by Scott Jack
Content Contributor, E-N Computers
7+ years experience in healthcare IT and tech support.
As an IT manager or business analyst, you know that failing to keep your systems patched and up to date can lead to huge financial and legal problems or can even destroy your business.
But updating and patching is time consuming and rarely goes smoothly. Can you trust an outsourced IT provider to do this work for you?
At ENC, we perform both automatic and manual updates to systems and software. Failed updates are followed up on. Business software updates are tested before being applied to all computers. Users are warned before updates are installed.
We automate most Windows desktop and server patching, drivers, firmware, and a long list of popular applications. Automatic updates follow a regular schedule and end with a prompt to reboot.
We manually update any automatic updates that fail, mobile devices, Unix and Linux systems, BIOS, line of business software and network equipment. Some manual updates can be handled during your normal onsite time, but others may need to be scheduled separately and billed accordingly.
And there are a few things we don’t touch.
We’ll cover a detailed explanation of everything we automatically patch, manually patch, or don’t patch.
How do you handle patch management for your IT managed service clients?
At E-N Computers, we use a detailed patch management process that provides both automatic and manual updates, as well as time for testing and follow through if an update fails.
Your role in successful patching
Automatic updates require that your computers are powered on and connected to the internet. Manual updates require an agreed-upon maintenance window where your staff and our technician will be available at the same time.
You can help by planning for this downtime and making sure your staff will be available to test the software. Often, this can be planned as part of your onsite support day.
We try to accommodate the client with our patching schedule, when necessary, but the process goes better when clients follow our time-tested procedures.
We use ConnectWise Automate remote monitoring and management software to manage automatic updates for Windows and other select software. We monitor for critical out-of-cycle patches from Microsoft.
Workstations running Windows 10 or 11 are automatically patched with Windows feature and quality updates. (Quality updates include security, critical, and driver updates provided by Microsoft.) This includes Windows 10 or 11 virtual desktops running on top of Hyper-V, Azure, and AWS. We install feature updates two versions behind the latest version; you will always receive the most recent quality updates. This helps make sure your workstations remain stable and that the new version does not conflict with your other applications.
We schedule workstations to install updates daily between 12:00 PM and 3:00 PM to maximize the likelihood each computer will be online to complete the update.
Once updates are installed, the user will be prompted to reboot the computer. The prompt is labeled “E-N Computers System Message” and says:
Your workstation has had system or security updates installed and must be rebooted. Please save your work and restart your computer.
The prompt can be dismissed for three hours at a time, up to 72 hours. The user will be notified once the deadline is reached with another prompt labeled “E-N Computers System Message” that reads:
Your PC has reached its patch reboot deadline. A reboot is necessary to complete the application of patches and close related vulnerabilities. Please save all your work to ensure nothing is lost during the reboot. Thank you!
The user will have 15 minutes to save any work.
Servers running Windows Server 2008 or newer are automatically patched with feature and quality updates once they have been approved by our engineers. This includes virtual servers running Windows Server on Hyper-V, Azure, and AWS, and it also applies to Remote Desktop terminal servers. Critical security updates for SQL, Exchange, and SharePoint are also installed. Server updates are installed on Tuesday evenings from 9 to 11 PM. Clients with a name starting with A to N are scheduled for the 1st and 3rd week of each month. Clients with a name starting with O to Z are scheduled for the 2nd and 4th week of each month. Servers reboot after installing updates.
The following third-party applications are automatically updated using a combination of ConnectWise Automate and Ninite.
- Adobe Acrobat Standard/Pro
- Adobe Reader
- Google Chrome
- Citrix Receiver
- Foxit PDF Reader
- Google Drive
- Google Earth
- Microsoft .NET 3.5 and up
- Microsoft Edge
- Microsoft OneDrive
Drivers and firmware
In some cases, we may automatically update drivers or firmware (but not BIOS). There is no reboot deadline for these updates. The “E-N Computers System Message” will read:
Your computer has received BIOS, driver, and/or firmware updates and requires a reboot. Please reboot at your convenience.
Meraki network equipment
We configure your Meraki network equipment to auto-update. Meraki notifies us of upcoming patches one to three weeks in advance. We will notify you about when the update is scheduled and ask that you inform us of any network issues that happen post-update.
When automatic updates fail
Automatic updates occasionally fail. This can be because:
- The device was off.
- The device was not connected to the internet.
- The device does not have enough available storage.
- The device is not configured correctly or there is a software conflict.
- The device is not running our management software.
We run weekly reports on workstations and servers that are out of date or non-compliant. Your account manager and on-site technician receive this report of non-compliant devices and will work with you to make sure all devices are updated. Engineers will work to resolve patch failures on servers. Some of your regular onsite time may be needed to determine why updates could not be installed and to manually install them, if necessary.
Some software must be manually patched due to operating system limitations, a requirement for a physical non-network connection like USB or serial cable, or failed automatic updates.
Manual updates may incur billed change management time because they require more planning, coordination, and technician time. We will work with your liaison to determine which updates can realistically be accomplished during your on-site support day, and which will require additional time.
macOS, iOS, and Android
Devices running macOS, iOS, and Android are administered using web-based mobile device management (MDM) software like Meraki Systems Manager or Microsoft Intune. The MDM will tell your managed devices to automatically download updates but, due to limitations imposed by these operating systems, can only ask users to install the update.
In many cases, these devices must be manually updated by a technician, who must obtain a report showing which devices are not updated, coordinate with your liaison to make sure those devices will be available during the on-site day, and then update each one. Because this can take a significant amount of time, we may recommend that other items be prioritized for the on-site day and that mobile device updates be done during billed change management time.
With your buy-in and support, the amount of time required to keep these devices updated can be reduced. You can work with employees to make sure they are setting aside time to update their managed mobile devices when prompted.
Unix and Linux systems are manually updated by engineers with more advanced skills. They usually incur billed change management time.
BIOS is a low-level firmware that runs between the hardware and operating system of a computer. Because updating the BIOS presents a higher risk of “bricking” a device, these updates are performed manually.
Line of business applications
Line of business (LOB) applications are those that are critical to the function of your business. They include software for accounting, customer relationship management (CRM), enterprise resource planning (ERP), and electronic health records (EHR).
Some software vendors include patching as part of your maintenance contract with them. If they do not, we can update the application manually. Because of the critical and complex nature of these updates, we charge them as change management time.
To make sure that a LOB update is successful, users must test the application after it is updated. Therefore, these updates must be scheduled so that their regular users are available to test and are prepared for downtime.
Network equipment and VoIP phone system
Network equipment — including switches, wireless access points (APs), network attached storage (NAS), network printers, and internet of things (IoT) devices — must be manually updated. A technician must be physically present because often these devices require a physical connection to a laptop, or their updates disrupt the network connection.
Your VoIP phone system must be manually updated for the same reason. This also allows us to make sure that your phones are functional immediately after the update.
Systems like VMware vSphere and Microsoft Hyper-V, which allow the creation and management of virtual machines (abstracted computers within a computer), must be updated manually. As mentioned above, the Windows VMs on top of them are auto-updated.
Systems and software we do not update
Websites. The security of your website is critical and requires keeping your content management systems updated. Please work with your marketing agency or web host to update any website-related systems.
Web-based software. Web applications are provided by software vendors on a subscription basis. As long as you pay the subscription, you will be able to access the latest version of the software. The vendor has full control over changes to the software; neither you nor we have any control over these updates. However, you may have to use a specific web browser or browser plug-in for the web app to work correctly. Examples of web-based software include Microsoft 365, Meraki Dashboard, Google Workspace, Salesforce, and HubSpot.
Bring Your Own Device. Your employees are responsible for updating equipment that they own. We do not manage updates for employee-owned devices such as smartphones, tablets, or personal computers, even if they are used for work. Also, we do not manage updates on company-owned devices that do not have our management tools installed.
Your patience is always appreciated when we work on your computer systems. Our goal is to make sure your systems are backed up, up to date, and secure. We want to make sure the job is done right the first time; a rush job may save a few minutes now but cost your workers more time and productivity down the line.
If you are a client with questions about the patching process, your account manager will be happy to assist. If you’re not a client but have an interest in outsourcing your patching, please schedule a meeting with one of our engineers.
Take the IT Maturity Assessment
Is your business ready to weather changes, including employee turnover? Find out by taking our IT maturity assessment.
You’ll get personalized action items that you can use to make improvements right away. Plus, you’ll have the opportunity to book a FREE IT strategy session to get even more insights into your IT needs.