Patching

Contents

Components

  • SUP – The Software Update Point (SUP) is an SCCM integrated Windows Software Update Services (WSUS) installation used in the detection of patches on client machines.
  • DP – The Distribution Points are a set of servers that clients call pull software updates from.
  • SCCM Client – Client query the SUP to determine a list of available updates and decides which of those updates are needed then proceeds downloads those updates from the Distribution Points.

Usage Policy

  • University-Owned Computers – All university-owned computers joined to WolfTech active directory are automatically configured to use SCCM to install updates. Departmental OU administrators may configure the timing of when and how patches are applied.

Client Support

All operating systems currently supported by Microsoft will have patches deployed by SCCM.

Operating systems that are no longer supported by Microsoft are not patched and should be upgraded to comply with the Endpoint Protection Standard.

Scheduling

Microsoft “Patch Tuesday” is the 2nd Tuesday of each month.

Note: A Sysnews post will be made to remind people it is Patch Tuesday, and patches are being staged in SCCM for release in accordance to the Early, Normal, Late schedule.

  • Patches will be made available approximately 8:00 PM on Patch Tuesday. After patches are made available users have until the deadline to install patches. If, at the deadline, patches are not installed, SCCM will automatically install all available patches. If departments or colleges have set update maintenance windows, SCCM will install patches at the next available maintenance window following the deadline. Departments and colleges are encouraged to use maintenance windows when needed.
  • If a reboot is needed to complete the installation, logged on users will be notified. By default, SCCM will not auto reboot computers. Departments and colleges may optin to have machines auto rebooted to complete the installation of patches by adding their computers to the following group:
    • <OU>-SC-Microsoft-Update Reboot-OptIn
  • Computer check for patches once per day. This allows sysadmins to troubleshoot issues that patches my be causing.
  • If machines have been off for a period of time, like in the case of laptops, as soon as they are turned on they will check for updates and begin installing.
  • Operating system patches will be released according the Early, Normal, or Late patching schedule:

Early

Computers in the Early group will receive patches as they are made available by Microsoft.

It is recommended colleges and departments add test systems and/or some number of non-critical systems to the Early group to test/verify no issues with the patches. If you do suspect that an update is causing an issue, please submit a ticket to activedirectory_patching@help.ncsu.edu as well as send an email to activedirectory@lists.ncsu.edu. One can also discuss any issues in the NC State Windows Slack channel.
The departmental Early group is:

<OU>-SC-Microsoft-Updates-Early

Normal

If no action is taken by the Departmental OU administrators, client systems will be added to the Normal Patching group. This is the default action.

Late

Client systems in the Late group will have patches made available on the third Tuesday of the month and will become Mandatory on the following Tuesday (the fourth Tuesday) with a deadline of the fourth Wednesday at 2 AM. The departmental Late group is:

<OU>-SC-Microsoft-Updates-Late

Windows 10 Upgrades

Starting with Windows 10, Microsoft developed a servicing model that releases two upgrades of the operating system each year.

When first released Microsoft was calling their releases Current Branch (CB) and Current Branch for Business (CBB). Those names were replaced with Semi-Annual Channel (Targeted) and Semi-Annual Channel.

New version of the operating system are first released to Current Branch/ Semi-Annual Channel (Targeted). When new releases are made available for download, they are usually made available as Upgrades in SCCM a week later. Once available in SCCM Upgrades are deployed to computers in the Early group. The deployments are made Available for two months to allow individual users, groups, or departments time to test the upgrade processes as well as test application compatibility. After the two months, upgrades become mandatory.

Microsoft’s Windows 10 release information.

Example

Windows 10 1904 becomes available on April 1st. The 1904 Upgrade is deployed to the Early group with an available time of “immediate”, and a deadline of June 1st at 3 AM.

On June 1st at 3 AM, if the Early group machine is on, it will begin the install process. To complete the upgrade, the machine will automatically reboot. On average it takes between 30 and 60 minutes for an upgrade to complete. During that time the machine will be unusable.

If on June 1st at 3 AM, the machine is off, the next time the machine is booted, the upgrade process will start. On average it takes between 30 and 60 minutes for an Windows OS upgrade to complete. During the upgrade process, the machine will be unusable.

The time between something being released to Semi-Annual Channel (Targeted) and Semi-Annual Channel is between two to three months. Once something is released to Semi-Annual Channel and it is available in SCCM, Windows OS upgrades are deployed to computers in the Normal and Late groups. The deployments are made available for at least two months prior to allow individual users, groups, or departments time to test the upgrade processes as well as test application compatibility. After the two month testing period, announcements are made and the upgrade becomes mandatory.

Example

Windows 10 1904 becomes available to Semi-Annual Channel on July 1st. The 1904 Windows OS upgrade is deployed to the Normal and Late groups with an available time of “immediate” and a deadline of September 1st at 3 AM.

On September 1st at 3 AM, if a machine is on, it will begin the install process. To complete the Windows OS upgrade, a machine will automatically reboot. On average it takes between 30 and 60 minutes for an upgrade to complete. During the upgrade process, the machine will be unusable.

A SysNews post will be made before deployment to Early and Normal/Late groups. The SysNews post will contain and available time and date as well as a deadline time or date.

Troubleshooting:

  • If your machine in the SCCM console says “client = No”, those machines will need to be patched manually until the SCCM client is installed/repaired.
  • If patches are not installing as anticipated, ensure that you do not have multiple SCCM maintenance windows defined on the system. Often a system ends up with multiple maintenance windows defined on it, causing installations to happen unexpectedly.
  • For further assistance, you can pose your questions in the NC State Windows Slack channel or email activedirectory_patching@help.ncsu.edu

Out-of-Band patches

An out-of-band patch is any patch released by Microsoft outside of it’s normal patching schedule. This typically is a security patch that Microsoft has reports that it is being actively exploited (“in the wild”), and Microsoft deems it necessary to release this security patch immediately, instead of waiting till the next “Patch Tuesday” cycle.

Out-of-band security patches are typically deployed as soon as possible (24-48 hours from the time it is released from the vendor). These can include patches/updates from Microsoft or 3rd party software.

Notifications for Out-of-band patch deployment should utilize standard campus communication channels including a SysNews post including an email to the Active Directory and NAG mailing lists. The SysNews post will include the name of the patch, a link to the patch, a description of the the patch, and its impact to ends users (will a reboot be required to complete the installation?).

Frome time to time, S&C becomes aware of a security patch, and may email the AD service manager & service owner advising them of the need to deploy the patch. However, Sysadmins and/or others in the campus community can request patches, not just security, be considered for out-of-band deployment if the patche fixes a known or perceived threats. Request for patches to be considered for out-of-band deployment should be sent to activedirectory_patching@help.ncsu.edu, and should include the name of the patch, a link to the patch, a description of the the patch, and its impact to ends users (will a reboot be required to complete the installation?). A determination will be made regarding the patch, and it may be deployed out-of-band.

If, after deployment, it is determine that a patch or upgrade is detrimentally affecting a large portion of campus, the AD service manager can have the patch removed or left in place as long as it follows RUL 08.00.14 – System and Software Security Patching Standard (https://policies.ncsu.edu/rule/rul-08-00-14/). These patch deployments should follow the Out-of-Band patching procedure.

Patch Revisions

Once a patch has been approved and release, revisions released under the same KB number are automatically approved. The initial SysNews post will be updated to reflect this.