What are Monthly Software Updates?
Monthly Software Updates are Microsoft's monthly release of security fixes for the Windows operating system and other Microsoft software. The release is also referred to as Patch Tuesday.
Most Patch Tuesday updates correct vulnerabilities in the Windows desktop and server operating systems. They also fix issues in Microsoft Office applications, Azure hybrid cloud applications and the Visual Studio code editor. The updates cover supported Windows systems, including Windows operating systems that have reached end of life but have protection through Microsoft's Extended Security Update program.
Microsoft releases most of its security patches on Patch Tuesdays. Fixes for more serious vulnerabilities, called out-of-band patches, are the exception.
Patch Tuesday occurs on the second Tuesday of each month at about 10 a.m. Pacific Standard Time. Microsoft releases its monthly software updates at that time. The company selected the Tuesday schedule to give administrators a dedicated day to prepare to deploy updates.
How are these updates scheduled at Chico State?
At Chico State, the ITSS department of the Division of IT manages and deploys these and other updates with the Microsoft Endpoint Configuration Manager.
The Configuration Manager synchronizes its list of updates with Microsoft, then downloads and prepares the updates to be delivered to campus on the following schedules:
- A Pilot group of computers has the updates available for installation from Software Center as soon as they are prepared on Tuesday, usually mid-afternoon. The Pilots are required to install the updates by 5 pm that same day. If any of the updates require a computer restart to fully apply (and most security updates DO need a restart), then a restart is also required after a 24-hour grace period. Pilots are monitored for unexpected negative effects. If any are noticed, they are traced to the applicable update, and that update is withheld from production. (This is rare.)
- The Production group of computers also has the updates available for installation from Software Center as soon as they are prepared on Tuesday, usually mid-afternoon. The Production group is required to install the updates by 5 pm two days later, on the Thursday after Patch Tuesday. If any of the updates require a computer restart to fully apply (and most security updates DO need a restart), then a restart is also required after a 24-hour grace period, on the Friday after Patch Tuesday at 5 pm.
- While most updates will fall into the standard Patch Tuesday deployment cycle, ITSS also monitors Microsoft Security Bulletins and Microsoft Defender Console for high and critical severity vulnerabilities and will prioritize patching as needed. Should high and critical vulnerabilities be reported, out-of-band patching may result if immediate prioritization becomes required.
Do I have to follow this schedule?
ITSS recommends that you install the updates as soon after they become available in Software Center as convenient. To minimize the disruption of an enforced restart, try installing the updates on Wednesday afternoon, then restarting the PC when you leave for the day. There's no need to wait for the forced install Thursday or the enforced restart Friday.
Choose a day and time that suits you.
Why is patching important?
Regular patching provides the following advantages:
- corrects software problems, including vulnerabilities, bugs and compatibility issues;
- keeps software updated and functioning properly; and
- introduces features.
Microsoft urges its customers to patch as soon as it releases these security updates. Malicious actors constantly scrutinize the code in Microsoft's patches to gather clues to develop malware variants.
What are out-of-band patches?
An out-of-band patch is a software fix released outside of the Patch Tuesday schedule. These patches are released to stop the spread of critical vulnerabilities.
For example, Microsoft would release such a patch for a zero-day exploit that was considered a threat to many systems. It would release an out-of-band patch and an advisory to prompt users to take immediate action. If the patch applied to Windows OS, Microsoft would include it in the next Patch Tuesday as part of its cumulative update servicing model.
When an out-of-band patch is released, ITSS prepares the update and deploys it through Software Center, first to the Pilot group and then to the Production group of computers.
Do I have to receive Software Updates?
Yes. This is required in order to comply with the minimum workstation standards policies published by our Chancellor's Office at https://calstate.policystat.com/policy/11773867/latest/#autoid-6w2ve, which state: "Workstation computers must be configured to allow automatic application of software updates through a patch management system."