For those of us who watch every month for advance warning of Microsoft security patches -- they appear on the Thursday preceding Black Tuesday, every month -- yesterday came as a slap in the face. Without any warning, Microsoft abruptly stopped its free Advance Notification Service on the day we were all expecting the usual advanced warnings for the January 2015 Black Tuesday patches.
Microsoft Security Response Center senior director Chris Betz posted the official word:
Our Advance Notification Service (ANS) was created more than a decade ago as part of Update Tuesday to broadly communicate in advance, about the security updates being released for Microsoft products and services each month. Over the years, technology environments and customer needs have evolved, prompting us to evaluate our existing information and distribution channels… We are making changes to how we distribute ANS to customers. Moving forward, we will provide ANS information directly to Premier customers and current organizations involved in our security programs, and will no longer make this information broadly available through a blog post and web page.
Translation: If you want advanced notice of upcoming security bulletins, you have to become a Premier customer.
ZDNet's Mary Jo Foley reports that a Microsoft spokesperson added:
The reason (for the change) is that the vast majority of customers don't use the ANS; they wait for Update Tuesday, or take no action, allowing updates to occur automatically due to optimized testing and deployment methodologies
It isn't clear if the referenced "optimized testing and deployment methodologies" are those conducted by Microsoft or those endured by the Automatic Update masses.
As you might imagine, the online tech support community has reacted with a big Bronx cheer. Several comments on the patchmanagement.org list are less than complimentary.
If I understand it correctly, here's Microsoft's reasoning:
- Large customers no longer use security bulletin advanced notification in the same way as they did in the past.
- The quality of Black Tuesday patches has, of late, plumbed new depths. The vast majority of customers get the botched patches through Automatic Update or through WSUS admins who aren't sufficiently skeptical.
- Therefore, Microsoft will only provide advanced notification to large, paying customers.
Nobody wants it, so now they're going to charge for it. Can't beat that logic with a stick.
There's a great deal of sound and fury in Betz's post about the myBulletins service, which is a page on the TechNet site. Says Betz, "For customers without a Premier support contract, we recommend taking advantage of myBulletins, which enables customers to tailor security bulletin information based on only those applications running in their environment."
He neglects to mention that the myBulletins filter only applies to Security Bulletins that have already been issued -- you tell the filter which OSes and applications are of interest, and the filter returns a list of Security Bulletins associated with the requested software. It has almost nothing in common with the Thursday Advance Notifications we've known for a decade.
I tend to look at the demise of ANS as a continuation of the trend started two months ago, when Microsoft stopped running the monthly post-Black Tuesday security webcasts. Back then, Dustin Childs, who used to run the webcasts tweeted:
14 bulletins instead of 16-they didn't even renumber. No deployment priority. No overview video. No webcast. I guess things change.
Childs, who quit Microsoft in September, tweeted yesterday:
Wow. Microsoft's #ANS now for premier customers only.
Of course, Black Tuesday itself is going through some changes. Microsoft tosses everything including the kitchen sink into the patching frenzy on the second Tuesday of the month and, of late, dribbles out other security and nonsecurity patches on any random Tuesday.
If this were, as Betz puts it, an "evolving" situation -- where the patching process is working so well that advanced notification is no longer necessary -- we in the patching community would be shouting hosannas and kissing the ground upon which he stands. But it isn't like that. In the past year, Microsoft patching has reached breathtaking new lows, both in quantity and quality of patches delivered. The situation's deteriorated so much that many graybeards are beginning to wonder if Windows is so unwieldy that it's become unusable.
Somehow, I don't think the powers-that-be understand the way decisions like this affect the Windows support community. I can't fathom why Microsoft would so aggressively piss off the people who are trying to keep Windows working, over such a tiny concession.
Windows 10 will bring great new capabilities to the old cash cow. But the patching part is getting kicked in the shins.
Correction: This article as originally posted incorrectly stated Dustin Childs' departure date from Microsoft. The story has been amended.