Stop hurting yourself by: Not applying the non-security updates for Windows and Windows Server.
Applies to:
Windows 8.1/Windows 2012 R2
Windows 8/Windows 2012
Windows 7 SP1/Windows 2008 R2 SP1
Windows Vista/Windows 2008
Does not apply to:
Windows 10 1803 ((tbd))
Windows 10 1709 (Fall Creators update)
Windows 10 1703 (Creators update)
Windows 10 1607 (Anniversary update) / Windows Server 2016
Windows 10 1511 (November update)
Windows 10 1507 (RTM)
Before proceeding with this blog post, first review:
Stop hurting yourself by: Not updating the drivers and firmware’s in Windows and Windows Server.
https://blogs.technet.microsoft.com/yongrhee/2018/03/20/stop-hurting-yourself-by-not-updating-the-drivers-and-firmwares-in-windows-and-windows-server/
I was on-site this year (2018) and I had heard the following:
"We don’t always install hotfixes; We install hotfixes if that specific problem is experienced in the environment. Security and Critical patches take precedence and, in the case of servers, are usually the only update classification we install. KBxxxxxx is entirely optional and doesn’t show up in the WSUS catalog, another reason why we never caught wind of it."
Regarding item #1: "We install hotfixes if that specific problem is experienced in the environment".
Answer #1: The truth is, you probably have the issue, and just haven’t gotten to it.
- It requires a lot of time investment by using advanced tools such as Sysinternals (ProcMon/ProcExp/ProcDump/VMMAP/RAMMAP, etc…)/ETL tracing (WPRUI/WPR/Xperf), WinDbg (or DebugDiag)/Message Analyzer (or Wireshark or Netmon) and other logs.
e.g. When troubleshooting a high CPU in LSASS on a DC, we created an automated method of catching the issue while the problem was occurring.
1. We had to find all the data (13 different data sets) that we needed to collect to get to the root cause.
2. We had to translate the UI based information to a command line that would run in a batch/script (Powershell/VB).
3. We then had to test the data capture and made sure that it worked.
All of this, it took 3 days. And this is just capturing the data which is the easiest part of the troubleshooting.
or
- you are understaffed and are not able to take the time to fix the issue.
A lot of companies just end-up rebooting the system or rebuilding the system(s).
Regarding item #2: "Security and Critical patches take precedence and, in the case of servers, are usually the only update classification we install."
Answer #2: Probably the reason that your clients and servers are not 'stable'.
Recommended hotfixes and updates for Windows Server 2012 R2-based failover clusters
Recommended hotfixes and updates for Windows Server 2012-based failover clusters
Recommended hotfixes and updates for Windows Server 2008 R2 SP1 Failover Clusters
Recommended hotfixes for Windows Server 2008-based server clusters
List of currently available hotfixes for the File Services technologies in Windows Server 2012 and in Windows Server 2012 R2
List of Domain Controller Related Hotfixes Post RTM for Windows 8.1 and Windows Server 2012 R2 (Part 2)
Current Windows Server 2012 / R2 & Windows 8 / 8.1 Update Rollups
https://blogs.technet.microsoft.com/chad/2015/01/21/current-windows-server-2012-r2-windows-8-8-1-update-rollups/
Links to post SP1 hotfixes for Windows 7 Service Pack 1
https://blogs.technet.microsoft.com/yongrhee/2012/04/01/links-to-post-sp1-hotfixes-for-windows-server-2008-r2-service-pack-1/
Links to post SP1 hotfixes for Windows Server 2008 R2 Service Pack 1
https://blogs.technet.microsoft.com/yongrhee/2012/04/01/links-to-post-sp1-hotfixes-for-windows-server-2008-r2-service-pack-1/
etc...
Regarding item #3: KBxxxxxx is entirely optional and doesn’t show up in the WSUS catalog
Answer #3: Yes, and hopefully you were getting the RSS feeds regarding the newly released (non-security and security) hotfixes:
Most recent hotfixes RSS feed.
https://blogs.technet.microsoft.com/yongrhee/2013/06/27/most-recent-hotfixes-rss-feed/
For example, if there was a "Service Pack 3" for Windows 7 SP1 and Windows Server 2008 R2 SP1, would you have not installed it?
“Enterprise” Convenience Rollup Update II (2) for Windows 7 SP1 and Windows Server 2008 R2 SP1
Andrei Stoica wrote the following blog post:
Windows 7 refreshed media creation
https://blogs.technet.microsoft.com/astoica/2017/01/03/windows-7-refreshed-media-creation/
All of that lead to:
Further simplifying servicing models for Windows 7 and Windows 8.1
More on Windows 7 and Windows 8.1 servicing changes
Regarding item #4: But the KB article has the following statement:
"A supported hotfix is available from Microsoft. However, this hotfix is intended to correct only the problem that is described in this article. Apply this hotfix only to systems that are experiencing this specific problem."
Answer #4: It's a 'boiler' template. A lot of times, the same binary has been updated (superseded) multiple times.
Let me give you a real world example. A Premier customer opened a case due to their server bugchecking (a.k.a. BSOD), they got a non-security update created for them. The company was big enough and segmented enough, that their peers opened 11 more cases (yup, a total of 12 cases) with the same bugcheck and the fix was the same. So why wouldn't you have deployed it to all the server in the environment?
Q: How do I roll these fixes out?
A: Like you would have done in the past when you were doing a “Service Pack”. Target the IT folks first. Then try a few of your power users in each department in your company. Never have your C-Level executives test, unless you want to spend time working on executive escalations. And then continue with the phased deployment.
[Solution]
In Windows 10 and Windows Server 2016 and newer, that is why Windows As A Service (WaaS) is there.
You get all the "Security updates" and "Non-security update" via the cumulative rollup.
Overview of Windows as a service
/en-us/windows/deployment/update/waas-overview
Quick guide to Windows as a service
/en-us/windows/deployment/update/waas-quick-start
Q: Ok, I still have Windows 7 SP1 and Windows Server 2008 R2, 2012 and 2012 R2 based system.
A: If you are Microsoft Premier customer, there is an engagement called Proactive Operations Program (POP) - “Software Update Technical Implementation”. Please reach out to your Technical Account Manager (TAM) for more information (datasheet).
Thanks,
Yong “Working from home in the Museum district in Los Angeles, CA.”
P.S. Other “Stop hurting yourself by” posts:
Stop hurting yourself by: Disabling IPv6, why do you really do it?
https://blogs.technet.microsoft.com/yongrhee/2018/02/28/stop-hurting-yourself-by-disabling-ipv6-why-do-you-really-do-it-2/
WMI: Stop hurting yourself by using “for /f %%s in (‘dir /s /b *.mof *.mfl’) do mofcomp %%s”
https://blogs.technet.microsoft.com/yongrhee/2016/06/23/wmi-stop-hurting-yourself-by-using-for-f-s-in-dir-s-b-mof-mfl-do-mofcomp-s/