Microsoft will shake up its long-standing patching process next month, replacing its monthly Patch Tuesday security bulletins (also known as Update Tuesday) with a new database and all-encompassing automatic updates.
For many businesses, the question is how to integrate the new process into their own operations. This article aims to answer that question and set companies on the right course.
A result of customer feedback
Some welcome the change because automatic updates will make things more seamless for users. They see Microsoft catching up to Google, whose auto update process is practically invisible to those who fire up Chrome each day.
Microsoft says the change is a direct result of customer feedback. “Our customers have asked for better access to update information, as well as easier ways to customize their view to serve a diverse set of needs,” a member of the Microsoft Security Response Center wrote in a post to explain the switch from bulletins to database.
In the FAQ about the database, the software giant said: "By February, information provided in the new Security Updates Guide will be on par with the set of details available in traditional security bulletin webpages."
But for many enterprises, the change will be jarring after almost 20 years of a Patch Tuesday system they'd built their processes around.
IT shops will lose the ability to deploy some patches while holding back others for network compatibility checks and tweaks. And as any IT admin will tell you, one of their biggest headaches usually comes in the form of a bad patch that breaks other parts of the network.
Reservations aside, companies of all shapes and sizes will have to learn to live with the new system, said Katie Moussouris, CEO, founder and president of Luta Security and a former senior security strategist at Microsoft who drove the creation of the company’s bug bounty program.
Overall, the right direction
As disconcerting as the new process might feel to some, Moussouris thinks Microsoft is doing the right thing.
Overall, they are on the right course with auto updates in the cloud. They need the browser – the gateway to their services – to be as secure as possible. They’re going closer in the Google direction.
But while the change should make things easier for consumers, it does present limitations for business – namely the loss of control enterprises have had in deciding which patches to deploy first and which ones to hold for compatibility testing.
What to expect
To get a sense of direction, IT shops should have a thorough read of the Security Updates Guide dashboard and API: Frequently Asked Questions article on Microsoft's TechNet site.
Microsoft told Naked Security:
This new site gives our customers a more relevant and customized experience. It will be the single location for information about our updates from January 2017 onwards.
Questions the FAQ addresses include:
- Why the security bulletin ID number (e.g. MS16-XXX) is not included in the new Security Updates Guide
- How soon the Security Updates Guide will replace traditional security bulletins
- How to use the new guide’s dashboard model to group related updates
Another question is whether companies using third-party patch management tools will be affected. Microsoft says:
We are working with companies that provide management tools to adjust their products to work with the new Security Updates Guide. Microsoft cannot guarantee that all third-party software will work in the future.
The best advice on that front is for companies to touch base with their patch management providers as soon as possible and make a plan.
Microsoft did note that its own patch management software – WSUS and SCCM – will be updated as needed to ensure those tools continue to work correctly with the new Security Updates Guide.
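The staged control that enterprises worry about losing (deploy to a test ring first, hold the rest until compatibility checks pass) is enforced at the WSUS approval layer, not in the bulletin format, so it survives the switch to the Security Updates Guide. The script below is an added example, not code from the article or from Microsoft: it runs on a WSUS server with the UpdateServices module, assumes two existing computer target groups named "Pilot" and "Production" (both names are assumptions), approves every new security update to Pilot immediately, and promotes an update to Production only after it has sat in Pilot for an assumed seven days with installs reported and zero failures.

```powershell
# Added example (not from the article or from Microsoft): ring-based security update approval on WSUS.
# Assumptions: run on the WSUS server itself with the UpdateServices module available,
# and the target groups named below already exist in the WSUS console.
Import-Module UpdateServices

$PilotGroup = 'Pilot'        # assumed group name: test machines that receive updates first
$ProdGroup  = 'Production'   # assumed group name: everything else
$SoakDays   = 7              # assumed policy: days an update must sit in Pilot before promotion
$Now        = Get-Date

$wsus   = Get-WsusServer                    # connects to the local WSUS server
$groups = $wsus.GetComputerTargetGroups()
$pilot  = $groups | Where-Object Name -eq $PilotGroup
$prod   = $groups | Where-Object Name -eq $ProdGroup
if (-not $pilot -or -not $prod) {
    throw "Target groups '$PilotGroup' and '$ProdGroup' must exist on this WSUS server"
}

# Stage 1: security updates that nobody has approved yet go to Pilot straight away.
Get-WsusUpdate -Classification Security -Approval Unapproved -Status Needed |
    Approve-WsusUpdate -Action Install -TargetGroupName $PilotGroup -Verbose

# Stage 2: promote to Production only what has soaked in Pilot long enough without failures.
$candidates = Get-WsusUpdate -Classification Security -Approval AnyExceptDeclined -Status Any
foreach ($u in $candidates) {
    $update    = $u.Update                          # the IUpdate object behind the cmdlet wrapper
    $approvals = $update.GetUpdateApprovals()
    $pilotApproval = $approvals | Where-Object ComputerTargetGroupId -eq $pilot.Id
    $prodApproval  = $approvals | Where-Object ComputerTargetGroupId -eq $prod.Id

    # Skip updates that were never staged to Pilot, or that Production already has.
    if (-not $pilotApproval -or $prodApproval) { continue }

    $soaked  = ($Now - $pilotApproval.CreationDate).TotalDays -ge $SoakDays
    $summary = $update.GetSummaryForComputerTargetGroup($pilot)
    $clean   = ($summary.FailedCount -eq 0) -and ($summary.InstalledCount -gt 0)

    if ($soaked -and $clean) {
        Approve-WsusUpdate -Update $u -Action Install -TargetGroupName $ProdGroup -Verbose
    } else {
        Write-Verbose ("Holding '{0}': soaked={1} failed={2} installed={3}" -f
            $update.Title, $soaked, $summary.FailedCount, $summary.InstalledCount)
    }
}
```

Run it as a scheduled task after each Patch Tuesday (and again a week later). One caveat the article's concern points at: the gate above controls when an update reaches each ring, not which individual fixes it carries, so on Windows 10, where security updates are cumulative, holding one update means holding that month's whole set of fixes for that ring.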
Document concerns and give feedback
Moussouris said business owners will need to start taking a serious look at Windows 10 whether they’re ready or not. Her advice:
- Read every scrap of available documentation Microsoft has to offer, which is actually quite a bit.
- In reading that documentation, ask support questions early and often.
- Microsoft has robust support channels. Once the changeover happens, and in the likely event that problems arise, companies must make full use of those channels.
- Microsoft constantly asks for feedback and companies should offer it liberally.
“Take the time to write down your complaints and list the features you wish were there,” she said. “When dealing with Microsoft, that’s often the only way you get change.”
Microsoft has asked that feedback be sent to portalfback@microsoft.com.
Jim
“Take time to write down your complaints…”?
She should get more serious about this. Microsoft does not listen when patches break unless you work for a major company.
I used to trust Microsoft, but of late they have proven either incompetent or untrustworthy: take your pick. I installed Windows 10 on one system (a year ago) to test it. It was promised that I would be able to remove it if I didn’t like it. I didn’t, but no, I couldn’t remove it. Their solution? Get my Windows 7 disks, format and reinstall.
And no, even though they knew about the problem (after I told them), they did nothing to fix it. Repeated requests for assistance were ignored from that point on. So, not only did they refuse to fix it, but they blacklisted me so I wouldn’t bother their support teams any more.
And, I’m supposed to trust them? To “write down” issues? And do WHAT with them?
Mahhn
It’s time another company offers a better business OS. It may take years but someone will fill the gap if MS keeps making the hole bigger.
Wants for most business workstation needs: smaller OS, fewer features/vulnerabilities, similar admin controls like Group Policy and AD. Since more and more business applications are cloud based (only need a browser) this shouldn't be impossible.
ma22709
A better OS is out there: it is OS X. I am an MCSE but use a MacBook, and for reliability you can't beat it. MS patches can cripple a business, just recently wiping out multi-homed IPs, so placing your systems on automatic update is suicidal.
MikeP_UK
Microsoft has not listened to customers' concerns at all. I run W8.1 and W10, and I always, but always, check through all the offered updates where possible and reject any that are not concerned with improving the OS, and especially avoid all those that are related to the intrusive telemetry that Microsoft, and others, try to foist upon us unnecessarily. It appears that they are removing that ability to be selective, which is a backwards step and unwanted by all I know who are experienced in the software business but have to use Windows as a development platform.