When’s the Right Time for IT to Allow Windows Updates?

Status
Not open for further replies.

USAFRet

Titan
Moderator
It should be pushed out to the client desktops only after full testing on sample systems by the IT dept.

For absolute critical systems and issues, this testing should start on Day 1 of the patch release.
 

stdragon

Admirable
Unless it's a critical zero-day exploit being patched, I wait at least two weeks after initial release. The same KB update might undergo six or more revisions in that span of time. And yes, the newest build of the patch will supersede the oldest sitting in the update cache once checked again.

The QAQC process sucks bad in Microsoft!!!
 


Absolutely agree.
When we had 10,000 clients their systems were "locked down" and all updates were pushed to the clients after rigorous testing.
 

taz-nz

Distinguished
Apr 27, 2006
>>>> "There was a situation where the update actually patched a security hole that a vendor was using to allow access to the portal," he explains. "An update came through and closed that gap, and [then] users that previously had access to that software could no longer get into the portal <<<<

That's a classic example of the problem: software written so badly it uses a security flaw to make a feature work, instead of doing it right the first time; they just do bodge job after bodge job and blame Microsoft when it breaks.

There are so many applications where the code base of the latest Windows 10-ready version is barely Windows XP compliant and relies entirely on Windows backwards compatibility to function, meaning even the most minor of security fixes brings down the whole house of cards.

With Windows 7 going end of life in fifteen months we'll see another wave of lazy or underfunded developers telling their customers "we don't support Windows 10" and saying you have to stick to Windows 7 to use our product, despite the fact Windows 10 will have been around for four and a half years by that point, and disregarding that Windows 8 has been around even longer, because they didn't bother supporting it either, because no one liked it. In the same way they did with the shift from 32-bit Windows XP to 64-bit Windows 7: they ignored Vista, and because XP was still supported they didn't bother updating their code to be Windows 7 compatible, let alone 64-bit compatible, until it was too late.
 

spdragoo

Expert
Ambassador
You beat me to it, @taz-nz. When your clients are relying on security holes to make their software work, you have to start wondering how shady your clients are, or at least how secure that data was.
 
It's a bit scary to find out that your software vendor had to rely on an exploit to get a feature to "work." It's a dangerous precedent in software development, no matter the industry or even for the home. It's also a scary thing when your corporate-level IT pushes policy changes and it causes all sorts of issues, including trust issues. (This same IT department also pushed for an older version, but considerably newer, of Chrome recently. The new version was still about three versions behind the one that patched the "20 questions" issue, and shortly thereafter another version behind.) There is a balance to be had.
 

stdragon

Admirable
Security, both the implementation and maintenance thereof, is reliant upon funding. Being that IT is inherently a cost center, it's not uncommon that it doesn't get the funds it needs to maintain and enforce security.

More often than not, you get what you pay for. You want cheap, you get cheap and unreliable results.
 


We have a patch management system that we use, ManageEngine. The nice thing is they test all the patches and have an "Approved" list, ones that don't show any major issues. If we come across one we can tell it to remove it and then block the patch so it won't install again, even on Windows 10. This is how we stopped the Spring and Fall updates from self-deploying, as people would just get angry at us for the systems starting on their own.

That said, it is normally 1-2 weeks behind Patch Tuesday, and as well we stay one version behind on the Spring/Fall updates. We are currently discussing it further, though, to see if we want to push the Spring or Fall, since now we wouldn't have to push 1803 then 1809, for example; we can just go to 1809.

This sucks for us though because half of our systems are field systems which may or may not connect to the internet often. However this new management system has made that quite a bit easier for us minus the big updates.

We like to keep updates as up to date as possible, and once a year we do a cleaning of all systems; we have field people bring them in. If this system works the way I want it to, it should make it so I don't have to do an 80-hour-plus week when we do that.

@stdragon, you have no idea how true that is. We have a hard time enforcing basic policy when trying to keep things safe. And when something goes wrong we get blamed even when we try and try. It's hardest to get backing and support from top-level management, really.
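The deferral practice described in this thread (quality updates held back about two weeks after Patch Tuesday, feature updates kept one semi-annual release behind) can also be expressed with Windows' built-in Windows Update for Business policy registry values rather than a third-party console. The script below is an added example, not ManageEngine's configuration and not any poster's own script; it assumes Windows 10 Pro/Enterprise run from an elevated session, and the 14-day and 180-day figures mirror the thread's numbers rather than being a recommendation.

```powershell
# Added example: audit (and optionally set) Windows Update for Business deferral policy.
# Assumption: policy keys live under the standard WindowsUpdate policy path on Windows 10.
$PolicyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'

# Desired state, mirroring the thread: ~2 weeks behind Patch Tuesday, ~one release behind.
$Desired = [ordered]@{
    DeferQualityUpdates             = 1
    DeferQualityUpdatesPeriodInDays = 14    # quality (cumulative) updates held 14 days
    DeferFeatureUpdates             = 1
    DeferFeatureUpdatesPeriodInDays = 180   # ~one semi-annual feature release behind (assumption)
}

function Get-DeferralState {
    # Read each policy value; $null where the value (or the whole key) is absent.
    $state = [ordered]@{}
    foreach ($name in $Desired.Keys) {
        $item = Get-ItemProperty -Path $PolicyPath -Name $name -ErrorAction SilentlyContinue
        $state[$name] = if ($item) { $item.$name } else { $null }
    }
    return $state
}

function Test-DeferralPolicy {
    # Return one line per deviating value; an empty result means the host matches $Desired.
    $current = Get-DeferralState
    $drift = @()
    foreach ($name in $Desired.Keys) {
        if ($current[$name] -ne $Desired[$name]) {
            $found = if ($null -eq $current[$name]) { 'unset' } else { $current[$name] }
            $drift += ('{0}: expected {1}, found {2}' -f $name, $Desired[$name], $found)
        }
    }
    return $drift
}

function Set-DeferralPolicy {
    # Write the desired DWORDs; Windows Update honours them on its next scan.
    if (-not (Test-Path $PolicyPath)) { New-Item -Path $PolicyPath -Force | Out-Null }
    foreach ($name in $Desired.Keys) {
        New-ItemProperty -Path $PolicyPath -Name $name -PropertyType DWord `
            -Value $Desired[$name] -Force | Out-Null
    }
}

# Audit only by default; run Set-DeferralPolicy deliberately to remediate the drift it reports.
$drift = Test-DeferralPolicy
if ($drift.Count -eq 0) { 'Deferral policy matches the desired state.' } else { $drift }
```

Blocking an individual KB that has already been approved and found faulty is a separate mechanism (the thread does it through ManageEngine); these keys only govern how long new releases are held.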
 

mlee 2500

Honorable
Oct 20, 2014
Yeah, so MY company's preference is to wait and only install Massive Windows Updates right before you have an important meeting and need your laptop, so that you're totally screwed.
 

stdragon

Admirable


It depends on the business and its owners, but many are competent these days to value the need of IT services. That said, however, many have cynical views of IT in general. Either you're doing a fantastic job being proactive and get the following response: "Everything is working fine, why do I need to be spending so much money on support and IT staff?" Or, if you're underfunded, it can be responded to as "The entire IT dept is busy, why can't you just fix it right and be more responsive? What are we paying you guys for?!"

My immediate response would simply be to find another job, because you won't be valued no matter what in that situation. But the responsible attitude would be to show ways of proving value and report on the items of prevention, showing responsiveness to empower the rest of the business.

Oh, and never use machines that are older than 6 years old. Plan and budget refresh cycles. Be proactive. Don't just drop hot, unexpected expenses on the laps of those with fiscal responsibilities. Management really hates that! It goes much smoother when the decision makers have been given a heads-up months to a year or more in advance.
 

stdragon

Admirable


Correct. A test environment is the exception rather than the rule. If all you do is work IT in an enterprise environment, then your experience is very myopic as to how the majority of the world works.
 

spdragoo

Expert
Ambassador


Exactly. A larger business, especially a big corporation (or the equivalent) has the budget to spend for a couple of PCs to be used for nothing but testing...& they also tend to a) buy the Enterprise licenses for Windows & b) rely on imaging the user profiles to prevent the installation of "unauthorized" software & make it easy to roll out patches. Small businesses, especially ones where you truly could operate on the purchase model of, "we'll buy a replacement PC at the local brick-and-mortar store if 1 goes bad"? They often don't have the budget to have spare PCs lying around "just in case one breaks", let alone to use exclusively for patch/OS testing. Doesn't mean they shouldn't at least attempt testing -- & plan to spend time backing data up prior to the updates just in case something does break -- but that's just how things tend to be.
 