
What is Patch Management?

Patch management is the process of identifying, testing and applying software updates, known as patches, that fix security vulnerabilities and bugs across an organisation's devices, servers and applications. Unpatched software is one of the most common ways attackers gain access to business systems, since vulnerabilities become public knowledge once a vendor releases a fix, making it straightforward for attackers to target systems that have not yet applied it.

How patch management works

A structured patch management process involves identifying available patches across all systems, assessing the severity and urgency of each one, testing patches where appropriate to avoid disrupting business operations, and deploying them according to a defined schedule. Tools such as Microsoft Intune can automate much of this process for managed devices, applying patches on a schedule and reporting on compliance across the device fleet.

Patch management in practice for UK businesses

  • An IT team uses Microsoft Intune to automatically deploy critical security patches to all company laptops within 48 hours of release, while less urgent updates follow a weekly schedule.
  • A business avoids a major ransomware outbreak that exploited a known vulnerability, because its patch management process had already applied the relevant fix before the attack reached the organisation.
  • An MSP monitors patch compliance across all client devices, flagging any that have fallen behind on critical updates for follow-up.
  • A company with legacy line-of-business software carefully tests patches in a staging environment before wider rollout, balancing security against the risk of breaking a critical application.
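The compliance check described in these examples can be sketched as follows. This is an added example, not Advantage's or Microsoft's code. It assumes a per-device patch export with hypothetical column names, and it reads the "weekly schedule" as a 7-day deadline.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# Deadlines per severity: 48 hours for critical, as in the example above.
# Treating the weekly schedule as a 7-day deadline is an assumption.
SLA = {"critical": timedelta(hours=48)}
DEFAULT_SLA = timedelta(days=7)

# Constructed sample export, one row per (device, patch). Column names are
# hypothetical, not the schema of any specific tool's report.
SAMPLE_EXPORT = """device,patch_id,severity,released_utc,installed_utc
LAPTOP-01,PATCH-A,critical,2024-05-14T17:00:00,2024-05-15T09:30:00
LAPTOP-02,PATCH-A,critical,2024-05-14T17:00:00,2024-05-17T08:00:00
LAPTOP-03,PATCH-A,critical,2024-05-14T17:00:00,
LAPTOP-03,PATCH-B,moderate,2024-05-14T17:00:00,
SRV-01,PATCH-C,moderate,2024-05-07T17:00:00,
"""

def _parse(ts):
    # Empty field means the patch has not been installed yet.
    return datetime.fromisoformat(ts).replace(tzinfo=timezone.utc) if ts else None

def audit(export_text, now):
    """Return (overdue, late): patches still missing past their deadline,
    and patches that were installed but only after the deadline."""
    overdue, late = [], []
    for row in csv.DictReader(io.StringIO(export_text)):
        released = _parse(row["released_utc"])
        installed = _parse(row["installed_utc"])
        deadline = released + SLA.get(row["severity"].strip().lower(), DEFAULT_SLA)
        key = (row["device"], row["patch_id"])
        if installed is None:
            if now > deadline:
                overdue.append(key + (now - deadline,))
        elif installed > deadline:
            late.append(key + (installed - deadline,))
    # Longest-overdue first, so follow-up starts with the worst exposure.
    overdue.sort(key=lambda r: r[2], reverse=True)
    return overdue, late

if __name__ == "__main__":
    now = datetime(2024, 5, 17, 12, 0, tzinfo=timezone.utc)
    overdue, late = audit(SAMPLE_EXPORT, now)
    for device, patch, by in overdue:
        print(f"OVERDUE {device} {patch} by {by}")
    for device, patch, by in late:
        print(f"LATE    {device} {patch} by {by}")
```

Separating "still missing" from "installed late" matters for reporting: the first list is current exposure needing follow-up, the second shows where the process missed its target even though the device is now patched.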

How Advantage manages patching for clients

Advantage manages patch deployment and compliance monitoring as a core part of its managed IT service, using Microsoft Intune and other tools to keep client devices and servers up to date without relying on manual, ad hoc updates.


Frequently asked questions

Why are unpatched systems considered a major security risk?

Software vendors regularly release patches to fix known security vulnerabilities. Once a patch is published, the vulnerability it fixes becomes public knowledge, making unpatched systems an easy and well-documented target for attackers. Many major cyber security incidents have exploited vulnerabilities for which a patch had been available for months.

How quickly should critical security patches be applied?

For critical security vulnerabilities, especially those being actively exploited, best practice is to apply patches within days rather than weeks. Less urgent patches can follow a more measured testing and rollout schedule, but a structured patch management process should define target timeframes based on severity.

Can patch management be fully automated?

Much of patch management can be automated through tools like Microsoft Intune or dedicated patch management software, which can deploy patches automatically on a defined schedule. However, testing and monitoring for issues after patches are applied still benefits from human oversight, particularly for critical business systems.