Mention the second Tuesday of every month to any IT professional who is responsible for Windows computers, and one thing consistently and instantly comes to mind: patches. Microsoft has been releasing its security updates on a regular monthly schedule for almost 12 years now, since introducing the “Patch Tuesday” concept in October of 2003.
Some months, the company releases only three or four security updates. Other months, we might have as many as 17. Along with the security updates, some of which are critical and others “merely” important, there are generally a number of non-security updates that are designed to improve performance and reliability, resolve bugs and even sometimes add new features. These are normally released on the same second-Tuesday cycle.
This bucket full of updates isn’t something that IT professionals particularly look forward to each month. Because I write the Patch Tuesday Roundup articles, I hear from many of you who say you dread this date. That dread has grown even sharper since the beginning of this year, when Microsoft stopped releasing the Advance Notification to the general public on the Thursday prior to Patch Tuesday.
Microsoft Premium customers still get the “sneak preview” information that briefly summarizes the number of updates and to which operating systems or applications they apply. The rest of us have to wait until Patch Tuesday itself before we know just how big of a job we’re looking at, so it’s more difficult to plan for that time we’ll need to spend on applying – and possibly troubleshooting – the patches.
Another reason to dread Patch Tuesday is the all-too-often undesirable results that occur when patches are installed. Numerous times this year, we’ve found ourselves spending that Wednesday rolling back patches that we rolled out on Tuesday, because they caused some sort of loss of functionality or crashes on our operating systems or applications. Sometimes the problems are so widespread and so severe that Microsoft revokes the patch(es) in question, and in fact the company has pulled a number of patches over the past year.
Much as we might hate Patch Tuesday, we’ve grown used to the routine and there is comfort in that familiarity. Now we’re hearing that – as with many other Microsoft traditions – the times, they are a’changing. At the company’s first annual Ignite conference (which was, itself, a big change, having replaced the TechEd event that the company had held annually for 22 years), it was revealed that when Windows 10 comes out, Microsoft is planning to change the update system. Instead of releasing a big chunk of updates all at once on a pre-set date every month, the company plans to make them available to users throughout the month as they’re ready.
How will this impact network admins and users? I can see both good and bad impacts resulting from such a change. The monthly patch release schedule was put in place for a reason: to make it easier for users and network admins to update their systems. This way, you can apply all the patches at once, reboot if necessary (and sadly, it usually is) and be done with it – assuming, of course, that all goes smoothly. There is less total downtime and interruption of productivity than if you had to stop and apply a new patch every few days.
It’s nice to have some predictability, so that you can plan in advance and warn users that systems may be undergoing reboots on a certain day, although some of that predictability disappeared with the removal of the Advance Notification.
There are several downsides to doing it this way, though. Zero Day exploits are becoming more and more common, as attackers take advantage of the gap between the time a vulnerability becomes known and the time updates are released to fix it. In extreme cases, Microsoft eschews the schedule and releases an “out of band” patch to address a critical Zero Day bug, since waiting a few weeks for Patch Tuesday to roll around could expose millions of computers to unnecessary risk.
Another problem with saving up a month’s worth of patches and throwing them all at us together is that it can make for some very long days (and nights) on a heavy patch day, when you have a large number of computers to update. Installing many updates at the same time also makes it more difficult to troubleshoot when something goes wrong, since you don’t know immediately which update might have caused it.
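When a batch of updates has to be narrowed down to the one that broke something, the first step is an accurate list of what actually went on that day. The following PowerShell script is an added example, not code from the original article or from Microsoft: it reads the Windows Update Agent’s own install history through the documented Microsoft.Update.Session COM object and prints every installation attempted in a window, with its KB number and result. It assumes an elevated PowerShell session on the affected machine; the two-day window is a constructed default.

```powershell
# Added example: list updates the Windows Update Agent installed in a window,
# so a rollback can be aimed at the right KB instead of all of Tuesday's batch.
# Assumes an elevated PowerShell session on Windows 7 / Server 2008 R2 or later.

$Since = (Get-Date).AddDays(-2)   # constructed default: "Tuesday's batch"
$Until = Get-Date

# The Windows Update Agent keeps its own history, independent of Get-HotFix,
# and it records failures and aborts as well as successful installs.
$session  = New-Object -ComObject 'Microsoft.Update.Session'
$searcher = $session.CreateUpdateSearcher()
$count    = $searcher.GetTotalHistoryCount()
$history  = $searcher.QueryHistory(0, $count)

# OperationResultCode values from the WUA API (2..5); anything else is 'Unknown'.
$resultNames = @{ 2 = 'Succeeded'; 3 = 'SucceededWithErrors'; 4 = 'Failed'; 5 = 'Aborted' }

$installs = foreach ($entry in $history) {
    # UpdateOperation: 1 = installation, 2 = uninstallation
    if ($entry.Operation -ne 1) { continue }
    if ($entry.Date -lt $Since -or $entry.Date -gt $Until) { continue }

    # The KB number is embedded in the title, e.g. "... (KB1234567)"
    $kb = ''
    if ($entry.Title -match 'KB(\d+)') { $kb = "KB$($Matches[1])" }

    $result = $resultNames[[int]$entry.ResultCode]
    if (-not $result) { $result = 'Unknown' }

    [pscustomobject]@{
        Date   = $entry.Date
        KB     = $kb
        Result = $result
        Title  = $entry.Title
    }
}

# Chronological order makes "what changed just before the failures began" obvious.
$installs | Sort-Object Date | Format-Table -AutoSize

# Once a single update is identified and the removal has been tested:
#   wusa.exe /uninstall /kb:<number> /quiet /norestart
```

Entries marked SucceededWithErrors or Failed are worth checking first, since a partially applied update is a common cause of the Wednesday-morning breakage described above.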
Nonetheless, not everybody is happy with the news that in the future, updates will be delivered as a “steady stream of innovation over time each month,” according to Microsoft’s vice president Terry Myerson. The company obviously anticipated this, and plans to offer options. Apparently, we will be able to select whether we want a “fast ring” or “slow ring” update cycle, although exactly what those terms mean hasn’t yet been defined.
Of course, many companies already apply patches on their own schedule, downloading and trying them out on non-production machines in a test environment before rolling them out to the production network. You can continue to do that; even if the updates are released daily, you can download them and then apply as many at once as you want. For many larger companies, then, this change might not have a significant impact.
In fact, the update process might just get easier. During the same week that it announced the impending end of Patch Tuesday, Microsoft also introduced a new service called Windows Update for Business for updating end-user devices in the business environment. This service is aimed at giving IT pros more flexibility: they can specify which devices are updated first, in “waves,” set maintenance windows – time frames within which updates should or should not happen – and use peer-to-peer delivery to distribute updates more efficiently to remote sites with limited bandwidth. Update for Business will integrate with System Center and Enterprise Mobility Suite.
Keeping our Windows systems updated will be a different process in the future from what it is today. For many of us, that’s not necessarily a bad thing.