With Windows 10, Microsoft is ending its longstanding approach to patching. For most users, updates will now be...
automatically downloaded and installed. This poses a dilemma for business customers on how to delay installation of Windows 10 patches until they've been properly vetted.
Patching buggy or vulnerable software is essential to maintaining system security, yet enterprises need to control the upgrade process. A Windows 10 patch may remove a critical system vulnerability, but at the same time, render a legacy application inoperable; some updates may bring new vulnerabilities themselves.
"Updates. The software periodically checks for system and app updates, and downloads and installs them for you. You may obtain updates only from Microsoft or authorized sources, and Microsoft may need to update your system to provide you with those updates. By accepting this agreement, you agree to receive these types of automatic updates without any additional notice."
Two provisions of this new update policy jump out. First, what does "You may obtain updates only from Microsoft or authorized sources" mean? Does it mean, for example, that downloading a utility that prevents Microsoft Update from installing updates and new apps automatically -- many of which may emerge in the next year -- is a violation of the licensing terms?
And second, what will happen if a buggy Windows 10 update takes down a customer's PC for an extended time or conflicts with a critical custom application? The EULA gives Microsoft a pass on legal claims for "any damages" but business users will need to consider how to manage liability in the event of damages that result from a Windows update.
Windows 10 patching security issues
Simultaneous with the new Windows 10 patching protocol, Microsoft has told customers it will no longer deliver full details about patches it provides. As a consequence, customers may be unable to distinguish between a security and an update issue.
For example: Is a blue screen or a startup loop the result of a malware attack or of an official Windows 10 patch -- responsible for such problems during the Windows 10 Insider program? Is erasure of Word's default Normal.dot template, in which many organizations store macros, default configurations and other parameters, a virus or a Microsoft patch gone awry? Should problems with using or installing applications in Windows 10 be blamed on hackers or on Microsoft's software updates?
Some enterprises need complete control over every element of the Windows OS because their PCs are connected to special equipment or software that must be certified as providing performance, stability and features that a manufacturer or a regulatory agency like the Food and Drug Administration will approve. Even a benign change -- an updated DLL, for example -- may require a costly recertification exercise.
Given the experience of many Windows 10 early adopters, problems like startup loops or blue screens show that not every Windows 10 update is benign. A flawed update could put many employees on paid furlough for hours or force upgrades or recoding of other applications, though those risks must be balanced against the risks that result from running unpatched software, which may have its own vulnerabilities.
Windows update in the enterprise
With Windows 8.1 and earlier versions, customers can control which updates are applied. They have the option to automatically install all updates; download updates, but not install them automatically; or get no updates unless they run Windows Update and download them selectively.
The most common practice in enterprises is to turn off automatic updating of any kind and to set up an internal Windows Server Update Services server that collects all Microsoft updates. The organization's IT staff then reviews and tests all updates before rolling any out to their PCs.
Many enterprises don't permit automatic updates because they have thousands of applications -- many of which are very specialized or custom-built -- that a bad patch or update can crash.
Windows 10 Update Servicing Branches
Microsoft's new upgrade model offers three servicing branches for Windows 10 updates. The default, "Current Branch" or "Consumer Update," is the only option for PCs using the consumer version of Windows 10. Microsoft will update the operating system and any Microsoft applications on it, if and when it wants, without notification.
Microsoft offers enterprise, business and education edition customers more choice for patch management. The Current Branch for Business, available for business and education editions of Windows, allows organizations to delay OS upgrades for up to eight months, giving them time for testing, but ultimately the upgrades will be installed. The primary virtue of this approach is that if Microsoft releases a bad Windows 10 patch, the company can pull, or patch, the patch and release a reliable version before the customer must install it.
The Long Term Servicing Branch (LTSB) gives customers the ability to suspend all updates, but it is available only with Windows Enterprise edition and requires the purchase of Software Assurance -- priced from $30 to $50 per PC per year, depending on volume discounts.
Windows 10 patching security options and strategies
Since Windows 10 has mandatory patches, some organizations may prefer to stay with Windows 7 until they can upgrade legacy applications to be compatible with Windows 10. Microsoft will continue to provide free security patches for Windows 7 through January 14, 2020, and customers can expect patches for a given vulnerability to be rolled out simultaneously for Windows 7, 8 and 10 until that time.
Because Windows 10 could break legacy applications without notice, business and enterprise customers will want to use the Current Branch for Business to stall updates from Microsoft for up to eight months. In some cases they may want to avoid Windows 10 entirely in favor of a Windows 7 image, which they have more control over.
Even then, customers unwilling to pay Microsoft a premium for the LTSB have no guarantee that any custom or third-party applications are safe from breaking under a Microsoft update or patch. The best solution for many organizations is to trend away from applications with OS dependencies. The vast majority of new enterprise applications are written to be run on servers and accessed via a Web browser. This allows an application to be written once and be accessed from a multitude of devices and OSes, undisturbed by surprise alterations to device operating systems.
Organizations that permit BYOD to be upgraded at will while using the LTSB on enterprise-owned devices will still have to deal with a heterogeneous OS environment. In general, this is the rule in the enterprise, since no enterprise can cut over all of its PCs to a new OS in less than a few months. Global enterprises may take more than a year to migrate, and even then most continue to run every flavor of Windows, from Windows XP to Windows 10, on at least some of their computers.
It is possible that the reduction in choice over installing patches could stall Windows 10 updates among enterprise customers who find the risks real and are prepared to stick with Windows 7 as long as possible. The hope is that Microsoft will back away from an upgrade policy that could have unexpected consequences.
Find out more about whether your business should upgrade to Windows 10.
Learn more about how Windows Update for Business works.
Take this test to find out how well you know Windows security features.