This month's Patch Tuesday turned out to be an interesting one, in part because it was the first one ever where Windows 10 finally got to participate in Microsoft's long-standing tradition.
On Tuesday, Microsoft delivered both security and non-security updates for its range of products, but what might not have gotten proper attention was a new normal we should expect. Amid the delivery was a second Cumulative Update (CU) for Windows 10 in as many weeks. The first one was reported to cause reboot looping problems for some. This new one comes with a fix for that issue. CUs are, as the name suggests, cumulative – meaning that all previous fixes and patches are included in the most current one. So, if you apply the one (KB3081436) released this week, you're good. No need to go back and apply the botched one that caused installation woes.
But, what's in the CU is important to understand, particularly for patch administrators, since this batch delivery method seems to be a trend.
KB3081436 not only includes the six security bulletins released this month for Windows 10, but it also provides OS fixes, improvements, and at least one new feature, Windows Spotlight for the lock screen (though it's only available for Windows Home editions).
You still may not have caught the significance here. How Microsoft is choosing to deliver updates for Windows 10 will fundamentally change how patch management works.
In the past, Microsoft would release a separate security bulletin and update for each specific security flaw, allowing patch admins to test and validate each one before deploying them throughout the company. It also allowed them to reject or delay those updates that were deemed to cause problems. Now, Microsoft is choosing to deliver bundles of updates in an all-or-nothing offering, with emphasis on the ALL.
As IT departments are still trying to wrap their heads around choosing between the Long Term Servicing Branch and the Current Branch for Windows 10, this throws a new wrinkle into the mix.
Mark my words here. Unless Microsoft takes a step back and fixes the QA on its current patch creation and internal testing processes, customers are in for a world of hurt in the future. Grouping patches together into a CU takes management and control away from the customer. If a single patch inside a massive bundle stops business apps from working or downs a fleet of computers, customers will eventually just stop patching - leaving their entire environments at risk from attack. When Microsoft tests patches internally, it tests in a pristine environment - one that is 100% patched. Customer environments don't look like this. For a variety of reasons, customers cannot, I repeat CANNOT, deploy every patch that is offered. Obviously Microsoft can't test against every customer scenario, so it can't expect customers to deploy every patch. In a perfect world where all patches are perfect, deploying a single CU would make the life of IT pros much easier. But believing that will ever happen is just unicorns and pixie dust.
It'll be interesting to see what happens here.