Windows Patch Management: Difference between revisions

From UMIACS
 
(21 intermediate revisions by the same user not shown)
Line 1: Line 1:
'''Note: As of version 2017 LANDesk has rebranded to Ivanti. Some shortcuts/etc. may now be referenced by Ivanti rather than LANDesk.'''
As of Fall 2025, UMIACS uses Windows' built-in Windows Update mechanism to patch the Windows operating system, Windows drivers, and other Microsoft products that Microsoft uses Windows Update to push updates for, in tandem with a software distribution tool called [https://umd-dit.atlassian.net/wiki/spaces/DMS/pages/45285463/Patch+My+PC Patch My PC] that operates through the Division of IT's managed [https://umd-dit.atlassian.net/wiki/spaces/DMS/pages/45285467/Intune Intune] service to patch third party applications.


In order to combat the ever increasing number of 3rd party security vulnerabilities on Windows machines, UMIACS staff has deployed LANDesk Patch Manager. As security threats have evolved from the operating system to applications we have had to take this step in order to maintain operational security for the Institute. Currently the updates are focused on applications that are exposed to the internet such as Firefox, Flash, Acrobat, Java, etc.
Our previous patch management solution, Ivanti Endpoint Manager, may still have agent software installed on UMIACS-supported [[Windows]] desktops, however it operates only in "read-only" mode and does not perform actual patching anymore. It will be removed in the future.


LANDesk is currently deployed on all UMIACS-supported [[Windows]] desktops as well as [[Windows/LaptopSupport#UMIACS_Enterprise_Laptop_Support | Enterprise supported]] laptops and home machines.
==Windows Update==
* '''Desktops''' will run updates available through Windows Update daily between 3am and 4am US Eastern.
* '''Laptops''' will run updates available through Windows Update at any time they are on and connected to the internet.


==Automated Scanning==
The only updates available through Windows Update that should require computer restarts are the Windows operating system monthly rollups, released on [https://en.wikipedia.org/wiki/Patch_Tuesday Microsoft's Patch Tuesday]. After a month's monthly rollup is installed on your computer, you will receive a notification stating that your machine needs to be restarted in the next 8 days. You can choose either to restart immediately or to schedule the restart. If you do not restart by the deadline, your computer will automatically restart no more than a day after the deadline is exceeded.
Patches are deployed during the week leading up to the [[MonthlyMaintenanceWindow|maintenance window]].
*'''Desktops''' will scan for updates to be installed every night between 7:30pm and 9:30pm. If you are not logged in during those times, the system will automatically install the patches and reboot if necessary. If you remain active on your system during those times, you will see a popup with the scan beginning and (once patches are downloaded) a prompt from LANDesk asking to begin installing patches.
*'''Laptops''' will scan for updates to be installed at least once every day (assuming the laptop is powered on). This will only occur when the laptop has an active Internet connection (wired or wireless). You will see a popup with the scan beginning and (once patches are downloaded) a prompt from LANDesk asking to begin installing patches.


Installation can be deferred until lock/logoff if desired. If you do not respond to the prompt within a given amount of time, installation will automatically proceed:
==Patch My PC==
*'''Desktops''': 24 hours
Patches are deployed as they come out for the Patch My PC catalog. They should install automatically and require little to no input.
*'''Laptops''': 3 hours
 
If a reboot is required after installation finishes, you will receive another pop up. It is highly suggested to reboot right away due to system instability and vulnerability. However, reboot can be deferred for up to 6 days if desired. If you do not respond to the prompt within a given amount of time, the machine will automatically reboot:
*'''Desktops''': 24 hours
*'''Laptops''': 9 hours
 
==Manual Scanning==
This should only need to be done on laptops or home machines in the event that LANDesk has not had a large enough time window to scan your computer since last month's patches were released. '''Please note you will need an active Internet connection for this to work, however you do not need to be on the UMIACS [[VPN]].'''
 
# Search for "Security Scan" from the Start menu and click it. The scan will begin. Patches will be detected and downloaded.
#* '''Note''': The scan may fail on the "Checking for other running scanners" step if LANDesk is already running an invisible scan in the background. If this occurs, wait 10-15 minutes and then retry the scan.
#: [[File:Landesk1.png]][[File:Landesk2.png]]
# After all patches have been downloaded, you will be prompted to allow the install to begin.
#: [[File:Landesk3.png]]
# After all patches have been installed, you may be prompted to reboot.
#: [[File:Landesk4.png]]
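
Review bot: The "Manual Scanning" section is removed without a replacement, so the new text gives laptop users no documented way to trigger an update check themselves or to confirm that Windows Update and Patch My PC have caught up; consider adding a short step for that under "Windows Update". The new desktop line states a 3am to 4am window but does not say what happens when a desktop is powered off at that time, whereas the removed "Automated Scanning" text spelled out both the logged-in and not-logged-in cases. "It will be removed in the future" for the Ivanti agent would be more useful with a target date or a pointer to where the removal will be announced.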

Latest revision as of 20:55, 15 October 2025

As of Fall 2025, UMIACS uses Windows' built-in Windows Update mechanism to patch the Windows operating system, Windows drivers, and other Microsoft products that Microsoft updates through Windows Update. Third-party applications are patched with a software distribution tool called Patch My PC, which operates through the Division of IT's managed Intune service.

Our previous patch management solution, Ivanti Endpoint Manager, may still have agent software installed on UMIACS-supported Windows desktops; however, it operates only in "read-only" mode and no longer performs actual patching. It will be removed in the future.

Windows Update

  • Desktops will run updates available through Windows Update daily between 3am and 4am US Eastern.
  • Laptops will run updates available through Windows Update at any time they are on and connected to the internet.

The only updates available through Windows Update that should require a computer restart are the Windows operating system monthly rollups, released on Microsoft's Patch Tuesday. After a month's rollup is installed on your computer, you will receive a notification stating that your machine needs to be restarted within the next 8 days. You can choose either to restart immediately or to schedule the restart. If you do not restart by the deadline, your computer will automatically restart no more than a day after the deadline is exceeded.

Patch My PC

Patches are deployed as they come out for the Patch My PC catalog. They should install automatically and require little to no input.