  • MS-DEFCON 3: Lots of caveats, but it’s time to get patched

    • This topic has 246 replies, 49 voices, and was last updated 3 years ago.
      • #164878
        woody
        Manager

        The January 2018 patches are now history. Thank heavens. I hesitate to say it, but it’s time to take proper precautions, and get the January patches i
        [See the full post at: MS-DEFCON 3: Lots of caveats, but it’s time to get patched]

        11 users thanked author for this post.
      • #164883
        WildBill
        AskWoody Plus

        I can hold out until the details arrive in Computerworld. It was almost looking like another skipped month, IMO. Let’s hope the short month of February is uneventful.

        2 Machines for Now!
        #1: Windows 8.1, 64-bit, back in Group A.
        #2: Getting close to buying a refurbished Windows 10 64-bit, recently updated to v1909. Have broke the AC adapter cord going to the 8.1 machine, but before that, coaxed it into charging. Need to buy new adapter if wish to continue using it.
        Wild Bill Rides Again...

        • #164886
          Seff
          AskWoody Plus

          Agreed.

          Let’s hope the full article deals with the different aspects as they may apply e.g. to AMD or Intel users.

          Thanks to Woody in anticipation, and thanks also to those in the team who I’m sure he will have looked to for their thoughts in what I think we can all agree has been a nigh on impossible month to make sense of.

          1 user thanked author for this post.
      • #164881
        anonymous
        Guest

        No thanks, I’m not going to install these January patches that patch something that will unlikely ever  I bought a 6700K CPU for performance, I will not allow that to be compromised for IMO a non-existent threat

        1 user thanked author for this post.
        • #164894
          woody
          Manager

          That’s a perfectly reasonable response, if you’re willing to accept the possibility that some major malware may appear before you get patched. At this point, nobody knows, but there are signs of a lot of effort being devoted to using Meltdown/Spectre vulnerabilities. And the bugs in the January patches are reasonably well known. For February… your guess is as good as mine.

          1 user thanked author for this post.
          • #164899
            AJNorth
            AskWoody Plus

            THIRD BASE.

            (BTW Boss, is it now time to give up on getting Email notifications via an Outlook.com address? Tnx.)

            • #164918
              woody
              Manager

              That’s a bug in the AskWoody software. We’re working on it.

              1 user thanked author for this post.
              • #164999
                AJNorth
                AskWoody Plus

                Mucho Garcia!

                (When in trouble, when in doubt – run in circles, scream and shout.)

          • #164896
            anonymous
            Guest

            Wait a minute…..Woody – Are you saying that we don’t have to install January’s Updates if we’re unsure if it’ll affect our systems somehow? Even for those with Windows 10? We can pull off from January patches and just wait to install the February patches?

            You mean we as users who have Win 7 and 10 can decide what is best for our computers? We don’t have to install January’s patches if we don’t want to due to all the chaos and gooey confusion we’ve faced with this and that?

            • #164919
              woody
              Manager

              As far as I know, the only major problem solved by the January patches is the Equation Editor vulnerability — and I talked about manually disabling that a month ago.

              All of the other patches are speculative, at this point. If you think you’re lucky enough, go ahead and wait for February….

              3 users thanked author for this post.
      • #164890
        Cousinjack
        AskWoody Lounger

        Skipping, as I’m not sure what the actual performance hit will be on old hardware running 7. Going to get a test rig for linux distros in the next couple of weeks

      • #164885
        Rick59
        AskWoody Lounger

        Sometimes I’m not sure what is keeping me safe. I haven’t had any unwanted malware on my computer since Win98 which was my first computer ever (Had lots of fun reinstalling the OS several times as I moved along the learning curve)

        Was it the diligent patching of my machine? Was it my antivirus? Seems all I get is the odd false positive there. Is it because I use an adblocker? Is it because I use NoScript? Is it because I run everything exposed to the internet in Sandboxie? I also use HitmanProAlert but lately it just seems to complain about Sandboxie from time to time.

        When it comes to patches how much are they contributing to your security ? They won’t talk to you the way an antivirus does.

        Not dissing patches here, just wondering.

        January was a fun month, neither of our machines Win7-32 and Win10-64 would get the security update through WU even though I tweaked AVs, made sure the right registry key was set, ran WU troubleshooter etc. I feel now like I’m resigned to manually downloading the security patches every month. But not for long because Windows is getting kicked out of our house this year for good………. I’m tired of babysitting Redmond’s junk.

        3 users thanked author for this post.
      • #164900
        Microfix
        AskWoody MVP

        Unlike Microsoft’s patch descriptions, your Computerworld article is definitive, descriptive and helpful.

        Thanks again Woody!

        Let’s hope that February’s 2018 patches are like February 2017, namely W8.1 🙂

        2 users thanked author for this post.
      • #164902
        Kirsty
        Manager

        One word of caution on Kevin Beaumont’s list of antivirus products’ readiness for the Spectre patches, linked in Woody’s ComputerWorld article – it was last updated January 11th, and isn’t complete (others have since updated).

        3 users thanked author for this post.
      • #164895
        anonymous
        Guest

        Say Woody, which 1703 updates are safe when it comes to updates for a Windows 10 1703 x64 system? There’s KB4023057 and KB4073543. Then there is the update for Windows 10 x64 systems, KB4056254. So I need to know which ones of those I need to install with the others. So which ones are safe to install even among the two 1703 Windows 10 updates I just told ya? I need to know, those are the ones I’m concerned about.

        • #164910
          PKCano
          Manager
          1 user thanked author for this post.
          • #164917
            anonymous
            Guest

            Ahhh~I see these sneaky devils try to install 1709. But yeah I am leaning toward NOT installing January’s Updates just to be safe.

            Besides I don’t need anymore stress right now. I think my Lenovo can do without icky-gooey January patches for the month and get fresh, clean updates from Feb updates once we’re at Defcon3.

          • #164921
            woody
            Manager

            I should’ve included that info in the Computerworld article….

            • #164968
              anonymous
              Guest

              So is it safe to install the win 10 flash player, cumulative AND monthly malware protector updates and ignore the win 10 1703 and system updates that hide the 1709 force update in some odd way?

              I mean I am fine installing flash, cumulative and monthly malware and that way in a somewhat way my computer is safe and come february-it’ll have new system updates WITH NO HIDDEN 1709 FORCE updates to try to ruin my baby.

              • #164972
                PKCano
                Manager

                Yes.

              • #164976
                anonymous
                Guest

                Thank you PK. 🙂 Then I’ll install the flash player, cumulative and monthly malware protector. 🙂 I’ll do it tomorrow morning or tonight before bed. Pheww~THAT LIFTS A WHOLE LOT OFF MY shoulders PK I can’t thank you enough. 😀

                 

      • #164897
        anonymous
        Guest

        Unsure about performing the patches as I’m not sure on the situation with AMD machines, considering earlier in January the Meltdown/Spectre patches were making it so they could not boot at all.

        Honestly too afraid of the patch bricking my PC by making it unable to boot, I wouldn’t know how to fix that if it happened as I’m not as tech-savvy as other users on here if I had to run a Startup Repair sourced command line.

        • #164926
          woody
          Manager

          I haven’t heard of any AMD-specific problems with the latest patches, except Phenom II machines mentioned in the article.

          • #164942
            EricEWV
            AskWoody Lounger

            Accidentally clicked the wrong button to reply to you so decided to just go ahead and register.

            So my FX-Series should be fine? If so which patch should I nab since it seems they revised them so many times, or are the AKB2000003 links the most up to date?

            • #165033
              woody
              Manager

              If you’re talking about manually installing security-only patches, yep, AKB 2000003 has the latest.

              For most folks, Monthly Rollup should be fine.

              1 user thanked author for this post.
              • #165045
                EricEWV
                AskWoody Lounger

                Alright, thanks.  And yeah ever since the GWX debacle, when I first discovered the site, I’ve been doing security only.  Running Windows 7 as well, was in a rush so I left out some details earlier lol.  I saw MrBrian’s post about using KB4073578 as the latest security patch, but I’m still uncertain so I may hold off until more info pops up on here for us AMD users.

      • #164905
        anonymous
        Guest

        I think I’ll skip January’s patches to be safe for me and my Windows 10 Lenovo Ideapad 320. I mean it’s been weeks, there has been chaos, confusion, re-releases, this and that-So it’s been a huge scare around the net.

        Plus I don’t want to do anything I might regret and have to spend hours fixing the problem and get stressed out. So to save myself and my computer the trouble-I’m gonna skip January’s patches, relax at the Anime convention next week, keep the updates hidden including those of the February and install the February patches when there is the next defcon3.

        I am skipping the January patch after reading the article Woody posted-I don’t want to deal with any gooeyness hidden in any of the updates.

      • #164931
        PKCano
        Manager

        IMPORTANT

        For those of you who have Win10 1703:

        If you find KB4023057, KB4073543, and/or KB4056254 in your January updates, please read @abbodi86’s information on the patches before you install them.

        1 user thanked author for this post.
        • #164957
          anonymous
          Guest

          Okay PK-SO we shouldn’t install those updates then if it’ll cause the computer to force upgrade in some way to 1709. Then I SHALL Keep those hidden along with update to 1709 and install the Flash for Win 10, malware update, and cumulative.

        • #164973
          OscarCP
          AskWoody Plus

          PKCano:

          Same question, but about Windows 7 (just in case, mine is Pro, SP1, x64; CPU is old Intel I-7 sandy bridge).

          In particular, the safe (maybe, right now) KB numbers for: IE11 cumulative security only; Win 7 security only, and .Net.

          Thanks.

          Windows 7 Professional, SP1, x64 Group W (ex B) & macOS Mojave + Linux (Mint)

          • #164980
            PKCano
            Manager

            The above patches do not apply to Win7 – only Win10 1703.

            Please read @MrBrian’s comments in this thread about the Win7 security-only patches.

      • #164935
        MrBrian
        AskWoody_MVP
        • #165021
          AJNorth
          AskWoody Plus

          Interestingly, the Belarc Advisor is showing all the Intel-based machines as being deficient in KB4056897. However, since none of the Windows boxes under my wing utilize AMD, I do not know whether Belarc would recommend KB4073578 for those that do (perhaps someone with an AMD processor can do that experiment and report back to us…).

          1 user thanked author for this post.
        • #165152
          anonymous
          Guest

          Mr Brian said:
          KB4073578 can be considered the latest version of the Windows 7 Windows security-only update.

          1) Just to clarify wrt Win 7 … Did you mean the following patching route — ie. for those planning to install Jan 2018’s Security-Only Update ?

          • Win 7 AMD users:  Should install KB 4073578 (instead of KB 4056897)
          • Win 7 Intel users:  Should install KB 4056897 (original patch for both AMD & Intel CPUs)

          Because you also previously said

          Mr Brian  (January 25, 2018 at 8:09 pm):
          I didn’t install KB 4073578 because I don’t have an AMD processor.

          Meanwhile, Microsoft’s KB article (below) indicates that AMD users who got boot-killed by KB 4056897 should install KB 4073578. I suppose Microsoft is assuming that affected AMD users are able to get into command prompt (eg. via OS install/repair disc) & uninstall KB 4056897 first, before installing KB 4073578 in order to get Jan 2018’s security fixes.

          KB 4056897:  https://support.microsoft.com/en-us/help/4056897
          Issue: Microsoft has reports of some customers on a small subset of older AMD processors getting into an unbootable state after installing this KB [4056897]. This issue is resolved in KB 4073578.

          2) There are some (older ?) Intel CPU users who similarly got boot-killed by KB 4056897. So should such users also install the newer KB 4073578, even though the latter patch apparently applies only to AMD CPUs & only contains the fix based on updated AMD microcodes ?

          3) As for KB 4056897 (original patch, meant for Intel CPUs), wasn’t this Security-Only Update created based on flawed microcodes supplied & subsequently withdrawn by Intel ? So by implication, should Intel users avoid installing Jan 2018’s security update KB 4056897 — & thus forgo the rest of security fixes contained within the same (non-cumulative) patch ?

      • #164934
        anonymous
        Guest

        All this talk about skipping January updates has me curious.

        If I’m Group B I can’t skip because the “security only” packages are not cumulative, correct?

        Choices & independent thinking aside, the dilemma persists.  Having one more month until the next batch doesn’t seem like it will get me much except some slim hope that something gets revised in the interim.

        Is there a serious warning from woody & crew to avoid skipping the January security only updates?  And what are the known advantages, if any?

         

      • #164937
        anonymous
        Guest

        so for win7 b-group user on an old intel processor this months patches are

        Jan 2018 KB 4056897
        Jan 2018 (IE11) KB 4056568

        and a recommended system image backup?

        1 user thanked author for this post.
      • #164943
        anonymous
        Guest

        as i don’t have any amd hardware i don’t need amd fixes i assume?

        and on windows 8.1 notebook: how do i find out if i need this 4077561 (release 1/24 for PIC/APIC stop errors)?

        • #164982
          anonymous
          Guest

          update to my question: on 8.1 notebook i skipped 4073576 but i installed 4056898 and 4077561. as 4077561 being the latest version, does it include 4073576?

          for office 2010 there are two updates: 4011610, 4011611
          for excel 2010 there is one update: 4011660
          for word 2010 there is one update: 4011659
          for outlook 2010 there is one update: 4011273

          as i read about bugs in january office patches, which ones should i NOT install?

          • #164993
            PKCano
            Manager

            Please read @MrBrian’s comments about the security-only patches for Win8.1 in this thread.

            Also, Woody’s ComputerWorld article, linked in the main blog, about the Office patches.

            1 user thanked author for this post.
            • #165008
              anonymous
              Guest

              as i’m not that good in english i installed all security only patches for win 7: 4056897, 4073578 and ie11 4056568.

              on 8.1 i leave out 4073576, as 4077561 being installed already and if i have right, 4077561 is a replacement update replacing 4056898 and 4073576. so 4073576 seems to be needless after 4077561 being installed already. if i have not read right… well, as i said, my english is not that good…

              i also installed all office patches, malware removal tool and on 8.1 flash update.
              i don’t have xp and i haven’t read anything else regarding office 2010 patches…

              of course NO optionals have been installed, also nothing .net related (optional).

              • #165016
                anonymous
                Guest

                after installing office updates, now there is .net security quality rollup available.
                but as author of this article is not sure about .net, i will NOT install it unless anyone of you tells me to do so…

              • #165017
                anonymous
                Guest

                i forgot to mention: “important”, this new .net rollup is “important”.

              • #165020
                PKCano
                Manager

                Please read Woody’s advice on .NET patches in the ComputerWorld article linked in the main blog.

              • #165022
                anonymous
                Guest

                okay, installing .net security quality rollup marked as “important”. i still do NOT install optional .net framework…

      • #164958
        MrBrian
        AskWoody_MVP

        For Windows 7 and 8.1 users: If you’re in Group A, Windows Update might not offer you otherwise-applicable January 2018 updates for three reasons that have been mentioned already in other topics: antivirus compatibility, AMD processor issue, and PIC/APIC interrupt controller issue (Windows 8.1 only).

        If you’re in Group B, you don’t have the Windows Update-provided update blacklisting for those three issues that Group A users have. Even if you install the latest January 2018 Windows security-only update replacements (KB4077561 for Windows 8.1, KB4073578 for Windows 7), you still may experience the antivirus compatibility issue, and this is also true for any future Windows security-only updates that include the Meltdown/Spectre fixes.

        6 users thanked author for this post.
      • #164955
        anonymous
        Guest

        ANY CHANCE OF MACS IN YOUR FLEET, CAPTAIN WOODY?!

        Ahoy Captain Woody!
        Many thanks for keeping my beloved “Toshy” Win7 laptop safe for so long.
        Happily harboured now offline for good and still going strong on Office 2007.

        His replacement?
        A classic MacBook Pro 2012 running El Capitan.
        Office For Mac 2016 must have a “Special Team”!
        Updates so far so good.
        Mac OS Security Updates the same except…
        Meltdown and Spectre!
        Similar issues with Intel-based “fixes” on Macs too despite the usual Apple denial.

        I still regularly check your excellent posts here and on Computer World and re-interpret them for Mac as best I can.
        Your Pro Tips are great!
        Especially on holding off on firmware and software security updates for Meltdown and Spectre that are useless or unnecessary.

        So how about “Ask Woody On Macs”?
        Bring light To The Dark Side Too, Captain!

        Cheers!
        Sainty
        ⛵️

        • #165035
          woody
          Manager

          My brain is totally wiped out just dealing with Windows!

          If somebody would like to start issuing Mac/iOS patching recommendations, I’d be happy to host them. But for me, there ain’t enough hours in the day….

          • #165039
            PKCano
            Manager

            Believe me, Mac patching is not stressful.
            I’ve never had a BSOD or failure to operate correctly afterward.

            I can only watch the chaos that is Windows!!!

            2 users thanked author for this post.
            • #165250
              Ascaris
              AskWoody_MVP

              Apple still believes in silly, outmoded concepts like testing patches before shipping them to the customers, presumably.

              Group "L" (KDE Neon Linux 5.21.2 User Edition)

              1 user thanked author for this post.
      • #164964
        Seff
        AskWoody Plus

        I’m a tad confused on the AMD issue.

        Woody, you mention above that you’re only aware of AMD issues now with Phenom II machines as mentioned in the article, but that article only mentions them in the context of a specific Windows 10 update. I wasn’t under the impression that the AMD issue was only specific to Windows 10, so is that in fact the case or else what do those of us with Phenom II machines running Windows 7 do?

        I’ve thus far only installed (an hour ago) the MSRT and KB4056894 (monthly rollup) on my Intel Windows 7 machine (which has an AMD Radeon graphics card) – so far so good. The plan is to leave it for a day or two before installing the .Net Framework update if all is well, and then the Office 2010 updates if all is well thereafter. Only after that will I consider what to do with my other Windows 7 machine which has an AMD Phenom II processor (and Nvidia graphics card).

        • #165036
          woody
          Manager

          I believe the outstanding AMD problems have been solved. The only current problem I see is the one mentioned in the article.

          1 user thanked author for this post.
      • #164965
        anonymous
        Guest

        I think I’m going to skip as well for win10 1607, both mine and my parents’, until tis time for installing February patches or if an imminent threat appears, whichever one comes first…thanks Woody and the gang here, as always!

      • #164985
        WildBill
        AskWoody Plus

        Being in Windows 8.1 Group A (more or less), I’m downloading KB4077561 1st to fix the PIC/APIC bug. Then applying the Rollups for Win 8.1, .NET Framework, Flash Security Update (even though I’ve turned off Flash), & the MSRT (Malicious Software Removal Tool). Along with those, the .NET Framework for 4.7.1 (KB4033369). Though I don’t use Skype, thinking of applying the Skype for Desktop 7.3 update (KB2876229) to get caught up. Also applying Office updates for January.

        Don’t need to download the .NET Framework WPF fixit tool (KB4074906), since that’s for Win 7 SP1 & Windows Server 2008 R2 SP1. Not downloading KB4078130, since haven’t applied Intel microcode that the KB bypasses for Spectre 2; my processor is Ivy Bridge [Pentium 2020M], which Intel says isn’t affected by Spectre 2. I never apply KB2976978 (“compatibility update” unless I finally upgrade to Win 10), KB3080149 (Telemetry), & KB4023307 (Silverlight). Before all that…

        I will update Windows Defender, remove Win32/Spectre.A with it, run a full scan to make sure I’m clean, then get Macrium Reflect Free & do a full image backup.

        2 Machines for Now!
        #1: Windows 8.1, 64-bit, back in Group A.
        #2: Getting close to buying a refurbished Windows 10 64-bit, recently updated to v1909. Have broke the AC adapter cord going to the 8.1 machine, but before that, coaxed it into charging. Need to buy new adapter if wish to continue using it.
        Wild Bill Rides Again...

        1 user thanked author for this post.
      • #164986
        twbartender
        AskWoody Plus

        I’m also a little confused about installing (security only) KB4056897 or KB4073578. According to the Microsoft Support Page for KB4073578, this update is not a replacement for a previous released update. As stated in the article under, “Update Replacement information”. The article was last updated on Jan 19, 2018

        1 user thanked author for this post.
      • #164992
        NoLoki
        AskWoody Lounger

        I have an AMD64, Athlon X2. I just now installed KB4073578, W7/64.

        I am Group B. I use MSE and MBAM 3, both were current before I started the MSI installer.
        – I stayed offline for the update.

        It took a lot longer doing the system configuration than most updates, however that might be because it is a kernel update. Once the first round of configuration updates completed, I got the screen indicating that Windows was starting, then it started a second round of configuration. It took a while, but it completed successfully and I got the login screen. Trusted installer ran for about 40 minutes after that, then it completed.

        I was concerned as the disk was thrashing and the system was at 100% most of the time – MSE and MBAM kept diving in while trusted installer tried to finish, after the system restart.

        The system is up and running just fine. No slowdown. As a test, I shut down completely and rebooted.
        – All is well and the system is now supposedly protected from meltdown.

        7 users thanked author for this post.
      • #164997
        FakeNinja
        AskWoody Lounger

        What about the slowdowns? I really want to know if there’s a difference, especially now that Microsoft claims that “Windows 7/8.1 users will probably get the biggest slowdown” and given that the patch is hard to uninstall. Are there any good third party tests on this yet?

        4 users thanked author for this post.
        • #165013
          Cascadian
          AskWoody Lounger

          I have wondered if we are experiencing a First-party test right here on AskWoody. There are many variables involved in the repairs to a live environment, coinciding with updates applied, coinciding with massive public interaction on MSDefcon change day.

          But while others had noted slowdown previously, I did not until today. And it is significant. All good things are truly worth waiting for.

        • #165037
          woody
          Manager

          Good question.

          I’m not aware of any noticeable slowdowns with any of the latest patches. Of course, that’s based on personal machines. If you’re running an overloaded server, your mileage may well differ.

          1 user thanked author for this post.
      • #165004
        Microfix
        AskWoody MVP

        So, those not inclined not to trust January Patchmess in Group A could theoretically skip and wait for February patches meanwhile Group B have to patch regardless.

        Are cracks in the patching framework starting to appear?

        • #165010
          PKCano
          Manager

          The problems surrounding Group B have only been getting more complicated for a while.

          2 users thanked author for this post.
        • #165089
          The Surfing Pensioner
          AskWoody Plus

          That depends on how you look at it. Those in Group A will inevitably be blessed with January Patchmess in February anyway (monthly rollups are cumulative). Those in Group B can choose whether to patch now, or take their chances risking a Spectre/Meltdown infection just a little longer. It’s horses for courses, I guess.

      • #165009
        Cascadian
        AskWoody Lounger

        Offering additional thanks on your writing style Woody. The complex can be made simple after all. I too was considering just letting JAN2018 go by without installing, then allowing FEB GroupA to do all the work. Decided to trust the Yellow3 you give, because of the doubt involved with predicting the future.

        And thanks for the heads up you give NoLoki. My AV and chosen method does not match yours. But I think the differences will not prevent a similar delay. Your post allows me to relax when the same happens here.

        Thanks to all involved, for the extra work this winter. Truly appreciated.

      • #165025
        dgreen
        AskWoody Lounger

        I am group A.
        Is it safe to do the Group A January rollup patch via my windows update, or do I just sit tight?
        I have never done a system image or a backup.  I have no idea of how to even go about it.

        I have Microsoft Security Essentials
        I use Chrome browser that was just updated to Version 64.

        Dell Inspiron 660 (purchased in 2013) just replaced hard drive in November 2017 and had Windows 7 reloaded.
        Windows 7 Home Premium 64 bit SP 1
        Server 2008 R2 x64
        Processor:  Intel i3-3240 (ivy bridge 3rd generation)
        chipset Intel (R) 7 series/C216
        chipset family SATA AHCI Controller -1 E02
        After new hard drive installed went to Group A

         

        I’m a bit nervous about applying January’s patch.

         

      • #165028
        anonymous
        Guest

        For Group B advocates with Windows 7 concerned about which of the January security-only updates to apply, take a look at this site:

        https://www.sevenforums.com/news/412466-kb4073578-update-fix-unbootable-state-amd-devices-windows-7-a.html

        Basically, it is recommended there that you install KB 4056897 and KB 4073538 BUT ONLY restart your computer AFTER both updates have been installed. Do not restart after the first update, but only after both are installed. Apparently, this way the potential boot problem with 4056897 gets corrected before it happens.

        3 users thanked author for this post.
        • #165052
          OscarCP
          AskWoody Plus

          I would like to point out that the recommendation there is three weeks old.

          MrBrian, today (see #16497)  recommends everyone with Windows 7  (Intel or AMD CPU)  installs KB4073578.

          Windows 7 Professional, SP1, x64 Group W (ex B) & macOS Mojave + Linux (Mint)

          2 users thanked author for this post.
          • #165057
            Seff
            AskWoody Plus

            That appears to be an incorrect comment number, could you please clarify the thread it relates to? Is it the one in which MrBrian recommends that Windows 7 Group B users install KB4073578 as a replacement to the original January update? Microsoft say it isn’t a replacement for any other update. I’ve also seen it recommended that both updates are installed, and yet KB4073578 isn’t offered through WU to Group A users anyway. I think some clarification is needed here, not least for Group A Windows 7 AMD users whose current position is both precarious and unclear in my view – especially given that Woody’s article only lists an AMD Phenom II issue in relation to a specific version/update of Windows 10.

             

            1 user thanked author for this post.
            • #165285
              abbodi86
              AskWoody_MVP

              Group B should install KB4073578 only
              Group A should install KB4057400 (preview rollup)

              Microsoft’s general rule on the metadata level is that non-security updates do not replace security updates, per se,
              but KB4073578 does contain and replace security-only components

              3 users thanked author for this post.
      • #165054
        OscarCP
        AskWoody Plus

        OK: So far I seem to get the idea that two (maybe) safe patch versions, for my Windows 7, x64, CPU Intel Sandy Bridge, are Windows Security Only and IE11 Cumulative Security number KB4073578 and KB4056568, respectively.

        But what is(are) the KB(s) of the .NET update(s) that is(are) OK to install now (assuming there are any (maybe) safe ones already)?

        To anyone who knows the answer and lets me know what it is: Thanks!

        Windows 7 Professional, SP1, x64 Group W (ex B) & macOS Mojave + Linux (Mint)

        1 user thanked author for this post.
        • #165063
          PKCano
          Manager

          Woody’s ComputerWorld article has information on .NET

          • #165070
            OscarCP
            AskWoody Plus

            Not quite: a link there to another site that seems to have a link to the actual MS update, but then, on going there, I find myself in a site in what could be Arabic, so I get out of there. Then further searches get me to a MS English page for the update but with no “download” link on it. Instead, there is a recommendation to turn on Automatic Updates. Which means that then everything else out there will rush in and get installed as well.

            So, given this entirely unfortunate situation, I am holding off installing anything with .net in it. And probably everyone else should follow suit, to be safe.

             

            Windows 7 Professional, SP1, x64 Group W (ex B) & macOS Mojave + Linux (Mint)

        • #165064
          Seff
          AskWoody Plus

          I’ve no idea whether it’s safe to install, I haven’t tried yet on my Windows 7 machines, but the .Net Framework update I’m being offered as an Important update is KB405532. I’ve hidden KB4033342 which is an Optional update relating to .Net Framework 4.71 which I neither have nor want. I’ve also hidden the Optional  .Net Framework Preview KB4057270. These updates do tend to vary, however, according to which versions of .Net Framework you have installed, so “your mileage may vary” as they say!

      • #165062
        FakeNinja
        AskWoody Lounger

        I made performance tests before and after the update if anyone is interested.

        Decrease in Performance after Meltdown Patch

        1 user thanked author for this post.
        • #165086
          bobcat5536
          AskWoody Lounger

          Performance test down here too and if you get the new beta 5.23.5 release of Sandboxie, it works.

          https://forums.sandboxie.com/phpBB3/viewtopic.php?t=25114

          1 user thanked author for this post.
        • #165083
          anonymous
          Guest

          Same here, performance decrease and Sandboxie borked. Was this Meltdown patch part of the monthly rollup update? If so, I think I just joined group W.

          • #165100
            bobcat5536
            AskWoody Lounger

            My performance was slightly down and I installed the new beta version of Sandboxie and it fixed that.

      • #165073
        bobcat5536
        AskWoody Lounger

        Two Questions. One, after reading various posts about KB4033342 on Win 7 x64, should we install the .NET offline installer or just hide it and forget about it?

        Two, Win 10 Pro 1703. I’m using wushowhide and feature updates delayed set to 365 and pause updates set to 35 days. As soon as I uncheck pause updates, it downloads and installs. Where do I get to pick and choose what to install and not install? It installed both KB4023057 and KB4056254 as soon as I unchecked pause updates and I had no choice. None of the updates showed up in wushowhide when I ran it before updating.

      • #165079
        Purg2
        AskWoody Lounger

        “Unholy mess.”  This makes me want to forego 4055266.  There’s no real pressing issue for me.  Others might have the need, to each their own.

        Win 8.1 (home & pro) Group B, Linux Dabbler

      • #165081
        anonymous
        Guest

        @OscarCP you should install KB4056897; it’s a security-only update. KB4073578 is not, and it’s for AMD devices.

        For me, KB 4056897 and KB 4056568 both installed. Group B

      • #165085
        David F
        AskWoody Plus

        Group B Win 7 64 bit

        Seems okay so far (touch wood) and SFC /Scannow is clean, so hopefully Nadella’s Noobs haven’t broken anything critical.

        Why is patching starting to feel like the Apollo 13 mission, flying round the dark side of the moon?

        1 user thanked author for this post.
      • #165076
        anonymous
        Guest

        Win7 Pro x64 on Zbook 17 Workstation. FWIW, Looked up and installed the January Security Only .Net patches for versions onboard. Do not have nor plan to install 4.7. (Wish those .Net Security Only KB’s could be listed for Group B!) Did a full image and file backup as recommended prior. KB4054176, etc.

        Then installed Security Only, IE11 KB4056568; then installed KB4056897 separately; no AMD on this machine. Touch wood, everything still working. No clue about speed after patching. Seems unchanged but likely won’t know until I use DxO Pro 9 for photo/RAW image development which is processor-intensive. Will watch this site for more expert feedback! 😉

        Have Office 2010 Home & Student on here. Will turn on WU tomorrow and hide the rollups. Will be offered Office updates I expect. Install those or ignore any???

        Thanks!

        3 users thanked author for this post.
      • #165084
        anonymous
        Guest

        My computer is Windows 7 Home Premium 64-bit SP1
        AMD FX-6300 Six Core Processor, 4.0GB Ram, ATI Radeon 3000 Graphics.

        I installed KB4056894 January 5 and have had no problems but I have hidden KB405532 which is listed as important and KB4033342 is listed as Recommended. I don’t need any problems, I know just enough techie stuff to get into a lot of trouble. Should I install or chicken out?

      • #165087
        anonymous
        Guest

        What about the Intel Management Engine flaw?  I believe this is different than Meltdown et al, but has been overshadowed since the news in late November.  Should the home user patch this or let it be?

        https://www.intel.com/content/www/us/en/support/articles/000025619/software.html

        • #165104
          anonymous
          Guest

          Is your machine VPro? There will be a sticker probably. If so, use the patch from your OEM. Did it on mine but IMO if yours isn’t VPro, you have less to worry about.

          • #165122
            anonymous
            Guest

            Sorry, didn’t read your link first. There IS a serious IME VPro vulnerability. Your link though references the WPA2 patch. If your OEM has one as mine did, yes, probably worthwhile. Not a techie myself but assume your router needs a patch too. For that, ask your ISP and/or your router OEM.

      • #165112
        geekdom
        AskWoody Plus

        Plugged the holes.

        Making backups.

        Always keep a rescue disk and a system image.

        On Hiatus {with backup and coffee}
        offline▸ Win10Pro 2004.19041.572 x64 i3-3220 RAM8GB HDD Firefox83.0b3 WindowsDefender TRV=1909 WuMgr
        offline▸ Win10Pro 20H2.19042.685 x86 Atom N270 RAM2GB HDD WindowsDefender WuMgr GuineaPigVariant
        online▸ Win10Pro 20H2.19042.804 x64 i5-9400 RAM16GB HDD Firefox86.0 WindowsDefender TRV=20H2 WuMgr
      • #165116
        geekdom
        AskWoody Plus

        (When in trouble, when in doubt – run in circles, scream and shout.)

        “Stand-in-place panic.”

        –Patrick McManus

        On Hiatus {with backup and coffee}
        offline▸ Win10Pro 2004.19041.572 x64 i3-3220 RAM8GB HDD Firefox83.0b3 WindowsDefender TRV=1909 WuMgr
        offline▸ Win10Pro 20H2.19042.685 x86 Atom N270 RAM2GB HDD WindowsDefender WuMgr GuineaPigVariant
        online▸ Win10Pro 20H2.19042.804 x64 i5-9400 RAM16GB HDD Firefox86.0 WindowsDefender TRV=20H2 WuMgr
        2 users thanked author for this post.
      • #165117
        bobcat5536
        AskWoody Lounger

        I have a couple of duplicate replies as it is taking a while for them to post. Don’t know if this is related to the latest updates or not.

        • #165119
          Kirsty
          Manager

          You were caught in the sp*m filter – reposting just causes us more work, in this case (not always…) 😉

          1 user thanked author for this post.
      • #165120
        b
        AskWoody MVP

        As you go through the steps, keep in mind that Microsoft, uh, forgot to honor the “Current Branch for Business” setting —

        That was for a few weeks three months ago. Version 1709 has been “Current Branch for Business” (Semi-Annual Channel) for three weeks now.

      • #165125
        samak
        AskWoody Lounger

        “ProTip #3. Make a full system image backup before you install the January patches.
        This month more than ever, there’s a non-zero chance that the patches — even the latest, greatest patches of patches of patches — will hose your machine. Best to have a backup that you can re-install even if your machine refuses to boot.”

        How do you restore a system image (e.g. Macrium) if your machine won’t boot?

        W7 SP1 Home Premium 64-bit, Office 2010, Group B, non-techie

        • #165127
          PKCano
          Manager

          You use the Macrium (or whatever image software you use) Rescue CD/USB. You did make it when you installed the software, didn’t you?

          1 user thanked author for this post.
          • #165131
            samak
            AskWoody Lounger

            Thanks. Yes, I did make a rescue USB. I just interpreted the “refuses to boot” phrase to mean that there was a possibility that you wouldn’t be able to boot to the USB either.

            W7 SP1 Home Premium 64-bit, Office 2010, Group B, non-techie

            • #165316
              geekdom
              AskWoody Plus

              This is a parenthetical comment to the backup advice:

              • Make sure you make backups on a consistent basis — the whole banana including system images.
              • Make sure you have a rescue disk — that is, a separate disk that will boot your computer if your computer hurls.
              • Keep your rescue disk and backups accessible. Know where they are.
              • Make sure you know how to use your backups. Someday you will have a computer emergency: your computer will hurl. Really. Guaranteed. Your backups will do you no good at all if you can’t find them and don’t know how to use them.

              With the current software updates, it’s much more likely that you will need backups. Act now and avoid panic.

               

              On Hiatus {with backup and coffee}
              offline▸ Win10Pro 2004.19041.572 x64 i3-3220 RAM8GB HDD Firefox83.0b3 WindowsDefender TRV=1909 WuMgr
              offline▸ Win10Pro 20H2.19042.685 x86 Atom N270 RAM2GB HDD WindowsDefender WuMgr GuineaPigVariant
              online▸ Win10Pro 20H2.19042.804 x64 i5-9400 RAM16GB HDD Firefox86.0 WindowsDefender TRV=20H2 WuMgr
              4 users thanked author for this post.
      • #165128
        anonymous
        Guest

        ? says:

        KB4056897 works for an old Pentium 3.06 HT, no problem…

        KB4056897 does not work for a first gen K8 AMD AthlonX2. locked up solid on re-boot. got out Windows 7 Repair Disk and did: DISM /image:D:\ /cleanup-image /revertpendingactions, reboot back into Windows desktop and run KB4073578. reboot to desktop

        so much for January “updates!”

        • #165130
          PKCano
          Manager

          @MrBrian recommended to use KB4073578 as the Security-only update for Win7

          • #165132
            anonymous
            Guest

            ? says:

            Thank you, PKCano! i guess i get bleary-eyed at this late stage of windows 7 monthly updates.

             

      • #165133
        PKCano
        Manager

        I see a lot of confusion. I am going to share what I have done personally with my machines. All mine are Intel based.

        As a prelim:
        1. Update your Anti-virus to the latest version of the PROGRAM. Check to be sure the ALLOW Regkey is set.
        2. Verify whether your CPU is Intel or AMD.
        3. Backup your computer!!!!!
        4. Rule: DO NOT CHECK ANYTHING THAT IS NOT CHECKED BY DEFAULT

        The following are only my choices. Make the choices as applies to your case.

        Win7.
        I installed KB4056894 Monthly Rollup. If you have AMD and you feel unsure, download KB4073578 and install it manually first then the Rollup. See AKB2000003. EDIT: See @abbodi86’s comment at #165285. Normally it is not recommended to install unchecked Preview patches, but in this case KB4057400 Preview probably contains the AMD fixes found in KB4073578.
        I installed MSRT
        I installed all the Office 2010 updates
        I have .NET 4.7 on all machines. I did not install .NET 4.7.1 (unchecked).
        My choice for .NET has always been the Rollups offered by WU.
        For Group B – follow @MrBrian’s instructions.

        Win8.1
        I installed KB4056895 Monthly Rollup. If you have AMD and you feel unsure, download KB4073576 and install it manually first then the Rollup. I suspect the PIC/APIC problem will be fixed in the Feb Rollup. See AKB2000003. EDIT: See @abbodi86’s comment at #165285. Normally it is not recommended to install unchecked Preview patches, but in this case KB4057401 Preview probably contains the fixes found in KB4073576 and KB4077561.
        I installed the IE Flash update
        I installed MSRT
        I installed all the Office 2010 updates
        I have .NET 4.7 on all machines. I did not install .NET 4.7.1 (unchecked).
        My choice for .NET has always been the Rollups offered by WU.
        For Group B – follow @MrBrian’s instructions.

        Win10 1703
        Using wushowhide I hid KB4023057, KB4073543, and KB4056254
        I installed CU KB4057144 Build 15063.877
        I installed all the other non-driver patches.

        Win10 1709
        I have KB4056892 Build 16299.192 installed.
        I was not offered KB4058258 Build 16299.214 through WU and I did not try to manually install it. It seems to have an installation problem as noted here.

        EDIT 1/6/18 to add @abbodi86’s comments

        9 users thanked author for this post.
        • #165141
          bobcat5536
          AskWoody Lounger

          Quick question.  Windows 10 1703  I run wushowhide on a regular basis and have never had it bring up a KB update. I get plenty of driver, printer and other stuff. I’m wondering if I’m not running something right. I always check the advanced box first and uncheck the fix option, but have never seen any KB’s.

          • #165268
            PKCano
            Manager

            They showed up on mine.

            Sometimes it is best before updating to run Disk Cleanup\Cleanup System Files and cleanup Windows Update points before you start, reboot, then run wushowhide immediately after startup.

            2 users thanked author for this post.
      • #165139
        pulsar
        AskWoody Lounger

        Non-techie user here so I really appreciate all the guidance and advice from Woody, PK and everyone on here! I recall reading about a rebooting problem for Win 7, 64-bit machines with Haswell processors (which I have) after application of the January patches. Has this issue been resolved?

        • #165142
          PKCano
          Manager

          I think most of the problems with the Intel processors were associated with the microcode firmware updates from Intel that were then dispensed by the OEMs.

          The boot problems with the Jan patches were mostly concerning machines with AMD processors and some AMD Radeon graphics cards.

          1 user thanked author for this post.
      • #165143
        Noel Carboni
        AskWoody_MVP

        Woody, I’d probably have mentioned the performance hits these patches cause as something to consider. Most folks probably won’t see the slowdowns in their daily work, and you may be advising for the masses, but make no mistake, the performance hits are there.

        And there are STILL very few people who have good, solid before/after measurements.

        -Noel

        1 user thanked author for this post.
        • #165159
          anonymous
          Guest

          No third-party benchmark software installed but did run Performance Information Windows Experience Index test from Win7 Control Panel. FWIW, scores didn’t change after installing KB4056897. No clue how indicative that might be…

        • #165247
          woody
          Manager

          I haven’t seen any validated slowdowns for “regular” users. Have you?

          • #165307
            Noel Carboni
            AskWoody_MVP

            I have personally sensed a slowdown so far on the small Win 7 hardware system I run.

            It’s a Haswell Pentium G3220, 2 core with 8 GB of RAM. A minimal, inexpensive system to say the least. But it never really felt slow to do things on the desktop until just the other day. I happened to log in when it was running a MSE malware scan – something that’s uncommon to be running when I’m logged in, but I’m sure I’ve done so before while a scan is running. I’ve logged in during scans a number of times just to learn why the disk light was active.

            This time – post January Windows patches, but no microcode changes – the desktop was almost unusably slow – QUITE noticeable. I found myself waiting several seconds for any application to start.

            That’s the first time this system has felt slow to respond – ever – since I installed it in 2015. With a RAID array of SSDs and plenty of free resources, such a system should NEVER be noticeably sluggish.

            Using an application that stresses the I/O subsystem I measured a repeatable 30%+ drop in the disk I/O throughput on this system, from an ability to move 1400 megabytes per second to/from the disks to 900 megabytes per second after the patches. I believe this is directly responsible for the sluggishness when doing a malware scan – which is limited by I/O throughput.

            So yes, I’ve now seen the performance degradation in real world usage myself, under just the conditions in which I’d expect to sense a problem with a reduction in operating system I/O performance – trying to do something while something else was using the system volume heavily. Pretty much since time began the thing that holds any computer system back from doing more work and being responsive is I/O latency and throughput limitations.

            -Noel

            2 users thanked author for this post.
      • #165140
        anonymous
        Guest

        Not receiving email confirmation of registering for this site?

        • #165147
          PKCano
          Manager

          It is an ongoing problem with the website software.

          1 user thanked author for this post.
        • #165240
          Elly
          AskWoody MVP

          If you checked your spam filter and it wasn’t there, either… then Woody usually tells people to e-mail him directly at woody@askwoody.com

           

          Non-techy Win 10 Pro and Linux Mint experimenter

          1 user thanked author for this post.
      • #165145
        anonymous
        Guest

        My question, is it safe now to go ahead and download /install NetFramework4.7.1 (KB4033342) for win7 ?

        • #165153
          PKCano
          Manager

          KB4033342 is UNCHECKED in Windows Update.

          Rule: DO NOT CHECK ANYTHING THAT IS NOT CHECKED BY DEFAULT

      • #165156
        MrBrian
        AskWoody_MVP

        I propose doing the following regarding Windows updates this month:

        For any manually-installed Windows update from January 2018 and later: If you use antivirus, you must ensure that the antivirus-related registry item was set by your antivirus before proceeding with manual installation

        If you don’t use antivirus, set the antivirus-related registry item, so that Windows Update won’t blacklist relevant updates.

        Group A Windows 7:

        If Windows Update offers KB4056894 then install it. If Windows Update doesn’t offer KB4056894, then if Windows Update offers KB4057400 then install it. If neither update is offered, then wait for the February 2018 Windows updates.

        Group A Windows 8.1:

        If Windows Update offers KB4056895 then install it. If Windows Update doesn’t offer KB4056895, then if Windows Update offers KB4057401 then install it. If neither update is offered, then wait for the February 2018 Windows updates.

        Group B Windows 7:

        Manually install KB4073578. Manually install KB4056568.

        Group B Windows 8.1:

        Manually install KB4077561. Manually install KB4056568.

        12 users thanked author for this post.
        • #165157
          bonbon
          AskWoody Plus

          How do you check your antivirus registry key to make sure it is correct?  A list on Microsoft shows that Norton has fixed the registry key.  I also uninstalled and reinstalled Norton to make sure I have the most recent updated software. 

          But I don’t know how to check the registry key on my computer to make sure it is correct, although Norton representative tells me it is correct and that shouldn’t be the issue.
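
          Added example (not part of any post in this thread): a read-only PowerShell check for the antivirus compatibility registry value that MrBrian's instructions and the question above refer to, plus a report of which January 2018 KBs named in this thread are installed. The registry path and value name are the ones Microsoft published for these updates, not something quoted on this page, and the function names are made up for the example.

```powershell
# Added example, read-only: nothing here changes the registry or installs anything.
# Written for Windows PowerShell 2.0 and later, as shipped with Windows 7 / 8.1.

# Assumption: location and name of the antivirus compatibility value as published
# by Microsoft for the January 2018 updates (this thread never spells it out).
$KeyPath   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat'
$ValueName = 'cadca5fe-87d3-4b96-b7fb-a231484277cc'

# KB numbers exactly as named in this thread, keyed by major.minor OS version.
$ThreadKbs = @{
    '6.1' = @{   # Windows 7 SP1
        'KB4056894' = 'Monthly Rollup (Group A)'
        'KB4057400' = 'Preview rollup (Group A fallback)'
        'KB4056897' = 'Original security-only update'
        'KB4073578' = 'AMD unbootable-state fix (Group B pick)'
        'KB4056568' = 'IE11 security update (Group B)'
    }
    '6.3' = @{   # Windows 8.1
        'KB4056895' = 'Monthly Rollup (Group A)'
        'KB4057401' = 'Preview rollup (Group A fallback)'
        'KB4056898' = 'Original security-only update'
        'KB4077561' = 'Group B pick for 8.1'
        'KB4073576' = 'Fix for older AMD processors'
        'KB4056568' = 'IE11 security update (Group B)'
    }
}

function Get-AvCompatFlagStatus {
    # Windows Update withholds the January 2018 security updates until this
    # value exists as a REG_DWORD with data 0.
    if (-not (Test-Path -Path $KeyPath)) {
        return 'NOT SET: QualityCompat key does not exist'
    }
    $key = Get-Item -Path $KeyPath
    if ($key.GetValueNames() -notcontains $ValueName) {
        return 'NOT SET: key exists but the value is missing'
    }
    $kind = $key.GetValueKind($ValueName)
    $data = $key.GetValue($ValueName)
    if ($kind -eq [Microsoft.Win32.RegistryValueKind]::DWord -and $data -eq 0) {
        return 'SET: REG_DWORD 0x00000000'
    }
    return "UNEXPECTED: type=$kind data=$data"
}

function Get-ThreadKbStatus {
    # '6.1.7601' -> '6.1', '6.3.9600' -> '6.3'
    $osVersion = (Get-WmiObject -Class Win32_OperatingSystem).Version
    $prefix    = ($osVersion -split '\.')[0..1] -join '.'
    if (-not $ThreadKbs.ContainsKey($prefix)) {
        Write-Warning "OS version $osVersion is not Windows 7 or 8.1; nothing to check."
        return
    }
    # Get-HotFix lists updates by the KB id they were installed under. A KB that
    # is absent here may still be covered by a later cumulative rollup.
    $installed = @(Get-HotFix | ForEach-Object { $_.HotFixID })
    foreach ($kb in ($ThreadKbs[$prefix].Keys | Sort-Object)) {
        New-Object PSObject -Property @{
            KB        = $kb
            Installed = ($installed -contains $kb)
            Role      = $ThreadKbs[$prefix][$kb]
        }
    }
}

"Antivirus compatibility flag: $(Get-AvCompatFlagStatus)"
Get-ThreadKbStatus | Select-Object KB, Installed, Role | Format-Table -AutoSize
```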

        • #165162
          anonymous
          Guest

          Would you mind explaining your reasoning for pushing to non-AMD machines KB4073578? Installed the original KB4056897, which by now might have been revised anyway, on my Intel/Nvidia machine today, so far without issue. https://support.microsoft.com/en-us/help/4073578/unbootable-state-for-amd-devices-in-windows-7-sp1-windows-server-2008

          • #165183
            MrBrian
            AskWoody_MVP

            “Would you mind explaining your reasoning for pushing to non-AMD machines KB4073578?”

            It makes the instructions simpler :). If you have already installed KB4056897 and restarted your computer and had no issues, then I believe there’s no compelling reason to install KB4073578.

            3 users thanked author for this post.
        • #165185
          Steve D.
          AskWoody Lounger

          MrBrian,

          Here are quotes from Microsoft on the support pages for each of the Windows security updates you recommend be installed rather than the ones originally issued:

          “This update does not replace a previously released update.”

          “To apply this update, you don’t have to make any changes to the registry.”

          Both of these quotes seem inconsistent with the concept that the originals were superseded rather than supplemented. You are far more knowledgeable than I (and possibly Microsoft too!) but I wonder if it’s risky to ignore Microsoft’s descriptions of the updates. I wonder if there would be a downside to installing the original(s) and then the later one(s) you recommend, in sequence??

          • #165192
            MrBrian
            AskWoody_MVP

            It’s true that the newer updates don’t metadata-supersede the security-only updates, but that’s probably because there are good reasons that a non-security update shouldn’t metadata-supersede a security update. Another question: So why didn’t Microsoft classify the newer updates as security updates? I would guess it’s because Microsoft doesn’t want users that installed the older updates and didn’t have issues to think that they had to install the newer updates.

            2 users thanked author for this post.
            • #165211
              EricEWV
              AskWoody Lounger

              In a sane world, I would think Microsoft would push out an Intel-specific patch and an AMD-specific patch at this stage seeing the major issues that can arise from the AMD machines, or just release an AMD-specific patch with all the relative fixes.  Something like “Security Update for Windows 7 on AMD” maybe.  But I think that’s asking for much with MS’s recent track record.

          • #165286
            abbodi86
            AskWoody_MVP

            Support articles are generally generic

            besides, if you take Microsoft’s word, you would not follow Woody’s defcon system 😀

            1 user thanked author for this post.
      • #165160
        anonymous
        Guest

        In @MrBrian’s post #164967 in this blog, where does he get his information from that KB4073578 can be installed instead of KB4056897 as the January 2018 security only update for Windows 7?  I am extremely nervous about this.  I can’t find any confirmation that the former is a replacement for the latter.

        And, as has already been pointed out by others in this blog, the KB4073578 article states “This update does not replace a previously released update”.  And, furthermore, as has already been pointed out, it raises the question as to why didn’t Microsoft release a second version of KB4056897 to replace the first version instead of releasing KB4073578?  It is all very confusing.

        As my PC has an Intel processor, unless I can find some convincing evidence to do otherwise, I am inclined to install only KB4056897.  Thinking ahead, would that then put my PC in a state in which I could not install the February 2018 security only update?

        • #165187
          MrBrian
          AskWoody_MVP

          “In @mrbrian’s post #164967 in this blog, where does he get his information from that KB4073578 can be installed instead of KB4056897 as the January 2018 security only update for Windows 7?”

          It’s based on analysis of the contents of KB4056897 vs. KB4073578. If you’re sure that you don’t have an affected AMD CPU, then it’s fine to use KB4056897 instead.

          5 users thanked author for this post.
          • #165259
            TonyC
            AskWoody Lounger

            Yes, I suspected that was the way you did it.  I couldn’t find any explanation anywhere.  Microsoft’s documentation of these two updates and their relationship with one another is ambiguous and misleading.

        • #165188
          MrBrian
          AskWoody_MVP

          I forgot to mention: In another topic I posted that as a test I installed KB4073578 on my Intel CPU, rebooted, and had no issues. (After a few minutes, I restored the backup that I had just made because I am in Group A.)

          • #165267
            TonyC
            AskWoody Lounger

            Yes, after this month’s problems, I’m now seriously considering switching to Group A. It is not so much Microsoft’s snooping that I object to but, in 2016, I was appalled by Microsoft’s attempt to upgrade my system to Windows 10 and to prepare my system for the upgrade. I don’t want that to happen again. I know that I am going to have to start using Windows 10 within the next year or two, but I will do it by performing a clean install of Windows 10 on a new PC.

      • #165172
        anonymous
        Guest

        I can’t believe it’s gotten to the point where one is now required to have a system image and a repair disc standing by to download WU.  Well, actually I can after last month. I’m on WIN 7 with an older AMD machine, group A, and will still be sitting this one out until I see a green for the Feb updates.  I’ve also tried to register on this site twice with no luck.

        • #165198
          Kirsty
          Manager

          An occasional problem in getting registration emails has been noticed in some cases. Your quickest solution is to email Woody your username (used in your attempt to register) and a password. If he can’t find the user name in the database, he has the tools to create it.

          1 user thanked author for this post.
      • #165181
        OscarCP
        AskWoody Plus

        OK, this is the situation with January’s Security Update, and it can be fun playing “Update Roulette” with your Win 7, x64, Intel 7 CPU PC (if possible, an old one of Sandy Bridge vintage, like mine).

        First: the initial game lineup:

        (1) MrBrian recommends the Security Update KB4073578 for Intel, AMD, etc.

        (2) Anonymous and a few others are all for KB4056897  for Intel. Some of them are even saying things like: “I installed KB4056897 and everything was OK afterwards!” Or: “Do not install KB4073578, that one is for AMD!”

        (3) Everyone seems to agree that KB4056568 is fine for IE11, whatever the CPU may be.

        (4) Nobody, at least the way I see it (and am nothing more than an imperfect, error-prone mortal), has the slightest idea of what to do about .net.

        Now place your bets, ladies and gentlemen: Choose either (1) or (2). Don’t worry about (3), avoid having anything to do with (4).

        Win: Nothing bad happens. Dull, but all right…

        Lose: You’ll get a fancy doorstop and (if you are truly diligent), also an ISO disk image. Then you could place the disk on the doorstop, for an especially eye-catching effect. But you’ll be unable to visit Woody’s anymore, as you’ll no longer have what you’ll need to do that with. But it won’t matter, as you’ll never have to worry about updating Windows 7 again.

        (Just kidding.)

        Windows 7 Professional, SP1, x64 Group W (ex B) & macOS Mojave + Linux (Mint)

        2 users thanked author for this post.
        • #165189
          MrBrian
          AskWoody_MVP

          “(4) Nobody, at least the way I see it (and am nothing more than an imperfect, error-prone mortal), has the slightest idea of what to do about .net.”

          I recommend: Install the .NET Framework updates that Windows Update ticks by default.

          1 user thanked author for this post.
          • #165369
            anonymous
            Guest

            Had been installing the .Net rollups as well until a bug in image-rendering appeared in the rollup  a couple of months ago but not in the Security Only patches. Last thing I needed was to bork my RAW image developing and editing software. Been doing Security Only since, but it’s a pain.

      • #165201
        anonymous
        Guest

        Win7 intel pentium machine here. Thanks for the heads up. For us Win7 users, are there any major bugs that we should prepare for, like those in Win10?

      • #165206
        anonymous
        Guest

        First post on this site so please excuse me if I missed to read anything. I’m still reading up on the differences between Group A and Group B. Looks like I’m in Group A but I’m not a 100 percent certain yet. The DefCon system is very clear cut. I like it a lot.

        On my Dell Notebook running Win8.1 and AMD Radeon, I installed: KB4077561 (Manually) and KB4073576 (Manually) and The Security Only Update KB4056898 (Manually)

        Via Windows update I installed: KB4057401 (Preview of Monthly Rollup) and KB4056895 (Monthly Rollup)

        On my Dell Desktop running Win 8.1 and an Intel core I5 I Installed those same updates I listed except the KB4073576 update which is a listed fix for older AMD processors.

        On Patch Tuesday last month on my Desktop and Notebook I installed the MSRT (KB890830) & The Adobe Flash Player update (KB4056887) and the Security and Quality Rollup for Microsoft.Net (KB4055266) Framework which in Hindsight I shouldn’t have installed at that time but fortunately I didn’t run into any problems. But I hid the other .Net Framework updates and I don’t plan on installing them.

        Besides the updates I listed, did I miss anything major to install from the January patches?

        1 user thanked author for this post.
        • #165251
          Elly
          AskWoody MVP

          Hello Anonymous,

          There are a number of anonymous posting… so if you want to be anonymous, and not register on the site (which is okay), I’d suggest that you pick a name of some kind to stick on your post, so that it is easier to follow any further questions and answers (like when another anonymous is answering your post, or asking a related, but different question… it happens).

          I will say up front that I’m not a techy person, but I’ve been here for a while… and so would like to point out a few things… and maybe answer your questions…

          First, unless you want to experiment, and you know how to fix your computer, don’t install anything with preview in its name… those are for the early adopters to try out! You said you already installed it… so here’s hoping there aren’t any problems in it for your machine…

          Second, is if you are going the Group A route, and install the Monthly Quality and Security Update, you don’t need to install any Security only patches… they are included in the Monthly Quality and Security Update.

          Installing the Monthly Quality and Security Update puts you in Group A, even if you were following security only updating (Group B) before that.

          Did you follow each step (if Group A) at https://www.askwoody.com/forums/topic/2000004-how-to-apply-the-win7-and-8-1-monthly-rollups/? It is important to hide updates you are not installing, and then check for more, because some updates do not show up until all updates are installed or hidden.

          Group A is the recommended and easiest way to update… but I find that Group B works just fine for me.

          Also, although Woody says to turn off Windows Update, that is so you can control when to update. You can still click on it to run Windows Update, sort through the offered updates as recommended in the link above, and then install them. You don’t have to manually install them. I may have confused what you actually did, but this is an issue that a friend had problems understanding when I referred her here. She went to Microsoft and manually downloaded the Monthly Security and Quality Update, when it was already offered through Windows Update…

          The most important part, in the end, is to have a safe and working computer… so, if you have that, you were successful!

           

          Non-techy Win 10 Pro and Linux Mint experimenter

      • #165214
        AJNorth
        AskWoody Plus

        Not to add to the already formidable workload, but is the update to the procedure for a clean installation of WIN 7 (delineated into Groups A & B) still in the queue?  If memory serves, the most recent discussion was How would you install Win7 from scratch?  (2017.01.18), which should still provide the means to get the job done.

      • #165220
        LH
        AskWoody Plus

        Basically, it is recommended there that you install KB 4056897 and KB 4073538 BUT ONLY restart your computer AFTER both updates have been installed. Do not restart after the first update, but only after both are installed. Apparently, this way the potential boot problem with 4056897 gets corrected before it happens.

        OK, silly question – how do you install both patches without a reboot in between?

        I am Group B, Win 7 Pro, and have been trying to do this for months (that is, install the Win 7 security-only patch and the corresponding IE11 patch with just one reboot after both installed).  However, whenever I try to install the second patch after successfully completing the first (with a “restart required” message), I get another message saying something to the effect that “only one wusa process is allowed at a time” (forgotten the exact message).  This happens even if I Close the wusa screen rather than Restart.

        I have just installed both of the January patches, same problem – had to reboot after the first one before it would let me run the second (both eventually installed successfully).  If there is a way to delay rebooting until after both patches are installed, it would save me a lot of time every month – it takes my old PC at least 10 minutes to complete a reboot cycle.

        • #165236
          byteme
          AskWoody Plus

          KB 4056897 and KB 4073578 are the two alternative Win7 security-only updates. Neither is an IE update. I don’t think anyone was suggesting that you try to skip a mandated reboot in between a Win7 update and an IE update.

          More importantly, though, I think it’s fair to say that the guru-consensus in this thread is that you should only install one of those two Win7 updates. 4056897 is apparently fine if you’re sure your CPU is Intel and not AMD. And MrBrian says 4073578 is fine for both Intel and AMD CPUs.

          1 user thanked author for this post.
      • #165241
        Cascadian
        AskWoody Lounger

        A positive report on an uneventful update now complete.

        CPU: Dual AMD C-50 (wikipedia cross-references this as Brazos Ontario, 40nm)
        GPU: AMD Radeon HD 6250 (which should not matter, but including for completeness)
        Win7sp1x64, Microsoft Security Essentials, QualityCompat registry key set

        Following GroupA, allowing WU to make the appropriate choices.
        Preselected (checked) two important updates:
        2018-01 S&QR .NET Framework (all) Win7 & 2008 R2 x64 (KB4055532)
        2018-01 SMQR Win7x64-based Systems (KB4056894)
        and hid all others.

        Download delivered in about 99MB total for both items, download and installation required between 50m and 1h, restart took less than 10m, displaying only one start cycle including the expected percentage progress display and appropriate warning against removing power. No second cycle was observed. Windows Update History showed the appropriate information, listing KB4055532 .NETrollup first, around 45m from start, then KB4056894 SMQR second, 9m later.

        From curiosity, restored several usual suspects and allowed the new check for updates to review these items. All remained on offer, with same published dates and sizes previously seen, including KB2952664 still dated 14NOV2017.

        Gibson Research’s InSpectre release #6b reports:
        System is Meltdown protected: YES
        System is Spectre protected: NO!
        Performance: GOOD
        And much more information as well; all as expected.

        GroupA may allow some things that concern some people. But this system had the things that were likely to cause problems, and Windows Update provided the correct items without damage.

        3 users thanked author for this post.
      • #165256
        AJNorth
        AskWoody Plus

        Adobe Flash Player has been updated to version 28.0.0.161.

        “A critical vulnerability (CVE-2018-4878) exists in Adobe Flash Player 28.0.0.137 and earlier versions. Successful exploitation could potentially allow an attacker to take control of the affected system.

        Adobe is aware of a report that an exploit for CVE-2018-4878 exists in the wild, and is being used in limited, targeted attacks against Windows users. These attacks leverage Office documents with embedded malicious Flash content distributed via email.”

        For those who do not have Adobe Flash Player set to auto-update in WIN 7, or third-party browsers in WIN 8.1 and WIN 10, it may be updated manually from the Control Panel – or downloaded using these direct links (Right-click; select Save Link As):

         

        Microsoft will make the update for IE 11 (WIN 8.1 & 10) and Edge available from Windows Update.

        4 users thanked author for this post.
        • #165423
          anonymous
          Guest

          Thank You Elly.  That was very helpful.

          From now on I definitely won’t install Preview Updates anymore.

          I thought I needed both KB4056895 and KB4056898 to patch the Meltdown vulnerabilities which is why I installed both. So I take I don’t need to install anything from the January Patches?

          Also I wasn’t offered any internet explorer update via WU last month. But I see some people are manually installing it.

          1 user thanked author for this post.
          • #165428
            PKCano
            Manager

            Anon at #165423

            The IE separate patches are not offered through WU, they are part of the Monthly Rollup.
            If you do the security-only patches manually you need to also do the separate IE11 update manually.

            3 users thanked author for this post.
      • #165248
        anonymous
        Guest

        just double asking for safety:

        on 8.1, if 4077561 being installed already, installation of 4073576 not necessary anymore?

        • #165263
          PKCano
          Manager
          • #165301
            anonymous
            Guest

            this post only says:

            Group B Windows 8.1:

            Manually install KB4077561. Manually install KB4056568.

            so 4073576 not needed anymore?

      • #165273
        EricEWV
        AskWoody Lounger

        Bit the bullet and performed the update with KB4073578 as suggested by @mrbrian in #165156 ; it went quickly and with no noticeable slowdown upon reboot and login.  Entire process took around or less than 5 minutes taking actual WUSA install time and the reboot installation with Windows Update itself registering a successful installation.  You have my gratitude for all the work you have done with this everyone.

        Specs:

        Windows 7 x64 Ultimate SP1

        AMD FX-8320 3.50 GHz

        Nvidia GeForce GTX 1060 (for complete specs sake)

        1 user thanked author for this post.
      • #165270
        anonymous
        Guest

        Thanks @woody et al.

        I am the Win7 SP1 x64 guy who had the Sandboxie problems after installing KB 4056897, so I will avoid it till that’s solved by Invincea.

        Already updated KB 4056568 (IE) without problems, and will now go for KB 4055532 (.NET).

        Be safe everyone.

      • #165276
        mazzinia
        AskWoody Lounger

        Ok,

        eventually decided to take the risk, based mainly on the assumption that either with inspectre or manually I can disable the meltdown and “supposedly” revert to the “previous” cpu performance.

        My 2 cents…

        Win7 x64, group B
        Intel, dual xeon 52x0

        1) would be nice to have a simple reliable way to quantify the speed loss
        This said
        2) TrustedInstaller, after these patches, is back to spiking at 20/25% … it was years since it messed up
        3) DaemonTools got affected by the very first security patch. Saw some mention about updating a virtual driver, followed by a timeout on the very first restart. Subsequently ( next restart ) it tried to do something but effectively the 2nd virtual drive vanished
        3rd restart, and the 2nd virtual drive shows in explorer, but NOT in daemontools.
        4) The indexer is working a lot ( read it Lot with the uppercase ) more, on C drive.
        I’m seeing 5 to 10 minutes of extra disk activity, compared to before.
        SearchProtocolHost.exe runs more, definitely (2 instances).
        lot of writes to
        c:\programdata\microsoft\search\data\applications\windows\windows.edb
        constantly
        5) Sqlservr.exe (runtime only) shows quite a lot of activity while before it didn’t happen.
        Sql server services are disabled (by me, long ago), except sql server VSS writer (not sure if it was started before the patches, or if it got started due to them)

        • #165280
          PKCano
          Manager

          For third-party software, in several cases, installing the latest version has corrected the problems experienced after the latest round of patching. That has included the latest version of the anti-virus as well as other applications.

          • #165299
            mazzinia
            AskWoody Lounger

            Taking note, but seems the thing is a bit weird on this side.
            The 2nd virtual unit is present, but it got associated to a microsoft driver and identified as a real scsi unit on bus 0 id 0 lun 0.
            Now, I do have a few controllers, raid included… but no optical units on them. Quite weird outcome of the update, I would say

            TEXGV___JWXER8DYB_______1 scsi cdrom device

      • #165295
        dph853
        AskWoody Plus

        Typical discussion, lots of differing options not much in the way of specific guidance. Those clinging to Win7, 8.1, Win 1607 are on their own to make up their own minds as not too many can keep all the KB numbers straight for every version of Windows.

        For Win10 1703 the summary as I understand it.

        1) The only major bug squashed in January is the “Equation Editor” issue

        2) The changes that bring about a CPU slow-down addressing Spectre/Meltdown have been removed for the Cumulative update currently available for January as well as in any updates to the bios/uefi.

        So, if what I stated above is the case, I may well install the Jan. Cumulative Update, and the three pending (3 on my system) WaasMedic & accompanying Windows New Version preparation files. I do not expect to be installing Win10 18XX until 17XX is no longer supported or I upgrade my cpu & motherboard to one that isn’t from the stone age.

        Unfortunately, I do not live in the industrialized world and for now, a new computer is completely out of the question due to cost and the fact that I would never be able to get it shipped to the 3rd world without it growing legs and walking off into the sunset.

        At present, I’m reading what I can find and from that am preparing to hit the update button on the assumption that there will be no cpu impact due to Spectre/Meltdown patching. If that is not the case, then I definitely do not wish to install Jan. updates or probably anymore going forward until either the class actions against intel get me a new cpu (Ha!) or I get my hands on a CPU with the Spectre/Meltdown vulnerabilities corrected on the cpu itself.

         

      • #165305
        Scoop
        AskWoody Lounger

        Woody,

        I have 2 Win 7 x64 PC’s (circa 2010) with Intel I5-650 CPU’s; 1 built Desktop & 1 Toshiba Laptop (Win7 OEM install).

        I’m a regular Cloner & Imager so I have Cloned my Laptop (my ‘guinea pig’ test PC) prior to installing the Jan Rollup (WU not yet installed).

        My question is about the Win 7 Jan Monthly Rollup as it relates to any built-in Firmware updates which I don’t want installed on my PC’s.

        Can I install the default Jan Monthly Rollup without any Firmware Updates?  Does the Rollup now include any Firmware updates?

        The concern I have is if the Jan Rollup includes the “Spectre” Firmware updates, my Clone (or full Image) HDD backups won’t help me rollback my Laptop PC if BIOS/Firmware updates were included in the Jan Rollup Update.  Is that correct?

        • #165308
          PKCano
          Manager

          The Jan patches do not contain firmware updates. Those come from the Computer OEM or the chip OEM.

          1 user thanked author for this post.
      • #165320
        gaiter
        AskWoody Lounger

        Updating windows 7 (group b) for security only and net security only is causing more problems that result in users spending hours trying to figure out or fixing the patches! I dislike spending more time on windows operating system than I use the computer for!

        My android tablet proves to be more enjoyable and much easier to manage.

        I have always enjoyed keeping my computer efficient, safe and enjoyable.

        my question: looks like installing 4056897 and 4055269 results in more problems than fixing any security issues, am I correct?

      • #165332
        The Surfing Pensioner
        AskWoody Plus

        Reply to # 165320;

        Well, it took me 20 mins. this morning, while I burnt the toast. But then I was prepared (patches downloaded and waiting) and took a no-frills approach (if you don’t really need it, don’t install it). Not exactly hours!

        2 users thanked author for this post.
      • #165333
        mazzinia
        AskWoody Lounger

        Possible bug report post patches installation :
        Outlook 2010 went unresponsive once when trying to open an email with inside lets say ads ( official from my phone provider ), killed the process after letting it stay at 25% for 10 minutes.

        It tried to lock up a 2nd time (on a different, simple email), subsequently, but it resumed after 30/40 seconds

      • #165362
        anonymous
        Guest

        @Elly Regarding the anonymous issue: I am a registered Patron, but prefer to comment anonymously most of the time when I reveal the set up etc. of my particular Win 7 SP1 x64 / Intel i4 system in order to get the right advice of the gurus here. I rather keep info like that low profile. (Welcome to my world of paranoia.)



        @MrBrian
        I read all your and most of other’s comments about the updates, so also about KB 4073578. (I had to uninstall and do a system restore after KB 4056897 messed up third party software.)
        If I understand correctly, KB 4073578 was meant for AMD systems and not for Intel. However, there seems to be no harm in installing KB 4073578 on an Intel system.

        But what I don’t understand: What is/would be the benefit of installing this update on an Intel system?? Thanks in advance.

        1 user thanked author for this post.
      • #165392
        abbodi86
        AskWoody_MVP

        @mrbrian I read all your and most of other’s comments about the updates, so also about KB 4073578. (I had to uninstall and do a system restore after KB 4056897 messed up third party software.) If I understand correctly, KB 4073578 was meant for AMD systems and not for Intel. However, there seems to be no harm in installing KB 4073578 on an Intel system. But what I don’t understand: What is/would be the benefit of installing this update on an Intel system?? Thanks in advance.

        updates are for all systems, regardless if they fix something for one of them

        the benefit is to align patching recommendation 🙂

        4 users thanked author for this post.
      • #165420
        jrmoffett
        AskWoody Lounger

        I am absolutely not going to install the Meltdown Spectre patch. At this point I just don’t believe that there is a real threat. A potential 30% slowdown is not acceptable, and there is no indication that these holes are actually going to be useful ways of hacking into a personal computer. Someone might try to hack an un-patched server, but there isn’t enough of a reason to try and do this to someone’s PC.

        If I hear that these exploits are actually working to attack regular people’s PCs then I will reconsider. But as of now, that patch stays unchecked.

        4 users thanked author for this post.
      • #165448
        jelson
        AskWoody Lounger

        OK, silly question – how do you install both patches without a reboot in between? …. However, whenever I try to install the second patch after successfully completing the first (with a “restart required” message), I get another message saying something to the effect that “only one wusa process is allowed at a time”

        Try installing the patches manually. When I do that, first I disable the network (unplug the ethernet cable) and then stop the Windows Update service (via services.msc) After the 1st patch is installed, I opt out of a reboot and then again stop the Windows Update service (otherwise it can take awhile before I’m asked if I want to install patch blah-blah-blah)

        Works for me; Win 7 x 64 “Group B”
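
        The single-reboot manual install discussed in the posts above, as an added example that is not part of any poster's reply: a PowerShell script that runs wusa.exe with its /quiet and /norestart switches for each package in turn and reports whether a restart is owed at the end. The package paths are placeholders, and the variable names are this example's own.

```powershell
# Added example, not from the thread: install several stand-alone update
# packages (.msu) one after another and restart only once at the end.
# Assumption: the default paths are placeholders for files downloaded from the
# Microsoft Update Catalog. Run from an elevated PowerShell prompt.
param(
    [string[]]$Packages = @(
        'C:\Patches\PLACEHOLDER-security-only.msu',
        'C:\Patches\PLACEHOLDER-ie11-cumulative.msu'
    )
)

# wusa.exe exit codes that do not indicate a failed installation
$RebootRequired   = 3010          # ERROR_SUCCESS_REBOOT_REQUIRED
$AlreadyInstalled = 2359302       # 0x00240006
$NotApplicable    = -2145124329   # 0x80240017

# wusa.exe cannot install anything from a non-elevated session
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'wusa.exe needs an elevated session; start PowerShell as Administrator.'
}

$needReboot = $false
foreach ($msu in $Packages) {
    if (-not (Test-Path -LiteralPath $msu)) {
        Write-Warning "Skipping missing file: $msu"
        continue
    }

    # /quiet suppresses the dialog that otherwise keeps wusa.exe open, and
    # /norestart defers the reboot. -Wait makes sure the previous wusa.exe
    # has exited before the next one starts.
    $proc = Start-Process -FilePath "$env:SystemRoot\System32\wusa.exe" `
                          -ArgumentList "`"$msu`"", '/quiet', '/norestart' `
                          -Wait -PassThru
    $code = $proc.ExitCode

    if ($code -eq 0) {
        Write-Host "$msu : installed, no restart needed"
    }
    elseif ($code -eq $RebootRequired) {
        Write-Host "$msu : installed, restart pending"
        $needReboot = $true
    }
    elseif ($code -eq $AlreadyInstalled) {
        Write-Host "$msu : already installed"
    }
    elseif ($code -eq $NotApplicable) {
        Write-Warning "$msu : not applicable to this system"
    }
    else {
        # Stop at the first real failure so it is investigated before
        # further packages are layered on top of it.
        Write-Error ("{0} : wusa.exe failed with exit code 0x{1:X8}" -f $msu, $code)
        break
    }
}

if ($needReboot) {
    Write-Host 'All packages processed. Restart once now to finish installation.'
}
else {
    Write-Host 'All packages processed. No restart is pending from this run.'
}
```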

         

         

        • #165491
          anonymous
          Guest

          “If you do the security-only patches manually you need to also do the separate IE11 update manually.”

          Pkcano So this explains what the people in Group B are doing?

           

      • #165508
        Hopper15
        AskWoody Lounger

        Looks like I made it through that January patch minefield unscathed for now.  No noticeable slowdowns so far.

      • #165523
        Purg2
        AskWoody Lounger

        Wow, 112 MB (or 114 depending on how you look at it).  Must be some kinda record.

        Win 8.1 (home & pro) Group B, Linux Dabbler

        • #167766
          Noel Carboni
          AskWoody_MVP

          Don’t look now but Win 10 .msu files can be an order of magnitude larger than that.

          -Noel

      • #165623
        dgreen
        AskWoody Lounger

        January patch KB4056894 applied and MSRT KB890830 applied 2/6/18 without any issues.

        Dell Inspiron 660 (purchased in 2013) just replaced hard drive in November 2017 and had Windows 7 reloaded.
        Windows 7 Home Premium 64 bit SP 1
        Server 2008 R2 x64
        Processor: Intel i3-3240 (ivy bridge 3rd generation)
        chipset Intel (R) 7 series/C216
        chipset family SATA AHCI Controller -1 E02

        After new hard drive installed went to
        Group A

        2 users thanked author for this post.
      • #165701
        MrBrian
        AskWoody_MVP

        If anyone has unanswered questions regarding my advice, please post at https://www.askwoody.com/forums/topic/a-quick-overview-of-january-patching-recommendations-for-windows/.

        1 user thanked author for this post.
      • #165703
        bjm
        AskWoody Lounger

        RE: Win10 1703
        Using wushowhide I hid KB4023057, KB4073543, and KB4056254
        I installed CU KB4057144 Build 15063.877
        I installed all the other non-driver patches.
        ————————————————————

        What about KB4078130?

      • #165711
        Seff
        AskWoody Plus

        By way of personal update, my Intel Windows 7 x64 machine with AMD Radeon graphics card now has KB4056894 (monthly rollup), KB4055532 (.Net Framework update), 5 updates for Office 2010 and the MSRT all installed over the past couple of days and seemingly all running ok at the moment. I have also now been offered KB4011187 for Office 2010 but it’s unchecked and therefore left well alone for now.

        That leaves me with the outstanding task of installing both KB4056894 and KB4055532 on my other machine which is an AMD Phenom II Windows 7 x64 machine with a Nvidia graphics card. That machine doesn’t have Office installed so the only other update for it which I have now installed ok is the MSRT.

        Has any other Windows 7 user installed these updates on an AMD Phenom II machine, and if so with what results? I know Woody’s view is that the only outstanding problem with that processor is for certain Windows 10 users but that doesn’t make me any less apprehensive!

      • #165718
        abbodi86
        AskWoody_MVP

        RE: Win10 1703
        Using wushowhide I hid KB4023057, KB4073543, and KB4056254
        I installed CU KB4057144 Build 15063.877
        I installed all the other non-driver patches.
        ————————————————————

        What about KB4078130?

        That’s not an update, merely a tool to disable Spectre mitigation
        and it’s not available through Windows Update

        2 users thanked author for this post.
      • #165719
        PKCano
        Manager

        What about KB4078130?

        KB4078130 is downloadable from the Catalog only and disables branch targeting vuln (CVE-2017-5715 Spectre variant 2). It is a workaround for those who have installed the defective Intel microcode. Microsoft says this about it.

        While Intel tests, updates and deploys new microcode, we are making available an out-of-band update today, KB4078130, that specifically disables only the mitigation against CVE-2017-5715 – “Branch target injection vulnerability.” In our testing, this update has been found to prevent the described behavior in devices that have affected microcode.

        I have not installed the defective microcode and do not need this patch. It is not necessary for those who have not installed the microcode.

        2 users thanked author for this post.
      • #165722
        bjm
        AskWoody Lounger

        What about KB4078130?

        KB4078130 is downloadable from the Catalog only and disables branch targeting vuln (CVE-2017-5715 Spectre variant 2). It is a workaround for those who have installed the defective Intel microcode. Microsoft says this about it.

        While Intel tests, updates and deploys new microcode, we are making available an out-of-band update today, KB4078130, that specifically disables only the mitigation against CVE-2017-5715 – “Branch target injection vulnerability.” In our testing, this update has been found to prevent the described behavior in devices that have affected microcode.

        I have not installed the defective microcode and do not need this patch. It is not necessary for those who have not installed the microcode.

        Hmm, I thought KB4057144 Build 15063.877 brings defective microcode.   How does defective microcode get installed?

      • #165723
        hjf
        AskWoody Plus

        Windows 7 intel Centrino vPro group B. Novice and grateful AskWoody reader. I have Avast antivirus. How can I make sure that the reg key is allowed? I have looked over my Avast options and don’t see any mention of this function.  Thanks!

      • #165724
        bjm
        AskWoody Lounger

        RE: Win10 1703 Using wushowhide I hid KB4023057, KB4073543, and KB4056254 I installed CU KB4057144 Build 15063.877 I installed all the other non-driver patches. ———————————————————— What about KB4078130?

        That’s not an update, merely a tool to disable Spectre mitigation and it’s not available through Windows Update

        I pulled KB4078130 from Windows Update Catalog.

      • #165726
        PKCano
        Manager

        Hmm, I thought KB4057144 Build 15063.877 brings defective microcode. How does defective microcode get installed?

        Microcode does not come from MS. It comes from the computer OEM or the chip OEM. It is a patch (code) applied to the CPU, not software to the Windows OS.

        1 user thanked author for this post.
        bjm
      • #165727
        PKCano
        Manager

        Windows 7 intel Centrino vPro group B. Novice and grateful AskWoody reader. I have Avast antivirus. How can I make sure that the reg key is allowed? I have looked over my Avast options and don’t see any mention of this function. Thanks!

        Here are the instructions for finding the key

        1 user thanked author for this post.
        hjf
      • #165729
        abbodi86
        AskWoody_MVP

        I pulled KB4078130 from Windows Update Catalog.

        Windows Update = the OS internal update infrastructure

        Microsoft Update Catalog = external web site to download updates manually

      • #165730
        bjm
        AskWoody Lounger

        Hmm, I thought KB4057144 Build 15063.877 brings defective microcode. How does defective microcode get installed?

        Microcode does not come from MS. It comes from the computer OEM or the chip OEM. It is a patch (code) applied to the CPU, not software to the Windows OS.

        Hmm, afaik I have not recently installed HP/Intel updates.   Guess, I’ll look to HP for info.  Thanks

        Hmm, so KB4078130 is downloadable from the Microsoft Update Catalog…but, defective microcode does not come from MS.
        head scratch  Thanks

      • #165734
        PKCano
        Manager

        Hmm, afaik I have not recently installed HP/Intel updates. Guess, I’ll look to HP for relevant info. Thanks

        Advice – do not install any BIOS/microcode at this time. Things are messed up with the microcode at the moment.

        3 users thanked author for this post.
      • #165735
        MrBrian
        AskWoody_MVP

        Windows 7 intel Centrino vPro group B. Novice and grateful AskWoody reader. I have Avast antivirus. How can I make sure that the reg key is allowed? I have looked over my Avast options and don’t see any mention of this function. Thanks!

        An alternative method for Windows 7 users is to see if Windows Update offers KB4057400.

      • #165736
        bjm
        AskWoody Lounger

        I pulled KB4078130 from Windows Update Catalog.

        Windows Update = the OS internal update infrastructure Microsoft Update Catalog = external web site to download updates manually

        I pull my Windows updates from Microsoft (Windows) Update Catalog.   Thanks

      • #165739
        bjm
        AskWoody Lounger

        Hmm, afaik I have not recently installed HP/Intel updates. Guess, I’ll look to HP for relevant info. Thanks

        Advice – do not install any BIOS/microcode at this time. Things are messed up with the microcode at the moment.

        Okay.  I hear ya’.    I thought AVs pushed a reg update to allow update from Microsoft/Windows related to Spectre-Meltdown.     Guess, I’m confused as to whats what.

        Thanks

      • #165742
        PKCano
        Manager

        Okay. I hear ya’. I thought AVs pushed a reg update to allow update from Microsoft/Windows related to Spectre-Meltdown. Guess, I’m confused as to whats what.

        Microsoft pushes updates to Windows OS for vulns related to Spectre-Meltdown.
        The Hardware manufacturer pushes updates for the hardware (CPU) for vulns related to Spectre-Meltdown.
        The AVs push a Registry change to allow MS updates.

        They are NOT the same thing.

        1 user thanked author for this post.
        bjm
      • #165751
        bjm
        AskWoody Lounger

        Okay. I hear ya’. I thought AVs pushed a reg update to allow update from Microsoft/Windows related to Spectre-Meltdown. Guess, I’m confused as to whats what.

        Microsoft pushes updates to Windows OS for vulns related to Spectre-Meltdown. The Hardware manufacturer pushes updates for the hardware (CPU) for vulns related to Spectre-Meltdown. The AV‘s push a Registry change to allow MS updates They are NOT the same thing.

        Granted, they’re not the same.   Okay, KB4078130 is related to hardware (HP/Intel) side even though KB4078130 came from software (Microsoft/OS) side.   And AVs reg push was related to software side.   Thanks again.

      • #165755
        hjf
        AskWoody Plus

        Many thanks to PKCano for the quick and useful response and the link to OscarCP’s utterly clear instructions–thanks also to OscarCP. I checked and all is well with reg edit. Onward to the next step, backing up.

      • #165760
        SueW
        AskWoody Plus

        Many thanks to PKCano for the quick and useful response and the link to OscarCP’s utterly clear instructions–thanks also to OscarCP.

        Thanks, @hjf!  Those were actually my original “utterly clear” instructions that I posted back on January 6, 2018: https://www.askwoody.com/forums/topic/multiple-reports-of-blue-screens-bsods-0x000000c4-when-installing-the-january-win7-monthly-rollup-kb-4056894/page/7/#post-157000.  Unfortunately, they were neither quoted nor attributed in the more recent post . . .

        Glad to hear that your reg edit is well!

        Win 7 SP1 Home Premium 64-bit; Office 2010; Group B (SaS); Former 'Tech Weenie'
        1 user thanked author for this post.
      • #165810
        bjm
        AskWoody Lounger

        RE: Win10 1703
        Okay, I installed CU KB4057144 Build 15063.877
        I’m curious what to do about KB4049011, KB4023057, KB4056254 that are WUshowhide hidden.

        And also hidden is KB2538243 Security Update Visual C++ 2008 Redistributables (Microsoft Update Catalog reports Last Updated 4/5/2012).
        My Apps lists several Visual C++ 2005, 2008, 2010 & 2012 with dates 2014, 2016 & 2018.
        Any thoughts what I should do regarding KB2538243.

        Thanks

        • #165823
          PKCano
          Manager

          I’m curious what to do about KB4049011, KB4023057, KB4056254 that are WUshowhide hidden.

          KB4049011 is the servicing stack you need it – the others stay hidden.
          Update Visual C++

      • #165821
        anonymous
        Guest

        Pensioner Lady here…

        I am using Avast free edition (which is up to date) and I note that on the ‘list’ it should be compatible for the Windows 7 January Rollup but I have only received the Net.framework KB4033342 and no monthly rollup.  Should I uninstall Avast in order to receive it?  I am non techie and set my updates to ‘never’ until DEFCON 3 and am in group A

        • #165826
          PKCano
          Manager

          I am using Avast free edition (which is up to date) and I note that on the ‘list’ it should be compatible for the Windows 7 January Rollup but I have only received the Net.framework KB4033342 and no monthly rollup. Should I uninstall Avast in order to receive it? I am non techie and set my updates to ‘never’ until DEFCON 3 and am in group A

          Right click on the icon in the right taskbar, choose update engine and definitions. In the box that pops up, click on update in the lower portion.
          If you have an AMD processor you may still not get the update.

      • #165830
        bjm
        AskWoody Lounger

        I’m curious what to do about KB4049011, KB4023057, KB4056254 that are WUshowhide hidden.

        KB4049011 is the servicing stack you need it – the others stay hidden. Update Visual C++

        Um, which vc file?  What’s ia64?  W10 x64 Home.
      • #165837
        bjm
        AskWoody Lounger

        @bjm Whichever one is available in Windows Update.

        Yeah, I don’t run Windows Update if I don’t have to.   Okay.  Thanks

         

      • #165838
        anonymous
        Guest

        Pensioner Lady again….

        Thank you PKCano.  I have followed your instructions and am informed that engine and definitions + program are all up to date.  My machine has a Celeron processor.

        • #165840
          PKCano
          Manager

          Pensioner Lady again…. Thank you PKCano. I have followed your instructions and am informed that engine and definitions + program are all up to date. My machine has a Celeron processor.

          Install Kb4057894

          If Kb4057894 still won’t install.
          Go to the optional updates. Check KB4057400, check OK at the bottom.
          Go to the important updates. UNCHECK the Monthly Rollup KB4056894, click OK

          Install KB4057400

      • #165846
        Seff
        AskWoody Plus

        Pensioner Lady again…. Thank you PKCano. I have followed your instructions and am informed that engine and definitions + program are all up to date. My machine has a Celeron processor.

        Install Kb4057894 If Kb4057894 still won’t install. Go to the optional updates. Check KB4057400, check OK at the bottom. Go to the important updates. UNCHECK the Monthly Rollup KB4056894, click OK Install KB4057400

        Isn’t Pensioner Lady’s point that as a Group A user she isn’t being offered any of the updates you’re referring to? That’s my interpretation of post #165821.

        If that is the case then as a first step I would do a new search for Windows Updates (open WU from the program list and then look for updates) and see if any rollup is now offered.  If not, then I would wait until the February monthly rollup is released and keep an eye on the advice here including the DefCon ratings.

        If not already done, it would also be worth following @SueW‘s link in post #165760 to establish whether the registry key has been set to enable the monthly rollup to be installed. It may be that the rollup isn’t being offered through system incompatibility. Either way there’s no real harm in waiting a few days to see what is offered in the February update and for which purposes rather than setting WU to “Never” it could be set to “Notify but do not download or install” – that way it’s possible to see what is being made available and whether it’s checked or not.

      • #165874
        walker
        AskWoody Lounger

        @Woody:

        MS Defcon 3:

        This happened so fast that I’m hoping I’m not going to miss any “warnings”, etc.  It’s been so hectic that I know it’s going to be a nightmare trying to avoid the possible “bad patches”.   Is there a site that has “everything” on it for our MS Defcon3 information yet?  Thank you for getting the site more organized.    IMHO there are too many comments which do not add any information to share, rather that they are more about what is occurring with their own methods with their computers and everything takes up a lot of space and time for everyone to read.   Good Luck, and  hope the new method will help!   Thank you for all of your hard work!   🙂

        2 users thanked author for this post.
      • #165891
        Cascadian
        AskWoody Lounger

        @woody: MS Defcon 3: … Thank you for getting the site more organized. IMHO there are too many comments which do not add any information to share, rather that they are more about what is occurring with their own methods with their computers and everything takes up a lot of space and time for everyone to read.

        Walker, I know you addressed Da Boss; but as someone who did post a detailed description of hardware, process, and result, I felt I could respond with my motivation. The Outstanding Advice by all MVP’s here is clear, and uses specific language to make it apply to the widest range of cases possible. I hope you are able to find your correct course from their directions.

        The most useful benefit here is for people who have questions. And the more specific they can describe their computer, the more accurate the answers will be. Another benefit comes from comparing successful reports that support the original advice. If the accurate description of my system helps another reader to recognize their own details, and so decide the advice is good; then I feel I have helped, even if they never write a comment.

        If I have misunderstood the purpose of sharing results, both success and failure, then I apologize to you Walker, and others who have spent time on my non-question.

        4 users thanked author for this post.
        • #166060
          walker
          AskWoody Lounger

          @Paul:   I addressed the comments to Woody, although it’s really for all of us.  I welcome questions, and situations asking for help, and/or clarification.    We all learn from what we are having problems with.  No “dings” intended.  Your comments were well-taken, and understand exactly what you are referring to.    The exchange of information to help each other is beneficial to everyone, and in most instances the more data provided expedites the process.

          I, like many others, am “computer illiterate”, so in some instances these exchanges go “right over my head”.  Thank you for your excellent comments, they are very much appreciated.    🙂

          1 user thanked author for this post.
      • #165947
        dgreen
        AskWoody Lounger

        Windows 7 intel Centrino vPro group B. Novice and grateful AskWoody reader. I have Avast antivirus. How can I make sure that the reg key is allowed? I have looked over my Avast options and don’t see any mention of this function. Thanks!

        Here are the instructions for finding the key

        Ok, I just rechecked my computer regarding the above instructions.
        When I checked my computer when the instructions were first given, the result was I did have the “quality …” key there.
        This morning, it is not there.
        Other than ongoing updates of Microsoft Security Essentials definitions, and yesterday applying the January roll up patch and MSRT, oh and I did upgrade my Chrome browser to Vs 64 (2/2/18) that is all.
        Is something wrong here?

        Dell Inspiron 660 (purchased in 2013) just replaced hard drive in November 2017 and had Windows 7 reloaded.

        Windows 7 Home Premium 64 bit SP 1

        Server 2008 R2 x64

        Processor:  Intel i3-3240 (ivy bridge 3rd generation)

        chipset Intel (R) 7 series/C216

        chipset family SATA AHCI Controller -1 E02

         

        After new hard drive installed went to

        Group A

         

      • #165953
        PKCano
        Manager

        When I checked my computer when the instructions were first given, the result was I did have the “quality …” key there. This morning, it is not there. Other than ongoing updates of Microsoft Security Essentials definitions, and yesterday applying the January roll up patch and MSRT, oh and I did upgrade my Chrome browser to Vs 64 (2/2/18) that is all. Is something wrong here?

        MSE is supposed to set the key. The only thing I can suggest is to update MSE then reboot and check again. You can manually set the key (at your own risk, of course) but MSE should be compatible.

        1 user thanked author for this post.
      • #165964
        mazzinia
        AskWoody Lounger

        Well, I’ve something weird to report.
        I installed january group B security patches on win 7 x64, 2 days ago. The cpu is a xeon E5205 ( 2 of them ), and there’s NO microcode offered ( and doubt it’ll ever happen ).
        I have the pc under the SAME load daily, and weirdly I GAINED 10% cpu… I’m still very puzzled.

        Major gain was on skype.. before was sitting at 25% , now at most goes to 21 but averages at 19%

      • #165974
        dgreen
        AskWoody Lounger

        When I checked my computer when the instructions were first given, the result was I did have the “quality …” key there. This morning, it is not there. Other than ongoing updates of Microsoft Security Essentials definitions, and yesterday applying the January roll up patch and MSRT, oh and I did upgrade my Chrome browser to Vs 64 (2/2/18) that is all. Is something wrong here?

        MSE is supposed to set the key. The only thing I can suggest is to update MSE then reboot and check again. You can manually set the key (at your own risk, of course) but MSE should be compatible.

        Ok, I finally found it.
        Apparently the instructions were for Windows 10???
        I found it searching
        HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat
        and there it was!

      • #165977
        Seff
        AskWoody Plus

        Before anyone thinks they don’t have the registry key set, they should make sure they’re searching for “QualityCompat” (minus the quotation marks) as a single word. It’s too easy to think of it as two words but if you search for it as two words it won’t then be found.

        2 users thanked author for this post.
        • #166000
          anonymous
          Guest

          I have AVG free and an old version of MB pro (1.62.0.1300) working on my i5-750 machine with win 7 32 ultimate. Did the search for the key and found:

          REG_SZ (valor no establecido)
          cadca5fe-87d3-4b96-b7fb-a231484277cc
          REG_DWORD 0x00000000 (0)

          So I plan to install KB4055532, KB 4056568 and KB 4056898, all for 32 bit.
          Question is if this procedure is right.

          Thanks in advance, Mónica

          Edit to remove HTML.
          Please convert to plain text (.txt) before cut/paste
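The registry check discussed in the posts above, as an added example that is not part of any post in this thread. The key path, value name, type and data are the ones quoted by the posters; the helper name `Test-QualityCompat` is hypothetical, and KB4056894 is used as the rollup ID because the thread names it as the Windows 7 January Monthly Rollup.

```powershell
# Added example (not from the thread). Test-QualityCompat is a hypothetical helper name.
# Key path, value name, type and data are taken from the posts above.
# Written to run on the PowerShell 2.0 that ships with Windows 7.
$KeyPath   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat'
$ValueName = 'cadca5fe-87d3-4b96-b7fb-a231484277cc'

function Test-QualityCompat {
    param(
        [string]$Path     = $KeyPath,
        [string]$Name     = $ValueName,
        [string]$RollupId = 'KB4056894'   # Win7 January Monthly Rollup, per the thread
    )

    $state = @{
        KeyExists       = $false
        ValueExists     = $false
        Kind            = $null
        Data            = $null
        FlagOk          = $false
        RollupInstalled = $false
        Reason          = ''
    }

    # Is the rollup already on the machine? Get-HotFix reports a non-terminating
    # error when the ID is absent, so silence it and test the result.
    $hotfix = Get-HotFix -Id $RollupId -ErrorAction SilentlyContinue
    $state.RollupInstalled = [bool]$hotfix

    if (-not (Test-Path -LiteralPath $Path)) {
        # Note the name is one word: QualityCompat.
        $state.Reason = 'QualityCompat key is missing; no antivirus has set the flag.'
    }
    else {
        $state.KeyExists = $true
        $key = Get-Item -LiteralPath $Path

        if ($key.GetValueNames() -notcontains $Name) {
            $state.Reason = 'Key exists, but the compatibility value is absent.'
        }
        else {
            $state.ValueExists = $true
            $state.Kind = $key.GetValueKind($Name)
            $state.Data = $key.GetValue($Name)

            if ($state.Kind -ne [Microsoft.Win32.RegistryValueKind]::DWord) {
                $state.Reason = "Value has type $($state.Kind); expected REG_DWORD."
            }
            elseif ($state.Data -ne 0) {
                $state.Reason = "Value data is $($state.Data); expected 0x00000000."
            }
            else {
                $state.FlagOk = $true
                $state.Reason = 'Flag is set as expected.'
            }
        }
    }

    New-Object PSObject -Property $state
}

# Show the result for this machine.
Test-QualityCompat | Format-List
```

`FlagOk = False` together with `RollupInstalled = False` matches the situation several posters describe, where the rollup is not offered until an antivirus product sets the flag.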

      • #166008
        PKCano
        Manager

        I have AVG free and an old version of MB pro (1.62.0.1300) working on my i5-750 machine with win 7 32 ultimate. Did the search for the key and found: REG_SZ (valor no establecido) cadca5fe-87d3-4b96-b7fb-a231484277cc REG_DWORD 0x00000000 (0) So I plan to install KB4055532, KB 4056568 and KB 4056898, all for 32 bit. Question is if this procedure is right. Thanks in advance, Mónica

        The information on the Registry key is here.
        If it is present, for Win7 you should install KB4073578 (security-only), KB4056568 (IE11) and KB4055532 (.NET Rollup)

        KB4056898 is for Win8.1

        You can download from AKB2000003 on this site

        2 users thanked author for this post.
        • #166022
          anonymous
          Guest

          Thanks so much, PKCano, Mónica

        • #166371
          walker
          AskWoody Lounger

          @PKCano:   Out of those listed I have only one in my pending updates, and that is  KB 4055532.   I do not have any of the others.   I am Win7 x64, Group A.  I think that is the only one that I would need (Security and Quality Rollup for .NET Framework (goes to 4.7.1) on Win7 and server2008 R2 for x64).  I think this would be the way to proceed with this KB (I hope).  Thank you for your guidance on this.

      • #166016
        anonymous
        Guest

        Pensioner Lady here again….

        Thank you Seff. Your interpretation of my problem is correct.  I have 2 PCs and the one I was referring to is my laptop (running Windows 7 Home Edition and Avast AV free edition) which I use as a ‘test’ machine each time we get to DEFCON 3.  I have checked using regedit.exe and the registry key has not been set which is presumably why I am not getting the Monthly Rollup. I will follow your advice for which I thank you.

        My second machine is a Lenovo desktop running Windows 7 Pro and Avira AV.  The registry key appears to be set for that so I am going to bite the bullet and try to install updates on this machine………..fingers crossed……

         

         

         

      • #166064
        CraigS26
        AskWoody Plus

        FWIW, I’m OK now but had to Image back to an hour earlier after Re-Start Stuck (gave-up after 30 min) on “About to install updates – Don’t Turn-off computer”. I had Inst’d All Chk’d Importants – EXCEPT –  .NET Rollup for 4.7.1.

        Today I Inst’d in separate segments: (1) KB 4056894 W-7 Qual Rollup, then (2) [5] Office 2010 + MSRT, then (after Image Incr) (3) KB 4055532 Quality Rollup NET Frmwk 4.7.1.

        (Jun ’12 Gateway – Best Buy) With Sandy Bridge = No Intel Help …  I presume I’m operating at a self-imposed risk, anyway, until I get a new computer. Good luck to All!

        W10 Pro 20H2 / Hm-Stdnt Ofce '16 C2R / HP Envy Desktop-Ethernet/ 12 GB / 256G SSD + 1 TB HDD / i5-8400 Coffee Lake/ GP=2 + FtrU=Semi-Annual + Feature Defer = 1 + QU=0

        2 users thanked author for this post.
      • #166080
        Cascadian
        AskWoody Lounger

        @paul: I addressed the comments to Woody, although it’s really for all of us. … No “dings” intended. … much appreciated.

        I also assume public comments are for public reply, like an open letter. Glad you intended that way as well. No ding received. Only I felt the urge to explain a bit for you, in response. Cheers! Enjoy the day.

        Fast edit to remove smiley from Quote box. It displayed in five inches (13cm) and I feared it would be taken as sarcasm not intended.

        1 user thanked author for this post.
      • #166093
        Seff
        AskWoody Plus

        Pensioner Lady here again…. Thank you Seff. Your interpretation of my problem is correct. I have 2 PCs and the one I was referring to is my laptop (running Windows 7 Home Edition and Avast AV free edition) which I use as a ‘test’ machine each time we get to DEFCON 3. I have checked using regedit.exe and the registry key has not been set which is presumably why I am not getting the Monthly Rollup. I will follow your advice for which I thank you. My second machine is a Lenovo desktop running Windows 7 Pro and Avira AV. The registry key appears to be set for that so I am going to bite the bullet and try to install updates on this machine………..fingers crossed……

        You’re welcome, and good luck!

        I know the feeling, one of my desktops is an AMD Phenom II and they had problems with the January rollup so that it was first offered, then unchecked, then checked again. Today I too decided to bite the bullet and installed it – fortunately all is well thus far. Just the .Net Framework update to install in the next day or two (when there are problematic updates I prefer to keep them apart so that if anything happens I know which one caused it) and my January updating will be complete, my Intel machine having taken both those updates and the Office 2010 updates ok the other day (again, both machines are updated a couple of days apart in case of issues). The extra Office update that was offered yesterday is unchecked and will be reviewed as part of the February patches.

        I owe so much to Microsoft, as a Pensioner Gent if I didn’t have their updates to worry about I don’t know how I’d fill my time! Oh wait, I already have less free time now before thinking about the updates than I had when I was working full-time!

        1 user thanked author for this post.
      • #166107
        anonymous
        Guest

        Hi. My OS is Windows 10 PRO 64-bit version 1703. Since we are at MS-DEFCON 3, I disabled the quality updates deferral group policy which was set to 30 days. WU installed all the January updates including cumulative update KB4056891 but I have not received KB4057144 yet. Thus my build remains at 15063.850 when 15063.877 has been available for weeks. I have tried rebooting, checking for updates many times. My antivirus is Windows Defender and the “QualityCompat” registry key exists. WU thinks that my device is up to date. My CPU is Intel. Is KB4057144 just for AMD systems by any chance? Is anyone else having this problem please?

      • #166115
        PKCano
        Manager

        Hi. My OS is Windows 10 PRO 64-bit version 1703. Since we are at MS-DEFCON 3, I disabled the quality updates deferral group policy which was set to 30 days. WU installed all the January updates including cumulative update KB4056891 but I have not received KB4057144 yet. Thus my build remains at 15063.850 when 15063.877 has been available for weeks. I have tried rebooting, checking for updates many times. My antivirus is Windows Defender and the “QualityCompat” registry key exists. WU thinks that my device is up to date. My CPU is Intel. Is KB4057144 just for AMD systems by any chance? Is anyone else having this problem please?

        I got KB4057144 on an Intel machine through WU for my Win10 1703.
        Settings: Feature updates = 365, quality updates = 0, no pause
        Group Policy: Windows Update = Notify download/install (2), Delivery Optimization Enable = 99 (HTTP, no peering, no DO)

      • #166187
        anonymous
        Guest

        Update from Pensioner Lady

        Have installed KB4055532, KB4056894, and KB4033342 individually on my Lenovo Desktop (Windows 7 Pro and Avira AV) without any problems.

        Will tackle my troublesome laptop updates over the weekend.

        Thank you so much for the folks who take the trouble to answer questions on this site. As an ordinary (non techie) user but one who likes some control over what is being downloaded onto her machines, your help and advice is invaluable.

        • #166373
          walker
          AskWoody Lounger

          @Pensioner Lady:  Noted that you installed KB 4056894 with no problems on your desktop computer.  I had seen a few issues with some users,  however yours appeared to be successful.   I think the last comment about this KB was for your laptop only?

      • #166222
        anonymous
        Guest

        Pensioner Lady further update…

        Tried again on my laptop but still no Rollup being offered. Uninstalled Avast AV and turned on Windows Defender … still no update offered and on checking regedit.exe still no ‘key’. Closed Defender and installed Avira AV and voila…. I now have updates…..

        2 users thanked author for this post.
      • #166234
        PKCano
        Manager

        Pensioner Lady further update… Tried again on my laptop but still no Rollup being offered. Uninstalled Avast AV and turned on Windows Defender … still no update offered and on checking regedit.exe still no ‘key’. Closed Defender and installed Avira AV and voila…. I now have updates…..

        The later version of Avira set the Registry key for you.

      • #166446
        anonymous
        Guest

        Walker – Pensioner Lady here

        Yes – Lenovo Desktop was no problem.  I wasn’t getting offered any monthly rollup for my laptop but was offered KB4056894  after changing AV from Avast to Avira (the new 2018 edition). The download and installation on both machines was fine.

         

         

      • #166818
        anonymous
        Guest

        BSOD’d  after KB4058258. An elder friend’s HP Notebook i3-7100U running Win 10 home x64 1709 (16299.192).

        “inaccessible boot device”

        Restore to pre-KB4058258 restore point (and then one older one) claims success, but still un-bootable.
        Same update same day on his wife’s HP and my Dell, with no apparent problems.

      • #167108
        Northwest Rick
        AskWoody Lounger

        G’day!  I seem to have survived yesterday’s Jan 2018 updates for Win7 (AMD desktop) & Win10 (Intel laptop) without incident.  What prompts me to write today is Woody’s observation for Win7 patches in his Feb 5 “snake oil” column (not the first appearance):

        “…the privacy path’s getting more difficult. The old “Group B” – security patches only – isn’t dead, but it’s no longer within the grasp of typical Windows customers.”

        Let me be clear:  I am not nitpicking.  I am, however, genuinely puzzled.  Follow…

        Back in the day (1990’s) I was considered to be the “tech genius” in our small low-tech office, people frequently coming to me for help untying their computer knots more creatively than pitching a shoe at their screens.  I was the senior engineer, so no surprise there.  Not a computer or electrical engineer, mind you, but when there is a “P.E.” after your name, people expect you to know how to do everything from designing a bridge to fixing a malfunctioning vacuum cleaner or can opener.

        I had acquired basic DOS literacy, so I was able to solve 90% of my colleagues’ problems, but I was embarrassed by the adulation which followed, repeatedly pointing out that “I just know 10% more than YOU do, which just makes me SEEM like a genius!”

        That gets me back to Woody’s observation.  Especially in the Windows era, I consider myself a “typical” user – a Group B refusenik, yes, but otherwise typical.  It seems to me, Woody and his compadres ( @PKCano, @MrBrian and others) have made the Group B option ridiculously easy, reducing it to a strictly paint-by-numbers operation.  Another memory that comes to mind is the hall floors of the famous Oakland Induction Center (the gateway to the infamous Vietnam War when I walked them), which were densely painted with multi-color arrows leading hither and yon, so even the most mentally challenged among us could find their way to the next station in the induction process.

        So, all I do is list my installed updates (Control Panel>Programs>Programs and Features>Installed Updates) to confirm I am up-to-date before I start, find the new updates in @PKCano‘s AKB 2000003, follow the crystal-clear steps, and voilà – I’m done!

        What’s so difficult about that??  I am getting that uneasy feeling one gets just before discovering that he is doing it all wrong, and missing some essential step!

        If I am, I hope someone sets me straight pronto!

        If not, then Woody’s estimation of the “typical Windows customer” is either excessively low – or mine is too high!  🙂

        – Northwest Rick

        • #167202
          Elly
          AskWoody MVP

          Hello Northwest Rick,

          I, too, am Group B… and I find it quite simple to follow… but I’ve been doing it since its inception, here at the Lounge.

          Group B works well for people who want to avoid telemetry being added to their systems, or that need to avoid a particular patch that causes havoc on their Win 7 or Win 8.1 system.

          There was some concern that a fix for a security update might be included in the non-security updates. I don’t remember now how that worked out, but I continued doing only the security updates and have had no problems.

          Then there is an issue of having to either hide or install all available updates before certain (servicing stack?) updates are even offered through Windows Update… and every month you need to make sure everything is installed or hidden, and run Windows Update one more time, to see what shows up. MrBrian spent a lot of time testing and figuring it out. He made it relatively easy for us, but it was a lot of work for him.

          Group B has to update IE separately, but Group A has it updated automatically. Yes, they provide the links, but it is one more thing that makes it more complicated, or that someone could forget to do.

          It can be difficult for some people to understand that there was a particular time that the rollups started, and that they can’t just skip back and forth between the Monthly Quality and Security Rollups and the Security only updates and get the results that they are expecting. Once a Group B computer is updated with the Monthly Quality and Security Rollup, it is Group A. The reverse is not true. Microsoft made it confusing by having ‘Security’ in the name of both updates. Rollups are Group A… unless we are talking about .Net… See… it gets confusing to explain.

          Then there are the people who come here recently, and like the idea of Group B updating, having stopped updating entirely for some time, or having regularly updated with the Rollups… It can be done/undone… but it is time consuming and every monthly security update has to be installed… and it is relatively easy to accidentally skip this or that and have less than a fully updated machine, and not even know it. There are 100’s of updates if you decide to do a clean install, and start back from scratch, and you don’t install certain updates to avoid the telemetry, so you have to pay attention… and all those KB numbers can make your head spin. So, it takes some commitment.

          It is a lot easier to tell people to join Group A and  just install the latest cumulative rollup and be done with it.

          That said, the MVPs do an outstanding job helping people find their way… even us, the more difficult to explain and support, Group B types.

          Non-techy Win 10 Pro and Linux Mint experimenter

          4 users thanked author for this post.
          • #167264
            Northwest Rick
            AskWoody Lounger

            G’day Elly,

            Thanks for addressing my perplexity. You managed to be both thorough and brief, a balance I strive for myself, alas with mixed results. Though I realize that we live in an age of severely truncated attention spans, most things worth discussing simply cannot be reduced to a bumper sticker.

            The important thing is, no one has so far told me: “RED ALERT! You skipped Step X!” I suspected much of what you have suggested, but I wanted to hear it from an independent source. Thank you for volunteering! 🙂

            The problem with saying an option isn’t dead but becoming progressively more difficult is, it strongly implies an eventual demise. As is usually true, it isn’t that simple, no?

            For those of us who are charter members since inception, and have faithfully kept our devices current according to that option, Group B seems to be internally sound and healthy. The only threat to its viability that I am aware of is external: if M$ stops offering complete security-only versions of monthly updates. So I would suggest, we should not be referring to it as “not dead”. It’s misleading. Those of us currently walking the planet aren’t dead either, and even though that may be our ultimate destination, most of us are focused on enjoying the vital and vibrant present, not morosely obsessed with the end game.

            But as you rightly point out, Group B is a considerably more complicated option for Johnny- and Mary-come-latelies, including followers of Group W. If they stopped updating long before the inception of Group B, they would have to follow the installation sequence laid out and maintained in @PKCano‘s AKB 2000003 step-by-step, in chronological sequence, cognizant of the fact that these are incremental, not cumulative, and cannot be skipped or omitted. Yes, that makes it more difficult, but neither impossible nor hopeless. If I were in that position, I would view it as an effort worth undertaking and roll up my sleeves, rather than moaning “woe is me!”

            Similarly, if some members of Group A (formally or not) suddenly determine themselves to be on the “wrong” track (a subjective, not objective judgment), and decide to switch to Group B, that door is not closed either. As you also point out, they would have to uninstall rollups back to Group B inception, then do what is described in the previous paragraph.

            I don’t know about you, but I have never been defeated by the mere difficulty of an undertaking I determined to be either worthwhile or essential (sometimes both). It’s a question of personal choice, not one of being thwarted by a daunting obstacle, no?

            So, perhaps monthly Group B instructions should begin with something like this:

            “The Group B option works well for those who have followed it since inception, but because manually processed security-only updates are not cumulative, and must be installed in chronological order, it is not possible to jump in at any time. Those considering switching to Group B must either have stopped updating before inception, or must first uninstall any rollups processed since inception.”

            You are quite right that Woody’s team continues to provide yeoman service in the background. I have consistently acknowledged this in my periodic comments, even backed up my appreciation through periodic monetary contributions to askwoody.com. But I am pretty sure that references to degree-of-difficulty are warnings to end users, not attempts to generate sympathy for the team itself, who after all are professionals, no?

            Thanks again for sharing your thoughts with me Elly. May fortune continue to smile on us in Group B. Cheers! 🙂

            – Northwest Rick

      • #167122
        MrBrian
        AskWoody_MVP

        So, all I do is list my installed updates (Control Panel>Programs>Programs and Features>Installed Updates) to confirm I am up-to-date before I start, find the new updates in @pkcano‘s AKB 2000003, follow the crystal-clear steps, and voilà – I’m done!

        What’s so difficult about that?? I am getting that uneasy feeling one gets just before discovering that he is doing it all wrong, and missing some essential step!

        There is specialized advice for the January 2018 updates.

        1 user thanked author for this post.
        • #167153
          Northwest Rick
          AskWoody Lounger

          All caveats have been observed.  Do you mean antivirus-compliant registry entry and chip maker awareness?  Confirmed those a month ago, when the Spectre/Meltdown issue first emerged.

          Maintaining a current system image as a fall-back, not placing a check next to unchecked items, avoiding anything marked “Preview” and avoiding telemetry or driver-related updates?  Those have been standing guidelines for some time already.

          Avoiding firmware patches was part of an alert from Woody (“Belay that order!”) weeks ago, (not that I needed it – my default position is “don’t do it before consensus develops!”)

          Anything else?  Thanks!

          BTW, Woody’s assessment regarding the “difficulty” of the Group B approach predates all of these complications, so remains a head-scratcher for me…

          1 user thanked author for this post.
      • #167157
        MrBrian
        AskWoody_MVP

        All caveats have been observed. Do you mean antivirus-compliant registry entry and chip maker awareness?

        Yes, and for Windows 8.1 there is an additional “PIC and APIC interrupt controllers” issue.

        2 users thanked author for this post.
      • #167247
        MrBrian
        AskWoody_MVP

        It can be difficult for some people to understand that there was a particular time that the rollups started, and that they can’t just skip back and forth between the Monthly Quality and Security Rollups and the Security only updates and get the results that they are expecting. Once a Group B computer is updated with the Monthly Quality and Security Rollup, it is Group A. The reverse is not true.

        There is no problem that I am aware of with switching from Group A to Group B. Windows monthly rollups can be uninstalled if they are no longer wanted.

        2 users thanked author for this post.
        • #167734
          Elly
          AskWoody MVP

          I wasn’t saying that you can’t switch back to Group B, only that as long as there are rollups installed, and you start installing the Security Only updates, you aren’t accomplishing what Group B is for… unless you are only trying to avoid a particular update going forward. The rollups install telemetry…

          Non-techy Win 10 Pro and Linux Mint experimenter

          • #167743
            MrBrian
            AskWoody_MVP

            The rollups install telemetry…

            The Windows monthly rollups, as well as some other updates, install Diagnostics Tracking Service, but it’s KB2952664 (Win 7) and KB2976978 (Win 8.1) that are responsible for the telemetry that most here who are concerned about telemetry seem to care about. KB2952664 (at least in the older version(s) that I tested) does not need Diagnostics Tracking Service installed to send telemetry to Microsoft.

            • #167749
              Elly
              AskWoody MVP

              Does that mean the Diagnostics Tracking Service as installed by the rollups doesn’t send info back to Microsoft unless KB2952664 (Win 7) and KB2976978 (Win 8.1) are installed?

              Non-techy Win 10 Pro and Linux Mint experimenter

              • #167751
                MrBrian
                AskWoody_MVP

                Does that mean the Diagnostics Tracking Service as installed by the rollups doesn’t send info back to Microsoft unless KB2952664 (Win 7) and KB2976978 (Win 8.1) are installed?

                Some third-party programs can use Diagnostics Tracking Service to send telemetry. If not participating in Windows Customer Experience Improvement Program, then I didn’t find evidence that anything else within Windows 7 sends telemetry via Diagnostics Tracking Service, except for a little bit by KB2952664; reference: https://www.askwoody.com/forums/topic/care-to-join-a-win7-snooping-test/#post-21467.

                Here’s what I did regarding telemetry (Win 7):

                1. Be in Group A.

                2. Turn off Windows Customer Experience Improvement Program.

                3. Don’t install KB2952664.

                4. Don’t install KB3021917.

                A topic that may be of interest: Care to join a Win7 snooping test?

                 

                3 users thanked author for this post.
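A read-only check of steps 2 to 4 in the list above, as an added example that is not part of MrBrian's post. The KB numbers are the ones named in the thread; the `CEIPEnable` registry locations and the `DiagTrack` service name are assumptions about a stock Windows 7 install, and step 1 (being in Group A) is not checked.

```powershell
# Added example: read-only audit of the telemetry steps listed in the post above.
# KB numbers come from the thread; the registry paths and the DiagTrack service
# name are assumptions about a stock Windows 7 install. Works on PowerShell 2.0.

function New-Check($Name, $Value, $Wanted) {
    New-Object PSObject -Property @{ Check = $Name; Value = $Value; Wanted = $Wanted } |
        Select-Object Check, Value, Wanted
}

function Get-CeipEnabled {
    # A Group Policy value, if present, overrides the per-machine setting.
    $paths = 'HKLM:\SOFTWARE\Policies\Microsoft\SQMClient\Windows',
             'HKLM:\SOFTWARE\Microsoft\SQMClient\Windows'
    foreach ($path in $paths) {
        $item = Get-ItemProperty -Path $path -Name CEIPEnable -ErrorAction SilentlyContinue
        if ($item -and $null -ne $item.CEIPEnable) { return [bool]$item.CEIPEnable }
    }
    return $null   # value absent: the setting was never written
}

# Get-HotFix lists installed updates only; hidden or declined ones never appear.
$installed = @(Get-HotFix | Select-Object -ExpandProperty HotFixID)

$report = @()
foreach ($kb in 'KB2952664', 'KB3021917') {
    $report += New-Check "$kb installed" ($installed -contains $kb) $false
}
$report += New-Check 'CEIP enabled' (Get-CeipEnabled) $false

# Informational: Group A rollups install this service, so it is expected here.
$svc = Get-Service -Name DiagTrack -ErrorAction SilentlyContinue
$svcState = if ($svc) { $svc.Status.ToString() } else { 'not installed' }
$report += New-Check 'Diagnostics Tracking Service' $svcState 'n/a'

$report | Format-Table -AutoSize

# Anything that differs from the wanted state (or could not be read) needs review.
$review = @($report | Where-Object { $_.Wanted -ne 'n/a' -and $_.Value -ne $_.Wanted })
if ($review.Count -eq 0) {
    'All checked steps match the list in the post.'
} else {
    $review | ForEach-Object { "Review: $($_.Check) = $($_.Value)" }
}
```

A `CEIP enabled` row with an empty value means neither registry location holds the setting, so it is listed for review rather than treated as off.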
      • #167249
        Cascadian
        AskWoody Lounger

        G’day! I seem to have survived yesterday’s Jan 2018 updates for Win7 (AMD desktop) & Win10 (Intel laptop) without incident. …
        Let me be clear: I am not nitpicking. I am, however, genuinely puzzled. Follow…
        What’s so difficult about that?? I am getting that uneasy feeling …
        If not, then Woody’s estimation of the “typical Windows customer” is either excessively low – or mine is too high!

        Glad it all went well for you, Rick. And I do believe you are doing it correctly. Many of the ‘difficult’ things flow right by you from familiarity.

        But Woody writes his tips for both you and FamilyMan here, and many others besides. Needing to meet everyone’s needs might lead to generalizations. You have the experience and skill to perform the monthly task with no problem. FamilyMan may have just as much knowledge and skill, but lacks experience in the AskWoody jargon and presentation style. Others may not approach the same skill or comfort level.

        The phrase that troubles you could be the phrase that gives these folks hope in the middle of a hopeless mess. They may be looking for the simple way to get this tedious process done and move on to life away from the silicon pile. It is good that you do not find it tedious. But I have seen fear in their eyes, and anguish in their voice disappear after reading Woody. He communicates in a way that I cannot. And I am glad that he has helped people recover sanity. Some are people that I only got from one month to the next, never succeeding to make them feel they could do it themselves. Now they do.

        1 user thanked author for this post.
        • #167288
          Northwest Rick
          AskWoody Lounger

          Hey Cascadian,

          I do realize that a range of abilities is being addressed, but IMHO discussion about Group B has been unnecessarily pessimistic.  You may recall, Woody opened up a topic about the very viability of Group B a while back.  That did not leave me feeling warm and fuzzy!  When people start questioning whether something is viable, one starts looking to see if the undertaker is rolling up the driveway!

          I have never had much affection for the Windows interface (I actually preferred DOS);  I have grown comfortable with Win 7, but I positively loathe Win 10.  So I haven’t given much thought to the inner workings of either one.  In that sense, though I may have a problem-solving nature and peripheral abilities, I too rely on advice I find here.

          Group B seems to me to be a good response to relentless snooping by M$, one that appears to be working well, so I have trouble understanding why its drawbacks rather than its benefits continue to be emphasized.  I don’t see that to be a necessary element of addressing a broad audience.

          For me, the fallback option is not Group A, but Group W.  If Group B is allowed to wither on the vine, I will be forced to shift to post Win 7 support mode sooner than expected.  I know that day is coming, I just don’t see why we have to rush it.

          But hey, mine is just one opinion among many!  I don’t expect to win every battle, but I am not one to remain passive or silent when I sense the tide turning against my preferred outcome.  Cheers!

          -NR

          2 users thanked author for this post.
          • #167298
            Cascadian
            AskWoody Lounger

            Hi Northwest Rick,

            I hope I did not read as dismissive; I meant to add inclusion of others rather than diminish your opinion. I do remember Woody’s actively seeking opinions of his trusted readers on the utility of GroupB. And I think many voices were heard. That is specifically why Woody continues to acknowledge the option and link to the appropriate directions. If there was a battle for continuation of GroupB, consider it won not lost.

            Similar to your personal story, I wanted to offer the story of three specific people that I rolled into one short line, because they are unlikely to share their own experience. I don’t throw the word guru around much, and I hope Woody’s not too humble to hear it. To the kind of person whose eyes glaze over when I step them through while they move the cursor around, there is a relief that is visible when they read a guru say this is difficult stuff. It doesn’t matter if a mere mortal like me reassures them. Reading it on Computerworld and linking to AskWoody gives them the feeling that this is a website they can trust. Woody has a flair for expression that reaches these people.

            I do use GroupA currently. And I do mean currently. When Microsoft sets something I do not want, I can wait until they convince me (MSDefcon), or opt for the pieces I do want (GroupB), while waiting for them to figure it out. At this current point, with my Win7, I am not convinced that GroupB excludes anything I have not already addressed through other means. Therefore I take advantage of the internal checklist available through Windows Update, and GroupA, when I choose to allow updates. I can switch to GroupB to protect my system from a future flaw when one becomes apparent. It will not suddenly revert me to OCT2016, but I do not expect or demand that.

            I am happy that the GroupB method continues to be curated. If I need it, it is there. Returning to your ocean waters, you are a strong swimmer, and should be able to hear the lifeguard advise the nervous paddlers about the strength of the surf because they need the reassurance. They like knowing someone is looking out for them. It gives them the courage to learn to become a stronger swimmer themselves.

            1 user thanked author for this post.
          • #167310
            Cascadian
            AskWoody Lounger

            Hi again Northwest Rick,

            Staircase thoughts. They happen to me all the time. It is a separate point from my prior item, so commenting separately.

            I realized I failed to address your very first line “I do realize that a range of abilities is being addressed…” There is an error there that can be dismissive to others, and they may not let you know. I am sure you do not intend it that way. And I hope I did not perpetuate it myself.

            The choice to follow GroupA or GroupB might hinge on ability. But I believe there are people far more capable of making silicon sit up and bark while serving me a nice cup of coffee, and getting Jimmy out of the well. And they are choosing to use the GroupA method. I do not think it is lack of ability that drives their choice. Rather, a choice of comfort, expediency, or a knowledge-based decision to receive the complete package on offer, because it meets their requirements.

            Every system and user may have unique requirements. There may also be a significant amount of overlap. Cheers to you as well.

            1 user thanked author for this post.
      • #164960
        PKCano
        Manager

        Read #164935

        It says very clearly the answer to your question.

        1 user thanked author for this post.
      • #164967
        MrBrian
        AskWoody_MVP

        It’s probably ok for everybody in Group B to use KB4073578 as your January 2018 Windows security-only update for Windows 7, and KB4077561 as your January 2018 Windows security-only update for Windows 8.1. Caveat #1: These updates have the Spectre/Meltdown fixes, so even these updates have the potential for serious compatibility issues with your antivirus software. Caveat #2, as is always the case with any update, it’s an open question if there are problems with these newer updates that the older updates don’t have.

        6 users thanked author for this post.
      • #165243
        The Surfing Pensioner
        AskWoody Plus

        Torture test? I can’t say I’ve been inconvenienced at all, largely thanks to the excellent advice I’ve picked up on this site. Just slightly mazed at the angst expressed by so many. But I do hide everything I don’t want to install – I understand from MrBrian that’s the only way forward if you’re in Group B – so my WU is very tidy. Rather a lot got hidden, this month.

        3 users thanked author for this post.