Once upon a time, we didn’t have to worry about patching or software updates. We’d simply buy a computer, use it until it stopped working (or became obsolete), and then upgrade to the next model. And while this approach wasn’t particularly cost-effective, it certainly helped keep things simple.
With the release of Windows 95, Microsoft introduced “Windows Update”—a web-based portal offering additional desktop themes, games, device driver updates, and other optional content that didn’t ship with the operating system (OS) itself. Rather than wait for a hardware refresh or a complete OS upgrade, users could now install incremental updates that helped keep machines up-to-date with all the latest features and capabilities.
Fast forward to the present day, and software updates have become far more complex—and far more important. And for many users, particularly in business environments, the intricacies and inner-workings of a given update don’t really matter—all that matters is that machines are working as they should.
Without question, the most prominent (and most important) patches today are security patches. Cybercriminals and hackers are more dangerous than ever before, and software providers are constantly writing, rewriting and updating code to protect against viruses, threats, and any unwanted exposure of user or machine information.
But just because a new patch is released doesn’t mean businesses should immediately drop everything and install the update. From time to time, patches will contain unseen vulnerabilities, have installation issues, or even prevent machines from successfully rebooting once the installation is complete.
For MSPs and solution providers, there’s a clear message here: If you aren’t taking the time to properly test patches before applying them, you’re putting yourself—and your clients—at risk.
Better Safe Than Sorry
Your clients are looking to you as more than just a vendor—you’re a trusted partner and technology advisor, and your services need to reflect that. By testing and researching patches before pushing them to your clients’ machines, particularly Microsoft security updates and critical Windows patches, you can provide added security and peace of mind for both yourself and your customers.
So what does “testing” actually mean here? For starters, you’ll want to create a testing environment of your own—take a few machines and designate them specifically for this process. Install new updates and patches on these machines, and spend some time tinkering to determine if any unwanted side effects are popping up. Make sure there’s some diversity in the environment, too—take a few servers, a few desktops, and make sure you’re testing updates across multiple operating systems.
You’ll also want to conduct a bit of research to see if others have uncovered any problems you aren’t experiencing in your own testing environment. The Web is your friend here—there’s no shortage of online forums, communities and groups filled with valuable information from others who have done patch testing of their own. Doing this research will not only help you verify your own findings, but can also yield some valuable insights you may not have tested for—i.e. how a new security patch will impact third-party software like Adobe. Yes, this can take some time; but in the end, it’s worth it.
Here are a few additional patch testing considerations and best practices:
Flexibility is Essential
The ability to maintain unique patching policies for various client sites is an absolute must-have. Your customers have varying needs, and office hours can differ significantly from one business to the next—your patch policies need to be flexible enough to support whatever your customers can throw at you.
If a customer employs traditional 9-5 business hours, chances are machines are being switched off overnight—so patches need to be pushed during the day. A client requiring 24x7 uptime, on the other hand, may prefer to push patches at 2am when fewer employees are present (to minimize interruption).
The ability to maintain separate patch policies for desktops and servers in your RMM tool is also essential, as is the ability to identify critical vs. non-critical updates.
White-Listing and Black-Listing
This is a great way to help demonstrate the value of patch testing to your clients. White-listing and black-listing patches is simply a process of identifying those patches that have been tested and approved for installation, as well as those that have been deemed unsafe. Creating lists and sharing this information with your clients not only helps you showcase the effort you’ve put into the testing process, but also serves as a great resource to help you reinforce your value as a managed services provider—particularly for those customers whose offices you aren’t visiting all that often.
Already a partner? We've uploaded the latest Microsoft Security Patch Whitelist and Blacklist PDFs to Collaborate. Get list of safe & unapproved patches here!
Don’t Assume Everything is Working Just Fine
You shouldn’t assume that a given patch has installed successfully—and just because a machine successfully reboots doesn’t necessarily mean everything is working smoothly. Take a moment to double check that the update was actually successful (hint: your RMM tool should be able to produce a report tracking patch success/failure).
There’s no denying the importance of software patches and updates today—and MSPs are uniquely-positioned to act as trusted advisors and gatekeepers when it comes to implementing these updates. Take the time to test critical security patches before pushing them to your clients’ machines—both you and your customers will be glad you did.
By Gretchen Hoffman