I guess I have become a convert to Microsoft’s approach on patching, with really only one fundamental disagreement about administrators’ ability to control said patching. More on that at the end of this post.
In our testing of Win 10 for clients we’ve been measuring and comparing the incidences where any specific patch month broke any of our key business processes. We’ve been tracking this (very loose) metric for several years now through most of Windows 7 SP1 and Windows 8.x. (On a side note, almost all of our clients skipped Win 8.x . . . )
Here is the very high-level summary, averaged to an annual rough mean, for patches that broke any workstations, or our design (Adobe or AutoDesk products) or accounting software (QB, Deltek or – ironically – MS Dynamics): It’s nothing more than a count of total incidences, divided by test bed machine count, multiplied by the number of months where we applied patches, then averaged and when needed “pro-rated” over the entire time period the metric was taken. These do NOT count instances where patching failed due to the problems last year with Windows 7 and the MS Update service. (These were highly irritating to us admins, but had mostly zero impact on end users’ business applications.)
All percentages are annualized averages.
Windows 7 SP1: 3%
Windows 8.1: 7%
Windows 10 CBB 1511: 2%
Windows 10 CBB 1607: 0% (so far, but this is the youngest data set)
Windows 10 1607 release (before it went CBB): 22% *
* That Windows 1607 release percentage was almost all due to a turbulent time period starting August 2016, through September 2016 . . . I think we already know what went wrong there. Also note that we did not begin testing Win 10 until after 1511 was granted CBB status.
The implications to me are fairly clear:
Lock business critical machines into the Windows 10 Current Branch for Business, and allow monthly updates to keep them completely current to that CBB designation. Avoid new UPGRADES until they are promoted to CBB status. Both options are easily possible in current builds for Pro and up, and will be possible in the upcoming upgrade (April?) via GPO or the regular control panel.
http://windowsitpro.com/windows-10/configure-machine-use-current-branch-business-windows-10
The second conclusion for me is that the unified patch release method appears to be helping in terms of stability overall. Yes – it’s hard to let go of the fine control we used to have. And yes, there is potential for problems – but they are mitigated by three factors:
- Microsoft just showed us that they are committed to holding back bad patches this February.
- Admins can still roll back a bad roll-up patch via WSUS and locally on a machine. (We tested rollbacks on WSUS 4.0, but not on 3.2 – and so far no problems with rolling back the new Update and Security roll-ups for Windows 7 and 10 across an entire machine group.)
- As a former software tester, Microsoft’s stance that testing a roll-up patch is far less prone to complex breaking edge cases compared to testing several individual patches in every permutation possible makes sense and fits with my own admittedly anecdotal observations over years in this industry.
Now to my one problem with the controls:
While I do want my workstations on CBB patched regularly, and prefer them patched automatically – we need the ability to control WHEN they are patched on our weekly work schedule. I want our choice of day of the week and time to be respected. We do NOT want machines to reboot overnight except on (for example) Saturday evening at 11 PM.
We had this feature in Windows 7 . . . I’d like it back. And I want it in the UI for casual end users. And it should be available as an option for ALL versions of Windows 10: Home, Pro, Ent and Edu.
Having complained, for larger organizations I do have a solution. If you use WSUS you can change the schedule for when your WSUS server checks for updates. The default is 9 PM nightly. We set ours to check at 11 PM Friday (you can also set this to a monthly date or frequency – say the “third” Friday of each month.)
Your client machines will still check your WSUS server daily (or on whatever random schedule MS uses for Windows 10) . . . but they will think they are current until the next time your WSUS server syncs and finds the updates from the previous week/month.
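The two controls described above (pinning a Pro/Enterprise client to CBB, and moving the WSUS server's sync from the nightly default to Friday 11 PM) as an added PowerShell example that is not part of the original post. The registry value names are the ones the "Defer Upgrades" (1511) and "Select when Feature Updates are received" (1607) policies write; the task name, the 23:00 Friday schedule and the use of a scheduled task to drive the sync are my assumptions for illustration.

```powershell
# Added example, not the original poster's code. Requires elevation; the WSUS
# function additionally needs the UpdateServices module on the WSUS server.

$WU = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'

function Set-CbbDeferral {
    # Writes the policy-backed values so the machine reports itself on CBB and
    # holds off feature upgrades until Microsoft promotes them to CBB.
    if (-not (Test-Path $WU)) { New-Item -Path $WU -Force | Out-Null }
    # 1511 and earlier: the "Defer Upgrades" policy
    Set-ItemProperty -Path $WU -Name DeferUpgrade -Type DWord -Value 1
    # 1607: BranchReadinessLevel 32 = Current Branch for Business (16 = CB)
    Set-ItemProperty -Path $WU -Name BranchReadinessLevel -Type DWord -Value 32
    Set-ItemProperty -Path $WU -Name DeferFeatureUpdates -Type DWord -Value 1
    Set-ItemProperty -Path $WU -Name DeferFeatureUpdatesPeriodInDays -Type DWord -Value 0
}

function Test-CbbDeferral {
    # Compliance check for a machine group: $true only if the CBB values are in
    # place (either the 1607 pair or the older DeferUpgrade flag).
    $p = Get-ItemProperty -Path $WU -ErrorAction SilentlyContinue
    return (($p.BranchReadinessLevel -eq 32 -and $p.DeferFeatureUpdates -eq 1) -or
            ($p.DeferUpgrade -eq 1))
}

function Register-WeeklyWsusSync {
    # Server side: disable WSUS's own nightly sync and let a scheduled task start
    # it on Friday at 23:00. Clients keep polling daily but see nothing new until
    # this sync has run, which is what pushes patch day to the weekend.
    param([string]$TaskName = 'WSUS Weekly Sync')   # assumed task name
    $sub = (Get-WsusServer).GetSubscription()
    $sub.SynchronizeAutomatically = $false
    $sub.Save()
    $cmd     = '(Get-WsusServer).GetSubscription().StartSynchronization()'
    $action  = New-ScheduledTaskAction -Execute 'powershell.exe' `
                   -Argument "-NoProfile -Command `"$cmd`""
    $trigger = New-ScheduledTaskTrigger -Weekly -DaysOfWeek Friday -At '23:00'
    Register-ScheduledTask -TaskName $TaskName -Action $action -Trigger $trigger `
        -User 'SYSTEM' -RunLevel Highest -Force | Out-Null
}
```

Run Set-CbbDeferral and Test-CbbDeferral on the clients (or push the same values by GPO) and Register-WeeklyWsusSync once on the WSUS server.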
~ Group "Weekend" ~