The process for patch management is being updated on all Windows-based Niagara College employee computers to ensure all security and administrative updates are installed in a more intuitive and timely manner. Maintaining patch compliance has never been more important as we continue the migration toward laptops and remote work practices, where on-campus security measures can no longer help protect less compliant computers. The new patch process has been thoroughly tested on newly deployed computers over the past several months, and the next phase of the rollout is to implement the process on all remaining employee computers over a two- to three-month timeline.
What to expect from the patch process:
The new patch process will leverage a Microsoft tool called Windows Update for Business (WUfB). This tool will manage the entire patch process, including compliance enforcement and reporting. Our implementation approach will include a number of notifications and prompts throughout the patch process, designed to offer employees as much control of patch timing as possible to minimize disruption to other activities, while ensuring patches are installed reliably by the end of the cycle.
Patches are released by Microsoft on the second Tuesday of every month – this recurring date will be the starting point for our new monthly patch process. Our patch process will include three distinct groups called “rings” to ensure all new patches are tested in a controlled environment before they are widely distributed to employee computers.
Ring 1 – will comprise a small group of primarily technical staff who will receive patches immediately upon release and will have two days to install them before a mandatory computer reboot finalizes the patch application.
Ring 2 – will comprise a larger number of employee computers, which will assist in further verifying the released patches. This group will receive patches five days after the Patch Tuesday release date and will have five days to complete patch installation and reboot proactively before a forced restart occurs at the end of the patch cycle.
Ring 3 – will comprise all remaining Niagara College non-lab computers. This group will receive patches 15 days after Patch Tuesday and will be given approximately six days to complete installation and reboot proactively before a forced restart occurs at the end of the patch cycle.
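The ring schedule above can be turned into concrete dates for a given month. The following is an added example, not Niagara College's or Microsoft's own tooling: the function names and status labels are hypothetical, Ring 3's "approximately six days" is assumed to be exactly six, and windows are counted in whole calendar days.

```python
from datetime import date, timedelta

# Per ring: (days after Patch Tuesday until patches are offered,
#            days allowed to install and reboot before the forced restart).
# Values come from the ring descriptions above; Ring 3's window is assumed to be 6.
RINGS = {1: (0, 2), 2: (5, 5), 3: (15, 6)}


def patch_tuesday(year, month):
    """Return the second Tuesday of the given month."""
    first = date(year, month, 1)
    # weekday(): Monday=0, Tuesday=1. Days from the 1st to the first Tuesday:
    to_first_tuesday = (1 - first.weekday()) % 7
    return first + timedelta(days=to_first_tuesday + 7)


def ring_window(year, month, ring):
    """Return (offered_on, forced_restart_on) for one ring's monthly cycle."""
    deferral, grace = RINGS[ring]
    offered = patch_tuesday(year, month) + timedelta(days=deferral)
    return offered, offered + timedelta(days=grace)


def device_status(year, month, ring, today, restarted_on=None):
    """Classify a device for this cycle (labels are hypothetical).

    restarted_on is the date of the device's last restart, if known. A device
    that is past its deadline with no restart recorded since the offer date
    (for example a laptop that has been offline) is reported as overdue.
    """
    offered, deadline = ring_window(year, month, ring)
    if today < offered:
        return "not-offered"
    if restarted_on is not None and offered <= restarted_on <= today:
        return "compliant"
    if today <= deadline:
        return "restart-pending"
    return "overdue"


if __name__ == "__main__":
    for ring in RINGS:
        offered, deadline = ring_window(2024, 6, ring)
        print(f"Ring {ring}: offered {offered}, forced restart {deadline}")
```

Note that Ring 3's window can run into the following calendar month, so a report keyed on calendar month alone would misclassify those devices.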
The new patch process will provide the following timely notifications and reminders to staff:
Step 1 – Patches will download and install in the background while you work. Once complete, the notification below is presented to advise you of patch installation and provide options to complete the process.
You are presented with four options: pick a time, restart tonight, restart now, or you can ignore or cancel the notification.
The date or duration included on the notification clearly identifies how much time you have to reboot your computer and complete the process. If you don’t reboot proactively, your computer will force restart after a final warning message, described below. Proactive reboot is the recommended option to avoid disruption or potential loss of unsaved data.
Caution is recommended when scheduling a restart. Make sure you have adequately prepared for it, particularly if you will be away from your desk, as the reboot will occur whether you are there or not.
Step 2 – Additional reminder notifications will be presented, depending on your choice in step 1. If you cancelled the notification, you will be reminded again with a similar notification over subsequent days.
If you chose to pick a time, you will see this notification 15 minutes prior to the forced restart, with options to further delay the restart if required, or restart immediately.
Step 3 – If you ignored previous messages, the following will be displayed 12 hours before the end of the patch cycle and the forced restart.
The notification clearly identifies the exact time of the forced reboot. If you close this notification, it will return periodically offering you a further chance to close applications and perform a user-initiated restart.
Step 4 – If you have not already taken proactive steps to restart your system and complete the patch process, a final notification shown here will be presented warning you of the imminent restart of your computer.
Note that once again the time is identified; however, there is no countdown timer or other obvious visual indicator of time remaining. Also, a “Confirm” button has replaced the previous “Ok” used to clear/ignore the message, which draws further attention to the importance of any decision to further delay the mandatory restart. If you ignore this final message, your computer will shut down with no further warning and any unsaved work will be lost.
Patch management and the requirement for all users of technology to play a part in device security have been a reality for years. Patch cycles apply to most modern electronic equipment, for both personal and work-related devices, and have become an expected element of technology use.
The above process follows industry practice and is critical to ensure that Niagara College computers and network systems remain safe for all users. The process was designed to balance the need for timely patching with the need of college employees to coordinate the impact of patch installation around important and time-sensitive work activities.
ITS strongly encourages all employees to apply patches proactively, and as soon as possible after the first notification is received. This not only ensures your computer is as secure as possible, it also gives you the most control over the reboot step. For those required to delay the reboot for whatever reason, the notifications provide timely reminders to ensure there are no surprises at the end of each patch cycle.