Windows 10 Patch Management and Third-Party Application (In)Compatibility
Unlike previous releases of Windows, Windows 10 continues to evolve from month to month and update to update. With the January 2016 Patch Tuesday release, we see some very interesting challenges for customers, due to the cumulative update model and the impact on third-party applications.
Chris Goettl, senior product manager for Shavlik and resident patch expert, noted in his January 2016 Patch Tuesday blog post that the update affects Citrix XenDesktop. Let’s drill into what happened and what this means for customers.
Stephen: Chris, quickly recap what happened in this month’s update and how it affected Citrix XenDesktop.
Chris: As many in IT are already aware, patches for Windows 10 are all deployed in a “Cumulative Update” model where you can’t choose which individual update to apply. You either apply them all or none of them. Microsoft’s January Windows 10 update will create issues when Citrix XenDesktop is installed.
Stephen: Wow! That’s painful if you are a customer using Citrix on Windows 10. Has Microsoft responded to the issue?
Chris: Microsoft noted the following in bulletin MS16-007:
“Customers running Windows 10 or Windows 10 Version 1511 who have Citrix XenDesktop installed will not be offered the update. Because of a Citrix issue with the XenDesktop software, users who install the update will be prevented from logging on. To stay protected, Microsoft recommends uninstalling the incompatible software and installing this update. Customers should contact Citrix for more information and help with this XenDesktop software issue.”
Stephen: Did Microsoft do anything to help prevent the incompatibility?
Chris: Microsoft’s detection logic now detects if Citrix XenDesktop is installed on an endpoint. If it is, the entire cumulative update simply will not be available for the endpoint.
Stephen: What does that mean for the rest of the cumulative update? Will part of the update apply, except for the components that conflict with Citrix?
Chris: None of the cumulative update will apply if Citrix XenDesktop is installed.
Stephen: What does this mean from a security perspective?
Chris: Customers have a difficult choice to make. They either need to uninstall Citrix XenDesktop and install the Windows 10 update or keep Citrix and be vulnerable to everything fixed in the January Update.
Stephen: How many vulnerabilities were in the January 2016 update?
Chris: 14 vulnerabilities were resolved across Windows 10, Edge, and Internet Explorer. Four of those were publicly disclosed, which puts them at significantly higher risk of exploit.
Stephen: So customers will not get Microsoft Edge and Internet Explorer updates without applying this cumulative update?
Chris: That’s correct. With Windows 10, all of those updates are bundled into the single cumulative update.
Stephen: What do you expect will happen with Citrix XenDesktop?
Chris: We can’t speak for Citrix, but I would expect that they will come out with a patch that makes XenDesktop compatible with the latest Windows 10 update. Users will then need to deploy both the Citrix update and then the Windows 10 update.
Stephen: So this reinforces the need for third-party application patching?
Chris: Absolutely. This is just one example that illustrates the need to have a comprehensive patch management solution for operating system updates and third-party applications. Going a step further, it reinforces the need to patch client systems more frequently. We don't know when the Citrix update will be available, but when it is, customers are going to want to know ASAP, so they will then be able to update Citrix and push the cumulative update for Windows 10.
Stephen: One last question. How does this illustrate the need for an enterprise patch management solution with Windows 10?
Chris: To reiterate and emphasize my earlier point, customers must decide whether to install the cumulative update or remove Citrix. Most likely, they will need to update both in the order I specified earlier. Neither Windows Update nor Windows-only patch solutions give the flexibility to address these types of scenarios.
To summarize:
- Patch Tuesday is no longer a single event, if it ever really was. An enterprise that starts its patch process while running Citrix XenDesktop has no choice in the matter: the January cumulative update will not be offered to those systems, no patches will apply, and the systems stay exposed to known security vulnerabilities.
- We expect Citrix will come out with a patch. Enterprises will need to be able to detect and distribute that third-party patch. Windows Update, Windows Server Update Services (WSUS) and System Center Configuration Manager (SCCM) are not enough here.
- Once Citrix XenDesktop is patched, the endpoint becomes eligible for the Windows 10 cumulative update. The enterprise then needs to rescan the system as soon as possible after the Citrix update, so that it registers as missing the Microsoft January 2016 update and eligible to receive it, and then deploy and install that update.
- Patching isn’t a once-a-month event: updates are becoming more complex and are sometimes released out of band. This is even more the case with third-party applications, whose vendors sometimes release multiple updates in a month.
- Windows 10 does not simplify patching for enterprises. Enterprises need solutions that handle the new complexities of the Windows 10 update model.
Bottom line: third-party patching and flexible Windows 10 patch management are a must for all enterprises.
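The detect-then-rescan sequence in the points above can be checked on a single endpoint with a short script. The following PowerShell is an added example and is not code from the Shavlik post or from Microsoft or Citrix. It looks for a blocking third-party product in the registry Uninstall keys and asks Get-HotFix whether a given cumulative update is present. The KB identifier is a placeholder, since the post names only bulletin MS16-007 and not the KB number of the January cumulative update; fill in the one you are tracking. The product name pattern and the status strings are assumptions chosen for this example.

```powershell
# Added example (not from the original post): pre-flight check for the
# "third-party product blocks the Windows 10 cumulative update" scenario.
param(
    # Placeholder: KB id of the cumulative update you are tracking (not on the page).
    [string]$CumulativeUpdateKB = 'KB0000000',
    # Assumed display-name pattern for the blocking product.
    [string]$BlockingProductPattern = 'Citrix XenDesktop'
)

# Enumerate installed products from both the 64-bit and 32-bit Uninstall hives
# and return those whose DisplayName matches the pattern.
function Get-InstalledProduct {
    param([string]$Pattern)
    $uninstallKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like "*$Pattern*" } |
        Select-Object DisplayName, DisplayVersion, Publisher
}

# True when the given KB shows up in the installed hotfix list.
function Test-HotFixInstalled {
    param([string]$Id)
    $null -ne (Get-HotFix -Id $Id -ErrorAction SilentlyContinue)
}

$blocking        = @(Get-InstalledProduct -Pattern $BlockingProductPattern)
$updateInstalled = Test-HotFixInstalled -Id $CumulativeUpdateKB

# Classify the endpoint: patched, blocked by the third-party product, or
# simply missing the update and therefore eligible to receive it now.
if ($updateInstalled) {
    $status = 'Patched'
} elseif ($blocking.Count -gt 0) {
    $status = 'Blocked: update the third-party product first, then rescan for the cumulative update'
} else {
    $status = 'Missing: endpoint is eligible for the cumulative update, deploy it'
}

[pscustomobject]@{
    ComputerName         = $env:COMPUTERNAME
    BlockingProductFound = ($blocking.Count -gt 0)
    BlockingProducts     = ($blocking | ForEach-Object { "$($_.DisplayName) $($_.DisplayVersion)" }) -join '; '
    CumulativeUpdateKB   = $CumulativeUpdateKB
    CumulativeInstalled  = $updateInstalled
    Status               = $status
}
```

Run it after the third-party patch has been deployed as well as before: an endpoint that reported "Blocked" should move to "Missing" once the product is updated, which is the rescan signal that it can now be offered the cumulative update.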