Changes to Software Updates on Down Level Operating Systems for ConfigMgr Admins
Back in May, Microsoft started on a journey of simplifying and improving servicing for Operating Systems prior to Windows 10. These changes apply to Windows 7 SP1, Windows 8.1, Windows Server 2012 and Windows Server 2012 R2.
- More on Windows 7 and Windows 8.1 servicing changes
- A Bit About the Windows Servicing Model
- Configuration Manager and Simplified Windows Servicing on Down Level Operating Systems
- Simplified servicing for Windows 7 and Windows 8.1: the latest improvements (Jan 2017)
Since the original announcement in May up until now, Microsoft has released individual security updates and a monthly rollup pack with non-security updates. Individual security updates allowed organisations to apply only security updates that they believed were applicable based on internal processes. In reality, most organisations applied all security updates to meet compliance requirements.
From Patch Tuesday in October 2016, there will be 3 update types released for each Windows version and architecture. The updates are described in the table below:
| Update Type | Description | Release Time | Classification | Windows Update | WSUS | Windows Update Catalog |
|---|---|---|---|---|---|---|
| Monthly Rollup | Includes security fixes, reliability fixes, bug fixes, etc. Supersedes and includes all updates provided previously. | 2nd Tuesday | Security | Required | Yes | Yes |
| Security only | Security fixes released this month | 2nd Tuesday | Security | No | Yes | Yes |
| Monthly Rollup Preview | Includes all previous security updates, and new reliability fixes, bug fixes, etc. Does not include new security fixes on top of the Monthly Rollup. | 3rd Tuesday | Updates | Optional | Yes | Yes |
Graphically, this is how updates are changing (a lock is a security fix and a settings cog is a reliability or bug fix).
The updates will have names of the format:
| Update Type | Name Format | Example |
|---|---|---|
| Monthly Rollup | [Month, Year] Security Monthly Quality Rollup for [OS] [architecture] (KB #) | October, 2016 Security Monthly Quality Rollup for Windows Server 2012 R2 (KB3185331) |
| Security Only | [Month, Year] Security Only Quality Update for [OS] [architecture] (KB #) | October, 2016 Security Only Quality Update for Windows Server 2012 R2 (KB3192392) |
| Monthly Rollup Preview | [Month, Year] Preview of Monthly Quality Rollup for [OS] [architecture] (KB #) | |
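The name formats in the table above can be matched mechanically, which helps when checking which update type a title-based filter would pick up. The PowerShell below is an added example, not code from the original post or from Microsoft; the function name `Get-QualityUpdateInfo` is hypothetical, and the Preview and non-matching sample titles (with `KB0000000`) are constructed placeholders.

```powershell
# Added example: classify update titles using the name formats in the table above.
# Get-QualityUpdateInfo is a hypothetical name, not a ConfigMgr or WSUS cmdlet.

# Per-type facts taken from the update type table earlier in the post.
$QualityUpdateKinds = @{
    'Security Monthly Quality Rollup'   = @{ Type = 'Monthly Rollup';         Classification = 'Security'; NewSecurityFixes = $true }
    'Security Only Quality Update'      = @{ Type = 'Security Only';          Classification = 'Security'; NewSecurityFixes = $true }
    'Preview of Monthly Quality Rollup' = @{ Type = 'Monthly Rollup Preview'; Classification = 'Updates';  NewSecurityFixes = $false }
}

# Format: [Month, Year] <kind> for [OS] [architecture] (KB #)
$QualityUpdatePattern = '^(?<Month>[A-Za-z]+), (?<Year>\d{4}) ' +
    '(?<Kind>Security Monthly Quality Rollup|Security Only Quality Update|Preview of Monthly Quality Rollup) ' +
    'for (?<Target>.+) \((?<KB>KB\d+)\)$'

function Get-QualityUpdateInfo {
    param(
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)]
        [string]$Title
    )
    process {
        # Titles outside the three formats are reported as such, never guessed at.
        $info = [ordered]@{ Title = $Title; Type = 'Unrecognised'; Classification = $null
                            NewSecurityFixes = $null; Release = $null; Target = $null; KB = $null }
        if ($Title.Trim() -match $QualityUpdatePattern) {
            $kind = $QualityUpdateKinds[$Matches['Kind']]
            $info.Type             = $kind.Type
            $info.Classification   = $kind.Classification
            $info.NewSecurityFixes = $kind.NewSecurityFixes
            $info.Release          = '{0} {1}' -f $Matches['Month'], $Matches['Year']
            $info.Target           = $Matches['Target']   # [OS] [architecture]
            $info.KB               = $Matches['KB']
        }
        [pscustomobject]$info
    }
}

# Sample titles: the first two are the examples from the table; the last two are
# constructed, and KB0000000 is a placeholder rather than a real KB number.
$titles = @(
    'October, 2016 Security Monthly Quality Rollup for Windows Server 2012 R2 (KB3185331)'
    'October, 2016 Security Only Quality Update for Windows Server 2012 R2 (KB3192392)'
    'October, 2016 Preview of Monthly Quality Rollup for Windows Server 2012 R2 (KB0000000)'
    'Constructed title that follows none of the three formats (KB0000000)'
)

$titles | Get-QualityUpdateInfo |
    Format-Table Type, Classification, NewSecurityFixes, Release, Target, KB -AutoSize
```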
What does this mean for you as a Configuration Manager admin?
There are no updates required for Configuration Manager or WSUS. For organisations or groups within organisations that only want to apply security updates, security-only updates can continue to be applied. As before, if the update causes a problem, the update can be removed until the issue is resolved. If the issue is related to the fix itself, a case should be logged with Microsoft.
The Configuration Manager and Simplified Windows Servicing on Down Level Operating Systems post on the Enterprise Mobility + Security blog gives a great explanation of how to modify ADRs to cater for the new update format.
What does the future hold? (Other than consistently patched Windows devices everywhere)
Over the next 18 months, Microsoft will continue to evaluate previous security and non-security updates and include them in the monthly hotfixes. Any update added to the rollups will be documented in the corresponding KB article.
While this all sounds very scary, it's actually really great. Simplifying servicing is a win for everyone: less complexity, fewer updates, and faster installation and Operating System build times.