Windows 10's aching Achilles' heel: Patches

Two recent beta patching problems illustrate congenital defects in Microsoft's Windows 10 patching strategy

[Image: Achilles heel. Credit: Tasoskessaris (Creative Commons BY or BY-SA)]

Last Friday, Windows enterprise program manager Jim Alkove posted a detailed view of Microsoft's intended Windows 10 patching process for enterprises. There are at least three fundamental flaws in that process, two of which have already been demonstrated by patches to the current version of Windows 10 (variously called the January Technical Preview, Technical Preview 2, and build 9926).

Alkove outlined two different enterprise patching paces:

To support Windows 10 devices in ... mission-critical customer environments we will provide long-term servicing branches at the appropriate time intervals. On these branches, customer devices will receive the level of enterprise support expected for the mission-critical systems, keeping systems more secure with the latest security and critical updates, while minimizing change by not delivering new features. ... As we introduce new enterprise features over time, we expect to provide new long-term servicing branches at appropriate time intervals, which will incorporate new functionality. Customers will be able to move devices easily from the long-term servicing branches they are currently on, to the next long-term servicing branch, as well as be able to skip one -- using in-place upgrade technology in Windows 10…

By putting devices on the current branch for business, enterprises will be able to receive feature updates after their quality and application compatibility has been assessed in the consumer market, while continuing to receive security updates on a regular basis. This gives IT departments time to start validating updates in their environments the day changes are shipped broadly to consumers, or in some cases earlier, if they have users enrolled in the Windows Insider program. By the time current branch for business machines are updated, the changes will have been validated by millions of Insiders, consumers, and customers' internal test processes for several months, allowing updates to be deployed with this increased assurance of validation.

Computerworld's Gregg Keizer connected the dots when he posted:

What's interesting about Alkove's post is the frankness used to pitch the benefits of Windows 10's radical update process to businesses. In a clear attempt to assure enterprises that a faster cadence would be reliable, Alkove said that the delayed deployment of the current branch would be safe because consumers had served as guinea pigs.

Although details have yet to emerge, it now appears as if Windows 10 will have three patching paces:

  • Long-term servicing branches, which get security patches to volume licensees in real time, but feature changes only occasionally. Keizer suggests, based on a Gartner analysis, that the feature/interface changes would roll out three times a year or so.
  • Current branch for business, which also gets security patches to volume licensees in real time, but rolls out feature changes "after their quality and application compatibility has been assessed in the consumer market."
  • Consumer branch. All indications at this point lead to a disturbing conclusion: it looks like those who use the free consumer versions of Windows 10 will get automatic updates, whether they want them or not. Windows 10 builds no longer include the ability to block specific patches, or to "notify but don't download" when new patches arrive on the scene.

The new universal Settings app has no capability for uninstalling specific patches, nor does it have the ability to "uncheck" a patch or to block it, temporarily or permanently. There's only a setting to require Windows to notify before restarting. The old Control Panel Windows Update applet has been removed. All of this has led industry observers such as ZDNet's Mary Jo Foley to conclude:

Microsoft is expected to provide customers who take advantage of the free Windows 10 promotion with regular, free feature and security updates on an ongoing basis via Windows Update, most likely with little or no opportunity to decline or delay either.

From my point of view, there are three problems with that approach, two of which have already nipped at the heels of Windows 10 beta testers.

First is the inability to uninstall a patch. If Microsoft were very fast on its feet and rolled out substitute Windows patches the minute they were found to be bad, this would be a much simpler world. Sadly, that isn't and hasn't been the case for years. Recently, it's grown even worse.

It's quite possible that Windows 10, with a single consumer version, will be easier to patch. We're all banking on it. But Windows 10 testers have already been exposed to one bad patch that hasn't been fixed: the KB 3035129 patch that's still triggering error 0x80246017, nearly a week after it was released. The problem was identified almost immediately and, after a bit of confusion, tweeted by Windows 10 guru Gabe Aul. The side effects are merely annoying, not crucial. But many people have wasted a lot of time trying to run the bug down, and some (in spite of Aul's admonitions) have tweaked their registries to get rid of the error message.

Second is the inability to block a patch. I've seen this play out in several different ways over the past few weeks, usually with drivers. Windows testers have a piece of hardware -- typically a video card -- that they've set up with the latest driver from the manufacturer. Several people have complained that, when Windows 10 reboots, the user-installed driver gets overwritten by the “latest” Microsoft driver -- which frequently isn't the manufacturer's latest driver. That, in itself, is a good thing, as rapid-release manufacturers' drivers are notoriously unstable. But it's a real pain in the neck for someone who's paid for a feature that isn't supported by an older Microsoft-approved driver, and gone the extra mile to get the feature working.

We saw a similar situation play out with the Surface Pro graphics driver in build 9926. It took Microsoft a couple of days to get the new Surface Pro driver pushed out, but in the interim Surface Pro 3 owners who installed build 9926 had lots of video problems. The problem with the Surface Pro 3 driver is a typical beta blues problem, but the underlying cause -- the inability to block specific patches or updates -- remains.
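For the two gaps just described (no way in the Settings app to uninstall a specific patch, and no way to keep Windows Update from re-applying one, driver included), here is the administrative fallback a practitioner would reach for. This is an added example, not code from the article or from Microsoft. It uses the stock wusa.exe uninstaller and the Windows Update Agent COM API (Microsoft.Update.Session), and it assumes an elevated PowerShell session, a KB number you supply, and that those two interfaces behave on Windows 10 build 9926 as they do on Windows 7 and 8.1; the article does not confirm that last point.

```powershell
# Added example, not from the article. Uninstalls one KB with wusa.exe and then
# hides the same update so Windows Update stops re-offering it.
# Assumptions: elevated PowerShell; the KB number is supplied by the caller;
# wusa.exe and the WUA COM API work on this build as they do on Windows 7/8.1.
param(
    [Parameter(Mandatory = $true)]
    [ValidatePattern('^\d+$')]
    [string]$Kb          # digits only, e.g. 3035129; no 'KB' prefix
)

# 1. Is the patch installed? Get-HotFix reads the same installed-update
#    inventory the Settings app no longer lets you act on.
$installed = Get-HotFix | Where-Object { $_.HotFixID -eq "KB$Kb" }
if ($installed) {
    Write-Host "KB$Kb is installed (installed on $($installed.InstalledOn)); removing with wusa.exe"
    # /quiet /norestart: no prompts and no immediate reboot. Exit code 3010 means
    # the uninstall succeeded and a reboot is pending; anything else needs a look.
    $p = Start-Process -FilePath "$env:SystemRoot\System32\wusa.exe" `
        -ArgumentList "/uninstall", "/kb:$Kb", "/quiet", "/norestart" `
        -Wait -PassThru
    Write-Host "wusa.exe exit code: $($p.ExitCode)"
}
else {
    Write-Host "KB$Kb is not in the installed-hotfix list"
}

# 2. Stop Windows Update from putting it back: search the pending, not-yet-hidden
#    updates and set IsHidden on any whose KB list contains this number.
#    The same flag works for a driver update that is offered through Windows Update.
$session  = New-Object -ComObject Microsoft.Update.Session
$searcher = $session.CreateUpdateSearcher()
$result   = $searcher.Search("IsInstalled=0 and IsHidden=0")

$hidden = 0
foreach ($u in $result.Updates) {
    foreach ($id in $u.KBArticleIDs) {
        if ($id -eq $Kb) {
            $u.IsHidden = $true
            $hidden++
            Write-Host "Hidden: $($u.Title)"
        }
    }
}
if ($hidden -eq 0) {
    Write-Host "KB$Kb is not currently offered; nothing to hide"
}
```

Save it as, say, Remove-AndHideKb.ps1 and run it as `.\Remove-AndHideKb.ps1 -Kb <number>` from an elevated prompt. Hiding is per update ID, so a later revision of the same patch or driver is a new update and will be offered again; that is also why this is a stopgap for the driver-overwrite problem above rather than a substitute for a real block-this-patch control.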

Third is a timing question. Presumably, long-term servicing and current branch for business customers will receive key security patches at the same time they roll out to the consumer branch. What we've seen in recent months (actually going back several years) is that some of the most important security patches are the ones that break systems.

Thus, the consumer-branch-as-cannon-fodder approach isn't going to work -- at least, not for the most dire patches. We're basically back to the status quo, where savvy admins wait on the WSUS release trigger, seeing what kind of problems appear with newly released patches. They get to cobble together remediations while waiting and praying that the cure isn't worse than the disease.

For the most important segment of the enterprise patching conundrum -- fast patches for major security breaches -- I don't see where the new Windows 10 technique is any different from the old Windows 7 approach.

Windows 10 patching experiences to date have not been overly comforting.

Copyright © 2015 IDG Communications, Inc.