Patch Management - OS Patch & Security Updates

OS Patch & Security Updates

Operating System (OS) patches and security updates are deployed once they are available from the vendor and have completed quality assurance testing. An operating system restart is commonly required to apply the system update.

 

Release Cycle

OS patches and security updates undergo a pre-release period on a subset of production endpoints before broader release to all managed endpoints.

  • Pre-release occurs one week before the production release, enabling ITS to verify the compatibility and functionality of the latest software version.
    • Windows pre-release starts on the second Friday of each month. The production installation starts on the third Friday of each month.
    • macOS pre-release starts on the Friday following release. The production installation starts on the second Friday following release.

 

Update Methods

Private Endpoints (Faculty/Staff)

Any desktop, laptop, or tablet assigned to a single user for their private use. Examples include Faculty, Staff, and Students.

  • Required – Endpoints will download available updates every day and automatically restart based on their classification.

 

Shared Endpoints (Lab/Classroom/Conference Rooms) or Kiosks (Digital Signage/Walk-up Stations)

Any desktop, laptop, or tablet that is not assigned to a single user but instead has multiple users. Examples include research or business workstations, lab computers, appliances, kiosks, and digital signs.

  • Scheduled – Endpoints will download available updates every day and automatically restart on a pre-defined weekly schedule or during an established maintenance window.

 

Update Process - Windows

Private Endpoints (Faculty/Staff)

Initial Installation Behavior

Windows Updates are coordinated through Configuration Manager (SCCM / MECM) via Software Center. Configuration Manager will begin offering to install Windows Updates on endpoint devices on the third Tuesday of every month at 2:00 pm, ± 2 hours. Computers that are powered off during this period will be offered the Windows Updates the next time they are powered on. Endpoint devices will then have a period of 7 days to install updates and restart. It is highly recommended that endpoint device users select the option to apply the changes "Right now (recommended)" or select a time of their choice as shown below. Once the Windows Updates have been installed, endpoint device users will have until the deadline to restart their computer.

  • Update reminders will appear every 4 hours before the deadline.
  • Updates may be installed at any time through Software Center using the Updates tab.
Software Center prompt with the text "Required software changes will be applied to your computer. The changes will be applied after 1/27/2022 at 11:52 AM, or you can apply the changes with the following options: Right now (recommended), outside my business hours, snooze and remind me later, restart my computer automatically if needed."

Software Center prompt with the text "Restart your computer" and the options to "Restart now" and "Snooze and remind me again in 1 hour".

Installation and Restart Deadline

Once the installation and restart deadline is reached, on the fourth Tuesday of every month at 2:00 pm, ± 2 hours, Configuration Manager will automatically install any needed Windows Updates and then prompt the endpoint device user to restart within 6 hours. Multiple restart notices will be sent during this 6-hour restart window. When 60 minutes remain, a non-dismissible message will be displayed informing any logged-on endpoint device users that the required restart will occur soon.

Software Center prompt with the text "Your computer is about to restart."

 

Shared Endpoints (Lab/Classroom/Conference Rooms) or Kiosks (Digital Signage/Walk-up Stations)

Installation and Restart Behavior

Windows Updates are coordinated through Configuration Manager (SCCM / MECM) via Software Center and are largely automated for endpoint devices in this classification. Configuration Manager will begin installing Windows Updates on shared endpoints on the second Friday of every month at 10:00 pm. A restart will then be scheduled and completed 6 hours later, at 4:00 am. Computers that are powered off during this period will wait until their next maintenance window and not prompt endpoint device users for action.

Maintenance Windows

Shared endpoint devices running Windows will have a maintenance window from 10:00 pm to 7:00 am daily. Windows Updates will only be installed during this time window unless manually run via Software Center or Updates and Security (via Windows Settings).

 

 

Update Process - macOS

Software updates for macOS do not occur on a regular schedule. Updates for Mac App Store apps or other OS components that do not require a restart will be automatically applied when that specific component is not in use. macOS updates that do require a restart will generate a prompt for the user to acknowledge.

  • A user can defer an update request a total of three times, for varying lengths of time ranging from 1 hour to 1 day.
  • If a user is not present to acknowledge the update prompt, the update will be automatically deferred for one day.
  • A user can start a software update at any time through Self Service or System Preferences.
  • If the user is out of deferrals, the update will be applied automatically, following a 15-minute warning.
  • If the Mac is idle outside of business hours, and at the login screen, updates will install automatically.

Below are two examples of the software update prompts a Mac user will receive.

Software Update Available prompt
Updating macOS prompt