This encompasses the patching of Microsoft operating systems, including both Windows 10 and Windows 11, as well as Windows Server versions such as Server 2016, 2019 and 2022.
Every month, Microsoft issues its regular batch of patches. In the United States this is known as Patch Tuesday; in Australia, because of the time difference, it falls on a Wednesday. These patches include both operating system updates and fixes for security vulnerabilities.
It's crucial to adhere to the Essential Eight recommendations, which advise applying critical patches within 48 hours. All other patches should be applied within two weeks.
I previously discussed remote monitoring and management (RMM) tools, which encompass options for patching both third-party software and Windows systems.
Users can choose to automatically approve Windows patches or delay them for a week or two based on their preferences. However, it's important to recognise that there is typically a monthly fee per device associated with using RMM tools. While these tools provide valuable features for patch management, it's crucial to consider the financial impact when incorporating them into your infrastructure.
Alternatively, Windows Update is a built-in service included with all versions of Windows. You can ensure it's enabled and configure it to automatically install patches or delay them for a week. Additionally, you can set a specific time for Windows patches to install.
I typically recommend scheduling this for the early morning, such as 1am. This ensures that if it takes time to download the patches and restart the machine, it all occurs during off-peak hours. By the time you're ready to use the device again, it's fully patched, restarted, and ready to go.
Why would one consider delaying Windows patches? Unfortunately, Microsoft has had a less-than-stellar track record of delivering patches that don't inadvertently crash the system, and such occurrences can be detrimental to production environments. It's essential to exercise caution and avoid deploying updates without proper testing.
I strongly recommend having a dedicated test machine to assess updates before deploying them. Waiting at least a week after release, or 48 hours at a minimum, is a prudent option, as Microsoft tends to withdraw problematic patches from Windows Update quickly.
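As an added example that is not part of the original article, the following PowerShell applies the built-in Windows Update behaviour described above (automatic download and install at 1am, with quality updates held back for a week) through the documented registry-backed Group Policy values, and then reports how long ago the last update was installed against the two-week window. The deferral period, install hour and 14-day threshold are assumptions taken from the recommendations above; run it in an elevated PowerShell session.

```powershell
# Added example (not from the original article). Assumes an elevated session on
# Windows 10/11 or Windows Server; values below mirror the article's recommendations.

$wuPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$auPolicy = Join-Path $wuPolicy 'AU'

function Set-PatchPolicy {
    param(
        [int]$DeferDays = 7,     # hold monthly quality updates for a week after release
        [int]$InstallHour = 1    # 1am local time, an off-peak window
    )
    foreach ($key in @($wuPolicy, $auPolicy)) {
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    }
    # Defer quality (cumulative) updates so a patch Microsoft withdraws never reaches production
    Set-ItemProperty -Path $wuPolicy -Name 'DeferQualityUpdates' -Value 1 -Type DWord
    Set-ItemProperty -Path $wuPolicy -Name 'DeferQualityUpdatesPeriodInDays' -Value $DeferDays -Type DWord
    # AUOptions 4 = auto download and schedule install; ScheduledInstallDay 0 = every day;
    # ScheduledInstallTime is the hour in 24-hour format
    Set-ItemProperty -Path $auPolicy -Name 'NoAutoUpdate' -Value 0 -Type DWord
    Set-ItemProperty -Path $auPolicy -Name 'AUOptions' -Value 4 -Type DWord
    Set-ItemProperty -Path $auPolicy -Name 'ScheduledInstallDay' -Value 0 -Type DWord
    Set-ItemProperty -Path $auPolicy -Name 'ScheduledInstallTime' -Value $InstallHour -Type DWord
}

function Get-PatchAgeReport {
    param([int]$MaxDays = 14)   # Essential Eight: non-critical patches within two weeks
    # Get-HotFix lists installed updates; some entries carry no InstalledOn date, so skip those
    $latest = Get-HotFix | Where-Object InstalledOn |
        Sort-Object InstalledOn -Descending | Select-Object -First 1
    if (-not $latest) {
        return [pscustomobject]@{ Compliant = $false; Reason = 'No installed updates recorded' }
    }
    $age = (Get-Date) - $latest.InstalledOn
    [pscustomobject]@{
        LastUpdate  = $latest.HotFixID
        InstalledOn = $latest.InstalledOn.ToString('yyyy-MM-dd')
        AgeDays     = [int]$age.TotalDays
        Compliant   = ($age.TotalDays -le $MaxDays)
    }
}

Set-PatchPolicy -DeferDays 7 -InstallHour 1
Get-PatchAgeReport -MaxDays 14 | Format-List
```

The policy values take effect at the next Group Policy refresh or reboot; the age report is a quick local check, not a substitute for the RMM or WSUS reporting mentioned earlier.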
What should be done with systems that are no longer supported? Unfortunately, these devices will no longer receive patches and will remain vulnerable to any new exploits that emerge after the software's support ends.
Windows 10 reaches its end of life in October 2025, and because of Windows 11's hardware requirements, a significant number of Windows 10 computers and laptops cannot be upgraded and will need to be replaced. It's therefore crucial to assess and plan for the replacement of incompatible Windows 10 devices before that date, so they remain secure and functional beyond October 2025.
The last topic I'll cover is out-of-band patches, which, although rare, are critical occurrences. One notable instance was on May 12, 2017, when the WannaCry ransomware caused widespread havoc, infecting more than 200,000 computers worldwide. It exploited a vulnerability in the SMBv1 (Server Message Block version 1) service, and it hit the medical sector particularly hard, taking many hospital systems offline.
In response, Microsoft swiftly released an out-of-band patch for all systems, including outdated ones like Windows 7, Windows XP and older versions of Windows Server such as Server 2008. This was unusual for Microsoft, as it was one of the first patches released for operating systems that had already reached end of support.
I hope you found this information helpful, and if you're interested in delving deeper, I recommend further research into the ACSC Essential Eight. As always, if you enjoyed this article or have any suggestions for future topics, feel free to reach out to me at askatech@mmg.com.au