Difference between revisions of "Windows Updates"

From DTP Customer Wiki
Jump to navigation Jump to search
 
(One intermediate revision by the same user not shown)
Line 8: Line 8:


===== Patch Group Classification: =====
===== Patch Group Classification: =====
Your servers are divided into different patch groups based on their criticality and specific requirements(the Practice Management or Imaging software an office uses, for example). Each group may have a different patching window, ensuring that the most critical systems receive patches first.  
Your servers are divided into different patch groups based on their criticality and specific requirements (the Practice Management or Imaging software an office uses, for example). Each group may have a different patching window, ensuring that the most critical systems receive patches first.  


===== Priority on VM Hosts: =====
===== Priority on VM Hosts: =====
Line 14: Line 14:


===== Approval Policy: =====
===== Approval Policy: =====
We understand that not all patches are suitable for every environment, which is why we deploy an Approval Policy. Our team of experts diligently reviews new patches weekly and processes them through the Approval Policy before deployment. This step allows us to filter out any patches that may cause compatibility issues or are not suitable for your specific environment. In cases where a patch is more harmful than helpful(for example if it breaks Practice Management software or prevents sensors/other hardware from working) we are able to blacklist the patch in question and uninstall it from endpoints where it has already been deployed.
We understand that not all patches are suitable for every environment, which is why we deploy an Approval Policy. Our team of experts diligently reviews new patches weekly and processes them through the Approval Policy before deployment. This step allows us to filter out any patches that may cause compatibility issues or are not suitable for your specific environment. In cases where a patch is more harmful than helpful (for example if it breaks Practice Management software or prevents sensors/other hardware from working) we are able to blacklist the patch in question and uninstall it from endpoints where it has already been deployed.


===== Reboot Considerations: =====
===== Reboot Considerations: =====
Line 31: Line 31:


Thank you for entrusting us with your technology needs. We remain committed to delivering exceptional service and safeguarding your valuable data.
Thank you for entrusting us with your technology needs. We remain committed to delivering exceptional service and safeguarding your valuable data.
== Frequently-Asked-Questions ==


===== '''Why are my computers saying that they have updates waiting?''' =====
<br />Though rare, there can be times when patches have been installed, but require a reboot before installation is complete. If enough time passes before the endpoint is rebooted by our 30-day uptime mark, then a prompt from Windows can certainly occur.


=== Frequently-Asked-Questions ===
===== '''Why is my computer missing X patch?''' =====
<br />Because we patch once a week there will be times when patching is behind Microsoft's release schedule. In general, recently released missing patches will be installed within 2 weeks of release. If needed patches are not installed within this window, then please reach out to DTP and we will investigate the issue and make any needed changes to ensure patching is occurring as intended.


# '''My computers are saying that they have updates waiting! I thought you handled all patching!'''<br />Though rare, there can be times when patches have been installed, but require a reboot before installation is complete. If enough time passes before the endpoint is rebooted by our 30 day uptime mark, then a prompt from Windows can certainly occur.
===== '''Why did my computer install patches outside of the scheduled window?''' =====
# '''My computer is missing X patch'''<br />Because we patch once a week there will be times when patching is behind Microsofts release schedule. In general, recently released missing patches will be installed within 2 weeks of release. If needed patches are not installed within this window then please reach out to DTP and we will investigate the issue and make any needed changes to ensure patching is occurring as intended.
<br />Microsoft has control over patching on all modern Windows operating systems. What this means is that they can initiate patching whenever they want. However, this is usually only done for critical vulnerabilities. If you see patching installs occurring during business hours regularly then please reach out to DTP so that we can determine what's going on.
# '''My computer installed patches outside of the window'''<br />Microsoft has control over patching on all modern Windows operating systems. What this means is that they can initiate patching whenever they want, however this is usually only done for critical vulnerabilities. If you see patching installs occurring during business hours regularly then please reach out to DTP so that we can determine what's going on.
 
# '''What all gets patched?'''<br />What doesn't get patched?!? We patch all active Windows OSes. Operating systems that are on End of Life(Windows Server 2008, Windows 7, Windows XP, etc) are generally not getting patches, as Microsoft is no longer developing for those operating systems. On modern operating systems(Windows 10+11, Windows Server 2016/2019/2022) we use the following general criteria: Critical Patches are always approved, as are Feature Packs, Definition Updates, and Critical Updates, among others. Driver updates must be manually installed, but they are not blocked. The only things that are outright blocked are specific patches which we know to have a wide and harmful impact, which are added to a blacklist.
===== '''What all gets patched?''' =====
# '''My vendor says I'm not receiving patches'''<br />In most cases what this means is that you're missing a driver patch for a corresponding piece of hardware. This is usually resolved by reaching out to us and coordinating the installation of the needed patch(es). In the event that no patching is occurring at all then DTP will investigate and ensure that patching is working accordingly.
<br />What doesn't get patched?!? We patch all active Windows OSes. Operating systems that are on End of Life (Windows Server 2008, Windows 7, Windows XP, etc) are generally not getting patches, as Microsoft is no longer developing for those operating systems. On modern operating systems (Windows 10+11, Windows Server 2016/2019/2022) we use the following general criteria: Critical Patches are always approved, as are Feature Packs, Definition Updates, and Critical Updates, among others. Driver updates must be manually installed, but they are not blocked. The only things that are outright blocked are specific patches which we know to have a wide and harmful impact, which are added to a blacklist.
 
===== '''Why did a vendor say I'm not receiving patches?''' =====
<br />In most cases what this means is that you're missing a driver patch for a corresponding piece of hardware. This is usually resolved by reaching out to us and coordinating the installation of the needed patch(es). In the event that no patching is occurring at all then DTP will investigate and ensure that patching is working accordingly.

Latest revision as of 16:57, 6 December 2023

Ensuring Secure and Reliable Windows Patching: A Look into our Process

At Digital Technology Partners we understand the importance of maintaining the security and stability of your IT infrastructure; a critical element of that goal is ensuring that your systems are up-to-date and protected against potential vulnerabilities. In this article, we'll provide insights into our Windows patching process and shed light on our schedule and methodology to keep your servers and virtual machines secure.

Our Patching Schedule:

Our patching operations are carried out through Connectwise Automate, our Remote Management and Monitoring software. We have meticulously designed a schedule to minimize disruption to your operations while ensuring timely installation of critical patches. Patching is scheduled to occur on Friday mornings, between 2:00 AM and 6:00 AM.

Patch Group Classification:

Your servers are divided into different patch groups based on their criticality and specific requirements (the Practice Management or Imaging software an office uses, for example). Each group may have a different patching window, ensuring that the most critical systems receive patches first.

Priority on VM Hosts:

For environments with Virtual Machines, we give priority to VM hosts, patching them two hours before VMs. This methodology ensures that patching virtual environments goes smoothly and that the underlying infrastructure is secure before addressing individual VMs.

Approval Policy:

We understand that not all patches are suitable for every environment, which is why we deploy an Approval Policy. Our team of experts diligently reviews new patches weekly and processes them through the Approval Policy before deployment. This step allows us to filter out any patches that may cause compatibility issues or are not suitable for your specific environment. In cases where a patch is more harmful than helpful (for example if it breaks Practice Management software or prevents sensors/other hardware from working) we are able to blacklist the patch in question and uninstall it from endpoints where it has already been deployed.

Reboot Considerations:

When patches require a reboot, we issue the reboot command during the scheduled patch window. However, if the patches do not require immediate reboot or if there is insufficient time for a reboot, servers will reboot automatically after 30 days of continuous uptime. This approach ensures that servers are rebooted efficiently to apply critical updates while maintaining system stability and minimizing interruptions to your daily operations.

Our Commitment to Your Business:

At every step of the patching process, our dedicated team of experienced technicians closely monitors the operations to ensure the smooth installation of patches without any disruptions to your business.

Constant Vigilance:

Patching is an ongoing process, and we remain vigilant to keep your systems up-to-date with the latest security patches. Our team is always on the lookout for emerging threats and vulnerabilities to proactively protect your infrastructure. We do this through vendor alerts, patch mailing lists, and robust MSP community involvement.

Transparency and Communication:

We value transparency and open communication with our customers. If you have any specific concerns or questions regarding our patching process, please don't hesitate to reach out to our support team.

As your partner in technology, our goal is to provide a safe and secure IT environment for your business. With our careful and well-planned patching process, you can rest assured that your systems are in capable hands.

Thank you for entrusting us with your technology needs. We remain committed to delivering exceptional service and safeguarding your valuable data.

Frequently-Asked-Questions

Why are my computers saying that they have updates waiting?


Though rare, there can be times when patches have been installed, but require a reboot before installation is complete. If enough time passes before the endpoint is rebooted by our 30-day uptime mark, then a prompt from Windows can certainly occur.

Why is my computer missing X patch?


Because we patch once a week there will be times when patching is behind Microsoft's release schedule. In general, recently released missing patches will be installed within 2 weeks of release. If needed patches are not installed within this window, then please reach out to DTP and we will investigate the issue and make any needed changes to ensure patching is occurring as intended.

Why did my computer install patches outside of the scheduled window?


Microsoft has control over patching on all modern Windows operating systems. What this means is that they can initiate patching whenever they want. However, this is usually only done for critical vulnerabilities. If you see patching installs occurring during business hours regularly then please reach out to DTP so that we can determine what's going on.

What all gets patched?


What doesn't get patched?!? We patch all active Windows OSes. Operating systems that are on End of Life (Windows Server 2008, Windows 7, Windows XP, etc) are generally not getting patches, as Microsoft is no longer developing for those operating systems. On modern operating systems (Windows 10+11, Windows Server 2016/2019/2022) we use the following general criteria: Critical Patches are always approved, as are Feature Packs, Definition Updates, and Critical Updates, among others. Driver updates must be manually installed, but they are not blocked. The only things that are outright blocked are specific patches which we know to have a wide and harmful impact, which are added to a blacklist.

Why did a vendor say I'm not receiving patches?


In most cases what this means is that you're missing a driver patch for a corresponding piece of hardware. This is usually resolved by reaching out to us and coordinating the installation of the needed patch(es). In the event that no patching is occurring at all then DTP will investigate and ensure that patching is working accordingly.