KB 4016240 confirms: Microsoft's 'new' Windows update option changes little

Microsoft desperately needs to simplify its patching process, but the latest change to how it rolls out updates for Windows 10 adds little to the mix except more confusion.
Earlier this week Microsoft patching honcho Michael Niehaus published details of new update options for Windows 10, version 1703. His article left me scratching my head—I didn’t see much, if anything, that was new.
The heart of Niehaus’ announcement goes like this:
We are making some adjustments to the updates that we are releasing for Win10, version 1703… we will routinely offer one (or sometimes more than one) additional update each month. These additional cumulative updates will contain only new non-security updates, so they will be considered “Updates” in WSUS and Configuration Manager… For those using Windows Update for Business, these new “Updates” and “Critical Updates” will not be installed on any devices that have been configured to defer quality updates.
He goes on to say that this week’s Windows 10 Creators Update patch, KB 4016240 (build 15063.250) is “the first of these non-security cumulative updates for Win10 1703.”
The Technet blog post has been subsequently updated with this illustration:
Some industry observers have argued that this “new” approach will reduce the number of patches or improve Microsoft’s ability to keep items updated during the crucial first few months of a new version’s release or make it easier for admins to control updates to their computers. I’m not convinced any of those observations is true.
For example, in the first three weeks of the rollout for Anniversary Update, version 1607, we saw build 14393.10 on Aug. 2 (same date as general availability), build 14393.51 on Aug. 9, and build 14393.82 on Aug. 23—three patches in the first three weeks.
In the case of Creators Update, version 1703, there was an initial patch to build 15063.13 on April 5, another to build 15063.138 on April 11, and one to build 15063.250 on April 25. Again, three patches in the first three weeks. What’s new about that?
Microsoft has long released Windows 10 cumulative updates both with and without security patches. Last month, we saw three patches to Win10 Anniversary Update: build 14393.953 (released on Patch Tuesday) included security updates, build 14393.969 fixed bugs that were introduced by the previous patch, and build 14393.970 also fixed bugs found in earlier patches. Only one of the three was a security patch.
I asked Susan Bradley for her thoughts. Bradley is moderator of the patchmanagement.org mailing list, columnist for Windows Secrets, a Microsoft MVP, and the most plugged-in admin patcher I know. Here’s what she says:
Once again Microsoft is reacting to customer requests to change how they roll out updates to Windows 10. But this latest announced change… in my opinion… It’s just an acknowledgement that their process to get feedback through telemetry tells them what they need in order to fix the operating system.
When the 1607 update was released, we received updates to that platform about once a week. That’s right, if you received the 1607 update when it was first released in July of 2016, you rebooted about once a week until the 1607 release finally settled down in the November time frame and started only getting rebooted once a month. So when Microsoft indicated in this recent posting that “based on feedback from customers” they are making this change… I would challenge that statement. This is merely fixes to fix an operating system that by their own statement is getting a slow rollout to make sure that they find issues.
In fact this rollout is so slow, I have yet to see a 1607 Windows 10 machine that has received 1703 through Windows Update. Everyone I know who has received 1703 did so by requesting the update, either from the opt-in process, or through the ISO download process. Microsoft isn’t releasing the media to their Enterprise customers (the volume license version) until May 1st. So for businesses, we’re still being urged to hold back and not roll out the 1703 release until the operating system gets a few more fixes.
But bottom line, I don’t see this new announced patch as anything other than normal bug fixes for a recently released feature release. On my WSUS server I can opt to install them just like any other Windows 10 cumulative update. They include all fixes to date. But this newly announced change doesn’t change how I’m deploying Windows 10:
- I still have machines that I consider test machines on the latest feature release: currently 1703.
- I have my production machines on what is the current CBB release: Currently 1607.
- I have no machines on the original RTM version and if I had any computers on the 1511 version (the first feature update) I would be in the process of upgrading them to 1607.
So for me, this is business as the new usual with Windows 10: Expect any computer on a recently released feature update to be rebooted. A lot.
I posed a question to Niehaus on his blog about how this new approach differs from the Windows Insider “Release Preview” ring. He said:
The “Release Preview” Insider ring will get these same updates, but earlier in the process before they are published broadly to Windows Update, WSUS, and the Windows Update Catalog.
That’s the point where my head-scratching started drawing blood. I get that the Win10 updating cycle is different from the Win7/8.1 updating cycle. But I don’t see how the “new” Win10 updating cycle is substantially different from the old.
With Win7 and 8.1, we get:
- Monthly Security-only patches
- Cumulative Monthly Rollups
- Previews of the nonsecurity part of the next month’s Monthly Rollup
With Win10 we now get:
- Two levels of beta test versions (Insider Program Fast and Slow rings)
- Previews of the nonsecurity part of the next Cumulative Update (Insider Release Preview ring)
- Sporadic nonsecurity patches (which apparently contain the security part of the preceding cumulative update)
- Cumulative updates (which contain both the preceding nonsecurity patches and the latest security patches)
Could someone explain to me how we could make this any more complicated?
To me, KB 4016240—this week’s cumulative update for Win10 Creators Update and the first patch under the “new” regime—is essentially identical to KB 3176934, the third-week patch for Win10 Anniversary Update. If there’s something new, I don’t get it.
Microsoft desperately needs to simplify the patching process. We need something that doesn’t require a decoder ring, a secret handshake, and a Harry Potter incantation. Evanesco!
You should be able to explain Windows patching to a five-year-old. Or a CEO.
Tell me what I’ve missed on the AskWoody Lounge.