Explainer · 6 min · For Owners

The short version

Almost every successful attack on a small business uses a vulnerability that had a patch available before the attack. The attacker scanned for unpatched machines, found yours, and walked in through the open window. Patch management is the discipline of closing those windows before someone tries them — on a documented cadence, with evidence files an auditor or cyber-insurance carrier can verify.

What gets patched

  1. Operating systems — Windows, macOS, Linux servers. Microsoft Patch Tuesday is the second Tuesday of every month; Apple releases on its own cadence; Linux distributions stream patches continuously.
  2. Third-party applications — browsers (Chrome, Edge, Firefox, Safari), PDF readers (Adobe Acrobat, Foxit), Office (if not auto-updated), Zoom, Slack, every line-of-business app that has a release channel. This is where most of the real risk lives.
  3. Network and infrastructure firmware — firewall, switches, wireless access points, printers, NAS devices, IP cameras. Firmware patches close router-level exploits that bypass endpoint security entirely.
  4. Server software — SQL Server, IIS, file-server services, hypervisors, backup-system firmware.
  5. Mobile devices — iOS and Android security updates, app store updates on company-owned devices.

The audit-ready cadence

The standard small-business SLA most regulators and cyber-insurance carriers reference (the same windows are repeated in the FAQ below):

  Critical OS patches: within 14 days of release
  High severity: within 30 days
  Medium: within 60 days
  Low: when convenient
  Third-party application patches (browsers, PDF readers, Office): same cadence as the OS
  Firmware: quarterly, with documented testing

The cadence isn't the hard part. The hard part is the evidence: a deployment report that says, for every endpoint, what version it's on and when the last update was applied.

Ring deployment

Auto-applying a patch to every machine at once is fast but risky — a bad patch can break production line-of-business software across the fleet at the same time. The discipline is ring deployment:

  1. Ring 0 (pilot) — a few IT-owned or low-stakes machines get the patch first. Watch for 24–48 hours.
  2. Ring 1 (broad) — the rest of the fleet gets the patch in waves. Watch for failures.
  3. Ring 2 (servers and critical) — servers and clinical / financial line-of-business endpoints get the patch last, after Ring 0 and Ring 1 confirm no surprises.

Critical security patches sometimes collapse the rings (a known-exploited vulnerability gets pushed to everyone fast). Routine monthly updates use the full ring discipline.
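The gating logic behind the three rings, as an added example (not code from the page or from any RMM vendor): a ring opens only after the previous ring has soaked without failures, and a known-exploited vulnerability collapses the rings. The soak time, the failure cap and the names below are assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass, field

# Constructed example, not the page's or any RMM vendor's scheduler.
# Ring names follow the page; the soak time and failure cap are assumptions.
RINGS = ["ring0_pilot", "ring1_broad", "ring2_servers"]
SOAK_HOURS = 24          # page: watch Ring 0 for 24-48 hours before widening
MAX_FAILURE_RATE = 0.02  # assumed cap; above it, stop and roll back

@dataclass
class RingResult:
    started_hour: int     # hours since the patch was released (constructed clock)
    deployed: int = 0
    failed: int = 0

    def failure_rate(self) -> float:
        return self.failed / self.deployed if self.deployed else 0.0

@dataclass
class Rollout:
    patch_id: str
    known_exploited: bool = False   # page: these collapse the rings
    results: dict[str, RingResult] = field(default_factory=dict)

def rings_to_deploy(rollout: Rollout, now_hour: int) -> tuple[list[str], str]:
    """Rings that may receive the patch right now, with the reason.

    A known-exploited vulnerability opens every remaining ring at once.
    Otherwise a ring opens only after the previous ring has soaked for
    SOAK_HOURS with a failure rate at or under MAX_FAILURE_RATE.
    """
    pending = [r for r in RINGS if r not in rollout.results]
    if not pending:
        return [], "all rings deployed"
    if rollout.known_exploited:
        return pending, "known-exploited vulnerability: rings collapsed"
    ring = pending[0]
    idx = RINGS.index(ring)
    if idx == 0:
        return [ring], "pilot ring opens immediately"
    prev_name = RINGS[idx - 1]
    prev = rollout.results[prev_name]
    if prev.failure_rate() > MAX_FAILURE_RATE:
        return [], f"hold: {prev_name} failure rate {prev.failure_rate():.1%}; roll back"
    if now_hour - prev.started_hour < SOAK_HOURS:
        return [], f"hold: {prev_name} still soaking"
    return [ring], f"{prev_name} clean after {SOAK_HOURS}h soak"
```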

What an auditor or insurance underwriter asks for

  1. The patch-management policy document — cadence, ring structure, exception process.
  2. The deployment report from the last 90 days — coverage of every endpoint, percent patched within SLA.
  3. The exception log — machines that couldn't be patched on schedule and why.
  4. The reboot strategy — how patches that require a restart actually reach a restarted state on every device.
  5. The rollback evidence — what happened when a patch was rolled back.

If those five exist as exportable reports from the patch tool, the audit conversation is short. If they don't, the audit conversation gets long.
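How the deployment report and the exception log above are derived from the audit-ready cadence, as an added example (not the page's code or any patch tool's export format): each patch record is scored against its severity window, giving the percent patched within SLA and the list of late or overdue machines with their documented reason. Record fields, the sample rows and the placeholder patch ids are constructed assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import date
# Constructed example, not the page's or any RMM vendor's report format.
# Windows are the page's audit-ready cadence; "low" has no hard window.
SLA_DAYS = {"critical": 14, "high": 30, "medium": 60, "low": None}

@dataclass
class PatchRecord:
    host: str
    patch_id: str
    severity: str
    released: str          # ISO date the vendor published the patch
    installed: str | None  # ISO date it applied on this host, None if not yet
    note: str = ""         # why it was deferred (feeds the exception log)

def age_days(start: str, end: str) -> int:
    return (date.fromisoformat(end) - date.fromisoformat(start)).days

def classify(rec: PatchRecord, as_of: str) -> str:
    """'in_sla', 'late', 'open' (window still running) or 'overdue'."""
    window = SLA_DAYS[rec.severity]
    end = rec.installed or as_of
    within = window is None or age_days(rec.released, end) <= window
    if rec.installed is not None:
        return "in_sla" if within else "late"
    return "open" if within else "overdue"

def sla_report(records: list[PatchRecord], as_of: str) -> dict:
    """Percent patched within SLA (over records whose window has closed)
    plus the exception log: every late or overdue record and its reason."""
    counts = {"in_sla": 0, "late": 0, "open": 0, "overdue": 0}
    exceptions = []
    for rec in records:
        status = classify(rec, as_of)
        counts[status] += 1
        if status in ("late", "overdue"):  # no reason on file is itself a finding
            exceptions.append({"host": rec.host, "patch": rec.patch_id, "status": status,
                               "reason": rec.note or "UNDOCUMENTED"})
    closed = counts["in_sla"] + counts["late"] + counts["overdue"]
    pct = round(100 * counts["in_sla"] / closed, 1) if closed else 100.0
    return {"as_of": as_of, "counts": counts, "percent_within_sla": pct,
            "exceptions": exceptions}
# Constructed sample rows; patch ids are placeholders, not real KB numbers.
SAMPLE = [
    PatchRecord("acct-01", "KB-PLACEHOLDER-1", "critical", "2025-11-11", "2025-11-18"),
    PatchRecord("acct-02", "KB-PLACEHOLDER-1", "critical", "2025-11-11", "2025-12-02"),
    PatchRecord("lab-pc", "KB-PLACEHOLDER-1", "critical", "2025-11-11", None, "LOB vendor has not certified it"),
    PatchRecord("front-desk", "KB-PLACEHOLDER-2", "high", "2025-11-11", None),
]
```

Run `sla_report(SAMPLE, "2025-12-05")` to get the summary; an exception with reason `UNDOCUMENTED` is exactly the gap an auditor will ask about.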

Microsoft Update vs. a managed patch tool

Microsoft Update (Windows Update, Microsoft Update for Office) is the floor. It patches Windows and Microsoft apps. It does not patch Chrome, Adobe, Zoom, the LOB software, the firmware, or the printer. It does not produce per-device deployment reports across a fleet. It does not let you ring-deploy.

A managed patch tool (Datto RMM, Kaseya VSA, NinjaOne, ConnectWise Automate, or similar) deploys patches for Windows, macOS, Linux, and the hundreds of third-party applications that have a public release channel — on a defined ring schedule, with deployment reporting, exception tracking, and audit-ready evidence files. Cyber-insurance applications increasingly ask "do you have an enterprise patch management system in place?" The honest answer to that question requires the second tool.

The Windows 10 special case

Windows 10 reached end-of-support on October 14, 2025. Patches stopped flowing to the consumer channel; the Extended Security Updates (ESU) program exists as a paid bridge for specific endpoints that can't yet migrate. An unsupported OS in a HIPAA, PCI, or cyber-insured environment is an audit finding waiting to happen. See Windows 10 end-of-life: your migration timeline for the 90-day migration plan.

How a Micro-IT plan handles patching

Every Managed Endpoint device ships with Datto RMM-based patch management on the standard 14-day-critical, 30-day-high cadence, with documented ring deployment, monthly reporting, and an exception log. Third-party application patching covers the standard set (browsers, Adobe, Office, Zoom, etc.) plus any line-of-business software added at onboarding. Server patching gets a separate change-window-based cadence. Firmware on the Managed Site stack (Ubiquiti firewall, switches, wireless) is reviewed quarterly. See Managed Endpoint for the included features.

Frequently asked questions

What is patch management?
Patch management is the discipline of identifying, testing, and deploying software updates across every endpoint, server, and network device in an environment, on a documented cadence — and keeping the evidence that you did it. The scope covers the operating system, third-party applications (browsers, Adobe, Java, Office), firmware on network gear, and line-of-business software.
Why does patch management matter for small businesses?
Unpatched software is the most common entry point in small-business breaches. Most exploits used in real attacks are for vulnerabilities that had a patch available for weeks or months — the attacker is scanning for the patch gap. Closing it within the cyber-insurance carrier's target window (typically 14 days for critical OS patches) prevents almost all of those attacks.
How often should patches be applied?
The audit-ready cadence: critical OS patches within 14 days of release, high-severity within 30, medium within 60, low when convenient. Third-party app patches (browsers, PDF readers, Office) on the same cadence. Firmware on a quarterly cadence with documented testing. Most regulators and cyber-insurance carriers reference a 14- or 30-day SLA explicitly.
What's the risk of automatic patching without management?
Automatic patching is better than no patching, but unmanaged auto-patch can ship a bad update that breaks production line-of-business software. The discipline is: ring deployment (a few pilot devices first, then the broader fleet), monitoring for failure, and the ability to roll back. A managed patch system gives you the speed of auto-patch with the safety of a tested deployment.
What's the difference between Microsoft Update and a managed patch tool?
Microsoft Update handles Windows and Microsoft apps. A managed patch tool (RMM-based) handles those plus every third-party application, ships ring-deployment policies, provides per-device deployment reporting, and produces the audit-ready evidence files. Most cyber-insurance applications ask "do you have an enterprise patch management system in place?" — the honest answer needs the second tool.
