What is a patch catalog?

A patch catalog is a repository of data associated with software patches. It provides a convenient place to store patching data for the primary operating system, as well as other OSes and applications used in the organization. Patch catalogs store metadata and related code about patches and, often, the patches themselves. Having a readily accessible source of current and new patches helps patch administrators and network security administrators prepare and test patches before placing them into production.

Why patch catalogs are important

Most major OS and application vendors release patches when they have updated the software to fix a bug, add new features or enhance security capabilities. Security patches are especially important, given the continuing threat of cyberattacks. Installing patches for cybersecurity software and systems -- e.g., firewalls and intrusion detection systems -- helps ensure that they are effective at detectingattack surfaces, preventing security vulnerabilities and blocking malware, phishing, ransomware, viruses and distributed denial-of-service attacks.

Patch management best practices include making sure patch catalogs are up to date, which ensures that system administrators have the most current data when they need to manage patches. Administrators should also keep an archive of previous patches for reference and possible reinstallation.

Online sources of patch catalogs

IT departments can create patch catalogs using features in the OS, or they can download software update catalogs released by the vendors themselves and by third-party firms that specialize inpatch management process support. Besides metadata and related code about available patches, the catalogs typically contain the code for the actual patches, calledpatchpayloads.

Examples

Microsoft Update Catalog

Microsoft Update Catalog is a centralized resource for managing software updates, drivers andhotfixes, i.e., quickly deployed bug fixes. It can be highly useful for IT administrators and system managers who need to deploy specific updates across their local and enterprise networks.

Key features include the following:

• Update listings. These contain Microsoft software updates, including security patches, feature enhancements and bug fixes.
• Search. Administrators can search for updates using keywords, size in kilobytes or specific terms related to the update.
• Custom deployment. Selected updates can be downloaded and installed on devices as needed.
• Domain deployment. Downloaded updates can be deployed to computers in a specific domain.

BMC Server Automation

BMC Server Automation provides a step-by-step process for setting up and managing an online patch catalog for Microsoft Windows patches.

Key features include the following:

• Patch catalog creation. This facilitates building a patch catalog optimized for specific requirements, e.g., Microsoft Windows 10 or 11.
• Online mode. This obtains patch metadata from the Ivanti (formerly Shavlik) online patch network for use byMicrosoft Configuration Manager.
• Filters. These help to deliver only the most relevant data to the catalog.
• Recurring schedule. This ensures that the latest patch information is available.
• Patch group listing. After the patch catalog is set up, the listing can be assigned a descriptive name based on specific factors, like "Windows Updates newer than 10 days," to help select the correct catalog.

Patch management systems, which automate much of the patch management process, can provide patching data for multiple OSes and applications. They also support creating patch catalogs for greater convenience in managing patches for a large number of systems.Patch management software platforms include Atera, Automox, GFI LanGuard, ITarian, Kaseya VSA, ManageEngine Patch Manager Plus, Microsoft Configuration Manager, NinjaOne Patch Management, SolarWinds Patch Manager and Syxsense.

How to set up a patch catalog

As noted earlier, most major OSes have functions for setting up patch catalogs, though each OS has slightly different steps for building a catalog. Third-party systems are also available that can set up a patch catalog and automate the patching process.

Preparatory steps and tips for setting up a patch catalog include the following:

• Establish a secure andair-gapped environment to test new patches.
• Consider having a proxy server available with access to the internet to use for downloading patches from different vendors.
• Determine which OS or third-party application will be used to set up the catalog.
• If you're not using the catalog creation features in the OS, consider downloading a utility that facilitates patching from third parties, such as the BMC Software TrueSight Server Automation Patch Catalog wizard.
• Load patch data into the catalog.
• Determine the filters that will ensure only relevant patches are listed.
• Prepare a patching schedule.
• Establish a process to test the patches before deploying them.

From a Microsoft perspective, several options are available for creating patch catalogs. Organizations running Windows Server Update Services (WSUS) and Configuration Manager can directly import patches into them. Once the patches have been entered, they can be managed the same as other patches for those systems.

Microsoft Update Catalog provides a current listing of available patches, with data on the patch, applicable systems and applications, and tutorials. Third-party patches can also be imported, which increases the variety of patches available for patch administrators.

Different types of patches can be synchronized with production servers using WSUS and Configuration Manager. They can include, for example, security updates, essential system updates, service packs and criticaldevice drivers. Patch catalogs also work with patching schedules, which indicate when specific patches should be installed.

The decision to establish patch catalogs, whether by using OS-based tools or third-party utilities, can be based on the frequency of patch installations and the specific operating requirements. For example, catalogs with security patches are likely to be high priority, as they help prevent cyberattacks. Patches such as OS and application updates that Microsoft provides on a monthly basis can be more easily managed using patch catalogs.

Apatch management policy is essential for maintaining an effective patch management process. It defines how patches are identified, tested, installed, validated and documented. It should include the option of creating patch catalogs for the primary OS and important applications.