When Microsoft rolled out the “Windows as a Service” tagline for Windows 10, most of us assumed it was just another marketing ploy.
But as we approach Windows 10’s two-year anniversary, it’s becoming apparent that there’s some substance behind the label. And for Windows power users and IT pros, the ramifications are just beginning to become apparent.
Microsoft has published a handful of low-key technical articles covering the new rules, but some of those details have shifted over time. The maximum interval for deferring feature updates, for example, was eight months when the feature debuted in November 2015, but shrank to 180 days in the July 2016 Anniversary Update.
Even for those of us who regularly attend IT-focused conferences and keep up with deployment news, managing a Windows-based organization in this new era can be confusing. For those who are simply using Windows for day-to-day business, the changes can appear unexpectedly. And the realization that tried-and-true workflows no longer apply isn’t sitting well with some IT pros.
For the past year, I’ve been hearing a steady stream of complaints from longtime Windows admins and users. Consistently, those grumbles all boil down to a single objection: Because of “Windows as a service,” we’re losing control of our desktop PCs.
They have a point.
For the past quarter-century, businesses running Windows have been able to count on a few constants, all of which are now changing. Consider these three major shifts:
Overly aggressive upgrade cycles
It used to be that you could install your preferred version of Windows and stick with it for nearly a decade. If you deployed Windows 7 Service Pack 1 when it was released in February 2011, for example, its feature set has been constant for the past six years and will remain unchanged for the remaining three years of its supported life.
In the new world, that upgrade cycle has shrunk to roughly 18 months, thanks to feature updates (the new term for upgrades) that can be deferred but not refused. This slide from a Microsoft presentation shows the support lifecycle for a Windows 10 feature update:
Here’s how it works in practice: If you upgraded to Windows 10 Pro one year ago, in February 2016, you got the latest release, version 1511. Six months later, Microsoft released the Anniversary Update, version 1607, to the Current Branch (CB). That version was released to the Current Branch for Business (CBB) on November 29, 2016.
An option available only in business versions (Pro/Enterprise/Education) allows you to defer feature updates until they’re released to the Current Branch for Business. Using Group Policy, you can defer those updates by an additional eight months in version 1511. That means you’ll be forced to upgrade to version 1607 or later in July 2017, less than a year and a half after your initial deployment.
And that upgrade cycle is going to get tighter. In version 1607, the Group Policy to defer updates shrinks from eight months to 180 days, with a 60-day grace period at the end. In addition, Microsoft has hinted that it plans to ship two feature updates per year starting in 2017. The upshot is that you should expect to upgrade every PC in your organization roughly once a year.
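As an added illustration (not part of the original article), the following PowerShell audit script reads the Windows Update for Business deferral policy on a Windows 10 PC and works the article’s own arithmetic: the 1607 CBB release date of November 29, 2016, the eight-month cap in version 1511, and the 180-day cap plus 60-day grace period in version 1607. The registry value names are the documented Windows Update for Business policy values as I know them, and treating the grace period as added to the deferral window is my reading of the article.

```powershell
# Added example: audit feature-update deferral policy and compute the forced-upgrade date.
# Assumption: registry value names are the documented WUfB policy values; the deadline
# arithmetic follows the article's example (CBB date + deferral [+ grace period]).
param(
    [datetime]$CbbReleaseDate = [datetime]'2016-11-29'   # 1607 CBB release, from the article
)

$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$policy = if (Test-Path $policyKey) { Get-ItemProperty -Path $policyKey } else { $null }

# Return a DWORD policy value, or $null when the policy is not configured.
function Get-PolicyValue([string]$Name) {
    if ($policy -and ($policy.PSObject.Properties.Name -contains $Name)) { return [int]$policy.$Name }
    return $null
}

$build = [int](Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').CurrentBuildNumber

if ($build -lt 14393) {
    # Version 1511 (build 10586): DeferUpgradePeriod is expressed in months, 0-8.
    $months = Get-PolicyValue 'DeferUpgradePeriod'
    if ($null -eq $months) { $months = 0 }
    $deadline = $CbbReleaseDate.AddMonths($months)
    $model = "1511 model: $months month(s) past CBB"
} else {
    # Version 1607 (build 14393) and later: DeferFeatureUpdatesPeriodInDays, 0-180, plus 60-day grace.
    $days = Get-PolicyValue 'DeferFeatureUpdatesPeriodInDays'
    if ($null -eq $days) { $days = 0 }
    if ($days -gt 180) {
        Write-Warning "Configured deferral of $days days exceeds the 180-day maximum; using 180."
        $days = 180
    }
    $grace = 60
    $deadline = $CbbReleaseDate.AddDays($days + $grace)
    $model = "1607 model: $days day(s) plus $grace-day grace past CBB"
}

[pscustomobject]@{
    BuildNumber            = $build
    BranchReadinessLevel   = Get-PolicyValue 'BranchReadinessLevel'        # 16 = CB, 32 = CBB (1607+)
    QualityUpdateDeferDays = Get-PolicyValue 'DeferQualityUpdatesPeriodInDays'  # 0-30
    FeatureUpdateModel     = $model
    ForcedUpgradeDeadline  = $deadline.ToString('yyyy-MM-dd')
    DaysUntilDeadline      = [int]($deadline - (Get-Date)).TotalDays
}
```

With the article’s figures, a 1511 PC deferring the full eight months reports a deadline of 2017-07-29, matching the “July 2017” date in the text; a negative DaysUntilDeadline means the deferral window has already lapsed.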
That’s a big change. For small businesses that don’t have the time or technical expertise to test each new feature update in advance, it can result in major disruptions if an update breaks compatibility with a business-critical third-party app.
In the good old days, each month’s Patch Tuesday collection consisted of an assortment of individual updates from which you could pick and choose. The new Windows Update model packages all those security and reliability fixes into cumulative updates that can’t be unbundled. Here, too, you can only postpone installation for a few weeks. “No, thanks” is not an option for an individual update.
That design has been part of Windows 10 from the start, and in recent months it’s shifted to Windows 7 and Windows 8.1 as well. As a result, checking Windows Update on a Windows 7 PC today no longer returns a lengthy list of individual updates; instead, you get a single rollup like the one shown here.
Microsoft’s justification for this new approach makes sense, at least in theory. When Windows engineers test a new update, they use a fully patched system as the baseline. There’s no way to confirm that an update will work on a PC where you’ve been selectively applying updates. So the new model is designed to drag the entire installed base of Windows PCs, kicking and screaming if necessary, to the same baseline configuration.
This new model will take some careful attention from IT pros, who will no longer have the option to solve a compatibility problem by uninstalling a problematic update. Using Group Policy, you can defer updates for up to 30 days as you test, but if you find a problem the only option is to delay the update for a few weeks, which means you’re also skipping potentially critical security fixes.
The cumulative update model is also causing some teething pains in Redmond, where an undisclosed problem in February 2017 forced Microsoft to skip an entire Patch Tuesday cycle for the first time in history.
The death of the service pack
Windows 7 still has nearly three years left in its support lifecycle, but the one and only service pack was released more than six years ago. If you don’t know the secret recipe of updates to install, a fresh installation of Windows 7 can take several days to be fully updated.
With Windows 10, Microsoft regularly releases new installation media (in ISO format) reflecting the latest feature update. But OEM recovery partitions aren’t automatically updated, which means if you roll back an OEM device to its original factory configuration you have to download several gigabytes for the latest feature update and then another very large cumulative update to bring it current.
The bottom line with all these changes is that IT pros who’ve been used to running Windows in set-it-and-forget-it mode are going to have to begin paying closer attention, not just to what’s in this month’s updates but what’s in the pipeline for the next year.
And don’t expect Microsoft to back down on any of these decisions. There are minor changes in the pipeline to make it easier to schedule updates, but the underlying servicing and deployment models aren’t likely to change.
If you’re not paying attention, be prepared for some surprises.
Source: SANS ISC SecNewsFeed @ February 18, 2017 at 10:57AM