Patching with Windows Server 2016
Patching with Windows Server 2016
There are exciting changes in Windows Server 2016 which simplifies and streamlines patching. I think you will find Windows Server 2016 will be easier to maintain and help reduce OpEx costs. Let's discuss some of these key changes.
Update Consolidation
In Windows Server 2016 the sea of updates has been streamlined and simplified into a single package. All updates released over a given month will be rolled up in a single package. This will remove the guess work and burden to sort through the large number of hot-fixes released through the breadth of different channels trying to identify the ones you need. It will also simplify the test matrix, making your internal verification processes easier as well as increasing quality by ensuring all changes are verified together to confirm interoperability.
Cumulative
The complexity and uncertainty of trying to figure out which updates you may have installed or missed is gone with Windows Server 2016. The monthly packages are cumulative, meaning they will include all previous updates. When you install a new server, no more having to install a long list of updates. If you have the latest monthly update installed, you have all the updates you need... it's just that simple!
Predictable Cadence
On the second Tuesday of each month (aka. Patch Tuesday) during the mainstream support phase a cumulative update which includes new security and quality fixes will be released for Windows Server 2016. Being cumulative this update will include all the previously released security and quality fixes.
In the second half of each month (generally the 3rd week of the month) a quality update will be released for Windows Server 2016. Like all updates, this update is cumulative and includes all quality and security fixes shipped prior to this release. This quality update is ideal for deployment into test environments to get pre-validation prior to adopting the Patch Tuesday update. As an example, our own MSIT's patch management strategy is to deploy the quality update in their lab and let it run for a few weeks, then deploy the Patch Tuesday update once released. Another scenario is if you have a known issue and want access to the update sooner. The quality update will be available on the Microsoft Update Catalog.
Having a predictable cadence for when you can expect updates, enables you to build regular update maintenance and deployment processes. Being able to plan ahead will simplify and streamline your ability to manage Windows Server.
Proactive Patch Discovery
Windows Server 2016 will help you keep it up to date better than it has ever before. Automatic Updates (AU) is enabled by default on Windows Server 2016 and configured to:
Download updates for me, but let me choose when to install them
Windows Server will automatically check Windows Update or a Windows Server Update Services (WSUS) for any relevant updates, and when it finds updates they will be downloaded and you will be notified that there are updates ready to be applied. Updates will not be installed and servers will not be rebooted automatically, as avoiding production downtime is critical for a server. You control scheduling a maintenance window and installing the updates when it is best for your business. The key improvement is that Windows Update will automatically check and proactively notify you when there are updates you should apply. This helps you get the fixes before you encounter issues and avoid downtime before it ever happens.
For customers who prefer the behavior of previous releases Automatic Updates can be easily configured, including being disabled with group policies.
Additionally, there is now a single location where the release history of all updates for Windows Server 2016 can be found. No more wandering the internet!
https://support.microsoft.com/en-us/help/4000825
Key Takeaways
Windows Server 2016 will reduce costs by delivering:
- Predicable monthly update cadence you can plan for
- Fewer updates to manage
- Cumulative updates that have everything you need
- Proactive notification of updates before they cause downtime
- Simplified test matrix and streamlined verification process
In Windows Server 2016 you will be able to build a simple maintenance plan: One update... once a month... That's it!
Written by: Elden Christensen, Microsoft
Comments
- Anonymous
October 26, 2016
What happens when a single cumulative update causes a problem with a server application. What are the contingency plans to get the security updates to those users as soon as possible? What is MS commitment to its corporate users? - Anonymous
October 27, 2016
I have mixed feelings about this approach. What about zero-day vulnerability patches, they will need to wait one month ?This is ok for Desktop OS, but enterprise system are different. I prefer specialized solution over universal that fit all but are not so good in many situations. I am ok with CBB update model for Home users, but LTSB is must have for Enterprise (Desktop and Systems). - Anonymous
December 12, 2016
I'm late to this party, but yes, I agree with the two prior comments. This has bad news written all over it. A business with even a policy that even remotely resembles maintaining a secure environment will be running security patches asap. Not once a month.When you can tout only needing to update once a month because nobody's finding more vulnerabilities (I'm looking at you, devs) and they're all just QOL updates, then this will be good news.Until then, a little more focus on providing secure software and a little less focus on making it more secure would be good. It's 2016, secure coding practices should be second nature by now. Yet on a daily/weekly basis, new vulnerabilities are discovered. - Anonymous
January 02, 2017
The comment has been removed - Anonymous
January 26, 2017
The comment has been removed- Anonymous
January 26, 2017
You should only need a connection to the network on which the WSUS server is connected to.- Anonymous
January 26, 2017
That's what I assumed as well, but unfortunately it is not working that way. Without an internet connection the "Checking for updates" process errors out with "We couldn't connect to the update service. We'll try again later, or you can check now. If it still doesn't work, make sure you're connected to the Internet." I'm not expecting you to troubleshoot this for me, just confirming whether this is expected behavior. I should also mention this is our first server 2016; we have thirty server 2012R2 & 2008R2 that have been updating fine for years.- Anonymous
February 06, 2017
Like Amos, I am also unable to check for updates without internet connection. With internet enabled, I can see in the logs that it attempts to connect to the MS site to check for the updates "ProtocolTalker ServiceId = {9482F4B4-E343-43B6-B170-9A65BC822C77}, Server URL = https://fe2.update.microsoft.com/v6/ClientWebService/client.asmx".Downloading is done thought WSUS which is fine, but is this an expected behavior when it comes to checking for updates?
- Anonymous
- Anonymous
- Anonymous
- Anonymous
January 28, 2017
Nonsense. I do not find a program or app, which hears on the name 'update'. So I do not know, if the update worked at all. You can not leave medium experienced users completely alone. If I key in Update, there should be a better response than: No answer found. - Anonymous
February 14, 2017
We have 2012R2 WSUS server. Will that be fully capable to patch 2016 Servers/systems? We are just starting our rollout to 2016. In the past we found we had issues with our 2008 WSUS server patching 2012R2 Servers/systems , where we could not get all patches for 2012R2 systems until we replaced our 2008WUSS server with 2012R2 WSUS.- Anonymous
February 21, 2017
For the richest possible driver management and the smoothest feature update experience, then Windows Server 2016 is recommended, but certainly Windows Server 2012R2 will do the job.
- Anonymous
- Anonymous
February 15, 2017
The comment has been removed - Anonymous
February 17, 2017
The comment has been removed - Anonymous
February 22, 2017
I'm amazed at Microsoft's arrogance to think any of this is acceptable to corporate customers. It comes down to taking no updates at all or taking whatever Microsoft shoves down companies throats. No updates, or no control over production servers - or setting up even further Microsoft complication with WSUS. And of course it does not work at all with our automated roll-out tools. None of those alternatives are acceptable. SO after months of debate and gnashing of teeth it has been decided we will convert our 2,600+ servers to Linux, except for 8-10 needed by management. It's a better platform for Apple support anyway. And we're not the only company to make the switch. Microsoft is obviously abandoning corporate customers in favor of their "one size fits all, take it or leave it" mentality. - Anonymous
March 14, 2017
Removes the guess work with updates? Recent years of MS patches surely has shown that it means you'll get 1 bad apple in the basket of patches you might need, ruining all the apples, instead of being able to selectively install the updates that -work- and avoiding the broken patches until MS reissue a fixed version. - Anonymous
March 29, 2017
How would you go about updating Windows Server 2016 that is offline and not intended for internet access.