In a recent blog post, Paul Bergson with Microsoft attempts to further explain the company’s reasons for adopting the servicing model that many customers are now upset about. The servicing model adopted with Windows 10, and now being ported to Windows 7 and Windows 8.1, delivers only cumulative updates. In the past, Microsoft would deliver single patches for each flaw or security issue. But no longer. Instead, a stack of patches that continually accumulates into larger downloads is the only course of action.
The point of rollups is to correct the fragmentation caused by systems containing a mix of individual updates. It will not be possible to uninstall specific KBs of a rollup. If there is a problem, the partner will need to open up a case and provide business justification to drive the discussion with Microsoft.
This might sound like it simplifies things, but Microsoft, unfortunately, has a problem with the quality of the patches it releases – and has had this problem in recent years. IT administrators know this too well. There have been too many times over the years when updates have rolled out, broken things, and business leaders blamed IT staff when instead the blame should’ve been directed back at Microsoft’s poor patch quality. Microsoft’s history with bad patches led to an entire professional segment of Patch Administrators whose only job was to review, test, approve/disapprove, and deploy patches to ensure business security with continuity.
In September of 2014, as part of Microsoft’s first massive layoff, the company folded its Trustworthy Computing Group. This group was established as part of Bill Gates’s original 2002 initiative to ensure that computers were inherently secure, available, and reliable. Up until a few years ago, this held true. But, even more recently, particularly with this latest servicing model strategy, computers have been quite a bit less than available and reliable. Obviously, with any new strategy, there will be growing pains and gaps that need to be plugged due to oversight. But Microsoft has yet to get the Windows 10 strategy right, and now it wants to implement the same model for Windows 7 and Windows 8.1 customers. This has many customers hot. Why? Because cumulative updates are an all-or-nothing installation. Even if only a single patch inside the huge update causes a bluescreen or stops a critical business app from working, while all the other contained patches work just fine, that single patch cannot be rolled back – instead, organizations must choose not to deploy the full installation. This also means that by choosing not to deploy a cumulative update, organizations will not be protected against the latest exposed security vulnerabilities.
Just a couple weeks ago I renewed my call for Trustworthy Computing. Does Microsoft need to create something new? No. It just needs to get back to its roots and start to build customer trust again by providing updates and patches that make PCs inherently secure, available, and reliable.
Microsoft’s latest blog post explanation attempts to reassure customers, but the conversation is ongoing. New information helps, but nothing will solve the issue better than renewed trust – which means Microsoft needs to have a few months of perfect patches before customers will start trusting again.
At IT/Dev Connections 2016 in a few weeks, we’re hosting a Birds of a Feather session called 'Microsoft set to change Windows patching in a disastrous way' – discuss! The session is moderated by Susan Bradley (Microsoft MVP, Enterprise Security), Andreas Hammarskjold, and Phil Wilcock. It should be one of the better informal discussions of the week. If you’re attending IT/Dev Connections 2016, add this to your schedule. If you’re not attending, well… BOFs and Workshops are not recorded. We’ll have coverage of the discussions here on Windows IT Pro, but you’re better off just attending the conference.
IT/Dev Connections is unlike any conference you’ve attended in the last few years. It’s not full of marketing fluff, not architected to host tens of thousands of attendees like cattle herding, and definitely not vendor owned and operated. IT/Dev Connections is a deep-dive technical conference focused on what matters today for a better tomorrow. We like to think of IT/Dev Connections like a James Bond movie where there’s action from the very start. The week kicks off with all-day workshops on Monday and moves directly into sessions on Tuesday. There’s no keynote to bog you down and get you distracted by shiny things – only an awesome community event to launch the week’s festivities.
IT/Dev Connections 2016 runs from October 10-13 at the ARIA resort in Las Vegas. Check it out here: http://www.itdevconnections.com
I hope to see you there so you can lend your voice to this hot issue!