
Author: Heidi Cheng, Senior Program Manager, Enterprise Client and Mobility

Applies to: All Supported System Center Configuration Manager Versions

Applicable Windows versions: Windows 7 SP1, Windows 8.1, Windows Server 2008 R2 SP1, Windows Server 2012, and Windows Server 2012 R2

Note:  Updated 10/11/2016 to change the suggested ADR rule filter.

Note:  Updated 1/4/2017 based on the current servicing model for down-level versions of Windows.

 

As you are probably aware, Microsoft previously announced Windows servicing changes for down-level operating systems, aiming for a more consistent and simplified servicing experience on those systems. A new blog post released today explains in detail the monthly rollup and security-only quality updates and the update deployment strategies.

While it is great that your monthly update process can be significantly simplified by adopting the new servicing model, you should also be aware of the changes that may be necessary in your update management process with Configuration Manager, and of the recommendations from the ConfigMgr team.

Starting on the second Tuesday of October, only two security updates will be released for the month.  Below is a comparison among all the updates released for the month.

| Monthly Update | Publishing Channel: Windows Update (WU) | Publishing Channel: Windows Server Update Services (WSUS) | Publishing Channel: Windows Update Catalog | Classification | Release Schedule | What’s in it | Size |
|---|---|---|---|---|---|---|---|
| Security Only Quality Update | No | Yes | Yes | Security Updates | 2nd Tuesday of the month | Security fixes for the month | Relatively small |
| Security Monthly Quality Rollup (or “monthly rollup” in short) | Yes | Yes | Yes | Security Updates | 2nd Tuesday of the month | All new security fixes for that month (the same ones included in the security-only update released at the same time), as well as fixes from all previous monthly rollups | Starts out relatively small in October and grows month over month |
| Preview of Monthly Quality Rollup (or “preview rollup” in short) | Yes | Yes | Yes | Updates | 3rd Tuesday of the month | Non-security updates for the month AND previous rollups | Starts out relatively small in October and grows month over month |

As stated in the servicing blog post, the monthly rollup will eventually become a cumulative update later in 2017, and starting in October its size grows month over month as it carries the previous months' rollups. We understand that this may become an issue for customers operating in environments with limited network bandwidth. To help ensure that our customers have the best experience given this situation, we have created the following recommendations for managing the two monthly updates in the “Security Updates” classification:

NOTE: The preview rollup released on the 3rd Tuesday of the month is optional and does not contain any new security updates. We assume you will approve them on a case-by-case basis, and therefore the following recommendations will not cover it.

No network bandwidth or disk space concerns

In this case, neither network bandwidth nor client local disk space is a concern when downloading an update as large as the monthly rollup could become. You can always choose to approve at least one of the two security updates released for the month based on your business needs. At a minimum, you should approve the “security-only quality update” for the month to keep your environment secure.

If you are using ConfigMgr 2012 and above (including Current Branch) and have an Automatic Deployment Rule (ADR) configured based on the “Patch Tuesday” template, the rule will continue to work in your environment.

Compliance Status when both security updates are approved:

  • When the monthly rollup installs first:
    • The security-only quality update would then no longer be applicable to the computer, since the entire content of that security-only quality update would already be installed.
    • Update compliance would show compliant for the monthly rollup and not required for the security-only quality update
    • Deployment compliance status would show compliant for the monthly rollup
  • When the security-only quality update installs first, the monthly rollup will be installed next.
    • Update compliance would show compliant for both the security-only and monthly rollup
    • Deployment compliance would show compliant for both the security-only and monthly rollup

Network bandwidth and/or disk space concerns

To minimize the network bandwidth and client disk space impact to your environment during the “Update Tuesday” (commonly referred to as “Patch Tuesday”) week, we are recommending you only deploy the security-only quality update that has a small content size.

For ConfigMgr 2007 customers

You should only deploy the update that contains the “Security Only” string. See Deploying Superseded Down Level Windows Updates with Microsoft Configuration Manager 2007 for more information.

For ConfigMgr 2012 and above (including Current Branch):

  • If you don’t have an ADR configured for security updates, you should only deploy the update that contains the “Security Only” string
  • If you have previously configured an ADR rule based on the “Patch Tuesday” template, you should take one of the following two actions:
    1. Modify the existing ADR rule to add a clause and filter on the title.
       Suggested English (ENU) title search strings (which must be adjusted for other languages) – “Security Only”
       To avoid localization implications, it is recommended that you create the ADR by running the SCCM console locally or in the same language as the site server. It will not work if the console language and the site server language are different.
    2. The alternative is to disable the ADR rule and manually deploy the update that contains the “Security Only Quality Update” string if you have concerns about filtering by a string in the update title, especially if you are using multiple languages across your site servers. The drawback is that you won’t be automatically deploying the monthly update, and it becomes more of a manual process for you.
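
Before adding the title clause to an ADR, it helps to preview which update titles the “Security Only” string would actually select, including the case where a non-English title makes the filter match nothing. The PowerShell below is an added example, not code from the original post or from Microsoft; the function name, the sample titles with their KB placeholders, and the site code XXX are assumptions.

```powershell
# Added example: preview which update titles an ADR title filter would select.
function Get-AdrTitleFilterPreview {
    param(
        [Parameter(Mandatory)] [string[]] $Title,
        [string] $Filter = 'Security Only'   # ENU search string suggested in the post
    )
    foreach ($t in $Title) {
        # switch -Wildcard is case-insensitive; break stops at the first match.
        $kind = switch -Wildcard ($t) {
            '*Security Only Quality Update*'      { 'SecurityOnly';  break }
            '*Preview of Monthly Quality Rollup*' { 'PreviewRollup'; break }
            '*Security Monthly Quality Rollup*'   { 'MonthlyRollup'; break }
            default                               { 'Other' }
        }
        [pscustomobject]@{
            Kind          = $kind
            SelectedByAdr = ($t -like "*$Filter*")
            Title         = $t
        }
    }
}

# Constructed sample titles (KB numbers are placeholders, not real articles).
$sample = @(
    'Security Only Quality Update for Windows 7 for x64-based Systems (KB0000001)'
    'Security Monthly Quality Rollup for Windows 7 for x64-based Systems (KB0000002)'
    'Preview of Monthly Quality Rollup for Windows 7 for x64-based Systems (KB0000003)'
    '<localized title of the security-only update> (KB0000001)'
)

# To use live data instead, read titles from the SMS Provider
# (assumption: run on the provider host; XXX is your site code):
# $sample = (Get-WmiObject -Namespace 'root\SMS\site_XXX' -Class SMS_SoftwareUpdate `
#     -Filter "LocalizedDisplayName LIKE '%Quality%'").LocalizedDisplayName

$preview  = Get-AdrTitleFilterPreview -Title $sample
$preview | Format-Table -AutoSize -Wrap

# The filter should select security-only updates and nothing else.
$selected   = @($preview | Where-Object { $_.SelectedByAdr })
$unexpected = @($selected | Where-Object { $_.Kind -ne 'SecurityOnly' })
if ($unexpected.Count -gt 0) {
    Write-Warning "Filter also selects $($unexpected.Count) update(s) that are not security-only."
}
if ($selected.Count -eq 0) {
    Write-Warning 'Filter selects nothing; check the title language against the site server.'
}
```

With the sample data only the first title is selected; the localized placeholder is classified as Other and skipped, which is the silent miss the localization caveat above describes.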

Compliance Status

When you only approve the security-only quality update and leave the monthly rollup alone in the Configuration Manager console, the deployment compliance status would show that “security-only quality update” is compliant for the computers that have the security-only quality update installed.

We hope this blog post helps you decide what changes, if any, are needed to adopt the new simplified servicing model on the down-level Windows operating systems.

-Heidi Cheng

 

Additional resources: