October marks a watershed in Microsoft patching practices for Windows 7 and 8.1, and confusion reigns supreme. With the majority of organizations still holding off upgrading their fleets to Windows 10, this “patchocalypse” may have a significant impact if you’re not prepared for the sticky details.
The upshot: Windows 7 and 8.1 will no longer receive individual patches. These will give way to two separate kinds of monthly updates: a security-only strain and a full collection of updates. The security strain isn’t cumulative; the full bundle is. Each has its own deployment method. KBs have been KO’d. Sounds simple, right?
The devil, however, is in the details, and for many organizations, it may be quite a devil indeed. Here we break down what you need to know about Win7/8.1 updates going forward, in hopes of helping you avoid your own “patchocalypse.”
Microsoft’s new Win7/8.1 patching strategy
Six weeks ago, Microsoft product manager Nathan Mercer kicked off a long discussion about new directions for patching Windows 7 and 8.1, and Server 2012 R2, starting in October. Details are available on the TechNet blog (and its 100-plus questions), but here’s the synopsis:
- Security patches will be combined each month into a single Security-only Update that can be downloaded from the Microsoft Update Catalog. Those with corporate networks can access Security-only Updates through WSUS or SCCM. Security-only Updates are not cumulative.
- All security and nonsecurity patches will be combined into a cumulative update, called a “Monthly Rollup.” The Monthly Rollup is accessible from Windows Update -- where most individuals get their patches nowadays -- or from Update Catalog (where anyone can download and install it), WSUS, or SCCM. When you install a Monthly Rollup, Windows Update downloads only the deltas.
- Microsoft will gradually add older patches to the Monthly Rollup. For now, don’t expect to see a big bunch of patches in the Monthly Rollup, but realize Microsoft is working in that direction.
- You can uninstall an entire Security-only Update or an entire Monthly Rollup. There are no individual patches, thus no individual patch uninstalls, and you can’t hide individual patches.
On the face of it, this is relatively straightforward: No more individual patches, but two different kinds of monthly updates. Security-only Updates must be downloaded and installed, while the full collection can go through Windows Update. Security-only Updates are not cumulative; the Monthly Rollup bundle, including both security and nonsecurity updates, is cumulative.
Those who continue to use Windows Update will get all of Microsoft’s Windows patches. Those who turn off Windows Update can manually install security patches only. But in all cases, individual patches -- analogous to the KBs we’ve known for a decade -- exist only as bullet points in the documentation.