Microsoft Updates: New Servicing Model from October Onwards

Microsoft has introduced major changes with its new Windows update servicing model, released on October 11 via TechNet: https://blogs.technet.microsoft.com/windowsitpro/2016/08/15/further-simplifying-servicing-model-for-windows-7-and-windows-8-1/

Let’s review briefly what will be released each month and their official titles.

A security-only quality update

A single update containing all new security fixes for that month. This will be published only to Windows Server Update Services (WSUS), where it can be consumed by other tools like SCCM, and the Windows Update Catalog, where it can be downloaded for use with other tools or processes. This will be published to WSUS using the “Security Updates” classification, with the severity set to the highest level of any of the security fixes included in the update.

A security monthly quality rollup

A single update containing all new security fixes for that month, as well as fixes from all previous monthly rollups. This can also be called the “monthly rollup.” The initial monthly rollup released in October will only have new security updates from October, as well as the non-security updates from September.
This will be published to WSUS using the “Security Updates” classification.

A preview of the monthly quality rollup

An additional monthly rollup containing a preview of new non-security fixes that will be included in the next monthly rollup, as well as fixes from all previous monthly rollups. This can also be called the “preview rollup.” This preview rollup will be released on the third Tuesday of the month. This will be published to WSUS using the “Updates” classification as an optional update.

Note: The second Tuesday of the month is also referred to as the “B week”, and the third Tuesday of the month as the “C week”.


For more detail, visit: https://blogs.technet.microsoft.com/windowsitpro/2016/10/07/more-on-windows-7-and-windows-8-1-servicing-changes/

 


What is Patch Management?

Patch Management cycle:

Stages: 

1) Research – Define a scope. Get in contact with system owners. Get SLA requirements. Confirm update schedule. Sync inventory of SCCM/Landesk/IPAM. Define QA/DEV and PROD systems. Build a vulnerabilities-by-server report.

2) Assess – 1st week. Define baseline. Build a list of missing updates with details/rating/exploitability index. Review and approve the list of patches during Patch meeting.

3) Remediate – 2nd week. Deploy patches to a testing environment. Evaluate system functionality. Check Event log for errors. Confirm system operability.

3rd week. Notify DEV/QA system owners about patching and provide the list of approved patches. Deploy to DEV/QA systems. Let system owners evaluate and confirm operability during the next week.

4th week. Notify Prod system owners about patching and provide the list of patches. Deploy to Prod systems. Let system owners evaluate and confirm operability.

5) Confirm – Run the vulnerabilities-by-server report. Confirm vulnerabilities are patched and the environment is compliant with the current baseline.

6) Report – Build a report for management and system owners on applied patches.

7) Patch Tuesday – New patches are released by Microsoft. Notify system owners about patching schedule, so they can schedule maintenance and provide advance notice to customers. Reiterate starting step 2.
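The weekly stages above, together with the B week and C week release dates, can be laid onto a calendar. The following Python sketch is an added example, not part of the original post; it assumes week 1 starts on Patch Tuesday itself (the post does not say which day the cycle begins) and shows that in some months the Prod week ends the day before the next Patch Tuesday, leaving no free days for the Confirm and Report stages.

```python
from datetime import date, timedelta

TUESDAY = 1  # date.weekday(): Monday is 0

# Weekly stages from the cycle described above.
STAGES = [
    "Assess (week 1)",
    "Remediate: test environment (week 2)",
    "Remediate: DEV/QA (week 3)",
    "Remediate: Prod (week 4)",
]

def nth_weekday(year, month, weekday, n):
    """Return the n-th (1-based) occurrence of a weekday in a month."""
    first = date(year, month, 1)
    offset = (weekday - first.weekday()) % 7
    return first + timedelta(days=offset + 7 * (n - 1))

def b_week_release(year, month):
    """Second Tuesday: security-only update and monthly rollup."""
    return nth_weekday(year, month, TUESDAY, 2)

def c_week_release(year, month):
    """Third Tuesday: preview rollup (always the first day of week 2)."""
    return nth_weekday(year, month, TUESDAY, 3)

def cycle_plan(year, month):
    """Map the four weekly stages onto dates and measure the slack
    before the next Patch Tuesday. Assumption: week 1 starts on Patch Tuesday."""
    start = b_week_release(year, month)
    ny, nm = (year + 1, 1) if month == 12 else (year, month + 1)
    next_release = b_week_release(ny, nm)
    stages = []
    for i, name in enumerate(STAGES):
        begin = start + timedelta(days=7 * i)
        stages.append((name, begin, begin + timedelta(days=6)))
    prod_end = stages[-1][2]
    # Free days left for Confirm/Report before the cycle restarts.
    slack_days = (next_release - prod_end).days - 1
    return {"release": start, "preview": c_week_release(year, month),
            "stages": stages, "next_release": next_release,
            "slack_days": slack_days}

if __name__ == "__main__":
    for month in (10, 11, 12):
        plan = cycle_plan(2016, month)
        print(f"Patch Tuesday {plan['release']}, preview rollup {plan['preview']}")
        for name, begin, end in plan["stages"]:
            print(f"  {begin} to {end}  {name}")
        print(f"  slack before {plan['next_release']}: {plan['slack_days']} day(s)")
```

A slack of 0 days means Confirm and Report have to run in parallel with the next cycle's Assess week.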

Patch Test Environment:

  • Will consist of several VMs with different OS versions for 1st stage patch testing and system operability.
  • Windows Server 2003 (32-bit and 64-bit)
  • Windows Server 2008 (32-bit and 64-bit)
  • Windows Server 2008R2
  • Windows Server 2012
  • Windows Server 2012R2
  • Windows Server 2016
  • Windows 7
  • Windows 8
  • Windows 8.1
  • Windows 10

Small VMs: 2 vCPUs, 2 GB RAM, no HA needed; they can be stored on local datastores. Ensure there is enough datastore space for snapshots.

Back out plan:

We need to define back out procedures at least for Production critical systems. Define these systems and choose an appropriate roll-back plan (backup/snapshot/patch uninstall).

If a snapshot will be taken, check datastore space availability and schedule removal of the snapshot.

Conclusion:

Microsoft does not suggest or recommend a single best practice, as each organization's environment is different from another's. The process described can vary from organization to organization.