More on Windows 7 and Windows 8.1 servicing changes



    Posted: 07 Oct 2016
    As we previously announced, we are moving to a rollup model for Windows 7 SP1, Windows 8.1, Windows Server 2008 R2, Windows Server 2012, and Windows Server 2012 R2 updates. These changes will take effect with the next Update Tuesday release, on October 11.

    All supported versions of Windows will now follow a similar update servicing model, bringing a more consistent and simplified servicing experience. For those of you who manage Windows updates within your organization, it’s important that you understand the choices that will be available.

    First, let’s review what we will release each month:

    A security-only quality update

    • A single update containing all new security fixes for that month
    • This will be published only to Windows Server Update Services (WSUS), where it can be consumed by other tools like ConfigMgr, and the Windows Update Catalog, where it can be downloaded for use with other tools or processes. You won’t see this package offered to PCs that talk to Windows Update.
    • This will be published to WSUS using the “Security Updates” classification, with the severity set to the highest level of any of the security fixes included in the update.
    • This (like all updates) will have a unique KB number.
    • This security-only update will be released on Update Tuesday (commonly referred to as “Patch Tuesday”), the second Tuesday of the month. (This is also referred to as a “B week” update.)

    A security monthly quality rollup

    • A single update containing all new security fixes for that month (the same ones included in the security-only update released at the same time), as well as fixes from all previous monthly rollups. This can also be called the “monthly rollup.”
    • This will be published to Windows Update (where all consumer PCs will install it), WSUS, and the Windows Update Catalog. The initial monthly rollup released in October will only have new security updates from October, as well as the non-security updates from September.
    • This will be published to WSUS using the “Security Updates” classification. Since this monthly rollup will contain the same new security fixes as the security-only update, it will have the same severity as the security-only update for that month.
    • With WSUS, you can enable support for “express installation files” to ensure that client PCs only download the pieces of a particular monthly rollup that they haven’t already installed, to minimize the network impact.
    • This (like all updates) will have a unique KB number.
    • This monthly rollup will be released on Update Tuesday (also known as “Patch Tuesday”), the second Tuesday of the month. (This is also referred to as a “B week” update.)

    A preview of the security monthly quality rollup

    • An additional monthly rollup containing a preview of new non-security fixes that will be included in the next monthly rollup, as well as fixes from all previous monthly rollups. This can also be called the “preview rollup.”
    • This preview rollup will be released on the third Tuesday of the month (also referred to as the “C week”).
    • This will be published to WSUS using the “Updates” classification as an optional update. It will also be available via Windows Update (where all consumer PCs will install it) and on the Windows Update Catalog.
    • With WSUS, you can enable support for “express installation files” to ensure that client PCs only download the pieces of a particular monthly rollup that they haven’t already installed, to minimize the network impact.
    • Starting in early 2017 and continuing for several months, older fixes will also be added to the preview rollup, so it will eventually become fully cumulative; installing the latest monthly rollup will then get your PC completely up to date.
    • This (like all updates) will have a unique KB number.



    Each month there will be separate updates released for a variety of reasons (e.g. DST time zone changes, out-of-band security fixes). Many of these will be rolled into the next monthly rollup, although some will remain separate, including Office, Flash and Silverlight updates.

    Internet Explorer updates

    The security-only and monthly rollups will contain fixes for the Internet Explorer version supported for each operating system. For Windows 7, Windows 8.1, Windows Server 2008 R2, and Windows Server 2012 R2, that is Internet Explorer 11; for Windows Server 2012, that is Internet Explorer 10. The security-only, monthly rollup, and preview rollup will not install or upgrade to these versions of Internet Explorer if they are not already present.

    .NET Framework monthly rollup

    The .NET Framework will also follow the monthly rollup model with a monthly release known as the .NET Framework monthly rollup. The .NET Framework monthly rollup will deliver both security and reliability updates to all versions of the .NET Framework as a single monthly release, targeting the same timing and cadence as Windows. It is important to note that the rollup for the .NET Framework will only deliver security and quality updates to the .NET Framework versions currently installed on your machine. It will not automatically upgrade the base version of the .NET Framework that is installed. Additionally, the .NET Framework team will also release a security-only update on Microsoft Update Catalog and Windows Server Update Services every month.

    Update strategy choices

    Operationally, this means that you now have some choices for updating Windows 7 and Windows 8.1 PCs. These choices closely correspond to the way you update Windows today, as discussed in the following sections.

    You install all security and non-security fixes as we release them




    This is our recommended updating strategy, as it ensures that all fixes for Windows are deployed on the PCs that you manage. To implement this, you should deploy the monthly rollup. For those using WSUS, the following steps are recommended:

    • Ensure that you have selected the “Security Updates” classification in the WSUS “Products and Classifications” options page, so that both the security-only update and monthly rollup on Update Tuesday are synchronized. To synchronize the optional preview rollup, also ensure the “Updates” classification is selected.
    • Ensure that you have enabled support for “express installation files” in the WSUS “Update Files and Languages” options page.
    • Existing automatic approval rules for Windows 7 or Windows 8.1 will continue to work as is. Note that since both the security-only update and monthly rollup are both classified as “Security Updates,” rules that specify this classification will approve both. See the What’s expected if you install both updates? section below for details. You may also manually approve just the monthly rollup.


    • To preview the next month’s non-security fixes on the third Tuesday of the month, you can set up an automatic approval rule for “Updates”, targeting all computers or a subset of them, as appropriate.

    If using ConfigMgr, you can perform similar steps:

    • Ensure you have the “Security Updates” classification selected in the “Software Update Point” properties for the site. To synchronize the optional third Tuesday monthly rollup, also ensure the “Updates” classification is selected.
    • Existing Automatic Deployment Rules (ADRs) for Windows 7 or Windows 8.1 will continue to work as is. Note that since both the security-only update and monthly rollup are both classified as “Security Updates,” rules that specify this classification will approve both. See the What’s expected if you install both updates? section below for details. You may also manually approve just the monthly rollup. Alternatively, you can filter based on the title of the update (taking into account the different localized strings when deploying non-English updates):

      Suggested English title search strings (which must be adjusted for other languages) include:
      “Security Only Quality Update”
      “Security Monthly Quality Rollup”
      “Preview of Monthly Quality Rollup”


    • Note that Configuration Manager does not support express updates, so the entire monthly rollup will be downloaded to each PC each month.

    With these small adjustments, the overall update management process will be very similar to what was used previously.

    You install all security fixes, but no other fixes



    For organizations that typically deploy only security fixes, you will now find that instead of approving or deploying a set of fixes each Update Tuesday, you will approve or deploy just a single update.
    Since the security-only update and the monthly rollup both are published using the “Security Updates” classification, existing automatic approval rules in WSUS would approve both the security-only and the monthly rollup each month. The same is also true with Configuration Manager automatic deployment rules. This will require either manually approving or deploying updates each month, or in the case of Configuration Manager, adjusting existing automatic deployment rules. See the previous section for details.

    You install all security updates as we release them, and some non-security fixes to address specific problems

    Since the organization will typically be deploying only the security-only fix, see the previous section for full details. In cases where there is a need to deploy one or more non-security fixes, manually approve the latest monthly rollup that contains the needed fixes. This monthly rollup will contain other fixes as well, so the entire package must be installed.

    What’s expected if you install both updates?

    Since all the new security fixes for a given month are available in both the security-only update and the monthly rollup, it’s important to understand the behavior that may be seen if you deploy both updates in the same month.

    For example, assume you approve and deploy the security-only update and the monthly rollup that are both released on Update Tuesday (a.k.a. “Patch Tuesday,” the second Tuesday of the month). This isn’t necessary, since the security fixes are also included in the monthly rollup, and it would generate additional network traffic since both would be downloaded to the PC. But what would happen? It depends on the installation sequence:

    • If the monthly rollup fix installs first, the security-only update would then no longer be applicable to the PC, since the entire content of that security-only update would already be installed.
    • If the security-only update installs first, the monthly rollup will still be applicable as it contains additional fixes (both non-security fixes and older security fixes) that are needed by the PC.

    Depending on the management tool you are using to deploy these updates, this may be represented differently in the compliance reports provided by those tools.

    As long as you install one or the other (security-only update or monthly rollup), the PCs will have the needed security fixes released that month.

    The common concern: What if an update causes an issue?


    Every Windows update is extensively tested with our OEMs and ISVs, and by customers – all before these updates are released to the general population.

    Your organization may also be interested in validating updates before they are publicly released, by participating in the Security Update Validation Program (SUVP). This program enables organizations to establish an additional early validation ring within the organization, while also providing a direct channel back to Microsoft for any issues encountered. For more information on SUVP, see The Microsoft Security Update Validation Program; contact your Technical Account Manager or Microsoft account team to discuss this further.

    To minimize the potential impact on an organization, we recommend that you always have a “ringed” deployment approach for all updates, starting with the IT organization, expanding to one or more pilot groups, followed by one or more broad deployment groups. Allow sufficient time between rings for users to report any issues that they might see.

    If any issues are encountered, we recommend stopping or pausing deployment of the update and contacting Microsoft Support as soon as possible. Based on our analysis of the issue, we may recommend different courses of action, such as:

    • Rolling back the update on affected machines while the issue is being investigated.
    • Installation of other updates known to resolve the issue observed.
    • Working with the publisher (ISV) for an affected application.

    The specific action is determined on a case-by-case basis, and could be different for each customer based on the specific impact to the organization. Regardless of the action, be assured that any issues with an update are considered top priority and that we will work hard to resolve these as quickly as possible.

    Use peer-to-peer technologies to help with update distribution

    While express installation files can help greatly reduce the amount of content needed to patch each PC, it is still useful to implement peer-to-peer sharing technologies like BranchCache or Delivery Optimization to reduce the overall impact on the network by allowing PCs to obtain the updates they need from other PCs on the network that have already obtained them from WSUS or ConfigMgr.

    You can deploy BranchCache by enabling the feature on each WSUS or ConfigMgr server, then configuring the client PCs using Group Policy to use a distributed cache. See Configure BranchCache for Windows 10 updates (Windows 10) for more information. While the full BranchCache functionality is only available in the Windows Enterprise SKU, BITS support (all that’s needed for caching updates) is also available in the Windows Pro SKU. See BranchCache for more information.

    Summary

    These changes will further simplify your updating of Windows 7 SP1, Windows 8.1, Windows Server 2012, and Windows Server 2012 R2 computers, while also improving scanning and installation times and providing flexibility depending on how you typically manage Windows updates today.


    Source: More on Windows 7 and Windows 8.1 servicing changes - TechNet
    Posted By: Brink
    07 Oct 2016
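
The title-based filtering suggested in the post for telling the three update types apart, sketched in PowerShell. This is an added example, not part of the original post or of any Microsoft tooling: the function names, sample titles and KB numbers are constructed, and only the three English search strings come from the post (they must be adjusted for other languages).

```powershell
# Added example. The three English search strings come from the post;
# function names, sample titles and KB numbers are constructed placeholders.
$TitlePatterns = [ordered]@{
    SecurityOnly  = 'Security Only Quality Update'
    MonthlyRollup = 'Security Monthly Quality Rollup'
    PreviewRollup = 'Preview of Monthly Quality Rollup'
}

function Get-UpdateKind {
    param([Parameter(Mandatory = $true)][string]$Title)
    foreach ($kind in $TitlePatterns.Keys) {
        # Literal, case-insensitive substring match, so brackets in a title
        # are never treated as wildcards.
        if ($Title.IndexOf($TitlePatterns[$kind], [StringComparison]::OrdinalIgnoreCase) -ge 0) {
            return $kind
        }
    }
    return 'Other'   # updates released separately, e.g. Office or Silverlight
}

function Select-UpdatesForStrategy {
    param(
        [Parameter(Mandatory = $true)][string[]]$Titles,
        [Parameter(Mandatory = $true)][ValidateSet('AllFixes', 'SecurityOnly')][string]$Strategy,
        [switch]$IncludePreview
    )
    # Both Update Tuesday packages carry the "Security Updates" classification,
    # so the title is what separates them. Exactly one of the two is approved.
    $wanted = if ($Strategy -eq 'AllFixes') { 'MonthlyRollup' } else { 'SecurityOnly' }
    foreach ($title in $Titles) {
        $kind = Get-UpdateKind -Title $title
        if ($kind -eq $wanted) {
            $action = 'Approve'
        } elseif ($kind -eq 'PreviewRollup' -and $IncludePreview) {
            $action = 'Approve'   # optional third-Tuesday preview, e.g. for a pilot ring
        } elseif ($kind -eq 'Other') {
            $action = 'Review'    # outside the rollup model; decide case by case
        } else {
            $action = 'Skip'
        }
        [pscustomobject]@{ Kind = $kind; Action = $action; Title = $title }
    }
}

# Constructed sample titles with placeholder KB numbers.
$sampleTitles = @(
    'October, 2016 Security Only Quality Update for Windows 7 (KB0000001)',
    'October, 2016 Security Monthly Quality Rollup for Windows 7 (KB0000002)',
    'October, 2016 Preview of Monthly Quality Rollup for Windows 7 (KB0000003)',
    'Update for Microsoft Silverlight (KB0000004)'
)

# Security-only strategy: the monthly rollup is skipped even though it shares
# the "Security Updates" classification with the security-only update.
Select-UpdatesForStrategy -Titles $sampleTitles -Strategy SecurityOnly |
    Format-Table -AutoSize
```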



  1. Posts : 107
    Windows 7 Home Premium
       #1

    Thanks for this, I was hoping someone would post more information about this as I found parts of the new patch Tuesday routine really confusing.

    Over the last few months I'd got into the habit of only installing Security patches in order to avoid upgrading to W10, and now have about 20 Optional patches sitting around in Windows Update, including KB2952664.
    If I decide to install the monthly roll-up but not the security only one next Tuesday, should I install all these outstanding "optional" patches I currently have in Windows Update beforehand?


  2. Posts : 1,797
    Win 7 Ultimate, Win 8.1 Pro, Linux Mint 19 Cinnamon (All 64-Bit)
       #2

    The security-only updates won't be made available through Windows Update; they're officially only being made available to businesses through WSUS.
    If you want to install the security updates only, they might be made available through WSUS Offline.

    All the past patches will eventually be rolled into the cumulative updates. So you'll only have two choices through Windows Update - install them all or skip them all (including security updates).


  3. Posts : 111
    Windows 8 Pro x64
       #3

    So do I take it correctly that if I go to the Update Catalog (Security Bulletins Page) myself, I can no longer cherry pick which of the fixes I want to install, other than what is laid out above?


  4. Posts : 1,797
    Win 7 Ultimate, Win 8.1 Pro, Linux Mint 19 Cinnamon (All 64-Bit)
       #4

    Unfortunately not, there won't be much choice in future for anybody who uses Windows Update and I don't think individual patches will be made available as standalone installers from next week. Only the rollups will be made available. Past patches will still be made available, unless MS decides to remove those in future. I don't think that will happen though.

    I've grabbed all the past patches, up until the end of this month, just to be on the safe side.


  5. Posts : 20,583
    Win-7-Pro64bit 7-H-Prem-64bit
       #5

    Hi,
    Oh the joy
    Just create a system image before installing the updates and they can't hurt you :)


  6. Posts : 4,049
    W7 Ultimate SP1, LM19.2 MATE, W10 Home 1703, W10 Pro 1703 VM, #All 64 bit
       #6

    It looks like the Windows Update service will have to be permanently Disabled.

    OTOH, it seems like Security Updates don't really do much.

    I'm still waiting for "XP Armageddon" to start.
    "T+ 30 months and counting."

    Additional
    I installed updates on 2016-10-04.
    The Windows Update success message just appeared!

    This also happened a couple of months ago.
    Last edited by lehnerus2000; 08 Oct 2016 at 00:20. Reason: Additional


  7. Posts : 233
    Windows 7 Home Premium 64 Bit (Service Pack 1)
       #7

    I'm pretty pushed for time at the moment. Could anyone simplify that initial post? Are we supposed to install one or both updates?

    LevelBest


  8. Posts : 336
    Windows 7 Home Premium 64
       #8

    LevelBest said:
    I'm pretty pushed for time at the moment. Could anyone simplify that initial post? Are we supposed to install one or both updates?

    LevelBest
    As I understand it you either install the security-only update outside of the standard WU service, or you continue to run the WU service as now and get the monthly roll-up update comprising that month's security fixes and the previous month's non-security fixes. WU will continue to provide other updates for things like .Net Framework and Office etc separately.

    My intention is to carry on as now. Have WU set to "Notify but do not download or install" and then hold fire on all updates for two or three weeks after Patch Tuesday and follow expert recommendations as to which to install and when. Those who have all updates installed automatically on release are the ones most likely to suffer from any issues arising from the changes. Let them be the beta testers, it's far better to wait a while and pick up on any issues before jumping in.


  9. Posts : 20,583
    Win-7-Pro64bit 7-H-Prem-64bit
       #9

    Hi,
    Nothing really changes, fewer updates because they are bundled.
    That also means no real documentation will exist on what exactly is included in these bundles.

    Another thing that does not change: create a system image before downloading and installing these updates, and don't bother using Windows system images; use free Macrium Reflect instead. That way no updates can really hurt you...


 