Windows Update Classifications Can Cause Orgs To Miss Fixes to Bad Patches
Organizations using Microsoft's tools to manage Windows updates could be missing out on early fixes to problems because of the way Microsoft classifies its updates.
The issue applies to IT pros using automatic rules with some of Microsoft's tools, such as Windows Server Update Services (WSUS) and System Center Configuration Manager (SCCM), according to a Tuesday post by Microsoft Tech Community employee Rashid Siddiqui. They may have set rules to better manage the deployment of Windows updates, such as a rule to approve only the "security-only" Windows patches that arrive each month. However, these rules may miss any subsequently released "out-of-band" patches from Microsoft. An out-of-band patch is one that arrives at any time, and Microsoft sometimes uses them to fix updates that it later discovers it has botched.
The reason these out-of-band patches could get missed is that they are classified simply as "Update" in both WSUS and SCCM, Siddiqui explained. So a rule that just applies security-only patches would miss such a fix.
Missing the fix just means that an organization would end up, at worst, waiting until the next month's Windows update cycle to get the fixed patch, Siddiqui noted. However, there's a more oblique way to configure automatic rules to address the issue. IT pros can opt to "include updates classified as 'Update' temporarily" in WSUS and SCCM, Siddiqui suggested.
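The gap described above can be audited on a WSUS server before changing any rule. The following is an added example, not code from Siddiqui's post or from Microsoft: it lists recent, unapproved updates in the plain "Updates" classification that managed computers still need. It assumes the UpdateServices PowerShell module on the WSUS server, that the classification appears under the title "Updates", and a 35-day look-back window chosen only for illustration.

```powershell
# Added example: find updates that a "Security Updates"-only auto-approval
# rule leaves unapproved although computers report them as needed.
# Assumptions: run on the WSUS server; 35-day window is an arbitrary choice.
Import-Module UpdateServices

$wsus  = Get-WsusServer                               # local WSUS server
$since = (Get-Date).ToUniversalTime().AddDays(-35)    # CreationDate is stored in UTC

# Pull every unapproved update that at least one computer needs or failed to
# install, then keep only the generic "Updates" classification, which is where
# the article says out-of-band fixes are filed.
$missed = Get-WsusUpdate -UpdateServer $wsus `
                         -Classification All `
                         -Approval Unapproved `
                         -Status FailedOrNeeded |
    Where-Object {
        $_.Classification -eq 'Updates' -and
        $_.Update.CreationDate -ge $since -and
        -not $_.Update.IsSuperseded                   # skip entries already replaced
    }

# Report only; nothing is approved by this script.
$missed |
    Sort-Object { $_.Update.CreationDate } -Descending |
    Select-Object @{ n = 'ReleasedUtc'; e = { $_.Update.CreationDate } },
                  @{ n = 'KB';          e = { $_.Update.KnowledgebaseArticles -join ',' } },
                  @{ n = 'Title';       e = { $_.Update.Title } },
                  ComputersNeedingThisUpdate |
    Format-Table -AutoSize
```

Anything this report returns is a candidate for manual review and approval, which gives the same coverage as temporarily adding the "Update" classification to the automatic rule without approving every update in that class.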
Comments reacting to this Microsoft Tech Community post didn't appear to be happy ones. One commenter simply asked, "Why can't you classify updates for security updates as security updates?" There was no Microsoft answer to this basic question.
Another commenter suggested that Microsoft should clean up its "update classification mess," noting that Microsoft also classifies its servicing stack updates (SSUs) as security updates. Ironically, Microsoft actually recently changed SSUs to be security updates because they weren't previously included with security-only patches and consequently these SSUs didn't get applied by some Windows 7 users, leading to Windows Update problems later on.
A third commenter rejected using automatic rules with Microsoft's Windows update management tools because of the complexity. Instead, a PowerShell script is used to accept only the applicable updates, an approach the reader suggested would reduce the storage and bandwidth demands of Microsoft's monthly Windows updates.
Last August, Microsoft had suggested that it would deliver a new type of monthly quality update that would be smaller in size for Windows 10 and Windows Server machines. This new unnamed monthly quality update type would replace Full Updates, Express Updates and Delta Updates, Microsoft had indicated. The new quality update type was supposed to have appeared as early as the fall of last year, but if it did appear, there's not been much noise about it.
Microsoft more recently announced it would reserve 7GB of space on machines to address Windows 10 updates. However, only new machines or machines that are clean-installed to use Windows 10 version 1903, expected to be released this spring, will have this new "Reserved Storage" feature.
Kurt Mackie is senior news producer for 1105 Media's Converge360 group.