OS Patching Guidance for Windows 8.x and Windows Server 2012 R.x
The Windows 8x/Server 2012x OS family has a different patching method than previous versions of Windows. There are basically three forms of updates for Windows 8x/2012x:
- Monthly rollup
- Globally released update
- Limited released update
Monthly Rollup
Windows 8x and Windows Server 2012x were being serviced mainly through monthly rollups, which usually correspond to the time when security updates are released. For the most part, these rollups were NOT cumulative since the last milestone. They were essentially cumulative since the previous rollup, with an occasional exception (April 2014 & November 2014).
NOTE: The monthly rollups are sometimes listed as "Optional" or "Recommended", but should be evaluated and applied as soon as practical. These rollups often contain fixes to address performance, reliability, feature, or role updates (ex. Hyper-V, Failover Clustering, etc.).
Our "ASKPFEPLAT" group has a great blog post on this topic:
Update Rollups For Windows Server 2012 and Windows 8 Explained
NOTE: Per the Ignite 2015 conference, and this presentation specifically, Microsoft has announced that there will be no more monthly rollups. There may be an occasional "convenience" rollup.
Global Distribution Release (GDR) Update
GDR updates are available through Windows Update, Microsoft Update Catalog, or Windows Server Update Services (WSUS). GDR updates are usually localized in various languages, and are tested as widely as possible before public release. In the past we might have seen these show up in a list of fixes available on "Patch Tuesday". With the rollup mechanism being used in Window 8x/2012x, there are likely to be fewer standalone updates than previous operating systems.
Limited Distribution Released (LDR) Update
Limited released patches, also known as "hotfixes", "QFEs", or "LDR", are fixes that are generated most often as the result of a critical customer support incident. These fixes generally need to be created, tested, and delivered to customers in a condensed timeline. Limited release fixes that can be discovered through a published KB article, and obtained by the public, are fully supported by Microsoft. These types of fixes are available for public download, but usually only available through direct download, not through Windows Update or the Windows Update Catalog.
LDR fixes were historically intended to be included in the next milestone, whether that is service pack or new OS version. There is a great blog post on the "NTDebugging" blog that goes into this topic in greater detail:
Windows Hotfixes and Updates - How do they work?
"Unofficial" Operating System Patching Guidance (Windows 8x/Server 2012 Rx)
PLEASE NOTE:
I am offering this guidance, to aid in keeping operating systems as up to date as possible, with all fixes, not just security, and with as little effort as possible. I provide these recommendations in the context of a Microsoft PFE that works on site with customers, and experiences the various challenges of Windows servicing in general. I am making no official guidance statements with regard to Windows servicing, only my general guidance for enterprise customers. Any official guidance on Windows servicing will be posted on a top level Microsoft blog site, such as the Windows Blog
Install all rollups available since the previous "milestone". A milestone would be from Windows 8 to Windows 8.1, or from Windows Server 2012 to Windows Server 2012 R2.
NOTE: One rollup in particular, KB2919355, is cumulative since the Windows 8.1 and Windows Server 2012 R2 respective milestones. This rollup IS cumulative since those milestones, and should be applied first after a new OS installation.
KB2919355, "Windows RT 8.1, Windows 8.1, and Windows Server 2012 R2 update: April 2014", has a prerequisite as well; 2919442, "A servicing stack update is available for Windows RT 8.1, Windows 8.1, and Windows Server 2012 R2: March 2014". If you have installed your operating system some number of months after 2919442 was released, and have installed all offered updates, then you may receive a message that 2919442 is not applicable. This may happen if you have a later version of KB2919442 installed, such as KB2989647. Related error codes are 2149842967, or 0x80240017h, and translate as WU_E_NOT_APPLICABLE (wuerror.h).
If KB2919355 is installed manually, there are 7 files in all to download, and must be installed in a specific order. From the installation notes of KB2919355 download page: "These KB's must be installed in the following order: clearcompressionflag.exe, KB2919355, KB2932046, KB2959977, KB2937592, KB2938439, and KB2934018.
KB2919355 has a "Known Issues" section for both pre and post installation issues. It is important to review the Known Issues section of this, and other KBs, before proceeding.
If available, use Windows Update, or Windows Server Update Services (WSUS). Windows Update, and Automatic Updates in Windows, will evaluate what updates are currently installed on the operating system, what updates are available, comb the list, evaluate superseded patches, and offer the most condensed list of currently available updates.
Critical Updates should be tested and installed as soon as possible with high priority.
NOTE: This blog post does NOT change any existing security guidance.Important updates should be tested as soon as practical, and installed as soon as practical. The "Important" class of updates can address security, performance, or reliability issues.
Recommended updates should be reviewed, tested, and installed as applicable. The monthly rollups are sometimes categorized as "Optional", such as the October 2014 Rollup. These rollups should be evaluated as soon as possible, as they often contain fixes for components in Windows Server Features and Roles. The default setting for Windows 8x/2012x is to install Recommended updates the same as Important updates. For systems that are serviced through Windows Update, this setting will ensure that nearly all available updates are installed and those systems are running up-to-date code.
Optional updates should be reviewed, and installed possibly in a pilot group. The Optional updates are either just published new updates, or updates that don't fall into one of the other categories. Per the Ignite 2015 conference, Optional updates are evaluated periodically and their category ranking could be promoted to Recommended. There is no setting available in the Windows Update client that will automatically install Optional updates. Optional updates have to be installed manually, or through some other means such as SCCM.
The following page has good general patching guidance with respect to security updates:
Stay up-to-date for more secure web browsing
There is also a security guide available that goes into some of the topics discussed in this blog post, in great detail:
Microsoft Security Update Guide, Second Edition
The Windows Update component makes it simple to install all available updates automatically. If all settings are set to "automatic", the only user intervention would be to reboot when notified, which is very important. Windows will prompt when a reboot is needed, and will automatically reboot after a period of several days. The reason is that patches may contain updated components that are "in-use", and cannot be replaced while the operating system is running. These components are "staged" to be replaced during the next full computer restart. During the time that there are pending reboots necessary, some functions in Windows are not available, such as adding or removing Roles or Features, and/or installing further operating system patches. If you attempt to perform one of these operations, you will likely receive a prompt to restart your computer first, to handle to the pending changes.
This guidance is subject to change in the current releases, or in future releases. This blog post makes no recommendation to change any setting or practice with respect to operating system security or hardening.
Thank you and safe, reliable computing.
Robert M. Smith, Sr. PFE, Platforms