Windows Patches: A Guide to Awareness

Windows patches are a nuisance that causes frustration for everyone on the IT staff, particularly because servers have to be rebooted. Every month, Microsoft releases between 1 and 40 individual Windows patches, split between security updates and non-security updates. These patches go through different levels of regression testing. For example, some patches are released under LDR, which stands for Limited Distribution Release. LDR packages contain fixes that have not undergone extensive testing and resolve issues that only a fraction of Windows users may ever encounter. The more thoroughly tested patches are the GDR patches, which stands for General Distribution Release. You will most likely find these in the Windows Update Catalog or in Windows Server Update Services, more commonly known as WSUS.

As an organization, you would be wise to deploy the Windows security fixes immediately. The non-security fixes, however, are sometimes not deployed at all, especially LDR non-security fixes. So what is the result? Each organization ends up with its own unique Windows configuration, defined by the set of Windows patches it has installed.

Windows Patches: Testing

Let's compare that to the configuration Microsoft tests in its lab: fully patched Windows PCs with every update ever released installed, including LDRs. For each new update, Microsoft verifies that it has no adverse effects on these fully patched PCs. There have been instances where new updates caused issues on partially patched PCs, which often have specific combinations of updates. Even if you are Microsoft, there is no way to test all possible combinations, no matter how much computing power you have. Next time you wonder why Microsoft didn't catch a simple issue, this is the reason.

Let's take a look at a visual comparison of a typical patched machine in an organization versus Microsoft's machine in the lab, for Windows 7:

[Figure: Windows 7 patching example. Image taken from the reference below, Windows 10 for Enterprise Administrators.]

Windows 7 has had more than 4000 fixes since the release of SP1, and about 500 of these are not widespread. Try to calculate all the possible combinations of patches when one or more of these 500 patches are missing.
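Carrying that invitation through as an added worked calculation (not part of the original post), treating each of the roughly 500 non-widespread fixes as either installed or missing on a given machine:

Each of the $n = 500$ non-widespread fixes is either installed or missing, so the number of distinct patch states is

$$2^{n} = 2^{500}.$$

Exactly one of these states, all 500 installed, is the fully patched image Microsoft's lab tests. The number of partially patched configurations is therefore

$$2^{500} - 1 \approx 3.27 \times 10^{150}.$$

Even restricting to machines that are missing exactly two of the 500 fixes gives

$$\binom{500}{2} = \frac{500 \cdot 499}{2} = 124{,}750$$

distinct configurations to test, and missing exactly three gives

$$\binom{500}{3} = \frac{500 \cdot 499 \cdot 498}{6} = 20{,}708{,}500.$$

Any test matrix built on a single fully patched image covers none of these combinations, which is why organizations should test an update on their own representative builds before deploying it broadly.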

In the next article, we will see what the deal is with cumulative updates in Windows 10.

References

Diver, Richard. "Servicing and Patching." Windows 10 for Enterprise Administrators. Birmingham, UK: Packt Publishing, 2017.