If you utilize automated update deployment tools, such as Windows Server Update Services (WSUS) or System Center Configuration Manager, you likely use automatic rules to streamline the approval and deployment of Windows updates. Using the correct update classification is, therefore, an important component of your organization’s device update process. For some industries, it can even be a requirement as, if properly configured, it will ensure that devices across your environment receive the most current update available.
Some Windows enterprise-level customers opt to take only security updates (aka the “B” release, or “Patch Tuesday”) to reduce the impact to their network, their personnel, and their devices. To accomplish this, they configure automatic rules to deliver only updates with a classification of “Security Update.”
But what if there is an issue with the security update itself? When this occurs, depending on the severity, we (the Windows Servicing & Delivery group) may choose to mitigate the issue through an additional security update or an out-of-band release—or we may choose to resolve the issue in the following month’s security update.
Unlike regularly scheduled monthly security updates, non-security and out-of-band updates are classified simply as “Update” in both WSUS and Configuration Manager. That means, if you are using auto-update rules set to receive updates classified as “Security Update” only, you will not receive a more recent update should one be produced and, thus, will miss the earliest opportunity to acquire a necessary fix for their environment.
So, what options are available for WSUS and Configuration Manager customers?
You can opt to configure your automatic rules to include updates classified as “Update” temporarily, or longer-term if preferred. Here are instructions for updating these rules: