Aligning to Microsoft Standards for Update Classifications
We heard your feedback. In this blog post, we cover some changes to the way we set update classifications in our third-party software update catalog, and why we decided to make these changes based on our customers' feedback.
A Little Background on Software Update Classifications from Microsoft
First, we want to cover what update classifications are, how we classify updates in our catalog, and some of the changes we are making to better align with the Microsoft terminology for classifications.
Every software update in WSUS/ConfigMgr will be assigned to a Vendor/Product and have an Update Classification. There are currently nine types of classifications for software updates in Configuration Manager.
- Critical Updates | Definition: A widely released fix for a specific problem that addresses a critical, non-security-related bug.
- Definition Updates | Definition: A widely released and frequent software update that contains additions to a product’s definition database. Definition databases are often used to detect objects that have specific attributes, such as malicious code, phishing websites, or junk mail.
- Feature Packs | Definition: New product functionality that is first distributed outside the context of a product release and that is typically included in the next full product release.
- Security Updates | Definition: A widely released fix for a product-specific, security-related vulnerability. Security vulnerabilities are rated by their severity. The severity rating is indicated in the Microsoft security bulletin as critical, important, moderate, or low.
- Service Packs | Definition: A tested, cumulative set of all hotfixes, security updates, critical updates, and updates. Additionally, service packs may contain additional fixes for problems that are found internally since the release of the product. Service packs may also contain a limited number of customer-requested design changes or features.
- Tools | Definition: A utility or feature that helps complete a task or set of tasks.
- Update Rollups | Definition: A tested, cumulative set of hotfixes, security updates, critical updates, and updates that are packaged together for easy deployment. A rollup generally targets a specific area, such as security, or a component of a product, such as Internet Information Services (IIS).
- Updates | Definition: A widely released fix for a specific problem. An update addresses a noncritical, non-security-related bug.
- Upgrades | Definition: A feature upgrade for Windows 10.
How We Classified Updates in the Past and Why
When Configuration Manager synchronizes software updates from WSUS, only software updates assigned to an enabled classification will synchronize and show up in the Configuration Manager console.
When we initially started to author updates, we decided to classify all third-party software updates with the Security classification. We chose the Security classification because it's the most common classification enabled for synchronization in ConfigMgr/WSUS. Setting updates to the Security classification ensured that any third-party updates published from our catalog, regardless of whether they were Security Updates, Critical Updates, Updates, etc., would synchronize and be visible in Configuration Manager.
Why We are Changing the Classification to Best Match Each Update
We’ve received feedback that classifying all third-party software updates as Security Updates can skew software update compliance reporting when filtering on the Security classification. Based on customer feedback, we will now classify each third-party software update based on the vendor's release notes, aligning it with the closest matching update classification. We plan to utilize the following update classifications for our third-party software updates.
- Critical Updates | A widely released fix for a specific problem that addresses a critical, non-security-related bug.
- Security Updates | A widely released fix for a product-specific, security-related vulnerability. Security vulnerabilities are rated by their severity. The severity rating is indicated in the Microsoft security bulletin as critical, important, moderate, or low. If the vendor indicates a higher severity, we will use that instead.
- Updates | A widely released fix for a specific problem. An update addresses a noncritical, non-security-related bug.
- Update Rollups | The Update Rollups Classification will be used for migration updates such as JRE 6/7 to JRE 8 migration or Firefox to Firefox ESR migration.
What do These Changes Mean for You?
We believe this change is necessary and will provide a better experience for our customers by ensuring the update metadata is best aligned with the actual update type.
This change will have no impact on the publishing process you are performing today. When publishing third-party updates, you will want to ensure that the classifications corresponding to the third-party updates are enabled in the software update point.
If the classification isn’t enabled, the third-party software update will not sync into the Configuration Manager console until the classification is enabled in your software update point and another synchronization is performed.
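One way to check this before the catalog change lands, as an added example that is not part of our catalog tooling: the read-only script below reports which of the four classifications listed above are enabled for synchronization. It assumes it runs in an elevated session on the WSUS server behind the software update point, with the UpdateServices module installed and English classification titles.

```powershell
# Added example: report whether the four classifications this post says the
# catalog will use are enabled for synchronization. Read-only; changes nothing.
Import-Module UpdateServices

# Classification titles taken from the list in this post.
# Assumption: the WSUS server exposes English titles.
$required = 'Critical Updates', 'Security Updates', 'Updates', 'Update Rollups'

# Assumption: the script runs on the WSUS host, so no server name is passed.
$wsus = Get-WsusServer

# The subscription holds the classifications currently selected for sync.
$enabled = $wsus.GetSubscription().GetUpdateClassifications() |
    ForEach-Object { $_.Title }

$report = foreach ($name in $required) {
    [pscustomobject]@{
        Classification = $name
        Enabled        = $enabled -contains $name
    }
}
$report | Format-Table -AutoSize

# Flag anything that would keep reclassified third-party updates from syncing.
$missing = $report | Where-Object { -not $_.Enabled }
if ($missing) {
    Write-Warning ("Not enabled for sync: " + ($missing.Classification -join ', '))
}
```

In a Configuration Manager hierarchy, enable any missing classification in the software update point component properties rather than in WSUS directly, because Configuration Manager manages the WSUS subscription settings.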
When Will This Change Happen?
We plan to apply these metadata changes to all updates going forward as well as retroactively for updates released in the past. Since this is only a metadata change, updates can be republished/revised so the new software update classification will be reflected after the software update point synchronization in Configuration Manager. These metadata changes will be released in the October 22, 2018 catalog update.