Microsoft has confirmed that it will use security updates -- or more accurately, the refusal to serve them to customers -- as the stick to keep businesses in line with Windows 10's accelerated tempo of feature and functionality upgrades.
Experts had assumed that the Redmond, Wash. company would threaten Windows 10 users with a no-patches policy if they didn't keep up with the OS's constant updates and upgrades. Microsoft has often told customers that if they didn't do A or B or Y or Z -- like migrate to Windows 8.1 Update or dump Internet Explorer 8 -- they would not receive future vulnerability fixes.
"I think any vendor will find it's to their advantage to get users to upgrade, and they will also find a stick when time comes to get people to move," predicted Andrew Storms, vice president of security services at New Context, a San Francisco-based security consultancy, in a recent interview.
According to Helen Harmetz, a Microsoft senior product marketing manager who spoke during a 20-minute webinar on Windows 10 -- initially made available to registered partners on April 30 -- Microsoft will let customers who adopt the Current Branch for Business (CBB) postpone deployment of a specific build for no more than eight months. Failure to meet that deadline will mean a patch cutoff.
WindowsITPro obtained a copy of the webinar, and first reported on Harmetz's comments.
"Customers who are embracing Current Branch for Business do need to consume that feature update within the allotted time period of approximately eight months or they will not be able to see and consume the next security update. So there is a consumption that has to happen here," Harmetz said.
Harmetz filled in some of the blank spots that exist in the execution of Microsoft's update and upgrade practice for Windows 10, which will be radically different from that of prior editions, like Windows 7 or even Windows 8.
Microsoft will offer several update tracks -- it calls them "branches" -- rather than the one-size-fits-all approach of the past, when it presented updates to everyone, whether consumers or massive corporations, at or almost at the same time.
The first to get feature and functionality changes will be devices on the Current Branch, the speediest of the three and aimed at consumers, although businesses can also select the track for some or all systems if they want to live on the edge. Microsoft has not said how frequently it will issue a new Current Branch, but most analysts have assumed that it could be as often as monthly.
At more-or-less regular intervals Microsoft will declare a Current Branch for Business release, which will follow the same-named Current Branch release by about four months, Harmetz said. During that four-month lag, consumers will be Microsoft's lab rats, testing the updates and filing complaints, which Microsoft will address.
Because of that consumer testing -- which in turn will be preceded by testing by the adventurous Windows Insider participants -- the CBB release should be of better quality, "validated" in Harmetz's terminology. Devices that draw updates using the new Windows Update for Business (WUB) will automatically receive the CBB after Microsoft declares it.
Some devices on CBB will immediately get the latest feature update; those will be the ones businesses tag as on the fast "ring" -- another Microsoft term indicating a subset of a branch. Other devices may be on a "slow" ring that delays the update's roll-out for a still-unspecified length of time.
Harmetz's slide deck, however, showed that all rings would deliver the updates via WUB within a four-month span.
Companies and organizations that continue to rely on WSUS (Windows Server Update Services) and other update/patch management software will be able to delay the CBB even more than a slow ring: up to eight months from when that update was declared "business ready," or suitable for CBB.
"If customers are using their infrastructure to deploy feature updates, they actually have a total of eight months to validate and deploy that feature set after it's been declared business ready," said Harmetz.
But not any longer. If companies don't apply a CBB within the maximum of eight months, the devices will no longer receive security patches and bug fixes. Since most businesses loathe the idea of running unpatched devices, the security stick Microsoft wields will be a big, big club.
Notable, too, is that the CBB track does not appear to allow for skipping any individual CBB; each will be required to receive further patches. The only flexibility is in when the CBB lands.
According to Harmetz's slides, Microsoft will issue a branch about every four months, or three times in one year. The company had hinted at that interval earlier this year when it said enterprise subscribers to Office 365 would be able to limit the number of Office 2016 updates to three a year.
Much of what Harmetz disclosed in her partner presentation had been pegged by analysts in the months since Microsoft began talking about Windows 10 last fall. In October 2014, for instance, Gartner's Microsoft experts -- Michael Silver and Stephen Kleynhans -- called the four-month span between feature updates, as well as the update-delay rights.
But Harmetz's outline was the first from Microsoft that went public to confirm that educated speculation.