More on Windows 7 and Windows 8.1 servicing changes

As we previously announced, we are moving to a rollup model for Windows 7 SP1, Windows 8.1, Windows Server 2008 R2, Windows Server 2012, and Windows Server 2012 R2 updates. These changes will take effect with the next Update Tuesday release, on October 11.

All supported versions of Windows will now follow a similar update servicing model, bringing a more consistent and simplified servicing experience. For those of you who manage Windows updates within your organization, it’s important that you understand the choices that will be available.

First, let’s review what we will release each month:

A security-only quality update

  • A single update containing all new security fixes for that month
  • This will be published only to Windows Server Update Services (WSUS), where it can be consumed by other tools like ConfigMgr, and the Windows Update Catalog, where it can be downloaded for use with other tools or processes. You won’t see this package offered to PCs that talk to Windows Update.
  • This will be published to WSUS using the “Security Updates” classification, with the severity set to the highest level of any of the security fixes included in the update.
  • This (like all updates) will have a unique KB number.
  • This security-only update will be released on Update Tuesday (commonly referred to as “Patch Tuesday”), the second Tuesday of the month. (This is also referred to as a “B week” update.)

A security monthly quality rollup

  • A single update containing all new security fixes for that month (the same ones included in the security-only update released at the same time), as well as fixes from all previous monthly rollups. This can also be called the “monthly rollup.”
  • This will be published to Windows Update (where all consumer PCs will install it), WSUS, and the Windows Update Catalog. The initial monthly rollup released in October will only have new security updates from October, as well as the non-security updates from September.
  • This will be published to WSUS using the “Security Updates” classification. Since this monthly rollup will contain the same new security fixes as the security-only update, it will have the same severity as the security-only update for that month.
  • With WSUS, you can enable support for “express installation files” to ensure that client PCs only download the pieces of a particular monthly rollup that they haven’t already installed, to minimize the network impact.
  • This (like all updates) will have a unique KB number.
  • This monthly rollup will be released on Update Tuesday (also known as “Patch Tuesday”), the second Tuesday of the month. (This is also referred to as a “B week” update.)

A preview of the security monthly quality rollup

  • An additional monthly rollup containing a preview of new non-security fixes that will be included in the next monthly rollup, as well as fixes from all previous monthly rollups. This can also be called the “preview rollup.”
  • This preview rollup will be released on the third Tuesday of the month (also referred to as the “C week”).
  • This will be published to WSUS using the “Updates” classification as an optional update. It will also be available via Windows Update (where all consumer PCs will install it) and on the Windows Update Catalog.
  • With WSUS, you can enable support for “express installation files” to ensure that client PCs only download the pieces of a particular monthly rollup that they haven’t already installed, to minimize the network impact.
  • Starting in early 2017 and continuing for several months, older fixes will also be added to the preview rollup, so it will eventually become fully cumulative; installing the latest monthly rollup will then get your PC completely up to date.
  • This (like all updates) will have a unique KB number.

Each month there will be separate updates released for a variety of reasons (e.g. DST time zone changes, out-of-band security fixes). Many of these will be rolled into the next monthly rollup, although some will remain separate, including Office, Flash and Silverlight updates.

Internet Explorer updates

The security-only and monthly rollups will contain fixes for the Internet Explorer version supported for each operating system. For Windows 7, Windows 8.1, Windows Server 2008 R2, and Windows Server 2012 R2, that is Internet Explorer 11; for Windows Server 2012, that is Internet Explorer 10. The security-only, monthly rollup, and preview rollup will not install or upgrade to these versions of Internet Explorer if they are not already present.

.NET Framework monthly rollup

The .NET Framework will also follow the monthly rollup model with a monthly release known as the .NET Framework monthly rollup. The .NET Framework monthly rollup will deliver both security and reliability updates to all versions of the .NET Framework as a single monthly release, targeting the same timing and cadence as Windows. It is important to note that the rollup for the .NET Framework will only deliver security and quality updates to the .NET Framework versions currently installed on your machine. It will not automatically upgrade the base version of the .NET Framework that is installed. Additionally, the .NET Framework team will also release a security-only update on Microsoft Update Catalog and Windows Server Update Services every month.

Update strategy choices

Operationally, this means that you now have some choices for updating Windows 7 and Windows 8.1 PCs. These choices closely correspond to the way you update Windows today, as discussed in the following sections.

You install all security and non-security fixes as we release them

This is our recommended updating strategy, as it ensures that all fixes for Windows are deployed on the PCs that you manage. To implement this, you should deploy the monthly rollup. For those using WSUS, the following steps are recommended:

  • Ensure that you have selected the “Security Updates” classification in the WSUS “Products and Classifications” options page, so that both the security-only update and the monthly rollup on Update Tuesday are synchronized. To synchronize the optional preview rollup, also ensure the “Updates” classification is selected.
  • Ensure that you have enabled support for “express installation files” in the WSUS “Update Files and Languages” options page.
  • Existing automatic approval rules for Windows 7 or Windows 8.1 will continue to work as is. Note that since the security-only update and the monthly rollup are both classified as “Security Updates,” rules that specify this classification will approve both. See the What’s expected if you install both updates? section below for details. You may also manually approve just the monthly rollup.

  • To preview the next month’s non-security fixes on the third Tuesday of the month, you can set up an automatic approval rule for “Updates”, targeting all computers or a subset of them, as appropriate.
If using ConfigMgr, you can perform similar steps:

  • Ensure you have the “Security Updates” classification selected in the “Software Update Point” properties for the site. To synchronize the optional third Tuesday monthly rollup, also ensure the “Updates” classification is selected.
  • Existing Automatic Deployment Rules (ADRs) for Windows 7 or Windows 8.1 will continue to work as is. Note that since the security-only update and the monthly rollup are both classified as “Security Updates,” rules that specify this classification will approve both. See the What’s expected if you install both updates? section below for details. You may also manually approve just the monthly rollup. Alternatively, you can filter based on the title of the update (taking into account the different localized strings when deploying non-English updates):

    Suggested English title search strings (which must be adjusted for other languages) include:
    “Security Only Quality Update”
    “Security Monthly Quality Rollup”
    “Preview of Monthly Quality Rollup”

  • Note that Configuration Manager does not support express updates, so the entire monthly rollup will be downloaded to each PC each month.
With these small adjustments, the overall update management process will be very similar to what was used previously.

You install all security fixes, but no other fixes

For organizations that typically deploy only security fixes, you will now find that instead of approving or deploying a set of fixes each Update Tuesday, you will approve or deploy just a single update.
Since the security-only update and the monthly rollup both are published using the “Security Updates” classification, existing automatic approval rules in WSUS would approve both the security-only and the monthly rollup each month. The same is also true with Configuration Manager automatic deployment rules. This will require either manually approving or deploying updates each month, or in the case of Configuration Manager, adjusting existing automatic deployment rules. See the previous section for details.

You install all security updates as we release them, and some non-security fixes to address specific problems

Since the organization will typically be deploying only the security-only fix, see the previous section for full details. In cases where there is a need to deploy one or more non-security fixes, manually approve the latest monthly rollup that contains the needed fixes. This monthly rollup will contain other fixes as well, so the entire package must be installed.

What’s expected if you install both updates?

Since all the new security fixes for a given month are available in both the security-only update and the monthly rollup, it’s important to understand the behavior that may be seen if you deploy both updates in the same month.

For example, assume you approve and deploy the security-only update and the monthly rollup that are both released on Update Tuesday (a.k.a. “Patch Tuesday,” the second Tuesday of the month). This isn’t necessary, since the security fixes are also included in the monthly rollup, and it would generate additional network traffic since both would be downloaded to the PC. But what would happen? It depends on the installation sequence:

  • If the monthly rollup fix installs first, the security-only update would then no longer be applicable to the PC, since the entire content of that security-only update would already be installed.
  • If the security-only update installs first, the monthly rollup will still be applicable as it contains additional fixes (both non-security fixes and older security fixes) that are needed by the PC.
Depending on the management tool you are using to deploy these updates, this may be represented differently in the compliance reports provided by those tools.

As long as you install one or the other (security-only update or monthly rollup), the PCs will have the needed security fixes released that month.

The common concern: What if an update causes an issue?

Every Windows update is extensively tested with our OEMs and ISVs, and by customers – all before these updates are released to the general population.

Your organization may also be interested in validating updates before they are publicly released, by participating in the Security Update Validation Program (SUVP). This program enables organizations to establish an additional early validation ring within the organization, while also providing a direct channel back to Microsoft for any issues encountered. For more information on SUVP, see https://msdn.microsoft.com/en-us/gg309155.aspx; contact your Technical Account Manager or Microsoft account team to discuss this further.

To minimize the potential impact on an organization, we recommend that you always have a “ringed” deployment approach for all updates, starting with the IT organization, expanding to one or more pilot groups, followed by one or more broad deployment groups. Allow sufficient time between rings for users to report any issues that they might see.

If any issues are encountered, we recommend stopping or pausing deployment of the update and contacting Microsoft Support as soon as possible. Based on our analysis of the issue, we may recommend different courses of action, such as:

  • Rolling back the update on affected machines while the issue is being investigated.
  • Installation of other updates known to resolve the issue observed.
  • Working with the publisher (ISV) for an affected application.
The specific action is determined on a case-by-case basis, and could be different for each customer based on the specific impact to the organization. Regardless of the action, be assured that any issues with an update are considered top priority and that we will work hard to resolve these as quickly as possible.

Use peer-to-peer technologies to help with update distribution

While express installation files can help greatly reduce the amount of content needed to patch each PC, it is still useful to implement peer-to-peer sharing technologies like BranchCache or Delivery Optimization to reduce the overall impact on the network by allowing PCs to obtain the updates they need from other PCs on the network that have already obtained them from WSUS or ConfigMgr.

You can deploy BranchCache by enabling the feature on each WSUS or ConfigMgr server, then configuring the client PCs using Group Policy to use a distributed cache. See https://technet.microsoft.com/en-us/itpro/windows/manage/waas-branchcache for more information. While the full BranchCache functionality is only available in the Windows Enterprise SKU, BITS support (all that’s needed for caching updates) is also available in the Windows Pro SKU. See https://technet.microsoft.com/en-us/library/mt613461.aspx#bkmk_os for more information.

Summary

These changes will further simplify your updating of Windows 7 SP1, Windows 8.1, Windows Server 2012, and Windows Server 2012 R2 computers, while also improving scanning and installation times and providing flexibility depending on how you typically manage Windows updates today.


Source: More on Windows 7 and Windows 8.1 servicing changes - TechNet

So do I take it correctly that if I go to the Update Catalog (Security Bulletins Page) myself, I can no longer cherry pick which of the fixes I want to install, other than what is laid out above?
:(
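The title-based filtering and the security-only strategy described in the quoted article, as an added PowerShell example that is not part of the TechNet post or the forum thread. The `Select-RollupApproval` function, the sample titles and KB placeholders are constructed here, and reading the title of `Get-WsusUpdate` output from `.Update.Title` is an assumption.

```powershell
# Added example, not from the TechNet post. Classifies one month's synchronized
# updates by title so an approval rule does not approve both the security-only
# update and the monthly rollup (both carry the "Security Updates" classification).
function Select-RollupApproval {
    param(
        # Objects exposing a title: the constructed samples below, or Get-WsusUpdate
        # output (whose title is assumed to live at .Update.Title)
        [Parameter(Mandatory)] [object[]] $Updates,
        # AllFixes = monthly rollup (plus optional preview); SecurityOnly = security-only update
        [ValidateSet('AllFixes', 'SecurityOnly')] [string] $Strategy = 'AllFixes',
        [switch] $IncludePreview
    )
    foreach ($u in $Updates) {
        $title = if ($u.PSObject.Properties['Title']) { $u.Title } else { $u.Update.Title }
        # English title strings from the post; adjust the patterns for other languages
        $isSecOnly = $title -match 'Security Only Quality Update'
        $isRollup  = $title -match 'Security Monthly Quality Rollup'
        $isPreview = $title -match 'Preview of Monthly Quality Rollup'
        $approve = switch ($Strategy) {
            'AllFixes'     { $isRollup -or ($IncludePreview -and $isPreview) }
            'SecurityOnly' { $isSecOnly }
        }
        [pscustomobject]@{ Title = $title; Approve = [bool]$approve }
    }
}

# Constructed sample resembling one month's titles (KB numbers are placeholders)
$sample = @(
    [pscustomobject]@{ Title = '2016-10 Security Only Quality Update for Windows 7 for x64-based Systems (KBxxxxxxx)' }
    [pscustomobject]@{ Title = '2016-10 Security Monthly Quality Rollup for Windows 7 for x64-based Systems (KBxxxxxxx)' }
    [pscustomobject]@{ Title = '2016-10 Preview of Monthly Quality Rollup for Windows 7 for x64-based Systems (KBxxxxxxx)' }
)
# Security-only strategy: exactly one of the three titles is marked for approval
Select-RollupApproval -Updates $sample -Strategy SecurityOnly | Format-Table -AutoSize

# On a WSUS server (UpdateServices module) the same filter feeds Approve-WsusUpdate,
# so only the chosen update reaches a ring; the target group name is a placeholder:
# Get-WsusUpdate -Classification Security -Approval Unapproved -Status Any |
#     Where-Object { (Select-RollupApproval -Updates $_ -Strategy SecurityOnly).Approve } |
#     Approve-WsusUpdate -Action Install -TargetGroupName 'Pilot'
```

Run with `-Strategy AllFixes` to select only the monthly rollup instead, and add `-IncludePreview` to also pick up the third-Tuesday preview rollup.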
Seems they remove the possibility to install or not install certain updates without affecting others. What if they roll out something "force update to Windows 11" along with some HDD fix?

My take is that they are forcing Win7 and Win8 updates to be like Win10 -- in that, you basically have no choices anymore.

Messing around with WSUS and Microsoft Update Catalog is well beyond the skills of most consumers -- which appears to be exactly what MS wants.