- Which WSUS products to select for Windows 11? - Tue, Sep 26 2023
- Activate BitLocker with manage-bde, PowerShell, or WMI - Wed, Sep 20 2023
- Join Azure Active Directory with Windows 11 - Tue, Sep 12 2023
The problem with both the products and the classifications is that you won't get all the updates you need if you check too few boxes. On the other hand, if you select too many, WSUS will transfer tons of entries into the database.
When you select the classifications, it is important to remember that they apply to all products, even if they are not available for every single product. For example, it is well known that there have been no service packs for Windows for many years, so you don't have to subscribe to them for the operating system, but you might need them for other products.
List of update classifications available in WSUS
Security updates
Checking security updates is a no-brainer. This category includes the cumulative updates released every second Tuesday of the month (B releases). This channel is also used to receive out-of-band patches that close critical security gaps.
Upgrades
Feature updates for Windows are offered under this classification. Since the WSUS products don't allow you to specify editions and hardware platforms, you also get the updates for the consumer versions and for x86 32-bit Windows 10 here.
Upgrades can comprise full feature updates if you want to skip multiple releases or upgrade the PCs to Windows 11. However, the direct upgrade to the next version is now done via enablement packages, which can also be obtained here.
Updates and critical updates
At first glance, both classifications make sense, even if it is not entirely clear which updates from Microsoft's service model fit here. All security-related updates and upgrades have already been assigned to the above two classifications. And Microsoft doesn't deliver the previews for optional quality updates over WSUS.
If you create your own update views for these two classifications in the WSUS console, you will see that not a single critical update has been released since Windows 10 1903.
In the case of updates, on the other hand, the delivery of cumulative updates for the .NET Framework stopped in November 2021. Until 2020, Microsoft also shipped the Chromium-based Edge browser through this channel before setting it up as its own product.
Nothing has appeared under Updates for Windows 10 since 2021 Windows 11 is not represented here
Since optional updates for improving system stability are now also included in the monthly B release, it is unlikely that much will happen with these two classifications. If it's only about Windows 10 and 11, then you don't need them, but you can't go wrong with them. However, other products, such as Windows Server 2012 or Edge, will still receive updates here.
Definition updates
The newest signatures for the virus scanner appear under this classification. Even if you get the updates for Windows from WSUS, you can define different sources from which to obtain the definitions for Microsoft Defender. Microsoft has its own group policy for this.
Feature packs and tools
Prior to Windows 10 1903, Microsoft delivered updates for the .NET Framework and language packs under Feature Packs. However, if you set up an update view for Windows 10 version 1903 and later, Windows 11 and Feature Packs in the WSUS console, you won't find anything there.
The same applies to the classification Tools. No updates have appeared here for a long time, either. Microsoft prefers to ship add-on products via the store; the same applies to language packs.
Update rollups
If you filter the updates by Windows 10 version 1903 and later, Windows 11 and update rollups, you can see that Microsoft uses this classification to distribute the malicious software removal tool. If you want to use this tool, then you need this classification.
For Windows 10 and 11 only new versions of the Malicious Software Removal Tool currently appear under the rollups
Driver and driver sets
In general, it is recommended that these classifications be avoided because they add a huge number of outdated drivers to the system.
Preview for optional, non-security updates
Microsoft releases a preview of non-security optional updates in the fourth week of each month (D release). These are also cumulative and are partially included in the security update for the following month. Admins can use them to test their system for possible compatibility issues with certain updates.
The cumulative update previews can be downloaded from the Update Catalog and imported into WSUS if required
They are classified as Updates in the Update Catalog, but they are not available in WSUS. Alternatively, you can get them by explicitly clicking the Check for Update button in the Settings app.
Conclusion
Microsoft's classification system has grown over the years without sufficient coordination between the product teams. Those who maintain the Windows updates often don't seem to know into which category certain patches fit, and they keep changing the assignments (e.g., for .NET or Edge).
Some classifications are now irrelevant for Windows. In any case, you should select security and definition updates, upgrades, and update rollups.
Subscribe to 4sysops newsletter!
It has been a long time since there have been any updates under Important Updates, Updates, Tools and Service and Feature Packs. Although the monthly previews for optional updates are classified as updates, they do not appear in WSUS.
Thank you for confirming that I am not going crazy, the WSUS classification system really is a mess.