Today Microsoft starts its new patching policy for certain versions of Windows desktop and server, promising a more consistent and simplified servicing experience. However, it means more choices for IT administrators.
The change affects Windows 7 SP1, Windows 8.1, Windows Server 2008 R2, Windows Server 2012, and Windows Server 2012 R2 updates.
In a blog post a few days ago, staffer Michael Niehaus gave a lengthy and detailed explanation of what’s happening. Briefly, there will be three monthly releases:
— a single update on the usual Patch Tuesdays containing all new security fixes for that month, to be published to Windows Server Update Services (WSUS), where it can be accessed by other tools like ConfigMgr, and the Windows Update Catalog, where it can be downloaded for use with other tools or processes. This package won’t be offered to PCs that talk to Windows Update.
— a single update on Patch Tuesdays called the “monthly rollup” containing all new security fixes for that month (the same ones included in the security-only update released at the same time), as well as fixes from all previous monthly rollups. This will be published to Windows Update for consumer PCs, WSUS, and the Windows Update Catalog. The initial monthly rollup released in October will only have new security updates from October, as well as the non-security updates from September.
— for those who like looking ahead, on the third Tuesday of the month there will be a “preview rollup” with a preview of new non-security fixes that will be included in the next monthly rollup, as well as fixes from all previous monthly rollups.
“Some small enterprise and mid-market companies rely on Microsoft management tools,” commented Jon Oltsik, an analyst at Enterprise Strategy Group. “For organizations that fit this model, Microsoft patch management is a good addition as it aligns with their current knowledge and processes. Large organizations will not find this attractive as they have built their patch management processes around different vendor technologies.”
The security-only and monthly rollups will contain fixes for the Internet Explorer version supported for each operating system, Microsoft adds. For Windows 7, Windows 8.1, Windows Server 2008 R2, and Windows Server 2012 R2, that is Internet Explorer 11; for Windows Server 2012, that is Internet Explorer 10. The security-only, monthly rollup, and preview rollup will not install or upgrade to these versions of Internet Explorer if they are not already present.
Administrators who use WSUS should make sure that the “Security Updates” classification in the “Products and Classifications” options page has been selected, so that both the security-only update and the monthly rollup on Update Tuesday are synchronized. To synchronize the optional preview rollup, also ensure the “Updates” classification is selected.
Also ensure that support for “express installation files” in the WSUS “Update Files and Languages” options page has been enabled.
Microsoft says existing automatic approval rules for Windows 7 or Windows 8.1 will continue to work as is. But since the security-only update and the monthly rollup are both classified as “Security Updates,” rules that specify this classification will approve both. Admins may also manually approve just the monthly rollup.
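
For administrators who want to check these WSUS settings from the command line, the following read-only PowerShell audit is an added example, not code from Microsoft or from the blog post. It assumes it is run on the WSUS server itself with the UpdateServices module available (Windows Server 2012 or later) and that classification titles are in English.

```powershell
# Added example: read-only audit of the WSUS settings named in the article.
# Assumptions: run locally on the WSUS server; English classification titles.
Import-Module UpdateServices

$wsus = Get-WsusServer   # connects to the local WSUS server

# Titles of the classifications currently selected for synchronization
$syncClasses = @($wsus.GetSubscription().GetUpdateClassifications() |
    ForEach-Object { $_.Title })

# Server configuration ("Update Files and Languages" options)
$config = $wsus.GetConfiguration()

$report = @(
    [pscustomobject]@{
        Setting = 'Classification "Security Updates"'
        UsedFor = 'security-only update and monthly rollup'
        Enabled = $syncClasses -contains 'Security Updates'
    }
    [pscustomobject]@{
        Setting = 'Classification "Updates"'
        UsedFor = 'optional preview rollup'
        Enabled = $syncClasses -contains 'Updates'
    }
    [pscustomobject]@{
        Setting = 'Express installation files'
        UsedFor = 'recommended in the article'
        Enabled = $config.DownloadExpressPackages
    }
)
$report | Format-Table -AutoSize

# Enabled automatic approval rules that specify "Security Updates":
# these will approve BOTH the security-only update and the monthly rollup.
$rules = @($wsus.GetInstallApprovalRules() | Where-Object {
    $titles = @($_.GetUpdateClassifications() | ForEach-Object { $_.Title })
    $_.Enabled -and ($titles -contains 'Security Updates')
})

if ($rules.Count -gt 0) {
    Write-Warning 'These rules will approve both the security-only update and the monthly rollup:'
    $rules | Select-Object Name, Enabled | Format-Table -AutoSize
} else {
    Write-Output 'No enabled approval rule specifies "Security Updates".'
}
```

The script changes nothing on the server; any rule it lists is one to review if only the monthly rollup or only the security-only update should be deployed.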