Managing Risk and the Windows as a Service Cadence

• Supported versions of the Windows client OS editions are entitled to monthly quality (security) updates and an annual feature (nonsecurity) update.
• Interim updates released alongside security updates often include changed features, which require additional effort to manage.
• Attempting to circumvent this cadence in the name of stability may expose an organization to unacceptable security risk.

Since the availability of Windows 10, organizations have struggled with the continual stream of feature and quality updates for the Windows client OS. Although Microsoft states new features will be generally available only once a year, out-of-band feature updates are the norm. However, delaying deployment of updates, in particular security updates, can expose an organization to the risk of malicious attacks using both known and zero-day vulnerabilities. Trying to slow the pace of updates can waste administrator resources that may be better focused on monitoring security management tools and lead an organization to deploy the wrong edition of the OS.