Freedom from Patch Management!


How long have you stayed up late night catching computers up on updates? How many times have you implored users to leave their computers on, only to be ignored? Dying in your beds, many years from now, would you be willing to trade all the days, from this day to that, for one chance – just one chance – to be free from chasing unpatched computers?

Solutions for Patch Management: No more chasing unpatched computers

Let me tell you about the biggest pain in patch management: Getting users to leave their computers on overnight. No matter how many times you ask, when it turns 5 o’clock, it’s lights out and they’re outta there! 

But what if there was a way to make it hurt a little if they don’t update their computers? What if through Conditional Access, they were blocked from accessing Office until they update? Wouldn’t that make everyone patch like their job depended on it? (Because, it kind of would!)

No more patch reports. No more begging. No more late nights. Oh, how the tables have turned!

A Boy Can Dream: Windows Compliance Policy

Windows 10/11 compliance policy in Microsoft Endpoint Manager offers a Minimum OS version setting that can enforce update compliance, but the version number has to be manually updated each month. If you’re an MSP with multiple clients, you’ll want a way to automate this.

(Screenshot: Windows 10/11 compliance policy, showing where to find the Minimum OS version setting)

You can also require Microsoft Defender for Endpoint’s risk score to be above a certain threshold, but there, again, Microsoft swings and misses. The risk score measures whether there were recent infections, not whether a device has unpatched vulnerabilities – that would be the exposure level in the next column of device inventory. Until Microsoft adds a check for exposure level, the only option left is to create a custom compliance policy.

(Screenshot: Windows 10/11 compliance policy, showing where to find the Microsoft Defender for Endpoint risk score)
(Screenshot: Windows 10/11 compliance policy, showing where to find the Microsoft Defender for Endpoint exposure level)

Custom Compliance Policy: Automating Patch Management

Custom compliance policy is a feature in preview, so let’s get the disclaimer out of the way that this is an unproven concept. If you’re the adventurous type, I invite you to come along with me on this journey. If not, check back in a few months to see if I still have my job.

Having said that…

The promise of custom compliance policy is that you can test for any condition you want, if you know your way around PowerShell. 

You can find a great post explaining how to set up a custom compliance policy here: https://www.petervanderwoude.nl/post/working-with-custom-compliance-settings/

Below is my script for testing whether a computer has a pending cumulative update:

  1. Script returns a count of pending updates with “cumulative” in the title. The computer fails compliance if the number is greater than 0.
  2. I added an IF statement to bypass the test one week following Patch Tuesday. This is to give users enough time to update their computers after a new update is released.

# Set $StrtMonth to the 1st day of the current month (midnight, local time)
[datetime]$Today = [datetime]::Now
[datetime]$StrtMonth = [datetime]::new($Today.Year, $Today.Month, 1)
# Keep adding 1 day until you reach the 1st Tuesday
while ($StrtMonth.DayOfWeek -ne 'Tuesday') { $StrtMonth = $StrtMonth.AddDays(1) }
# Calculate the second and third Tuesday of the month (Patch Tuesday is the second Tuesday)
$SecondTuesday = $StrtMonth.AddDays(7)
$ThirdTuesday  = $StrtMonth.AddDays(14)

if ($Today -lt $SecondTuesday -or $Today -ge $ThirdTuesday) {
    # Ask the Windows Update Agent for updates that are neither installed nor hidden
    $UpdateSession  = New-Object -ComObject Microsoft.Update.Session
    $UpdateSearcher = $UpdateSession.CreateUpdateSearcher()
    $Updates = @($UpdateSearcher.Search("IsHidden=0 and IsInstalled=0").Updates)
    # Count only the pending updates with "cumulative" in the title;
    # @() guarantees .Count is 0 or 1 rather than $null when few updates match
    $CumulativeUpdateCount = @{ "CumulativeUpdateCount" = @($Updates | Where-Object { $_.Title -like "*cumulative*" }).Count }
    # Return the result as compressed JSON, which is what custom compliance expects
    return $CumulativeUpdateCount | ConvertTo-Json -Compress
} else {
    # Bypass the test for 1 week following Patch Tuesday (second Tuesday up to the third Tuesday)
    $CumulativeUpdateCount = @{ "CumulativeUpdateCount" = 0 }
    return $CumulativeUpdateCount | ConvertTo-Json -Compress
}

Here’s the JSON for the custom compliance setting (the SettingName must match the key the script returns):

{
  "Rules": [
    {
      "SettingName": "CumulativeUpdateCount",
      "Operator": "IsEquals",
      "DataType": "Int64",
      "Operand": "0",
      "MoreInfoUrl": "https://yourdomain.com",
      "RemediationStrings": [
        {
          "Language": "en_US",
          "Title": "Please run Windows Update.",
          "Description": "Please make sure that Windows is up-to-date. Outdated computers will lose access to emails in 3 days. If you need assistance, please contact support."
        }
      ]
    }
  ]
}
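Before assigning the policy, it helps to dry-run the detection script and the rules JSON together on a test machine. The harness below is an added example (my code, not from the original post or from Microsoft): it runs the script, parses the JSON it returns, and evaluates each rule with the operators and data types Intune documents for custom compliance, so you can see whether a device would come back compliant. The two file names are assumptions.

```powershell
# Added example: dry-run an Intune custom compliance script against its rules JSON.
# Assumes the detection script above is saved as .\Get-CumulativeUpdateCount.ps1 and
# the rules as .\CumulativeUpdateRules.json (both file names are assumptions).
function Test-CustomComplianceRules {
    param(
        [Parameter(Mandatory)][string]$ScriptPath,
        [Parameter(Mandatory)][string]$RulesPath
    )
    # Run the detection script and parse the compressed JSON it returns
    $discovered = (& $ScriptPath) | ConvertFrom-Json
    $rules = (Get-Content -Raw -Path $RulesPath | ConvertFrom-Json).Rules

    foreach ($rule in $rules) {
        $actual = $discovered.($rule.SettingName)
        if ($null -eq $actual) {
            # A setting the script never reported can only evaluate as non-compliant
            [pscustomobject]@{ Setting = $rule.SettingName; Actual = '<missing>';
                               Rule = "$($rule.Operator) $($rule.Operand)"; Compliant = $false }
            continue
        }
        # Cast both sides to the rule's declared DataType before comparing
        switch ($rule.DataType) {
            'Int64'    { $a = [int64]$actual;    $o = [int64]$rule.Operand }
            'Double'   { $a = [double]$actual;   $o = [double]$rule.Operand }
            'Version'  { $a = [version]$actual;  $o = [version]$rule.Operand }
            'DateTime' { $a = [datetime]$actual; $o = [datetime]$rule.Operand }
            # Convert.ToBoolean handles both JSON true/false and the strings "true"/"false"
            'Boolean'  { $a = [System.Convert]::ToBoolean($actual); $o = [System.Convert]::ToBoolean($rule.Operand) }
            default    { $a = [string]$actual;   $o = [string]$rule.Operand }
        }
        $ok = switch ($rule.Operator) {
            'IsEquals'      { $a -eq $o }
            'NotEquals'     { $a -ne $o }
            'GreaterThan'   { $a -gt $o }
            'GreaterEquals' { $a -ge $o }
            'LessThan'      { $a -lt $o }
            'LessEquals'    { $a -le $o }
            default         { throw "Unknown operator '$($rule.Operator)' in rule $($rule.SettingName)" }
        }
        [pscustomobject]@{ Setting = $rule.SettingName; Actual = $a;
                           Rule = "$($rule.Operator) $($rule.Operand)"; Compliant = [bool]$ok }
    }
}

$results = Test-CustomComplianceRules -ScriptPath .\Get-CumulativeUpdateCount.ps1 -RulesPath .\CumulativeUpdateRules.json
$results | Format-Table -AutoSize
if ($results.Compliant -contains $false) { Write-Warning 'This device would be marked NOT compliant' }
else { Write-Host 'This device would be marked compliant' }
```

Run it during the Patch Tuesday bypass week as well as outside it, so you see both branches of the script produce JSON the rule can evaluate; the remediation strings are not checked here, only the rule logic.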

Don’t Forget: Conditional Access

Marking a computer not compliant doesn’t prevent access until you pair it with Conditional Access. It’s a good idea to test your Conditional Access policy in “Report-only” mode before deploying in production.

(Screenshot: Conditional Access policy granting access only to compliant desktops)

In Conclusion

I must admit, the idea of blocking access to unpatched computers to force users to update has been a bit of a personal crusade. Either this is a really good idea, or I’ll be run down by an angry mob. Time will tell.


In the meantime, read my last post, “Password Theft, MFA, and the Evolving Cleverness of Hackers”.
