Patching with Windows Server 2016


UPDATED – 1/25/2017


There are exciting changes in Windows Server 2016 that simplify and streamline patching.  I think you will find Windows Server 2016 easier to maintain, which will help reduce OpEx costs.  Let's discuss some of these key changes.


Update Consolidation

In Windows Server 2016 the sea of updates will be streamlined and simplified into a single package.  All updates released over a given month will be rolled up into a single package.  This removes the guesswork and burden of sorting through the large number of hotfixes released through many different channels trying to identify the ones you need.  It will also simplify the test matrix, making your internal verification processes easier, and increase quality by ensuring all changes are verified together to confirm interoperability.


Cumulative

The complexity and uncertainty of trying to figure out which updates you may have installed or missed will be gone with Windows Server 2016.  The monthly packages will be cumulative, meaning they will include all previous updates.  When you install a new server, no more having to install a long list of updates.  If you have the latest monthly update installed, you have all the updates you need… it’s just that simple!


Predictable Cadence

On the second Tuesday of every month (a.k.a. Patch Tuesday) during the mainstream support phase, a cumulative update that includes new security and quality fixes will be released for Windows Server 2016.  Being cumulative, this update will include all previously released security and quality fixes.

Having a predictable cadence for when you can expect updates enables you to build patch maintenance processes around it.  Being able to plan ahead will simplify and streamline your ability to manage Windows Server.


Proactive Patch Discovery

Windows Server 2016 will help you keep it up to date better than ever before.  Automatic Updates (AU) is enabled by default on Windows Server 2016 and configured to:

Download updates for me, but let me choose when to install them

Windows Server will automatically check Windows Update or a Windows Server Update Services (WSUS) server for any relevant updates, and when it finds updates they will be downloaded and you will be notified that there are updates ready to be applied.  Updates will not be installed and servers will not be rebooted automatically, because avoiding production downtime is critical for a server.  You control scheduling a maintenance window and installing the updates when it is best for your business.  The key improvement is that Windows Update will automatically check and proactively notify you when there are updates you should apply.  This helps you get the fixes before you encounter issues and avoid downtime before it ever happens.

Automatic Updates is not enabled on Nano Server.  Additionally, for customers who prefer the behavior of previous releases, Automatic Updates can be easily configured through Group Policy, including being disabled entirely.
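As an added example that is not part of the original post, the following PowerShell check reads the documented Windows Update policy registry values and reports whether Automatic Updates is enabled, which AUOptions behavior is set, and whether the server is pointed at a WSUS server rather than Windows Update. The value meanings in the lookup table are the standard Windows Update policy values; the function and variable names are this script's own.

```powershell
# Added example (not from the original post): report how Automatic Updates and
# WSUS are configured on a Windows Server 2016 host, so an administrator can
# confirm the "download, but let me choose when to install" default described
# above and see whether Group Policy points the machine at a WSUS server.
# The registry paths and value names are the documented Windows Update policy
# keys; the $auMeaning lookup is this script's own mapping of those values.

$policyAU = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
$policyWU = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'

# Documented meanings of the AUOptions policy value
$auMeaning = @{
    2 = 'Notify before download'
    3 = 'Auto download and notify for install (the Server 2016 default behavior)'
    4 = 'Auto download and schedule the install'
    5 = 'Allow local admin to choose the setting'
}

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Return $null when the key or value is absent instead of throwing,
    # because an absent policy value simply means "no policy configured".
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

function Get-AUConfig {
    $noAuto     = Get-RegValue $policyAU 'NoAutoUpdate'
    $auOptions  = Get-RegValue $policyAU 'AUOptions'
    $useWsus    = Get-RegValue $policyAU 'UseWUServer'
    $wsusServer = Get-RegValue $policyWU 'WUServer'

    if ($noAuto -eq 1)            { $auState = 'Disabled by policy' }
    elseif ($null -eq $auOptions) { $auState = 'No policy set (OS default: download and notify)' }
    elseif ($auMeaning.ContainsKey([int]$auOptions)) { $auState = $auMeaning[[int]$auOptions] }
    else                          { $auState = "Unrecognized AUOptions value $auOptions" }

    # A server only talks to WSUS when UseWUServer is 1 AND WUServer names a server
    $viaWsus = ($useWsus -eq 1) -and -not [string]::IsNullOrEmpty($wsusServer)

    [pscustomobject]@{
        AutomaticUpdates = $auState
        UpdateSource     = if ($viaWsus) { "WSUS: $wsusServer" } else { 'Windows Update (Microsoft)' }
    }
}

Get-AUConfig | Format-List
```

Run it in an elevated PowerShell session; a result of "No policy set" with the Windows Update source is the out-of-the-box Server 2016 configuration described above.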


Reduced Footprint with Nano Server

In Windows Server 2016 a new installation type called Nano has been introduced which delivers the smallest Windows Server footprint ever!  Having a smaller operating system footprint results in fewer binaries to patch.  Having less to patch simplifies keeping your servers current.  See this blog for more information about Nano Server: https://blogs.technet.microsoft.com/windowsserver/2016/07/12/windows-server-2016-new-current-branch-for-business-servicing-option/


Key Takeaways

Windows Server 2016 will reduce costs by delivering:

  Predictable monthly update cadence you can plan for

  Fewer updates to manage

  Cumulative updates that have everything you need

  Proactive notification of updates before they cause downtime

  Simplified test matrix and streamlined verification process

  Reduced updating with Nano Server


In Windows Server 2016 you will be able to build a simple maintenance plan: One update…  once a month… That’s it!


Written by: Elden Christensen, Microsoft


Comments (16)

  1. jobc says:

    What happens when a single cumulative update causes a problem with a server application?
    What are the contingency plans to get the security updates to those users as soon as possible?
    What is MS commitment to its corporate users?

  2. Michal_F says:

    I have mixed feelings about this approach. What about zero-day vulnerability patches? Will they need to wait one month?
    This is OK for a desktop OS, but enterprise systems are different. I prefer a specialized solution over a universal one that fits all but is not so good in many situations. I am OK with the CBB update model for home users, but LTSB is a must-have for Enterprise (Desktop and Systems).

  3. Erik says:

    I’m late to this party, but yes, I agree with the two prior comments. This has bad news written all over it. A business with a policy that even remotely resembles maintaining a secure environment will be running security patches ASAP. Not once a month.

    When you can tout only needing to update once a month because nobody’s finding more vulnerabilities (I’m looking at you, devs) and they’re all just QOL updates, then this will be good news.

    Until then, a little more focus on providing secure software and a little less focus on making it more secure would be good. It’s 2016, secure coding practices should be second nature by now. Yet on a daily/weekly basis, new vulnerabilities are discovered.

  4. Vilius Šumskas says:

    So what happens if one of the updates causes issues? In the past, we could just simply ignore it indefinitely. Now we won’t be able to install ALL cumulative updates that go after the current month, since the same update will be included in all of them.

    I have no idea why you changed the model. It worked just fine before. And all these “takeaways” are more like marketing bullshit.

  5. Amos says:

    I have Server 2016 configured with a GPO to check my WSUS for updates. This is confirmed in the registry settings and in the client list on the WSUS. However, checking for updates fails when the server cannot connect to the internet. By default servers on my network do not have access to the internet, they have to be whitelisted. Once I whitelist the Server 2016, the update check works. Does Server 2016 require an internet connection to check for updates even when it is configured to use a WSUS?

    1. You should only need a connection to the network on which the WSUS server is connected to.

      1. Amos says:

        That’s what I assumed as well, but unfortunately it is not working that way. Without an internet connection the “Checking for updates” process errors out with “We couldn’t connect to the update service. We’ll try again later, or you can check now. If it still doesn’t work, make sure you’re connected to the Internet.”
        I’m not expecting you to troubleshoot this for me, just confirming whether this is expected behavior. I should also mention this is our first Server 2016; we have thirty Server 2012R2 & 2008R2 that have been updating fine for years.

        1. Jamal Blink says:

          Like Amos, I am also unable to check for updates without an internet connection. With internet enabled, I can see in the logs that it attempts to connect to the MS site to check for the updates: “ProtocolTalker ServiceId = {9482F4B4-E343-43B6-B170-9A65BC822C77}, Server URL = https://fe2.update.microsoft.com/v6/ClientWebService/client.asmx”.
          Downloading is done through WSUS, which is fine, but is this expected behavior when it comes to checking for updates?

  6. Nonsense. I cannot find a program or app that goes by the name ‘update’. So I do not know if the update worked at all. You cannot leave medium-experienced users completely alone. If I key in Update, there should be a better response than: No answer found.

  7. emikulic007 says:

    We have a 2012R2 WSUS server. Will that be fully capable of patching 2016 servers/systems? We are just starting our rollout to 2016. In the past we found we had issues with our 2008 WSUS server patching 2012R2 servers/systems, where we could not get all patches for 2012R2 systems until we replaced our 2008 WSUS server with 2012R2 WSUS.

    1. For the richest possible driver management and the smoothest feature update experience, Windows Server 2016 is recommended, but certainly Windows Server 2012R2 will do the job.

  8. Philip Elder says:

    Elden,

    Could we get this post updated with links to an updates list for Windows Server 2016 please? My search foo seems to be a bit weak as it’s a bear to figure out where the most current CU is.

  9. Bill says:

    Update Consolidation

    In Windows Server 2016 the sea of updates will be streamlined and simplified into a single package. All updates released over a given month will be rolled up in a single package. This will remove the guess work and burden to sort through the large number of hot-fixes released through the breadth of different channels trying to identify the ones you need. It will also simplify the test matrix, making your internal verification processes easier as well as increasing quality by ensuring all changes are verified together to confirm interoperability.

    “remove the guess work..” By denying me the ability to forego an individual update? This nanny nonsense (we know better than you about how to manage your servers) is not a good thing. So far, everything I’ve seen about managing updates on Windows Server 2016 is a downgrade from previous versions.

  10. Todd says:

    I’m amazed at Microsoft’s arrogance to think any of this is acceptable to corporate customers. It comes down to taking no updates at all or taking whatever Microsoft shoves down companies’ throats. No updates, or no control over production servers, or setting up even further Microsoft complication with WSUS. And of course it does not work at all with our automated roll-out tools. None of those alternatives are acceptable. So after months of debate and gnashing of teeth it has been decided we will convert our 2,600+ servers to Linux, except for 8-10 needed by management. It’s a better platform for Apple support anyway. And we’re not the only company to make the switch. Microsoft is obviously abandoning corporate customers in favor of their “one size fits all, take it or leave it” mentality.

  11. Alex says:

    Removes the guesswork with updates? Recent years of MS patches have surely shown that it means you’ll get 1 bad apple in the basket of patches you might need, ruining all the apples, instead of being able to selectively install the updates that -work- and avoid the broken patches until MS reissues a fixed version.

  12. M Robinson says:

    How would you go about updating a Windows Server 2016 that is offline and not intended for internet access?
