download updates, package them into software update groups, create deployments of the updates for a collection of devices and roll out the updates when it's most appropriate.
Find the ADR feature in the Configuration Manager tool under the Software Updates menu within the Software Library module. Figure 1 shows its options.
Settings to configure specific update criteria
The admin sets the ADR options to download and package software updates with the following criteria, which are also shown in Figure 2:
- released or revised within the last month;
- only updates that are required by systems evaluated at the last scan;
- updates that are not superseded; and
- updates classified as Critical Updates, Security Updates, Feature Packs, Service Packs, Update Rollups or Updates.
The property filter -- also seen in Figure 2 -- packages software updates on a granular scale to best suit the organization's needs. In the example shown, the admin uses the property filter to only deploy updates released in the last month.
In the evaluation schedule shown in Figure 3, the admin configures an ADR to assess and package software updates at 11 p.m. on the second Tuesday of each month.
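The ADR criteria and evaluation schedule described above, built with the ConfigurationManager PowerShell module. This is an added example, not the article's own code; the rule name, collection name, deployment package name and site drive are assumptions, as is the exact string accepted by the Required filter.

```powershell
# Added example: create the ADR from Figures 2 and 3 with the ConfigurationManager module.
# Assumed values are marked; replace the site drive 'PS1:' with your own site code.
Import-Module "$($env:SMS_ADMIN_UI_PATH)\..\ConfigurationManager.psd1"
Set-Location 'PS1:'   # placeholder site code; run Get-PSDrive -PSProvider CMSite to find yours

# Evaluation schedule (Figure 3): 11 p.m. on the second Tuesday of each month.
$evalSchedule = New-CMSchedule -DayOfWeek Tuesday -WeekOrder Second -Start (Get-Date '23:00')

$adrParams = @{
    Name                             = 'ADR - Monthly Security Updates'   # assumed rule name
    CollectionName                   = 'Servers-Updates-GroupA'           # collection named in the article
    DeploymentPackageName            = 'Monthly Updates'                  # assumed existing package
    AddToExistingSoftwareUpdateGroup = $false                             # new software update group per run
    # Property filter (Figure 2)
    DateReleasedOrRevised            = 'Last1Month'                       # released or revised in the last month
    Required                         = '>=1'                              # assumed syntax: required by at least one client at last scan
    Superseded                       = $false                             # exclude superseded updates
    UpdateClassification             = 'Critical Updates', 'Security Updates', 'Feature Packs',
                                       'Service Packs', 'Update Rollups', 'Updates'
    # Run on the schedule above rather than after every software update point sync
    RunType                          = 'RunTheRuleOnSchedule'
    Schedule                         = $evalSchedule
    # Make the deployment available and required as soon as possible; the collection's
    # maintenance window, not this setting, decides when the installation actually runs.
    AvailableImmediately             = $true
    DeadlineImmediately              = $true
    EnabledAfterCreate               = $true
}

New-CMSoftwareUpdateAutoDeploymentRule @adrParams

# Confirm the rule exists and is enabled before the next Patch Tuesday.
Get-CMSoftwareUpdateAutoDeploymentRule -Name $adrParams.Name | Select-Object Name, AutoDeploymentEnabled
```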
Set a maintenance window to assist users
To patch servers, use maintenance windows, which control the deployment of software updates to clients in a collection at a specific time. This meets the preferences of server owners, who cannot take certain machines down at particular times for a software update and the consequent reboot. In most cases, admins set maintenance windows to run updates overnight to minimize disruption and effects on end users.
Admins can set the deployment schedule in a maintenance window to As soon as possible since the maintenance window controls the actual rollout time. For example, assume the IT staff configured the following maintenance windows for a collection of servers:
- Servers-Updates-GroupA: maintenance window from 12 a.m. to 2 a.m.
- Servers-Updates-GroupB: maintenance window from 2 a.m. to 4 a.m.
- Servers-Updates-GroupC: maintenance window from 4 a.m. to 6 a.m.
If the admin sets these collections to deploy software updates with the As soon as possible flag, the servers download the Microsoft updates when they become available, which could be right in the middle of a busy workday. With the maintenance windows in place, the installation instead waits until 12 a.m. for Servers-Updates-GroupA, 2 a.m. for the next group and so on. Without any deployment schedule or maintenance window, collections install the software updates as soon as possible and reboot if necessary based on the client settings in the Configuration Manager tool.
To create a maintenance window for a collection, click on the starburst icon under the Maintenance Windows tab in the collection properties. Figure 4 shows a maintenance window that runs daily from 2 a.m. to 4 a.m.
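The three staggered maintenance windows from the example above, created and then listed with the ConfigurationManager PowerShell module. This is an added example, not the article's own code; the window names and the site drive are assumptions, and the collections are assumed to exist already.

```powershell
# Added example: create the staggered two-hour maintenance windows described in the article.
# Assumed values are marked; replace the site drive 'PS1:' with your own site code.
Import-Module "$($env:SMS_ADMIN_UI_PATH)\..\ConfigurationManager.psd1"
Set-Location 'PS1:'   # placeholder site code

# Collection name -> window start hour (24-hour clock). Each window lasts two hours and recurs daily.
$windows = @(
    @{ Collection = 'Servers-Updates-GroupA'; StartHour = 0 }   # 12 a.m. to 2 a.m.
    @{ Collection = 'Servers-Updates-GroupB'; StartHour = 2 }   #  2 a.m. to 4 a.m.
    @{ Collection = 'Servers-Updates-GroupC'; StartHour = 4 }   #  4 a.m. to 6 a.m.
)

foreach ($w in $windows) {
    $start = (Get-Date).Date.AddHours($w.StartHour)
    # Daily recurrence with a two-hour duration
    $schedule = New-CMSchedule -Start $start -RecurInterval Days -RecurCount 1 `
                               -DurationInterval Hours -DurationCount 2
    # Assumed window name; ApplyTo restricts the window to software updates so task
    # sequences are not held back by it.
    $name = 'Nightly updates {0:00}:00-{1:00}:00' -f $w.StartHour, ($w.StartHour + 2)
    New-CMMaintenanceWindow -CollectionName $w.Collection -Name $name `
                            -Schedule $schedule -ApplyTo SoftwareUpdatesOnly
}

# Verify: every collection should now show exactly one enabled window of the right type.
foreach ($w in $windows) {
    Get-CMMaintenanceWindow -CollectionName $w.Collection |
        Select-Object @{ n = 'Collection'; e = { $w.Collection } }, Name, IsEnabled, ServiceWindowType
}
```

Deployments to these collections can keep the As soon as possible schedule; the windows alone hold the installation until each group's slot.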
For devices that end users work on, admins should configure an ADR to deploy updates with the Available flag at a specific date and time, but not make the installation mandatory until later. Users apply patches and reboot the system at their convenience. Always impress upon users why they should implement the updates quickly.
Microsoft refines features to maximize uptime
Microsoft added more flexibility to coordinate maintenance and control server uptime in version 1606 of the Configuration Manager tool. The server group settings feature the following controls:
- the percentage of machines that update at the same time;
- the number of machines that update at the same time;
- the maintenance sequence; and
- PowerShell scripts that run before and after deployments.
A server group uses a lock mechanism so that only the current set of machines in the collection installs and completes the update before the process moves on to the next set of servers. An admin can release the deployment lock manually if a patch gets stuck before it completes. Microsoft provides more information on updates to server groups.
To develop server group settings, select the All devices are part of the same server group option in the collection properties, and then click on Settings, as seen in Figure 5.
Select the preferred option for the group. In Figure 6, the admin sets the maintenance sequence. Finally, click OK, and the server group is ready.
For additional guidance on software update best practices, Microsoft offers pointers for the deployment process.