I want to thank Paul Bergson for this great update. I do think this import to all our Techies out there!
Hello, Paul Bergson back again with a discussion on the upcoming changes to our monthly patch releases to align down-level supported operating systems, updating practices to coincide with the Windows 10 Service Model. This includes Windows 7/8/8.1 and Windows Server 2008 R2/2012/2012R2.
“From October 2016 onwards, Windows will release a single Monthly Rollup that addresses both security issues and reliability issues in a single update. The Monthly Rollup will be published to Windows Update (WU), WSUS, SCCM, and the Microsoft Update Catalog. Each month’s rollup will supersede the previous month’s rollup, so there will always be only one update required for your Windows PCs to get current.”
Beginning in October 2016 onwards,
don’t expect to see individual KB’s but instead expect to see the following in the monthly patch release cycle:
- Collects all of the security patches for that month into a single update
- Security updates from previous bullet point
- All updates, rollups, patches, and security updates for that month
- Proactive addition of previously shipped patches (within 6-8 months the monthly rollup will include all patches back to the last baseline and will be fully cumulative)
.Net Framework Security-Only Update
- Contains only security updates
.Net Framework Rollup *1
- .Net Framework Security Updates from Previous Bullet Point
- Reliability updates
This change brings up a key question:
“With the new Windows as a Service: Service Model, can we back out a single patch (KB) if it causes issues since they are all rolled up?”
The short answer is “No”, you can’t control which KB’s can be applied, so the complete roll up would need to be backed out. But the answer is more complex than a simple no.
The point of rollups is to correct the fragmentation caused by systems containing a mix of individual updates. It will not be possible to uninstall specific KB’s of a rollup. If there is a problem the partner will need to open up a case and provide business justification to drive the discussion with Microsoft.
“Historically, we have released individual patches for these platforms, which allowed you to be selective with the updates you deployed. This resulted in fragmentation where different PCs could have a different set of updates installed leading to multiple potential problems;”
Typical customer patch fragmented operating system
Microsoft pre-release patch test environment (Fully patched)
“Each month’s rollup will supersede the previous month’s rollup, so there will always be only one update required for your Windows PCs to get current”
A few details as to why the decision was made by Microsoft to follow the new servicing model.
“Traditionally, new versions of Windows have been released every few years. The deployment of those new versions within an organization would then become a project, either by leveraging a “wipe and load” process to deploy the new operating system version to existing computers, or by migrating to the new operating system version as part of the hardware replacement cycle. Either way, a significant amount of time and effort was required to complete these tasks.
With Windows 10, a new model is being adopted. This new model, referred to as “Windows as a service,” requires organizations to rethink how they deploy and upgrade Windows. It is no longer a project that happens every few years, it is a continual process.” *3
“Instead of new features being added only in new releases that happen every few years, the goal of Windows as a service is to continually provide new capabilities. New features are provided or updated two to three times per year, while maintaining a high level of hardware and application compatibility.
This new model uses simpler deployment methods, reducing the overall amount of effort required for Windows servicing. By combining these simpler methods (such as in-place upgrade) with new techniques to deploy upgrades in phases to existing devices, the effort that used to be performed as part of a traditional deployment project is spread across a broad period of time.” *4
Windows 10 servicing model terms.
|Feature Update||A new Windows 10 release that contains additional features and capabilities, released two to three times per year.|
|Quality Update||Packages of security patches, reliability patches, and other bug patches that are released periodically, typically once a month on Update Tuesday (sometimes referred to as Patch Tuesday). With Windows 10, these are cumulative in nature.|
|Branch||The windows servicing branch is one of four choices: Windows Insider, Current Branch, Current Branch for Business, or Long-Term Servicing Branch. Branches are determined by the frequency with which the computer is configured to receive feature updates.|
|Ring||A ring is a groups of PCs that are all on the same branch and have the same update settings. Rings can be used internally by organizations to better control the upgrade rollout process.|
|Servicing option||Availability of new feature upgrades for installation||Minimum length of servicing lifetime||Key benefits||Supported editions|
|Current Branch (CB)||Immediately after first published by Microsoft||Approximately 4 months||Makes new features available to users as soon as possible||Home, Pro, Education, Enterprise, IoT Core, Windows 10 IoT Core Pro (IoT Core Pro)|
|Current Branch for Business (CBB)||Approximately 4 months after first published by Microsoft||Approximately 8 months||Provides additional time to test new feature upgrades before deployment||Pro, Education, Enterprise, IoT Core Pro|
|Long-Term Servicing Branch (LTSB)||Immediately after published by Microsoft||10 Years||Enables long-term deployment of selected Windows 10 releases in low-change configurations||Enterprise LTSB|
Windows 10 release types and cadences
Although Microsoft releases flight builds to Windows Insiders, Microsoft will publish two types of Windows 10 releases broadly to the public on an ongoing basis:
- Feature updates that install the latest new features, experiences, and capabilities on devices that are already running Windows 10. Because feature updates contain an entire copy of Windows, they are also what customers use to install Windows 10 on existing devices running Windows 7 or Windows 8.1, and on new devices where no operating system is installed.
- Quality updates that focus on the installation of security patches and other important updates. Microsoft expects to publish an average of two to three new feature updates per year, and to publish quality updates as needed for any feature updates that are still in support. Microsoft will continue publishing servicing updates on Update Tuesday (sometimes referred to as Patch Tuesday). Additionally, Microsoft may publish additional quality updates for Windows 10 outside the Update Tuesday process when required to address customer needs.
The cumulative nature of all Windows 10 releases It is important to note that, in order to improve release quality and simplify deployments, all new releases that Microsoft publishes for Windows 10 will be cumulative. This means new feature upgrades and servicing updates will contain the payloads of all previous releases (in an optimized form to reduce storage and networking requirements), and installing the release on a device will bring it completely up to date. Also, unlike earlier versions of Windows, you cannot install a subset of the contents of a Windows 10 quality update. For example, if a quality update contains patches for three security vulnerabilities and one reliability issue, deploying the update will result in the installation of all four patches. *5
Note 1: There will continue to be a ratings rollup. Just like how we rate cumulative updates in Win10, if there is a new security patch in the rollup and the security patch is critical, then the entire rollup is marked as critical. Since both the security-only update and the monthly rollup will contain the same new security patches each month they will both also have the same security ratings each month. The customer can choose whichever one they prefer to deploy to stay compliant.
Note 2: For slow bandwidth sites, WSUS can be configured for Express installation files, but requires additional bandwidth on the WSUS side, but minimizes downloads on the client side. See Express Install Files section in this link:https://technet.microsoft.com/en-us/library/cc708456(v=ws.10)
Hopefully this information has helped and we encourage you to read all the linked documentation and share it with your staff as you prepare for the upcoming changes.