Patching with Microsoft’s Update Rollup Methodology
Beginning in October 2016, Microsoft will release some patches in bundles called “Update Rollups.” Kaseya has received several inquiries regarding this new approach and what it means for patching with the Virtual System Administrator (VSA) Patch Management module. The information contained within this article is based on what Kaseya understands regarding this new approach, but we can make no specific guarantees as to the Microsoft-specific functions. It is recommended that any administrator or business stakeholder fully research the new process and engage with Microsoft directly for additional details or clarification regarding the MS Patching processes.
Microsoft has announced they will release at least four types of patches:
Monthly Security Updates, bundled into a single installer
Monthly .NET Framework Updates, bundled into a single installer
Monthly Operating System Updates, bundled into a single Update Rollup
Individual patches for application-level updates (i.e., MS Office)
It is widely believed the patches in the Security Update and Update Rollup cannot be “split” from the cumulative rollup. There have been inquiries from the industry to Microsoft as to whether they will allow any pick-and-choose install (or pick-and-choose rollback) of components of the cumulative updates, but the general consensus is this is unlikely to be allowed by Microsoft. Microsoft has posted the following blog detailing the new approach: https://blogs.technet.microsoft.com/windowsitpro/2016/08/15/further-simplifying-servicing-model-for-windows-7-and-windows-8-1/
How does this affect Patch Management through the VSA?
This change should not affect the functions of Kaseya VSA Patch Management.
Kaseya will function as it does today, with the same requirements for discovering patches for endpoints (detailed in this KB article). Microsoft has announced the cumulative updates will be included in the MS Update Catalog. Therefore, the VSA should recognize these patches as missing when scans are run against managed endpoints. VSA Administrators can approve/deny these patches as they believe appropriate for their managed environments. Administrators may, however, need to take precautions to ensure the cumulative update does not include changes which may negatively affect systems.
One particular concern could be machines running older web-based applications or custom software. If a monthly update does contain a component which may have an adverse impact on the administrator’s endpoints, it may be necessary to roll back the entire update and suspend patching until either the update rollup OR the affected application is corrected. Bear in mind that if one month’s update is skipped, the next month will include the prior updates. As described in this article from PC World, “If you don’t bother to download October’s update, then you’ll be able to get those updates as part of November’s update cycle. If you wait until January to update your machine, you’ll get a single update containing patches from October, November, and December, in addition to the newest updates from January.”
While the update rollup approach is likely to simplify the patch approval process and limit the number of patches administrators must process each month, the concern for how this will affect managed machines is understood. Kaseya recommends administrators familiarize themselves with the information widely available regarding the new approach, and contact Microsoft for additional details on their methodology. Another valuable resource for independent information is the patchmanagement.org listserv. While not specific to the new patch methodology, this listserv does have several threads regarding the new approach.
While not directly related, administrators managing Windows 10 Enterprise endpoints with an MS volume licensing agreement might consider whether leveraging the Current Branch for Business (CBB) or the Long Term Servicing Branch (LTSB) is appropriate. This article provides some straightforward information on LTSB. Information from Microsoft regarding Servicing Branching is available in this TechNet article.
If you have specific questions or concerns regarding Patch Management with the VSA, please contact your Customer Success manager or, for technical assistance, open a ticket with Kaseya Support.
Patch Management module in all versions of Kaseya VSA