How Microsoft could save businesses time & money when it comes to patching Windows

Summary: A ZDNet reader that goes by the name of R.E. Riker posed an interesting question to me via e-mail the other day.


A ZDNet reader that goes by the name of R.E. Riker posed an interesting question to me via e-mail the other day. He asked whether, given the high frequency of updates that Microsoft issues for its operating systems (in his case, Windows XP), offering more frequent Service Packs or update roll-ups wouldn't be the more sensible thing to do for some of Microsoft's customers.

In my back-and-forth exchange with Riker, I learned that he maintains about 70 systems in an environment where new updates from Microsoft must be tested before they are deployed. This can't be an unusual requirement out there in the business world.

For Riker, Microsoft's monthly issue of such updates (on the second Tuesday of each month) makes such testing impractical. On the other hand, if Riker waits for Microsoft to issue the next Service Pack (which could be years), that's too long for the systems he oversees to go without certain critical updates, especially security-related ones. In his first e-mail, Riker wrote:

I would like to see Microsoft offer an option for security patch rollups at least on an annual basis (maybe semi-annually). In other words, compile an update containing all of the security patches for the past year (or half-year) that we could download, test, and then apply to our machines. I know ideally it would be better to apply the monthly updates, but that just isn't feasible for many people, myself included. But I don't want to stay completely unpatched or wait years on end for the next service pack. Trying to talk directly to Microsoft is next to impossible for us small fries. Would you be willing to maybe at least broach the topic either directly with them or through a blog? Thank you for your consideration.

I responded to Riker asking why he just doesn't turn off automatic updates and then deploy them on a less frequent basis. Riker responded:

The option to turn off automatic updates and only update manually would be fine if it were only one or two machines. Going beyond that it becomes rather inefficient considering just the bandwidth alone.

And, well, I currently support 30 XP boxes with probably 40 more yet to upgrade (that's right, we have 40+ machines on older OSs). Of course, MS's solution would be to upgrade all our PCs and set up a [Windows Server Update Services] Server. Ummh, well, first, if I had the resources for that, I probably wouldn't be here begging. Second, I have a problem with a company asking us to shell out even more money to solve coding problems in their software! [DB's note: He has a good point. According to the WSUS requirements page, Windows Server 2003 is required. In other words, keeping XP up-to-date requires additional software licensing and hardware investments, not to mention time.]

I guess what I am trying to find is some balance between not patching immediately (which just doesn't work for us for multiple reasons) and going unpatched until a service pack is released (which is too long to go unpatched). I don't feel like that is too much to ask especially in an environment where the hacking has gone professional. It was bad enough trying to cope with the script kiddies. We can't compete with professional hackers as it is, but we don't stand any chance at all with unpatched boxes. As small as we are, we've already seen some spear phishing attacks.

Finally, if he could have it his way, Riker writes:

Realistically, I don't think I could do it more than twice a year. And I am certainly open to some other mechanism as long as it is relatively user friendly and I can download it once (even if it involves multiple files, as long as that doesn't get completely out of hand like the update catalog), test it out on a machine, and then apply it to the rest of them.

So, I did what Riker asked. I checked in with Microsoft, and here's the response that was offered by a spokesperson:

Customers have many choices for servicing Windows. Windows Update is designed for customers who want to update individual PCs as Microsoft releases updates – either automatically or when the customer is ready. A second option is Windows Server Update Services, a free server role for Windows Server customers, which allows network administrators to control the distribution of updates across their network. Other options include full-featured software management tools like System Center as well as 3rd party programs.

Microsoft traditionally releases security updates on the second Tuesday of each month and encourages all customers to install them as quickly as possible. The servicing tools mentioned above are designed to make this as seamless as possible. Microsoft is in constant communication with its customers to better understand their needs and desires and builds its products and services to meet those needs.

Unfortunately, Microsoft's response will be of little consolation to Riker, who would easily fall behind if he relied on self-patching via Windows Update but on a schedule he sets (instead of Microsoft's). Furthermore, I think Riker's subtle point about who should bear the cost associated with patching numerous systems in a business environment is dead-on. After all, a good many of the patches that Microsoft issues are there to deal with defects in the operating system.

I'm not saying "defect" in a negative way, nor am I derogating Microsoft for the situation. The truth is that no software -- not Windows, nor any of its competitors, nor any applications -- is without its defects. The question is this: if software is defective, the customer will require it to be patched, and there's a need for something like WSUS in order to manage that patching according to business requirements (as is proven by the very existence of WSUS), then should the customer be expected to bear additional cost to get that WSUS functionality, or should it be offered for free? Or should the customer be expected to bear the additional time and expense of acquiring, deploying, and maintaining a server on which to run WSUS? (WSUS is a free download, but Windows Server 2003 is not.)

While you contemplate that question, perhaps Microsoft will consider this suggestion, which I've sent to it through my contacts: if there was ever a great opportunity to leverage the benefits of software-as-a-service, then perhaps this is it. Why, for example, couldn't Microsoft host a multi-tenant WSUS server on the Internet for free? One that system administrators like Riker could turn to for the same WSUS functionality they'd get if they ran WSUS locally, but without the headaches of running their own WSUS server? Would there be issues (like security) to work through? Sure. But Microsoft is capable of working through them, and to the extent that it's always looking for ways to better serve its customers -- especially the finicky small to medium businesses that are tough to satisfy -- wouldn't a hosted version of WSUS make sense?

Are you (or should you be) running a WSUS server to better manage the patching of your client systems? If Microsoft offered a cloud-based version of it -- one that was integrated into its Windows Update service in a way that allowed you to manage all of Windows' patches on your schedule -- would you take it? Or, even if you wouldn't, should you still be asked to bear the cost of running a local WSUS server even though the purpose of it is largely to manage "manufacturer defects"?

What do you think?

  • And, that is the advantage of open source.

    You can look for a provider that will give you what you want. Here, you can beg, but it won't do you much good.
    • Yeah! absolutely

      with Windows you have to beg 1 guy. How many will you be begging with Open Source?
    • At least you have someone to beg with MS

      Which is a distinct advantage.
      Besides which, WSUS already does what is needed in this case.
      WSUS as a 'cloud' service would be nice also.
    • Yeah right

      I could also beg for good programmers, adequate documentation in a language resembling English and that every upgrade doesn't break the previous one. But then I realise that's unrealistic, because I use open source. If I want a well tested program written by the best programmers, then I'll buy MS.

      I'm now convinced you don't use a computer for anything but whining in these forums Donnie. You certainly have no experience with MS and even less with open source.
    • My - aren't you on the ball..

      The pathetic Linux zealot usually doesn't appear until further into the thread.. but in this case - he was right on the ball, got in the first comment.

      I'm impressed! Do you have open source running that tells you whenever a Windows comment is made on the web?
      • Well, I must say..

        that since I started using Windows at 3.1, I haven't found anything more stable and easier to update than what I use now. And as far as having requests processed: I requested that Transgaming Technologies add their Cedega package to the PCLinuxOS repositories and voilà, an install package for a functional base version appeared in two days.

        It strikes me how you strike down the zealot with such "ZEAL".

        Doesn't that smack of judge not lest ye be judged?
        Hrothgar - PCLinuxOS User
  • I agree with WSUS as SAS

    I agree to the point that providing WSUS as SAS would sound fantastic, but there might be many issues that need to be resolved before we get to that stage, as there has to be client software that interacts with this WSUS server in the cloud.
  • RE: How Microsoft could save businesses time & money when it comes to patching Windows

    I'd have a look at Heise Security's Offline Update tool. It can be set up to download Microsoft Updates automatically via the task scheduler, and these can be packaged, along with an installer, onto an ISO or run directly from a folder. This would allow you to test first, then deploy to your machines via a startup script in group policy or a logon script.

  • There is no Microsoft solution

    If you want to avoid risks with unpatched machines, you have to move to Macs or Linux. Given the cost constraints he should be moving all machines to Linux. Not only will it be even cheaper, but, for the moment, even if he is not up-to-date with his patching, there is little risk.
    • By dog!

      A second Linux zealot in one thread.

      How about the applications the users in this company need that don't run on Macs or Linux? What's your suggestion for that? Perhaps they should restructure their entire business around what DOES run on Macs/Linux?

      That's where the Linux world needs a clue... a computer is only a tool to perform a job. If it can't perform the job, no matter how wonderful or free or open-source the operating system is - it's basically worthless. Which is where I put Linux and for the most part - Mac/Apple.
      • Well dog my cats!

        If it ain't another one of them liberals who will keep on using a product no matter how much the producer cheats, beats, and kicks them in the teeth.

        After all, it works, and isn't that all people need, or want?

        I'd rather be a zealot, thank you. I don't know what you call yourself, but I don't wanna be one, whatever it is.
        Ole Man
      • Zealots

        I totally agree with you, but I'm afraid you're preaching practicality in a "Holy Roller Revival" here. I am a partially retired product designer, and a plastics engineer. Too many people in these posts use their computers as toys. If that's their only reference, telling them to go outside to play is not going to be heard.
        • Nail, meet Hammer.

          You just smacked that one half-way through the board.
          Dr. John
  • There are problems with cloud based WSUS

    There are problems with cloud based WSUS. For one thing, the server needs to be tied in to your domain. The other HUGE benefit to a localized WSUS server is that patches are cached locally and you don't need to download the same patch 30 or 100 or 1000 times and use up your Internet bandwidth.

    The easiest thing for a small business to do is to simply put the WSUS service on to one of their existing but lightly loaded servers. That does not require any additional hardware or software licensing so it's essentially free.
    • the challenges you identify are trivial

      1. workstations attach to domains all the time over VPNs. To do it with servers would be trivial.

      2. not everyone cares about bandwidth and it's not like updates are bandwidth killers. Recall, the guy who wrote to me didn't say that bandwidth was a constraint. His problem is frequency.

      3. This assumes they have such a server. Why must they have such a server? Why must that be a given? Isn't it possible George that some shops would never put a Windows Server in? Particularly small ones? Why must someone buy servers to make workstations work? That's completely wrong.

      • Some bad assumptions on your part

        1. It's not just a question of VPN, the hosting service would have to be virtually attached to 10s of thousands of domains. That may be just a software engineering problem but it is a problem that needs to be solved if you wanted to use such a scheme.

        2. You cannot assume bandwidth is not a constraint. 70 computers downloading Windows update will kill even the fattest pipe and it's silly not to use some kind of local caching in this environment.

        3. The EU is complaining that Microsoft has gained a lot of market share in the server space. Depending on how you define the market, Microsoft has 80% of the market share. If you have more than 10 Windows workstations, it makes perfectly good sense to have a small business server license. I'm not sure how you can declare this computing model "completely wrong" since I can give you far worst computing models like Java.
        • A crude remark about assumptions

          When that's all you have yourself.

          Depending on how you define "assumption". YDMV (your definition may vary). So may anyone else's.
          Ole Man
        • What does you mean by this?

          "I'm not sure how you can declare this computing model "completely wrong" since I can give you far worst computing models like Java."

          I have no idea what you are trying to say here. How is Java's computing model on the desktop any different than .NET's?
          • Doh!

            I obviously meant to say, "What do you mean by this?".

            I was originally going to say, "What does this mean?".
          • Fingers got tongue tied. <nt>

            Dr. John