Along with all of the new features and improvements, Microsoft is introducing changes to how updates will be delivered. There have been growing concerns around these changes and the introduction of Windows Update for Business (WUB). Regardless of what you may have heard, these changes are not all bad.
Microsoft is trying to deliver two important things to the Windows user with these changes: 1) accelerated release of Security Updates while retaining stability and 2) faster delivery of new features for the user. Microsoft is introducing branches, or rings, that will allow machines to receive updates on different intervals.
Depending on your license level, you will have access to either more or fewer of these branches. The fastest of these branches is for those with insider accounts. You can choose to receive the updates before they reach the rest of the market. Now you can evaluate and determine if there will be issues in advance of the updates hitting the rest of your environment. There will be a Current Branch, which consumers will be on. This feature will give little choice as to which updates will be applied, but it will keep machines updated with Security updates, fixes and features regularly (much like the Apple model for Mac).
In a corporate environment this may be too aggressive depending on the existence of legacy apps that may be more sensitive to updates. That is why Microsoft has created the Current Branch for Business. This branch will be updated every four to six months, at which time users would need to take all updates included in the branch to move up to the new Current Branch. While within this branch, companies will have some flexibility to choose which updates they apply. Until they move to the next branch they can choose to push only necessary security and critical updates. The Current Branch for Business is the previous Current Branch. So companies will have more like eight to 12 months to remain on a branch before they would need to move up. This gives administrators time to evaluate the next branch to ensure they have worked out any major issues before pushing the bulk of production systems up.
For large enterprises on the enterprise licensing Microsoft will also have a Long Term Servicing Branch. This branch will be available for several years before you would need to update and take in all changes to move to the next branch. This branch is intended for mission critical systems.
For many companies the changes coming in Windows 10 will mean that their process for updating systems will need to change. The change, however, is overdue. Large companies that have the resources and staff to replicate entire test environments and go through weeks of testing and rollout spend a lot of time and effort. At the same time they are running a lot more risk. Threats today are exploited much quicker than in the past. According to the Verizon 2015 Data Breach Investigations Report, half of the CVEs exploited in 2014 fell within two weeks of release of an update. Adobe Flash Player has released another update just this week to plug 36 CVEs including Zero Day threats discovered after the Hacking Team breach. The speed that hackers can turn around and exploit a vulnerability is startling. This does not give much time for companies to react to security updates.
Change is needed and I believe Microsoft is taking the right steps to help guide us there. I read a Gartner paper, How to deal with Windows 10 accelerated updates on PCs, released July 1st. In this paper, Stephen Kleynhans does an excellent job of presenting the challenges companies will face with the coming changes, but he also outlines how to adapt to these changes. The bottom line is that companies need to create new lighter-weight processes for testing updates and understand which systems need to be on the Long Term Servicing Branch. This should be a minority group and should be separated out from the main workforce, treated as a special group. These updates will take more time and resources to test and apply.
The rest of the user population can be broken out into segments. Admins should have a pilot group to serve as the early adopters. This capable group should comprise of users who can work with IT to ensure the critical apps needed across the enterprise are not impacted by updates. The rest of the users should be broken into segments that will utilise the Current Branch and Current Branch for Business. Users that run less sensitive applications can fall into the Current Branch and move forward to new branches more frequently. Those with applications that are more sensitive to updates can fall into the Current Branch for Business, allowing an extended period of time to ensure any issues have been flushed out.
Kleynhans paper goes into much more detail, but this guidance is not unlike guidance we have given our customers for years. We have looked beyond Microsoft to all of the other applications that reside on systems. Products like Adobe Flash, Oracle Java, Apple iTunes, Google Chrome, Mozilla Firefox and many others.
Shavlik releases updated content at least twice a week for each of our products. Our guidance to Shavlik customers is to patch machines accordingly. Similar to Stephen’s guidance, users should identify those select machines that need the care and testing (critical servers typically). For end user machines, and especially for laptop users and knowledge workers with access to sensitive data, my advice to you is: patch often, patch everything. We recommend patching twice weekly, especially if the machine leaves the network.