Kaseya Community

Microsoft New Patch Rollup Announcement

  • Microsoft announced changes to the way they will issue patches for Windows 7 and 8.1 (see the official post at: https://blogs.technet.microsoft.com/windowsitpro/2016/08/15/further-simplifying-servicing-model-for-windows-7-and-windows-8-1/). Starting in October 2016, Microsoft will provide a monthly "Rollup" patch for Windows 7 and 8.1 Operating Systems as opposed to issuing individual patches. Their reasoning is to simplify patching complexities, testing and interoperability. However, this means end-users will have less flexibility in determining which particular fixes they wish to deploy. Simply put, there will be one rollup patch per month which will include fixes for both security and reliability issues.

    Additionally, Microsoft announced that they would also provide a monthly Security-only update. While these security updates will also be included in the monthly rollup patch, this provides an additional option for customers who only want to patch security issues. The Security-only update will not be published via Windows Update.

    We are working with Microsoft to determine the best way to distribute Security-only updates for those that only wish to deploy security updates and will be updating this post with additional details as they become available.

    correct URL to MS Announcement
    [edited by: Mike Puglia at 8:27 PM (GMT -7) on Sep 5, 2016]
  • Thanks Mike. Nice to know you're working on it.

    With MS's reputation for releasing patches that break things, it would be good to be able to hold the "all-in-one" patch but push the "security-only" patch each month (or vice versa, if required) based on what breaks each month.

    With patching being totally revised in R9.4, there's perhaps not a lot of point speculating on how this could be managed in the current patch management module....?

  • Here's a good overview article: www.infoworld.com/.../microsoft-changes-win781-updates-pushes-even-harder-for-windows-10.html

  • Thanks Mike, we look forward to hearing about what comes from your collaboration with Microsoft.

    Meanwhile, here are my notes so far, excuse bad formatting.  Brian Dagan started a good thread on this as well.

    1.    Patch types NOT subject to getting moved to the MAIN rollup
        a.    Servicing stack (Windows Update agent, etc.)
        b.    Flash
        c.    .NET
            i.    BUT .NET gets its OWN rollup
            ii.    https://blogs.msdn.microsoft.com/dotnet/2016/08/15/introducing-the-net-framework-monthly-rollup/
        d.    Office
        e.    GWX (the old Windows 10 upgrade notifications)
        f.    Windows Defender definition updates
    2.    Prereqs
        a.    Win 7 SP1, Server 2008 R2 SP1, Win 8.1, Server 2012, Server 2012 R2
        b.    April 2015 servicing stack update
            i.    https://support.microsoft.com/en-us/kb/3020369
    3.    Important quotes from Nathan Mercer
        a.    “Office has its own patches which are separate from Windows and not part of these servicing changes moving to rollups”
        b.    “announcements only relate to Windows, not other Microsoft products”
        c.    “Security-only will use the security category, Monthly Rollup will use the rollup category.”
        d.    “available to everyone and every Windows SKU not just business versions”
        e.    “IE version upgrades will not happen with Monthly rollup, but we plan to eventually include patches for whichever version of IE you currently have installed in the Monthly rollup, similar to the .NET rollup”
        f.    “announcement does not affect POSReady 2009”
        g.    “We are working to get IE included in the monthly rollup and security-only update but do not have a confirmed schedule yet”
        h.    “don’t currently have plans to extend the Rollup servicing model to Windows Vista or Windows Server 2008”
        i.    “this announcement does not affect driver updates. Driver updates are not included in Monthly Rollup or the Security-only rollup”
        j.    “In the new servicing model we will still be able to release security updates out of band if needed and then they would also be included in the next monthly rollup and security-only update that is released”
        k.    “After installing monthly rollups, we recommend running diskclean to clean up older superseded updates”
        l.    “Diskclean.exe is built into Windows 7 and can be used to clean up superseded updates. Windows 8.1 and Windows 10 automatically run clean up”
        m.    “rollups will start out small, but we expect that these will grow over time to something close to the convenience rollup size”
        n.    “Monthly Rollup will be classified as Critical or Security depending on the highest level of security fix in the Monthly Rollup”
        o.    “Monthly Rollup will be categorized as Update rollups”
        p.    “Security-only update will be classified as Critical or Security depending on highest level of security fix in the update”
        q.    “Security-only will be categorized as Security updates”
        r.    “If you only install security and critical updates, then you should use the security-only update rather than Monthly Rollup”
        s.    “Windows Defender definition updates are completely separate from this announcement and not impacted by this change”
        t.    “some ISVs also receive pre-release access to these updates to perform their own validation”
        u.    “These CU are improving the overall quality of the OS while also significantly reducing the rate of support calls. So we consider the changes to be very successful and that’s why we are making similar changes with Windows 7 and Windows 8.1.”
        v.    “you can still uninstall a rollup patch, it's the entire rollup patch, not individual fixes included in the patch”
        w.    “GWX is not included in these rollups”
        x.    “for Windows 7, once the Monthly Rollup goes cumulative, the baseline will be SP1”
        y.    “Monthly rollup will be available thru all the same distribution methods, Security-only rollup the same except not available thru WU”

  • Is there any update on how Kaseya will present these patches to customers that only want the security only patches?

  • For the Patch Management module in 9.3 and older, if you only want the security updates, you would simply use patch policies to deny everything except the security updates. Any patch which meets the requirements for patch discovery (see helpdesk.kaseya.com/.../34399846) would show in your VSA. You would be able to approve/deny patches based on classification, product, by individual patch, or by KB number.

    Specific information regarding patching with the new patch module in 9.4 (community.kaseya.com/.../roadmap.aspx) will be available as we get closer to General Availability.