[NOTE: This article does not apply to Windows 10 updates; Windows 10 patch releases are slightly different than Windows 7 and 8.1. For information about how Windows 10 patches work, see ZENworks Patch Management support for Windows 10 updates.]
In August 2016, I wrote a Cool Solutions article (ZENworks Patch Management support for Windows 7 and 8.1 updates) explaining that, starting in October 2016, Microsoft would be changing their operating system update model for Windows 7 SP1, Windows 8.1, Windows Server 2008 R2, Windows Server 2012, and Windows Server 2012 R2.
True to their word, Microsoft implemented the new model in October, providing a Monthly Rollup update that included both quality and security fixes and a second Security Only update that included only the security fixes. This gave you the option of deploying all patches to your devices or restricting your updates to security patches only.
Then, in November’s release of the updates, Microsoft did something that made us scratch our heads. They released the November Monthly Rollup as superseding not only the October Monthly Rollup, but also the October Security Only update and the November Security Only update. This effectively ended your ability to use the Security Only update option because the current month’s Security Only update was immediately superseded and ZENworks Patch Management is designed to not deploy superseded patches.
I know that this caused issues for many of you, because I spoke directly with some of you and heard from others through our Customer Care specialists. Fortunately, Microsoft apparently heard from customers as well and fixed the supersedence issue in their December update releases.
So, with these recent changes, I thought I’d take a minute to review what Microsoft is now doing, as well as provide some strategy options for how to deploy updates based on Microsoft’s new model. And, because patch supersedence has become such a hot issue, explain what we are working on in ZENworks Patch Management to give you better control over deployment of superseded patches.
Microsoft’s monthly update releases
Beginning in December 2016, Microsoft started releasing three updates each month. Here’s a brief description of each, with their official titles:
- Security Only Quality Update: Contains all new security fixes for the month. It is released on the second Tuesday of each month (Patch Tuesday).
Supersedence: The Security Only Quality Update does not include security fixes from previous months. Therefore, Security Only Quality Updates are never superseded, neither by newer Security Only Quality Updates nor by Security Monthly Quality Rollups. A practical consequence is that a device that skips a month stays unpatched for that month’s fixes until that specific Security Only Quality Update (which remains deployable) or a later Security Monthly Quality Rollup is installed.
- Security Monthly Quality Rollup (also referred to as “monthly rollup”): Contains the new security fixes for the month (the same fixes as the Security Only Quality Update), the new non-security fixes for the month, and the security and non-security fixes from all previous Security Monthly Quality Rollups. It is released on the second Tuesday of each month (Patch Tuesday).
Supersedence: The Security Monthly Quality Rollup supersedes all previous monthly rollups.
- Monthly Quality Rollup Preview (also referred to as “preview rollup”): Contains a preview of the non-security fixes that will be included in the next Security Monthly Quality Rollup, plus the fixes from all previous Security Monthly Quality Rollups. It is released on the third Tuesday of each month. You can use the preview rollup to begin early testing of the next month’s updates.
I’ve only mentioned the major points for each update. If you want more details about what is contained in each release, review the Microsoft TechNet article More on Windows 7 and Windows 8.1 servicing changes.
For more detailed information about update supersedence, including some easy-to-understand graphics, see the Microsoft TechNet article Update to Supersedence Behaviour for Security Only and Security Monthly Quality Rollup Updates.
Both the Security Only Quality Update and the Security Monthly Quality Rollup are provided in our content feed. Below are some options you can use to implement your current, or desired, patching strategy.
NOTE: The Monthly Quality Rollup Preview is also included in our content feed. It is not discussed in the options below, but you can use the preview rollup to begin early testing of the next month’s updates in a controlled environment.
Option 1: Frequent Patch Security Policy
If you are applying only security patches today and are concerned about the impact of the monthly rollup, you should continue to deploy the Security Only Quality Update every Patch Tuesday. This ensures you receive the latest security fixes without the non-security changes. Keep in mind that each Security Only Quality Update contains only that month’s security fixes, so you must apply every month’s update without skipping any; a skipped month leaves that month’s vulnerabilities unfixed. Because Security Only Quality Updates are never superseded, a missed month can still be closed later by deploying that month’s update, but you need to check each device’s history to find such gaps.
Option 2: Infrequent Patch Security Policy
If you do not patch on a monthly basis, patch infrequently, or have new systems to patch, you should deploy the Security Monthly Quality Rollup. This patch gives the device the complete set of security and non-security fixes in a single installation, regardless of what was installed before. Closely monitor the impact of this approach in your environment: the rollup grows in size over time and may affect both network usage and the time it takes to scan and remediate your endpoints.
Option 3: Periodic Patch All Policy
If you miss a month of Security Only Quality Updates on some devices, or if you are concerned you may be missing some older patches, you can take a hybrid approach that combines options 1 and 2. Deploy the Security Only Quality Update for several months in a row, then deploy the Security Monthly Quality Rollup on a quarterly or semi-annual schedule to pick up any security fixes that were missed on devices that skipped a month, along with the accumulated non-security reliability fixes. Keep in mind that in the months when you deploy the Security Monthly Quality Rollup you don’t need to deploy the Security Only Quality Update, because the rollup already contains that month’s security fixes. Deploying both unnecessarily increases network usage and device remediation time.
What ZENworks Patch Management is doing to help you manage superseded patches
Currently, ZENworks Patch Management disables patches (from Microsoft and other software vendors alike) once they are superseded by newer patches, so a superseded patch can no longer be deployed to devices. This approach adheres to the basic security principle that devices should receive the most current fix for a vulnerability rather than an older one.
Over the past several months, and especially during Microsoft’s adventures with supersedence in November and December, I’ve received more and more requests asking us to let you control whether or not superseded patches continue to be deployed. And my response is yes, we will: hopefully in ZENworks 2017 Update 1 (first half of this year), but certainly by Update 2.
We considered multiple approaches to resolving this issue and settled on a design that lets you control superseded patches through Patch policies:
- Patches added to a Patch policy via the Rules criteria will remain enabled, even when superseded, until the policy is rebuilt either manually or according to the rebuild schedule; at rebuild time, a superseded patch will be removed from the policy and replaced by the new patch (provided the new patch meets the Rules criteria).
- Patches added to the Patch policy via the Members list will remain enabled, even when superseded, until you remove them from the Members list.
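To make the supersedence rules and the three deployment options concrete, and to show how the planned Rules-versus-Members policy behaviour would treat a superseded patch, here is an added Python model. It is example code written for this article, not ZENworks Patch Management code or any Microsoft tool; the update names (SO-2016-10, MR-2016-10, and so on), the months, and the device histories are constructed sample data rather than real KB numbers, and the model applies the December 2016 supersedence rules throughout (it does not reproduce the November anomaly). It reports which months’ security fixes a device lacks, chooses the smallest deployable set that closes the gaps, and simulates a policy rebuild.

```python
"""Model of the Windows 7/8.1 update supersedence rules described in this
article. Update labels, months and device histories are constructed sample
data (not real KB numbers); the December 2016 rules are applied throughout."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Update:
    name: str   # constructed label such as "SO-2016-10" or "MR-2016-10"
    month: str  # release month, "YYYY-MM" (sorts correctly as a string)
    kind: str   # "security_only" or "monthly_rollup" (preview rollups omitted)


MONTHS = ["2016-10", "2016-11", "2016-12", "2017-01", "2017-02"]

# Constructed catalog: one Security Only update and one Monthly Rollup per month.
CATALOG = (
    [Update(f"SO-{m}", m, "security_only") for m in MONTHS]
    + [Update(f"MR-{m}", m, "monthly_rollup") for m in MONTHS]
)


def by_name(name):
    return next(u for u in CATALOG if u.name == name)


def superseded_by(u):
    """A monthly rollup is superseded by every later monthly rollup;
    a Security Only update is never superseded."""
    if u.kind == "security_only":
        return []
    return [v for v in CATALOG if v.kind == "monthly_rollup" and v.month > u.month]


def is_deployable(u):
    """ZENworks Patch Management currently disables superseded patches,
    so only an unsuperseded patch can still be deployed."""
    return not superseded_by(u)


def covered_months(installed):
    """Months whose security fixes are on the device: a Security Only update
    covers only its own month; a rollup covers its month and every earlier one."""
    covered = set()
    for u in installed:
        if u.kind == "security_only":
            covered.add(u.month)
        else:
            covered.update(m for m in MONTHS if m <= u.month)
    return covered


def missing_months(installed, through):
    """Release months up to and including `through` that the device lacks."""
    have = covered_months(installed)
    return [m for m in MONTHS if m <= through and m not in have]


def remediation_plan(installed, through):
    """Smallest deployable set that closes every gap. A single missing month is
    closed by that month's Security Only update, which is still deployable
    because it is never superseded (Option 1). Two or more gaps are closed by
    the current month's rollup alone (Options 2 and 3), which also makes that
    month's Security Only update redundant."""
    gaps = missing_months(installed, through)
    if not gaps:
        return []
    if len(gaps) == 1:
        return [by_name(f"SO-{gaps[0]}")]
    return [by_name(f"MR-{through}")]


def rebuild_rules_policy(patches, rule):
    """Planned behaviour for a Patch policy built from Rules: between rebuilds a
    superseded patch stays enabled; at rebuild time it is removed and replaced
    by the newest patch superseding it, provided that patch meets the Rules
    criteria (`rule` is a predicate standing in for those criteria)."""
    rebuilt = []
    for u in patches:
        newer = superseded_by(u)
        if not newer:
            rebuilt.append(u)
            continue
        replacement = max(newer, key=lambda v: v.month)
        if rule(replacement) and replacement not in rebuilt:
            rebuilt.append(replacement)
    return rebuilt


def members_policy(patches):
    """Planned behaviour for patches added via the Members list: they stay
    enabled, superseded or not, until an administrator removes them."""
    return list(patches)


if __name__ == "__main__":
    # Constructed device that followed Option 1 but skipped December.
    device = [by_name("SO-2016-10"), by_name("SO-2016-11"), by_name("SO-2017-01")]
    print("gaps through 2017-01:", missing_months(device, "2017-01"))
    print("plan:", [u.name for u in remediation_plan(device, "2017-01")])
    print("plan if February is also missing:",
          [u.name for u in remediation_plan(device, "2017-02")])
    old_policy = [by_name("MR-2016-11")]
    print("rules rebuild:", [u.name for u in rebuild_rules_policy(
        old_policy, lambda v: v.kind == "monthly_rollup")])
```

Running the script shows the point of each option: a device that skipped only December is cheapest to fix with that month’s Security Only update, which ZENworks can still deploy because it is never superseded, whereas a device with two or more gaps gets the current rollup instead of several month-specific updates. The rebuild simulation shows a Rules-based policy holding the November rollup until rebuild, then swapping it for the newest rollup that matches the rule (or dropping it if no superseding patch matches), while a Members-list policy keeps whatever was listed.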
As implementation occurs, some changes to the design might be necessary. If you have questions or comments, contact me: Darrin.VandenBos@microfocus.com.