Patch Management - OS Patch and Security Updates

Objective

Operating System (OS) patches and security updates deploy as they become available from the vendor and have completed quality assurance testing. An operating system restart is commonly required to apply the system update.

A detailed walk through for the update processes for Windows and macOS endpoints can be found below:

Users

  • All University faculty, staff or students with a University-managed desktop, laptop or tablet
  • Users of University-managed shared endpoints - labs, classrooms, conference rooms or kiosks

Release Cycle

OS patches and security updates undergo a pre-release period on a subset of production endpoints, before scaled release into the baseline. The pre-release cycle enables ITS to verify the compatibility and functionality of the latest software version.

  • Windows pre-release starts on the second Friday of each month. The production installation starts on the third Tuesday of each month.
  • macOS pre-release starts on the Friday following release. The production installation starts on the second Friday following release.

Update Methods

Private Endpoints (Faculty/Staff)

Any desktop, laptop, or tablet assigned to a single user for their private use. Examples include Faculty, Staff, and Students.

  • Required – Endpoints will download available updates every day and automatically restart based on their classification.

 

Shared Endpoints (Lab/Classroom/Conference Rooms) or Kiosks (Digital Signage/Walk-up Stations)

Any desktop, laptop, or tablet that is not assigned to a single user but instead has multiple users. Examples include research or business workstations, lab computers, appliances, kiosks, and digital signs.

  • Scheduled – Endpoints will download available updates every day and automatically restart on a pre-defined weekly schedule or during an established maintenance window.

 

Update Process - Windows

Private Endpoints (Faculty/Staff)

 

Initial Installation Behavior

Windows Updates are coordinated through Configuration Manager (SCCM / MECM) via Software Center. Configuration Manager will begin offering to install Windows Updates on endpoint devices beginning on the third Tuesday of every month at 2:00 pm, ± 2 hours. Computers that are powered off during this period will begin offering installation of Windows Updates the next time they are powered on. Endpoint devices will then have a period of 7 days to install updates and restart. It is highly recommended that endpoint device users select the option to apply the changes "Right now (recommended)" or select a time of their choice as shown below. Once the Windows Updates have been installed, endpoint device users will have until the deadline to restart their computer.

  • Update reminders will appear every 4 hours before the deadline.
  • Updates may be installed at any time through Software Center using the Updates tab.

A notification window that states "required software changes will be applied to your computer" with options to apply changes now, outside business hours, or snooze the notification.

 

A notification window that states "You must restart your computer to complete the installation of applications or software updates by:" with a 5 hour time limit. Options are available to restart now or snooze the reminder for 1 hour.

Installation and Restart Deadline

Once the installation and restart deadline is reached on the fourth Tuesday of every month at 2:00 pm, ± 2 hours, Configuration Manager will automatically install any needed Windows Updates and then prompt the endpoint device user to restart within 6 hours. Multiple restart notices will be sent during this 6-hour restart window. When 60 minutes remain, a non-dismissible message will be displayed informing any logged-on endpoint device users that the required restart will be occurring soon.
A notification window that states "Your computer is about to restart" with a 4 hour countdown. Buttons are available to restart now or to snooze the notification. This does not affect the countdown time.

 

Shared Endpoints (Lab/Classroom/Conference Rooms) or Kiosks (Digital Signage/Walk-up Stations)

 

Installation and Restart Behavior

Windows Updates are coordinated through Configuration Manager (SCCM / MECM) via Software Center and are largely automated for endpoint devices in this classification. Configuration Manager will begin installing Windows Updates on shared endpoints on the second Friday of every month at 10:00 pm. A restart will then be scheduled and completed 6 hours later, at 4:00 am. Computers that are powered off during this period will wait until their next maintenance window and not prompt endpoint device users for action.

Maintenance Windows

Shared endpoint devices running Windows will have a maintenance window from 10:00 pm to 7:00 am daily by default. An alternate 12:00 am to 6:00 am daily maintenance window is available by request. Windows Updates will only be installed during this time window unless manually ran via Software Center or Updates and Security (via Windows Settings).

 

Update Process - macOS

Software updates for macOS do not occur on a regular schedule. Available macOS updates will generate a Nudge popup for the user to acknowledge.

  • Nudge will direct users to System Preferences / System Settings to install available updates.
  • A user can defer updates until the required installation date, for varying lengths of time ranging from 1 hour to a user-defined custom date and time.
  • A user can start a software update at any time through Self Service or System Preferences.
  • Once the required installation deadline has passed, users will not be able to defer update notifications. Users can click away from the Nudge popup to other applications to save their work before installation, but Nudge will present itself again every few minutes. The only way to fully close the Nudge popup after the deadline has passed is to install the available updates.

Nudge popup before the installation deadline:
macOS notification that states "Your device requires a security update" with buttons to open Software Update or defer.

Nudge popup after the installation deadline has passed:
macOS notification that states "Your device requires a security update". The only available button is to Open Software Update.

Print Article

Related Articles (5)

Baseline Security
This article outlines the NU IT Risk Classifications of Low, Medium, and High. These configurations align with National Institute of Standards and Technology (NIST) frameworks (800-53, 800-171), and Center for Internet Security (CIS) Levels 1 & 2.
Installing Software Using Self Service for Mac OS
This will walk you through the process of logging in and install software from the MacOS Self Service application
Installing Software Using Software Center for Windows
This will walk end users through the process of installing something from the Software Center for Windows.
Patch Management - Third Party Application Updates
Third-party application updates involve software patches or upgrades released by developers outside of the original platform provider. These updates enhance functionality, fix bugs, and address security vulnerabilities in applications. This article details the processes for running third-party application updates on Windows and macOS.
Supported Operating Systems
This article details all of the Operating Systems and their respective versions that are supported by the university.

Related Services / Offerings (4)

Executive Memorandum 16 (EM16)
Policy for Responsible Use of University Computers and Information Systems
Patch Management
Patch Management ensures that University endpoints are consistently running the latest approved versions of operating systems, security patches, and common third-party applications. Protecting devices from vulnerabilities and ensuring compatibility with services.
Technology Support
Desktop Support is an area whose primary role is the direct support of end users with their hardware and software needs. Our mission is to provide professional and respectable support of hardware and software needs of Students/Faculty/Staff on each campus.
Vulnerability and Compliance Management
Vulnerability and compliance management creates a secure environment at the university by providing technicians with the necessary tools to quickly identify and mitigate any security risks or potential threats.