Endpoint management teams are often overwhelmed by the volume of applications requiring patches, the frequency of updates, and the critical need to apply patches promptly to mitigate vulnerabilities. Outdated, labour-intensive patching processes that rely on extensive testing and monolithic rollout strategies are too slow to counter the increasing number of cyberattacks effectively. Additionally, these teams frequently lack the necessary tools to identify and resolve performance and stability issues caused by patching.
Organizations continue to struggle with the rapid pace of Windows and third-party application updates, compounded by the significant rise in cyber threats. Traditional on-premises patching strategies have proven ineffective for hybrid or remote devices, where constant connectivity to VPN or LAN is no longer guaranteed. End-user services leaders can enhance both efficiency and security by adopting a modern approach to patching Windows and third-party applications on endpoints. The following steps outline how to improve endpoint patching through modern methods, including Unified Endpoint Management (UEM), a risk-based approach to testing, and the use of Digital Experience (DEX) and automated testing tools.
Adopt Modern Management and UEM
Most endpoint management teams are actively transitioning from traditional, agent-based management to modern Windows management using Unified Endpoint Management (UEM) tools. Shifting control from endpoint agents to native Windows OS capabilities removes common failure points in the patching process, such as malfunctioning agents or lost agent-to-server communication. To accelerate remote device patching, enterprises are distributing updates over the internet, a standard UEM feature, which allows devices that are not on the LAN or VPN to be patched and to remain fully visible. This widens the window in which a device can be patched and feeds richer posture reporting into conditional access policies. It also reduces the risk of patching delays or failures caused by congestion on the VPN, the internet circuit, or the LAN, and improves the speed and consistency of device patching, which benefits both the employee experience and the device's security posture.
Enterprises are also leveraging Windows Update for Business, which lets endpoints connect directly to the Microsoft content delivery network over the public internet, bypassing intermediary update servers that IT would otherwise have to maintain. Windows Autopatch goes a step further: it is a Microsoft-managed service that handles patch deployment for the Windows OS, Office, Edge, and Teams on the organization's behalf.
Adopt a Risk-Based Approach to Testing and Deployment
All patches and updates require some level of basic testing, even when using modern endpoint management approaches. The key is determining which applications necessitate more extensive user acceptance testing (UAT). Gartner identifies several key risk factors to consider:
- Business Criticality:
  - Disrupting revenue generation
  - Introducing customer impact
  - Impairing internal operations
- Application Complexity:
  - The number of software components and external applications on which the application relies
  - Other OS or hardware dependencies
- Historical update success
The output of this evaluation is a list of applications with their testing requirements. Review the list at least annually and publish it broadly so that stakeholders have agreed on it before an update is in flight, rather than debating it during an incident.
For updates requiring UAT, Gartner recommends a ring-based deployment strategy. An effective ring-based strategy significantly reduces incidents arising from patching failures by detecting and responding to issues earlier in the deployment process.
Start with a small subset (ring) of IT employees who receive the updates first and can evaluate possible impacts. After initial testing, deployment expands to early adopters (influencers, application owners, or subject matter experts) to gather feedback on their experiences within the context of their business activities. This data determines the next step: progress to the next ring, or address technical issues and retest. With each successive ring, the process repeats and the audience expands. Define in advance how long each ring soaks and what counts as a blocking issue (for example, a failed-install or rollback rate above an agreed threshold), so the go/no-go decision is not made ad hoc. The number of subrings will vary based on the size and complexity of your organization.
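The ring strategy above and the Windows Update for Business model described earlier meet in the deferral policy applied to each device: devices in later rings are offered the same update later, so problems surface in the small rings first. The following PowerShell is an added example, not code from the article or from Gartner or Microsoft. It maps an assumed four-ring design to the documented Windows Update for Business deferral registry values, and reports the posture data (age of last installed update, pending reboot) that a conditional access or DEX tool would consume. The ring names, deferral days, and function names are assumptions for illustration.

```powershell
# Added example (not from the article): map deployment rings to Windows Update
# for Business deferral policy values and report the device's patch posture.
# Ring names, deferral days and function names are assumptions for illustration.
#Requires -RunAsAdministrator

$WufbPolicyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'

# Assumed ring design: each ring waits longer before quality (monthly) and
# feature updates are offered, so issues surface in the small rings first.
$PatchRings = [ordered]@{
    'Ring0-IT'       = @{ Quality = 0;  Feature = 0   }   # IT staff, same day
    'Ring1-Early'    = @{ Quality = 3;  Feature = 30  }   # early adopters / app owners
    'Ring2-Broad'    = @{ Quality = 7;  Feature = 60  }   # general population
    'Ring3-Critical' = @{ Quality = 14; Feature = 120 }   # business-critical roles
}

function Set-PatchRingPolicy {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)]
        [ValidateSet('Ring0-IT', 'Ring1-Early', 'Ring2-Broad', 'Ring3-Critical')]
        [string]$Ring
    )
    $days = $PatchRings[$Ring]
    # Windows accepts 0-30 days for quality deferral and 0-365 for feature deferral.
    if ($days.Quality -gt 30 -or $days.Feature -gt 365) {
        throw "Deferral for $Ring exceeds the values Windows Update for Business accepts."
    }
    if ($PSCmdlet.ShouldProcess($env:COMPUTERNAME, "apply ring '$Ring'")) {
        if (-not (Test-Path $WufbPolicyPath)) { New-Item -Path $WufbPolicyPath -Force | Out-Null }
        $values = @{
            DeferQualityUpdates             = 1
            DeferQualityUpdatesPeriodInDays = $days.Quality
            DeferFeatureUpdates             = 1
            DeferFeatureUpdatesPeriodInDays = $days.Feature
        }
        foreach ($name in $values.Keys) {
            Set-ItemProperty -Path $WufbPolicyPath -Name $name -Value $values[$name] -Type DWord
        }
    }
}

function Get-PatchRingPolicy {
    # Read back the deferral settings actually in effect, or $null if none are set.
    if (-not (Test-Path $WufbPolicyPath)) { return $null }
    Get-ItemProperty -Path $WufbPolicyPath |
        Select-Object DeferQualityUpdatesPeriodInDays, DeferFeatureUpdatesPeriodInDays
}

function Get-PatchPosture {
    # Posture data a conditional-access or DEX tool would want: how stale the
    # last installed update is and whether a reboot is still outstanding.
    $lastFix = Get-HotFix | Where-Object InstalledOn |
        Sort-Object InstalledOn -Descending | Select-Object -First 1
    # Either key exists only while Windows has a reboot pending.
    $rebootPending =
        (Test-Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired') -or
        (Test-Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending')
    [pscustomobject]@{
        Computer        = $env:COMPUTERNAME
        LastHotFix      = $lastFix.HotFixID
        LastInstalledOn = $lastFix.InstalledOn
        DaysSincePatch  = if ($lastFix) { [int]((Get-Date) - $lastFix.InstalledOn).TotalDays } else { $null }
        RebootPending   = $rebootPending
        Deferral        = Get-PatchRingPolicy
    }
}

# Usage: dry run first, then apply, then report.
# Set-PatchRingPolicy -Ring 'Ring1-Early' -WhatIf
# Set-PatchRingPolicy -Ring 'Ring1-Early'
# Get-PatchPosture | Format-List
```

Two caveats apply. First, this writes local policy; on a device enrolled in Intune or another MDM, the MDM Update policy takes precedence, so there the ring assignment belongs in the UEM console and this script is only useful to verify what landed on the device. Second, `Get-HotFix` lists servicing-stack and cumulative updates but not third-party application patches, so the posture object answers "is the OS current?" and should be combined with the third-party patching tool's own reporting.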
Use Third-Party Application Patching, DEX, and Automated Testing Tools
The accelerated frequency of third-party application updates increases the overhead of keeping pace while minimizing risk. This often necessitates third-party tools and services to monitor, package, and deploy these updates. Most third-party application patching tools integrate directly with UEM tools or can run stand-alone, and they include package testing and security scanning features that reduce, but do not eliminate, the need for testing. Consistent with the risk-based approach above, assess application complexity alongside business criticality to determine which applications can be patched automatically and which require additional testing.
Leveraging these tools and approaches can streamline the patching process, reduce manual effort, and enhance overall security and performance.
Author Bio: Craig Fisler, Director Analyst at Gartner