This chapter covers software patch management, a critical security practice for maintaining system integrity and protecting against vulnerabilities. It is part of CompTIA A+ Core 2 (220-1102) Domain 3.0 (Security) under Objective 2.2: Given a scenario, manage and configure security settings. Patch management appears in roughly 10-15% of exam questions, often integrated with scenarios about system updates, security policies, and software maintenance. Understanding how to plan, test, deploy, and verify patches is essential for both desktop support and system administration roles.
Think of a car's engine control unit (ECU) like the operating system on a computer. The manufacturer periodically releases software updates that fix bugs, improve fuel efficiency, or address safety recalls. If you ignore these updates, your car might run poorly or even fail emissions tests. A mechanic (the patch management system) checks for updates, downloads them, and installs them, often scheduling the work when you won't need the car. Without a proper schedule, you might bring the car in only when a problem occurs, risking a breakdown. Similarly, patch management ensures your OS and applications receive updates in a controlled, timely manner to prevent security vulnerabilities and system instability. Just as a recall notice demands immediate attention, critical security patches must be applied quickly to protect against exploits.
What is Software Patch Management?
Software patch management is the process of identifying, acquiring, testing, deploying, and verifying software updates (patches) for operating systems, applications, and firmware. Patches address security vulnerabilities, fix bugs, improve performance, or add features. Without a structured patch management process, systems remain exposed to known exploits, leading to data breaches, compliance violations, and operational downtime.
Why Patch Management Exists
Software is complex and inevitably contains flaws. Vendors release patches to close security holes, resolve stability issues, or ensure compatibility. Attackers actively scan for unpatched systems; the 2021 Microsoft Exchange Server vulnerabilities (ProxyLogon) were exploited against unpatched servers worldwide. Patch management ensures that updates are applied consistently and promptly, reducing the attack surface.
How Patch Management Works Internally
Inventory and Discovery: A patch management tool (e.g., WSUS, SCCM, or a third-party solution) scans endpoints to identify installed software versions and missing patches. It compares the installed versions against a database of available updates.
Patch Acquisition: The tool downloads patches from the vendor's update server. For Windows, this is typically Microsoft Update; for Linux, it's the distribution's repository. Patches are stored in a local repository (e.g., WSUS) for controlled distribution.
Testing: Patches are applied to a test group (ring) of non-production systems. Testing verifies that the patch does not break critical applications or cause system instability. This is often done in a staging environment that mirrors production.
Approval and Deployment: After testing, patches are approved for deployment. Deployment can be scheduled during maintenance windows to minimize disruption. The tool pushes patches to clients, either by forcing installation or making them available for user-initiated installation.
Verification and Reporting: Post-deployment, the tool verifies that patches were successfully installed. Reports show compliance status, failed installations, and systems that missed the update.
Key Components, Values, Defaults, and Timers
Patch Classification: Microsoft defines update classifications: Critical Updates, Security Updates, Update Rollups, Service Packs, Feature Packs, Definition Updates, Tools, and Drivers. Security and Critical updates are highest priority.
Update Channels: Windows uses several servicing channels: General Availability Channel (semi-annual), Long-Term Servicing Channel (LTSC, for specialized devices), and Insider Program. For Windows 10/11, feature updates are released twice a year.
Default Update Settings: Windows Update default is automatic download and install (Windows 10/11 Home and Pro). Group Policy can override: Configure Automatic Updates (set to 2 - Notify for download and notify for install, 3 - Auto download and notify for install, 4 - Auto download and schedule install, 5 - Allow local admin to choose).
WSUS (Windows Server Update Services): Default sync schedule is every 22 hours (configurable). Client targeting can be manual or via Group Policy. Approval state: Install, Approve, Decline, or Remove.
SCCM (System Center Configuration Manager): Software update point synchronizes with WSUS. Deployment templates define settings like deadline, user experience, and restart behavior.
Patch Management Lifecycle: Typically 30 days for standard patches, 7 days for important, 48 hours for critical, and 0-24 hours for emergency (zero-day) patches.
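The 'Configure Automatic Updates' options (2 through 5) and the WSUS location policy described above are stored as registry values that a patch management tool or an auditor can read back. The following is an added example, not code from the page or from Microsoft: it interprets those values and flags the weak settings an administrator would want to catch (updates disabled, option 2 on unattended machines, a WSUS server published over plain HTTP, targeting enabled without a group). The two policy dictionaries at the bottom are constructed samples; on a real machine the same dictionary would be built from the values under HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate and its AU subkey.

```python
"""Interpret the registry values written by the 'Configure Automatic Updates'
and 'Specify intranet Microsoft update service location' Group Policy
settings and flag weak configurations.

Added example, not code from the page. The value sets at the bottom are
constructed; on a real machine the same dict would be built from
HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate and its AU subkey.
"""

# Meaning of AUOptions, as written by 'Configure Automatic Updates' (options 2-5).
AU_OPTIONS = {
    2: "Notify for download and notify for install",
    3: "Auto download and notify for install",
    4: "Auto download and schedule install",
    5: "Allow local admin to choose setting",
}

# ScheduledInstallDay: 0 = every day, 1 = Sunday ... 7 = Saturday.
DAYS = ["every day", "Sunday", "Monday", "Tuesday", "Wednesday",
        "Thursday", "Friday", "Saturday"]


def assess_update_policy(policy: dict) -> dict:
    """Return the effective update mode and a list of findings.

    `policy` is a flat dict of the policy values under the WindowsUpdate key
    and its AU subkey; a missing key means 'not configured'.
    """
    findings = []
    au = policy.get("AUOptions")

    if policy.get("NoAutoUpdate") == 1:
        mode = "automatic updates disabled by policy"
        findings.append("NoAutoUpdate=1: clients never scan for updates")
    elif au is None:
        mode = "not configured (Windows default: automatic download and install)"
    elif au in AU_OPTIONS:
        mode = AU_OPTIONS[au]
        if au == 2:
            findings.append("AUOptions=2: nothing is downloaded until a user acts, "
                            "so unattended machines silently fall behind")
        elif au == 4:
            day = policy.get("ScheduledInstallDay", 0)
            hour = policy.get("ScheduledInstallTime", 3)
            day_name = DAYS[day] if 0 <= day < len(DAYS) else f"day {day}"
            mode += f" ({day_name} at {hour:02d}:00)"
    else:
        mode = f"unknown AUOptions value {au}"
        findings.append(f"AUOptions={au}: not a documented option (2-5)")

    if policy.get("UseWUServer") == 1:
        server = policy.get("WUServer", "")
        if not server:
            findings.append("UseWUServer=1 but WUServer is empty: clients have no update source")
        elif server.lower().startswith("http://"):
            findings.append(f"WUServer {server} is plain HTTP; publish WSUS over HTTPS "
                            "so clients can verify they are talking to your server")
        if policy.get("TargetGroupEnabled") == 1 and not policy.get("TargetGroup"):
            findings.append("client-side targeting enabled but TargetGroup is empty")

    return {"mode": mode, "findings": findings}


# Constructed sample: a weak configuration (user must click to download; WSUS over HTTP).
WEAK_POLICY = {
    "NoAutoUpdate": 0,
    "AUOptions": 2,
    "UseWUServer": 1,
    "WUServer": "http://wsus.example.local:8530",
    "WUStatusServer": "http://wsus.example.local:8530",
}

# Constructed sample: the corrected policy for a WSUS-managed pilot-ring workstation.
CORRECTED_POLICY = {
    "NoAutoUpdate": 0,
    "AUOptions": 4,
    "ScheduledInstallDay": 5,      # Thursday
    "ScheduledInstallTime": 22,    # 22:00, after business hours
    "UseWUServer": 1,
    "WUServer": "https://wsus.example.local:8531",
    "WUStatusServer": "https://wsus.example.local:8531",
    "TargetGroupEnabled": 1,
    "TargetGroup": "Pilot",
}

if __name__ == "__main__":
    for name, pol in (("weak", WEAK_POLICY), ("corrected", CORRECTED_POLICY)):
        result = assess_update_policy(pol)
        print(f"{name}: {result['mode']}")
        for finding in result["findings"]:
            print("  -", finding)
```

Running the script prints the effective mode for each sample and, for the weak one, the two findings. The HTTPS check matters because the update client trusts the server it is pointed at; serving WSUS over HTTPS is what lets clients authenticate that server.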
Configuration and Verification Commands
Windows Update (GUI): Settings > Update & Security > Windows Update > Check for updates.
Command-Line: wuauclt /detectnow (legacy) or UsoClient StartScan (Windows 10/11). Get-WindowsUpdate (PowerShell, from the PSWindowsUpdate module).
WSUS Administration Console: View update status, approve updates, generate reports.
SCCM Console: Software Library > Software Updates > All Software Updates; deploy with right-click.
Linux: apt update && apt upgrade (Debian/Ubuntu), yum update (RHEL/CentOS), dnf update (Fedora).
Verification: Check installed patches: Windows – wmic qfe list or Get-Hotfix (PowerShell). Linux – apt list --upgradable or yum check-update.
Interaction with Related Technologies
Group Policy: Controls Windows Update settings (e.g., specify intranet Microsoft update service location, configure automatic update, enable client-side targeting).
Active Directory: Used for client targeting in WSUS and SCCM. Computers are organized into OUs, and Group Policy applies update policies.
Network Access Protection (NAP): Legacy; could enforce patch compliance before allowing network access (not common in modern environments).
Endpoint Protection: Antivirus definitions are updated via patch management. Many EDR solutions integrate with patch management to prioritize patches based on threat intelligence.
Change Management: Patch deployment should follow change management processes, including RFC (Request for Change), approval, and rollback planning.
Best Practices
Test before deploying: Use a pilot group (e.g., IT staff) before broad rollout.
Schedule maintenance windows: Apply patches during low-usage periods.
Prioritize critical and security patches: Use CVSS scores to determine urgency.
Maintain a patch baseline: Ensure all systems meet a minimum patch level.
Automate where possible: Use tools like WSUS, SCCM, or third-party solutions (e.g., ManageEngine Patch Manager Plus, Ivanti).
Have a rollback plan: Uninstall patches if they cause issues (Windows: Programs and Features > Installed Updates).
Monitor compliance: Generate regular reports of missing patches and failed installations.
Common Pitfalls
Applying patches without testing: Can break critical applications.
Delaying critical patches: Leaves systems vulnerable to known exploits.
Inconsistent patch levels: Some systems may be missed, creating security gaps.
Ignoring firmware updates: BIOS/UEFI updates often fix hardware security issues.
Not updating offline systems: Air-gapped systems need manual patching or offline update media.
Patch Management in Different Environments
Enterprise: Centralized patch management with WSUS/SCCM, automated deployment rings, and strict change control.
Small Business: Windows Update automatic or manual; possibly a simple patch management tool.
Cloud: Cloud providers manage hypervisor patches; customer is responsible for guest OS and application patches (shared responsibility model).
Mobile Devices: MDM (Mobile Device Management) pushes updates to iOS/Android devices; users may defer updates.
Security Implications
Unpatched systems are the leading cause of data breaches. The 2017 WannaCry ransomware exploited an unpatched SMB vulnerability (MS17-010). Patch management is a fundamental security control required by compliance frameworks like PCI DSS, HIPAA, and NIST. Regular patching reduces the window of exposure and is a key indicator of a mature security posture.
Inventory and Discovery
The patch management tool (e.g., WSUS, SCCM) scans all managed endpoints to identify the operating system version, installed software, and current patch level. This is typically done via agent-based or agentless methods. For Windows, the Windows Update Agent reports to WSUS. The tool compares the installed patches against a known list of available updates from the vendor. This step ensures you know exactly what needs patching.
Patch Acquisition and Testing
Patches are downloaded from the vendor's update server (e.g., Microsoft Update) to a local repository. In a test environment (staging), patches are applied to non-production systems that mirror production workloads. Testing verifies that the patch does not cause application compatibility issues or system instability. This step is critical to avoid deploying a faulty patch that could disrupt operations.
Approval and Deployment
After successful testing, an administrator approves the patch for deployment to production systems. Patches are grouped into deployment rings (e.g., pilot, fast, broad). The tool pushes patches to clients according to a schedule, often during a maintenance window. Windows Update can be configured to download and install automatically or notify the user. The deployment can be forced with a deadline.
Verification and Reporting
Post-deployment, the patch management tool verifies that the patch was successfully installed on each target system. Reports show compliance rate, failed installations, and systems that were offline during deployment. Administrators can generate compliance reports for auditing purposes. Any failed installations are flagged for manual remediation.
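The compliance report described above is a small amount of logic once the inventory is in hand. The following is an added example, not code from the page or from any patch management product: it takes a constructed endpoint inventory, applies the patch lifecycle stated earlier on the page (30 days standard, 7 days important, 48 hours critical, 24 hours emergency), separates offline systems from the compliance rate, and lists the hosts that need manual remediation (failed installs and missed deadlines). The record shape (host, last_seen, failed, missing) and the three-day offline threshold are assumptions of this example, not a real WSUS or SCCM export format.

```python
"""Patch compliance report over a constructed endpoint inventory.

Added example, not code from the page. The records below are constructed and
their shape (host, last_seen, failed, missing) is an assumption about what you
would export from WSUS or SCCM, not a real export format. Deadlines follow the
lifecycle stated on the page: 30 days standard, 7 days important,
48 hours critical, 24 hours emergency.
"""
from datetime import datetime, timedelta

# Time allowed between a patch's release and its installation, per severity.
SLA = {
    "standard": timedelta(days=30),
    "important": timedelta(days=7),
    "critical": timedelta(hours=48),
    "emergency": timedelta(hours=24),
}

# Assumption: a client that has not checked in for 3 days is reported as offline
# rather than counted against the compliance rate.
OFFLINE_AFTER = timedelta(days=3)

# Constructed inventory. 'missing' holds (kb, severity, release time) tuples for
# approved updates not yet installed; 'failed' holds KBs whose install failed.
# KB names are placeholders, not real Microsoft KB numbers.
ENDPOINTS = [
    {"host": "WS-0001", "last_seen": datetime(2024, 3, 20, 9, 0),
     "failed": [], "missing": []},
    {"host": "WS-0002", "last_seen": datetime(2024, 3, 20, 8, 30), "failed": [],
     "missing": [("KB-SAMPLE-1", "critical", datetime(2024, 3, 12, 18, 0))]},
    {"host": "WS-0003", "last_seen": datetime(2024, 3, 19, 17, 0), "failed": [],
     "missing": [("KB-SAMPLE-2", "standard", datetime(2024, 3, 12, 18, 0))]},
    {"host": "WS-0004", "last_seen": datetime(2024, 3, 10, 12, 0), "failed": [],
     "missing": [("KB-SAMPLE-1", "critical", datetime(2024, 3, 12, 18, 0))]},
    {"host": "SRV-0001", "last_seen": datetime(2024, 3, 20, 7, 0),
     "failed": ["KB-SAMPLE-2"],
     "missing": [("KB-SAMPLE-2", "standard", datetime(2024, 3, 12, 18, 0))]},
]


def overdue_updates(endpoint, now):
    """KBs on this endpoint whose SLA deadline has already passed."""
    return [kb for kb, sev, released in endpoint["missing"]
            if now > released + SLA[sev]]


def classify(endpoint, now):
    """Status precedence: offline > failed > overdue > pending > compliant."""
    if now - endpoint["last_seen"] > OFFLINE_AFTER:
        return "offline"
    if endpoint["failed"]:
        return "failed"
    if overdue_updates(endpoint, now):
        return "overdue"
    if endpoint["missing"]:
        return "pending"
    return "compliant"


def compliance_report(endpoints, now):
    """Compliance rate over online hosts, hosts grouped by status, and the
    remediation list (failed installs plus missed deadlines)."""
    statuses = {e["host"]: classify(e, now) for e in endpoints}
    online = [h for h, s in statuses.items() if s != "offline"]
    compliant = [h for h in online if statuses[h] == "compliant"]
    rate = round(100.0 * len(compliant) / len(online), 1) if online else 0.0
    by_status = {}
    for host, status in statuses.items():
        by_status.setdefault(status, []).append(host)
    remediate = sorted(by_status.get("failed", []) + by_status.get("overdue", []))
    return {"compliance_rate": rate, "by_status": by_status, "remediate": remediate}


if __name__ == "__main__":
    report = compliance_report(ENDPOINTS, datetime(2024, 3, 20, 12, 0))
    print(f"compliance rate (online hosts): {report['compliance_rate']}%")
    for status, hosts in sorted(report["by_status"].items()):
        print(f"  {status:<9} {', '.join(hosts)}")
    print("manual remediation:", ", ".join(report["remediate"]))
```

Offline hosts are reported separately rather than silently counted as compliant or non-compliant; that is the case the text flags, and a host that has not checked in cannot be assumed patched. "Pending" hosts are inside their deadline and need no action yet.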
Rollback and Remediation
If a patch causes issues, an administrator can uninstall it from affected systems. In Windows, this is done via 'Programs and Features' > 'Installed Updates' or using the command `wusa /uninstall /kb:xxxxxx`. For critical issues, the rollback should be performed immediately. After rollback, the patch can be investigated and possibly re-approved with additional testing.
In a large enterprise with 10,000 Windows workstations, patch management is often centralized using Microsoft SCCM or a third-party solution like Ivanti. The IT team creates deployment rings: first, a pilot group of 100 IT staff and test machines; then a fast ring of 1,000 early adopters; finally, a broad ring for the remaining systems. Patches are approved after a 7-day testing period. The team schedules deployments for Thursday nights to allow weekend troubleshooting. Compliance reports are generated weekly. A common issue is that some systems are offline during the deployment window, requiring a re-deployment or manual patching. Another challenge is third-party applications (e.g., Java, Adobe Reader) that have their own update mechanisms. The team configures SCCM to manage these updates as well, using custom update catalogs. Without proper testing, a patch that breaks a critical line-of-business application could cause significant downtime. For example, a security update for .NET Framework might cause a legacy accounting application to fail. The rollback process must be documented and tested.
In a smaller business with 50 computers, the IT generalist might rely on Windows Update automatic settings and manually approve updates after a quick test on a spare machine. They might use a free tool like PDQ Deploy to push updates to remote offices. The key difference from the enterprise is the lack of formal change management and the higher risk of missing critical patches. In both scenarios, the goal is to maintain a consistent patch level to reduce vulnerability exposure.
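The enterprise schedule above (pilot ring, 7-day testing period, Thursday-night deployments) and the Patch Tuesday rule stated later in the chapter (second Tuesday of each month) combine into a calendar that can be computed rather than looked up. The following is an added example, not code from the page or from Microsoft: it computes Patch Tuesday for a given month and derives the ring dates from it. The pilot ring receiving the patch on release day and the one-week gap between the fast and broad rings are assumptions of this example; the 7-day testing period and the Thursday deployment night come from the scenario.

```python
"""Compute Patch Tuesday and a deployment-ring calendar for a month.

Added example, not code from the page. Release day is the second Tuesday of
the month; the ring timing follows the enterprise scenario on the page
(7-day testing period, deployments on Thursday nights). Pilot-on-release-day
and the one-week fast-to-broad gap are assumptions of this example.
"""
from datetime import date, timedelta

TUESDAY, THURSDAY = 1, 3           # date.weekday(): Monday == 0
TESTING_PERIOD = timedelta(days=7)  # from the scenario: approve after 7 days
FAST_TO_BROAD = timedelta(days=7)   # assumption: broad ring one week after fast


def patch_tuesday(year: int, month: int) -> date:
    """Second Tuesday of the given month."""
    first = date(year, month, 1)
    first_tuesday = first + timedelta(days=(TUESDAY - first.weekday()) % 7)
    return first_tuesday + timedelta(days=7)


def next_weekday(start: date, weekday: int) -> date:
    """First date on or after `start` that falls on `weekday`."""
    return start + timedelta(days=(weekday - start.weekday()) % 7)


def ring_schedule(year: int, month: int) -> dict:
    """Release, approval and per-ring deployment dates for one month's patches."""
    release = patch_tuesday(year, month)
    approval = release + TESTING_PERIOD
    fast = next_weekday(approval, THURSDAY)
    return {
        "release": release,
        "pilot": release,            # assumption: pilot ring installs on release day
        "approval": approval,        # production approval after the 7-day test
        "fast": fast,                # first Thursday night on or after approval
        "broad": fast + FAST_TO_BROAD,
    }


def rings_due(schedule: dict, on: date) -> list:
    """Rings whose deployment date has arrived by `on` (so should be patched)."""
    return [ring for ring in ("pilot", "fast", "broad") if schedule[ring] <= on]


if __name__ == "__main__":
    for label, day in ring_schedule(2024, 3).items():
        print(f"{label:<9}{day:%a %Y-%m-%d}")
```

For March 2024 this yields release and pilot on Tuesday the 12th, approval on the 19th, the fast ring on Thursday the 21st and the broad ring on the 28th; `rings_due` is the check a compliance report would use to decide which rings a given host should already be patched in. Note that the broad ring lands 16 days after release under these assumptions, which is why critical and emergency patches are handled outside this calendar with the shorter deadlines listed earlier.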
The 220-1102 exam tests patch management primarily under Objective 2.2 (manage and configure security settings). Expect scenario-based questions where you must choose the correct procedure, tool, or setting. Common wrong answers include:
1. 'Always install patches immediately' – While critical patches should be applied quickly, immediate deployment without testing can break systems. The correct approach is to test in a staging environment first.
2. 'Disable automatic updates to prevent interruptions' – This is a security risk. The correct action is to schedule updates during maintenance windows.
3. 'Use Windows Update for all patches' – In an enterprise, WSUS or SCCM provides centralized control; Windows Update is for individual users.
4. 'Patches are only for operating systems' – The exam emphasizes patching applications and firmware too.
Key values to remember:
WSUS default sync interval: every 22 hours.
Windows Update Group Policy settings: 2 (Notify), 3 (Auto download), 4 (Scheduled install), 5 (Local admin choice).
Patch classifications: Critical, Security, Update Rollup, Service Pack, Feature Pack, Definition Update, Tool, Driver.
Maintenance windows: Typically outside business hours.
Rollback command: wusa /uninstall /kb:xxxxxx.
Edge cases:
Offline systems: Must be patched via USB or offline media.
Zero-day exploits: Emergency patching without full testing; use virtual patching (IDS/IPS) as temporary mitigation.
End-of-life (EOL) software: No patches available; must upgrade or isolate.
Patch Tuesday: Microsoft releases patches on the second Tuesday of each month. Plan deployments after this.
How to eliminate wrong answers: Understand the mechanism. If a question involves a large network, look for centralized management options (WSUS, SCCM). If it's about a single user, Windows Update is correct. If testing is mentioned, the answer should include a test group. If rollback is needed, know the command. Always consider the principle of least privilege and change management.
Patch management is a security control that reduces vulnerabilities by keeping software up to date.
Always test patches in a non-production environment before broad deployment.
Use centralized tools like WSUS or SCCM for enterprise environments; Windows Update for individual users.
Prioritize critical and security patches; schedule standard patches during maintenance windows.
Verify patch installation and generate compliance reports regularly.
Have a rollback plan: use wusa /uninstall for Windows patches.
Patch management applies to OS, applications, firmware, and drivers.
Microsoft releases patches on Patch Tuesday (second Tuesday of the month).
These come up on the exam all the time. Here's how to tell them apart.
WSUS (Windows Server Update Services)
Free with Windows Server (additional CALs required).
Manages only Windows updates; no third-party patch support natively.
Simple deployment; syncs with Microsoft Update.
Reports basic compliance; limited reporting capabilities.
Best for small to medium environments (up to ~10,000 clients).
SCCM (System Center Configuration Manager)
Licensed product; part of Microsoft Endpoint Configuration Manager.
Manages Windows, third-party, and custom updates via catalogs.
Complex deployment; requires SQL Server and additional infrastructure.
Rich reporting, integration with other SCCM features (OS deployment, software distribution).
Scalable to hundreds of thousands of clients; enterprise-grade.
Mistake
Patches are only for security fixes.
Correct
Patches also fix bugs, improve performance, add features, and update drivers. Security patches are a subset, but not the only type.
Mistake
Automatic updates should always be enabled.
Correct
In enterprises, automatic updates can cause disruptions if not tested. They should be controlled via WSUS/SCCM with testing rings.
Mistake
Once a patch is installed, it can't be removed.
Correct
Most patches can be uninstalled via Programs and Features or using `wusa /uninstall`. Some cumulative updates may require a system restore point.
Mistake
Patch management is only for Windows.
Correct
Patch management applies to all operating systems (Linux, macOS, iOS, Android) and applications (browsers, Office, Java, etc.). The exam covers Windows primarily but mentions others.
Mistake
You only need to patch servers, not workstations.
Correct
Workstations are equally vulnerable and must be patched regularly. Attackers often target user endpoints as entry points.
A security update addresses a security vulnerability, while a critical update fixes a critical non-security bug. Both are high priority, but security updates are directly related to vulnerabilities. The exam expects you to know that security updates are for security fixes, and critical updates are for stability issues.
Navigate to Computer Configuration > Administrative Templates > Windows Components > Windows Update. Enable 'Configure Automatic Updates' and set the option: 2 (Notify for download and notify for install), 3 (Auto download and notify for install), 4 (Auto download and schedule install), or 5 (Allow local admin to choose). Also configure 'Specify intranet Microsoft update service location' to point to a WSUS server.
A deployment ring is a group of systems that receive patches at different stages. For example, ring 1 (pilot) gets patches first for testing; ring 2 (fast) gets them after successful testing; ring 3 (broad) gets them last. This phased approach allows you to catch issues before affecting all users.
Go to Control Panel > Programs and Features > View installed updates, select the update, and click Uninstall. Alternatively, use the command `wusa /uninstall /kb:xxxxxx` (the KB number without the 'KB' prefix). You may need to reboot. Note that cumulative updates might require uninstalling the entire cumulative update.
Patch Tuesday is the second Tuesday of each month when Microsoft releases security updates for its products. It is a predictable schedule that allows IT administrators to plan deployments. The exam may ask you to identify the correct day for patch release.
Yes, servers should not have automatic updates enabled to prevent unexpected reboots. Instead, use WSUS or SCCM to control updates, and schedule installations during maintenance windows. This ensures uptime and allows testing.
The default synchronization interval for WSUS is every 22 hours. You can change this in the WSUS console under Options > Synchronization Schedule. This interval determines how often WSUS downloads new patches from Microsoft Update.