Microsoft Ends ‘Pick-a-Patch’: What Should You Do Now?

Big changes are coming to the patching process for Windows 7 and 8.1 this fall. Microsoft recently announced that, starting in October 2016, admins will no longer be able to pick and choose which patches they want to apply. Instead, patching will be conducted using a cumulative, Windows 10-inspired approach. The list of pros far surpasses the cons but, as is always the case with changes ofClose-up of hands of boss at workplace with laptop and hands of two females near by this scale, it has stirred up anxiety.

Under the new approach, rather than receiving dozens of patches from Microsoft every Patch Tuesday, businesses who haven’t migrated off older versions of Windows will receive just one. Contained within that lone patch will be fixes for multiple bugs. From a management standpoint, it’s hard to argue against having one patch for 30 bugs in place of 30 patches for 30 bugs.

From Microsoft’s point of view, the value of this change goes beyond management simplification. They see this move as increasing the quality of the updates they provide to customers, thereby making customers’ environments more secure. Meanwhile, eliminating a grocery store approach to patching (“I want this one and this one,” etc.) saves organizations from sync and dependency errors and reduces testing complexity and scan times.

Concerns drummed up by Microsoft’s announcement

Again, the list of pros is long. What’s troubling IT admins is the perceived inflexibility of this new process. Admins aren’t happy with the prospect of installing every update contained within a pack, as opposed to skipping over those they deem risky or unnecessary. Also, while the peace of mind that comes with proper patching is obviously attractive, there is concern about the time and network resources that would need to be devoted to these larger updates.

Let’s start with that second area of concern. Businesses who use Windows Server Update Services (WSUS), System Center Configuration Manager (SCCM), or the Microsoft Update Catalog as their source for finding and deploying patches will be able to select from one of two types of updates. The first is the full update, called the monthly roll-up or a security-only update. There’s also a security-only option which works exactly like it sounds. Businesses who choose this option will only receive updates directly tied to security. Performance and other fixes will be excluded, minimizing the size of the update without hindering security efforts. This option will not be made available through Windows Update.

What about having to install updates that could cause problems for your environment? This is a rare occurrence according to the Arraya Microsoft team. Rare is reassuring, but it’s not as reassuring as impossible. Even if, say, fewer than 1 out of every 100 updates causes an issue, that won’t do much to reassure the IT pros left dealing with the cleanup.

Preparing for the future of Windows

That’s where our team can help. We can assist organizations still using Windows 7 and 8.1 better understand the risks associated with this change and how it will impact their existing Windows environment, including with SCCM deployments.

This may also be a good time, if you haven’t done so already, to kick start internal conversations surrounding migrating off of aging solutions like Windows 7 and 8.1 and onto the most secure, modern option around: Windows 10. Arraya’s Microsoft team can discuss best practices surrounding this and help draw up migration plans.

To learn more about what the end of pick-a-patch could mean for your organization, or to start a conversation about Windows 10, reach out to us at: www.arrayasolutions.com/contact-us/. Our team can also be contacted through social media: Twitter, LinkedIn, and Facebook.

Arraya Insights