For years patch management for Windows desktops has been a relatively straightforward process. In corporate environments either a WSUS server or a third party patch management solution downloads patches from Microsoft as the patches become available and then deploys the patches to designated Windows computers. However, this tried and true practice might be changing.
With its latest operating system releases, Microsoft seems to have thrown a monkey wrench into the patch management process. My purpose in writing this blog post is not to bash Microsoft, but rather to explain what you can realistically expect with regard to patch management should you choose to deploy Windows 8.
Some things stay the same
As you have probably heard, Windows 7 and Windows 8 have a lot in common. In fact, some have even gone so far as to say that when Microsoft created Windows 8 they more or less just bolted the Metro interface on top of Windows 7. In reality, there is more to Windows 8 than just a new GUI. Even so, the similarities between Windows 7 and Windows 8 are undeniable.
Given how similar the two operating systems are to one another, it should be no surprise that patch management works more or less the same way in Windows 8 as it did in Windows 7. Windows 8 is able to download operating system patches from a WSUS server or from a third party patch management system. That’s the good news.
But Metro complicates it
The bad news is that Metro complicates things. Even though WSUS can be used to patch the core operating system, it is not currently being used to patch Metro apps (which Microsoft says we now have to refer to as Windows Store apps).
At first this might not be seem like such a big deal. After all, the Windows Store is used primarily for downloading third-party apps. WSUS has never been used for patching third-party apps. The problem is that from the perspective of patch management, Windows 8 does not really differentiate between third-party Windows Store apps and native applets that are designed to run through the Metro interface.
To show you why this is a problem, consider a situation that happened recently. The Windows Store tile indicated that updates were available. When I selected the tile, I expected the updates to be for third-party apps. However, the updates were actually for operating system components (People, Calendar, etc.). In other words, Windows 8 seems to have developed a split brain syndrome when it comes to patch management. The operating system kernel and desktop items seem to still be patched through WSUS, but anything Metro related is being patched (at least for right now) through the Windows Store. This is bound to result in some frustration for Windows administrators.
Documentation is also an issue
Another issue is the way that the previously mentioned update was rolled out. Normally, when Microsoft provides an operating system update, there is a corresponding KB article that details what the update does and which files are affected. To the best of my knowledge, no such KB article exists for the December update which updated the Mail, Calendar, People, and messaging apps. Personally, I find the idea of undocumented updates to be a bit unnerving.
WSUS does not do Windows RT
Another issue that you need to be aware of with regard to patch management is that currently WSUS is not able to update devices running Windows RT. That isn’t to say that Windows RT devices can’t be updated, it’s just that WSUS is incapable of providing updates to these devices. Rumor has it that WSUS will eventually be retrofitted to support Windows RT, but in the meantime Windows RT updates must come directly from Microsoft Update and from the Windows Store.
The fact that Microsoft uses a different update method for Windows Store apps is likely going to prove to be frustrating for network administrators. Hopefully Microsoft will eventually release a new version of WSUS that is capable of providing updates to Windows Store apps and to Windows RT devices.