Advanced Policy Package Targeting: Type (Windows)

Application

Typically, these are updates for Microsoft applications that are not part of the core Windows operating system.

Updates for Microsoft Office Products: This is a primary category. You'll see updates for various versions of Microsoft Office (e.g., Microsoft 365 Apps for enterprise, Office 2019, Office 2016, etc.). These updates can include:

  • Feature updates: Adding new functionalities or improving existing ones within Office applications (Word, Excel, PowerPoint, Outlook, etc.).
  • Non-security updates: Bug fixes, stability improvements, and performance enhancements for the Office suite and its individual applications.

Updates for Other Microsoft Desktop Applications: This can include updates for applications like:

  • Microsoft Teams (desktop client): Updates for the Teams application itself, separate from operating system components.
  • OneDrive (desktop client): Updates for the synchronization client.
  • Other Microsoft productivity or utility applications.

Language Packs for Applications: Updates related to language support for Microsoft applications might also be classified here.

Service Packs and Cumulative Updates for Applications: Major updates or rollups for Microsoft applications, similar to how the operating system receives them.


Connectors

These updates are related to integrating WSUS with other Microsoft services or features.

Here's a breakdown of what you can generally expect to find under the "Connectors" classification:

  • Windows Update for Business (WUfB) Deployment Service Updates: This is the most prominent type of update you'll likely see under "Connectors."
  • Microsoft Intune Integration Updates: If your organization uses Microsoft Intune for device management and you've integrated it with WSUS for update delivery in certain scenarios (like co-management), you might see updates related to this connector under this classification.


Critical Updates

These updates address critical, non-security bugs or issues in the Windows operating system or closely related Microsoft components. These are updates that Microsoft deems important enough to deploy widely because they resolve problems that could: 

  • Cause system instability: Leading to crashes, freezes, or unexpected reboots.
  • Prevent core functionalities from working correctly: Affecting essential features of the operating system.
  • Have a significant negative impact on user experience or productivity.
  • Potentially pave the way for security vulnerabilities if left unaddressed (though the vulnerability itself might be fixed by a "Security Update").


Definition Updates

Definition Updates are updates to definition databases, which are primarily used by security and anti-malware software to identify and detect malicious code, phishing websites, junk mail, and other threats.

The most common and prominent examples of updates that fall under the "Definition Updates" classification are:

  • Windows Defender Antivirus (or Microsoft Defender Antivirus) definition updates: These are the daily (or even multiple times a day) updates that allow Windows Defender to recognize the latest viruses, spyware, ransomware, and other forms of malware.
  • Microsoft Security Essentials definition updates: Similar to Windows Defender, these were for the standalone consumer anti-malware product.
  • Other Microsoft security product definitions: While less common, in the past, definitions for other Microsoft security products might have fallen under this category.

In essence, if you install "Definition Updates" you are ensuring that your managed client computers receive the latest threat intelligence for their built-in Microsoft security software. These are critical for maintaining up-to-date protection against evolving cyber threats.


Developer Kits

The "Developer Kits" classification is used for updates related to software development kits (SDKs), driver development kits (DDKs), assessment and deployment kits (ADKs), and other tools and resources specifically designed for software developers and IT professionals.

These updates are not typically intended for general end-user machines. Instead, they provide:

  • Updates to SDKs: For example, updates to the Windows SDK that developers use to create applications for Windows.
  • Updates to ADKs: The Windows Assessment and Deployment Kit, used by IT professionals for deploying, managing, and evaluating Windows installations. This often includes tools like the User State Migration Tool (USMT) and Windows Preinstallation Environment (Windows PE).
  • Updates to other development tools: This could include various utilities, debuggers (like WinDbg), and other components that aid in software development or advanced system administration.
  • Patches or improvements for these kits themselves: Ensuring the development environments are stable and up-to-date.

You would typically enable this classification only if you manage machines that are specifically used for software development, IT deployment, or advanced system analysis where these kits are installed and need to be kept current. Most standard corporate or end-user environments would not enable the "Developer Kits" classification, as it would download irrelevant and potentially large updates.


Feature Packs

The "Feature Packs" classification refers to new product functionality that is distributed outside of a full product release, but is typically intended to be included in the next major version or service pack of that product.


Here's a breakdown of what that means:

  • New Functionality: Unlike "Updates" (which fix bugs) or "Security Updates" (which address vulnerabilities), Feature Packs introduce new features, enhancements, or significant performance improvements.
  • Out-of-Cycle Release: They are released independently from the usual, larger product release cycles (like a full new version of Windows or a Service Pack).
  • Precursor to Next Major Release: The functionality introduced in a Feature Pack is generally rolled into the subsequent full product release. This allows Microsoft to deliver new capabilities sooner and gather feedback before they become a permanent part of the core product.
  • Examples:
    • Historically, Microsoft might release a Feature Pack for a specific version of Windows that includes new capabilities before the next major Windows release.
    • For applications, it could be a Feature Pack that adds significant new tools or UI elements to, say, a version of Office or a server product.
    • A prominent recent example would be the Windows 10 enablement packages. While often categorized under "Upgrades" or "Updates", the concept behind them is very much like a feature pack: a small package that "activates" already-present but dormant features from a newer version of Windows 10, bringing the OS to a new feature level without a full reinstallation.

Key takeaway for administrators:

You would typically use the "Feature Packs" classification if you intend to deploy these new functionalities to your managed systems. This is distinct from "Upgrades" which signify a full operating system version change (e.g., Windows 10 to Windows 11), though the line can sometimes blur with things like Windows 10 enablement packages. For most standard environments, careful consideration is needed before automatically installing Feature Packs, as they introduce changes that might require testing.


Guidance

The "Guidance" classification is somewhat of a historical or less commonly used category now, but it generally encompasses updates that provide:

  • Scripts: Automated routines or command-line tools.
  • Sample Code: Example programs or snippets to demonstrate functionality.
  • Technical Guidance: Documentation, best practices, or configuration templates.

These types of updates are designed to help IT professionals and developers in the deployment, configuration, or use of a specific Microsoft product or technology.

Unlike "Updates" that fix bugs, or "Security Updates" that address vulnerabilities, "Guidance" updates don't change the core functionality or security posture of a product. Instead, they provide supporting materials that can aid in managing or extending Microsoft technologies.

You would typically only use the "Guidance" classification if your organization specifically needs to distribute these kinds of administrative or development resources through your update infrastructure. For most standard production environments, it's usually left unused as it doesn't contain critical patches or direct product enhancements for end-users.


Security Updates

The "Security Updates" classification is one of the most critical and fundamental categories. It specifically refers to:

Broadly released updates for a product-specific, security-related vulnerability.

Here's a deeper dive into what that means:

  • Vulnerability Remediation: The primary purpose of a security update is to fix or patch a known security flaw or vulnerability in a Microsoft product (like Windows, Office, Exchange Server, SQL Server, etc.). These vulnerabilities, if exploited, could potentially allow attackers to gain unauthorized access, elevate privileges, execute arbitrary code, or cause denial-of-service.
  • Severity Ratings: Microsoft assesses the severity of these vulnerabilities, and the security updates addressing them are often rated in accompanying Microsoft Security Bulletins (now largely superseded by the Security Update Guide) as:
    • Critical: Exploitation could allow automatic propagation (e.g., worms) or remote code execution without user interaction.
    • Important: Exploitation could result in compromise of the confidentiality, integrity, or availability of user data, or of the integrity or availability of processing resources.
    • Moderate: Exploitation is more difficult, or the impact is less severe.
    • Low: Exploitation is extremely difficult, or the impact is minimal.
    WSUS will download updates regardless of their severity rating within this classification.
  • Regular Release (Patch Tuesday): A large number of Security Updates are typically released by Microsoft on the second Tuesday of each month, commonly known as "Patch Tuesday."
  • Out-of-Band Releases: Occasionally, if a particularly severe or actively exploited vulnerability is discovered, Microsoft may release an "out-of-band" security update outside of the regular Patch Tuesday schedule to address the critical threat immediately.
  • Cumulative Nature (especially for Windows): For modern Windows versions (Windows 10, Windows 11, Windows Server 2016+), security updates are often part of a larger cumulative update. This means a single monthly update package includes all previous security fixes and often other bug fixes (classified as "Updates" or "Critical Updates") for that month. However, the "Security Updates" classification remains distinct so that you can specifically deploy updates primarily focused on security.

For administrators, installing "Security Updates" is generally considered a mandatory and high-priority action to protect systems from known vulnerabilities. Most organizations have policies to automatically install Security Updates due to their critical nature in maintaining a secure computing environment.


Service Packs

The "Service Packs" classification refers to a comprehensive, cumulative set of updates for a particular Microsoft product.

Here's a detailed breakdown:

  • Cumulative Nature: A Service Pack bundles together all of the following that have been released for a specific product since its original release or since the last Service Pack:
    • Hotfixes (small, targeted fixes for specific bugs)
    • Security Updates (fixes for security vulnerabilities)
    • Critical Updates (fixes for critical, but non-security-related bugs)
    • General Updates (fixes for non-critical, non-security-related problems)
  • Internal Fixes: Service Packs may also include additional fixes for problems that Microsoft found internally, which were not necessarily released as individual hotfixes.
  • Customer-Requested Changes/Features: Sometimes, Service Packs might incorporate a limited number of customer-requested design changes or minor new features.
  • Major Milestone: Service Packs typically represent a significant milestone in a product's lifecycle. Installing a Service Pack brings the software up to a well-tested, consistent state.
  • Examples:
    • Historically, major versions of Windows (like Windows XP, Windows 7, Windows Server 2008 R2) received Service Packs (e.g., Windows 7 Service Pack 1).
    • Older versions of Microsoft Office (e.g., Office 2010 Service Pack 2) or other Microsoft server products also received Service Packs.

Important Note on Modern Windows (Windows 10/11 and newer Server OS):

With the advent of Windows 10's "Windows as a Service" model, the concept of traditional "Service Packs" has largely been replaced by Feature Updates (classified as "Upgrades") and Cumulative Updates (which bundle all monthly fixes). You won't see "Service Packs" for Windows 10, Windows 11, or Windows Server 2016 and newer in the same way you did for older operating systems.

However, the "Service Packs" classification still exists primarily for:

  • Managing older Microsoft operating systems (e.g., Windows 7, Windows Server 2008 R2, Windows Server 2012/2012 R2) that are still in use and may require their final Service Packs.
  • Older versions of other Microsoft products (like Office, SQL Server, Exchange) that might still release or have had Service Packs.

For administrators, installing "Service Packs" is usually a significant deployment event, requiring thorough testing, as they represent substantial changes to the software.


Tools

The "Tools" classification is designated for utilities or features that help to complete one or more tasks.

Essentially, these are updates for various standalone or integrated tools provided by Microsoft that assist with:

  • System Administration: Utilities for managing Windows, networks, or other Microsoft products.
  • Diagnostics and Troubleshooting: Tools designed to help identify and resolve issues with the operating system or applications.
  • Deployment and Configuration: Utilities that aid in the deployment of software or the configuration of system settings.

Examples of updates you might find under "Tools":

  • Microsoft Support Diagnostic Tool (MSDT) updates: While MSDT itself is often built into Windows, specific diagnostic packages or updates related to its functionality might fall here.
  • Updates to various administrative command-line utilities: If Microsoft releases an update to a specific cmd or PowerShell utility that's not part of a larger component.
  • Updates to specific feature components that are considered "tools" rather than core OS functionality: This could include things like the Windows Malicious Software Removal Tool (MSRT), though MSRT is sometimes also categorized under "Update Rollups" or even just "Updates" due to its broad distribution. Historically, it was a common example in "Tools."
  • Updates for smaller, standalone utilities that facilitate management or troubleshooting within a Microsoft ecosystem.

Similar to "Guidance" and "Developer Kits," the "Tools" classification is often not installed automatically by most organizations for general endpoints. These updates are typically intended for IT administrators, help desk personnel, or specific systems that require these specialized utilities, rather than for the average end-user PC.


Update Rollups

"Update Rollups" refer to cumulative sets of hotfixes that are packaged together for easy deployment.

Here's a breakdown of what that typically includes:

  • Cumulative Nature: Similar to Service Packs (but generally smaller in scope and less comprehensive), an Update Rollup combines several individual fixes into a single package.
  • Variety of Fixes: These hotfixes can include:
    • Security updates: Patches for security vulnerabilities.
    • Critical updates: Fixes for critical, non-security-related bugs.
    • Updates: Fixes for non-critical, non-security-related bugs.
    • Hotfixes: Specific fixes for particular issues.
  • Targeted Area: An Update Rollup generally addresses a specific area, component, or product. For example, you might see an Update Rollup for a particular version of Internet Information Services (IIS), SQL Server, or a specific set of functionality within an operating system.
  • Streamlined Deployment: The primary benefit of an Update Rollup is to simplify deployment. Instead of installing many individual hotfixes, you can deploy one package that contains them all, reducing the number of reboots and the complexity of patching.

Evolution and Modern Context:

With the "Windows as a Service" model (Windows 10, Windows 11, and newer Windows Server versions), the concept of separate "Update Rollups" has largely converged into Monthly Quality Rollups (also known as Cumulative Updates).

  • Monthly Quality Rollups / Cumulative Updates: These are now the standard for modern Windows. They include all security and non-security fixes from previous months, meaning installing the latest cumulative update brings the system fully up to date with all past fixes for that specific version of the OS. These are typically classified under the "Updates" or "Security Updates" classifications in WSUS, depending on whether they contain security fixes that month (which they almost always do).
  • "Update Rollups" Classification for Older Systems: The "Update Rollups" classification still exists in WSUS primarily to manage updates for older operating systems (like Windows 7, Windows 8.1, Windows Server 2008 R2, Windows Server 2012/2012 R2) that were still using this patching model before the shift to fully cumulative updates. You might also find them for certain older Microsoft applications or server roles that haven't fully transitioned to the cumulative model.

In summary, if you're managing modern Windows clients (Windows 10/11) and servers (2016+), most of the "rollup" functionality you need will come through the "Updates" or "Security Updates" classifications as part of the monthly cumulative updates. The "Update Rollups" classification is more relevant for managing legacy Microsoft products.


Updates

The "Updates" classification is a broad category that covers widely released fixes for specific problems that address non-critical, non-security-related bugs.

Essentially, if a fix doesn't fall into a more specific, high-priority category like "Security Updates" or "Critical Updates," it often lands here.

Here's a breakdown of what "Updates" typically includes:

  • Non-Critical Bug Fixes: These are patches for issues that cause minor inconveniences, incorrect behavior, or performance glitches that are not severe enough to be classified as "Critical."
  • Non-Security Related: Importantly, these updates do not address security vulnerabilities. If they did, they would be classified as "Security Updates."
  • Feature Enhancements (minor): Occasionally, "Updates" might include very minor enhancements or changes that aren't significant enough to warrant a "Feature Pack" or "Upgrade" classification.
  • Examples:
    • A fix for a display issue in a specific application.
    • An improvement to a background process that was consuming slightly too much memory.
    • A patch for a minor compatibility problem with certain hardware or software.

Modern Context for "Updates" (Windows 10/11 and newer Server OS):

For modern Windows operating systems, the distinction of "Updates" as separate non-security fixes is often bundled into the Monthly Quality Rollups (also known as Cumulative Updates).

  • Each month, Microsoft releases a cumulative update that includes all the security fixes from that month, plus all the non-security bug fixes (what would traditionally be classified as "Updates" or "Critical Updates") from that month and all previous months.
  • Therefore, if you're managing Windows 10/11 or Windows Server 2016/2019/2022, installing the latest cumulative update (which will likely appear under the "Security Updates" classification due to its primary purpose) will generally encompass all the "Updates" for that month as well.

In summary: While "Updates" specifically refers to non-critical, non-security bug fixes, in practice for modern Windows environments, these are usually delivered as part of the larger cumulative update packages. However, the classification remains for filtering and for managing older Microsoft products that might still release individual "Updates."


Upgrades

The "Upgrades" classification specifically deals with major new versions of the Windows operating system.

Think of "Upgrades" as the mechanism for moving a system from one major Windows version or feature release to another.

Here's what falls under this classification:

  • Windows 10 Feature Updates: These are the semi-annual (or now annual) updates for Windows 10 that introduce significant new features, visual changes, and underlying platform improvements. For example, upgrading from Windows 10 version 21H2 to 22H2. While often called "feature updates," they are classified as "Upgrades".
  • Windows 11 Feature Updates: Similar to Windows 10, these are the annual feature updates for Windows 11 (e.g., upgrading from Windows 11 version 22H2 to 23H2).
  • Operating System Upgrades: This classification would also cover direct upgrades between different major OS versions, such as:
    • Windows 10 to Windows 11.
    • Potentially, future major upgrades for Windows Server (though server upgrades often involve more manual processes or dedicated deployment tools like SCCM).

Key characteristics of "Upgrades":

  • Large Download Size: These are significant updates, often several gigabytes in size, as they contain a large portion of the new operating system files.
  • Feature-Rich: They introduce new functionalities, user interface changes, and significant underlying architectural improvements.
  • Installation Time: They typically require a longer installation time and multiple reboots compared to regular monthly quality updates.
  • Hardware and Software Compatibility Checks: Before deploying, systems will undergo compatibility checks to ensure they meet the minimum requirements for the new OS version.

For administrators, managing "Upgrades" is a critical task for keeping operating systems current. Due to their size and the significant changes they introduce, "Upgrades" are almost never set for automatic installation and require careful planning, testing, and phased deployment in enterprise environments. 
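
The script below is an added example, not part of the original article or of any product it describes. It reads pending updates from the Windows Update Agent COM API, extracts each update's classification, and sorts the updates into rollout tiers. The tier names, the mapping table and the sample data are assumptions made for illustration, based on the deployment guidance in the sections above.

```powershell
# Tier per classification. Tier names and this mapping are assumptions of the example,
# taken from the deployment guidance in the sections above.
$RolloutTier = @{
    'Security Updates'   = 'Automatic'   # "mandatory and high-priority"
    'Definition Updates' = 'Automatic'   # keeps anti-malware threat intelligence current
    'Critical Updates'   = 'Automatic'   # deemed important enough to deploy widely
    'Feature Packs'      = 'TestFirst'   # new functionality, may require testing
    'Service Packs'      = 'TestFirst'   # significant deployment event
    'Upgrades'           = 'TestFirst'   # planned, phased deployment
    'Developer Kits'     = 'OptIn'       # development and deployment machines only
    'Guidance'           = 'OptIn'       # supporting material, no product changes
    'Tools'              = 'OptIn'       # administrator and help desk systems
}

function Get-PendingUpdate {
    # Query the Windows Update Agent for applicable updates that are not yet installed.
    $session  = New-Object -ComObject Microsoft.Update.Session
    $searcher = $session.CreateUpdateSearcher()
    foreach ($u in $searcher.Search('IsInstalled=0 and IsHidden=0').Updates) {
        # An update has several categories (product, family, ...); keep the classification.
        $class = @($u.Categories | Where-Object { $_.Type -eq 'UpdateClassification' })
        [pscustomobject]@{
            Title          = $u.Title
            Classification = if ($class.Count) { $class[0].Name } else { '' }
            Severity       = $u.MsrcSeverity   # Critical, Important, Moderate, Low, or empty
        }
    }
}

function Get-RolloutPlan {
    param([Parameter(Mandatory)][AllowEmptyCollection()][object[]]$Update)
    foreach ($u in $Update) {
        $name = [string]$u.Classification
        # Anything not listed (Updates, Update Rollups, localized names) is reviewed by hand.
        $tier = if ($RolloutTier.ContainsKey($name)) { $RolloutTier[$name] } else { 'Review' }
        [pscustomobject]@{
            Tier           = $tier
            Classification = $name
            Severity       = $u.Severity
            Title          = $u.Title
        }
    }
}

# Constructed sample input; titles and KB numbers are placeholders, not real updates.
$sample = @(
    [pscustomobject]@{ Title = 'Sample cumulative update (KB0000001)';   Classification = 'Security Updates';   Severity = 'Critical' }
    [pscustomobject]@{ Title = 'Sample antivirus definitions (KB0000002)'; Classification = 'Definition Updates'; Severity = '' }
    [pscustomobject]@{ Title = 'Sample feature update (KB0000003)';      Classification = 'Upgrades';           Severity = '' }
    [pscustomobject]@{ Title = 'Sample deployment kit patch (KB0000004)'; Classification = 'Developer Kits';     Severity = '' }
    [pscustomobject]@{ Title = 'Sample display fix (KB0000005)';         Classification = 'Updates';            Severity = '' }
)

$pending = $sample            # to scan this machine instead: $pending = @(Get-PendingUpdate)
Get-RolloutPlan -Update $pending |
    Sort-Object Tier, Classification |
    Format-Table -AutoSize
```

Classification names returned by the Windows Update Agent are display names and can be localized, which is why unmatched names fall into the Review tier instead of being skipped.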
