Windows 7, 8.1 to Adopt “Monthly Rollup” Patch Model

Windows 7 and Windows 8.1 users who miss their security updates for a month or longer will soon be able to install a single “Monthly Rollup” package to get both the missed and current software patches. The new patching method will be available starting in October.

Microsoft is planning various other changes to the update process on Windows computers, in an attempt to make the process more user friendly and less time consuming than before. Also starting in October 2016, Microsoft will release a single Security-only update for Windows each month, to deliver all of the security patches for a month in a single package.

For years, Microsoft has been releasing security patches for its products, Windows included, on the second Tuesday of each month. Because not all users have time to install these patches when they arrive, sometimes computers would miss tens or hundreds of them, making the update process long and complicated.

As Microsoft is moving to a monthly rollup model for the older operating system releases, multiple patches will be rolled up in a single update and users will need to download and install a single package to get the latest patches. This change brings Windows 7 and Windows 8.1 in line with the Windows 10 security update model, while also making users’ lives easier.

“Historically, we have released individual patches for these platforms, which allowed you to be selective with the updates you deployed. This resulted in fragmentation where different PCs could have a different set of updates installed leading to multiple potential problems,” Microsoft’s Nathan Mercer notes.

Because of this fragmentation, users experienced sync and dependency errors and lower update quality, while the testing complexity increased for enterprises. Scan times also increased, and finding and applying the right patches became challenging, Mercer notes. What’s more, some customers had difficulty proactively finding and applying patches that had already been released, but with limited distribution.

The rollup model will ensure that all supported versions of Windows follow a similar update servicing model, while also leaving customers with fewer updates to manage and higher quality updates. Windows’ overall reliability will also improve, while getting the current security updates will be easier with only one rollup update required, because each Monthly Rollup will include the previously released ones as well.

“From October 2016 onwards, Windows will release a single Monthly Rollup that addresses both security issues and reliability issues in a single update. The Monthly Rollup will be published to Windows Update (WU), WSUS, SCCM, and the Microsoft Update Catalog. Each month’s rollup will supersede the previous month’s rollup, so there will always be only one update required for your Windows PCs to get current,” Microsoft explains.

Over time, Microsoft also plans to proactively add previously released patches to the Monthly Rollup, so that all of the security patches released in the past are included in these rollup updates. Once the Monthly Rollup becomes fully cumulative, users will only need to install the latest rollup to be up to date.

Another major change coming in October is the move to a single Security-only update, which will collect all of the security patches for that month in a single package. Only the new security patches will be included in this update, but the new model eliminates the use of individual patches. However, these Security-only updates won’t be published to Windows Update, but instead will be available to download and deploy from WSUS, SCCM, and the Microsoft Update Catalog.
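
The coverage rule that follows from the two update types described above, as an added example (not code from Microsoft or from the original article): a Monthly Rollup covers its own month and every earlier month back to October 2016, while a Security-only update covers only its own month. The function name `Get-MissingSecurityMonths`, the machine names and the inventory records are hypothetical, constructed sample data.

```powershell
# Added example: which months' security fixes a machine lacks under the
# servicing model that starts in October 2016.
# Assumption: each installed update is recorded as a type plus release month;
# the records below are constructed and are not real KB identifiers.

function Get-MissingSecurityMonths {
    param(
        [Parameter(Mandatory=$true)] [object[]] $Installed,    # objects with Type, Month
        [Parameter(Mandatory=$true)] [datetime] $CurrentMonth
    )
    $start = [datetime]'2016-10-01'   # first month of the new model

    # The newest Monthly Rollup supersedes all earlier ones, so it alone
    # covers every month from $start up to its own release month.
    $latestRollup = $Installed |
        Where-Object { $_.Type -eq 'MonthlyRollup' } |
        Sort-Object Month -Descending |
        Select-Object -First 1

    # Security-only updates are not cumulative: each covers one month only.
    $securityOnly = @($Installed |
        Where-Object { $_.Type -eq 'SecurityOnly' } |
        ForEach-Object { $_.Month.ToString('yyyy-MM') })

    $missing = @()
    for ($m = $start; $m -le $CurrentMonth; $m = $m.AddMonths(1)) {
        $byRollup  = $latestRollup -and ($m -le $latestRollup.Month)
        $bySecOnly = $securityOnly -contains $m.ToString('yyyy-MM')
        if (-not ($byRollup -or $bySecOnly)) { $missing += $m.ToString('yyyy-MM') }
    }
    $missing
}

# Constructed inventories for three machines, evaluated for January 2017.
$now = [datetime]'2017-01-01'
$machines = @{
    'PC-A' = @([pscustomobject]@{ Type='MonthlyRollup'; Month=[datetime]'2017-01-01' })
    'PC-B' = @([pscustomobject]@{ Type='SecurityOnly';  Month=[datetime]'2016-10-01' },
               [pscustomobject]@{ Type='SecurityOnly';  Month=[datetime]'2017-01-01' })
    'PC-C' = @([pscustomobject]@{ Type='MonthlyRollup'; Month=[datetime]'2016-11-01' },
               [pscustomobject]@{ Type='SecurityOnly';  Month=[datetime]'2017-01-01' })
}
foreach ($name in ($machines.Keys | Sort-Object)) {
    $gaps = @(Get-MissingSecurityMonths -Installed $machines[$name] -CurrentMonth $now)
    '{0}: missing {1}' -f $name, $(if ($gaps) { $gaps -join ', ' } else { 'none' })
}
```

A machine that skips a single Security-only release keeps that gap until the missing month is installed or a later Monthly Rollup is applied, which is the case PC-B and PC-C illustrate.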

Microsoft is also updating the “down-level documentation to provide consolidated release notes with the Rollups for all supported versions of Windows,” which should bring consistency to the release notes model the company has introduced with Windows 10. Release notes will be provided for both monthly rollup updates and for security-only updates coming out starting with October 2016, the company says.

The .NET Framework will adopt the Monthly Rollup model as well, and the monthly release will be known as the .NET Framework Monthly Rollup. It will include both security and reliability updates to all versions of the .NET Framework in a single monthly update. These updates will be applied only to the .NET Framework versions installed on users’ machines and will not automatically upgrade the base version of the .NET Framework that is installed.

A .NET Framework security-only update will also be released on Microsoft Update Catalog and Windows Server Update Services every month, the company says. What’s more, Microsoft is updating the Microsoft Update Catalog website to remove the ActiveX requirement, meaning that it will work with any browser, a major shift from the current mode, where the website requires the use of Internet Explorer.
