You're the patch manager. A critical zero-day (simulated) has been announced affecting your OS. This capstone provides a scenario: identify affected systems, test the patch in a safe environment, deploy it to canary hosts, and roll out to production—all within a tight timeline. You'll use WSUS or apt/dnf, deal with a failed patch, and document the entire process.
CVE-2025-12345: A remote code execution vulnerability in the kernel networking stack affects all Windows 10 and Ubuntu 22.04 systems. Your production fleet includes 50 Windows servers and 20 Ubuntu web servers. You have 72 hours to achieve 100% patch compliance. One of the test Windows VMs blue-screens after patching.
# On Windows, install a specific KB
wusa.exe C:\patches\windows10.0-kb5021234-x64.msu /quiet /norestart
# Check status
Get-HotFix -Id KB5021234After the blue-screen, you must roll back the patch (uninstall KB5021234), analyze the crash dump, and discover a driver incompatibility. You work around it by updating the driver first, then reapplying the patch. This simulates the real-world chaos of patch management.
💡 Always have a rollback plan: for Windows, the 'Uninstall' option in update history; for Linux, revert to the previous kernel via GRUB menu or 'apt purge linux-image-<version>'.
| Phase | Action | Time Allocated |
|---|---|---|
| Identification | Scan all systems for vulnerability | 2 hours |
| Testing | Apply patch to 5% canary; monitor for 4 hours | 6 hours |
| Deployment | Push to all remaining systems in waves | 48 hours |
| Verification | Scan for compliance, handle failures | Remaining time |
Submit a patch management report including: inventory of affected systems, testing results, the workaround for the driver issue, deployment schedule, and final compliance scan output. This exercise mimics a real-world emergency change.
⚠️ Patching without a rollback plan is reckless. Always have an uninstall path or snapshot before pushing.
Verify exercises to earn ★ 250 XP and unlock next lab level.