- Nov 29, 2020
This year marks a very important milestone for the history of Microsoft, the Windows product and for greater computing: 20 years of Patch Tuesday updates. With more than 1.4 billion monthly active Windows devices in service, and billions more devices served along the journey of Windows, our goal is to keep users around the world protected and productive. In today’s security climate, our work across the company and greater industry to keep this critical ecosystem secure is more important than ever. And while we also ship bug fixes and other new features via continuous innovation, in the end security is job one. Monthly Patch Tuesday updates serve as a vehicle for just that. Created from a 2002 company-wide initiative, Patch Tuesday has become a well-known industry standard, keeping not just Windows but the people, companies and institutions that depend on it protected and productive for 20 years. In this article, we’ll share a bit on the history of Patch Tuesday and how it continues to evolve through a principle-based approach.
Patch Tuesday’s origin and historyOn January 12, 2002, Bill Gates published a company-wide email announcing the creation of the Trustworthy Computing (TwC) initiative. It represented a paradigm shift, pushing security teams to shift their thinking toward securing features themselves across the breadth of our products. From this important initiative, we consolidated our security update process into a predictable cadence of monthly Patch Tuesday updates. Highlights from the 20-year tenure of Patch Tuesdays below show the ongoing evolution of this critical, well-established practice:
- Patch Tuesday updates begin. They introduce supporting patch management processes, including Windows Update and Microsoft Update services.
- Windows Vista and later Windows 7 are released. Both incorporate enhanced security features, User Account Control (UAC), Windows Defender and improved firewall capabilities.
- New out-of-band (OOB) updates address imminent threats like the Conficker worm vulnerability.
- Security Development Lifecycle expansion provides a robust set of best practices and guidelines for developing secure software.
- New tools help organizations deploy and assess the status of security updates. These include Windows Server Update Services (WSUS) and the Microsoft Baseline Security Analyzer (MBSA).
- Windows 8 features improve security measures. We welcome Secure Boot, Windows Defender enhancements and further developments in User Account Control (UAC).
- Windows 10 is introduced. It represents a fundamental shift towards a "Windows as a service" model. It’s accompanied by the inaugural release of the Windows update history pages, more commonly known as release notes.
- New security enhancements aim to provide stronger protection against malware, unauthorized access and credential theft. Device Guard, Credential Guard and Windows Hello are developed and released.
- Windows Update for Business goes live. It allows organizations more control over when and how to deploy Windows updates.
- The quality and reliability of security updates continue to be the focus of the conversation. “In each new monthly quality update, we add another layer of security, one that tracks emerging and changing trends in malware and viruses” (John Cable, September 20, 2017).
- We take proactive steps to bolster transparency and align with General Data Protection Regulations (GDPR). Organizations gain the confidence they need to keep devices up to date.
- An industry-wide collaboration begins around proactively patching firmware. It follows a public disclosure of Spectre & Meltdown hardware vulnerabilities. Monthly quality updates serve as a tool to expand microcode updates to devices.
- The use of machine learning optimizes Windows update experiences as proactive measures across Windows updates continue. AI becomes a tool to serve Windows 10 feature updates.
- Rigor and transparency grow: “The scale and diversity of the Windows ecosystem requires us to take a data-driven approach to quality and to leverage automation for testing, validation and distribution" (Mike Fortin, former CVP, December 10, 2018). The discussion of quality validation efforts via Patch Tuesday includes the Pre-release Validation Program (PVP), Depth Test Passes (DTP), Monthly Test Passes (MTP), the Windows Insider Program (WIP) and the Security Update Validation Program (SUVP).
- Windows release health dashboard offers everyone a single pane of glass to view known issues across feature and monthly quality updates.
- In response to 2020's COVID-19 emerging pandemic, remote work-related tools receive greater focus. We address vulnerabilities in Remote Desktop Services and Microsoft Teams, as well as extend End of Support for certain active versions of Windows.
- Known Issue Rollbacks (KIRs) help devices quickly return to a productive state if inadvertently impacted by an update issue.
- In August 2022, the newly announced safeguard holds with Windows Update for Business deployment service help organizations with rolling out updates.
- That same year, Unified Update Platform (UUP) on premises is available for commercial organizations as a public preview. Integrated with Windows Server Update Services (WSUS) and Configuration Manager, it simplifies quality and feature update deployment. It hits General Availability in 2023.
- Windows Autopatch emerges as a growing part of the Patch Tuesday experience.
- Microsoft launches the Secure Future Initiative across Microsoft to pursue our next generation of cybersecurity protection.
Our principle-based Patch Tuesday evolutionThe notions of security and productivity have evolved as drastically as the world of technology. As Brad Smith recently shared in his Nov. 2 blog post A new world of security: Microsoft’s Secure Future Initiative, those efforts are only intensifying. This means great challenges and opportunities for Microsoft’s vision to align on empowering everyone to achieve more through its products, including Windows. Windows is a critical tool and more important than ever to how folks work and play. We will continue to focus on evolving the update experience. Specifically, we’ve raised the quality of learning, adapting and serving our increasingly diverse customer base around the world, adhering to four principles for the monthly Windows servicing process:
- Predictability: The Windows monthly release cadence should align predictably to the second Tuesday of every month.
- Simplicity: Everyone should be able to manage to a simple, regular and consistent patching experience. Doesn’t matter if you’re an individual Windows user or an IT manager overseeing your organization. You shouldn’t need to stop what you're doing to rigorously test an update before deploying it.
- Agility: In today’s computing landscape, security threats demand quick responses. We must provide all Windows users with updates quickly without compromising quality or compatibility.
- Transparency: To simplify the update process for individuals and for businesses large and small, everyone should have access to as much information as they need. You should be able to understand updates in advance. This includes comprehensive yet clear release notes, guides for common servicing tools, access to assistance and a feedback system.