News, tips, advice, support for Windows, Office, PCs & more
Home icon Home icon Home icon Email icon RSS icon

We're community supported and proud of it!

  • MS-DEFCON 3: Time to get the first post-patchocalypse patches patched

    Home » Forums » AskWoody blog » MS-DEFCON 3: Time to get the first post-patchocalypse patches patched


    Patching Windows 7 and 8.1 has turned a bit more complex than it once was. Basically you need to choose between Group A – the folks who install everyt
    [See the full post at: MS-DEFCON 3: Time to get the first post-patchocalypse patches patched]

    Viewing 426 reply threads
    • #24990

      I am still running 1511. I don’t understand “If you’re still on the Fall Update, version 1511, I say stay there until Microsoft gets a better version of the Anniversary Update, version 1607.”

      I was told on a MS Website that the 1607 that I might download today is identical to the version that I might have downloaded in August and that all changes are included in subsequent KBxxx updates. Hence I do not understand waiting for a “better version” if they are all the same.

      Does, in fact, 1607 itself change over time?


    • #24993

      Yes. 1607 has had eight cumulative updates. I think the ninth will finally be the charm.

    • #24994


      I notice that you don’t mention the option of not patching at all. (Group C/W)

      I can see why it would be complicated to suggest this pathway to the general public as a viable way forward.

      But have you decided you would not even recommend the C/W pathway to advanced and/or brave Windows users?

    • #24995

      Okay so should I install the preview rollup? Any reported problems? I want to run it by you first Woody.

    • #24996

      Thanks Woody

      Win7 x64 Group B here.

      File downloaded and installed without problems. Checked system files which validate correctly.

      After adding in the .net and Office patches I am still left showing KB3185330 (Oct quality rollup) as an important download and the optional preview.

      So it looks as if the monthly quality patch isn’t removed

    • #24997


      I am considering whether to be in Group B or C/W.

      If I wish to go with Group B, I would like to wait for another month (until late November) before I do *anything*, so I can see how going into Group B is working out for other people.

      Would waiting for another 4 weeks before joining any group, particularly in my case it would be joining Group B,
      be possible, and would it be relatively easy for me to “catch up”?

      Are the security-only update packages (which Group B will install) definitely going to be non-cumulative?

      If they are, would that mean that in late November (when you gave the OK for people to download November’s patches),
      for me to join Group B for the first time,
      I would just need to install October’s Group B patch and then November’s Group B patch, and then run Windows Update to pick up 2 months’ worth of Office updates, in that order?

    • #24998

      As a Win 7 user, I’m looking at the KB-3185330 Security Rollup, 119.4 Megabyte update in WU. Can I feel safe (or relatively safe) downloading and installing it? It has updates within it that are not labelled Security.

    • #24999

      A small typo in your InfoWorld post. You have a “Group A, Step 5” between “Group B, Step 4” and “Group B, Step 6”. Should be “Group B, Step 5”?

      Thanks, now off to update my Group B Windows 8.1 box…

    • #25000

      Thanks for responding, but I am sorry that I did not make myself clear.

      Are the eight cumulative updates contained in the 1607 that I might download today, or are the updates contained in the subsequent KBs that I would install after 1607 is installed?


      P.S. I hope your optimism is justified.

    • #25001


      If one goes to the MS Update Catalogue it seems the only search that returns a result is “october 2016”. If one puts in an exact KB 3192391 the response is…

      “We did not find any results for “KB 3192391″”..

      The can’t find an October Security Only Update??

      Are they serious?? First, it worked the other day with various search terms. Now, the only search term that seems to work is “october 2016” which returns 995 results.

      Maybe they should engage Google search to search their Update Catalogue for users.

      Good grief.

    • #25002

      Earlier this month, when I was experimenting with the patches, I tried two different scenarios.

      First case, I installed the security-only patches from the Catalog first, then the unchecked preview (I think Sept patchs KB3185278/KB3185279 were just called rollup) of non-security patches on Win7/8.1.

      Next, I reversed the order, with the non-security rollups first and the security-only second.

      In both cases, I was still offered the Security Monthly Quality Rollup (the combined security and non-security conglomeration) after the installation of the two separate patches.

      Just saying – those of you in Group B need to be alert when you go back to WU for the non-Windows patches.

    • #25004

      I had a different experience – installing the Security-only patch made Windows Update ignore the Monthly rollup – but I put copious warnings in the InfoWorld article.

    • #25007

      I had a very similar problem – which is why I recommend downloading directly from the KB article.

      I don’t know what’s wrong with Microsoft Update Catalog.

    • #25012

      The cumulative updates for Windows 10 are just that – cumulative. You don’t need to install all of them, just the most recent one.

      And, of course, even as we speak there’s a new cumulative update for 1607. Hang on, I’ll talk about it in InfoWorld in the morning.

    • #25016

      Woody, I used to have 3 pc’s on Windows 7 & 10 and now I have only 1 on Win 7; the rest I moved to Linux. It’s easier to learn a new OS than it is to have to deal with the fiasco of Microsoft’s privacy concerns. I will still follow you due to the Windows 7 PC I have and appreciate all that you do!

    • #25018


      Thanks,…it’s so hard to imagine they can’t get searches of their upate catalogue right!!

      Id they can’t get a search of their own databases right, what kind of confidence does that give a user to download and install these (large) updates without knowing what’s in them?

      I’m slowly sliding into Group W…and I don’t really even want to go there.

    • #25019

      Try removing the space between “KB” and “3192391”.

    • #25021

      I’ll be here!

    • #25022

      Tried to find where to download KB 3192391 from Win7 update history page(link in InfoWorld article) and have had no luck, Windows 7 64 bit laptop here and I’m all confused (more than usual) Help…

    • #25023

      Is this what I want?: October, 2016 Security Only Quality Update for Windows 7 for x64-based Systems (3192391)
      Sorry for posting twice, just nervous about this

    • #25024

      If you want to be in what Woody and others have labeled as “Group A,” i.e. willing to roll with Windows 7 telemetry/snooping/whateveryouwannacall it, then install it.

      I myself am firmly in the Group B camp, and after I installed the October 11 Security-Only Quality Update (KB 3192391), I checked Windows Update, and sure enough, there was KB 3185330, the “October, 2016 Security Monthly Quality Rollup for Windows 7 x64-based Systems,” coming in at just like you said, 119.4 MB. I unchecked it, and only installed 3 updates: a .NET update, the latest MSRT, and the latest Defender update. I don’t use M$ Office, so no updates there. Under the Optionals, the preview update was there, unchecked. Left it that way, rebooted after the 3 updates, and am happily back in my “Never Check for Updates” foxhole. 🙂

    • #25025

      Woody, thanks for the detailed instructions. I just installed the “Security Only Quality Update for Windows 7,” rebooted, and am in the process of doing a Windows Update scan. The scan seems to be going nowhere fast… do we still have to go jump through some other hoop(s) to get that to work (note: my scan was quick in September)? What is the latest procedure?

    • #25026

      I was reading Susan Bradley’s patch management letter for W8.1 and her recommendations seem to come down on the side of so-called Group A, i.e., install October patch KB3185331. I have been going back and forth between doing Group A or just installing the October security only patch. There are obviously pros and cons to each approach but the notion that pushes me toward Group A is a hunch that the security only option will be increasingly difficult to sustain through time because MS is notorious for not keeping the distinction between security and non-security updates perfectly clean. Telemetry points per se do not trouble me if their purpose is solely to provide info to understand and maintain OS integrity. Unfortunately MS poisoned the well for many folks with their GWX malware tactics and I feel that has tainted the decision making process on which fork in the road to take for future updating. I would be interested in others’ thoughts at this juncture.

    • #25027

      Great, detailed InfoWorld article, @Woody. Thank you.

      However, it’s too complicated for me on Windows 8.1, and I don’t trust Microsoft even for their security updates, so I’ll stay in Group W for now. Still working on getting Linux.

      I did download the October Flash update for IE 11. I can’t do without Flash. I’ve tried.
      I don’t use IE 11 normally, but just in case, and to try out the Update Catalog.

      Contrary to what some people have said, one must get the Flash update for IE from Microsoft and not from Adobe, or I would have got it from Adobe, as I do for Firefox and Opera.

    • #25028

      I noticed nothing is mentioned about the security only updates for .net framework. I’d rather install that than the rollup. I know some on here recommend the rollups but at this point unless it’s security only then my trust in them is all but eroded this past year.

    • #25029

      Never do Preview. It’s for testing only

    • #25030

      That is the whole wad – security and non-security. If you want the security-only you need to download it from the Microsoft Catalogue and ignore the one that saus Security Monthly Quality Rollup.

    • #25031

      Guess I’m taking Group A on my W7 Pro x64 notebook due to convenience purposes…

      Well I just installed all updates flagged as important, and after that one more update just popped up: KB3177467…

      The documentation doesn’t say much about it, so I’m not completely sure on what does it do… Should it be installed?

    • #25032

      I have an article in edit at InfoWorld at this moment. Unfortunately, it’s not clear-cut, but if you don’t use Bluetooth, you can get by with manually installing 3172605

    • #25033

      See the new InfoWorld article. It’s easier to download from the KB article. But yes, the patch you listed s there correct security only patch for 64 bit

    • #25034

      Also, make it a rule NOT to install any unchecked optional patches.

    • #25035


      For Windows 10 –Do not install 1607 Anniversary Update unless you absolutely have to or are intent on doing it.

      Woody has been advising we stick with the fall version 1511. Install the updates that he had us hide in the beginning of October for version 1511.

      He will give everyone a go-ahead to install 1607 at some point, but that point is not now.

      Those have been his general directions since the anniversary update version 1607 came out. Wait until version 1607 is stable and stick with version 1511.

      I don’t mean to be stepping on toes, but I don’t think Woody quite understood what you were asking. I don’t think one should necessarily take what Microsoft people say as the gospel.

      So far, for me anyway, Woody’s advice has worked perfectly.

      I do have to install the October updste for version 1511, but up until this point everything has gone smoothly that he has advised.

    • #25036

      @The Real Allan,

      re: “Contrary to what some people have said, one must get the Flash update for IE from Microsoft and not from Adobe”

      For Windows 8 and 10, people do have to get Flash updates from the Microsoft Update Catalog or Windows Update.

      However, for Windows 7, people obtain the Flash update directly from Adobe at:

      I go to that site to update the Flash on my Windows 7 computer every couple of weeks.

      (I don’t think that Windows 7 even has the option of receiving Flash updates through Microsoft.)

    • #25037

      FYI, I installed the security only update from the MS catalog last week, but I did get the security monthly quality rollup listed, but thanks to you Woody, I unchecked it and avoided being sucked into Group A. Many thanks!!

    • #25038

      See #4 above – David F at 3:17 today.

    • #25039


      The “Group B” rollup that Woody is telling people to install today IS security-only.

      There are several different rollups offered, so one must be careful when choosing which kb number to install, but the Group B rollup is said to only contain security patches.

      That is the whole point of there being a Group B path, to limit patching to security-only updates.

    • #25040


      Unless I am mistaken, I do think I saw something about the .net patch in Woody’s InfoWorld article.

      If I remember correctly, he tells Group B people to get that from Windows Update, after installing the Group B security-only update package manually.

    • #25041


      Try removing the space between “KB” and “3192391”.

      Searching the catalog with the space I got the result you did.

      Searching without the space I got six results for different versions of Windows 7 and Windows Server 2008 R2.

    • #25042


      I am disappointed to hear that after you installed the Group B security-only update package, your Windows Update scan is still slow!

      On another thread in the last week here, there was talk that the Windows Update scan would be fast after installing this month’s update package.

      (However, on that thread maybe they were talking about installing the security + non-security update package,
      and not just the security-only update package, which is what I was talking about on that thread.)

    • #25043

      Woody, Using Windows Update I typically uncheck everything, then check only the KBs I want to download after checking your websites and Susan Bradley’s articles/advice. With Msoft’s new system, I’m starting off in group B and am wondering:

      1)Will downloading/installing the security only KB trigger “creating restore point” before installing as Windows Update did in the past, or should we manually create a restore point prior to downloading the security only KB? (I realized we can still uninstall the updates, but having a restore point is reassuring.)

      2)Since we need to run “check for updates” via Windows Update to get Net, Office etc. why isn’t it OK to continue to choose “Notify but don’t download” rather than “Never check for updates” – is the latter the only setting that allows us to manually download the security KB from the Windows Update History page?

      3)Does starting in Group A physically preclude later using the Group B procedure when you say (in your 10/10 InfoWorld piece) that “there’s no way to move from Group A to Group B without completely reinstalling Win7 or 8.1” OR are you saying the only way to be totally “clean” of unwanted downloads is to reinstall the OS?

    • #25044

      Windows 7 64 bit windows server 2008 R2 x 64 Currently GROUP B…. Reporting in.

      I did the group B update per infoworld instructions. I actually downloaded to my folder then installed it. It went very well. Restarted computer and did a windows update scan which took about 3 minutes. The .net framework rollup was there and the kb3185330 (October 2016 security monthly quality rollup for windows was there both checked.
      I unchecked kb3185330 (per your instructions), I also hid it, and ran the net frame. Rebooted the computer.

      I went and checked the updates again and KB3177467 (service stack update) as important now appeared. If I remember correctly someone here said a few days ago that it was in the catalog it was now rated as critical. True?

      another thing….
      I had about 12 restore points (I checked before I did the updates) and they are all gone except the 2 created for todays updates.
      I know many don’t like system restore but I’ve used it a few times and happy to have had a restore point to go to.

      The other thing I wanted to ask is on the download pages of the KB articles, there was another download update for windows server 2008 R2 x 64 (which is what I have) with the same kb3192391 as the Windows7 64 bit update which is the one I downloaded. Am I suppose to download both packages?

    • #25045

      Seriously? This is very interesting if true.
      Because the other way around makes the Security Only required in WSUS.
      Not the same happens with the .NET patches which are handled correctly.
      I am wondering if they messed up the detection which is even more weird because the Security Only and Security Monthly have been revised twice, so now we are at the third version.
      For the first revision there is description that the supersedence was revised, while for the second revision, the same day, there is no description at all.

    • #25046

      Didn’t see a comment or recommendation on Update for MSE (KB4294525).

      Necessary? I’m leaning toward group W since it is all a bit much for little payback. MSFT has cause more trouble than help over the last year and half with updates and it doesn’t seem worth the effort anymore.

    • #25047

      Susan Bradley is right in her advice for minimising potential problems.
      Group B is not for end-users and Woody will end up supporting all those users who choose Group B as de facto system administrator of their systems, because there will be no support coming from Microsoft for a configuration meant to be used only by enterprises and even so only if they have special requirements.
      Otherwise, the Group B style of patching is correct for securing the systems, less so for making them reliable with minimal effort.

    • #25048

      If you’re already running 1607, there’s a servicing stack update, KB 3199209, which seems to be causing problems for some people. You’re probably better off avoiding it for now.

      I had problems with the servicing stack update KB3199209 which was looping during the installation.
      I ended up downloading and installing manually and it has been fine since then.
      You will have to install this update eventually and it is probably better to do the manual install if Windows update fails to install it. give it a go to WU first, n

      Note: Very important, install KB3199209 separately with reboots between installations.

    • #25049

      Without comparing the long list of files affected by the updates described by Microsoft in October’s KB3192391 and KB3185330, I cannot detect in Microsoft’s descriptions any difference between these two patches other than the inclusion in KB3185330 of fixes in KB3185278, September’s update rollup. In other words, for anyone who has already installed September’s update rollup, there is effectively no difference between installing KB3192391 and KB3185330. Am I thinking about this correctly?

    • #25050

      In my case, manually installing 3172605 did the trick. The subsequent scan for updates lasted only for 6 minutes.

    • #25051

      I installed the security-only patch(KB3192391) and after a quick scan for updates I was offered the Security Monthly Quality Rollup (KB3185339) as important and checked. So, I unchecked and hid it.

    • #25052


      Should everything be OK if I wait and deal with everything in a couple days when I’m over my cold? Is there anything that needs patched right away? Thanks in advance.

    • #25053


      Here’s the scenario…W7…
      User does the .NET Security Rollup for October.
      No Security Only Update and no Monthly Rollup.

      Come November patch Tuesday, will a speed up patch 1- be needed for a Windows Update check, 2- if a speed up patch is needed would it have been in October’s Security Only Update or the Monthly Rollup?

      My “hope” is that there will be no further need for speed up patches…care to venture a guess how this will go down going forward?


    • #25054

      With regards to speeding up the scan, if I just install KB3020369 (April 2015 servicing stack update for win 7) without KB3172605, will this speed up the scan even a little?

    • #25055

      As much as I hate to admit it, it’s looking like I’m gonna be in the A Group. I do have Office 2010 and that bleepin MS Update Catalog is a mess and a real hassle to use. If I have problems and I have to, I’ll uninstall the whole Rolled up update completely. Man what a mess.

    • #25056


      My article on KB 3172605 just passed edit at InfoWorld. It should be out shortly. I suggest you wait until it’s published before hassling with slow scans – there are some quirks.

    • #25057

      Apparently the fix that’s now available will continue to work. More info tomorrow, when InfoWorld publishes my article on the topic.

    • #25058

      Nothing needs to be patched right now. Avoid IE and Edge, and don’t open any RTF files of questionable pedigree with Word. You’ll be fine.

    • #25059

      That’s what I was worried about.

      You did the right thing!

    • #25060

      That appears to be the case. We’re just now starting with the new method, so in the future things may not work the same way.

    • #25061

      Well put and so noted.

    • #25062

      I’d be interested in hearing from other folks what they think about it.

    • #25063

      I was looking for it, and I didn’t see the patch. But many people have reported otherwise – that the Monthly Rollup appears in Windows Update, even after the Security-Only Update it installed – so I’m beginning to doubt what I saw.

    • #25064

      1) I don’t know.

      2) You can use either. They’re both functionally the same.

      3) When you switch from Group A to Group B, any unwanted patches installed while you were in Group A will still be there.

    • #25065

      True, the Group B patch is the Security-only update. But it’s important to note that it isn’t a rollup. Only the Monthly Rollups are “rollups.”

    • #25066


      There’s a new cumulative update for 1607, released just a couple of hours ago. I’ll be testing it tonight, report on InfoWorld in the morning.

    • #25067

      So, even for Group B folks, why bother to go through the manual update this month? (Next month may be different).

      Here’s my argument (rebuttals will be appreciated).

      For October, WU offers KB3185330 (“monthly rollup”), whereas the “security only download” is labeled KB3192391 (“security only”). But both of them apparently contain exactly the same collection of patches, to wit:

      MS16-101 Security update for Windows authentication methods
      MS16-118 Cumulative security update for Internet Explorer
      MS16-120 Security update for Microsoft graphics component
      MS16-122 Security update for Microsoft video control
      MS16-123 Security update for kernel-mode drivers
      MS16-124 Security update for Windows registry
      MS16-126 Security update for Microsoft Internet Messaging API

      Given that there’s nothing in KB3185330 that isn’t also in KB3192391, why shouldn’t Windows 7 Group B partisans just use WU this month, with “Give me recommended updates” UNCHECKED? That should deliver exactly the same patches that the manual download would deliver, plus additional (“important” .NET and Office patches that Group B folks would be looking for anyway, even if they first installed KB3192391 manually.

    • #25068

      Woody has already been acting as “de facto system administrator” for everyone who follows him here by issuing his MS Defcon status, so I don’t see what’s new.

    • #25069

      Ok,I admit I am a dummy. I am confused. I’m ready to throw in the towel and join group A, strictly for convenience. I am running win7x64 pro.

      If i go to control panel/windows update, I have two Important updates (checked). They are
      KB 3188740, (Oct. security and quality rollup for .net etc) and
      KB8318330 (Oct. security monthly quality rollup etc.

      Can I just click OK and download from here? Your infoworld instructions are much more complex, and frankly, I feel totally overwhelmed. Ready to simply ignore all updates until my machine explodes.

      What to do? Thanks.

    • #25070

      Really advanced users always update. 🙂

    • #25071

      But the thing is the .net framework update in windows update is a rollup. People should be aware that there is a separate security only .net framework update, as shown here – (about half-way down the page)

    • #25072

      I see, I might have misunderstood what T was saying.

      Apologies, T!

    • #25073


      In your InfoWorld article, is there a reason why you instruct Group B, Step 7 to install Security and Quality Rollup for .NET Framework (KB3188740) (via WU) instead of the Security Only for .NET Framework (KB3188730) (manual)?

      Choosing Group B, I feel compelled to install the Security Only one, yet I’m also one to follow instructions exactly. So I will hold-off on the .NET one until I’m less confused.

      By the way, I only learned of “this game” and of you and your work this October, and I feel as if I discovered a goldmine. THANK YOU Woody, for helping me and likely millions of other people.

    • #25074

      I have September’s updates installed, and now October’s Security-only patch. It still wants me to install the Quality and Security updates through Windows Update – which shouldn’t happen.

      I’m assuming this will be a revolving issue going forward, and leads me to believe there’s some unpublished hidden garbage and/or changes in the WU patches since they’re trying everything to get me to take them. (Win7 x64 Pro systems here)

    • #25075

      I do not feel that Woody has quite that much responsibility to the readers of his articles who chose to follow his advice (any of his advice about anything),
      for him to be seen as the “de facto system administrator” of thousands of strangers’ computers.

      It’s up to each one of us to understand enough about what Woody is saying to know why he is advising something and why we are choosing to follow that advice.

      Except for uncontrollable things that *Microsoft* forces onto our computers, everyone who owns their own computer (not a company-provided or school-provided one) must assume that anything they do with their computers is of their own volition and at their own risk.

      Other computer experts, and ordinary users, from around the world, who have no particular ties to Woody and who may not even normally read his articles, will also be trying to follow a Group B approach, because it is merely a logical and prudent approach in many ways. The fact that it was a natural idea that various people had thought of for themselves was clear even in Nathan Mercer’s Q&A from weeks ago.

      I wrote last week of Woody,
      “We should not need an external Woody figure (who investigates, translates, distills, and instructs) to keep our simple, bedded-in, home-user systems running without major derailments. But we do need one, and we are lucky that we have him,”
      but that doesn’t mean that he should shoulder an impossibly enormous responsibility of being thought of as administrating the computers of countless strangers.

      He recommends various sets of actions by drawing upon the knowledge that he has, after researching and testing exhaustively, but the buck stops with each one of us.

      It is already the case that “There is no support coming from Microsoft”, even when the user has been as compliant as possible, so that isn’t an argument against/for choosing any particular updating pathway now.

      Saying that “Group B is not for end users”… well, that is not true.

      Any possible path is an option for end users; Microsoft does not dictate what we do with our pre-Windows-10 machines.

      End users of pre-Windows-10 machines are not beholden to allow the company’s unexpected, heavy-handed, half-cocked changes in Windows updating and Windows telemetry.

      Microsoft in its own forced operations upon individual machines does screw up machines, sometimes permanently, sometimes at a great cost of time, money, stress, and data loss to individuals, so they are not a haven of benevolent safety and security.

      Furthermore, the compliant Group A seems destined to have some major bumps in its pathway, due to the unwieldy nature of the massive, cumulative rollups that will steamroller their way onto machines that may or may not be able to cope with it all (such as my machine, which would be screwed up by a Group A approach, and Microsoft would not care.)

      There are several compelling reasons why Group C is being said by multiple people, including IT experts, to look like it could be the safest of all to follow, at least for the time being.

    • #25076

      Anybody’s thoughts on my question are welcome!

      Is anyone planning to do something similar to this?

    • #25077

      The new all-in-one security-only patch has
      saved me heaps of work; previous to this month, going
      back to last November when Win Update began its
      rubbish behaviour, I’d been having to research every
      single security patch via the MS Security Bulletin

      As a kind of admin for the family members still stuck
      with MS systems that need to face the Net, I’m very happy to be able to hand back the research work to them, with Woody’s how-to for group B.

    • #25078

      You are better off by setting Flash to update automatically. You will not be going to assess the Flash patches anyway.

    • #25079

      It is not only you on Windows 8.1 or others on Windows 10, most people reading and posting here still use Windows 7 and they have to download Flash for IE from Adobe and not Microsoft.
      Flash for Firefox obviously has to be downloaded from Adobe regardless.

    • #25080


    • #25081

      Win 7 SP1 x64…
      Just installed the October Security Only Windows update (KB3192391). Looked then for the Security Only .NET 3.5.1 update as per the Infoworld article method, but could only find Security and Quality Rollup (KB3188740 in Windows Update) – so installed that.

      Immediately afterwards, I did find the Security Only .NET 3.5.1 Update (KB3188730) in Microsoft Update Catalog (which seems to be working again now).

      I would like to uninstall KB3188740, but can’t find out how (so that I can then install KB3188730 in its place). Can anyone help here?

      Many thanks.

    • #25082

      2. Check for updates triggers the AU client every time it checks and there is a possibility that it would run at high CPU/high RAM usage, depending on the patches you have installed previously. This happens by default once every 22 hours, randomised within -20% of that interval. Also runs TrustedInstaller which is useful as it cleans up the servicing stack and old log files. This also takes resources and can run for a long time, but as I said it is generally useful. Antivirus may contribute to the resource use in addition to the normal use due to the Microsoft services.
      Never check for updates does not trigger the agent unless you run it manually and it does not consume CPU and RAM resources while not in use.
      You have the facts, now you can choose which is the best setup for you.
      I would recommend Never check…, but this require discipline and actually require the end-user to run the agent when the time comes and be patient with it.
      Considering the issues mentioned above, as Woody says, they are functionally equivalent.

    • #25083

      I think Woody is not giving advice for Windows Server, although some of us here shift the debate into that direction now and then.
      You have no reason to belong to Group B on Windows 2008 R2 unless you belong to an organisation which has specific compliance requirements.
      System Restore on Windows 2008 R2? Are you sure?

    • #25084

      If fact there is the odd hotfix now and then released in addition to the CU to fix current issues, possible included in the next CU, but for most part it is only the CU that is relevant.

    • #25085

      Is there a reason why it is mentioned to download the .Net Security Update via Windows Update rather than just downloading it via the same way one would download the Security Only Update (KB3192391) from

    • #25086

      As I was doing the dishes tonight, it occurred to me that I was thinking of everything as a “rollup” partly because Nathan Mercer had several times referred to the security-only update package as a “rollup” in his Aug 15 Technet Q&A about the new system. Some examples:

      “We are purposely releasing Security-only as a rollup but not cumulative like Monthly rollup is.”

      “Driver updates are not included in Monthly Rollup or the Security-only rollup”

      Looking at the newer comments on there, around the beginning of Oct., Nathan Mercer started saying “monthly rollup and security-only” (just the adjective without a noun), then towards the end of Oct. he finally called it a “Security Only Quality Update”.

      Even Michael Niehaus’ October Technet overview several times appeared to use the word “rollup” to refer to both types:

      “The security-only and monthly rollups will contain fixes for the Internet Explorer….”

      “The security-only, monthly rollup, and preview rollup will not install or upgrade to these versions….”

      “…existing automatic approval rules in WSUS would approve both the security-only and the monthly rollup each month….”

      However, they clearly referred to it as an “update” rather than a “rollup” in most of that document.

      They could have done a better job of giving these things more distinct names, though they probably tossed the words “security” and “quality” into all the titles so as to confuse customers into just installing the whole lot.

    • #25087

      was just wondering atnout the .NET update my computer only has .net 4.0 as latest version but version offered says 4.5.1. is this goiing to install more versions or just updates for ones i already have?

    • #25088

      I’m in the group W with MU disabled and a newbie to boot (so to speak). Any patch that you can recommend that won’t screw up my computer to the point where I would have to bring it in to get it fixed?

    • #25089


      When I see a post that Flash had an update, I will go to the Adobe site to check and see if I have the latest version. I find that I am updated already to the new version and I didn’t do anything.
      Not sure exactly how I am automatically getting updates, it just happens….

    • #25090


      Running W7, SP1, 32-bit. I’m getting KB 3177467 thrown up by WU as important. Scouting around, I see that it has caused a few problems elsewhere. Should I install it, or leave it for now? With many thanks for your help.

    • #25091

      KB3177567 also appeared here after the last round of updates…

      Is it really critical, and thus needed?

      I’ve read about some people having problems installing it, and even it’ MS description page does state about a known installation bug…

    • #25092

      If you’re in Group A, yes, install it.

      The worst problem I’ve seen is that it fails to install. If you can’t get it to install, follow the suggestions on this How-To Geek post:

    • #25093

      You should be OK with the Group B approach, but I can certainly understand why you’d rather stay in Group W.

    • #25094

      Yep, it’s VERY confusing. Then the name changes to insert “Quality” and “Security” at random points….

    • #25095

      That’s correct. I know absolutely nothing about Server. Leave that to you guys. 🙂

    • #25096

      Yes. It’s the difference between Group A and Group B.

    • #25097

      You bet.

      I didn’t recommend manually installing the .NET Framework update from the Catalog because it seemed to be a huge amount of effort, with little benefit. I may be very wrong – wouldn’t be the first time – but I don’t think the .NET non-security patches pose much of a threat to anybody. And the amount of effort to install the security-only .NET patches just isn’t commensurate with the benefit received.

      Of course, I’m very open to hearing otherwise! If anybody has an example of a non-security .NET patch installing a snooping routine, I’d love to hear about it.

    • #25098

      That’s true. See my response to Inew above.

    • #25099

      If you’re in Group A, follow the steps for Group A – which means you don’t have to check or uncheck anything other than the “Give me recommended” box. That’ll get you the full month’s update.

    • #25100

      I tend to think of it that way, but many would disagree.

      I’ve been doing the MS-DEFCON thang since XP days.

    • #25101

      No, I’m in Group B! Sorry, I thought it might become necessary at some point. Is that not correct? Thanks.

    • #25102

      They don’t contain the same patches.

      Microsoft does a horrible job of describing the non-security parts of the Monthly Rollups.

    • #25103

      If you’re in Group B, there’s reason to debate about installing it. I wonder if others have a strong opinion…

    • #25104

      Has anyone tried manually downloading and installing the servicing stack update KB3177467 first? Since it’s a stand-alone install (has to be installed alone then reboot), my experience when I was testing was it didn’t appear in WU until after all the other patches were installed. I would think that might help.

      Unfortunately, it’s too late for me to try that, as I have already taken care of the Oct updates.

    • #25105

      I have a serious work load until January next, and can’t afford any potential muck ups.
      Woody,can I safely postpone doing these type B updates [8.1 Pro & 81. Home] until January?

    • #25106

      Right on, poohsticks! What you said is very well put. You have the common sense which some others here seem to lack for all their technical expertise.

    • #25107

      Control Panel/FlashPlayer – on the Updates tab there are radio buttons where you control updating and a button for “Check Now” that takes you to the Adobe update site that shows the current version for all scenarios.

    • #25108

      That’s the servicing stack update, and it pops up last b/c it’s a stand-alone (can only be installed by itself) update.

    • #25109

      I am curious why you posted that I have no reason to belong to Group B on Windows 2008 R2, are you suggesting I be in Group A? Trust me, it would be much easier in the long run, but I am convinced 3 years ago a MS update fried my XP computer when I had “automatic updates” checked.
      When I bought this computer with Windows 7 Home Premium in October 2013, one of the first things I did was uncheck “automatic updates”. I’ve only updated “critical” updates until recently to fix the “slow” scans.
      Yes, I have System Restore on my computer. It sounds like are you surprised.

      I have had problems in the past with restore points disappearing. Apparently this has been an issue with Windows 7 as I found out in my research.
      I did manage to find a fix by doing a Vssadmin command to resize the shadowstorage, and then delete and recreate the paging file.
      If I remember correctly MS knew of this problem and never fixed it.

    • #25110

      System Restore has a set (limited) amount of disk space, expressed in % of total HDD spaace. Older restore points may disappear if the disk space is used up.
      In Win7, Control PanelSystemSystem Protection highlight the C: drive and click “Configure” to increase/decrease the space System Restore can use. Remember, this is usable hard drive space you are dedicating to System Restore, so don’t go overboard.

    • #25111

      Here are my thoughts, for what they’re worth.
      1) I don’t see any problems with waiting another month. The 3-4 weeks that Woody has taken for years before giving the all-clear has never caused any problems that I know of and back in the days before Microsoft became Malware, Inc. I occasionally missed a month and it never caused any ill effects.
      2) Yes, according to everything Woody and others have said you would just have to install October’s Group B patch, then November’s Group B patch, then run Windows Update and pick up two months’ worth of Office updates.

    • #25112


      Much as I respect @ch100‘s many contributions here, my reaction to his statement that Group B is not for end users was “More agitprop.”

      I understand that those of us who post such statements here cannot (and should not) make the full case each time, but it is important for newcomers to understand that a toss-off, conclusory statement such as this does not mean that it is a settled question.

    • #25113

      If you read closer I think you will find the description for KB3185330 says it contains what is in KB3185278 (the non-security Sept rollup) plus the list you provided of the security fixes.

      That means KB3185330 contains both security and non-security patches, where KB3192391 contains ONLY security patches.

    • #25114

      Pls disregard. Forgot about System Restore (haven’t used it for so long). Ran System Restore taken just before running KB3188740 (.NET 3.5.1 Rollup) and KB3118312 (Word 2010) from Windows Update. Both subsequently reappeared in Windows Update, so I assume that the Restore was successful. Then reinstalled KB3118312 (Word 2010) and installed KB3188730 (.NET 3.5.1 Security Only) downloaded from Microsoft Update Catalog. All OK once again!

    • #25115


      I’ve just figured out why people are apparently getting randomly hit by the KB3177467 update…

      Since it has a known bug of hanging on reboot when it is installed together with other updates, apparently MS has “isolated” it from other updates making only possible to install it alone, avoiding the buggy scenario…

      I’ve come to this conclusion because after installing the round of updates yesterday, KB3177467 popped up, and the two Optional updates I had just disappeared… Today after a scan when the Defender Definitions hit, KB3177467 vanished and the two Optional updates showed up again… After installing Defender Definitions it once again appeared alone…

      I’ve just installed the KB3177467 servicing stack, the install went fast and did not require a reboot (but I did it anyway), scan after took about a minute and again, the two Optional updates were back, probably confirming my theory…

    • #25116


      My apologies. You are right. I never think of Windows 7 since I use Windows 8.1. I never used Windows 7. I wonder why Microsoft changed the procedure in Windows 8.

    • #25117

      Group B at this time.

      I have installed KB3188730 and KB3192391 on several computers at home. They seemed to install fine.

      I will wait some more time before installing them on my main computers.

    • #25118

      Yikes. I wonder if MS could make this any more confusing?

    • #25119

      I wouldn’t say it’s a toss-off.

      ch100 has very good reasons for his recommendations. I don’t agree with all of his conclusions, but hey, that’s what makes a horse race.

    • #25120


    • #25121


      So far, anyway. Just avoid IE, Edge, and don’t open any weird RTF files with Word.

    • #25122

      I think you are absolutely correct with your conclusion.
      KB3177467 didn’t show up for me until after I updated the patches I wanted and then hid the updates I didn’t want.
      Then I did another windows update check and that is when KB3177467 appeared by itself.
      I think that is exactly what is happening.

    • #25123
    • #25124

      Just wanted to add my 2 bits, and thought this is an appropriate spot. @ikester…. join the club… there’s quite a few of us dummies around!!

      Firstly thank you Woody for making all this easy!
      Think my head would be swimming if it weren’t for your input. I followed your instructions on how
      to access and download the necessary Security Patch on both my Win7 and my husbands Win8.1 machines.
      (I used my tablet to read the article on InfoWorld as I was working on Win7 & Win8.1)I downloaded the patch and then installed, rebooted, and went into WU unchecked the ones I didn’t want and
      proceeded to install the .Net patch and the Office ones (2007) All went amazingly smoothly and without any delay.
      Now I have both machines set to “Never Check”………. all is well that ends well!

      For those of you who are concerned about getting your head around all this and fearing the worst….
      don’t….. with Woody’s expertise I can assure you
      it’s a breeze (haha! that rhymes!)…… but seriously….. personally reading all the comments and all the details about this and that patch…. it’s true you get the feeling……. oh! gosh this is too much. But in the end it’s not. Just one Security Patch and a couple of others and your done and dusted.

      Thanks Woody et al………. You’re the TOPS! LT

    • #25125

      Woody said, “so in the future things may not work the same way.”

      I agree. And from the description of the non-security “improvements” included in KB3192403, the October 2016 Preview of Monthly Quality Rollup, it appears that the future will arrive on the second Tuesday of November.

    • #25126

      @ht:Concerning your question no. 1, in my Win 7 32bit laptop, installing the security-only update triggered a restore point. The same thing happened also before installing a few other important security updates (Office etc).

    • #25127

      Yep, and I’m hoping that my InfoWorld post on the topic (should be out today) doesn’t include too many errors!

    • #25128

      @PKcano — You are right, thanks.

      Answer: KB3185330 (via Windows Update) also includes KB3185278 from September 20, 2016. That latter patch included the items below (quoted from Microsoft). However, even though I tend to be very wary of MS, I don’t see anything objectionable in this particular list. Do you? Regards, MM.

      This update includes quality improvements. No new operating system features are being introduced in this update. Key changes include:

      — Improved support for the Disk Cleanup tool to free up space by removing older Windows Updates after they are superseded by newer updates.

      — Improved compatibility of certain software applications.

      — Removed the Copy Protection option when ripping CDs in Windows Media Audio (WMA) format from Windows Media Player.

      — Addressed issue that causes mmc.exe to consume 100% of the CPU on one processor when trying to close the Exchange 2010 Exchange Management Console (EMC), after installing KB3125574.

      — Addressed issue that causes the Generic Commands (GC) to fail upon attempting to install KB2919469 or KB2970228 on a device that already has KB3125574 installed.


    • #25129

      Why is it that Microsoft’s (d)evolving patching / update system – and the related hoops and hurdles that one must now jump through and over to get only what they truly need, rather than what Microsoft truly WANTS – is reminding me so much of the early days of Linux distributions?

      …and those Linux distributions are now so straightforward and convenient. You know – like how Microsoft’s system used to be?

      The only real difference is that the unfortunate complexities in those early Linux days weren’t due to / caused by bad intentions towards the end user.


    • #25130

      Is it correct that service stack updates are not removable? Therefore hardening updates in general.

    • #25131

      I might add that neither Group A or B represent optimal patching approaches; rather they are alternatives imposed upon users by MS for reasons solely beneficial to MS. Group A and B are simply bad choices as updating protocols as A allows MS to install whatever it wants, whenever it wants and Group B will have to struggle over time with inconsistent documentation of what constitutes security versus non-security updates. In many instances, I suspect there will not be sufficient documentation that is available to sustain a pure Group A versus Group B strategy and at some point W7/8.1 systems may have to move to Group W status. My comments are a polite way of saying that MS has really pi$$ed me off over this last year with this latest crap and the prior GWX nonsense. Long term many users should just be on the lookout for migration options and abandon MS to the extent their individual circumstances allow. The comments by Ch100 are generally well-grounded technically but sometimes grant MS the benefit of the doubt that they currently no longer appear to deserve. I am technically capable of doing Group B but I doubt that it is an approach that users will be able to sustain because MS can easily sabotage your efforts whenever it suits their purpose. I apologize for sounding like a Debbie downer.

    • #25132

      TY ch100 & Dimk. I’m hooked on the ongoing education/discussion/guidance/thoughts generated here. Thanks particularly to Woody for all of it, an immense undertaking.

    • #25133

      But even you say for Group B users to rely on WU for the leftovers other than the Security-only update, and I think this will cause confusion with most people because they’re being given the same updates they’ve already installed.

      For instance, October’s Security & Quality rollup (KB3185330) is the October Security-only patch (KB3192391), plus the September quality rollup (KB3185278).

      I had already installed KB3185278, and I’m in Group B, so I installed KB3192391 by itself. I’m covered. Both patches are installed. So why then am I being given KB3185330 through WU? Obviously something’s different in there; something unpublished.

      Because of that, I think you have to remove your recommendation for Group B to use WU for *anything*. It can’t be trusted. Group B’s job is now exponentially more difficult.

      Secondly, I’m not being given the September servicing stack update (KB3177467) on any systems I’ve installed Security-only. However, a few of the workstations on our domain that did install KB3185330 have been given that servicing stack update. Again, I question ‘why’? If I hadn’t seen that update offered to those systems, I wouldn’t know to install it on the ones that haven’t been given that update. (Which I haven’t done yet, because it smells suspicious to me that obviously KB3185330 does something that then kicks off the recommendation of the September stack update.)

      I hate to say it, but I think MS is intentionally blurring the lines between A and B, and almost making B impossible. The continued sabotaging of their users is absolutely disgusting; the sad thing is, it probably won’t bring the severe consequences that they deserve, because too many mid/large businesses and enterprise have to use Windows and they’re the only game in town because of that.

    • #25134

      You have a good point, but I’m not 100% convinced that “October’s Security & Quality rollup (KB3185330) is the October Security-only patch (KB3192391), plus the September quality rollup (KB3185278).” Even if the contents of the patches themselves are identical, there’s still something in Windows Update that doesn’t want to live with the discrepancy. Might be a problem with WU.

      The fact that you installed 3185278 kind of takes you off the Group B trajectory. There’s a transition period here, and it’s anybody’s guess which is the right way to bob or weave.

      The Group B folks still need to update Office – and anything else that may come down the pike. Doing so through the Update Catalog would be a Herculean task.

      As for Microsoft’s intent… man, I gave up on trying to figure it out when Get Windows 10 rolled out the update chute. Sigh.

    • #25135

      It sounds quite logical to me.

    • #25136

      In general, that’s true. ch100 and abboddi would know better than I.

    • #25137

      The one you’re describing looks like KB3192391 for Win 7 X64 and is 79.2 MB in the MS Update Catalog. I could do this and hopefully just get the Security Updates. But I haven’t seen anything on how to get Office Updates! Also, I don’t remember seeing the Cumulative Security Update for IE-11 in the above mentioned security update. The Catalog didn’t have any Office updates for Oct. the last time I checked a few days ago.

    • #25138

      To further muddy up the works, WSUS Offline just gave me 3177467 (Sept. servicing stack). Once I rebooted and re-ran WSUS Offline, it gave me
      – 3188740 (even though I’d already installed the .NET Security-only update 3188730)
      – 3192321 (Turkey DST)
      – 3185330 (Oct. security & quality)
      – 3018238 (? No idea why, this is supposed to only be for Server 2008R2 and 2012)

      IOW, a tool that I once was able to rely on is now apparently going to muck up systems as well.

      Ugh. [facepalm]

    • #25139

      KB3185278 was an UNCHECKED OPTIONAL. If I’m not mistaken, it never became a CHECKED IMPORTANT update b/c it was supposedly rolled into KB3185330 (the Security Monthly Quality Rollup). The UNCHECKED OPTIONAL are not for general installation. Only the CHECKED IMPORTANT patches should be used. Do not understand why you installed it.

    • #25140

      No, no, that’s fine. We’re still trying to wrap our heads around this new but, I feel, regressive, convoluted and poorly communicated updating system. It’s just so backwards that I no longer feel we’re in 2016.

    • #25141


    • #25142

      @Just Sayin’


    • #25143

      Yeah, I saw that, thanks. I’m almost convinced that the .net framework rollup being offered in Windows update is benign but I can no longer give Microsoft the benefit of the doubt as someone like ch100 seemingly can.

    • #25144

      I agree with that completely.

    • #25145

      @Just Sayin’,
      I appreciate your comment so much.

    • #25146

      I don’t let anything update automatically, if there is a user choice in the matter.

      If one is a careful person, given how corporations often let us down and make mistakes in their products and services, not allowing auto-updates is often the better road to take.

      I am good at keeping on top of the Flash updates. In fact, in the immortal words of ‘anon’, “I said it first” here this week about the new Flash update being available.

    • #25147

      I believe that the naming issues are intentional. MS does not want Group B, so will make it as difficult as possible to stay there..”obfuscate”.

    • #25148


      When I was brushing my teeth this morning, I idly thought back to what I had seen yesterday on Susan Bradley’s Excel sheet of Windows Updates —

      She wrote that the .Net update has a security-only patch that is only available in the Update Catalog,

      while the .Net update that is offered in Windows Update includes non-security and security patches,

      the distinction of which I hadn’t even noticed at the time that I was glancing over her Excel information.

      (I don’t even know what .Net is, so I don’t pay it much attention,
      besides knowing that it gets updated once in a while,
      and always bearing in mind how Brian Krebs the security researcher is always so nervous about .Net updates in particular — which he reiterated a couple of weeks ago on his blog.)

      When I put 2 and 2 together this morning, I realized that this is probably what you had been talking about, regarding .Net!

      I actually logged into AskWoody this lunchtime to tell you that I *finally* understood.

      I agree with you, it does make sense to go “security-only” for everything where a “security-only” patch is given as an option, if one is trying so hard to avoid non-security patches.

      However, it also makes sense not to worry that much about the non-security aspects of .Net, if people think that .Net is so narrow in focus or benign-by-nature that anything non-security that Microsoft would add to it would be harmless.

      Every individual patch that people have to get from the Update Catalog introduces another layer of effort and potential confusion, which is another argument in favor of having most people get .Net from the automated Windows Update.

      However, there might be a bit more safety and not much extra work in going “security-only” all the way through, so if I do go into Group B in the future, I will probably try to obtain the Update Catalog’s .Net security-only version for my computer.
      (However, there are several .Net versions out there, which were offered to me as “optional” for my computer in the past and I chose not to install them, and I would want to be careful that I didn’t apply the wrong Update Catalog patch for my computer’s .Net version.)

      For people who have not seen it, here is the
      Susan Bradley Excel file on Windows Update:!2257&ithint=file%2cxlsx&app=Excel&authkey=!AIOQkIu7flF7lPE

      That link automatically pops up on the August worksheet, so go to the tabs on the bottom of the page and click on the October worksheet(s) to see Susan Bradley’s information for the current month.

    • #25149

      Ha ha, I am so overboard with the space I’ve given System Restore! But it gives me comfort.

      When my computer was new and misbehaving terribly, I decided to use system restore and I discovered that the computer didn’t have ANY points saved (the system restore was messed up in my new Lenovo from the start, along with other big things, and the machine was silently deleting every restore point soon after it was created — a genuine error in the way the machine was configured, and this was one reason that I had to reinstall the whole ball of wax from the “factory disks” soon after I received the machine from its factory in China — and the way it was configured after the “factory disks” were installed looked much different from how it was configured supposedly straight off the assembly line of the factory, which I found contradictory, but that was a good lesson for me),

      After I got the computer behaving somewhat normally, I increased system restore’s maximum space by a large amount! But I had the extra space for that.

    • #25150

      I have a question about Office —

      Re: “The Group B folks still need to update Office… Doing so through the Update Catalog would be a Herculean task.”

      On Susan Bradley’s Excel sheet for October (the non-Windows-10 sheet),
      starting in row 204,
      she has the new updates/kb numbers listed for Office 2013 and 2016,
      but there is nothing listed on her sheet for my version of Office, which is Office 2007.

      Am I to assume that Office 2007 didn’t get updated this month,
      are there Office 2007 updates contained in different October patches which cover other things as well and thus have different titles?

      For people who aren’t familiar with it, this is Susan Bradley’s spreadsheet of Windows Updates:!2257&ithint=file%2cxlsx&app=Excel&authkey=!AIOQkIu7flF7lPE

      (The link takes one to August; select the October tab(s) along the bottom row to get to this month’s information.)

    • #25151


      That issue was addressed by Woody a little higher up on this page, in answer to another poster’s question about it:

      MS-DEFCON 3: Time to get the first post-patchocalypse patches patched

    • #25152

      This is a question I also have, if we need to be concerned about the version numbers of the .Net updates.

    • #25153


      I had noticed that you have been mentioning that one for a while, and I’ve been keeping an eye out for what the verdict is going to be on it!

      Just wanted to say that I appreciated your flagging this up, and staying on the case.

    • #25154

      Yes, because they never cause issues
      and anyone says that KB3199209 have issues is either mistaken with other update or have botched system

      the stuck reboot issue that win7 have is not an actual issue, just a race condition between updates 😀

    • #25155

      1) No
      manually installing security only KB doesn’t create restore point

    • #25156

      They would not release it unless it will be a prerequisite for some future updates
      just like April 2015 update KB3020369 which became prerequisite for several updates after months 🙂

    • #25157


      Just to verify about the “NEVER CHECK”. It’s my understanding that you can have it set at that, and when you’re ready just run “check for updates” and it will show what’s there.

      I’m in no hurry to “try” anything at the present, however when you mentioned the “NEVER CHECK” I wondered if you had it set at that BEFORE you did the “check for updates”.

      I just want to be certain of “everything” I can before I make any moves. I’m happy for you that everything went without a problem. I’m sure you are more computer literate than I am!

      Thank you for posting your experiences. 🙂

    • #25158

      From system bits (binaries), yes there is no difference
      however, WU don’t recognize KB3192391 and still request KB3185330
      and installing KB3192391 will make the chain of Monthly Rollups to be cut
      you either go with Rollups route or Security-Only route, mixing both is not reliable

    • #25159

      Good call Woody 🙂

    • #25160

      KB3177467 is an exclusive update that must be installed alone with no other pending updates
      otherwise, you would face the stuck reboot issue described in KB article

      this is the 4th or 5th time i explain this 🙁

    • #25161

      You’re more than welcome.

    • #25162

      Sorry, I’m confused. In Woody’s InfoTech article, he writes “Group B, Step 7. Under “important” updates, you’ll likely find “Security and Quality Rollup for .NET Framework” — which you probably want,…”. Surely, if you are in Group B, you will probably NOT want the Security and Quality Rollup for .NET (KB3188740). Instead, you will probably want the Security Update for .NET (KB3188730). Yes/No? (The KB article numbers are for Windows 7.)

    • #25163

      So far I haven’t seen any problem with the full Security + non-security patch for .NET. I’d welcome any indication where there’s a problem with the non-security part of the .NET rollup.

    • #25164

      Sorry, I have now seen that Woody has answered this question later on.

    • #25165

      Sorry. Yes, you have – and I’ll try to remember the KB number! 🙂

    • #25166
    • #25167

      Woody, I think I am in group A but with setting – Check my updates, let me choose whether to download and install them. But I did not check the box – Give me recommended updates the same way I receive important updates. With this setting how would that different than your group A? What patches if any will be missing?

    • #25168

      My comment was not addressed personaly, i just ment in general 🙂
      thanks woody

    • #25169

      I’m pretty sure it came up as an Important update that was not italicized or listed as Optional on my systems at home, but at this point I don’t remember for sure.

      I don’t install anything under optional unless the KB is convincing enough or it’s related to security somehow.

    • #25170

      I am still quite leery of Group B. Is it really practical over the longer term?

      My concern is that if Security updates have defects that are corrected in non-security updates, how will Group B computers not be victimized?

      I cannot imagine, MS accommodating Group B.

    • #25171

      Thanks Woody.
      I can see that there is a limited rollup for the core Office, in October 2016 this would be KB3194160.

    • #25172

      I did it few times too. For some people WU might take care of the issue, I think not everyone is affected by the stuck reboot.
      Good to reinforce the good practice though 🙂

    • #25173

      Correct. There were issues in the remote past with KB3020369 and Woody raised alerts at that time, but it was largely due to “botched” systems as abbodi86 says. Some users may not consider certain configurations as botched, but if they are not following the specifications, they are botched by definition, even if those configurations are caused by Intel, Symantec, Avast or other software and hardware manufacturers which otherwise have decent products.
      Let’s not forget that it is not the end user who designed the OS, they are users supposed to follow the specifications like for any technical product.

    • #25174

      You are welcome 🙂

    • #25175

      I think in few months, or maybe sooner, this will be resolved and the missing bits from the Security Only will be rolled into the Security Monthly. I also think, which I stated few times here, that the Security Only is a broken concept and designed only to facilitate the transition by not scaring users, who until now have been doing only Security updating, because this is what comes up in MBSA and related tools and it is also the generic Government recommendation as minimal – there is no recommendation or suggestion to not install everything else.

    • #25176

      Nothing new and Woody deserves a lot of praise for it, otherwise most of us would not be here.
      Those who are pleased with Woody’s work, please support this site.
      The issue is that from now on it will be a lot more complicated! If Woody is ready to take on board the impossible challenge, I say go for it! 🙂

    • #25177

      Download and install everything that comes on Windows Update when MS-DEFCON changes to 3 or above rating on top of this page.
      Do not select what is unselected and do not unselect what is selected.
      It is simple, and totally in accordance with Microsoft’s specifications.
      The value added by Woody’s recommendation is that he monitors the various patches for known problems and tells you not to install potentially defective patches, which is big deal.

    • #25178


      Sorry to “steal” your conclusion mate… Haha… I didn’t see those…

      But anyways, now it’s as confirmed as possible…

    • #25179

      Just type in the numbers only.

      You do not enter KB or spaces – just the number

      The number for October is 3192391.

      Then just select Download for your specific OS. It’s that easy.

    • #25180

      Group A does not mean Automatic Updates checked.
      It means installing all updates when they are tested enough. Microsoft will take corrective action anyway given enough time, 4 weeks is more than enough, generally 1 week is OK, depending on your tolerance to risk.

    • #25181

      Thank you, sir. A well-argued case is one thing. “Agitprop” (agitation propaganda) by dropping conclusory statements into the discussions, as if they were self-evident, is another.

    • #25182

      It is not. You create your own problems by over-analysing.
      Just use Windows Update when MS-DEFCON changes to 3 or above and everything will appear extremely clear to you.
      Forget the Microsoft update Catalog or exist, they are for system administrators only and just interesting reading for anyone else.

    • #25183

      Thank you, Woody!

    • #25184

      @Anonymous When you purchased Windows 7 you didn’t analyse in detail what came built-in with the system and there are a lot of components built-in about which you didn’t know then and don’t know now.
      To claim now that updates are imposed by Microsoft to suit their purpose is redundant.
      Stop using the system if it does suit your purpose or stop updating and assume responsibility for what may happen.

    • #25185

      I agree with your observations regarding sustainability of a Group B updating strategy. But, MS has in fact provided the security only manual monthly update as an option. Inasmuch as the purported purpose given by MS for adopting the cumulative update approach was the reduction of patch fragmentation, the availability of the security only update seems somewhat at cross purposes. I am coming to view the Group B approach as more of a temporary tactic where one could mitigate zero day vulnerabilities while avoiding a potential known issue(s) in the monthly cumulative patch. However, the longer you extend your time horizon, the more questionable the Group B strategy seems to become. Each user has to make some decisions relative to the potential tradeoffs.

    • #25186

      Group B at this time running Win7 x64

      Are we still checking WMSRT in important updates?

    • #25187

      You seem to like to traffic in arguments of “false choice” and assume that because a user cannot know everything about a piece of proprietary software that they in fact know nothing. I do not see as redundant the observation that MS’s recent actions appear to be more aligned with their business purposes that the functional needs and desires of the users. You display the type of attitude often observed in IT administration where the users are deemed to know little and cannot make intelligent choices. You have your opinion and I respect that as with all people but please spare me the attitude.

    • #25188

      Sure. There appears to be a bit of snooping going on with MSRT, but it’s (arguably) necessary.

    • #25189

      I also have several Windows 2008 R2 virtual machines that are configured to run like Windows 7. As far as I can see, the 64 bit versions of KB3188730 and KB3192391 will apply to them.

      If I need to update them in the future, I would also just download the security-only updates to install on them.

    • #25190

      It appears that a large number of persons do not consider themselves to have sufficient Technical Skills to be other than in Group A, AND that it is this aspect of the debate that is influencing their choice of group membership (A, B or W).

      I suggest – without reservation – that everyone of us are more than capable of doing whatever is required to update our PC’s irrespective of our choice of group or our technical prowess.

      Are we really saying that we cannot already download and install new programmes, use complex Photo Editing Programmes or Excel. How long does it take us to learn a new game ? Take your choice, I guarantee that everyone of us uses at least one programme that someone else claims is too difficult to understand. I, for example, have never got my head around GIMP for photo editing, but I daily use lots of others that are equally challenging.

      Why? For some, it’s a question of perseverance and practise. Some can download, install and use a new feature very quickly, others take longer. It’s not a technical skill, it is a learning process. It’s no different with installing Updates.

      Consider the options – so clearly defined by Woody.

      Group A – Essentially, do as before. Let MS download and install your updates. The only change Woody has suggested is that you TURN OFF automatic updating after Windows has done it’s work, between Def-cons. No-one can suggest that this is difficult.

      Group B – All Woody asks is that you take some control over your updates. Surely no-one is saying that they still cannot amend their update selection type – Automatic ? Download but …? Check but …?, Never !

      Are we also saying that we cannot visit the Download Centre or MS Catalogue and download an update. Seriously ? We are the same people who visit Amazon, or any other site to order a product, but we cannot download an update from MS Catalogue? It takes less than 2 minutes to do so. Visit the catalogue. Woody and others have provided all links. Type in the number of the patch you require – just the number – Do not include “KB”. Click “Download” for your Operating System. That’s it. Finished. Now just install the patch – just remember that WU must first be set to Never, or it will want to search for all other updates. Why not visit the catalogue and explore ? You don’t have to download anything, just explore and see what it offers. Try navigating to the “Package Details” to find what patches are replaced by the patch you are interrogating. Please remember that “replaced” does not necessarily mean “superceded”.

      Woody and others have rightly said that there is additional hassle for those who wish to update Office., but they have all issued simple instructions on how to proceed. The same for Net Framework patches. For those who have never downloaded updates before, it’s just something new. It’s just a little different. Do it once, and you will wonder what all the fuss was about. Do it once, and then say that you don’t have the “Technical Skills”.

      Group W – No skills required. Just get on with the other things you enjoy doing – and remember that with no new features being issued (for 7), all updates are fixes for faults still outstanding from previous updates (and there are far too many of them !), or genuine security issues (of which I would suggest a large number are associated with Internet Explorer).

      Possibly of interest to some, I’m group W, I still run 2 XP and 1 Vista as well as my Win 7 machine. Haven’t updated any but the Win 7 in years, and even the 7 machine has had no security patches for IE 11 (which I still use) since January 2016. I have no issues.

      Please remember, you do require a level of “Technical Skills” for performing many tasks on a PC – registry modifications, for example, but downloading Updates requires no skill, just a little knowledge, and for those who think they don’t know, just LISTEN to Woody. He wont let you down

      So my message is: Think carefully before saying “I’m group A because I have no Technical Skills”

    • #25191

      At the moment I am in Group B. Not really worried re snooping (everybody does this) but about getting a faulty patch and not knowing how to fix is my problem. Reading lots of posts on here and the recommendation of many is that one should really be in Group A if a computer novice. Would that be a fair assessment.

    • #25192

      If that happens in the future, I would just abandon that month’s security update. It won’t matter so much as the security-only updates are not cumulative.

      In fact, I find that two of the updates that causes problems in September, namely KB3175024 and KB3185319, have been superseded by this month’s security-only update. I did not install these two updates on any of my computers in September, and there has been no problems. I believe I am justified in adopting this “Group B approach with occasional Group W” policy at this time.

      I don’t care if I miss some security updates using this approach. In fact I am more than happy to completely stop installing updates if the situation becomes untenable.

    • #25193

      I play an air combat flight simulator that comes right out of Moscow, Russia and it is Windows only friendly. My downloads of purchased products are downloaded over the Internet. Before my initial first time purchase I was not sure of me being in USA what the legality issues were / are. I called my NY State Washington based Senator’s office for advice. They said no problem. But I bet Federal people are looking over my shoulder from time to time. So Windows’ snooping concerning just advertisement does not worry me at all. I usually ignore the hard sell people anyway.

      October’s patch roll up? I may just pass this month and wait and see.

    • #25194

      I completely disagree and would have to ask where you have been for the past year. You don’t seem to understand that people’s trust in microsoft has been utterly destroyed because of their malware like tactics. I’m glad you are willing to accept everything microsoft shove down the update pipe but please don’t act like an apologist for their bad practices. It’s not over-analysing anything, it’s simply being a windows user in 2016. November’s rollup is about to get a heavy dose of telemetry and that is NOT going on my system so i’ll stick with the security only updates, thanks.

    • #25195

      There was some talk here previously about the KB2952664, that it’s the same windows 10/spying patch from previous times.

      Should that be ignored or installed now we are in defcon 3?

      (Windows 7)

    • #25196

      Is there a Win Update speedup trick for Win 8.1?

      I’m in group B. Did the download Security update as you suggested. Now running Win Update to get the .Net and other stuff, and it is still just “checking” almost 2 hours later.

      I did the Win 7 speedup last month on a different PC, but those patches all say “Win 7” so I wasn’t clear if I should try them on Win 8.1


    • #25197

      I haven’t heard of a speedup for Win 8.1.

      The patches for Win7 speedup won’t install on 8.1.

    • #25198

      Yes, that’s definitely a fair assessment.

      You’ve read the instructions for Group B. If those look like Greek, you definitely belong in Group A.’

      Faulty patches are a different kettle of fish. By delaying patching for a couple of weeks, and watching to see what problems arise, you can usually avoid the bad patches. That’s what MS-DEFCON is all about.

    • #25199

      Walker….I readily admit that I am NOT that computer literate….. but over the years one learns a certain amount…….. and I tell my friends…….. that after your sons and daughters leave the nest… buy a computer! (variation of a line from Fawlty Towers) Getting back to your question about “Never Check”……. I did have it on “Check for updates but let me choose whether to download & install” as I wanted to see what was on offer. After I followed Woody’s advice to find and install the required Security Patch I looked at WU and unticked the ones I didn’t want and installed the ones I wanted. Which was the .NET one and 3 2007 Office ones. After that was done I went back to WU and found the ones I hadn’t installed were sitting there all ticked….. that was in the Important update section. It was then I changed my settings to NEVER CHECK….. and they all disappeared! (which of course was to be expected……… but still nice to see that they weren’t nagging me to be installed.) Think I will nearer the time for the next Tuesday Patch switch it back to “Check for updates but let me choose to download and install” as I will be curious as to what is offered me. After the discussion about MSRT I did NOT install it this time as I feel I do not need it and it seems to be causing a bit of snooping. But I didn’t look at the Optional section which I had previously made a note of and
      they were to do with Journal and removal of GWX and a couple of other ones……… which reading
      the comments here and on other posts seems that when MS considers them to be important (and bug free) they will turn them into Important, which is when I may consider installing them.

      BTW I checked my System Restore points and I find I have 2 listed for yesterday – when I did those 2 separate installs – one for the Security and the other for the .NET & 3 office updates! (I read think it was Addobi86 said that no system restore point is made when manually installing.) So as Manuel in Fawlty Towers says…….. “I know nothing!”

      I realise that this journey of ours in Group B will have lots of detours and roadblocks along the way……….. but for the moment seems to be bump free for me anyway…….. but of course we will see…….. won’t we!!! One thing at a time……. small steps and all that!!!
      Good luck to all! LT

    • #25200

      abbodi86 – Using Windows Update I have installed in the order listed below the following updates:

      KB3172605 – July rollup
      KB3179573 – August rollup
      KB3185330 – October rollup

      I did not install KB3185278, the September rollup, before it “disappeared” from Windows Update and was rolled into the October rollup. I have not installed any of the security-only updates.

      Thanks for again providing a reminder that mixing monthly rollups and security-only updates can cause Windows Update to behave in a confusing manner.

    • #25201

      “It is simple, and totally in accordance with Microsoft’s specifications.”
      Yes, and over time it will eventually transform your Windows 7/8.1 into Windows 10 Lite.

    • #25202

      And “totally in accordance with Microsoft’s specifications” means it’s what’s best for Microsoft, not what’s best for users.

    • #25203

      My Win 8.1 box has been hit full bore with the WU scan forever problem. It’s actually worse than what I experienced with Win 7.

      I can’t get to WU manually (I’m set to “never” check). The problem is caused by the 8.1 Flash patch.

      I’ve tried to install the Flash patch from the MS Catalog, but can’t because the .msu launch results in the “checking for update” scan that doesn’t end.

      I followed Woody’s instructions to stop WU Service (realizing that they were intended for W7), but when I get to the final step, I only have the option to START the service, no stop link indicated.

      So, I’m stuck. Any suggestions…Please! Would installing the July and/or August optional rollups (3172614 and 3179574) help? (If I can get there!)

      Just when ch100 convinced me that Group A was the way to go, I can’t get there!

    • #25204

      Just making an assumption here. Woody didn’t take it personally, it is only that there are so many posts, which is great 🙂 , that it is practically impossible to keep track of everything and in good order.

    • #25205


      I didn’t know that. Thank you for the info.

      However, I can confirm that installing a non-security patch DOES automatically create a Restore Point.

    • #25206

      The equivalent July 2016 rollup, KB3172614

    • #25207

      Hi Woody,

      I have a Win7 Home Premium 64 bit computer that I haven’t updated since July. I know – not a good idea, but for various reasons, I haven’t done it.

      My question – if I class myself in Group A – is it safe to now just go ahead and enable Windows Update to get whatever is now needed? I have mine set to “Never” and I know that there have been many that I have missed over the last few months.

      Is there a Win 7 speed up patch that I need first, or will it all be fine if I just run Windows Update now?


    • #25208

      I am looking after two third party machines (both Win7 x64) which I have consigned to Group A. Everything installed ok and only optional patches remain.

      On my own two machines (one W7x32 and one W7x64) I have installed the Security Only patch KB3192391 and a separate .NET patch, but the Quality Rollup patch KB3185330 remains in WUpdate, whilst in Secunia there are also entries for .NET 3 and 4, IE11 and Silverlight 5, all quoting the same QR patch.

      Anyone else seen this or otherwise able to comment, please?

      Win10 21H1 Pro, MBAM Premium, PaleMoon, OpenOffice, Sumatra PDF.
    • #25209

      I’m seeing it, too.

      You’re doing fine. Ignore Secunia. It isn’t up to your level. 🙂

    • #25210

      Short answer is, yes, if you’re OK with Group A, you should get everything installed. Use the procedure I wrote about

      and only install the checked updates.

      Yes, there is a speedup trick, and I wrote it up in great detail for InfoWorld. I see that the article is scheduled to publish early Monday morning. So wait until you’ve had a chance to read that article before you slog through an install.

    • #25211

      I’ll take that as a compliment, though I’m starting from a low base 🙂

      So just ignore the Quality update in WUpdate and retire to a rear trench?

      Win10 21H1 Pro, MBAM Premium, PaleMoon, OpenOffice, Sumatra PDF.
    • #25212

      I’m having a horrible time answering each post individually. We’re now getting hundreds a day – some of them pontificating, but mostly from people with real questions, real problems, differing observations and experiences.

      Which is why I’m up at 6:30 on a Saturday morning answering posts. 🙂

      I’ve toyed with the idea of changing over to a forum format, with moderators and user-started threads, but I don’t want to lose the “feel” of the site.

    • #25213

      Pick a side – Group A or B – and stick with it.

      Until Microsoft changes the game again….

    • #25214

      Personally, I can see some advantages in the forum format, if you can find a way to stay in the middle of the discussions as the moderator. Worthwhile as this blog is, a thread as active as this one presents the reader each day with a new page of comments, while previous discussions appear on one of the “older comments” pages–but which one?
      I can see how it must be driving you to distraction.

      Digital Photography Review has a pretty good format, switchable between “threaded” view and “flat format” view, with info re the last post and time of that post, and a quick way to check for replies to one’s own posts. DPR is lightly moderated (a source of complaints by users reacting to abusive posts) but some moderators participate in the threads.

    • #25215

      Woody, is the IE cumulative security update in the kb rollup or is it separate like the .NET patches?

    • #25216

      IE security patches are in the Security-only update. (Originally MS said it would be separate, but they figured out how to roll it in.)

    • #25217

      I need to see if there are any similar tools available to me. I’m running a very bare-bones WordPress theme.

    • #25218

      Try disconnecting from the Internet as well as stopping the WU Service.

    • #25219

      Thanks Woody!

      I’m not so much “OK” with Group A as feeling that I’m pretty far behind in getting updates, and not sure if being in Group B will allow me to get everything I need at this point.

      I will look for the speed up article on Monday and go from there.

      Thanks again for the advice!!

    • #29533

      Thanks Woody!

      I’m not so much “OK” with Group A as feeling that I’m pretty far behind in getting updates, and not sure if being in Group B will allow me to get everything I need at this point.

      I will look for the speed up article on Monday and go from there.

      Thanks again for the advice!!

    • #29534

      I updated one Win 7 machine last night, and the other this morning. Both machines loaded the Group B security update with no problems, and both did fine for searching.

      However, last night, it took 2 hours to download the 32MB(!) update, while the bigger update this morning (44M, still have Silverlight on that machine) took about 10 minutes. The security-only update (79MB) took several seconds to download…

      I don’t know if the WU servers are getting clobbered by Win 10 updates, or if MS found a 486 server from the scrapheap for Win 7 updates. I hope it was the former.

    • #29535

      It isn’t over-analysing anything, even though I’m not a system administrator. It isn’t just interesting reading. Privacy is important to protect and worth the extra effort to maintain. I’m not messing up by choosing to be group B, but continuing to protect myself from Microsoft. That I shouldn’t have to, is true. But Microsoft is the one at fault and causing the problem. I understand how not following their protocols can cause problems. But they could solve that easily by providing working privacy settings (and any telemetry should be opt in). I would pay the extra money to have a system that is private and not being harvested for data. That is of value to me, as a customer. Microsoft clearly doesn’t want me as a customer, and has violated my trust in their products. That means I will not support or buy products that are solely for Windows in the future. I am going to protect my current computer for as long as possible, and I treasure Woody’s help. Ch100, you give wonderful, detailed information… but the reason I love Woody is that he informs me so I can make the best possible choices given my values and knowledge. Non-techy people can understand their choices… and do want to have a safe and reliable machine, even if it is their one and only. For me, right now, that means security only patches. If Woody didn’t lead me through the more technical aspects of obtaining them, I would be group W. Shame on Microsoft for making so difficult and shame on you for not respecting those of us who are not technically trained. I’m not trying to have privacy because I’m into illegal stuff. I believe in privacy as a human being. More of us need to be following group B… I’m encouraging my family and friends (with their computers backed up) to follow it too. If enough people did it, Microsoft might pay attention, instead of disregarding us as an unimportant minority. When I explain that the telemetry is in the updates… well, I haven’t found one person who wants it. Other than being in groups B or W, how can it be avoided? Clearly Microsoft Update Catalogue is for us, the non-techie people… unless you have another way to provide the essential privacy and security?

      Non-techy Win 10 Pro and Linux Mint experimenter

    • #29536

      I think the Recommended category is going away, so that may not matter in few months.

    • #29537

      This is the time to download from the Microsoft Update Catalog – or from Windows Update?

    • #29538

      Sorry to have to disagree with you Old Dog, but in the real world out here, the vast majority of Windows owners (I purposely used this word instead of users) think of their PC no differently than a potato peeler. It is just there when they turn it on. They use it to read and send email and occasionaly browse the web for something a friend told them about. Some use it only for Facebook.

      Those people don’t even know there is a thing called Windows Update there or what it does or when.

      When it (the potato peeler) doesn’t do what they expect it to do, they ask their nephew or cousin to “fix” it. Anybody who knows PCs knows where that leads to.


    • #29539


      What happens if a user is still on IE9 and wants to update with the Security Only Update for October? I saw that you mentioned MS has included IE updates into the Security Only Update whereas originally it was to be a separate update.

      Will the October Security Update ignore IE9 or will it attempt to install IE11? Or, don’t we know exactly what will happen? Anyone?


    • #29540

      I’m not sure, but based on earlier wording, I don’t think it’ll try to switch you to IE 11. But then it won’t patch your IE 9, either.

    • #29541


      Which is the KB for getting the latest Windows Update Client for Win 8.1 x86/x64? Is it related to Win 10 as the controversial KB3112336? Can it be installed as standalone or from Rollup?

    • #29542
    • #29543

      Canadian Tech,

      Your response is much appreciated. I agree that many, many people do consider their computers as just a tool to take out of its’ box, use it and then put it back. In fact, why shouldn’t they ?

      My post was addressed to the contributors and readers of AskWoody – whom I do not believe fit this description. They actively participate in these discussions and obviously do care about the issue of Updates and Telemetry.

      If my post convinces just one person to better understand how they can control Windows Update, I will be quite content.

    • #29544

      Just to report that on my secondary machine (which I always update first, both being W7 x64 Home Edition desktops), which I have set to “notify but don’t download”, I have now installed the October Important updates.

      Although both KB3188740 (.Net Framework) and KB3185330 (security rollup) appeared initially, by the time I installed them the latter had disappeared only to reappear after the former was successfully installed. After KB3185330 had also installed successfully I was offered KB3177467 (service stack) and that also installed ok.

      Both optional updates KB 3193713 (Silverlight – no longer present on my machines) and KB3192403 (Preview) remain hidden along with the September MSE update KB3193414 (due to the removal of the right-click scan option).

      Assuming this machine boots up and runs ok tomorrow then I’ll unlock the “Never uodate” setting on my primary machine and install the updates as offered.

      Thanks as ever, Woody and fellow commenters.

    • #29545

      October updates is just an update for IE11, it doesn’t include IE11 itself

    • #29546

      The equivalent July 2016 rollup KB3172614

    • #29547

      I think it is like Woody says. There is a possibility that at some time later, the patches will stop working entirely. However this would go against Microsoft’s global intentions to have most systems patched at best as they can, so it may not happen at all, nobody outside of Microsoft knows.
      Related to your question, do you have any particular reason to prefer IE9? That version was a poor version, a transition one I would say, while I think the best version ever released was IE10. Unfortunately all versions older than IE11 tend to be working with less and less sites.

    • #29548

      Abbodi86 replied in another place that it is the equivalent to KB3172605 for Windows 8.1, released in July 2016.
      The latest released as standalone should be the one in March 2016, but it is inferior to the one released in July 2016 as part of a cumulative update.

    • #29549



      This KB3102812 fixed the issue with Windows Update. Completed checking in 5 mins.

    • #29550


      Looking at the instructions on Infoworld of Oct. 27. I have a question about having the updates set at “NEVER” and trying to follow the procedure set forth in InfoWorld.

      When I go to the Win7 update history page, the information is there, however when I click on KB3192391 nothing happens. Do I need to turn “NEVER” off and return to “Check for updates but let me choose whetehr to DL & install them”?

      I also noted that in the instructions for Group B, Step 5 in Group B references “Group A”. Thinking that is just a typo (?).

      I’m so backed up on e-mails from the various discussions I don’t know where to try to find an answer.

      I’m confused as there is no reference to the settings I should have on the “updates” before I try to get this Security Update. I would like to get started as soon as possible.

      So far I’m only seeing ONE “Security Update” which needs to be installed, however I need to try to get caught up with all of the e-mails to see if there are anymore changes.
      I need help desperately to get things started.
      Thank you. 🙁

    • #29551


      P.S.Is it possible to just leave “NEVER’ on the updates, and do a “Check for updates” to find the Security Only update KB3192391?

      I’m feeling really insecure and confused right now. My apologies.

    • #29552

      As part of the Group B contingent, I just wanted to thank you for your step-by-step instructions. Strangely, when I turn off notification of updates, Windows tells me that there are no additional updates, even though I know that there are. Anyway, I’ve set Windows Update to notify me of any updates but not to do anything about them. I’ve also found that, under Services in Administrative (under Control Panel), I need to set Windows update to Manual in order to let any updates load without searching endlessly for updates. I do have all the necessary updates that are supposed to speed up the process, but unless Windows Update is set to Manual they don’t work as intended. Don’t know why that is. Anyway, thanks again for walking us through the procedure. Please continue to include this as a monthly feature for those of us in Group B.

    • #29553

      The Security-only update is only available if you download it directly.

      It will never appear in Windows Update, no matter what your settings.

    • #29554

      You don’t need to catch up on any of the posts here. Just pick Group A or Group B, and follow the instructions in the article. That’ will catch you up with everything you need.

      Do you see the list shown in the article, in the screenshot? Click on the KB 3192391 link, per the instructions. What happens?

      Yep, that’s a typo. Should be Group B Step 5.

    • #29555

      This was from Windows Update. The Update Catalog (Security Only) took about 10 seconds.

      The rest was .Net, MSE and the MSRT. Not much data, but bog slow.

      Friday Night: 3 updates, 32M 2 hours
      Saturday AM: 4 updates, 44M 10 minutes

      I’ve had slow Windows Update downloads, but Friday’s reminded me of my dialup days. I got a couple of timeout errors on Friday, too.

    • #29556

      Thank you Woody.

      I saw on the link you provided that Office 2007 does have some updates in the latest PU “Public Update”, which is KB3194160 for October, and which appears to include updates for all years of Office.

      Then it says, “For general guidelines about installing updates for a specific product, see the links in each version row.”

      I clicked on the row for Office 2007 and was taken to this page:

      On that page, it says for Office 2007 there are 3 KBs:

      “Word 2007 MS16-121: Description of the security update for Word 2007: October 11, 2016(KB3118308)

      Office 2007 MS16-120: Description of the security update for 2007 Microsoft Office Suite: October 11, 2016(KB3118301)

      Office Compatibility Pack Service Pack 3
      MS16-121: Description of the security update for Microsoft Office Compatibility Pack Service Pack 3: October 11, 2016(KB3118307)”

      My question:

      Would updating my Office 2007, for October, manually from the Update Catalog, be as simple as hunting for those 3 KBs in the Update Catalog and installing them directly?

      Or would it be likely to cause problems because I didn’t go through Windows Update?

    • #29557

      @Woody: Thank you so much for the clarification. Yes, I see now the steps more clearly which I need to follow. I hope to get this done before November 1st, as I don’t know what’s going to break loose by then (hopefully “nothing”).

      I am having vision problems, and that is part of the trouble. I must slow down and read everything several times to be sure I don’t miss anything.

      THANK YOU so much for your help. As we all say “YOU ARE THE BEST”!! 🙂 🙂 🙂

    • #29558


      I agree with “Just Sayin’ 100%!! You are absolutely outstanding in every respect. You are not only knowledgeable, but have a wonderfully warm and common sense approach in all of your posts, which I always look forward to reading. Hope you will SOON get some relief on that bad patch which creates such a serious problem for you. I admire your knowledge and tenacity. Please don’t give up.

      I wish you the very best of luck with that. You are an inspiration to all of us!! 🙂 🙂 🙂

    • #29559

      woody, changing over to a forum format in my opinion, would be a good move. Wouldn’t it save you time having user started threads?

      Who would be your moderators? My suggestion would be the many shining lights we see here (of course only if they wanted to as it is so time consuming) if that is what you meant. There are so many (experienced) posters on this blog from around the world there would always be someone online to ensure the “rules” (even though I haven’t seen any heavy handedness from you) would be followed.

      You wouldn’t lose the “feel” of this site, after all it is because of you many people come visit AskWoody every day because of your honesty.


    • #29560

      Lemme think about it.

      It’s a big, relatively expensive switch. And how would I stitch the posts here into a forum format?

    • #29561

      You don’t need Windows Update. If you can find the patches, download and install them manually, you’re doing just fine.

    • #29562

      Ah. Wait until Monday morning. I have a post coming in InfoWorld that goes into details.

    • #29563

      Having more of a forum setup here would be SO great.

      It would make it easier to follow all the wonderful advice and input that are newly posted daily on many different topics, and it would make it much easier to search for and retrieve information from past threads.

      If you needed more hands on deck for the backend administration of a forum (even if you still wanted to approve all posts yourself, and remain the sole external “voice” of the operation, in order to keep the quality high), maybe you could get some rotating, part-time “interns” from a local university/college and give them some real-world experience and a nice entry for their resume, while benefitting from some inexpensive labor. Or advanced high school kids. (Not sure if any of that would be feasible or practical.)

    • #29564

      In terms of keeping the prior blogposts and comment threads available to site visitors,

      maybe you could have a searchable “Archives” section that reproduced every historical blogpost and the discussion thread that it inspired, but not allow any new posts to be made in the archive section.

    • #29565

      Maybe you could start with a basic one, nothing fancy, and see how it goes.
      And keep the present WordPress format in the wings, if going to a forum structure didn’t work out.

      I’ve been a member of a few forums that were rudimentary, looked off-the-shelf and inexpensive to set up, and were mainly started/run by 1 or 2 people. Perhaps they had 30 to 100 registered members, with a few “guests” lurking around. They were not the most visually-exciting places, but they got the job done.

      But I don’t know what the costs are like – would having a forum require spending a lot more per month on site hosting/server space/data conduction (or whatever the appropriate concepts/terms are)?

    • #29566

      I am in no rush to try this, as I want to wait a month before deciding whether I’m in Group B or Group C/W and before doing any patching, to see how it goes for other people,

      but if anyone else decides to update their OFFICE 2007/2013/2006 product in this way, manually through the Update Catalog, I’d be interested in hearing their experiences with that.

    • #29567

      I think the exception for IE security updates is when you get out of band Flash updates and use IE11 where it is embedded.

      So this time the Security only rollup did not include the latest Flash fix for IE11, which is why Flash showed up as a separate line item after running Windows Update

    • #29568

      Thanks. Will try that next round. It took 3.25 hours but Win Update finally completed on my PC last night and I was able to get the other Group B items.

      I think the slow problem comes when there is a Flash update for IE. In the past I had better luck by first installing the IE11 and Flash updates, then doing a check for Win Updates – but this time there was no Flash update already listed in WU until after I ran that long check.

    • #29569

      I don’t really know. When I started Woody’s Lounge, there was one person – Eileen Wharmby – who handled all of the details. She was quite amazing.

    • #29570

      Flash updates was and will still always separate

    • #29571

      Adding my thanks too, for the Group B guidelines.

      It looks like we manually grab the Security-Only KB once a month now? (Plus any small .Net type patches that we let WU tell us about.)

      By manually, I mean find out here. I suppose we could watch the update catalogue for the phrase “Security-Only”.

    • #29572

      I`m group A. Did the Oct. patch. You recommend afterwards to switch to don`t up date until next month`s patch. Instead can I switch to “Check for updates but let me choose whether to download and install them” ?

    • #29573

      Thank you for your article and help. I am in group B, for now. I followed your instructions in the Info Article on all 3 computers.
      2 did just fine, but the 3rd one, not so much.
      It is Win 7 Pro- 64 bit. I did the security KB3192391 as you said. Restarted. Now I am checking for the .Net and Office security patches. It is still “checking for updates” is your article on Monday going to address this stuck on “checking for updates” for the Group B folks? Or what should I do?

    • #29574

      Since we’re at DEFCON 3:, may I ask for advice regarding my hidden updates W10 Home 1511 (10586.633).
      KB3161102, 3181403, 3150513.
      KB3201860 installed today.

    • #29575


      My apology for being so late in responding to your very kind and encouraging message! I enjoy the comments from you and poosticks both so much because I can certainly relate to them. I am definitely “non-techie”, just trying to keep my head above water (not to mention the alligators!).

      Good reminder to set the System Restore points before manually installing. Also a good reminder that the MSRT appears to not be “secure” either. Updating is definitely nothing like it was intended to be when I purchased my computer. What wonderful days those were!!

      Good luck to us all, and (hopefully) eventually things will improve. We just need to “hang in there” and keep our morale up. thank you for your reply!

      🙂 🙂

    • #29576
    • #29577


    • #29578

      You can. The effect is basically the same.

    • #29579


    • #29580

      Hi Woody,
      I believe you may already be aware, but in case not, the INFOWORLD article about this has Group A steps and Group B steps. I think a typo exists in Group B step 5. It says, “Group A, Step 5” when I suspect you intended “Group B, Step 5.” Readers probably assume this, but just mentioning! Grateful for your dedication to all of this complexity!! About to jump ship and become a Group A person as it is all getting a bit too complex for my weak brain.

    • #29581


      MS-DEFCON 3: Time to get the first post-patchocalypse patches patched

      RE: Vssadmin to expand shadow copy space.

      Linked article advocates disabling Vssadmin.exe by renaming it because of ransomeware attacks.

      Thought it might be of interest.

    • #29582

      @Woody &Jussi:

      Any recent information on the KB2952664?
      Last information I noted was on InfoWorld on October 10th and it was listed as “uninstall” along with KB2976978, KB3150513, and KB 3021917. I don’t have the CEIP insofar as I know. I have at least the KB 2952664 installed, however haven’t checked the others yet. Win 7, x64.

      Thank you for any current information you may be able to provide on these. 🙂

    • #29583

      @Woody: Group B, looking at the Oct 27th directions. I do not see the direction to “turn automatic updating off”. Win 7, 66x.

      I would like to move forward with getting the KB3192391 installed, however would like to verify if I do need to “turn automatic updating off”.

      I know how busy you are, and I sincerely apologize for adding to the workload.

      Thank you for all of your help, as always, and I apologize for sending an e-mail about this as well. Thank you for your help, it is always appreciated more than words can say. 🙂

    • #29584

      Sorry, it’s Win 7 64x. Another apology with much gratitude for your understanding. 🙂

    • #29585

      Hi Woody,
      Many thanks for all your wonderful advice. I’m in group B with Win 7 Pro 64-bit. I installed the security only patch (KB3192391).

      After reboot saw and installed KB3188740 (.net roll up), KB890830 (MSRT), and KB3193713 (Silverlight security). However I also saw KB3185330 (security quality monthly rollup) and KB3177467 (service stack?), and neither download nor installed either of them, as KB3185330 is for Group A (as I recall you noted?), but it’s unclear what to do about KB3177467 (which in ‘googling’ seems to indicate it can cause problems?).

      Should Group B with Win 7 64-bit be downloading/installing KB 3177467? Thanks in advance for clarifying.

    • #29586

      Thanks ch100, my question is why Woody recommended to check the box now – give me recommended updates the same way I receive important updates, which he did not recommend to check it before. I am confused. Without the box checked, I am still seeing KB3185330 on my download list.

    • #29587

      If you’re in Group A, you’re going to want Recommended patches.

      If you’re in Group B, you don’t want them.

    • #29588

      That’s the servicing stack update.

      Over on the My Digital Life forum, ch100 says:

      Strictly speaking yes, KB3177467 is the only one required.
      However, there are known issues with the detection for KB2533552 which Windows Update “thinks” that is needed after installing KB3020369. To keep it happy, you just tell it to install, WU probably sets a flag somewhere in the system and becomes quiet, although there is no installation as such.
      I heard, without experiencing it myself, that KB3177467 might need more work at MS, so in the mean time KB3020369 might still be needed.

      According to the KB article:

      After you install update 3177467 together with other updates, a restart may be required to complete the installation. During this restart, you may find yourself stuck on “Stage 2 of 2” or “Stage 3 of 3”.

      If you encounter this issue, press Ctrl+Alt+Delete to continue to log on. This should occur only one time and does not prevent updates from installing successfully.

      Personally, I wouldn’t install it just yet. Abbodi notes that it must be installed all by itself, with no other pending updates, to avoid the “Stage 2 of 2” problem.

      ch100, abbodi86, any better advice?

    • #29589

      Follow the instructions precisely. You should already have Automatic Update set to “Never” – and leave it there.

    • #29590

      Greetings Woody,

      After following the Group B recommendations on four different Win 7 Pro x64 machines, the Secunia PSI scans on each report the same deficiencies:

      Microsoft .NET Framework 3.x

      Microsoft .NET Framework 4.x

      Microsoft Internet Explorer 11.x

      Microsoft Internet Explorer 11.x (64bit)

      Microsoft Windows 7

      However, scans by the Belarc Advisor (which I take as the Gold Standard) yield a 100% rating for each machine.

      I know that Secunia were purchased by Flexera not too long ago, but they are still offering the Secunia PSI (version, released February 2016), so I am assuming that its database is being maintained. Any thoughts on this discrepancy?


    • #29591

      @Woody: Thank you so much, Woody, for clarifying this for me. I hope that everyone will join together to assist with supporting your amazing efforts!

      Thank you once again. 🙂 🙂 🙂

    • #29592

      @Joe Friday…Thanks for the link re Vssadmin.

      Windows 7 64 bit here. Group B

      Regarding the 3177467, (service stack)
      I did download it with no problem. It was listed as important, also listed as a “critical” update I think in the catalog or somewhere????
      The only thing I did not do is the Malicious Removal Tool. Haven’t deceided if it really is beneficial to do so.

    • #29593

      A pleasure Walker! Don’t think I like the alligators tho’……. never gave them a thought….. but there could some lurking around in the swamps! Yuk! Will have to watch out for them!
      Never smile at a Crocodile……… and all that! LT

    • #29594

      Re: Windows Update setting “Give me updates for Microsoft products and check for new optional Microsoft software when I update Windows.”

      I learned the following yesterday. Someone may find this helpful.

      Unchecking the box next to the above referenced setting on the Windows Update “change settings” page causes the box and the setting to disappear. To obtain updates for non-Windows Microsoft products and software after unchecking the box requires clicking a link on the main Windows Update page that, as best as I can recall, says something like “learn how to obtain updates for other Microsoft products.” If a computer’s default browser is Chrome, clicking that link opens a Microsoft page that has some words and pictures about Windows Update but nothing more. Alternatively, if a computer’s default browser is IE11 clicking on the link opens a Microsoft page that asks the user to enroll in Microsoft Update. There are two enrollment options and even the least automatic option causes Windows Update to launch immediately. Quickly shutting down Windows Update allows the user to reopen Windows Update to confirm that the above referenced setting has returned and is checked and to change the update settings to “Never check for updates (not recommended)” or some other option.

    • #29595

      Sorry if someone mentioned this–I haven’t read ALL the comments: Woody, there a typo in the InfoWorld explanation of GroupA/B: In the Group B list of steps, it says, “Group A Step 5.” Since by this point we’ve already read the Group A steps and are now reading the explanation for the B group stops, I’m pretty sure it should say, “Group B Step 5.”


    • #29596

      Yep. I’ll get it fixed as soon as my editors are back at their desks….

    • #29597

      I don’t trust Secunia PSI with Windows stuff.

    • #29598

      1) last comment re 3161102 is August 14, 2016 at 10:22 am
      2) last comment re 3150513 is September 25, 2016 at 11:00 am
      seem inconclusive, what to do….
      3) 3181403 – install = Thanks

      I’m curious why cumulative does not roll these in…

    • #29599

      You’re talking about updating Win10 version 1511, yes?

      You should go ahead and install all Win10 patches. See

      MS-DEFCON 3: Time to get the first post-patchocalypse patches patched

    • #29600


      Can I safely wait until Tuesday to patch or will it being the first of the month effect anything?

    • #29601

      woody: You’re talking about updating Win10 version 1511, yes?
      > Yes.
      woody: You should go ahead and install all Win10 patches.
      > Meaning all patches for 1511..?
      woody: If you’re still on the Fall Update, version 1511, I say stay there until Microsoft gets a better version of the Anniversary Update, version 1607.

    • #29602


      It’s definitely “my pleasure”! Really enjoyed your message, and it gave me a much needed “chuckle” to end the day.

      I’m reaching the point that a lot of us have – – – I’m just “plain weary”, and I’m sure that Woody is hard pressed trying to keep up with it all. He does a marvelous job!

      Let’s hope we can all “weather the storm”, and eventually prevail against this *(&^% debacle.

      Good Luck to us ALL!

      🙂 🙂 🙂

    • #29603

      abbodi86 knows this stuff, he is right 🙂
      But if you wish to advice delaying it, there is no rush, KB3020369 is still the only one which is required for the current stage of updates.

      Note: I advice KB2533552 entirely for cosmetic reasons. On 64-bit versions, without KB2533552 Windows Update will believe that SP1 is not installed and will fix the detection regardless by flagging that KB2533552 is installed. abbodi86 proved to me not long ago here on that KB2533552 is entirely overwritten by KB3020369.
      Same thing with KB3177467 which entirely replaces KB3020369.
      By installing in the sequence which I presented, the risk of failure to install is minimised, otherwise the only one required is KB3177467.

    • #29604

      If it is not clear enough from my posts, each of those 3 updates (or only those selected) should be installed manually and separately from each other. They are all servicing stack updates belonging to a different stage in the life of Windows 7 and Windows 2008 R2.

    • #29605

      It is as beneficial as any antivirus tool.
      If you are against antivirus tools, then do not use it. Otherwise go ahead and use it.

    • #29606

      @Walker & @Jussi, read this from Woody’s InfoWorld article from Oct 5:

      I don’t have 2664 installed as I wasn’t going to move to W10 …and now? it’s one I’m forgetting about – permanently.

      Contributor ch100 said a while back that he/she doesn’t see anything bad concerning this patch (but his/her best practice is to install everything anyway :~ ). I’m steering clear of it, however it’s your choice to make.


    • #29607


    • #29608

      How would I go about this if I wanted to make it as simple as possible, while installing only the “essentials”? (I’m in Group “B,1” btw, I don’t care that much about privacy, telemetry slowing down my computer is more of a concern to me if anything), i just want things to work, and without me being a test subject for possibly botched patches and the likes.

      1. Check the Windows 8.1 and Windows Server 2012 R2 update history for the relevant file. (I’m using Win 8.1, just for the record.)

      1a. Check around the net if there are problems with the relevant Security Only update, and act thereafter.
      1b. Install if has been given a green light, wait if unsure.

      2.Check for Updates via Windows Update.

      2a. Ignore all the non-program-specific Security Rollups and whatever they are called.
      2b. Ignore all Optional Updates unless they are for some reason explicitly relevant to a product i am using (within reason of course).

      2c. Check around the net for more input on entries in the “Important” list concerning software like .NET, Office, Adobe Flash Player a.s.o., generally installing them unless a web search reveals major problems with one of them.
      (BTW, should all “Monthly” Rollups be avoided, or just the non-program-specific ones?)

      2d. Check around the net for more input on any other entries in the “Important” list, but avoiding them unless they seem relevant and/or critically needed.

      3. If all is OK, install updates, check that things didn’t break a.s.o.

      4. Keep an eye out on this website (and on the net in general), in case the situation changes.

      Have I understood the instructions correctly, or did I miss/misunderstand something?

      (I’m sorry if I seem a bit daft, but I’ve both ADHD and Asperger’s, so this isn’t as much about me not understanding as it is about me trying to make sure I’ve understood correctly.)

    • #29609

      EDIT/ADD: Another Question:

      1. Are the instructions from the “How to cautiously update Windows 7 and 8.1 machines”-article going to be general unless things drastically change (i.e. Is this going to be the proper way to go about updating from now on?).

    • #29610


    • #29611

      All you need to do is follow along here (or on Twitter, or Facebook, or the RSS feed) and wait for MS-DEFCON to fall to 3, 4 or 5. At that point, follow the instructions in my MS-DEFCON post for Group B.

    • #29612

      ch100, Interesting statement. I did not realize until just recently that after years and years and hundreds and hundreds of application of MSRT, I can only remember ONE instance that it finding something.

      I suspect a reasonably good AV installation is many times more effective. I would advise MSRT to be used only in a case where no AV tool is intended to be used.

    • #29613

      Thanks, Woody; it looks like it’s time to retire it, then.

      Out of curiosity, what is your take on the Belarc Advisor?

    • #29614

      Thanks for the reply. Woody, if the only two important updates that I haven’t downloaded yet (and hidden for now) are KB3177467 and KB3185330 (the latter being for Group A), and being I’m Group B, aside from not downloading KB3185330, I should hold off downloading KB3177476 svc stack update until Woody gives the ok? Also in layman terms, what is the KB3177467 for? Thanks.

    • #29615

      I’m curious why Cumulative Update do not roll these in.?
      Since W10 Home in-place upgrade (W8.1). I’ll only show/install Security and Cumulative Update.
      Am I Group B.?

    • #29616

      and for those that do not do social media..?

    • #29617


      When I installed kb3192391 and restarted my computer it did the whole “configuring windows please wait” thing, but when I installed kb3188740, the MSRT and kb3179930 it just restarted like normal. Did I mess something up?

    • #29618

      Woody, would you please remove the forgoing post? I mistakenly put my email address in it. Or replace my email address with Canadian Tech

      Thank you.


    • #29619

      I see, thanks for the quick answer 🙂

    • #29620

      @Canadian Tech,

      The email address is still appearing, so perhaps he didn’t realize what you were asking –

      You might send him a direct email to:
      woody at ask woody dot com

      I agree about the MSRT —
      it never found anything bad on my computer,
      and it was requiring the hassle of a new legal authorization/permission every time it was allowed to run via Windows Update,
      so I stopped using it this past February.

    • #29621


      I recommend not unchecking that line which says,
      “Give me updates for Microsoft products and check for new optional Microsoft software when I update Windows,”
      but if it is unchecked, and the computer owner wishes to get it back, there are 2 safe and reliable procedures to get it back.

      Over the years there have been a handful of other procedures published which used to get it back, but they don’t work anymore.

      The 2 procedures that still work have been described in the discussion threads in the past.

      One involves editing the Registry, which is only for intermediate and advanced computer owners to attempt,
      and one involves an easy but roundabout way to make it show up again which does not involve going into the Registry, and is better for non-techies.

      About 2 weeks ago, in a recent discussion thread here, someone asked me to repeat the non-techie procedure to get that selection back on the Windows Update settings screen
      (this procedure is “safe” in the sense that it will not provoke Windows Update to start running on its own, as you have described seeing happen on your machine),
      and that procedure should not be hard to find using the site search here.

    • #29622

      I have found it to be OK for Windows up until this October, but ONLY if you use WU or the catalog to do the actual updating. I never use the PSI itself to do any updates, I just use it to let me know, and go the respective websites.

      I think as of October the PSI is fixated on the Rollup, so I am no longer using them for Windows, but am still using them for all other stuff.

      I also use Belarc. Nice tool for telling you what is missing.

    • #29623


      As far as I know, the date of the 1st of the month is not relevant to patching.

      The main days where the patching system has important changes are the 2nd Tuesday and 3rd Tuesday of each month.

      As long as Woody’s “Def Con” system at the top of the page is showing that patching can be done, and it’s after the last 3rd Tuesday of the month (18th Oct) and before the next 2nd Tuesday of the month (8th Nov), then you should be fine.

    • #29624

      @bjm We shall continue to “follow along here”, as Woody put it – i.e. keep an eye on this website.

    • #29625


      For me personally, I think the following two quotations from your post contain great advice that everyone should follow,
      in order to see if there are any reports on the wider internet about problems regarding particular patches that show up on our Windows Update list –
      maybe they are specific or rare problems which contributors to may not have personally experienced, so the problems have not yet been reported on the site, but they could still be problematic for one’s own computer configuration.

      Your advice:

      “generally installing them unless a web search reveals major problems with one of them”

      “Check around the net for more input on any other entries in the “Important” list”

      At the end of the day, each of us is the captain of our own ship (computer), and the responsibility lies with us to patch with as much care and research that we can muster, every single month.

      What works for the vast majority of the population sometimes doesn’t work for oneself (and one’s equipment), and no independent researcher/independent website is going to have immediate knowledge of all the Windows Updating issues that are arising, especially the more rare ones.

      The fact that complicated Windows Update problems can take several weeks to be understood and widely reported
      [and my personal situation of often being in a small % of people who have an unusual experience rather than just having a statistically “normal” life (ha ha) ]
      is why I have decided to wait an _extra_ month before I do anything.

      So I have put October’s patching on hold, and I’ll wait until Woody’s go-ahead in late November for the November Patch Tuesday patches before deciding whether I will try October’s patches on my finicky computer.

    • #29626


      “Following along here” on this website was the first option Woody gave, and you seem to be able to do that one, since you are here now!

      The time of the month when he changes his Def Con rating is typically after the 3rd Tuesday of the month and prior to the 2nd Tuesday of the next month — generally, the Def Con rating to “go ahead and patch is in place during the last week of a month.

      If you don’t normally visit Woody’s website (say, on a weekly basis), just coming here once in the middle of the last week of the month to see what the Def Con rating is would generally suffice.

    • #29627


      In my experience, what you have described is normal behavior for different patches — sometimes they have to configure Windows and take some time, sometimes they don’t.

    • #29628


      I honestly don’t know what you guys are talking about here — but it seems to be important.

      Is this something that is going to be explained in your “speeding-up” InfoWorld article which still seems not to be up on their site?

    • #29629

      Naw. It’s just a sequence of patches that culminate in the servicing stack getting updated.

      (By the way, looks like my speed-up post won’t run until Friday.)

    • #29630

      Sorry ’bout that.

    • #29631

      Ok, I should’ve mentioned in my first post that all the patches are listed as successfully installed in my update history but at the same time I’ve never seen it not need to configure after updating so I kinda freaked out a little. Thanks for the response.

    • #29632

      Woody, if your InfoWorld article is not up till Friday, would you please publish it here? At least the gist of it, if you can not literally publish it here first.


    • #29633


    • #29634



    • #29635

      Not true. You should never ever find a virus on your computer, even with the best antivirus tools. The antivirus is there for assurance.
      The viruses don’t just come out of the blue, there is some user action for this to happen.

    • #29636

      ch100, Sorry have to disagree. I have had numerous cases of clients who were browsing sites that are normally considered safe and suddenly a pop up warns that their computer is infected and they must call a number to get it fixed. It actually should just be closed using Task Manager, but it traps lots of people. AV software does not necessarily catch this stuff.

      Also, the average user (who thinks of their PC as a potato peeler) is just not sophisticated enough to know where not to go or to not click on a link in an email.

      AV is there to protect them.


    • #29637

      It is not about speeding-up. It is about few updates which may fail if not installed separately. WU should take care of the sequence, but we are getting back to the subject of users knowing better and installing selectively, which sometimes confuses WU. In such situations, the best way of tackling the issue is to install manually each of the mentioned critical updates, one at a time.
      Woody actually enquires about the most recent servicing stack update KB3177467 which seems to create problems for few people and if it can be delayed safely.
      The answer is that it can be delayed now, but it will be required soon.
      There is a condition though, which is not an issue for most. KB3020369 must be installed in all circumstances for anyone trying to do any update.

    • #29638


      Is the main thing that I should take away from this servicing stack discussion
      what you said in the middle of it:
      “Personally, I wouldn’t install it just yet.” ?

      And when it does come time for the general public to futz with these servicing stack updates, you will explain it in a blogpost or article?

    • #29639

      last week of the month, sounds like a plan….Thanks

    • #29640

      @poohsticks, @Seff
      last week of the month, sounds like a plan.
      (still getting accustomed to vanilla WordPress editor)
      Is there a dedicated DEFCON thread that reports DEFCON change, that I may subscribe to.

    • #29641

      Yes. And yes.

    • #29642

      Thanks, Bill C.; it had occurred to me as well that the PSI database was being linked to the “official” WU offerings, so that Group B would no longer scan as fully updated. Fortunately, the Belarc Advisor continues to be able to make that differentiation (at least for now…).

    • #29643

      email notifications with for example
      Author: woody
      Yes. And yes.
      are a challenge to know who “Yes. And yes” is intended for…
      Guess, in string format. There’s no way to be email notified for reply intended for me.

    • #29644

      Well said, and yea, waiting for a bit (and then a while longer) is usually the way to go, it seems.

    • #29645

      I didn’t even think about that!

      I’ll try to be less obtuse….

    • #29646

      The RSS feed for the site always includes MS-DEFCON changes, as do both my Facebook page and my Twitter account @woodyleonhard

    • #29647

      AFAIK, all those solutions links to WSUS
      there is no auto way to link with WU, must be done manually

    • #29648

      I need to unsubscribe to this post as my inbox is being buried with replies and your website makes it virtually impossible to do so.

      Please help!

    • #29649

      Following the link at the end of the messages should work… but lemme try it from here

    • #29650

      Easiest way… forward one of your emails to me – – and I’ll take it from there. I can’t find your email address in the subscriber list for this post.

    • #29651

      I have read all the prior posts and haven’t seen anything addressing Sept. KB3179930 Win 7 Reliability Rollup for .NET Framework 4.5.2, 4.6 which showed up as Optional in Sept. It is still in Optional. October .NET 3.5.1 security and quality rollup for Win7 KB3188740 is showing up as checked and important which I will install. I’m in Group A. So, my question is what to do with the Reliablity rollup for .NET Framework 4.5.2, 4.6 that hasn’t moved to Important status. Is it safe to install? I don’t understand why it was released as Optional in Sept. and remains there.

    • #29652

      Poohsticks – Thanks for the reply. Like you, I don’t recommend unchecking the box next to “Give me updates for Microsoft products and check for new optional Microsoft software when I update Windows.” However, if for whatever reason a user unchecks that box, the above referenced setting disappears and the user will need to click on the link “learn how to obtain updates for other Microsoft products” to get that setting back. My main point was that that is easy to do IF the user’s default browser is Internet Explorer in which case a Microsoft web page opens that has a few simple steps for getting the above setting back. That page does not work with Chrome so Chrome users need to temporarily change their default browser to IE.

    • #29653

      Canadian Tech – Thanks for the reply. Please see my reply to poohsticks.

    • #29654

      If it’s optional, you don’t need it.

    • #29655

      pk280, In IE, you need to include in the compatibility view settings, as well


    • #29656

      Ok thanks Woody. But interesting that previous .NET Framework updates for 4.5.2 and 4.6 were released as Important prior to Sept. and not released as Reliability Rollups. So I’ll sit tight for now as you suggested until it rolls to Important, if it ever does.

    • #29657

      That`s what I do, close it using task manager.

    • #29658

      Woody, I’m in Group A, what is the recommendation to do with KB2952664? It’s offered separately and checked.

    • #29659


      I have IE 11, and I lost the selection of “Give me updates for Microsoft products and check for new optional Microsoft software when I update Windows” last year by mistakenly unchecking that box,
      but no steps that Microsoft offered (either in a straightforward, sensible way from my machine’s programs themselves, or in answers given out on Microsoft’s Support website) solved it for me at the time.

      Likewise, no other set of steps offered on non-Microsoft internet discussion forums helped me to get that selection back (since I choose not to edit my Registry unless it is basically absolutely necessary),
      except for one person’s process that I found on some farflung website, after I spent several hours of looking the topic up and trying various recommended things that didn’t work. (This process is the non-techie, roundabout process that I’ve been recommending on AskWoody for the past year.)

      I don’t want to uncheck that box and try what you describe, in case it doesn’t work for me, but according to your report, it looks like Microsoft has wised up and re-instituted a solution that is accessible directly via a sensible pathway within a relevant Microsoft program.

      They used to have a couple of easy fixes in prior years, according to the discussions I read online about it, but they then apparently closed down the straightforward paths (for a period of time, at least). The steps that are normally advised for this issue would lead to dead-end empty pages on the Microsoft site, which they needed to get their ducks in a row about, so maybe they’ve finally done that.

    • #29660

      @Canadian Tech,

      I have had a quick look at your link and I think that is not what prk280 was talking about, unless he/she and I have been talking at cross-purposes.

      prk280 was talking about what to do after
      “unchecking the box next to “Give me updates for Microsoft products and check for new optional Microsoft software when I update Windows.” ”

      That is an option in the Windows Update settings. If you uncheck the box, the entire option disappears from the settings page, so you can’t re-select it if you change your mind. You have to figure out on your own how to restore the whole option to the Windows Update settings screen.

      For a non-techie, it can be hard to figure out how to get the option back in the settings page. Additionally, at least last year when I ran into this, Microsoft had closed down the paths that earlier they had recommended for people to use to get this option back. So people resorted to either editing the Registry or trying some off-the-wall things.

      Nothing other people suggested (in online discussion forums) worked for me last year, except for one off-the-wall thing that did help me out, and I was thrilled to have found an answer that didn’t involve the Registry.

      It seems that prk280 has recently found a more straightforward way to get that option showing again in the Windows Update settings.

    • #29661


      Re your question: “Is there a dedicated DEFCON thread that reports DEFCON change, that I may subscribe to”

      What you are seeking is a very specific “alert”, to be sent out only upon a change in the DefCon level, whilst you don’t want to receive any notices about any other topics…
      but I don’t think there is that option at the present time.

      If Woody changes the site’s format to more of a “forum” format, maybe he can have a locked, stickied thread on DefCon updates that only shows his DefCon announcements, and you could subscribe to receive an email when a new post were posted there (knowing that it would only be “official” DefCon posts that were posted there).

      Otherwise, you could just make an entry in your calendar (or set an alarm in your smartphone, or set up an email notice to be sent to you from your calendar program) for yourself to come to this site in the middle of the last week of the month and look at the top of the page at the DefCon graphic, to see what number it’s on. 1 and 2 mean “don’t patch”, while 3 and 4 mean “time to patch, but must read Woody’s warnings about things to be cautious about”.

      (The unlikely appearance of a 5 would mean that contributor and staunch Microsoft advocate CH100 has hacked into Woody’s site. Chortle. 😉 )

    • #29662

      thanks woody and company! made it through mash up october patch tuesday by following the KB3192319, then KB3020369 and finally KB3172605 recepie…
      then went on to a super fast (3-4) minute check for updates! Just like the old days hey, hey
      in the “Important” list were
      KB3185530 which i hid
      KB3188740 which i installed
      KB3042058 update to default cipher suites? from 05/12/2015 which i installed after a fruitless google search for possible badness and msrt october which installed as usual
      in the optional list were:
      KB3193713 hid it
      KB3192403 hid it
      KB3181988 hid it because SFC kills my custom clear aero customization
      after all that on 4 win7 installations, one of which has office 2010 on which i added the KB3118312 word 2010 security update
      i guess i’m good to go (until next time)
      finished by resetting windows update to “Never Check,” and windows update in services back to disabled…
      as far as MSE goes when i manually check for updates i get the “No connection” pop up and while i’m getting the manual update download from microsoft, MSE magically updates the definitions on its own.
      just for laughs i have an XP Pro SP3 with the pos registry hack and it still gets ALL the single KB updates for me to graze upon at my discretion.
      thank you and everyone who helps us get through another month of (needless) and (enhanced) dll hell imposed by the redmond death star mother ship!

    • #29663

      Ah hah, I have stumbled upon the famous
      “Yes. And yes.”
      comment that someone referred to on another thread!

      (He/she was complaining about being subscribed to receive an email when a new post is made on a discussion thread on, but the emails arrive containing sometimes-disembodied posts with no context and therefore don’t make sense on their own, such as “Yes. And yes.”)


    • #29664

      I’m in Group B with Windows 7. When I did the “Check for Updates” (Steps 5-7 for Group B), it came up with a list of ten “important” updates, but six of them appeared to be non-security and one was the rollup KB3185330, and so I unchecked those six non-security ones and also unchecked the rollup KB3185330. So the seven items that I unchecked were: KB3185330, KB2999508, KB2881030, KB3114555, KB3114989, KB3138612, and KB3182203. Woody, can you tell me should I have left any of those seven checked?

    • #29665

      You will likely get a full rollup in November 2016 replacing or elevating the current one from September 2016. Just leave it not installed if it is Optional.
      Do not hide it, as it may impact future functionality if it is revised in place. It will disappear by itself if it is made obsolete by Microsoft.

    • #29666

      Quick look, those appear to be old non-security patches for Office 2010. Mostly they fix bugs introduced by updates to Office 2010. Personally, I’d go ahead and install them.

    • #29667

      Yes. 🙂

    • #29668

      The most abbreviated list is on Facebook, but that’s only because I don’t update it often enough…

    • #29669

      KB2952664 is a snooping patch. But if you’re in Group A, yeah, you do want to install it.

      Remember that Group A won’t protect you from snooping….

    • #29670

      Arghhh, Woody you have decided to allow KB2952664 to be installed! After KB2952664, then KB3150513 will be offered. +1 😀
      OK, so we have a guideline from now on, Group A is like Windows 10, whatever. KISS method, not bad for the less technical end-user.
      It may be useful at sometime in the future and the equivalent functionality is built-in Windows 10 nevertheless.

    • #29671

      Hmmmm… I’d be willing to re-think it. Group A means you’re willing to take anything Microsoft dishes out – including, most explicitly, snooping. But that decision isn’t necessarily retroactive. In the past, I’ve firmly recommended against installing KB2952664 – even for those in Group A. Now, if it appears as a checked (recommended) update, it falls in the realm of “you made the decision, and here’s what you get.”

      Unless you think it would be worthwhile to explicitly tell people to NOT install KB2952664 – even if they’re in Group A. That has implications now, and in the future.

      What do you think?

    • #29672

      You are looking for problems and I am looking for solutions. I am not sure what most people reading Woody’s blog are looking for here.
      Do you have any idea? Both approaches are useful to a certain extent.
      MS-DEFCON should be a 5 for October 2016 anyway and people using Bluetooth should disable it (just to hide the issue with KB3172605, as hiding seems to be a favourite for a lot of readers). 😀

    • #29673

      Windows 10 has the Scheduled Task (Appraiser) and functionality which is installed by KB2952664. Also Windows 10 gets the KB2952664 “extension” which is KB3150513.
      I don’t have any opinion in regards to this functionality. For the sake of simplicity and because a lot of those who now claim that they will never touch Windows 10 will (be forced to) upgrade at some time in the future, I would say for those not overly concerned, they can go ahead and install everything that comes checked/ticked.

      Maybe you should reinforce the advice for not installing anything unchecked and in particular anything that comes with Preview in title.

      Note: Even among those unchecked old patches – not the Preview category, some may be installed, but this is to be analysed by the user on a needs basis, as there cannot be a general recommendation for those. Many of them extend Windows functionality with specialised components and have most benefit for IT Professionals.

    • #29674

      @Woody: I don’t think I have KB2952664 installed, however if I do can I uninstall it?

      I’m Group B,and have always hidden this one.

      My last note on this shows that I hid it (AGAIN) on October 8th. (I’m not going to check anything until after everything stabilizes) It’s been issued so many times (and been hidden so many times) I’ve lost count. Thanks for your advice, as always.

      🙂 🙂 🙂

    • #29675

      I’ve been struggling with the MS-DEFCON level definitions, too. The old 1 thru 5 system worked great for XP-era patches. Now with Group A and Group B, my main concern isn’t with having people install Windows patches, it’s with Office.

      Oy, for the days when it was simple!

    • #29676

      It was not a suggestion to move to 5, just a reply to @poohsticks post who as we know is affected by the Bluetooth bug shared by Intel and Microsoft. 😀

    • #29677

      OK, but I still wonder if it’s time to shake up the MS-DEFCON system.

      Or is it ain’t broke, don’t fix?

    • #29678

      As far as I’m concerned, it ain’t broke. The particular DEFCON number doesn’t matter so much; regular visitors to this site know that #2 or lower is a serious red flag, and that #3 or higher is a go-ahead, perhaps with some reservations. More important, Woody’s accompanying descriptions tell whatever story is not contained in the numbering system.

    • #29679


      I uninstalled kb3179930 last night (after having mistakenly installing it yesterday morning) and while I waited for my installed update list to load I noticed that these 7 updates all had an install date of 10/31/2016


      I figured they were all just part of the .NET reliability update and would disappear when it was gone. The update uninstalled successfully and I thought nothing more about it. This morning I decided I should check to see if the update was really gone since it was still listed in the update history. the reliability update WAS gone but the above patches now had an install date of 1/11/2016. Why would the updates installed on dates change especially when I know at least kb3136000 is an older update? Is there anything I can or should do here? Would anything break if the updates were uninstalled?

    • #29680


      How can you say, “It was not a suggestion to move to 5,”

      when just above that, you wrote, “MS-DEFCON should be a 5 for October 2016 anyway.”

      That is pretty contradictory. Why say one thing to me, and then turn around to Woody and say you didn’t mean it?

      Your following sweeping statement is not true: “You are looking for problems and I am looking for solutions.”

      It is not true to characterize me in this way, and it’s certainly not accurate to characterize yourself in this way.

      If you sampled the readers here, and asked them if I come across to them as a person who is looking for problems and who is not trying to find solutions, they would say “that is totally false”.

      You say, “I am not sure what most people reading Woody’s blog are looking for here.
      Do you have any idea?”

      Indeed, I actually do.

      “people using Bluetooth should disable it”

      No, they shouldn’t have to disable a component of their computer that they paid for, that they use, and that a third-party company has screwed up.

      You need to be able to take a gentle joke, and not to strike out at people.

      You are very judgemental, and I know that you get stood up for in a way that I don’t, but if you don’t see the value in my contributions, my viewpoints, and my concerns, you are in the minority here, even amongst the best IT experts who grace this site.

    • #29681

      I’m confused about what to do about KB2952664. I’m Group A, you and ch100 discussed but what is outcome? To install or not install? It is in my list of updates and checked. I believe it removes KB’s related to get Win 10 but I don’t know. Can you advise please? To install or not install. I don’t see this KB going away.

    • #29682

      Gimme a while to hash it out with ch100. Nothing pressing at the moment.

      There are serious pro’s and con’s.

    • #29683

      Lighten up, folks! There’s no one “right” way – no golden path to enlightenment.

      I just hope we can avoid the tar pits on the way.

    • #29684


      (I am responding to a comment you made above in this thread at a point in the nesting structure when a direct reply to a comment is no longer an option, so I’m putting my reply in the main flow of the thread here.)

      You wrote,
      “I… wonder if it’s time to shake up the MS-DEFCON system.”

      With the new MS patching system in place, and the substantially-different pathways of Group A and B, I think that the Defence Condition system might benefit from a refresh or a re-jigging.

      Maybe there isn’t a need for 5 levels now – perhaps 3 levels would cover the main sets of circumstances.

    • #29685


      “people using Bluetooth should disable it”

      No, they shouldn’t have to disable a component of their computer that they paid for, that they use, and that a third-party company has screwed up.


      poohsticks is absolutely right…people should not have to disable BT.

      I think it’s fair to say that everyone appreciates your technical knowledge, ch100, but going back months I have had an issue with your “approach” to allowing MS to install anything and everything on one’s personal machine for the sake of “being safe”.

      I mentioned this to Woody some time ago, I have a friend who is a lawyer and an IT guy and he has not patched his W7 and W8 systems for YEARS. And he has had no issues. Is he careful what he does on the web? yes…but he’s not a fanatic about it either.

      Somehow you seem to ignore or forget, over the years, those who have installed everything and yet somehow their machines have been disabled, changed for the worse, blue screened, lose certain functionalities, etc. You cannot dismiss these events while saying that users should install everything MS sends down the chute so “the system runs optimally”. If one installs everything running “optimally” is a 50-50 shot, at best…

      It’s a proven fact that a certain % of users who use automatic updates have been hurt by those auto updates.

      As well, if we had allowed everything MS sends down the chute to be installed, users would have had the GWX campaign so intertwined in their OS that, without a Josh Mayfield, one can safely say those machines might never have recovered.

      In the end, if I recall correctly, you indicate to install everything, yet even you have posted a list of patches to avoid (I believe it might be 2-4 patches). How does one “install everything” and not install everything at the same time??

      You have a MS bias, and people can easily detect it. That doesn’t take away from your expertise, but it does take away from some of your recommended actions users should take.

    • #29686

      Ok Woody. Is it ok to install other KB’s released in October? I think there are 2 plus MSRT.

    • #29687

      If Group A is based on “accept snooping” and “install everything,” it seems to me if you start culling patches you just moved to Group B. Don’t accept KB2952664 and it’s followup KB315053 (or several others that were on the old block list). Don’t accept non-security Windows patches. etc. And there’s bound to be others in the future at the rate MS is going.

      For the people who are incapable or unwilling to take responsibility for their computers, the Windows Update setting should be Automatic. If you put the computer on Automatic, you get all the CHECKED updates under IMPORTANT. You do NOT get the UNCHECKED patches ANYWHERE. And you get the problems MS has been causing with bad patches.

      The people who come to this site are willing to take responsibility for the operation of their computers. The benefit to being in Group A is the time buffer between patch release and patch installation. MS releases the patches on the second Tuesday. We WAIT to see if they cause problems and if the problems are fixed. Somewhere around the end of the month, Woody gives the go-ahead to install the safe patches.

      But in the end, it you follow the guidelines for Group A, the results should be the same as Automatic (without the problems) – you install the CHECKED updates under IMPORTANT and you do NOT install the UNCHECKED updates ANYWHERE.

      I think that’s being fully patched as ch100 recommends. But it seems that even he makes exceptions. It’s difficult.

    • #29688

      Canadian Tech – Thank you for adding what I forgot to include in my original post. Incidentally, there are some discussions on various websites that versions of Internet Explorer earlier than version 11 do not require the addition of to compatibility view. I used IE11 so I cannot attest to the accuracy of those discussions.

    • #29689

      Poohsticks – As you concluded, if your Windows Update works the way you want it to work, it is probably best not to uncheck the box next to “Give me updates for Microsoft products and check for new optional Microsoft software when I update Windows” just to confirm that the procedure I posted works.

      Two other items for informational purposes:

      1. The last line on your main page of Windows Update probably says “You receive updates: For Windows and other products from Microsoft Update.” If you uncheck the box next to “Give me updates for Microsoft products and check for new optional Microsoft software when I update Windows” (something that we both agree is not a good idea), the last line on your main page of Windows Update will disappear and be replaced by two lines. The first is “You receive updates: For Windows only.” The second line is “Get updates for other Microsoft products. Find out more.” The words “Find out more” (or maybe it is “Learn more) are the link that will take to the Microsoft web page to enroll in Microsoft Update, the extension of Windows update that will give you non-Windows Updates.

      2. Please see my second reply to Canadian Tech regarding the necessity of adding to compatibility view in Internet Explorer.

    • #29690

      That’s exactly the conundrum. I hate to advise installing a snooping patch.

    • #29691

      Follow the instructions for either Group A or Group B.

      In other words, it depends on what the other KBs are – and you don’t have to think too hard. 🙂

    • #29692

      PK280, what is your question?


    • #29693

      I can attest to that. When I do re-installs and IE8 is installed as part of the install, before any Windows Updates, you can click that link and get those additional updates without the compatibility view being set. In IE11, you can click the link but it will not work until you first set up that compatibility view setting.


    • #29694

      @Anonymous, I DO take responsibility for my computer which is why I visit this site frequently. KB2952664 is the old problem update and not rolled into the security and quality rollup for Group A so that’s why I asked. If we install do I need to get GWX Control panel again to protect from Windows 10? Is MS still forcing win 10 on users?

    • #29695

      Naw. No chance GWX will return. Zero. Microsoft might try something else that’s sneaky – or maybe even make an offer you can’t refuse. But it won’t go through the GWX heartburn again.

      YOu don’t need GWX Control Panel.

    • #29696

      Canadian Tech – No question. I was just offering some additional detailed information about when and where the link “Find out more” appears.

    • #29697

      Canadian Tech – On the rare occasions when I need to use Internet Explorer I use IE11. Consequently, prior to going through the procedure I described a few days ago I needed to add to compatibility view.

      I will probably never use older versions of Internet Explorer, but thanks for confirming that adding to compatibility view is not necessary with older versions.

    • #29698

      I can’t leave a post below your comment, Woody, further down which is :

      “Or is it ain’t broke, don’t fix?”

      I would like to add:


      Also…Marty’s comments just below yours perfectly reflect my thoughts on this subject. LT

      “Keep high aspirations, moderate expectations, and small needs.” – H. Stein

    • #29699

      You’re probably running into the 10-deep nested limitation of this WordPress theme.

    • #29700

      Will installing the preview patches move a person into group “A”?

    • #29701

      Installing the Preview patches is a sure way to insanity.

      Unless you specifically need to test a product that you’re selling – or you have a big network that’s going to need some TLC – stay away from the Preview patches. They’re betas, not fit for human consumption.

    • #29702

      Oh I knew that, I uninstalled it as soon as I realized it had installed (my mouse needs replacing, it doesn’t always click the 1st time so it didn’t get unchecked) So am I still safely in group b?

    • #29703

      Woody thank you for all your help and guidance. I’ll wait on KB2952664 until you have time to noodle it some more.

    • #29704

      I guess I am in group B. If I continue to use the setting – Check my updates, let me choose whether to download and install them, will Microsoft continue send me the security patches for Net and Office so I don’t have to search elsewhere for it?

    • #29705

      I haven’t seen this aspect addressed in this thread. I followed the Group B instructions on InfoWorld, installed KB 3192391, rebooted then ran Check for Updates. The check for updates and the subsequent download/install ran MUCH faster than they have for many months. 2 laptops Win 7×64.

      Thanks again Woody for your efforts!

    • #29706

      KB2952664 = Ease upgrade to latest version of Windows.

      KB3184143 = Remove software related to the Windows 10 free upgrade offer.

    • #29707

      If you run Windows Update with “Give me updates for Microsoft products” checked, Windows Update will scan for Office (and .NET) patches.

      The automatic update setting doesn’t even come into play.

    • #29708

      Yep, you’re fine.

    • #29709

      @poohsticks, take it as a joke. Sometimes it is complicated to express the true meaning in a forum.
      It was only meant as a reply to this part of your post:
      “(The unlikely appearance of a 5 would mean that contributor and staunch Microsoft advocate CH100 has hacked into Woody’s site. Chortle. ? )”

    • #29710


      There is an important difference between setting on Automatic and what I recommend. My recommendation is in line with Woody’s to postpone the installation until after the patches have been around for a while and don’t have known issues. This cannot be achieved with the Automatic setting, which can also cause other well-known problems. Otherwise, yes in general I recommend full patching, although there are special patches which need further analysis and discussion, like KB2952664 or all the old GWX patches which are now expired and no longer offered.
      There are also patches which impact certain software or hardware and they need to be treated individually based on each user’s needs. If I had one such piece of software or hardware, I would think that it is now the time to decommission it, but everyone has the right to have a different approach.

    • #29711

      KB2952664 has a relationship with the upgrade but its main functionality is to assess the compatibility of various software by sending data to Microsoft for analysis. How well this works or if this is ethical is open for debate, but this is the idea.

    • #29712

      Jeri, see my reply few comments above about what KB2952664. It does something else than upgrading to Windows 10, but it is related to snooping.

    • #29713

      Let’s all have a beer one of these days and chortle about it….

    • #29714

      The short answer is that we don’t know. Nothing bad happens if you don’t install it, but if it is totally annoying for you, install it to get rid of it from the list. It is better for your system to install it than to hide it. 🙂

    • #29715

      Nobody (at least not recently) has mentioned the role, if any, of in preventing, or at least minimising snooping telemetry by M$ or indeed others. Reviews are generally favourable but as usual range from “wouldn’t be without it” to “it screwed up my computer”.

      Is anyone here using it or had experience of it?

      side queries like this are another good reason why a proper forum would be useful, to identify separate subjects and be able to search for them. Some of the clubs I belong to use which I believe to be free open source.

      Win10 21H1 Pro, MBAM Premium, PaleMoon, OpenOffice, Sumatra PDF.
    • #29716

      I uninstalled KB3185319 after it caused problems with security alerts in September but having now joined the A camp for updating I have found that of course it has been installed again so I am back with the same issues. I am wondering why Microsoft hasnt addressed this issue. Having all these security alerts each time I try to use a shortcut is a pain in the arse.

    • #29717

      Yep. I’ve got my web team looking into it.

      Biggest question is how to integrate that format with the current AskWoody format. Windows Secrets does it, but I’m not real fond of the way Penton handles the forum.

    • #29718
    • #29719

      Each month’s security updates seem to include a speed-up patch, which works only until the next month’s security patches are offered. At that point, it’s back to the slow WU scans.

      Woody’s forthcoming InfoWorld article (already previewed on AskWoody) suggests a fix that is more permanent.

    • #29720

      It follows Microsoft’s official pronouncement on solving the problem….

    • #29721

      Anyone know why kb3177467 is listed as being 4.0 MB on but over twice that size within Windows Update?

    • #29722

      Ever heard about x86 and x64, aka 32 bit and 64 bit?
      i won’t explain further 🙂

    • #29723

      I have been running Spybot for the past couple of months, in addition to uninstalling telemetry related patches. I don’t know how effective it is, since it hasn’t been updated since October of last year, and I don’t really have any way to monitor my outgoing communications traffic. But it at least indicates that it is turning off connections, and even turned off some which were turned back on when I inadvertently installed KB2952664 last month. I have since deleted that patch, and run Spybot every time I install any patches.

    • #29724

      Not for me, unfortunately. I downloaded and installed 3192391 successfully, rebooted and ran win update looking for .NET updates. No joy–1 hr plus and still “checking for updates”. Anyone know how I can get .NET updates without using Windows Update?

    • #29725

      Did you follow this?

      The core of the Win7 update scan slowdown

      Full article coming tomorrow in InfoWorld.

    • #29726

      Thank you.

    • #29727

      @louis as well as @poohsticks”

      louis wrote (in a deeper nested reply):

      “poohsticks is absolutely right…people should not have to disable BT.”

      I feel ya louis… people shouldn’t **have to** disable a component of their computer that they paid for” (with emphasis on “have to”)

      Unfortunately… MS is in the process of abandoning end-users and shifting their focus to where they believe the $$ is: the cloud (Azure)

      Bottom line: we are no longer important to them… and there’s no entry for “what’s the ‘right thing’ to do” in corporate quarter reports.

      So… we’ve been abandoned (or are at least in a drawn out process of being abandoned)… we can only do what we can do.

      I’m already having to adapt my long-term computing strategy since a mobile device is simply inadequate or, at best, inefficient for my needs.

      I can no longer count on Windows being around down the road… or as being stable and reliable as it was in the heydays of XP & Win7.

      I’m much more concerned with my software investment than I am with hardware.

      And in the case of the MS Bluetooth debacle, I took the more technically challenging but effect path of installing the WU Client (“KB3161647”) that abbodi extracted from the July 2016 rollup (KB3172605). Mucho gracias abbodi

      Of course, that process is more than most users are comfortable with… so what are their choices?

      a. Install KB3172605 and do without BT if their BT hardware has been abandoned by MS/Intel

      b. Install KB3172605 and install newer BT hardware if needed… “Thanks MS!”

      c. ????

    • #29728


      I really appreciate your replies to my comments about this topic! (I have only just found them tonight.)

      After seeing Woody’s new blogpost on this issue this afternoon, I did a site search to find some of the instances where I had previously described on my “easy” way of going about getting “Give me updates for Microsoft products” back.

      My way is described here:

      How to restore “Give me updates for Microsoft products”

      The part where you said,
      “The second line is “Get updates for other Microsoft products. Find out more.” The words “Find out more” (or maybe it is “Learn more) are the link that will take to the Microsoft web page to enroll in Microsoft Update, the extension of Windows update that will give you non-Windows Updates.”

      I know what you mean, because 2 years ago I read other people’s descriptions that this was supposed to happen, but clicking on that link never worked for me – I would get taken to an error page on a Microsoft site that said something like, “Oops, you appear to be searching for a page that doesn’t exist.” Other people in discussion forums were also complaining that the page was missing for them, when I was researching this. So that’s what led me to find the easy, but roundabout, solution that I found.
      (I guess that this is the point where adding to “compatibility view” does the trick? And it lets one see the proper page on the Microsoft website?)

      My easy solution still works, as confirmed by AskWoody contributor “BrianC” on October 15th, 2016:

      MS-DEFCON 2: Get patched, and turn off Automatic Updates

    • #29729

      poohsticks –

      Yes, adding to compatibility view was the key for me because my installed version of Internet Explorer is version 11. Once I got the “Give me updates for Microsoft products” setting to reappear, I removed from compatibility view and switched my default browser back to Chrome.

    • #29730

      Hi Woody

      I’ve read your article in InfoWorld but I’m a bit confused because Microsoft didn’t download KB3192391 only the following for my Windows7 computer on 16 October:

      October, 2016 Preview of Monthly Quality Rollup for Windows 7 for x64-based Systems (KB3192403)

      October, 2016 Security and Quality Rollup for .NET Framework 3.5.1 on Windows 7 SP1 and Windows Server 2008 R2 SP1 for x64 (KB3188740)

      October, 2016 Security Monthly Quality Rollup for Windows 7 for x64 based Systems (KB3185330)

      Am I right in thinking that the only one I want is KB3188740?

      Thank you.

    • #29731

      First: Don’t install the November patches.

      Second: Microsoft doesn’t download the Security-only updates. You have to reach out, download and install it separately. Follow this closely:

      Assuming you’re in Group B (you only want security updates), you have to manually download and install KB3192391. In Group B, you don’t want KB3185330. If you want to keep .NET up-to-date, yes, install KB3188740. Nobody, but nobody, wants KB3192403.

    • #29732

      Hi Woody

      I won’t install the November patches until I see something on your site.

      Thank you very much indeed for explaining that I have to download KB3192391 manually from Microsoft and which KBs I should/shouldn’t install.


    • #29733

      I`m the guinea pig. I`m group A. I down loaded November. Nothing happened so far. Didn`t break anything or slow down my computer so far.

    • #29734

      Assuming you’re running Win7, did you download 3197867 and install it, or did you use Windows Update to install 3197868?

    • #29735

      Using 7. I had the check but don`t download or install. I did manual download and install and it wouldn`t. Just kept running for about 15 minutes then said failed. Went back in and changed the setting to automatic and closed the update box. Came back about a half hour later and it was installed.

    • #29736

      Yep, that’s Group A.

      I’d wait longer, but it’s nice to know you haven’t hit any problems.

    • #29737

      On my work machine (Win 8.1 Pro x64) I always use suspend / hibernate and only reboot once or twice a month.

      After these October patches (group “B”) I began to have frequent BSOD at wake up.

      Finally, as I did not find solution, I recovered a previous backup and my machine works well again.

      From now on I will stay in the group “W” in my work machine and I’ll use another computer to browse.

    • #29738

      I wonder if this is related to the stability issue mentioned here:

      Win7 October Monthly rollup KB 3185330 hiding browser search history

      Do you leave Internet Explorer running?

    • #29739

      Hi Woody,

      I don’t use IE for browse, but I must use it for LogMeIn, so IE 11 is running when I suspend / hibernate…. so yes, could be related.

    • #29740

      I am a long-time Logmein user. I have 150 computers on it.

      Logmein is likely the cause.

      An example. For literally years, I struggled with a problem in which my keyboard would become unusable. I finally discovered that Logmein was the culprit.


    • #29741

      About the keyboard problem, yes, it often happens if you remotely power off or restart a computer. (What I do to avoid it is to quickly use the keyboard on my own computer before the connection is cut off -I write garbage in my Notepad-).

      About this problem … I do not know, because without the October update the problem has not happened again

    • #29742

      There is a solution to the Logmein keyboard problem. I hope no one will mind me putting it here…

      While the host is on line:
      Click Preferences, wait quite a while
      View Reboot options
      Normal reboot

      A pain in the neck, but it works.