Simplified servicing for Windows 7 and Windows 8.1: the latest improvements

First published on TechNet on : Jan, 13 2017

Today, we are providing insight into two recent and upcoming modifications to the servicing model for Windows 7 SP1, Windows 8.1, Windows Server 2008 R2, Windows Server 2012, and Windows Server 2012 R2. Customers using Windows Update and connected directly to Microsoft for updates (such as consumer PCs) will not be impacted by these changes, while enterprise customers using update management tools can benefit from these improvements.

Beginning in October 2016, updates for these versions of Windows have been released using a rollup model. Below is a quick summary of the updates available in this new model:

• Security Monthly Quality Update (aka the Monthly Rollup) - New fixes are rolled into a single update, which includes both security and reliability fixes, as well as all fixes from previous rollups. Each new Monthly Rollup will supersede the previous, so installing the latest Monthly Rollup will ensure you have all fixes since the start of the model in October 2016. For example, the December 2016 Monthly Rollup contained all the fixes in the October and November Monthly Rollups.
• Preview of Monthly Quality Rollup (aka the Preview Rollup) - New reliability fixes are first released in an optional Preview Rollup that enables early deployment of the new reliability fixes before they are included in the next Monthly Rollup.
• Security Only Quality Update (aka the Security Only update) - In an alternative option released to WSUS and Microsoft Update Catalog only, new security fixes are also provided in a single Security Only update, which rolls all the security patches for that month into a single update. The Security Only update does not contain fixes from previous months, and allows enterprises to download as small of an update as possible to remain secure.

For more information on these updates, and deployment scenarios, see our previous blog post.

For the last four months this new servicing approach has provided customers on Windows 7, Windows 8.1, Windows Server 2008, Windows Server 2012 and Windows Server 2012 with a consistent model for staying current and secure. When there have been new fixes, a Monthly Rollup and a Security Only update have been released on Update Tuesday, and a Preview Rollup on the following Tuesday*.

In this time, we have also been listening to you, our customers, for opportunities to fine tune the model and further simplify the update deployment scenarios. We are happy to announce the following changes:

Deploying both the Security Only update and Monthly Rollup

Both the Monthly Rollups and Security Only updates are available on WSUS and the Microsoft Update Catalog, and both are published with the “Security updates” classification, enabling enterprise customers using WSUS or other update management tools to sync and deploy both updates, depending on their settings. To further simply installation and deployment in this scenario, the servicing model was updated in December 2016 to better handle the Security Only update installation applicability.

As of December 2016, a Security Only update will not be offered on a PC where a Monthly Rollup (from the same or later month) is already installed . This is accomplished through an applicability definition on the Security Only update, which checks for the installation of a Monthly Rollup (from the same or later month) to determine if it applicable on the PC. For example, if a PC attempts to install the February 2017 Security Only update, and the February 2017 (or later) Monthly Rollup is already installed, the Windows Update client will now report the Security Only update as not applicable. In addition to simplifying the installation scenario, tools that leverage such applicability for deployment reporting would see the Security Only update as not needed on the PC.

Additionally, as of December 2016, Security Only updates from earlier months (October and November 2016) were revised to leverage this applicability check, so it now applies to all Security Only updates released in the new servicing model. Finally, this applicability definition also checks for the installation of a Preview Rollup from the same or later month, which also includes the security fixes for that month.

See our earlier servicing model post for more information on update strategy choices and expected behaviors when deploying both updates.

Reducing the package size of the Security Only update

The Security Only update contains new security fixes for the Windows operating system, which includes Internet Explorer. Before October 2016, updates for the latest supported version of Internet Explorer (IE11 for Windows 7 SP1, Windows 8.1, Windows Server 2008 R2 and Windows Server 2012 R2; IE10 for Windows Server 2012) were provided in a separate monthly update. From October 2016 to January 2017 we included any Internet Explorer fixes for that month in the Security Only update to allow you to also remain secure for the latest supported Internet Explorer version for your operating system, all by installing the single Security Only update.

This inclusion enabled a simplified update installation process, though the Internet Explorer updates constituted a significant percentage of the total Security Only update package size. Given that package size is one of the primary reasons some enterprise customers choose to leverage the Security Only update (to optimize for smaller download in limited bandwidth scenarios), these customers have requested increased flexibility for deploying the Security Only updates for Windows independently of the fixes for Internet Explorer. Starting with February 2017, the Security Only update will not include updates for Internet Explorer , and the Internet Explorer update will again be available as a separate update for the operating systems listed above. With this separation, the Security Only update package size will be significantly reduced , but you will need to deploy and install the Internet Explorer update to remain secure for the latest supported version of the browser. [Note that the Internet Explorer update will not install or upgrade to the latest supported version of Internet Explorer if not already present.]

The Monthly Rollup will continue to include updates for Internet Explorer, as a single additive update that provides all security and reliability fixes since the beginning of the new servicing model in October 2016. Users of the Monthly Rollup will not need to install the separate Internet Explorer update . To simplify installation for Monthly Rollup users, the new Internet Explorer update will leverage the same installation applicability definition as the Security Only update (explained above), meaning that it will not install on a PC that has already installed the Monthly Rollup (or Preview Rollup) from the same or later month.

The following table highlights the inclusion and applicability for these updates.

With these two modifications for the Security Only updates (installation applicability and the standalone Internet Explorer update), enterprise customers using update management tools such as WSUS or System Center Configuration Manager will now have increased flexibility and simplicity in their deployments. Additionally, Windows Update users will continue to stay up-to-date through the Monthly Rollups. We are committed to listening to our customers, and are excited to provide these two improvements early in this new model to continue simplifying Windows servicing.

We will continue to gather and incorporate your feedback for additional opportunities to simplify servicing, and will communicate any forthcoming changes in advance to help you plan and leverage these improvements.

* Note:  Months with no new Windows security or reliability fixes will not have a Security Only or Monthly Rollup release; for example, January 2017 for Windows 8.1, Windows Server 2012 and 2012 R2. Similarly, months with no new reliability fixes to preview will not have a Preview Rollup; December 2016 and January 2017, for example.