Updated: July 12, 2020 (December 15, 2003)
Critical Patch Process
Microsoft’s Corporate Security (CorpSecIT) and Global Client Software (GCS) groups work together to keep Microsoft’s client PCs up-to-date on critical patches. CorpSecIT monitors external sources (such as antivirus vendor sites) and Microsoft sources for security alerts and information about software vulnerabilities. The group also monitors Microsoft’s Windows Update site for the availability of patches. CorpSecIT determines the threat level of vulnerabilities and, for threats deemed critical, sets enforcement guidelines for patching clients (for example, the time given to clients to voluntarily install the patch) and notifies the GCS group.
When notified of a critical threat, the GCS group allows about 72 hours to test the corresponding patch, alert clients to the threat, and distribute the patch to them, using SMS 2003 to reach managed clients and e-mail to notify unmanaged clients (such as PCs managed in product development lab domains). Following patch distribution, GCS monitors patch installation compliance against the guidelines set forth by the CorpSecIT team. The compliance deadline is between zero and 14 days depending on the nature of the threat. When the deadline for voluntary patch installation has passed, GCS and CorpSecIT move to forcibly install the patch on managed client machines and remove noncomplying unmanaged clients from the corporate network.