Test Microsoft Security Patches Early on the Security Update Validation Program

security red hero img

It’s not a secret that Microsoft’s attempts at delivering Windows 10 as a service have hardly been a roaring success. This year alone has seen two bungled feature updates, causing lots of pain for early adopters. Both consumers and enterprises are struggling with the cadence of feature updates, not to mention buggy quality updates that come two or three times a month.

Enterprises have several options when it comes to testing and distributing updates. For those without a third-party patch management system or centralized control via Windows Server Update Services (WSUS) or System Center Configuration Manager (SCCM), Windows 10 includes Windows Update for Business (WUfB), which can be configured using the Settings app or through Group Policy. WUfB relies on the peer-to-peer technology in Windows 10 to efficiently distribute updates between devices on the local area network, so a local server isn’t required. Although WUfB doesn’t include the reporting facilities provided by WSUS, you can use Windows Analytics update compliance to track your devices.

For more information on WUfB and Windows Analytics, see Understanding Windows Update for Business and Use the Update Compliance in Operations Management Suite to Monitor Windows Updates on Petri.

Windows Server Update Services and System Center Configuration Manager can both be used like in previous versions of Windows to approve and distribute updates from a local server. But you will fall out of support if you put off feature updates forever. The spring releases are supported for 18 months and fall features updates for 30 months. Once the support window has expired, you’ll need to update to continue receiving quality updates.

Creating Deployment Rings to Test Security Updates

Microsoft releases security patches as part of the quality updates and monthly rollups released on the 2nd Tuesday of each month, otherwise known as Patch Tuesday. Each month on Petri I provide a summary of the most important fixes, so you can better evaluate your testing needs.

Instead of rolling out these updates to all devices simultaneously, you can use WSUS, SCCM, or WUfB to create deployment rings to test the updates on a limited number of devices first to validate whether they will cause any problems. Once the updates have passed validation in a deployment ring, you can extend the update to a ring that includes more devices or roll out to all devices if you are confident there won’t be any issues. In other words, you can have as many or as few rings as you need. Using WUfB, quality updates in Windows 10 can be deferred for up to 30 days or paused for 35 days from a given date.

If you’d like to know more about how to set up deployment rings using WUfB, read Create Deployment Rings Using Windows 10 Update for Business on Petri.

Security Update Validation Program

While using deployment rings is something all business should implement as a best practice, you do need to wait until the security patches are made publicly available on Patch Tuesday. But for organizations that have very strict security requirements and need to update as soon as the patches are made available, the Security Update Validation Program (SUVP) allows you to get hold of the patches early for testing.

SUVP provides patches up to three weeks before their official release and encompasses all Microsoft products that are supported for security fixes. The program isn’t for everyone however. To be part of the program your organization must be nominated by a Microsoft representative, you must sign a non-disclosure agreement (NDA), and you’ll need to have Azure Active Directory (Azure AD) to receive content via Microsoft Collaborate.

If you make it on to the program and do find any issues, you can report back to Microsoft and the problem will be escalated quickly and directly to the product teams. As a program participant, Microsoft doesn’t share vulnerability details ahead of Patch Tuesday to protect the confidentiality of privately reported information. Additionally, Microsoft says that participants can’t verify whether the security measures being implemented are effective. The point of the program is to make sure patches don’t break apps or infrastructure, not test their effectiveness.

If you are interested in joining the program, talk to your Microsoft representative or contact SUVP onboarding directly at [email protected].