Hey everyone, Mike here with the SysAdmin School, and in this post I want to go over Microsoft Windows patching. In my previous post (Supported Versions of Windows) I created a table of all the different Microsoft Windows operating systems and how long each one will be supported.
As long as a version of Windows is still supported, Microsoft will continue to release patches for it. These patches include security patches as well as updates to the operating system. Once a version of Windows is no longer supported, Microsoft stops releasing updates for it and, more importantly, stops releasing security updates for it. In rare cases, when an especially bad vulnerability is found, Microsoft will sometimes release a security fix for unsupported operating systems anyway.
Why is Windows Patching so Important?
From the above I think you can see why Windows patching is so important. Whenever a vulnerability that applies to Windows is discovered, Microsoft works on a security patch to fix it. But all of that does no good unless you actually apply the security patches. So applying Windows patches is super important to keep your servers and desktop computers secure.
Ideally you want to apply patches within 30 days of Microsoft releasing them. This gives you time to test the patches first and make sure they do not break anything in your production environment. It is not unheard of for a Microsoft patch to break something.
How do we patch a server?
There are multiple ways to patch a Windows server. From within the OS itself we can initiate an update to download and install Windows patches. The first, and one of the easiest, ways is to go into Settings within Windows.
From there we click on “Update & Security” and we will be taken to the Windows Update screen. Here you can see the last time Windows checked for updates, and you can even see your update history if you want.
From here it is pretty self-explanatory: we just click “Check for Updates” and it will start looking for updates. Depending on your internet connection, this could take anywhere from a couple of minutes to upwards of 20 or 30 minutes.
Once Windows determines what updates it needs, it will download the updates and then install them. This isn’t the only way we can install updates on a server. We can also use a handy tool called sconfig.
To use this tool we simply open an elevated command prompt, so open command prompt as an administrator. Once the command prompt loads simply type sconfig.
From here you can see that option 6 will download and install updates. If we select option 6 we get a new window where we can choose to search for all updates or just the recommended ones. Once the search is done we have the option to install all updates or a single update.
In this case we are going to install ALL updates so we will press A.
Updates will now be downloaded and automatically installed. If a reboot is needed afterwards you will be prompted for one.
Can Patching be Automated?
A big question you may be asking is: can patching be automated? It absolutely can. I couldn’t imagine doing this process by hand for every server in an environment that has more than 50 servers.
The best way to automate patching is with an application called SCCM. This is System Center Configuration Manager, which is an application from Microsoft. With SCCM you can automate the patching process as well as the reboots if they are needed. But to be honest you can get pretty creative here, and you can actually write a PowerShell script to automatically pull patches and install them on every server.
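To show what such a script looks like, here is an added example (not code from the original post) that drives the built-in Windows Update Agent COM API, the same engine behind the Settings page and sconfig option 6. It assumes you run it from an elevated PowerShell prompt on the server being patched; the -ReportOnly switch gives you the list of pending updates for your test window, and the 30-day threshold is the one this post recommends.

```powershell
# Added example, not code from the original post. Searches, downloads and installs
# updates with the built-in Windows Update Agent COM API. Run from an elevated prompt.
# Note: WUA refuses Download()/Install() from a remote PowerShell session, so to run
# this across many servers deploy it as a scheduled task rather than via Invoke-Command.
[CmdletBinding()]
param(
    [switch]$ReportOnly,   # list pending updates and how long they have been out
    [switch]$Reboot,       # reboot afterwards if the install requires it
    [int]$MaxAgeDays = 30  # warn about anything older than the post's 30-day window
)

$session  = New-Object -ComObject Microsoft.Update.Session
$searcher = $session.CreateUpdateSearcher()
# Same scope as "all updates" in sconfig: not installed, not hidden, software only.
$result   = $searcher.Search("IsInstalled=0 and Type='Software' and IsHidden=0")

$pending = foreach ($u in $result.Updates) {
    [pscustomobject]@{
        KB      = ($u.KBArticleIDs | ForEach-Object { "KB$_" }) -join ','
        Title   = $u.Title
        AgeDays = (New-TimeSpan -Start $u.LastDeploymentChangeTime -End (Get-Date)).Days
    }
}
$pending | Format-Table -AutoSize
$pending | Where-Object AgeDays -gt $MaxAgeDays |
    ForEach-Object { Write-Warning "$($_.KB) has been available for $($_.AgeDays) days" }

if ($ReportOnly -or $result.Updates.Count -eq 0) { return }

# Equivalent of pressing A in sconfig: accept EULAs, download, then install everything.
$coll = New-Object -ComObject Microsoft.Update.UpdateColl
foreach ($u in $result.Updates) {
    if (-not $u.EulaAccepted) { $u.AcceptEula() }
    [void]$coll.Add($u)
}
$downloader = $session.CreateUpdateDownloader()
$downloader.Updates = $coll
[void]$downloader.Download()

$installer = $session.CreateUpdateInstaller()
$installer.Updates = $coll
$ir = $installer.Install()
# ResultCode 2 = succeeded, 3 = succeeded with errors, 4 = failed
"Install result code: $($ir.ResultCode)  Reboot required: $($ir.RebootRequired)"

if ($ir.RebootRequired -and $Reboot) { Restart-Computer -Force }
```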
There are other options for patch management from third-party companies. SolarWinds is a great company that makes some great products, and one of those products is “SolarWinds Patch Manager”. As of this post I have never used this application, so I am not going to directly recommend it. But I have used other SolarWinds products and they are all easy to set up and very intuitive to use. I hope to get a copy of SolarWinds Patch Manager in the future to create a tutorial for you.
I would love to know if there are any tools you have found for patch management that you love. Let me know in the comments below.