Quick Links: | Overview | Schedule |
Overview
What are Monthly Software Updates?
Monthly Software Updates, also known as Patch Tuesday, are Microsoft's monthly release of security fixes for the Windows operating system and other Microsoft software.
Patch Tuesday occurs on the second Tuesday of each month at approximately 10 a.m. Pacific Standard Time. Microsoft chose this schedule to give administrators a dedicated day to prepare for and deploy updates.
Most Patch Tuesday updates address vulnerabilities in Windows desktop and server operating systems. They also resolve issues in Microsoft Office applications, Azure hybrid cloud services, and the Visual Studio code editor. These updates cover all supported Windows systems, including those that have reached end of life but still receive protection through Microsoft's Extended Security Update program.
Why is patching important?
Regular patching offers several key advantages:
- Correct Software Issues: Addresses vulnerabilities, bugs, and compatibility problems
- Maintains Software Functionality: Ensures that software remains updated and operates smoothly
- Introduces New Features: Provides enhancements and new functionalities
Microsoft strongly advises its customers to apply these security updates as soon as they are released. Malicious actors often examine Microsoft's patches to find clues for developing malware variants, making timely patching crucial for security.
What are out-of-band patches?
While most security patches are released on Patch Tuesday, Microsoft occasionally issues out-of-band patches to address more serious vulnerabilities.
An out-of-band patch is a software fix released outside of the regular Patch Tuesday schedule. These patches are deployed to stop the spread of critical vulnerabilities.
For example, Microsoft would release such a patch for a zero-day exploit that was considered a threat to many systems. Along with the patch, Microsoft would issue an advisory urging users to take immediate action. If the patch applies to the Windows OS, it will also be included in the next Patch Tuesday as part of the cumulative update servicing model.
When an out-of-band patch is released, ITSS prepares the update and deploys it through Software Center first to Pilots, and then to Production groups of computers.
Do I have to receive Software Updates?
Yes. This is required to comply with the minimum workstation standards policies published by our Chancellor's Office. You can read more here: https://calstate.policystat.com/policy/11773867/latest/#autoid-6w2ve
"Workstation computers must be configured to allow automatic application of software updates through a patch management system."
Update Schedule
How are these updates scheduled at Chico State?
At Chico State, IT Support Services manages and deploys these and other updates with the Microsoft Endpoint Configuration Manager.
The Configuration Manager synchronizes its list of updates with Microsoft, then downloads and prepares the updates for campus deployment according to the following schedule:
Pilot Group Development
- Updates are available for installation from the Software Center as soon as they are prepared on Tuesday, typically by mid-afternoon
- Pilots must install the updates by 5 pm that same day
- If any updates require a computer restart to fully apply (most security updates do), a restart is required after a 24-hour grace period
- Pilots are monitored for unexpected negative effects. If issues are found and traced to specific updates, those updates are withheld from production (though this is rare)
Production Group Deployment
- Updates are available for installation from the Software Center as soon as they are prepared on Tuesday, typically by mid-afternoon
- The Production group must install the updates by 5 pm on the Thursday following Patch Tuesday
- If any updates require a computer restart to fully apply (most security updates do), a restart is required after a 24-hour grace period, on the Friday after Patch Tuesday at 5 pm
While most updates follow the standard Patch Tuesday deployment cycle, ITSS also monitors Microsoft Security Bulletins and the Microsoft Defender Console for high and critical severity vulnerabilities. If such vulnerabilities are reported, patching is prioritized accordingly, and out-of-band patching may be implemented if immediate action is required.
Do I have to follow this schedule?
ITSS recommends that you install updates as soon as they become available in the Software Center. To minimize disruption from an enforced restart, consider installing the updates on Wednesday afternoon and restarting your PC before leaving for the day. This way, you can avoid the forced installation on Thursday and the enforced restart on Friday.
Feel free to choose a day and time that best suits your schedule.