Patch Lady – Get back to a schedule

Lately I’ve noticed that Windows patches have stopped being consistent.  No I’m not talking about bugs, I’m talking about timing.  Once upon a time updates came out any day, any time and if you were an admin at a firm you had to rush around and determine if you needed to apply the update.

Then came the era of the “Second Tuesday”.  Microsoft made the commitment of releasing security updates on the Second Tuesday.  If updates came out any other day, we all knew that the update was an “out of band” or “out of cycle” update that meant it was a needed security patch that needed to be installed immediately.  Then we had the fourth Tuesday where non security Office updates were released or any other update that didn’t kick a reboot.  Any update that kicked a reboot was released on Second Tuesday to minimize the amount of rebooting.

And now we have the new era of updating.

Here’s what it’s supposed to be:

First Tuesday of the month is reserved for non security Office updates.

Second Tuesday of the month is supposed to be security updates and any update that kicks a reboot.

Third Tuesday of the month is supposed to be preview updates for the following month’s Windows 7 and 8.1 releases

Fourth Tuesday of the month is supposed to be for “clean up” updates for Windows 10 especially for Semi annual targeted (the old CB) to fix issues during the early release.

Here’s our reality:

https://support.microsoft.com/en-us/help/4093105 Windows 10 1709 released on fourth Monday.

https://support.microsoft.com/en-us/help/4093112 Windows 10 1709 (main security update released on Second Tuesday)

https://support.microsoft.com/en-us/help/4089848 Windows 10 1709 – released on fourth Thursday

https://support.microsoft.com/en-us/help/4088776 Windows 10 1709 (main security update released on Second Tuesday)

https://support.microsoft.com/en-us/help/4090913/march5-2018kb4090913osbuild16299-251 Windows 10 1709 released on first Monday

https://support.microsoft.com/en-us/help/4074588 Windows 10 1709 (main security update released on Second Tuesday)

https://support.microsoft.com/en-us/help/4058258 Windows 10 1709 released on fourth Wednesday

https://support.microsoft.com/en-us/help/4073291/windows-10-update-kb4073291 Windows 10 1709 released on third Thursday

https://support.microsoft.com/en-us/help/4056892 Windows 10 1709 released on first Wednesday

It’s to the point where I see consultants disabling Windows 10 update services by setting up a task that runs daily to shut off the windows update service.  It’s to the point that I see consultants talk about “there was an out of band update yesterday” and I cringe because we’re becoming so numb to release cadence that we can’t tell when an update is an out of band for security purposes versus out of band because Microsoft released another fix.

I applaud Microsoft for fixing bugs, but….. given this release cadence we are causing people to take drastic steps to control updating.

Recently on twitter an image was posted about how Microsoft got feedback and made sure that everyone on campus understood customer pain.  But that image doesn’t fully encompass the true pain of Windows updating.

1. People don’t trust that their machine will recover from updating.  Look at the drastic measures we are doing to ensure we can control updates.
2. People don’t trust that their machine will get good solid notifications when a major update will occur.
3. People don’t trust that updates do exactly what they say they do and nothing else.
4. People don’t trust in the telemetry collection process.  [This is one that I respectfully disagree that telemetry is a bad thing.  I WANT Microsoft to get all the data points of how updates are good or bad.  Unfortunately telemetry is too much aligned with the forced updating problem and thus is getting a bad rap.]

So Microsoft, with all the new emphasis on privacy and data collection in 1803, with all the push on GDPR,  please start by rebuilding the trust of Windows Updates.  Start with going back to consistent days.  Start by going back to specific days of release.

We still have a long way to go.