Further simplifying servicing models for Windows 7 and Windows 8.1


In our announcement earlier in May, we introduced a Convenience Rollup update for Windows 7 SP1 and a shift to monthly rollups of non-security updates for Windows 7 SP1 and Windows 8.1. Based on your feedback, today we’re announcing some new changes for servicing Windows 7 SP1 and Windows 8.1. These changes also apply to Windows Server 2008 R2, Windows Server 2012, and Windows Server 2012 R2. (Note: A rollup is multiple patches rolled together into a single update.)

Why we’re introducing Windows servicing changes

Historically, we have released individual patches for these platforms, which allowed you to be selective with the updates you deployed. This resulted in fragmentation where different PCs could have a different set of updates installed, leading to multiple potential problems:

  • Various combinations caused sync and dependency errors and lower update quality
  • Testing complexity increased for enterprises
  • Scan times increased
  • Finding and applying the right patches became challenging
  • Customers encountered issues where a patch was already released, but because it was in limited distribution it was hard to find and apply proactively

By moving to a rollup model, we bring a more consistent and simplified servicing experience to Windows 7 SP1 and 8.1, so that all supported versions of Windows follow a similar update servicing model. The new rollup model gives you fewer updates to manage, greater predictability, and higher quality updates. The outcome increases Windows operating system reliability, by eliminating update fragmentation and providing more proactive patches for known issues. Getting and staying current will also be easier with only one rollup update required. Rollups enable you to bring your systems up to date with fewer updates, and will minimize administrative overhead to install a large number of updates. (Note: Several update types aren’t included in a rollup, such as those for Servicing Stack and Adobe Flash.)

Monthly Rollup

From October 2016 onwards, Windows will release a single Monthly Rollup that addresses both security issues and reliability issues in a single update. The Monthly Rollup will be published to Windows Update (WU), WSUS, SCCM, and the Microsoft Update Catalog. Each month’s rollup will supersede the previous month’s rollup, so there will always be only one update required for your Windows PCs to get current. That is, a Monthly Rollup in October 2016 will include all updates for October, while November 2016 will include October and November updates, and so on. Devices that have this rollup installed from Windows Update or WSUS will utilize express packages, keeping the monthly download size small.

Over time, Windows will also proactively add patches to the Monthly Rollup that have been released in the past. Our goal is eventually to include all of the patches we have shipped in the past since the last baseline, so that the Monthly Rollup becomes fully cumulative and you need only to install the latest single rollup to be up to date. We encourage you to move to the Monthly Rollup model to improve reliability and quality of updating all versions of Windows.

We are planning to add these previously shipped patches over the next year and will document each addition so IT admins know which KBs have been included each month.

Security-only updates

Also from October 2016 onwards, Windows will release a single Security-only update. This update collects all of the security patches for that month into a single update. Unlike the Monthly Rollup, the Security-only update will only include new security patches that are released for that month. Individual patches will no longer be available. The Security-only update will be available to download and deploy from WSUS, SCCM, and the Microsoft Update Catalog. Windows Update will publish only the Monthly Rollup – the Security-only update will not be published to Windows Update. The security-only update will allow enterprises to download as small of an update as possible while still maintaining more secure devices.
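The difference between the two update types matters when auditing a fleet: a Monthly Rollup covers every month back to October 2016, while a Security-only update covers only its own month. The following is an added example, not part of the original announcement, that reports which months of security fixes each machine is missing from an inventory of installed updates; the update identifiers, host names and catalog are constructed placeholders, not real KB numbers.

```python
"""Added example: security coverage audit under the rollup servicing model."""
from dataclasses import dataclass

# First month of the new servicing model, per the announcement.
MODEL_START = (2016, 10)


@dataclass(frozen=True)
class Release:
    kb: str       # constructed placeholder identifier, not a real KB number
    kind: str     # "rollup" (Monthly Rollup) or "security-only"
    month: tuple  # (year, month) the update was released for


def month_range(start, end):
    """Inclusive list of (year, month) tuples from start to end."""
    months = []
    year, month = start
    while (year, month) <= end:
        months.append((year, month))
        year, month = (year + 1, 1) if month == 12 else (year, month + 1)
    return months


def build_catalog(end):
    """Constructed catalog: one Monthly Rollup and one Security-only update
    per month from MODEL_START through `end`."""
    catalog = {}
    for year, month in month_range(MODEL_START, end):
        for kind, tag in (("rollup", "ROLLUP"), ("security-only", "SECONLY")):
            kb = f"EXAMPLE-{tag}-{year}-{month:02d}"
            catalog[kb] = Release(kb, kind, (year, month))
    return catalog


def uncovered_months(installed, catalog, through):
    """Months from MODEL_START through `through` whose security fixes are
    not present on a machine with the given installed update identifiers.

    Not modelled: out-of-band releases and update types the announcement
    says are outside the rollups (for example Servicing Stack, Adobe Flash).
    """
    known = [catalog[kb] for kb in installed if kb in catalog]
    # Each Monthly Rollup supersedes the previous one, so only the newest
    # installed rollup matters: it covers its own month and all earlier ones.
    newest_rollup = max((r.month for r in known if r.kind == "rollup"),
                        default=None)
    # A Security-only update covers exactly one month and supersedes nothing.
    security_only = {r.month for r in known if r.kind == "security-only"}

    missing = []
    for month in month_range(MODEL_START, through):
        by_rollup = newest_rollup is not None and month <= newest_rollup
        if not by_rollup and month not in security_only:
            missing.append(month)
    return missing


def audit(fleet, catalog, through):
    """Map each host to the list of months it is missing."""
    return {host: uncovered_months(kbs, catalog, through)
            for host, kbs in fleet.items()}


# Constructed inventory: host name -> installed update identifiers.
FLEET = {
    "pc-rollup-latest": ["EXAMPLE-ROLLUP-2016-12"],
    "srv-seconly-gap": ["EXAMPLE-SECONLY-2016-10", "EXAMPLE-SECONLY-2016-12"],
    "srv-mixed-ok": ["EXAMPLE-ROLLUP-2016-11", "EXAMPLE-SECONLY-2016-12"],
    "srv-mixed-gap": ["EXAMPLE-ROLLUP-2016-10", "EXAMPLE-SECONLY-2016-12"],
    "pc-unpatched": ["EXAMPLE-UNRELATED-1"],
}

if __name__ == "__main__":
    report = audit(FLEET, build_catalog((2016, 12)), (2016, 12))
    for host, missing in sorted(report.items()):
        gaps = ", ".join(f"{y}-{m:02d}" for y, m in missing) or "none"
        print(f"{host:18} missing security months: {gaps}")
```

A machine on the Security-only track that skips one month stays exposed for that month until either that month's Security-only update or a later Monthly Rollup is installed.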

Update documentation changes 

To bring consistency to the release notes model introduced with Windows 10, we will also be updating our down-level documentation to provide consolidated release notes with the Rollups for all supported versions of Windows. We’ll extend and provide release notes for monthly rollup updates and also the security-only updates that will be introduced from October 2016.  

Microsoft Update Catalog

The Microsoft Update Catalog website is being updated to remove the ActiveX requirement so it can work with any browser. Currently, Microsoft Update Catalog still requires that you use Internet Explorer. We are working to remove the ActiveX control requirement, and expect to launch the updated site soon.

.NET Framework Monthly Rollup

The .NET Framework will also follow the Monthly Rollup model with a monthly release known as the .NET Framework Monthly Rollup. The .NET Framework Monthly Rollup will deliver both security and reliability updates to all versions of the .NET Framework as a single monthly release, targeting the same timing and cadence as Windows. It is important to note that the rollup for the .NET Framework will only deliver security and quality updates to the .NET Framework versions currently installed on your machine. It will not automatically upgrade the base version of the .NET Framework that is installed. Additionally, the .NET Framework team will also release a security-only update on Microsoft Update Catalog and Windows Server Update Services every month.

We hope these changes further simplify your patching of Windows 7 & 8.1 systems.

Update October 7: More on Windows 7 and Windows 8.1 servicing changes

 

Comments (241)

  1. Hi Nathan, this sounds like it very much simplifies the patching process; however, will each of these rollup releases show up within a server install as a single patch? If so does this mean that if issues are encountered on servers after applying these rollups that you will have to uninstall the whole rollup, so in effect it’s all or nothing?

    Also how will end users cater for software that they do not want to apply security or monthly rollup changes to, like for instance SQL, Exchange or Lync updates where their current versions are supporting desktop applications at a previous version of the product?

    1. The rollup patch is a single patch; it installs and uninstalls as a single patch. If you don’t want to apply security or monthly rollup you don’t have to, but Microsoft recommends installing all recommended updates. So that includes both security updates and any non-security updates that are marked as recommended in Windows Update.

  2. Steve says:

    “We encourage you to move to the Monthly Rollup model to improve reliability and quality of updating all versions of Windows.”

    Does this mean the individual patches will still be available and one can opt to either do individual patches or the Rollup model?

    1. Individual patches will no longer be available after October 2016.

  3. Brad Smith says:

    How does Internet Explorer factor into this as Windows 7 originally came with Internet Explorer 8? Will the Monthly Rollup include Internet Explorer 11? This article doesn’t mention Windows Vista and Windows Server 2008 (R1). How will those Operating Systems be updated?

    1. *updated* IE11 will be serviced in both monthly rollup and security-only update starting in October. Although Windows Vista and Windows Server 2008 are also already in Extended Support mode https://support.microsoft.com/en-us/help/13853/windows-lifecycle-fact-sheet we continue to consider changes to Vista/2008 but technically there are complications that will make any changes on those platforms more challenging

      1. Brad Smith says:

        Thank you for the information. Regarding Windows Vista and Server 2008, I was trying to ask whether there will be Monthly Rollups and Security only rollups for Windows Vista and Windows Server 2008 (R1). Will there be or will updates continue as before for those Operating Systems?

        1. we don’t currently have plans to extend the Rollup servicing model to Windows Vista or Windows Server 2008. We continue to consider changes to Vista/2008 but technically there are complications that will make any changes on those platforms more challenging.

      2. Adrian says:

        What about those enterprises that are unable to move to IE11 just yet? How will they be affected?
        I like the idea of the single rollup, but IE11 in there would break us

        1. IE version upgrades will not happen with Monthly rollup, but we plan to eventually include patches for whichever version of IE you currently have installed in the Monthly rollup, similar to the .NET rollup.

          1. Adrian says:

            Hi Nathan
            Thanks for confirming that.

          2. mohit panwar says:

            Hi Nathan,
            Thanks for many important inputs. But I would like to confirm that if an enterprise has IE8 and upgrading to IE9 or IE11 will impact the system, with monthly security-only updates, it will not be upgraded to IE9 or IE11?

          3. Correct, neither Monthly Rollup nor Security-only update will upgrade the version of IE you already have installed.

  4. Vitаl says:

    “Devices that have this rollup installed from Windows Update or WSUS will utilize express packages, keeping the monthly download size small.”
    Do I understand correctly that WSUS-connected computers will need Internet access to install these updates? This defies the idea of WSUS and is unacceptable for many enterprise customers.
    Please reconsider and provide full rollup packages to WSUS.

    1. no, WSUS also supports Express packages, you just need to enable it in your WSUS Admin console under Configure Advanced Synchronization Options. https://technet.microsoft.com/en-us/library/cc708456(v=ws.10).aspx

      1. Bohdan Bijecek says:

        I have to enable Express packages in WSUS to get monthly rollup or not?

        1. No, if you want to take advantage of the smaller packages you can enable Express in your WSUS console, but it is not a requirement.

          1. Adrian says:

            Nathan
            Will SCCM eventually support the express packages?

  5. James Willmott says:

    I really welcome this – so long as it’s *only* used to deliver security + stability patches + bugfixes, and not used to deliver unwanted nagware and other such nonsense. Anything that makes the patching progress more predictable and straightforward is a positive move.

  6. Terence says:

    Hi Nathan,

    Could you clarify something for me please.

    Will the security-only updates package also be available to Home and Pro users of Windows 7 and 8.1 via the Microsoft Update Catalog, or is this particular rollup aimed specifically at business users?

    1. Yes, it will be available to everyone and every Windows SKU not just business versions

  7. bhupalan says:

    So the supersede concept is applicable only for the Monthly Rollups, but not for Security-only updates? Do I need to install all the months’ security-only updates in order to keep my machine up to date?

    1. yes, Security-only will use the security category, Monthly Rollup will use the rollup category.
      You may already have security setup for auto-approval in WSUS, so then you can think through when and how to include Monthly Rollup.

      1. bhupalan says:

        Having just passed the November 2nd patch Tuesday, my SCCM 2007 machine was not synched for quite a while. But when I synched now I don’t see the October 2016 security monthly rollup anymore, but November 2016 security monthly rollups are available in the updates repository. At least I thought the October patches will show up as superseded (superseded yellow icon), but it didn’t.
        Whereas my WSUS shows all of them.
        Is there something that I need to do on SCCM 2007? I have tested on the other SCCM 2007 too and it’s the same (we have multiple environments). Earlier I had the folder search option – superseded “No”. I thought this was the cause, but it was not, as I have tried it several times without using conditions also.
        You wanted to suggest me something? How do I install the October month patches now?

  8. Paul Norman says:

    Can you opt out of a specific patch in the rollup if you need to? or is it all or nothing?

    1. No. You won’t be able to apply individual security updates – they won’t be available from October 2016 as we move to the Rollup model.

  9. Lloyd says:

    “We encourage you to move to the Monthly Rollup model to improve reliability and quality of updating all versions of Windows.”
    It’s nice to be encouraged, but what must one do to “move to the Monthly Rollup model”?
    2) What is a WSUS-connected computer? Do I need to know?
    3) What is the Microsoft Update Catalog? Do I need to know?
    Usually I just go along minding my own business and discover some mornings that my computer has been restarted. I think Bill Gates sneaks into my house while I’m asleep 😉 PS Win 7 SP1 on a laptop..

    1. It sounds like your PC is just using Windows Update (WU) not WSUS or MU Catalog. From October 2016 your PC will get Monthly rollups from Windows Update, you won’t need to actually do anything differently.

  10. Ben Jackson says:

    Hello – Will this new path include updates for POSREADY9 XP SP3 embedded or will those be obtained with the current method?

    1. This announcement does not affect POSReady 2009

      1. Ed says:

        Will Windows Vista and Server 2008 get those monthly rollups or cumulative updates in the future, and since Windows Vista will end support on April 11, 2017, will there be any cumulative updates for Windows Vista until that date or will there just be security updates like over 500 updates for Vista and 2008?

        1. nothing to announce currently. we continue to consider servicing changes for Windows Vista & Windows Server 2008, but technically there are complications that will make any changes on those platforms more challenging.

          1. Edward_b says:

            There are always complications. 🙂

  11. John Smith says:

    How did this new process deal with Office patches? Are they included within the rollup patch?

    1. No, Office has its own patches which are separate from Windows and not part of these servicing changes moving to rollups.

      1. Brad says:

        Hmmm … What about products like SQL Server, Exchange Server – Are they taking the roll up approach or are they doing what they’ve always done ?

        1. these announcements only relate to Windows, not other Microsoft products.

          1. Brad says:

            Hi Nathan,

            So using last Month’s patches as an example, what would be included in the “new” method and what will remain the same ?
            MS16-095 – Cumulative Update for Internet Explorer – I’d presume this is an IE patch.
            MS16-096 – Cumulative Update for Microsoft Edge – I’d presume this is a Microsoft Edge Update
            MS16-097 – Security Update for Microsoft Graphics Component – Windows (presumably in the cumulative OS update), Office, Skype for Business and Lync (presumably not in the update).
            MS16-098 – MS16-102 – I’d presume these would be in the OS update.
            MS16-103 – Security Update for ActiveSyncProvider – If this were applicable, would this ActiveSync update be an OS update, as per Windows 10?

  12. Alla says:

    My God, how can a simple user understand all this?
    Could it be as summary, what to do or not to do?

    1. you can just continue to have your PC getting updates directly from WU just as you always have. You won’t need to change anything.

  13. Culbrelai says:

    Wow, fantastic. Now system instability will be a given with almost every update package, due to not being able to deselect known bugged drivers/etc for one’s hardware.

    1. No, this announcement does not affect driver updates. Driver updates are not included in Monthly Rollup or the Security-only rollup

  14. Nate says:

    The monthly security update model seems like it would possibly delay the release of security patches until the monthly release date, instead of as they are completed by dev teams. Doesn’t this introduce a security gap for Windows components / features?

    1. In general we try to release security patches on Patch Tuesday to limit the number of reboots and updates that devices need. In some extreme cases, we will release security updates “out of band”. In the new servicing model we will still be able to release security updates out of band if needed and then they would also be included in the next monthly rollup and security-only update that is released.

  15. Cam L says:

    “Windows Update will publish only the Monthly Rollup – the Security-only update will not be published to Windows Update”

    How does this work for end-users that don’t have WSUS and don’t know or care to know about going to MS update catalog to download patches? Why aren’t these critical security updates being included to install from Windows update?

    1. Monthly rollup also includes Security updates

  16. Will says:

    Hi,

    Regarding the changes to updates, moving to monthly rollup.

    1) Will the update space required for rollups on each server increase ?

    2) Will old updates that have been superseded, post the rollup, be able to be uninstalled? Will tools be available to remove these updates to reclaim disk space?

    3) What will the average size of each rollup be ?

    1. 1) The monthly rollup will take more space than an individual update. But if you were to install all updates via WU vs just installing the latest monthly rollup (when it is cumulative) the latest monthly rollup would take less space overall than all the combined individual updates. After installing monthly rollups, we recommend running diskclean to clean up older superseded updates

      2) Diskclean.exe is built into Windows 7 and can be used to clean up superseded updates. Windows 8.1 and Windows 10 automatically run clean up

      3) The rollups will start out small, but we expect that these will grow over time to something close to the convenience rollup size. Users connected to WU or WSUS can use Express and only download the deltas each month.

  17. Peter Hamilton says:

    Hi Nathan

    Long time no see. I hope life is treating you well.

    A few questions if I may:

    As you’ll be aware, updates via WSUS have traditionally fallen into one of a range of classifications, including:

    * Critical updates
    * Definition updates
    * Drivers
    * Feature packs
    * Security updates
    * Service packs
    * Tools
    * Update rollups
    * Updates

    Can you advise which of these classifications will be included in these monthly rollup packages?

    This practice does come with some advantages, including simplification, and having everyone on the same ‘level’. It can also cause problems in that if one of the updates included within the package causes problems, which does happen from time to time (We struck this recently), the only way to address the problem would, in theory, to remove the whole rollup(?) Then determining which of the single updates within the rollup is causing the problem will be challenging.

    Historically, we only deploy Critical and Security updates. With the proposal above, we will lose the ability to deploy only these classifications. Concerns over this will depend on the answer to the first question above about what classifications are included in the rollups.

    1. WSUS has both security classifications, and categories.

      1) Monthly Rollup will be classified as Critical or Security depending on the highest level of security fix in the Monthly Rollup

      2) Monthly Rollup will be categorized as Update rollups

      3) Security-only update will be classified as Critical or Security depending on highest level of security fix in the update

      4) Security-only will be categorized as Security updates

      If you only install security and critical updates, then you should use the security-only update rather than Monthly Rollup.

      1. Harris Stewart says:

        Peter Hamilton’s August 22, 2016 comment mentioned “definition updates”. In Windows 8.1, how will updates to Windows Defender (including daily definition updates, and upgrades to Windows Defender itself) be handled? Currently, I can get Windows Defender updates by waiting for them to be offered for download/installation in my Windows Update client, or I can manually check for updates from within the Windows Defender program. Will I continue to have either or both of these options when the new Monthly Rollup procedures are instituted in October 2016?

        1. Yes, Windows Defender definition updates are completely separate from this announcement and not impacted by this change

      2. Russell says:

        Hi Nathan, please can you clarify what you mean by “WSUS has both security classifications, and categories.” in the context of this change?

        In WSUS > Options > Products and Classifications, on the classifications tab it shows the various classifications (including “Security updates” and “critical updates”. Based on your points 1 and 3 of your reply, both the monthly rollup and the security-only update will be classified either as “security updates” or “critical updates” depending on their contents. When configuring automatic approval rules the dialog box also refers to “classification” – so how would I approve the security-only update without also approving the monthly rollup? Can you explain how points 2 and 4 of your reply, referring to “categories”, relates to synchronizing and approving updates please?

        1. Our plan is the monthly rollup will be classified as Update Rollups
          The security-only update will be classified as security updates

    2. Rick Engle says:

      Will the new patching model also be used for Windows Server Core 2012 R2 and Windows 7/8.1 Embedded Editions?

  18. Marko says:

    Last month there was a particular windows update that had detrimental effect on one of our business critical software packages.
    We quickly had to roll the update back to restore the functionality, and block it in WSUS so it doesn’t get installed on any of our computers.
    How will we do this if updates are all rolled up?

    1. Our commitment to keeping Windows secure remains steadfast. We’re making these servicing changes because over time we have seen that the piecemeal approach to patching has been one of the biggest challenges in achieving high quality servicing.

      In this simplified process our focus on both quality and dealing rapidly with regressions is our highest priority.

      We do perform our own internal validation with a large number of ISV apps to validate patches; some ISVs also receive pre-release access to these updates to perform their own validation. ISVs can also open support cases with us, just like we will open cases with them when we find issues.

      If any issues are encountered by you, we encourage you to open a support case right away; we will work to resolve these as quickly as possible.

      In cases where issues are found, we will evaluate these on a case-by-case basis to determine what appropriate steps should be taken; these could be different for each issue. Organizations can always uninstall offending updates (or stop deploying them more broadly, if they are doing a staged deployment and the issues aren’t too severe) until the issue is resolved.

      We could choose to revise the update package, or provide an additional update that could be installed over the top of the offending update.

      We’ve found over time in our experience on Windows 10 that we’re better able to deliver quality servicing and better able to respond to any issues with this approach.

  19. Mark says:

    So does this mean you are going to force updating Win7 to IE11 with its blur type?

    1. IE version upgrades are not included in the Monthly rollup

  20. Marc St-Georges says:

    Will these updates include new features? New features are nice but some require a bit of tweaking to make them safer in a managed area.

    1. we aren’t shipping new features on Windows 7 or Windows 8.1

  21. John says:

    Let’s put this in clear language.

    Microsoft has decided to eliminate all patches to any home version of windows except where the full update package as total install successfully deploys. Given this if any patch causes an issue it’s simply too bad, the end user will no longer be able to recover to an older deployment and block the offending patch. This means the next time you deploy a screwed up patch even one which prevents the host from booting the end user will be unable to recover.

    From what I can see the only possible option would be a full install from scratch, and if any hardware is incompatible to the base install the end user will be forced to immediately go out and purchase “compatible” hardware in order to get functional again.

    Any “feature” Microsoft wishes to deploy, any “security patch” any driver update, even those which make the system unable to boot will be installed on every system.

    I don’t see how people can give you this level of control as you have released botched patches which have taken percentages of systems to non-usability over and over. Just last week I had to block a driver update for video which was being forced onto my mother’s system with the windows 7 updates. I’m not sure why an Intel video driver was classified as a needed patch.

    John

    1. Driver updates are not included in either Monthly rollup or Security-only rollup updates.

      The rollup model is similar to the cumulative updates being used with Windows 10.
      These CU are improving the overall quality of the OS while also significantly reducing the rate of support calls. So we consider the changes to be very successful and that’s why we are making similar changes with Windows 7 and Windows 8.1.

      We are better able to deliver quality servicing and better able to respond to any issues with this approach.

      1. Harris Stewart says:

        Nathan: Thanks for your detailed answers to John’s August 23, 2016 comment and Marko’s August 22, 2016 comment. I’m still a little unclear on a couple of points. It would be helpful if you could please respond to the following questions (as they apply to a home user, i.e. non-enterprise, running Windows 8.1):

        1. Will the Monthly Rollup be “forced” (i.e. automatically downloaded and installed on a mandatory basis, similar to the way updates are “forced” in Windows 10) or will we be able to delay downloading and installing the Monthly Rollup by temporarily setting our Windows Update client to “Check for updates, but let me choose whether to download and install them”, or by temporarily setting it to “Never check for updates”?

        2. If an installed Monthly Rollup causes problems due to the inclusion of a faulty patch, am I correct that I will be able to remove the entire Monthly Rollup by uninstalling it from the “Installed Updates” page in the Control Panel’s “Programs and Features” category? If so, will that roll back my system to the immediately prior Monthly Rollup?

        3. If an update that is included in a Monthly Rollup depends on the prior installation of an earlier single update which I chose to hide (i.e. not install) long before October 2016, will I be prompted to install that particular earlier update (for example, by Microsoft’s identifying the earlier update by its KB number)? Or will Microsoft install the necessary earlier update automatically through Windows Update? Or will the attempted installation of the Monthly Rollup just fail without an explanation as to why?

        1. 1. this will function exactly the same as it does today.

          2. likewise, this will function exactly the same as it does today.

          3. If there are any pre-requisites that are needed to install a monthly rollup we will ensure they are documented in our release notes. In general we try to avoid pre-reqs because it causes complexity for you and for us. Any update with a pre-req is not applicable in Windows Update until the pre-req is installed. So if we did pre-req on an update that you had hidden, it would never show as being applicable to you. The most frequent updates that become pre-reqs are Servicing Stack Updates (SSU) which update the servicing model itself. We would strongly encourage users not to hide those types of updates.

          1. Pete Wilson says:

            Answer 2 does not seem very clear given that today, patches are installed singly and are not cumulative.

            In the new cumulative Monthly Rollup world, how will uninstall work?

          2. Uninstalling either the security-only update or Monthly rollup patches will be possible; what’s changing is the granularity – the entire patch installs and uninstalls, not the individual patches contained within.

  22. Bob van der Ploeg says:

    Will emergency patches / security updates still be released separately? Or do we have to wait a month if a zero-day or other big security risk is found?

    Can KB’s still be removed separately should they cause an issue on our platform?

    1. yes we could still release an “out of band” security patch if necessary.

      Individual fixes contained inside a rollup patch cannot be separately uninstalled, but the rollup patch can be uninstalled.

      In this simplified process our focus on both quality and dealing rapidly with regressions is our highest priority.

      We’ve found over time in our experience on Windows 10 that we’re better able to deliver quality servicing and better able to respond to any issues with this approach.

  23. JonBee says:

    Historically, Microsoft has pushed out KBs that have incidental impact to the systems they are installed on. These then are added to the KB documentation as a known issue, and eventually a fix gets put out. In the past, we’ve been able to work with this by excluding that KB in our updates until we are satisfied it won’t cause problems. How will we work around this with this new update model?

    1. If any issues are encountered by you, we encourage you to open a support case right away; we will work to resolve these as quickly as possible.

      In cases where issues are found, we will evaluate these on a case-by-case basis to determine what appropriate steps should be taken; these could be different for each issue. Organizations can always uninstall offending updates (or stop deploying them more broadly, if they are doing a staged deployment and the issues aren’t too severe) until the issue is resolved.

      We could choose to revise the update package, or provide an additional update that could be installed over the top of the offending update.

      We’ve found over time in our experience on Windows 10 that we’re better able to deliver quality servicing and better able to respond to any issues with this new servicing approach.

  24. Joseph says:

    Known issues arise periodically with released security patches. In the past, there are not always solutions immediately available for the issues. The ability to remove/defer specific security patches has, on numerous occasions, been the only way to be allowed to patch various enterprise customers in a given month. If the month’s security patches will now be ‘all in one”, it would seem that a single “known issue” can prohibit deployment of all security patches for the month. How does Microsoft intend to address this with this new patch release model?

    1. Our commitment to keeping Windows secure remains steadfast. We’re making these servicing changes because over time we have seen that the piecemeal approach to patching has been one of the biggest challenges in achieving high quality servicing.

      In this simplified process our focus on both quality and dealing rapidly with regressions is our highest priority.

      If any issues are encountered by you, we encourage you to open a support case right away; we will work to resolve these as quickly as possible.

      In cases where issues are found, we will evaluate these on a case-by-case basis to determine what appropriate steps should be taken; these could be different for each issue. Organizations can always uninstall offending updates (or stop deploying them more broadly, if they are doing a staged deployment and the issues aren’t too severe) until the issue is resolved.

      We could choose to revise the update package, or provide an additional update that could be installed over the top of the offending update.

      We’ve found over time in our experience on Windows 10 that we’re better able to deliver quality servicing and better able to respond to any issues with this approach.

      1. Joseph says:

        If the approaches you list were working in a timely fashion for our enterprise customers I wouldn’t have asked the original question. Ignoring the time to process a case, even after an issue becomes a “known issue” listed on Microsoft’s website, it can sometimes be days and even weeks until a solution is made available that allows installation of the “offending” patch without impact. Our customers already open cases, and the only saving grace has been that the patch (or patches) with an issue can be removed from the deployment. If I understand your reply correctly, they are going to be forced to choose between leaving their environments in an unsecure state or choosing to accept the business impact from the issue. Is this the case?

  25. Calash_nec says:

    Will individual patches still retain a way of single uninstall? Even if it is something to download after, or a DISM command, it would be very valuable to be able to remove a patch without removing the rollup.

    1. You can still uninstall a rollup patch; it’s the entire rollup patch, not individual fixes included in the patch.

      Our commitment to keeping Windows secure remains steadfast. We’re making these servicing changes because over time we have seen that the piecemeal approach to patching has been one of the biggest challenges in achieving high quality servicing.

      In this simplified process our focus on both quality and dealing rapidly with regressions is our highest priority.

      1. Calash_nec says:

        Thank you for the prompt reply. I do understand the improvement from Microsoft’s point of view, however I feel the impact of this type of change is being lost.

        For example, MS16-098 has a bug in it that crashes printing after a few jobs: https://support.microsoft.com/en-us/kb/3178466

        This may be low-impact to some companies but a good part of our fleet is auto-printing and this would be a function breaking bug. In a post-October world we would have to either be notified before the roll-up goes out (one of our vendors did notify us of this before it went out), or run a removal job on impacted PCs. In both of these cases we would be stuck without that month’s roll-up until a fix was issued, putting our fleet at risk.

  26. Marina says:

    Enterprise customers have questions regarding this, are you planning on having a customer briefing to address those?

    1. feel free to post your questions here and we’ll do our best to answer them.

  27. Barb says:

    When is Microsoft going to remove the ActiveX control so that other browsers can be used to download patches? Don’t use IE at all whilst using the internet.

      1. Barb says:

        The Active X control is apparently still there when I try to access the update catalog with another browser. I do not have IE enabled on my desktop. Why is it taking so long to be removed?

  28. Sebastian says:

    Please, Nathan/Microsoft, I’m asking nicely: Will these monthly rollups contain updates that will prompt me to upgrade to Windows 10 or not? I’m feeling ignored here.

    1. No, GWX is not included in these rollups, also the free Windows 10 upgrade offer ended after a year on July 29 just been.

  29. santosh says:

    We have an agreement with the customer that we don’t apply any application-related patches, so in that case how will we do the monthly rollup patches?

    1. this announcement only affects the servicing of Windows. You may also choose to only install Security updates by using the Security-only updates rather than Monthly rollup.

  30. Jason says:

    Nathan,

    I have a question and pardon me if it’s already been asked.

    Since the October monthly rollup will only include that months patches, is there a base set of patches that need to be installed before that monthly rollup will apply? Will simply having Service Pack 1 and the June Convenience Rollup be sufficient to proceed with installing the monthly cumulative updates?

    1. for Windows 7, once the Monthly Rollup goes cumulative, the baseline will be SP1

      1. Jason says:

        Thanks for the quick response.

        Just to clarify your statement “once the Monthly Rollup goes cumulative, the baseline will be SP1” means that in October 2016, there could potentially be prerequisite patches before the Update Rollup is applicable?

        I understand Microsoft is working on adding in previously released patches over the next year at which point the monthly rollup will be considered a cumulative rollup.

        Thanks,

        Jason

  31. Juan Pablo says:

    Hello Nathan

    Just to confirm….

    Non-Security updates will not be included in this new model right? Meaning that MS could release one or more per month.

    Regards

    1. Security-only only contains security patches. Monthly rollup can contain both security and non-security (ie reliability) updates.

  32. santosh says:

    Hi Nathan,

    If I am not using WSUS for patching and am instead using IEM BigFix for Windows server patching, are we able to get the monthly patches or individual patches in our IEM BigFix console?

    1. Monthly rollup will be available thru all the same distribution methods, Security-only rollup the same except not available thru WU.

  33. Prisida M says:

    Hello, for my customer there are MS patches which get released after the 15th of every month with severity of high (30 days) and medium (60 days), but these released patches (high/medium) are assigned a ten-day target date. So, will they still be released for the client?

    1. the security-only rollup will have the same severity rating applied to it as the highest rated patch contained inside the rollup.

  34. Haseeb Khan says:

    Information nicely described.

  35. Orvs says:

    Will the old individual hotfixes be still available for download once this gets rolled out this Oct 2016? For example, I wanted to download a specific hotfix released back in 2015. Does Microsoft have any plans of implementing the monthly roll-up on “Security updates only” in the near future? Thanks!

    1. yes those hotfixes will still be available.

      We are purposely releasing Security-only as a rollup but not cumulative like Monthly rollup is.

  36. Dick DeFuria says:

    Hi, Nathan. Will the monthly “single Security-only update” be cumulative, too? That is, will November’s single Security-only update supersede October’s single Security-only update? Thx.

    1. No. Security-only update collects all of the security patches for that month into a single update. Unlike the Monthly Rollup, the Security-only update will only include new security patches that are released for that month.

      1. Dick DeFuria says:

        Got it. Thank you.

  37. Chad says:

    Nathan,

    A few questions.

    1. When the Monthly rollup is installed, will there be the ability to uninstall the Security-Only update for that given month? Let’s say I applied the Oct, Nov and Dec Rollups. Then I choose to uninstall the December Rollup; would this uninstall the Security-Only update for the previous 3 months?

    2. For Windows 2008 R2, will the Convenience Rollup KB312557 be installed by the October Monthly Rollup? Will it be a prerequisite for updates post October? Can you speak on this in relation to Windows Server 2008 R2?

    1. 1. Monthly rollup and Security-only update are 2 separate releases. If you install Monthly rollup you can uninstall Monthly rollup, but not the individual security patches contained inside the Monthly rollup.

      2. Convenience rollup is not a pre-req for any of these announcements, nor does it get installed by October Monthly rollup.

      1. Chad says:

        Nathan, so to clarify the answer to question number 1: when we choose to install the Monthly Rollup we will get 2 separate KBs? One for the Monthly Rollup (Reliability updates) and one for the Security-Only updates?

        1. Monthly rollup and Security-only are 2 separate releases. Monthly Rollup includes both security issues and reliability issues in a single update. Each month’s rollup will supersede the previous month’s rollup, so there will always be only one update required for your Windows PCs to get current.

          If you only want security updates, just install security-only update not monthly rollup

          1. Chad says:

            Ok so I think I’m tracking. Correct me if I am wrong. So let’s say I’m currently up to date since I applied the October Rollup. Then I apply the November Rollup and a system has issues. At that point I just remove the one KB for November and it backs off both the Reliability and Security updates just for that month?

  38. Robert Spinelli says:

    So how does this impact SCCM? The way SCCM works now is if 20 patches are released (total size 500MB) but only 5 of them are applicable to a machine (total size 50MB) it will only download the 5 patches (50MB) locally to c:\windows\ccmcache. It sounds like what you are saying is the client will now download all 500MB (as everything would be contained in the Monthly Rollup). Is this correct? Does SCCM use the Monthly Rollup (which contains security and reliability patches) or will it use the Security Only Updates that are added each month?

    Either way it sounds like instead of the client only downloading 5 patches (total of 50Mb) it will end up downloading either the Monthly Rollup or Security Only Updates that could end up being much larger.

    Why hasn’t the SCCM team come out with a blog or more detail on how this process will work with SCCM?

    1. SCCM can deploy the security-only update and/or the Monthly rollup. The overall update management process will be very similar to what was used previously; the biggest difference is that there will only be one update rollup package to deploy per month.

  39. Nick says:

    Will the convenience update for Windows Server 2008 R2 need to be applied prior to moving to the new update model in October?

  40. JBrown says:

    Nathan, what release schedule will the monthly rollup and security-only patches follow starting in October 2016? Will these updates continue to be released along the existing Patch Tuesday schedule or will they be published on a different schedule?

    1. Security-only update will be released on Update Tuesday, the second Tuesday of the month

      Monthly rollups will also be released on Update Tuesday, the second Tuesday of the month.

      1. Old Dog says:

        Hi Nathan,

        I quote “Monthly rollups will be released on Update Tuesday, the second Tuesday of the month. Additionally, we will also release a new rollup on the third Tuesday of the month, containing only new non-security fixes”

        I don’t recall seeing any prior announcement of a “secondary” rollup.

        Will this additional rollup released on the 3rd Tuesday of each month be subsequently superseded by the following monthly Rollup?

        Thank you for your attention.

        1. Monthly Rollup Preview is a new Optional Update available on Windows Update, WSUS and Catalog on the 3rd Tuesday

          3 weeks later on patch Tuesday it releases as Monthly Rollup including the security patches from patch Tuesday. You can preview the new non-security patches before they release in Monthly Rollup.

      2. Chad West says:

        This 3rd Thursday roll-up. Can you elaborate on it more? Will this contain the same cumulative updates from the 2nd Tuesday minus the security-only updates?

        1. Monthly Rollup Preview is a new Optional Update, that will be available on the 3rd Tuesday, that then releases 3 weeks later including the security patches from patch Tuesday, as Monthly rollup.

          Monthly Rollup Preview will be available as an Optional Update on Windows Update, WSUS and Catalog

  41. Steven says:

    If I choose to install Security-only updates for several months and then stop for one or more months, what happens if I want to resume installing Security-only updates? Will I be required to first install Security-only updates for the missing months, or will I be able to resume leaving a gap?

    1. we recommend you install all Security updates but you can pick and choose if you wish.

  42. Fernando Ares says:

    Hi Nathan, do you have confirmation that, starting October, the .NET Framework team will release a security-only update? Thank you in advance.

    1. the .NET Framework Monthly Rollup which includes the latest security and quality improvements is announced here https://blogs.msdn.microsoft.com/dotnet/2016/08/15/introducing-the-net-framework-monthly-rollup/

  43. I cannot see any mention of MSRT.
    Will this be included in the security only CU or if not in the full CU, or will it be separate like .NET?
    I can see why MS see this whole change as good. Unfortunately from a business perspective it is nowhere near simple as we, most months, have one or more security patches causing issues with installed software and a number of us in our team think this is going to cause even more of a headache when one occurs. So an interesting thought occurs. If I install all security CUs from October to say June next year and find June’s CU causes an issue. As June’s CU includes all the updates I installed in previous CUs, if I uninstall June will all the patches in it be uninstalled or just those it installed, even though it includes the previous months’ installs as well?

    Thanks

    Adrian

    1. Security-only are just that month’s patches, not prior months like Monthly rollup. The patch installs and uninstalls as a complete package, so if you uninstall either the Security-only update or the Monthly rollup it will revert the state of your machine.

  44. Manikandan Boopathy says:

    Hi Nathan,
    This sounds great!! I have a few doubts, can you clarify these please?
    1. In a worst-case scenario, where we find after Oct 2016 that the single patch causes an issue, do we need to uninstall the whole single patch, or is there any other option to uninstall the specific one that causes the issue?
    2. In a worst-case scenario, if the system didn’t get patches in Aug 2016 (just as an example) and the system looks for patches in Oct 16 (after 2 months, i.e. after Aug/Sep), will the system look for the superseded Aug/Sep 2016 patches, or will the system adopt the single patch rollout of Oct 2016?
    3. Is the single patch included with Office standalone patches?

    1. 1. the patch installs and uninstalls as a complete unit
      2. you would get the latest Monthly rollup available
      3. these announced changes are only for Windows

  45. Jelle says:

    Hi Nathan,
    “that addresses both security issues and reliability issues”
    With reliability issues, you mean the critical updates?
    Thanks!

    1. Monthly rollup also contains recommended non-security patches

  46. Kevin Dibb says:

    Hi Nathan, I am reading some mixed messages, can you please clarify?

    In the article it says “Windows will also proactively add patches to the Monthly Rollup that have been released in the past. Our goal is eventually to include all of the patches we have shipped in the past since the last baseline, so that the Monthly Rollup becomes fully cumulative and you need only to install the latest single rollup to be up to date.”

    In a comment below, you say “we recommend you install all Security updates but you can pick and choose if you wish.”
    That comment makes it sound like you can select individual patches to install or not.

    But in another comment you say “Individual patches will no longer be available after October 2016.” and “you can still uninstall a rollup patch, its the entire rollup patch, not individual fixes included in the patch.”

    So my question is, say someone had purposely not installed a few patches in 2014 and 2015, when the cumulative patches start rolling out, will they include all the previous patches that weren’t installed? (the comment from the article leads me to believe they will be installed)

    And can you, or can you not, select individual patches to install from the future rollup patches?
    Thank you for the information.

    1. Each update can be installed and removed only as a complete package. There’s no way to uninstall just a portion of it. The comment about pick and choose is referring to choosing security-only updates (just that month’s security updates) vs Monthly rollup, which contains security + reliability.

      Offering the security-only update allows enterprises to gradually adopt the monthly rollup, or completely avoid it if they choose.

  47. Mike says:

    Hi Nathan. What about components/services like Hyper-V, AD or DNS included in Windows Server 2008 R2 or 2012 R2? Are they also impacted by this new patching process?

    1. yes, these changes also apply to Windows Server 2008 R2, Windows Server 2012, and Windows Server 2012 R2.

  48. Andy Webster says:

    “These changes also apply to Windows Server 2008 R2, Windows Server 2012, and Windows Server 2012 R2.”

    Does this mean that individual patches for these platforms will also no longer be available?

    1. yes. you will have one update to test and deploy instead of 8 or 10 or 23.

  49. Alexander says:

    Hello,

    How does this apply to Active Directory security updates and hotfixes, are they included in the rollups ?

    Thanks.

    1. yes these changes also apply to Windows Server 2008 R2, Windows Server 2012, and Windows Server 2012 R2

  50. Bob says:

    Hey Nathan, Reading between the lines, it sounds like the new cumulative update will utilize a restore point to roll back. Is this correct? Or will the uninstall be similar to current packages? Also, will we be able to approve cumulative packages for removal in WSUS, or is there new job security for desktop admins?

    1. the patches install and uninstall using the same technology as today, likewise in WSUS they install and uninstall in the same way as today.

      This announcement does not change package types, requires no infrastructure changes and even uses the same categories in WSUS and SCCM. Offering the security-only update allows enterprises to gradually adopt the monthly rollup, or completely avoid it if they choose.

  51. Andy Webster says:

    Nathan, you have linked to an article detailing the .Net monthly roll up can you link to one that more specifically addresses the server products?

    1. these servicing changes also apply to Windows Server 2008 R2, Windows Server 2012, and Windows Server 2012 R2.

  52. Kannan CS says:

    Hi Nathan,

    I would like to know more about the Office 2010, 2013, 2016 patch releases: will it be a single security update per product, or will it have more individual patches (current model) per product?

    1. these announced servicing changes only apply to Windows not Office.

        1. Kannan CS says:

          Hi Nathan,

          Could you please explain the below situation, how MS will proact and react

          In the Security update bundle, if an issue with an update causes a major issue after deployment,

          a. can we have an option to uninstall the particular update ?

          b. will MS release the bundle or it will update the new bundle ?

          1. a) you can uninstall the update, but not a single patch from inside the update.
            b) If any issues are encountered by the customer, we encourage customers to open a support case right away; we will work to resolve these as quickly as possible.
            In cases where issues are found, we will evaluate these on a case-by-case basis to determine what appropriate steps should be taken; these could be different for each issue. Organizations can always uninstall offending updates (or stop deploying them more broadly, if they are doing a staged deployment and the issues aren’t too severe) until the issue is resolved. We could choose to revise the update package, or provide an additional update that could be installed over the top of the offending update. There’s no single “right” answer.

  53. Dick DeFuria says:

    Will the stated “single Monthly Rollup” list the security updates that are superseded by it (i.e., in the WSUS GUI in the “Updates superseded by this update” details section)?

    Also, let’s say that I choose to dip my toes in the water for the first 2 months and only apply the “single Security-only update”.

    Then let’s say that in the third month I am more comfortable with the new servicing model, so I apply the cumulative monthly rollup for that month.

    Will the two previous months’ worth of security-only updates be deep-cleaned (over time)?

    Thanks.

  54. richard c says:

    Scenario – October updates are installed, we find an issue with one of the patches which causes problems but need all the others updating.
    We can’t uninstall the rollup, as we need all the other patches? What do you do?

    1. Please call us and log a support call. Things that block you from being able to install a security patch are our highest priority.

  55. Aidan says:

    Hi Nathan,

    Can the installation of the security-only update and cumulative updates be staggered? For example, we install the security-only update in Month A, the security-only update in Month B, then apply the cumulative for Month A. Would that revert the security patches installed in Month B?

    Thanks.

    1. Yes, this will work fine. ‘Component based servicing’ is smart enough to only apply newer binaries when you install an update. So when you install the monthly rollup for month A it will detect that you have some newer binaries from month B and will not overwrite them.

  56. Corey Reed says:

    Question,

    I was just told that if you run SCCM in your environment you will still be able to select individual patches. Is this correct?

    1. individual patches will no longer be available, the patch will install and uninstall at the patch level, not the individual patches contained within Monthly rollup or Security-only update.

  57. Nico says:

    Hi Nathan,

    You mention in the comments that drivers are not covered by this new process.
    Can you clarify all the categories in Windows patches, what is included, and what is not ?
    Thanks

    1. Our plan is the monthly rollup will be classified as Update Rollups
      The security-only update will be classified as security updates

      1. Nico says:

        Thanks,
        One last clarification. Will security patches be included in the rollup, or will they be separate except for Windows 10 Home ?

        1. Security updates are included in both Monthly rollup and Security-only update. Security-only is not published to WU, whereas Monthly rollup will be.

  58. Dave Kelly says:

    Is the .NET Framework Monthly Roll-up cumulative like the monthly roll-up, or just the updates for the current month like the Security only updates?

      1. Dave Kelly says:

        On another subject. I send out a cumulative update now each month. It goes back a full year. I am thinking that with the new Rollup updates it will be basically just adding the next month’s updates to the database in my distribution directory. So I will not have numerous rollup packages in my directory that is distributed to the remote DPs. Or will it just replace everything in the distribution directory with the new monthly rollup file?

  59. Kiran says:

    Hi Nathan,
    Need to know whether file size of monthly rollup will increase as every month will have previous month update? This may impact bandwidth to download and install. What will be average file size? Please clarify.

    1. eventually Monthly rollup will grow to be about the same size as Convenience rollup update. If you install via WU or WSUS you can take advantage of the Express feature to just have deltas going across the network. Security-only update will obviously be much smaller.

  60. Michael Fenter says:

    Will Silverlight security patches be included in the monthly rollup patches starting in October for Servers?

    1. No, Silverlight is not included.

  61. Kevin says:

    Is there a prerequisite for these updates? Example: A brand new Windows 7 PC is deployed with no patches. Will it be eligible for this new patching model, or will it have to be “Windows Updates” up to October 2016 before these patches will be applicable?

    1. Systems need to be at Windows 7 Service Pack 1, or November 2014 update for Windows 8.1. We don’t expect to have any other prerequisite right now.

  62. David M says:

    Could someone please let me know whether WSUS 3.0 SP2 running on Windows 2008 R2 would be able to handle these new style updates, from October onwards? As it’s unclear, We have a couple of offline Windows 2008 R2 WSUS running in our environment and to uplift these servers to 2012 R2 won’t be an easy task for us, and plus the license cost to upgrade from 2008 R2 to 2012 R2 being forced on us.

    1. there are no changes to your infrastructure required to take these new patches

  63. James says:

    Will I be able to exclude specific patches from the roll-up?

    1. no, the patch installs and uninstalls in its entirety

      1. James says:

        Thank you for the quick reply, will this also be the case for enterprise users using wsus, or can we selectively pick which updates / patches are deployed?

        1. You can choose which patches to install, but at the patch level, individual updates will no longer be available. WSUS can install either the Monthly rollup patch or the Security-only update.

          Our commitment to keeping Windows secure remains steadfast. We’re making these servicing changes because over time we have seen that the piecemeal approach to patching has been one of the biggest challenges in achieving high quality servicing.

          In this simplified process our focus on both quality and dealing rapidly with regressions is our highest priority.

  64. John Morgan says:

    Will WSUS still extract the individual updates allowing an enterprise to selectively approve updates and not approve problem updates?

    Seems that would be a huge impact to an enterprise if selective approval is lost

    1. individual updates will no longer be available, you’ll be installing at the patch level. WSUS can install either the Monthly rollup patch or the Security-only update.

      Our commitment to keeping Windows secure remains steadfast. We’re making these servicing changes because over time we have seen that the piecemeal approach to patching has been one of the biggest challenges in achieving high quality servicing.

      In this simplified process our focus on both quality and dealing rapidly with regressions is our highest priority.

  65. Harris Stewart says:

    Nathan: Regarding the prerequisite updates that must be installed on Windows 7 and 8.1 systems to make those systems eligible to receive updates under the new servicing model starting in October 2016, your September 20, 2016 10:06 am post says “Systems need to be at Windows 7 Service Pack 1, or November 2014 update for Windows 8.1. We don’t expect to have any other prerequisite right now.” Could you please identify the “November 2014 update” by its KB number and the day in November on which it was published (or did you mean all updates for Windows 8.1 that were published up to and including the month of November 2014?). If I haven’t yet installed the November 2014 update, what website should I visit in order to download it? Thanks for your help and advice.

  66. Rand Salow says:

    It states that if you’re running a WSUS server for your security updates you can opt out. How do we do that?

    1. WSUS will have the option to install both the Security-only and the Monthly Rollup updates; it will be your choice of which update to install. Remember Security-only is just that month’s security patches.

  67. Cliff Knapp says:

    We currently use MBSA with the wsusscn2.cab file to scan our servers for security issues. How will this impact MBSA? Will MBSA still use the wsusscn2.cab file to identify the single security-only update?

    1. The WSUS scan cab will have both the security-only update and the monthly rollup in it. The scan cab includes all updates that are in both the Update Rollups and Security Updates classifications so that is why they will both be included. We aren’t making any changes to how the scan cab works. There are no planned changes to the XML format.

  68. Wendy Myers says:

    I haven’t received any Microsoft updates (Windows 7) since April 2016. When I check it says that the updates are up to date. Am concerned about the security of my laptop. Any comments?

    1. you could try to Download and run the Windows Update Troubleshooter for Windows 8.1, Windows 8, and Windows 7. https://support.microsoft.com/en-us/kb/971058

  69. Eduard Falos says:

    Hello again Nathan. Sorry for being so persistent but October is near and we still need some answers. Besides the previous question regarding the quarterly patching model, will the Security only update for October appear in WSUS/SCCM in November, December and so on?

    To rephrase this, will we be able to install the same Security only update (the one released in October) in November and December?
    If we want in January to install 3 Security only updates (November, December, January) will we be able to do that?

    Many thanks!

  70. Henry Ung says:

    I am concerned about the security patches that apply to SharePoint 2013. We normally deploy these through the SharePoint monthly CU. We also have a maintenance Window, so that we can run the SharePoint Configuration wizard. Will the patches simply be installed but not applied till we run the wizard?

    1. these announcements relate to Windows not Office products.

  71. dave kelly says:

    Just a quick Verification. The Monthly security updates are both the security update & critical updates combined?

    1. Jozy says:

      Is this already available?

      1. these changes start on patch Tuesday this month, which is next week.

  72. Donna Simpson says:

    My customer has the following question:

    We are very concerned that if something were to break with this new strategy that we would be stuck not patching. That leads us to the next month, would the previous patches that broke our environment be in the next patch? We are looking for some answers so we can plan better.

    1. Security-only would only contain that month’s new security patches, whereas Monthly Rollup will include that month’s security updates, plus previous months.

      ie October Monthly Rollup will only have security updates from October. Whereas in November it will include November’s and October’s and so on.
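
The coverage rule stated in the reply above, worked through as an added example (it is not part of the original thread and is not Microsoft code). It is a simplified model: the function names, the `(kind, (year, month))` history format and the sample histories are assumptions made for illustration, and updates that ship outside these packages are ignored.

```python
# Model of the two update tracks described in the thread (added example).
# Security-only: covers only the month it was released for.
# Monthly Rollup: covers its own month plus every earlier month back to
# the first month of the new model (October 2016).

BASELINE = (2016, 10)            # first Patch Tuesday under the new model
SECURITY_ONLY = "security-only"
MONTHLY_ROLLUP = "monthly-rollup"


def months_between(start, end):
    """Inclusive list of (year, month) tuples from start to end."""
    months = []
    year, month = start
    while (year, month) <= end:
        months.append((year, month))
        month += 1
        if month == 13:
            year, month = year + 1, 1
    return months


def covered_months(installed):
    """Months whose security fixes are present, given an install history.

    installed is an iterable of (kind, (year, month)) pairs.
    """
    covered = set()
    for kind, month in installed:
        if month < BASELINE:
            raise ValueError("the model starts in October 2016")
        if kind == SECURITY_ONLY:
            covered.add(month)                              # that month only
        elif kind == MONTHLY_ROLLUP:
            covered.update(months_between(BASELINE, month))  # cumulative
        else:
            raise ValueError(f"unknown update kind: {kind!r}")
    return covered


def security_gap(installed, current):
    """Months up to `current` whose security fixes are still missing."""
    covered = covered_months(installed)
    return [m for m in months_between(BASELINE, current) if m not in covered]


def remediation(installed, current):
    """The two ways to close the gap: one Security-only update per missing
    month, or the single latest Monthly Rollup (which also brings the
    non-security fixes and any month that was skipped on purpose)."""
    gap = security_gap(installed, current)
    if not gap:
        return {SECURITY_ONLY: [], MONTHLY_ROLLUP: []}
    return {
        SECURITY_ONLY: [(SECURITY_ONLY, m) for m in gap],
        MONTHLY_ROLLUP: [(MONTHLY_ROLLUP, current)],
    }


if __name__ == "__main__":
    # Constructed history: November was skipped because of a known issue.
    skipped_november = [(SECURITY_ONLY, (2016, 10)), (SECURITY_ONLY, (2016, 12))]
    print(security_gap(skipped_november, (2016, 12)))   # November stays open
    print(remediation(skipped_november, (2016, 12)))
```

On the Security-only track a skipped month stays in the gap until that month's update is installed; on the Monthly Rollup track the next rollup closes the gap but cannot leave the skipped month's fixes out.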

  73. Brian Marofsky says:

    I have lots of concerns. One is with this:
    Over time, Windows will also proactively add patches to the Monthly Rollup that have been released in the past. Our goal is eventually to include all of the patches we have shipped in the past since the last baseline, so that the Monthly Rollup becomes fully cumulative and you need only to install the latest single rollup to be up to date.

    How large will that Cumulative patch be if it contains every patch since the last SP (baseline)?

    Also, I read elsewhere that IE security patches will still be delivered separately for the next several months. Is that true?

    1. We plan to start proactively adding patches that have been released in the past to Monthly Rollup starting next calendar year; eventually Monthly Rollup will grow to around the 500Mb size.
      IE security patches will be included in both Monthly Rollup and Security-only starting with this announcement, i.e. this next upcoming Patch Tuesday.

  74. Liam Armitage says:

    Hi, does anyone have any specifics on dates as to when the roll up releases will happen and be expected to be seen on servers?

    1. This change starts next week in October, on Patch Tuesday, and yes it does apply to Windows Server – from the blog: “These changes also apply to Windows Server 2008 R2, Windows Server 2012, and Windows Server 2012 R2”

  75. Randy says:

    Hi Nathan,

    We manage and deploy updates through SCCM using ADRs in a tiered release. From a reporting standpoint, how will compliance status show up in reporting by KB and/or MS individually? Or only as that month’s update package?

    Also, within the context of the ADR, if I understand correctly I will now be managing the Security Update/Monthly Rollup update as we choose, but also individual Microsoft product updates such as Office, Lync and Skype? I am assuming the list will just be a little shorter?

    Thank you for your time

      1. Randy says:

        Thank you!! That is an excellent source of information!

  76. Joshua says:

    Without a September ISO or rollup we now have an air gap where we manually have to select patches on standalone machines. What is being done about this? Will there be a September rollup or a September ISO?

    1. Joshua says:

      It does not still work, they have abandoned the ISO format 1 month prematurely in favour of the new rollup style. So there is neither an ISO nor a rollup for September 2016.

    2. Joshua says:

      Did you really withdraw your reply, you’re that ashamed of this? To reiterate, the DVD ISOs were stopped prematurely after the August release, and now we have rollups starting from October. Where is the September ISO or rollup?

      “You can obtain the security updates offered this month on Windows Update, from Download Center on Security and Critical Releases ISO CD Image files. For more information, see Microsoft Knowledge Base Article 913086.”
      https://support.microsoft.com/en-us/kb/913086

      1. We’re confirming with the team where the ISOs went for September. For now you could download and create your own ISO or move them onto your system with a USB key etc.

        1. Joshua says:

          Sorry I didn’t realise you had a direct connection to the team! It’s just that I made a batch file to extract the DVD ISOs (per operating system) and another batch to install them, which assumes the ISO format, and updates in msu format. Thank you very much for chasing this up!

        2. Joshua says:

          Any news?

  77. Joshua says:

    Hang on I’ve seen a massive flaw with this, does this mean that we have to wait for every component of a patch rollup to be superseded before the rollup is superseded? And if so, doesn’t that mean we’ll have to download every single patch from October 2016 until the current month going forward? Rebuilds are going to take so much longer…

    1. November monthly rollup will contain everything that was in October monthly rollup, December monthly rollup will contain everything in November and October monthly rollups, and so on. Additional info on this blog https://blogs.technet.microsoft.com/windowsitpro/2016/10/07/more-on-windows-7-and-windows-8-1-servicing-changes/

      1. Joshua says:

        Well that’s actually very sensible.

  78. Borislav says:

    Hi Nathan,
    I have another question:
    If we install first the Security Only Quality Rollup and after this the Monthly Quality Rollup – what will happen? Will they be replaced, or will the Monthly Quality Rollup detect that the Security Only is already installed and install only the updates which are not present?
    The same question is valid also in the opposite case.
    Thanks

    1. It will only install the bits that are needed/missing; it will not reinstall.

      1. jd says:

        Hi Nathan,
        In your previous answers regarding the “superseding” property of the new model, you mentioned that only the Monthly Rollup would have that superseding property (aka: by default, will remove any previous Monthly Rollup’s superseded bits, and then install only the new bits needed/missing).
        The Security-Only Monthly Rollup would not have that capability.

        This raises one major flaw (whether it’s on purpose or not, only you can tell):
        If one (like me and MANY users) does NOT want some or any of the reliability-related update(s)/bits to be installed on his machine/fleet, he would have no choice but to keep with the Security-only Monthly Rollup model…, hence never be able to remove superseded bits from those previous Security-only Monthly Rollup packages installed the month before and before…

        This means he will eventually have a choice to make in order to have only up-to-date (and non-faulty/outdated/unsafe) bits installed:
        1- Ditch the Security-Only Monthly Rollup model, to go to the full Monthly Rollup one. (which will include those unwanted reliability updates)
        2- Piling up a bunch of superseded Security updates month after month, not only making his system less stable but less secure and wasting a huge amount of storage space by not being able to supersede the superseded bits…

        1. When a new Monthly Rollup is applied, disk cleanup removes older installed Monthly Rollups as they are superseded. Disk cleanup will clean up any update that has been superseded for more than 30 days. This only runs automatically on Windows 8.1, and would need to be manually run or scheduled on Windows 7. New Security Only Quality Updates do not regularly supersede older months’ Security Only Quality Updates, because they will always only have the new security fixes for that month, which will usually include fixes for different components and therefore cannot supersede an older update with different components. It’s worth noting though that this could happen on occasion, in the event an older month’s update only contains a subset of components (or the same components) as a future update.
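The supersedence rule described in the reply above, and the Security-only versus Monthly Rollup contents described in the reply to comment 72, as an added example that is not part of the original thread and is not Microsoft's applicability logic. It is a simplified model: each update is a map of component to version, the component names and monthly contents are constructed, and an update counts as superseded when a later update carries all of its components at the same or a higher version.

```python
from dataclasses import dataclass


@dataclass
class Update:
    name: str
    order: int          # release order within the track (0 = first month)
    components: dict    # component name -> version shipped by this update


def supersedes(newer: Update, older: Update) -> bool:
    """True when `newer` carries every component of `older` at >= its version."""
    if newer.order <= older.order:
        return False
    return all(
        comp in newer.components and newer.components[comp] >= ver
        for comp, ver in older.components.items()
    )


def build_tracks(monthly_fixes):
    """Build both tracks from per-month fixes given in release order.

    Security-only holds just that month's fixes; Monthly Rollup holds that
    month's fixes plus everything from the previous months.
    """
    security_only, rollups, cumulative = [], [], {}
    for order, (label, fixes) in enumerate(monthly_fixes):
        security_only.append(Update(f"{label} Security-only", order, dict(fixes)))
        for comp, ver in fixes.items():
            cumulative[comp] = max(cumulative.get(comp, 0), ver)
        rollups.append(Update(f"{label} Monthly Rollup", order, dict(cumulative)))
    return security_only, rollups


def not_superseded(track):
    """Names of updates in a track that no later update in that track supersedes."""
    return [u.name for u in track if not any(supersedes(n, u) for n in track)]


# Constructed sample data: component names and versions are illustrative only.
FIXES = [
    ("Oct", {"kernel": 1, "ie": 1}),
    ("Nov", {"gdi": 1, "ie": 2}),
    ("Dec", {"kernel": 2, "ie": 3}),  # same components as Oct: the occasional case
]

if __name__ == "__main__":
    so, ru = build_tracks(FIXES)
    print("Rollup track, still current:", not_superseded(ru))
    print("Security-only track, still current:", not_superseded(so))
```

In the sample data the December Security-only update happens to cover the same components as October's, so October drops out while November remains, which is the occasional case the reply mentions.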

  79. Tuan Nguyen says:

    Do you know whether or not future Hotfixes will be rolled up in the Security Monthly Quality Rollup or Updates? For example, will the Hotfixes released in November be rolled up in December’s Security Monthly Quality Rollup or Updates?

    Thanks.

    1. Security-only updates only contain security updates from that month, not prior months, and it literally is only security updates, no other types of patches.

      1. Tuan Nguyen says:

        Hi Nathan, thank you for the reply. I am concerned about Microsoft’s “Hotfixes”. Do they get rolled up in the monthly “Quality Rollup”?

  80. Gianni says:

    Hi,
    In our company, we have a certain group of computers that have IE 11 but need to be excluded from monthly Internet Explorer patches. How can I go about being able to download all other updates individually or is it possible to create a custom package that includes the updates EXCEPT the Internet Explorer Update?

    1. Updates for IE11 are included in the Security-only Update and the Monthly Rollup. There is no capability to remove the fixes for IE11 from these updates, or to release a version of the updates that does not include the IE11 fixes.

      It would be helpful to understand your scenario further for the desire to not patch IE11 on your computers where it is installed.

      1. Gianni says:

        There is a vendor web application accessed by some users (~50) which runs into issues after applying IE updates starting with KB3154070 on the users’ PCs. The ‘updated’ version of the app will be released by the vendor by the end of the year or Q1 next year. The vendor stated they will not provide a fix for the current app version. As of now, we have been excluding those PCs from the IE 11 updates only.

  81. Borislav says:

    Hi Nathan,
    On 18.10 our WSUS started to show “October 2016 Preview of Monthly Quality Rollup for Windows Server * (2008R2, 2012, 2012R2)”
    The question is – what is the purpose of this update in WSUS? Just to get a view of what is coming? Should we approve it and install although it is “Preview” or wait for release?
    Thanks in advance

  82. Borislav says:

    Hi Nathan,
    thanks for the information but I have a question. We are using WSUS where some of the servers are separated by their usage – for example Domain-Controller, DHCP, WSUS. In some of the previous patch releases there were security updates ONLY for Domain Controllers, DNS, Skype for Business and some other roles.

    Q1: Where will these updates appear?
    Q2: If all security updates are all together, does this mean that the “standard” servers will get these updates as well?

    What will happen in this case?

    Thanks in advance.

  83. John Ferragamo says:

    Hello.

    Hoping to get a definitive, clear answer on this question as I have not seen it specifically asked, or addressed in these posts.

    Let’s say I have been applying the Monthly Rollups since October 2016 and now in January 2017 we find an issue which forces us to rollback.

    Since these rollups are cumulative, what is the net effect of uninstalling the January 2017 Monthly rollup?
    Will my machine revert back to the December 2016 Monthly Rollup patch level?
    Or will it revert all the way to the pre-October 2016 patch level?

    Thank you

    1. It will simply roll your machine back to the prior state before you installed the rollup patch. So in your example, you’d be back at the December level.

      1. John Ferragamo says:

        Thank you Nathan.
        That is the answer I have been looking for.
        Much appreciated.

    2. John Morgan says:

      Is this really true…

      why I think more thought should go into this answer…
      If I am using a technology that leverages express packages…(WSUS, Windows Updates, other) I agree…since the client only received the limited patch package….
      BUT….
      If I don’t have an express enabled packaging tool in place…I just downloaded a full cumulative package and I also use to do the uninstall with…leaving me to believe that all updates will get uninstalled….back to October 2016

      If this is not reality…please explain how the uninstall will be aware of what to leave in vs. what to take out?

      Thanks in advance,

      John

      1. John Morgan says:

        I have to consider the what if because…
        I have 16k PCs that are patched with LANDesk….no express package awareness…I think I’m in trouble here
        I have 2.5k servers that are patched with WSUS…express package aware…and I think they will be just fine

        Food for thought,

        John

    3. John Morgan says:

      Is this really true…

      why I think more thought should go into this answer…
      If I am using a technology that leverages express packages…(WSUS, Windows Updates, other) I agree…since the client only received the limited patch package….
      BUT….
      If I don’t have an express enabled packaging tool in place…You will have just used a full cumulative package and you will be leveraging the same full cumulative package to do the uninstall …leaving me to believe that all updates will get uninstalled….back to October 2016

      If this is not reality…please explain how the uninstall will be aware of what to leave in vs. what to take out?

      Thanks in advance,

      John

    4. John Morgan says:

      Is this really true…

      why I think more thought should go into this answer…
      If I am using a technology that leverages express packages…(WSUS, Windows Updates, other) I agree…since the client only received the limited patch package….
      BUT….
      If I don’t have an express enabled packaging tool in place…You have just used a full cumulative package and you will be leveraging the same full cumulative package to do the uninstall …leaving me to believe that all updates will get uninstalled….back to October 2016

      If this is not reality…please explain how the uninstall will be aware of what to leave in vs. what to take out?

      Thanks in advance,

      John

  84. Rick Burke says:

    Am I correct in understanding that if we install a rollup, (say Oct) and find it ‘in our opinion’ causes an unwanted impact and uninstall it that rollup. The same ‘update’ that caused the unwanted impact will now be in the Nov rollup; because we uninstalled the Oct rollup?

    1. November monthly roll-up will include October content too, yes. Remember that security-only only contains the security fixes released in that month. See https://blogs.technet.microsoft.com/windowsitpro/2016/10/07/more-on-windows-7-and-windows-8-1-servicing-changes/ for more info

  85. Joshua says:

    More problems with the new model!! This is a joke if this is going to keep on this way.

    Quality update: KB3185330 replaces Security update: KB3138962
    Security Update kb3192391 does not.

    Ok no problem, just keep the old one deployed? Nope, they Expired it so it can no longer be deployed via WSUS/SCCM.

    1. Malcolm Cross says:

      My Win 7 will NOT do auto Window Updates. Can I manually update the new system Updates? How?

  86. Malcolm Cross says:

    Nathan: My Win 7 will NOT do auto Window Updates. Can I manually update the new system Updates? How?

  87. Mapla_kiki says:

    Hi, Nathan. I have a question. Microsoft was saying that Security Monthly Quality rollup will contain Security fixes for Internet Explorer link: https://blogs.technet.microsoft.com/windowsitpro/2016/10/07/more-on-windows-7-and-windows-8-1-servicing-changes/. But suddenly I see some strange thing on this site: https://support.microsoft.com/en-us/help/4019264 : This Monthly Rollup update does not include security fixes for Internet Explorer. In order to obtain the security fixes for Internet Explorer, the Cumulative Security Update for Internet Explorer KB4018271 should also be installed. Note that the Security Monthly Quality Rollup does contain security updates for Internet Explorer. I don’t understand this, so it does not contain but note that it contains… sounds ridiculous. So could you tell me if the May 2017 Security Monthly Quality rollup for Windows 2008R2 / 2012R2 contains the May Cumulative Security update for Internet Explorer 11 or not?

    1. Starting with February 2017, the Security Only update will not include updates for Internet Explorer. Please see our January 2017 blog post for further details https://blogs.technet.microsoft.com/windowsitpro/2017/01/13/simplified-servicing-for-windows-7-and-windows-8-1-the-latest-improvements/

      1. Mapla_kiki says:

        Nathan but this KB4019264 is Monthly Rollup….and there is information: This Monthly Rollup update does not include security fixes for Internet Explorer….please explain.

        1. Mapla_kiki says:

          Looks like a misprint to me.

          1. Mapla_kiki says:

            Nathan, so could you please confirm that this Monthly rollup KB4019264 contains the Cumulative Security Update for IE 11? And that the information provided on site: https://support.microsoft.com/en-us/help/4019264 saying that: “This Monthly Rollup update does not include security fixes for Internet Explorer. In order to obtain the security fixes for Internet Explorer” is wrong? Misleading and will be corrected?
