When’s the Right Time for IT to Allow Windows Updates?

This April, Microsoft introduced its latest update for the Windows 10 operating system, and in October, it will launch another major new build. With many new features and functions already available to users via the spring update, such as Timeline, Nearby Sharing, Focus Assist and Microsoft Edge, it sounds as though business users would be hard-pressed to not want to bring Windows to its newest, shiniest form. However, propelling an entire business into the latest version of Windows is a big decision, and there are precautions and risks to consider before updating to your heart’s content. So when should IT allow employees to update Windows?

Some IT professionals, like Peter Verlezza, Founder of managed IT and VoIP provider SMB Networks, prefer to avoid the early adopters' list when it comes to jumping on the update bandwagon.

"For my clients, we don’t need to be ‘leading edge,’" Verlezza tells Tom’s Hardware. "We want to actually lag behind a little because, while all of these updates might look great on paper, they sometimes don’t always [immediately] play well in the sandbox with the other lines-of-business software the client is concurrently running."

This is especially important for Verlezza, as most of his clients are in the healthcare field—specifically doctors’ offices specializing in women’s health and pediatrics—and any hiccups caused by upgrades not gelling with other software systems could disrupt these offices’ ability to serve patients. For instance, if the client isn’t running the most recent version of its Electronic Medical Records (EMR) software, or the EMR company doesn’t have a Windows 10-compatible version out, there could be a problem.

Verlezza is a firm believer in verifying compatibility. He notes that this is not just out of prudence: he has heard of previous Windows 7 updates that led to patients being denied access to a healthcare facility’s web portal because of compatibility issues.

"There was a situation where the update actually patched a security hole that a vendor was using to allow access to the portal," he explains. "An update came through and closed that gap, and [then] users that previously had access to that software could no longer get into the portal … It’s a question of should people update, and how often?"

When it comes to updating for the sake of updating, Verlezza errs on the side of caution. He advises updating only when absolutely necessary, for instance when the update addresses a security concern or is a necessary patch for some type of flaw.

"You have to be mindful and critical of what is being updated and why," Verlezza says. "It is good to have a currently supported operating system and have critical patches and updates done regularly, but not necessarily that you have to update everything all the time. However, if you do feel this way, then make sure you test first, and that all of the other software is compatible and can play ‘nice.’"

The banking and finance vertical, like the healthcare market with its HIPAA regulations, is beholden to high-level security concerns. Raffi Jamgotchian, President and CTO of IT security services firm Triada Networks, knows firsthand the risks updates pose to his clients. Focusing mainly on investment companies, Jamgotchian prefers patching over going all in with Windows updates. Like Verlezza, he also has concerns about not being able to predict the effects of Windows changes.

"My philosophy has always been to be aggressive with patching; [update] almost within the week of the patch being released and deployed in as many computers that we have in the fleet," he tells Tom’s Hardware.

With situations like the massive Windows 10 spring update, Jamgotchian remains wary of the unknown. The IT executive says he’d rather keep things low-risk and take his time with a significant update than launch it hastily.

"We give ourselves an additional 30 days from the update’s release," Jamgotchian says. "But in the meantime, we can do testing, and if there’s a problem that happens with the test machines, we will defer further until we can sort it out."

Jamgotchian says that he has never been overzealous when advising clients on updates, but after this last spring update he has become more cautious than ever. He credits this to encountering more problems with updates at client sites in recent years, which he attributes to Microsoft disbanding its secure development lifecycle group.

"I’ve definitely noticed a change since they put updates back into their development teams, rather than have a separate team that manages the security development lifecycle, [which] was the pinnacle when they were first putting out Windows XP Service Pack 2; that started the process, and the process was putting out quality updates," Jamgotchian says.

Bottom Line

Even though Windows updates can pose risks, they, of course, can still be beneficial and feature-rich, which helps businesses run on a higher level. Thus, updating can be very tempting. But waiting will be worth it, as time will be saved on the front end.

"The idea is to keep the updates going, but we are a little more conservative in taking more time so that things don’t go sideways when we deploy it," Jamgotchian says. "The best advice I can offer is to use the tools that are available to you, and be smart about it. For instance, if you are going on vacation, it might not be the best idea to do rollouts during that week."

Verlezza echoes Jamgotchian’s sentiment, saying that with updates — especially significant ones — the best thing to do is to guide the client to the point where a new Windows build won’t cause any major disruptions or outages within their business.

"There are a lot of ‘wants’ and a lot of ‘needs’ that we find. We very seldom see anyone that [actually] needs to update, but many ‘want’ to," he says. "Our job as IT professionals is to advise and direct, and we will always do what the client requests, as long as it isn’t going to adversely affect their business. If a client insists, we still test and make sure everything works with all of the moving parts. The last thing you want to have is a situation in a busy doctor’s office on a Monday morning where they can’t get into their EMR system to check patients in."