  • MS-DEFCON 1: Don’t apply ANY Windows or Office patches

      • #107805
        woody
        Da Boss

        I sure hope you folks followed my advice and locked down Windows Update prior to yesterday’s debacle. Going through the reports of Windows 7 and 8.1 m
        [See the full post at: MS-DEFCON 1: Don’t apply ANY Windows or Office patches]

        13 users thanked author for this post.
      • #107809
        Noel Carboni
        AskWoody_MVP

        It’s good to see that MS-DEFCON 1 can be fired up on occasion. I believe it’s the right call.

        Thank you for keeping a cool head and bringing reason to the game, Woody.

        I have to admit to wondering, myself, whether to step up the timescale for application of this month’s patches because of the reports of that Office zero-day. I only late last night learned that a recipient has to actively run an eMail attachment in order to be infected by it. Many sites, in their haste to sell their security packages, didn’t bother to dispel the worry that just having one of the bad eMails arrive in one’s inbox was enough to get the malware.

        -Noel

        7 users thanked author for this post.
        • #107873
          212louis
          AskWoody Lounger

          Noel,

          I’d like your take. I sent Woody an email re: the April .NET Security Only update x64. (I’m group C since the patchocalypse and I do only .NET Security Only updates when available ).

          When searching the April 2017 Security Only .NET update in the MS catalogue, the  search result provides a “Download” link for KB4014985…that  Download button  opens a window that provides 4 links that seem to NOT correlate to the KB4014985.

          Do you have any thoughts on this? Do you know which of those 4 links are actually the April Security Only .NET update for Windows 7 x64?

          (Could MS make this any more confusing??)

          (Not updating anything yet, just preparing)

          TIA

          Download
          Download Updates

           

          Original Search results link:

          http://www.catalog.update.microsoft.com/Search.aspx?q=April%202017%20.NET%20Security%20Only%20update%20Windows%207

          1 user thanked author for this post.
          • #107896
            Noel Carboni
            AskWoody_MVP

            I’d like your take.

            (Not updating anything yet, just preparing)

            I think you’re taking the right stance. Weigh the risk and make the “go” decision when you feel you understand it well enough.

            How quickly you feel you have to install security updates depends on your confidence in your own security landscape. If your computing practices and technical perimeter keep you from knocking heads with malware much if at all, then you can guess that having an unpatched system isn’t that risky. Don’t forget that Microsoft didn’t release the security patches the day after they got the code fixed either – they waited until patch Tuesday.

            Regarding keeping an older system up to date with the latest functionality updates, then again you have to use your judgment. How often do you expect to install/use new software that requires the updated functionality?

            Personally I have two different systems for which I have made two different decisions. I have a Win 7 system that functions as a server that I have chosen to stop at a mid-2016 level of update, because I don’t actually need to install new software and it runs for as long as needed without a glitch. I also have a Win 8.1 workstation that I use interactively and conservatively keep up to date. Right now it’s up to date with general updates from January and some more current security patches, and I’m waiting to see whether the April functionality (group A) Updates bring unacceptable downsides.

            I’m also continually evaluating whether I need functionality from Windows 10 in order to continue doing business. So far I haven’t needed it, but if I should I already know the downsides and rewards because I have outfitted test systems with Windows 10 and gotten to know them.

            TL;DR: Do what you can to gain knowledge, both directly and by reading what others write, then use your best judgment.

            -Noel

            1 user thanked author for this post.
            • #107941
              b
              AskWoody Plus

              Don’t forget that Microsoft didn’t release the security patches the day after they got the code fixed either – they waited until patch Tuesday.

              How do you know when they got the code fixed (and tested)?

              • #107954
                Noel Carboni
                AskWoody_MVP

                How do you know when they got the code fixed (and tested)?

                They don’t just fix their security holes only once a month, right before Patch Tuesday.

                How do you know they tested it?

                -Noel

                2 users thanked author for this post.
      • #107818
        AlexN
        AskWoody Lounger

        Does this apply to the older ones?  Either way, I am uninstalling the patches as I usually trust the “security only” patch and the .NET framework patch.

        Fortran, C++, R, Python, Java, Matlab, HTML, CSS, etc.... coding is fun!
        A weatherman that can code

        • #107824
          Noel Carboni
          AskWoody_MVP

          You have to do what you’re comfortable with, but regarding changing a system that’s already got patches from before and has been running okay… I suggest a healthy dose of this should be applied:

          If it works, don’t fix it.

          -Noel

          4 users thanked author for this post.
          • #107828
            AlexN
            AskWoody Lounger

            I suppose so.  I don’t even know what processor I have to know whether or not I’m at risk.  I’ll post a reply when I find out… restarting to uninstall in 3… 2… 1…

            Fortran, C++, R, Python, Java, Matlab, HTML, CSS, etc.... coding is fun!
            A weatherman that can code

            • #107833
              Anonymous
              Inactive

              Try using CPU-Z.

              1 user thanked author for this post.
              • #107878
                AlexN
                AskWoody Lounger

                Didn’t need to!  I looked at system info and found out I have a 5th generation processor 🙂

                Fortran, C++, R, Python, Java, Matlab, HTML, CSS, etc.... coding is fun!
                A weatherman that can code

        • #107923
          212louis
          AskWoody Lounger

          Noel,

          Appreciate your response, thanks.

          That said, do you have any idea on the Update catalogue providing FOUR links in the download window that do not correspond to the KB4014985 update?

          In trying to keep this simple, a user searches the MS catalogue for the April .NET Security Only update for W7 x64, the search returns the update but the download link shows FOUR different active links. Which link is the KB 4014985 ??

          (Both the search result link and the result(s) of the Download link are included in my original response and included below. If you could, click through these links to see what I’m talking about. Something is not right.)

          Search result…

          http://www.catalog.update.microsoft.com/Search.aspx?q=April%202017%20.NET%20Security%20only%20Windows%207%20x64%20

           

          Download
          Download Updates

           

          1 user thanked author for this post.
        • #107930
          212louis
          AskWoody Lounger

          Noel,

          Do you know which of the FOUR links in the Download window is the correct April .NET Security Only update for Windows 7 x64??

          (Seems my 2nd response got lost in the “internet of things”)

          • #107932
            PKCano
            Da Boss

            I would guess that the number after the “ndp” is indicative.

            1 user thanked author for this post.
      • #107831
        Anonymous
        Inactive

        I wish Microsoft would just make their stuff work. I mean what’s next? Are they going to block drivers from working?

        • #107893
          zero2dash
          AskWoody Lounger

          Don’t give them any ideas. 🙂
          Technically, that’s just about what they’re doing here. The CPU kernels/architecture updates aren’t being allowed in anything other than 10, even though 1) AMD/Intel are willing to provide them (evident by these pieces of hardware working in Linux) and 2) Win8.1 is not in Extended Support phase yet (meaning feature updates are supposed to still be provided).

          People call them “Microshaft” for a reason. 🙂

          2 users thanked author for this post.
      • #107832
        anonymous
        Guest

        The current state of (lack of) info available from Microsoft for security updates …….
        https://www.theregister.co.uk/2017/04/11/patch_tuesday_mess/

      • #107836
        smokey92036
        AskWoody Lounger

        No problem with Defcon 1 , group W since November of 2016.

        • #107895
          zero2dash
          AskWoody Lounger

          I’m starting to lean more that way myself.
          Every month, you have patches released that cause nothing but problems for several weeks, and then after, things just quiet down like they’re “fixed”. At this point I’m more concerned about what they’re trying to sneak in than what they’re trying to actually fix.

          The CPU microcode detection update, for instance – that shouldn’t be something that anyone receives on 7. That’s not a security update, that’s a feature update. I thought we weren’t getting those? [sarcasm] Oh, but they’re making an exception for this one, because it provides for further OS version prodding and forceful upgrades.

      • #107842
        BrianL
        AskWoody Lounger

        In my way of thinking, whether you have an older machine or a newer machine with Win 7 or Win 8.1, the safest thing to do is click on ‘Services’, go down the list and double click on Windows Update, then click on ‘disable’, then click ‘apply’, then if not stopped click on ‘stop’, then click on ‘OK’, then exit Services.  When it is OK to apply updates just reverse above.  What do you all think? (to Woody and Noel Carboni)

        • #107845
          anonymous
          Guest

          Not a bad solution. But how are you certain that it won’t find a way to turn itself back on again?

          • #108041
            anonymous
            Guest

            – Make a backup, just in case. Always backup before you sc**w up!

            – Download the stand alone installation (or update) for the Windows Update Client. If you can find a version previous to all these shenanigans, even better. You might eventually need it in the future, even if just for some manual installation of selected updates.

            – Delete the Windows Update service.

            – For the overkill, get lost on the C:\windows\winSxS and have fun butchering traces of Windows Update Client there. And Media Player. And Windows Mail. And IE. And that ton of Chinese, Japanese and Korean trash that should have never been stuffed into that install.

             

            There! If it’s not there at all or if it is, it’s in such a broken state that I dare Micro$oft to try to do something out of this. If they can break it, why can’t I? 😉

             

            (another anonymous)

            Edited for content

        • #107863
          Noel Carboni
          AskWoody_MVP

          Not a bad solution. But how are you certain that it won’t find a way to turn itself back on again?

          It CAN happen. I’ve personally seen it happen.

          This year, for example, at the time I installed TurboTax on my Windows 8.1 workstation I shortly thereafter found unexpected entries in my firewall log that showed Windows Update had been started – even though I had set it to Disabled – and was trying to contact Microsoft (it failed, because I also reconfigure my firewall to disallow updates).

          Sure enough, when I looked, I found this situation:

          WindowsUpdateRunning

          Looking at the details in the Windows event logs, I saw that when the TurboTax installer was started it changed my setting from Disabled to Manual, started the service, then changed it back to Disabled! Not at all what one would expect of an application installer. Coincidence? Maybe. In any case, something changed the startup type of the Windows Update service.

          WindowsUpdateStarted

          Moral of this story: Settings are just that – settings – and some software vendors have been losing their compulsion to heed them.

          Secondary observation: A multiple layer security strategy can in some cases actually be necessary.

          I myself keep the Windows Update service Disabled and my firewall configured to disallow communications with the list of servers below except when I want to apply updates. I do this on all my systems, running Win 7, 8.1, and 10, and I recommend it for those who want to retain control. I can verify that Windows Defender / MSE do keep themselves up to date without Windows Update running.

          List of update servers/domains I only allow when actually doing updates (the items starting with “WU”):

          ListOfUpdateServers

          -Noel

          4 users thanked author for this post.
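
A way to run the check described in the post above, as an added example that is not part of the original post: it reads the current start mode of the Windows Update service and lists the Service Control Manager events for start-type changes (7040) and state changes (7036) that name it. The 30-day window is an assumption, and the script only reads the log; it changes nothing.

```powershell
# Added example (not from the thread): audit whether the Windows Update
# service was re-enabled or started after you set it to Disabled.
# Requires PowerShell 3.0 or later; run from an elevated prompt.

$serviceName  = 'wuauserv'   # short name of the Windows Update service
$lookbackDays = 30           # assumption: how far back to search the log

# Current configuration, as the Services console would show it.
$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$serviceName'"
if (-not $svc) { throw "Service '$serviceName' not found." }
'{0}: StartMode={1}, State={2}' -f $svc.DisplayName, $svc.StartMode, $svc.State

# Service Control Manager events in the System log:
#   7040 = start type of a service was changed (old type -> new type)
#   7036 = a service entered the running/stopped state
#          (may not be recorded on every Windows version)
$filter = @{
    LogName      = 'System'
    ProviderName = 'Service Control Manager'
    Id           = 7036, 7040
    StartTime    = (Get-Date).AddDays(-$lookbackDays)
}

# The first event parameter is the service display name, so match on that.
$hits = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    Where-Object { $_.Properties[0].Value -eq $svc.DisplayName } |
    Sort-Object TimeCreated |
    ForEach-Object {
        $p = $_.Properties
        if ($_.Id -eq 7040) {
            # Parameters 2 and 3 hold the old and new start type.
            $change = 'start type: {0} -> {1}' -f $p[1].Value, $p[2].Value
        }
        else {
            # Parameter 2 holds the state the service entered.
            $change = 'state: {0}' -f $p[1].Value
        }
        [pscustomobject]@{
            Time   = $_.TimeCreated
            Id     = $_.Id
            Change = $change
            User   = $_.UserId   # SID of the account that made the change, if logged
        }
    }

if ($hits) { $hits | Format-Table -AutoSize }
else { "No start-type or state changes for $($svc.DisplayName) in the last $lookbackDays days." }
```

A 7040 entry moving the start type away from disabled, followed by a 7036 "running" entry and a second 7040 back to disabled, is the sequence the post describes; the timestamps can then be compared against installer activity and firewall logs.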
      • #107850
        Canadian Tech
        AskWoody_MVP

        I am following PKCano’s guide, but only up to and including February (non-existent.) I am adding Office patches BEFORE March only. This is the first time my clients have had updates since last October. It may be the last time ever — ala Group W.

        Note, my clients’ newest Office is Office 2010. Not one of them has bought a more recent version.

        CT

        1 user thanked author for this post.
      • #107852
        lurks about
        AskWoody Plus

        Ouch, pre-alpha patches in the wild. Not good.

      • #107854
        Bigpaul101
        AskWoody Lounger

        Following on from a previous post. I look at this logically (and very non technically), and what I am seeing is that there is something not right about a patch from last night loading on Win 7 Professional with Office Pro 2010. After loading and rebooting the machine hangs on restart.

        Win 7 and Office 2007 or 2016 do not seem to be affected.

        I have 68 workstations with different clients that have brought me to these conclusions. I should have waited!!!

        A local switch off / on seems to fix the issue.

        Hopefully this helps one of you more technically minded helpers

      • #107860
        pmcjr6142
        AskWoody Plus

        I assume that Windows Defender and Malicious Software Removal Tool are OK to install?

        • #107862
          Canadian Tech
          AskWoody_MVP

          pmcjr, I would not recommend the MSRT. It rarely produces anything useful. A reasonable antivirus software installation far outstrips it. In addition, MSRT is now a suspect spyware tool used by Microsoft.

          CT

          11 users thanked author for this post.
          • #107897
            zero2dash
            AskWoody Lounger
            2 users thanked author for this post.
          • #107906
            pmcjr6142
            AskWoody Plus

            Thanks, CT.  I have a good antivirus plus Malwarebytes, but I’ve always thought if MSRT catches one more infection, it’s worth it.  As long as it’s not breaking my PC.

            • #108000
              woody
              Da Boss

              The problem is that… I’ve never had MSRT pick up any problems.

              That said, I don’t see where this MSRT is any worse than its predecessors. And Defender updates are always OK.

              2 users thanked author for this post.
              • #108001
                Canadian Tech
                AskWoody_MVP

                Woody, in years and years of applying MSRT to hundreds of machines, I can recall ONE instance of it turning up anything. We’re talking of thousands of instances. I strongly suspect that my choice of AV has been the reason.

                That sure tells me it is pretty worthless. Why would I risk MS installing spyware in MSRT? No value to it.

                CT

                3 users thanked author for this post.
              • #108008
                Microfix
                AskWoody MVP

                MSRT is just another means of ‘accepted via EULA’ telemetry since July 2016 IIRC

                As CT has pointed out, a good up to date AV/Antimalware is sufficient if you’re in the anti-snooping camp.


                No problem can be solved from the same level of consciousness that created Pebcak
                2 users thanked author for this post.
              • #109749
                Noel Carboni
                AskWoody_MVP

                MSRT has never done anything bad to any system I’ve seen run it, NOR has it turned up any unexpected malware. If it potentially could catch something in the general case, why not let it run?

                I suspect it’s more of a “for dummies” malware mitigation, and folks in-the-know have other, better means to keep malware out – which is why we adept computer managers don’t see MSRT catch anything on our systems.

                The one thing no one really discusses much regarding the unsaid philosophy of “security is good and more security is better” is how much time is being wasted checking for malware.

                • Does everyone wait a few minutes longer for their updates to finish while MSRT runs?
                • Does everyone have a computer that’s half as powerful as it could be if only it weren’t constantly checking to see if malware has sneaked in and infected it?

                I’ve recently done some testing with and without Windows Defender and with and without MalwareBytes v3, and the amount of responsiveness and compute capacity lost just to run the anti-malware software is not insignificant!

                What price security?

                -Noel

          • #108011
            anonymous
            Guest

            I suspected there was something wrong with MSRT a long time ago by virtue of the fact I must always “Agree” to run it… Case in point, I never had to “Agree” to run an antivirus scan. By the way I never agree to allow MSE to send suspicious files to Microsoft or join MAPS. The term “suspicious files” is too vague… Microsoft and their friends at the NSA think every file is suspicious.

      • #107868
        b
        AskWoody Plus

        don’t open any Word docs attached to email messages!

        In the real world, can this really be better advice than applying the patch?

        Waiting to see how many millions get hit?

        Many combinations of Microsoft Word and Windows support “Protected View” for documents downloaded from the internet or opened directly from the email. In these cases, the user needs to “Enable Editing” before the exploit runs. However, most users are accustomed to enabling editing.
        https://www.proofpoint.com/us/threat-insight/post/dridex-campaigns-millions-recipients-unpatched-microsoft-zero-day

        1 user thanked author for this post.
        • #107888
          Noel Carboni
          AskWoody_MVP

          In the real world, can this really be better advice than applying the patch?

          Waiting to see how many millions get hit?

          There is no room for hype on this forum.

          If you have an inkling of the concept of “risk vs. reward” then you’ll understand that it’s what’s in play here. Who can possibly know the risk yet? Even Microsoft employees at this point have no testing to back up their positions.

          Knowing what we know of Microsoft’s behavior, do you still trust them implicitly to do no harm to your system? Or do you just not care whether other folks’ computing experiences are disrupted.

          Not to mention the elephant in the room…

          If getting the patch out was SO incredibly important to protect those millions, why didn’t Microsoft release the patch last week? The vulnerability has been known since when?

          Lastly?

          Have you already installed the updates on YOUR personal machine? I see that you haven’t offered your personal experience about whether your system(s) are working after the update.

          In my case I have seen no problems with a fully updated Windows 10 test system, and a Windows 8.1 test system seems to have weathered the updates well also. But I’m not done testing, so my critical systems remain unpatched until I understand the risk better.

          -Noel

          4 users thanked author for this post.
          • #107914
            b
            AskWoody Plus

            There is no room for hype on this forum.

            No hype from me. Woody posted yesterday about millions potentially affected:

            WOW. It is the same vuln I talked about on Saturday, but it looks like somebody figured out how to do it, and sent copies out to millions of people around the world:

            https://arstechnica.com/security/2017/04/microsoft-word-0day-used-to-push-dangerous-dridex-malware-on-millions/

            If you have an inkling of the concept of “risk vs. reward” then you’ll understand that it’s what’s in play here.

            I have. I do.

            Who can possibly know the risk yet? Even Microsoft employees at this point have no testing to back up their positions.

            How do you know what testing Microsoft have (not) done? They’ve been working on it for weeks.

            Knowing what we know of Microsoft’s behavior, do you still trust them implicitly to do no harm to your system?

            I trust them to do what they can to protect my system from harm by others.

            Or do you just not care whether other folks’ computing experiences are disrupted.

            That’s crucially important to me. Do you just not care whether folks’ computing experiences are disrupted by malware attacks during the normal course of their business?

            Not to mention the elephant in the room…

            If getting the patch out was SO incredibly important to protect those millions, why didn’t Microsoft release the patch last week?

            Because it wasn’t public until Friday/Saturday.

            The vulnerability has been known since when?

            A week or two longer than that (according to FireEye).

            Lastly?

            Have you already installed the updates on YOUR personal machine? I notice that you haven’t offered your personal experience about whether your system(s) are working after the update.

            I didn’t realize my personal experience was so important to you. Yes, I’ve installed yesterday’s Office and Windows updates on MY personal machine and I have not experienced any ill effects.

            In my case I have seen no problems with a fully updated Windows 10 test system, and a Windows 8.1 test system seems to have weathered the updates well also. But I’m not done testing, so my critical systems remain unpatched until I understand the risk better.

            -Noel

            I always install ALL updates on my “production” system immediately and then for others as soon as possible if I don’t suffer a catastrophic failure. In the last 22 years I can only remember one or two minor glitches easily rectified after updates.

          • #108017
            anonymous
            Guest

            “Who can possibly know the risk yet? Even Microsoft employees at this point have no testing to back up their positions.”

            Noel,

            What is the basis for your comment? 27 years in IT and having used Microsoft products since DOS 1.0 it has always been my understanding Microsoft has test labs to run their code, lots of test labs. While I understand Microsoft can’t test every possible scenario and borks a lot of systems the above statement seems unlikely. Do you have some information to the contrary? For the record I’ve taken updates on about 30 computers today and have had no issues.

            • #108057
              Noel Carboni
              AskWoody_MVP

              Perhaps I stated that in a bit of an extreme fashion, but the fact is that Microsoft no longer has the professional testing organization they once had. This says that our decades of experience aren’t necessarily valid (yes, I have had a long career of applying Microsoft Updates mostly successfully too).

              One of many reports easily found online about the changes at Microsoft:
              http://www.businessinsider.com/microsoft-just-laid-off-2100-people-2014-9

              Testing will no longer be done by a totally dedicated team, but will be rolled into the developer team. Nadella believes this will reduce bureaucracy and let Microsoft deliver products faster.

              -Noel

              • #108069
                Canadian Tech
                AskWoody_MVP

                Noel,

                A lot of the people who take part in this forum have had one or more experiences in their past when they worked for a major success story like IBM, NCR, DEC, HP. If you were watching, when the exodus began, the first out the door were the best. Those are the guys who have the most portability. Over time, the ones who remained, were not the strongest of the team.

                I believe that is what has and continues to happen at Microsoft. That is borne out by the track record we see in Windows Update. It has been one disaster after another. Patches to the patches, etc.

                So, Noel, I completely agree. The quality of product from Microsoft today is not even close to what it was a few years back.

                CT

                4 users thanked author for this post.
      • #107877
        cyberSAR
        AskWoody Plus

        I have to admit to wondering, myself, whether to step up the timescale for application of this month’s patches because of the reports of that Office zero-day.

        I’m going to install on my clients’ machines today due to potential liability if I ignore/delay it. I will explain that we’re installing without fully testing the patches. So far, the ones I’ve spoken with are appreciative and prefer to get the patch early.

        Have installed on all of our test machines and haven’t noted any issues… yet.

        • #107884
          Noel Carboni
          AskWoody_MVP

          You have to follow your best judgment of course, but…

          Do you have any liability issues by accelerating the install? Or can you just comfortably say, to someone who has had their setup scrogged, “That was Microsoft’s fault” – even though you are already aware of problems?

          Remember, as the expert your clients are trusting you to do the right things for them. If you consider their data and uptime no more important than what Microsoft considers them, how are you adding value? I’d suggest whatever you choose to do for yourself you do for them.

          -Noel

          1 user thanked author for this post.
          • #107885
            b
            AskWoody Plus

            even though you are already aware of problems?

            What problems in this case?

            • #107903
              Noel Carboni
              AskWoody_MVP

              What problems in this case?

              Do you know what “havoc” means?

              MS-DEFCON1

              -Noel

              • #107925
                b
                AskWoody Plus

                What problems in this case?

                Do you know what “havoc” means?

                MS-DEFCON1

                -Noel

                Yes, I have access to a dictionary thanks.

                What was the point of the screen shot?

                No known problems so far then?

              • #107959
                Noel Carboni
                AskWoody_MVP

                The point was (and is) that there is not enough accumulated positive experience to advise people to go ahead yet.

                Do you know what’s interesting?

                That I’ve actually just discovered a new and potentially serious problem in my own testing:

                Adobe Creative Cloud and Photoshop CC 2017 won’t install successfully on Windows 10 version 1703 build 15063 updated to .138.

                InstallerFailed

                I don’t know why it fails; I’ve put out some queries to see if it’s a known issue. In fact, I may not learn why. I don’t even YET know whether it’s a common problem or something specific to just an updated Win 10 system, to version 1703, or even just to one test system.

                There is no question Microsoft is a different entity today than it has been in the past. It’s not important to people who care about the integrity of their computing environment what folks did decades ago or even 5 years ago. It’s important what Microsoft is delivering now, today.

                Before asking another naïve one-line question please pose this one to yourself: Why do you feel acknowledgement of potential risk has to come with proof?

                Ask instead: What evidence do we have that the updates don’t break something new?

                And finally, please consider the meaning of this phrase: Healthy skepticism.

                -Noel

                4 users thanked author for this post.
              • #107971
                b
                AskWoody Plus

                Before asking another naïve one-line question please pose this one to yourself: Why do you feel acknowledgement of potential risk has to come with proof?

                Why do you feel potential risk (of updating) should outweigh actual risk (of not updating)?

                Ask instead: What evidence do we have that the updates don’t break something new?

                You’re expecting proof of a negative again. I don’t think anyone can provide that.

              • #108065
                Noel Carboni
                AskWoody_MVP

                Why do you feel potential risk (of updating) should outweigh actual risk (of not updating)?

                Quantify both risks and one can easily make a decision (though I seriously doubt that you or anyone else can come close to quantifying the risk of being targeted by that Office zero day malware in the next few days or weeks).

                Even if one were to accept that there’s a more well-defined risk of getting a malware attack than getting a b** patch, there’s no way to weigh the latter without more experience.

                A few more days/weeks of A) personal testing without uncovering problems, and B) others not reporting meltdowns and it will be a better time to make a decision. And I’ll just bet Woody will change the MS-DEFCON level up to some higher number at some day in the near future.

                Essentially I see this conversation as you advising making rash decisions, while I’m suggesting gathering more information and making informed decisions.

                Why such a push to rush to a decision to take updates without knowing more about them? We are here, in a connected world, with an ability to learn from others’ experience. Just keep yourself from double-clicking on .rtf attachments a little longer.

                -Noel

                1 user thanked author for this post.
              • #107989
                NetDef
                AskWoody_MVP

                Noel,  seen that error a few times on 1607 and older Win 10.  Not sure if this applies to the new CU but worth a try perhaps?

                Try the steps here https://forums.adobe.com/message/7996709#7996709

                Adobe Creative Cloud and Photoshop CC 2017 won’t install successfully on Windows 10 version 1703 build 15063 updated to .138.  I don’t know why it fails; I’ve put out some queries to see if it’s a known issue.

                 

                ~ Group "Weekend" ~

          • #107911
            cyberSAR
            AskWoody Plus

            Not a lawyer, and didn’t stay at a holiday inn express, but I would think my liability would be higher if I didn’t install an update for an exploit actively being abused and reported across many tech sites.

            Yes, we did install on 10 of our machines and noticed no issues so far. We give the client the choice but advise, based on our results so far, to go for it. We do have backups of all machines too 🙂

            2 users thanked author for this post.
            • #107964
              Noel Carboni
              AskWoody_MVP

              Thank you for the clarification. Involving the clients is a reasonable approach.

              Regarding updating clients to Windows 10 version 1703, please see my post above… If you have any clients specifically who use Adobe software, you might want to do a bit of additional testing.

              -Noel

      • #107880
        NetDef
        AskWoody_MVP

        The caveat for us is we manage updates with WSUS . . .  so the following should be read with that in mind.  This is not quite the same scenario where you accept updates directly from MS with only the native client update management tools (which for Win10 is pretty much not much at all.)

        We responded to the risk of infection from the Word 0-day vulnerability last night.  We allowed the April security only roll-up on all Win 7 and the cumulative April update for Win 10 machines.  We also allowed all Office security updates including the fix for CVE-2017-0199.

        As of this writing, we had zero problems with any of our client workstations during and after last night’s update on Win 7 Pro or Win 10 Pro or Win 10 ENT.  We run a mix of Office 2010 and 2016.  A rough count of workstations across all our office sites = 350.

        EDIT:  For Win 10 machines we are on the 1607 CBB and are (for now) rejecting the Creators Update until it becomes CBB.

        ~ Group "Weekend" ~

        6 users thanked author for this post.
        • #107908
          Noel Carboni
          AskWoody_MVP

          THANK YOU for sharing your actual experience. That is arguably one of the most valuable things about this forum, and certainly one of the prime reasons I read it.

          -Noel

          4 users thanked author for this post.
        • #107991
          NetDef
          AskWoody_MVP

          Update:  Most of the day now — our workstations have been in heavy use — still no problems from our user base, no complaints.  We’re not seeing much fallout from forcing everything to patch last night. (Other than a lack of sleep.)

          I updated my ancient (6 years now – Sandy Bridge CPU) and beloved Lenovo Laptop this afternoon and it failed to patch. Got the dreaded roll-back error on bootup. It’s running Windows 10 Pro 1607 and Office 2010.  This would be the machine I abuse on the road the most.

          Fixed it by running sfc /scannow followed by a DISM /Online /Cleanup-Image /RestoreHealth and a second sfc /scannow.  All current patches for 1607 and Office 2010 installed with no problems afterwards.

          This was very likely self-inflicted . . .   🙂

          ~ Group "Weekend" ~

          1 user thanked author for this post.
      • #107917
        Seff
        AskWoody Plus

        Thanks Woody as always for the prompt advice, and to Noel for his detailed observations.

        Naturally I wouldn’t be considering installing any updates this early in the monthly cycle anyway, although I was concerned over the Office threat. However, although I have Office 2010 installed on one of my two Windows 7 machines, I haven’t received any Office updates yet, indeed the last one was back in August last year.

        All I have been offered on both machines thus far is the monthly security rollup KB4015549, the .NET framework rollup KB4014981, and the usual MSRT. An optional and unchecked Silverlight update has been hidden as I don’t have Silverlight installed on either machine.

        • #108785
          anonymous
          Guest

          Seff,

          To get your “missing” Office updates, start Windows Update and look at the left side panel of the window. You should see a link that says “Change settings”. Click that link.

          On the new page that just came up, make sure the box labeled “Give me updates for Microsoft products and check for new optional Microsoft software when I update Windows” is checked. It will be listed under the “Microsoft Update” heading below the Important Updates drop-down box. It is NOT one of the choices in the drop-down box itself, but a separate heading below the drop-down box.

          Once you’ve done that, make sure you haven’t changed ANYTHING ELSE on the page and click the OK button at the bottom of the window. That should do it, allowing you to now see the updates for Office as well as those for Windows every time Windows Update is run.

          I hope this helps!

          • #108787
            Canadian Tech
            AskWoody_MVP

            Seff, some people have trouble getting the “Microsoft updates” to work. If that happens to you, here is what you need to do:

            Start Internet Explorer, click the gear (upper right) in IE11, select Compatibility settings, and enter Microsoft.com in the list.

            CT

      • #107931
        BrianL
        AskWoody Lounger

        My previous comment about turning off Windows Update: Woody says that ‘I don’t advocate turning off Windows Update’. I have to do this on my own machine because I can’t adjust how I get updates, for some reason. It’s very easy to do and restart. It keeps Microsoft from injecting any update onto your machine before you can get a look at them. This is for individual home machines not tied to company servers. You can turn updates back on when Woody gives the “all’s clear” with Defcon changes, otherwise just sit, read this forum and learn. I am.

      • #107933
        pmacS33
        AskWoody Lounger

        IE patch KB4014661 breaks MBSA.

        While testing, we installed ie11-windows6.1-kb4014661-x64.msu.  After rebooting we run MBSA to verify the patch.  MBSA starts but then fails, complaining about a bad signature file.  Now we don’t have a good way to verify that the vulnerability has been closed until MS either puts out a new signature file or they update kb4014661.  This is on Windows Server 2008 R2.  Have not verified on other supported OS platforms.

        -Dan

        2 users thanked author for this post.
        • #107973
          pmacS33
          AskWoody Lounger

          Well…we have performed some isolation testing and it seems that KB4015546 may be the real culprit. Once we run Windows6.1-KB4015546-x64.msu we receive the following MBSA results:

          Security assessment: Incomplete Scan
          Computer name: WORKGROUP\V-HELLIUM
          IP address: //snip//
          Security report name: WORKGROUP – V-HELLIUM (4-12-2017 8-31 PM)
          Scan date: 4/12/2017 8:31 PM
          Scanned with MBSA version: 2.3.2208.0
          Catalog synchronization date: 2017-04-10T21:31:59Z
          Security Updates Scan Results

          Issue:  Security Updates
          Score:  Unable to scan
          Result: Cannot load security CAB file

          2 users thanked author for this post.
      • #107957
        Jan K.
        AskWoody Lounger

        Ha! I didn’t even get the March updates… had a look back then and “meh”…

        Fun fact: my Windows 7 is an original install originating some two years after release, probably 2011? Had same problem back then on giving up good running stuff! 😀

        But this install has been running ultra smooth and rock steady ever since installed! Not a hitch, break-down or what not. As good as I could ever wish for.

        Nothing has threatened the stability, no virus, trojans, scripts. Nothing. And I’ve visited places I’m not that proud of… never had a problem.

        But lately? Not so much luck… started with the brilliantly executed Get Windows X campaign. Took quite some man-hours to get the system back to its old stable state.

        The irony? The only thing that ever has caused problems and that really, really scares me and is a very serious threat to my system’s stability – and my sanity – is… microSoft.

        Waiting with updates and Noel’s article of how to lock down the Windows 7 system…

        2 users thanked author for this post.
        • #107996
          Canadian Tech
          AskWoody_MVP

          When you get deep enough into this forum and read up on the Group A/B and W(C) theory, you may just realize, like I did, that the risk of applying MS devastating patches is much greater than not applying them at all. At minimum, do NOT apply ANY patches till Woody recommends it through his MS-Defcon rating system. For example, anyone applying those patches today is playing with fire.

          If you must choose Group B, do not apply any until they have aged at least one month and better yet two.

          CT

          4 users thanked author for this post.
      • #107965
        anonymous
        Guest

        The first time I booted up my Win7 x64 laptop computer today (04/12/2017), Windows Update ran and I saw there were three important Windows 7 updates:  the April, 2017 Security Monthly Quality Rollup  (KB4015549), the April, 2017 Security and Quality Rollup for .NET Framework (KB4014981), and the Windows MSRT (KB890830).   This afternoon, when I rebooted my laptop after lunch, I see there are now four important Windows 7 updates; the three I saw this morning, plus the March, 2017 Security Monthly Quality Rollup (KB4012215).  I am in Group B and apply the Monthly Security Only Quality updates and therefore, did not install the March, 2017 Security Monthly Quality Rollup.  Rather, I installed the March, 2017 Monthly Security Only Quality update, KB4012212.  Has anyone else in Group B experienced this problem?

         

        So glad to see Woody has moved to MS-DEFCON-1.  Well-deserved!

        • #107967
          PKCano
          Da Boss

          Did you by any chance HIDE the Monthly ROLLUP? If you hide this month’s Rollup, last month’s will reappear. It is not recommended to hide updates. UNCHECK them and they will not get installed. Next month’s Monthly ROLLUP will replace it and it will disappear. If you hide them, the one that was superseded will become important and CHECKED.

          1 user thanked author for this post.
        • #107997
          Canadian Tech
          AskWoody_MVP

          Take some really good advice, Anonymous, set your Windows Update setting at Never and leave it there, forever.

          CT

          2 users thanked author for this post.
      • #107969
        anonymous
        Guest

        No, PKCano, I did not hide the April Monthly Rollup (KB4015549).  I wrote about this issue  because,  due to supersedence,  I should not see both the April Monthly Rollup and the March Monthly Rollup at the same time.  The April Rollup should supersede the March Rollup.  Therefore, I ask again:  Has anyone else experienced seeing both the March and April Rollups displayed in Windows Update?

        • #108006
          abbodi86
          AskWoody_MVP

          Well, do you have them both? A screenshot would be helpful 🙂

          1 user thanked author for this post.
      • #107981
        TheSuffering
        AskWoody Lounger

        D**n, talk about backfires. And anyone care to explain the word exploit? (I tried reading but couldn’t understand.) Does just avoiding spam mail with attachments subside?

        Edited for content

      • #108015
        abbodi86
        AskWoody_MVP

        April 12, 2017, update for Word 2016 (KB3085439)
        https://support.microsoft.com/en-us/help/3085439

        1 user thanked author for this post.
      • #108020
        anonymous
        Guest

        We might be in MS-Defcon 1, but since Microsoft has released Windows 8.1, all this beating we’ve been having on our side has in fact been quite lucrative for their stocks:

        https://finance.yahoo.com/chart/MSFT#eyJtdWx0aUNvbG9yTGluZSI6ZmFsc2UsImJvbGxpbmdlclVwcGVyQ29sb3IiOiIjZTIwMDgxIiwiYm9sbGluZ2VyTG93ZXJDb2xvciI6IiM5NTUyZmYiLCJtZmlMaW5lQ29sb3IiOiIjNDVlM2ZmIiwibWFjZERpdmVyZ2VuY2VDb2xvciI6IiNmZjdiMTIiLCJtYWNkTWFjZENvbG9yIjoiIzc4N2Q4MiIsIm1hY2RTaWduYWxDb2xvciI6IiMwMDAwMDAiLCJyc2lMaW5lQ29sb3IiOiIjZmZiNzAwIiwic3RvY2hLTGluZUNvbG9yIjoiI2ZmYjcwMCIsInN0b2NoRExpbmVDb2xvciI6IiM0NWUzZmYiLCJyYW5nZSI6IjV5In0%3D

        [ by the way, Woody, the graph is not zeroed on the vertical scale 😉 ]

         

        So yeah, we’re dying in here, but out there they are quite well. No wonder they won’t listen to us, Nadella has stocks and Dollars stuffing up his ears.

        • #108194
          woody
          Da Boss

          Points well taken.

          At some point I start feeling like a Volkswagen Bug enthusiast. There was a long period of decline, when it was fun and challenging to keep the old beasts running. But sooner or later, for most of us, reality set in.

          1 user thanked author for this post.
          • #108196
            PKCano
            Da Boss

            1962 (bug eye) and 1966 bus/campers. 1200cc. Jack up the back and drop the engine out on broomsticks. And you could change cylinders individually.

            • #108236
              woody
              Da Boss
              1 user thanked author for this post.
              • #108268
                BobbyB
                AskWoody Lounger

                @Woody OMG it’s still in print? And “ringback/wirebound” too? That’s a walk down memory lane 🙂

              • #108348
                Bill C.
                AskWoody Plus

                As a former Beetle owner, a ’64, ’65 and ’69 (with overbore), I now know why I stubbornly suffer with Win7-64Pro SP1 and Office 2010.

                Just as I moved to the ’77 VW Rabbit with FI and never looked back (kept the ’69 Beetle for a few more years then gave it to my sister), I have begun acquiring the parts for the Linux PC build. As with the Beetle, I will keep the Windows 7 machine for certain tasks and gaming probably past EOL, but I have already started to do more browsing and email on Linux (and iOS) than Windows.

                I wonder if years later, I will look back at Windows like the Beetle. I sincerely doubt it. With the Beetle, the memories of the leaking running boards and humid defrosters are now ‘character.’ It is a car that when I sit in one today I wonder how I ever had so much fun in a car. They were so easy to repair and maintain.

                Naah, I will NOT look back that way on Windows (or more accurately Microsoft’s misfeasance and sabotage of a decent operating system.)

          • #110594
            Steve
            AskWoody Lounger

            I still have a 1974 Volkswagen Beetle in the garage here at the domicile. It hasn’t run since 1992 (I think). But it will be restored at some time in the future. I have a lot of other things to fix here before that, though. :-I

            Important links you can use, without all the fluff or sales pitch = https://v.gd/sdr34
        • #108638
          Ascaris
          AskWoody_MVP

          Stock prices can change quickly.  AOL was once so big that it got top billing in a merger with vaunted Time-Warner, but it came crashing down shortly thereafter.  Today, it’s a free email provider used by two (2) people worldwide, and that merger is regarded as one of the biggest blunders in business history.

          Irrational exuberance can keep things like real estate bubbles afloat for many years, but sooner or later, reality once again shows its dominance, and it all crashes to the ground.  That’s not to say I think this will happen with MS… only that it might. Sometimes the latest, greatest thing really is all it’s cracked up to be, but more often, it ends up being a dud.

          I don’t know whether MS deserves its current market capitalization or not. What I do know is that I keep hearing about how Microsoft is now the innovator, how it’s the new Apple, all that kind of thing, but the only innovation I see here at ground level is new and innovative ways to make a rude finger gesture at its own customers.

          The rest of the stuff is oversold hype, a la The Emperor’s New Clothes, as I see it.  I think that anything including the word “cloud” is part of a fad right now, and while there is obviously some value in what they’re now calling “cloud” (as was the case when all those things were being done without the term “cloud” attached), it’s not any more innovative than it was during the 90s when they called it “thin client” or during the mainframe/terminal era when they called it “computing.”  It’s still having your stuff stored on someone else’s server and having some or all of the computation delegated to someone else.  It’s nothing new– it’s older than the PC, in fact.  The decentralized, client-focused PC was the innovation that did away with all that stuff decades ago, but that’s the status quo now, so everything else begins to look innovative and new, even if it’s the same old stuff.

          Business investors seem to really have a weakness for buzzwords and hype.  If you throw in a few “thinking outside the box”es and a few “paradigm shift”s, it must be good!  Now those terms are worn out, but there are always new ones to replace them.  “Innovation” and “cloud” are big ones now.  Sprinkle a few of the buzzwords into the prospectus and watch as the investors salivate on command…

          Group "L" (KDE Neon Linux 5.20.4 User Edition)

          1 user thanked author for this post.
          • #108653
            Canadian Tech
            AskWoody_MVP

            Ascaris, one thing I learned a lot of years ago: There is no correlation whatsoever between the real value in a company and its stock price. Think IBM, as it was dying, it still had a huge stock price. I have not checked lately, but I think it still does.

            I have worked for some of these over-valued companies. Worked in positions in which I knew full well where all the warts were. It never failed to amaze me how gullible stock investors are, and what makes matters worse are stock peddlers who know even less about what they are shouting about.

            Think the tech bubble of 2000!

            CT

            1 user thanked author for this post.
      • #108028
        BobbyB
        AskWoody Lounger

        It’s a little bit off topic, but for the average user and probably quite a few power users as well, maybe time to check your mail settings. Yes, I know this is about Word attachments, but if your ISP supports it, maybe switch from a POP account (full download) to IMAP (stays on the server normally). For M$ Office Outlook users that have an outlook.com account, maybe “rejig” your settings to download headers only, or any other account. That way, before the thing gets to your machine you can actually check or trust the sender. Check your mail rules: are there any candidates in there that are trusted? If there are, can you enable automatic download? Do you share your mail app/machine? Sounds like old tired advice, eh? Well, yes, but many’s the time stuff has been downloaded and potentially infected Word docs have been opened inadvertently. Do you use macros? Do you enable them? Sounds like this exploit isn’t about macros, but that’s a regular target.
        Got a couple sitting in the inbox right now, one who I know, one that I am not sure of as they both have attachments. It’s now a consciously made effort on my part to take a leap into the unknown and decide to download or not. Got to admit over the years I have got a little “lax” purely for convenience and speed. Ahh, but apparently the “malware merchants” out there never sleep, and with M$ offering a fix in an update that is the proverbial “poison chalice”, maybe time to trade expediency for security 😉

        2 users thanked author for this post.
      • #108031
        BrianL
        AskWoody Lounger

        One set of items I forgot to mention: Along with disabling Windows Update, I disable Diagnostic Policy Service, Diagnostic Service Host and Diagnostic System Host. This seems to ensure that Windows Update does not turn on with you turning it back on. Sorry I omitted these facts.

      • #108058
        CraigS26
        AskWoody Plus

        Thanks Woody as always for the prompt advice, and to Noel for his detailed observations. Naturally I wouldn’t be considering installing any updates this early in the monthly cycle anyway, although I was concerned over the Office threat. However, although I have Office 2010 installed on one of my two Windows 7 machines, I haven’t received any Office updates yet, indeed the last one was back in August last year. All I have been offered on both machines thus far is the monthly security rollup KB4015549, the .NET framework rollup KB4014981, and the usual MSRT. An optional and unchecked Silverlight update has been hidden as I don’t have Silverlight installed on either machine.

        My Win 7-64 Hm Prem showing (1) 2010 Excel, (2) Office, & (1) Outlook (which I don’t have) as of 4/12/17. You made somebody mad at WU to not have Any presented since 8/16 – -I’ve had a number of ’em. Good luck!

        W10-64 1909 Pro / Hm-Stdnt Ofce '16 C2R / HP Envy Desktop-Ethernet/ 12 GB / 256G SSD + 1 TB HDD / i5-8400 Coffee Lake/ GP=2 + FtrU=Semi-Annual + Feature Defer = 1 + QU=0 + TRV = 2004

      • #108086
        anonymous
        Guest

        Is any Intel i5 processor fine even with the update?

        • #108195
          woody
          Da Boss

          That’s a surprisingly complex question.

          If your i5 is a Skylake (many are not) you need to look up the manufacturer on this list to see if you’ll get updated without incident.

          If your i5 is a Kaby Lake (only released very recently), you’ll get zapped.

          There’s a list of processors here that may help. Use Speccy to see which processor you have.

          1 user thanked author for this post.
          • #108205
            radosuaf
            AskWoody Lounger

            If your i5 is a Skylake (many are not) you need to look up the manufacturer on this list to see if you’ll get updated without incident.

            All Skylakes are OK until June or July? I can confirm (as a Skylake owner) that you can install April rollup and still be able to search for updates on 8.1.

            MSI H110 PC MATE * Intel Core i7-6700 * 2 x 8 GB Corsair Vengeance LPX DDR4 2133 MHz * Aorus Radeon RX 570 4GB * Samsung 840 EVO 250GB SSD * SanDisk Ultra 3D 1TB SSD * Western Digital Blue 1TB HDD * DVD RW Lite-ON iHAS 124 * Creative X-Fi XtremeGamer PCI * Windows 10 Pro 20H2 64-bit
            • #108215
              Pim
              AskWoody Plus

              Actually, MS has not communicated anything about Skylake computers that are not on the list, as far as I can tell. I am in the same boat as you and have been reading a few weeks ago what I could find about those computers. What they said was that Skylake computers on the list will be supported until 2020 (Win7), but absolutely nothing about other Skylake computers. That is why I am following the Kaby Lake issue with interest, as the block may well happen soon and unexpectedly for Skylake computers that are not on the list too.

              But what I have been wondering is if and how MS is able to check whether a computer is on “the list”. I know they can check for the CPU by checking the CPUID, but can they also check for the brand and type of computer?

              ASRock Beebox J3160 - Win7 Ultimate x64
              Asus VivoPC VC62B - Win7 Ultimate x64
              Dell Latitude E6430 - Win7 Ultimate x64
              Dell Latitude XT3 - Vista Ultimate x86 (still...)
              Asus H170 Pro Gaming - Win10 Pro 1809 x64

              1 user thanked author for this post.
              • #108219
                radosuaf
                AskWoody Lounger

                I know they can check for the CPU by checking the CPUID, but can they also check for the brand and type of computer?

                They can check ID string of the mainboard (I guess that’s where they’d be looking) – not sure if these are so unique you can easily distinguish between supported and non-supported OEM.

                MSI H110 PC MATE * Intel Core i7-6700 * 2 x 8 GB Corsair Vengeance LPX DDR4 2133 MHz * Aorus Radeon RX 570 4GB * Samsung 840 EVO 250GB SSD * SanDisk Ultra 3D 1TB SSD * Western Digital Blue 1TB HDD * DVD RW Lite-ON iHAS 124 * Creative X-Fi XtremeGamer PCI * Windows 10 Pro 20H2 64-bit
                1 user thanked author for this post.
              • #108242
                anonymous
                Guest

                So any chips that are 5th generation or lower are safe for now? I have 3rd generation chip.

              • #108246
                satrow
                AskWoody MVP

                All 5th gen and lower chips are safe, only some of the 6th gen are.

              • #108255
                woody
                Da Boss

                And we aren’t certain which 6th or 7th gen chips are safe.

                Windows Update roulette, anybody?

              • #108266
                b
                AskWoody Plus

                What’s unclear from the Lifecycle Policy FAQ excerpt you published today?

      • #108146
        anonymous
        Guest

        Right!  I read this and decided NOT to install the April important updates.  I have just clean installed Windows 7 on my laptop, done all the other Windows updates (except some optional ones I have hidden, including 4012218).  Luckily I had done a system image but was about to do a second image after re-installing all my files and programs.

        Windows has installed the 5 April updates WITHOUT MY PERMISSION!  I still have Windows update set to download but let me choose what to install, after my clean install.

        I turned off the laptop and it said Windows is installing 5 updates – what?!!!!  I turned it back on and looked in installed updates and they weren’t there.  They were still sitting there waiting to be installed.  I turned off the laptop later that night.  This morning I turned it on and now they actually have installed themselves!

        I am furious – especially as I have a nice new clean install.  I haven’t seen any issues yet, but do you think I should remove them again and turn Windows updates OFF?!

        1 user thanked author for this post.
        • #108148
          PKCano
          Da Boss

          “Download but let me choose what to install” means download in the background and install on next reboot/shutdown if you don’t intervene.
          You need to set it to “Search for updates but let me choose whether to download and install” or “Never check for updates.” The former searches but doesn’t download until you say so. The latter puts searching on manual and it doesn’t happen until you click on “search for updates.”

          1 user thanked author for this post.
          • #108149
            radosuaf
            AskWoody Lounger

            “Download but let me choose what to install” means download in the background and install on next reboot/shutdown if you don’t intervene.

            I’m not a native speaker, but this somehow goes against my understanding of English 🙂

            MSI H110 PC MATE * Intel Core i7-6700 * 2 x 8 GB Corsair Vengeance LPX DDR4 2133 MHz * Aorus Radeon RX 570 4GB * Samsung 840 EVO 250GB SSD * SanDisk Ultra 3D 1TB SSD * Western Digital Blue 1TB HDD * DVD RW Lite-ON iHAS 124 * Creative X-Fi XtremeGamer PCI * Windows 10 Pro 20H2 64-bit
            1 user thanked author for this post.
            • #108151
              PKCano
              Da Boss

              Yes, a lot of people have been misled by it. WU didn’t install without his permission, he misunderstood the setting. The only way to get out of that is – when you see the yellow “!” in the Start “shutdown” button, you don’t shutdown. You go to WU and uncheck/hide what you don’t want. AND you change the setting to one of the two safe ones because the updates are already on your machine.

              2 users thanked author for this post.
        • #108238
          Canadian Tech
          AskWoody_MVP

          I have been explaining this for more than a year now. The bottom line is the only sensible setting is NEVER…

          What happens with that setting is that once you start up, updates are downloaded. Some or all of them are pre-checked for installation. If you do not uncheck them before shut down, they will have your permission to be installed by virtue of those check marks.

          CT

          3 users thanked author for this post.
      • #108154
        anonymous
        Guest

        Thanks for that info.  Yes it is news to me after donkeys years lol!  I did notice an exclamation mark in shutdown.  Still – never happened to me before.  Sneaky  – it also goes against my understanding of English – and I’m English lol.

        1 user thanked author for this post.
        • #108157
          anonymous
          Guest

          Also – during my clean install I had it set to download but let me choose to install.  I had over 200 updates and chose to install some 5 or 6 at a time with reboots in between.  It didn’t install things I hadn’t chosen then – they just sat there until I selected the ones to install and clicked “install”.  It didn’t install all the others as well.

          • #108162
            PKCano
            Da Boss

            Because you probably intervened. You probably unchecked all then checked the few you wanted to install. Unchecked updates don’t get installed even if they are in the “important update” list.

            1 user thanked author for this post.
      • #108158
        samak
        AskWoody Lounger

        Yes, a lot of people have been misled by it. WU didn’t install without his permission, he misunderstood the setting.

        I don’t agree with this at all. In the dodgy MS world of misinformation, the words “Download but let me choose what to install” might mean “download in the background and install on next reboot/shutdown if you don’t intervene.” To any native English speaker it means “download in the background and then I will choose a time and place when I will install these items, if I choose to at all.”

        W7 SP1 Home Premium 64-bit, Office 2010, Group B, non-techie

        2 users thanked author for this post.
        • #108163
          PKCano
          Da Boss

          I think it’s dodgy too – typical Microspeak. But that’s the way it works.

          2 users thanked author for this post.
      • #108164
        dgreen
        AskWoody Lounger

        Before this month’s Patch Tuesday, I changed my Windows update setting from “check for updates but let me choose” to “never check for updates”.  On Wednesday I did a manual check for updates and had 3 updates, monthly rollup, preview, netframe, plus MSRT. I think I just let them be and didn’t uncheck them.
        This morning, after reading this thread,  I did a manual update again.

        All the previous updates are gone. It says my computer is “up to date”.
        Did MS pull all the patches?????

        Windows 7 Home Premium 64 bit 2008 R2
        Group B
        seriously considering Group W

        1 user thanked author for this post.
        • #108175
          PKCano
          Da Boss

          The Preview is never checked, and should be avoided at all cost.
          Rule of thumb – DO NOT check anything that is already UNCHECKED. That includes all the updates in the “optional updates” list (the Preview was here) and those in the “important updates” list that are not checked by default.

          To see if the updates were installed, in Windows Update click on “View update history.” If the ones you don’t want are there, you can go to “Installed updates” and uninstall the ones you don’t want. They will reappear in the update queue.

          2 users thanked author for this post.
      • #108174
        CraigS26
        AskWoody Plus

        Thanks Woody as always for the prompt advice, and to Noel for his detailed observations. Naturally I wouldn’t be considering installing any updates this early in the monthly cycle anyway, although I was concerned over the Office threat. However, although I have Office 2010 installed on one of my two Windows 7 machines, I haven’t received any Office updates yet, indeed the last one was back in August last year. All I have been offered on both machines thus far is the monthly security rollup KB4015549, the .NET framework rollup KB4014981, and the usual MSRT. An optional and unchecked Silverlight update has been hidden as I don’t have Silverlight installed on either machine.

        My Win 7-64 Hm Prem showing (1) 2010 Excel KB3191847, (2) Office KB 2589382 & 3141538, & (1) Outlook KB3118388 (my Ofc = No Outlook) as of 4/12/17. You made somebody mad at WU to not have Any presented since 8/16 – -I’ve had a number of ’em. Good luck!

        W10-64 1909 Pro / Hm-Stdnt Ofce '16 C2R / HP Envy Desktop-Ethernet/ 12 GB / 256G SSD + 1 TB HDD / i5-8400 Coffee Lake/ GP=2 + FtrU=Semi-Annual + Feature Defer = 1 + QU=0 + TRV = 2004

      • #108183
        dgreen
        AskWoody Lounger

        PKCano  I know about the “preview” update to leave unchecked.
        I follow closely what is posted here, Woody’s advice, Ms-defcon,
        with one exception…  I am guilty of hiding updates.
        However, this is just what happened.
        I went to check my “hidden updates” since my last post and they were all gone.
        I thought, WTH????
        So I went back and changed my update settings back to “check for updates but let me choose”.
        I rebooted my computer.
        The Windows update did the checking…
        and this is what happened..
        I now have 77 important updates, and 47 optional updates. WTH?
        Checked my “hidden” updates and there aren’t any.
        So my “hidden” updates were now switched back to unhidden without me doing anything??
        How the heck did that happen?

        Couldn’t update my MSE  definitions as it was getting hung up earlier.

        BTW My processor is Intel I3-3240 (3rd generation ivy bridge)
        Seriously, this is getting very unsettling.

        1 user thanked author for this post.
        • #108185
          PKCano
          Da Boss

          If you hit the “back arrow” in hidden updates, you don’t make changes. I think if you hit “OK” you unhide them. Watch for the Microspeak, it will bite you every time.

          2 users thanked author for this post.
      • #108190
        dgreen
        AskWoody Lounger

        If you hit the “back arrow” in hidden updates, you don’t make changes. I think if you hit “OK” you unhide them. Watch for the Microspeak, it will bite you every time.

        PKCano  Thanks!  I’m not sure if I hit “back” or “ok”.
        oh well……
        So now I have 77 important patches from the past couple years (many are netframe).
        I guess I will uncheck them and turn over a new leaf…
        I won’t hide them.

        • #108193
          PKCano
          Da Boss

          The only updates to HIDE for Group B are the telemetry patches for your version of Win. See AKB2000003

          For more understanding of what to install for Group B see https://www.askwoody.com/forums/topic/group-b-and-patch-blocklists/#post-106970

          2 users thanked author for this post.
          • #108201
            212louis
            AskWoody Lounger

            PKCano,

            Windows 7 SP1, x64, with .NET 4.5.2

            OK…I’ve posted this a couple of times and thus far no one seems to have an answer.

            Can you indicate which one of the 4 links in the Download window for April’s .NET Security Only Update is the correct update?

            When April .NET Security Only Update Windows 7 x64 is searched in the catalogue the result shows KB 4014985.

            http://www.catalog.update.microsoft.com/Search.aspx?q=April%202017%20.NET%20Security%20Only%20Update%20Windows%207%20x64

            When the Download button is clicked, unlike in the past where there was one active link to download, there are 4 active links. And those links do not correspond to KB4014985. As you can see, one is an MSU and the other 3 are EXE’s. Can you indicate which is the correct KB for a W7 x64 machine looking for the April .NET Security Only update? (4.5.2)

            My guess is KB4014566 based on the MS “support” page, but I’m not certain. Description of KB4014566, the security update for the .NET Framework 4.5.2 for Windows Vista Service Pack 2, Windows Server 2008 Service Pack 2, Windows 7 Service Pack 1, and Windows Server 2008 R2 Service Pack 1: April 11, 2017

            Thanks for any help you can provide.

            https://support.microsoft.com/en-us/help/4014985/security-only-update-for-the-net-framework-3-5-1-4-5-2-4-6-4-6-1-and-4

            • #108212
              pmacS33
              AskWoody Lounger

              In the past, when you were searching for a .NET patch, the KB pointed to a specific flavor of .NET. For example, 3.1.5 or 4.5.2.

              With the new rollup system that MS is deploying there is no specific MS, just the monolithic KB; in your example KB4014985.  The four individual downloads you see correspond to a specific .NET version:

              4014573 = .NET Framework 3.5.1
              4014566 = .NET Framework 4.5.2
              4014558 = .NET Framework 4.6, 4.6.1
              4014552 = .NET Framework 4.6.2

              You need to download the version of .NET supported on your systems.  .NET 3.5.1 was patched via .msu files while .NET 4x use .exe files.

              r/Dan

              2 users thanked author for this post.
              • #109008
                glnz
                AskWoody Plus

                dan (pmacs33) – But how do I know which versions of .NET I have on my Win 7 Pro 64-bit machine?

                Belarc Advisor says I have
                Microsoft – .NET Framework Version 2.0.50727.5483 (32/64-bit)
                Microsoft – .NET Framework Version 3.0.6920.5011 (64-bit)
                Microsoft – .NET Framework Version 4.0.41210.0 (32/64-bit)
                Microsoft – .NET Framework Version 4.6.1087.0 (32/64-bit)

                BUT Control Panel – Programs and Features lists only 4.6.1 and 4.6.2
                However, Windows Features indicates I have PART OF 3.5.

                Why has MS made this so complicated?

                EDIT – I just downloaded and ran Raymondcc .NET Detector.  It says I have
                2.0 SP2
                3.0 SP2
                3.5 SP1 and
                4.6.1

                Is it accurate?
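
The question above (which .NET versions are installed, and which of the four KB4014985 downloads applies) can be answered from the registry. The following is an added example, not part of any post in this thread: the package numbers are the ones pmacS33 lists, while the `Release` thresholds are assumptions taken from Microsoft's published .NET Framework version table and do not appear on this page.

```powershell
# Added example (not from the thread): detect installed .NET Framework
# versions and match them to the April 2017 Security Only packages.
# Written for PowerShell 2.0, which ships with Windows 7.

# Package numbers exactly as listed in the thread under KB4014985.
$kbByVersion = @{
    '3.5.1' = 'KB4014573'
    '4.5.2' = 'KB4014566'
    '4.6'   = 'KB4014558'
    '4.6.1' = 'KB4014558'
    '4.6.2' = 'KB4014552'
}

# Translate the v4\Full "Release" DWORD into a version label.
# Thresholds are the lowest Release value Microsoft documents per version.
function Get-Net4Label([int]$Release) {
    if     ($Release -ge 460798) { '4.7 or later' }   # newer than the thread's list
    elseif ($Release -ge 394802) { '4.6.2' }
    elseif ($Release -ge 394254) { '4.6.1' }
    elseif ($Release -ge 393295) { '4.6' }
    elseif ($Release -ge 379893) { '4.5.2' }
    elseif ($Release -ge 378675) { '4.5.1' }
    elseif ($Release -ge 378389) { '4.5' }
    else                         { "unknown (Release=$Release)" }
}

$ndp   = 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP'
$found = @()

# .NET 3.5 SP1 is the Windows feature that Windows 7 names "3.5.1".
$v35 = Get-ItemProperty "$ndp\v3.5" -ErrorAction SilentlyContinue
if ($v35 -and $v35.Install -eq 1) { $found += '3.5.1' }

# .NET 4.x versions replace each other in place, so at most one is present.
$v4 = Get-ItemProperty "$ndp\v4\Full" -ErrorAction SilentlyContinue
if ($v4 -and $v4.Install -eq 1) {
    if ($v4.Release) { $found += Get-Net4Label $v4.Release }
    else             { $found += '4.0' }   # 4.0 has no Release value
}

if ($found.Count -eq 0) { Write-Output 'No .NET Framework 3.5 or 4.x found.' }

# One row per detected version, with the matching download if the thread lists one.
foreach ($v in $found) {
    $kb = $kbByVersion[$v]
    if (-not $kb) { $kb = '(no package listed in the thread for this version)' }
    New-Object PSObject -Property @{ Version = $v; Package = $kb } |
        Select-Object Version, Package
}
```

The script only reads the registry, so it can be run from a non-elevated PowerShell prompt.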

            • #108213
              PKCano
              Da Boss

              If you go to the Catalog and click on the “Title” instead of “Download” it pops up a screen with a link “More Information.” That takes you to an explanation of which is which. “ndp45” is .NET 4.5 – check out the rest.

              3 users thanked author for this post.
              • #108435
                anonymous
                Guest

                Thank you for this! Finally figured out which update to install on Vista. 🙂

      • #108223
        dgreen
        AskWoody Lounger

        The only updates to HIDE for Group B are the telemetry patches for your version of Win. See AKB2000003 For more understanding of what to install for Group B see https://www.askwoody.com/forums/topic/group-b-and-patch-blocklists/#post-106970

        None of those KB’s were listed.
        IIRC they were removed from my “hidden” updates a while back.  I believe I posted here about it.  I assumed MS removed them.

        My XP went kaput (blue screen of death) after an update in 2013.
        When I got this computer with W7 I decided to only update with “critical” updates.
        You could say I’ve been in Group B since 2014.
        I found this site last year.

        Thanks again for your responses.

      • #108220
        anonymous
        Guest

        Until recently I was in the B-group, but finding the ‘right’ and avoiding the ‘wrong’ updates in MS’ enigmatic labyrinth is too much of a hassle every month, so I switched back to ‘Inform me about new updates’ (only).

        This time I did NOT wait for the green sign from Woody and -after making a back-up- installed two updates on my stand-alone Fujitsu i5 Windows 7 Pro SP1 x64 without problems so far:

        KB3141529 Security Update for Microsoft Office 2007 suites
        KB890830 Windows Malicious Software Removal Tool x64 – April 2017

        Not installed yet, but presented by Windows Update:

        KB4015549 Security Monthly Quality Rollup for Windows 7 for x64-based Systems
        KB4014981 Security and Quality Rollup for .NET Framework 3.5.1, 4.5.2, 4.6, 4.6.1, 4.6.2 on Windows 7 and Windows Server 2008 R2 for x64

        Thanks Woody, Patron X

        Edited to remove HTML content

        1 user thanked author for this post.
        TJ
      • #108251
        anonymous
        Guest

        Thanks for the info and need to be supervigilant about settings!  Ok so now I have the April updates is there a test I can do to see if they are causing issues?  I noticed someone above said they tried to run a couple of programs and they didn’t work.  Apart from the update to block future Windows updates for 6th generation onwards processors, what other issues are there with them please?   (I have 1st generation processor).

      • #108286
        anonymous
        Guest

        Ok – so here’s my second issue with the April updates (apart from them installing themselves).  I now have a pop-up telling me to activate Windows and it is showing as not activated.  It was activated days ago.

      • #108310
        anonymous
        Guest

        DO NOT install them!  I am sorry I am still showing up as anonymous – haven’t worked out how not to be anonymous.  But I am the anonymous who unwittingly installed the April updates.  I have issues already.

        1) My laptop is now showing as not activated.  I have owned this laptop for over 7 years, it came with Windows 7 on.  I did a clean install with a Windows 7 disc and used the product key from the base and it activated no problem – days ago.

        2) I am unable to remove the 5 April updates.

        3) I did system restore back to 2 days ago and the 5 updates are still installed (and I am still showing as not activated).

        At this point I am not even going to attempt to activate again, but will reinstall from my system image made a few days ago, before the April updates were installed (and when I was activated).  Which means I have to put all my xxxxx ing files and programs back on again!

        The five updates I had, which installed are:

        KB4015549 April 2017 Security Quality monthly roll-up

        KB973688 Update for Microsoft XML Core services 4.0 Service pack 2 for x64 based systems

        KB954430 Security update for Microsoft XML Core Services 4.0 Service pack 2 for x64 based systems

        KB4014981 April 2017 Security and Quality roll-up for .NET framework 3.5.1, 4.5.2, 4.6, 4.6.1, 4.6.2 on Windows 7 and Windows Server 2008R2 for x64

        KB890830 Windows Malicious Software removal tool x64 – April 2017

        Regarding Windows installing these updates because I shut down the laptop – I am still surprised it could do that when normally you have to agree to having the Malicious Software tool before it’s installed!

        • #109034
          Kirsty
          Da Boss

          Anon #108310

          I am sorry I am still showing up as anonymous – haven’t worked out how not to be anonymous.

          To not be anonymous, you can register here – it’s particularly painless, then we will be able to see your other posts easily too 🙂

      • #108338
        anonymous
        Guest

        Lol!  I now have my nice system image reinstalled, updated to the point just before the April updates.  I was still showing as not activated, so activated again without problem.  Just copying all my files back on yawn.  Windows Update is now turned to NEVER.  Before I turned it to NEVER I set it on the third option, just to see what came through.  Only three April updates came through so maybe they have pulled two of them?

      • #108582
        SueW
        AskWoody Plus

        I am sorry I am still showing up as anonymous – haven’t worked out how not to be anonymous.

        Are you logged in prior to posting your comments?  If so, and you’re still showing as ‘anonymous,’ then maybe someone else can suggest how not to be [just another] anonymous.

        Win 7 SP1 Home Premium 64-bit; Office 2010; Group B (SaS); Former 'Tech Weenie'
      • #108583
        Noel Carboni
        AskWoody_MVP

        Something new I’ve noticed on my Win 8.1 test system with Office…

        LinkedIn (and other) eMails in Outlook 2010 now no longer show embedded images, but rather little [x] indicators and “Right-click to download pictures” messages. Across the top are two messages in black on dark gray that seem to be pertinent…

        [Image: OutlookMessages]

        I think the images just showed in the preview pane before the patches.

        This may be considered by Microsoft to be a trifecta: It degrades the integration of an older version of Office, claims to improve user privacy, and (presumably) improves security – all at once. Makes you wonder, though, why not just fix the image display logic so it can’t be a vector to infection.

        Clicking to browse in the browser, by the way, produces this:

        [Image: ScreenGrab_NoelC4_2017_04_14_134159]

        -Noel

        • #108591
          b
          AskWoody Plus

          What does File, Options, Trust Center, Trust Center Settings, Automatic Download, Don’t download pictures automatically in HTML e-mail messages or RSS items show?

          (You can also unblock pictures for a particular sender or domain by adding them to the Safe Senders List.)

          Block or unblock automatic picture downloads in email messages

          1 user thanked author for this post.
        • #108931
          Bill C.
          AskWoody Plus

          I have been fighting that problem for over a year. It just keeps getting worse and worse. No changes seem to affect the problem. Not safe senders, not the Trust Center, nothing I can find.

          I finally installed Mozilla Thunderbird. According to Thunderbird it is remote content that is being blocked. If it is a trusted email source, I just open it in Thunderbird.

          I also set my server setting to allow messages to remain on the server until I delete them. I just delete them once I have them all downloaded. I did that so when on the road with a laptop, I did not have to boot it up to see those emails. I just started the desktop and they all came down. Now I just use my iPhone to delete them from the server.

          1 user thanked author for this post.
      • #108631
        yuhong
        AskWoody Lounger

        pmcjr, I would not recommend the MSRT. It rarely produces anything useful. A reasonable antivirus software installation far outstrips it. In addition, MSRT is now a suspect spyware tool used by Microsoft.

        Notice the MSRT stats in this blog post:

        https://blogs.technet.microsoft.com/mmpc/2010/05/21/msrt-may-threat-reports-and-alureon/

        2 users thanked author for this post.
        SueW, b
      • #108772
        ediekrag
        AskWoody Lounger

        Does anybody know what the “speed-up” patch for Vista is this month?  Last time I will ever have to ask this question 🙂

      • #109588
        anonymous
        Guest

        I hope someone can help clear something up for me.

        Win7 Pro 64-bit
        i5-6600 (google tells me this is a Skylake, however I can’t remember the manufacturer)

        The way I read the various articles, only some Skylakes will continue to get updates, and I’ll have to download Speccy to find out who made mine. I’d honestly prefer not to download/install something I know I’ll never use again.

        Furthermore, I have never seen a Speccy screenshot that listed the CPU brand, only the MOBO brand (ASUS in my case).

        Will I get update blocked if I install the April patches?

        I’m not going to actually update before Woody gives the clear, but I’d really like to get this cleared up.

        • #109596
          PKCano
          Da Boss

          I believe you can get the information:
          Start\Run – type in msinfo32 – Enter
          The Processor identification is on the first “System Summary” page.

          • #109786
            anonymous
            Guest

            Thanks for the replies everyone.

            It seems I will get blocked if I update, since I bought my PC ~1.5 years ago, from a shop that offers various customizable standard rigs. This leaves a somewhat sour taste in my mouth, since I paid extra to get win7 instead of 10 and I still had to settle for an OEM key.

            Seems like all I can do is either stop updating, or hope MS will start actually honoring their 2020 promise (fat chance).

            I’m curious as to whether or not I’d be able to update normally, if I uninstalled the blocking update.

        • #109607
          MrBrian
          AskWoody_MVP

          If you are blocked from installing updates, you can uninstall the blocking update(s) to become unblocked.

        • #109623
          anonymous
          Guest

          Unless your computer was purchased from a major manufacturer, chances are you will end up being blocked. I have the same Intel processor and built my own. I have no plans to accept any further Microsoft updates — Group W — I recommend it.

        • #109747
          JohnW
          AskWoody Plus

          The CPU brand is Intel.

          http://ark.intel.com/products/88188/Intel-Core-i5-6600-Processor-6M-Cache-up-to-3_90-GHz

          Unlike the motherboard, which can be manufactured by anybody using Intel chipsets, the processors are only made by Intel.
