Patches are in the air – pretty much all month long these days. With recent news that Microsoft is adding yet another Tuesday during the month to its patching scheme, there’s literally no respite for IT staff tasked with keeping the environment both secure and up-to-date. For most I’ve talked to, this is not good news. It’s pushing IT Pros to the point of patch fatigue and forcing many organizations to ignore what Microsoft is delivering.
Obviously, Microsoft wants everyone to be on the high-speed update rail introduced in Office 365 and Windows 10, but many companies just can’t. Microsoft seems to be overlooking customer requirements while at the same time suggesting it is listening to customer requests.
Let’s take a quick look at the current monthly patching mechanism from Microsoft.
- As noted recently, there’s the 1st Tuesday of each month for non-security-related Office patches.
- The 2nd Tuesday of the month is the regular Patch Tuesday, when Microsoft delivers security fixes to its product line.
- The days following Patch Tuesday are filled with patch retractions due to bugs and then fixed patches that are reintroduced.
- The week after Patch Tuesday we might see additional rereleased updates to solve remaining bugs, but also there’s the delivery of Surface firmware. Not every customer uses Surface devices, but for those that do it adds to the overall patching burden.
- And, all along the way – all month long – additional updates seem to trickle out with no rhyme or reason.
Think about this from the patching admin’s perspective. How much more of a burden is unstructured patch delivery?
I was part of the team that developed the plan for Patch Tuesday and then wrote the original Patch Management Guide from Microsoft. We spent long hours putting a mechanism into place that was logical, functional, and something the customer was comfortable adopting. And, it worked for the longest time. Granted, it would be nice if a world existed where no one needed to patch software, but that’s not our reality. We have to patch to keep the environment current and safe. But, with the frequency and the way updates are delivered now, many companies are holding back patches. Patch fatigue is becoming a very real thing. Who knows? Maybe it will join the ranks of qualified physical ailments covered by workman’s compensation like BlackBerry thumb.
How about your organization? How are you handling the increased onslaught of updates? Are you delaying update delivery? Are you waiting until you can roll out updated corporate PC images? Does it make you consider handing patching over to Microsoft (automated through Windows Update)? Have you just given up?