When Windows 10 was released, one of the biggest things that worried IT System Admins was the pretty major change to the way Windows Updates were deployed. Traditionally, Microsoft released an assortment of security fixes and minor non-security fixes every month. Then once or twice a year they may have released service packs as fix rollups and feature improvements. This approach allowed IT System Admins to push security patches out whenever they got round to it or let computers update themselves. Then every X amount of years (or never) they thought about planning to upgrade their IT estate which would be a massive project.
With Windows 10, this all changed and this year, it changed for earlier operating systems too.
In May this year, Microsoft announced that they would be moving to a “Servicing” update deployment model for Windows 7, 8 and 8.1, and this went live last week (TechNet). This new model moves away from rolling out individual updates to deploying a small number of Monthly Rollups. Unlike Windows 10, you are not forced to install these rollups. However, not doing so could potentially leave your estate vulnerable.
Each month you will start receiving the following:
- A security-only quality update – This will contain all security fixes for a month and is only released to WSUS
- A monthly quality rollup – This will contain all security fixes for a month and all fixes from previous months. This will be released to both WSUS, Windows Update and the Update Catalog
- A .NET Framework rollup – Security and reliability updates for all versions of .NET. However, you will not be upgraded to newer base versions of .NET.
Is this move a good thing? In my opinion, yes. Using the traditional method, it can be very difficult to make sure that each device on your network has every recommended update installed. This inconsistency often causes issues and can be difficult to remediate. Moving to this method makes it much easier to ensure your estate is up to date, and much easier to identify the cause when problems occur.
A question I had from a customer is, “What if a single update in the rollup breaks something?”. The answer is that you should be using ring deployments. This means that you specify rings of devices so that a faulty update reaches only a small group first, enabling you to pull the update and investigate with minimal impact on end users. It should be noted that Microsoft have got a lot better at testing updates thoroughly before public release, so this should be rare.
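One way to put ring deployments into practice on a WSUS server, as an added example that is not from the original post: the script approves a Monthly Rollup for the next ring only when the previous ring reports a healthy install rate. The KB number, the ring group names and the 95% threshold are assumptions to replace with your own.

```powershell
# Added example (not from the original post): promote a Monthly Rollup through WSUS
# rings only when the previous ring reports a healthy install state.
# Assumptions: runs on the WSUS server with the UpdateServices module, the target
# groups in $rings already exist, and $kb is replaced with the month's real KB id.
Import-Module UpdateServices

$kb        = '0000000'                                      # placeholder KB article id
$rings     = 'Ring1-Pilot', 'Ring2-Broad', 'Ring3-Estate'   # assumed WSUS target group names
$threshold = 0.95   # share of a ring that must report Installed before promoting

$wsus   = Get-WsusServer
$update = $wsus.SearchUpdates("KB$kb") |
          Where-Object { $_.KnowledgebaseArticles -contains $kb } |
          Select-Object -First 1
if (-not $update) { throw "KB$kb is not in WSUS; synchronise first." }

$groups = @{}
foreach ($g in $wsus.GetComputerTargetGroups()) { $groups[$g.Name] = $g }

# A ring is healthy when at least one member has reported, none failed, and at
# least $threshold of the applicable members show the rollup as installed
# (pending reboot counts). Computers that have not reported yet count against it.
function Test-RingHealthy([string]$Name) {
    $states = @($update.GetUpdateInstallationInfoPerComputerTarget($groups[$Name]) |
                ForEach-Object { $_.UpdateInstallationState.ToString() } |
                Where-Object { $_ -ne 'NotApplicable' })
    if ($states.Count -eq 0) { return $false }
    if ($states -contains 'Failed') { return $false }
    $done = @($states | Where-Object { $_ -in 'Installed', 'InstalledPendingReboot' }).Count
    return ($done / $states.Count) -ge $threshold
}

function Test-Approved([string]$Name) {
    return $update.GetUpdateApprovals($groups[$Name]).Count -gt 0
}

for ($i = 0; $i -lt $rings.Count; $i++) {
    $ring = $rings[$i]
    if (Test-Approved $ring) { Write-Host "$ring already approved"; continue }
    if ($i -gt 0 -and -not (Test-RingHealthy $rings[$i - 1])) {
        Write-Host "Holding $ring: $($rings[$i - 1]) has not reached $threshold installed without failures"
        break
    }
    $update.Approve('Install', $groups[$ring]) | Out-Null
    Write-Host "Approved KB$kb for $ring"
    break   # one ring per run; re-run after the ring's reporting window has passed
}
```

Run it on a schedule after each ring's deadline; a ring that reports failures holds the rollup back so it can be pulled and investigated before it reaches the wider estate.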
These update rollups are cumulative, which means that the fixes from previous rollups are included in the latest one. Over time, this means that the rollup can become quite large. To combat this, if you are not already, you should consider using a centralised update management system, which you can additionally augment with peer-to-peer technologies such as BranchCache to reduce the impact on your network.
I think this approach works, however it might require some changes in IT departments’ mentality. In some cases, it might require some improvement to your infrastructure. Please feel free to get in touch if you have any questions or need any further advice on this.