Windows Update Patch Policies and Schedules
This page outlines the default categories within the briteCITY Patch Management Policy for all Windows Workstations and Servers managed by briteCITY.
Categories with a policy of “Severity-based” are installed depending on the SEVERITY level indicated by Microsoft for that patch, and the SEVERITY categories’ approval settings themselves, indicated near the bottom of the table below.
See also: Daytime Patching
Windows Update Schedules & Policies
Machine Category | Schedule | Reboot Policy | Daytime Patching Enabled | Windows Update Assistant Mode | Install Missing Baseline Patches | Create Windows Restore Point | Windows 10 Service Branch | Defer Feature/Quality Updates |
---|---|---|---|---|---|---|---|---|
Workstations | Nightly, 1-3 AM | During WU, Ask then Deny | Yes | Managed Mode – UI Disabled | Yes | Yes | Semi-Annual Channel | 15/7 Days |
Servers (Host) | Sat, 1-3 AM | During WU, Ask then Allow | No | Managed Mode | Yes | Yes | Semi-Annual Channel | 15/7 Days |
Servers (VMs, “bare metal”) | Sun, 1-3 AM | During WU, Ask then Allow | No | Managed Mode | Yes | Yes | Semi-Annual Channel | 15/7 Days |
Windows Update Approval Policies
Windows Patch Category | Workstations | Servers |
Active Directory Rights Management Services Client 2.0 | Deny | Severity-based |
ASP.Net Web Frameworks | Approve | Severity-based |
Bing Bar | Deny | Deny |
Bing Desktop | Deny | Deny |
Bing IME | Deny | Deny |
CAPICOM | Deny | Approve |
Critical Updates | Approve | Approve |
Definition Updates | Approve | Approve |
Drivers | Deny | Deny |
Exchange Server | Deny | Approve |
Feature Packs | Deny | Deny |
Microsoft Dynamics | Deny | Severity-based |
Microsoft Lync Server | Deny | Severity-based |
Microsoft SQL Server | Deny | Approve |
Microsoft Works | Deny | Approve |
Microsoft Office | Approve | Approve |
Report Viewer | Approve | Approve |
Security Updates | Approve | Approve |
Silverlight | Approve | Severity-based |
Service Packs | Approve | Severity-based |
Skype for Windows | Approve | Deny |
System Center | Deny | Severity-based |
Tools | Approve | Approve |
Update Rollups | Approve | Severity-based |
Updates | Approve | Severity-based |
Upgrades | Approve | Deny |
SEVERITY | – | – |
Unspecified | Approve | Approve |
Low | Approve | Approve |
Moderate | Approve | Approve |
Important | Approve | Approve |
Critical | Approve | Approve |
Common Vulnerability Scoring System (CVSS) | Approve > 1 | Approve > 1 |