News

Microsoft Tweaks Its Security Updates for Orgs

• By Kurt Mackie
• January 17, 2017

Microsoft is changing the way it delivers Windows security updates to organizations starting next month.

The policy changes, announced last week, concern Windows security-only updates and Internet Explorer security updates. They only apply to organizations using Microsoft's older supported Windows client and server operating systems, namely "Windows 7 SP1, Windows 8.1, Windows Server 2008 R2, Windows Server 2012 and Windows Server 2012 R2," per the announcement. Consumers using Windows Update to get updates won't be affected.

The new policy will kick off in February for so-called "update Tuesdays," which are the second Tuesdays of each month when Microsoft releases both security and quality patches. Next month's patch Tuesday event is slated for Feb. 14, Valentine's Day.

The first policy change involves the bundling of IE security updates. Microsoft will exclude IE updates from the "security-only quality updates" it releases on update Tuesdays. The aim of this policy change is to reduce potential bandwidth hits that can occur on the networks of organizations using the security-only updates. Microsoft had started pushing IE updates into these security-only updates back in December, but that approach made them bulky for some organizations, Microsoft's announcement explained.

Consequently, IE security updates will once again become separate patches next month and won't be bundled up with the security-only quality update releases. Microsoft defines a security-only quality update as just having new security fixes for the month. It's not a "cumulative" release. Here's how Microsoft defines a security-only quality update:

"The Security Only update does not contain fixes from previous months, and allows enterprises to download as small of an update as possible to remain secure."

In contrast, the IE security updates that Microsoft will now release in a separate bundle, starting next month, will be cumulative, meaning that they will contain all previous IE security updates.

There's also a "security monthly quality roll-up" that arrives on update Tuesdays. It includes "both security and reliability fixes, as well as all fixes from previous roll-ups," according to Microsoft. In other words, it's cumulative. The security monthly quality roll-up will include IE security fixes.

Microsoft also releases a "preview of monthly quality roll-up" on the third Tuesday of each month, which is designed to let IT pros see what's coming down the pipe in advance. This preview release, too, will include IE security patches.

The second policy change Microsoft announced last week was actually announced in mid-December, and became effective retroactively on that month. Microsoft changed a behavior in which security-only quality updates were getting superseded by the "security monthly quality roll-up." That was a problem for the organizations preferring to defer feature updates.

Much of the recent confusion with Microsoft's updates occurred in October, when Microsoft started rolling out a new monthly client and server patch model for its older Windows OSes. The new model, somewhat like the update model of Windows 10, was announced back in August.

Today's changes are responses to customer feedback on the new patch model, Microsoft indicated.

In other patch news, Microsoft this week published a five-minute overview video of the Windows 10 servicing model. It's presented by Windows patch expert Michael Niehaus, director of product marketing for Windows at Microsoft.