In a system with several thousand servers running the Microsoft Windows operating system, installing software updates and repairs (patches) to the operating system running on each server can be an enormous task. However, installing the patches is necessary in order to maintain the security and integrity of the computing environment. The current options for managing such a task are: (1) send Information Technology (IT) personnel to each machine to perform the operating system updates; (2) open the operating system to auto-updates from the vendor, and then resolve issues that result from patches that cause problems for installed business applications; (3) establish an operating system update service such as Windows Server Update Service (WSUS) system to auto-update the servers, but still resolve the potential conflicts with business software; (4) use a central configuration manager such as System Center Configuration Manager (SCCM) to manage the WSUS content. This fourth option offers more control over when the patches are sent out. In fact, both options 3 and 4 offer more control over the operating system's update path, but the difficulty arises when it is necessary to make absolutely sure that every computer in the system has had the latest security update to prevent access by the latest known intrusion.
There is no method that can guarantee that all machines will have the latest software updates, since it is always possible for someone to insert a machine into the network, potentially infecting every operating system in the network. But if a good inventory of computers on the network is kept up to date, then it is possible to make sure that every machine in the inventory is properly maintained.