Is it possible to have all systems patched 100%?

The realistic answer, unfortunately, is no.

As part of Compuquip’s Managed IT Services program, we provide our clients with standard patch management services. Our agreement covers Microsoft Critical Security Patches related to the operating system on both servers and workstations. We commit to patching our clients’ systems with the latest critical security patches, as defined by Microsoft (the creator of the software) after we have properly tested them in our lab.

At the end of every month, once our clients have had a chance to review the patch reports, or during most status meetings, we receive the faithful question: ‘why aren’t the systems fully patched?’ It is a very fair question…

First, I think it’s important that we level-set on what’s involved with patching systems and on the challenges patch management brings, which come down to several factors:

  • Volume – Microsoft releases patches every month. Each of these patches needs to be evaluated, tested and then released.
  • Complexity / Compatibility – The operating system is a critical component of any system and therefore any changes (even ones to improve security) can break things.
  • Device Changes – Companies are adding computers and servers at a rapid pace and keeping track of them to ensure they are patched is a challenge.

Microsoft releases its patches on a monthly basis, unless an immediate security flaw is discovered, in which case an ‘out-of-band’ patch is released to the public. Ahead of time, we set a pre-determined patch window with each of our clients and ask them to leave their computers on so that we may apply patches and reboot machines as necessary.

We test the patches in our lab once they are released and then, assuming no issues are found after a week, we release the patches internally to our end users for another week of testing. Assuming systems are stable, we roll the patches out to our clients over the following two weeks before the entire cycle starts again.

Seems simple enough, right? Yet it isn’t…

In our experience, amazingly enough, the single largest reason that machines are not fully patched is the user. Either the user doesn’t leave their machine on during the preset window, or they disable the update while it’s running. It’s no wonder IT professionals have made outsourcing of patch management the most popular managed service!

Patch Management is a never-ending battle but, as with all of our services, we are committed to always improving. In return, all we ask is for you, the user, to leave those machines on!

Together we can work towards patch status of 100%!

Eric Dosal
President & CEO

Posted on July 16th, 2010. Filed under Industry Updates, Popular Posts.