News

Microsoft MVP: Microsoft's Windows Patching Model Is Too Fast

• By Kurt Mackie
• August 09, 2018

A prominent Microsoft Most Valuable Professional (MVP) had this advice for Microsoft regarding its rather convoluted Windows 10 and Office patching process: Slow down, and only deliver new feature updates once per year.

Susan Bradley, the MVP and moderator of the Patchmangement.org list-serve discussion forum for IT pros, came to that conclusion from experience, as well as an informal survey she conducted of more than 1,000 IT pro consultants and 862 consumer users of Windows 10. The survey was conducted shortly before Microsoft's problematic July 10 updates to Windows and .NET Framework, which caused multiple problems for users of Microsoft's business software. Those July 10 patches came with 47 "known issues" listed in the security section, Bradley noted.

After the July patch problems arose, Bradley wrote an open letter to Microsoft executives about the Windows updating process, which was published in a July 30 Computerworld article. The response from Microsoft was "disappointing," Bradley explained, in an Aug. 8 RunAsRadio interview with Richard Campbell. The interview offers insights about the kind of hoops she's jumped through to tell Microsoft that its patching approach just isn't working for its customers.

Bradley's letter was addressed to Satya Nadella, Carlos Picoto and Scott Guthrie. The response from Microsoft, though, came from Microsoft's technical support, which opened a case as if she had an individual technical problem to resolve. A day later, she got a more official response from Microsoft that explained the Windows update process to her and suggested that she could use the Microsoft feedback hub next time. Bradley, an 18-times-awarded MVP and Windows patch expert, explained that she had used the usual feedback approach three months before sending her letter to Microsoft executives.

Ironically, the only Microsoft executive who may have taken notice, in an oblique way, was ex-Microsoft executive Steven Sinofsky, who complained in a Tuesday Twitter post that a Windows update had "bricked my Surface RT." He had to conduct a full reset. Sinofsky formerly served as president of the Windows Division during its Windows 7 and Windows 8 days.

Bradley had been hearing discontent from the field regarding Windows patching. Consultants were saying that they were turning off Windows updates. Enterprises were saying they were waiting longer, perhaps two weeks, to apply patches. As a consultant to small businesses, Bradley found that she couldn't always advise her clients to apply Windows patches, especially if they weren't confident about being able to back up and restore their machines.

"Why make it hard for the enterprises?" Bradley said during the RunAsRadio talk. She noted that many companies are mandated by compliance criteria to keep their software updated.

Bradley was asked by Campbell if her MVP status makes a difference in communicating with Microsoft. She explained that she has tried to go through Microsoft's MVP channels, but starting about January, these communications slid downhill. She started seeing errors in the Knowledge Base articles describing the updates. Bradley surmised that MVP exposure into the Microsoft security team isn't there as it used to be.

In composing her suggestions to Microsoft's executives, Bradley said she used the rules given to her by an ex-Microsoft employee -- that is, don't complain but give Microsoft actionable items. She suggested that organizations also could try talking with their Microsoft technical account managers. In which case, it would be good to offer ideas and some actions to take, rather than complain.

Bradley actually prefers Microsoft's cumulative update approach with Windows 10, as it avoids the update delays that can happen with Windows 7 machines. But she noted that Microsoft's patch testing doesn't seem to be happening, even for its own software products. There are too many "side effects," she explained.

Bradley said that Microsoft used to have a Security Update Validation Program, and it seems to still exist "because I saw they were hiring for it." The team would typically test updates and release them if they were OK. However, Microsoft these days explains that it has the Windows Insider Program for testing. Bradley, though, noted that the Windows Insider Program is for testing future features, not for patch testing. "They're not focused on a .NET security patch," she added.

The problems associated with Microsoft's patch quality likely are due to a combination of testing and communication failures, Bradley surmised. In addition, Microsoft's faster releases with Windows 10 aren't helping. She noted that there are four versions of Windows 10 released that are currently supported.

When clients have problems, Bradley has to ask which Windows 10 version they're using. Organizations don't all get feature releases at the same time anymore. While Microsoft uses artificial intelligence, as well as telemetry, to determine when a Windows 10 release is ready for an organization, there are just too many Windows 10 versions out there, Bradley said. She noted that Microsoft even had to block updates to its own Surface devices because of issues with SSD drives, but it totally controls the whole ecosystem in that case.

"Clearly, the fact that you have this mismatched patching is causing problems with Microsoft's infrastructure," Bradley said, suggesting that such patch problems could even be affecting Microsoft Azure infrastructure, as well.

Bradley admitted during the RunAsRadio talk that her efforts were like "trying to move a mountain" and "tilting at windmills." However, she said that "we have to make it better. We can't have people waiting 30 days to install patches."