An article by Paul Bergson on the Windows servicing (updates) model and how it is evolving… well worth reading!
Hello, Paul Bergson back again with a discussion on the upcoming changes to our monthly patch releases, which align the updating practices of down-level supported operating systems with the Windows 10 Service Model. This includes Windows 7/8/8.1 and Windows Server 2008 R2/2012/2012 R2 (this will also impact Windows Server 2016 once released).
“From October 2016 onwards, Windows will release a single Monthly Rollup that addresses both security issues and reliability issues in a single update. The Monthly Rollup will be published to Windows Update (WU), WSUS, SCCM, and the Microsoft Update Catalog. Each month’s rollup will supersede the previous month’s rollup, so there will always be only one update required for your Windows PCs to get current.”
https://blogs.technet.microsoft.com/windowsitpro/2016/08/15/further-simplifying-servicing-model-for-windows-7-and-windows-8-1/
Beginning in October 2016, don’t expect to see individual KB’s but instead expect to see the following in the monthly patch release cycle:
- Security-Only Update
  - Collects all of the security patches for that month into a single update
- Cumulative Update
  - Security Updates from previous bullet point
  - Collective update of all Updates, Rollups, Bug Fixes, and Security Updates
- .Net Framework Security-Only Update
  - Contains only security updates
- .Net Framework Rollup *1
  - .Net Framework Security Updates from previous bullet point
  - Reliability updates
This change brings up a key question:
“With the new Windows as a Service: Service Model, can we back out a single patch (KB) if it causes issues since they are all rolled up?”
The short answer is “No”, you can’t control which KB’s can be applied, so the complete roll up would need to be backed out. But the answer is more complex than a simple no.
The point of rollups is to correct the fragmentation caused by systems containing a mix of individual updates. It will not be possible to uninstall specific KB’s of a rollup. If there is a problem the partner will need to open up a case and provide business justification to drive the discussion with Microsoft.
“Historically, we have released individual patches for these platforms, which allowed you to be selective with the updates you deployed. This resulted in fragmentation where different PCs could have a different set of updates installed leading to multiple potential problems;”
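To make the rollback answer above concrete, here is an added PowerShell example (not from the original article) that picks the newest installed Monthly Rollup out of an update history and builds the command to back out that whole package. The function names, the title pattern, the KB numbers and the sample records are assumptions constructed for illustration.

```powershell
# Added illustration: function names, title pattern and sample records are assumptions.
function Get-InstalledRollup {
    param([Parameter(Mandatory)][object[]]$History)
    foreach ($entry in $History) {
        # Windows Update Agent values: Operation 1 = installation, ResultCode 2 = succeeded.
        if ($entry.Operation -ne 1 -or $entry.ResultCode -ne 2) { continue }
        # Assumed title convention: "... Monthly Quality Rollup ... (KB<digits>)".
        if ($entry.Title -match 'Monthly Quality Rollup.*\(KB(?<kb>\d+)\)') {
            [pscustomobject]@{ KB = $Matches['kb']; Date = $entry.Date; Title = $entry.Title }
        }
    }
}

function Get-RollupRollbackPlan {
    param([Parameter(Mandatory)][object[]]$History)
    $rollups = @(Get-InstalledRollup -History $History | Sort-Object Date -Descending)
    if ($rollups.Count -eq 0) { return $null }
    [pscustomobject]@{
        # Each rollup supersedes the previous one, so only the newest is backed out.
        RemoveKB         = $rollups[0].KB
        Title            = $rollups[0].Title
        SupersededCount  = $rollups.Count - 1
        # wusa.exe removes the package as a unit; it has no switch for one fix inside it.
        Command          = "wusa.exe /uninstall /kb:$($rollups[0].KB) /norestart"
    }
}

# Constructed sample history (placeholder KB numbers, not real updates).
$sample = @(
    [pscustomobject]@{ Title = 'October, 2016 Security Monthly Quality Rollup for Windows 7 (KB0000001)'
                       Date = [datetime]'2016-10-11'; Operation = 1; ResultCode = 2 }
    [pscustomobject]@{ Title = 'November, 2016 Security Monthly Quality Rollup for Windows 7 (KB0000002)'
                       Date = [datetime]'2016-11-08'; Operation = 1; ResultCode = 2 }
    [pscustomobject]@{ Title = 'November, 2016 Security Only Quality Update for Windows 7 (KB0000003)'
                       Date = [datetime]'2016-11-08'; Operation = 1; ResultCode = 2 }
)
Get-RollupRollbackPlan -History $sample | Format-List

# On a live machine the history can be read from the Windows Update Agent instead:
#   $searcher = (New-Object -ComObject Microsoft.Update.Session).CreateUpdateSearcher()
#   $live = $searcher.QueryHistory(0, $searcher.GetTotalHistoryCount())
#   Get-RollupRollbackPlan -History $live
```

The plan only prints the command; running it removes every fix that month's rollup delivered, security fixes included, which is the trade-off the article describes.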
*2(…)
- Feature upgrades that install the latest new features, experiences, and capabilities on devices that are already running Windows 10. Because feature upgrades contain an entire copy of Windows, they are also what customers use to install Windows 10 on existing devices running Windows 7 or Windows 8.1, and on new devices where no operating system is installed.
- Servicing updates that focus on the installation of security fixes and other important updates. Microsoft expects to publish an average of two to three new feature upgrades per year, and to publish servicing updates as needed for any feature upgrades that are still in support. Microsoft will continue publishing servicing updates on Update Tuesday (sometimes referred to as Patch Tuesday). Additionally, Microsoft may publish additional servicing updates for Windows 10 outside the Update Tuesday process when required to address customer needs.
The cumulative nature of all Windows 10 releases
It is important to note that, in order to improve release quality and simplify deployments, all new releases that Microsoft publishes for Windows 10 will be cumulative. This means new feature upgrades and servicing updates will contain the payloads of all previous releases (in an optimized form to reduce storage and networking requirements), and installing the release on a device will bring it completely up to date. Also, unlike earlier versions of Windows, you cannot install a subset of the contents of a Windows 10 servicing update. For example, if a servicing update contains fixes for three security vulnerabilities and one reliability issue, deploying the update will result in the installation of all four fixes. *5
Note 1: There will continue to be a ratings rollup. Just like how we rate cumulative updates in Win10, if there is a new security fix in the rollup and the security fix is critical, then the entire rollup is marked as critical. Since both the security-only update and the monthly rollup will contain the same new security fixes each month they will both also have the same security ratings each month. The customer can choose whichever one they prefer to deploy to stay compliant.
Note 2: For slow bandwidth sites, WSUS can be configured for Express installation files. This requires additional bandwidth on the WSUS side but minimizes downloads on the client side. See the Express Install Files section in this link: https://technet.microsoft.com/en-us/library/cc708456(v=ws.10)
1. https://blogs.msdn.microsoft.com/dotnet/2016/08/15/introducing-the-net-framework-monthly-rollup/
2. https://blogs.technet.microsoft.com/windowsitpro/2016/08/15/further-simplifying-servicing-model-for-windows-7-and-windows-8-1/
3. https://technet.microsoft.com/en-us/security/gg309155
4. https://technet.microsoft.com/en-us/itpro/windows/plan/windows-10-servicing-options
5. https://technet.microsoft.com/en-us/itpro/windows/manage/introduction-to-windows-10-servicing
Hopefully this information has helped and we encourage you to read all the linked documentation and share it with your staff as you prepare for the upcoming changes.