Microsoft adds another option to its complex Windows 10 patching story

IT pros, take notice: Microsoft is adding yet another set of Windows 10 Cumulative Updates -- ones that don't include security fixes -- to its patching mix.
Written by Mary Jo Foley, Senior Contributing Editor

Microsoft is adding another wrinkle to its already complex Windows as a Service strategy.


Microsoft is planning to make one or more additional Cumulative Updates available to Windows 10, starting with the Creators Update (aka Windows 10 1703). Because these Cumulative Updates won't include security fixes, they will be categorized as "Updates" in Configuration Manager and Windows Server Update Services (WSUS), according to Microsoft in an April 24 blog post. Additionally, Microsoft officials caution that the company "may occasionally identify non-security fixes that address more critical issues" which will be labeled as "Critical Updates."

Windows for Business users won't have any of these new Updates or Critical Updates installed on any devices that have been marked to defer quality updates, the post notes.

With this new addition of non-security updates to the mix, administrators have several options for dealing with them, according to Microsoft officials. They can deploy them on Patch Tuesday; deploy them only to a subset of devices for testing or to devices experiencing issues before the updates are included in the following Patch Tuesday cumulative updates; or not deploy them at all when they're released, since they will automatically be included in the following Patch Tuesday's cumulative update.

Best I can tell from reading this post, Microsoft will continue to provide, on Patch Tuesday, Windows 10 Cumulative Updates that include both security and non-security fixes. (I've asked Microsoft just to be sure; no word back yet.) These combined security and non-security Cumulative Updates will be designated as "Security Updates" in Configuration Manager and WSUS.

I'm not really clear on why Microsoft is adding these new non-security updates to its patching mix. Microsoft's official reason is it's for "increased flexibility."

Microsoft already has instituted a patch-rollup system for Windows 7, 8.1, and Server 2008/2012 machines that separates security and non-security updates.

Any IT pros out there see value in the addition of these Windows 10 non-security Cumulative Updates?

In related news, just a reminder that Microsoft won't be updating the original Windows 10 release (aka 1507, released in July 2015) after May 9, 2017.

Update (April 26): In the comments to yesterday's blog post, author Michael Niehaus shared some more information about how this will work and why Microsoft is doing this.

He said releasing the non-security updates separately, a couple of weeks before Patch Tuesday, will give IT the chance to validate these fixes ahead of Patch Tuesday's Cumulative Update package, which will include the same fixes.

He noted that the "Release Preview" Insider ring gets these same updates, but earlier than they are pushed to Windows Update, WSUS and the Windows Update Catalog.

Niehaus said that the Cumulative Update for Windows 10 1703 (KB4016240), which Microsoft released on April 25, was the first of these non-security Cumulative Updates. He also said that currently, these new non-security updates are for Windows 10 1703 only, but Microsoft is considering doing something similar for other Windows releases "at some point in the future."
