Windows Patching at Expedient


General guidelines for Windows Server patching at Expedient.

Patching is handled by Microsoft’s Configuration Manager. Any existing SCCM/Configuration Manager agent must be replaced with Expedient’s agent.

  • Systems must be managed by Expedient to participate in Expedient patching

  • Certificates are installed on managed servers for authentication to Expedient’s Management Points

    • Expedient’s CA issues the certificates

      • Trusted Root

      • Personal certificate

  • Expedient does not install all patches available from Microsoft; this is by design

Patch Maintenance Windows

The maintenance window for patching is visible from the Expedient support portal https://support.expedient.com/.

  • Resources > Assets; then select the asset

Maintenance Window – Start Time

Start times use 24-hour notation (aka “military time”) and follow the local clock on the server. Time zones therefore matter when coordinating patch windows across multiple servers.

Maintenance Window – Relative Day

“Relative” means relative to Microsoft’s Patch Tuesday release cycle; Patch Tuesday is the second Tuesday of the month.

  1. AFTER Patch Tuesday (Patch Tuesday is not included.)

  2. Expedient’s default and most desirable maintenance schedule as servers will patch and restart every month

  3. 1st, 2nd, and 3rd weeks after Patch Tuesday

    1. Relative weeks Start on Wednesday

    2. Relative weeks End on Tuesday

  4. Day of the week (Tues, Wed, Thurs… Mon)
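An added example (not Expedient's code or tooling) that works through the Relative Day rules and the local-clock start time described above: it computes Patch Tuesday, the calendar date of a relative week and day, and the UTC start of the same window on two servers. The function names, server names and fixed UTC offsets are assumptions made for illustration; real servers also follow daylight saving time.

```python
from datetime import date, datetime, time, timedelta, timezone

DAYS = ["Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun"]  # date.weekday() order


def patch_tuesday(year, month):
    """Second Tuesday of the month."""
    first = date(year, month, 1)
    first_tuesday = first + timedelta(days=(DAYS.index("Tue") - first.weekday()) % 7)
    return first_tuesday + timedelta(days=7)


def relative_day(year, month, week, day):
    """Calendar date of `day` in relative week 1-3 after Patch Tuesday.

    Relative weeks run Wednesday through Tuesday and Patch Tuesday itself is
    excluded, so week 1 covers Patch Tuesday +1 to +7 days.
    """
    if week not in (1, 2, 3):
        raise ValueError("relative week must be 1, 2 or 3")
    offset = (DAYS.index(day) - DAYS.index("Wed")) % 7 + 1  # Wed=1 ... Tue=7
    return patch_tuesday(year, month) + timedelta(days=offset + 7 * (week - 1))


def window_start_utc(day, start_hhmm, utc_offset_hours):
    """Convert a start time on the server's local clock to UTC.

    utc_offset_hours is a fixed offset (an assumption for this example).
    """
    local_tz = timezone(timedelta(hours=utc_offset_hours))
    local = datetime.combine(day, time.fromisoformat(start_hhmm), tzinfo=local_tz)
    return local.astimezone(timezone.utc)


if __name__ == "__main__":
    # Constructed scenario: two servers, both set to "1st week, Sun, 02:00".
    day = relative_day(2025, 1, 1, "Sun")
    print("Patch Tuesday:", patch_tuesday(2025, 1))
    print("Window date:  ", day)
    for name, offset in (("server-east", -5), ("server-west", -8)):
        print(name, window_start_utc(day, "02:00", offset).isoformat())
    # A 3rd-week Tuesday can land in the following calendar month.
    print("3rd week Tue: ", relative_day(2025, 1, 3, "Tue"))
```

With identical settings, the two constructed servers start three hours apart in absolute time, which is the coordination issue the Start Time section describes.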

Maintenance Window – Actual Day

“Actual” matches the monthly calendar.

  1. 1st, 2nd, 3rd, and 4th weeks

  2. Day of the week (Sun, Mon, Tues… Sat)

  3. Depending upon Patch Tuesday, systems may not always patch in a given month

Maintenance Window - Date

Date of the month (e.g. 15th, 25th)

  1. Limited up to the 28th of the month (due to February)

  2. Depending upon Patch Tuesday, systems may not always patch in a given month

Maintenance Windows – Manual

Patches are deployed by Expedient but installed by the client.

Patching failures for manual maintenance windows are not monitored.

  1. Manual process of installing patches and subsequent restart of the server

    1. Client team members can log in, then patch and restart at their leisure

  2. Expedient team members do not handle manual patching requests

  3. If special coordination is needed for patching, this would be the recommended method

Update Packages

Expedient offers several different packages (sets of patches) for client systems.

  • Special Requests – Must be available through Microsoft’s update channels.

    • Expedient may be able to accommodate software updates beyond those listed. Not all requests will be honored.

  • End of Life (EoL) software updates are not offered by Expedient. Expedient typically removes EoL software shortly after Microsoft marks software as EoL.

Update Packages - Default

All systems receive default update packages

Operating System Update Package

  1. Monthly security and critical updates only

  2. Cumulative update

  3. Windows Server 2016 only – the servicing stack update (SSU) is pushed early because the monthly OS security patches require it

.NET Framework and .NET Update Package

  1. Security and critical updates only

Update Packages - Optional

Optional Packages can be added upon request.

  • Troubleshooting patch issues for optional update packages is performed by the client

Microsoft Office Update Package

  1. Security and critical updates only

  2. O365 not available due to volume of released patches

Microsoft SQL Update Package

  1. Security and critical updates only

Malicious Software Removal Tool (MSRT) Update Package

  1. Results of scan will need to be handled by client

Client Responsibilities

There are a few requirements to be upheld by the client to be successful with Expedient patching.

Disk Space

Available Free Space

Windows OS patching needs 10+ GB of free space on C: (the system drive) at the time of the maintenance window.

  • Windows patches are compressed and will need to decompress prior to installation

  • This space is only consumed during the maintenance window, and is released back to the OS after patching is complete

Patch Cache

Packages are staged on systems prior to the maintenance window. These packages require some space on C: which will be permanently occupied.

  • Typically 2-3 GB, but could be significantly higher depending upon the Microsoft packages released and the patch packages requested

Conflicts with RMM Software

If clients want to retain their own RMM software, it is the client's responsibility to ensure that their RMM software does not interfere with Expedient’s SCCM agent. Please uninstall, block, or disable any OS patching configuration items in your RMM software to avoid conflicts.

N-able, Ninja RMM, and Datto RMM are just a few of the RMM products available.

Client Patching

Expedient does allow clients to perform their own patching. However, this does require a patching waiver. Please request a patching waiver from your account manager to halt Expedient patching.