Written for Adaptiva by Cliff Hobbs, Microsoft MVP in Enterprise Mobility and Founder and CEO of FAQShop.com
One of the biggest pain points in maintaining any IT infrastructure is keeping it up to date. A vendor software update may be fixing a bug, addressing a reliability issue, plugging a security vulnerability, or sometimes adding minor features/enhancements between major releases. Prior to Windows 10, we were able to decide selectively which updates to install rather than taking a blanket “install all” approach.
This selective approach has given us problems, though. Probably the biggest issue is that you can end up with different machines having different patch combinations installed across your estate. This does not help in large environments where you are trying to keep things as consistent as possible. Plus, when you start having issues or weird things happening on certain machines and not others, it could be down to the concoction of patches, and trying to pick it apart is no small feat.
Starting with Windows 10, Microsoft changed the servicing model. They release a single, cumulative servicing update containing security and reliability updates in one Monthly Rollup, which you can deploy to all of your Windows 10 machines. No more trying to decide which updates from a long list you should install. No more problems with different machines running different patches. Plus, since the updates are cumulative, it does not matter if you missed a previous update, as the latest one contains all of the previous ones.
To help bring organizations running Windows 7/8.1 into this brave new world, back in May Microsoft announced the availability of a new optional convenience rollup package for Windows 7 Service Pack (SP) 1 containing all of the security and non-security fixes suitable for general distribution released since SP1 (so up until April 2016). In other words, if you install this one you don’t need to install any prior updates.
However, fast forward to this month and as you will see from this TechNet post, things are changing in Redmond. From this October Microsoft is aligning all currently supported versions of Windows with the Windows 10 servicing model. In other words, starting in October, if you are using any version of Windows currently in mainstream support (Windows 7 SP1 and Windows 8.1 from the client side, and Windows Server 2008 R2, Windows Server 2012, or Windows Server 2012 R2 on the server side), only the following two updates will be available each month:
- Monthly Rollup – Published every month to ConfigMgr, the Microsoft Update Catalog, WSUS and Windows Update (WU), the Monthly Rollup will be cumulative and will contain updates that address both security and reliability issues. The ultimate goal is that applying the latest update will bring your device up to date. WSUS and Windows Update can utilize express packages to keep the monthly download size smaller (for WSUS you will need to configure it to use express packages as detailed here).
- Security-only updates – As the name suggests, this will be a single update containing just the security updates for the relevant month. These will be published through the same channels as the Monthly Rollups with the exception of Windows Update.
So what does this mean?
Well, from this October you will no longer be able to download individual updates as they will no longer be available, which is potentially going to make life challenging if a specific patch causes an issue and you need to remove just that one. Under the new model you may need to work out which update contains the problem patch and then backtrack to remove it, unless Microsoft has some clever way of doing this up its sleeve.
Note that at the moment Internet Explorer is excluded from this new model but Microsoft is working to include this at some point in the future. Office is not affected by this change nor are Microsoft products such as Exchange and SQL. Driver updates and Windows Defender updates are also not affected.
There is no doubt that from an administrative point of view this new model makes it easier to deploy updates. From a standardization perspective, it also ensures that all of your machines should be running the same updates per Windows version. However, there is, of course, one potential massive negative impact of this model, and that is network bandwidth.
If these updates are cumulative then as each month’s updates are released they will supersede the previous month’s rollup. The result? You will need to distribute each month’s update to all of your Windows machines to keep them up-to-date even if it means they need just a single update.
Also bear in mind that over time the size of the updates will increase as more updates are added. Plus, Microsoft has stated that over the coming year they will be adding previously released updates in order to achieve the goal of installing just the latest update to cover you for everything prior.
Windows 10 is already up to 1GB for cumulative updates, and at that rate it could be 2GB in another year. That is a lot of data to deliver to each machine every month.
Of course, ConfigMgr has various ways of dealing with content distribution, but now might be a good time to take a look at peer caching and bandwidth-management technologies. For example, BranchCache could be a good option in some situations, especially for smaller companies. Smart-scaling systems management company Adaptiva has also written a blog on ways to solve the problem for medium to large businesses using the company’s OneSite content distribution engine. I highly recommend exploring these options before you find yourself dealing with an angry networking team when cumulative Windows 10 updates start in the fall.
No matter what you decide to do (or not do) about it, one thing is for sure: get your network delivery plan ready because a BIG change is coming to your Windows monthly updates.