Microsoft patch management can be a time-consuming, labor-intensive, and disruptive process. As a result, many SMBs neglect it—introducing considerable risk to their businesses. A recent study conducted by the Ponemon Institute found that 60% of security breaches can be traced to a known but unpatched vulnerability. A good patch management strategy can minimize the risk associated with these vulnerabilities and prevent attacks.
Microsoft patch management presents a clear opportunity for MSPs and MSSPs. However, to deliver Microsoft patch management as a service, it is crucial to develop an effective strategy and use tools that can automate patch management tasks. Many IT providers use remote monitoring and management (RMM) software, alone or in tandem with additional third-party tools, to deliver patch management services.
Patch Management Challenges
Simply applying Microsoft updates as they are released can actually create more problems than it solves—a quick Google search will reveal how common buggy Microsoft updates can be. Because of this, administrators often wait to patch until they are certain that Microsoft has resolved issues, and even exclude some updates entirely.
For example, many IT providers choose to exclude what Microsoft calls “Preview of Monthly Quality Updates.” These updates contain new, non-security fixes that will be included in the following month’s update. By installing preview updates, you essentially opt-in to beta testing for Microsoft. So, it's easy to understand why IT providers do not install them on their clients’ systems.
Of course, the longer you wait before patching known vulnerabilities, the more you run the risk of attacks. The key to successful patch management is striking a balance between keeping systems as stable and secure as possible, while preventing issues with buggy updates.
Automating patch management with RMM
RMM tools enable IT providers to automate much of the patching process. Let’s take a look at an example workflow using Datto RMM:
- Disable Automatic Windows Update: To use Datto patch management you first need to disable Automatic Windows Update on your devices.
- Set up a patch management policy: A patch management policy allows you to pre-approve patches to be installed on your Windows devices on an ongoing basis, based on conditions you define. You can set up account-level or site-level policies that target multiple devices, define when patching occurs, set automatic approval rules, and define reboot behavior.
- Device audit and patch installations: Once an active patch management policy is in place, devices submit their Windows audit data to the platform on a set schedule. Datto RMM runs the Windows update against your predefined policy filters. Patches are approved or denied and a final approval list is sent back to the devices. The approved updates are automatically downloaded and installed.
Patch Management Best Practices
Obviously, every client has unique needs that you’ll need to account for and this is by no means an exhaustive list of what should be included in your patch management strategy. However, the following five items are a good place to start:
- Create patching and reboot strategy that suits your client’s requirements. For example, you might patch workstations during lunch hours and allow end users to defer updates for a specified time period (e.g., until tomorrow) to avoid impacting productivity.
- Create separate policies for workstations and servers. For example, you might patch desktops and laptops during the day when you know they are likely to be powered up, while patching servers at night since they are typically on 24x7.
- Approve/deny by update type. For example, automatically denying patches that include the word “Preview” (see above).
- Identify and exclude patches that should not be installed to avoid possible hardware or software issues. For example, many IT providers choose to exclude driver software from automated updates.
- Identify devices that cannot be automatically rebooted and create reboot tickets that ensure that those patches will be installed manually.
So, yes, patch management can be challenging. However, there are tools available that enable IT providers to deliver patch management as an effective and profitable service. To learn more about how Datto RMM fits into your patch management strategy, schedule a demo today.
Andrew Burton is senior technical content manager at Datto. Read more Datto guest blogs here.
