Microsoft will change how patches and updates are delivered to devices running Windows 7 or Windows 8 starting tomorrow.
We have talked about the push towards all-in-one (cumulative) Windows updates in August when the company announced the change.
There is a bit of light and a lot of shadow when it comes to the new system that Microsoft has used for Windows 10 ever since the operating system launched.
Before we look at those, lets recap what changes and how that may affect your updating strategy.
October 2016 Windows updating changes for Windows 7 and 8
Microsoft moves from a one patch per issue update model to a cumulative update model known from Windows 10.
The company plans to release two patches in total for devices running Windows 7 or 8: the first is a cumulative security update that includes all security patches of the given month.
These security updates can be downloaded from Microsoft’s Update Catalog.
Additionally, a single cumulative update is made available each month that includes all security and non-security updates. This update is made available via Windows Update, but also as a download from the Update Catalog.
For managed systems, updates are also available through WSUS or SCCM.
These monthly rollups are cumulative which means that they include all patches that were added to previous rollup updates. Microsoft plans to integrate all available patches — that were published prior to October 2016 — eventually as well so that a single monthly rollup patch installs all patches released for Windows 7 or 8.
Microsoft will make available certain updates separately. This includes update for Microsoft’s .NET Framework, and for Internet Explorer 11.
Additionally, driver updates won’t be included in those patches, and out-of-band security updates will be published as soon as they are available. They will be added to the next monthly rollup patch and security update automatically.
Microsoft references a third update, called monthly quality rollup. This is a preview update that will include fixes that will be included in the next monthly rollup, and it will be released on the third Tuesday of each month.
Microsoft will release it as an optional update on WSUS, Windows Update Catalog and Windows Update.
The new update strategy
- Second Tuesday of a month: Microsoft will release a single security update containing all patches for a given month but only through WSUS and the Windows Update Catalog.
- Second Tuesday of a month: A monthly rollup update is released that contains all security and non-security fixes, including all updates from previous monthly rollups. These are released through WSUS, Windows Update Catalog and Windows Update.
- Third Tuesday of a month: A preview of the upcoming monthly rollup is released. This is classified as an optional update, and is available through Windows Update, WSUS and the Windows Update Catalog.
What’s good about the change
If you look at the new patching strategy you will notice that patching will get easier on first glance provided that things work.
Users who update Windows through Windows Update need to install a single patch instead of several. This may be especially useful when a new system is set up as it may take a while for patches to be retrieved on first use of Windows Update.
The downside
Microsoft’s new patching strategy is quite problematic for system administrators and many end users. The past has shown for instance that Microsoft does release patches every now and then that cause issues on the operating system. Some issues caused blue screens or endless reboot loops.
Users could remove the update responsible for that once it was identified, but that is no longer possible when the new updating system hits.
This means that you need to uninstall an entire month worth of security updates, or a monthly rollup update, to resolve the issue.
This leaves the system vulnerable to patched security vulnerabilities that did not cause any issues on the device.
Considering that it sometimes takes weeks or even longer to produce a working patch, this could leave systems vulnerable for a long time.
While that is bad enough, it gets worse.
If you don’t trust Microsoft enough because of its actions in the past year — Get Windows 10 or Telemetry are two headwords — then you may not want those cumulative updates. The reason is simple: you cannot block updates that you don’t want anymore.
If Microsoft would have launched the new patching strategy earlier, no one would have been able to block Get Windows 10 updates and Telemetry updates from being added to a running Windows 7 or 8.1 system unless Windows Update would have been turned off completely prior to the release.
Anyone who wants control over which updates get installed or removed cannot do that anymore. It is either all or nothing, with no middle-ground.
Since the organization will typically be deploying only the security-only fix, see the previous section for full details. In cases where there is a need to deploy one or more non-security fixes, manually approve the latest monthly rollup that contains the needed fixes. This monthly rollup will contain other fixes as well, so the entire package must be installed.
Your options
So what are the options that you have? There are three:
- Use Windows Update and install a single cumulative Monthly Rollup patch that includes security and non-security updates.
- Disable Windows Update, and download Security Patches through Microsoft’s Update Catalog.
- Disable Windows Update and don’t download and install any patches.
If you pick option 1, you get every update that Microsoft includes in the monthly rollup patches. This includes all security updates, all feature updates and fixes, but also every Telemetry, privacy-invasive or next generation Get Windows 10 update the company produces.
If you pick option 2, you get all security updates but may still run into issues with these patches.You do need to download and install those manually through Microsoft’s Update Catalog though, as you can’t use Windows Update for that anymore.
You won’t get feature updates, and likely won’t get the majority of updates that you don’t want either. Microsoft did include non-security patches in security updates in the past, which means that there is a theoretical chance that you still get unwanted updates.
Option 3 finally leaves your system vulnerable because of missing security updates. It is however the only option to avoid any unwanted updates on the device.
If you need additional information, Woody over at InfoWorld has you covered.
What Organizations may do
Organizations may join Microsoft’s Security Update Validation Program (SUVP) to validate updates before they are released publicly.
Other than that, the options outlined above apply to organizations as well.
Now You: What is your take on the change?