Changes to Software Updates on Down Level Operating Systems for ConfigMgr Admins

Back in May, Microsoft started on a journey of simplifying and improving servicing for Operating Systems prior to Windows 10. These changes apply to Windows 7 SP1, Windows 8.1, Windows Server 2012 and Windows Server 2012 R2.

References:

What's changing?

Since the original announcement in May up until now, Microsoft has released individual security updates and a monthly rollup pack with non-security updates. Individual security updates allowed organisations to apply only security updates that they believed were applicable based on internal processes. In reality, most organisations applied all security updates to meet compliance requirements.

From Patch Tuesday in October 2016, there will be 3 update types released for each Windows version and architecture. The updates are described in the table below:

Update Type Description Release Time Classification Windows Update WSUS Windows Update Catalog
Monthly Rollup Includes security fixes, reliability fixes, bug fixes, etc. Supersedes and includes all updates provided previously. 2nd Tuesday Security Required Yes Yes
Security only Security fixes released this month 2nd Tuesday Security No Yes Yes
Monthly Rollup Preview Includes all previous security updates, and new reliability fixes, bug fixes, etc. Does not include new security fixes on top of the Monthly Rollup. 3rd Tuesday Updates Optional Yes Yes

Graphically, this is how updates are changing (a lock is a security fix and a settings cog is a reliability or bug fix).

[caption id="attachment_3825" align="alignnone" width="879"]Graphical Representation of Changes to Servicing Graphical Representation of Changes to Servicing[/caption]

The updates will have names of the format:

Update Type Name Format Example
Monthly Rollup [Month, Year] Security Monthly Quality Rollup for [OS] [architecture] (KB #) October, 2016 Security Monthly Quality Rollup for Windows Server 2012 R2 (KB3185331)
Security Only [Month, Year] Security Only Quality Update for [OS] [architecture] (KB #) October, 2016 Security Only Quality Update for Windows Server 2012 R2 (KB3192392)
Monthly Rollup Preview [Month, Year] Preview of Monthly Quality Rollup for [OS] [architecture] (KB #)

Here is a screenshot of the updates released this month for Windows 7:
[caption id="attachment_3835" align="alignnone" width="828"]October 2016 Windows 7 Updates October 2016 Windows 7 Updates[/caption]

What does this mean for you as a Configuration Manager admin?

There are no updates required for Configuration Manager or WSUS. For organisations or groups within organisations that only want to apply security updates, security-only updates can continue to be applied. As before, if the update causes a problem the update can be removed until the issue is resolved. If the issue is related to the fix itself, a case should be logged with Microsoft.

The Configuration Manager and Simplified Windows Servicing on Down Level Operating Systems post on the Enterprise Mobility + Security blog gives a great explanation of how to modify ADRs to cater for the new update format.

What does the future hold? (Other than consistently patched Windows devices everywhere)

Over the next 18 months, Microsoft will continue to evaluate previous security and non-security updates and include them in then monthly hotfixes. Any update added to the rollups will be documented in the corresponding KB article.

While this all sounds very scary, it's actually really great. Simplifying servicing is a win for everyone. Less complexity, less updates, faster installation and Operating System build times.

Call to Action

  1. Review and change ADRs as relevant.
  2. Implement processes to test the new rollup updates and fit them into your patching cycles.
  3. Follow Enterprise Mobilty + Security and Windows 10 for IT Pros for updates.