Woody Leonhard's no-bull news, tips and help for Windows, Office and more… Please disable your ad blocker – our (polite!) ads help keep AskWoody going!
Home icon Home icon Home icon Email icon RSS icon
  • Time to install Creators Update?

    Posted on April 26th, 2017 at 14:26 woody Comment on the AskWoody Lounge

    I’ve received many questions like this, from MT:

    I am currently on Version 1607 (Build 14393.953). Some time ago I enabled
    “Defer Windows Updates” per your instructions. Each month since then I have
    waited for your indication that it was ok to update. But now that the
    Creators Update is out, I am confused about how this will work.

    If I disable “Defer Windows Updates” and then I then run Windows Update,
    won’t I get the Creators Update installed?

    Or will it show up when I run wushowhide the second time? Thus giving me a
    chance to hide it.

    Thank you.

    Your best bet is to wait until Creators Update is declared “Current Branch for Business” – likely a couple months away.

    If you disable “Defer Windows Update,” you may or may not get Creators Update. At this point only 10% of Anniversary Update users have been upgraded to Creators Update, and Microsoft’s controlling the rollout closely.

    The easiest approach, if you’re using Win10 Pro, is to set Defer Windows Update. In Win10 Home, the options aren’t as easy.

    http://www.infoworld.com/article/3188869/microsoft-windows/todays-the-day-to-block-windows-10-creators-update.html

    If you’ve turned off all updating, via a metered connection, you’ll have to switch updating back on (perhaps turn off metered connection) before this month’s patches will appear.

  • More on DoublePulsar

    Posted on April 25th, 2017 at 16:51 woody Comment on the AskWoody Lounge

    Curiouser and curiouser…

    Dan Goodin on Ars Technica:

    On Tuesday, security firm Countercept released an update to the DoublePulsar detection script it published last week. It now allows people anywhere on the Internet to remotely uninstall the implant from any infected machine…  amid the radio silence Microsoft is maintaining, the tool will no doubt prove useful to admins responsible for large fleets of aging computers.

  • Just when you thought it couldn’t get any more complicated, Creators Update gets a new kind of patch, KB 4016240

    Posted on April 25th, 2017 at 14:09 woody Comment on the AskWoody Lounge

    Microsoft just released another patch for Win10 Creators Update. KB 4016240 brings the 1703 build number up to 15063.250.

    That’s quite normal for a new version of Win10 – we commonly get multiple updates for the first month or two.

    What’s abnormal – has me bamboozled – is the explanation surrounding the patch.

    If I read Michael Niehaus’s post on the Technet blog correctly, this is the first of the “new update options for Windows 10, version 1703.” Which is also fine — but I don’t understand what’s “new” about it. KB 4016240 apparently lacks any security updates, but KB 4016251, build 15063.13, didn’t have any security updates either. At least, there aren’t any documented.

    Many Win10 cumulative updates don’t have security patches. In fact, just thumbing through the list the only cumulative updates with security patches that I can find were released on Patch Tuesday. Look at KB 4016635, released on March 22, for example. Win10 patches with no security updates are quite common.

    Niehaus notes that the Insider Release Preview ring (which has always raised my blood pressure) will get new non-security updates first. Then the non-security updates will get rolled out to the normal update process later. (Today’s the first example of that.) Then, presumably, the non-security updates will get rolled into the regular cumul

    ative update that frequently appears on Patch Tuesday.

    (Except, if you look at the history, many Win10 cumulative updates don’t appear on Patch Tuesday.)

    Niehaus says:

    These additional cumulative updates will contain only new non-security updates, so they will be considered “Updates” in WSUS and Configuration Manager.

    Which, to me, is an oxymoron.

    Poster thymej explains:

    if its said these patches will contain only new non-security patches, how then can it be cumulative? Cumulative contains new and old, right?

    I don’t get it. Anybody out there have a Win10 Patch Babel Fish?

    Martin Brinkmann has a description on gHacks, but I’m still scratching my head. Maybe I’m just being unusually dense today.

    Peter Bright has an explainer on Ars Technica. He says the new cumulative non-security update contains “all the non-security fixes released for a given version.” I’m scratching my head again. He says, “This split packaging (and split classification) should make it easier for organizations to, for example, deploy Security Update very quickly but hold the non-security portion back so that it can be more thoroughly tested and validated.” — which makes sense, but why would we want the non-security updates early (but after the Preview ring)?

  • Petition to bring the old Security Bulletins back

    Posted on April 25th, 2017 at 12:16 woody Comment on the AskWoody Lounge

    Thanks to Rod Trent and myitforum.com.

    A simple upvote would be nice, if you can spare a click.

    https://social.technet.microsoft.com/Forums/security/en-US/e49ea9bf-f364-4f1f-8c84-93766fa96065/bring-the-old-security-bulletins-back

  • Looks like Windows 10 is going to get something like “Group B”

    Posted on April 25th, 2017 at 10:09 woody Comment on the AskWoody Lounge

    My head’s still reeling, but Microsoft patching honcho Michael Niehaus has just published information about a new patching branch for Windows 10 Creators Update.

    we will routinely offer one (or sometimes more than one) additional update each month. These additional cumulative updates will contain only new non-security updates, so they will be considered “Updates” in WSUS and Configuration Manager.

    The admin options:

    • Deploy each of them just like the updates on “Update Tuesday.” This enables the organization’s PCs to get the latest fixes more quickly.

    • Deploy each of them to a subset of devices. This enables the organization to ensure that these new non-security fixes work well, prior to those same fixes being included in the next “Update Tuesday” cumulative update which will be deployed throughout the organization.

    • Selectively deploy them, based on whether they address specific issues affecting the organization, ahead of the next “Update Tuesday” cumulative update.

    • Don’t deploy them at all. There is no harm in doing this since the same fixes will be included in the “Update Tuesday” cumulative update (along with all the new security fixes).

    Would somebody please tell me how this differs from the Windows Insider “Preview” ring?

    My head’s swimming. Just when you thought it couldn’t get any more complicated…

    UPDATE: Mary Jo Foley on ZDNet repeats the announcement. I’m still baffled.

  • Is the “Group B” approach of installing Security-only updates still viable?

    Posted on April 25th, 2017 at 07:34 woody Comment on the AskWoody Lounge

    As promised, I’d like to start a discussion about “Group B” and its future.

    As I see it, the “Group B” approach to installing Security-only patches is becoming unwieldy, both for Windows 7 and 8.1 users. @PKCano’s list in AKB 2000003 is getting downright oppressive. And the recent experience with Microsoft blocking Windows Update on Kaby Lake and Ryzen processors has me convinced that the line between Security-only and Monthly Rollup is growing fainter.

    If you can explain to me why a Security-only patch would block Windows Update, I’d surely like to understand.

    I’d like to open the topic up to discussion. I don’t want to debate the validity of Microsoft’s telemetry/snooping garbage, er, features. Some people think it’s OK. Others (like me) think Win7 customers didn’t sign up for this abuse, and shouldn’t be subjected to it. But that’s beside the point.

    I’m also not changing my stance on delaying patches. Even with this month’s Word 0day, I still think most Windows customers are better served by letting the other guys get the arrows in their backs.

    What I want to know is if there’s a real, valid, easy way for Win7 and 8.1 customers to install Monthly Rollups yet opt out of most of the snooping.

    So… what do you think? I know the topic’s controversial. I know Linux doesn’t snoop (at least, not as much). I know ChromeOS is worse and macOS’s snooping remains open to debate. Is there a way to stay with Windows and not become part of the Win10 borg?

    I’m not looking for heat, but light. As always, ad-hominem attacks won’t be tolerated. Stick to the facts, please….

    Also, note well – I’ve already been assimilated. I use Win10 all day, every day, and have for years.

  • MS-DEFCON 3: Time to get patched but, man, what a mess this month

    Posted on April 25th, 2017 at 07:31 woody Comment on the AskWoody Lounge

    Please follow these instructions on InfoWorld if you want to protect your machine.

    If you have an older Windows 7 or 8.1 machine, don’t mind if some telemetry/snooping sneaks onto your machine, and you don’t want to sweat the details, skip to Steps A1, A2 and A3.

  • DoublePulsar infections picking up steam

    Posted on April 24th, 2017 at 11:50 woody Comment on the AskWoody Lounge

    If you don’t have last month’s MS17-010 installed, better get off your duff.

    InfoWorld Woody on Windows

    Good point from Michael Horowitz:

    99.99% of the time ShieldsUP does not scan the computer it is run from, it scans the router the computer is connected to. Also, if the computer is using a VPN, it scans the VPN server rather than the router or the computer.

    What you wrote is true, but its not the whole story. That is, while a PC is connected to the router that was scanned, it is safe. But, if and when it connects to the Internet through another router, it may not be safe.