Patch Tuesday Facelift End of an Era

Microsoft’s introduction of Windows Update for Business puts an end to Patch Tuesday security updates as we know them.

Scheduled patch deliveries are so last decade—and thankfully, it looks like they’re over when it comes to Microsoft Patch Tuesday.

Microsoft this week at its Ignite event introduced its new security update scheme called Windows Update for Business, which debuts in Windows 10 with several new features that help IT departments take better control of patch deployments and prioritization. For consumers and businesses not running Windows Pro or Windows Enterprise devices where the service is free, the second-Tuesday-of-every-month procession of updates is over.

“We’re not going to be delivering all of these updates to all of these consumers on one day of the month,” said Terry Myerson, executive vice president of operating systems at Microsoft.

And with that declaration, Patch Tuesday’s 12-year run is essentially done. Companies that have structured all-hands-on-deck patch rollouts will now get patches—and new functionality features—as they’re available. Windows of exposure to attacks against unpatched vulnerabilities close a little tighter. The applause given to Myerson during his keynote at Ignite was likely echoed in server rooms worldwide.

For Windows Update for Business users, patch rollouts will look different. Distribution rings allow Windows admins to designate which machines get updates on a quicker cycle—think remote offices and workers. Admins can also designate maintenance windows for certain machines, and integrate the update mechanism into existing system management tools.

“Consumers will want to be on one of the faster-moving tiers. They may not want to be part of the ‘ludicrous’ tier, but these users will want faster adoption of new features and user experience changes,” said Chris Goettl of Shavlik, a longtime patch management firm. “With this change, businesses will actually be able to take advantage of all tiers. An IT organization with a desire to vet out new updates before they reach the bulk of their user base can put a test group on the ‘ludicrous’ tier. That way they can get a feel for the changes coming, the stability of those changes and potentially block any of those updates that have a negative effect.”

Microsoft said it will offer what it’s calling Long Term Servicing Branches, which offer only security updates to machines on that tier, similar to Patch Tuesday updates as currently structured.

“With these changes, the power of Patch Tuesday will diminish rapidly,” Goettl said.

It’s no secret Microsoft has had an interesting few months with regard to patching. First there was an internal restructuring under new CEO Satya Nadella that resulted in 2,100 layoffs and the integration of the Trustworthy Computing group into Microsoft’s enterprise and cloud computing organizations. In the subsequent months since the September 2014 shakeup, patch quality has been an issue with a couple of important fixes pulled back, and other publicly disclosed and exploited vulnerabilities sitting unpatched for a nerve-racking period of time. And not to mention, Microsoft’s decision to discontinue Advanced Notification of patches on the Thursday prior to Patch Tuesday, leaving it available only to premier support customers.

Now that the dust has settled in Redmond, it’s clear that the plan was to give Patch Tuesday a facelift. For consumers who are indifferent about security updates, this assures a fleet of devices running at current patch levels on a timely basis. For businesses, more choice and control is always welcome.

“Some people want the software right after it finishes our testing,” Microsoft’s Myerson said. “They don’t want to wait a second. Then we have people step back and say they’ll wait until we work out the kinks make sure there are no compatibility issues, no functionality issues. Great, we let the user choose. With this, we have confidence that we have the highest quality patches testing them with an incredibly broad population.”

Slow-moving enterprises, meanwhile, are likely to stick to their current change and configuration management processes for the time being. Some companies just cannot afford the downtime and reliability issues caused by a patch breaking other applications, or updates requiring a reboot to take affect during business hours.

“Imagine the referential integrity issues with some machines accepting patches and others not based on reboots, when services can be restarted, or even if they are offline,” said Morey Haber, vice president of technology at Beyond Trust. “Businesses would no longer have a controlled baseline to measure against when patches are being streamed versus a firm bulk release by date.”

However, with the speed at which vulnerabilities are being found by white and black hats—and disclosed—organizations can no longer afford to sit tight for three to four weeks, or months waiting for a patch. The speed at which attacks are folded into exploit kits should give pause to any critic of automatic rollouts.

“Large enterprises are always slower moving to the adoption of new concepts and risk, especially with IT. The argument for the other side is what if I could cut a third of my patching costs if I don’t have to patch all the time?” Andrew Storms, VP of security services at New Context, told Threatpost in February. “If I were a CIO, I would be drooling.”

Microsoft would not answer questions for this article, instead provided this statement: “Windows Update for Business can take responsibility for the timely distribution of security updates for customers for free. Customers that choose to distribute updates themselves will continue to receive the updates on the second Tuesday of the month.”

This article was updated to include a comment from Microsoft.

Suggested articles

biggest headlines 2020

The 5 Most-Wanted Threatpost Stories of 2020

A look back at what was hot with readers — offering a snapshot of the security stories that were most top-of-mind for security professionals and consumers throughout the year.