Skip to main content

Windows Update and Third-Party Application Patching Setup

Customer Experience Overview

Technology Services strives to ensure a smooth and minimally disruptive update experience across all centrally managed Windows devices. Here’s what you can expect as updates are deployed:

  • Automatic Updates: Most updates happen automatically in the background. However, for updates to install, your computer must remain on, connected to the internet, and plugged in if on battery.
    info

    This can happen from any location, whether at home, the office, or traveling, as updates are managed through Microsoft Intune which is internet-based.

  • Notifications for Major Updates: For significant updates or new applications, you’ll receive notifications ahead of time to close any affected applications or restart your device, with options to delay for up to 48 hours.
  • Active Hours Protection: Updates will not automatically restart your device between 8 AM and 5 PM, so you can work uninterrupted. Outside these hours, restarts may occur if required.
  • Phased Deployment: Updates are deployed in phases (“rings”) to ensure stability, beginning with a small group and gradually rolling out to all devices. This approach minimizes potential disruptions and ensures a stable experience across the board.

For urgent security updates, you may see quicker notifications or restart prompts to protect your system and data. Rest assured that these updates are rigorously tested to ensure minimal disruption.

Business-Critical Applications with User Notifications Enabled

Some essential applications receive special update handling to avoid disrupting your work. When these applications are running, you’ll be prompted to close them before updates proceed, ensuring that your experience with these tools remains uninterrupted.

The following applications are configured to prompt you to close them if running during updates:

  1. 1Password
  2. Adobe Acrobat
  3. Adobe Digital Editions
  4. AWS SAM Command Line Interface
  5. Bitwarden
  6. Blender
  7. Bloomberg Terminal
  8. Cisco AnyConnect
  9. Cisco Webex Meetings
  10. Cisco Webex Recorder and Player
  11. Zoom Outlook Plugin
  12. Zoom VDI Workplace
  13. Zoom Workplace
  14. Zulu JDK 8

What to Expect with Conflicting Processes

Important

If one of these applications is open during an update, you’ll receive a notification prompting you to close it. This allows you to finish your work before closing the application for the update to proceed.

If the application isn’t closed within the allowed deferral time, the update will continue to prompt you, potentially leading to the application automatically closing after reaching the maximum deferral limit. Keeping these applications closed during scheduled update times ensures a smoother update experience.

Example Scenario:
David is in the middle of editing a document in Adobe Acrobat Reader DC when a scheduled update begins. He receives a prompt to close the application but chooses to defer it since he needs more time. David can defer the update up to the maximum limit (typically 48 hours), after which he must close the application for the update to proceed. If he reaches the deferral limit and doesn’t close the application, he will see a final notification, after which the application will close automatically.

Update and Patch Management Process

1. Testing and Approval

Patch Testing

Testing Process
  • Scope: Windows and third-party updates are first deployed to a small First Ring group (1% of devices) to ensure initial stability before broader rollout.
  • Customer Note: As a part of this phased deployment, only a small group of early adopters initially receive updates, minimizing risks to the broader population.

Example Scenario:
John, an IT staff member, is part of the First Ring. He receives a feature update immediately, so he can test its functionality on his device. After a week of stable results, the update progresses to the Fast Ring, where more users receive it.

Approval Process

Approval Steps

  • Auto-Approval: Regular Windows security/quality updates and minor application updates are automatically approved.
  • Governance Review: Major application updates and critical out-of-band patches are reviewed by the Governance Board before deployment.
Customer Note

You may experience a delay for major updates, as these undergo further testing and approvals to ensure minimal disruption.

Example Scenario:
Sarah, a faculty member, notices that a new version of a third-party application (e.g., Zoom) takes a bit longer to appear on her device. This delay is because the Governance Board reviewed the update to ensure it doesn’t cause any issues that could disrupt her work.

2. Patch Deployment

Windows Updates

  • Types of Updates:
    • Security/Quality Updates: Applied according to the specified ring deployment structure.
    • Feature Updates: Deployed following recommended ring settings.
    • Hardware Drivers: Delivered either via Microsoft or directly from vendors, depending on configuration.
Important Reminder

For updates to install, your device must remain on, connected to the internet, and (if on battery) plugged in to avoid disruptions. Since Intune is internet-based, updates can install from any location with internet access.

Example Scenario:
Mark, an administrative assistant, leaves his laptop on overnight, connected to his home Wi-Fi, so that Windows can install an essential security update without interrupting his workday. When he returns in the morning, the update has completed, and his device is ready for use.

Third-Party Application Updates

  • Deployment Flow: Minor updates deploy daily, moving from First Ring (1%) to Fast Ring (9%) after 24 hours, then to Broad Ring (90%) over five days.
  • Manual Deployment: Major versions or unique updates may be manually deployed by support teams, following TAMU Control Catalog guidelines.
Customer Note

You’ll receive a 48-hour countdown notification if you need to close an application to complete an update. If a reboot is required, you’ll have up to 48 hours to restart, with reminders every two hours.

Example Scenario:
Anna is prompted to close her web browser to complete a third-party update. She decides to finish her work first, snoozing the update until later in the evening. When she returns in the morning, the update has completed without requiring further action.

Out-of-Band Updates

  • Zero-Day Updates: Critical zero-day updates are deployed immediately to pilot groups.
  • Standard Deployment: Non-urgent patches follow typical ring settings.
Customer Note

For urgent security updates, users in the affected rings may see quicker deployments and are prompted for necessary actions, such as rebooting.

Example Scenario:
David receives a prompt to install a critical security patch that addresses a zero-day vulnerability. Since this patch is urgent, he is required to restart his computer immediately after installing the update to ensure his device’s security.

Windows Update Ring Structure

To ensure stability, updates are deployed progressively across different user groups in phases, or "rings."

RingDevicesQuality DeferralFeature DeferralReboot Grace PeriodAuto RebootActive Hours
First Ring1%0 days0 days1 dayNo8 AM - 5 PM
Fast Ring9%3 days3 days3 daysYes8 AM - 5 PM
Broad Ring90%6 days20 days7 daysNo8 AM - 5 PM

Ring Definitions and Active Hours

Active Hours are times when updates are configured not to automatically restart your device to minimize work disruption. During these hours (8 AM - 5 PM), any update requiring a reboot will only prompt you to restart manually. If you don’t restart during Active Hours, the system will defer the reboot until Active Hours end.

Outside Active Hours (after 5 PM), any pending updates may initiate an automatic restart if required, based on your reboot grace period and auto-reboot settings.

Example of Active Hours Impact

If a critical update installs at 3 PM and requires a restart, you will be prompted to restart manually. However, if you haven’t restarted by 5 PM, the system may proceed with an automatic reboot outside Active Hours if the grace period allows it.

Example Scenario:
Mike is notified of an update that requires a restart. Since he’s busy with a project, he delays the restart. The update will automatically reboot his device after 5 PM if he hasn’t done it himself, minimizing disruption to his work.