
Microsoft Updates

Microsoft Automatic Updates is a service that automatically downloads and installs critical updates to the Windows operating system. It can also be configured to update most other Microsoft applications.

One must accept that a client device, particularly with access to the internet, cannot survive without timely and comprehensive patching and updates. One must also accept that sensitive data services and repositories cannot be protected when client devices are not up to date. These are laws of nature that cannot be defied for long.

Traditionally, centralized teams and infrastructure are put in place to manage updates. In theory, these teams test each patch in all of the organization's environments and, once satisfied, push the patches out to properly configured devices. In practice this approach has been a failure.

First off, many of the devices that access enterprise data are no longer configured by a centralized team; many are never "on site", and some are not even owned by the enterprise. Centralized patches cannot be pushed to a visiting or BYOD laptop.

Generally, a system that can be patched by in-house systems must belong to your Microsoft domain. This is becoming increasingly ridiculous. Will we try to make home machines members of our domain? What about laptops that are rarely on site? An update plan that only concerns itself with a shrinking population of immovable Microsoft devices, tethered to a controlled inside network and configured to give administrative control to a centralized Microsoft domain, is doomed to failure.

Also, the cost of building an on-premises update infrastructure has little return. There are dozens of updates to test, on dozens of possible devices, on a handful of operating systems, in hundreds of environments and using dozens of applications. No team can provide 100% coverage, and a minimum team of 5 to 10 people would be required for an SMB or larger organization. That means a cost of more than $500,000 per year at minimum. All this for what advantage over Microsoft Automatic Updates?

Therefore, it is strongly recommended that Microsoft Automatic Updates be configured to install updates automatically on centrally managed devices, and that it be required by policy on all other devices accessing enterprise data.
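The recommendation above can be verified on an individual Windows client. The following is an added example, not from the original page: a PowerShell audit that reads the Windows Update policy keys and the Windows Update Agent's own settings and reports whether the device installs updates automatically. The registry path and the Microsoft.Update.AutoUpdate COM object are the standard Windows Update interfaces; the 30-day staleness threshold is an assumption.

```powershell
# Added example (not part of the original page): audit one Windows client's
# Automatic Updates configuration against the recommendation above.
function Get-AutoUpdateCompliance {
    [CmdletBinding()]
    param(
        # Assumption: a device with no successful install in this many days
        # is reported as non-compliant even if its setting is correct.
        [int]$MaxDaysSinceInstall = 30
    )

    # Group Policy can force the service off (NoAutoUpdate = 1) or pin the
    # behaviour (AUOptions: 2 = notify only, 3 = download then notify,
    # 4 = download and schedule install, 5 = local admin chooses).
    $policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
    $policy    = Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue
    $policyDisabled = [bool]($policy -and $policy.NoAutoUpdate -eq 1)
    $policyOption   = if ($policy) { $policy.AUOptions } else { $null }

    # Effective setting as reported by the Windows Update Agent:
    # NotificationLevel 0 = not configured, 1 = disabled, 2 = notify before
    # download, 3 = notify before install, 4 = scheduled install.
    $au       = New-Object -ComObject 'Microsoft.Update.AutoUpdate'
    $level    = $au.Settings.NotificationLevel
    $lastInst = $au.Results.LastInstallationSuccessDate
    $daysSince = if ($lastInst -is [datetime] -and $lastInst.Year -gt 1) {
        ((Get-Date) - $lastInst).Days
    } else { $null }

    $findings = @()
    if ($policyDisabled)        { $findings += 'Automatic Updates disabled by policy (NoAutoUpdate=1)' }
    if ($policyOption -in 2, 3) { $findings += "Policy AUOptions=$policyOption needs manual approval to install" }
    if ($level -lt 4)           { $findings += "Effective NotificationLevel=$level is below scheduled install" }
    if ($null -eq $daysSince)   { $findings += 'No successful update installation recorded' }
    elseif ($daysSince -gt $MaxDaysSinceInstall) { $findings += "Last successful install was $daysSince days ago" }

    [pscustomobject]@{
        ComputerName      = $env:COMPUTERNAME
        PolicyDisabled    = $policyDisabled
        PolicyAUOptions   = $policyOption
        NotificationLevel = $level
        DaysSinceInstall  = $daysSince
        Compliant         = ($findings.Count -eq 0)
        Findings          = $findings
    }
}

Get-AutoUpdateCompliance | Format-List
```

Run it as an administrator so the policy key is readable; the Findings list names each reason a device fails, which is what a policy for non-managed devices would ask the user to correct.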

It could be argued that there is an unlikely but catastrophic risk in accepting this recommendation. "Black Swan" risks, those unlikely but catastrophic events, should never be swept under the rug but should instead be thought through carefully.

First, we should consider the likelihood of Microsoft Automatic Updates pushing an update that brings down the client devices of a significant portion of the organization or causes the failure of a critical application or process. Microsoft Automatic Updates is an extremely robust process and service. It is used by many, many people and has not had a catastrophic failure across multiple organizations in many years. Smaller events have been managed quickly and are recoverable.

We should also understand that some portion of these types of failures would not be avoidable even with an on-premises solution, particularly if the service is insufficiently funded.

We should conclude that a significant Microsoft Automatic Updates failure is extremely unlikely but may be unavoidable. In other words, the catastrophic failure of the update service, whether on-premises or outsourced to Microsoft's Automatic Updates, should be covered by a well thought-out disaster plan. But automatic updates should not be avoided because of this risk.