Device Patching and Security Updates
All IT-managed devices must comply with the CPP Baseline Workstation Standard (PDF) requiring all applicable security patches and software updates. Client device patching schedules and installation deferment options are based on device classification, operating system, and assigned role. "Patching" is the process of updating operating systems (Windows 10/11, Mac OS) and various client device applications such as Chrome, Firefox, and Acrobat. Some patches are minor while other patches may be considered a major upgrade to an operating system or application. Some patches provide feature enhancements while other patches address security vulnerabilities. Please refer to the patching information below for more detail.
Patching Schedules
Upon the review of newly released patches by the IT division, operating system and application updates are published to all faculty and staff Windows OS and Mac OS devices. Faculty and staff members should receive an alert prompting the device to apply a pending patch. Depending upon the type and severity of the patch, users are generally given some time to apply the patch. Please refer to information below for specific OS patching schedules and deferment times. Please note that IT strongly encourages users to apply all pending patches at their next available opportunity. Eventually, after a period of time and/or deferments, the operating system and application patches will be enforced and installed on the computing device. Therefore, to prevent the patching installation and possible reboot of your device at an inconvenient time, please install the pending patches as soon as possible.
Windows OS
OPERATING SYSTEM PATCHES: Under normal circumstances, Windows operating system patches are published to devices and made available for 7 days. During the 7-day time period, users will be alerted of the patch and given the option to apply the patch at their convenience. If the patch is not installed within the initial 7 days, the patch will automatically install at the conclusion of the 7 days. If, after the 7-day period, the automatically installed patch requires a reboot, the device will alert the user that the system will automatically restart in 90 minutes. To avoid the automatic 90-minute patching restart enforcement, it is recommended that patches be installed during the initial 7-day published period.
APPLICATION PATCHES: Most software application patches follow the same patching schedules and installation processes as operating system patches. Some software application patches and installation schedules are managed by the vendor and fall outside of normal campus patching schedules. For example, Office and Adobe products may prompt a user for application patches within the software itself. Device reboots are not typically required when installing application patches.
Mac OS
OPERATING SYSTEM PATCHES: Under normal circumstances, Mac operating system patches are published to devices and will alert users of a pending patch installation. Users may defer the installation of the operating system patch for up to 12 hours and as many times as needed for up to 7 days. If the patching alert message is ignored and no deferment option is selected, the operating system patch will automatically be installed after 12 hours. If the patch is continually deferred for up to 7 days, the patch will automatically install at the conclusion of the 7 days. If, after the 7-day deferment period, the automatically installed patch requires a reboot, the device will alert the user that the system will automatically restart in 90 minutes. To avoid the automatic 90-minute patching restart enforcement, it is recommended that patches be installed during the initial 7-day period.
APPLICATION PATCHES: Most software application patches are scheduled and released by the vendor. Users should be alerted each time an application needs to install a software patch. Under normal circumstances, after the application patch alerts the device, the application will install the patch after 4 hours. Device reboots are not typically required when installing application patches.
Maintenance Window
Faculty and staff device patches are typically configured to occur during after-hours periods. However, given various patching deferral options and the need for the device to be powered on for patching to complete, faculty and staff devices may apply the patch during, after, or just before normal business hours.
To minimize lab and classroom disruptions, major operating system and application patches are generally scheduled for installation during semester breaks if possible.
Windows OS
Upon the review of newly released patches by the IT division, Windows 10/11 lab computers are scheduled to receive operating system and application patches daily between 12am and 6am. Please contact IT if you have any questions about computer lab patching.
Mac OS
Upon the review of newly released patches by the IT division, Mac OS lab computers are scheduled to receive operating system patches daily between 12am and 6am. Although efforts have been made to apply application patches outside of the normal learning space hours, application patches may occasionally be installed outside of the maintenance hours, depending on patch severity and vendor release dates.
To minimize lab and classroom disruptions, major operating system and application patches are generally scheduled for installation during semester breaks if possible.
Windows OS
Upon the review of newly released patches by the IT division, Windows 10/11 classroom lectern computers are scheduled to receive operating system and application patches daily between 12am and 6am. Please contact IT if you have any questions about classroom computer patching.
Mac OS
Upon the review of newly released patches by the IT division, Mac OS classroom lectern computers are scheduled to receive operating system patches daily between 12am and 6am. Although efforts have been made to apply application patches outside of the normal learning space hours, application patches may occasionally be installed outside of the maintenance hours, depending on patch severity and vendor release dates.
Best Practices
Although faculty and staff devices are permitted to defer patching when prompted, it is strongly recommended that users apply the pending patches as soon as possible. Applying patches quickly maintains the security and operability of the device and prevents a forced patch installation at an inconvenient time after the deferment period ends.
- Allow pending patches to install as soon as possible
- Avoid continued patching deferments
- Reboot your device at least once a week
- Allow your device to remain powered on during off-hours for patching updates at least once a week
- Ensure your device battery is fully charged and/or connected to a power adapter when patching
Operating System & Software Patching Norms
In general, Windows OS releases operating system build updates with a maximum support length of 18 to 24 months. Therefore, IT must update the Windows OS builds every one to two years. Similar to Windows, Mac OS and iOS are generally supported by Apple for about 2 years. Apple only supports and patches the last two versions of the Mac OS. Therefore, IT must update the Mac OS version every one to two years. Unlike Windows, however, Mac OS also limits the Apple hardware that is allowed to install the last two Mac OS versions. Typically, a 6-year-old Apple device cannot be patched or upgraded to one of the last two supported Mac OS versions. Therefore, older Apple devices that cannot run a supported version of Mac OS must be decommissioned.