Heads up. Beginning in October 2016, Microsoft is changing their servicing model for all currently supported editions of Windows.
Currently with Windows 10 (and the yet-to-be-released Windows Server 2016), Microsoft releases monthly updates that are cumulative. Internally these are referred to as Quality Updates. These contain security, performance, and compatibility fixes, similar to the various KBs that have been released on down-level versions of Windows. This has somewhat simplified the update process for Windows 10 machines, because the names are a lot catchier (July, 2016 Update Rollup; rather than “Update for Windows 8.1, KB3102429”) as well as the fact that there simply won’t be as many updates to deal with.
Starting next month, this model will apply to older editions of Windows 7, 8, and 8.1; as well as Windows Server 2008 R2 and 2012/R2. Windows Vista and Server 2008 vanilla got off easy and are exempt from this new model. These single, monthly updates will include all security and quality updates released for the month; and will be cumulative – for example, the December 2016 Update Rollup will include all October and November updates. Before you get out your torches and pitchforks, let’s get some questions answered:
Won’t these updates eventually be HUGE if they’re cumulative?
Yes and no. These updates will be network optimized just like updates in the past have, and will only download and install the portions that are required. This is similar to downloading and installing Windows 7 SP1 after you’ve already installed a few updates versus installing Windows 7 SP1 on a new image – you’ll notice that the size can be quite a bit different.
I’m still clinging to WSUS and haven’t become an IT Rockstar and deployed SCCM yet. How will this affect me?
WSUS will still operate normally, with approvals and ratings operating normally (more on ratings in a minute). However, you will want to begin to download the express installation files for this to work well. The express install files contain every possible variation of the update files; but will only deliver required files to the client, so as updates move to a more cumulative nature, this will greatly help with internal bandwidth and the speed at which clients can install updates, at the expense of some storage space on WSUS. This setting is in WSUS, in Options -> Update Files and Languages.
I’ve already got SCCM because I’m awesome. What’s up now?
SCCM will largely continue to operate the same as it does now. You’ll definitely have fewer monthly updates to approve (and if you’re utilizing an install of SCCM that Dalechek Technology Group has deployed or performed an alignment on, you’ll already be set to handle this change). Express installation files do not apply, because SCCM already takes this into account when it deploys and downloads updates from Distribution Points to client machines.
What about critical security updates?
These monthly updates will still be categorized in a similar manner to security updates now, but it will apply to the whole update package. For example, if the update contains a critical security fix, the whole package will be rated as critical. As of 8/31/16, Microsoft hasn’t yet announced a strategy for immediate release security updates.
What if I only want to deploy security updates?
You’re in luck – Microsoft did consider that. Each monthly quality update will have a corresponding security-only update. Keep this in mind as you go through your monthly patch approvals, either via SCCM or WSUS. Also know that the quality updates include the security updates released in the security-only patch, so it’s unnecessary to deploy both updates.
What if I’ve had to exclude updates in the past?
This is where it gets weird. If you’ve specifically skipped updates, they may get included in these new cumulative update patches, as they'll catch up your machines to the current supported patch level. Test, test, test, and please contact your technology partners if you need help, that's why we're here! If there’s one specific update that you need to skip that is part of a monthly quality update, you can skip the update, but you’ll likely get it the following month. Microsoft is encouraging you to contact CSS if there is an update that is part of a quality rollup that causes problems. There are contact options here: https://support.microsoft.com/en-us/gp/support-options-for-business.
Keep an eye out over the coming weeks for more on this change, and hit me up as you have questions. Happy patching!
EDIT: Some links for ya:
https://www.microsoft.com/en-us/WindowsForBusiness/windows-roadmap