Microsoft adds another layer to the Windows 10 patching onion

Offers non-security-only update two weeks before Patch Tuesday so enterprises can test fixes before rolling out to the masses

Microsoft yesterday added another update cycle to Windows 10's monthly patching, saying that the new collection of non-security-only fixes would give corporate customers the "increased flexibility" they had demanded.

On Monday, Michael Niehaus, director of Windows 10 product marketing, announced the new monthly update, saying that the company would initially issue it only to customers running 1703, the upgrade also known as Creators Update, which launched earlier this month.

"We will routinely offer one (or sometimes more than one) additional update each month," Niehaus wrote in a post to a company blog. "These additional cumulative updates will contain only new non-security updates" [emphasis added].

Microsoft issued the first such update Tuesday.

Before Tuesday's release of the new non-security update, Microsoft offered just one kind of patch collection to Windows 10 commercial customers: a cumulative update that combined fixes for security vulnerabilities with fixes for non-security bugs, the latter being what Microsoft called "quality improvements." Those cumulative updates were ultimately unavoidable: businesses could defer them, but could not postpone them indefinitely.

The new updates will consist of the non-security fixes normally included in the "roll-ups," the term Microsoft uses for the cumulative collections released on the second Tuesday of each month.

According to Niehaus, the new non-security updates will be issued "a couple of weeks earlier" than the Patch Tuesday cumulatives. Yesterday's first example, in fact, was released exactly two weeks before the next Patch Tuesday, slated for May 9. That means the fixes that appeared in Tuesday's non-security update will be reproduced in next month's roll-up.

This lead time "gives you the opportunity to validate these non-security fixes, in advance of the Update Tuesday package (which will include the same fixes, so if you don't deploy this non-security update, you'll still get the same fixes a couple of weeks later)," Niehaus said, using Microsoft's "Update Tuesday" terminology in place of the more common "Patch Tuesday" label.

Windows 10's non-security updates will be very similar in composition and release timetable to Windows 7's and Windows 8.1's "preview roll-ups," which debuted in October as an option for commercial customers. Preview roll-ups were also limited to non-security fixes and have been shipped in the second half of each month.

The non-security updates for Windows 10 will be simply classified as "Updates" in WSUS (Windows Server Update Services) and System Center Configuration Manager (SCCM), the two most popular enterprise tools for servicing Windows. Those released on Patch Tuesday that also contain security fixes will be marked as "Security Updates" in WSUS and SCCM.

Microsoft will probably extend the non-security format to other, older versions of Windows 10, such as 1607, last year's sole feature upgrade. "We're looking at the potential for doing this for other Windows releases at some point in the future," noted Niehaus. Because of the preview roll-ups available to Windows 7 and Windows 8.1, there will be no need to duplicate the new non-security-only updates for those OSes.

This story, "Microsoft adds another layer to the Windows 10 patching onion," was originally published by Computerworld.

Copyright © 2017 IDG Communications, Inc.
