In-Depth

Microsoft Explains Windows Server 2016 Patching

• By Kurt Mackie
• 11/09/2016

Windows Server 2016 patching likely won't differ too much from the monthly cumulative update model laid out by Microsoft for other Windows products, but there are some nuances.

In late October, Microsoft explained in a "Patching with Windows Server 2016" blog post that the server is getting basically two types of cumulative updates each month. These two updates arrive on different days within a given month.

Windows Server 2016 Cumulative Updates
For Windows Server 2016 installations, a security update arrives first, followed by a quality update a couple of weeks later. Here's the breakdown:

• Cumulative updates with new security fixes arrive on the second Tuesday of each month ("patch Tuesday")
• Cumulative updates with new quality fixes arrive on the fourth Tuesday of each month

That's a somewhat simplified explanation because the security update arriving on patch Tuesday also includes past security and quality fixes. Microsoft's announcement explained that point as follows:

"Being cumulative this update [the security one] will include all the previously released security and quality fixes."

Likewise, the quality update arriving on the fourth Tuesday "will include all the previously released security and quality fixes."

This Windows Server 2016 update approach, which staggers the releases of the security update and the quality update, is slightly different from Microsoft's update model that kicked off on Oct. 11 for all supported older Windows clients and servers, such as Windows 7 and Windows Server 2012. Those older Windows products get the security and quality updates on the same day, namely patch Tuesday.

Because the two cumulative updates arrive on the same day for older Windows products, many organizations have discovered to their dismay that the security update arrives superseded. That's because the quality update contains the security patches in the security update, so patch management systems read the security update as being unnecessary (superseded). Microsoft's solution for organizations is to delay the supersedence of those updates by modifying rules in a patch management system. However, System Center Configuration Manager 2007 users are out of luck because that product doesn't have the ability to customize the supersedence rules, Microsoft recently explained. Other System Center Configuration Manager products do have that customization ability, though.

In contrast, the Windows Server 2016 staggered update release approach seems like an improvement as it more easily permits organizations to opt for using the security update up front, if that's the approach they want to take. Using the security-only update is one approach to take if organizations have encountered compatibility issues after a Windows update.

"Customers can choose a security only update instead of a cumulative update," a Microsoft spokesperson clarified, via e-mail, in response to a question about the Windows Server 2016 patch process.

Other Monthly Updates
Microsoft's announcement last month didn't mention it, but preview updates also arrive each month for Windows Server 2016. Under the update model that kicked off on Oct. 11 for older Windows releases, Microsoft indicated that preview updates arrive on the third Tuesday of each month. Presumably, that's the case for Windows Server 2016, too. In response to a question, the Microsoft spokesperson simply stated that "preview updates apply to Server as well."

Also, Windows Server 2016 will get .NET Framework monthly rollups. They are cumulative updates and arrive on patch Tuesdays. There's a rollup that contains security and quality improvements, and a rollup that's "security only," but both arrive on the same day (patch Tuesday), according to this .NET blog explanation. A preview of a quality rollup arrives on the third Tuesday of each month.

Automatic Updates On by Default
Microsoft has turned on the Automatic Updates service in Windows Server 2016 by default. It will automatically download cumulative updates each month, but IT pros will have the ability to choose when to install them if using Windows Server Update Services, which has policy options for configuring the behavior of installations, as described in this TechNet article.

The control of Automatic Updates is important because Windows Server 2016 updates first arrive as "optional" updates, but they later become "recommended" updates after two weeks. Microsoft conceives of this time lag as a testing period for IT pros.

"This predicable behavior gives time to test updates such as in your lab, before being notified across the broader set," Microsoft's announcement explained.

Another way to manage the Windows Updates behavior in Windows Server 2016 is to use Microsoft's Server Configuration tool (Sconfig.cmd), as described in this tutorial. I asked the spokesperson if this tool could be used to turn off Windows Updates for Windows Server 2016, and whether the server could eventually end up on an unsupported branch as a consequence. While that's a scenario that organizations face with Windows 10 on the current branch for business (CBB) update model, it's not the case for the Desktop and Server Core installations of Windows Server 2016, which follow the long-term servicing branch (LTSB) approach. Here's how the Microsoft spokesperson explained the matter:

Windows Server 2016 Server with Desktop Experience and Server Core are using the LTSB model, not Windows as a service CBB model. With the CBB Windows as a service model, which Nano Server is using, you must move forward to a new build as older builds are no longer supported.

Nano Server is Microsoft's newest minimal-footprint deployment option that's available for Windows Server 2016. Microsoft doesn't enable Automatic Updates on Nano Server. There's no Group Policy support for it either. Instead, Microsoft offers PowerShell securityCmdlets or Desired State Configuration for management.

Tracking Updates
Microsoft has explained that it moved to the cumulative update model for Windows systems because it has seen fewer problems when computing environments are fully patched. Of course, IT pros typically have rolled back specific Windows patches when the patch was associated with a problem. Now, with the new cumulative update model, Microsoft has given IT pros a month to get those problems fixed or risk staying unpatched.

In the recent past, Microsoft has been less descriptive in its various Knowledge Base articles about the patches. Possibly, that approach will be changing. At least Microsoft is working to centralize its patch information.

For instance, this month, Microsoft announced a preview of a new "Security Updates Guide." It permits searches for software updates within a specific time period. One catch is that Microsoft will fill up this database with published security bulletins until January 2017. It'll only add "update information" after that date.

Microsoft also has added Windows Server 2016 information to an Update History page that already describes Windows 10 updates. This updated portal is supposed to kick off next month, but Windows Server 2016 details are already listed there this month. Other Windows products will get described at the Update History page, too.

"This new, unified Windows 10 and Windows Server 2016 update history page will be available beginning with the December Windows 10 and Windows Server 2016 Cumulative Update (CU), and then other Windows 10 updates and down-level platforms will follow over the coming months," Microsoft explained in this announcement.