SecurityWeek

Microsoft Halts Advanced Notification of Patch Tuesday Updates to Public

Microsoft No Longer Making Patch Tuesday Advanced Notification Available for General Public

Microsoft has decided to ditch its tradition of publicly publishing information about upcoming patches the Thursday before Patch Tuesday.

The decision represents a drastic change for the company’s Advance Notification Service (ANS), which was created more than a decade ago to communicate information about security updates before they were released.

“Moving forward, we will provide ANS information directly to Premier customers and current organizations involved in our security programs, and will no longer make this information broadly available through a blog post and web page,” blogged Chris Betz, senior director of Microsoft Security Response Center. “ANS has always been optimized for large organizations. However, customer feedback indicates that many of our large customers no longer use ANS in the same way they did in the past due to optimized testing and deployment methodologies. While some customers still rely on ANS, the vast majority wait for Update Tuesday, or take no action, allowing updates to occur automatically.”

According to Betz, instead of using ANS to help plan security update deployments, customers today are increasingly turning to Microsoft Update and security update management tools such as Windows Server Update Service to help organize and prioritize deployment. In addition, other customers are using cloud-based systems that provide continuous updating, Betz added.

“For Premier customers who would still like to receive this information, Microsoft will continue to provide ANS through their Technical Account Manager support representatives,” he added. “ANS will also continue to be provided to current organizations that are part of our security programs such as the Microsoft Active Protections Program. For customers without a Premier support contract, we recommend taking advantage of myBulletins, which enables customers to tailor security bulletin information based on only those applications running in their environment.”

Responses to the move appear to be mixed.

“Hmmh, I personally have always thought that our customers were interested in the information contained in ANS, but we will see how that works out,” blogged Qualys CTO Wolfgang Kandek.

“I think for the people responsible for patching, it does cut clutter, as long as you don’t mind keeping Microsoft up-to-date on everything you’re running, and trust them to send all the right Bulletins,” said Jon Rudolph, principal software engineer at Core Security. “And if a customer’s security is to just use Windows Update, I suppose this is already the case. But if Microsoft is reversing the script here and stating ‘There may be new vulnerabilities that don’t concern you,’ should that loss of visibility concern the security professional who is looking past the current patch?”

The vulnerabilities, Rudolph added, teach the public something every month about software, security, mistaken assumptions, the quality of the product and the threat landscape.

“I’m glad to see that they are willing to talk about the trends they observe in the existing system, but by making this switch, Microsoft is not just cutting through the clutter, they are hiding their security report card from the general public,” he said.
