News, tips, advice, support for Windows, Office, PCs & more. Tech help. No bull. We're community supported by donations from our Plus Members, and proud of it
Home icon Home icon Home icon Email icon RSS icon
  • Group B – Win7/8.1 “Missing” updates, Hiding Rollups, Security-only patches

    Home Forums AskWoody support Windows Group B – Win7/8.1 “Missing” updates, Hiding Rollups, Security-only patches

    This topic contains 93 replies, has 13 voices, and was last updated by

     MrBrian 1 year ago.

    • Author
      Posts
    • #136861 Reply

      PKCano
      Da Boss

      I did some testing in response to the report that Group B was “missing” a large number of Security Updates by UNCHECKING (not installing) the “Security Monthly Quality Rollups” instead of hiding them.
      If you get bogged down with the data, read the top and bottom text of Parts 1 and 2 and the synopsis in Part 3.

      This Topic consists of three parts, separated into three replies, because of the length.

      Part 1 – Hiding Rollups on a Clean Install
      Part 2 – Installing Group B “Security Only Quality Updates” on a Clean Install
      Part 3 – Implications, Observations and Conclusion

      7 users thanked author for this post.
    • #136874 Reply

      PKCano
      Da Boss

      Part 1 – Hiding Rollups on a Clean install

      I saw a report that those following the Group B method of installing security-only patches resulted in a huge “missing Security updates list.” The list was generated by hiding the Oct 2016 – Sept 2017 Security Monthly Quality Rollups on a security-only up-to-date machine, then running a check for updates.

      I decided to start from the other end – a Clean Install.

      I did an OFFLINE clean install of Windows Home Premium SP1 32-bit. Still OFFLINE, I installed KB3020369, KB3138612, KB3177467, and KB3172605.
      ONLINE, I set Windows Update to “Never Check” and CHECKED the box “Give me recommended updates the way I get important ones.”
      I did a search for updates and recorded the numbers of the Updates. This is the “original important updates list.”

      Starting with 184 important and 8 optional updates

      1. Hiding 4038777 2017-09 Rollup (Sept), search for updates
      186 important and 8 optional updates
      Added updates
      4034664 2017-08 (Aug) Rollup
      3170455 Security
      2798162 Win Update

      2. Hiding 4034664 2017-08 Rollup (Aug), search for updates
      187 important and 8 optional updates
      Added updates
      4025341 2017-07 (Jul) Rollup
      2868116 Win Update
      2929733 Win Update
      3021917 Win Update (unchecked)

      3. Hiding 4025341 2017-07 Rollup (July), search for updates
      190 important and 8 optional updates
      Added updates
      4022719 2017-06 (Jun) Rollup
      2840149 Security
      3042553 Security
      3121255 Win Update

      4. Hiding 4022719 2017-06 Rollup (June), search for updates
      191 important and 8 optional updates
      Added updates
      4019264 2017-05 (May) Rollup
      3080446 Security

      5. Hiding 4019264 2017-05 Rollup (May), search for updates
      194 important and 8 optional updates
      Added updates
      4015549 April 2017 Rollup
      2503665 Security
      2957189 Security
      3138901 Win Update

      6. Hiding 4015549 April 2017 Rollup, search for updates
      201 important and 8 optional updates
      Added updates
      4012215 March 2017 Rollup
      2676562 Security
      3108678 Security
      3123479 Security
      3146706 Security
      3149090 Security
      3156017 Security
      3118401 Win Update

      7. Hiding 4012215 March 2017 Rollup, search for updates
      204 important and 8 optional updates
      Added updates
      3212646 January 2017 Rollup
      3161561 Security
      3177186 Security

      8. Hiding 3212646 January 2017 Rollup, search for updates
      207 important and 8 optional updates
      Added updates
      3207752 December 2016 Rollup
      2570947 Security
      3033889 Security
      3087039 Security

      9. Hiding 3207752 December 2016 Rollup, search for updates
      211 important and 8 optional updates
      Added updates
      3197868 November 2016 Rollup
      2993651 Security
      3109094 Security
      3164035 Security
      3185911 Security

      10. Hiding 3197868 November 2016 Rollup, search for updates
      215 important and 8 optional updates
      Added updates
      3185330 October 2016 Rollup
      2511455 Security
      4164033 Security
      3184122 Security

      11. Hiding 3185330 October 2016 Rollup, search for updates
      227 important and 8 optional updates
      Added updates
      3005607 Security
      3033929 Security
      3076949 Security
      3124280 Security
      3138962 Security
      3145739 Security
      3146963 Security
      3168965 Security
      3175024 Security
      3178034 Security

      I have not installed anything on this machine, simply sequentially hidden the Monthly Rollups. For all practical purposes, this is still a Clean Install.

      So, at first glance, it would seem that simply UNCHECKING (i.e. not installing), but not hiding, the October 2016 -September 2017 Rollups, would leave the Group B participants with a large “missing Security updates list.”

      Next, I am going to install all theGroup B Security Only Quality Updates”, leaving the October 2016 – September 2017 Rollups hidden. I want to see how many of these “missing security updates” will disappear, implying that they are actually replaces/superseded by the Group B security-only Updates.

      7 users thanked author for this post.
    • #136875 Reply

      PKCano
      Da Boss

      Part 2 – Installing Group B security-only patches on a Clean Install

      I did an OFFLINE clean install of Windows Home Premium SP1 32-bit. Still OFFLINE, I installed KB3020369, KB3138612, KB3177467, and KB3172605.
      ONLINE, I set Windows Update to “Never Check” and CHECKED the box “Give me recommended updates the way I get important ones.”
      I did a search for updates and recorded the numbers of the Updates. There were 184 important updates and 8 optional updates in the “original important updates list.”

      Then I sequentially hid the Monthly Rollups from Sept 2017 to Oct 2016. On hiding the latest one and searching for updates, the next earlier one appeared in the important update list. In the end, all Rollups were hidden from Oct 2016 to Sept 2017.

      Next, I searched for updates. Then I began installing the “Security Only Quality Updates,” beginning with Oct 2016 through Sept 2017.

      Starting with 227 important and 8 optional updates

      1. Installing 3192391 October 2016 Security Only Update, search for updates
      221 important and 9 optional updates
      Removed “missing” updates
      3076949 Security
      3124280 Security
      3145739 Security
      3175024 Security
      3178034 Security
      3138901 Win Update

      2. Installing 3197867 November 2016 Security Only Update, search for updates
      215 important and 9 optional updates
      Removed “missing” updates
      2511455 Security
      2570947 Security
      3033889 Security
      3087039 Security
      3164033 Security
      3184122 Security

      3. Installing 3205394 December 2016 Security Only Update, search for updates
      210 important and 9 optional updates
      Removed “missing” updates
      2993651 Security
      3108670 Security
      3109094 Security
      3164035 Security
      3185911 Security

      4. Installing 3212642 January 2017 Security Only Update, search for updates
      210 important and 9 optional updates
      Removed “missing” updates
      NONE

      5. Installing 4012212 March 2017 Security Only Update, search for updates
      207 important and 9 optional updates
      Removed “missing” updates
      3146963 Security
      3161561 Security
      3177186 Security

      6. Installing 4015546 April 2017 Security Only Update, search for updates
      206 important and 9 optional updates
      Removed “missing” updates
      3146706 Security
      3156017 Security

      7. Installing 4019263 2017-05 (May) Security Only Update, search for updates
      202 important and 9 optional updates
      Removed “missing” updates
      2503666 Security
      2957189 Security

      8. Installing 4022722 2017-06 (Jun) Security Only Update, search for updates
      201 important and 9 optional updates
      Removed “missing” updates
      3080446 Security

      9. Installing 4025337 2017-07 (Jul) Security Only Update, search for updates
      198 important and 9 optional updates
      Removed “missing” updates
      2840149 Security
      3042553 Security
      3121255 Win Update

      10. Installing 4034679 2017-08 (Aug) Security Only Update, search for updates
      197 important and 9 optional updates
      Removed “missing” updates
      2929733 Win Update

      11. Installing 408779 2017-09 (Sep) Security Only Update, search for updates
      194 important and 9 optional updates
      Removed “missing” updates
      3170455
      2798162

      After installing the “Security Only Updates” with the Monthly Rollups hidden, I compared the “final important updates list” with the “original important updates list” to see how many of the “missing security updates” were still missing.

      Of the original list of updates that Group B was “missing” by not hiding the Monthly Rollups, “final important updates list” still had these “missing” updates.
      2676562 Security
      3005607 Security
      3033929 Security
      3123479 Security
      3138962 Security
      3149090 Security
      3168965 Security
      2868116 Win Update
      3021917 Win Update
      3118401 Win Update

      The fact that there were considerably fewer “missing” security updates after the installation of the “Security Only Quality Updates”, seems to imply that the “missing” updates are being superseded by the security-only patches. If that is the case, Group B may not be not “missing” as many security updates as was originally thought if they uncheck, instead of hide, the Rollups.

      8 users thanked author for this post.
    • #136877 Reply

      PKCano
      Da Boss

      Part 3 – Implications, Observations and Conclusion

      Implications:
      1. The fact that there were considerably fewer “missing” security updates after the installation of the “Security Only Quality Updates”, seems to imply that the “missing” updates are being superseded/replaced by the security-only patches. If that is the case, Group B may not be not “missing” as many security updates as was originally thought if they uncheck, instead of hide, the Rollups.

      2. Perhaps, the problem lies in the update supersedence chain. Windows Update is a mess, and it would not be the first time that the supersedence chain has been broken. Recently, we have had old updates show up in windows Update with some regularity. Are they really needed (“missing”) or is it because the supersedence metadata is not correct. The problem is, you are never sure.

      3. I am not one for hiding updates. But once you start hiding the Monthly Rollups, you will have to hide them all, and keep hiding them in the future if you want to stay in Group B. That is, IF you are really “missing” updates if you don’t hide them. And hiding Updates may also involve hiding .NET Rollups as well if you want to install .NET security-only updates.

      Observations:
       1. Who is going to generate and maintain the list of Updates that need to be hidden? If you don’t have a definitive list to go by, how are you going to know if you have or have not missed one. To me, an ever growing list of Updates to be hidden is shades of GWX.

      2. Group B is getting harder and harder to maintain. especially for the average non-technical user, not only considering these findings but for other reasons. And there are updates, like the servicing-stacks, and even some .NET updates, that won’t show up in Windows Update as long as there is a pending, CHECKED, important update in the queue. These will have to be downloaded and manually installed from now on if the Monthly Rollups are not hidden. So, other stand-alone Updates will have to be added to the list of manual installs.

      3. What worked for a Clean install for Group B in the past has now become a nightmare. I still haven’t come up with a procedure to replace my suggested Clean Install method. And it needs replacing.

      Conclusion:

      I am going to make an attempt to revise the Group B instructions and come up with procedure for a Clean Install.

      But, to be honest, I am seeing Group B as a lost cause. I am coming to the conclusion that the Group B thing is not even for the half-way tech savvy average user, which includes most of the people trying to use it on this site. And trying to add .NET into the mix is just adding fuel to the fire.
      I really don’t like the idea of hiding all those updates. And at this point I think the supersedence chain is as messed up as Microsoft itself. Without going through and checking version numbers of every critical file in Windows (an impossible task), I don’t think anyone really knows what they have.

      In fact, I have converted all my machines, and those I support, to Group A, using other methods to curtail the telemetry. I am not going to stop all of it, and I certainly am not going to go to the extremes Noel Carboni does block it. I think I can reduce telemetry to a level I can live with using one-time settings that are easy enough for the average user to manage.

      9 users thanked author for this post.
      • #137556 Reply

        ch100
        AskWoody_MVP

        @pkcano I think that there should be less concern about avoiding updates and trying to control telemetry via Task Scheduler as already mentioned. Avoiding updates like KB2952664 raises another set of issues due to this update being updated itself often.
        There are in reality only 2 scheduled tasks required to be blocked, while the other tasks often mentioned obey with the CEIP setting.
        As I said in the past, this tool can provide further insight into optimising various versions of Windows and those guys are not the regular backyard optimisers often mentioned here and on other forums, but the real deal.
        https://labs.vmware.com/flings/vmware-os-optimization-tool

        3 users thanked author for this post.
        • #137560 Reply

          PKCano
          Da Boss

          Back when KB2952664 first appeared, I did some investigations and found one of the places it made changes was in Task Scheduler in Application Experience. For that reason I disable the tasks there.

          • This reply was modified 1 year, 6 months ago by
             PKCano.
          1 user thanked author for this post.
          • #137613 Reply

            ch100
            AskWoody_MVP

            Back when KB2952664 first appeared, I did some investigations and found one of the places it made changes was in Task Scheduler in Application Experience. For that reason I disable the tasks there.

            Exactly so. 🙂

    • #136913 Reply

      MrBrian
      AskWoody_MVP

      Thank you to PKCano for starting this thread. I haven’t read PKCano’s posts yet, but I will soon. I have also done a considerable amount of testing regarding this issue. I’ll post my results and commentary within the next few days. Within the past few weeks, I started a topic called “Unwanted Win updates must be hidden to ensure that you see all available updates,” but unfortunately due to site issues it’s now unavailable. Fortunately I saved most of my posts in that topic on my computer, and I will soon repost them.

      • This reply was modified 1 year, 6 months ago by
         MrBrian.
      • This reply was modified 1 year, 6 months ago by
         MrBrian.
      4 users thanked author for this post.
    • #136917 Reply

      MrBrian
      AskWoody_MVP

      “And there are updates, like the servicing-stacks, and even some .NET updates, that won’t show up in Windows Update as long as there is a pending, CHECKED, important update in the queue.”

      This applies to Group A also. I have a screenshot illustrating this issue that I will post soon.

      • This reply was modified 1 year, 6 months ago by
         MrBrian.
      3 users thanked author for this post.
    • #136931 Reply

      Purg2
      AskWoody Lounger

      Please review my latest results on the hiding aspect of this new development.

      https://askwoody.com/forums/topic/patch-tuesday-patches-are-out-2/#post-136658

      Win 8.1 Group B, Linux Dabbler

      1 user thanked author for this post.
      • #137052 Reply

        MrBrian
        AskWoody_MVP

        Are you asking why the .NET Framework monthly rollups aren’t on your list of hidden updates?

    • #136949 Reply

      MrBrian
      AskWoody_MVP

      Those interested in technical details about supersedence may wish to read The different types of Windows update supersedence.

      3 users thanked author for this post.
    • #136952 Reply

      MrBrian
      AskWoody_MVP

      An anonymous post (now available at https://askwoody.com/forums/topic/missing-security-updates-as-from-ms16-027-in-group-b-fresh-installation/) intrigued me and caused me to further investigate. My conclusion: For Windows 7 users (and probably also Windows 8.1 users), when using Windows Update, you must hide all unwanted updates in order to guarantee that all available updates are listed. There are two different reasons for the need to hide unwanted updates: 1) In Windows Update, the presence of an unwanted update suppresses the listing of wanted update(s) that are metadata-superseded by the unwanted update 2) some updates need to be installed exclusively (i.e. by themselves).

      • This reply was modified 1 year, 6 months ago by
         MrBrian.
      • This reply was modified 1 year, 6 months ago by
         MrBrian.
      7 users thanked author for this post.
    • #136954 Reply

      MrBrian
      AskWoody_MVP

      Background technical info: When you use Windows Update to check for Windows updates in Windows 7 (and I assume also in Windows 8.1), the following seems to happen behind the scenes (simplified version):

      1. The Windows Update client gets a list of all applicable updates that are not installed on your computer.

      2. Any updates in the list in step 1 that you have previously marked as hidden are removed from the list.

      3. Any updates in the list in step 2 that Microsoft considers to be metadata-superseded (first type of supersedence at https://askwoody.com/forums/topic/the-different-types-of-windows-update-supersedence/) by any other updates in the list in step 2 are removed from the list.

      In Windows Update you see the updates that remain after step 3 is done.

      • This reply was modified 1 year, 6 months ago by
         MrBrian.
      • This reply was modified 1 year, 6 months ago by
         MrBrian.
      2 users thanked author for this post.
      • #136958 Reply

        PKCano
        Da Boss

        And that should apply in the research that I did as well. So how do you account for the difference in the huge list of “missing” updates that are generated on a fully patched Group B install by hiding the Rollups, and the much smaller list from my findings?

        • #137030 Reply

          MrBrian
          AskWoody_MVP

          My list in https://askwoody.com/wp-content/uploads/2017/10/2-Hid-all-Windows-rollups.png shows 9 updates that were applicable (not counting KB3177467 which was listed after installing those 9 updates and then rebooting). I didn’t start with a clean installation because I was merely trying to establish whether there are circumstances in which not hiding updates can cause a user who thinks they are up-to-date are actually missing applicable updates. If I were to try this test again at a later date, some of those 9 updates might no longer be listed, while other update(s) might appear which aren’t in that list.

          • This reply was modified 1 year, 6 months ago by
             MrBrian.
          1 user thanked author for this post.
    • #136960 Reply

      Purg2
      AskWoody Lounger

      Supersedence isn’t as easily understood as I’d like it to be.

      Strange how they disappeared like that.  The last time that happened was because I was hiding GWX updates & they got duped in the important list.  Since then I have not hidden anything to avoid similar occurrences.

      That hide test I did with those rollups presented me with nothing useful.  Which leads me to believe that it might not be mission critical to how I go about updating group B style.  At some point I may even unhide the stragglers that didn’t disappear, shrugs indifferently.

      Win 8.1 Group B, Linux Dabbler

    • #136969 Reply

      MrBrian
      AskWoody_MVP

      Test: I started with a Windows 7 x64 Service Pack 1 virtual machine that had last been updated in September 2016 (thus had no Windows monthly rollups installed), had few if any security updates installed, and had many non-security updates installed. Then I installed all Important Windows updates except for the Windows monthly rollups. At this point no Windows security-only updates were installed.

      Here are screenshots showing which Important updates were listed in Windows Update without hiding any Windows monthly rollups vs. hiding all Windows monthly rollups:

       

      Attachments:
      You must be logged in to view attached files.
      4 users thanked author for this post.
      • #136994 Reply

        PKCano
        Da Boss

        Many of the “missing” updates in my Part 1 section  were dated before Sept 2016 and would thus have been already installed on this machine. Unless you start with a Clean Install it seems your results could be skewed.

        1 user thanked author for this post.
        • #137034 Reply

          MrBrian
          AskWoody_MVP

          ‘Many of the “missing” updates in my Part 1 section  were dated before Sept 2016 and would thus have been already installed on this machine.’

          That’s true for those that installed those updates before the existence of the monthly rollups. In other cases though, such as a clean installation, that won’t be the case.

          • This reply was modified 1 year, 6 months ago by
             MrBrian.
          2 users thanked author for this post.
    • #136981 Reply

      MrBrian
      AskWoody_MVP

      Test: Continuing from post #136969….

      Then I installed all Windows security-only updates (as of September 2017) and also the September 2017 Internet Explorer cumulative update. At this point, one might have expected this computer to be up-to-date on security updates, right (I did this test before October 10, 2017)? Wrong!

      Here are screenshots showing which Important updates were listed in Windows Update without hiding any Windows monthly rollups vs. hiding all Windows monthly rollups:

       

      Attachments:
      You must be logged in to view attached files.
      3 users thanked author for this post.
    • #136989 Reply

      MrBrian
      AskWoody_MVP

      Test: Continuing from post #136981….

      Does installing any of the updates listed in image “2-Hid-all-Windows-rollups” of post #136981 install anything important? I used a program to note which files were present before and after installing those updates, and also got the Windows Media Player version in its user interface before and after installing those updates.

      Here is a list of the changed executable files in folder c:windows\system32:

      audiodg.exe    6.1.7601.17514    2010-11-20 06:24.28    126,464        old
      6.1.7601.18741    2015-02-02 22:30.19    126,464        new
      AudioEng.dll    6.1.7600.16385    2009-07-13 20:40.04    440,832        old
      6.1.7601.18741    2015-02-02 22:30.55    440,832        new
      AUDIOKSE.dll    6.1.7600.16385    2009-07-13 20:41.53    499,712        old
      6.1.7601.18741    2015-02-02 22:31.05    500,224        new
      AudioSes.dll    6.1.7601.17514    2010-11-20 06:25.44    296,448        old
      6.1.7601.18741    2015-02-02 22:30.55    296,448        new
      audiosrv.dll    6.1.7601.17514    2010-11-20 06:25.44    679,424        old
      6.1.7601.18741    2015-02-02 22:30.55    680,960        new
      blackbox.dll    11.0.7601.17514    2010-11-20 06:25.48    840,192        old
      11.0.7601.18741    2015-02-02 22:30.55    842,240        new
      cryptsp.dll    6.1.7600.16385    2009-07-13 20:40.24    79,872        old
      6.1.7601.18741    2015-02-02 22:30.56    82,432        new
      cryptui.dll    6.1.7601.17514    2010-11-20 06:26.00    1,065,984        old
      6.1.7601.18741    2015-02-02 22:30.56    1,069,056        new
      drmmgrtn.dll    11.0.7601.17514    2010-11-20 06:26.08    495,104        old
      11.0.7601.18741    2015-02-02 22:30.57    497,664        new
      drmv2clt.dll    11.0.7600.16385    2009-07-13 20:40.33    1,200,640        old
      11.0.7601.18741    2015-02-02 22:30.57    1,202,176        new
      dxmasf.dll    12.0.7601.17514    2010-11-20 06:27.26    5,120        old
      12.0.7601.19148    2016-02-09 04:56.09    5,120        new
      EncDump.dll    5.0.1.1    2009-07-13 20:40.37    283,648        old
      5.0.1.1    2015-02-02 22:30.58    284,672        new
      msdxm.ocx    12.0.7601.17514    2010-11-20 06:27.26    5,120        old
      12.0.7601.19148    2016-02-09 04:56.09    5,120        new
      msnetobj.dll    11.0.7601.17514    2010-11-20 06:27.06    325,632        old
      11.0.7601.18741    2015-02-02 22:31.03    325,632        new
      msscp.dll    11.0.7601.17514    2010-11-20 06:27.08    641,024        old
      11.0.7601.18741    2015-02-02 22:31.03    641,024        new
      pcadm.dll    6.1.7600.16385    2009-07-13 20:41.53    37,376        old
      6.1.7601.18741    2015-02-02 22:31.04    37,376        new
      pcaevts.dll    6.1.7600.16385    2009-07-13 20:32.05    8,704        old
      6.1.7601.18741    2015-02-02 22:29.19    8,704        new
      pcalua.exe    6.1.7600.16385    2009-07-13 20:39.26    9,728        old
      6.1.7601.18741    2015-02-02 22:30.36    9,728        new
      pcasvc.dll    6.1.7600.16385    2009-07-13 20:41.53    186,368        old
      6.1.7601.18741    2015-02-02 22:31.04    188,416        new
      pcawrk.exe    6.1.7600.16385    2009-07-13 20:39.26    11,264        old
      6.1.7601.18741    2015-02-02 22:30.36    11,264        new
      samlib.dll    6.1.7600.16385    2009-07-13 20:41.53    107,008        old
      6.1.7601.23390    2016-03-15 19:16.10    106,496        new
      samsrv.dll    6.1.7601.17514    2010-11-20 06:27.26    758,784        old
      6.1.7601.23390    2016-03-15 19:16.10    760,320        new
      spwmp.dll    6.1.7601.17514    2010-11-20 06:27.24    9,728        old
      6.1.7601.19148    2016-02-09 04:54.38    9,728        new
      tzres.dll    6.1.7601.23497    2016-07-08 10:32.47    2,048        old
      6.1.7601.23511    2016-08-05 10:30.32    2,048        new
      wmdrmsdk.dll    11.0.7601.17514    2010-11-20 06:27.30    781,312        old
      11.0.7601.18741    2015-02-02 22:31.23    782,848        new
      wmp.dll    12.0.7601.17514    2010-11-20 06:27.30    14,633,472        old
      12.0.7601.19148    2016-02-09 04:57.04    14,634,496        new
      wmploc.DLL    12.0.7601.17514    2010-11-20 06:16.14    12,625,920        old
      12.0.7601.19148    2016-02-09 04:57.08    12,625,920        new

      Some other folders had important file changes also.

      So, does installing any of the updates listed in image “2-Hid-all-Windows-rollups” of post #136981 install anything important? Answer: Yes!

      • This reply was modified 1 year, 6 months ago by
         MrBrian.
      • This reply was modified 1 year, 6 months ago by
         MrBrian.
      Attachments:
      You must be logged in to view attached files.
      3 users thanked author for this post.
    • #136995 Reply

      MrBrian
      AskWoody_MVP

      Test: Continuing from post #136989….

      So now we’ve installed all Important updates, right? No! I checked for Windows Updates again. Servicing stack update KB3177467 was now available. Notice that the Optional tab isn’t present in the screenshot below. Also notice from the Install Resources tab of https://www.catalog.update.microsoft.com/ScopedViewInline.aspx?updateid=16740a04-df6d-4be3-b27f-f7cdb287ebf2 that Microsoft states that KB3177467 must be installed exclusively of other updates. Thus, I believe that Windows Update shows exclusive updates only when no other Important updates are listed. This is the second reason for my advice of hiding all unwanted (or at least all Important) Windows updates when updating Windows, and it applies to Group A also.

      Attachments:
      You must be logged in to view attached files.
      4 users thanked author for this post.
    • #137001 Reply

      MrBrian
      AskWoody_MVP

      As a result of these issues, here is the algorithm that I now use when updating Windows 7 (I am in Group A):

      1. Check for Windows updates.

      2. Hide all Windows updates that you don’t intend to install now. If you hid any updates during this step, go to step 1.

      3. Install desired Windows updates. Reboot if asked. If you installed any updates during this step, go to step 1.

      4. (Optional) Unhide any hidden updates that you may want to install in the future, so that you don’t forget about them.

      I wrote a .vbs script that hides all applicable updates that have a given description. For example, it can be used to hide all applicable Windows monthly rollups and Windows preview monthly rollups by targeting “monthly quality rollup”. I have used this script on my home computers. I will make it available if anybody requests.

      Free program Windows Update MiniTool has a checkbox “Include superseded” that when ticked can be used to hide all unwanted applicable updates in one pass. Woody’s thoughts on Windows Update MiniTool are at https://www.askwoody.com/2017/in-praise-of-windows-update-minitool/. I recommend that Windows 7 and 8.1 users don’t use Windows Update MiniTool with checkbox “Include superseded” unticked to install updates due to this issue.

      • This reply was modified 1 year, 6 months ago by
         MrBrian.
      6 users thanked author for this post.
    • #137002 Reply

      MrBrian
      AskWoody_MVP

      I also did similar tests that show that the same metadata-supersedence issue can affect those who install the .NET Framework security-only updates and don’t hide the .NET Framework monthly rollups. More details are in a comment I wrote at https://blogs.msdn.microsoft.com/dotnet/2017/09/12/net-framework-september-2017-security-and-quality-rollup/.

      • This reply was modified 1 year, 6 months ago by
         MrBrian.
      • This reply was modified 1 year, 6 months ago by
         MrBrian.
      3 users thanked author for this post.
    • #137004 Reply

      MrBrian
      AskWoody_MVP

      Question: Is everybody reading this who uses Windows 7 or 8.1 and doesn’t follow my algorithm from post #137001 missing applicable updates?

      Answer: Not necessarily. However, I believe I have established that there are scenarios in which those who don’t follow my algorithm from post #137001 are missing applicable updates.

      2 users thanked author for this post.
    • #137006 Reply

      MrBrian
      AskWoody_MVP

      Some may recall reading advice from others on this site to not hide updates. I started a relevant topic earlier this year: What issues can result from hiding a Windows update?

      I have seen no evidence that hiding updates causes any issues.

      3 users thanked author for this post.
    • #137008 Reply

      MrBrian
      AskWoody_MVP
    • #137010 Reply

      PKCano
      Da Boss

      @mrbrian
      I have to ask these questions:
      + Is this procedure for most of the people on this site who are trying to follow Group B patching, and for the general user reading these Forums?

      + Who is going to generate and maintain the list of patches that shouldn’t be installed and need to be hidden? Or the list of hidden patches that need to be unhidden and installed ?

      3 users thanked author for this post.
      • #137016 Reply

        MrBrian
        AskWoody_MVP

        “Is this procedure for most of the people on this site who are trying to follow Group B patching, and for the general user reading these Forums?”

        It’s the update procedure that I now use. I recommend that Group A, Group B, and any other update instructions be updated to mitigate these issues. I will certainly help if I am asked. Until the instructions are updated, immediately after following those instructions, readers can follow my algorithm to list updates that previously weren’t listed. The basic idea of my algorithm: any update listed in Windows Update should either be installed or hidden.

        “Who is going to generate and maintain the list of patches that shouldn’t be installed and need to be hidden? Or the list of hidden patches that need to be unhidden and installed?”

        I think there is no need for such lists. The updates that the previous instructions would have not installed (i.e. are unticked) should now be hidden, in my opinion.

        1 user thanked author for this post.
    • #137020 Reply

      MrBrian
      AskWoody_MVP

      As an example, I’ll now explain why the March 2016 KB3138962 security update for Windows Media Player is not applied for some Group B users.

      Fact #1: Read post #136954.

      Fact #2: An updated version of Windows Media Player thus far has not been included in any of the Windows 7 Windows security-only updates. This is not a mistake by Microsoft because there apparently have been no security updates for Windows Media Player between October 2016 and September 2017.

      Fact #3: All Windows 7 Windows monthly rollups since October 2016 have included v12.0.7601.23517 of Windows Media Player. The documented reason for inclusion of v12.0.7601.23517 of Windows Media Player is the non-security reason “Removed the Copy Protection option when ripping CDs in Windows Media Audio (WMA) format from Windows Media Player.” (The October 2016 Windows 7 monthly rollup includes the changes from the Optional September 2016 rollup.)

      Fact #4: Since v12.0.7601.23517 of Windows Media Player is later than v12.0.7601.19148 that is installed by KB3138962, we can assume that v12.0.7601.23517 of Windows Media Player includes the fix in KB3138962.

      Fact #5: Since v12.0.7601.23517 of Windows Media Player is later than v12.0.7601.19148 that is installed by KB3138962, and since both are security-related updates, it shouldn’t be surprising that Microsoft considers KB3138962 to be metadata-superseded by all of the Windows 7 monthly rollups since October 2016. You can see this by looking at the Package Details tab of https://www.catalog.update.microsoft.com/ScopedViewInline.aspx?updateid=aa68972f-8750-4215-b225-330dcd851217.

      Thus, if you had not installed KB3138962 before the October 2016 Windows 7 Windows monthly rollup was released on October 11, 2016, you will not see KB3138962 listed in Windows Update anymore after October 11, 2016 unless you hide all of the Windows 7 monthly rollups, because all of the Windows 7 monthly rollups metadata-supersede KB3138962 (Fact #5), and Windows Update doesn’t show available updates that are metadata-superseded by other available updates (Fact #1) . Since Group B doesn’t install the Windows monthly rollups, and since none of the Windows 7 security-only updates thus far have included Windows Media Player (Fact #2), perhaps you can now see the reason why some Group B users have a version of Windows Media Player before the version that KB3138962 installs, while Group A users have a version of Windows Media Player that includes the fixes in KB3138962 (Fact #3 and Fact #4).

      • This reply was modified 1 year, 6 months ago by
         MrBrian.
      4 users thanked author for this post.
      • #137089 Reply

        Volume Z
        AskWoody Lounger

        In short: KB3138962 applies whenever the September 2016 Rollup Update is missing.

        • #137091 Reply

          Kirsty
          Da Boss

          September 2016 Rollup Update

          I think I’m getting confused here – didn’t the rollups start in October 2016? I don’t believe there was a September 2016 rollup update, was there?!

          • #137140 Reply

            MrBrian
            AskWoody_MVP

            The September 2016 rollup was actually the first monthly rollup in this series, but it has no security-related updates, and is an Optional update. From October 11, 2016 — KB3185330 (Monthly rollup): “This security update includes improvements and fixes that were a part of update KB3185278 (released September 20, 2016)…”

            @Volume Z: I mentioned one of your posts in https://askwoody.com/forums/topic/group-b-win78-1-missing-updates-hiding-rollups-security-only-patches/#post-137008.

            1 user thanked author for this post.
            • #137149 Reply

              Volume Z
              AskWoody Lounger

              Hi MrBrian,

              interesting enough the non-security KB3185278 supersedes the security KB3138962. The superseding capacity of the Security Monthly Quality Rollups toward KB3138962 is due to the September 2016 Rollup being included in them.

              Regards, VZ

            • #137157 Reply

              MrBrian
              AskWoody_MVP

              @Volume Z: KB3185278 for Windows 7 x64 doesn’t metadata-supersede (i.e. first type of supersedence) anything according to https://www.catalog.update.microsoft.com/ScopedViewInline.aspx?updateid=22b15c08-6fe4-499d-81e1-6fd61ea756de. It’s probably true though that after installing KB3185278, KB3138962 will always be considered not applicable because all of its components are component-superseded (second type of supersedence) by the components already present on the computer.

              See also https://askwoody.com/forums/topic/group-b-win78-1-missing-updates-hiding-rollups-security-only-patches/#post-137020.

              • This reply was modified 1 year, 6 months ago by
                 MrBrian.
            • #137256 Reply

              Volume Z
              AskWoody Lounger

              It’s probably true that KB3185278 doesn’t metadata-supersede anything – but how to determine this other than referring to the Catalog only? :/

            • #137281 Reply

              MrBrian
              AskWoody_MVP

              Microsoft declares which updates metadata-supersede which other updates. An alternate method of seeing this information is to use a script like this.

              2 users thanked author for this post.
            • #137559 Reply

              ch100
              AskWoody_MVP

              @mrbrian

              The first Windows Update rollup in the current series started in June 2016, being replaced by the July 2016 when it was found that the June 2016 update was faulty.
              However, some people consider the current round of rollups being started in May 2016 with KB3125574.

              Regardless, this is a lot of effort for nothing.
              Most people should update monthly around the Friday after Patch Tuesday and stop being concerned with those issues.
              Those maintaining ONE computer should update immediately though.

              1 user thanked author for this post.
            • #137616 Reply

              MrBrian
              AskWoody_MVP

              Post from abbodi86 (my bolding):

              “I just noticed that KB3185278/KB3185279 rollups CBS name is Package_for_RollupFix (the name shown with Dism tool)
              i.e. for win7 x86:
              Package_for_RollupFix~31bf3856ad364e35~x86~~7601.23545.1.4

              which is the same scheme used in Win10 cumulative updates to ensure old ones get superseded and removed automatically

              so this officially makes September rollups the first Monthly Rollup Preview Update

              2 users thanked author for this post.
          • #137555 Reply

            PKCano
            Da Boss

            There were earlier Rollups, but they were not cumulative. Group B was originally started to avoid the telemetry that MS was adding to Win7 and Win8.1, and to avoid the “cumulativeness” where you couldn’t choose individual patches. I believe the Oct 2016 Rollup was the first “cumulative” update, but MS didn’t start adding telemetry till the Nov 2016 update.

            Just my own choice, I never avoided the Oct 2016 Rollup because I wasn’t as concerned about the content until MS started adding telemetry. I had always had recommended updates checked, so I wasn’t culling changes changes to the Windows OS.

            1 user thanked author for this post.
    • #137038 Reply

      MrBrian
      AskWoody_MVP

      I will now explain the first issue further.

      Some pre-October 2016 updates are metadata-superseded by the Windows monthly rollups or .NET Framework monthly rollups. Group B doesn’t install the Windows monthly rollups. Some people also don’t install the .NET Framework monthly rollups. Windows Update doesn’t list applicable updates that are metadata-superseded by other applicable updates. Therefore, the presence of Windows monthly rollups or .NET Framework monthly rollups in Windows Update suppresses the listing of the pre-October 2016 updates that they metadata-supersede. In some circumstances, some of the pre-October 2016 metadata-superseded updates are still applicable (as of September 2017).

      Hiding unwanted updates fixes this issue because of how Windows Update works.

      • This reply was modified 1 year, 6 months ago by
         MrBrian.
      • This reply was modified 1 year, 6 months ago by
         MrBrian.
      2 users thanked author for this post.
    • #137055 Reply

      Purg2
      AskWoody Lounger

      Please review my latest results on the hiding aspect of this new development. https://askwoody.com/forums/topic/patch-tuesday-patches-are-out-2/#post-136658

      Are you asking why the .NET Framework monthly rollups aren’t on your list of hidden updates?

      No, I just find it interesting that my update hiding experiment seems to have had different results.

      Those interested in technical details about supersedence may wish to read The different types of Windows update supersedence.

      To which my below statement was made.

      Supersedence isn’t as easily understood as I’d like it to be. Strange how they disappeared like that. The last time that happened was because I was hiding GWX updates & they got duped in the important list. Since then I have not hidden anything to avoid similar occurrences. That hide test I did with those rollups presented me with nothing useful. Which leads me to believe that it might not be mission critical to how I go about updating group B style. At some point I may even unhide the stragglers that didn’t disappear, shrugs indifferently.

      And for giggles & laughs, included here is the version of windows media player I have.

      https://i.imgur.com/iAw4ElR.png

      Perhaps the notion of hiding updates does not apply to the group B members that are up to date (for the most part) & have never done a clean install.  My experience tells me that nothing vital was missed & probably won’t be in the future.  I might be missing something in this discussion & will adapt accordingly if needbe.  You’ve certainly given me plenty to consider.  So I thank you for that.

      Win 8.1 Group B, Linux Dabbler

      • #137061 Reply

        MrBrian
        AskWoody_MVP

        You’re welcome :).

        Different people can indeed get different results for the same operating system. Also, whether a given user is missing any applicable updates by not hiding unwanted updates can change from one month to the next.

        P.S. Your Windows Media Player version seems to indicate that you are using Windows 8.1. I did my tests on Windows 7 x64 with Service Pack 1 installed.

        1 user thanked author for this post.
    • #137428 Reply

      glnz
      AskWoody Lounger

      PKCano – Thanks so much for your efforts here.

      But I take your advice that it’s time for someone like me to drop Group B and go with Group A.  I’m not a tech and I would never try to duplicate your steps above on my wife’s important SOHO machine.

      What’s the right way to move from Group B to Group A?  Win 7 Pro 64-bit.

      Since some time last year, I’ve been on Group B mostly but not religiously.  So over the last year there are a lot of your Security-Only Updates and IE 11 Only Updates but also a few of the all-inclusive Rollups.

      What should I do now to move to Group A and not “miss” anything?

      Thanks.

      • This reply was modified 1 year, 6 months ago by
         glnz.
      • #137468 Reply

        ch100
        AskWoody_MVP

        It is relatively easy.
        1. Reset the SoftwareDistribution database by stopping the WU service and deleting the whole C:\Windows\SoftwareDistribution folder.
        2. Scan against Windows Update and install everything offered, less those updates with Preview in title. You may skip those Optional updates, although I am in favour of installing them all, except for the above mentioned Preview updates. Scan repeatedly until there is nothing left. Install ALL Recommended updates too, no exception.

        1 user thanked author for this post.
      • #137483 Reply

        PKCano
        Da Boss

        Here are the steps I took to move from Group B to Group A, with some additional information I use to reduce telemetry. What I’ve done is basically what @ch100 recommends with the exception that I leave the UNCHECKED optional updates list alone.

        I switched over to Group A with the September patch set. I can tell you what I did and how I have my computers set up. Understand this is NOT gospel, and I’m certainly not telling anyone this is what they have to do.

        Settings external to Windows Update (to reduce telemetry):
        1. In Action Center\Maintenance\Settings – Windows Error Reporting is set to “Never check for solutions.”
        2. In Action Center\Change Action Center settings\Related settings: CEIP is set to “No” and Problem reporting is set to “No.”
        3. In Administrative Tools\Services – Diagnostics Tracking Service is Disabled. (If is’t not there, it WILL be installed once you start using the Monthly Rollups.)
        4. In Administrative Tools\Task Scheduler\Library\Microsoft\Windows – all tasks under Application Experience, Autochk, and CEIP are Disabled.
        5. Smart Screen Filter is turned OFF in IE11 in Win7/8.1 and on the desktop in Win8.1
        6. Bing is not the default search engine in IE11 and IE11 is not my default browser.

        Windows Update Settings:
        1. CHECKED “Give me recommended updates the same way I receive important updates”
        2. CHECKED “Give me updates for other MS products”
        3. Windows Updates set to “Never” or “Let me choose when to download and install”
        4. ONLY hidden updates are telemetry related: Win7 KB2952664/3150513, 3021917, 3068708, 3080149; Win8.1 KB2976978/KB3150513, KB3044374, KB3068708, KB3080149. Unhide everything else.

        1. Search for updates. If the telemetry patches are not to be installed, check to be sure they are removed (hidden) before installing anything.
        2. For Win7 only, UNCHECK MS .NET Framework 4.7 KB3186497 (reason: the Monthly Rollup for Win7 supplies the D3D Compiler that needs to be installed for .NET 4.7)
        3. Install the patches in the “important updates” list (Monthly Rollup, .NET Rollups, MSRT, IE Flash (Win8.1) .NET4.7 (Win 8.1), Office, etc.). If  “Give me recommended” was NOT checked in the past, there may be a quite a few recommended updates. Reboot.
        4. About 10 min. after login, search for updates. install any important updates, Win7 also install .NET 4.7 KB3186497, reboot.
        5. About 10 min. after login, search for updates. install any important updates, reboot, repeat #5 until there are no important updates.
        6. After the last reboot, wait 30 minutes. Run Disk Cleanup, click “Clean up system files” and be sure “Windows Update Cleanup” is checked
        7. Now in Group A

        • This reply was modified 1 year, 6 months ago by
           PKCano.
        • This reply was modified 1 year, 6 months ago by
           PKCano.
        • This reply was modified 1 year, 6 months ago by
           PKCano.
        • This reply was modified 1 year, 6 months ago by
           PKCano.
        • This reply was modified 1 year, 6 months ago by
           PKCano.
        • This reply was modified 1 year, 6 months ago by
           PKCano.
        4 users thanked author for this post.
        • #137490 Reply

          ch100
          AskWoody_MVP

          Just a mention in relation to Error Reporting.
          Make sure that this is configured for All Users.
          Otherwise the system and all other users of the computer will still log errors and at minimum will fill the hard-disk with GB of useless information.

          2 users thanked author for this post.
          • #137526 Reply

            glnz
            AskWoody Lounger

            PKCano and ch100 — many thanks again.  Some follow-up questions:

            PKCano – you wrote BOTH pf these:

            2.For Win7 only, UNCHECK MS .NET Framework 4.7 KB3186497 (reason: the Monthly Rollup for Win7 supplies the D3D Compiler that needs to be installed for .NET 4.7)   ….

            4. About 10 min. after login, search for updates. install any important updates, Win7 install .NET 4.7 KB3186497, reboot.

            So, as to KB3186497 , you’ve written both “uncheck” and “install”.  Please advise.

            ch100 – You advise making sure Error Reporting is configured for All Users.  Where do I go to check or set this?

            THANKS PKCano and ch100!

            • #137535 Reply

              PKCano
              Da Boss

              On Win7, the D3D Compiler has to be installed for .NET4.7
              It is included in the Rollups, but not in the security-only updates that Group B does.
              So – you uncheck .NET4.7 BEFORE you install the Rollup. You get the D3D Compiler included in the Rollup. Then you go back and install .NET4.7 (AFTER the Rollup/Compiler are in place).

              Otherwise, you have to manually install the D3D Compiler.

              • This reply was modified 1 year, 6 months ago by
                 PKCano.
              1 user thanked author for this post.
            • #137538 Reply

              glnz
              AskWoody Lounger

              PKCano – sorry but I’m a dummy.  Do you mean uncheck in Windows Components in Programs and Features?

            • #137540 Reply

              PKCano
              Da Boss

              No. We’re talking about Windows Update. Uncheck the update in the important list in Windows Update.

              No mention here about Programs and Features.

            • #137546 Reply

              glnz
              AskWoody Lounger

              So when I first see KB3186497 listed in the Important Updates, UNcheck it.  Then at the very end after all the other Important Updates are in and the PC runs OK for 10 mins, REcheck it and install it.

            • #137549 Reply

              PKCano
              Da Boss

              You can recheck it in the round of updates immediately AFTER you install the Monthly Rollup. Install Rollup in Step 3, install .NET4.7 in sStep 4.

            • #137566 Reply

              glnz
              AskWoody Lounger

              PKCano – Question for after.

              After I’ve moved fully into Group A and up to date with it, then let’s talk about next month:  Sometimes, the Defcon is to wait for some time while MS maybe fixes the problems in the new round of big fat Rollups.  However, sometimes there are real nasty risks out there and I want to do something faster to protect the wife’s important SOHO Win 7 machine.

              So, how bad is it if I first run your security-only and IE 11 updates on the early side, wait for the Defcon to get better, and then run the Rollups for the same month?

              Thanks.

            • #137570 Reply

              PKCano
              Da Boss

              The Rollup is three-part: non-security, security-only, and IE11 cumulative. So doing the Group B patches is doing 2/3 of the Rollup. So there is no problem there…..

              Unless the IE11 CU has a problen (affects both it and the Rollup), or the security-only part has a problem (affects both it and the Rollup).

              If there’s a serious threat, like WannaCry, you may need to go ahead. But otherwise, it’s better to wait for the DEFCON go-ahead.

            • #137605 Reply

              glnz
              AskWoody Lounger

              PKCano and ch100 – All done on the first of two 7 machines.

              On this one, the only two updates that actually installed were the two from this month: KB4043766 and KB4041681.

              KB3186497 (related to the D3D  compiler) was NOT there before, did not appear on the update list, and is not there now.  Is that OK or should I go get it manually?

              EDIT – On a final reboot after everything above was done, the machine said it was installing updates even though there were no more.  And on the reboot it got stuck on “Running Updates.  100% Complete.  Please do not turn off the machine.” for a long time.  Finally that finished, but there’s nothing new in the View Updates or Installed Updates lists.  Belarc indicates that KB4041681 apparently didn’t finish updating until after midnight, when I had thought both were done around 11:15pm.  WEIRD, MAN.

              Many thanks.

              • This reply was modified 1 year, 6 months ago by
                 glnz.
            • #137651 Reply

              PKCano
              Da Boss

              Just be sure the ONLY hidden updates are the telemetry ones listed. UNHIDE anything else that is hidden. (Did you hide the .NET4.7 Framework patch?)

            • #137701 Reply

              glnz
              AskWoody Lounger

              PKCano – thanks again for your help.  I confirm that the ONLY items that are hidden are the four telemetry ones you had listed above.  When I first followed your instructions last night, they appeared and I hid them.

              KB3186497 (related to the D3D  compiler) was not in the two long lists of updates before I started, did not appear after I started, and still does not appear anywhere in connection with Windows Update.

              HOWEVER, I’ve just run a Search through the entire hard drive, and in my Downloads folder, I have NDP47-KB3186497-x86-x64-AIIOS-ENU.exe with Modified Date 8/9/2017 and file size 60,144 KB.  So is it possible I ran it in August but it was superseded by something else I ran later?  Maybe I ran another recent global rollup for .NET that included it and so it no longer shows anywhere?  It is also NOT in Belarc’s long list of updates.

              Should I run it again (or first re-download it from MS in case there’s a later version)?

            • #137703 Reply

              PKCano
              Da Boss

              Now that you are in Group A, you should not have to download or manually install ANYTHING. It should all come through Windows Update. All you have to do now is watch for DEFCON 3 or above!

              1 user thanked author for this post.
            • #139624 Reply

              glnz
              AskWoody Lounger

              PKCano and ch100 – thanks again for your help immediately above.  I followed your instructions and converted the first of my two Win 7 Pro 64-bit machines to Group A last weekend.  So far no problems.

              However, before I convert the second Win 7 Pro 64-bit machine to Group A, do you have any updates or further thoughts?  This second machine is the important one – my wife’s SOHO machine.  (BTW, it’s a Dell Optiplex 780 with 8GB RAM and an Intel Core 2 Duo E8400 @ 3.00GHz, an older machine that’s still OK.)

              Thanks.

            • #139635 Reply

              PKCano
              Da Boss

              Make an image in case you have serious problems.
              Also back up all (including AppData folder) under the User ID.
              Just in case….

            • #139963 Reply

              glnz
              AskWoody Lounger

              PKCano and ch100 – All seems to be good on my second conversion from Group B to Group A – my wife’s important SOHO Win 7 Pro 64-bit machine.

              Once again, however, after all the updates and many reboots, and after I then did the Windows Update Cleanup, the next reboot gave me a screen saying “Configuring Windows updates – 100% complete – Do not turn off your computer,” and this screen stayed there for about 20 minutes!  Something about the cleanup triggers this.  But all seems well afterwards so far.  MAYBE this event is explained lower down on this page here: https://askwoody.com/forums/topic/group-b-win78-1-missing-updates-hiding-rollups-security-only-patches/#post-139441  ?

              As with my earlier machine, KB3186497 was nowhere in sight – it was not in any list before, during or after this conversion.

              Like last time, the two first Important updates were KB4043766 and KB4041681.  This time, however, after those first two, I also got KB3135445 and KB3138612 as Important updates, which I decided to install.  (I had hid them many months ago, on this machine only, but unhid them for this conversion.)  Those four were all.

              Many thanks.

              • This reply was modified 1 year, 5 months ago by
                 glnz.
              • This reply was modified 1 year, 5 months ago by
                 glnz.
        • #139953 Reply

          walker
          AskWoody Lounger

          @pkcano:  This was a very detailed list, and you have presented it wonderfully.   I only wish I had the knowledge and/or experience to fully absorb it completely.   I made the wrong choice when the Group A versus Group B issues first became apparent, which has caused me a great deal of grief.  I have made a huge amount of progress, after having an “almost insurmountable” difficulty getting my “”Updating” problems repaired.

          I’m in Group A, and got into this menu in error.   My apologies.

          Thank you for the information you have posted here.    I will make a concerted effort to understand much more than I do now although I am in Group A, not Group B.   The information you have provided is most sincerely appreciated.    🙂

    • #137466 Reply

      ch100
      AskWoody_MVP

      I think the best and only reliable way to identify the missing updates if any is to use a tool referencing Wsusscn2.cab https://msdn.microsoft.com/en-us/library/windows/desktop/aa387290(v=vs.85).aspx
      WUMT, Belarc are few of those tools available to regular users.

      2 users thanked author for this post.
    • #137518 Reply

      SueW
      AskWoody Plus

      I’ve been reading through this thread, trying to determine whether my own monthly Group B strategy needs to be tweaked (or trashed) based on what I’ve been reading here.  Oy — I’m thinking that I might be missing any number of Security Updates since October 2016.

      Except for Windows 10-related updates, I have never hidden any of the Security Monthly Quality Rollups for Windows 7.  I have always unchecked them.  Always.  Also, I get Recommended Updates along with Optional Updates.

      What updates, if any, am I missing?  Thank you, ch100, for reminding me about Belarc Advisor!

      So I decided to run BA, after letting it update its database to 2017.10.11.1 (based on Microsoft’s 10/10/17 Security Bulletin Summary).

      Note: I have not installed October’s Updates yet — waiting for DEFCON 3.

      Here are the results, with my added descriptions following ‘ = ‘:

      “These security updates apply to this computer but are not currently installed (using Advisor definitions version 2017.10.11.1), according to the 10/10/2017 Microsoft Security Bulletin Summary and bulletins from other vendors. Note: Security benchmarks require that Critical and Important severity security updates must be installed.

      Hotfix Id     Severity     Description (click to see security bulletin)

      Q2553338    Unrated    Microsoft security advisory (KB2553338) = Security update for Office 2010: October 10, 2017
      Q2837599    Unrated    Microsoft security advisory (KB2837599) = Security update for Office 2010: October 10, 2017
      Q3159398    Important    Microsoft security update (KB3159398) = MS16-072: Security update for Group Policy: June 14, 2016 <= hid: not on Home Edition
      Q3213630    Important    Microsoft security update (KB3213630) = Security update for Word 2010: October 10, 2017
      Q4011196    Important    Microsoft security update (KB4011196) = Security update for Outlook 2010: October 10, 2017
      Q4040685    Critical    Microsoft security update (KB4040685) = Cumulative security update for Internet Explorer: October 10, 2017
      Q4041678    Critical    Microsoft security update (KB4041678) = October 10, 2017—KB4041678 (Security-only update)

      What I’m seeing is that all but one of these “missing” updates are October’s updates that will be installed after I get the go-ahead from Woody & Team.  What I am not seeing are any other updates due to not hiding the Security Monthly Quality Rollups . . .

      I hope this helps in any further analysis . . .

      Win 7 SP1 Home Premium 64-bit; Office 2010; Group B; Former 'Tech Weenie'

    • #137532 Reply

      BobT
      AskWoody Lounger

      Phew this is getting b***** complex, I really hate them for doing rollups and making it as annoying and confusing as this.

      So we’ll need updated instructions on:

      Group A Updates
      Group B Updates

      Recommended Hidden Updates (Telemetry etc).

      I’ll probably give Group B a try when I reinstall and have seen some instructions, but they’re probably out of date now. I’ve seen PKCano’s list of Telemetry updates to hide, but unsure if this is the definitive list? (Whether there’s any others to be hidden too, such as the Windows Activation one). I have a good chunk of these hidden and can show you if you wish. Started hiding them yonks ago when 292664 came along and the GWX fiasco, tis when I started reading Woody’s posts to scrutinize updates before installing. Always trusted MS for everything but drivers before that..

    • #137641 Reply

      MrBrian
      AskWoody_MVP

      For those that want to avoid hiding unwanted updates, here is an alternative update algorithm that utilizes the best aspects of Windows Update and Windows Update MiniTool:

      1. Using Windows Update, check for updates.

      2. Install desired updates listed in step 1. Reboot if asked. If you installed any updates during this step, go to step 1.

      3. Using Windows Update MiniTool with checkbox “Included superseded” ticked, check for updates.

      4. Install desired updates listed in step 3. Reboot if asked. If you installed any updates during this step, go to step 3.

      Steps 1 and 2 aren’t strictly necessary, but are included to reduce the number of metadata-superseded updates installed.

      • This reply was modified 1 year, 6 months ago by
         MrBrian.
      • This reply was modified 1 year, 6 months ago by
         MrBrian.
      • This reply was modified 1 year, 6 months ago by
         MrBrian.
      • This reply was modified 1 year, 6 months ago by
         MrBrian.
      4 users thanked author for this post.
      • #137809 Reply

        SueW
        AskWoody Plus

        I, for one, am not averse from hiding unwanted updates (or from using this alternative).  However, now that there is the potential issue for those of us in Group B missing earlier updates for several months [and not willing to switch to Group A], is there a recommended method to finding those missing updates so that we can install them (without reinstalling Windows 7)? Or is this what the Windows Update MiniTool does?

        Win 7 SP1 Home Premium 64-bit; Office 2010; Group B; Former 'Tech Weenie'

        • #137826 Reply

          MrBrian
          AskWoody_MVP

          Hiding all unwanted updates in Windows Update is one way to find out if there are any applicable updates that you didn’t know about. If you hide any updates in Windows Update, then you need to check for Windows updates again to see if more updates are listed. Keep repeating this process until all unwanted updates are hidden. For example, if you’re using Windows Update to hide Windows monthly rollups, then the first time you’ll see just the October 2017 Windows monthly rollup. Hide it. Then check for updates again. You’ll now see the September 2017 Windows monthly rollup. Hide it. Then check for updates again.  You’ll now see the August 2017 Windows monthly rollup. This could get tedious. Faster alternatives for mass hiding of Windows updates are 1) Windows Update MiniTool with checkbox “Include superseded” ticked 2) My script that hides updates with a given description. Also see https://askwoody.com/forums/topic/group-b-win78-1-missing-updates-hiding-rollups-security-only-patches/#post-137001.

          2 users thanked author for this post.
          • #137834 Reply

            SueW
            AskWoody Plus

            Thank you, MrBrian 🙂  Although I haven’t hidden any Monthly Rollups, I had hidden all Windows 10-related updates as they presented themselves each month.  I’ve also hidden Daylight Savings Time-related updates as well.  I’ve kept a list of those hidden.

            I think I’ll unhide what I’ve hidden to see what remains, and then decide what to re-hide.  I’ll also find out more about Windows Update MiniTool: I’m already reading https://askwoody.com/2017/in-praise-of-windows-update-minitool/ 🙂

            Win 7 SP1 Home Premium 64-bit; Office 2010; Group B; Former 'Tech Weenie'

            1 user thanked author for this post.
    • #139042 Reply

      GoneToPlaid
      AskWoody Plus

      Of the original list of updates that Group B was “missing” by not hiding the Monthly Rollups, “final important updates list” still had these “missing” updates. 2676562 Security 3005607 Security 3033929 Security 3123479 Security 3138962 Security 3149090 Security 3168965 Security 2868116 Win Update 3021917 Win Update 3118401 Win Update The fact that there were considerably fewer “missing” security updates after the installation of the “Security Only Quality Updates”, seems to imply that the “missing” updates are being superseded by the security-only patches. If that is the case, Group B may not be not “missing” as many security updates as was originally thought if they uncheck, instead of hide, the Rollups.

      Actually, Group B is not “missing” anything. Following are the details about your final list:

      2676562 Security — Superseded by the April, May, June, August, September and October 2017 Security Only Updates.
      3005607 Security — If you are on either Group A or B and if you download and try to install this update, then you will receive a message that “This update is not applicable to your computer”, as in superseded, yet not documented.
      3033929 Security — Not superseded by anything.
      3123479 Security — Superseded by the May 2017 Security Only Update.
      3138962 Security — Not superseded by anything.
      3149090 Security — Not superseded by anything.
      3168965 Security — Not superseded by anything.
      2868116 Win Update — Superseded by the September 2017 Security Only Update.
      3021917 Win Update — Is a Telemetry Update which is NOT wanted by Group B.
      3118401 Win Update — Update for Universal C Runtime in Windows which installs telemetry and is only needed if you want to run apps which are specifically designed for Windows 10. Basically, it is another version of KB2999226 which installs deep system wide telemetry.

      DISM under the Command Prompt has an issue such that it can NOT list all installed updates on a Win7 computer. DISM will hiccup and cough once it reaches its configured limits. To see all installed updates, you either need to check the Installed Updates shown under Programs and Updates in Control Panel, or you need to use a 3rd party utility such as Belarc Advisor. The latter will also tell you what you are missing, including updates which you deliberately chose not to install.

      When I build up a new Win7 SP1 machine and then update it, I install updates in groups which are based on the update original release dates, and on the update class — security updates and optional updates. I NEVER install the Convenience Update since it is riddled with bugs and since it installs telemetry updates.

      Before I install any updates on a fresh Win7 SP1 install, I first perform some basic configuration, and then run several REG files which fix various inherent issues. In other words, my first step is to nip various issues in the bud. Then I start installing updates.

      After installing even a very small group of updates, sometimes new relevant updates (based on the original release date) will magically appear when I have Windows Update check for updates after I rebooted the computer. Why does this occur? My guess is that Windows Update itself has a similar issue as the DISM issue I described above. The upshot is that one should never assume that they are done with updating their computer until, after installing updates, one actually checks for any new updates.

      Note that you mostly can continue to install the next group of updates when building up a fully updated Win7 computer, without having to waste time checking for new updates. Yet there specific points during the process where you should check for new updates, in order to get “magically” found new updates which should be installed before moving on to the next batch of updates, based on their original release dates.

      Once all updates have been installed, I double-check everything. Specifically, I make sure that I did not install an unwanted botched update or any updates which installed telemetry. I also make sure that the list of hidden updates matches my saved list of hidden updates. Once I have confirmed that everything is “good to go”, then I perform an incremental backup for the new computer, versus the full backup of the freshly installed Win7 SP1 OS partition which I made before any updates were installed.

      Once the computer was fully updated and the incremental backup was completed, I then run Disk Cleanup’s initially hidden utility to remove all superseded updates from the computer. Doing so also cleans out information about failed updates, and update installations which were canceled by the user. The latter can present problems when relying on DISM error codes when checking whether or not specific updates are installed on a Win7 computer.

      There is more than simply opting out of CEIP and disabling only two CEIP tasks, since there are other CEIP tasks which will still periodically run if they are not disabled. Opting out of CEIP merely prevents gathered telemetry data from being sent to Microsoft. All CEIP tasks must also be disabled, and all updates which gather telemetry must also be uninstalled as well. Yet this is another topic.

      In summary, Group B is tenable, yet Microsoft makes Group B fairly difficult.

      1 user thanked author for this post.
      • #139101 Reply

        MrBrian
        AskWoody_MVP

        “3138962 Security — Not superseded by anything.”

        As an example. KB3138962 for Windows 7 x64 is metadata-superseded by the Windows 7 monthly rollups.

        • This reply was modified 1 year, 6 months ago by
           MrBrian.
        • This reply was modified 1 year, 6 months ago by
           MrBrian.
        • #139332 Reply

          GoneToPlaid
          AskWoody Plus

          “3138962 Security — Not superseded by anything.” As an example. KB3138962 for Windows 7 x64 is metadata-superseded by the Windows 7 monthly rollups.

          That is most interesting. Yep, most of the Win7 Security Monthly Quality Rollups do list supersedence for KB3138962, yet none of the Win7 Security Only Quality Updates do. This is rather interesting, and it got my attention. I downloaded KB3138962, tried to install it on my primary Win7 x64 machine, and got this message: “Security Update for Windows (KB3138962) is already installed on this computer.” This computer shows that I installed KB3138962 on 03/08/2016.

          KB3138962 is a “Security Update for Windows Media to Address Remote Code Execution”.

          Keep in mind that I am on Group B. Group A includes not only updates for Internet Explorer, but also telemetry updates. Given that I also separately update Internet Explorer and that KB3138962 wasn’t subsequently updated, my guess is that KB3138962 had to be updated in order to address issues with Group A updates which gather telemetry and report to servers (some not controlled by Microsoft) which are located around the globe. This is just a wild guess.

          • #139340 Reply

            MrBrian
            AskWoody_MVP

            You probably installed KB3138962 before the existence of the Windows monthly rollups that metadata-supersede KB3138962. Another possibility is that you installed KB3185278, which is an Optional update that strict adherence to Group B avoids. This post goes into more detail about KB3138962.

             

      • #139371 Reply

        anonymous

        “Once the computer was fully updated and the incremental backup was completed, I then run Disk Cleanup’s initially hidden utility to remove all superseded updates from the computer. Doing so also cleans out information about failed updates, and update installations which were canceled by the user. The latter can present problems when relying on DISM error codes when checking whether or not specific updates are installed on a Win7 computer.”

        Disk Cleanup (cleanmgr.exe) is a utility that has gone through many changes in its lifetime. Could you clarify if here you write about having it up to date with all applicable patches and improvements. Or if you are referring to the need to ‘run as an administrator’, either by selecting such in the GUI window, or running the command in an elevated prompt. Or third, some other aspect of the Disk Cleanup utility I am not familiar with before now?

        Thank you for explaining.

    • #139198 Reply

      BobT
      AskWoody Lounger

      Before I install any updates on a fresh Win7 SP1 install, I first perform some basic configuration, and then run several REG files which fix various inherent issues. In other words, my first step is to nip various issues in the bud. Then I start installing updates.

      I then run Disk Cleanup’s initially hidden utility to remove all superseded updates from the computer. Doing so also cleans out information about failed updates, and update installations which were canceled by the user. The latter can present problems when relying on DISM error codes when checking whether or not specific updates are installed on a Win7 computer.

      There is more than simply opting out of CEIP and disabling only two CEIP tasks, since there are other CEIP tasks which will still periodically run if they are not disabled. Opting out of CEIP merely prevents gathered telemetry data from being sent to Microsoft. All CEIP tasks must also be disabled, and all updates which gather telemetry must also be uninstalled as well. Yet this is another topic.

      Hi mate, can you give a few more details of the actions in these 3 paragraphs please? In guide form if possible.

      I’m literally just about to start reinstalling W7 afresh now, so any further details on the extra tasks re: Telemetry, the “hidden Disk Cleanup function” and your initial basic config / reg files, what do you change etc? (I presume to only prompt for Restart is one of them).

      • #139347 Reply

        GoneToPlaid
        AskWoody Plus

        Hello BobT,

        I just sent you a PM.

        Best regards,

        –GTP

         

        1 user thanked author for this post.
    • #139368 Reply

      GoneToPlaid
      AskWoody Plus

      You probably installed KB3138962 before the existence of the Windows monthly rollups that metadata-supersede KB3138962. Another possibility is that you installed KB3185278, which is an Optional update that strict adherence to Group B avoids. This post goes into more detail about KB3138962.

      Hello MrBrian,

      Yes, KB3138962 was installed before the existence of the monthly rollups. Yet as mentioned and unlike the Group A rollups, none of the Group B Security rollups list KB3138962 as being superseded by any of the Security Only rollups. Only several of the Group A rollups list KB3138962 as being superseded. So again and only for Group B who has only installed the Security Only rollups, I stand by my claim that KB3138962 was never superseded for Group B followers.

      No. I never installed KB3185278. It is not and never was installed, and it is in the list of my hidden updates since it breaks EMET.

      Best regards,

      –GTP

       

       

      • #139374 Reply

        MrBrian
        AskWoody_MVP

        I agree with everything in your post.

        Here’s the problem regarding KB3138962 and Group B: Those in Group B who didn’t have KB3138962 installed by October 11, 2016 – the date of the release of the October 2016 Windows monthly rollup – will not see KB3138962 listed in Windows Update because KB3138962 is metadata-superseded by the October 2016 Windows monthly rollup (unless the Windows monthly rollups are hidden).

    • #139413 Reply

      GoneToPlaid
      AskWoody Plus

      “Once the computer was fully updated and the incremental backup was completed, I then run Disk Cleanup’s initially hidden utility to remove all superseded updates from the computer. Doing so also cleans out information about failed updates, and update installations which were canceled by the user. The latter can present problems when relying on DISM error codes when checking whether or not specific updates are installed on a Win7 computer.”

      Disk Cleanup (cleanmgr.exe) is a utility that has gone through many changes in its lifetime. Could you clarify if here you write about having it up to date with all applicable patches and improvements. Or if you are referring to the need to ‘run as an administrator’, either by selecting such in the GUI window, or running the command in an elevated prompt. Or third, some other aspect of the Disk Cleanup utility I am not familiar with before now? Thank you for explaining.

      Here ya go. With Disk Cleanup, all I did was this:

      https://support.microsoft.com/en-us/help/2852386/disk-cleanup-wizard-addon-lets-users-delete-outdated-windows-updates-o

      Just follow the instructions. YET NOTE: You will not see any progress bar indicator or other messages. Just kick back and walk away, or sit there and wait, until you eventually see a message that it has finished. It could take up to 10 to 15 minutes, or considerably longer on older and slower computers.

      • #139418 Reply

        BobT
        AskWoody Lounger

        Ah-ha I see. I presume you meant initially-hidden since it requires Administrator privileges for that option to show up? Or that MS added it over time.

        Either way yes I have that option in my Cleanup Tool.

      • #139441 Reply

        anonymous

        Sorry to be tedious, trying to make the step clear for all levels of users and readers of this site. I did the legwork, and reviewed your link to the Microsoft official outdated doubletalk. And I have concluded that this is not a mysterious function.

        Back in 2013, as part of regular updating, an add-on to the Disk Cleanup Manager was provided by scavengeui.dll

        It is a function triggered only under certain conditions. Not seeing it does not suggest there is a problem. If you have ever run Disk Cleanup with administrator privileges, and seen a checked box for Windows Update, then you have this function intact, and likely have for four years time. It is the reason that the NEXT shutdown/restart cycle will appear to install yet another update, even when you have not installed anything. That is Microsoft’s clear as mud way to show the activity has occurred, without actually explaining anything.

        It is a useful step in finishing the update process. I apologize for my confusion over your initial description. I fear mine is not much clearer.

        • #139532 Reply

          BobT
          AskWoody Lounger

          Yep, seems to only show up if you have administrator privileges, AND unneeded updates exist. If it can’t clean anything, it apparently won’t show the option.

          • #139540 Reply

            PKCano
            Da Boss

            See #137483 above

            6. After the last reboot, wait 30 minutes. Run Disk Cleanup, click “Clean up system files” and be sure “Windows Update Cleanup” is checked

            It’s not a hidden mysterious function

            • This reply was modified 1 year, 6 months ago by
               PKCano.
            1 user thanked author for this post.
            • #139548 Reply

              The Surfing Pensioner
              AskWoody Plus

              No, it’s not – I use it routinely. A lot of debris ends up in there.

              1 user thanked author for this post.
    • #141499 Reply

      anonymous

      Hi PKCano,

      I havent read whole thread, but think, I know whats about. Funny is, last 1-2 weeks, I worked for the same task. Since, there were some rumors about .NET 4.6.1, I decide to revise my offline installer.

      I know, Windows Update offline has been done by others and maybe better, but, I wanted do it myself. When I saw the W10-upgrade-hell and what MS can do, if these really decide to push for something, I simply couldnt just wait what will happend, I made some colllection of BAT/BINs to install Win7 up to date and offline.

      I maintain 2 basic directions, lets say one as Group A and second like Group B+NET. And 2 years, month after month, I updated it and after last news, I decided to make 3rd fork / GroupB+.NET, but 4.5.2 NET. But thats not important. I forked my files and simply started from scratch (I was thinking, they might be some obsolete KBs over the time). And I have found, there are some KBs, they are missing compared to prePatchocalypse state, so I started to investigate, line by line of my “code”. I checked missing KBs, search which SecurityOnly month patch has beed replaced with and maybe, result can be usefull for you.

      About my installer – its splitted into these steps>

      1. IE11 prerequisites, SP1 supredences fix
      2. IE11, .NET, latest WUagent, kernel mode driver framework
      3. WUA speed relevant updates, NET language pack
      4. NET updates
      5-8. Security KBs, those prePatchocalypse ones.
      9. Selected optional KBs
      10. some KBs with special care (KB2830477)
      11. KBs (secu+optio) detected later as dependence
      12. 10/2016+ SecuOnly rollups+IE,NET

      I have versions of my installer many month old, so I decide to compare actual WUA scan with latest prePatchocalypse scan. And the result is appr. 30 KBs dissapeared, some has valid reason (replaced by some SecuOnly rollups) and those missing without SecuQua replace, they are very similar to your conclusion:

      KB2544893
      KB2965788
      KB3005607
      KB3033929
      KB3076949
      KB3109094
      KB3126446
      KB3138962
      KB3149090
      KB3168965
      KB3185911

      And just for records / I does not count on socalled SP2 and my telemetry ignore list contain these>  971033 (x64), 2952664, 2966583, 3021917, KB3035583, 3068708, 3080149, KB3123862, 3170735, 3184143, 3181988

      If you need it, I can send detailed list of my installer from 9/2016

      HzK

      p.s. My opinion about Group B and strategy to patch:
      1. set up exact 9/2016 state
      2. minus those KBs, they are missing from scans today, but there is documented replace of some SecuOnly
      Methods based on todays scans only / well, I dont trust them no matter how sofistically we study them today. Its todays version of M$ truth

      3 users thanked author for this post.
      • #141508 Reply

        MrBrian
        AskWoody_MVP

        There are a lot of updates that are in both your “missing updates” list and mine.

        • This reply was modified 1 year, 5 months ago by
           MrBrian.

    Please follow the -Lounge Rules- no personal attacks, no swearing, and politics/religion are relegated to the Rants forum.

    Reply To: Group B – Win7/8.1 “Missing” updates, Hiding Rollups, Security-only patches

    You can use BBCodes to format your content.
    Your account can't use Advanced BBCodes, they will be stripped before saving.

    Your information:


    Comments are closed.