Changes to Software Updates on Down Level Operating Systems for ConfigMgr Admins
Back in May, Microsoft started on a journey of simplifying and improving servicing for Operating Systems prior to Windows 10. These changes apply to Windows 7 SP1, Windows 8.1, Windows Server 2012 and Windows Server 2012 R2.
References:
- More on Windows 7 and Windows 8.1 servicing changes
- A Bit About the Windows Servicing Model
- Configuration Manager and Simplified Windows Servicing on Down Level Operating Systems
- Simplified servicing for Windows 7 and Windows 8.1: the latest improvements (Jan 2017)
What's changing?
Since the original announcement in May up until now, Microsoft has released individual security updates and a monthly rollup pack with non-security updates. Individual security updates allowed organisations to apply only security updates that they believed were applicable based on internal processes. In reality, most organisations applied all security updates to meet compliance requirements.
From Patch Tuesday in October 2016, there will be 3 update types released for each Windows version and architecture. The updates are described in the table below:
Update Type | Description | Release Time | Classification | Windows Update | WSUS | Windows Update Catalog |
---|---|---|---|---|---|---|
Monthly Rollup | Includes security fixes, reliability fixes, bug fixes, etc. Supersedes and includes all updates provided previously. | 2nd Tuesday | Security | Required | Yes | Yes |
Security only | Security fixes released this month | 2nd Tuesday | Security | No | Yes | Yes |
Monthly Rollup Preview | Includes all previous security updates, and new reliability fixes, bug fixes, etc. Does not include new security fixes on top of the Monthly Rollup. | 3rd Tuesday | Updates | Optional | Yes | Yes |
Graphically, this is how updates are changing (a lock is a security fix and a settings cog is a reliability or bug fix).
[caption id="attachment_3825" align="alignnone" width="879"] Graphical Representation of Changes to Servicing[/caption]
The updates will have names of the format:
Update Type | Name Format | Example |
---|---|---|
Monthly Rollup | [Month, Year] Security Monthly Quality Rollup for [OS] [architecture] (KB #) | October, 2016 Security Monthly Quality Rollup for Windows Server 2012 R2 (KB3185331) |
Security Only | [Month, Year] Security Only Quality Update for [OS] [architecture] (KB #) | October, 2016 Security Only Quality Update for Windows Server 2012 R2 (KB3192392) |
Monthly Rollup Preview | [Month, Year] Preview of Monthly Quality Rollup for [OS] [architecture] (KB #) |
Here is a screenshot of the updates released this month for Windows 7:
[caption id="attachment_3835" align="alignnone" width="828"] October 2016 Windows 7 Updates[/caption]
What does this mean for you as a Configuration Manager admin?
There are no updates required for Configuration Manager or WSUS. For organisations or groups within organisations that only want to apply security updates, security-only updates can continue to be applied. As before, if the update causes a problem the update can be removed until the issue is resolved. If the issue is related to the fix itself, a case should be logged with Microsoft.
The Configuration Manager and Simplified Windows Servicing on Down Level Operating Systems post on the Enterprise Mobility + Security blog gives a great explanation of how to modify ADRs to cater for the new update format.
What does the future hold? (Other than consistently patched Windows devices everywhere)
Over the next 18 months, Microsoft will continue to evaluate previous security and non-security updates and include them in then monthly hotfixes. Any update added to the rollups will be documented in the corresponding KB article.
While this all sounds very scary, it's actually really great. Simplifying servicing is a win for everyone. Less complexity, less updates, faster installation and Operating System build times.
Call to Action
- Review and change ADRs as relevant.
- Implement processes to test the new rollup updates and fit them into your patching cycles.
- Follow Enterprise Mobilty + Security and Windows 10 for IT Pros for updates.
Comments
- Anonymous
October 11, 2016
The comment has been removed- Anonymous
October 12, 2016
That's a great question. Honestly I've mostly been focusing on the way it works with ConfigMgr. Based on my limited understanding of Auto Approval rules in WSUS I'm not actually sure it's possible to choose one or the other. This is potentially possible using a script or some other process. Alternatively you could use Configuration Manager ;)
- Anonymous
- Anonymous
October 12, 2016
Congrat, Crystal clear graphic that will make history. Will use it for my customers. Thanks a million - Anonymous
October 25, 2016
It would appear your information about the "preview" patches not being rolled out to Windows Update does not match information from other MS sources. You say they won't, but others say they will. So which is correct?https://blogs.technet.microsoft.com/windowsitpro/2016/10/07/more-on-windows-7-and-windows-8-1-servicing-changes/https://blogs.technet.microsoft.com/enterprisemobility/2016/10/07/configuration-manager-and-simplified-windows-servicing-on-down-level-operating-systems/- Anonymous
October 25, 2016
Hi Kevin, you are correct, I'll adjust my wording. The preview updates are made available as optional to Windows Update.
- Anonymous