Windows Patch Management

July 10, 2011

CentraStage

When we started CentraStage we were in agreement that the platform should support all manner of devices – computers, phones, TVs, routers, etc. And it would be exclusively cloud based, and it would run on Linux. Then we started taking orders. Quite early in the product lifecycle I might add, although that’s a story on its own and best saved for another post. The thing is, all our early orders were for an on-premise, Windows-based solution to manage Windows computers. Our customers were all MSPs managing Windows, and didn’t have Linux skills to manage an internal Linux server. Having started the company without funding we were not about to turn those orders away and so the focus shifted to Windows exclusively.

Now I’m not a Windows basher by any means, it’s a good operating system and I can only imagine the challenge of producing an operating system that is expected to run on just about any box, be it a high-end blade server or a build-your-own PC that someone has put together from the bargain bins. But damn, keeping my own devices fully patched is enough of a headache (yes, yes, I need to reboot to complete the update but can’t you see I’m in the middle of something – and probably will be for the foreseeable future..?!?) so providing a neat and pain-free way to manage Windows patches via CentraStage was never going to be simple.

Microsoft provides a fairly robust way for users to manage patches themselves via the Windows Update service and so, in line with our early-and-often policy, we included the ability to manage these settings on behalf of users. Within CentraStage Policies you will find a way to set the Microsoft Update policy for various groups and Windows flavours – plus a few reboot options that we felt they should have included. You can also point devices to a specific WSUS server if that’s the way you roll your patch management. This covers the requirements of many of our users but falls short of covering them all. You see, the thing with patches is that sometimes you don’t want them all, and for those people the only option has been to run your own WSUS server and control which patches are approved and released. That’s a massive task if you are an MSP with a number of customers all fetching updates from your WSUS server. Which sort of rules out WSUS altogether then.

Some of our users like to turn off automatic WSUS/Windows Updates altogether and manage the deployment of patches themselves. There are some very good reasons to do this and it is something that we’re going to provide for within CentraStage. The first step along this path is available in v4.1.1, released today (July 11 2011). V4.1.1 includes Windows Patch Reporting to report which patches are missing from any of the devices you manage. Drill down to a device and have a look at the Software tab. There is a new View called Missing Patches and in there you will find the results of a check for which patches are installed on the device against all patches released by either Windows Updates or the WSUS server the device is configured to use. There is also an extra line item in the Security Center widget on the Profile Summary page that totals up the missing patches across all devices in that Profile. So, not hugely useful on its own but at least informative and can be used to identify potential problems. From here (very soon) we are going to provide you with a method to firstly force devices to fetch and install selected patches only, and also to deliver them via CentraStage as an option. We’re not going to become a sort of WSUS server ourselves but we do have some very sneaky plans as to how this can otherwise be achieved. I won’t spoil the surprise just yet ;)

This means your third option for Windows patch management will be to turn off automatic updates, and then as missing patches are reported you can selectively release or ignore them via the CentraStage CSM. This should cover more bases and hopefully satisfy the requirements of many more users. Missing patches will be reported at the device, profile and system level. Of course this is only needed if you can’t use the Windows Update service and don’t run a WSUS server – that functionality is already catered for.
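A device-side missing-patch check of the kind described above can be reproduced with the Windows Update Agent (WUA) COM API. This is an added example, not CentraStage's own code; the `$IgnoreTitlePatterns` parameter and its sample pattern are assumptions standing in for an operator-maintained ignore list.

```powershell
# Added example: report patches missing from the local device using the
# Windows Update Agent COM API. Requires PowerShell 3.0+ for [pscustomobject].
# $IgnoreTitlePatterns is a hypothetical ignore list; the default value is a
# constructed sample, not a list taken from any product.
param(
    [string[]]$IgnoreTitlePatterns = @('*Language Pack*')
)

$session  = New-Object -ComObject Microsoft.Update.Session
$searcher = $session.CreateUpdateSearcher()

# The searcher queries whichever source the device is configured to use:
# Windows Update / Microsoft Update, or the WSUS server set by policy.
# The query only enumerates updates; it downloads and installs nothing.
try {
    $result = $searcher.Search("IsInstalled=0 and IsHidden=0 and Type='Software'")
} catch {
    Write-Error "Update search failed: $($_.Exception.Message)"
    exit 1
}

$report = foreach ($update in $result.Updates) {
    # Flag updates whose title matches any ignore pattern instead of dropping
    # them, so the report still shows what was suppressed and why.
    $ignored = $false
    foreach ($pattern in $IgnoreTitlePatterns) {
        if ($update.Title -like $pattern) { $ignored = $true; break }
    }
    [pscustomobject]@{
        Title    = $update.Title
        KB       = ($update.KBArticleIDs | ForEach-Object { "KB$_" }) -join ','
        Severity = if ($update.MsrcSeverity) { $update.MsrcSeverity } else { 'Unrated' }
        Ignored  = $ignored
    }
}

$missing = @($report | Where-Object { -not $_.Ignored })
$skipped = @($report | Where-Object { $_.Ignored })

"Missing patches: {0} (ignored by pattern: {1})" -f $missing.Count, $skipped.Count
$missing | Group-Object Severity | Sort-Object Name | Select-Object Name, Count | Format-Table -AutoSize
$missing | Sort-Object Severity, Title | Format-Table Severity, KB, Title -AutoSize
```

Keeping ignored updates in the report with a flag, rather than filtering them out of the search, means a security patch that accidentally matches an ignore pattern is still visible on review.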

4 Comments on “Windows Patch Management”

  1. John A Thomson Says:

    It would be good if you could tell CentraStage to ignore some Windows updates in the Patch Management section.

    For example: I’ve got customers running Vista Ultimate who have 35 updates showing in CentraStage, all of which are Language Packs that aren’t needed. It would be grand if I could say to ignore the updates by computer / profile / globally.


Trackbacks/Pingbacks

  1. CentraStage - July 19, 2011

    [...] Windows Patch Management This post is by Ian van Reen from his Development Blog and has been promoted to the main blog as it provides great value and interest. To view the original post click here. [...]
