Home
Microsoft

Windows 10 update servicing cadence

I’ve heard from many of you that you’d like a primer on our monthly Windows 10 quality update servicing cadence and terminology. In response, I’d like to share our guiding principles, then dive into them further to provide context for the quality updates themselves.

Guiding principles

We use the following principles for the monthly Windows servicing process:

  • Be simple and predictable. IT managers should be able to plan for a simple, regular and consistent patching cadence. You shouldn’t need to stop what you’re doing to test and deploy an update. You should be able to plan a time, well in advance, to work on new updates. You also shouldn’t have to memorize multiple release schedules; the Windows release cadence should align with that of other Microsoft products.
  • Be agile. In today’s security landscape, we must be able to respond to threats quickly when required. We should also provide you with updates quickly without compromising quality or compatibility.
  • Be transparent. To simplify the deployment of Windows 10 in large enterprises or small businesses, you should have access to as much information as you need, and you should be able to understand and prepare for updates in advance. This includes guides for common servicing tools, simple release notes, and access to assistance or a feedback system to provide input.

Monthly quality updates

Next, I’d like to offer a quick summary of our monthly quality update types:

  • At times referred to as our “B” release, Update Tuesday (most often referred to as Patch Tuesday) updates are published the second Tuesday of each month. These updates are the primary and most important of all the monthly update events and are the only regular releases that include new security fixes.
  • An out-of-band release is any update that does not follow the standard release schedule. These are reserved for situations where devices must be updated immediately either to fix security vulnerabilities or to solve a quality issues impacting many devices.
  • The “C” and “D” releases occur the third and fourth weeks of the month, respectively. These preview releases contain only non-security updates, and are intended to provide visibility and testing of the planned non-security fixes targeted for the next month’s Update Tuesday release. These updates are then shipped as part of the following month’s “B” or Update Tuesday release.

Now let’s align our principles to our monthly quality update releases.

Be simple and predictable

Across Microsoft, we have aligned on releasing updates on the second Tuesday of every month. It is the common, shared release date for Windows updates and for other products like Office. This consistent approach gives you the ability to simplify planning, testing, and deploying in advance.

For Windows, Update Tuesday is the most important monthly service event. This quality update does not include new features; instead, it serves to enhance system stability and security. We develop and test these updates quickly to minimize the impact of a vulnerability should one be made public, and they should be installed as soon as possible once released.  

As an IT professional, you should have an established process and plan to ingest Update Tuesday releases each month.

Be agile 

As much as we try to simplify and standardize our release cadence, there will always be situations that require agility, and an out-of-band update is necessary. As mentioned earlier, out-of-band updates are reserved for security vulnerabilities in active exploit or significant quality issues that must be fixed before the next B, C or D release.

Out-of-band updates may similarly require an out-of-band effort from IT pros to test and deploy them. While you should keep an eye out for out-of-band updates, they are rare and we have set a high threshold for releasing them.

Be transparent

Due to the sensitive nature of security fixes, Update Tuesday releases must be coordinated internally between our product teams and tested externally with our partners. Non-security releases do not have this limitation so, for the latest version of Windows 10, we typically release the majority of non-security updates the fourth week of every month, two weeks after the last Update Tuesday and two weeks before the next, in a “D” release.

During the two-week period between the initial release of a D release and our active push to install them on devices, you can test the updates included in the release and provide feedback, reducing the amount of testing necessary following Update Tuesday and, thereby, improving our ability to solve issues before they even happen. 

For older versions of Windows 10 (as well as supported versions of Windows 7 and Windows 8.1), we sometimes release updates during the third week with a “C” release to provide you with extra time to test your legacy systems. In addition, as a new feature release draws near, we shift the current release to the “C” week, since there are fewer fixes and improvements necessary on the current version. Having just a few updates to test on the “C” week and none on the “D” week gives you the chance to concentrate on other responsibilities and frees up time for when the next semi-annual update arrives.

In most cases, “C” and “D” releases do not need be deployed to your broader device ecosystem. Instead, you can use these releases to identify any issues that could impact your next “B” deployment and provide feedback. This helps you get a head start on testing and understanding the potential impact of updates and gives you a chance to provide suggestions before those updates are officially released, providing a smoother and more tailored experience when the “B” release comes around.

The history of Update (aka Patch) Tuesday

Before I conclude this post, I wanted to provide a brief look back at the origins of our second Tuesday release schedule. “Patch Tuesday” was formalized in October 2003 after years of updates shipping whenever they were ready, a method called “ship-when-ready.” While this allowed fixes to go out almost immediately, it was a burden on IT pros, who were forced to start their workdays not knowing whether they would have to test and deploy an update. It was also a challenge for users, who sometimes had to reboot their computers multiple times a month to apply new updates, rather than just one reboot to apply a cumulative update, the process we use today.

We chose the second Tuesday at 10:00 a.m. Pacific time for two reasons:

  • To provide you with a day (Monday) to deal with any other issues you need to work through from the previous week.
  • To give you plenty of time to test the updates and deploy them to devices, then respond to any issues that may arise during the rest of the week.

Microsoft also spends the rest of the week watching for feedback and issues identified by businesses and consumers so we can begin preparing fixes immediately if necessary. 

In addition to giving us time to respond to user feedback, the Update Tuesday schedule has enabled us to employ artificial intelligence in our deployment process. As John Cable noted back in June, “We continuously collect update experience data and retrain our models to learn which devices will have a positive update experience, and where we may need to wait until we have higher confidence in a great experience. Our overall rollout objective is for a safe and reliable update, which means we only go as fast as is safe.” This careful, strategic approach ensures that devices will be updated quickly and without any problems, even if we don’t have those specific devices available to test on, so that users can enjoy a seamless update experience. 

Learn more

I hope this provides helpful insight into the rhythm of Windows quality updates and how they align to our servicing principles. For an overview of our monthly update process in just three minutes, check out this video:

If you’re interested in learning more about release channels, or would like to see how you can use tools like System Center Configuration Manager , Windows Server Update Services (WSUS), or Windows Update for Business to manage updates, see the Quick guide to Windows as a service. To learn more about Windows as a service, check out the Windows as a service page on the Windows IT Pro Center.

15 Comments
Regular Contributor

Installing latest CU update in theory is what is needed. But in practice (as i have mentioned on another blog post) sometimes it for some reason pulls older CU from WSUS, then can't see the newest one until you wipe SoftDist folder and then installs the latest.

 

We have a practice here to only watch for Security and Critical updates in WSUS. Not sure if C and D still apply. But out of band updates were rare maybe 5 years ago. Now it is very common. I would say i see something not on Patch Tuesday every month. Office updates (2010-2013) usually appear during 1st week (more come on regular schedule) and then i see some more updates on 3-4 week of a month (for Windows). As they are marked as Security or Critical, i can't ignore them and have to approve. We don't do testing for 15+ years now as we didn't have issues with updates to warrant that. But i still have to check/apply/file the change in our system/etc. Would like to see most updates on the actual Patch Tuesday. Why Office updates are released earlier?

Frequent Visitor

Could you check the link for Quick guide to Windows as a service? I get the message An invalid set of parameters has been specified in the url. Thanks

Contributor

The month of July was a study in NOT being simple.  The cumulative updates were not cumulative.  Also in the last several months the release of the C and D patches have been very inconsistent.  Sometimes we've had them released on Tuesday, other times it's been Wednesdays or Thursdays.   We've also had some Windows 10 fixes released on the A week.

 

Consistency and release dates and times have not been simple in the era of Windows 10.

Contributor

To Oleg - Office releases two sets of updates - non security is released on the first Tuesday, security on the second.  Starting with Office 2019 we will all be on click to run and you won't see individual updates.  Office does their own patching cadence slightly differently than windows.

Bottom line this too shall pass.

Regular Contributor

Well, we only sync security and critical, so maybe first week Office updates are classified as critical (don't remember from the top of my head) and i can't ignore critical updates. But we have only a few users with standalone Office (Visio only), so impact is small and should be even less when we move to Visio Online.

 

Btw, Susan, i have read your open letter to Microsoft on Computerworld. Good points ;)

New Contributor

I think we're less interesting in hearing a rehash of terms, and more interested in when the quality of updates will be addressed. Specifically, when will the Open Letter get response?  https://www.computerworld.com/article/3293440/microsoft-windows/an-open-letter-to-microsoft-manageme...

New Contributor

Sorry to say but for 1703 the only patch detected was the Patchday patch. The following CUs were not relesed to WSUS so how would I test them?

I was really surprised to learn that all other 1703 CUs are NOT APPLICABLE (manual import to WSUS 2016 with PowerShell) but installing by hand works.

For me it feels like all Windows 10 people making the updates are in over their heads and no one is getting the complete picture or at least does know how to get back on track.

Regular Visitor

Wasn't aware, that MS also ships C and D 'cumulative' updates for Windows 10 ...

 

And I didn't noticed, that MS tries to ship W10 updates on C and D week, to 'test' that stuff before it's shipped on the next months patchday. So all Windows 10 systems without updates deferred will autoinstall (aka: Win 10 Home users are guinea pigs, or is this group doesn't get C and D updates?). 

Reading the first part of the above article, I thought 'Ok, they intend to keep things simple', but now I'm just confused - and my impression is, that things are getting more complicated. Admins need to decide between security and non security updates, between C and D updates (for test purposes) and also, whether they are patching old Windows or the most recent build. You think that's simple? 

 

Just another thing: I mentioned the above article within my blog and got a comment from an admin/consultant:

 

What John Wilcox from Microsoft writes is not (yet) true. I’m not aware that Microsoft would have rolled out C and D updates but Out of Band because of fixes for fixes.

If they introduce preview updates *** I’m out, because these ruin the possibility of automatic approval in WSUS even before Windows 10 / 2016 because they do not belong to a separate category.

 

I'm not an expert in WSUS - but I received a similar 2nd comment within my German blog. What's with that topic? 


Community Manager

@Cordell Melin - thanks for the note. We've fixed the broken link for the Quick guide to Windows as a service in the post.

Contributor

So take the month of July.  July Windows 10 updates had a release on the B week - second Tuesday, then a fix to a bsod released on the 16th, then even older Windows 10 releases had a release on the D week even though this blog post says older Windows 10 releases will probably get them on the C week.  I'm still confused as to when we should expect updates so that I'm crystal clear as to what is an out of band and what is a C or D release?

 

Also be aware that until this blog post --to the best of my knowledge - this is the first time it has been acknowledged that these additional C and D releases will be now normal for all Windows 10.  Prior to this, for example 1703 late 2017, we only received one release a month, not two.  If any future changes are made, can this be announced ahead of time not stated after the fact?

Occasional Visitor

It really doesn't seem like you're listening. Windows Update is intrusive, opaque, and uncontrollable. WaaS is a nightmare for OEMs and IT administrators -- not to mention end users!

 

And WSUS is a confusing hot mess straight out of the early 2000s. I've had a ticket open with the MS Windows OEM team for 3 months, they're still trying to figure out how to get  WSUS to update the embedded Windows appliance we make -- a direction we took after the May Windows cumulative update turned our appliances into expensive bricks:
https://answers.microsoft.com/en-us/windows/forum/windows_10-windows_install/devices-with-certain-in...

 

Instead of defending the state Windows is in, you should be acknowledging the problem, and engaging the community transparently on how to fix it. Susan Bradley articulated what your entire user base is experiencing. Brushing that off is a mistake.

Contributor

Last night July microcode updates were expired off of WSUS and I'm getting reports that the August updates are bricking machines - even surface devices, and possibly being offered up and installed on machines where the chip set doesn't match.  Please be transparent on this issue?

Occasional Visitor

It would be great if you could sink some time into improving Windows to the point where it can update without rebooting.

 

I've got fully patched linux boxes which can upgrtade their kernerl without a reboot, some with uptime measured in years. My Windows machines struggle to make it a month,

Contributor

Would it be possible to add the naming "Preview" to these D week releases so that there is consistency between the Windows 7 update naming and Windows 10 for these D week releases?

Occasional Visitor

I have really just got into using Windows 10 and Server 2016 and managing updates on these products (having spent over 20 years in the industry managing Windows versions). I am currently horrified on how updates are installed and the failure rate I get in comparison to that rate I used to get with Windows 7 and server 2008. I have managed 'large estates of Win 7 (1000+) machines and 2-300 servers where the success rate of patching was in the 95%+ range, and patches just installed just one after another. I currently only manage 10 servers, 9 of which are 2016, one server will not patch, (it did initially), the only thing I haven't tried on this server is to do an install repair which is my next step,  1 of the other 9 hangs on the restart after patching, I have to switch it off and start it up, and 2 of the other servers will not automatically restart (all controlled by WSUS), all virtuals running on HyperV.

Whenever I get new PCs to configure, the first thing I do is to patch them, before I load any other software, we are not big enough to have open or select license agreements, so dont have images etc built and current.. This usually takes a good day of installing, restarting, retrying and fixing any issues before I have a system I can start to install and configure for our users. New PCs will try and install feature updates prior to any security patches, cumulative updates are generally enormous, I dont know how Microsoft could have made patching this bad.