Scheduled patch deliveries are so last decade—and thankfully, it looks like they’re over when it comes to Microsoft Patch Tuesday.

Microsoft this week at its Ignite event introduced its new security update scheme, called Windows Update for Business, which debuts in Windows 10 with several new features that help IT departments take better control of patch deployment and prioritization. For consumers and businesses not running Windows Pro or Windows Enterprise devices (where the service is free), the second-Tuesday-of-every-month procession of updates is over.

“We’re not going to be delivering all of these updates to all of these consumers on one day of the month,” said Terry Myerson, executive vice president of operating systems at Microsoft.

And with that declaration, Patch Tuesday’s 12-year run is essentially done. Companies that have structured all-hands-on-deck patch rollouts will now get patches—and new functionality features—as they’re available. Windows of exposure to attacks against unpatched vulnerabilities close a little tighter. The applause given to Myerson during his keynote at Ignite was likely echoed in server rooms worldwide.

For Windows Update for Business users, patch rollouts will look different. Distribution rings allow Windows admins to designate which machines get updates on a quicker cycle—think remote offices and workers. Admins can also designate maintenance windows for certain machines, and integrate the update mechanism into existing system management tools.
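The ring-and-maintenance-window model described above can be expressed on a single Windows 10 machine through the Windows Update for Business policy values. The script below is an added example, not code from the article or from Microsoft: it assigns a machine to one of three deferral rings and sets active hours so reboots land outside business hours. The registry value names (DeferQualityUpdatesPeriodInDays, DeferFeatureUpdatesPeriodInDays, SetActiveHours, ActiveHoursStart, ActiveHoursEnd) are the policy values Microsoft shipped in later Windows 10 builds, not the ones available at the time of this article; the ring names, day counts and hours are this example's own choices.

```powershell
# Added example (not from the article or Microsoft). Assumes Windows 10 with the
# Windows Update for Business policy values present; run from an elevated shell.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'

# Ring definitions are this example's own choices: a pilot group takes updates
# immediately, the bulk of the fleet lags a week, servers lag a month.
$Rings = @{
    Fast  = @{ QualityDays = 0;  FeatureDays = 0   }   # pilot / test group
    Broad = @{ QualityDays = 7;  FeatureDays = 60  }   # most workstations
    Slow  = @{ QualityDays = 30; FeatureDays = 180 }   # servers, kiosks
}

function Set-UpdateRing {
    param(
        [Parameter(Mandatory)][ValidateSet('Fast', 'Broad', 'Slow')][string]$Ring,
        # Active hours: Windows keeps update reboots outside this window
        [ValidateRange(0, 23)][int]$ActiveStart = 8,
        [ValidateRange(0, 23)][int]$ActiveEnd   = 18
    )
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    $r = $Rings[$Ring]
    $values = @{
        DeferQualityUpdates             = 1
        DeferQualityUpdatesPeriodInDays = $r.QualityDays
        DeferFeatureUpdates             = 1
        DeferFeatureUpdatesPeriodInDays = $r.FeatureDays
        SetActiveHours                  = 1
        ActiveHoursStart                = $ActiveStart
        ActiveHoursEnd                  = $ActiveEnd
    }
    foreach ($name in $values.Keys) {
        New-ItemProperty -Path $PolicyKey -Name $name -Value $values[$name] `
            -PropertyType DWord -Force | Out-Null
    }
}

function Get-UpdateRingStatus {
    # Read the configured deferrals back so ring membership can be audited
    Get-ItemProperty -Path $PolicyKey -ErrorAction SilentlyContinue |
        Select-Object DeferQualityUpdatesPeriodInDays, DeferFeatureUpdatesPeriodInDays,
                      ActiveHoursStart, ActiveHoursEnd
}

# Usage: Set-UpdateRing -Ring Broad -ActiveStart 7 -ActiveEnd 19; Get-UpdateRingStatus
```

In a fleet the same values would normally be pushed by Group Policy or an MDM profile rather than set per machine; the point of the example is that a "ring" is just a deferral period, and a "maintenance window" is just the complement of active hours, so both can be checked and audited from the registry.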

“Consumers will want to be on one of the faster-moving tiers. They may not want to be part of the ‘ludicrous’ tier, but these users will want faster adoption of new features and user experience changes,” said Chris Goettl of Shavlik, a longtime patch management firm. “With this change, businesses will actually be able to take advantage of all tiers. An IT organization with a desire to vet out new updates before they reach the bulk of their user base can put a test group on the ‘ludicrous’ tier. That way they can get a feel for the changes coming, the stability of those changes and potentially block any of those updates that have a negative effect.”

Microsoft said it will offer what it’s calling Long Term Servicing Branches, which offer only security updates to machines on that tier, similar to Patch Tuesday updates as currently structured.

“With these changes, the power of Patch Tuesday will diminish rapidly,” Goettl said.

It’s no secret Microsoft has had an interesting few months with regard to patching. First there was an internal restructuring under new CEO Satya Nadella that resulted in 2,100 layoffs and the integration of the Trustworthy Computing group into Microsoft’s enterprise and cloud computing organizations. In the months since the September 2014 shakeup, patch quality has been an issue, with a couple of important fixes pulled back and other publicly disclosed and exploited vulnerabilities sitting unpatched for a nerve-racking period of time. Not to mention Microsoft’s decision to discontinue Advanced Notification of patches on the Thursday prior to Patch Tuesday, leaving it available only to premier support customers.

Now that the dust has settled in Redmond, it’s clear that the plan was to give Patch Tuesday a facelift. For consumers who are indifferent about security updates, this assures a fleet of devices running at current patch levels on a timely basis. For businesses, more choice and control is always welcome.

“Some people want the software right after it finishes our testing,” Microsoft’s Myerson said. “They don’t want to wait a second. Then we have people step back and say they’ll wait until we work out the kinks and make sure there are no compatibility issues, no functionality issues. Great, we let the user choose. With this, we have confidence that we have the highest quality patches, testing them with an incredibly broad population.”

Slow-moving enterprises, meanwhile, are likely to stick to their current change and configuration management processes for the time being. Some companies just cannot afford the downtime and reliability issues caused by a patch breaking other applications, or updates requiring a reboot to take effect during business hours.

“Imagine the referential integrity issues with some machines accepting patches and others not based on reboots, when services can be restarted, or even if they are offline,” said Morey Haber, vice president of technology at Beyond Trust. “Businesses would no longer have a controlled baseline to measure against when patches are being streamed versus a firm bulk release by date.”

However, with the speed at which vulnerabilities are being found by white and black hats—and disclosed—organizations can no longer afford to sit tight for three to four weeks, or months waiting for a patch. The speed at which attacks are folded into exploit kits should give pause to any critic of automatic rollouts.

“Large enterprises are always slower moving to the adoption of new concepts and risk, especially with IT. The argument for the other side is what if I could cut a third of my patching costs if I don’t have to patch all the time?” Andrew Storms, VP of security services at New Context, told Threatpost in February. “If I were a CIO, I would be drooling.”

Microsoft would not answer questions for this article, and instead provided this statement: “Windows Update for Business can take responsibility for the timely distribution of security updates for customers for free. Customers that choose to distribute updates themselves will continue to receive the updates on the second Tuesday of the month.”

This article was updated to include a comment from Microsoft.

Comments (2)

  1. Dennis Aston

    Considering that it takes Microsoft 2 to 4 weeks to own up to an issue with a patch (let alone pull it) I fail to see what this actually buys me. I don’t trust them to get it right the first time, their track record keeps me from doing that. They’ve earned it.
    So, basically I am in the “every 4 week tier” anyways so there is no change.

  2. Jason Walker

    I see this as a very bad move for large businesses. Patch Tuesday came about as a response to customer complaints about not having a predictable update schedule. What’s changed in that regard? Nothing at all except perhaps Microsoft has lost some of that historical knowledge.
    With this change, enterprises are going to need to have staff on call constantly to evaluate new patches and discussing risks is going to be much more problematic.

    – “We need to get last week’s patch out Now”
    – “The one for Expression? I didn’t think we even used that?”
    – “No, that’s last week’s Wednesday patch. I mean last week’s Thursday patch for IIS.”
    – “Aargh, I can never keep them straight. So our requirement is to test all patches and deploy within 5 business days right? Where are we on that?”

    – “Well, Johnson has incorporated last Tuesday’s patches into our 5 content baselines, provisioned 20 VMs to test, and we’ll be ready to deploy on Saturday. Jenkins is testing Wednesday’s patch on another set of machines and it has a problem so we’ll have to exception that one. Hayes was working in the baseline that included the Tuesday, Wednesday, and Thursday patches to deploy for next Friday, but based on Jenkins’ finding he has to start over, minus the Wednesday patch.”

    – “Good grief, this is so much to keep straight. Why can’t they just put out all the patches at one time?”

    – “Well, they used to do that sir, but then they stopped. They say it gives us more control over the schedule.”

    – “Great. I feel much more in control now. Can we just keep to a once-a-month schedule internally?”

    – “Well, we could, but once Microsoft publishes a patch, that patch is reverse-engineered and within a few hours every script kiddie on the Internet has a working exploit.”

    – “Awesome.”