Microsoft’s New Patch Strategy

Starting yesterday (October 11), Microsoft began rolling out a new way to patch Windows 7, Windows 8.1, Server 2008 R2, Server 2012, and Server 2012 R2 systems. Instead of releasing a pile of individual updates, they will push out monthly rollups, each of which includes all the fixes from the previous monthly rollups. Microsoft apparently feels that too many systems are left vulnerable because people choose not to install specific patches, so, for consumers in particular, you will no longer be able to consume updates granularly.

Here’s the scoop on how this will work, taken from the Technet blog at https://blogs.technet.microsoft.com/windowsitpro/2016/10/07/more-on-windows-7-and-windows-8-1-servicing-changes/:

A security-only “quality update” will be released each month on the second Tuesday of the month (commonly known as “Patch Tuesday,” or, in Microsoft-speak, as “B week”). This will be a single update that contains all the new security fixes for that month, and nothing else. It will be pushed only to Windows Server Update Services (WSUS), where it can be consumed by other tools such as System Center Configuration Manager; it is not offered through Windows Update. It will show up in WSUS with the “Security Updates” classification, with the severity set to that of the most severe component in the update.

A security monthly “quality rollup” will also be released on Patch Tuesday, which will contain all of the security fixes in the security-only update as well as the fixes from all previous monthly rollups. It will be pushed to WSUS, to the Windows Update Catalog, and to Windows Update, where all consumer PCs will pick it up for installation. Again, it will show up in WSUS with the “Security Updates” classification, with the severity set to that of the most severe component in the update, so the classification alone won’t tell the two apart; the title will. If you’re using WSUS to distribute updates to your users, you can enable “express installation files,” which will ensure that client PCs only download the pieces of a particular monthly rollup that they haven’t already installed (at the cost of more download and storage on the WSUS server itself). If you’re picking up the rollup with Configuration Manager and pushing it on out that way, you don’t currently have that option – your clients will get the full rollup.

On the third Tuesday of the month (“C week”), Microsoft will release a rollup consisting of a preview of the new non-security fixes that will be included in the next monthly rollup, as well as everything from all previous monthly rollups. This will be published to WSUS as an optional update, as well as being made available via Windows Update and on the Windows Update catalog. This is so you can get a head start on testing the rollup before it’s released for real on the next Patch Tuesday – something that many enterprise shops will do, but probably next to zero consumers will do. Beginning early next year, and “continuing for several months,” Microsoft will start adding older fixes to the preview update. Eventually it will become “fully cumulative,” and installing the latest monthly rollup will ensure that your PC is completely up to date.

The bottom line is that if you’re an enterprise organization that uses WSUS and/or Configuration Manager to distribute updates to your users, you still have some control over how things get rolled out. You can choose to deploy the security-only update, but you’ll get the whole thing – you won’t get to pick and choose between the fixes included in the update. If you discover that you need a non-security fix, you’ll have to install the monthly rollup that includes that fix – again, you don’t get just the fix you want, you get the entire monthly rollup, whether you want it or not. Or, you can do what Microsoft recommends, and install the monthly rollup each month as it is released.

But, you ask, what if an update causes a problem? Well, first of all, Microsoft recommends that you use a “ringed” approach to deploying updates, where you deploy first within the IT organization (which presumably is better able to cope with machines that are no longer working properly), and then expand to one or two pilot groups before rolling the updates out to everyone. Of course, the longer you wait, the more vulnerable your users are to whatever exploits the security fixes are designed to patch, so, like so many other things in IT, designing a rollout strategy is as much an art as it is a science. Microsoft also has a Security Update Validation Program, which allows an organization to get even earlier access to the updates and help Microsoft test them. More information on this program is available at https://msdn.microsoft.com/en-us/gg309155.aspx.
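To make the ringed approach concrete, here is a PowerShell script you could schedule on a WSUS server. It is an added illustration, not something from the Technet post or from Microsoft: it turns on express installation files, picks out the current month’s monthly rollup by title (the security-only update carries the same “Security Updates” classification, so the title is what distinguishes them), and approves it to one deployment ring per run, promoting to the next ring only when the previous ring reports no failures and enough successful installs. The target group names (“Ring0-IT”, “Ring1-Pilot”, “Ring2-All”), the 90% success bar, and the title pattern are all assumptions you would adjust to your own WSUS setup.

```powershell
<#
  Added example (not from the Technet post): stage this month's monthly rollup through
  WSUS deployment rings. Assumes the UpdateServices module on the WSUS server
  (Windows Server 2012 or later) and computer target groups you created yourself with
  the names below. Re-run after each soak period; it advances at most one ring per run.
#>
Import-Module UpdateServices

$wsus            = Get-WsusServer                       # local server; add -Name/-PortNumber/-UseSsl for a remote one
$rings           = 'Ring0-IT', 'Ring1-Pilot', 'Ring2-All'   # assumed group names, IT first
$minInstalledPct = 90                                    # assumed success bar before promoting to the next ring

# Express installation files: WSUS clients fetch only the pieces of the rollup they lack.
# (WSUS-only; Configuration Manager clients still get the whole package.)
$config = $wsus.GetConfiguration()
if (-not $config.DownloadExpressPackages) {
    $config.DownloadExpressPackages = $true
    $config.Save()
}

# Both the security-only update and the monthly rollup are classified "Security Updates",
# so filter on the title. Swap the pattern for 'Security Only Quality Update' to stage that one instead.
$titlePattern = 'Security Monthly Quality Rollup'

$rollups = Get-WsusUpdate -Classification Security -Approval AnyExceptDeclined -Status Any |
    Where-Object { $_.Update.Title -match $titlePattern }

$groups = @{}
foreach ($g in $wsus.GetComputerTargetGroups()) { $groups[$g.Name] = $g }

function Test-RingReady {
    # True when every machine in the ring has reported, none failed, and enough have installed.
    param($Update, $Group, [int]$MinPct)
    $s = $Update.GetSummaryForComputerTargetGroup($Group)
    $targeted = $s.InstalledCount + $s.InstalledPendingRebootCount + $s.NotInstalledCount +
                $s.DownloadedCount + $s.FailedCount + $s.UnknownCount
    if ($targeted -eq 0 -or $s.FailedCount -gt 0 -or $s.UnknownCount -gt 0) { return $false }
    $pct = 100 * ($s.InstalledCount + $s.InstalledPendingRebootCount) / $targeted
    return ($pct -ge $MinPct)
}

foreach ($r in $rollups) {
    $u = $r.Update
    for ($i = 0; $i -lt $rings.Count; $i++) {
        $group = $groups[$rings[$i]]
        if (-not $group) { Write-Warning "Target group '$($rings[$i])' not found"; break }

        # Already approved for this ring? Then this ring is soaking; look at the next one.
        $approved = $u.GetUpdateApprovals($group) | Where-Object { $_.Action -eq 'Install' }
        if ($approved) { continue }

        # Gate: the previous ring must be clean before this ring gets the update.
        if ($i -gt 0 -and -not (Test-RingReady -Update $u -Group $groups[$rings[$i - 1]] -MinPct $minInstalledPct)) {
            Write-Host "$($u.Title): holding at $($rings[$i - 1]) (not yet clean)"
            break
        }

        Write-Host "$($u.Title): approving for $($rings[$i])"
        Approve-WsusUpdate -Update $r -Action Install -TargetGroupName $rings[$i]
        break    # one ring per run; the soak period is however often you schedule this
    }
}
```

The gate is deliberately conservative: a ring with machines that have not reported at all (UnknownCount) holds the promotion, because “no failures” is meaningless if half the ring has not checked in yet. How long each ring soaks is the art-versus-science judgement the post mentions; a daily schedule with the IT ring going first on Patch Tuesday is a common starting point.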

If you’re a consumer, good luck. You’re going to get the monthly rollup, and there’s not a whole lot you can do about it. The good news is that Windows will typically create a restore point before the installation of an update begins, so you probably have the ability to roll your system back to that restore point, provided System Protection is turned on for your system drive. Failing that, the rollup itself shows up under Programs and Features > View installed updates, where it can be uninstalled like any other update.
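If you would rather not count on “typically,” the following PowerShell (an added example, not from the post) checks a Windows 7 or 8.1 PC before and after a rollup: it makes sure System Protection is enabled, takes a restore point of its own, verifies that one was actually created (Windows 8 and later throttle restore point creation, by default to one per 24 hours, so a request can silently be skipped), and then confirms whether a given rollup KB is installed. The KB number is a parameter you supply from the month’s release notes; nothing here is specific to October’s update.

```powershell
<#
  Added example (not from the post): verify a fallback exists before a monthly rollup
  installs, and confirm afterwards which rollup landed. Run from an elevated PowerShell
  prompt on Windows 7 / 8.1. -Kb is the rollup's KB number from Microsoft's release notes.
#>
param(
    [Parameter(Mandatory)][string]$Kb,               # e.g. 'KB1234567' (placeholder; use the real number)
    [string]$Drive = "$env:SystemDrive\"
)

# 1. Restore points need System Protection on for the system drive; this is a no-op if it already is.
Enable-ComputerRestore -Drive $Drive

# 2. Take our own restore point and confirm it was really created. Windows 8 and later refuse a
#    new point if one was made in the last 24 hours (by default), so check rather than assume.
$before = Get-ComputerRestorePoint | Sort-Object SequenceNumber | Select-Object -Last 1
Checkpoint-Computer -Description "Before $Kb rollup" -RestorePointType MODIFY_SETTINGS
$after  = Get-ComputerRestorePoint | Sort-Object SequenceNumber | Select-Object -Last 1

if ($after -and $before -and $after.SequenceNumber -eq $before.SequenceNumber) {
    Write-Warning ("No new restore point was created (throttled?). Most recent is #{0} '{1}'." -f
        $after.SequenceNumber, $after.Description)
} elseif ($after) {
    Write-Host "Restore point #$($after.SequenceNumber) '$($after.Description)' is available."
}

# 3. Did the rollup land? Get-HotFix reads the same data as 'View installed updates'.
$hotfix = Get-HotFix -Id $Kb -ErrorAction SilentlyContinue
if ($hotfix) {
    Write-Host "$Kb is installed (on $($hotfix.InstalledOn))."
} else {
    Write-Host "$Kb is not installed."
}

# To roll back to the point taken above (this reboots the machine):
#   Restore-Computer -RestorePoint $after.SequenceNumber
```

Run it once before Patch Tuesday’s rollup arrives and once after; if the first run warns that no restore point was created, you know in advance that the installer’s own checkpoint may not be there to fall back on either, and you can uninstall the rollup from View installed updates instead.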
