Microsoft Moving to Monthly Schedule for Windows 10 Cumulative Nonsecurity Updates
This week Microsoft detailed its changing "update options" for Windows 10 version 1703.
The creators update "current branch" was released two weeks ago, but it was updated yet again with Microsoft's update Tuesday release today, according to Microsoft's release-history page. Microsoft today indicated that "millions of customers" now have the creators update, although Microsoft is blocking its arrival for some users.
Creators Update Blocking
The blocking is done to provide the best experience for Windows 10 users, according to John Cable, director of program management for Windows servicing and delivery.
"Blocking availability of the update to devices we know will experience issues is a key aspect of our controlled rollout approach," Cable noted, in a blog post today. "We decide what to block based on user impact, and blocking issues are a high priority for us to address as quickly as possible."
Users can download the creators update in advance and avoid the blocking, but Microsoft doesn't necessarily recommend that approach.
"We continue to recommend (unless you're an advanced user who is prepared to work through some issues) that you wait until the Windows 10 Creators Update is automatically offered to you," Cable explained.
New Cumulative Nonsecurity Updates
Meanwhile, IT pros are getting some new options concerning cumulative nonsecurity updates when updating Windows 10 clients, starting with the creators update (version 1703). These options were explained this week in a blog post by Michael Niehaus, a Microsoft senior product marketing manager for Windows.
Microsoft's current scheme for updating Windows 10 looks like the table below, as described back in October:
|Security-only quality update
||Monthly (only security patches)
||On "B week" to WSUS and the Windows Update Catalog; accessible via SCCM
|Security monthy quality update (a.k.a the "monthly rollup")
||Cumulative (security plus non-security patches)
||On "B week" to WSUS and the Windows Update Catalog
|Preview of monthly quality update (a.k.a the "preview rollup")
||Cumulative (security plus non-security patches)
||On "C week" to WSUS and the Windows Update Catalog
|Separate updates (e.g., "out-of-band" security fixes)
||Monthly or separate
Table 1. Nomenclature and timing for Microsoft's monthly security updates for supported Windows clients and servers, starting on Oct. 11, 2016. The cumulative updates will start to include all past fixes by early 2017. "B week" represents "patch Tuesday," or releases that occur on the second Tuesday of each month. "C week" represents releases that occur on the third Tuesday of each month. WSUS, Windows Server Update Services; SCCM, System Center Configuration Manager. Source: Microsoft Windows blog post and Enterprise blog post.
Under this scheme, Microsoft releases cumulative updates that are either security-only patches or are a combination of security and so-called "quality" updates, which arrive on each patch Tuesday (the second Tuesday of the month). There's also a preview of the next combined security and quality update that arrives a week later.
Microsoft now plans to release additional cumulative nonsecurity updates each month, apparently on top of the current update scheme described above. It's not clear from Niehaus' announcement exactly when these added cumulative nonsecurity updates will arrive each month. In the comments section of his blog post, he suggested this approach would give IT pros two weeks more testing time, suggesting that the releases will happen before patch Tuesdays.
"Before, most organizations picked up new security and non-security updates in the cumulative update released on Update Tuesday," Niehaus explained. "Now those non-security updates will be available a couple of weeks earlier. This gives you the opportunity to validate these non-security fixes, in advance of the Update Tuesday package (which will include the same fixes, so if you don't deploy this non-security update, you'll still get the same fixes a couple of weeks later)."
Even though the cumulative nonsecurity updates apparently are planned for arrival two weeks before patch Tuesday each month, Niehaus indicated that this scheme is already in effect for the creators update. He said that "the first of these non-security cumulative updates for Windows 10 1703 (KB4016240) was released today."
One way to identify these kinds of releases is that they will increment the minor build number of Windows 10. In the case of KB4016240, it increments the minor build number (the last three digits) from 15063.138 to 15063.250, Niehaus explained.
The change would seem to complicate an already nuanced Windows 10 update scheme that Microsoft has altered many times in the recent past. This new approach was adopted "based on feedback from customers," Niehaus said, although he didn't elaborate on the reasons beyond the added two weeks of testing time.
Microsoft's management products will "see" these new cumulative nonsecurity updates in a specific way. Windows Server Update Services and System Center Configuration Manager will both show them as "updates" although they could also be labeled as "critical updates" in rare cases.
If an organization is using Windows Update for Business, which is Microsoft's update technologies associated with Group Policy controls, then the new cumulative nonsecurity updates won't appear if Windows Update for Business policies are set to defer quality updates.
Microsoft will field questions about its "Windows as a service" update approach next week. The one-hour Windows "Ask Microsoft Anything" session will happen on Thursday, May 4, starting at 9:00 a.m. Pacific Time.
Kurt Mackie is senior news producer for the 1105 Enterprise Computing Group.