Windows 10 update servicing cadence
Published Aug 01 2018 04:17 PM 217K Views
Microsoft

Update 07.29.2021:  For current information on the Windows servicing cadence and monthly quality updates, see the Windows quality updates primer.

I’ve heard from many of you that you’d like a primer on our monthly Windows 10 quality update servicing cadence and terminology. In response, I’d like to share our guiding principles, then dive into them further to provide context for the quality updates themselves.

Guiding principles

We use the following principles for the monthly Windows servicing process:

  • Be simple and predictable. IT managers should be able to plan for a simple, regular and consistent patching cadence. You shouldn’t need to stop what you’re doing to test and deploy an update. You should be able to plan a time, well in advance, to work on new updates. You also shouldn’t have to memorize multiple release schedules; the Windows release cadence should align with that of other Microsoft products.
  • Be agile. In today’s security landscape, we must be able to respond to threats quickly when required. We should also provide you with updates quickly without compromising quality or compatibility.
  • Be transparent. To simplify the deployment of Windows 10 in large enterprises or small businesses, you should have access to as much information as you need, and you should be able to understand and prepare for updates in advance. This includes guides for common servicing tools, simple release notes, and access to assistance or a feedback system to provide input.

Monthly quality updates

Next, I’d like to offer a quick summary of our monthly quality update types:

  • At times referred to as our “B” release, Update Tuesday (most often referred to as Patch Tuesday) updates are published the second Tuesday of each month. These updates are the primary and most important of all the monthly update events and are the only regular releases that include new security fixes.
  • An out-of-band release is any update that does not follow the standard release schedule. These are reserved for situations where devices must be updated immediately either to fix security vulnerabilities or to solve a quality issues impacting many devices.
  • The “C” and “D” releases occur the third and fourth weeks of the month, respectively. These preview releases contain only non-security updates, and are intended to provide visibility and testing of the planned non-security fixes targeted for the next month’s Update Tuesday release. These updates are then shipped as part of the following month’s “B” or Update Tuesday release.

Now let’s align our principles to our monthly quality update releases.

Be simple and predictable

Across Microsoft, we have aligned on releasing updates on the second Tuesday of every month. It is the common, shared release date for Windows updates and for other products like Office. This consistent approach gives you the ability to simplify planning, testing, and deploying in advance.

For Windows, Update Tuesday is the most important monthly service event. This quality update does not include new features; instead, it serves to enhance system stability and security. We develop and test these updates quickly to minimize the impact of a vulnerability should one be made public, and they should be installed as soon as possible once released.  

As an IT professional, you should have an established process and plan to ingest Update Tuesday releases each month.

Be agile 

As much as we try to simplify and standardize our release cadence, there will always be situations that require agility, and an out-of-band update is necessary. As mentioned earlier, out-of-band updates are reserved for security vulnerabilities in active exploit or significant quality issues that must be fixed before the next B, C or D release.

Out-of-band updates may similarly require an out-of-band effort from IT pros to test and deploy them. While you should keep an eye out for out-of-band updates, they are rare and we have set a high threshold for releasing them.

Be transparent

Due to the sensitive nature of security fixes, Update Tuesday releases must be coordinated internally between our product teams and tested externally with our partners. Non-security releases do not have this limitation so, for the latest version of Windows 10, we typically release the majority of non-security updates the fourth week of every month, two weeks after the last Update Tuesday and two weeks before the next, in a “D” release.

During the two-week period between the initial release of a D release and our active push to install them on devices, you can test the updates included in the release and provide feedback, reducing the amount of testing necessary following Update Tuesday and, thereby, improving our ability to solve issues before they even happen. 

For older versions of Windows 10 (as well as supported versions of Windows 7 and Windows 8.1), we sometimes release updates during the third week with a “C” release to provide you with extra time to test your legacy systems. In addition, as a new feature release draws near, we shift the current release to the “C” week, since there are fewer fixes and improvements necessary on the current version. Having just a few updates to test on the “C” week and none on the “D” week gives you the chance to concentrate on other responsibilities and frees up time for when the next semi-annual update arrives.

In most cases, “C” and “D” releases do not need be deployed to your broader device ecosystem. Instead, you can use these releases to identify any issues that could impact your next “B” deployment and provide feedback. This helps you get a head start on testing and understanding the potential impact of updates and gives you a chance to provide suggestions before those updates are officially released, providing a smoother and more tailored experience when the “B” release comes around.

The history of Update (aka Patch) Tuesday

Before I conclude this post, I wanted to provide a brief look back at the origins of our second Tuesday release schedule. “Patch Tuesday” was formalized in October 2003 after years of updates shipping whenever they were ready, a method called “ship-when-ready.” While this allowed fixes to go out almost immediately, it was a burden on IT pros, who were forced to start their workdays not knowing whether they would have to test and deploy an update. It was also a challenge for users, who sometimes had to reboot their computers multiple times a month to apply new updates, rather than just one reboot to apply a cumulative update, the process we use today.

We chose the second Tuesday at 10:00 a.m. Pacific time for two reasons:

  • To provide you with a day (Monday) to deal with any other issues you need to work through from the previous week.
  • To give you plenty of time to test the updates and deploy them to devices, then respond to any issues that may arise during the rest of the week.

Microsoft also spends the rest of the week watching for feedback and issues identified by businesses and consumers so we can begin preparing fixes immediately if necessary. 

In addition to giving us time to respond to user feedback, the Update Tuesday schedule has enabled us to employ artificial intelligence in our deployment process. As John Cable noted back in June, “We continuously collect update experience data and retrain our models to learn which devices will have a positive update experience, and where we may need to wait until we have higher confidence in a great experience. Our overall rollout objective is for a safe and reliable update, which means we only go as fast as is safe.” This careful, strategic approach ensures that devices will be updated quickly and without any problems, even if we don’t have those specific devices available to test on, so that users can enjoy a seamless update experience. 

Learn more

I hope this provides helpful insight into the rhythm of Windows quality updates and how they align to our servicing principles. For an overview of our monthly update process in just three minutes, check out this video:

If you’re interested in learning more about release channels, or would like to see how you can use tools like System Center Configuration Manager , Windows Server Update Services (WSUS), or Windows Update for Business to manage updates, see the Quick guide to Windows as a service. To learn more about Windows as a service, check out the Windows as a service page on the Windows IT Pro Center.

24 Comments
Silver Contributor

Installing latest CU update in theory is what is needed. But in practice (as i have mentioned on another blog post) sometimes it for some reason pulls older CU from WSUS, then can't see the newest one until you wipe SoftDist folder and then installs the latest.

 

We have a practice here to only watch for Security and Critical updates in WSUS. Not sure if C and D still apply. But out of band updates were rare maybe 5 years ago. Now it is very common. I would say i see something not on Patch Tuesday every month. Office updates (2010-2013) usually appear during 1st week (more come on regular schedule) and then i see some more updates on 3-4 week of a month (for Windows). As they are marked as Security or Critical, i can't ignore them and have to approve. We don't do testing for 15+ years now as we didn't have issues with updates to warrant that. But i still have to check/apply/file the change in our system/etc. Would like to see most updates on the actual Patch Tuesday. Why Office updates are released earlier?

The month of July was a study in NOT being simple.  The cumulative updates were not cumulative.  Also in the last several months the release of the C and D patches have been very inconsistent.  Sometimes we've had them released on Tuesday, other times it's been Wednesdays or Thursdays.   We've also had some Windows 10 fixes released on the A week.

 

Consistency and release dates and times have not been simple in the era of Windows 10.

To Oleg - Office releases two sets of updates - non security is released on the first Tuesday, security on the second.  Starting with Office 2019 we will all be on click to run and you won't see individual updates.  Office does their own patching cadence slightly differently than windows.

Bottom line this too shall pass.

Silver Contributor

Well, we only sync security and critical, so maybe first week Office updates are classified as critical (don't remember from the top of my head) and i can't ignore critical updates. But we have only a few users with standalone Office (Visio only), so impact is small and should be even less when we move to Visio Online.

 

Btw, Susan, i have read your open letter to Microsoft on Computerworld. Good points ;)

Brass Contributor

I think we're less interesting in hearing a rehash of terms, and more interested in when the quality of updates will be addressed. Specifically, when will the Open Letter get response?  https://www.computerworld.com/article/3293440/microsoft-windows/an-open-letter-to-microsoft-manageme...

Copper Contributor

Sorry to say but for 1703 the only patch detected was the Patchday patch. The following CUs were not relesed to WSUS so how would I test them?

I was really surprised to learn that all other 1703 CUs are NOT APPLICABLE (manual import to WSUS 2016 with PowerShell) but installing by hand works.

For me it feels like all Windows 10 people making the updates are in over their heads and no one is getting the complete picture or at least does know how to get back on track.

Brass Contributor

Wasn't aware, that MS also ships C and D 'cumulative' updates for Windows 10 ...

 

And I didn't noticed, that MS tries to ship W10 updates on C and D week, to 'test' that stuff before it's shipped on the next months patchday. So all Windows 10 systems without updates deferred will autoinstall (aka: Win 10 Home users are guinea pigs, or is this group doesn't get C and D updates?). 

Reading the first part of the above article, I thought 'Ok, they intend to keep things simple', but now I'm just confused - and my impression is, that things are getting more complicated. Admins need to decide between security and non security updates, between C and D updates (for test purposes) and also, whether they are patching old Windows or the most recent build. You think that's simple? 

 

Just another thing: I mentioned the above article within my blog and got a comment from an admin/consultant:

 

What John Wilcox from Microsoft writes is not (yet) true. I’m not aware that Microsoft would have rolled out C and D updates but Out of Band because of fixes for fixes.

If they introduce preview updates *** I’m out, because these ruin the possibility of automatic approval in WSUS even before Windows 10 / 2016 because they do not belong to a separate category.

 

I'm not an expert in WSUS - but I received a similar 2nd comment within my German blog. What's with that topic? 


Community Manager

@Cordell Melin - thanks for the note. We've fixed the broken link for the Quick guide to Windows as a service in the post.

So take the month of July.  July Windows 10 updates had a release on the B week - second Tuesday, then a fix to a bsod released on the 16th, then even older Windows 10 releases had a release on the D week even though this blog post says older Windows 10 releases will probably get them on the C week.  I'm still confused as to when we should expect updates so that I'm crystal clear as to what is an out of band and what is a C or D release?

 

Also be aware that until this blog post --to the best of my knowledge - this is the first time it has been acknowledged that these additional C and D releases will be now normal for all Windows 10.  Prior to this, for example 1703 late 2017, we only received one release a month, not two.  If any future changes are made, can this be announced ahead of time not stated after the fact?

Copper Contributor

It really doesn't seem like you're listening. Windows Update is intrusive, opaque, and uncontrollable. WaaS is a nightmare for OEMs and IT administrators -- not to mention end users!

 

And WSUS is a confusing hot mess straight out of the early 2000s. I've had a ticket open with the MS Windows OEM team for 3 months, they're still trying to figure out how to get  WSUS to update the embedded Windows appliance we make -- a direction we took after the May Windows cumulative update turned our appliances into expensive bricks:
https://answers.microsoft.com/en-us/windows/forum/windows_10-windows_install/devices-with-certain-in...

 

Instead of defending the state Windows is in, you should be acknowledging the problem, and engaging the community transparently on how to fix it. Susan Bradley articulated what your entire user base is experiencing. Brushing that off is a mistake.

Last night July microcode updates were expired off of WSUS and I'm getting reports that the August updates are bricking machines - even surface devices, and possibly being offered up and installed on machines where the chip set doesn't match.  Please be transparent on this issue?

Copper Contributor

It would be great if you could sink some time into improving Windows to the point where it can update without rebooting.

 

I've got fully patched linux boxes which can upgrtade their kernerl without a reboot, some with uptime measured in years. My Windows machines struggle to make it a month,

Would it be possible to add the naming "Preview" to these D week releases so that there is consistency between the Windows 7 update naming and Windows 10 for these D week releases?

Copper Contributor

I have really just got into using Windows 10 and Server 2016 and managing updates on these products (having spent over 20 years in the industry managing Windows versions). I am currently horrified on how updates are installed and the failure rate I get in comparison to that rate I used to get with Windows 7 and server 2008. I have managed 'large estates of Win 7 (1000+) machines and 2-300 servers where the success rate of patching was in the 95%+ range, and patches just installed just one after another. I currently only manage 10 servers, 9 of which are 2016, one server will not patch, (it did initially), the only thing I haven't tried on this server is to do an install repair which is my next step,  1 of the other 9 hangs on the restart after patching, I have to switch it off and start it up, and 2 of the other servers will not automatically restart (all controlled by WSUS), all virtuals running on HyperV.

Whenever I get new PCs to configure, the first thing I do is to patch them, before I load any other software, we are not big enough to have open or select license agreements, so dont have images etc built and current.. This usually takes a good day of installing, restarting, retrying and fixing any issues before I have a system I can start to install and configure for our users. New PCs will try and install feature updates prior to any security patches, cumulative updates are generally enormous, I dont know how Microsoft could have made patching this bad.

Copper Contributor

hi

Brass Contributor

I don't understand how "C" and "D" are optional updates - quoting Fortin:

 

https://blogs.windows.com/windowsexperience/2018/12/10/windows-monthly-security-and-quality-updates-...

 

We also release optional updates in the third and fourthweeks of the month, respectively known as “C” and “D” releases.

... only to have

 

quality updates are cumulative and contain all previously released fixes to guard against fragmentation of the OS that can lead to reliability and vulnerability issues when only a subset of fixes are installed.  Most users are familiar with what is commonly referred to as “Patch Tuesday” or Update Tuesday.  These updates are published on the second Tuesday of each month, known as the “B” release (“B” refers to the second week in the month),

which is a forced update within a fortnight for 'Home' users....

Microsoft

You are correct, with Windows 10, all releases, Quality and Feature are cumulative, so subsequent releases are built on and contain all previous releases. 

 

To minimize end-user reboot disruption, most of our self managed customers, and as default for the devices we manage, configure to update once a month, to get the lastest security patches. These are the B releases.

 

We refer to the "C" and "D" releases as "optional" because"

  • They only include quality fixes, not security fixes and therefore don't have the zero day exposure impications.
  • The fixes will  come to you in the next "B" release, which is what we and most of you are focused on getting quickly installed when they come out. So unless there is a specfic fix that your blocked on, and thus need quickly, you will  get the improvements with the next "B", along with the new security fixes, and then only have on reboot. 

"C" and "D" are there to so that  if you want, you can deploy them early with your first flighting rings and have data and visibility to the changes before deploying the "B" release.

 

The fixes themselves are not optional, as you correctly called out, we only have cumulative updates now, but the specific update package that you deploy to get a set of fixes, and when is optional. 

Iron Contributor

Thanks for the detailed post. I think you've omitted some details. I'm trying to match this simple story to the schedule of actually released updates and  seeing some gaps. Let's take 1809 update history, which at the moment shows:

 UNxqFeR

There are three questions:

1. You have two updates dated November 13 (KB4467708 and KB446455). If they are cumulative, should be just one on the same date. Oh, wait, KB4464455 is actually the October cumulative update that you re-released on the same date with the first release of the November cumulative update. Am I getting this right?

 

2. You still have two cumulative updates for November, according to my WU history: KB4467708 and KB4469342.

https://i.imgur.com/DPlGcgl.png

Why is that?

 

3 (which echoes back to 1). KB4469342 is showing December 5. Yes, it's the last release date, but it's a November cumulative update released on November 13, then again on November 28, and then again on December 5. So you pushed it three times, but the KB article neglects to mention any release history.

How does this fit into your patch tuesday schedule? Why don't you list the complete history?

 

All in all, this does look very agile, but it's not simple, absolutely not transparent and totally unpredictable. Care to clarify? 

 

Thanks,
Vadim

For 1809, the month of April and May 2019 have been not very clear at all.  We have 

4/2 (preview) 4/9 (main security) 5/1 (WSUS) and 5/3 (was supposed to be preview but I got it pushed to me on Friday with a reboot)

Why all these random dates and release cadence for 1809?

Community Manager

@Susan Bradley - There was additional information about the timing of the April and May 2019 updates for Windows 10, version 1809 posted on the new Windows message center this week:

Reminder: Windows 10 update servicing cadence

This month we received questions about the cadence of updates we released in April and May 2019. Here's a quick recap of our releases and servicing cadence: 
  • April 9, 2019 was the regular Update Tuesday release for all versions of Windows.
  • May 1, 2019 was an "optional," out of band non-security update (OOB) for Windows 10, version 1809. It was released to Microsoft Catalog and WSUS, providing a critical fix for our OEM partners.
  • May 3, 2019 was the "optional" Windows 10, version 1809 "C" release for April. This update contained important Japanese era packages for commercial customers to preview. It was released later than expected and mistakenly targeted as "required" (instead of "optional") for consumers, which pushed the update out to customers and required a reboot. Within 24 hours of receiving customer reports, we corrected the targeting logic and mitigated the issue.

I totally forgot about that page until yesterday and found it. 

Question though... why so late in releasing these preview updates?  They are coming out in "A" week cadence not "C or D" week?  "Out of band" should be reserved for security updates, not non security.    March 1, April 2 releases were also  "out of band" and delayed.

Iron Contributor

Across Microsoft, we have aligned on releasing updates on the second Tuesday of every month

This↓ is the recent update history for 1809. Can you explain how this aligns with the second Tuesday of every month?

1809wu.png

 

Copper Contributor

thank you im excited

Co-Authors
Version history
Last update:
‎Jul 29 2021 05:35 PM
Updated by: