Microsoft announced plans to institute a simpler patching model for multiple operating systems

Article ID: 150442


Products

Patch Management Solution for Windows

Issue/Introduction

 

Resolution

Microsoft introduced a Monthly Rollup model beginning in October 2016 for Windows 7, Windows 8.1, Windows Server 2008 R2, Windows Server 2012 and Windows Server 2012 R2.

Review the following key points from this article:

  • The Monthly Rollups will include both security and reliability updates:
    • Multiple patches rolled together into a single update.
    • Will be cumulative in nature, including the entire release for that month's Software Updates, and will supersede the previous Monthly Rollup.
  • The monthly security updates will include multiple security-related fixes in a single rollup:
    • Will not be cumulative in nature. Microsoft detailed that it will be possible to install the monthly security update for any given month without having the previous monthly security updates installed.
    • Advisory: No longer releasing individual security or reliability fixes; however, there is still a possible exception of out-of-band security releases and Zero-Day vulnerability fixes.

More details can be found in this TechNet article. Additionally, the .NET Framework will also follow the Monthly Rollup model as outlined on .Net Framework Monthly Rollup.

Additionally, Microsoft released more info regarding this change in update servicing changes. 

  • This article addresses the following common concerns:  
    • Will the Rollup Package Sizes get large?
    • What's expected if you install both updates [Monthly / Security Rollups]?
    • What if an update causes an issue?
  • This article details the layout for how both the B Week and C Week deployments will be released:
    • B Week: Cumulative Release (CR) & Security Bulletin (SB) for that specific Month
    • C Week: Quality Preview (QP) of the coming month for testing and review
      • Here is the example chart provided in this article outlining the B Week (CR/SB) & C Week (QP) deployment schedule:

Advisory: Because Monthly Rollups and monthly security updates are each packaged as a single update, administrators will not be able to pick and choose which individual fixes will be deployed/installed. Additionally, the full package size will need to be replicated from the SMP Server to Site/Package Servers and out to the managed endpoints.

The deployment of these Software Bulletins will be listed in the Patch Remediation Center (PRC) as follows and detailed in INFO4140:

  • Cumulative Monthly Rollups as MS17-MR#-##
    • Example: April release is listed as MS17-MR81-04 (Monthly Rollup update for Windows 8.1 and Server 2012 R2)
      • MR# will change depending on the Operating System: MR7, MR8, MR81
    • Note: Prior to 4/12/2017: Listed as CR##-###
      • Example: October release is listed as CR16-001
        • Estimated package size for English & Invariant Cultures: 664 MB
  • Security Bulletin Release as MS17-SO#-##-##
    • Example: April release is listed as MS17-SO81-04 (Security Only update for Windows 8.1 and Server 2012 R2)
      • SO# will change depending on the Operating System: SO7, SO8, SO81
    • Note: Prior to 4/12/2017: Listed as SB##-###:
      • Example: October release is listed as SB16-001
        • Estimated package size for English & Invariant Cultures: 453 MB
  • Viewing the individual MS##-### bulletins managed within these Software Bulletin listings is outlined in TECH236395
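
An added Python example (not part of the original article or of Patch Management Solution): it parses the bulletin names listed above and reports which months have no security coverage for one OS code, given that a Monthly Rollup is cumulative while a Security Only update covers only its own month. The function names, the same-year simplification and the sample names in the usage note are assumptions made here.

```python
import re

# Name forms as shown in the PRC examples above.
ROLLUP = re.compile(r"^MS(\d{2})-(MR|SO)(7|81|8)-(\d{2})$")  # e.g. MS17-MR81-04
LEGACY = re.compile(r"^(CR|SB)(\d{2})-(\d{3})$")             # e.g. CR16-001
SINGLE = re.compile(r"^MS(\d{2})-(\d{3})$")                  # e.g. MS16-120

def parse_bulletin(name):
    """Classify a PRC bulletin name; returns a dict, or None if unrecognised."""
    m = ROLLUP.match(name)
    if m:
        year, kind, os_code, month = m.groups()
        if not 1 <= int(month) <= 12:
            return None
        return {"kind": "monthly_rollup" if kind == "MR" else "security_only",
                "os": os_code, "year": 2000 + int(year), "month": int(month)}
    m = LEGACY.match(name)
    if m:
        kind, year, seq = m.groups()
        # Legacy names carry a sequence number, not a month or an OS code.
        return {"kind": "monthly_rollup" if kind == "CR" else "security_only",
                "os": None, "year": 2000 + int(year), "seq": int(seq)}
    m = SINGLE.match(name)
    if m:
        return {"kind": "individual", "year": 2000 + int(m.group(1)),
                "number": int(m.group(2))}
    return None

def missing_security_months(installed, os_code, year, through_month, first_month=1):
    """Months in first_month..through_month with no security coverage.

    Assumption (simplified model): a Monthly Rollup for month N covers every
    month <= N of the same year because it is cumulative; a Security Only
    update covers only its own month.
    """
    rollup_months, so_months = [], set()
    for name in installed:
        b = parse_bulletin(name)
        if not b or b.get("os") != os_code or b["year"] != year:
            continue
        if b["kind"] == "monthly_rollup":
            rollup_months.append(b["month"])
        elif b["kind"] == "security_only":
            so_months.add(b["month"])
    covered_through = max(rollup_months, default=0)
    return [m for m in range(first_month, through_month + 1)
            if m > covered_through and m not in so_months]
```

For a constructed endpoint reporting `MS17-MR81-05` and `MS17-SO81-07`, `missing_security_months(..., "81", 2017, 8, first_month=4)` returns `[6, 8]`: the May rollup covers April and May, while the July Security Only update does not cover June.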

October's Microsoft Software Bulletin release was provided in PMImport v7.1.861, released on 10/12/2016. The following explains several of the more confusing aspects of this updated naming scheme:

  • Patch Remediation Center (PRC) displays Software Bulletins MS16-118 through MS16-127 outside the CR & SB releases:
    • Confirmed all October's releases, for both Security and Software Updates, are included in CR16-001 & SB16-001.
      • Highlight > Right-click > List Software Updates for each of these and view the listed Software Updates
      • Confirmed each one houses the vulnerabilities for all of the individual Security and Software Updates released this month, as detailed on each link above: These individual security updates also resolve the following vulnerabilities:
        • Confirmed that clicking each individual MS16-### link will list all individual Software/Security Updates and they are individually tagged by Microsoft as one of the following:
          • Monthly Rollup
          • Security Only
        • Note: There are several Software Bulletins not housed in the two main rollups outlined above, because Microsoft lists them as software-specific updates, e.g. Microsoft Office or Adobe Security fixes, outside the general Windows Monthly Rollup. Examples: MS16-119, MS16-121 & MS16-127. Furthermore, MS16-119 & MS16-125 are not listed in the PRC because they house the Windows 10 & Microsoft Edge Security Updates, which are deployed under the CSWU naming scheme per INFO3207. Please review HOWTO59203 for full details of the acronyms listed in the PRC.
          • Additionally, there were no updates for the Windows 7, Windows 8.1, Windows Server 2008 R2, Windows Server 2012 and Windows Server 2012 R2 operating systems included in the separate MS16 bulletins, because those provided are for Windows6.0 and WindowsXP Embedded OS types. The two main rollups listed above for SB / CR are the only means to deploy Software Updates to these Windows6.1 operating systems.
        • Advisory: This methodology of supporting individual Software Bulletins alongside the new rollup method is strictly at the discretion of Microsoft and could be modified by that vendor at any time. Please note that the October 2016 release with individual Bulletins listed in the PRC is a result of Patch Management Solution providing support for all public software updates as presented by each vendor.
          • Additionally, Microsoft detailed the following: Each month there will be separate updates released for a variety of reasons (e.g. DST time zone changes, out-of-band security fixes). Many of these will be rolled into the next monthly rollup, although some will remain separate, including Office, Flash and Silverlight updates.
             
    • Confirmed all .NET vulnerabilities are housed under both CR16-001 & SB16-001 as detailed above; however, the individual .NET Software Updates are present and listed under MS16-120 if needed.
       
    • Please review TECH198736 if any Software Updates appear to be missing, for this article provides several methods for isolating which Bulletin the Updates are housed in, or contact Support to have any missing Software Updates reviewed to be added.

Positive points for review:

  1. Ability to test deployment of Monthly Rollups longer with Patch Management Solution:
    • These Monthly Rollups will be superseded each month, so Microsoft will not provide October's Software Updates in November, because November's rollup will be the currently supported release. However, Patch Management can continue to test October's releases into November by not scheduling the PMImport to run. If the PMImport is not scheduled, the old rule data for October is still viewed as current and the deployment of those releases may still be utilized until deemed safe for Production Rollout by the Administrator.
    • Other patching tools will most likely only be able to target/patch current releases, so in November 2016, the October 2016 releases may not be made available.
       
  2. Software Update Policies will be easier to manage:
    • The separation of Security Bulletins & Cumulative Releases will reduce the size/count of the Software Update Policies. The best practice, per HOWTO95202, is to bundle the monthly release into a single policy, and with this change the Administrator is able to create a single policy for each Rollup Bulletin and deploy it.
       
  3. Import Patch Data for Windows (PMImport) performance increase:
    • With only two policies per month being created at most, and the Cumulative Releases being superseded each month, they will not need to be kept active in the Console, and the PMImport will have less package/policy refresh and clean-up, resulting in a faster execution over time.