Managing Microsoft patches involves acquiring, testing, and installing updates on a managed computer.
The goal of managing Microsoft patches is to create a consistently configured environment that is secure against known vulnerabilities in Microsoft operating system and application software.
By using patch management, you can:
- control updates to Microsoft applications and operating systems
- increase security on the client-side network against known vulnerabilities in Microsoft operating system and application software
- ensure standard patch levels across managed systems
- automate Microsoft updates to ensure security
You can set up Microsoft patch management so that it's completely automated, or you can set up controls so that you can test patches before approving them. You decide how automatic or manual you want Microsoft patch management to be.
Understanding Microsoft Patch Management
Barracuda Managed Workplace duplicates the management model of Windows Server Update Services (WSUS) for all Microsoft updates. When you make decisions about what to do with patches for groups of computers, the native Windows functionality handles the installation based on rules you set in the Patch policies (see What is a Patch Policy?).
Computers with Device Manager installed receive information about patches from Service Center and download the files from Microsoft Update directly (see). End users will see notifications and messages from Service Center.
Patching Non-Microsoft Applications
All non-Microsoft software updates are handled through automation. For example, to update Adobe products, you can use the built-in Ninite scripts. Go to Automation > Library and search for "Install or Update" for a list of scripts provided with Barracuda Managed Workplace for updating software.
Microsoft updates are differentiated by product (or product family) and classification.
Product: A product is a specific product or product family from which the individual product is derived. For example, Microsoft Windows is a product family of which Windows Server 2016 is a member. You can get updates for current and future versions of the product.
Classification: A classification is the type of update. For any given product or product family, updates can be available in multiple update classifications (for example, Windows XP family Critical Updates and Security Updates). Microsoft provides critical and security-related patches on the second Tuesday of the month and non-security patches on the fourth Tuesday.
What is a Patch Policy?
A patch policy is a collection of rules that manages Microsoft updates on devices or groups.
When a Microsoft patch policy is first applied to a device, the device checks in to the Onsite Manager to download a cookie, download an agent, and upload its patch status. The device will check in with patch management in under an hour if there are no communication or configuration issues.
Once patch management is enabled, a device will check in for any new instructions with the Onsite Manager or Service Center at least once every 22 hours.
What is a Windows Update Agent?
A Windows Update Agent is included on all modern Microsoft operating systems so that updates can be managed by users or administrators. On an unmanaged device, the rules are provided through the Windows Control Panel. Using Barracuda Managed Workplace, the rules are provided through patch policies.
What is Microsoft Update?
Microsoft Update is a repository that provides downloadable updates for Microsoft operating systems and applications. Microsoft Update works with the updating software in Windows, which identifies which versions of Windows and other Microsoft products are being used on the device.
Prerequisites for Patch Management
Devices that you want to manage patches for must be WMI-enabled.
On Domain networks, any WSUS-related Group Policy Object (GPO) settings must be set to Not Configured, since Barracuda Managed Workplace does not use GPO settings to define the update server for managed clients. Any WSUS policies that are in place on the Domain will interfere with the normal operations of patch management.
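One way to check both prerequisites on a device, as an added example that is not part of the Barracuda Managed Workplace documentation or product. It assumes it is run locally in an elevated PowerShell session before a patch policy has been applied, and it reads the standard Windows Update policy registry values (WUServer, WUStatusServer, UseWUServer) that a configured WSUS GPO writes; the function names are hypothetical.

```powershell
# Added example, not vendor code. Assumption: run locally in an elevated
# session BEFORE a patch policy is applied to the device.
$wuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$auKey = Join-Path $wuKey 'AU'

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or value is absent, which is what a
    # "Not Configured" GPO setting leaves behind.
    if (-not (Test-Path -Path $Path)) { return $null }
    $item = Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    $prop = $item.PSObject.Properties[$Name]
    if ($prop) { return $prop.Value }
    return $null
}

function Test-LocalWmi {
    # WMI counts as usable if a basic query answers within the timeout.
    try {
        $null = Get-CimInstance -ClassName Win32_OperatingSystem `
            -OperationTimeoutSec 15 -ErrorAction Stop
        return $true
    } catch {
        return $false
    }
}

$checks = @(
    @{ Path = $wuKey; Name = 'WUServer' },        # intranet update server URL
    @{ Path = $wuKey; Name = 'WUStatusServer' },  # intranet statistics server URL
    @{ Path = $auKey; Name = 'UseWUServer' }      # 1 = use the server above
)

$results = foreach ($c in $checks) {
    $value = Get-PolicyValue -Path $c.Path -Name $c.Name
    [pscustomobject]@{
        Check  = "WSUS policy: $($c.Name)"
        Value  = if ($null -eq $value) { '(not set)' } else { $value }
        Status = if ($null -eq $value) { 'OK' } else { 'REVIEW' }
    }
}
$wmiOk = Test-LocalWmi
$results += [pscustomobject]@{
    Check = 'WMI query'; Value = $wmiOk
    Status = if ($wmiOk) { 'OK' } else { 'REVIEW' }
}
$results | Format-Table -AutoSize
```

A REVIEW row for a WSUS policy value only shows that the value is present, not where it came from; `gpresult /h report.html` (constructed file name) lists which GPO, if any, sets it.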