Begining October 11, Microsoft will be moving Windows 7 SP1, 8.1, Windows Server 2008 R2, Windows Server 2012, and Windows Server 2012 R2 to a new rollup model called “Update Tuesday”.
“All supported versions of Windows will now follow a similar update servicing model, bringing a more consistent and simplified servicing experience,” writes Microsoft.
If your managing Windows updates within your organization, here’s the highlight of the choices available on Oct 11:
A security-only quality update, will contain all new security fixes for that month, and will be published only to Windows Server Update Services (WSUS) using “Security Updates” classification, where it can be used by other tools like Configuration Manager and Windows Update Catalog.
A security monthly quality update (also called as “monthly rollup”) will contain all new security fixes for a month (same ones included in the security-only quality update), as well as fixes from all previous monthly rollups. This one will be published to Windows Update for consumer PCs, WSUS (using the “Security Updates” classification), and Windows Update Catalog.
With WSUS, you can enable support for “express installation files” to ensure that client PCs only download the pieces of a particular monthly rollup that they haven’t already installed, to minimize the network impact. The initial October rollup will have new security updates from October, as well as “non-security updates from September”.
Both above, will be released on Update Tuesday (commonly referred to as “Patch Tuesday”), the second Tuesday of the month (also referred to as a “B week” update).
A preview of the security monthly quality rollup (also known as “preview rollup”) will contain a preview of new non-security fixes that will be included in the next monthly rollup, as well as fixes from all previous monthly rollups.
This will be published to WSUS using “Updates” classification as an optional update, Windows Update for consumer PCs, and Windows Update Catalog.
With WSUS, you can enable support for “express installation files” for client PCs to only download the pieces of a particular monthly rollup.
Starting in early 2017 and for several more months, “older fixes will also be added to preview rollup, so it’ll eventually become fully cumulative,” writes Windows team adding, “installing the latest monthly rollup will then get your PC completely up to date.”
This preview rollup will be released on the third Tuesday of the month (also referred to as the “C week”).
The security-only and monthly rollups will also contain fixes for the Internet Explorer version supported for each operating system. While the .NET Framework will follow “monthly rollup model with a monthly release known as the .NET Framework monthly rollup,” writes Windows team. Additionally, .NET Framework team will also release a security-only update on Microsoft Update Catalog and Windows Server Update Services every month.
For update strategy choices, Microsoft is offering three choices for updating Windows 7 and Windows 8.1 PCs: “admins install all security and non-security fixes as company release them.” And, another option being, “they install all security fixes, but no other fixes,” or “you install all security updates as released by them, and some non-security fixes to address specific problems,” explained Microsoft.
So, what would happen if both updates are installed? As Microsoft explains:
- If monthly rollup fix installs first, “the security-only update would not be applicable to PC, since entire security-only update is already installed.”
- If security-only update installs first, then monthly rollup will still be applicable as it contains additional fixes that are needed by the PC.
As long as you install one or other (security-only update or monthly rollup), “the PCs will have all needed security fixes released that month.”
What if an update causes an issue? Microsoft recommend organization that you always implement a “ringed” deployment approach for all updates, installing “starting with IT organization, then expanding to one or more pilot groups, followed by one or more broad deployment groups.”
If any issues encountered, Microsoft recommend different courses of action, such as: “Rolling back update on affected machines while the issue is being investigated,” “Installation of other updates known to resolve the issue observed,” “Working with the publisher (ISV) for an affected application,” microsoft explained.
Answering to network bandwidth and or client disk space concerns that may impact your environment during “Update Tuesday” (commonly referred to as “Patch Tuesday”) week, Microsoft recommending you only deploy the security-only quality update that has a small content size.
ConfigMgr 2007 customers should only deploy the update that contains the “Security Only Quality Update” string.
ConfigMgr 2012 and above (including Current Branch):
- with no ADR configured, deploy update that contains “Security Only Quality Update” string
- previously configured ADR rule based on “Patch Tuesday” template, should take one of the following two actions:
- Modify existing ADR rule to add a clause and filter on the title (highlighted)Patch Tuesday ADR
- or, as an alternate disable the ADR rule and manually deploy the update that contains the “Security Only Quality Update,” microsoft explained.