The WannaCry attack woke the world up to the speed at which modern security threats can spread. What was interesting, reflecting back on the exploit, was that Microsoft made the patch available a month before the ransomware became widespread. Executives demanded to know the impact of the threat to their organization, and IT admins and security teams scrambled over the next several weeks to remediate endpoints with limited visibility from traditional tools and processes.
In addition to dealing with security threats like this, IT is also being charged to deliver great experiences to users. And nothing is more frustrating to end users than IT pushing a non-security-related update right in the middle of a project or presentation.
On one hand, IT admins needs to immediately deploy security- and vulnerability-related patches with real-time visibility, even if a user is off the network. On the other hand, IT can’t impede user productivity when deploying other standard updates.
Introducing Windows Updates as a Service
In the fourth episode of The Redmond Series, we dive into one of the biggest changes in Windows 10: Windows Updates as a Service. We also demonstrate how VMware AirWatch unified endpoint management (UEM) is architected to enable a modern IT approach for Windows updates, such as:
- Apply updates over-the-air to endpoints on any network
- Extend granular management by use case and auto-approval of updates by category
- Get real-time visibility into updates and patches
- Deliver a better experience to end users by minimizing down time
Traditionally, organizations could expect a new operating system from Microsoft every 3–5 years, and IT departments built processes and used tools supporting that model. However, if you look at new security threats and end-user behavior today, legacy tools and processes expose organizations to unnecessary risk.
Microsoft smartly recognized that organizations need a more frequent cadence of updates to combat the onslaught of modern attacks (similar to how mobile operating systems update on a more regular basis). Now, with Windows Updates as a Service, organizations can expect an update to Windows 10 every six months in what Microsoft calls Semi-Annual Channel.
What was formerly called Current Branch is replaced by Semi-Annual Channel Pilot, and what was formerly Current Branch for Business is replaced by Semi-Annual Channel Broad. To learn more about the Microsoft servicing channel model and updates, read this great blog post or watch this video from Michael Niehaus with Microsoft.
Legacy vs. Modern Windows Patch Management
Microsoft offers a modern way to update endpoints, but legacy systems, which haven’t evolved to address this new world, fall short for three reasons: cost, security and experience.
- Cost: As more and more IT organizations seek to transition from a cost center to business driver, the reality is they still spend an inordinate amount of time validating updates, testing application compatibility and updating services and infrastructure to support the latest operating systems.
- Security: At Microsoft Ignite 2016, I heard that it takes 200 days on average for a typical organization to identify a security vulnerability and another 80 days to remediate. It sounds absurd, but after talking with hundreds of customers, by the time they stage servers and users connect to the network, pull the update and reboot, it’s unfortunately commonplace.
- Experience: In the world of Windows, the blue screen of updates is almost as annoying as the blue screen of death. Once a patch is downloaded and is being applied, you might as well take a lunch break because it could be more than an hour before your machine is ready. Without the ability to control when patches are applied, users can be left stranded, especially during important meetings or presentations.
By re-thinking how to approach Windows Update, organizations can spend less time validating patches and more time focusing on business needs.
VMware’s own IT team found that around 80% of the patches they applied were security- or vulnerability-related, which InfoSec required to push down regardless of application compatibility issues. Now with VMware AirWatch, they can auto-approve those patches, automatically receive reports on compliance and spend time—they would have otherwise spent validating and testing—on more important tasks.
With this new approach, organizations can also improve security by having devices updated from the cloud in seconds. A user’s day isn’t impacted by hours of updates, since IT can restrict updates from being applied during office hours.
[Related Study: Total Impact of Modern Windows 10 & Content Management with VMware]
A New Architecture for Windows Updates
Microsoft claims that Windows Updates as a Service will make traditional solutions irrelevant, and Microsoft itself is moving from legacy tools to a modern management approach. We agreed, and after looking at the problem with legacy solutions for the past several years, we think there is a much better way to handle updates moving forward.
Now with VMware Workspace ONE, powered by AirWatch UEM technology, customers can easily approve updates manually or automate approvals by category, quickly get updates to users on or off the network, view a detailed report on the status of updates and enforce compliance policies for devices that haven’t received an update, yet.
Machines now query the Microsoft update service for updates and patches to Windows 10. AirWatch enables organizations to subscribe endpoints to the update service and define which updates are relevant for a particular user.
Instead of the consumer model where machines blindly install the updates, now endpoints under management will first go to AirWatch to see which of the updates IT has approved, and then install only those updates. Once IT has approved an update, the second a machine is connected to the internet, it can start downloading the update and installing based on parameters defined by IT.
Remote users off the company network will download the updates from the content delivery network (CDN). However, as these qualitatively and cumulatively grow in size, every endpoint installing updates would place a major burden on the corporate network. AirWatch allows organizations in corporate and branch offices to leverage peer-to-peer technology to deploy the updates without impacting the network.
See Modern Patch Management in Action
In this fourth episode, we also show live demos of the console and highlight:
- Distribution rings to test and deploy updates within your organization
- Ability to prevent patches from being applied during set office hours
- Auto-approve patches by category (e.g. critical or security)
- Peer-to-peer distribution technology to deliver updates to users without the need for expensive infrastructure or placing a burden on the corporate network
- Granular approval process for patches that are not auto-approved
- Real-time tracking for the status of an any available update
- Dashboard and reports on patch installation and compliance
- Automated compliance on endpoints that haven’t installed a patch
Are you looking to embrace the new Windows Update as a Service in your environment? Leave us a question or comment below, and our experts will respond directly and maybe even cover your question in upcoming episodes.
[To learn more about how VMware can help with your Windows 10 deployment, watch this demo.]