Windows Update Team

Bharat Shah, Ken Showman, Mazhar Mohammed, David Kays, Edward Reus, Mario Goertzel, Farzana Rahman

2010 Outstanding Technical Achievement
The foundation of Trustworthy Computing, Windows Update helps maintain the security of Microsoft products and services.

In awarding the 2010 Outstanding Technical Achievement Award to the Windows Update Team of Mario Goertzel, David Kays, Farzana Rahman, Edward Reus, Mazhar Mohammed, Bharat Shah and Ken Showman, Microsoft honors a multi-year effort that has achieved nothing less than transitioning patch management from what was once a corporate liability into a strategic asset. This foundational element of Microsoft's efforts in Trustworthy Computing is responsible for helping keep hundreds of millions of Microsoft users updated and secure.

The success of Windows Update was born from adversity, primarily encountered in 2003 and 2004. Prior to that time, Microsoft updates were released to a website for download, leaving many customers unsure as to whether their systems were up-to-date and secure. But after a series of malware attacks (notably the Nimda and Sasser worms) exploited vulnerabilities in the operating system that had already been identified and fixed for more than 100 days, it became clear the company needed a faster and more thorough method for distributing system updates.

The situation illustrates the paradox of performing security updates in general. Everyone understands (or ought to understand) that the overwhelming success of Microsoft software and its broad usage is primarily what makes it the target of security attacks. Fewer, however, realize that the very act of providing security updates serves to alert hackers to potential vulnerabilities that they can exploit. Once a patch is released, the clock starts ticking.

"That pattern still exists today," explains Mario Goertzel, General Manager of Online Management Platform and Solutions. "Until we release the update, usually nobody is exploiting any of the vulnerabilities of the software. After we release the update, the vulnerability becomes known."

With the 2004 introduction of Windows Update V5 in conjunction with Windows XP Service Pack, followed by the 2005 release of the Software Update Services tool (now Windows Server Update Services), the team dramatically increased the reach and speed of its updates. "The number one change we made to improve the speed was to switch people by default to the scheduled installation, and also add the ability to install updates when you shut down your computer," explains Goertzel. "That got our install rate up from somewhere between 60 to 65 percent after a three-week period, to over 95 percent over that same period of time. These were fantastic results—something most businesses have trouble achieving within their own internal networks, and yet we were able to manage it across our whole user base."

At the time, that user base was 130 million. Today it's over 700 million monthly unique users, receiving about 10 billion updates per month. Update services are built on a federated platform which is shared across the Windows Update service and Windows Server Updated Services. Despite this enormous scale, the service is rated as one of the most reliable on the Internet today.

In 2005, the service expanded with Microsoft Update, with enhancements to support patching for all Microsoft software products. Unlike Windows Update, Microsoft Update is not an automatic service (meaning users must opt to utilize it); nevertheless, Goertzel notes, "this year we crossed the 60 percent mark of Windows Update users who are also Microsoft Update users."

Ultimately, the success of any cutting-edge venture lies in how quickly it becomes routine. Windows Update's automatic updates were seen as risky and controversial at the time. "That sounds really strange today, five years later, because it's the expected behavior at this point," says Goertzel. "I think that's one of the good things about technology shifts–one of the ways you measure its success is if it becomes common sense. It starts out as a crazy idea, and becomes something that's everyday and expected."