More on Windows 7 and Windows 8.1 servicing changes


UPDATE: 12/5/2016: In November 2016, the Security Monthly Quality Rollups were released as superseding the Security Only Quality updates. This resulted in an impact to customers deploying the Security Only Quality updates, using tools that cannot easily deploy superseded updates, such as System Center Configuration Manager 2007. Based on customer feedback, this supersedence has been changed in December 2016. Please review the updates below if this impacts your deployment scenarios.

As we previously announced, we are moving to a rollup model for Windows 7 SP1, Windows 8.1, Windows Server 2008 R2, Windows Server 2012, and Windows Server 2012 R2 updates. These changes will take effect with the next Update Tuesday release, on October 11.

The above versions of Windows will now follow a similar update servicing model as later Windows versions, bringing a more consistent and simplified servicing experience. For those of you who manage Windows updates within your organization, it’s important that you understand the choices that will be available.

First, let’s review what we will release each month – listed below are the three updates and their official titles:

A security only quality update

  • A single update containing all new security fixes for that month
  • This will be published only to Windows Server Update Services (WSUS), where it can be consumed by other tools like ConfigMgr, and the Windows Update Catalog, where it can be downloaded for use with other tools or processes. You won’t see this package offered to PCs that are directly connected to Windows Update.
  • This will be published to WSUS using the “Security Updates” classification, with the severity set to the highest level of any of the security fixes included in the update.
  • This (like all updates) will have a unique KB number.
  • This security only update will be released on Update Tuesday (commonly referred to as “Patch Tuesday”), the second Tuesday of the month.  (This is also referred to as a “B week” update.)

A security monthly quality rollup

  • A single update containing all new security fixes for that month (the same ones included in the security only update released at the same time), as well as fixes from all previous monthly rollups.  This can also be called the “monthly rollup.”
  • This will be published to Windows Update (where all consumer PCs will install it), WSUS, and the Windows Update Catalog.  The initial monthly rollup released in October will only have new security updates from October, as well as the non-security updates from September.
  • This will be published to WSUS using the “Security Updates” classification.  Since this monthly rollup will contain the same new security fixes as the security only update, it will have the same severity as the security only update for that month.
  • With WSUS, you can enable support for “express installation files” to ensure that client PCs only download the pieces of a particular monthly rollup that they haven’t already installed, to minimize the network impact.
  • This (like all updates) will have a unique KB number.
  • This monthly rollup will be released on Update Tuesday (also known as “Patch Tuesday”), the second Tuesday of the month.  (This is also referred to as a “B week” update.)

A preview of the monthly quality rollup

  • An additional monthly rollup containing a preview of new non-security fixes that will be included in the next monthly rollup, as well as fixes from all previous monthly rollups.  This can also be called the “preview rollup.”
  • This preview rollup will be released on the third Tuesday of the month (also referred to as the “C week”).
  • This will be published to WSUS using the “Updates” classification as an optional update.  It will also be available via Windows Update (where all consumer PCs will install it) and on the Windows Update Catalog.
  • With WSUS, you can enable support for “express installation files” to ensure that client PCs only download the pieces of a particular monthly rollup that they haven’t already installed, to minimize the network impact.
  • Starting later in 2017 and continuing for several months, older fixes will also be added to the preview rollup, so it will eventually become fully cumulative; installing the latest monthly rollup will then get your PC completely up to date.
  • This (like all updates) will have a unique KB number.

Each month there will be separate updates released for a variety of reasons (e.g. DST time zone changes, out-of-band security fixes). Many of these will be rolled into the next monthly rollup, although some will remain separate, including Office, Flash and Silverlight updates.

Internet Explorer updates

The security only and monthly rollups will contain fixes for the Internet Explorer version supported for each operating system.  For Windows 7, Windows 8.1, Windows Server 2008 R2, and Windows Server 2012 R2, that is Internet Explorer 11; for Windows Server 2012, that is Internet Explorer 10.  The security only, monthly rollup, and preview rollup will not install or upgrade to these versions of Internet Explorer if they are not already present.

UPDATE: 1/13/2017: Starting with February 2017, the Security Only update will not include updates for Internet Explorer.  Please see our January 2017 blog post for further details.

.NET Framework monthly rollup

The .NET Framework will also follow the monthly rollup model with a monthly release known as the .NET Framework monthly rollup. The .NET Framework monthly rollup will deliver both security and reliability updates to all versions of the .NET Framework as a single monthly release, targeting the same timing and cadence as Windows. It is important to note that the rollup for the .NET Framework will only deliver security and quality updates to the .NET Framework versions currently installed on your machine. It will not automatically upgrade the base version of the .NET Framework that is installed. Additionally, the .NET Framework team will release a security only update on Microsoft Update Catalog and Windows Server Update Services every month.

See https://blogs.msdn.microsoft.com/dotnet/2016/10/11/net-framework-monthly-rollups-explained/ for more information on the changes to .NET Framework updates.

Update strategy choices

Operationally, this means that you now have some choices for updating Windows 7 and Windows 8.1 PCs.  These choices closely correspond to the way you update Windows today, as discussed in the following sections.

You install all security and non-security fixes as we release them

This is our recommended updating strategy, as it ensures that all fixes for Windows are deployed on the PCs that you manage.  To implement this, you should deploy the monthly rollup.  For those using WSUS, the following steps are recommended:

  • Ensure that you have selected the “Security Updates” classification in the WSUS “Products and Classifications” options page, so that both the security only update and monthly rollup on Update Tuesday are synchronized.  To synchronize the optional preview rollup, also ensure the “Updates” classification is selected.
  • Ensure that you have enabled support for “express installation files” in the WSUS “Update Files and Languages” options page.
  • Existing automatic approval rules for Windows 7 or Windows 8.1 will continue to work as is.  Note that since the security only update and monthly rollup are both classified as “Security Updates,” rules that specify this classification will approve both.  See the “What’s expected if you deploy both updates?” section below for details.  You may also manually approve just the monthly rollup.
  • To preview the next month’s non-security fixes on the third Tuesday of the month, you can set up an automatic approval rule for “Updates”, targeting all computers or a subset of them, as appropriate.

If using ConfigMgr, you can perform similar steps:

  • Ensure you have the “Security Updates” classification selected in the “Software Update Point” properties for the site.  To synchronize the optional third Tuesday monthly rollup, also ensure the “Updates” classification is selected.
  • Existing Automatic Deployment Rules (ADRs) for Windows 7 or Windows 8.1 will continue to work as is.  Note that since the security only update and monthly rollup are both classified as “Security Updates,” rules that specify this classification will approve both.  See the “What’s expected if you deploy both updates?” section below for details.  You may also manually approve just the monthly rollup.  Alternatively, you can filter based on the title of the update (taking into account the different localized strings when deploying non-English updates):

    Suggested English title search strings (which must be adjusted for other languages and could be different for .NET Framework updates) include:
    “Security Only”
    “Security Monthly Quality Rollup”
    “Preview of Monthly Quality Rollup”
  • Note that Configuration Manager does not support express updates, so the entire monthly rollup will be downloaded to each PC each month.

With these small adjustments, the overall update management process will be very similar to what was used previously.

You install all security fixes, but no other fixes

For organizations that typically deploy only security fixes, you will now find that instead of approving or deploying a set of fixes each Update Tuesday, you will approve or deploy just a single update.

Since the security only update and the monthly rollup both are published using the “Security Updates” classification, existing automatic approval rules in WSUS would approve both the security only and the monthly rollup each month.  The same is also true with Configuration Manager automatic deployment rules.  This will require either manually approving or deploying updates each month, or in the case of Configuration Manager, adjusting existing automatic deployment rules.  See the previous section for details.

You install all security updates as we release them, and some non-security fixes to address specific problems

Since the organization will typically be deploying only the security only fix, see the previous section for full details.  In cases where there is a need to deploy one or more non-security fixes, manually approve the latest monthly rollup that contains the needed fixes.  This monthly rollup will contain other fixes as well, so the entire package must be installed.

What’s expected if you deploy both updates?

Since all the new security fixes for a given month are available in both the security only update and the monthly rollup, it’s important to understand the behavior that may be seen if you deploy both updates in the same month.

For example, assume you approve and deploy the security only update and the monthly rollup that are both released on Update Tuesday (a.k.a. “Patch Tuesday,” the second Tuesday of the month).  This isn’t necessary, since the security fixes are also included in the monthly rollup, and it would generate additional network traffic since both would be downloaded to the PC.  But what would happen?  It depends on the installation sequence:

  • If the monthly rollup installs first, all the fixes that are in the security only update would already be installed.  Depending on your deployment steps, the security only update may still be listed as applicable for download and install, but doing so would not update any components on the PC.  For simplicity, we recommend approving only one of the packages for deployment.  UPDATED 12/5/2016: Starting in December 2016, the security only updates will not be applicable for installation on the PC if a monthly rollup (from the current or future month) is already installed.  The security only updates from October and November 2016 will also be updated to the same behavior.
  • If the security only update installs first, the monthly rollup will still be applicable as it contains additional fixes (both non-security fixes and older security fixes) that are needed by the PC.  The monthly rollup would then download and install, providing the additional non-security fixes (and any security fixes from previous months).

Depending on the management tool you are using to deploy these updates, this may be represented differently in the compliance and deployment reports provided by those tools.  New Security Monthly Quality Rollups will supersede earlier Security Monthly Quality Rollups and Security Only Quality Updates.

UPDATED 12/5/2016: Starting in December 2016, monthly rollups will not supersede security only updates. The November 2016 monthly rollup will also be updated to not supersede security only updates. Installing the latest monthly rollup will ensure the PC is compliant for all security updates released in the new servicing model.

Note that installing just the security only updates may show the monthly rollup as Missing in compliance tools or reports, as the monthly rollup is also a “Security update”. If the security only updates are installed each month, the PC will have all the necessary security fixes released in the new servicing model.

As long as you install one or the other (security only update or monthly rollup), the PCs will have the needed security fixes released that month.
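The coverage and applicability rules in this section, together with the English title search strings listed earlier, can be modelled as follows. This is an added example, not code from Microsoft or from this post: the function names are hypothetical, months are written as yyyyMM integers, the titles and KB numbers are constructed placeholders, and the preview rollup is not modelled.

```powershell
# Added example. Titles and KB numbers below are constructed sample data.

function Get-UpdateKind {
    param([string]$Title)
    # English title search strings from the post; localized titles differ.
    if ($Title -like '*Preview of Monthly Quality Rollup*') { return 'Preview' }
    if ($Title -like '*Security Monthly Quality Rollup*')   { return 'MonthlyRollup' }
    if ($Title -like '*Security Only*')                     { return 'SecurityOnly' }
    return 'Other'
}

# Month (yyyyMM) of the newest monthly rollup on the PC, or 0 if none is installed.
function Get-LatestRollupMonth {
    param([object[]]$Installed)
    $months = @($Installed |
        Where-Object { (Get-UpdateKind $_.Title) -eq 'MonthlyRollup' } |
        ForEach-Object { $_.Month })
    if ($months.Count -eq 0) { return 0 }
    return [int]($months | Measure-Object -Maximum).Maximum
}

# Months whose security fixes are not on the PC. A monthly rollup covers its own
# month and every earlier month of the new servicing model; a security only
# update covers just its own month.
function Get-MissingSecurityMonth {
    param([object[]]$Installed, [int[]]$ReleasedMonths)
    $latestRollup = Get-LatestRollupMonth $Installed
    $secOnly = @($Installed |
        Where-Object { (Get-UpdateKind $_.Title) -eq 'SecurityOnly' } |
        ForEach-Object { $_.Month })
    $ReleasedMonths | Where-Object { $_ -gt $latestRollup -and $secOnly -notcontains $_ }
}

# Applicability under the December 2016 behavior described above.
function Test-UpdateApplicable {
    param($Candidate, [object[]]$Installed)
    $latestRollup = Get-LatestRollupMonth $Installed
    switch (Get-UpdateKind $Candidate.Title) {
        # Not applicable once a rollup from the same or a later month is installed.
        'SecurityOnly' {
            return ($Candidate.Month -gt $latestRollup) -and
                   ($Installed.Title -notcontains $Candidate.Title)
        }
        # Still applicable after security only updates: it carries the
        # non-security fixes and the older security fixes.
        'MonthlyRollup' { return $Candidate.Month -gt $latestRollup }
        # Preview rollups and other updates are outside this model.
        default { return $false }
    }
}

# Constructed scenario: releases from October 2016 through January 2017.
$released = 201610, 201611, 201612, 201701
$pcA = @(   # security only updates for October and December, November skipped
    [pscustomobject]@{ Month = 201610; Title = 'Security Only Quality Update for Windows 7 (KB0000001)' }
    [pscustomobject]@{ Month = 201612; Title = 'Security Only Quality Update for Windows 7 (KB0000003)' }
)
$pcB = @(   # December monthly rollup only
    [pscustomobject]@{ Month = 201612; Title = 'Security Monthly Quality Rollup for Windows 7 (KB0000013)' }
)
$novSecOnly = [pscustomobject]@{ Month = 201611; Title = 'Security Only Quality Update for Windows 7 (KB0000002)' }
$janRollup  = [pscustomobject]@{ Month = 201701; Title = 'Security Monthly Quality Rollup for Windows 7 (KB0000014)' }

"PC-A months missing security fixes: $(Get-MissingSecurityMonth $pcA $released)"
"PC-B months missing security fixes: $(Get-MissingSecurityMonth $pcB $released)"
"November security only applicable to PC-B: $(Test-UpdateApplicable $novSecOnly $pcB)"
"January monthly rollup applicable to PC-A: $(Test-UpdateApplicable $janRollup $pcA)"
```

The PC-A case shows why skipping one month of security only updates leaves a gap that later security only updates do not close, while a later monthly rollup does.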

The common concern:  What if an update causes an issue?

Every Windows update is extensively tested with our OEMs and ISVs, and by customers – all before these updates are released to the general population.

Your organization may also be interested in validating updates before they are publicly released, by participating in the Security Update Validation Program (SUVP).  This program enables organizations to establish an additional early validation ring within the organization, while also providing a direct channel back to Microsoft for any issues encountered.  For more information on SUVP, see https://msdn.microsoft.com/en-us/gg309155.aspx; contact your Technical Account Manager or Microsoft account team to discuss this further.

To minimize the potential impact on an organization, we recommend that you always have a “ringed” deployment approach for all updates, starting with the IT organization, expanding to one or more pilot groups, followed by one or more broad deployment groups.  Allow sufficient time between rings for users to report any issues that they might see.

If any issues are encountered, we recommend stopping or pausing deployment of the update and contacting Microsoft Support as soon as possible.  Based on our analysis of the issue, we may recommend different courses of action, such as:

  • Rolling back the update on affected machines while the issue is being investigated.
  • Installation of other updates known to resolve the issue observed.
  • Working with the publisher (ISV) for an affected application.

The specific action is determined on a case-by-case basis, and could be different for each customer based on the specific impact to the organization.  Regardless of the action, be assured that any issues with an update are considered top priority and that we will work hard to resolve these as quickly as possible.

Use peer-to-peer technologies to help with update distribution

While express installation files can help greatly reduce the amount of content needed to patch each PC, it is still useful to implement peer-to-peer sharing technologies like BranchCache or Delivery Optimization to reduce the overall impact on the network by allowing PCs to obtain the updates they need from other PCs on the network that have already obtained them from WSUS or ConfigMgr.

You can deploy BranchCache by enabling the feature on each WSUS or ConfigMgr server, then configuring the client PCs using Group Policy to use a distributed cache.  See https://technet.microsoft.com/en-us/itpro/windows/manage/waas-branchcache for more information.  While the full BranchCache functionality is only available in the Windows Enterprise SKU, BITS support (all that’s needed for caching updates) is also available in the Windows Pro SKU.  See https://technet.microsoft.com/en-us/library/mt613461.aspx#bkmk_os for more information.

Summary

These changes will further simplify your updating of Windows 7 SP1, Windows 8.1, Windows Server 2008 R2, Windows Server 2012, and Windows Server 2012 R2 computers, while also improving scanning and installation times and providing flexibility depending on how you typically manage Windows updates today.

To learn more about the security and non-security updates for these versions, check out the Update History pages below:

Updated 11/8/2016 to include additional detail on Deploying Superseded Down Level Windows Updates with Microsoft Configuration Manager 2007
Updated 12/5/2016 to include additional detail on the removal of Monthly Rollup supersedence of Security Only updates.
Comments (31)

  1. Rich says:

    Thank you Michael this contained a lot of useful information for WSUS/SCCM users. The pictures are very helpful as well! Kudos!

  2. Gokulnath says:

    Good information. I will publish my site and group.. 😂

  3. JBrown says:

    Michael,

    Will a security-only update be released monthly for .NET Framework? Or will there only be one update posted each month for .NET Framework (which will include both security and reliability fixes)?

    1. Andreiz says:

      .NET Framework monthly rollup

      See this paragraph:
      The .NET Framework will also follow the monthly rollup model with a monthly release known as the .NET Framework monthly rollup. The.NET Framework monthly rollup will deliver both security and reliability updates to all versions of the .NET Framework as a single monthly release

  4. Michael Niehaus says:

    Will “Windows Update” also get a “quality” update?

    To experience its current miserability visit https://www.microsoft.com/en-us/software-download/windows7 and fetch the installation media for Windows 7 x86, then perform a fresh install. Be sure to have network connectivity for Windows Update. Wait 2 to 6 hours, then take a look into %windir%\WindowsUpdate.log … and notice the EPIC failure with error code 0x8007000E alias E_OUTOFMEMORY.
    Also notice that WU delivers the COMPLETELY outdated WUA 7.6.7600.320 to Windows 7 clients.

    Then take a look into the MSKB articles 3050265 and 3161647 and notice that there is an updated WUA available which should have 0x8007000E fixed.

    And while you’re there: the MSKB article 949104 suffers from bit-rot too!

  5. Craig says:

    The article mentions Internet Explorer 10 and Internet Explorer 11 and that “The security-only, monthly rollup, and preview rollup will not install or upgrade to these versions of Internet Explorer if they are not already present.”

    What about older versions of IE, like Internet Explorer 9 (IE9)?

    1. On Windows 7, only Internet Explorer 11 is supported – older versions are no longer being updated. See https://www.microsoft.com/en-us/WindowsForBusiness/End-of-IE-support for more detail.

  6. italiangm says:

    I didn’t see a reference to Windows 10 nagware updates. Will any of those updates be present in the Windows 7 SP1 rollups starting Oct 2016? Will any of the rollups contain an update that specifically removes Windows 10 nagware? Please advise. Thanks.

    1. The free Windows 10 upgrade offer period has now ended. GWX is not included in security-only or monthly rollup updates.

  7. Jerry Sully says:

    It appears from the diagram under “You install all security fixes, but no other fixes” that the Security-only updates are not cumulative. In that scenario, if a patch in the October Security-only update were causing a problem, I could hold off on deploying that update, and still go ahead and install the November Security-only update knowing that the problematic patch would not be included. In other words, “11B” in the diagram does not include the contents of “10B”. Is that correct?

    1. Correct, the security-only update only includes security updates from that month, not from previous months like the Monthly Rollup.

  8. Calash_nec says:

    Windows Update Catalog, as of this morning, is showing individual patches available for download. Has this changeover been moved to next month?

  9. Keith says:

    Great Article. Shared it with a bunch of my teammates. Very good.

  10. Lokesh Gaur says:

    Great Efforts in providing this technical information, Great thanks Michael.

  11. Umar says:

    What will be the approach for SQL Server patching? Can someone explain this?

    1. These changes only relate to Windows.

  12. Cole says:

    Thank you for further clarifying this update process.

  13. Lokesh Gaur says:

    Michael,
    Queries are occurring across different departments about whether there’s going to be an issue with the cumulative updates for the OS, and operations teams are asking:
    1. Would they need to uninstall/remove cumulative updates?
    2. And would it remove all the previous updates as well?
    3. If this is the case, businesses running critical applications may be led to a crash.
    4. Kindly provide some root cause understanding of the situation for the above said scenario in which we uninstall or remove cumulative updates/patches.
    I can be reached at the following Email and Contact Numbers:
    Lokesh.Gaur@in.britishcouncil.org
    Mobile: +91-9717658989

    1. Uninstalling the monthly rollup will take your machine back to the state it was in before that Monthly Rollup was installed.

      If any issues are encountered, we encourage you to open a support case right away; we will work to resolve these as quickly as possible.

      In cases where issues are found, we will evaluate these on a case-by-case basis to determine what appropriate steps should be taken; these could be different for each issue.  Organizations can always uninstall offending updates (or stop deploying them more broadly, if they are doing a staged deployment and the issues aren’t too severe) until the issue is resolved.  We could choose to revise the update package, or provide an additional update that could be installed over the top of the offending update.  There’s no single “right” answer.

  14. Alex S says:

    Thank you for this awesome post! Could you please re-attach all images that were originally on this page? The ones with matrices of packages that are to be published over the next time period… Those images helped me a lot while trying to explain the idea to business owners.

    1. I’m not sure where they went, but I’ve re-added them.

  15. gaurav says:

    Hello Michael,

    Just an example: if I am updating with the monthly rollup for, let’s say, February (for the first time), will the February rollup in this case contain the rollup updates since October?

    As the monthly rollup patch consists of previous months’ updates as well, won’t it in this case affect network and server performance while downloading a huge amount of Windows updates?

    1. Yes, the rollup would contain all fixes released from October onward. The PC would download only the pieces of the update that it hasn’t already installed, as long as express updates are enabled (with Windows Update, Windows Update for Business, and WSUS).

  16. Brian says:

    Is it possible that a future security-only update could include the Diagnostics Tracking Service component?

    1. Since that component is not a security update, no, it would not be included in a security-only update.

      1. Brian says:

        Thank you for responding :).

        How about the following scenario? Suppose a security-related issue is found in the file that contains the code for Diagnostics Tracking Service, and a fixed version of this file is included in the January 2017 monthly rollup. Consider a user who installs the December 2016 monthly rollup (which installs the Diagnostics Tracking Service), and then installs the January 2017 security-only update. If a fixed version of the file is not included in the January 2017 security-only update, then this user will be vulnerable, correct?

  17. Brian says:

    If a security-only update has a bug of a non-security nature, and this bug is fixed in a monthly rollup, can we expect the bug to also be fixed a) in an updated version of the problematic security-only update, b) in a separate update, or c) none of the above? Example: suppose a security-only update has a bug that results in a very long login time for some users. The point of this question is whether installing only security-only updates can be expected to be a viable choice for those who want a reasonably good experience in regards to bugs.

  18. Malcolm Cross says:

    My tired HP laptop will NOT do automatic Win 7 Window Updates. Can I MANUALLY update the new system Updates?
    How ? Thank you.

  19. Pete says:

    Is this information still valid? Regarding Windows 7 the Windows update catalog shows KB3212642 for January 2017 and KB4012212 for March 2017, but nothing for February 2017?

    1. The February 2017 updates were delayed and included as part of the March 2017 updates – https://blogs.technet.microsoft.com/msrc/2017/02/14/february-2017-security-update-release/
