The recent Microsoft changes to the update philosophy for Windows versions before 10, and their impact on existing WSUS implementations.
On May 27, 2016, Nathan Mercer announced changes to the way updates are published.
The purpose of the changes introduced:
- to reduce the number of updates needed on a fresh installation.
- to reduce the variability in the set of updates installed on each computer, which can cause sync and dependency errors.
- to reduce the complexity of testing each update.
- to reduce the time needed by the Windows Update client to scan for needed updates.
- to reduce the complexity of finding and applying the right patches.
A few months later, on August 15, a second announcement from the same author set out the actual details of the new Microsoft Update philosophy:
- From October 2016 onwards, Windows will release a single Monthly Rollup on the second Tuesday of each month that addresses both security issues and reliability issues in a single update (this is a cumulative update). Each month's rollup will supersede the previous month's rollup, so there will always be only one update required to bring your Windows PCs current.
- Also from October 2016 onwards, Windows will release a single Security-only update on the same second Tuesday. This update collects all of the security patches for that month into a single update (this is a non-cumulative update). The security-only update lets enterprises download as small an update as possible while still keeping their devices secure.
The products that will follow these rules are:
- Windows 7 SP1
- Windows 8.1
- Windows Server 2008 R2
- Windows Server 2012
- Windows Server 2012 R2
- .NET Framework (all versions)
- Internet Explorer 11
- Internet Explorer 10
So, these are the basic rules of the game so far, until Microsoft decides to change them again.
Recommendations for WSUS Administrators:
Following the discussion on Microsoft's blog, I have found a few recommendations for WSUS administrators, which I describe next.
1. Avoid approving Security-Only updates AND Monthly-Rollup updates on the same WSUS server for the same product.
Although the updates in the Security-Only package are also included in the Monthly-Rollup package, WSUS treats both independently. This means that if a computer needs the Security-Only update, it will report that it needs the Monthly-Rollup update too. To avoid this incongruity you need to make a decision:
- You can decline Security-Only updates and approve Monthly-Rollup updates. This way you avoid downloading and installing the same update files twice. This is Microsoft's recommended way to do it.
- You can decline Monthly-Rollup updates and approve Security-Only updates. Nobody recommends this, but there may be a very specific environment where you strictly need only the security updates while keeping bandwidth and resource consumption low.
If you have a set of devices that need only those security updates and nothing else, and another set of devices with normal update needs, it is better to install a separate WSUS server for each set of devices; that way you avoid approving both Monthly-Rollup and Security-Only updates on the same server. If you approve both types of updates on the same server, all devices will report that they need both updates, and as explained above that is a redundant overload that must be avoided.
2. Enable support for Express Installation Files on your WSUS options when using Monthly-Rollup updates.
You can enable support for "express installation files" to ensure that client PCs only download the pieces of a particular monthly rollup that they haven't already installed, minimizing the network impact on the client side.
I must say that using express installation files will increase the internet bandwidth and local storage consumption, so be ready for that. Take the following Microsoft image as an example:
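As an added example (my own script, not code from the original post or from Microsoft), the following PowerShell applies both recommendations through the UpdateServices module that ships with the WSUS role on Windows Server 2012 and later. The update title patterns, the target group name and the use of the `DownloadExpressPackages` configuration property are assumptions that you should verify against your own WSUS catalog before running it.

```powershell
# Added example, not from the original post. Run on the WSUS server as an
# administrator. The title patterns below are assumptions: check them against
# the titles WSUS actually shows for your products before relying on them.
Import-Module UpdateServices

$SecurityOnlyPattern  = 'Security Only Quality Update'      # assumption
$MonthlyRollupPattern = 'Security Monthly Quality Rollup'   # assumption
$TargetGroup          = 'All Computers'                     # assumption

# Connect to the local WSUS server on the default port.
$wsus = Get-WsusServer

# Recommendation 1: never leave both update types approved for the same
# product. Decline every Security-Only update and approve every Monthly
# Rollup that is not yet approved. Only the Security classification is
# inspected; previews and other classifications are left untouched.
$candidates = Get-WsusUpdate -UpdateServer $wsus `
                             -Classification Security `
                             -Approval AnyExceptDeclined

foreach ($u in $candidates) {
    $title = $u.Update.Title
    if ($title -match $SecurityOnlyPattern) {
        Write-Host "Declining : $title"
        Deny-WsusUpdate -Update $u
    }
    elseif ($title -match $MonthlyRollupPattern -and -not $u.Update.IsApproved) {
        Write-Host "Approving : $title"
        Approve-WsusUpdate -Update $u -Action Install -TargetGroupName $TargetGroup
    }
}

# Recommendation 2: turn on express installation files so clients fetch only
# the parts of a rollup they lack. Expect more download volume and disk use
# on the WSUS server itself, as the post warns.
$config = $wsus.GetConfiguration()
if (-not $config.DownloadExpressPackages) {
    $config.DownloadExpressPackages = $true
    $config.Save()
    Write-Host 'Express installation files enabled.'
}
```

Append `-WhatIf` to the `Deny-WsusUpdate` and `Approve-WsusUpdate` calls for a dry run that only lists what would change.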
And that is all for today.
Thanks for reading and good luck to everyone.