Windows and Application Patching

Windows Patching

Windows patching is configured by default for endpoints when they are onboarded into Configuration Manager.  This is accomplished by automatic membership into three collections:

  1. A global EPM managed Maintenance Window collection that applies a governance approved global maintenance window for all devices.
  2. An ITSO controlled 'include' maintenance window collection whose membership is included in the global collection.
  3. An ITSO Software Update collection where updates are deployed to.

Servers

While Windows servers use the same collection structure, servers are opt-in. A server device collection will need to be added to the corresponding software update collection. The same is true for a maintenance window. Add your server collection(s) to a maintenance window.

Maintenance Window collections

The global Maintenance Window collection is controlled by EPM, but ITSOs can exclude their clients from it. Its maintenance schedule is "Every Day 0000-0600".

Collection Name                    Schedule
EPM - MW - Every Day 0000-0600     Every Day 12:00 AM - 06:00 AM

Department-specific collections are found under Assets and Compliance \ Device Collections \ <your DEPT collection> \ Software and Update Maintenance \ Maintenance Windows.

  • Include: Devices in this collection use the defined maintenance window.
  • Exclude: Devices in this collection are removed from the "global maintenance window" (Include collection) so that an ITSO can define their own.

Collection Name                                Schedule                         Membership
<DEPT> - MW - Every Day 0000-0600 - Include    Every Day 12:00 AM - 06:00 AM    Defined by including "All <DEPT> Clients"
<DEPT> - MW - Every Day 0000-0600 - Exclude    Every Day 12:00 AM - 06:00 AM    Determined by the ITSO


If devices are excluded, the ITSO must define a maintenance window for them; otherwise devices in the Exclude collection will install updates, and possibly restart, as soon as those updates become available. Adding devices to the Exclude collection does not exclude them from receiving updates.
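The following script is an added example, not part of this page or of Configuration Manager's own tooling. It covers the two ITSO tasks described above: opting a server collection in to patching by including it in the maintenance window and Software Update collections, and auditing the Exclude collection so that no excluded device is left without a maintenance window. It assumes the Configuration Manager console (with its PowerShell module) is installed on the machine running it, that WinRM is reachable on the clients, and that the site code and the $UpdateCollection name are placeholders you replace; the collection names follow the "<DEPT> - MW - Every Day 0000-0600 - Include/Exclude" convention shown in the table. The CCM_ServiceWindow type codes used in the client check (1 = all deployments, 4 = software updates) are from Microsoft's client SDK documentation.

```powershell
<#
  Added example (not from this page). Audits an ITSO's maintenance window collections
  and optionally opts a server collection in to patching.
  Assumptions: Configuration Manager console module present; WinRM enabled on clients;
  $SiteCode and $UpdateCollection are placeholders for your environment.
#>
param(
    [Parameter(Mandatory)] [string] $Dept,      # the DEPT prefix used in your collection names
    [string] $SiteCode = 'ABC',                 # PLACEHOLDER: your site code
    [string] $ServerCollection,                 # optional: server collection to opt in to patching
    [string] $UpdateCollection                  # optional: the matching Software Update collection
)

Import-Module "$($env:SMS_ADMIN_UI_PATH)\..\ConfigurationManager.psd1"
Set-Location "$($SiteCode):"

$includeName = "$Dept - MW - Every Day 0000-0600 - Include"
$excludeName = "$Dept - MW - Every Day 0000-0600 - Exclude"

# 1. Confirm what feeds the Include collection (expected: "All <DEPT> Clients").
Write-Host "Include rules on '$includeName':"
Get-CMCollectionIncludeMembershipRule -CollectionName $includeName |
    ForEach-Object { "  $($_.RuleName)" }

# 2. The Exclude collection is where the risk lives: a device in it that is covered by
#    no other maintenance window installs updates (and may restart) as soon as they arrive.
$excludeMembers = @(Get-CMCollectionMember -CollectionName $excludeName)
Write-Host "'$excludeName' currently holds $($excludeMembers.Count) device(s)."

foreach ($device in $excludeMembers) {
    # Ask the client itself which service windows it has actually received.
    # Type 4 = software update window, Type 1 = applies to all deployments.
    # No rows of either type means the client will patch at any time.
    try {
        $windows = @(Invoke-Command -ComputerName $device.Name -ErrorAction Stop -ScriptBlock {
            Get-CimInstance -Namespace 'root\ccm\ClientSDK' -ClassName 'CCM_ServiceWindow' |
                Where-Object { $_.Type -in 1, 4 } |
                Select-Object Type, StartTime, EndTime
        })
        if ($windows.Count -eq 0) {
            Write-Warning "$($device.Name) is excluded but has NO maintenance window: it will patch and may restart immediately."
        } else {
            Write-Host "$($device.Name): $($windows.Count) maintenance window(s) in effect."
        }
    } catch {
        Write-Warning "$($device.Name): could not query client ($($_.Exception.Message))"
    }
}

# 3. Servers are opt-in. Include the server collection in both the maintenance window
#    collection and the Software Update deployment collection.
if ($ServerCollection) {
    Add-CMDeviceCollectionIncludeMembershipRule -CollectionName $includeName -IncludeCollectionName $ServerCollection
    if ($UpdateCollection) {
        Add-CMDeviceCollectionIncludeMembershipRule -CollectionName $UpdateCollection -IncludeCollectionName $ServerCollection
    }
    # Collection evaluation is scheduled; force it so the new members show up right away.
    Invoke-CMCollectionUpdate -CollectionName $includeName
}
```

Run it from an elevated console on a machine with the console installed, e.g. `.\Audit-MaintenanceWindows.ps1 -Dept 'SALES' -SiteCode 'ABC'`, and add `-ServerCollection` / `-UpdateCollection` when enrolling servers. The client-side query is the authoritative check: it shows the windows the client has actually evaluated, regardless of which collection delivered them.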

Inventory collections

A range of "inventory collections" have been created to limit and scope the application of updates and other software.  These are located in the "Operating Systems" and "Software Installations" collections.


Software Updates collections

Software Update deployment collections exist in the ITSO Subscription per Operating System major version and for each Office major architecture type, and membership of those is limited to the inventory collections above. Software Update deployments are applied to the collections in the Software Update folder in the ITSO Subscription. Refer to Configuration Manager #1 Glossary of Key Terms and Concepts for definitions of Available vs. Required deployments.

Office and Windows updates

By default (Subscriptions set up from 2022 onward), all Windows 10 clients, all Windows 11 clients, all Office MSI clients, and all Office 365 and LTSC clients are included in the "Required" update collections for each of the groups of clients listed.


This infrastructure creates the necessary framework to automatically patch a client with appropriate OS and Office Updates every day at midnight.

Feature updates (Enablement Package)

Patching as described at the start of this page will not upgrade Windows to a new build. Deploy a new build when you are ready, because builds that fall out of support no longer receive patches. The process of deploying an enablement package is similar to deploying a Software Update.

From the Configuration Manager console:

  • Go to Software Library \ Windows Servicing \ All Windows Feature Updates
  • Use search to filter, for example type in "22H2" and click Search to see just those builds
  • Right click and select Deploy
  • Step through the wizard to deploy this to the Device Collection you want to target along with your desired settings such as making the deployment required and perhaps hiding user notifications.

You can monitor the deployment in Monitoring \ Deployments.
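As an added example (not from this page), the console steps above as a script using the ConfigurationManager PowerShell module: search for the feature update by build string, refuse to continue unless the search is unambiguous, and create a Required deployment with user notifications hidden. The site code, build string, product name and target collection are placeholders; the name pattern passed to Get-CMSoftwareUpdate and the filter on expired/superseded updates are my assumptions about how the enablement packages are titled and classified in your catalog.

```powershell
<#
  Added example (not from this page): deploy a feature update / enablement package.
  Assumptions: Configuration Manager console module present; $SiteCode, $Build,
  $Product and $TargetCollection are placeholders; the -Name pattern assumes the
  update title contains both the product and the build string.
#>
param(
    [string] $SiteCode = 'ABC',                          # PLACEHOLDER: your site code
    [string] $Build = '22H2',                            # the same filter you would type in the console search
    [string] $Product = 'Windows 10',                    # narrow to one OS, e.g. 'Windows 11'
    [Parameter(Mandatory)] [string] $TargetCollection,   # device collection to upgrade
    [datetime] $Deadline = (Get-Date).AddDays(14)        # deadline after which the upgrade is enforced
)

Import-Module "$($env:SMS_ADMIN_UI_PATH)\..\ConfigurationManager.psd1"
Set-Location "$($SiteCode):"

# Search the way the console does, then drop expired or superseded entries so that
# only the current enablement package remains.
$candidates = @(Get-CMSoftwareUpdate -Fast -Name "*$Product*$Build*" |
    Where-Object { -not $_.IsExpired -and -not $_.IsSuperseded })

if ($candidates.Count -ne 1) {
    $candidates | Select-Object ArticleID, LocalizedDisplayName | Format-Table -AutoSize
    throw "Expected exactly one matching feature update, found $($candidates.Count). Tighten -Product or -Build."
}
$featureUpdate = $candidates[0]
Write-Host "Deploying: $($featureUpdate.LocalizedDisplayName)"

# Required deployment with notifications hidden, available now, enforced at the deadline.
# Restarts still honour the maintenance windows that apply to the target collection.
$deployment = New-CMSoftwareUpdateDeployment -SoftwareUpdate $featureUpdate `
    -CollectionName $TargetCollection `
    -DeploymentName "Feature Update $Build - $TargetCollection" `
    -DeploymentType Required `
    -UserNotification HideAll `
    -AvailableDateTime (Get-Date) `
    -DeadlineDateTime $Deadline `
    -TimeBasedOn LocalTime

$deployment | Select-Object AssignmentName, TargetCollectionID, EnforcementDeadline
```

Point `-TargetCollection` at a small pilot collection first; the deployment then appears under Monitoring \ Deployments exactly as one created through the wizard does.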

Servicing Plan

You can alternatively create your own deployment rings to keep Windows up to date when new builds are released.
See:

3rd Party Updates (Patch My PC)

The update mechanism is the same as is used for Windows patching. 

Visit the page CM Deploying 3rd Party Updates to Collections (Patch My PC) for information about custom software update groups. 



Related Information