CALS IT Patch Management Overview

Virginia Tech’s Minimum‑Security Standards require that all security patches be installed within 30 days of release.
CALS IT uses three management platforms to keep Windows, macOS, and iPadOS devices updated:

Platform	Applies Updates To
BigFix	Windows: OS & app updates macOS: App updates
Intune	Windows: OS & Microsoft 365/Office updates
Jamf	macOS: OS & app updates iPadOS: OS updates

Only operating system updates normally require a reboot, which makes them the most disruptive for users.  Note that some updates may need to be applied immediately if directed by the IT Security Office or if a vulnerability is actively being exploited.  If this occurs, CALS IT will attempt to send out notification prior to updating.

Windows Operating System Patching

As of November 2025, all newly deployed Windows computers are enrolled into Intune, while older systems will still use BigFix.
Each platform enforces updates on a different schedule.

Windows Patch Management via BigFix

Schedule

• Updates begin Sundays at 10:00 PM Eastern
• Reboot deferral: 6 hours
• If the device is offline at the scheduled time, the update is applied the next time it connects, and the reboot deferral prompt is shown.

Windows Patch Management via Intune

Intune enforces Microsoft updates on a rolling monthly cycle:

1. Microsoft releases updates:
   Second Tuesday of each month ("Patch Tuesday")
2. CALS devices receive updates:
   Seven days later (third Tuesday of the month)
3. Deadline to install & reboot:
   23 days from availability

User Experience

• Windows notification prompts appear starting 7 days before the deadline.
• Users can choose a convenient time to reboot.
• At the end of the deadline, the machine will reboot automatically.

How to Check if Your Device Is Enrolled in Intune

1. Open Start → Settings
2. Select Accounts → Access work or school
3. Look for:
   “Connected to Virginia Tech's Entra ID”

macOS Operating System Patching

Apple does not follow a predictable patch release schedule.
CALS IT enforces macOS updates using the following approach:

• Updates are scheduled for enforcement on Sundays at 10:00 PM, approximately 30 days after release.
• Users receive notifications through macOS's built‑in update prompts.
• Notifications include:
  • The deadline date
  • An option to install earlier
• After the deadline passes, the Mac will automatically reboot in 60 seconds to complete the update.
• If the device is offline at the enforcement time, the reboot occurs immediately at the next login.

Example

• Apple releases a patch on March 1, 2026
• CALS IT enforces installation on Sunday, March 29, 2026 at 10:00 PM