Windows patching is configured by default for endpoints when they are onboarded into Configuration Manager. This is accomplished by automatic membership into three collections:
While Windows servers use the same collection structure, servers are opt-in. A server device collection will need to be added to the corresponding software update collection. The same is true for a maintenance window: add your server collection(s) to a maintenance window.
A Maintenance Window collection that is controlled by EPM, but from which clients can be excluded by ITSOs. Its maintenance schedule is "Every Day 0000-0600":
| Collection Name | Schedule |
|---|---|
| EPM - MW - Every Day 0000-0600 | Every Day 12:00 AM - 06:00 AM |
Department-specific collections can be found by going to Assets and Compliance, expanding Device Collections, then your DEPT collection, then Software and Update Maintenance, and selecting Maintenance Windows.

| Collection Name | Schedule | Membership |
|---|---|---|
| <DEPT> - MW - Every Day 0000-0600 - Include | Every Day 12:00 AM - 06:00 AM | defined by including "All <DEPT> Clients" |
| <DEPT> - MW - Every Day 0000-0600 - Exclude | Every Day 12:00 AM - 06:00 AM | determined by the ITSO |
If devices are "excluded" then an ITSO must define a maintenance window for them, otherwise devices in the exclude collection will install updates and possibly restart as soon as those updates are available. Adding devices to the exclude collection does not exclude them from getting updates.
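As an added example (not from this page or from Configuration Manager's own documentation), the following console PowerShell script audits a department's Exclude collection for devices that have no maintenance window from any collection they belong to, which are exactly the devices that will install updates and possibly restart as soon as updates are available. The site code, site server name and department prefix are placeholders you must replace.

```powershell
# Added example: find devices in "<DEPT> - MW - ... - Exclude" that have no maintenance
# window at all (from any collection), so an ITSO can define one before they self-patch.
# Assumptions (placeholders): run in a console PowerShell session with the
# ConfigurationManager module loaded; site code P01, site server CMSERVER, dept "DEPT".
param(
    [string]$SiteCode   = 'P01',
    [string]$SiteServer = 'CMSERVER',
    [string]$Dept       = 'DEPT'
)
Set-Location "$($SiteCode):"   # the PSDrive the console module creates for the site

$excludeName = "$Dept - MW - Every Day 0000-0600 - Exclude"
$members = Get-CMCollectionMember -CollectionName $excludeName

# Cache maintenance windows per collection so each collection is queried only once
$mwCache = @{}
function Get-MwForCollection([string]$CollectionId) {
    if (-not $mwCache.ContainsKey($CollectionId)) {
        $mwCache[$CollectionId] = @(Get-CMMaintenanceWindow -CollectionId $CollectionId)
    }
    return $mwCache[$CollectionId]
}

$report = foreach ($m in $members) {
    # Every collection this resource is a member of, from the site's SMS provider
    $memberships = Get-CimInstance -ComputerName $SiteServer `
        -Namespace "root\SMS\site_$SiteCode" `
        -ClassName SMS_FullCollectionMembership `
        -Filter "ResourceID=$($m.ResourceID)"
    $windows = @(foreach ($c in $memberships) { Get-MwForCollection $c.CollectionID })
    [pscustomobject]@{
        Device             = $m.Name
        ResourceID         = $m.ResourceID
        MaintenanceWindows = $windows.Count
        # True = excluded from the EPM window AND no other window: will patch immediately
        NoWindow           = ($windows.Count -eq 0)
    }
}
$report | Sort-Object NoWindow -Descending | Format-Table -AutoSize
```

Devices reported with NoWindow = True should be added to an ITSO-defined maintenance window collection (or removed from the Exclude collection) so their restarts stay inside a scheduled window.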
A range of "inventory collections" have been created to limit and scope the application of updates and other software. These are located in the "Operating Systems" and "Software Installations" collections.
Software Update deployment collections exist in the ITSO Subscription per Operating System major version and for each Office major architecture type, and membership of those is limited to the inventory collections above. Software Update deployments are applied to the collections in the Software Update folder in the ITSO Subscription. Refer to Configuration Manager #1 Glossary of Key Terms and Concepts for definitions of Available vs Required deployments.
By default (Subscriptions set up from 2022 onward), all Windows 10 clients, all Windows 11 clients, all Office MSI clients, and all Office 365 and LTSC clients are included in the "Required" update collections for each of the groups of clients listed.
This infrastructure creates the necessary framework to automatically patch a client with appropriate OS and Office Updates every day at midnight.
This is the list of products in the "EPM - Microsoft Updates - Required" ADR:
Product: "Report Viewer 2005" OR "Report Viewer 2008" OR "Report Viewer 2010" OR "Visual Studio 2005" OR "Visual Studio 2008" OR "Visual Studio 2010 Tools for Office Runtime" OR "Visual Studio 2010" OR "Microsoft Defender Antivirus" OR "ASP.NET Web Frameworks" OR "Microsoft SQL Server Management Studio v17" OR "Office 2016" OR "Microsoft 365 Apps/Office 2019/Office LTSC" OR "Visual Studio 2010 Tools for Office Runtime" OR "Visual Studio 2012" OR "Visual Studio 2013" OR "Visual Studio 2015" OR "Windows 10 LTSB" OR "Windows 10, version 1903 and later" OR "Windows 10" OR "Windows Server 2016" OR "Windows Server 2019" OR "Windows Server, version 1903 and later" OR "Microsoft SQL Server Management Studio v18" OR "Visual Studio 2015 Update 3" OR "Azure Connected Machine Agent" OR "Microsoft Edge" OR "Kernel Updates" OR "Azure Connected Machine Agent 2" OR "Azure Connected Machine Agent 2" OR "Azure Connected Machine Agent 3" OR "Visual Studio 2019" OR "Visual Studio 2017" OR ".NET 5.0" OR "Windows 10, version 1903 and later" OR "Windows Server 2016 for RS4" OR "Windows Server 2016" OR "Windows Server 2019" OR "Windows Server, version 1903 and later" OR "Azure Connected Machine Agent - GA version" OR ".NET Core 2.1" OR ".NET Core 3.1" OR "Microsoft Server operating system-21H2" OR "Windows 11" OR "Microsoft Defender for Endpoint" OR "Server 2022 Hotpatch Category" OR ".NET 6.0" OR "Visual Studio 2022" OR "Power Shell - x64" OR "Microsoft Server Operating System-22H2" OR ".NET 7.0" OR "Microsoft SQL Server Management Studio v19" OR "Microsoft Server Operating System-23H2" OR ".NET 8.0" OR "Microsoft ODBC Driver 17 for SQL Server" OR "Server Operating System-24H2"
Patching as described at the start of this page will not upgrade Windows to a new build. Deploy a new build when you are ready, because builds that fall out of support no longer receive patches. The process of deploying an enablement package is similar to deploying a Software Update.
From the Configuration Manager console:
You can monitor the deployment in Monitoring \ Deployments.
You can alternatively create your own deployment rings to keep Windows up to date when new builds are released.
See:
The update mechanism is the same as is used for Windows patching.
Visit the page CM Deploying 3rd Party Updates to Collections (Patch My PC) for information about custom software update groups.