Extremely concerned about BigFix future re: MS Windows 10 updates

Just came out of a conference with Microsoft folks… As you know the patching model changed for Windows 10, and we’re going towards ONE patch a month or whatever schedule that is, not individual patches anymore… They are basically telling us it is this way or the highway, no single patch will be capable of being rolled back.

If something breaks an enterprise app, legacy or not so legacy, our fix is to a) test better beforehand b) roll the entire patch back for that month c) stop updating until the vendor fixes the issue… Not very realistic for a big enterprise and 1000s of vendors. While that happens, you are unpatched.

They also actively recommended SCCM as the only way to suspend automatic patching (after the maximum delay time - 4 months ?), and told us to abandon bigfix and switch to SCCM ASAP as “the only way to control and manage Win10”…

WTH ??? What do you guys at IBM think? Are you going to handle the patches as before, except in one giant monthly bundle ? How do you see BF dealing with this change of model ? Are the MS guys we talked to full of it ???

To be clear I meant “you will not be able to roll back a single component of a monthly bundled patch”. Like we do now (removing a single KB or whatever), if you roll back it’s one month worth or nothing… And no salvation until you remediate what’s broken… and sooner or later you get that patch anyway unless you firewall off MS updates ! Sounds lovely !

Hello,

It appears your post has two main points:

  1. Microsoft is forcing Windows Updates
  2. Microsoft is bundling updates

For 2, this is the way that it will be going forward, Microsoft will release a security-only patch bundle and a security+reliability patch bundle each month and organizations should apply and test these thoroughly. This is just the way it will be and it is similar to how Apple approaches updates.

For 1, my understanding is that the current branch for business for Windows 10 is that automatic updates are not enforced or automatically applied and having SCCM versus BigFix does not benefit or worsen the situation. Instead, for Current Branch for Business, Microsoft will deliver one cumulative update every 4 months, with security patches released as needed. Security Patches are only available for systems running the most recent and the previous cumulative update.

This essentially means your machines must be running either the current branch for business or the previous branch for business to get security updates.

To its credit, BigFix does more than just “deploy patches”.

The ability to easily deploy software is a function that can’t be ignored.

And it does it across multiple platforms.


FYI

It’s also for Windows 7 and Windows 8.1 starting in October…

I understand BF is doing more than just patches, but If we need one tool for patching in this new environment and another for deployment, we will just go back to using only SCCM - which I hate and I would much prefer sticking with Bigfix ! W

I was wondering what if anything we heard from Bigfix about this change in process ! Is Bigfix going to roll out bundled patches like microsoft or is MS going to prevent them from even playing in the new sandbox ? Are they going to attempt unbundling if possible, at least for some rollbacks ? Are they aware that MS themselves are pushing SCCM saying that is the ONLY way to delay or control the application of those patches - I don’t quite believe this is true but that is what they told us for 1.5 hours? And yes, it’s happening for Win7 as well…

For 1, my understanding is that the current branch for business for Windows 10 is that automatic updates are not enforced or automatically applied and having SCCM versus BigFix does not benefit or worsen the situation. Instead, for Current Branch for Business, Microsoft will deliver one cumulative update every 4 months, with security patches released as needed.

I hear you but the MS engineer we talked to told us that after the 4 month grace period, the updates were coming down whether we liked it or not, unless we firewall MS updates off !!! And only SCCM could prevent that from happening… I think he’s incorrect, but that is what was said…

Sounds like the MS Engineer was more of a BS Engineer.

If SCCM is able to prevent the download/installation of a patch, so is BigFix.

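As an added example to go with the point above (this is not code from the thread, from IBM or from Microsoft), here is the policy surface that the Windows Update Agent on Windows 10 1607 and later consults for servicing branch and deferral. Both SCCM (via GPO/WSUS) and any other management tool end up steering the same registry-backed policies, which is what makes the “only SCCM can hold updates” claim doubtful. The script, its parameter names and the 180/30-day limits are my own assumptions for 1607-era builds; it must be run from an elevated prompt and, with `-Apply`, changes machine policy.

```powershell
# Added example (not from the thread): report, and optionally set, the Windows
# Update Agent policy values that govern servicing branch and deferral.
# Assumption: Windows 10 1607 or later, elevated PowerShell session.
# Policy keys documented by Microsoft under "Configure Windows Update for Business":
#   HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
#   HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # When set, write the CBB/deferral values below instead of only reporting.
    [switch]$Apply,
    # Days to hold feature upgrades (0-180 on 1607) and quality updates (0-30).
    [ValidateRange(0, 180)][int]$DeferFeatureDays = 180,
    [ValidateRange(0, 30)][int]$DeferQualityDays  = 30
)

$wuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$auKey = Join-Path $wuKey 'AU'

function Get-WUPolicyValue {
    param([string]$Key, [string]$Name)
    # Returns $null when the key or value is absent, i.e. default (unmanaged) behaviour applies.
    if (-not (Test-Path $Key)) { return $null }
    (Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue).$Name
}

function Get-WUDeferralReport {
    $branch = Get-WUPolicyValue $wuKey 'BranchReadinessLevel'
    [pscustomobject]@{
        # 16 = Current Branch, 32 = Current Branch for Business; $null = no policy (behaves as CB)
        BranchReadinessLevel    = $branch
        ServicingBranch         = $(switch ($branch) { 32 { 'CBB' } 16 { 'CB' } default { 'CB (no policy)' } })
        DeferFeatureUpdatesDays = Get-WUPolicyValue $wuKey 'DeferFeatureUpdatesPeriodInDays'
        DeferQualityUpdatesDays = Get-WUPolicyValue $wuKey 'DeferQualityUpdatesPeriodInDays'
        PauseFeatureUpdates     = Get-WUPolicyValue $wuKey 'PauseFeatureUpdates'
        PauseQualityUpdates     = Get-WUPolicyValue $wuKey 'PauseQualityUpdates'
        # AUOptions: 2 = notify before download, 3 = auto download / notify to install,
        # 4 = auto download and schedule install. NoAutoUpdate = 1 turns the AU client off.
        AUOptions               = Get-WUPolicyValue $auKey 'AUOptions'
        NoAutoUpdate            = Get-WUPolicyValue $auKey 'NoAutoUpdate'
        # UseWUServer = 1: the agent only sees what the intranet WSUS (e.g. SCCM's SUP) approves.
        UseWUServer             = Get-WUPolicyValue $auKey 'UseWUServer'
        WUServer                = Get-WUPolicyValue $wuKey 'WUServer'
    }
}

if ($Apply) {
    foreach ($k in @($wuKey, $auKey)) {
        if (-not (Test-Path $k)) { New-Item -Path $k -Force | Out-Null }
    }
    if ($PSCmdlet.ShouldProcess($wuKey, 'Set CBB servicing branch and deferral policy')) {
        # Move the device to Current Branch for Business and defer as long as the build allows.
        Set-ItemProperty -Path $wuKey -Name 'BranchReadinessLevel'            -Value 32                -Type DWord
        Set-ItemProperty -Path $wuKey -Name 'DeferFeatureUpdatesPeriodInDays' -Value $DeferFeatureDays -Type DWord
        Set-ItemProperty -Path $wuKey -Name 'DeferQualityUpdatesPeriodInDays' -Value $DeferQualityDays -Type DWord
        # Notify-before-download, so the management tool decides what installs and when.
        Set-ItemProperty -Path $auKey -Name 'AUOptions' -Value 2 -Type DWord
    }
}

# Always finish with the effective policy so the change (or the absence of one) is visible.
Get-WUDeferralReport | Format-List
```

Run it without arguments to see whether a device is on CB or CBB and how far each update class is deferred; run `.\Get-WUDeferral.ps1 -Apply -WhatIf` to preview the change. The deferral is bounded by the servicing model itself: as the IBM reply later in this thread notes, CBB lets you skip one feature upgrade, not hold them indefinitely, and a device that falls off a serviced build stops receiving security updates regardless of which tool manages it.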

Great line Tim ! I agree in theory !

Still it will be nice to hear from BF - we’ll be meeting them shortly… We’re escalating with MS too, not happy with their new model… we cannot be the only business who has to rollback the occasional patch individually, or break their environment ! And since we’re a hospital, this new all or nothing model is a bit of a problem !

Greg, thanks for initiating this thread. First let me try to give some context around the perceived risk of an exposure if the bundled patch fails which seems to be a major concern. Vendors have been releasing fragmented patches for a long time and at some point, I expected vendors to consolidate patches. Microsoft is practicing consolidation with Windows 10 and recently they announced a similar model for Windows 7 SP1, 8.1, Windows Server 2008 R2, Windows Server 2012, and Windows Server 2012 R2. I cannot make a comment on Microsoft’s behalf but patching processes and testing practices have matured enough to detect patch conflicts earlier in the cycle before release. BigFix has always focused on efficiently delivering these patches - fragmented or consolidated. Our automation frameworks are aligned with vendors’ content distribution mechanisms. We do not unpack or massage any content but deliver it as is simply because we protect the integrity of the content and provide a channel that can efficiently deploy it to endpoints. BigFix Patch will also ensure that it is easy to identify the relevant patches.

Secondly on Windows 10 as you are aware there are 3 key servicing models: Current Branch (CB), Current Branch for Business (CBB) and Long Term Service Branch (LTSB). They also have Windows Insider as an additional service model. BigFix Patch supports patching Windows 10 endpoints serviced by CB, CBB and LTSB servicing models. We even released an agent for detecting Windows 10 (July 2015) before Microsoft released Windows 10 (Aug 2015) and we started releasing fixlets to patch Windows 10 within 2 days of the release unlike any other patch vendors. Also even though Windows 10 team aimed to release upgrades every 4 months, I don’t think they have been able to keep up with that timeframe. Threshold 2 was released in Nov last year and then the next upgrade was Redstone, an anniversary update in Aug this year. The standard ISOs for these upgrades can be deployed using BigFix Patch and if you are interested in leveraging multicast, then BigFix Lifecycle can help deploy these upgrades. Also I don’t believe SCCM or any other tooling can delay application of patches perpetually or even beyond the mandated deadline, especially for the CBB servicing model, unless they intend to contradict their own servicing architecture which is extensively documented at Windows 10 servicing options. With the CBB servicing option, Windows 10 customers can skip just 1 upgrade but then the other upgrade will be enforced because there is no service track for the deferred upgrade.

For details on our philosophy and approach for such changes, check out our recent blog post: How will IBM BigFix Patch address new servicing models from vendors


Um…

The article also says it is for Windows Server 2008 R2 and Windows 2012 R2 (see below, the first paragraph from the link that @steini44 mentioned in her post):

In our announcement earlier in May, we introduced a Convenience Rollup update for Windows 7 SP1 and a shift to monthly rollups of non-security updates for Windows 7 SP1 and Windows 8.1. Based on your feedback, today we’re announcing some new changes for servicing Windows 7 SP1 and Windows 8.1. These changes also apply to Windows Server 2008 R2, Windows Server 2012, and Windows Server 2012 R2

BobK

Thanks Bob_K. I have updated my post to include those OS as well. I had read that article before and have also referred to it in the blog post.