Preparing for Life Beyond Patch Tuesday with Windows Update for Business
May 14, 2015 Leave a comment
• Microsoft’s Windows Update for Business will provide software updates for Windows 10 enterprise, end-user devices in a more fluid, flexible manner.
• Patch Tuesday isn’t ending tomorrow, but vulnerability management vendors should begin preparing now for Windows Update for Business, particularly in regard to system classification, distribution and auditing.
Microsoft last week introduced Windows Update for Business, a new software-update mechanism for its upcoming Windows 10 operating system.
With Windows Update for Business, Microsoft hopes to provide software updates for Windows 10 enterprise, end-user devices in a more fluid, flexible manner. Key features include distribution rings that will offer more flexibility regarding when and how quickly software updates are deployed. This includes maintenance windows to better align update distribution with mission-critical uptime requirements as well as other planned maintenance and configuration periods; peer-to-peer delivery to reduce bandwidth utilization at branch offices and remote sites; and integration with existing tools like System Center and Windows Server Update Services.
Despite the media hype that Windows Update for Business will end Patch Tuesday as we know it, this is far from the case.
First, the upcoming Windows 10 release will be client-only. The software giant typically releases both client and server versions together when debuting a new version of Windows, but Microsoft announced in January that the next version of Windows Server has been delayed until 2016. The initial Windows Server technical preview codenamed Windows Next released last fall included the underpinnings to support Windows Update for Business, but even early adopters are likely 18 months away from dealing with these changes; most Windows Server customers may be years away.
Additionally, this week’s announcement has no impact on legacy Windows clients and servers. It remains to be seen whether a more fluid update mechanism can or will be added to previous releases, but for now monthly bulletins will continue to be released on the second Tuesday of each month, and critical bulletins will be provided on an as-needed basis.
However, this announcement signals the beginning of a feeling-out period. Microsoft is clearly transitioning to a more rapid, iterative software update paradigm that isn’t tied to a monthly cycle. Over the long term, this is a good thing. Competitors like Google and Amazon Web Services have proven for years that rapid, iterative releases deliver security updates faster and just as smoothly as Microsoft’s monthly waterfall update cycle.
This transition period should serve as an opportunity for all Windows stakeholders. Microsoft, smartly, is formally soliciting feedback from enterprise customers regarding the development of Windows Update for Business via its Windows 10 Insider Program. Enterprise buyers may have a new incentive to not only accelerate their Windows 10 implementations, but also to begin the long-range planning process in regard to classifying client systems into update classes and aligning software update periods with business requirements.
Vulnerability management vendors should look to get out in front of these changes by assessing how their products align with Windows Update for Business, particularly in regard to system classification, distribution and auditing. Windows Update for Business will provide enterprises using Windows 10 with greater flexibility and an opportunity to align Windows software updates with other third-party software and system updates like never before. Doing so creates an opportunity for vulnerability management vendors to serve as that “single pane of glass” for Windows 10 organizations. While Patch Tuesday isn’t going away tomorrow, vendors should begin strategizing now for the implications of its slow but sure demise.
Eric Parizo is Senior Analyst, Enterprise Security in the Business Technology and Software group at Current Analysis. Contact him at firstname.lastname@example.org.