Don’t apply any updates just yet

Topic

New Reply

I know the updates are out. But hold off installing them. We don’t know if there are any major problems. Reminder: We’re still at MS-DEFCON 2, and wil
[See the full post at: Don’t apply any updates just yet]

Reply | Quote

Replies

I’m gonna wait until next tuesday to install. I wanna get these babies sorted and choose the right ones to install before the holidays.

Because the 26th I got after christmas shopping to do 🙂

But anyway I’ll keep my eyes peeled here for any news or comments from others for this month’s patch.

Reply | Quote

I have good news for Group B: some fixes that appear only in the Microsoft Security Catalog are also fixed in security-only updates. Example: Catalog-only update KB3200006 (https://support.microsoft.com/en-us/kb/3200006) fixes an issue in both the October cumulative rollup and October security-only update. Microsoft Security Catalog lists KB3200006 as being superseded by both the November and December security-only updates.

How to list catalog-only updates for 2016: search https://support.microsoft.com/en-us/kb/894199 for “: cat” (without quotes). Any other ways?

Reply | Quote

AWWWWWWRIGHT!

Reply | Quote

Very sneaky of Microsoft hiding it within there! I see they’ve marked the page with the “noIndex” attribute in its HTML.

The other method is going to this website and clicking on whichever patch you want more information on:

https://technet.microsoft.com/en-us/security/bulletins.aspx

You might need to click two/three deep.

Reply | Quote

On my throwaway VM test system, this crop of updates brings the build up to 14393.576, by the way.

-Noel

Reply | Quote

I am attempting to run today’s updates on my laptop. I have Windows 10 1607. The updates stuck at 95% downloaded for a long time, so I restarted the computer. It began downloading again, but appears to be stuck again at 95%.

I’m a computer novice. Are there any simple solutions to get these updates finished?

Reply | Quote

Are there Security-only Rollups for the .NET Frame patches? There is a Security & Quality .NET Frame rollup (KB3205402) on Windows Update, but is there a corresponding Security-Only update?

Reply | Quote

http://i.imgur.com/Xhtl8Cy.jpg

I’ll be your huckleberry err I mean guinea pig and test it out. I’m a sucker for new and shiny things that always makes me feel giddy.

https://support.microsoft.com/en-us/kb/3205402

https://support.microsoft.com/en-us/kb/3205397 (no info yet)

Pretty sure it’s safe to install software removal tool and .net framework updates. Main update I may hold out on for a bit.

Reply | Quote

We always wait a minimum of 2 weeks on workstations, and 4 weeks on servers. There’s been several updates for 2008/2008R2/2012/2012R2 in the past that screwed up AD or GP and (despite those being more critical to MS customers’ than desktop flavors), it seems like it takes MS longer to fix busted Server updates than anything.

Even though we’re behind things magnitudes better than consumer offerings (Cisco appliances, FireSIGHT, Cisco switches, VLAN’s, etc), I follow the same approaches at home.

Luckily we haven’t had to do a mass-rollback yet, but at least if we had to, we could always do that via GP since everything is on the domain. We should use WSUS, but, there’s about a million other things always going on that are more important than rolling out WSUS.

Reply | Quote

Woody, Please confirm, but it appears as if any attempt to download the security only .Net Framework update for Win 7, which is listed in the MS Update Catalog as: December, 2016 Security Only Update for .NET Framework 4.6.2 on Windows 7 (KB3205406), gets you KB3205405, that’s right the last digit is “5”. Go figure!

Reply | Quote

As always, just want to say thank you Woody for keeping an eye on it for us!

Reply | Quote

I assume it would make sense to at least update Flash Player to the latest version 24.0.0.186 which can be done directly from the bottom of this page:
https://helpx.adobe.com/flash-player/kb/installation-problems-flash-player-windows.html
(Before we get a torrent of well-meaning replies, yes, we all hate Flash but it is unavoidable for some of us at the moment.)

Reply | Quote

Any non-security fixes will not be inclued in Security Only Update unless the affected component have security fix as well

Reply | Quote

But there is also bad news for Group B: https://www.askwoody.com/2016/microsoft-fixes-problems-with-win78-1-group-b-security-only-patching-method/comment-page-1/#comment-110373.

Reply | Quote

Guess ya can’t win ’em all…

Reply | Quote

I don’t mean to burst any goodwill that might be associated with today’s updates, but this has been the single worst Windows Update experience I have ever had.

The updates stuck at 95% downloading forever, so I restarted the computer. When it came back up, it began the process again and got stuck at 95% again.

I downloaded and installed the Cumulative Update KB3206632 from the Microsoft Update Catalog. The update downloaded, installed, and restarted without any issue. The Adobe Flash and Malicious Software Removal updates also say they are installed. All together, this took close to 3.5 hours.

But I now have a new problem! Ever since the installation and restart has been completed, my disk usage is running high all the time. Prior to these updates, my CPU and disk both ran very low most of the time. Now, my disk is running close to 100% almost all the time. Every time I look at Task Manager, it is Windows Module Installer Worker that is causing it to run so high.

In short, the updates did get installed successfully. (I am now running 14393.576). But the disk usage problem that I never had before this update is now constant.

Reply | Quote

Could one of you .NET experts enlighten us?

Reply | Quote

Update to my previous comment: as soon as I right click on Windows Modules Installer Work in Task Manager and then hit “end task”, the high disk usage stopped almost immediately.

Is there a better way to fix this issue (other than a permanent fix)?

Reply | Quote

That screen shot is for the “Group A” rollup.

I wouldn’t test it yet. Let other folks take the first shot.

Reply | Quote

What about https://support.microsoft.com/en-us/kb/3205640 ?

Reply | Quote

Easiest way is to download the update and install it manually.

Hop over to Reddit

https://www.reddit.com/r/Windows10/comments/5i57fr/december_windows_10_cumulative_updates_kb3206632/

and ask one of the Microsoft employees what they would recommend. With some luck they’ll be able to diagnose your problem, so it won’t happen to other people (or you!) in the future.

Reply | Quote

I believe that is Microsoft’s policy indeed.

In this particular case, Microsoft documented that the fixes in non-security update KB3200006 are included in Internet Explorer security update https://support.microsoft.com/en-us/kb/3197655.

Reply | Quote

Just want to confirm that October Security & Quality Rollup that I confirmed I had earlier (yesterday) has now disappeared and is replaced by the December Security & Quality Rollup. Have Win7 in Group B so didn’t install these previously….
Also sitting waiting is a .Net Frame Security and Quality rollup…..and the MSR tool.
Also 6 for Office 2007.
Which of course will sit there until we hear further.
LT
Tough times never last, but tough people do.
– Dr. Robert Schuller

Reply | Quote

It downloads (as of 5 minutes ago) as KB3204805 in both x86 and x64 versions. File descriptions are accurate.

Reply | Quote

As I always ask, how about MSRT?

In this new patching system should it applied now or it is better to wait and push it all together when DEFCON hit 3 or 4?

Reply | Quote

If I have already installed the November or December security only update, is this KB3200006 no longer needed?

Reply | Quote

The security-only updates listed there are only for .NET 4.6.2. If you do not have it installed (like me, I only have 4.5.2 and have no plans to “upgrade”), then that update is probably not applicable.

No security-only update is available for other versions of .NET. Does this mean that (1) no security update is available for the other versions, or (2) Microsoft does not plan to fix security problems in other versions and want us to either “upgrade” to 4.6.2 for security updates or to use the “Security Quality Rollup”?

Guess we will have to wait and see.

Reply | Quote

Those in Group B might not be getting security-related change “Made updates to support the deprecation of SHA1 server authentication certificates where applications can opt in to the new behavior” that was first introduced in the November cumulative rollup preview. More info: http://www.infoworld.com/article/3064654/security/tick-tock-time-is-running-out-to-move-from-sha-1-to-sha-2.html.

Reply | Quote

Group A
Win 8.1

I’m not seeing any updates other than the eleven non-important updates from last month?

I have asked for the system to check for updates again.

Reply | Quote

I’m confused, which is par for the course with microsoft these days. I thought the security only update for .net was https://support.microsoft.com/en-us/kb/3205406 but that only seems to patch 4.6.2 whereas the monthly rollup – https://support.microsoft.com/en-us/kb/3205402 – patches 3.5, 4.5.2, 4.6, 4.6.1 and 4.6.2

Can anyone shed light on this? The monthly rollup is a much bigger file size since, i guess, it’s cumulative but why doesn’t the security only patch include the security fixes for the other versions of .net?

Reply | Quote

Well Microsoft has stated that .NET 4.5.2 will receive support until the end of support of the host operating system.

https://support.microsoft.com/en-us/help/17455/lifecycle-support-policy-faq-net-framework

So there is no need to “upgrade” to 4.6.2 at this time to receive support.

This is subject to change by Microsoft in the future, of course. But at least for Windows 7 I suppose we can continue to rely on 4.5.2 until the end of support of Windows 7 in January 2020.

Reply | Quote

No, you get KB3204805

try not to get too attached with KB numbers, as long as you downloaded the correct one by title 🙂

https://technet.microsoft.com/library/security/ms16-155
[2]This number is the Parent package KB number. Users will be offered the Parent KB; however, the package KB numbers listed for each platform will be displayed in Add Remove Programs.

Reply | Quote

The security only update(KB3205640)lists only for .NET Framework 4.6.2. However, the KB3205404 lists 3.5 to 4.6.2.

Where are the missing security only updates for other .NET Framework versions?

Reply | Quote

No, only .NET 4.6.2 got Security-only update
which is by the way, exactly the same bits as Security-and-Quality rollup, meaning the fixes are the same in both
not sure why MS felt they need to release two identical updates

nonetheless, .NET updates are generally safe and almost never cause issues or will contain telemetry
so it’s best and easier to just install the Rollup

Reply | Quote

If Microsoft really commits its efforts it can offer to fix bugs in security-only updates in future security-only updates, not just rollup updates.

The fact that it does not want to do so, indicates to me that it wants us to use those rollup updates and install whatever crap Microsoft chooses to include in those updates.

If it were not for the pressure of large customers I would think that Microsoft would not even offer the option of security-only updates at all.

Reply | Quote

Well, this is by far the worst update Microsoft has been shipped for the 1607 build.

1) ‘Getting Windows ready…’ takes ages (roughly 5 to 7 minutes) before runnning the 30% batch.

2) Working network connections get mad and require a reset.

3) As usual with the 1607 build, Windows won’t boot into the desktop (Local Session Manager hangs on start..) after applying updates and restarting..

4) A new error is showing up in the System event log (The Virtualization Based Security enablement policy check at phase 0 failed with status: The volume for a file has been externally altered such that the opened file is no longer valid.).

5) And if things can’t get worse, Hyper-V guests fail to boot (The guest operating system reported that it failed with the following error code: 0x1E).

No doubt, Windows 10 and the update mess is a nightmare; and the folks at Microsoft should finally get their heads out of their… These guys are utterly useless…

Reply | Quote

Have you posted this on Reddit?

https://www.reddit.com/r/Windows10/comments/5i57fr/december_windows_10_cumulative_updates_kb3206632/

Reply | Quote

It isn’t clear to me that “Microsoft doesn’t want to.” The decisions will be made case-by-case. Other than that, all we can do is wait and see.

Reply | Quote

Thank you!

Reply | Quote

Note 1: Wait!

Note 2: Wait longer!

Reply | Quote

Please excuse me if this is considered off topic, but I’ve noticed something today that I just have to share with you all, especially Woody.

I read a lot of tech news every day by skimming the headlines in IE’s baked in RSS feed reader (love it). Today I ran across at least a half dozen or more articles about today’s “patch Tuesday” cumulative update, KB3201845 for WIN 10 version 1607. Only ONE of the articles I saw even mentioned the early cumulative update fiasco that we’ve been through the past four days, and then got it all wrong.

So, I, being the “disruptor-in-chief” that I am, left the following comment in all the comment sections of all said sites:

“I’m confused. A widespread and serious Wi-Fi connect problem first showed up about a week or so ago. MS pushed out an early ‘patch Tuesday’ cumulative update, in my case (since I’m using WIN 10 version 1607) KB3201845 for version 1607, which made the build version 14393.479, that was supposed to fix this issue, on Friday, Dec. 9. It didn’t. In fact, it caused so many other problems the update was pulled from the MS Update Servers. It was put back up, and pulled, several times, in fact, for a full four days. However, this update had nothing to do with causing the Wi-Fi connection problem, as reported at a few sites in the tech media. No one knows what caused the problem, not even the folks at Microsoft.

“Many, including myself, received the update on Friday. However, I routinely block all cumulative updates for at least two, sometimes three, weeks until I can be pretty sure they’ll fix more things than they break — which they most always seem to do. In fact, I received, and blocked, the update twice; once on Friday, and again today.

“At any rate, I’m confused as to why: 1) The author of this article — and many other tech sites — seems to have not even noticed the early cumulative update four-day fiasco, and 2) why are all tech sites I’ve seen who are acknowledging the Wi-Fi problem still thinking the update caused the Wi-Fi problem in the first place?

“Good luck to everyone who has already installed the update today — hopefully, this one has solved the problem. It’s looking good on Reddit, so far.”

Seems the tech news industry has some of the same problems as the regular news industry, huh? 🙂

Anyhow, I found it “veeerrryyy” interesting reading! 🙂

Reply | Quote

Some folks say MSRT snoops too much. I generally run it. It’s never done anything good for me, as far as I can tell, but it doesn’t seem to be overly intrusive.

Reply | Quote

Yep. Misinformation ricochets at the speed of electrons.

Reply | Quote

“Case-by-case” is just their way of saying “We may do it if we want to. We won’t do it if we don’t want to.”

If Microsoft does want to pacify its customers, why doesn’t it just say that it will fix bugs introduced in security-only updates in future security-only updates then? Why is it necessary to consider “case by case”?

I don’t want to hear any “technical” reasons why it cannot be done. Remember that when Microsoft announced that they would stop supporting Windows 7 / 8.1 on Skylake computers from July 2017 it gave all sorts of “technical” reasons, and the result? Microsoft was forced to backtrack and reinstate support for Skylake systems to the original end of support date.

I may be pessimistic, but I tend to agree with Canadian Tech and others that this Group B approach is increasingly non-viable.

Reply | Quote

KB3200006 is no longer needed if you installed either of those two. KB3200006 is also no longer needed if you installed either the Nov. or Dec. cumulative rollup.

Reply | Quote

.NET updates for the month of November and 2016…

http://www.catalog.update.microsoft.com/Search.aspx?q=november%2B2016%2B.NET

Security Only updates for the month of November and 2016…

http://www.catalog.update.microsoft.com/Search.aspx?q=november%2B2016%2Bsecurity%20only

or just visit these MS links…

Windows 7 and Server 2008 –

https://support.microsoft.com/en-us/help/22801/windows-7-and-windows-server-2008-r2-update-history

Windows 8.1 and Server 2012 R2 –

https://support.microsoft.com/en-us/help/24717

Reply | Quote

That one is an EXE and I ran it so it could extract. Below are the first lines from the installer schema:

Shows KB3204805 there, but who knows what is listed after install? It’s a rollup for sure, with 24 different setup resources folders within that EXE. Aborted that process, since I had earlier installed KB3205402.

Reply | Quote

Schema paste failed for some reason. Disallowed characters?

Reply | Quote

Be careful what you wish for— now have four updates

Reply | Quote

Guys, thanks for the clarification. When I went back again, I see where I went wrong. But double checking raised another question: Why is there a “security only” file for .NET Framework 4.6.2 on Windows 7 but not a “security only” file for .NET Frameworks 3.5, 4.5.2, 4.6, 4.6.1? For these, all that is offered, in the update catalog, are various versions of “security and quality rollups”? Thanks.

Reply | Quote

@ Adam ……. That likely meant that yr Win 10 cptr was still trying to install the 500+MB(for 32bit) cumulative update or parts of it. This incomplete install of updates could be caused by certain incompatible configuration in yr cptr.
……. Can u uninstall, hide n block the cumulative update.?
.
This is the fate of some Win 10 beta-testers of M$$$$, ie their cptrs broken by M$’s cumulative updates, esp for Win 10 Home users.

Reply | Quote

Guess I am in Group A then as those were the updates shown to me. I’ve always installed updates the day they’re released but ever since discovering your site, I feel so overtly cautious if not paranoid now to install updates right off the bat. I also noticed that clicking on more info redirects to the no info yet (This page doesn’t exist.) link I mentioned above which is strange. Had to manually input the given KB number to get the right page.

https://support.microsoft.com/en-us/kb/3207752

As usual for non-security info:
https://support.microsoft.com/en-us/help/22801/windows-7-and-windows-server-2008-r2-update-history

I find it amusing how it says ‘For a complete list of affected files, see (KB#)’ but when going there it gives absolutely nothing useful and refers back to the link above (well, for the the Nov. preview rollup anyway).

Reply | Quote

If you wait long enough, chances are that it will eventually complete.
If you consider that you waited long enough, use plan B, the solution provided by Woody.

Reply | Quote

Thank you abbodi.
I suppose they released both them for consistency of delivery, even if they have nothing more to add into the Security and Quality Rollup.

Reply | Quote

“Other folks” like you and abbodi and me and few other beta testers 🙂

Reply | Quote

Group B – Windows 7 x64

December, 2016 Security Only Quality Update for Windows 7 for x64-based Systems (KB3205394)

Security Update for Windows 7 for x64-based Systems (KB3185319) IE 11 Cumulative
Security Update for Windows 7 for x64-based Systems (KB2993651)
Security Update for Windows 7 for x64-based Systems (KB3072630)
Security Update for Windows 7 for x64-based Systems (KB3108670)
Security Update for Windows 7 for x64-based Systems (KB3153171)
Security Update for Windows 7 for x64-based Systems (KB3161664)
Security Update for Windows 7 for x64-based Systems (KB3164033)
Security Update for Windows 7 for x64-based Systems (KB3167679)
Security Update for Windows 7 for x64-based Systems (KB3175024)
Security Update for Windows 7 for x64-based Systems (KB3177725)* security Update for Windows Kernel-Mode Drivers
Security Update for Windows 7 for x64-based Systems (KB3184122)
Update for Windows 7 for x64-based Systems (KB3156417)* Updated Printing bug patch
Update for Windows 7 for x64-based Systems (KB3187022)
Update for Windows 7 for x64-based Systems (KB3200006)

Waiting… 🙂

Reply | Quote

Yes, leave it to complete its cleanup task. Leave it overnight if required. There is no other way.

Reply | Quote

I don’t understand. I mainly use Chrome.

Reply | Quote

There are no security only update for .net 3.5, 4.5.2, 4.6, 4.6.1

just go with the Rollup

Reply | Quote

(1) correct
(2) no, they fixed those security issues in the rollup
no, they don’t want you to upgrade (4.6.2 is not even published to WU)
what’s wrong with using the Rollup?

Reply | Quote

Were you trying to paste something into a comment? You may be better off using pastebin and linking to the entry.

Reply | Quote

You may be right. We’ll know in the next few months.

Reply | Quote

Meanwhile, over at ZDNet, the conversion to Microsoft Apostle is now complete.
Not a peep about any Windows problems. Win 10 is now perfect.
All the rest of us are just an irrational bunch of complainers and MS haters.

Reply | Quote

Yeah, others have brought up the same point, thanks very much.

But therein lies the problem; if there are no security updates for the earlier versions of .net (I don’t have 4.6.2 installed) then why would I install the rollup? What worries me is that the rollup contains some crapware beneficial to Microsoft and not me.

Reply | Quote

Welcome to my world. 🙂

The choice between Group A and Group B (and, increasingly, Group W) is entirely up to you. The patches offered in Windows update aren’t your only option.

http://www.infoworld.com/article/3128983/microsoft-windows/how-to-prepare-for-the-windows-781-patchocalypse.html

Reply | Quote

🙂

Mary Jo’s hooked in, she just doesn’t follow the same things we tackle over here.

Reply | Quote

C’mon Woody, lets keep it simple.

Saying its on a “case by case basis” is corporate doublespeak for telling us to shove off.

Failing to repair a bug introduced by a security only update in a subsequent security only offering is not an act of fate, it’s a tangible decision taken by MS management.

That being the case, I am forced to conclude that “Microsoft doesn’t want to” is an accurate assessment.

We shouldn’t have to wait with bated breath and crossed fingers for MS to clean up it’s own mess. It’s that simple.

However, considering the callous disregard that MS has for mere consumers (guinea pigs/forced beta testers/cannon fodder) this dismissive posture and demonstration of corporate arrogance comes as no surprise.

Reply | Quote

(sigh)

But the other options aren’t very inviting, either.

Reply | Quote

EXE is just an installer wrapper for the actual .msp patch
what’s listed is the same KB number in EXE

why the over-analysis?

Reply | Quote

Yeah, but if they didn’t do it for other .NET versions, why they bother for .NET 4.6.2?

Reply | Quote

Hi All

On the off chance that anyone has SCCM 2007 managing software updates with security / windows 7 classifications enabled, would you mind just looking at the recent sync results & seeing if it was success full? I’m looking at an environment that is refusing to sync the October Security only update with a time out on a stored proc in the SCCM DB….I know WSUS & SCCM suffer from some common timeout problems, but this is the first we have seen of it on this server and seems a bit much of a coincidence….

Any reports either way appreciated!

Thanks

Reply | Quote

Apparently Microsoft laid off many of their more experienced programmers and quality control people a few years ago.

Could it be the problems with Windows 10 and updates can be traced directly back to this? See quotes, last three lines.

“H-1B work visas are in high demand – this year’s allocation list of 85,000 vacancies was filled less than a week into the process. Although it is billed as a way to fill skills gaps for American companies, this year 81 per cent of applicants were in the bottom two skill levels used for entry-level IT admins and programmers.”

Reply | Quote

So I should just let the Windows Modules Installer Worker run its course in the background? And it should eventually stop chewing up my disk/CPU space?

All of the version 1607 updates (cumulative, Adobe Flash security, Malicious Software Removal Tool) were installed successfully yesterday evening. But I had to install the cumulative update using the Microsoft Update Catalog and Standalone Updater because it stuck at 95% twice.

Is the WMIW just trying to finish its work from the updates it installed? I’m sorry for being so repetitive, but I’ve never had to deal with this stuff before and it drives me crazy.

Reply | Quote

Make sure you report this to Susan at patchmanagement.org…

Reply | Quote

@Rob,

Thanks for the actual KB number of the December Security Only KB…as for October (KB3192391) and November’s (KB3197867) Security Only updates, they have REappeared in the catalogue as of this morning.

Now, does anyone know if there is a December Security Only update for .NET 3.5.1, 4.5.2, 4.6, 4.6.1, 4.6.2 for Windows 7 x64?

There’s a Security and Quality Rollup for .NET 3.5.1, 4.5.2, 4.6, 4.6.1, 4.6.2 for Windows 7 x64, but no Security Only.

There’s also a December, 2016 Security Only Update .NET Framework “4.6.2” on Windows 7 (KB3205406) but should/can that be installed if .NET 4.5.2 is the current version on one’s machine?

Always murky with microsoft…

Reply | Quote

Rob,

I don’t have the list you do, BUT I’m going to check my list out in catalog and play it by ear from there.

I have the following:

KB3118380(MS Office 32bit)(I don’t have Office)
KB3205402 (.NET Framework 3.5.1,4.5.2,4.6,4.6.1,4.6.2)
KB3207752 (Monthly Quality Rollup Win 7 X64)
KB89030 (MSRT)

Thanks Woody and everyone else here for helping me stay on top of M$ unwanted crap.

Dave

Reply | Quote

Just more bad behavior by the bully on the block.

It’s a matter of time before some major bug introduced in a security only update goes unfixed for Group B consumers.

And I’m cynical enough about MS bad behavior to speculate that paying corporate customers will have access to any required remediation while the rest of us will have no choice other than to submit to cumulative updates. You can say it’s not a strategy but I beg to differ.

Reply | Quote

@ louis,
‘There’s a Security and Quality Rollup for .NET 3.5.1, 4.5.2, 4.6, 4.6.1, 4.6.2 for Windows 7 x64, but no Security Only.’

http://www.catalog.update.microsoft.com/Search.aspx?q=Windows%207%20×64%20December%202016

Security Only: seems to be the 2nd one down from the top for dotNet 4.6.2 but the description is N/A (very helpful MS) unsure whether this covers previous dotNet versions?!

Reply | Quote

That’s where I got the list, from the security only catalog (see link above yours in reply to louis 🙂

Reply | Quote

Maybe they can help
https://blogs.technet.microsoft.com/configurationmgr/2016/12/13/important-note-on-deploying-down-level-windows-updates-with-microsoft-configuration-manager-2007/

Reply | Quote

The rollup have the security fixes
.NET updates don’t have any crapware, and all included fixes are beneficial for the system/framework
if you don’t believe that, just stop updating .NET and move on 🙂

Reply | Quote

(December 2016 Security Only Quality Update)

When checking details for the “December 2016 Security Monthly Quality Rollup,” at “https://support.microsoft.com,” clicking “more information,” allows you to download the security only update, which did not appear in the windows update list…. Installing now on Win7 X64.

Reply | Quote

@Rob, @Woody

I am W7 SP1 x64 and I’m in group c. Thus far I have been installing Security Only .NET updates via the catalogue. As mentioned here, now, there is no December Security Only .NET update for anything below 4.6.2. However, there’s that December .NET Security and Quality ROLLUP…

Now, most in group C are there because they don’t want to do Rollups. Some in C may or may not do Security Only updates. For myself, it’s been .NET Security Only thus far.

Now, what do we do if there’s no .NET Security Only below 4.6.2 but a .NET Rollup for all below 4.6.2? We’re kind of getting boxed in here. How do we avoid Rollups if the only thing offered this month is a .NET Rollup??

(Without creating an issue, let’s just assume that any user avoiding ANY Rollups is making a justifiable decision just as group A, B and C users are making justifiable decisions about where they stand.
Anti Rollup users are looking for a .NET Security Only solution…are there any viable alternatives here, or do we just pass on the December .NET Rollup and wait to see if January brings a .NET Security Only update? Really, does MS have to play this way??)

Reply | Quote

Anyone know what the speed up patch for Vista is this month?

Reply | Quote

To determine which is the correct .NET Framework Updates for 3.5.1, 4.5.2, 4.6/4.6.1, 4.6.2, view Microsoft Security Bulletin MS16-155. For Windows 7 and Windows Server 2008 R2, scroll down the page until you come to section: Windows 7 and Windows Server 2008 R2 Microsoft .NET Framework Updates for 3.5.1, 4.5.2, 4.6/4.6.1, 4.6.2 (KB3205402) In my case I was looking for the correct update for Windows 7 for x64-based Systems Service Pack 1, using Microsoft .NET Framework 4.5.2. The correct update for 4.5.2 is KB3210139, for 3.5.2 it’s KB3210131, for 4.6/4.6.1 it’s KB3210136, and for 4.6.2 it’s KB3205379.

I looked for KB3210139 in the Microsoft Update Catalog but it came back with nothing. I didn’t bother looking for the others, but I’m fairly certain the result would be the same. What I did find was that I was able to locate KB3205402 in the update catalog. By clicking download link for the following: “December, 2016 Security and Quality Rollup for .NET Framework 3.5.1, 4.5.2, 4.6, 4.6.1, 4.6.2 on Windows 7 and Windows Server 2008 R2 for x64 (KB3205402)”, I was offered 4 different downloads to choose from: KB3210131, KB3210139, KB3210136, and KB3205379. I clicked on and downloaded:
ndp45-kb3210139-x64_24ee9b5347f56040a5d3aa43d32660924663ae4f.exe which is the correct update for my system.

Reply | Quote

Yes, this in from ER…

And it looks like the KB3204723 security updates from MS security bulletin MS16-151
are the new Windows Update win32k.sys “speed-up” fixes for Windows Vista & Server 2008
https://technet.microsoft.com/library/security/ms16-151
Once again, KB3204723 is a new temporary “speedup” patch that will work from Dec. 13, 2016
to Jan. 9, 2017.

Reply | Quote

I think you’re fine for now. However, I believe that Group B probably won’t get future Windows updates associated with “phase three” that is mentioned at “Windows Enforcement of SHA1 Certificates” (http://social.technet.microsoft.com/wiki/contents/articles/32288.windows-enforcement-of-sha1-certificates.aspx?PageIndex=1):
“After February 2017, we intend to do more to warn consumers about the risk of downloading software that is signed using a SHA-1 certificate. Our goal is to develop a common, OS-level experience that all applications can use to warn users about weak cryptography like SHA-1. Long-term, Microsoft intends to distrust SHA-1 throughout Windows in all contexts. Microsoft is closely monitoring the latest research on the feasibility of SHA-1 attacks and will use this to determine complete deprecation timelines.”

Note: the article’s reference to “December 13th, 2017” probably should be “December 13th, 2016”.

Reply | Quote

Not for Windows 10 users. The solution for us is to use wushowhide preemptively, hide all but Flash Player and MSRT updates, then go unmetered and let only those two updates run. Then go back on metered connection and wait for the go ahead later this month before unhiding the CU and perhaps one or two other patches which will come out later this month.

I did this as soon as the Patch Tuesday updates came out and only ran Flash and MSRT updates. Worked perfectly. Nothing unwanted got downloaded.

Reply | Quote

If you wanted to follow the advice here, there is a method using wushowhide and a bit of Registry editing (or Group Policies) and you could have gotten only the Flash Player and MSRT patches. then wait for the CU and anything else until Woody gives the all-clear later. That might have avoided the failed CU or getting stalled at 95%.

BTW, the CU can take an awfully long time to download. It appears stuck at various points, but it eventually finishes. Installation and restarting do something similar. This has been true for a few CU cycles with Win 10. The download and then the restart can each stall for twenty to thirty minutes before showing percent completed.

Reply | Quote

If one was going to move to Group A, after the last two months of Group B, would they have to delete Oct. and Nov. security-only updates before downloading Dec. rollups?

Reply | Quote

Guinea pig reporting in.

Applied the Win 7 32-bit security only December update now, KB3205394. System booted up, doing a manual update check first gave an error but on 2nd try worked, showing the full package, the .NET stuff and the MSRT available. Check IE version though, see it says 11.0.38 (KB320361) when the IE11 cumulative December security update should be 3204059, 3205394 being listed as the IE9 one. What gives?

Reply | Quote

Tom (and Woody) —

Great tip! Thanks! This comment of yours made it easy for me on a Win7 64K SP1 machine! You cut down the weeds and made a path thru the jungle, in a brief post! Invaluable! Again, Tom, THANK YOU!

Reply | Quote

Nope. You can switch to Group A at any point by just installing the latest Monthly rollup.

But I advise you to wait a bit until we see if there are any problems.

Reply | Quote

Yes, straight ASCII and not that much of it. Not a big deal. Maybe when your new interface is running this won’t occur.

Reply | Quote

@ Louis,
I think that your last query is more or less along the same lines as Microsoft intentions IMHO.
No point looking for something that simply isn’t there..

For now, I would advise not to install anything from December until Woody & Co state.
These guys know their stuff and I am a mere padawan in comparison.

Reply | Quote

Hobby, not over-analysis, thank you.

Reply | Quote

Microsoft is sneaky about the .NET updates.
In october we had a separate 3.5.1 security ONLY and a separate 4.X security ONLY.

Now, in December, I am able to find a separate security update only for 4.6.2. The security fixes for 3.5.1 seem to have been bunched up into the “quality update”.

I have placed myself firmly into group B so this comes out as a big bummer since I can’t just put the security only updates for the 2 branches of .NET and I am forced to choose between:

1. Keep 3.5.1 compatible apps at a security risk while the 4.6.2 is safe.
2. Accept the bundle of 3.5.1 and 4.6.2 which contain other optional content.

Just why Microsoft, why are you making things so difficult? 🙁

Reply | Quote

🙂

Reply | Quote

Weird. Yes, please, test it when the AskWoody Lounge is up…

Reply | Quote

Copy that — Group A, B, C/W…I need Group JB (Jim Beam)

Reply | Quote

🙂

I wonder if we can get more interesting emojis in the AskWoody Lounge, when it comes out….

Reply | Quote

KB3203621 is the actual update number for all IE versions
but because IE11 cumulative is bundled with security-only/monthly rollup, it doesn’t get KB3203621 update file separately

if you check the article
http://support.microsoft.com/kb/3203621
you would see that the info is general for IE without specifying the version, except listing vista IE9 files at the end, because it get this update file separately

Reply | Quote

Yeah, one needs the passion to sort out through this jungle. 🙂

Reply | Quote

In theory yes. In practice… see my reply here
https://www.askwoody.com/2016/windows-10-1607-patch-kb-3206632-solves-the-dropped-internet-connection-bug/#comment-111243

Reply | Quote

No, delete/uninstall them after installing the monthly rollup 😀

Reply | Quote

Fair enough 🙂

Reply | Quote

Hm… What I see if I go to https://technet.microsoft.com/library/security/MS16-144 is that it leads me to https://support.microsoft.com/en-us/kb/3204059 and in the affected software list for IE11 on Windows 7 for 32-bit Systems Service Pack 1 Security Only it says 3205394, which is the security-only monthly update, 3203621 being the listed entry for IE9 regardless of OS.

(Had submitted a reply to correct the above message but see it wasn’t approved. Meant 11.0.38 (KB3203621) and that this is listed as IE9 of course, not 3205394.)

Reply | Quote

@Tom…

You solved the .NET Security Only problem. Well done sir.

@Woody,

You should make note of the is for those who are having issues locating Security Only .NET updates.

Reply | Quote

@Tom, @Woody,

On second look, Tom, there is still no Security Only Update…. KB3210139 is a Rollup…it’s located here,

https://technet.microsoft.com/library/security/ms16-155

under the main heading of
Microsoft .NET Framework – Monthly Rollup Release[1]

As you can see, it indicates it includes “All previously released updates[4]”

Windows 7 for x64-based Systems Service Pack 1
Microsoft .NET Framework 4.5.2
(3210139)
Important
Information Disclosure
All previously released updates[4]

Reply | Quote

Beware of the update to Flash Player. The FP 24.0.0.186 update is breaking websites in most browser and Windows versions.

The Comcast IPV4 / IPV6 test site at http://speedtest.xfinity.com/ being one of them.

Viper

Reply | Quote

By using Disk Cleanup 🙂

Reply | Quote

Does this help any, or is it old news?

https://blogs.msdn.microsoft.com/dotnet/2016/10/11/net-framework-monthly-rollups-explained/

Reply | Quote

Thanks for the advice! When I turned on the computer after work today, the high CPU/disk usage did not appear to be occurring. At no point during the first 3 hours of usage did the CPU or disk usage run abnormally high (generally in the single digits for both when idle or lightly used).

I have not noticed WMIW running at all during this time. I even checked Windows Updates again manually to see what type of response I would get. WMIW ran normally for about 30 seconds while checking for updates, then went back down to 0% usage after it said the device was up to date.

Thanks again for all the help and suggestions. Here’s hoping things are without issue for quite some time.

Reply | Quote

Like i said, IE11 do not have actual KB3203621 update file separately, so they can’t list it for it
just take KB3204059 as pseudo article for KB3203621, both serve the same purpose
but, KB3203621 still the actual update number that’s listed in all IE versions info, even Windows 10 which never have separate IE update 🙂

Reply | Quote

Are this suggesting that for 4.5.2 we should download the .NET Frame 4.5.2 Security & Quality Rollup from Windows Download (Even if we are a ‘B’ type)? Thanks

Reply | Quote

@Woody,

The irony of the link you provided is that MS indicates that this .NET approach…”You now have a simpler way to stay current with the latest updates to the .NET Framework.”

This method is anything but simpler.

If it was simpler there would be a Security Only Update, searchable, plainly labeled and downloadable, for Microsoft .NET Framework 4.5.2. And there isn’t.

But there’s a Security Only Update searchable, plainly labeled and downloadable for .NET 4.6.2.

What is it with MS, don’t they want their users and their OS’s to be up to date and secure??

Reply | Quote

I can confirm that the xfinity speedtest site is broken with the new Flash. However, it works fine if you go directly to the Ookla site ( http://www.speedtest.net/ — ookla is what provides the technology behind the xfinity site), so the problem must be very specific to some flash scripting or (something along those lines) on the Comcast site.

Reply | Quote

Since I always save a disk image before updating Windows I typically install updates quickly. December 2016 is no different.

For Windows 7 December Patch Tuesday have installed as follows:

Security Only Update KB3205394
Net Framework Security and Quality Rollup KB3205402
MS Office Security Updates KB3128020 KB3128022 KB3128024
December MSRT

So far everything is okay. The only thing that screwed the pooch was Flash Player Update 24.0.0.186 which broke several websites. A roll back to FP 23.0.0.207 got all sites back.

Reply | Quote

I have a quick question about updating an old Win 7 Starter Netbook. Haven’t used it in a while, and it is seriously behind in updates. Is MS still issuing updates for Win 7 Starter? Should I just let it check and see once the all clear in this month’s updates is given? Is there a speed up KB that I’d need first. Last time it was updated was probably back in early 2016 – been in mothballs since then – LOL! I’d probably be looking to put that in the Group A updates if indeed there are any since it really will just get light, occasional use.

Thanks!

Reply | Quote

Good question. I don’t have a clue.

Reply | Quote

Ookla is IPV4 only. Since Comcast site both IPV4 and IPV6 not sure if Ookla is the provider.

????

Reply | Quote

This may be the answer, but check with one of the .net experts. If the only “real” update this month is a a security update to .net 4.62 then there would be: a) a dedicated security only update download for 4.62 and b)this 4.62 security update would then be lumped in the big cumulative security/roll-up update for 3.5.1, 4.5.2, 4.6/4.6.1, 6.2 (which is also what is being offered). If there is no actual updating being performed on 3.5.1, 4.5.2, 4.6/4.6.1 this month, there would be no need for a security only update for any of these version, which there doesn’t appear to be. This, I think, explains why there is only a security update for 4.62 and a security/roll-up for all the other versions of .net, plus 4.62.

Reply | Quote

Okay Adobe found the problem with 24.0.0.186. It is corrected in the 24.0.0.189 beta available for Firefox, IE, etc, here:

http://labs.adobe.com/downloads/flashplayer.html

Windows 10 players will have to wait for an official Edge update from MicroSoft.

Viper

Reply | Quote

What you say feels like the correct assessment JNP. I’m still going to hold off on installing it for a week or 2, but it is the same conclusion I came to, in the absence of more data. I’m running 64 bit 8.1 and downloaded that labeled file from the catalog.

Reply | Quote

Indeed, I just tried that site on Chrome, have the new version 24.0.0.186, and test appears to start running but returns values of 0 across the board. Tried several server locations. Flash needs to die.

Reply | Quote

http://www.speedtest.net/ does work for me.

Reply | Quote

I applied the Win7-64 Pro Flash updates for IE and Firefox on Tuesday at noon. I downloaded the offline installers for both browsers for Windows 7-64 from the Adobe Website. I have had no problems (so far).

I tried the Comcast speed test at the link you p[rovided, and correct, it did not work.

I tried the Cox Communications Speedtest and it worked. It was Ookla, but did not specify IPV4 or IPV6.

Reply | Quote

Thanks for that link. I will check it out and download the newer 189b version if I have a problem.

I have had Flash problems in the past with bad updates, but not in the past year.

Reply | Quote

Group A Win 7 X64. Did Dec. update. Only problem was with Flash 24.0.0.186 Verizon speed test didn`t work but as mentioned by others Ookla speed test did work. Everything else is working as before the update.

Reply | Quote

Did a full disk image backup and then applied the December Security Only Rollup from the Catalog, and the December Quality and Security Rollup for .NET through Windows Update, and so far, so good.

Reply | Quote

OK, but there are no Security Only Rollups. Only the “Group A” Monthly Rollups and the “Group B” Security-only patches.

Reply | Quote

My mistake…

KB3205394 is the Security-Only update for December that I applied.

Reply | Quote

There are three new catalog-only updates listed at https://support.microsoft.com/en-us/kb/894199:

1. ‘”0x000000D1″ Stop error with update rollups on Windows Server 2012 R2’ – https://support.microsoft.com/en-us/kb/3210063

2. “iSCSI disks are lost on upgrade for StorSimple appliances after update 3172614 is installed on Windows Server 2012 R2” – https://support.microsoft.com/en-us/kb/3210083

3. “Internet browser page becomes blank after you install security updates 3185330 in Windows 7 SP1 or security update 3185331 in Windows 8.1” – https://support.microsoft.com/en-us/kb/3210694

Reply | Quote

Nice analysis @JNP

Reply | Quote

All Windows 7 editions get updates

the speedup is describe here:
https://support.microsoft.com/en-us/kb/3200747

Reply | Quote

Sunuvagun. That’s exactly the method we’ve been talking about for months!

Reply | Quote

It appears that MS16-155 (“Security Update for .NET Framework”) affects more than just .NET Framework 4.6.2.

Evidence #1: See affected .NET Frameworks at https://technet.microsoft.com/library/security/MS16-155.

Evidence #2: The only file present in “MS16-155: Description of the Security Only Update for the .NET Framework 4.6.2 for Windows 7 and Windows Server 2008 R2” (https://support.microsoft.com/en-us/kb/3204805) is System.Data.dll. This file was also changed in December in “MS16-155: Description of the Security and Quality Rollup for the .NET Framework 3.5.1 for Windows 7 and Windows Server 2008 R2” (https://support.microsoft.com/en-us/kb/3210131), and is the only file changed in that update after September. This is a more recent change than any of the file changes in the last cumulative .NET Framework preview rollup.a

Conclusion: For NET Frameworks other than 4.6.2, you should install the December .NET Framework cumulative rollup. For .NET Framework 4.6.2, you have the choice of either the .NET Framework security-only update or the .NET Framework cumulative rollup.

Reply | Quote

Good point.

Reply | Quote

When you get the result on Comcast, it has an Ookla logo.

Reply | Quote

Thanks so much! Much appreciated!!

Reply | Quote

Both .NET 4.6.2 updates are identical
it seems they created the security-only update just to comfort the non-security haters
apparently they didn’t feal the same or got the time to do that with other .NET versions

Reply | Quote

Now THAT’s remarkable….

Reply | Quote

In the comments at “.NET Framework December Monthly Rollup is Now Available” (https://blogs.msdn.microsoft.com/dotnet/2016/12/13/net-framework-december-monthly-rollup-is-now-available/), a Microsoft employee states that the vulnerability applies only to .NET Framework 4.6.2.

Reply | Quote

So that lines up with what Abbodi said.

Reply | Quote

“It’s a matter of time before some major bug introduced in a security only update goes unfixed for Group B consumers.”

That is exactly what I expect will happen.

I won’t submit to cumulative updates or “reliability” updates no matter what. I will adopt a “part Group B, part Group C” or even “Group C” approach going forward by refusing to install any security only updates that causes problems for me.

Reply | Quote

Woody, why are we left with these “not-so inviting” options (I would go further and say they are “bad” options.) then?

If Microsoft wants to do “better”, we won’t be forced to choose between these options.

Reply | Quote

I prefer Group J myself (Jamesons) 😛

Reply | Quote

Microsoft cares about the income stream from Win7 running in enterprises. Other than that, they realize that they need to provide security patches – but at the same time they’re starting to milk the data-gathering cow.

Ultimately, MS would much rather have you move to Win10. So there isn’t a whole lot of incentive to make your Win7 life easier.

Reply | Quote

In fact most Enterprises have Software Assurance agreements https://www.microsoft.com/en-us/licensing/licensing-programs/software-assurance-default.aspx which allows them to use any client operating system they choose. For Microsoft is exactly the same thing (financially, but obviously not so for prestige reasons) if 90% of the Enterprises use Windows 7 or 90% use Windows 10. They have to provide basic (unpaid) support via patches for Windows 7/2008 R2 until January 2020 and this is currently happening. Windows 10 is not purchased in most cases on top of a previous purchase for Windows 7, but as part of an ongoing agreement. From this point of view, it can be considered a sort of Windows as Service, although the maintenance is still happening in house.
I don’t know all the details, but I think the server licenses are purchased differently although there are DataCenter agreements which are expensive, but allow unlimited number of licenses to be used on certain (virtual) hardware.

Reply | Quote

Glad that it is fixed for you. Can you tell us if Windows Update is disabled? Because with Windows Update configured as disabled (in Group Policy on Win 10 Pro or Enterprise), none of the clean-up tasks would happen which is OK until the next update, but it would create problems at the next round of updates.
With Windows 10, I found the setting Download but not install as the best of all worlds, but these are only preliminary results as I am still testing. Check but do not download (or install) is apparently no longer officially supported, although it seems to be working still. Auto Update is out of discussion, while disabling WU has the downsides mentioned above.

Reply | Quote

I tend to agree with Mary Jo sometimes… but not so often. 🙂
I have different reasons to complain about Windows 10 than most who did not even install it at least once.

Reply | Quote

Since there was a security issue fixed in .NET 4.6.2, there is a 4.6.2 security-only update. Because security-only updates aren’t on Windows Update, a 4.6.2 cumulative rollup is also necessary even if it didn’t fix anything beyond security issues.

The other .NET Frameworks had only non-security fixes this month, and thus there are no security-only updates for them.

Reply | Quote

From Oct 2015 till early Nov 2016, I did not update my netbook. I have 2 other win7 systems. Anyways, I use the same procedure outline and updated my netbook. It took awhile because of 1 year of updates.

Reply | Quote

I said in a previous comment: “How to list catalog-only updates for 2016: search https://support.microsoft.com/en-us/kb/894199 for “: cat” (without quotes). Any other ways?”

In addition to the above search, also search for “: wsus” (without quotes). This will list updates that are on both WSUS and the catalog, but not on Windows Update. These are mostly the security-only updates for Windows and .NET Framework.

Reply | Quote

So I was thinking Tuesday when my New Dell XPS arrived what to do during setup? We are at Defcon 2.

Well I have 2 Windows 8.1 PC’s an All in One and a HP Laptop all locked down no updates since end of November safe there so what about this brand new Windows 10 Dell?

Automated setup was painless I went for customize the settings and used a checklist of recommendations from Woody and blog readers here.(turn off Cortana,tracking etc)

I took a chance knowing reverting a new PC would be easy and went with Windows Update (I had switched Metered connection on the moment I went online) It was fast and painless total setup was little over an hour and no problems with my 4 month old HP8725 which had a September hiccup over Win10 updates on the old HP Desktop.

So far so good metered connection is back on so I dont need to worry about the Family Desktop I rarely use. (They think Windows 10 is Wunnerful and want to know why they cant use Cortana I tell them she is a b**** who will steal your soul) ;-p

No matter we are buying Alexa so she will get all our Family secrets 😉

As for me I am happy with my Windows 8.1 PC’s well cared for maintained and SAFE

Thanks to Woody and the amazing community here.

I went ahead and bought Windows 10 for Dummies today (Kindle edition) I had been putting it off the past year because I was not planning on using Win10.

But I need the reference so I can keep an eye on MS shenanigans and of course AskWoody is my weekly go to source!

Reply | Quote

Thanks for getting the book!

General advice when you get a new machine: Bring it all up to date, right away. You may hit some problems, but establishing a sound starting point is more important. Then we can haggle from month to month.

Reply | Quote

To put some numbers on it, “a long time” for recent Win 10 1607 CUs has been up to 20 mins to 40 mins., stuck at various percentages of completion along the way. Then a Restart, where the shutdown phase can take 20 to 40 mins., followed by startup phase which is usually a few mins. shorter.

This has been my experience on everything from a speedy Intel NUC with a SSD, to a pokey atom based tablet with eMMC storage and WIMBoot. Not much difference in the elapsed time in any case.

Reply | Quote

Did the security only update (KB3205394) break anyone else’s applications? In an enterprise environment, it broke AD Admin Center console when trying to edit any object’s properties, and it also broke SCCM consoles. Removing just this patch resolved both situations

Reply | Quote

I haven’t heard anything, but I’ll run this up Twitter. Can you post it on patchmanagement.org?

Reply | Quote

I’m surprised that an enterprise environment would apply updates without testing them first…

Reply | Quote

Thanks woody; I’ll post there. We do test them… Which is why we found this out when it only affected 4 PCs, instead of 4,000… And our users don’t utilize ADAC so they wouldn’t have been any help in this situation.

It actually affects both Win7 and 10, as well as server 2012r2 from what I’ve seen.

Reply | Quote

Thanks. Keep us posted!

https://www.askwoody.com/2016/december-security-only-patch-breaks-active-directory-admin-center-console-when-editing-objects-properties/

Reply | Quote

Just done a websearch for KB3205402, and this page was one of the top results, advising not to install yet.
As this has been superseded today, by https://www.askwoody.com/2016/ms-defcon-3-cautiously-update-windows-and-office/, perhaps a postscript could be added to the top of this post, linking to today’s updated info.
Thks for the ongoing help, to all those keeping us in the loop.

Reply | Quote

Got it. Thanks!

Reply | Quote