Last fall, when Microsoft rolled out their new servicing model for Windows 7 SP1, Windows 8.1, Windows Server 2008 R2, Windows Server 2012 and, Windows Server 2012 R2 it was their intent to make the process of updating those operating systems similar to the Windows as a Service (WaaS) model that is now familiar to many companies and users with Windows 10 and other products and services.
Those updates use a rollup model and are there are three categories of updates under this new servicing model that has been in effect since October:
- Security Monthly Quality Update (aka the Monthly Rollup) – New fixes are rolled into a single update, which includes both security and reliability fixes, as well as all fixes from previous rollups. Each new Monthly Rollup will supersede the previous, so installing the latest Monthly Rollup will ensure you have all fixes since the start of the model in October 2016. For example, the December 2016 Monthly Rollup contained all the fixes in the October and November Monthly Rollups.
- Preview of Monthly Quality Rollup (aka the Preview Rollup) – New reliability fixes are first released in an optional Preview Rollup that enables early deployment of the new reliability fixes before they are included in the next Monthly Rollup.
- Security Only Quality Update (aka the Security Only update) – In an alternative option released to WSUS and Microsoft Update Catalog only, new security fixes are also provided in a single Security Only update, which rolls all the security patches for that month into a single update. The Security Only update does not contain fixes from previous months, and allows enterprises to download as small of an update as possible to remain secure.
According to Microsoft, since this process rolled out it has provided a consistent process for remaining up to date on their systems.
The company is now tweaking this process for its enterprise and business customers who use WSUS, SCCM. the Microsoft Update Catalog, or other update management products to deploy updates on their networks. Note: Consumer customers will not see any changes to their rollup update process with these modifications.
Here are summaries of the two changes being made:
Deploying both the Security Only update and Monthly Rollup
Both the Monthly Rollups and Security Only updates are available on WSUS and the Microsoft Update Catalog, and both are published with the “Security updates” classification, enabling enterprise customers using WSUS or other update management tools to sync and deploy both updates, depending on their settings. To further simply installation and deployment in this scenario, the servicing model was updated in December 2016 to better handle the Security Only update installation applicability.
As of December 2016, a Security Only update will not be offered on a PC where a Monthly Rollup (from the same or later month) is already installed. This is accomplished through an applicability definition on the Security Only update, which checks for the installation of a Monthly Rollup (from the same or later month) to determine if it applicable on the PC. For example, if a PC attempts to install the February 2017 Security Only update, and the February 2017 (or later) Monthly Rollup is already installed, the Windows Update client will now report the Security Only update as not applicable. In addition to simplifying the installation scenario, tools that leverage such applicability for deployment reporting would see the Security Only update as not needed on the PC.
Additionally, as of December 2016, Security Only updates from earlier months (October and November 2016) were revised to leverage this applicability check, so it now applies to all Security Only updates released in the new servicing model. Finally, this applicability definition also checks for the installation of a Preview Rollup from the same or later month, which also includes the security fixes for that month.
Reducing the package size of the Security Only update
The Security Only update contains new security fixes for the Windows operating system, which includes Internet Explorer. Before October 2016, updates for the latest supported version of Internet Explorer (IE11 for Windows 7 SP1, Windows 8.1, Windows Server 2008 R2 and Windows Server 2012 R2; IE10 for Windows Server 2012) were provided in a separate monthly update. From October 2016 to January 2017 we included any Internet Explorer fixes for that month in the Security Only update to allow you to also remain secure for the latest supported Internet Explorer version for your operating system, all by installing the single Security Only update.
This inclusion enabled a simplified update installation process, though the Internet Explorer updates constituted a significant percentage of the total Security Only update package size. Given that package size is one of the primary reasons some enterprise customers choose to leverage the Security Only update (to optimize for smaller download in limited bandwidth scenarios), these customers have requested increased flexibility for deploying the Security Only updates for Windows independently of the fixes for Internet Explorer.
Starting with February 2017, the Security Only update will not include updates for Internet Explorer, and the Internet Explorer update will again be available as a separate update for the operating systems listed above.
With this separation, the Security Only update package size will be significantly reduced, but you will need to deploy and install the Internet Explorer update to remain secure for the latest supported version of the browser. [Note that the Internet Explorer update will not install or upgrade to the latest supported version of Internet Explorer if not already present.]
The Monthly Rollup will continue to include updates for Internet Explorer, as a single additive update that provides all security and reliability fixes since the beginning of the new servicing model in October 2016. Users of the Monthly Rollup will not need to install the separate Internet Explorer update. To simplify installation for Monthly Rollup users, the new Internet Explorer update will leverage the same installation applicability definition as the Security Only update (explained above), meaning that it will not install on a PC that has already installed the Monthly Rollup (or Preview Rollup) from the same or later month.
You can read more about these changes at the Windows for IT Pros website.
Looking for an awesome, no-nonsense technical conference for IT Pros, Devs, and Devops? Check out IT/Dev Connections!