Best practices for Patch Management

VIDEO  Datto RMM: Patch Management Best Practices
Datto RMM technical experts Jon North and Aaron Engels explain why Patch Management is such a critical business offering. They cover what Windows updates and Patch Management look like in 2019 and beyond, with Cumulative Updates and Windows as a Service. They explain how you can use Datto RMM in the most efficient way for your business and offer best-practice suggestions to improve your current patching and updating strategies. Also refer to the Windows 7 to Windows 10 webinar recording to learn how you can control Feature Updates for Windows 10 with Datto RMM.

Overview of Microsoft Patching

Since October 2016, Microsoft has changed the way patches are released. They have moved to a rollup model for Windows 7 SP1, Windows 8.1, Windows Server 2008 R2, Windows Server 2012, and Windows Server 2012 R2 updates. A rollup is simply multiple patches combined into a single update. Each monthly rollup supersedes the previous month's rollup. The goal is for these monthly rollups to become fully cumulative, which will happen as Microsoft adds previously released patches, so that users only need to install the single latest rollup.

There are three core rollups released monthly:

  1. Security-only Quality Update. Includes all new security fixes for the month and will only be published to Windows Server Update Services (WSUS) and the Windows Update Catalog. It is released on Patch Tuesday, which is the second Tuesday of every month.

     NOTE  This update does not contain fixes from previous months, and it is not available to administrators who do not use WSUS.

  2. Security Monthly Quality Update (also known as the Monthly Rollup). Contains all new security fixes for the month (i.e. the same ones in the Security-only Quality Update) plus all security and non-security fixes from all previous Monthly Rollups. This update gets published to Windows Update as well as WSUS and the Windows Update Catalog. It is released on Patch Tuesday.
  3. Preview of Monthly Quality Update (also known as the Preview Rollup). Contains a preview of any new, non-security fixes that will be included in the next Monthly Rollup plus all security and non-security fixes from all previous Monthly Rollups. It is released on the third Tuesday of every month.

Patching Strategy

NOTE  For those who use WSUS, we recommend a session with an Implementation Engineer to discuss your patching strategy.

Microsoft updates with individual KB numbers no longer exist and, therefore, cannot be approved or installed individually. The Monthly Rollup replaces them all. It includes all security and non-security fixes from the month and from all previous months since October 2016. In addition, since February 2017, these rollups also include patches released prior to October 2016. This simplifies the job of Windows patch management; however, it also means that you cannot selectively withhold or deny patches. We therefore recommend that you start simple and build out from there: install the updates on a few devices to check for compatibility, and then roll the updates out to the rest of your devices.
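
Because the Monthly and Preview Rollups are cumulative while the Security-only Quality Update covers a single month, a device patched with Security-only updates can silently miss a month. The Python below is an added example, not Datto RMM code: it takes a list of installed update titles (for instance, exported from a pilot device) and returns the months whose security fixes are not covered. The title layout, the function names and the sample titles with placeholder KB numbers are assumptions made for the example.

```python
import re

# Assumption: titles look like "YYYY-MM <rollup name> for <product> (KBnnnnnnn)".
TITLE = re.compile(r"^(\d{4})-(\d{2})\s+(.*)$")
KINDS = [  # "Preview of Monthly Quality" must be tested before "Monthly Quality"
    ("preview", re.compile(r"Preview of Monthly Quality", re.I)),
    ("security_only", re.compile(r"Security[- ]Only Quality", re.I)),
    ("monthly", re.compile(r"Monthly Quality", re.I)),
]
FIRST_MONTH = (2016, 10)  # start of the rollup model, per the page

# Constructed sample inventory for one device; KB numbers are placeholders.
SAMPLE = [
    "2018-11 Security Monthly Quality Rollup for Windows 7 (KB0000001)",
    "2018-12 Security Only Quality Update for Windows 7 (KB0000002)",
    "2019-02 Security Only Quality Update for Windows 7 (KB0000003)",
    "Update for Example Application (KB0000004)",
]

def classify(title):
    """Return (kind, (year, month)) for a rollup title, else None."""
    m = TITLE.match(title.strip())
    if m:
        for kind, pattern in KINDS:
            if pattern.search(m.group(3)):
                return kind, (int(m.group(1)), int(m.group(2)))
    return None

def months(start, end):
    """Yield (year, month) from start to end inclusive."""
    year, month = start
    while (year, month) <= end:
        yield (year, month)
        year, month = (year + 1, 1) if month == 12 else (year, month + 1)

def missing_security_months(titles, through):
    """Months from Oct 2016 to `through` whose security fixes are not installed."""
    cumulative_to = None  # newest Monthly/Preview Rollup: covers all earlier months
    single = set()        # Security-only updates cover their own month only
    for kind, ym in filter(None, map(classify, titles)):
        if kind == "security_only":
            single.add(ym)
        elif cumulative_to is None or ym > cumulative_to:
            cumulative_to = ym
    return [ym for ym in months(FIRST_MONTH, through)
            if ym not in single and (cumulative_to is None or ym > cumulative_to)]

if __name__ == "__main__":
    print(missing_security_months(SAMPLE, (2019, 3)))
```

For the constructed sample, the November 2018 Monthly Rollup covers everything up to that month, so only the months skipped by the later Security-only updates are reported. Installing the latest Monthly Rollup clears the list.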