Control 2.10: Patch Management and System Updates

Overview

Control ID: 2.10
Control Name: Patch Management and System Updates
Regulatory Reference: GLBA 501(b), SOX 404, FINRA 4511, SEC 17a-4
Setup Time: 1-2 hours initial setup, ongoing monitoring

Purpose

This control establishes patch management and update procedures for AI agents and the underlying platform infrastructure in financial institutions. While Microsoft manages core platform updates for SaaS services (Power Platform, Microsoft 365), organizations remain responsible for monitoring platform changes, managing custom component updates, testing compatibility, and ensuring update documentation for audit purposes. This control defines processes to track Microsoft service updates, manage custom connector/component patches, and maintain change documentation for regulatory compliance.


Prerequisites

Primary Owner Admin Role: Power Platform Admin
Supporting Roles: None

Required Licenses

  • Microsoft 365 E3/E5 (for Service Health access)
  • Power Platform per-user or per-app licenses
  • Azure DevOps or equivalent for pipeline management

Required Permissions

  • Global Reader or Service Health Administrator (M365 Admin)
  • Power Platform Administrator (platform management)
  • Azure DevOps Project Administrator (if using Azure DevOps)

Dependencies

  • Control 2.3 (Change Management)
  • Control 2.4 (Business Continuity)
  • Control 2.5 (Testing and Validation)

Pre-Setup Checklist

  • [ ] Patch management policy approved
  • [ ] Notification recipients identified
  • [ ] Testing environments established
  • [ ] Rollback procedures documented

Governance Levels

Baseline (Level 1)

Stay current with Microsoft security patches; document patch schedule.

Automated patching for non-production; scheduled patching for production (minimal disruption).

Regulated/High-Risk (Level 4)

Patches applied within 30 days of release; critical patches within 7 days; all updates logged.


Setup & Configuration

Step 1: Configure Service Health Notifications

Microsoft 365 Admin Center:

  1. Navigate to admin.microsoft.com
  2. Go to Health → Service health
  3. Click Customize → Email
  4. Configure notifications:
     • Send email notifications: Enabled
     • Services: Power Platform, Microsoft 365, SharePoint, Teams
     • Event types: Incidents, Advisories, Planned Maintenance
     • Recipients: IT operations, AI governance team

Message Center Notifications:

  1. Go to Health → Message center
  2. Click Preferences
  3. Configure:
     • Email digest: Weekly
     • Major updates: Immediate notification
     • Data privacy updates: Immediate notification

Step 2: Monitor Power Platform Updates

Power Platform Admin Center:

  1. Navigate to admin.powerplatform.microsoft.com
  2. Go to Settings → Product updates
  3. Review:
     • Current version: Document baseline
     • Upcoming updates: Note scheduled changes
     • Release wave: Identify impacting features

Subscribe to Release Notes:

  1. Bookmark: https://learn.microsoft.com/en-us/power-platform/released-versions/
  2. Subscribe to Power Platform Blog: https://powerapps.microsoft.com/blog/
  3. Follow Microsoft 365 Roadmap: https://www.microsoft.com/microsoft-365/roadmap

Step 3: Create Patch Tracking System

Build SharePoint list to track all updates affecting agents.

Create SharePoint List: Patch Tracking Log

| Column            | Type            | Purpose                              |
|-------------------|-----------------|--------------------------------------|
| Update ID         | Text            | Microsoft KB or update ID            |
| Update Title      | Text            | Description of update                |
| Service           | Choice          | Power Platform, M365, Azure, Custom  |
| Severity          | Choice          | Critical, High, Medium, Low          |
| Release Date      | Date            | When update was released             |
| Target Apply Date | Date            | When to apply (based on severity)    |
| Actual Apply Date | Date            | When actually applied                |
| Environment       | Choice          | Dev, Test, UAT, Prod                 |
| Testing Status    | Choice          | Pending, In Progress, Passed, Failed |
| Applied By        | Person          | Who applied the update               |
| Notes             | Multi-line text | Testing results, issues              |
| Rollback Required | Yes/No          | Did update need rollback             |
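The list above can be provisioned from script rather than by hand, which keeps the column set identical across sites. The following is an added example written for this page, not part of the control document or its PowerShell section; it assumes the PnP.PowerShell module and uses a placeholder site URL that must be replaced.

```powershell
# Added example (not the control document's own script): create the Step 3
# "Patch Tracking Log" list with PnP PowerShell. $SiteUrl is a placeholder.
Import-Module PnP.PowerShell

$SiteUrl  = "https://contoso.sharepoint.com/sites/AIGovernance"   # placeholder, replace
$ListName = "Patch Tracking Log"

Connect-PnPOnline -Url $SiteUrl -Interactive

# Create the list only if it is missing so the script can be re-run safely
if (-not (Get-PnPList -Identity $ListName -ErrorAction SilentlyContinue)) {
    New-PnPList -Title $ListName -Template GenericList -OnQuickLaunch | Out-Null
}

# Column definitions mirror the Step 3 table; Type values are SharePoint field types
# (Text, Choice, DateTime, User, Note = multi-line text, Boolean = Yes/No)
$Columns = @(
    @{ Name='UpdateID';         Display='Update ID';         Type='Text' }
    @{ Name='Service';          Display='Service';           Type='Choice'; Choices='Power Platform','M365','Azure','Custom' }
    @{ Name='Severity';         Display='Severity';          Type='Choice'; Choices='Critical','High','Medium','Low' }
    @{ Name='ReleaseDate';      Display='Release Date';      Type='DateTime' }
    @{ Name='TargetApplyDate';  Display='Target Apply Date'; Type='DateTime' }
    @{ Name='ActualApplyDate';  Display='Actual Apply Date'; Type='DateTime' }
    @{ Name='Environment';      Display='Environment';       Type='Choice'; Choices='Dev','Test','UAT','Prod' }
    @{ Name='TestingStatus';    Display='Testing Status';    Type='Choice'; Choices='Pending','In Progress','Passed','Failed' }
    @{ Name='AppliedBy';        Display='Applied By';        Type='User' }
    @{ Name='Notes';            Display='Notes';             Type='Note' }
    @{ Name='RollbackRequired'; Display='Rollback Required'; Type='Boolean' }
)

foreach ($Col in $Columns) {
    # Skip columns that already exist so a second run does not throw
    if (Get-PnPField -List $ListName -Identity $Col.Name -ErrorAction SilentlyContinue) { continue }
    $Params = @{
        List = $ListName; DisplayName = $Col.Display; InternalName = $Col.Name
        Type = $Col.Type; AddToDefaultView = $true
    }
    if ($Col.Choices) { $Params.Choices = $Col.Choices }
    Add-PnPField @Params | Out-Null
}

# The list's built-in Title column serves as the "Update Title" column
Set-PnPField -List $ListName -Identity 'Title' -Values @{ Title = 'Update Title' }
```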

Step 4: Define Patch Application Schedule

Establish timeline requirements based on severity.

Patch Timeline Matrix:

| Severity | Description                            | Timeline (Tier 1/2) | Timeline (Tier 3) |
|----------|----------------------------------------|---------------------|-------------------|
| Critical | Security vulnerability, active exploit | 7 days              | 72 hours          |
| High     | Security patch, no known exploit       | 14 days             | 7 days            |
| Medium   | Feature update with breaking change    | 30 days             | 14 days           |
| Low      | Feature update, non-breaking           | 90 days             | 30 days           |
| Advisory | Information only, no action required   | Document only       | Document only     |
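The matrix becomes auditable once each Patch Tracking Log row is scored against it. The following is an added example written for this page (not part of the control's own script): the function names and the sample log rows are constructed, and the row shape follows the Step 3 list columns.

```powershell
# Added example, not part of the control document: score Patch Tracking Log rows
# against the Step 4 timeline matrix. Function names and sample rows are constructed.

# Timeline matrix from Step 4 (Tier 1/2 vs Tier 3); Advisory rows are document-only
$PatchTimeline = @{
    Critical = @{ Tier12 = [TimeSpan]::FromDays(7);  Tier3 = [TimeSpan]::FromHours(72) }
    High     = @{ Tier12 = [TimeSpan]::FromDays(14); Tier3 = [TimeSpan]::FromDays(7) }
    Medium   = @{ Tier12 = [TimeSpan]::FromDays(30); Tier3 = [TimeSpan]::FromDays(14) }
    Low      = @{ Tier12 = [TimeSpan]::FromDays(90); Tier3 = [TimeSpan]::FromDays(30) }
}

function Get-PatchTargetDate {
    param(
        [Parameter(Mandatory)][datetime]$ReleaseDate,
        [Parameter(Mandatory)][ValidateSet('Critical','High','Medium','Low','Advisory')][string]$Severity,
        [Parameter(Mandatory)][ValidateSet(1, 2, 3)][int]$Tier
    )
    if ($Severity -eq 'Advisory') { return $null }   # no apply deadline, document only
    $Column = if ($Tier -eq 3) { 'Tier3' } else { 'Tier12' }
    return $ReleaseDate + $PatchTimeline[$Severity][$Column]
}

function Test-PatchCompliance {
    param([Parameter(Mandatory)][object[]]$PatchLog, [datetime]$AsOf = (Get-Date))
    foreach ($Row in $PatchLog) {
        $Target = Get-PatchTargetDate -ReleaseDate $Row.ReleaseDate -Severity $Row.Severity -Tier $Row.Tier
        # Compliant = applied on or before target; AppliedLate = applied after it;
        # Overdue = not applied and target has passed; Pending = still inside the window
        $Status = if ($null -eq $Target) { 'DocumentOnly' }
                  elseif ($Row.ActualApplyDate -and $Row.ActualApplyDate -le $Target) { 'Compliant' }
                  elseif ($Row.ActualApplyDate) { 'AppliedLate' }
                  elseif ($AsOf -gt $Target) { 'Overdue' }
                  else { 'Pending' }
        [PSCustomObject]@{
            UpdateId = $Row.UpdateId; Severity = $Row.Severity; Tier = $Row.Tier
            TargetApplyDate = $Target; ActualApplyDate = $Row.ActualApplyDate; Status = $Status
        }
    }
}

# Constructed sample rows shaped like Patch Tracking Log entries
$SampleLog = @(
    [PSCustomObject]@{ UpdateId='UPD-001'; Severity='Critical'; Tier=3; ReleaseDate=[datetime]'2025-11-03'; ActualApplyDate=[datetime]'2025-11-05' }
    [PSCustomObject]@{ UpdateId='UPD-002'; Severity='Critical'; Tier=3; ReleaseDate=[datetime]'2025-11-10'; ActualApplyDate=[datetime]'2025-11-18' }
    [PSCustomObject]@{ UpdateId='UPD-003'; Severity='High';     Tier=1; ReleaseDate=[datetime]'2025-11-01'; ActualApplyDate=$null }
    [PSCustomObject]@{ UpdateId='UPD-004'; Severity='Low';      Tier=2; ReleaseDate=[datetime]'2025-11-20'; ActualApplyDate=$null }
    [PSCustomObject]@{ UpdateId='UPD-005'; Severity='Advisory'; Tier=3; ReleaseDate=[datetime]'2025-11-25'; ActualApplyDate=$null }
)

$Results = Test-PatchCompliance -PatchLog $SampleLog -AsOf ([datetime]'2025-12-01')
$Results | Format-Table -AutoSize

# Overdue and late rows are the audit exceptions that need CAB escalation
$Results | Where-Object { $_.Status -in 'Overdue', 'AppliedLate' } |
    Export-Csv "Patch_SLA_Exceptions_$(Get-Date -Format 'yyyyMMdd').csv" -NoTypeInformation
```

The same scoring applies to rows read back from the SharePoint list (for example via Get-PnPListItem) once the Tier for each environment is mapped in.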

Step 5: Configure Custom Component Update Process

For custom connectors, PCF controls, and plugins.

Custom Component Inventory:

  1. Navigate to Power Platform Admin Center
  2. Go to Solutions in each environment
  3. Document all custom components:
     • Custom connectors (version, owner)
     • PCF controls (version, dependencies)
     • Plugins/custom workflow activities
     • Power Automate custom actions

Update Process for Custom Components:

  1. Monitor dependencies (NuGet, npm packages)
  2. Schedule quarterly dependency reviews
  3. Test updates in Dev environment
  4. Promote through pipeline after validation
  5. Document all updates in patch log

Step 6: Implement Pre-Production Testing

Test all updates before production deployment.

Testing Workflow:

  1. Dev Environment: Apply update immediately on release
  2. Test Environment: Apply after 48 hours (initial bugs surface)
  3. UAT Environment: Apply after 7 days with user validation
  4. Production: Apply after UAT sign-off

Automated Testing Checklist:

  • [ ] Agent responds to baseline test scenarios
  • [ ] All connectors authenticate successfully
  • [ ] Performance within baseline thresholds
  • [ ] No new errors in error log
  • [ ] CSAT survey still functional

Step 7: Create Update Communication Plan

Notify stakeholders of upcoming and completed updates.

Communication Templates:

Pre-Update Notification (3 days before):

Subject: [Scheduled] Platform Update - [Environment] - [Date]

Team,

The following update will be applied to [Environment] on [Date]:

Update: [Title]
Service: [Power Platform/M365/etc.]
Expected Impact: [Description]
Downtime: [Expected duration or "None"]

Please complete any critical work before [maintenance window].

For questions, contact [IT Operations].

Post-Update Notification:

Subject: [Complete] Platform Update Applied - [Environment]

Team,

The following update has been applied to [Environment]:

Update: [Title]
Applied: [Date/Time]
Status: Successful / Successful with Notes / Rollback Required
Notes: [Any issues or observations]

If you experience issues, report to [IT Operations].

Step 8: Document Rollback Procedures

Ensure every update has a rollback plan.

Rollback Decision Matrix:

| Scenario                            | Action                       | Timeline         |
|-------------------------------------|------------------------------|------------------|
| Critical agent failure after update | Immediate rollback           | < 1 hour         |
| Performance degradation > 20%       | Rollback after investigation | < 4 hours        |
| Minor bugs, workaround available    | Monitor, schedule fix        | 24-48 hours      |
| Cosmetic issues only                | Document for vendor          | Next patch cycle |

Rollback Procedure:

  1. Document current state (error logs, symptoms)
  2. Notify stakeholders of rollback decision
  3. For solution updates: Import previous solution version
  4. For platform updates: Open Microsoft support case
  5. Validate rollback successful
  6. Post-incident review within 48 hours

PowerShell Configuration

# ============================================================
# Control 2.10: Patch Management and System Updates
# ============================================================

# Connect to required services
# Microsoft Graph: service health and message center (read-only scopes)
Connect-MgGraph -Scopes "ServiceHealth.Read.All", "ServiceMessage.Read.All"
# Power Platform admin module: Add-PowerAppsAccount is required before the
# Get-Admin* cmdlets below will return environments and connectors
Import-Module Microsoft.PowerApps.Administration.PowerShell
Add-PowerAppsAccount

# -------------------------------------------------------------
# Section 1: Retrieve Service Health Status
# -------------------------------------------------------------

Write-Host "Retrieving Microsoft 365 Service Health..." -ForegroundColor Cyan

# Get service health issues
$ServiceHealth = Get-MgServiceAnnouncementHealthOverview -All

Write-Host "Service Health Status:" -ForegroundColor Yellow
$ServiceHealth | ForEach-Object {
    $StatusColor = switch ($_.Status) {
        "ServiceOperational" { "Green" }
        "ServiceDegradation" { "Yellow" }
        "ServiceInterruption" { "Red" }
        default { "White" }
    }
    Write-Host "  $($_.Service): $($_.Status)" -ForegroundColor $StatusColor
}

# Get active issues
# @() guarantees an array so .Count is correct for zero or one result; -All pages past the default page size
$ActiveIssues = @(Get-MgServiceAnnouncementIssue -Filter "isResolved eq false" -All)

if ($ActiveIssues.Count -gt 0) {
    Write-Host "`nActive Service Issues:" -ForegroundColor Red
    $ActiveIssues | ForEach-Object {
        Write-Host "  [$($_.Classification)] $($_.Title)" -ForegroundColor Yellow
        Write-Host "    Service: $($_.Service)"
        Write-Host "    Start: $($_.StartDateTime)"
    }
} else {
    Write-Host "`n✅ No active service issues" -ForegroundColor Green
}

# -------------------------------------------------------------
# Section 2: Retrieve Message Center Updates
# -------------------------------------------------------------

Write-Host "`nRetrieving Message Center updates..." -ForegroundColor Cyan

# Get recent message center posts
$RecentMessages = Get-MgServiceAnnouncementMessage -Top 50 |
    Where-Object { $_.Services -contains "Power Platform" -or $_.Services -contains "Microsoft 365" }

$RelevantUpdates = $RecentMessages | Select-Object `
    Title,
    @{N="Category";E={$_.Category}},
    @{N="Severity";E={$_.Severity}},
    @{N="Published";E={$_.StartDateTime}},
    @{N="ActionRequired";E={$_.ActionRequiredByDateTime}},
    @{N="Services";E={$_.Services -join ", "}}

Write-Host "Recent Platform Updates:" -ForegroundColor Yellow
$RelevantUpdates | Format-Table -AutoSize

# Export to CSV
$RelevantUpdates | Export-Csv "MessageCenter_Updates_$(Get-Date -Format 'yyyyMMdd').csv" -NoTypeInformation

# -------------------------------------------------------------
# Section 3: Check Power Platform Environment Versions
# -------------------------------------------------------------

Write-Host "`nChecking Power Platform environment versions..." -ForegroundColor Cyan

$Environments = Get-AdminPowerAppEnvironment

$EnvVersions = foreach ($Env in $Environments) {
    [PSCustomObject]@{
        EnvironmentName = $Env.DisplayName
        Location = $Env.Location
        Type = $Env.EnvironmentType
        Created = $Env.CreatedTime
        # Note: Detailed version info requires Dataverse API
        Status = $Env.States.Management.Id
    }
}

$EnvVersions | Format-Table -AutoSize

# -------------------------------------------------------------
# Section 4: Identify Custom Components for Update Review
# -------------------------------------------------------------

Write-Host "`nIdentifying custom components requiring review..." -ForegroundColor Cyan

$CustomComponents = @()

foreach ($Env in $Environments) {
    # Get custom connectors
    $Connectors = Get-AdminPowerAppConnector -EnvironmentName $Env.EnvironmentName -ErrorAction SilentlyContinue |
        Where-Object { $_.ConnectorId -like "*shared_*" }

    foreach ($Connector in $Connectors) {
        $CustomComponents += [PSCustomObject]@{
            Environment = $Env.DisplayName
            ComponentType = "Custom Connector"
            Name = $Connector.DisplayName
            Id = $Connector.ConnectorId
            Created = $Connector.CreatedTime
            NeedsReview = $true
        }
    }
}

if ($CustomComponents.Count -gt 0) {
    Write-Host "Custom components identified for update review:" -ForegroundColor Yellow
    $CustomComponents | Format-Table -AutoSize
    $CustomComponents | Export-Csv "Custom_Components_$(Get-Date -Format 'yyyyMMdd').csv" -NoTypeInformation
} else {
    Write-Host "No custom components found" -ForegroundColor Green
}

# -------------------------------------------------------------
# Section 5: Generate Patch Compliance Report
# -------------------------------------------------------------

Write-Host "`nGenerating patch management compliance report..." -ForegroundColor Cyan

# Identify updates requiring action
$ActionRequired = @($RecentMessages | Where-Object {
    $null -ne $_.ActionRequiredByDateTime -and
    $_.ActionRequiredByDateTime -gt (Get-Date)
})

$PatchReport = @"
===============================================================================
PATCH MANAGEMENT COMPLIANCE REPORT
Generated: $(Get-Date -Format 'yyyy-MM-dd HH:mm:ss')
===============================================================================

SERVICE HEALTH SUMMARY
----------------------
Total Services Monitored: $($ServiceHealth.Count)
Operational: $(($ServiceHealth | Where-Object { $_.Status -eq "ServiceOperational" }).Count)
Degraded: $(($ServiceHealth | Where-Object { $_.Status -eq "ServiceDegradation" }).Count)
Interrupted: $(($ServiceHealth | Where-Object { $_.Status -eq "ServiceInterruption" }).Count)

MESSAGE CENTER UPDATES
----------------------
Recent Platform Updates: $($RelevantUpdates.Count)
Updates Requiring Action: $($ActionRequired.Count)

$(if ($ActionRequired.Count -gt 0) {
"UPDATES REQUIRING ACTION:
$(($ActionRequired | ForEach-Object { "- $($_.Title) (Due: $($_.ActionRequiredByDateTime))" }) -join "`n")
"
} else {
"✅ No updates currently requiring action"
})

CUSTOM COMPONENTS
-----------------
Total Custom Components: $($CustomComponents.Count)
Connectors: $(($CustomComponents | Where-Object { $_.ComponentType -eq "Custom Connector" }).Count)

POWER PLATFORM ENVIRONMENTS
---------------------------
$(($EnvVersions | ForEach-Object { "- $($_.EnvironmentName) ($($_.Type))" }) -join "`n")

COMPLIANCE STATUS
-----------------
[?] Service health notifications configured
[?] Message center notifications enabled
[?] Patch tracking SharePoint list created
[?] Testing workflow established
[?] Rollback procedures documented
[?] Communication templates ready

NEXT ACTIONS
------------
1. Review all updates requiring action above
2. Schedule testing for applicable updates
3. Update patch tracking log
4. Complete monthly patch compliance review

===============================================================================
"@

$PatchReport | Out-File "Patch_Compliance_Report_$(Get-Date -Format 'yyyyMMdd').txt"
Write-Host $PatchReport

# -------------------------------------------------------------
# Section 6: Create Patch Calendar Events
# -------------------------------------------------------------

Write-Host "`nPatch calendar events to create:" -ForegroundColor Cyan

$UpcomingPatches = @($ActionRequired | ForEach-Object {
    [PSCustomObject]@{
        Title = "Review: $($_.Title)"
        DueDate = $_.ActionRequiredByDateTime
        # Map Message Center severity (normal/high/critical) onto calendar priority
        Priority = switch ($_.Severity) {
            "Critical" { "Critical" }
            "High" { "High" }
            "Normal" { "Medium" }
            default { "Low" }
        }
        Services = $_.Services -join ", "
    }
})

if ($UpcomingPatches.Count -gt 0) {
    Write-Host "Add these to your patch management calendar:" -ForegroundColor Yellow
    $UpcomingPatches | Format-Table -AutoSize
} else {
    Write-Host "No upcoming patch deadlines" -ForegroundColor Green
}

Write-Host "`nPatch management review complete" -ForegroundColor Green

Financial Sector Considerations

Regulatory Alignment

| Regulation  | Patch Requirement                         | Control Implementation           |
|-------------|-------------------------------------------|----------------------------------|
| GLBA 501(b) | Protect against anticipated threats       | Timely security patches          |
| SOX 404     | IT general controls for financial systems | Documented patch process         |
| FINRA 4511  | Maintain systems and records              | Patch activity logging           |
| SEC 17a-4   | Preserve records and audit trail          | Patch decision documentation     |
| FFIEC CAT   | Vulnerability and patch management        | Risk-based patching timeline     |
| PCI DSS 6.2 | Install security patches within 30 days   | Critical patches within timeline |

Zone-Specific Configuration

| Zone                | Patch Timeline                | Testing Requirement     | Documentation            |
|---------------------|-------------------------------|-------------------------|--------------------------|
| Zone 1 - Personal   | Follow Microsoft auto-updates | None                    | Acknowledge only         |
| Zone 2 - Team       | 14-30 days based on severity  | Functional testing      | Change log entry         |
| Zone 3 - Enterprise | 7-14 days based on severity   | Full regression testing | CAB approval, full audit |

FSI Patch Considerations

Trading Hours Impact:

  • No patches during market hours (9:30 AM - 4:00 PM ET)
  • Weekend maintenance windows preferred
  • Holiday schedule awareness (exchange calendars)

Regulatory Reporting Systems:

  • Coordinate with reporting deadlines
  • Avoid patches during month-end close
  • Extra validation for calculation changes

Customer-Facing Systems:

  • Low-usage windows for customer portals
  • Communication to customers for planned maintenance
  • Rollback capability within SLA

Verification & Testing

Verification Steps

  1. Notification Configuration
     • Microsoft 365 Admin Center → Health → Service health → Email settings
     • Verify recipients configured
     • Confirm test email received

  2. Message Center Subscriptions
     • Check Message Center preferences
     • Verify Power Platform updates appearing
     • Confirm weekly digest received

  3. Patch Tracking Active
     • Review SharePoint patch log
     • Verify recent updates documented
     • Confirm responsible parties assigned

  4. Testing Workflow Functional
     • Recent patch applied to Dev first
     • Test results documented
     • Production deployment followed process

Compliance Checklist

  • [ ] Service Health email notifications enabled
  • [ ] Message Center preferences configured
  • [ ] Patch tracking SharePoint list created
  • [ ] Patch timeline matrix documented
  • [ ] Testing workflow defined
  • [ ] Rollback procedures documented
  • [ ] Communication templates created
  • [ ] Custom component inventory maintained
  • [ ] Monthly patch review scheduled

Troubleshooting & Validation

Issue: Not Receiving Service Health Notifications

Symptoms: No emails for platform issues

Solution:

  1. Check notification settings in M365 Admin Center
  2. Verify email addresses are valid
  3. Check spam/junk folders
  4. Confirm user has Global Reader role minimum
  5. Test with manual notification send

Issue: Platform Update Broke Agent Functionality

Symptoms: Agent fails after Microsoft update

Solution:

  1. Check Microsoft Service Health for known issues
  2. Review Message Center for breaking changes
  3. Test in lower environment to isolate issue
  4. Open Microsoft support case if platform issue
  5. Implement workaround while awaiting fix
  6. Document incident for future reference

Issue: Custom Connector Stops Working After Update

Symptoms: Connector authentication or calls fail

Solution:

  1. Check connector API provider for changes
  2. Review connector logs for error details
  3. Update connector definition if API changed
  4. Re-authenticate connection if tokens expired
  5. Test in isolation to identify root cause

Issue: Patch Testing Delayed Production Deployment

Symptoms: Security patch not applied within timeline

Solution:

  1. Expedite testing with focused scope
  2. Document risk and obtain approval for timeline extension
  3. Implement compensating controls if needed
  4. Escalate to CAB for priority decision
  5. Post-incident review of process improvement

Additional Resources

| Control                      | Relationship                    |
|------------------------------|---------------------------------|
| 2.3 - Change Management      | Patches follow change process   |
| 2.4 - BC/DR                  | Rollback part of DR             |
| 2.5 - Testing and Validation | Test before production          |
| 1.8 - Runtime Protection     | Security patches reduce threats |
| 3.1 - Agent Inventory        | Track agent versions            |

Support & Questions

For implementation support or questions about this control, contact:

  • AI Governance Lead (governance direction)
  • Compliance Officer (regulatory requirements)
  • Technical Implementation Team (platform setup)

Updated: Dec 2025
Version: v1.0 Beta (Dec 2025)
UI Verification Status: ❌ Needs verification