Windows Update Patch Policies and Schedules
This page outlines the default categories within the briteCITY Patch Management Policy for all Windows Workstations and Servers managed by briteCITY.
Categories with a policy of “Severity-based” are installed depending on the SEVERITY level indicated by Microsoft for that patch, and the SEVERITY categories’ approval settings themselves, indicated near the bottom of the table below.
See also: Daytime Patching
Windows Update Schedules & Policies
| Machine Category | Schedule | Reboot Policy | Daytime Patching Enabled | Windows Update Assistant Mode | Install Missing Baseline Patches | Create Windows Restore Point | Windows 10 Service Branch | Defer Feature/Quality Updates |
|---|---|---|---|---|---|---|---|---|
| Workstations | Nightly, 1-3 AM | During WU, Ask then Deny | Yes | Managed Mode – UI Disabled | Yes | Yes | Semi-Annual Channel | 15/7 Days |
| Servers (Host) | Sat, 1-3 AM | During WU, Ask then Allow | No | Managed Mode | Yes | Yes | Semi-Annual Channel | 15/7 Days |
| Servers (VMs, “bare metal”) | Sun, 1-3 AM | During WU, Ask then Allow | No | Managed Mode | Yes | Yes | Semi-Annual Channel | 15/7 Days |
Windows Update Approval Policies
| Windows Patch Category | Workstations | Servers |
| Active Directory Rights Management Services Client 2.0 | Deny | Severity-based |
| ASP.Net Web Frameworks | Approve | Severity-based |
| Bing Bar | Deny | Deny |
| Bing Desktop | Deny | Deny |
| Bing IME | Deny | Deny |
| CAPICOM | Deny | Approve |
| Critical Updates | Approve | Approve |
| Definition Updates | Approve | Approve |
| Drivers | Deny | Deny |
| Exchange Server | Deny | Approve |
| Feature Packs | Deny | Deny |
| Microsoft Dynamics | Deny | Severity-based |
| Microsoft Lync Server | Deny | Severity-based |
| Microsoft SQL Server | Deny | Approve |
| Microsoft Works | Deny | Approve |
| Microsoft Office | Approve | Approve |
| Report Viewer | Approve | Approve |
| Security Updates | Approve | Approve |
| Silverlight | Approve | Severity-based |
| Service Packs | Approve | Severity-based |
| Skype for Windows | Approve | Deny |
| System Center | Deny | Severity-based |
| Tools | Approve | Approve |
| Update Rollups | Approve | Severity-based |
| Updates | Approve | Severity-based |
| Upgrades | Approve | Deny |
| SEVERITY | – | – |
| Unspecified | Approve | Approve |
| Low | Approve | Approve |
| Moderate | Approve | Approve |
| Important | Approve | Approve |
| Critical | Approve | Approve |
| Common Vulnerability Scoring System (CVSS) | Approve > 1 | Approve > 1 |