Patch Management - OS Patch & Security Updates

OS Patch & Security Updates

Operating System (OS) patches and security updates are deployed once they are available from the vendor and have completed quality assurance testing. An operating system restart is commonly required to apply the system update.

 

Release Cycle

OS patches and security updates undergo a pre-release period on a subset of production endpoints, before scaled release into the baseline. The pre-release cycle enables ITS to verify the compatibility and functionality of the latest software version.

  • Windows pre-release starts on the second Friday of each month. The production installation starts on the third Tuesday of each month.
  • macOS pre-release starts on the Friday following release. The production installation starts on the second Friday following release.

 

Update Methods

Private Endpoints (Faculty/Staff)

Any desktop, laptop, or tablet assigned to a single user for their private use. Examples include Faculty, Staff, and Students.

  • Required – Endpoints will download available updates every day and automatically restart based on their classification.

 

Shared Endpoints (Lab/Classroom/Conference Rooms) or Kiosks (Digital Signage/Walk-up Stations)

Any desktop, laptop, or tablet that is not assigned to a single user but instead has multiple users. Examples include research or business workstations, lab computers, appliances, kiosks, and digital signs.

  • Scheduled – Endpoints will download available updates every day and automatically restart on a pre-defined weekly schedule or during an established maintenance window.

 

Update Process - Windows

Private Endpoints (Faculty/Staff)

Initial Installation Behavior

Windows Updates are coordinated through Configuration Manager (SCCM / MECM) via Software Center. Configuration Manager will start offering Windows Updates for installation on endpoint devices on the third Tuesday of every month at 2:00 pm, ± 2 hours. Computers that are powered off during this period will be offered the Windows Updates the next time they are powered on. Endpoint devices will then have a period of 7 days to install updates and restart. It is highly recommended that endpoint device users select the option to apply the changes "Right now (recommended)" or select a time of their choice as shown below. Once the Windows Updates have been installed, endpoint device users will have until the deadline to restart their computer.

  • Update reminders will appear every 4 hours before the deadline.
  • Updates may be installed at any time through Software Center using the Updates tab.

Software Center prompt with the text "Required software changes will be applied to your computer. The changes will be applied after 1/27/2022 at 11:52 AM, or you can apply the changes with the following options: Right now (recommended), outside my business hours, snooze and remind me later, restart my computer automatically if needed."

Software Center prompt with the text "Restart your computer" and the options to "Restart now" and "Snooze and remind me again in 1 hour".

Installation and Restart Deadline

Once the installation and restart deadline is reached on the fourth Tuesday of every month at 2:00 pm, ± 2 hours, Configuration Manager will automatically install any needed Windows Updates and then prompt the endpoint device user to restart within 6 hours. Multiple restart notices will be sent during this 6-hour restart window. When 60 minutes remain, a non-dismissible message will be displayed informing any logged-on endpoint device users that the required restart will be occurring soon.

Software Center prompt with the text "Your computer is about to restart."
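
The private-endpoint timeline above can be computed for any month. The Python sketch below is an added example, not ITS tooling or part of the original page; it derives the nominal milestones and reports which phase a given time falls in. Function names and phase labels are assumptions, and the ± 2 hour variance is ignored.

```python
from datetime import datetime, timedelta

TUESDAY, FRIDAY = 1, 4  # datetime.weekday() numbering, Monday = 0

def nth_weekday(year, month, weekday, n):
    """Midnight on the n-th occurrence of `weekday` in the given month."""
    first = datetime(year, month, 1)
    offset = (weekday - first.weekday()) % 7
    return first + timedelta(days=offset + 7 * (n - 1))

def windows_cycle(year, month):
    """Nominal milestones for a private Windows endpoint (± 2 h ignored)."""
    offer = nth_weekday(year, month, TUESDAY, 3).replace(hour=14)
    deadline = nth_weekday(year, month, TUESDAY, 4).replace(hour=14)
    return {
        "pre_release": nth_weekday(year, month, FRIDAY, 2),
        "offer": offer,                                   # third Tuesday, 2:00 pm
        "deadline": deadline,                             # fourth Tuesday, 2:00 pm
        "final_notice": deadline + timedelta(hours=5),    # 60 minutes remain
        "forced_restart": deadline + timedelta(hours=6),  # end of restart window
    }

def phase(now, cycle):
    """Name the phase (labels are assumptions) that `now` falls in."""
    if now < cycle["offer"]:
        return "not-offered"
    if now < cycle["deadline"]:
        return "user-scheduled"
    if now < cycle["final_notice"]:
        return "forced-install-restart-pending"
    if now < cycle["forced_restart"]:
        return "non-dismissible-notice"
    return "restart-enforced"

if __name__ == "__main__":
    cycle = windows_cycle(2024, 3)  # constructed sample month
    for name, when in cycle.items():
        print(f"{name:15} {when:%a %Y-%m-%d %H:%M}")
    print(phase(datetime(2024, 3, 26, 19, 30), cycle))
```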

 

Shared Endpoints (Lab/Classroom/Conference Rooms) or Kiosks (Digital Signage/Walk-up Stations)

Installation and Restart Behavior

Windows Updates are coordinated through Configuration Manager (SCCM / MECM) via Software Center and are largely automated for endpoint devices in this classification. Configuration Manager will begin installing Windows Updates on shared endpoints on the second Friday of every month at 10:00 pm. A restart will then be scheduled and completed 6 hours later, at 4:00 am. Computers that are powered off during this period will wait until their next maintenance window and not prompt endpoint device users for action.

Maintenance Windows

Shared endpoint devices running Windows will have a maintenance window from 10:00 pm to 7:00 am daily by default. An alternate 12:00 am to 6:00 am daily maintenance window is available by request. Windows Updates will only be installed during this time window unless manually run via Software Center or Updates and Security (via Windows Settings).

 

 

Update Process - macOS

Software updates for macOS do not occur on a regular schedule. Available macOS updates will generate a Nudge popup for the user to acknowledge.

  • Nudge will direct users to System Preferences / System Settings to install available updates.
  • A user can defer updates until the required installation date, for varying lengths of time ranging from 1 hour to a user-defined custom date and time.
  • A user can start a software update at any time through Self Service or System Preferences.
  • Once the required installation deadline has passed, users will not be able to defer update notifications. Users can click away from the Nudge popup to other applications to save their work before installation, but Nudge will present itself again every few minutes. The only way to fully close the Nudge popup after the deadline has passed is to install the available updates.

Nudge popup before the installation deadline:

Nudge popup appearance before the installation deadline has passed.

Nudge popup after the installation deadline has passed:

Nudge popup appearance after installation deadline has passed.