Classifying Windows updates in common deployment tools
Published Feb 05 2019 10:34 AM 13K Views

If you utilize automated update deployment tools, such as Windows Server Update Services (WSUS) or System Center Configuration Manager, you likely use automatic rules to streamline the approval and deployment of Windows updates. Using the correct update classification is, therefore, an important component of your organization’s device update process. For some industries, it can even be a requirement as, if properly configured, it will ensure that devices across your environment receive the most current update available.

Some Windows enterprise-level customers opt to take only security updates (aka the “B” release, or “Patch Tuesday”) to reduce the impact to their network, their personnel, and their devices. To accomplish this, they configure automatic rules to deliver only updates with a classification of “Security Update.”

But what if there is an issue with the security update itself? When this occurs, depending on the severity, we (the Windows Servicing & Delivery group) may choose to mitigate the issue through an additional security update or an out-of-band release—or we may choose to resolve the issue in the following month’s security update.

Unlike regularly scheduled monthly security updates, non-security and out-of-band updates are classified simply as “Update” in both WSUS and Configuration Manager. That means, if you are using auto-update rules set to receive updates classified as “Security Update” only, you will not receive a more recent update should one be produced and, thus, will miss the earliest opportunity to acquire a necessary fix for their environment.

So, what options are available for WSUS and Configuration Manager customers?

  1. You can opt to configure your automatic rules to include updates classified as “Update” temporarily, or longer-term if preferred. Here are instructions for updating these rules:
  2. You can opt to wait for the next security update, which will include all previous fixes.

If you’re interested in learning more, or would like to see how you can use tools like Configuration Manager, WSUS, or Windows Update for Business to manage updates, see the Quick guide to Windows as a service. To learn more about Windows as a service, check out the Windows as a service gateway on Docs.


Version history
Last update:
‎Feb 06 2019 10:07 AM
Updated by: