Harnessing first-party patching technology to drive innovation at Microsoft
http://approjects.co.za/?big=insidetrack/blog/harnessing-first-party-patching-technology-to-drive-innovation-at-microsoft/
Mon, 16 Sep 2024 15:00:45 +0000

The post Harnessing first-party patching technology to drive innovation at Microsoft appeared first on Inside Track Blog.

We live in a world where network security is a foundational concern for large enterprises like ours that are trusted with sensitive customer data. This creates an environment where we all need to ensure that we have high patching compliance across our massive array of devices. This complexity requires that we continuously improve our patching tools and solutions.

Layered on top of that, our need for device security exists within a complex matrix of software, hardware, and user interfaces. If our employees are running out-of-date software, they’re leaving their device and our network unsecured and vulnerable.

Christine Ruana (left), Biswa Jaysingh (center), and Jamshed Damkewala are among those helping Microsoft transform how it does first-party patching. Ruana is principal program manager for Microsoft Visual Studio responsible for enterprise deployments and updates of Visual Studio, Jaysingh is a principal product manager on our Microsoft Digital Employee Experience team, and Damkewala is a principal PM manager on the Platforms and Languages team responsible for .NET.

This is especially true when developers use powerful first-party tools like Microsoft Visual Studio and developer platforms like .NET to build new software. With developer platforms like .NET, this becomes even more critical because .NET is not just deployed to developer machines, it is also installed on the computers where the developed application will run.

Here at Microsoft Digital Employee Experience, the organization that powers, protects, and transforms the company, we are committed to holistically improving patching compliance rates across the company. To ensure we are improving security at every level of Microsoft’s infrastructure, from software and devices to the networks themselves, we are utilizing new technology and new approaches that we develop internally within our organization and within our product group partners.

“Every leader understands the extreme importance of keeping their data secure,” says Biswa Jaysingh, a principal product manager with Microsoft Digital Employee Experience. “No enterprise wants to be the next company that gets exposed by one of these hacks that has happened in the past and to lose sensitive business or customer data.”

Recent innovations in first-party patching technology at Microsoft, including in Windows Update for Business, Microsoft Endpoint Manager, and Microsoft Defender for Endpoints, are allowing us to unlock unprecedented levels of security across our network while at the same time reducing costs and speeding the timeline of deployment. From consolidating multiple deployments to reducing the impact of reboots on users, our changes are producing efficiencies across the business.

Within the matrix of network security at Microsoft, there are several critical arenas for security admins to monitor, patch, and secure. Malicious actors are looking at the full tech stack for vulnerabilities, which means our teams must monitor, patch, and secure devices at every level from the operating system and first-party software to hardware and third-party software.

[Discover boosting Windows internally at Microsoft with a transformed approach to patching.]

Reacting to the growing threat to first-party software

In the modern cloud-connected world there is more surface area that we need our IT professionals to protect. With more and more devices, from Internet of Things devices to peripherals having internet access, there is much larger potential for bad actors to break in. It’s more important than ever to stay secure, which means update compliance must be as close to 100 percent as possible across all levels of a device.

“The last thing we want is for Microsoft to ship a fix for a vulnerability, but an enterprise isn’t able to adopt the update. That would leave them insecure,” says Christina Ruana, principal program manager for Microsoft Visual Studio who is responsible for enterprise deployments and updates of Visual Studio.

This passion for effectively securing networks led Microsoft leaders like Ruana to ensure they’re doing everything possible to ease the burden of patching on our teams here at Microsoft and for our external customers. “Visual Studio’s recent Administrator update solution makes it much easier for enterprises to deploy updates through Microsoft Endpoint Manager,” Ruana says.

We’re using Microsoft Defender for Endpoints to manage the health of our devices, which is helping us improve the security of our network while also improving the user experience for our employees and our admins. Every efficiency gained along the way makes it more likely for compliance rates to grow. Teams are working around the clock to identify and patch vulnerabilities, but this work is only as effective as the compliance rate is strong.

A better experience for admins and users alike

We in the Microsoft Digital Employee Experience organization began our journey to transform the way we do patching by making it easier for our IT admins to deploy patches across our network.

Until recently, the first-party patching regime at Microsoft required a slew of software solutions to be manually managed, including important software applications like Visual Studio and .NET. But in November 2022, we were able to migrate numerous critical patch deployments to Windows Update for Business, dramatically increasing the timeliness and accuracy of device patching.

“At the start of the .NET journey we were seeing unacceptable compliance rates as developers were using the software in ways that we hadn’t anticipated,” says Jamshed Damkewala, principal PM manager on the Platforms and Languages team responsible for .NET. “This increased the complexity for maintaining patching compliance. We had to create paths for updating both current builds of .NET through Visual Studio and for keeping older builds compliant through Microsoft Update. This has improved compliance rates considerably.”

We gain significant efficiencies as we eliminate manual deployments through automation and streamline the rollout of patches through Windows Update and Windows Update for Business. With these universal sources for patches, we simultaneously reduce time for testing while reducing errors in the deployments.

With more accurate updates meeting user devices more quickly and hitting all builds of first-party software that require patching, our networks are more secure than ever. The ease of patches deploying on devices also reduces the impact on users, so they are more likely to remain compliant while experiencing minimal disruption.

Furthermore, the technology within Microsoft Defender for Endpoints allows for thorough device scanning to provide effective telemetry for admins to react to, giving them better knowledge to engineer future patches and policies for Windows Update for Business, which further grows compliance rates. We use it to scan and report vulnerabilities, which empowers our admins to respond faster. Microsoft Endpoint Manager also allows our admins to better manage Windows Update for Business policies.

Providing the tools for teams to succeed

Internally here at Microsoft, our updated technology allows us to monitor our networks more efficiently, providing detailed telemetry about device health that we’ve never had before. This visibility allows us to develop new protocols for our networks, including complicated cases of end-of-life devices and end-of-service software.

But the true unlock-for-efficiency comes in how these systems were designed, constructed, and automated.

“These innovations are not custom built for Microsoft,” says Harshitha Digumarthi, a senior product manager responsible for improving the patching experience at Microsoft Digital Employee Experience. “We are effectively leveraging technology that we already had to make it more efficient and effective for teams to patch their software.”

This approach reduces cost, increases the speed of development, and fundamentally improves the efficiencies of teams deploying mission-critical patches for their software. Potential errors caused by manual deployment are eliminated and the single update source on a single day per month improves the user experience considerably. The result is a more secure network through increased device compliance.

These benefits are compounded when it comes to first-party software like Visual Studio and .NET. We’ve seen a rise in patching compliance for internal customers developing new solutions with these products, all attributable to improvements in Visual Studio and .NET. As a result, security dividends can exponentially grow through the company and to the ecosystem at large. Our networks, and yours, are more secure thanks to these developments.

Key Takeaways

  • Ensure your software applications are kept up to date to remain secure. Follow this guidance for Visual Studio.
  • By utilizing a common deployment solution in Windows Update for Business and Microsoft Endpoint Manager, efficiency is gained and potential errors from manual updating are mitigated.
  • A single update source on a single day per month dramatically improves the user experience.
  • Innovations in device scanning provide new telemetry, which leads to new solutions for rare-but-important use cases like end-of-life devices and end-of-service software.

Boosting Windows internally at Microsoft with a transformed approach to patching
http://approjects.co.za/?big=insidetrack/blog/boosting-windows-internally-at-microsoft-with-a-transformed-approach-to-patching/
Wed, 12 Apr 2023 17:30:02 +0000

The post Boosting Windows internally at Microsoft with a transformed approach to patching appeared first on Inside Track Blog.

You’re only as secure as your most vulnerable machine.

That leaves enterprises like ours at risk when our employees don’t update to the latest software version on a timely basis. Bad actors are tirelessly pursuing the smallest of vulnerabilities, so responding quickly will always be essential when it comes to securing your organization’s environment.

For us, secure and timely Windows patching is one of our first lines of defense. That’s why we’re using Windows Update for Business to transform how we deploy our updates.

“Securing data is an extremely important priority,” says Biswa Jaysingh, a principal product manager with our Microsoft Digital Employee Experience team, the organization that powers, protects, and transforms the company. “This means responding quickly to vulnerabilities, getting accurate patches out in a timely manner, and helping users install updates using a disruption-free method.”

By making the deployment of Windows patching updates a better experience for our employees and the IT admins who own the process, we’ve decreased the amount of time it takes for us to respond to vulnerabilities, deploy patches, and reach target compliance rates. This approach has strengthened our overall security posture.

A big part of our transformed experience is due to Windows Update for Business, which reduces the time and effort it takes us to configure our machines and deploy security updates, which in turn is leading to better, more secure outcomes.

[Take a look at our rich set of content that chronicles our move to Windows 11. Explore the opportunities of Windows Update for Business. Learn how to deploy Visual Studio updates through Windows Update for Business.]

The triple aims of patching

Patching has three parts: completeness, timeliness, and accuracy.

Microsoft wants to make sure all devices—including those that employees rarely use—are compliant and secure, says Biswa Jaysingh, a principal product manager with our Microsoft Digital Employee Experience team.

“A single device left untouched causes the same amount of risk as not doing anything at all,” Jaysingh says. “It’s not a choice for the enterprise to patch some, but not all, of their vulnerabilities, and say, ‘Let’s just hope that no one cracks open the one we didn’t patch.’”

That’s where patching compliance comes into play. The goal is always to have a vulnerability patched in the shortest amount of time possible across a large volume of user devices. The third leg, accuracy, is ensuring that all dependencies are also addressed for vulnerabilities.

Of course, a patch only works when correctly installed, which is why Microsoft sets aggressive internal timeliness standards to define how long users have to install the updates.

“We should reach 95 percent compliance within 30 days after a security update is released,” says Harshitha Digumarthi, a senior product manager responsible for improving the security patching experience on our Microsoft Digital Employee Experience team. “Users don’t always treat updates with the same degree of importance, especially if it disrupts their work. Making Windows patching a better experience improves our compliance significantly.”

Automatic forced reboots and a deluge of notifications were not a pleasant update experience. While effective from a brute-force perspective, they caused consternation among users who delayed or avoided updating their devices.

What if, for example, you were in a presentation when your machine automatically shut down for an update? This kind of disruption to productivity is the kind of experience we’re trying to avoid.

Providing a seamless patching experience

Our team in Microsoft Digital Employee Experience has implemented new recommendations that minimize disruption for users while bolstering the Windows patching security posture. This process begins with adopting advances in Windows Update for Business.

Windows Update for Business automates a significant portion of the deployment process, eliminating the need for our IT admins to complete multiple builds and tests and allowing them to work more efficiently and accurately.

Overall, this strategy reduces our operational costs and improves our speed of deployment and adoption.

In Windows Update for Business, we can expedite zero-day patching, communicate with users, and easily manage deployment deadlines and notifications. All of this used to be manual.

These efficiencies allow our admins to take on other tasks.

But it also ensures a better update experience for users by having predictable and accurate patches deployed at the same time each month.

Microsoft’s goal is to install all new updates on all devices in its ecosystem within 30 days of an update being released, says Harshitha Digumarthi, a senior product manager responsible for improving the security patching experience on our Microsoft Digital Employee Experience team.

“By utilizing Windows Update for Business, we are now routing all software updates for both Windows and other key Microsoft applications like Visual Studio to a single deployment on Patch Tuesday,” Digumarthi says. “This means that we have reduced the impact on users to only a single monthly reboot.”

Our employees appreciate the smoother, less invasive patching experience given by Windows Update for Business and are installing updates more quickly. More complete and timely update compliance means that Microsoft is more secure.

Driving compliance and security

Our Microsoft Digital Employee Experience team continues to make strides in improving our Windows update workflow, creating a better user and admin experience. Windows Update for Business empowers us to close vulnerabilities faster, achieving the triple aim of completeness, timeliness, and accuracy, all while reducing operational cost and achieving our security goals.

“The primary focus is creating a great user experience,” Digumarthi says. “After that it’s about improving operating costs and the admin experience. It’s very expensive to patch and meet compliance goals, but we’re finding ways to become more efficient with automation.”

Creating a predictable Windows update experience, where users know when they’re getting updates, has significantly improved compliance. Once everything is packaged into the smallest number of reboots possible, and notifications cease to be a disruption, patching becomes less of a hassle.

“We worked hard to minimize the impact that updates have on users and teams to encourage more timely compliance,” Jaysingh says. “We are seeing success on all fronts, and the proof is in our compliance rates. We are now more secure than ever.”

Key Takeaways

  • With Windows Update for Business, everything becomes predictable for users: all updates are integrated on Patch Tuesday, and reboots are minimized. You can install the security updates to Windows alongside security updates to other Microsoft applications like Visual Studio, which aligns the timing for when your machines are secure.
  • By batching Windows patches in Windows Update for Business, IT admins are seeing reduced workloads through automation.
  • Deployment timeframes are compressed with this strategy as testing regimes are automated in Windows Update for Business, and users are adopting updates more quickly.
  • Understanding your device population helps admins recognize why compliance rates might be low. If users do not have enough disk space for a patch, for example, they might be delaying and inhibiting your compliance goals.
