When’s the Right Time for IT to Allow Windows Updates?

This April, Microsoft introduced its latest update for the Windows 10 operating system, and in October, it will launch another major new build. With many new features and functions already available to users via the spring update, such as Timeline, Nearby Sharing, Focus Assist and Microsoft Edge, it sounds as though business users would be hard-pressed to not want to bring Windows to its newest, shiniest form. However, propelling an entire business into the latest version of Windows is a big decision, and there are precautions and risks to consider before updating to your heart’s content. So when should IT allow employees to update Windows?

Some IT professionals, like Peter Verlezza, Founder of managed IT and VoIP provider SMB Networks, prefer to avoid the early adopters' list when it comes to jumping on the update bandwagon.

"For my clients, we don’t need to be ‘leading edge," Verlezza tells Tom’s Hardware. "We want to actually lag behind a little because, while all of these updates might look great on paper, they sometimes don’t always [immediately] play well in the sandbox with the other lines-of-business software the client is concurrently running."

This is especially important for Verlezza, as most of his clients are in the healthcare field—specifically doctor offices specializing in women’s health and pediatrics—and any type of hiccups due to upgrades not gelling with other software systems could be disruptive to these offices’ ability to service patients. For instance, if the client isn’t running the most updated version of their Electronic Medical Records (EMR) software, or the EMR company doesn’t have a Windows 10 compatible version out, there could be a problem.

Verlezza is a firm believer in verifying compatibility. He notes that this is not just out of prudence but also because he’s heard of issues with previous Windows 7 updates that led to patients being denied access to a healthcare facility’s web portal due to compatibility issues.

"There was a situation where the update actually patched a security hole that a vendor was using to allow access to the portal," he explains. "An update came through and closed that gap, and [then] users that previously had access to that software could no longer get into the portal … It’s a question of should people update, and how often?"

When it comes to updating for the sake of updating, Verlezza errs on the side of caution. He advises on updating only when absolutely necessary, for instance, when the update is a security concern or a necessary patch for some type of flawed opening.

"You have to be mindful and critical of what is being updated and why," Verlezza says. "It is good to have a currently supported operating system and have critical patches and updates done regularly, but not necessarily that you have to update everything all the time. However, if you do feel this way, then make sure you test first, and that all of the other software is compatible and can play ‘nice.’"

Similar to the healthcare market, which is beholden to HIPAA regulations and high-level security concerns, so is the banking and finance vertical. Raffi Jamgotchian, President and CTO of IT security services firm Triada Networks, knows firsthand the risks updates pose to his clients. Focusing mainly on investment companies, Jamgotchian prefers the patching system over going all in with Windows updates. Like Verlezza, he also has concerns about not being able to predict the effects of Windows changes.

"My philosophy has always been to be aggressive with patching; [update] almost within the week of the patch being released and deployed in as many computers that we have in the fleet," he tells Tom’s Hardware.

With situations like the massive Windows 10 spring update, Jamgotchian remains cautious of the unknown. The IT executive says he’d rather keep things low-risk and take his time with a significant update, rather than launching it hastily.

"We give ourselves an additional 30 days from the update’s release," Jamgotchian says. "But in the meantime, we can do testing, and if there’s a problem that happens with the test machines, we will defer further until we can sort it out."

Jamgotchian says that he’s never been too overzealous when advising clients on updates; however, he says that, after this last spring update, he’s become even more cautious than ever. He credits this to encountering more problems with updates at client sites in recent years, which he attributes to Microsoft disbanding their secure development lifecycle group.

"I’ve definitely noticed a change since they put updates back into their development teams, rather than have a separate team that manages the security development lifecycle, [which] was the pinnacle when they were first putting out Windows XP Service Pack 2; that started the process, and the process was putting out quality updates," Jamgotchian says.

Bottom Line

Even though Windows updates can pose risks, they, of course, can still be beneficial and feature-rich, which helps businesses run on a higher level. Thus, updating can be very tempting. But waiting will be worth it, as time will be saved on the front end.

"The idea is to keep the updates going, but we are a little more conservative in taking more time so that things don’t go sideways when we deploy it," Jamgotchian says. "The best advice I can offer is to use the tools that are available to you, and be smart about it. For instance, if you are going on vacation, it might not be the best idea to do rollouts during that week."

Verlezza offers the same sentiments as Jamgotchian, saying that with updates — especially significant ones — the best thing to do is to guide the client to the point where a new Windows build won’t cause any major disruptions or outages within their business.

"There are a lot of ‘wants’ and a lot of ‘needs’ that we find. We very seldom see anyone that [actually] needs to update, but many ‘want’ to," he says. "Our job as IT professionals is to advise and direct, and we will always do what the client requests, as long as it isn’t going to adversely affect their business. If a client insists, we still test and make sure everything works with all of the moving parts. The last thing you want to have is a situation in a busy doctor’s office on a Monday morning where they can’t get into their EMR system to check patients in."

Create a new thread in the Reviews comments forum about this subject
This thread is closed for comments
13 comments
Comment from the forums
    Your comment
  • USAFRet
    It should be pushed out to the client desktops only after full testing on sample systems by the IT dept.

    For absolute critical systems and issues, this testing should start on Day 1 of the patch release.
  • stdragon
    Unless it's a critical zero-day exploit being patched, I wait at least two weeks after initial release. The same KB update might undergo six or more revision in that span of time. And yes, the newest build of the patch will supersede the oldest sitting in the update cache once checked again.

    The QAQC process sucks bad in Microsoft!!!
  • gdmaclew
    Anonymous said:
    It should be pushed out to the client desktops only after full testing on sample systems by the IT dept.

    For absolute critical systems and issues, this testing should start on Day 1 of the patch release.


    Absolutely agree.
    When we had 10,000 clients their systems were "locked down" and all updates were pushed to the clients after rigorous testing.
  • taz-nz
    >>>> "There was a situation where the update actually patched a security hole that a vendor was using to allow access to the portal," he explains. "An update came through and closed that gap, and [then] users that previously had access to that software could no longer get into the portal <<<<

    That's a classic example of the problem, software written so badly it uses a security flaw to make a feature work, instead of doing it right the first time, just do bodge job after bodge job and blame Mircosoft when it breaks.

    There are so many applications where the code base of the latest Windows 10 ready version is barely Windows XP complaint and relies entirely on Windows backwards compatibility to function, meaning even the most minor of security fixes brings down the whole house of cards.

    With Windows 7 going end of life in fifteen months well see another wave of lazy or under funded developer telling their customers we don't support Windows 10, and saying you have to stick to Windows 7 to use our product, despite the fact Windows 10 will have been around for four and a half years by that point, and disregarding Windows 8 has been around even longer, because they didn't bother support it either because no one liked it. In the same way they did with the shift from 32bit Windows XP to 64bit Windows 7, hey ignored Vista and because XP was still supported they did bother updating their code to be Window 7 compatible let alone 64bit compatible until it was too late.
  • spdragoo
    You beat me to it, @taz-nz. When your clients are relying on security holes to make their software work, you have to start wondering how shady your clients are, or at least how secure that data was.
  • shrapnel_indie
    It's a bit scary to find out that your software vendor had to rely on an exploit to get a feature to "work." It's a dangerous precedence in software development, no matter the industry or even for the home. It's also a scary thing when your corporate level IT pushes policy changes and it cause all sorts of issues, including trust issues. (This same IT department also pushed for an older version, but considerably newer, of Chrome recently. The new version was still about three versions behind the one that patched toe "20 questions" issue, and shortly thereafter another version behind.) There is a balance to be had.
  • stdragon
    Security, both the implementation and maintenance thereof is reliant upon funding. Being that IT is inherently a cost center, it's not uncommon that it doesn't get the funds it needs to maintain and enforce security.

    More often than not, you get what you pay for. You want cheap, you get cheap and unreliable results.
  • jimmysmitty
    Anonymous said:
    It should be pushed out to the client desktops only after full testing on sample systems by the IT dept.

    For absolute critical systems and issues, this testing should start on Day 1 of the patch release.


    We have a patch management system that we use, ManageEngine. The nice thing is they test all the patches and have an "Approved" list, ones that don't show any major issues. If we come across one we can tell it to remove it and then block the patch so it wont install again, even on Windows 10. This is how we stopped the Spring and Fall updates from self deploying as people would just get angry at us for the systems starting on their own.

    That said it is normally 1-2 weeks behind patch Tuesday and as well we stay one version behind on the Spring/Fall updates. we are currently discussing it further though to see if we want to push the Spring or Fall since now we wouldn't have to push 1803 then 1809 for example we can just go to 1809.

    This sucks for us though because half of our systems are field systems which may or may not connect to the internet often. However this new management system has made that quite a bit easier for us minus the big updates.

    We like to keep updates as up to date as possible and once a year we do a cleaning of all systems, we have field people bring them in. If this system works the way I want it to it should make it so I don't have to do a 80 hour plus week when we do that.

    @stdragon, you have no idea how true that is. We have a hard time enforcing basic policy when trying to keep things safe. And when something goes wrong we get blamed even when we try and try. Its hardest to get backing and support from top level management really.
  • mlee 2500
    Yeah, so MY companies preference is to wait and only install Massive Windows Updates right before you have an important meeting and need your laptop, so that you're totally skrewd.
  • stdragon
    Anonymous said:
    Anonymous said:
    It should be pushed out to the client desktops only after full testing on sample systems by the IT dept.

    For absolute critical systems and issues, this testing should start on Day 1 of the patch release.
    @stdragon, you have no idea how true that is. We have a hard time enforcing basic policy when trying to keep things safe. And when something goes wrong we get blamed even when we try and try. Its hardest to get backing and support from top level management really.


    It depends on the business and its owners, but many are competent these days to value the need of IT services. That said however, many have cynical views of IT in general. Either you're doing a fantastic job being proactive and get the following response "Everything is working fine, why do I need to be spending so much money on support and IT staff". Or, if you're underfunded it can be responded to as "The entire IT dept is busy, why can't you just fix it right and be more responsive. What are we paying you guys for?!" .

    My immediate response would simply just find another job, because you won't be valued no matter what in that sitution. But the responsible attitude would be to show ways of proving value and report on the items of prevention and showing responsiveness to empower the rest of the business.

    Oh, and never use machines that are older than 6 years old. Plan and budget a refresh cycles. Be proactive. Don't just drop hot unexpected expenses on the laps of those with fiscal responsibilities. Management really hates that! It goes much smoother when the decision makers have been given a heads-up months to a year/s in advanced.
  • captaincharisma
    so this article assumes IT guys do not have one or multiple test PC in an isolated network environment in their office to test out windows updates?
  • stdragon
    Anonymous said:
    so this article assumes IT guys do not have one or multiple test PC in an isolated network environment in their office to test out windows updates?


    Correct. A test environment is an exception rather then the rule. If all you do is work IT in an enterprise environment, then your experience is very myopic to how the majority of the world works.
  • spdragoo
    Anonymous said:
    Anonymous said:
    so this article assumes IT guys do not have one or multiple test PC in an isolated network environment in their office to test out windows updates?


    Correct. A test environment is an exception rather then the rule. If all you do is work IT in an enterprise environment, then your experience is very myopic to how the majority of the world works.


    Exactly. A larger business, especially a big corporation (or the equivalent) has the budget to spend for a couple of PCs to be used for nothing but testing...& they also tend to a) buy the Enterprise licenses for Windows & b) rely on imaging the user profiles to prevent the installation of "unauthorized" software & make it easy to roll out patches. Small businesses, especially ones where you truly could operate on the purchase model of, "we'll buy a replacement PC at the local brick-and-mortar store if 1 goes bad"? They often don't have the budget to have spare PCs lying around "just in case one breaks", let alone to use exclusively for patch/OS testing. Doesn't mean they shouldn't at least attempt testing -- & plan to spend time backing data up prior to the updates just in case something does break -- but that's just how things tend to be.