Microsoft Windows Patching best practices and guidance

Updates for systems running the Windows operating system and its products are identified as Service Packs, Hotfixes and Security patches. These updates offer a fairly quick, prescribed solution or workaround for a specific problem. However, regardless of their type, they should be applied only on an “as-needed” basis, i.e. only when the update fixes an issue that is actually affecting a customer. In addition, an update should be evaluated before it is installed. In short, it is not mandatory to install updates right away.

Windows Patching best practices

Security patches minimize security risks and other vulnerabilities. They are analogous to hotfixes. Microsoft primarily offers the following routes for obtaining client-software security patches for its products:

  1. Windows Update: Uses ActiveX technology to check a PC for the latest security protection and the best drivers and software installed. On completion, it displays a list of suggested components that require upgrading.
  2. Recent security bulletins: A one-stop location for finding security-related patches. It allows searching by product or date.
  3. Product-specific security patch download pages: Provide security patches for specific products, for instance Internet Explorer (IE) and Office Updates. The IE download page differs from Windows Update in that it offers no way of identifying patches that have already been installed, as Windows Update does.
  4. Microsoft Download Center (MDC): Allows searches by product name, product category, or operating system.
  5. Email notification subscription: Informs a user about the latest security patches via proactive emails. Security patches need to be installed, and these best practices should be followed when doing so.

Apart from this, Windows 8 and Windows Server 2012 employ a different patching method from their earlier versions.

The three forms of updates for these operating systems are:

  1. Global Standalone patch: Intended to cover critical operating system issues and usually released in various languages. It is thoroughly tested before public release.
  2. Limited release patch: Includes fixes generated as the result of a critical customer support incident and therefore required to be released within a stipulated time.
  3. Monthly Rollup: Services the Windows 8/2012 family of operating systems every month via monthly rollups.

Patching Guidance for Windows 8.1 and Windows Server 2012 R2

1] Install all rollups available since the previous milestone, i.e. from Windows 8 to Windows 8.1, or from Windows Server 2012 to Windows Server 2012 R2.

2] Use Windows Update or Windows Server Update Services. They evaluate which patches are currently installed and which are available, account for superseded patches, and offer a list of currently available patches.

3] Critical Updates should be tested and installed as soon as possible with high priority.

4] Important updates should be tested and installed as soon as practical.

5] Recommended and Optional updates may be reviewed, tested, and installed as applicable, according to convenience.
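The five steps above, carried out from a PowerShell prompt as an added example (this is not code from the original post or from Microsoft): it compares installed hotfixes against a constructed baseline list of KBs, asks the Windows Update Agent for applicable updates that are not yet installed, and buckets them by MSRC severity so Critical items surface first. It assumes an elevated session on a machine that can reach Windows Update or its WSUS server; `$RequiredKBs` is a placeholder you replace with your own baseline.

```powershell
# Added example, not from the original post. Assumes an elevated PowerShell session
# with access to Windows Update or WSUS. $RequiredKBs is a constructed sample list.
$RequiredKBs = @('KB3004394', 'KB2919355')   # placeholder baseline, replace with your own

# Steps 1-2: what is already installed. Get-HotFix reads Win32_QuickFixEngineering,
# which covers OS hotfixes and rollups but not every product update.
$installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
$missing   = $RequiredKBs | Where-Object { $installed -notcontains $_ }
if ($missing) {
    Write-Warning ("Baseline KBs not installed: {0}" -f ($missing -join ', '))
}

# Step 2: ask the Windows Update Agent (COM API) for applicable, not-yet-installed,
# non-hidden software updates. The agent excludes superseded updates from this set.
$session  = New-Object -ComObject Microsoft.Update.Session
$searcher = $session.CreateUpdateSearcher()
$result   = $searcher.Search("IsInstalled=0 and IsHidden=0 and Type='Software'")

# Steps 3-5: bucket by MSRC severity. MsrcSeverity is empty for non-security updates.
$buckets = @{ Critical = @(); Important = @(); Other = @() }
foreach ($u in $result.Updates) {
    $kb  = ($u.KBArticleIDs | ForEach-Object { "KB$_" }) -join ','
    $sev = if ($u.MsrcSeverity) { $u.MsrcSeverity } else { 'None' }
    $entry = [pscustomobject]@{
        KB = $kb; Severity = $sev; Title = $u.Title; Downloaded = $u.IsDownloaded
    }
    switch ($sev) {
        'Critical'  { $buckets.Critical  += $entry }
        'Important' { $buckets.Important += $entry }
        default     { $buckets.Other     += $entry }
    }
}

"Critical (test and install with high priority):"
$buckets.Critical  | Format-Table KB, Title, Downloaded -AutoSize
"Important (test and install as soon as practical):"
$buckets.Important | Format-Table KB, Title, Downloaded -AutoSize
"Recommended/Optional/other (review and install as applicable):"
$buckets.Other     | Format-Table KB, Severity, Title -AutoSize
```

Running this on a test machine before the production ring gives you the same installed-versus-available view that Windows Update or WSUS computes, in a form you can keep with your change records.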

When should one apply Windows Security Patches?

  1. Apply only on exact match: Apply a security patch only when you are certain that the update will fix the problem you have encountered.
  2. Apply admin patches to install build areas: The TechNet post notes that admin patches differ from client patches and are usually located in a different place from the client-side patches.

So it is crucial that not only are existing clients retrospectively updated with security patches, but the client build areas are updated too, so that any new clients are built already patched. The majority of security updates released are for client-side (often browser) issues; they may be wholly or only remotely relevant to a server installation. One should try to obtain both the admin patch and the client patch, as the client patch will retroactively update the client base and the admin patch will likely update the client build area on the server.

The blog post from Microsoft lists the best practices for deploying Microsoft service packs and security patches and offers some valuable resource links. For more information, see this post on TechNet.

Anand Khanse is the Admin of, a 10-year Microsoft MVP Awardee in Windows (2006-16) & a Windows Insider MVP. Please read the entire post & the comments first, create a System Restore Point before making any changes to your system & be careful about any 3rd-party offers while installing freeware.


  1. Dan

    One thing I find is it’s sometimes difficult to understand just what CVE issue some Windows 7 security update is supposed to address; you note the KB number or whatever else Windows Update slimly tells you about a “critical”, “important”, or especially “recommended” security update or some update that “resolves issues in Windows”, but anything you check it against says no more than that (if taking more sentences to do so).

    This could be why earlier this year MS had at least two updates that they then said were causing havoc on PCs and had to be improved, then recommending they be taken out pending improvements. It was nice that a year ago MS added “Windows Update Cleanup” to the native disk cleaner in my Windows 7; but since there are to be no more cumulative rollups past SP1 it’d be nice to know if I have, say, enough third-party security apps running around I don’t really need this or that Windows update (again, if I could find out more about exactly what many things are trying to prevent instead of hearing words in nature of “some vague privately reported vulnerability” I’d be better off). For example, since the “necessary, that is all” updates of August 2014, I can’t upload even the tiniest PDF to some GoDaddy-hosted sites or use their links; this happens even with everything but Windows switched off, but will I be hurting or helping myself if I take all suspect updates out? Or is the problem some arcane DNS issue(s) on GoDaddy’s end or my ISP? It doesn’t help to not know more exactly what kind(s) of things Windows updates are trying to do.

    Apart from that, thanks for another great article especially tips about Windows 8. Cheers!

  2. jorge correa

    This past December 9 (Tuesday Microsoft Update) we had a botched and failed Windows update, KB3004394, which affected a few users’ machines and caused big havoc around the net. Luckily Microsoft quickly issued a FIX and all is good now. I personally DO NOT USE the “Windows automatic update and install” feature and have avoided these kinds of issues. I have the Windows update feature set as “Download updates and let me choose whether to install them” and usually wait a day or two just to make sure that Microsoft hasn’t made a blooper like what happened this last Tuesday with KB3004394. Do you consider this procedure a good idea? It hasn’t caused me any problems and I have been doing this for a few years.
