When Windows 10 arrives this summer (and Windows Server 2016 next year), Microsoft is going to be making some noticeable changes to how and when it delivers security fixes, hotfixes and rollups.
What can IT pros do now to prepare for the new Windows world order?
Company officials provided some potentially controversial suggestions and guidance during Microsoft's Ignite conference in Chicago. In a session entitled "Getting Ready for Windows 10: Servicing Windows Client and Server in a Managed Environment Today" (Video and slides available here; a good summary from Microsoft Premier Field Engineer Robert Smith is here), Thierry Paquay, a manager on Microsoft's Customer Experience Engineering team, discussed where Microsoft is and where it's going with its patching and updating process.
The reason Paquay's guidance could be considered controversial is that Microsoft's current patching track record leaves quite a bit to be desired on the quality front, as more than a few have noted. At Ignite, Microsoft execs said they believe the company's move to require more users to apply Windows patches in sequential order on a regular basis will help improve the current Patch Tuesday approach.
Microsoft's track record with security fixes is better than many might expect, Paquay told Ignite attendees. He said in 2014, 87 percent of Windows and IE security updates were successful and didn't require a re-release, a percentage he maintained was quite favorable.
Microsoft's guidance on the security update front has been to validate security fixes from Microsoft but deploy them as quickly as possible. Microsoft will continue to advise customers to follow that guidance with Windows 10.
But when it comes to non-security updates and rollups, a number of business customers are delaying "optional" and "recommended" fixes too long, he said. And the failure to apply certain non-security updates can negatively affect the application of security updates over time, Paquay said.
Currently, Microsoft's wording in its guidance around some hotfixes is to only apply them if trying to fix a very specific set of problems. But when there's data corruption, a bug check or a system hang, it's actually more detrimental than not to wait, Paquay argued. He said if more users would apply optional hotfixes and update rollups proactively, Microsoft would be able to gather more telemetry data and fix patch and hotfix problems more rapidly, allowing the company to promote tested fixes as "recommended" or "important" updates/rollups for a broader group of customers.
Once an update appears in Windows Update as "recommended," it has already been installed on and deployed to millions of Windows devices, meaning it has been vetted to a fairly substantial degree (and not just inside Microsoft or by Windows testers only), he said.
"We need more enterprise feedback," Paquay said. "We want you to turn on telemetry. We want to know if stuff is enterprise quality."
With Windows 8.1 and Windows Server 2012 R2, Microsoft has been paving the way for its Windows 10 servicing strategy, unbeknown to at least some customers. Fixes that have been promoted from optional to recommended/important are either one fix per package or part of what's informally known as a convenience rollup.
Convenience rollups are a single package, installation and reboot. They're a way of getting more than one fix to a customer with only a single reboot required. (Until the end of December 2014, Microsoft was interspersing these convenience rollups with monthly update rollups, but at the end of last year, Microsoft discontinued delivering monthly updates.)
Microsoft issued a handful of these convenience rollups in 2013 and 2014. The "Slow Boot Slow Login" Hotfix Rollup for Windows 7 and Windows Server 2008 R2, a collection of 90 hotfixes released after SP1 for Windows 7/Windows Server 2008 R2, was one of the first of these.
In November 2014, Microsoft released another of these convenience rollups, which included several new features, including "Defense in Depth for IE" for Windows 8.1, as well as 66 bug fixes. Paquay called this rollup the "baseline" for Microsoft's Cloud Platform System, its private cloud in a box offering.
Internally, Microsoft is calling the November rollup Windows 8.1/Server 2012 R2 "Long Term Servicing Branch" (LTSB), he said. The LTSB concept will carry over to Windows 10 and Windows Server 2016. This option will be available for Windows 10 Enterprise customers only. LTSB means users will get only security updates and critical updates and no new features pushed to their devices running Windows 10 Enterprise.
Microsoft is planning to deliver another convenience rollup to Windows 7 and Windows Server 2008 R2 users in the coming months as a way of helping them prepare to move to Windows 10, Paquay said. He said the delivery timing for this new update was still to be determined.
In summary, Paquay said, Microsoft is asking its IT customers to do the following:
1. Validate optional updates to help Microsoft determine when updates are enterprise-ready.
2. Deploy recommended standalone fixes and rollups proactively, as they have been validated while optional.
3. Use convenience rollups to create baselines. Just deploy them; no need to wipe/load/image. This concept will carry over to Windows 10.
"If you do these things, you'll be managing your devices and servers the same way you will when Windows 10 comes out," Paquay said. If you're an IT pro applying security updates only, Windows 10's coming servicing rules are going to look and work very differently, he cautioned.