Windows 7 & Windows 8 Servicing Changes

All supported versions of Windows will now follow a similar update servicing model, bringing a more consistent and simplified servicing experience. For those of you who manage Windows updates within your organization, it’s important that you understand the choices that will be available.

First, let’s review what we will release each month:

A security-only quality update

  • A single update containing all new security fixes for that month
  • This will be published only to Windows Server Update Services (WSUS), where it can be consumed by other tools like ConfigMgr, and the Windows Update Catalog, where it can be downloaded for use with other tools or processes. You won’t see this package offered to PCs that talk to Windows Update.
  • This will be published to WSUS using the “Security Updates” classification, with the severity set to the highest level of any of the security fixes included in the update.
  • This (like all updates) will have a unique KB number.
  • This security-only update will be released on Update Tuesday (commonly referred to as “Patch Tuesday”), the second Tuesday of the month.  (This is also referred to as a “B week” update.)

A security monthly quality rollup

  • A single update containing all new security fixes for that month (the same ones included in the security-only update released at the same time), as well as fixes from all previous monthly rollups.  This can also be called the “monthly rollup.”
  • This will be published to Windows Update (where all consumer PCs will install it), WSUS, and the Windows Update Catalog.  The initial monthly rollup released in October will only have new security updates from October, as well as the non-security updates from September.
  • This will be published to WSUS using the “Security Updates” classification.  Since this monthly rollup will contain the same new security fixes as the security-only update, it will have the same severity as the security-only update for that month.
  • With WSUS, you can enable support for “express installation files” to ensure that client PCs only download the pieces of a particular monthly rollup that they haven’t already installed, to minimize the network impact.
  • This (like all updates) will have a unique KB number.
  • This monthly rollup will be released on Update Tuesday (also known as “Patch Tuesday”), the second Tuesday of the month.  (This is also referred to as a “B week” update.)

A preview of the monthly quality rollup

  • An additional monthly rollup containing a preview of new non-security fixes that will be included in the next monthly rollup, as well as fixes from all previous monthly rollups.  This can also be called the “preview rollup.”
  • This preview rollup will be released on the third Tuesday of the month (also referred to as the “C week”).
  • This will be published to WSUS using the “Updates” classification as an optional update.  It will also be available via Windows Update (where all consumer PCs will install it) and on the Windows Update Catalog.
  • With WSUS, you can enable support for “express installation files” to ensure that client PCs only download the pieces of a particular monthly rollup that they haven’t already installed, to minimize the network impact.
  • Starting in early 2017 and continuing for several months, older fixes will also be added to the preview rollup, so it will eventually become fully cumulative; installing the latest monthly rollup will then get your PC completely up to date.
  • This (like all updates) will have a unique KB number.


Each month there will be separate updates released for a variety of reasons (e.g. DST time zone changes, out-of-band security fixes). Many of these will be rolled into the next monthly rollup, although some will remain separate, including Office, Flash and Silverlight updates.

Internet Explorer updates

The security-only and monthly rollups will contain fixes for the Internet Explorer version supported for each operating system.  For Windows 7, Windows 8.1, Windows Server 2008 R2, and Windows Server 2012 R2, that is Internet Explorer 11; for Windows Server 2012, that is Internet Explorer 10.  The security-only, monthly rollup, and preview rollup will not install or upgrade to these versions of Internet Explorer if they are not already present.

.NET Framework monthly rollup

The .NET Framework will also follow the monthly rollup model with a monthly release known as the .NET Framework monthly rollup. The .NET Framework monthly rollup will deliver both security and reliability updates to all versions of the .NET Framework as a single monthly release, targeting the same timing and cadence as Windows. It is important to note that the rollup for the .NET Framework will only deliver security and quality updates to the .NET Framework versions currently installed on your machine. It will not automatically upgrade the base version of the .NET Framework that is installed. Additionally, the .NET Framework team will also release a security-only update on Microsoft Update Catalog and Windows Server Update Services every month.

See https://blogs.msdn.microsoft.com/dotnet/2016/10/11/net-framework-monthly-rollups-explained/ for more information on the changes to .NET Framework updates.

Update strategy choices

Operationally, this means that you now have some choices for updating Windows 7 and Windows 8.1 PCs.  These choices closely correspond to the way you update Windows today, as discussed in the following sections.

You install all security and non-security fixes as we release them


This is our recommended updating strategy, as it ensures that all fixes for Windows are deployed on the PCs that you manage.  To implement this, you should deploy the monthly rollup.  For those using WSUS, the following steps are recommended:

  • Ensure that you have selected the “Security Updates” classification in the WSUS “Products and Classifications” options page, so that both the security-only update and the monthly rollup released on Update Tuesday are synchronized.  To synchronize the optional preview rollup, also ensure the “Updates” classification is selected.
  • Ensure that you have enabled support for “express installation files” in the WSUS “Update Files and Languages” options page.
  • Existing automatic approval rules for Windows 7 or Windows 8.1 will continue to work as is.  Note that since the security-only update and the monthly rollup are both classified as “Security Updates,” rules that specify this classification will approve both.  See the What’s expected if you install both updates? section below for details.  You may also manually approve just the monthly rollup.
  • To preview the next month’s non-security fixes on the third Tuesday of the month, you can set up an automatic approval rule for “Updates”, targeting all computers or a subset of them, as appropriate.

If using ConfigMgr, you can perform similar steps:

  • Ensure you have the “Security Updates” classification selected in the “Software Update Point” properties for the site.  To synchronize the optional third Tuesday monthly rollup, also ensure the “Updates” classification is selected.
  • Existing Automatic Deployment Rules (ADRs) for Windows 7 or Windows 8.1 will continue to work as is.  Note that since the security-only update and the monthly rollup are both classified as “Security Updates,” rules that specify this classification will approve both.  See the What’s expected if you install both updates? section below for details.  You may also manually approve just the monthly rollup.  Alternatively, you can filter based on the title of the update (taking into account the different localized strings when deploying non-English updates):

    Suggested English title search strings (which must be adjusted for other languages and could be different for .NET Framework updates) include:
    “Security Only”
    “Security Monthly Quality Rollup”
    “Preview of Monthly Quality Rollup”
  • Note that Configuration Manager does not support express updates, so the entire monthly rollup will be downloaded to each PC each month.

With these small adjustments, the overall update management process will be very similar to what was used previously.

You install all security fixes, but no other fixes


For organizations that typically deploy only security fixes, you will now find that instead of approving or deploying a set of fixes each Update Tuesday, you will approve or deploy just a single update.

Since the security-only update and the monthly rollup both are published using the “Security Updates” classification, existing automatic approval rules in WSUS would approve both the security-only and the monthly rollup each month.  The same is also true with Configuration Manager automatic deployment rules.  This will require either manually approving or deploying updates each month, or in the case of Configuration Manager, adjusting existing automatic deployment rules.  See the previous section for details.
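The following PowerShell is an added example for this security-fixes-only scenario and for the title-string filtering suggested in the ConfigMgr section above; it is not code from the original post or from Microsoft. It uses the UpdateServices module that ships with the WSUS console to approve only the “Security Only” package of the month to one target group, while leaving the monthly rollup unapproved. It assumes it is run on the WSUS server, that update titles are in English (the patterns must be adjusted for other locales), and that a target group named “Pilot” exists (a placeholder name).

```powershell
# Added example, not code from the original post or from Microsoft.
# Approve only the month's "Security Only" package to a WSUS target group,
# leaving the "Security Monthly Quality Rollup" unapproved. This is the
# manual step the post describes, since an automatic approval rule on the
# "Security Updates" classification would approve both packages.
# Assumptions: run on the WSUS server with the UpdateServices module,
# English update titles, and a target group named "Pilot" (placeholder).

Import-Module UpdateServices

function Approve-SecurityOnlyUpdates {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [string]$TargetGroupName     = 'Pilot',                            # placeholder group name
        [string]$SecurityOnlyPattern = '*Security Only*',                  # English title string from the post
        [string]$RollupPattern       = '*Security Monthly Quality Rollup*' # English title string from the post
    )

    # Both packages carry the "Security Updates" classification, so the
    # classification cannot separate them; the title can. (The preview rollup
    # is classified as "Updates" and therefore does not appear in this set.)
    $unapproved = @(Get-WsusUpdate -Classification Security -Approval Unapproved -Status Any)

    $securityOnly = @($unapproved | Where-Object { $_.Update.Title -like $SecurityOnlyPattern })
    $rollups      = @($unapproved | Where-Object { $_.Update.Title -like $RollupPattern })

    foreach ($u in $securityOnly) {
        $kb = $u.Update.KnowledgebaseArticles | Select-Object -First 1
        if ($PSCmdlet.ShouldProcess("KB$kb '$($u.Update.Title)'", "Approve for install to $TargetGroupName")) {
            Approve-WsusUpdate -Update $u -Action Install -TargetGroupName $TargetGroupName
        }
    }

    # Make the deliberate skip visible in the transcript or log.
    foreach ($r in $rollups) {
        Write-Verbose ("Left unapproved (rollup): {0}" -f $r.Update.Title)
    }

    [pscustomobject]@{
        SecurityOnlyApproved = $securityOnly.Count
        RollupsSkipped       = $rollups.Count
    }
}

# Dry run first (-WhatIf lists what would be approved without changing WSUS),
# then run it for real against the pilot group.
Approve-SecurityOnlyUpdates -WhatIf -Verbose
# Approve-SecurityOnlyUpdates -TargetGroupName 'Pilot'
```

Because the function supports -WhatIf, it can be scheduled after each Update Tuesday synchronization and reviewed before the real approval; the same title filter can be used in a ConfigMgr ADR search criterion, as the post suggests, with the localized strings substituted for non-English deployments.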

You install all security updates as we release them, and some non-security fixes to address specific problems

Since the organization will typically be deploying only the security-only fix, see the previous section for full details.  In cases where there is a need to deploy one or more non-security fixes, manually approve the latest monthly rollup that contains the needed fixes.  This monthly rollup will contain other fixes as well, so the entire package must be installed.

What’s expected if you install both updates?

Since all the new security fixes for a given month are available in both the security-only update and the monthly rollup, it’s important to understand the behavior that may be seen if you deploy both updates in the same month.

For example, assume you approve and deploy the security-only update and the monthly rollup that are both released on Update Tuesday (a.k.a. “Patch Tuesday,” the second Tuesday of the month).  This isn’t necessary, since the security fixes are also included in the monthly rollup, and it would generate additional network traffic since both would be downloaded to the PC.  But what would happen?  It depends on the installation sequence:

  • If the monthly rollup fix installs first, the security-only update would then no longer be applicable to the PC, since the entire content of that security-only update would already be installed.
  • If the security-only update installs first, the monthly rollup will still be applicable as it contains additional fixes (both non-security fixes and older security fixes) that are needed by the PC.

Depending on the management tool you are using to deploy these updates, this may be represented differently in the compliance reports provided by those tools.

As long as you install one or the other (security-only update or monthly rollup), the PCs will have the needed security fixes released that month.
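The following PowerShell is an added example for checking the behavior described above on a client PC; it is not code from the original post or from Microsoft. It reports whether either package for the month is installed (which is what matters for coverage) and asks the Windows Update Agent whether each package is still being offered, so an administrator can confirm that a PC which already has the monthly rollup no longer reports the security-only update as applicable. It assumes local administrator rights, and the two KB numbers are placeholders to be replaced with the month’s real values.

```powershell
# Added example, not code from the original post or from Microsoft.
# Client-side check: a PC is covered for the month if either the monthly
# rollup or the security-only update is installed. Once the rollup is present,
# the Windows Update Agent should no longer offer the security-only package;
# if the security-only update went in first, the rollup stays applicable.
# Assumptions: run as a local administrator; both KB numbers are placeholders.

function Test-MonthlySecurityCoverage {
    param(
        [Parameter(Mandatory)][string]$RollupKB,        # placeholder, e.g. '1234567'
        [Parameter(Mandatory)][string]$SecurityOnlyKB   # placeholder, e.g. '7654321'
    )

    # Installed packages as recorded on the PC (HotFixID has the form 'KBnnnnnnn').
    $installed  = @(Get-HotFix | Select-Object -ExpandProperty HotFixID)
    $hasRollup  = $installed -contains "KB$RollupKB"
    $hasSecOnly = $installed -contains "KB$SecurityOnlyKB"

    # Ask the Windows Update Agent, against its configured source (WSUS or
    # Windows Update), which updates it still considers applicable and missing.
    $session  = New-Object -ComObject 'Microsoft.Update.Session'
    $searcher = $session.CreateUpdateSearcher()
    $pending  = $searcher.Search('IsInstalled=0 and IsHidden=0')

    $offeredKBs = @()
    foreach ($update in $pending.Updates) {
        foreach ($kb in $update.KBArticleIDs) { $offeredKBs += [string]$kb }
    }

    [pscustomobject]@{
        RollupInstalled          = $hasRollup
        SecurityOnlyInstalled    = $hasSecOnly
        CoveredThisMonth         = ($hasRollup -or $hasSecOnly)
        RollupStillOffered       = ($offeredKBs -contains $RollupKB)
        SecurityOnlyStillOffered = ($offeredKBs -contains $SecurityOnlyKB)
    }
}

# Example call with placeholder KB numbers:
Test-MonthlySecurityCoverage -RollupKB '1234567' -SecurityOnlyKB '7654321'
```

A result with RollupInstalled true and SecurityOnlyStillOffered false matches the first bullet above; SecurityOnlyInstalled true with RollupStillOffered true matches the second. CoveredThisMonth is the value worth reporting on, since a compliance report that counts the unneeded package as “missing” would otherwise overstate exposure.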

The common concern:  What if an update causes an issue?

Every Windows update is extensively tested with our OEMs and ISVs, and by customers – all before these updates are released to the general population.

Your organization may also be interested in validating updates before they are publicly released, by participating in the Security Update Validation Program (SUVP).  This program enables organizations to establish an additional early validation ring within the organization, while also providing a direct channel back to Microsoft for any issues encountered.  For more information on SUVP, see https://msdn.microsoft.com/en-us/gg309155.aspx; contact your Technical Account Manager or Microsoft account team to discuss this further.

To minimize the potential impact on an organization, we recommend that you always have a “ringed” deployment approach for all updates, starting with the IT organization, expanding to one or more pilot groups, followed by one or more broad deployment groups.  Allow sufficient time between rings for users to report any issues that they might see.

If any issues are encountered, we recommend stopping or pausing deployment of the update and contacting Microsoft Support as soon as possible.  Based on our analysis of the issue, we may recommend different courses of action, such as:

  • Rolling back the update on affected machines while the issue is being investigated.
  • Installation of other updates known to resolve the issue observed.
  • Working with the publisher (ISV) for an affected application.

The specific action is determined on a case-by-case basis, and could be different for each customer based on the specific impact to the organization.  Regardless of the action, be assured that any issues with an update are considered top priority and that we will work hard to resolve these as quickly as possible.

Use peer-to-peer technologies to help with update distribution

While express installation files can help greatly reduce the amount of content needed to patch each PC, it is still useful to implement peer-to-peer sharing technologies like BranchCache or Delivery Optimization to reduce the overall impact on the network by allowing PCs to obtain the updates they need from other PCs on the network that have already obtained them from WSUS or ConfigMgr.

You can deploy BranchCache by enabling the feature on each WSUS or ConfigMgr server, then configuring the client PCs using Group Policy to use a distributed cache.  See https://technet.microsoft.com/en-us/itpro/windows/manage/waas-branchcache for more information.  While the full BranchCache functionality is only available in the Windows Enterprise SKU, BITS support (all that’s needed for caching updates) is also available in the Windows Pro SKU.  See https://technet.microsoft.com/en-us/library/mt613461.aspx#bkmk_os for more information.

Summary

These changes will further simplify your updating of Windows 7 SP1, Windows 8.1, Windows Server 2012, and Windows Server 2012 R2 computers, while also improving scanning and installation times and providing flexibility depending on how you typically manage Windows updates today.

