News, tips, advice, support for Windows, Office, PCs & more. Tech help. No bull. We're community supported by donations from our Plus Members, and proud of it
Home icon Home icon Home icon Email icon RSS icon
  • MS-DEFCON 1: Don’t apply ANY Windows or Office patches

    Home Forums AskWoody blog MS-DEFCON 1: Don’t apply ANY Windows or Office patches

    This topic contains 143 replies, has 40 voices, and was last updated by  Steve 2 years, 8 months ago.

    • Author
      Posts
    • #107805 Reply

      woody
      Da Boss

      I sure hope you folks followed my advice and locked down Windows Update prior to yesterday’s debacle. Going through the reports of Windows 7 and 8.1 m
      [See the full post at: MS-DEFCON 1: Don’t apply ANY Windows or Office patches]

      13 users thanked author for this post.
    • #107809 Reply

      Noel Carboni
      AskWoody_MVP

      It’s good to see that MS-DEFCON 1 can be fired up on occasion. I believe it’s the right call.

      Thank you for keeping a cool head and bringing reason to the game, Woody.

      I have to admit to wondering, myself, whether to step up the timescale for application of this month’s patches because of the reports of that Office zero-day. I only late last night learned that a recipient has to actively run an eMail attachment in order to be infected by it. Many sites, in their haste to sell their security packages, didn’t bother to dispel the worry that just having one of the bad eMails arrive in one’s inbox was enough to get the malware.

      -Noel

      7 users thanked author for this post.
      • #107873 Reply

        212louis
        AskWoody Lounger

        Noel,

        I’d like your take. I sent Woody an email re: the April .NET Security Only update x64. (I’m group C since the patchocalypse and I do only .NET Security Only updates when available ).

        When searching the April 2017 Security Only .NET update in the MS catalogue, the  search result provides a “Download” link for KB4014985…that  Download button  opens a window that provides 4 links that seem to NOT correlate to the KB4014985.

        Do you have any thoughts on this? Do you know which of those 4 links are actually the April Security Only .NET update for Windows 7 x64?

        (Could MS make this anymore confusing??)

        (Not updating anything yet, just preparing)

        TIA

        Download
        Download Updates

         

        Original Search results link:

        http://www.catalog.update.microsoft.com/Search.aspx?q=April%202017%20.NET%20Security%20Only%20update%20Windows%207

        1 user thanked author for this post.
        • #107896 Reply

          Noel Carboni
          AskWoody_MVP

          I’d like your take.

          (Not updating anything yet, just preparing)

          I think you’re taking the right stance. Weigh the risk and make the “go” decision when you feel you understand it well enough.

          How quickly you feel you have to install security updates depends on your confidence in your own security landscape. If your computing practices and technical perimeter keep you from knocking heads with malware much if at all, then you can guess that having an unpatched system isn’t that risky. Don’t forget that Microsoft didn’t release the security patches the day after they got the code fixed either – they waited until patch Tuesday.

          Regarding keeping an older system up to date with the latest functionality updates, then again you have to use your judgment. How often do you expect to install/use new software that requires the updated functionality?

          Personally I have two different systems for which I have made two different decisions. I have a Win 7 system that functions as a server that I have chosen to stop at a mid-2016 level of update, because I don’t actually need to install new software and it runs for as long as needed without a glitch. I also have a Win 8.1 workstation that I use interactively and conservatively keep up to date. Right now it’s up to date with general updates from January and some more current security patches, and I’m waiting to see whether the April functionality (group A) Updates bring unacceptable downsides.

          I’m also continually evaluating whether I need functionality from Windows 10 in order to continue doing business. So far I haven’t needed it, but if I should I already know the downsides and rewards because I have outfitted test systems with Windows 10 and gotten to know them.

          TL;DR: Do what you can to gain knowledge, both directly and by reading what others write, then use your best judgment.

          -Noel

          1 user thanked author for this post.
          • #107941 Reply

            b
            AskWoody Plus

            Don’t forget that Microsoft didn’t release the security patches the day after they got the code fixed either – they waited until patch Tuesday.

            How do you know when they got the code fixed (and tested)?

            Microsoft Edge, Win 10 Pro 1909: Group ASAP (pioneer)

            • #107954 Reply

              Noel Carboni
              AskWoody_MVP

              How do you know when they got the code fixed (and tested)?

              They don’t just fix their security holes only once a month, right before Patch Tuesday.

              How do you know they tested it?

              -Noel

              2 users thanked author for this post.
    • #107818 Reply

      AlexN
      AskWoody Lounger

      Does this apply to the older ones?  Either way, I am uninstalling the patches as I usually trust the “security only” patch and the .NET framework patch.

      Fortran, C++, R, Python, Java, Matlab, HTML, CSS, etc.... coding is fun!
      A weatherman that can code

      • #107824 Reply

        Noel Carboni
        AskWoody_MVP

        You have to do what you’re comfortable with, but regarding changing a system that’s already got patches from before and has been running okay… I suggest a healthy dose of this should be applied:

        If it works, don’t fix it.

        -Noel

        4 users thanked author for this post.
        • #107828 Reply

          AlexN
          AskWoody Lounger

          I suppose so.  I don’t even know what processor I have to know whether or not I’m at risk.  I’ll post a reply when I find out… restarting to uninstall in 3… 2… 1…

          Fortran, C++, R, Python, Java, Matlab, HTML, CSS, etc.... coding is fun!
          A weatherman that can code

          • #107833 Reply

            Anonymous

            Try using CPU-Z.

            1 user thanked author for this post.
            • #107878 Reply

              AlexN
              AskWoody Lounger

              Didn’t need to!  I looked at system info and found out I have a 5th generation processer 🙂

              Fortran, C++, R, Python, Java, Matlab, HTML, CSS, etc.... coding is fun!
              A weatherman that can code

      • #107923 Reply

        212louis
        AskWoody Lounger

        Noel,

        Appreciate your response, thanks.

        That said, do you have any idea on the Update catalogue providing FOUR links in the download window that do not correspond to the <span style=”color: #000000; font-family: ‘Helvetica Neue’, Helvetica, Arial, sans-serif; font-size: 14px;”>KB4014985 update.</span>

        In trying to keep this simple, a user searches the MS catalogue for the April .NET Security Only update for W7 x64, the search returns the update but the download link shows FOUR different active links. Which link is the KB 4014985 ??

        (Both the search result link and the result(s) of the Download link are included in my original response and included below. If you could, click through these links to see what I’m talking about. Something is not right.)

        Search result…

        http://www.catalog.update.microsoft.com/Search.aspx?q=April%202017%20.NET%20Security%20only%20Windows%207%20×64%20

         

        Download
        Download Updates

         

        1 user thanked author for this post.
      • #107930 Reply

        212louis
        AskWoody Lounger

        Noel,

        Do you know which of the FOUR links in the Download window is the correct April .NET Security Only update for Windows 7 x64??

        (Seems my 2nd response got lost in the “internet of things”)

        • #107932 Reply

          PKCano
          Da Boss

          I would guess that the number after the “ndp” is indicative.

          1 user thanked author for this post.
    • #107831 Reply

      Anonymous

      I wish Microsoft would just make their stuff work. I mean what’s next? Are going to block drivers from working?

      • #107893 Reply

        zero2dash
        AskWoody Lounger

        Don’t give them any ideas. 🙂
        Technically, that’s just about what they’re doing here. The CPU kernels/architecture updates aren’t being allowed in anything other than 10, even though 1) AMD/Intel are willing to provide them (evident by these pieces of hardware working in Linux) and 2) Win8.1 is not in Extended Support phase yet (meaning feature updates are supposed to still be provided).

        People call them “Microshaft” for a reason. 🙂

        2 users thanked author for this post.
    • #107832 Reply

      anonymous

      The current state of (lack of) info available from Microsoft for security updates …….
      https://www.theregister.co.uk/2017/04/11/patch_tuesday_mess/

    • #107836 Reply

      smokey92036
      AskWoody Lounger

      No problem with Defcon 1 , group W since November of 2016.

      • #107895 Reply

        zero2dash
        AskWoody Lounger

        I’m starting to lean more that way myself.
        Every month, you have patches released that cause nothing but problems for several weeks, and then after, things just quiet down like they’re “fixed”. At this point I’m more concerned about what they’re trying to sneak in than what they’re trying to actually fix.

        The CPU microcode detection update, for instance – that shouldn’t be something that anyone receives on 7. That’s not a security update, that’s a feature update. I thought we weren’t getting those? [sarcasm] Oh, but they’re making an exception for this one, because it provides for further OS version prodding and forceful upgrades.

    • #107842 Reply

      BrianL
      AskWoody Lounger

      In my way of thinking, whether you have an older machine or a newer machine with Win 7 or Win 8.1 the safest thing to do is click on ‘Services’ go down the list and double click on Windows Update then click on ‘disable’ then click ‘apply’ then if not stopped click on ‘stop’ then click on’OK’ then exit Services.  When it is OK to apply updates just reverse above.  What do you all think? (to Woody and Noel Carboni)

      • #107845 Reply

        anonymous

        Not a bad solution. But how are you certain that it won’t find a way to turn itself back on again?

        • #108041 Reply

          anonymous

          – Make a backup, just in case. Always backup before you sc**w up!

          – Download the stand alone installation (or update) for the Windows Update Client. If you can find a version previous to all these shenanigans, even better. You might eventually need it in the future, even if just for some manual installation of selected updates.

          – Delete the Windows Update service.

          – For the overkill, get lost on the C:\windows\winSxS and have fun butchering traces of Windows Update Client there. And Media Player. And Windows Mail. And IE. And that ton of Chinese, Japanese and Korean trash that should have never been stuffed into that install.

           

          There! If it’s not there at all of if it is, it’s in such a broken state that I dare Micro$oft to try to do something out of this. If they can brake it, why can’t I? 😉

           

          (another anonymous)

          Edited for content

      • #107863 Reply

        Noel Carboni
        AskWoody_MVP

        Not a bad solution. But how are you certain that it won’t find a way to turn itself back on again?

        It CAN happen. I’ve personally seen it happen.

        This year, for example, at the time I installed TurboTax on my Windows 8.1 workstation I shortly thereafter found unexpected entries in my firewall log that showed Windows Update had been started – even though I had set it to Disabled – and was trying to contact Microsoft (it failed, because I also reconfigure my firewall to disallow updates).

        Sure enough, when I looked, I found this situation:

        WindowsUpdateRunning

        Looking at the details in the Windows event logs, I saw that when the TurboTax installer was started it changed my setting from Disabled to Manual, started the service, then changed it back to Disabled! Not at all what one would expect of an application installer. Coincidence? Maybe. In any case, something changed the startup type of the Windows Update service.

        WindowsUpdateStarted

        Moral of this story: Settings are just that – settings – and some software vendors have been losing their compulsion to heed them.

        Secondary observation: A multiple layer security strategy can in some cases actually be necessary.

        I myself keep the Windows Update service Disabled and my firewall configured to disallow communications with the list of servers below except when I want to apply updates. I do this on all my systems, running Win 7, 8.1, and 10, and I recommend it for those who want to retain control. I can verify that Windows Defender / MSE do keep themselves up to date without Windows Update running.

        List of update servers/domains I only allow when actually doing updates (the items starting with “WU”):

        ListOfUpdateServers

        -Noel

        Attachments:
        4 users thanked author for this post.
    • #107850 Reply

      Canadian Tech
      AskWoody_MVP

      I am following PKCano’s guide, but only up to and including February (non-existent.) I am adding Office patches BEFORE March only. This is the first time my clients have had updates since last October. It may be the last time ever — ala Group W.

      Note, my clients’ newest Office is Office 2010. Not one of them has bought a more recent version.

      CT

      1 user thanked author for this post.
    • #107852 Reply

      lurks about
      AskWoody Lounger

      Ouch, pre-alpha patches in the wild. Not good.

    • #107854 Reply

      Bigpaul101
      AskWoody Lounger

      Following on from a previous post. I look at this logically (and very non technically), and what I am seeing is that there is something not right about a patch from last night loading on Win 7 Professional with Office Pro 2010. After loading and rebooting the machine hangs on restart.

      Win 7 and Office 2007 or 2016 do not seem to be affected.

      I have 68 workstations with different clients that have brought me to these conclusions. I should have waited!!!

      A local switch off / on seems to fix the issue.

      Hopefully this helps one of you more technically minded helpers

    • #107860 Reply

      pmcjr6142
      AskWoody Plus

      I assume that Windows Defender and Malicious Software Removal Tool are OK to install?

      • #107862 Reply

        Canadian Tech
        AskWoody_MVP

        pmcjr, I would not recommend the MSRT. It rarely produces anything useful. A reasonable antivirus software installation far outstrips it. In addition, MSRT is now a suspect spyware tool used by Microsoft.

        CT

        11 users thanked author for this post.
        • #107897 Reply

          zero2dash
          AskWoody Lounger

          CT is absolutely spot on.

          Telemetry from the Malicious Software Removal Tool

          2 users thanked author for this post.
        • #107906 Reply

          pmcjr6142
          AskWoody Plus

          Thanks, CT.  I have a good antivirus plus Malwarebytes, but I’ve always thought if MSRT catches one more infection, it’s worth it.  As long as it’s not breaking my PC.

          • #108000 Reply

            woody
            Da Boss

            The problem is that… I’ve never had MSRT pick up any problems.

            That said, I don’t see where this MSRT is any worse than its predecessors. And Defender updates are always OK.

            2 users thanked author for this post.
            • #108001 Reply

              Canadian Tech
              AskWoody_MVP

              Woody, in years and years of applying MSRT to hundreds of machines, I can recall ONE instance of it turning up anything. We’re talking of thousands of instances. I strongly suspect that my choice of AV has been the reason.

              That sure tells me it is pretty worthless. Why would I risk MS installing spyware in MSRT? No value to it.

              CT

              3 users thanked author for this post.
            • #108008 Reply

              Microfix
              Da Boss

              MSRT is just another means of ‘accepted via EULA’ telemetry since July 2016 IIRC

              As CT has pointed out, a good up to date AV/Antimalware is suffice if you’re in the anti-snooping camp.

              Win7 Pro x64 | Win8.1 Pro x64 | Linux Hybrids x64 | W10 x86 1909
              2 users thanked author for this post.
            • #109749 Reply

              Noel Carboni
              AskWoody_MVP

              MSRT has never done anything bad to any system I’ve seen run it, NOR has it turned up any unexpected malware. If it potentially could catch something in the general case, so why not let it run?

              I suspect it’s more of a “for dummies” malware mitigation, and folks in-the-know have other, better means to keep malware out – which is why we adept computer managers don’t see MSRT catch anything on our systems.

              The one thing no one really discusses much regarding the unsaid philosophy of “security is good and more security is better” is how much time is being wasted checking for malware.

              • Does everyone wait a few minutes longer for their updates to finish while MSRT runs?
              • Does everyone have a computer that’s half as powerful as it could be if only it weren’t constantly checking to see if malware has sneaked in and infected it?

              I’ve recently done some testing with and without Windows Defender and with and without MalwareBytes v3, and the amount of responsiveness and compute capacity lost just to run the anti-malware software is not insignificant!

              What price security?

              -Noel

        • #108011 Reply

          anonymous

          I suspected there was something wrong with MSRT along time ago by virtue of the fact I must always “Agree” to run it… Case in point, I never had to “Agree” to run an antivirus scan. By the way I never agree to allow MSE send suspicious files to Microsoft or join MAPS. The term “suspicious files” is too vague… Microsoft and their friends at the NSA think every file is suspicious.

    • #107868 Reply

      b
      AskWoody Plus

      don’t open any Word docs attached to email messages!

      In the real world, can this really be better advice than applying the patch?

      Waiting to see how many millions get hit?

      Many combinations of Microsoft Word and Windows support “Protected View” for documents downloaded from the internet or opened directly from the email. In these cases, the user needs to “Enable Editing” before the exploit runs. However, most users are accustomed to enabling editing.
      https://www.proofpoint.com/us/threat-insight/post/dridex-campaigns-millions-recipients-unpatched-microsoft-zero-day

      Microsoft Edge, Win 10 Pro 1909: Group ASAP (pioneer)

      1 user thanked author for this post.
      • #107888 Reply

        Noel Carboni
        AskWoody_MVP

        In the real world, can this really be better advice than applying the patch?

        Waiting to see how many millions get hit?

        There is no room for hype on this forum.

        If you have an inkling of the concept of “risk vs. reward” then you’ll understand that it’s what’s in play here. Who can possibly know the risk yet? Even Microsoft employees at this point have no testing to back up their positions.

        Knowing what we know of Microsoft’s behavior, do you still trust them implicitly to do no harm to your system? Or do you just not care whether other folks’ computing experiences are disrupted.

        Not to mention the elephant in the room…

        If getting the patch out was SO incredibly important to protect those millions, why didn’t Microsoft release the patch last week? The vulnerability has been known since when?

        Lastly?

        Have you already installed the updates on YOUR personal machine? I see that you haven’t offered your personal experience about whether your system(s) are working after the update.

        In my case I have seen no problems with a fully updated Windows 10 test system, and a Windows 8.1 test system seems to have weathered the updates well also. But I’m not done testing, so my critical systems remain unpatched until I understand the risk better.

        -Noel

        4 users thanked author for this post.
        • #107914 Reply

          b
          AskWoody Plus

          There is no room for hype on this forum.

          No hype from me. Woody posted yesterday about millions potentially affected:

          WOW. It is the same vuln I talked about on Saturday, but it looks like somebody figured out how to do it, and sent copies out to millions of people around the world:

          https://arstechnica.com/security/2017/04/microsoft-word-0day-used-to-push-dangerous-dridex-malware-on-millions/

          If you have an inkling of the concept of “risk vs. reward” then you’ll understand that it’s what’s in play here.

          I have. I do.

          Who can possibly know the risk yet? Even Microsoft employees at this point have no testing to back up their positions.

          How do you know what testing Microsoft have (not) done? They’ve been working on it for weeks.

          Knowing what we know of Microsoft’s behavior, do you still trust them implicitly to do no harm to your system?

          I trust them to do what they can to protect my system from harm by others.

          Or do you just not care whether other folks’ computing experiences are disrupted.

          That’s crucially important to me. Do you just not care whether folks’ computing experiences are disrupted by malware attacks during the normal course of their business?

          Not to mention the elephant in the room…

          If getting the patch out was SO incredibly important to protect those millions, why didn’t Microsoft release the patch last week?

          Because it wasn’t public until Friday/Saturday.

          The vulnerability has been known since when?

          A week or two longer than that (according to FireEye).

          Lastly?

          Have you already installed the updates on YOUR personal machine? I notice that you haven’t offer your personal experience about whether your system(s) are working after the update.

          I didn’t realize my personal experience was so important to you. Yes, I’ve installed yesterday’s Office and Windows updates on MY personal machine and I have not experienced any ill effects.

          In my case I have seen no problems with a fully updated Windows 10 test system, and a Windows 8.1 test system seems to have weathered the updates well also. But I’m not done testing, so my critical systems remain unpatched until I understand the risk better.

          -Noel

          I always install ALL updates on my “production” system immediately and then for others as soon as possible if I don’t suffer a catastrophic failure. In the last 22 years I can only remember one or two minor glitches easily rectified after updates.

          Microsoft Edge, Win 10 Pro 1909: Group ASAP (pioneer)

        • #108017 Reply

          anonymous

          “Who can possibly know the risk yet? Even Microsoft employees at this point have no testing to back up their positions.”

          Neil,

          What is the basis for your comment? 27 years in IT and having used Microsoft products since DOS 1.0 it has always been my understanding Microsoft has test labs to run their code, lots of test labs. While I understand Microsoft can’t test every possible scenario and borks a lot of systems the above statement seems unlikely. Do you have some information to the contrary? For the record I’ve taken updates on about 30 computers today and have had no issues.

          • #108057 Reply

            Noel Carboni
            AskWoody_MVP

            Perhaps I stated that in a bit of an extreme fashion, but the fact is that Microsoft no longer has the professional testing organization they once had. This says that our decades of experience aren’t necessarily valid (yes, I have had a long career of applying Microsoft Updates mostly successfully too).

            One of many reports easily found online about the changes at Microsoft:
            http://www.businessinsider.com/microsoft-just-laid-off-2100-people-2014-9

            Testing will no longer be done by a totally dedicated team, but will be rolled into the developer team. Nadella believes this will reduce bureaucracy and let Microsoft deliver products faster.

            -Noel

            • #108069 Reply

              Canadian Tech
              AskWoody_MVP

              Noel,

              A lot of the people who take part in this forum have had one or more experiences in their past when they worked for a major success story like IBM, NCR, DEC, HP. If you were watching, when the exodus began, the first out the door were the best. Those are the guys who have the most portability. Over time, the ones who remained, were not the strongest of the team.

              I believe that is what has and continues to happen at Microsoft. That is borne out by the track record we see in Windows Update. It has been one disaster after another. Patches to the patches, etc.

              So, Noel, I completely agree. The quality of product from Microsoft today is not even close to what it was a few years back.

              CT

              4 users thanked author for this post.
    • #107877 Reply

      cyberSAR
      AskWoody Plus

      I have to admit to wondering, myself, whether to step up the timescale for application of this month’s patches because of the reports of that Office zero-day.

      I’m going to install on my clients’ machines today due to potential liability if I ignore/delay it. I will explain that we’re installing without fully testing the patches. So far, the ones I’ve spoken with are appreciative and prefer to get the patch early.

      Have installed on all of our test machines and haven’t noted any issues… yet.

      • #107884 Reply

        Noel Carboni
        AskWoody_MVP

        You have to follow your best judgment of course, but…

        Do you have any liability issues by accelerating the install? Or can you just comfortably say, to someone who has had their setup scrogged, “That was Microsoft’s fault” – even though you are already aware of problems?

        Remember, as the expert your clients are trusting you to do the right things for them. If you consider their data and uptime no more important than what Microsoft considers them, how are you adding value. I’d suggest whatever you choose to do for yourself you do for them.

        -Noel

        1 user thanked author for this post.
        • #107885 Reply

          b
          AskWoody Plus

          even though you are already aware of problems?

          What problems in this case?

          Microsoft Edge, Win 10 Pro 1909: Group ASAP (pioneer)

          • #107903 Reply

            Noel Carboni
            AskWoody_MVP

            What problems in this case?

            Do you know what “havoc” means?

            MS-DEFCON1

            -Noel

            Attachments:
            • #107925 Reply

              b
              AskWoody Plus

              What problems in this case?

              Do you know what “havoc” means?

              MS-DEFCON1

              -Noel

              Yes, I have access to a dictionary thanks.

              What was the point of the screen shot?

              No known problems so far then?

              Microsoft Edge, Win 10 Pro 1909: Group ASAP (pioneer)

            • #107959 Reply

              Noel Carboni
              AskWoody_MVP

              The point was (and is) that there is not enough accumulated positive experience to advise people to go ahead yet.

              Do you know what’s interesting?

              That I’ve actually just discovered a new and potentially serious problem in my own testing:

              Adobe Creative Cloud and Photoshop CC 2017 won’t install successfully on Windows 10 version 1703 build 15063 updated to .138.

              InstallerFailed

              I don’t know why it fails; I’ve put out some queries to see if it’s a known issue. In fact, I may not learn why. I don’t even YET know whether it’s a common problem or something specific to just an updated Win 10 system, to version 1703, or even just to one test system.

              There is no question Microsoft is a different entity today than it has been in the past. It’s not important to people who care about the integrity of their computing environment what folks did decades ago or even 5 years ago. It’s important what Microsoft is delivering now, today.

              Before asking another naïve one-line question please pose this one to yourself: Why do you feel acknowledgement of potential risk has to come with proof?

              Ask instead: What evidence do we have that the updates don’t break something new?

              And finally, please consider the meaning of this phrase: Healthy skepticism.

              -Noel

              Attachments:
              4 users thanked author for this post.
            • #107971 Reply

              b
              AskWoody Plus

              Before asking another naïve one-line question please pose this one to yourself: Why do you feel acknowledgement of potential risk has to come with proof?

              Why do you feel potential risk (of updating) should outweigh actual risk (of not updating)?

              Ask instead: What evidence do we have that the updates don’t break something new?

              You’re expecting proof of a negative again. I don’t think anyone can provide that.

              Microsoft Edge, Win 10 Pro 1909: Group ASAP (pioneer)

            • #108065 Reply

              Noel Carboni
              AskWoody_MVP

              Why do you feel potential risk (of updating) should outweigh actual risk (of not updating)?

              Quantify both risks and one can easily make a decision (though I seriously doubt that you or anyone else can come close to quantifying the risk of being targeted by that Office zero day malware in the next few days or weeks).

              Even if one were to accept that there’s a more well-defined risk of getting a malware attack than getting a b** patch, there’s no way to weigh the latter without more experience.

              A few more days/weeks of A) personal testing without uncovering problems, and B) others not reporting meltdowns and it will be a better time to make a decision. And I’ll just bet Woody will change the MS-DEFCON level up to some higher number at some day in the near future.

              Essentially I see this conversation as you advising making rash decisions, while I’m suggesting gathering more information and making informed decisions.

              Why such a push to rush to a decision to take updates without knowing more about them? We are here, in a connected world, with an ability to learn from others’ experience. Just keep yourself from double-clicking on .rtf attachments a little longer.

              -Noel

              1 user thanked author for this post.
            • #107989 Reply

              NetDef
              AskWoody_MVP

              Noel,  seen that error a few times on 1607 and older Win 10.  Not sure if this applies to the new CU but worth a try perhaps?

              Try the steps here https://forums.adobe.com/message/7996709#7996709

              Adobe Creative Cloud and Photoshop CC 2017 won’t install successfully on Windows 10 version 1703 build 15063 updated to .138.  I don’t know why it fails; I’ve put out some queries to see if it’s a known issue.

               

              ~ Group "Weekend" ~

        • #107911 Reply

          cyberSAR
          AskWoody Plus

          Not a lawyer, and didn’t stay at a holiday inn express, but I would think my liability would be higher if I didn’t install an update for an exploit actively being abused and reported across many tech sites.

          Yes, we did install on 10 of our machines and noticed no issues so far. We give the client the choice but advise, based on our results so far, to go for it. We do have backups of all machines too 🙂

          2 users thanked author for this post.
          • #107964 Reply

            Noel Carboni
            AskWoody_MVP

            Thank you for the clarification. Involving the clients is a reasonable approach.

            Regarding updating clients to Windows 10 version 1703, please see my post above… If you have any clients specifically who use Adobe software, you might want to do a bit of additional testing.

            -Noel

    • #107880 Reply

      NetDef
      AskWoody_MVP

      The caveat for us is we manage updates with WSUS . . .  so the following should be read with that in mind.  This is not quite the same scenario where you accept updates directly from MS with only the native client update management tools (which for Win10 is pretty much not much at all.)

      We responded to the risk of infection from the Word 0-day vulnerability last night.  We allowed the April security only roll-up on all Win 7 and the cumulative April update for Win 10 machines.  We also allowed all Office security updates including the fix for CVE-2017-0199.

      As of this writing, we had zero problems with any of our client workstations during and after last nights update on Win 7 Pro or Win 10 Pro or Win 10 ENT.  We run a mix of Office 2010 and 2016.  A rough count of workstations across all our office sites = 350.

      EDIT:  For Win 10 machines we are on the 1607 CBB and are (for now) rejecting the Creators Update until it becomes CBB.

      ~ Group "Weekend" ~

      6 users thanked author for this post.
      • #107908 Reply

        Noel Carboni
        AskWoody_MVP

        THANK YOU for sharing your actual experience. That is arguably one of the most valuable things about this forum, and certainly one of the prime reasons I read it.

        -Noel

        4 users thanked author for this post.
      • #107991 Reply

        NetDef
        AskWoody_MVP

        Update:  Most of the day now — our workstations have been in heavy use — still no problems from our user base, no complaints.  We’re not seeing much fallout from forcing everything to patch last night. (Other than a lack of sleep.)

        I updated my ancient (6 years now – Sandy Bridge CPU) and beloved Lenovo Laptop this afternoon and it failed to patch. Got the dreaded roll-back error on bootup. It’s running Windows 10 Pro 1607 and Office 2010.  This would be the machine I abuse on the road the most.

        Fixed it by running sfc /scannow followed by a DISM /Online /Cleanup-Image /RestoreHealth and a second sfc /scannow.  All current patches for 1607 and Office 2010 installed with no problems afterwards.

        This was very likely self-inflicted . . .   🙂

        ~ Group "Weekend" ~

        1 user thanked author for this post.
    • #107917 Reply

      Seff
      AskWoody Plus

      Thanks Woody as always for the prompt advice, and to Noel for his detailed observations.

      Naturally I wouldn’t be considering installing any updates this early in the monthly cycle anyway, although I was concerned over the Office threat. However, although I have Office 2010 installed on one of my two Windows 7 machines, I haven’t received any Office updates yet, indeed the last one was back in August last year.

      All I have been offered on both machines thus far is the monthly security rollup KB4015549, the .NET framework rollup KB4014981, and the usual MSRT. An optional and unchecked Silverlight update has been hidden as I don’t have Silverlight installed on either machine.

      • #108785 Reply

        anonymous

        Seff,

        To get your “missing” Office updates, start Windows Update and look at the left side panel of the window. You should see a link that says “Change settings”. Click that link.

        On the new page that just came up, make sure the box labeled “Give me updates for Microsoft products and check for new optional Microsoft software when I update Windows” is checked. It will be listed under the “Microsoft Update” heading below the Important Updates drop-down box. It is NOT one of the choices in the drop-down box itself, but a separate heading below the drop-down box.

        Once you’ve done that, make sure you haven’t changed ANYTHING ELSE on the page and click the OK button at the bottom of the window. That should do it, allowing you to now see the updates for Office as well as those for Windows every time Windows Update is run.

        I hope this helps!

        • #108787 Reply

          Canadian Tech
          AskWoody_MVP

          Seff, some people have trouble getting the “Microsoft updates” to work. If that happens to you, here is what you need to do:

          Start Internet Explorer, click the gear (upper right) in IE11 and select Compatibility settings and enter Microsoft.com in the list

          CT

    • #107931 Reply

      BrianL
      AskWoody Lounger

      My previous comment about turning off windows update : Woody says that ‘I don’ t advocate turning off Windows Update’. I have to do this on my own machine because I can’t adjust how I get updates, for some reason. It very easy to do and restart. It keeps Microsoft from injecting any update onto your machine before you can get a look at them. This is for individual home machines not tied to company servers. You can turn updates back on when Woody gives the “all’s clear” with Defcon changes, otherwise just sit, read this forum and learn. I am.

    • #107933 Reply

      pmacS33
      AskWoody Lounger

      IE patch KB4014661 breaks MBSA.

      While testing, we installed ie11-windows6.1-kb4014661-x64.msu.  After rebooting we run MBSA to verify the patch.  MBSA starts but then fails, complaining about a bad signature file.  Now we don’t have a good way to verify that the vulnerability has been closed until MS either puts out a new signature file or they update kb4014661.  This is on Windows Server 2008 R2.  Have not verified on other supported OS platforms.

      -Dan

      2 users thanked author for this post.
      • #107973 Reply

        pmacS33
        AskWoody Lounger

        Well…we have performed some isolation testing and it seems that KB4015546 may be the real culprit. Once we run Windows6.1-KB4015546-x64.msu we receive the following MBSA results:

        Security assessment: Incomplete Scan
        Computer name: WORKGROUP\V-HELLIUM
        IP address: //snip//
        Security report name: WORKGROUP – V-HELLIUM (4-12-2017 8-31 PM)
        Scan date: 4/12/2017 8:31 PM
        Scanned with MBSA version: 2.3.2208.0
        Catalog synchronization date: 2017-04-10T21:31:59Z
        Security Updates Scan Results

        Issue:  Security Updates
        Score:  Unable to scan
        Result: Cannot load security CAB file

        2 users thanked author for this post.
    • #107957 Reply

      Jan K.
      AskWoody Lounger

      Ha! I didn’t even get the March updates… had a look back then and “meh”…

      Fun fact: my Windows 7 is an original install originating some two years after release, probably 2011? Had same problem back then on giving up good running stuff! 😀

      But this install has been running ultra smooth and rock steady ever since installed! Not a hitch, break-down or what not. As good as I could ever wish for.

      Nothing has threatened the stability, no virus, trojans, scripts. Nothing. And I’ve visited place, I’m not that proud of… never had a problem.

      But lately? Not so much luck… started with the brilliantly executed Get Windows X campaign. Took quite some manhours to get the system back to it’s old stable state.

      The irony? The only thing that ever has caused problems and that really, really scares me and is a very serious threat to my system’s stability – and my sanity – is… microSoft.

      Waiting with updates and Noel’s article of how to lock down the Windows 7 system…

      2 users thanked author for this post.
      • #107996 Reply

        Canadian Tech
        AskWoody_MVP

        When you get deep enough into this forum and read up on the Group A/B and W(C) theory, you may just realize, like I did, that the risk of applying MS devastating patches is much greater than not applying them at all. At minimum, do NOT apply ANY patches till Woody recommends it through his MS-Defcon rating system. For example, anyone applying those patches today is playing with fire.

        If you must choose Group B, do not apply any until they have aged at least one month and better yet two.

        CT

        4 users thanked author for this post.
    • #107965 Reply

      anonymous

      The first time I booted up my Win7 x64 laptop computer today (04/12/2017), Windows Update ran and I saw there were three important Windows 7 updates:  the April, 2017 Security Monthly Quality Rollup  (KB4015549), the April, 2017 Security and Quality Rollup for .NET Framework (KB4014981), and the Windows MSRT (KB890830).   This afternoon, when I rebooted my laptop after lunch, I see there are now four important Windows 7 updates; the three I saw this morning, plus the March, 2017 Security Monthly Quality Rollup (KB4012215).  I am in Group B and apply the Monthly Security Only Quality updates and therefore, did not install the March, 2017 Security Monthly Quality Rollup.  Rather, I installed the March, 2017 Monthly Security Only Quality update, KB4012212.  Has anyone else in Group B experienced this problem?

       

      So glad to see Woody has moved to MS-DEFCON-1.  Well-deserved!

      • #107967 Reply

        PKCano
        Da Boss

        Did you by any chance HIDE the Monthly ROLLUP. If you hide this month’s Rollup, last month’s will reappear. It is not recommended to hide updates. UNCHECK them and they will not get installed. Next month’s Monthly ROLLUP will replace it and it will disappear. If you hide them, the one that was superseded will become important and CHECKED.

        1 user thanked author for this post.
      • #107997 Reply

        Canadian Tech
        AskWoody_MVP

        Take some really good advice, Anonymous, set your Windows Update setting at Never and leave it there, forever.

        CT

        2 users thanked author for this post.
    • #107969 Reply

      anonymous

      No, PKCano, I did not hide the April Monthly Rollup (KB4015549).  I wrote about this issue  because,  due to supersedence,  I should not see both the April Monthly Rollup and the March Monthly Rollup at the same time.  The April Rollup should supersede the March Rollup.  Therefore, I ask again:  Has anyone else experienced seeing both the March and April Rollups displayed in Windows Update?

      • #108006 Reply

        abbodi86
        AskWoody_MVP

        Well, do you have them both? a screenshoot would be helpful 🙂

        1 user thanked author for this post.
    • #107981 Reply

      TheSuffering
      AskWoody Lounger

      D**n talk about back fires. And anyone care to explain the word exploit ? (I tried reading but couldnt understand). Does just avoiding spam mail with attachments subside ?

      Edited for content

    • #108015 Reply

      abbodi86
      AskWoody_MVP

      April 12, 2017, update for Word 2016 (KB3085439)
      https://support.microsoft.com/en-us/help/3085439

      1 user thanked author for this post.
    • #108020 Reply

      anonymous

      We might be in MS-Defcon 1, but since Microsoft has released Windows 8.1, all this beating we’ve been having on our side has in fact been quite lucrative for their stocks:

      https://finance.yahoo.com/chart/MSFT#eyJtdWx0aUNvbG9yTGluZSI6ZmFsc2UsImJvbGxpbmdlclVwcGVyQ29sb3IiOiIjZTIwMDgxIiwiYm9sbGluZ2VyTG93ZXJDb2xvciI6IiM5NTUyZmYiLCJtZmlMaW5lQ29sb3IiOiIjNDVlM2ZmIiwibWFjZERpdmVyZ2VuY2VDb2xvciI6IiNmZjdiMTIiLCJtYWNkTWFjZENvbG9yIjoiIzc4N2Q4MiIsIm1hY2RTaWduYWxDb2xvciI6IiMwMDAwMDAiLCJyc2lMaW5lQ29sb3IiOiIjZmZiNzAwIiwic3RvY2hLTGluZUNvbG9yIjoiI2ZmYjcwMCIsInN0b2NoRExpbmVDb2xvciI6IiM0NWUzZmYiLCJyYW5nZSI6IjV5In0%3D

      [ by the way, Woody, the graph is not zeroed on the vertical scale 😉 ]

       

      So yeah, we’re dying in here, but out there they are quite well. No wonder they won’t listen to us, Nadella has stocks and Dollars stuffing up his ears.

      • #108194 Reply

        woody
        Da Boss

        Points well taken.

        At some point I start feeling like a Volkswagen Bug enthusiast. There was a long period of decline, when it was fun and challenging to keep the old beasts running. But sooner or later, for most of us, reality set in.

        1 user thanked author for this post.
        • #108196 Reply

          PKCano
          Da Boss

          1962 (bug eye) and 1966 bus/campers. 1200cc. Jack up the back and drop the engine out on broomsticks. And you could change cylinders individually.

          • #108236 Reply

            woody
            Da Boss

            This was my bible for many, many years:

            https://www.amazon.com/How-Keep-Your-Volkswagen-Alive/dp/0912528001/ref=sr_1_7

             

            1 user thanked author for this post.
            • #108268 Reply

              BobbyB
              AskWoody Lounger

              @woody OMG its still in print? and “ringback/wirebound” too? thats a walk down memory lane 🙂

            • #108348 Reply

              Bill C.
              AskWoody Plus

              As a former Beetle owner, a ’64, ’65 and ’69 (with overbore), I now know why I stubbornly suffer with Win7-64Pro SP1 and Office 2010.

              Just as I moved to the ’77 VW Rabbit with FI and never looked back (kept the ’69 Beetle for a few more years then gave it to my sister), I have began acquiring the parts for the Linux PC build. As with the Beetle, I will keep the Windows 7 machine for certain tasks and gaming probably past EOL, but I have already started to do more browsing and email on Linux (and iOS) than Windows.

              I wonder if years later, I will look back at Windows like the Beetle. I sincerely doubt it. With the Beetle, the memories of the leaking running boards and humid defrosters are now ‘character.’ It is a car that when I sit in one today I wonder how I ever had so much fun in a car. They werer so easy to repair and maintain.

              Naah, I will NOT look back that way on Windows (or more accurately Microsoft’s misfeasance and sabotage of a decent operating system.)

        • #110594 Reply

          Steve
          AskWoody Plus

          I still have a 1974 Volkswagen Beetle in the garage here at the domicile. It hasn’t run since 1992 (I think). But it will be restored at some time in the future. I have a lot of other things to fix here before that, though. :-I

          Important links you can use, without all the fluff or sales pitch = https://v.gd/sdr28
      • #108638 Reply

        Ascaris
        AskWoody_MVP

        Stock prices can change quickly.  AOL was once so big that it got top billing in a merger with vaunted Time-Warner, but it came crashing down shortly thereafter.  Today, it’s a free email provider used by two (2) people worldwide, and that merger is regarded as one of the biggest blunders in business history.

        Irrational exuberance can keep things like real estate bubbles afloat for many years, but sooner or later, reality once again shows its dominance, and it all crashes to the ground.  That’s not to say I think this will happen with MS… only that it might. Sometimes the latest, greatest thing really is all it’s cracked up to be, but more often, it ends up being a dud.

        I don’t know whether MS deserves its current market capitalization or not. What I do know is that I keep hearing about how now Microsoft is now the innovator, how it’s the new Apple, all that kind of thing, but the only innovation I see here at ground level is new and innovative ways to make a rude finger gesture at its own customers.

        The rest of the stuff is oversold hype, a la The Emperor’s New Clothes, as I see it.  I think that anything including the word “cloud” is part of a fad right now, and while there is obviously some value in what they’re now calling “cloud” (as was the case when all those things were being done without the term “cloud” attached), it’s not any more innovative than it was during the 90s when they called it “thin client” or during the mainframe/terminal era when they called it “computing.”  It’s still having your stuff stored on someone else’s server and having some or all of the computation delegated to someone else.  It’s nothing new– it’s older than the PC, in fact.  The decentralized, client-focused PC was the innovation that did away with all that stuff decades ago, but that’s the status quo now, so everything else begins to look innovative and new, even if it’s the same old stuff.

        Business investors seem to really have a weakness for buzzwords and hype.  If you throw in a few “thinking outside the box”es and a few “paradigm shift”s, it must be good!  Now those terms are worn out, but there are always new ones to replace them.  “Innovation” and “cloud” are big ones now.  Sprinkle a few of the buzzwords into the prospectus and watch as the investors salivate on command…

        Group "L" (KDE Neon User Edition 5.17.5).

        1 user thanked author for this post.
        • #108653 Reply

          Canadian Tech
          AskWoody_MVP

          Ascaris, one thing I learned a lot of years ago: There is no correlation what so ever between the real value in a company and its stock price. Think IBM, as it was dying, it still had a huge stock price. I have not checked lately, but I think it still does.

          I have worked for some of these over-valued companies. Worked in positions in which I knew full well where all the warts were. It never failed to amaze me how gullible stock investors are, and what makes matters worse are stock peddlers who know even less about what they are shouting about.

          Think the tech bubble of 2000!

          CT

          1 user thanked author for this post.
    • #108028 Reply

      BobbyB
      AskWoody Lounger

      Its a little bit off topic but for the average user and probably quite a few power users as well. maybe time to check your mail settings. Yes I know this about Word attachments but if your ISP supports it may be switch from a POP acc (full download). to IMAP (stays on the server normally), For M$ Office Outlook users that have an outlook.com account may be “rejig” your settings to download headers only or any other account. That way before the thing gets to your machine you can actually check or trust the sender, check your mail rules are there any candidates in there that are trusted if there are can you enable automatic download? Do you share you mail app/machine? Sounds like old tired advice ehh? well yes but many’s the time stuff has been downloaded and potentially infected Word Doc’s have been opened inadvertantly. Do you use Macro’s? do you enable them? sounds like this exploit isnt about Macro’s but thats a regular target.
      Got a couple sitting in the inbox right now, one who I know, one that I am not sure of as they both have attachments. Its now a consciously made effort on my part to take a leap in to the unkown and decide to download or not. Got to admit over the years I have got a little “lax” purely for convenience and speed. Ahh but apparently the “malware merchant’s out there never sleep and with M$ offing a fix in an update that is the proverbial “poison chalice” may be time to trade expediency for security 😉

      2 users thanked author for this post.
    • #108031 Reply

      BrianL
      AskWoody Lounger

      One set of items I forgot to mention: Along with disabling windows update, I disable Diagnostic Policy Service, Diagnostic Service Host and Diagnostic System Host.  This seems to insure that Windows update does not turn on with you turning  it back on. Sorry I omitted these facts.

    • #108058 Reply

      CraigS26
      AskWoody Plus

      Thanks Woody as always for the prompt advice, and to Noel for his detailed observations. Naturally I wouldn’t be considering installing any updates this early in the monthly cycle anyway, although I was concerned over the Office threat. However, although I have Office 2010 installed on one of my two Windows 7 machines, I haven’t received any Office updates yet, indeed the last one was back in August last year. All I have been offered on both machines thus far is the monthly security rollup KB4015549, the .NET framework rollup KB4014981, and the usual MSRT. An optional and unchecked Silverlight update has been hidden as I don’t have Silverlight installed on either machine.

      My Win 7-64 Hm Prem showing (1) 2010 Excel, (2) Office, & (1) Outlook (which I don’t have) as of 4/12/17. You made somebody mad at WU to not have Any presented since 8/16 – -I’ve had a number of ’em. Good luck!

      W10-64 1909 Home / Hm-Stdnt Ofce '16 C2R / HP Envy i5-8400/ 12 GB / 256G SSD + 1 TB HDD / InSpectre #8 = GREEN

    • #108086 Reply

      anonymous

      Is any Intel i5 processor fine even with the update?

      • #108195 Reply

        woody
        Da Boss

        That’s a surprisingly complex question.

        If your i5 is a Skylake (many are not) you need to look up the manufacturer on this list to see if you’ll get updated without incident.

        If your i5 is a Kaby Lake (only released very recently), you’ll get zapped.

        There’s a list of processors here that may help. Use Speccy to see which processor you have.

        1 user thanked author for this post.
        • #108205 Reply

          radosuaf
          AskWoody Lounger

          If your i5 is a Skylake (many are not) you need to look up the manufacturer on this list to see if you’ll get updated without incident.

          All Skylake’s are OK until June or July? I can confirm (as a Skylake owner) that you can install Aprill rollup and still be able to search for updates on 8.1.

          MSI H110 PC MATE * Intel Core i5-6402P * 2 x 8 GB Corsair Vengeance LPX DDR4 2133 MHz * Aorus Radeon RX 570 4GB * Samsung 840 EVO 250GB SSD * Western Digital Blue 1TB HDD * Seagate Barracuda 1TB HDD * DVD RW Lite-ON iHAS 124 * Creative X-Fi XtremeGamer PCI * Windows 10 Pro 1909 64-bit
          • #108215 Reply

            Pim
            AskWoody Plus

            Actually, MS has not communicated anything about Skylake computers that are not on the list, as far as I can tell. I am in the same boat as you and have been reading a few weeks ago what I could find about those computers. What they said was that Skylake computers on the list will be supported until 2020 (Win7), but absolutely nothing about other Skylake computers. That is why I am following the Kaby Lake issue with interest, as the block may well happen soon and unexpectedly for Skylake computers that are not on the list too.

            But what I have been wondering is if and how MS is able to check whether a computer is on “the list”. I know they can check for the CPU by checking the CPUID, but can they also check for the brand and type of computer?

            ASRock Beebox J3160 - Win7 Ultimate x64
            Asus VivoPC VC62B - Win7 Ultimate x64
            Dell Latitude E6430 - Win7 Ultimate x64
            Dell Latitude XT3 - Vista Ultimate x86 (still...)
            Gigabyte GA-H110M-HD3 DDR3 - Win10 Pro 1809 x64

            1 user thanked author for this post.
            • #108219 Reply

              radosuaf
              AskWoody Lounger

              I know they can check for the CPU by checking the CPUID, but can they also check for the brand and type of computer?

              They can check ID string of the mainboard (I guess that’s where they’d be looking) – not sure if these are so unique you can easily distinguish between supported and non-supported OEM.

              MSI H110 PC MATE * Intel Core i5-6402P * 2 x 8 GB Corsair Vengeance LPX DDR4 2133 MHz * Aorus Radeon RX 570 4GB * Samsung 840 EVO 250GB SSD * Western Digital Blue 1TB HDD * Seagate Barracuda 1TB HDD * DVD RW Lite-ON iHAS 124 * Creative X-Fi XtremeGamer PCI * Windows 10 Pro 1909 64-bit
              1 user thanked author for this post.
              Pim
            • #108242 Reply

              anonymous

              So any chips that are 5th generation or lower are safe for now? I have 3rd generation chip.

            • #108246 Reply

              satrow
              AskWoody MVP

              All 5th gen and lower chips are safe, only some of the 6th gen are.

            • #108255 Reply

              woody
              Da Boss

              And we aren’t certain which 6th or 7th gen chips are safe.

              Windows Update roulette, anybody?

            • #108266 Reply

              b
              AskWoody Plus

              What’s unclear from the Lifecycle Policy FAQ excerpt you published today?

              Microsoft Edge, Win 10 Pro 1909: Group ASAP (pioneer)

    • #108146 Reply

      anonymous

      Right!  I read this and decided NOT install the April important updates.  I have just clean installed Windows 7 on my laptop, done all the other Windows updates (except some optional ones I have hidden, including 4012218).  Luckily I had done a system image but was about to do a second image after re-installing all my files and programs.

      Windows has installed the 5 April updates WITHOUT MY PERMISSION!  I still have Windows update set to download but let me choose what to install, after my clean install.

      I turned off the laptop and it said Windows is installing 5 updates – what?!!!!  I turned it back on and looked in installed updates and they weren’t there.  They were still sitting there waiting to be installed.  I turned off the laptop later that night.  This morning I turned it on and now they actually have installed themselves!

      I am furious – especially as I have a nice new clean install.  I haven’t seen any issues yet, but do you think I should remove them again and turn Windows updates OFF?!

      1 user thanked author for this post.
      • #108148 Reply

        PKCano
        Da Boss

        Download but let me choose what to install” means download in the background and install on next reboot/shutdown if you don’t intervene.
        You need to set it to “Search for updates but let me choose whether to download and install” of “Never check for updates.” The former searches but doesn’t download until you say so. The latter puts searching on manual and it doesn’t happen until you click on “search for updates.”

        1 user thanked author for this post.
        • #108149 Reply

          radosuaf
          AskWoody Lounger

          Download but let me choose what to install” means download in the background and install on next reboot/shutdown if you don’t intervene.

          I’m not a native speaker, but this somehow goes against my understanding of English 🙂

          MSI H110 PC MATE * Intel Core i5-6402P * 2 x 8 GB Corsair Vengeance LPX DDR4 2133 MHz * Aorus Radeon RX 570 4GB * Samsung 840 EVO 250GB SSD * Western Digital Blue 1TB HDD * Seagate Barracuda 1TB HDD * DVD RW Lite-ON iHAS 124 * Creative X-Fi XtremeGamer PCI * Windows 10 Pro 1909 64-bit
          1 user thanked author for this post.
          • #108151 Reply

            PKCano
            Da Boss

            Yes, a lot of people have been mislead by it. WU didn’t install without his permission, he misunderstood the setting. The only way to get out of that is – when you see the yellow “!” in the Start “shutdown” button, you don’t shutdown. You go to WU and uncheck/hide what you don’t want. AND you change the setting to one of the two safe ones because the updates are already on your machine.

            2 users thanked author for this post.
      • #108238 Reply

        Canadian Tech
        AskWoody_MVP

        I have been explaining this for more than a year now. The bottom line is the only sensible setting is NEVER>….

        What happens with that setting is that once you start up, updates are downloaded. Some or all of them are pre-checked for installation. If you do not uncheck them before shut down, they will have your permission to be installed by virtue of those check marks.

        CT

        3 users thanked author for this post.
    • #108154 Reply

      anonymous

      Thanks for that info.  Yes it is news to me after donkeys years lol!  I did notice an exclamation mark in shutdown.  Still – never happened to me before.  Sneaky  – it also goes against my understanding of English – and I’m English lol.

      1 user thanked author for this post.
      • #108157 Reply

        anonymous

        Also – during my clean install I had it set to download but let me choose to install.  I had over 200 updates and chose to install some 5 or 6 at a time with reboots in between.  It didn’t install things I hadn’t chosen then – they just sat there until I selected the ones to install and clicked “install”.  It didn’t install all the others as well.

        • #108162 Reply

          PKCano
          Da Boss

          Because you probably intervened. You probably unchecked all then checked the few you wanted to install. Unchecked updates don’t get installed even they are in the “important update” list.

          1 user thanked author for this post.
    • #108158 Reply

      samak
      AskWoody Plus

      Yes, a lot of people have been mislead by it. WU didn’t install without his permission, he misunderstood the setting. 

      I don’t agree with this at all. In the dodgy MS world of misinformation, the words “Download but let me choose what to install” might mean “download in the background and install on next reboot/shutdown if you don’t intervene.” To any native English speaker it means “download in the background and then I will choose a time and place when I will install these items, if I choose to at all.”

      W7 SP1 Home Premium 64-bit, Office 2010, Group B, non-techie

      2 users thanked author for this post.
      • #108163 Reply

        PKCano
        Da Boss

        I think it’s dodgy too – typical Microspeak. But that’s the way it works.

        2 users thanked author for this post.
    • #108164 Reply

      dgreen
      AskWoody Lounger

      Before this months patch Tuesday,  I changed my Windows update setting from “check for updates but let me choose” to “never check for updates”.  On Wednesday I did a manual check for updates and had 3 updates, monthly rollup, preview, netframe, plus MSRT. I think I just let them be and didn’t uncheck them.
      This morning, after reading this thread,  I did a manual update again.

      All the previous updates are gone. It says my computer is “up to date”.
      Did MS pull all the patches?????

      Windows 7 Home Premium 64 bit 2008 R2
      Group B
      seriously considering Group W

      1 user thanked author for this post.
      • #108175 Reply

        PKCano
        Da Boss

        The Preview is never checked, and should be avoided at all cost.
        Rule of thumb – DO NOT check anything that is already UNCHECKED. That includes all the updates in the “optional updates” list (the Preview was here) and those in the “important updates” list that are not checked by default.

        To see if the updates were installed, in Windows Update click on “View update history.” If the ones you don’t want are there, you can go to “Installed updates” and uninstall the ones you don’t want. They will reappear in the update queue.

        2 users thanked author for this post.
    • #108174 Reply

      CraigS26
      AskWoody Plus

      Thanks Woody as always for the prompt advice, and to Noel for his detailed observations. Naturally I wouldn’t be considering installing any updates this early in the monthly cycle anyway, although I was concerned over the Office threat. However, although I have Office 2010 installed on one of my two Windows 7 machines, I haven’t received any Office updates yet, indeed the last one was back in August last year. All I have been offered on both machines thus far is the monthly security rollup KB4015549, the .NET framework rollup KB4014981, and the usual MSRT. An optional and unchecked Silverlight update has been hidden as I don’t have Silverlight installed on either machine.

      My Win 7-64 Hm Prem showing (1) 2010 Excel KB3191847, (2) Office KB 2589382 & 3141538, & (1) Outlook KB3118388 (my Ofc = No Outlook) as of 4/12/17. You made somebody mad at WU to not have Any presented since 8/16 – -I’ve had a number of ’em. Good luck!

      W10-64 1909 Home / Hm-Stdnt Ofce '16 C2R / HP Envy i5-8400/ 12 GB / 256G SSD + 1 TB HDD / InSpectre #8 = GREEN

    • #108183 Reply

      dgreen
      AskWoody Lounger

      PKCano  I know about the “preview” update to leave uncheck.
      I follow closely what is posted here, Woody’s advice, Ms-defcon,
      with one exception…  I am guilty of hiding updates.
      However, this is just what happened.
      I went to check my “hidden updates” since my last post and they were all gone.
      I thought, WTH????
      So I went back and changed my update settings back to “check for updates but let me choose”.
      I rebooted my computer.
      The Windows update did the checking…
      and this is what happened..
      I now have 77 important updates, and 47 optional updates. WTH?
      Checked my “hidden” updates and there aren’t any.
      So my “hidden” updates were now switched back to unhidden without me doing anything??
      How the heck did that happen?

      Couldn’t update my MSE  definitions as it was getting hung up earlier.

      BTW My processor is Intel I3-3240 (3rd generation ivy bridge)
      Seriously, this is getting very unsettling.

       

       

       

       

      1 user thanked author for this post.
      • #108185 Reply

        PKCano
        Da Boss

        If you hit the “back arrow” in hidden updates, you don’t make changes. I think if you hit “OK” you unhide them. Watch for the Microspeak, it will bite you every time.

        2 users thanked author for this post.
    • #108190 Reply

      dgreen
      AskWoody Lounger

      If you hit the “back arrow” in hidden updates, you don’t make changes. I think if you hit “OK” you unhide them. Watch for the Microspeak, it will bite you every time.

      PKCano  Thanks!  I’m not sure if I hit “back” or “ok”.
      oh well……
      So now I have 77 important patches from the past couple years (many are netframe).
      I guess I will uncheck them and turn over a new leaf…
      I won’t hide them.

      • #108193 Reply

        PKCano
        Da Boss

        The only updates to HIDE for Group B are the telemetry patches for your version of Win. See AKB2000003

        For more understanding of what to install for Group B see https://www.askwoody.com/forums/topic/group-b-and-patch-blocklists/#post-106970

        2 users thanked author for this post.
        • #108201 Reply

          212louis
          AskWoody Lounger

          PKCano,

          Windows 7 SP1, x64, with .NET 4.5.2

          OK…I’ve posted this a couple of times and thus far no one seems to have an answer.

          Can you indicate which one of the 4 links in the Download window for April’s .NET Security Only Update is the correct update?

          When April .NET Security Only Update Windows 7 x64 is searched in the catalogue the result shows KB 4014985.

          http://www.catalog.update.microsoft.com/Search.aspx?q=April%202017%20.NET%20Security%20Only%20Update%20Windows%207%20×64

          When the Download button is clicked, unlike in the past where there was one active link to download, there are 4 active links. And those links do not correspond to KB4014985. As you can see, one is an MSU and the other 3 are EXE’s. Can you indicate which is the correct KB for a W7 x64 machine looking for the April .NET Security Only update? (4.5.2)

          My guess is KB4014566 based on the MS “support” page, but I’m not certain. Description of KB4014566, the security update for the .NET Framework 4.5.2 for Windows Vista Service Pack 2, Windows Server 2008 Service Pack 2, Windows 7 Service Pack 1, and Windows Server 2008 R2 Service Pack 1: April 11, 2017

          Thanks for any help you can provide.

          https://support.microsoft.com/en-us/help/4014985/security-only-update-for-the-net-framework-3-5-1-4-5-2-4-6-4-6-1-and-4

          Download

          Download Updates
          • #108212 Reply

            pmacS33
            AskWoody Lounger

            In the past, when you were searching for a .NET patch, the KB pointed to a specific flavor of .NET. For example, 3.1.5 or 4.5.2.

            With the new rollup system that MS is deploying there is no specific MS, just the monolithic KB; in your example KB4014985.  The four individual downloads you see correspond to a specific .NET version:

            4014573 = .NET Framework 3.5.1
            4014566 = .NET Framework 4.5.2
            4014558 = .NET Framework 4.6, 4.6.1
            4014552 = .NET Framework 4.6.2

            You need to download the version of .NET supported on your systems.  .NET 3.5.1 was patched via .msu files while .NET 4x use .exe files.

            r/Dan

            2 users thanked author for this post.
            • #109008 Reply

              glnz
              AskWoody Plus

              dan (pmacs33) – But how do I know which versions of .NET I have on my Win 7 Pro 64-bit machine?

              Belarc Advisor says I have
              Microsoft – .NET Framework Version 2.0.50727.5483 (32/64-bit)
              Microsoft – .NET Framework Version 3.0.6920.5011 (64-bit)
              Microsoft – .NET Framework Version 4.0.41210.0 (32/64-bit)
              Microsoft – .NET Framework Version 4.6.1087.0 (32/64-bit)

              BUT Control Panel – Programs and Features lists only 4.6.1 and 4.6.2
              However, Windows Features indicates I have PART OF 3.5.

              Why has MS made this so complicated?

              EDIT – I just downloaded and ran Raymondcc .NET Detector.  It says I have
              2.0 SP2
              3.0 SP2
              3.5 SP1 and
              4.6.1

              Is it accurate?

          • #108213 Reply

            PKCano
            Da Boss

            If you go to the Catalog and click on the “Title” instead of “Download'” it pops up a screen with a link “More Information.” That takes you to an explanation of which is which. “ndp45” is .NET 4.5 – check out the rest.

            3 users thanked author for this post.
            • #108435 Reply

              anonymous

              Thank you for this! Finally figured out which update to install on Vista. 🙂

    • #108223 Reply

      dgreen
      AskWoody Lounger

      The only updates to HIDE for Group B are the telemetry patches for your version of Win. See AKB2000003 For more understanding of what to install for Group B see https://www.askwoody.com/forums/topic/group-b-and-patch-blocklists/#post-106970

      None of those KB’s were listed.
      IIRC they were removed from my “hidden” updates a while back.  I believe I posted here about it.  I assumed MS removed them.

      My XP went kaput (blue screen of death) after an update in 2013.
      When I got  this computer with W7 I deceided to only update with “critical” updates.
      You could say I’ve been in Group B since 2014.
      I found this site last year.

      Thanks again for your responses.

    • #108220 Reply

      anonymous

      Until recently I was in the B-group, but finding the ‘right’ and avoiding the ‘wrong’ updates in MS’ enigmatic labyrinth is too much of a hassle every month, so I switched back to ‘Inform me about new updates’ (only).

      This time I did NOT wait for the green sign from Woody and -after making a back-up- installed two updates on my stand-alone Fujitsu i5 Windows 7 Pro SP1 x64 without problems so far:

      KB3141529 Security Update for Microsoft Office 2007 suites
      KB890830 Windows Malicious Software Removal Tool x64 – April 2017</span>

      Not installed yet, but presented by Windows Update:

      KB4015549 Security Monthly Quality Rollup for Windows 7 for x64-based Systems
      KB4014981 Security and Quality Rollup for .NET Framework 3.5.1, 4.5.2, 4.6, 4.6.1, 4.6.2 on Windows 7 and Windows Server 2008 R2 for x64

      Thanks Woody, Patron X

      Edited to remove HTML content

      1 user thanked author for this post.
      TJ
    • #108251 Reply

      anonymous

      Thanks for the info and need to be supervigilant about settings!  Ok so now I have the April updates is there a test I can do to see if they are causing issues?  I noticed someone above said they tried to run a couple of programs and they didn’t work.  Apart from the update to block future Windows updates for 6th generation onwards processors, what other issues are there with them please?   (I have 1st generation processor).

    • #108286 Reply

      anonymous

      Ok – so here’s my second issue with the April updates (apart from them installing themselves).  I now have a pop-up telling me to activate Windows and it is showing as not activated.  It was activated days ago.

    • #108310 Reply

      anonymous

      DO NOT install them!  I am sorry I am still showing up as anonymous – haven’t worked out how not to be anonymous.  But I am the anonymous who unwittingly installed the April updates.  I have issues already.

      1) My laptop is now showing as not activated.  I have owned this laptop for over 7 years, it came with Windows 7 on.  I did a clean install with a Windows 7 disc and used the product key from the base and it activated no problem – days ago.

      2) I am unable to remove the 5 April updates.

      3) I did system restore back to 2 days ago and the 5 updates are still installed (and I am still showing as not activated).

      At this point I am not even going to attempt to activate again, but will reinstall from my system image made a few days ago, before the April updates were installed (and when I was activated).  Which means I have to put all my xxxxx ing files and programs back on again!

      The five updates I had, which installed are:

      KB4015549 April 2017 Security Quality monthly roll-up

      KB973688 Update for Microsoft XML Core services 4.0 Service pack 2 for x64 based systems

      KB954430 Security update for Microsoft XML Core Services 4.0 Service pack 2 for x64 based systems

      KB4014981 April 2017 Security and Quality roll-up for .NET framework 3.5.1, 4.5.2, 4.6, 4.6.1, 4.6.2 on Windows 7 and Windows Server 2008R2 for x64

      KB890830 Windows Malicious Software removal tool x64 – April 2017

      Regarding Windows installing these updates because I shut down the laptop – I am still surprised it could do that when normally you have to agree to having the Malicious Software tool before it’s installed!

      • #109034 Reply

        Kirsty
        Da Boss

        Anon #108310

        I am sorry I am still showing up as anonymous – haven’t worked out how not to be anonymous.

        To not be anonymous, you can register here – it’s particularly painless, then we will be able to see your other posts easily too 🙂

    • #108338 Reply

      anonymous

      Lol!  I now have my nice system image reinstalled, updated to the point just before the April updates.  I was still showing as not activated, so activated again without problem.  Just copying all my files back on yawn.  Windows Update is now turned to NEVER.  Before I turned it to NEVER I set it on the third option, just to see what came through.  Only three April updates came through so maybe they have pulled two of them?

    • #108582 Reply

      SueW
      AskWoody Plus

      I am sorry I am still showing up as anonymous – haven’t worked out how not to be anonymous.

      Are you logged in prior to posting your comments?  If so, and you’re still showing as ‘anonymous,’ then maybe someone else can suggest how not to be [just another] anonymous.

      Win 7 SP1 Home Premium 64-bit; Office 2010; Group B; Former 'Tech Weenie'

    • #108583 Reply

      Noel Carboni
      AskWoody_MVP

      Something new I’ve noticed on my Win 8.1 test system with Office…

      LinkedIn (and other) eMails in Outlook 2010 now no longer show embedded images, but rather little [x] indicators and “Right-click to download pictures” nessages. Across the top are two messages in black on dark gray that seem to be pertinent…

      OutlookMessages

      I think the images just showed in the preview pane before the patches.

      This may be considered by Microsoft to be a trifecta: It degrades the integration of an older version of Office, claims to improve user privacy, and (presumably) improves security – all at once. Makes you wonder, though, why not just fix the image display logic so it can’t be a vector to infection.

      Clicking to browse in the browser, by the way, produces this:

      ScreenGrab_NoelC4_2017_04_14_134159

      -Noel

      Attachments:
      • #108591 Reply

        b
        AskWoody Plus

        What does File, Options, Trust Center, Trust Center Settings, Automatic Download, Don’t download pictures automatically in HTML e-mail messages or RSS items show?

        (You can also unblock pictures for a particular sender or domain by adding them to the Safe Senders List.)

        Block or unblock automatic picture downloads in email messages

        Microsoft Edge, Win 10 Pro 1909: Group ASAP (pioneer)

        1 user thanked author for this post.
        • #108597 Reply

          Noel Carboni
          AskWoody_MVP

          Did the patch just change these settings?

          ScreenGrab_NoelC4_2017_04_14_134502

          -Noel

          Attachments:
      • #108931 Reply

        Bill C.
        AskWoody Plus

        I have been fighting that problem for over a year. It just keeps getting worse and worse. No changes seem to affect the problem. Not safe senders, not the Trust Center, nothing I can find.

        I finally installed Mozilla Thunderbird. According to Thunderbird it is remote content that is being blocked. If it is a trusted email source, I just open it in Thunderbird.

        I also set my server setting to allow messages to remain on the server until I delete them. I just delete them once I have them all downloaded. I did that so when on the road with a laptop, I did not have to boot it up to see those emails. I just started the desktop and they all came down. Now I just use my iPhone to delete them from the server.

        1 user thanked author for this post.
    • #108631 Reply

      yuhong
      AskWoody Lounger

      pmcjr, I would not recommend the MSRT. It rarely produces anything useful. A reasonable antivirus software installation far outstrips it. In addition, MSRT is now a suspect spyware tool used by Microsoft.

      Notice the MSRT stats in this blog post:

      https://blogs.technet.microsoft.com/mmpc/2010/05/21/msrt-may-threat-reports-and-alureon/

      2 users thanked author for this post.
      SueW, b
    • #108772 Reply

      ediekrag
      AskWoody Lounger

      Does anybody know what the “speed-up” patch for Vista is this month?  Last time I will ever have to ask this question 🙂

    • #109588 Reply

      anonymous

      I hope someone can help clear something up for me.

      Win7 Pro 64-bit
      i5-6600 (google tells me this is a Skylake, however I can’t remember the manufacturer)

      The way I read the various articles, only some Skylakes will continue to get updates, and I’ll have to download Speccy to find out who made mine. I’d honestly prefer not to download/install something I know I’ll never use again.

      Furthermore, I have never seen a Speccy screenshot that listed the CPU brand, only the MOBO brand (ASUS in my case).

      Will I get update blocked if I install the April patches?

      I’m not going to actually update before Woody gives the clear, but I’d really like to get this cleared up.

      • #109596 Reply

        PKCano
        Da Boss

        I believe you can get the information:
        Start\Run – type in msinfo32 – Enter
        The Processor identification is on the first “System Summary” page.

        • #109786 Reply

          anonymous

          Thanks for the replies everyone.

          It seems I will get blocked if I update, since I bought my PC ~1.5 years ago, from a shop that offers various customizable standard rigs. This leaves a somewhat sour taste in my mouth, since I paid extra to get win7 instead of 10 and I still had to settle for an OEM key.

          Seems like all I can do is either stop updating, or hope MS will start actually honoring their 2020 promise (fat chance).

          I’m curious as to wether or not I’d be able to update normally, if I uninstalled the blocking update.

      • #109607 Reply

        MrBrian
        AskWoody_MVP

        If you are blocked from installing updates, you can uninstall the blocking update(s) to become unblocked.

      • #109623 Reply

        anonymous

        Unless your computer was purchased from a major manufacturer, chances are you will end up being blocked. I have the same Intel processor and built my own. I have no plans to accept any further Microsoft updates — Group W — I recommend it.

      • #109747 Reply

        JohnW
        AskWoody Plus

        The CPU brand is Intel.

        http://ark.intel.com/products/88188/Intel-Core-i5-6600-Processor-6M-Cache-up-to-3_90-GHz

        Unlike the motherboard, which can be manufactured by anybody using Intel chipsets, the processors are only made by Intel.

    Please follow the -Lounge Rules- no personal attacks, no swearing, and politics/religion are relegated to the Rants forum.

    Reply To: MS-DEFCON 1: Don’t apply ANY Windows or Office patches

    You can use BBCodes to format your content.
    Your account can't use Advanced BBCodes, they will be stripped before saving.