Microsoft Windows Patching best practices and guidance

Updates for systems running the Windows operating system and its products are released as Service Packs, Hotfixes and Security patches. These updates offer a fairly quick, prescribed fix or workaround for a specific problem. However, regardless of type, an update should be applied only on an "as-needed" basis, i.e. only when it addresses an issue that is actually affecting you. In addition, every update should be evaluated before it is installed. In short, it is not mandatory to install updates right away.

Windows Patching best practices

Security patches minimize security risks and other vulnerabilities, and are analogous to hotfixes in form. Microsoft primarily offers the following routes for obtaining client-side security patches for its products:

  1. Windows Update: Uses ActiveX technology to check a PC for the latest security protection and for the best drivers and software installed. On completion it displays a list of suggested components that require upgrading.
  2. Recent security bulletins: A one-stop location for finding security-related patches, searchable by product or date.
  3. Product-specific security patch download pages: Provide security patches for a specific product, for instance Internet Explorer (IE) or Office Update. Unlike Windows Update, the IE download page offers no way to identify patches that have already been installed.
  4. Microsoft Download Center (MDC): Allows searches by product name, product category, or operating system.
  5. Email notification subscription: Proactively informs a user about the latest security patches by email. Security patches should be installed following these best practices.

Apart from this, Windows 8 and Windows Server 2012 employ a different patching method from their earlier versions.

The three forms of updates for these operating systems are:

  1. Global Standalone patch: Intended to cover critical operating system issues; usually released in multiple languages and thoroughly tested before public release.
  2. Limited release patch: Includes fixes generated as the result of a critical customer support incident and hence required to be released within a stipulated time.
  3. Monthly Rollup: Services the Windows 8/2012 family of operating systems on a monthly cadence via a rollup.

Patching Guidance for Windows 8.1 and Windows Server 2012 R2

1] Install all rollups available since the previous milestone, i.e. from Windows 8 to Windows 8.1, or from Windows Server 2012 to Windows Server 2012 R2.

2] Use Windows Update or Windows Server Update Services (WSUS). They evaluate which patches are currently installed and which are available, account for superseded patches, and present a list of currently applicable patches.

3] Critical Updates should be tested and installed as soon as possible with high priority.

4] Important updates should be tested and installed as soon as practical.

5] Recommended and Optional updates may be reviewed, tested, and installed as applicable, according to convenience.
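The inventory-and-triage step described in points 2 to 5 can be scripted against the same Windows Update Agent that Windows Update and WSUS clients use. The following PowerShell is an added example, not code from the original post or from Microsoft: it lists what is already installed, asks the agent for applicable updates that are not yet installed, and buckets them by Microsoft's severity rating so that Critical items surface first. It assumes an elevated session on a Windows 8.1 / Server 2012 R2 or later host that can reach Windows Update or its configured WSUS server; the exit code convention is an assumption for use from a scheduled task.

```powershell
# Added example (not from the original post): inventory installed updates and
# triage pending ones by MSRC severity, mirroring guidance points 2-5 above.
# Uses the built-in Windows Update Agent COM API (Microsoft.Update.Session).

# Point 2: what is already installed. Get-HotFix reads the same data that
# "Installed Updates" shows in Control Panel.
$installed = @(Get-HotFix | Sort-Object InstalledOn -Descending)
if ($installed.Count -gt 0) {
    Write-Host ("{0} updates installed; most recent: {1} on {2}" -f
        $installed.Count, $installed[0].HotFixID, $installed[0].InstalledOn)
}

# Ask the agent (Windows Update or the WSUS server set by policy) for updates
# that apply to this machine, are not installed, and have not been hidden.
$session  = New-Object -ComObject Microsoft.Update.Session
$searcher = $session.CreateUpdateSearcher()
$result   = $searcher.Search("IsInstalled=0 and IsHidden=0")

# Points 3-5: bucket by MsrcSeverity. Security updates carry Critical,
# Important, Moderate or Low; drivers and feature packs have no rating.
$priority = @{ 'Critical' = 1; 'Important' = 2; 'Moderate' = 3; 'Low' = 4 }
$pending = foreach ($u in $result.Updates) {
    $sev = if ($u.MsrcSeverity) { $u.MsrcSeverity } else { 'Unrated' }
    [pscustomobject]@{
        Rank       = if ($priority.ContainsKey($sev)) { $priority[$sev] } else { 5 }
        Severity   = $sev
        KB         = ($u.KBArticleIDs | ForEach-Object { "KB$_" }) -join ','
        Downloaded = $u.IsDownloaded
        Title      = $u.Title
    }
}

$pending | Sort-Object Rank, KB | Format-Table Severity, KB, Downloaded, Title -AutoSize

# Policy from the guidance above: Critical pending = test and install with high
# priority; Important = as soon as practical; the rest = at convenience.
# Exit code 2 (assumed convention) lets a scheduled task flag such hosts.
$critical = @($pending | Where-Object Severity -eq 'Critical').Count
if ($critical -gt 0) {
    Write-Warning "$critical critical security update(s) pending - test and install with high priority."
    exit 2
}
```

The search string `IsInstalled=0 and IsHidden=0` is the standard WUA search syntax; superseded updates are already filtered out by the agent, which is the same behaviour point 2 relies on. The script only reports, so it fits the "test first, then install" order the guidance sets out.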

When should one apply Windows Security Patches

  1. Apply only on exact match: Apply a security patch only when you are certain that the update will fix the problem you have encountered.
  2. Apply admin patches to install build areas: As the post notes, admin patches differ from client patches and are usually located separately from the client-side patches.

So, it is crucial not only that existing clients are retrospectively updated with security patches, but that the client build areas are also updated for any new clients. The majority of security updates released are for client-side (often browser) issues; they may be completely or only remotely relevant to a server installation. One should obtain both the admin patch and the client patch: the client patch will retroactively update the installed client base, and the admin patch will likely update your client build area on the server.
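One concrete way to keep the client build area on the server patched, so that newly built clients do not start out behind the installed base, is to service the build image offline. The following PowerShell is an added example, not code from the original post or from Microsoft; it uses the DISM module cmdlets to mount the image, add the downloaded update packages, and save the image only if every package applied. The image path, mount directory, update folder and image index are assumptions.

```powershell
# Added example (not from the original post): apply downloaded update packages
# to the client build image so new clients are built already patched.
# Requires an elevated session with the DISM PowerShell module available.

$imagePath = 'D:\Deploy\Images\install.wim'   # assumed: client build image on the server
$mountDir  = 'D:\Deploy\Mount'                 # assumed: empty directory to mount into
$updateDir = 'D:\Deploy\Updates'               # assumed: downloaded .msu / .cab packages
$index     = 1                                 # assumed: image index new clients are built from

if (-not (Test-Path $mountDir)) { New-Item -ItemType Directory -Path $mountDir | Out-Null }

Mount-WindowsImage -ImagePath $imagePath -Index $index -Path $mountDir
$ok = $false
try {
    # Apply every package in the update folder. Add-WindowsPackage stops on the
    # first failure so a half-serviced image is never committed.
    $packages = Get-ChildItem -Path $updateDir -Include *.msu, *.cab -Recurse
    foreach ($pkg in $packages) {
        Write-Host "Adding $($pkg.Name)"
        Add-WindowsPackage -Path $mountDir -PackagePath $pkg.FullName -ErrorAction Stop | Out-Null
    }

    # Record what the image now contains, grouped by release type, for the change log.
    Get-WindowsPackage -Path $mountDir |
        Where-Object PackageState -eq 'Installed' |
        Group-Object ReleaseType |
        Select-Object Name, Count |
        Format-Table -AutoSize

    $ok = $true
}
catch {
    Write-Error "Servicing failed: $_"
}
finally {
    # Commit the image only on full success; otherwise discard the mount so the
    # build area stays in its last known-good state.
    if ($ok) { Dismount-WindowsImage -Path $mountDir -Save }
    else     { Dismount-WindowsImage -Path $mountDir -Discard }
}
```

Run it on the server that hosts the build area after the same updates have been tested on live clients; the save-or-discard split in the `finally` block is what keeps a failed package from leaving a partially patched image behind.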

The blog post from Microsoft lists the best practices for deploying Microsoft service packs and security patches and offers some valuable resource links. For more information, see this post on TechNet.

Anand Khanse is the Admin of, a 10-year Microsoft MVP Awardee in Windows (2006-16) & a Windows Insider MVP. Please read the entire post & the comments first, create a System Restore Point before making any changes to your system & be careful about any 3rd-party offers while installing freeware.