Windows Patching: How Do We Do It?

This is the second in a series of two short articles about Windows Patching: what it is, why it’s necessary, and how BDPNetworks implements and manages it.

WINDOWS PATCHING: A NECESSARY EVIL

In a nutshell: All Internet-connected systems must be continuously patched.

In the last article we talked about how we got to the present day situation with patching. Today we’re going to talk about how we at BDPNetworks manage this for our clients.

Our Windows-based patching system is a hybrid of manual patch approval and automated patch deployment.

Microsoft issues most of their patches on the second Tuesday of each month (informally known as Patch Tuesday). These patches are categorized into the following areas: critical updates, definition updates, drivers, feature packs, security updates, tools, service packs, update rollups and updates. There are usually at least a dozen patches each month for every supported version of Windows (Vista/7/8 and Server 2003, 2008, 2012) and Office (2007, 2010, 2013).

Step 1:

We install all of the new patches except drivers, feature packs and tools on our own internal systems and test them for about a week. This gives us a chance to see if there are any obvious stability problems (and gives Microsoft a chance to either retract or replace faulty patches).

Step 2:

About a week later we approve these patches for distribution.

Step 3:

Each software agent on a system we manage scans the local computer for missing patches, then attempts to download and install the missing patches from a special computer on the local network called the “Probe.” If the Probe doesn’t have the patch, it is downloaded and cached for use by the next computer that needs it.

Our system does not override the local “Windows Update” service: that service may not always accurately report which patches have been installed, but it should still let you manually download and install patches yourself if you’d like. Our system keeps detailed information about which patches have been installed and which are still needed by each machine, and this information is displayed on the Executive Summary Reports our clients receive each month.

Scheduling:

Our most common installation schedule (used by most clients) is nightly at 3am. If a computer is turned off during this schedule, the system will attempt to install the patches when the machine is next turned on. If the computer needs to be rebooted after the patches are installed, the computer will give a logged-in user a 60-minute notice to save their work, then the machine is automatically restarted. (Also, why are your employees working at 3am???)

Most of our clients are set to immediately install any patch that doesn’t require a reboot. If you see a pop-up box in the bottom-right corner of your screen that says “Installing ## patches…”, that’s us: these are patches that can be installed without disrupting your work. You don’t have to do anything when this happens.

Other Notes:

  • We have occasionally retracted patches that cause conflicts with client software. These patches are automatically removed during the next patch installation schedule.
  • As a rule we do not push out later versions of Internet Explorer (9 and 10) due to multiple conflicts with client software. If you know that there are no conflicts with your software you are free to install these on your own. We will eventually push out later versions of Internet Explorer once we have confirmed compatibility with a wider range of applications.
  • We do not automatically update drivers because this can easily break a computer. If you need to update a driver please open a ticket and we can do it for you.
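The approval and per-machine scheduling rules described in Steps 1 to 3, the Scheduling section and the retraction note above, as an added Python model that is not BDPNetworks’ own code; the patch identifiers, release dates and the seven-day soak constant are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Categories the article says are never pushed automatically.
EXCLUDED = {"drivers", "feature packs", "tools"}
SOAK_DAYS = 7  # assumption: "about a week" of internal testing

@dataclass(frozen=True)
class Patch:
    kb: str            # constructed identifier, not a real KB number
    category: str
    released: date
    needs_reboot: bool

def approve(patches, today, retracted=frozenset()):
    """KBs approved for distribution on `today`: excluded categories and
    retracted patches are skipped, the rest must have soaked SOAK_DAYS."""
    return {
        p.kb for p in patches
        if p.category not in EXCLUDED
        and p.kb not in retracted
        and today - p.released >= timedelta(days=SOAK_DAYS)
    }

def plan_for_machine(patches, installed, today, retracted=frozenset()):
    """What the agent should do on one managed machine.
    install_now: approved, missing, no reboot  -> install immediately
    install_3am: approved, missing, reboot     -> nightly window
    remove:      installed but since retracted -> uninstall next schedule
    """
    approved = approve(patches, today, retracted)
    by_kb = {p.kb: p for p in patches}
    missing = approved - set(installed)
    return {
        "install_now": sorted(k for k in missing if not by_kb[k].needs_reboot),
        "install_3am": sorted(k for k in missing if by_kb[k].needs_reboot),
        "remove": sorted(set(installed) & set(retracted)),
    }

# Constructed catalogue: one Patch Tuesday release plus an older rollup.
PATCH_TUESDAY = date(2013, 9, 10)
CATALOG = [
    Patch("KB-EX-1", "security updates", PATCH_TUESDAY, True),
    Patch("KB-EX-2", "critical updates", PATCH_TUESDAY, False),
    Patch("KB-EX-3", "drivers", PATCH_TUESDAY, True),
    Patch("KB-EX-4", "update rollups", PATCH_TUESDAY - timedelta(days=30), False),
]
```

Call `plan_for_machine(CATALOG, {"KB-EX-4"}, PATCH_TUESDAY + timedelta(days=7))` to see one machine’s plan a week after the release: the driver is never approved, the no-reboot patch installs at once, and the security update waits for the 3am window.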

Have questions? Please e-mail us!