IT Security | System Administration

Always patch, but test first

26. August 2021, Avatar of Felix ZechFelix Zech

Microsoft releases Windows updates at regular intervals to close security gaps. However – and as most IT admins have learned (sometimes the hard way) -- a simple "install it and forget it" approach is not a strategy for success. All updates should be tested before a company-wide rollout and should not be put directly into production.

To minimize the risk of problems, Windows has developed so-called deployment rings. How exactly do these work?

Running rings around updates

Deployment rings are a method of dividing computers into three groups and providing each group with the new update in sequence. The rings usually only need to be defined once. However, it is up to IT to regularly check the rings to ensure that the sequencing is correct for a given update.

In the first ring, an update is distributed to a few key users. If no problems occur, a manageable number of workstations in the second ring are updated. If no problems occur with those, the remaining systems in the third ring are updated. All employees are assigned to the various deployment rings according to their area of activity or department.

It is important to note that not everyone within a department should be in the same ring, because if an error occurs the entire team is paralyzed. For example, if the entire accounting department is in the key user group and the update results in a BSOD, the entire department does down. This has a domino effect across the company as billing, payments and other critical functions are affected.


Optimizing update management with baramundi

Updates can be very large, so it’s important to know from which sources they’ll be deployed and whether or not WSUS is used as a local update repository. Devices that are rarely accessible via the internal network should obtain patches directly from Microsoft’s servers. This reduces the load on VPN connection to the corporate network and saves a lot of bandwidth.

To further reduce network bandwidth utilization, baramundi and Microsoft both support Delivery Optimization. This improves deployment efficiency by dividing the work of deploying multiple patches.

But beware: If the configuration is incorrect, the patches may be exchanged in public networks (e.g. hotel wifi) that pose increased security risks.

Formation of dynamic groups

In order to determine which devices still require action, you can create universal dynamic groups (UDGs) in bMS to check the patch status of each group. UDGs are nothing more than filters that group devices based on freely configurable criteria. But they give you a flexible, reliable and efficient way to distribute updates to meet your specific requirements.

A central view of Windows security features

The Windows Security Center inventory now displays the status of Windows' own protection mechanisms (firewall, UAC, Defender, etc.). The values can also be filtered via dynamic groups so that security incidents can be responded to automatically.

Keep an eye on patch level

For IT admins, it is important to maintain a current and accurate overview of device status at any given time. This applies both to the patch level and to the versions of the operating system installed. For example, it is important to know how many devices are using the 21H1 Windows version and which ones are still using 1809. There is a risk that older versions will drop out of maintenance and have no patches available.


Admins can optimally control all of these elements using baramundi Update Management. It not only provides a good overview of the current patch status, it also contains the necessary tools to react correctly and quickly to an acute threat situation through Microsoft Anti-Virus Defender definition updates, associated anti-virus scan, and much more.

Read more

Entries 1 to 3 of 3