What the end of Patch Tuesday means for businesses

Microsoft will shake up its long-standing patching process next month, replacing its monthly Patch Tuesday security bulletins (also known as Update Tuesday) with a new database and all-encompassing automatic updates.

For many businesses, the question is how to integrate the new process into their own operations. This article aims to answer those questions and set companies on the right course.

A result of customer feedback

Some welcome the change because automatic updates will make things more seamless for users. They see Microsoft catching up to Google, whose auto update process is practically invisible to those who fire up Chrome each day.

Microsoft says the change is a direct result of customer feedback. “Our customers have asked for better access to update information, as well as easier ways to customize their view to serve a diverse set of needs,” a member of the Microsoft Security Response Center wrote in a post to explain the switch from bulletins to database.

In the FAQ about the database, the software giant said:”By February, information provided in the new Security Updates Guide will be on par with the set of details available in traditional security bulletin webpages.”

But for many enterprises, the change will be jarring after almost 20 years of a Patch Tuesday system they’d build their processes around.

IT shops will lose the ability to deploy some patches while holding back others for network compatibility checks and tweaks. And as any IT admin will tell you, one of their biggest headaches usually comes in the form of a bad patch that breaks other parts of the network.

Reservations aside, companies of all shapes and sizes will have to learn to live with the new system, said Katie Moussouris, CEO, founder and president of Luta Security and a former senior security strategist at Microsoft who drove the creation of the company’s bug bounty program.

Overall, the right direction

As disconcerting as the new process might feel to some, Moussouris thinks Microsoft is doing the right thing.

Overall, they are on the right course with auto updates in the cloud. They need the browser – the gateway to their services – to be as secure as possible. They’re going closer in the Google direction.

But while the change should make things easier for consumers, it does present limitations for business – namely the loss of control enterprises have had in deciding which patches to deploy first and which ones to hold for compatibility testing.

What to expect

To get a sense of direction, IT shops should give have a thorough read of the Security Updates Guide dashboard and API: Frequently Asked Questions article on Microsoft’s TechNet site.

Microsoft told Naked Security:

This new site gives our customers a more relevant and customized experience. It will be the single location for information about our updates from January 2017 onwards.

Questions the FAQ addresses include:

  • Why the security bulletin ID number (e.g. MS16-XXX) is not included in the new Security Updates Guide
  • How soon the Security Updates Guide will replace traditional security bulletins
  • How to use the new guide’s dashboard model to group related updates

Another question is if companies using third-party patch management tools will be impacted. Microsoft says:

We are working with companies that provide management tools to adjust their products to work with the new Security Updates Guide. Microsoft cannot guarantee that all third-party software will work in the future.

The best advice there is for companies to touch base with their patch management providers ASAP to make a plan.

Microsoft did note that its own patch management software – WSUS and SCCM – will be updated as needed to ensure those tools continue to work correctly with the new Security Updates Guide.

Document concerns and give feedback

Moussouris said business owners will need to start taking a serious look at Windows 10 whether they’re ready or not. Her advice:

  • Read every scrap of available documentation Microsoft has to offer, which is actually quite a bit.
  • In reading that documentation, ask support questions early and often.
  • Microsoft has robust support channels. Once the changeover happens, and in the likely event that problems arise, companies must make full use of those channels.
  • Microsoft constantly asks for feedback and companies should offer it liberally.

“Take the time to write down your complaints and list the features you wish were there,” she said. “When dealing with Microsoft, that’s often the only way you get change.”

Microsoft has asked that feedback be sent to portalfback@microsoft.com.