First published on TechNet on : Oct, 07 2016
UPDATE: 6/12/2018: Windows Server 2008 SP2 is moving to a rollup model. Please see this blog post for details.
UPDATE: 12/5/2016: In November 2016, the Security Monthly Quality Rollups were released as superseding the Security Only Quality updates. This resulted in an impact to customers deploying the Security Only Quality updates, using tools that cannot easily deploy superseded updates, such as System Center Configuration Manager 2007. Based on customer feedback, this supersedence has been changed in December 2016. Please review the updates below if this impacts your deployment scenarios.
As we previously announced, we are moving to a rollup model for Windows 7 SP1, Windows 8.1, Windows Server 2008 R2, Windows Server 2012, and Windows Server 2012 R2 updates. These changes will take effect with the next Update Tuesday release, on October 11.
The above versions of Windows will now follow a similar update servicing model as later Windows versions, bringing a more consistent and simplified servicing experience. For those of you who manage Windows updates within your organization, it’s important that you understand the choices that will be available.
First, let’s review what we will release each month - listed below are the three updates and their official titles:
A security only quality update
A security monthly quality rollup
A preview of the monthly quality rollup
Each month there will be separate updates released for a variety of reasons (e.g. DST time zone changes, out-of-band security fixes). Many of these will be rolled into the next monthly rollup, although some will remain separate- including Office, Flash and Silverlight updates.
The security only and monthly rollups will contain fixes for the Internet Explorer version supported for each operating system. For Windows 7, Windows 8.1, Windows Server 2008 R2, and Windows Server 2012 R2, that is Internet Explorer 11; for Windows Server 2012, that is Internet Explorer 10. The security only, monthly rollup, and preview rollup will not install or upgrade to these versions of Internet Explorer if they are not already present.
UPDATE: 1/13/2017: Starting with February 2017, the Security Only update will not include updates for Internet Explorer. Please see our January 2017 blog post for further details.
The .NET Framework will also follow the monthly rollup model with a monthly release known as the .NET Framework monthly rollup. The.NET Framework monthly rollup will deliver both security and reliability updates to all versions of the .NET Framework as a single monthly release, targeting the same timing and cadence as Windows. It is important to note that the rollup for the .NET Framework will only deliver security and quality updates to the .NET Framework versions currently installed on your machine. It will not automatically upgrade the base version of the .NET Framework that is installed. Additionally, the .NET Framework team will also release a security only update on Microsoft Update Catalog and Windows Server Update Services every month.
See https://blogs.msdn.microsoft.com/dotnet/2016/10/11/net-framework-monthly-rollups-explained/ for more information on the changes to .NET Framework updates.
Operationally, this means that you now have some choices for updating Windows 7 and Windows 8.1 PCs. These choices closely correspond to the way you update Windows today, as discussed in the following sections.
This is our recommended updating strategy, as it ensures that all fixes for Windows are deployed on the PCs that you manage. To implement this, you should deploy the monthly rollup. For those using WSUS, the following steps are recommended:
If using ConfigMgr, you can perform similar steps:
With these small adjustments, the overall update management process will be very similar to what was used previously.
For organizations that typically deploy only security fixes, you will now find that instead of approving or deploying a set of fixes each Update Tuesday, you will approve or deploy just a single update.
Since the security only update and the monthly rollup both are published using the “Security Updates” classification, existing automatic approval rules in WSUS would approve both the security only and the monthly rollup each month. The same is also true with Configuration Manager automatic deployment rules. This will require either manually approving or deploying updates each month, or in the case of Configuration Manager, adjusting existing automatic deployment rules. See the previous section for details.
Since the organization will typically be deploying only the security only fix, see the previous section for full details. In cases where there is a need to deploy one or more non-security fixes, manually approve the latest monthly rollup that contains the needed fixes. This monthly rollup will contain other fixes as well, so the entire package must be installed.
Since all the new security fixes for a given month are available in both the security only update and the monthly rollup, it’s important to understand the behavior that may been seen if you deploy both updates in the same month.
For example, assume you approve and deploy the security only update and the monthly rollup that are both released on Update Tuesday (a.k.a. “Patch Tuesday,” the second Tuesday of the month). This isn’t necessary, since the security fixes are also included in the monthly rollup, and it would generate additional network traffic since both would be downloaded to the PC. But what would happen? It depends on the installation sequence:
Depending on the management tool you are using to deploy these updates, this may be represented differently in the compliance and deployment reports provided by those tools. New Security Monthly Quality Rollups will supersede earlier Security Monthly Quality Rollups and Security Only Quality Updates.
UPDATED 12/5/2016: Starting in December 2016, monthly rollups will not supersede security only updates. The November 2016 monthly rollup will also be updated to not supersede security only updates. Installing the latest monthly rollup will ensure the PC is compliant for all security updates released in the new servicing model.
Note that installing just the security only updates may show the monthly rollup as Missing in compliance tools or reports, as the monthly rollup is also a “Security update”. If the security only updates are installed each month, the PC will have all the necessary security fixes released in the new servicing model.
As long as you install one or the other (security only update or monthly rollup), the PCs will have the needed security fixes released that month.
Every Windows update is extensively tested with our OEMs and ISVs, and by customers – all before these updates are released to the general population.
Your organization may also be interested in validating updates before they are publicly released, by participating in the Security Update Validation Program (SUVP). This program enables organizations to establish an additional early validation ring within the organization, while also providing a direct channel back to Microsoft for any issues encountered. For more information on SUVP, see this blog post; and contact your Technical Account Manager or Microsoft account team to discuss this further.
To minimize the potential impact on an organization, we recommend that you always have a “ringed” deployment approach for all updates, starting with the IT organization, expanding to one or more pilot groups, followed by one or more broad deployment groups. Allow sufficient time between rings for users to report any issues that they might see.
If any issues are encountered, we recommend stopping or pausing deployment of the update and contacting Microsoft Support as soon as possible. Based on our analysis of the issue, we may recommend different courses of action, such as:
The specific action is determined on a case-by-case basis, and could be different for each customer based on the specific impact to the organization. Regardless of the action, be assured that any issues with an update are considered top priority and that we will work hard to resolve these as quickly as possible.
While express installation files can help greatly reduce the amount of content needed to patch each PC, it is still useful to implement peer-to-peer sharing technologies like BranchCache or Delivery Optimization to reduce the overall impact on the network by allowing PCs to obtain the updates they need from other PCs on the network that have already obtained them from WSUS or ConfigMgr.
You can deploy BranchCache by enabling the feature on each WSUS or ConfigMgr server, then configuring the client PCs using Group Policy to use a distributed cache. See https://technet.microsoft.com/en-us/itpro/windows/manage/waas-branchcache for more information. While the full BranchCache functionality is only available in the Windows Enterprise SKU, BITS support (all that’s needed for caching updates) is also available in the Windows Pro SKU. See https://technet.microsoft.com/en-us/library/mt613461.aspx#bkmk_os for more information.
These changes will further simplify your updating of Windows 7 SP1, Windows 8.1, Windows Server 2008 R2, Windows Server 2012, and Windows Server 2012 R2 computers, while also improving scanning and installation times and providing flexibility depending on how you typically manage Windows updates today.
To learn more about the security and non-security updates for these versions, check out the Update History pages below: