
Windows 10 Ditches Patch Tuesday for Security's Sake

Neil J. Rubenking, Principal Writer, Security


With roughly 50 million lines of code, Windows is bound to have some bugs, and some of those bugs are bound to affect security. When flaws are found, Microsoft issues patches as fast as possible, but those patches do no good if you fail to apply them. Even if you're diligent, Patch Tuesday comes just once a month, so a vulnerability discovered the day after Patch Tuesday won't be patched until the next Patch Tuesday rolls around. At Microsoft's Ignite conference in Chicago, Microsoft Executive VP Terry Myerson surprised his audience with the news that in Windows 10, Patch Tuesday will no longer exist (for consumers, anyway).

Microsoft plans to push out patches to Windows 10 users as soon as the fixes are ready, on a 24/7 basis, potentially reducing the time that PCs might be vulnerable to threats by as much as a month. This new system includes all devices running Windows 10, be they PCs, tablets, or smartphones. Myerson noted that Windows 10's update system "will also be regularly delivering ongoing Windows innovation in addition to security updates."

Myerson also took a swipe at Google, noting that the software giant ships "piles" of Android code without committing to any kind of follow-through when vulnerabilities turn up. As a result, there are thousands of slightly different Android installations, depending on who manufactured the device and how the provider handles updates. This fragmentation makes applying a patch to all Android devices nearly impossible.

Is It Safe?
It's true that Microsoft has occasionally released faulty patches. A couple of years ago, one patch triggered the dreaded Blue Screen of Death on some Windows systems. Other problem patches have affected Microsoft Office and Windows 2000 (remember Windows 2000?).

More recently, a buggy patch for root certificate issues ended up causing update problems for Windows 7 users. And a kernel-mode driver update last summer put some Windows 7 systems into an endless BSOD loop.

I have to hope that quality control for the coming 24/7 updates will be extremely thorough. Some prudent users currently set Windows Update to download updates automatically but install them manually. It's not clear as yet whether this will be possible under the new system.

Windows Update for Business
If a bad patch does come through, it will certainly be an annoyance to the average consumer. But a bad patch that affects a business's systems and servers could be utterly disastrous. Never fear; Windows Update for Business allows business IT departments to retain control of the patching process. In fact, IT managers will have more control than ever over the update process.

Given that every now and then a buggy patch comes out, IT departments always want some time to evaluate patches before deploying them companywide. Under the new plan, consumers will get patches first, and any bugs will probably shake out during this initial release. (Sorry guys, but it does seem that we'll be the guinea pigs in this scenario.) Businesses will receive a monthly bundle of patches, just as with the existing Windows Update.

According to Myerson's post, Windows Update for Business will allow IT pros to define which devices will receive updates first, and which will wait for later on, after any problems have been worked out. They'll also be able to define business-critical times when no updates should be applied, and times that are safe for maintenance.

Inside the company network, the IT department can monitor all Windows 10 devices and push out updates as needed. Ensuring that remote employees or branch offices get all necessary updates isn't always as simple, especially given that some may have limited bandwidth. A new system of peer-to-peer update delivery aims to ensure that even these remote systems receive all updates.

Serious About Security
Windows 10 won't allow applications to run unless they're digitally signed with a trusted certificate. This change alone means a vast number of malicious apps won't run on Windows 10. Identity protection and phishing detection will be built in, along with options for two-factor authentication.

All of these new security features are as susceptible as any other Windows component to the possibility of a coding error, though. In Windows 10, when a security patch is available, we'll get it right away, without waiting for the next Patch Tuesday. And if the patch itself needs to be patched, well, at least you'll get the fix the moment it's ready.
