“The patch is dead! Long live the update…”
...This is roughly how the change in Windows and other product updates can be summarized. But no matter what we call it – the bottom line is still, don’t neglect update management, proceed in an orderly fashion and consider your company’s requirements.
In short
- Update management has evolved continuously with cooperation between software manufacturers and IT departments.
- Microsoft’s ring concept, in which different end device groups are updated in phases depending on their criticality, has become established.
- Automation solutions such as the baramundi Management Suite (bMS) enable secure and efficient distribution of updates based on the ring concept.
- The bMS supports a clear update process with update profiles, staggered rollouts, blocking of individual applications and various overview pages.
IT departments have been well conditioned over the past two decades to regularly update deployed software. Software manufacturers first provided patches for individual security vulnerabilities without clear guidance. Later, many vendors released a wide and expanding range of security patches on so-called Patch Days each month. IT departments in turn drew their own conclusions about setting priorities: particularly critical patches were tested and installed, while less critical patches and functional or feature updates were often skipped.
Microsoft then developed cumulative updates. These monthly update packages contain the latest security patches and functional updates as well as the patches and updates from previous packages. This saves time, but it also removes the option to “cherry-pick”, i.e. to install individual patches selectively.
What this brief historical review makes clear is that software manufacturers are continuously changing the ways they provide patches and updates, with the best methods taking account of typical IT admin working methods. It’s also clear that most IT departments adapt their update management practices to fit their company’s needs.
From Microsoft Update to Windows Update to WSUS
Microsoft provides relevant updates in various ways, each with its own advantages and disadvantages. On the one hand, they use their own “Microsoft Update” and “Windows Update” services. While “Microsoft Update” includes updates for all supported Microsoft products (Exchange Server, MSSQL Server, etc.), “Windows Update” only provides updates for the actual operating system. On the other hand, Microsoft offers software components via its “Windows Server Update Services” (WSUS), which can be used to mirror Microsoft online services in your own company network. This means that the data required for updating can be provided locally.
IT specialists have a range of options for obtaining updates depending on availability, storage requirements, internet connectivity and other factors. There’s a lot to consider and no one right way, so the method selected should fit specific company needs.
Why the ring concept is indispensable
For most companies, not all endpoints can or should be provided with the same updates at the same time. After all, there are always endpoints that are more critical than others. Microsoft’s widely used ring concept comprises groups of devices that will receive an update simultaneously. These groups should represent as broad and representative a cross-section of the company as possible, categorized according to criticality. In large companies, it is also advisable to consider helpdesk capacity when determining the size of the rings.
Blacklists and automatic releases
Automation is particularly helpful for distributing updates to devices within a ring in a consistent and efficient manner. It saves time and reduces the errors usually associated with manual methods. The automation used in baramundi Management Suite’s Update Management consistently applies Microsoft’s ring concept with the help of update profiles.
It also makes it possible to exclude individual updates as well as entire product lines and even device categories from the update process. With the help of a blacklist, manual distribution of updates is no longer necessary. New updates are released automatically and are installed in phases after pre-determined intervals set by the IT team, starting with the least critical ring.
Update profiles vs. Windows standard ring configurations
In order to be able to use the full potential of the ring concept and baramundi update profiles, the Windows standard configuration must first be changed:
- Online sources and WSUS: deactivate automatic updates, otherwise the baramundi management system will no longer have control.
- WSUS: Deactivate dual scan, otherwise the delay of updates and other functions will not work properly; specify the URL of the WSUS server via group policy.
A detailed list of the required and recommended settings as well as instructions for configuration can be found in the baramundi Knowledge Base.
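As an added example (not from the original article or the baramundi Knowledge Base), the following PowerShell function audits an endpoint for the two settings named above. It assumes that the group policies in question are stored as the usual Windows Update policy registry values: “Configure Automatic Updates: Disabled” as `NoAutoUpdate=1`, “Do not allow update deferral policies to cause scans against Windows Update” as `DisableDualScan=1`, and the intranet update server as `WUServer`/`WUStatusServer` together with `UseWUServer=1`. The WSUS URL in the call at the end is a placeholder.

```powershell
# Added example: audit the Windows Update policy values that the ring concept
# depends on. Registry locations are the standard Windows Update policy keys
# (assumption: policies set via GPO land here; verify against your own GPO report).
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$AuKey     = "$PolicyKey\AU"

function Get-PolicyValue {
    param([string]$Key, [string]$Name)
    # Return $null when the key or value does not exist instead of throwing.
    try { (Get-ItemProperty -Path $Key -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

function Test-UpdateSourcePolicy {
    param(
        # 'Online' = Microsoft Update / Windows Update, 'WSUS' = local WSUS server
        [ValidateSet('Online', 'WSUS')] [string]$Source,
        # Expected WSUS URL; only checked when $Source is 'WSUS'
        [string]$ExpectedWsusUrl
    )
    $findings = @()

    # Both sources: automatic updates must be off, otherwise Windows installs
    # updates on its own schedule and the management system loses control.
    if ((Get-PolicyValue $AuKey 'NoAutoUpdate') -ne 1) {
        $findings += 'Automatic updates are not disabled (AU\NoAutoUpdate <> 1)'
    }

    if ($Source -eq 'WSUS') {
        # Dual scan must be off so that deferral settings do not trigger scans
        # against Windows Update and bypass the delay configured in the profile.
        if ((Get-PolicyValue $PolicyKey 'DisableDualScan') -ne 1) {
            $findings += 'Dual scan is not disabled (DisableDualScan <> 1)'
        }
        if ((Get-PolicyValue $AuKey 'UseWUServer') -ne 1) {
            $findings += 'Client does not use the intranet update server (AU\UseWUServer <> 1)'
        }
        foreach ($name in 'WUServer', 'WUStatusServer') {
            $url = Get-PolicyValue $PolicyKey $name
            if ($url -ne $ExpectedWsusUrl) {
                $findings += "$name is '$url', expected '$ExpectedWsusUrl'"
            }
        }
    }

    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        Source       = $Source
        Compliant    = ($findings.Count -eq 0)
        Findings     = $findings
    }
}

# Example call for a WSUS-based setup (URL is a placeholder, not a real server):
Test-UpdateSourcePolicy -Source 'WSUS' -ExpectedWsusUrl 'http://wsus.example.internal:8530'
```

Run it on a reference device of each ring after the group policy has been applied; a non-empty `Findings` list shows which of the prerequisites the management system relies on is still unmet.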
Define rings and create update profiles
The first step is to define the rings relevant to your company based on your own criteria and create the required update profiles in the baramundi Management Suite. Meaningful names and any additional comments are helpful, as is information on the delay of the updates in days.
It should be noted here that definition updates are not delayed by the baramundi Management Suite as this would impair the function of the Windows Defender Antivirus.
Release of classifications and blocking of individual updates
In the next step, you determine the classifications to be generally released. All classifications should be released if possible to ensure security and timeliness.
Depending on requirements, complete products or individual updates can be blocked in the update profile. For example, if “Microsoft Silverlight” should not be installed and updated on company computers, it can be marked as blocked in the update profile and excluded from distribution.
Of course, these releases not only have an effect on distribution, but also directly on the inventory. You can see at any time for each endpoint whether updates are missing and whether they are delayed or blocked.
No mixed operation with online and offline sources
All relevant actions on the endpoint are summarized in the “Manage Microsoft updates” job step. Both an inventory and an update can be selected there. An inventory should be on the to-do list regularly (at least once a week). It simply determines the current update status of the endpoint without installing updates.
In both cases, you can choose from the three sources mentioned above (Microsoft Update Online, Windows Update Online and WSUS). This allows the greatest possible flexibility. However, it is advisable to choose one source in advance and stick with it. Mixed operation with online and offline sources is strongly discouraged, because the data from the WSUS sometimes differ from the data from the online sources, resulting in inconsistencies. This is particularly problematic with regard to the release date, which means the delayed roll-out will not work.
Final inventory? A must
The “Distribute Microsoft updates” action is then used to install the updates. Be sure to select the same source that was previously used for the inventory. In special cases, it is possible to suppress the restart normally required for updates. However, this is not recommended, as it means that some updates cannot be recognized correctly until after the next restart. System updates in particular are usually not fully installed until the restart.
The final inventory, on the other hand, is strongly recommended. This is because it ensures that the current update status is also correctly reported to the baramundi Management Server and considered in the evaluations.
Update profiles are essential
In the next step, update specifications can be defined:
- Manual configuration: All settings such as classification, included and excluded products/updates and time delay can be set granularly.
- Update profile: The update process is based on the settings in the update profile assigned to the endpoint. If no update profile is assigned, the job step is aborted and the endpoint is not updated.
Using update profiles is highly recommended for a consistent and predictable update strategy. Manual configuration is only recommended in individual cases or for test purposes.
Update status at a glance
A multi-colored status bar illustrates the current update status of an endpoint. The detailed list of relevant updates provides an additional overview. The evaluation of the update status is based on the associated update profile – if assigned. An endpoint is only considered up-to-date if the required updates are installed, blocked or delayed. Without an update profile, neither the blocking nor the delay of updates can be taken into account.
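To make the evaluation rule concrete, here is an added example (not baramundi code) that models it in PowerShell: a per-ring update profile with a delay in days and a blocklist, a constructed inventory of missing updates, and a function that classifies each missing update as Blocked, Delayed or Missing and derives the endpoint status from that. It also covers the case mentioned above that definition updates are never delayed, and the case of an endpoint without a profile. The ring names, profile fields, update IDs and dates are all constructed for this illustration.

```powershell
# Added example: simplified model of evaluating an endpoint's update status
# against a ring's update profile. All names and data below are constructed.

# One update profile per ring; the delay counts from the update's release date.
$Profiles = @{
    'Ring-0-Test'     = @{ DelayDays = 0;  BlockedUpdates = @() }
    'Ring-1-Standard' = @{ DelayDays = 7;  BlockedUpdates = @('KB-SILVERLIGHT-SAMPLE') }
    'Ring-2-Critical' = @{ DelayDays = 21; BlockedUpdates = @('KB-SILVERLIGHT-SAMPLE') }
}

# Constructed inventory entries, as a management server might report them.
$SecUpdate  = [pscustomobject]@{ Id='KB-SEC-SAMPLE-1';       Classification='Security Updates';   Released=[datetime]'2024-03-12' }
$DefUpdate  = [pscustomobject]@{ Id='KB-DEF-SAMPLE-1';       Classification='Definition Updates'; Released=[datetime]'2024-03-19' }
$Silverlight = [pscustomobject]@{ Id='KB-SILVERLIGHT-SAMPLE'; Classification='Updates';            Released=[datetime]'2024-02-01' }

function Get-UpdateState {
    param([pscustomobject]$Update, [hashtable]$RingProfile, [datetime]$Today)
    if ($RingProfile.BlockedUpdates -contains $Update.Id) { return 'Blocked' }
    # Definition updates are never delayed: the antivirus depends on them.
    $delay = if ($Update.Classification -eq 'Definition Updates') { 0 } else { $RingProfile.DelayDays }
    $dueDate = $Update.Released.AddDays($delay)
    if ($Today -lt $dueDate) { return 'Delayed' }
    return 'Missing'
}

function Get-EndpointUpdateStatus {
    param(
        [string]$ComputerName,
        [string]$Ring,
        [pscustomobject[]]$Missing,
        [datetime]$Today = (Get-Date).Date
    )
    $ringProfile = $Profiles[$Ring]
    if (-not $ringProfile) {
        # Without a profile, neither blocking nor delay can be evaluated.
        return [pscustomobject]@{ ComputerName=$ComputerName; Ring=$Ring; Status='No profile'; Details=@() }
    }
    $details = foreach ($u in $Missing) {
        [pscustomobject]@{
            Id             = $u.Id
            Classification = $u.Classification
            State          = (Get-UpdateState -Update $u -RingProfile $ringProfile -Today $Today)
        }
    }
    # Up to date only if every missing update is either blocked or still within its delay.
    $status = if ($details | Where-Object State -eq 'Missing') { 'Action required' } else { 'Up to date' }
    [pscustomobject]@{ ComputerName=$ComputerName; Ring=$Ring; Status=$status; Details=$details }
}

# Evaluate three constructed endpoints on a fixed date:
#   PC-A: security update still within the 21-day delay, Silverlight blocked -> Up to date
#   PC-B: additionally lacks a definition update, which is never delayed   -> Action required
#   PC-C: no profile assigned                                              -> No profile
$asOf = [datetime]'2024-03-20'
$endpoints = @(
    @{ ComputerName='PC-A'; Ring='Ring-2-Critical'; Missing=@($SecUpdate, $Silverlight) }
    @{ ComputerName='PC-B'; Ring='Ring-2-Critical'; Missing=@($SecUpdate, $Silverlight, $DefUpdate) }
    @{ ComputerName='PC-C'; Ring='Unassigned';      Missing=@($SecUpdate) }
)
foreach ($e in $endpoints) {
    $r = Get-EndpointUpdateStatus @e -Today $asOf
    "$($r.ComputerName) [$($r.Ring)]: $($r.Status)"
    $r.Details | Format-Table -AutoSize
}
```

The same inventory yields different statuses depending on the ring, which is exactly why the status display only makes sense together with the assigned update profile.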
Update profiles offer more than just release functions
Update profiles are not only used to release/block and delay updates. They can also be used to evaluate the update status, e.g., whether an endpoint fulfills the requirements of the update profile, whether all endpoints assigned to the update profile are compliant, or whether there is a need for action.
The display of the update status of the endpoints according to group affiliation makes it easy to evaluate individual groups (e.g. departments) as well as nested branches (e.g. locations). You can see at a glance whether the devices meet the requirements of the update profile, whether and how many updates are missing, and when they were last inventoried or updated. Of course, it is also possible to filter by status and update profile.
Clear processes mean efficient update management
In the ever-changing world of software updates, it is essential to customize update management as described above. The ring concept introduced by Microsoft and the use of automation tools offer efficient ways to manage updates in a secure and standardized manner. Clear guidelines, regular inventories and the strategic use of update profiles are crucial for successful and well-controlled update processes.