How Can We Help?
Windows Update Patch Policies and Schedules
This document outlines BRITECITY’s default patching categories, schedules, and approval policies for all managed Windows Workstations and Servers. The patching strategy balances proactive security with operational stability, using severity- and classification-based rules for deployment.
See also: Daytime Patching
Patch Policy Overview
Patching policies are tailored to device type and structured to control:
- When and how updates are installed
- Reboot logic and whether user interaction is required
- Severity-based installation logic
- Classification-specific rules (e.g., Drivers, Feature Packs)
- Deferred feature and quality updates based on ConnectWise NOC release timing
Windows Update Schedules & Policies
| Machine Category | Download & Install Schedule | Reboot Window | User Notification | Update Assistant Mode | Create Restore Point | Baseline Patch Enforcement | Feature/Quality Update Deferment |
|---|---|---|---|---|---|---|---|
| Workstations | Nightly, 12–4 AM | Sundays 8 PM–12 AM | Ask > 24hr wait → Auto-allow (max 4×4hr snoozes) | Managed – UI Disabled | Yes | Yes | Deferred until released by ConnectWise NOC |
| Server Hosts | Saturdays, 12–4 AM | Saturdays, 5–6 AM | No user notification | Managed | Yes | Yes | Deferred until released by ConnectWise NOC |
| Servers (VMs / Bare Metal) | Sundays, 12–4 AM | Sundays, 5–6 AM | No user notification | Managed | Yes | Yes | Deferred until released by ConnectWise NOC |
Windows Update Approval Matrix
| Patch Category | Workstations | Servers |
|---|---|---|
| Security Updates | Deploy (NOC Approved) | Deploy (NOC Approved) |
| Critical Updates | Deploy All | Deploy Al |
| Updates | Deploy All | Deploy All |
| Feature Updates | Deploy All | Deploy All |
| Drivers | Do Not Deploy | Do Not Deploy |
| Feature Packs | Deploy All | Do Not Deploy |
| Update Rollups | Deploy All | Deploy All |
| Tools | Deploy All | Deploy All |
| OS Upgrade | Off | Off |
| Active Directory Rights Management Client | Deny | Severity-based |
| ASP.Net Web Frameworks | Approve | Severity-based |
| Bing Bar / Desktop / IME | Deny | Deny |
| CAPICOM | Deny | Approve |
| Definition Updates | Approve | Approve |
| Exchange Server | Deny | Approve |
| Microsoft Dynamics / Lync Server | Deny | Severity-based |
| Microsoft SQL Server / Works | Deny | Approve |
| Microsoft Office / Report Viewer | Approve | Approve |
| Silverlight / Service Packs | Approve | Severity-based |
| Skype for Windows | Approve | Deny |
| System Center | Deny | Severity-based |
Severity-Based Settings
| Severity Rating | Workstations | Servers |
|---|---|---|
| Unspecified | Approve | Approve |
| Low | Approve | Approve |
| Moderate | Approve | Approve |
| Important | Approve | Approve |
| Critical | Approve | Approve |
| CVSS Score > 1 | Approve | Approve |