• MS-DEFCON 3: Time to get the first post-patchocalypse patches patched



    Patching Windows 7 and 8.1 has turned a bit more complex than it once was. Basically you need to choose between Group A – the folks who install everyt
    [See the full post at: MS-DEFCON 3: Time to get the first post-patchocalypse patches patched]

    • #24990

      I am still running 1511. I don’t understand “If you’re still on the Fall Update, version 1511, I say stay there until Microsoft gets a better version of the Anniversary Update, version 1607.”

      I was told on a MS Website that the 1607 that I might download today is identical to the version that I might have downloaded in August and that all changes are included in subsequent KBxxx updates. Hence I do not understand waiting for a “better version” if they are all the same.

      Does, in fact, 1607 itself change over time?


    • #24993

      Yes. 1607 has had eight cumulative updates. I think the ninth will finally be the charm.

    • #24994


      I notice that you don’t mention the option of not patching at all. (Group C/W)

      I can see why it would be complicated to suggest this pathway to the general public as a viable way forward.

      But have you decided you would not even recommend the C/W pathway to advanced and/or brave Windows users?

    • #24995

      Okay so should I install the preview rollup? Any reported problems? I want to run it by you first Woody.

    • #24996

      Thanks Woody

      Win7 x64 Group B here.

      File downloaded and installed without problems. Checked system files which validate correctly.

      After adding in the .net and Office patches I am still left showing KB3185330 (Oct quality rollup) as an important download and the optional preview.

      So it looks as if the monthly quality patch isn’t removed

    • #24997


      I am considering whether to be in Group B or C/W.

      If I wish to go with Group B, I would like to wait for another month (until late November) before I do *anything*, so I can see how going into Group B is working out for other people.

      Would waiting for another 4 weeks before joining any group, particularly in my case it would be joining Group B,
      be possible, and would it be relatively easy for me to “catch up”?

      Are the security-only update packages (which Group B will install) definitely going to be non-cumulative?

      If they are, would that mean that in late November (when you gave the OK for people to download November’s patches),
      for me to join Group B for the first time,
      I would just need to install October’s Group B patch and then November’s Group B patch, and then run Windows Update to pick up 2 months’ worth of Office updates, in that order?

    • #24998

      As a Win 7 user, I’m looking at the KB-3185330 Security Rollup, 119.4 Megabyte update in WU. Can I feel safe (or relatively safe) downloading and installing it? It has updates within it that are not labelled Security.

    • #24999

      A small typo in your InfoWorld post. You have a “Group A, Step 5” between “Group B, Step 4” and “Group B, Step 6”. Should be “Group B, Step 5”?

      Thanks, now off to update my Group B Windows 8.1 box…

    • #25000

      Thanks for responding, but I am sorry that I did not make myself clear.

      Are the eight cumulative updates contained in the 1607 that I might download today, or are the updates contained in the subsequent KBs that I would install after 1607 is installed?


      P.S. I hope your optimism is justified.

    • #25001


      If one goes to the MS Update Catalogue it seems the only search that returns a result is “october 2016”. If one puts in an exact KB 3192391 the response is…

      “We did not find any results for “KB 3192391””..

      They can’t find an October Security Only Update??

      Are they serious?? First, it worked the other day with various search terms. Now, the only search term that seems to work is “october 2016” which returns 995 results.

      Maybe they should engage Google search to search their Update Catalogue for users.

      Good grief.

    • #25002

      Earlier this month, when I was experimenting with the patches, I tried two different scenarios.

      First case, I installed the security-only patches from the Catalog first, then the unchecked preview (I think Sept patches KB3185278/KB3185279 were just called rollup) of non-security patches on Win7/8.1.

      Next, I reversed the order, with the non-security rollups first and the security-only second.

      In both cases, I was still offered the Security Monthly Quality Rollup (the combined security and non-security conglomeration) after the installation of the two separate patches.

      Just saying – those of you in Group B need to be alert when you go back to WU for the non-Windows patches.

    • #25004

      I had a different experience – installing the Security-only patch made Windows Update ignore the Monthly rollup – but I put copious warnings in the InfoWorld article.

    • #25007

      I had a very similar problem – which is why I recommend downloading directly from the KB article.

      I don’t know what’s wrong with Microsoft Update Catalog.

    • #25012

      The cumulative updates for Windows 10 are just that – cumulative. You don’t need to install all of them, just the most recent one.

      And, of course, even as we speak there’s a new cumulative update for 1607. Hang on, I’ll talk about it in InfoWorld in the morning.

    • #25016

      Woody, I used to have 3 pc’s on Windows 7 & 10 and now I have only 1 on Win 7; the rest I moved to Linux. It’s easier to learn a new OS than it is to have to deal with the fiasco of Microsoft’s privacy concerns. I will still follow you due to the Windows 7 PC I have and appreciate all that you do!

    • #25018


      Thanks,…it’s so hard to imagine they can’t get searches of their update catalogue right!!

      If they can’t get a search of their own databases right, what kind of confidence does that give a user to download and install these (large) updates without knowing what’s in them?

      I’m slowly sliding into Group W…and I don’t really even want to go there.

    • #25019

      Try removing the space between “KB” and “3192391”.

    • #25021

      I’ll be here!

    • #25022

      Tried to find where to download KB 3192391 from Win7 update history page (link in InfoWorld article) and have had no luck, Windows 7 64 bit laptop here and I’m all confused (more than usual) Help…

    • #25023

      Is this what I want?: October, 2016 Security Only Quality Update for Windows 7 for x64-based Systems (3192391)
      Sorry for posting twice, just nervous about this

    • #25024

      If you want to be in what Woody and others have labeled as “Group A,” i.e. willing to roll with Windows 7 telemetry/snooping/whateveryouwannacall it, then install it.

      I myself am firmly in the Group B camp, and after I installed the October 11 Security-Only Quality Update (KB 3192391), I checked Windows Update, and sure enough, there was KB 3185330, the “October, 2016 Security Monthly Quality Rollup for Windows 7 x64-based Systems,” coming in at just like you said, 119.4 MB. I unchecked it, and only installed 3 updates: a .NET update, the latest MSRT, and the latest Defender update. I don’t use M$ Office, so no updates there. Under the Optionals, the preview update was there, unchecked. Left it that way, rebooted after the 3 updates, and am happily back in my “Never Check for Updates” foxhole. 🙂

    • #25025

      Woody, thanks for the detailed instructions. I just installed the “Security Only Quality Update for Windows 7,” rebooted, and am in the process of doing a Windows Update scan. The scan seems to be going nowhere fast… do we still have to go jump through some other hoop(s) to get that to work (note: my scan was quick in September)? What is the latest procedure?

    • #25026

      I was reading Susan Bradley’s patch management letter for W8.1 and her recommendations seem to come down on the side of so-called Group A, i.e., install October patch KB3185331. I have been going back and forth between doing Group A or just installing the October security only patch. There are obviously pros and cons to each approach but the notion that pushes me toward Group A is a hunch that the security only option will be increasingly difficult to sustain through time because MS is notorious for not keeping the distinction between security and non-security updates perfectly clean. Telemetry points per se do not trouble me if their purpose is solely to provide info to understand and maintain OS integrity. Unfortunately MS poisoned the well for many folks with their GWX malware tactics and I feel that has tainted the decision making process on which fork in the road to take for future updating. I would be interested in others’ thoughts at this juncture.

    • #25027

      Great, detailed InfoWorld article, @Woody. Thank you.

      However, it’s too complicated for me on Windows 8.1, and I don’t trust Microsoft even for their security updates, so I’ll stay in Group W for now. Still working on getting Linux.

      I did download the October Flash update for IE 11. I can’t do without Flash. I’ve tried.
      I don’t use IE 11 normally, but just in case, and to try out the Update Catalog.

      Contrary to what some people have said, one must get the Flash update for IE from Microsoft and not from Adobe, or I would have got it from Adobe, as I do for Firefox and Opera.

    • #25028

      I noticed nothing is mentioned about the security only updates for .net framework. I’d rather install that than the rollup. I know some on here recommend the rollups but at this point unless it’s security only then my trust in them is all but eroded this past year.

    • #25029

      Never do Preview. It’s for testing only

    • #25030

      That is the whole wad – security and non-security. If you want the security-only you need to download it from the Microsoft Catalogue and ignore the one that says Security Monthly Quality Rollup.

    • #25031

      Guess I’m taking Group A on my W7 Pro x64 notebook due to convenience purposes…

      Well I just installed all updates flagged as important, and after that one more update just popped up: KB3177467…

      The documentation doesn’t say much about it, so I’m not completely sure what it does… Should it be installed?

    • #25032

      I have an article in edit at InfoWorld at this moment. Unfortunately, it’s not clear-cut, but if you don’t use Bluetooth, you can get by with manually installing 3172605

    • #25033

      See the new InfoWorld article. It’s easier to download from the KB article. But yes, the patch you listed is the correct security only patch for 64 bit.

    • #25034

      Also, make it a rule NOT to install any unchecked optional patches.

    • #25035


      For Windows 10 –Do not install 1607 Anniversary Update unless you absolutely have to or are intent on doing it.

      Woody has been advising we stick with the fall version 1511. Install the updates that he had us hide in the beginning of October for version 1511.

      He will give everyone a go-ahead to install 1607 at some point, but that point is not now.

      Those have been his general directions since the anniversary update version 1607 came out. Wait until version 1607 is stable and stick with version 1511.

      I don’t mean to be stepping on toes, but I don’t think Woody quite understood what you were asking. I don’t think one should necessarily take what Microsoft people say as the gospel.

      So far, for me anyway, Woody’s advice has worked perfectly.

      I do have to install the October update for version 1511, but up until this point everything has gone smoothly that he has advised.

    • #25036

      @The Real Allan,

      re: “Contrary to what some people have said, one must get the Flash update for IE from Microsoft and not from Adobe”

      For Windows 8 and 10, people do have to get Flash updates from the Microsoft Update Catalog or Windows Update.

      However, for Windows 7, people obtain the Flash update directly from Adobe at:

      I go to that site to update the Flash on my Windows 7 computer every couple of weeks.

      (I don’t think that Windows 7 even has the option of receiving Flash updates through Microsoft.)

    • #25037

      FYI, I installed the security only update from the MS catalog last week, but I did get the security monthly quality rollup listed, but thanks to you Woody, I unchecked it and avoided being sucked into Group A. Many thanks!!

    • #25038

      See #4 above – David F at 3:17 today.

    • #25039


      The “Group B” rollup that Woody is telling people to install today IS security-only.

      There are several different rollups offered, so one must be careful when choosing which kb number to install, but the Group B rollup is said to only contain security patches.

      That is the whole point of there being a Group B path, to limit patching to security-only updates.

    • #25040


      Unless I am mistaken, I do think I saw something about the .net patch in Woody’s InfoWorld article.

      If I remember correctly, he tells Group B people to get that from Windows Update, after installing the Group B security-only update package manually.

    • #25041


      Try removing the space between “KB” and “3192391”.

      Searching the catalog with the space I got the result you did.

      Searching without the space I got six results for different versions of Windows 7 and Windows Server 2008 R2.

    • #25042


      I am disappointed to hear that after you installed the Group B security-only update package, your Windows Update scan is still slow!

      On another thread in the last week here, there was talk that the Windows Update scan would be fast after installing this month’s update package.

      (However, on that thread maybe they were talking about installing the security + non-security update package,
      and not just the security-only update package, which is what I was talking about on that thread.)

    • #25043

      Woody, Using Windows Update I typically uncheck everything, then check only the KBs I want to download after checking your websites and Susan Bradley’s articles/advice. With Msoft’s new system, I’m starting off in group B and am wondering:

      1) Will downloading/installing the security only KB trigger “creating restore point” before installing as Windows Update did in the past, or should we manually create a restore point prior to downloading the security only KB? (I realized we can still uninstall the updates, but having a restore point is reassuring.)

      2) Since we need to run “check for updates” via Windows Update to get Net, Office etc. why isn’t it OK to continue to choose “Notify but don’t download” rather than “Never check for updates” – is the latter the only setting that allows us to manually download the security KB from the Windows Update History page?

      3) Does starting in Group A physically preclude later using the Group B procedure when you say (in your 10/10 InfoWorld piece) that “there’s no way to move from Group A to Group B without completely reinstalling Win7 or 8.1” OR are you saying the only way to be totally “clean” of unwanted downloads is to reinstall the OS?

    • #25044

      Windows 7 64 bit windows server 2008 R2 x 64 Currently GROUP B…. Reporting in.

      I did the group B update per infoworld instructions. I actually downloaded to my folder then installed it. It went very well. Restarted computer and did a windows update scan which took about 3 minutes. The .net framework rollup was there and the kb3185330 (October 2016 security monthly quality rollup for windows) was there, both checked.
      I unchecked kb3185330 (per your instructions), I also hid it, and ran the net frame. Rebooted the computer.

      I went and checked the updates again and KB3177467 (service stack update) as important now appeared. If I remember correctly someone here said a few days ago that it was in the catalog it was now rated as critical. True?

      another thing….
      I had about 12 restore points (I checked before I did the updates) and they are all gone except the 2 created for today’s updates.
      I know many don’t like system restore but I’ve used it a few times and happy to have had a restore point to go to.

      The other thing I wanted to ask is on the download pages of the KB articles, there was another download update for windows server 2008 R2 x 64 (which is what I have) with the same kb3192391 as the Windows7 64 bit update which is the one I downloaded. Am I supposed to download both packages?

    • #25045

      Seriously? This is very interesting if true.
      Because the other way around makes the Security Only required in WSUS.
      Not the same happens with the .NET patches which are handled correctly.
      I am wondering if they messed up the detection which is even more weird because the Security Only and Security Monthly have been revised twice, so now we are at the third version.
      For the first revision there is description that the supersedence was revised, while for the second revision, the same day, there is no description at all.

    • #25046

      Didn’t see a comment or recommendation on Update for MSE (KB4294525).

      Necessary? I’m leaning toward group W since it is all a bit much for little payback. MSFT has caused more trouble than help over the last year and half with updates and it doesn’t seem worth the effort anymore.

    • #25047

      Susan Bradley is right in her advice for minimising potential problems.
      Group B is not for end-users and Woody will end up supporting all those users who choose Group B as de facto system administrator of their systems, because there will be no support coming from Microsoft for a configuration meant to be used only by enterprises and even so only if they have special requirements.
      Otherwise, the Group B style of patching is correct for securing the systems, less so for making them reliable with minimal effort.

    • #25048

      If you’re already running 1607, there’s a servicing stack update, KB 3199209, which seems to be causing problems for some people. You’re probably better off avoiding it for now.

      I had problems with the servicing stack update KB3199209 which was looping during the installation.
      I ended up downloading and installing manually and it has been fine since then.
      You will have to install this update eventually and it is probably better to do the manual install if Windows update fails to install it. give it a go to WU first, n

      Note: Very important, install KB3199209 separately with reboots between installations.

    • #25049

      Without comparing the long list of files affected by the updates described by Microsoft in October’s KB3192391 and KB3185330, I cannot detect in Microsoft’s descriptions any difference between these two patches other than the inclusion in KB3185330 of fixes in KB3185278, September’s update rollup. In other words, for anyone who has already installed September’s update rollup, there is effectively no difference between installing KB3192391 and KB3185330. Am I thinking about this correctly?

    • #25050

      In my case, manually installing 3172605 did the trick. The subsequent scan for updates lasted only for 6 minutes.

    • #25051

      I installed the security-only patch (KB3192391) and after a quick scan for updates I was offered the Security Monthly Quality Rollup (KB3185339) as important and checked. So, I unchecked and hid it.

    • #25052


      Should everything be OK if I wait and deal with everything in a couple days when I’m over my cold? Is there anything that needs patched right away? Thanks in advance.

    • #25053


      Here’s the scenario…W7…
      User does the .NET Security Rollup for October.
      No Security Only Update and no Monthly Rollup.

      Come November patch Tuesday, will a speed up patch 1- be needed for a Windows Update check, 2- if a speed up patch is needed would it have been in October’s Security Only Update or the Monthly Rollup?

      My “hope” is that there will be no further need for speed up patches…care to venture a guess how this will go down going forward?


    • #25054

      With regards to speeding up the scan, if I just install KB3020369 (April 2015 servicing stack update for win 7) without KB3172605, will this speed up the scan even a little?

    • #25055

      As much as I hate to admit it, it’s looking like I’m gonna be in the A Group. I do have Office 2010 and that bleepin MS Update Catalog is a mess and a real hassle to use. If I have problems and I have to, I’ll uninstall the whole Rolled up update completely. Man what a mess.

    • #25056


      My article on KB 3172605 just passed edit at InfoWorld. It should be out shortly. I suggest you wait until it’s published before hassling with slow scans – there are some quirks.

    • #25057

      Apparently the fix that’s now available will continue to work. More info tomorrow, when InfoWorld publishes my article on the topic.

    • #25058

      Nothing needs to be patched right now. Avoid IE and Edge, and don’t open any RTF files of questionable pedigree with Word. You’ll be fine.

    • #25059

      That’s what I was worried about.

      You did the right thing!

    • #25060

      That appears to be the case. We’re just now starting with the new method, so in the future things may not work the same way.

    • #25061

      Well put and so noted.

    • #25062

      I’d be interested in hearing from other folks what they think about it.

    • #25063

      I was looking for it, and I didn’t see the patch. But many people have reported otherwise – that the Monthly Rollup appears in Windows Update, even after the Security-Only Update is installed – so I’m beginning to doubt what I saw.

    • #25064

      1) I don’t know.

      2) You can use either. They’re both functionally the same.

      3) When you switch from Group A to Group B, any unwanted patches installed while you were in Group A will still be there.

    • #25065

      True, the Group B patch is the Security-only update. But it’s important to note that it isn’t a rollup. Only the Monthly Rollups are “rollups.”

    • #25066


      There’s a new cumulative update for 1607, released just a couple of hours ago. I’ll be testing it tonight, report on InfoWorld in the morning.

    • #25067

      So, even for Group B folks, why bother to go through the manual update this month? (Next month may be different).

      Here’s my argument (rebuttals will be appreciated).

      For October, WU offers KB3185330 (“monthly rollup”), whereas the “security only download” is labeled KB3192391 (“security only”). But both of them apparently contain exactly the same collection of patches, to wit:

      MS16-101 Security update for Windows authentication methods
      MS16-118 Cumulative security update for Internet Explorer
      MS16-120 Security update for Microsoft graphics component
      MS16-122 Security update for Microsoft video control
      MS16-123 Security update for kernel-mode drivers
      MS16-124 Security update for Windows registry
      MS16-126 Security update for Microsoft Internet Messaging API

      Given that there’s nothing in KB3185330 that isn’t also in KB3192391, why shouldn’t Windows 7 Group B partisans just use WU this month, with “Give me recommended updates” UNCHECKED? That should deliver exactly the same patches that the manual download would deliver, plus additional (“important”) .NET and Office patches that Group B folks would be looking for anyway, even if they first installed KB3192391 manually.

    • #25068

      Woody has already been acting as “de facto system administrator” for everyone who follows him here by issuing his MS Defcon status, so I don’t see what’s new.

    • #25069

      Ok, I admit I am a dummy. I am confused. I’m ready to throw in the towel and join group A, strictly for convenience. I am running win7x64 pro.

      If I go to control panel/windows update, I have two Important updates (checked). They are
      KB 3188740, (Oct. security and quality rollup for .net etc) and
      KB8318330 (Oct. security monthly quality rollup etc.)

      Can I just click OK and download from here? Your infoworld instructions are much more complex, and frankly, I feel totally overwhelmed. Ready to simply ignore all updates until my machine explodes.

      What to do? Thanks.

    • #25070

      Really advanced users always update. 🙂

    • #25071

      But the thing is the .net framework update in windows update is a rollup. People should be aware that there is a separate security only .net framework update, as shown here – https://technet.microsoft.com/library/security/ms16-oct (about half-way down the page)

    • #25072

      I see, I might have misunderstood what T was saying.

      Apologies, T!

    • #25073


      In your InfoWorld article, is there a reason why you instruct Group B, Step 7 to install Security and Quality Rollup for .NET Framework (KB3188740) (via WU) instead of the Security Only for .NET Framework (KB3188730) (manual)?

      Choosing Group B, I feel compelled to install the Security Only one, yet I’m also one to follow instructions exactly. So I will hold-off on the .NET one until I’m less confused.

      By the way, I only learned of “this game” and of you and your work this October, and I feel as if I discovered a goldmine. THANK YOU Woody, for helping me and likely millions of other people.

    • #25074

      I have September’s updates installed, and now October’s Security-only patch. It still wants me to install the Quality and Security updates through Windows Update – which shouldn’t happen.

      I’m assuming this will be a revolving issue going forward, and leads me to believe there’s some unpublished hidden garbage and/or changes in the WU patches since they’re trying everything to get me to take them. (Win7 x64 Pro systems here)

    • #25075

      I do not feel that Woody has quite that much responsibility to the readers of his articles who chose to follow his advice (any of his advice about anything),
      for him to be seen as the “de facto system administrator” of thousands of strangers’ computers.

      It’s up to each one of us to understand enough about what Woody is saying to know why he is advising something and why we are choosing to follow that advice.

      Except for uncontrollable things that *Microsoft* forces onto our computers, everyone who owns their own computer (not a company-provided or school-provided one) must assume that anything they do with their computers is of their own volition and at their own risk.

      Other computer experts, and ordinary users, from around the world, who have no particular ties to Woody and who may not even normally read his articles, will also be trying to follow a Group B approach, because it is merely a logical and prudent approach in many ways. The fact that it was a natural idea that various people had thought of for themselves was clear even in Nathan Mercer’s Q&A from weeks ago.

      I wrote last week of Woody,
      “We should not need an external Woody figure (who investigates, translates, distills, and instructs) to keep our simple, bedded-in, home-user systems running without major derailments. But we do need one, and we are lucky that we have him,”
      but that doesn’t mean that he should shoulder an impossibly enormous responsibility of being thought of as administrating the computers of countless strangers.

      He recommends various sets of actions by drawing upon the knowledge that he has, after researching and testing exhaustively, but the buck stops with each one of us.

      It is already the case that “There is no support coming from Microsoft”, even when the user has been as compliant as possible, so that isn’t an argument against/for choosing any particular updating pathway now.

      Saying that “Group B is not for end users”… well, that is not true.

      Any possible path is an option for end users; Microsoft does not dictate what we do with our pre-Windows-10 machines.

      End users of pre-Windows-10 machines are not beholden to allow the company’s unexpected, heavy-handed, half-cocked changes in Windows updating and Windows telemetry.

      Microsoft in its own forced operations upon individual machines does screw up machines, sometimes permanently, sometimes at a great cost of time, money, stress, and data loss to individuals, so they are not a haven of benevolent safety and security.

      Furthermore, the compliant Group A seems destined to have some major bumps in its pathway, due to the unwieldy nature of the massive, cumulative rollups that will steamroller their way onto machines that may or may not be able to cope with it all (such as my machine, which would be screwed up by a Group A approach, and Microsoft would not care.)

      There are several compelling reasons why Group C is being said by multiple people, including IT experts, to look like it could be the safest of all to follow, at least for the time being.

    • #25076

      Anybody’s thoughts on my question are welcome!

      Is anyone planning to do something similar to this?

    • #25077

      The new all-in-one security-only patch has saved me heaps of work; previous to this month, going back to last November when Win Update began its rubbish behaviour, I’d been having to research every single security patch via the MS Security Bulletin

      As a kind of admin for the family members still stuck with MS systems that need to face the Net, I’m very happy to be able to hand back the research work to them, with Woody’s how-to for group B.

    • #25078

      You are better off by setting Flash to update automatically. You will not be going to assess the Flash patches anyway.

    • #25079

      It is not only you on Windows 8.1 or others on Windows 10, most people reading and posting here still use Windows 7 and they have to download Flash for IE from Adobe and not Microsoft.
      Flash for Firefox obviously has to be downloaded from Adobe regardless.

    • #25080


    • #25081

      Win 7 SP1 x64…
      Just installed the October Security Only Windows update (KB3192391). Looked then for the Security Only .NET 3.5.1 update as per the Infoworld article method, but could only find Security and Quality Rollup (KB3188740 in Windows Update) – so installed that.

      Immediately afterwards, I did find the Security Only .NET 3.5.1 Update (KB3188730) in Microsoft Update Catalog (which seems to be working again now).

      I would like to uninstall KB3188740, but can’t find out how (so that I can then install KB3188730 in its place). Can anyone help here?

      Many thanks.

    • #25082

      2. Check for updates triggers the AU client every time it checks and there is a possibility that it would run at high CPU/high RAM usage, depending on the patches you have installed previously. This happens by default once every 22 hours, randomised within -20% of that interval. Also runs TrustedInstaller which is useful as it cleans up the servicing stack and old log files. This also takes resources and can run for a long time, but as I said it is generally useful. Antivirus may contribute to the resource use in addition to the normal use due to the Microsoft services.
      Never check for updates does not trigger the agent unless you run it manually and it does not consume CPU and RAM resources while not in use.
      You have the facts, now you can choose which is the best setup for you.
      I would recommend Never check…, but this requires discipline and actually requires the end-user to run the agent when the time comes and be patient with it.
      Considering the issues mentioned above, as Woody says, they are functionally equivalent.

    • #25083

      I think Woody is not giving advice for Windows Server, although some of us here shift the debate into that direction now and then.
      You have no reason to belong to Group B on Windows 2008 R2 unless you belong to an organisation which has specific compliance requirements.
      System Restore on Windows 2008 R2? Are you sure?

    • #25084

      In fact there is the odd hotfix now and then released in addition to the CU to fix current issues, possibly included in the next CU, but for the most part it is only the CU that is relevant.

    • #25085

      Is there a reason why it is mentioned to download the .Net Security Update via Windows Update rather than just downloading it via https://www.microsoft.com/en-us/download/details.aspx?id=54007 the same way one would download the Security Only Update (KB3192391) from https://www.microsoft.com/en-us/download/details.aspx?id=53990?

    • #25086

      As I was doing the dishes tonight, it occurred to me that I was thinking of everything as a “rollup” partly because Nathan Mercer had several times referred to the security-only update package as a “rollup” in his Aug 15 Technet Q&A about the new system. Some examples:

      “We are purposely releasing Security-only as a rollup but not cumulative like Monthly rollup is.”

      “Driver updates are not included in Monthly Rollup or the Security-only rollup”

      Looking at the newer comments on there, around the beginning of Oct., Nathan Mercer started saying “monthly rollup and security-only” (just the adjective without a noun), then towards the end of Oct. he finally called it a “Security Only Quality Update”.

      Even Michael Niehaus’ October Technet overview several times appeared to use the word “rollup” to refer to both types:

      “The security-only and monthly rollups will contain fixes for the Internet Explorer….”

      “The security-only, monthly rollup, and preview rollup will not install or upgrade to these versions….”

      “…existing automatic approval rules in WSUS would approve both the security-only and the monthly rollup each month….”

      However, they clearly referred to it as an “update” rather than a “rollup” in most of that document.


      They could have done a better job of giving these things more distinct names, though they probably tossed the words “security” and “quality” into all the titles so as to confuse customers into just installing the whole lot.

    • #25087

      Was just wondering about the .NET update. My computer only has .NET 4.0 as latest version but version offered says 4.5.1. Is this going to install more versions or just updates for ones I already have?

    • #25088

      I’m in the group W with MU disabled and a newbie to boot (so to speak). Any patch that you can recommend that won’t screw up my computer to the point where I would have to bring it in to get it fixed?

    • #25089


      When I see a post that Flash had an update, I will go to the Adobe site to check and see if I have the latest version. I find that I am updated already to the new version and I didn’t do anything.
      Not sure exactly how I am automatically getting updates, it just happens….

    • #25090


      Running W7, SP1, 32-bit. I’m getting KB 3177467 thrown up by WU as important. Scouting around, I see that it has caused a few problems elsewhere. Should I install it, or leave it for now? With many thanks for your help.

    • #25091

      KB3177567 also appeared here after the last round of updates…

      Is it really critical, and thus needed?

      I’ve read about some people having problems installing it, and even its MS description page does state about a known installation bug…

    • #25092

      If you’re in Group A, yes, install it.

      The worst problem I’ve seen is that it fails to install. If you can’t get it to install, follow the suggestions on this How-To Geek post: https://discuss.howtogeek.com/t/windows-update-kb3177467/52944

    • #25093

      You should be OK with the Group B approach, but I can certainly understand why you’d rather stay in Group W.

    • #25094

      Yep, it’s VERY confusing. Then the name changes to insert “Quality” and “Security” at random points….

    • #25095

      That’s correct. I know absolutely nothing about Server. Leave that to you guys. 🙂

    • #25096

      Yes. It’s the difference between Group A and Group B.

    • #25097

      You bet.

      I didn’t recommend manually installing the .NET Framework update from the Catalog because it seemed to be a huge amount of effort, with little benefit. I may be very wrong – wouldn’t be the first time – but I don’t think the .NET non-security patches pose much of a threat to anybody. And the amount of effort to install the security-only .NET patches just isn’t commensurate with the benefit received.

      Of course, I’m very open to hearing otherwise! If anybody has an example of a non-security .NET patch installing a snooping routine, I’d love to hear about it.

    • #25098

      That’s true. See my response to Inew above.

    • #25099

      If you’re in Group A, follow the steps for Group A – which means you don’t have to check or uncheck anything other than the “Give me recommended” box. That’ll get you the full month’s update.

    • #25100

      I tend to think of it that way, but many would disagree.

      I’ve been doing the MS-DEFCON thang since XP days.

    • #25101

      No, I’m in Group B! Sorry, I thought it might become necessary at some point. Is that not correct? Thanks.

    • #25102

      They don’t contain the same patches.

      Microsoft does a horrible job of describing the non-security parts of the Monthly Rollups.

    • #25103

      If you’re in Group B, there’s reason to debate about installing it. I wonder if others have a strong opinion…

    • #25104

      Has anyone tried manually downloading and installing the servicing stack update KB3177467 first? Since it’s a stand-alone install (has to be installed alone then reboot), my experience when I was testing was it didn’t appear in WU until after all the other patches were installed. I would think that might help.

      Unfortunately, it’s too late for me to try that, as I have already taken care of the Oct updates.

    • #25105

      I have a serious work load until January next, and can’t afford any potential muck ups.
      Woody, can I safely postpone doing these type B updates [8.1 Pro & 8.1 Home] until January?

    • #25106

      Right on, poohsticks! What you said is very well put. You have the common sense which some others here seem to lack for all their technical expertise.

    • #25107

      Control Panel/FlashPlayer – on the Updates tab there are radio buttons where you control updating and a button for “Check Now” that takes you to the Adobe update site that shows the current version for all scenarios.

    • #25108

      That’s the servicing stack update, and it pops up last b/c it’s a stand-alone (can only be installed by itself) update.

    • #25109

      I am curious why you posted that I have no reason to belong to Group B on Windows 2008 R2, are you suggesting I be in Group A? Trust me, it would be much easier in the long run, but I am convinced 3 years ago a MS update fried my XP computer when I had “automatic updates” checked.
      When I bought this computer with Windows 7 Home Premium in October 2013, one of the first things I did was uncheck “automatic updates”. I’ve only updated “critical” updates until recently to fix the “slow” scans.
      Yes, I have System Restore on my computer. It sounds like you are surprised.

      I have had problems in the past with restore points disappearing. Apparently this has been an issue with Windows 7 as I found out in my research.
      I did manage to find a fix by doing a Vssadmin command to resize the shadowstorage, and then delete and recreate the paging file.
      If I remember correctly MS knew of this problem and never fixed it.

    • #25110

      System Restore has a set (limited) amount of disk space, expressed in % of total HDD space. Older restore points may disappear if the disk space is used up.
      In Win7, Control Panel\System\System Protection, highlight the C: drive and click “Configure” to increase/decrease the space System Restore can use. Remember, this is usable hard drive space you are dedicating to System Restore, so don’t go overboard.

    • #25111

      Here are my thoughts, for what they’re worth.
      1) I don’t see any problems with waiting another month. The 3-4 weeks that Woody has taken for years before giving the all-clear has never caused any problems that I know of and back in the days before Microsoft became Malware, Inc. I occasionally missed a month and it never caused any ill effects.
      2) Yes, according to everything Woody and others have said you would just have to install October’s Group B patch, then November’s Group B patch, then run Windows Update and pick up two months’ worth of Office updates.

    • #25112


      Much as I respect @ch100’s many contributions here, my reaction to his statement that Group B is not for end users was “More agitprop.”

      I understand that those of us who post such statements here cannot (and should not) make the full case each time, but it is important for newcomers to understand that a toss-off, conclusory statement such as this does not mean that it is a settled question.

    • #25113

      If you read closer I think you will find the description for KB3185330 says it contains what is in KB3185278 (the non-security Sept rollup) plus the list you provided of the security fixes.

      That means KB3185330 contains both security and non-security patches, where KB3192391 contains ONLY security patches.

    • #25114

      Pls disregard. Forgot about System Restore (haven’t used it for so long). Ran System Restore taken just before running KB3188740 (.NET 3.5.1 Rollup) and KB3118312 (Word 2010) from Windows Update. Both subsequently reappeared in Windows Update, so I assume that the Restore was successful. Then reinstalled KB3118312 (Word 2010) and installed KB3188730 (.NET 3.5.1 Security Only) downloaded from Microsoft Update Catalog. All OK once again!

    • #25115


      I’ve just figured out why people are apparently getting randomly hit by the KB3177467 update…

      Since it has a known bug of hanging on reboot when it is installed together with other updates, apparently MS has “isolated” it from other updates, making it only possible to install it alone, avoiding the buggy scenario…

      I’ve come to this conclusion because after installing the round of updates yesterday, KB3177467 popped up, and the two Optional updates I had just disappeared… Today after a scan when the Defender Definitions hit, KB3177467 vanished and the two Optional updates showed up again… After installing Defender Definitions it once again appeared alone…

      I’ve just installed the KB3177467 servicing stack, the install went fast and did not require a reboot (but I did it anyway), scan after took about a minute and again, the two Optional updates were back, probably confirming my theory…

    • #25116


      My apologies. You are right. I never think of Windows 7 since I use Windows 8.1. I never used Windows 7. I wonder why Microsoft changed the procedure in Windows 8.

    • #25117

      Group B at this time.

      I have installed KB3188730 and KB3192391 on several computers at home. They seemed to install fine.

      I will wait some more time before installing them on my main computers.

    • #25118

      Yikes. I wonder if MS could make this any more confusing?

    • #25119

      I wouldn’t say it’s a toss-off.

      ch100 has very good reasons for his recommendations. I don’t agree with all of his conclusions, but hey, that’s what makes a horse race.

    • #25120


    • #25121


      So far, anyway. Just avoid IE, Edge, and don’t open any weird RTF files with Word.

    • #25122

      I think you are absolutely correct with your conclusion.
      KB3177467 didn’t show up for me until after I updated the patches I wanted and then hid the updates I didn’t want.
      Then I did another windows update check and that is when KB3177467 appeared by itself.
      I think that is exactly what is happening.

    • #25123
    • #25124

      Just wanted to add my 2 bits, and thought this is an appropriate spot. @ikester…. join the club… there’s quite a few of us dummies around!!

      Firstly thank you Woody for making all this easy!
      Think my head would be swimming if it weren’t for your input. I followed your instructions on how to access and download the necessary Security Patch on both my Win7 and my husband’s Win8.1 machines. (I used my tablet to read the article on InfoWorld as I was working on Win7 & Win8.1.) I downloaded the patch and then installed, rebooted, and went into WU, unchecked the ones I didn’t want and proceeded to install the .Net patch and the Office ones (2007). All went amazingly smoothly and without any delay.
      Now I have both machines set to “Never Check”………. all is well that ends well!

      For those of you who are concerned about getting your head around all this and fearing the worst…. don’t….. with Woody’s expertise I can assure you it’s a breeze (haha! that rhymes!)…… but seriously….. personally reading all the comments and all the details about this and that patch…. it’s true you get the feeling……. oh! gosh this is too much. But in the end it’s not. Just one Security Patch and a couple of others and you’re done and dusted.

      Thanks Woody et al………. You’re the TOPS! LT

    • #25125

      Woody said, “so in the future things may not work the same way.”

      I agree. And from the description of the non-security “improvements” included in KB3192403, the October 2016 Preview of Monthly Quality Rollup, it appears that the future will arrive on the second Tuesday of November.

    • #25126

      @ht: Concerning your question no. 1, in my Win 7 32bit laptop, installing the security-only update triggered a restore point. The same thing happened also before installing a few other important security updates (Office etc).

    • #25127

      Yep, and I’m hoping that my InfoWorld post on the topic (should be out today) doesn’t include too many errors!

    • #25128

      @PKcano — You are right, thanks.

      Answer: KB3185330 (via Windows Update) also includes KB3185278 from September 20, 2016. That latter patch included the items below (quoted from Microsoft). However, even though I tend to be very wary of MS, I don’t see anything objectionable in this particular list. Do you? Regards, MM.

      This update includes quality improvements. No new operating system features are being introduced in this update. Key changes include:

      — Improved support for the Disk Cleanup tool to free up space by removing older Windows Updates after they are superseded by newer updates.

      — Improved compatibility of certain software applications.

      — Removed the Copy Protection option when ripping CDs in Windows Media Audio (WMA) format from Windows Media Player.

      — Addressed issue that causes mmc.exe to consume 100% of the CPU on one processor when trying to close the Exchange 2010 Exchange Management Console (EMC), after installing KB3125574.

      — Addressed issue that causes the Generic Commands (GC) to fail upon attempting to install KB2919469 or KB2970228 on a device that already has KB3125574 installed.


    • #25129

      Why is it that Microsoft’s (d)evolving patching / update system – and the related hoops and hurdles that one must now jump through and over to get only what they truly need, rather than what Microsoft truly WANTS – is reminding me so much of the early days of Linux distributions?

      …and those Linux distributions are now so straightforward and convenient. You know – like how Microsoft’s system used to be?

      The only real difference is that the unfortunate complexities in those early Linux days weren’t due to / caused by bad intentions towards the end user.


    • #25130

      Is it correct that service stack updates are not removable? Therefore hardening updates in general.

    • #25131

      I might add that neither Group A nor B represents an optimal patching approach; rather they are alternatives imposed upon users by MS for reasons solely beneficial to MS. Group A and B are simply bad choices as updating protocols as A allows MS to install whatever it wants, whenever it wants and Group B will have to struggle over time with inconsistent documentation of what constitutes security versus non-security updates. In many instances, I suspect there will not be sufficient documentation that is available to sustain a pure Group A versus Group B strategy and at some point W7/8.1 systems may have to move to Group W status. My comments are a polite way of saying that MS has really pi$$ed me off over this last year with this latest crap and the prior GWX nonsense. Long term many users should just be on the lookout for migration options and abandon MS to the extent their individual circumstances allow. The comments by Ch100 are generally well-grounded technically but sometimes grant MS the benefit of the doubt that they currently no longer appear to deserve. I am technically capable of doing Group B but I doubt that it is an approach that users will be able to sustain because MS can easily sabotage your efforts whenever it suits their purpose. I apologize for sounding like a Debbie downer.

    • #25132

      TY ch100 & Dimk. I’m hooked on the ongoing education/discussion/guidance/thoughts generated here. Thanks particularly to Woody for all of it, an immense undertaking.

    • #25133

      But even you say for Group B users to rely on WU for the leftovers other than the Security-only update, and I think this will cause confusion with most people because they’re being given the same updates they’ve already installed.

      For instance, October’s Security & Quality rollup (KB3185330) is the October Security-only patch (KB3192391), plus the September quality rollup (KB3185278).

      I had already installed KB3185278, and I’m in Group B, so I installed KB3192391 by itself. I’m covered. Both patches are installed. So why then am I being given KB3185330 through WU? Obviously something’s different in there; something unpublished.

      Because of that, I think you have to remove your recommendation for Group B to use WU for *anything*. It can’t be trusted. Group B’s job is now exponentially more difficult.

      Secondly, I’m not being given the September servicing stack update (KB3177467) on any systems I’ve installed Security-only. However, a few of the workstations on our domain that did install KB3185330 have been given that servicing stack update. Again, I question ‘why’? If I hadn’t seen that update offered to those systems, I wouldn’t know to install it on the ones that haven’t been given that update. (Which I haven’t done yet, because it smells suspicious to me that obviously KB3185330 does something that then kicks off the recommendation of the September stack update.)

      I hate to say it, but I think MS is intentionally blurring the lines between A and B, and almost making B impossible. The continued sabotaging of their users is absolutely disgusting; the sad thing is, it probably won’t bring the severe consequences that they deserve, because too many mid/large businesses and enterprise have to use Windows and they’re the only game in town because of that.

    • #25134

      You have a good point, but I’m not 100% convinced that “October’s Security & Quality rollup (KB3185330) is the October Security-only patch (KB3192391), plus the September quality rollup (KB3185278).” Even if the contents of the patches themselves are identical, there’s still something in Windows Update that doesn’t want to live with the discrepancy. Might be a problem with WU.

      The fact that you installed 3185278 kind of takes you off the Group B trajectory. There’s a transition period here, and it’s anybody’s guess which is the right way to bob or weave.

      The Group B folks still need to update Office – and anything else that may come down the pike. Doing so through the Update Catalog would be a Herculean task.

      As for Microsoft’s intent… man, I gave up on trying to figure it out when Get Windows 10 rolled out the update chute. Sigh.

    • #25135

      It sounds quite logical to me.

    • #25136

      In general, that’s true. ch100 and abboddi would know better than I.

    • #25137

      The one you’re describing looks like KB3192391 for Win 7 X64 and is 79.2 MB in the MS Update Catalog. I could do this and hopefully just get the Security Updates. But I haven’t seen anything on how to get Office Updates! Also, I don’t remember seeing the Cumulative Security Update for IE-11 in the above mentioned security update. The Catalog didn’t have any Office updates for Oct. the last time I checked a few days ago.

    • #25138

      To further muddy up the works, WSUS Offline just gave me 3177467 (Sept. servicing stack). Once I rebooted and re-ran WSUS Offline, it gave me
      – 3188740 (even though I’d already installed the .NET Security-only update 3188730)
      – 3192321 (Turkey DST)
      – 3185330 (Oct. security & quality)
      – 3018238 (? No idea why, this is supposed to only be for Server 2008R2 and 2012)

      IOW, a tool that I once was able to rely on is now apparently going to muck up systems as well.

      Ugh. [facepalm]

    • #25139

      KB3185278 was an UNCHECKED OPTIONAL. If I’m not mistaken, it never became a CHECKED IMPORTANT update b/c it was supposedly rolled into KB3185330 (the Security Monthly Quality Rollup). The UNCHECKED OPTIONAL are not for general installation. Only the CHECKED IMPORTANT patches should be used. Do not understand why you installed it.

    • #25140

      No, no, that’s fine. We’re still trying to wrap our heads around this new but, I feel, regressive, convoluted and poorly communicated updating system. It’s just so backwards that I no longer feel we’re in 2016.

    • #25141


    • #25142

      @Just Sayin’


    • #25143

      Yeah, I saw that, thanks. I’m almost convinced that the .net framework rollup being offered in Windows update is benign but I can no longer give Microsoft the benefit of the doubt as someone like ch100 seemingly can.

    • #25144

      I agree with that completely.

    • #25145

      @Just Sayin’,
      I appreciate your comment so much.

    • #25146

      I don’t let anything update automatically, if there is a user choice in the matter.

      If one is a careful person, given how corporations often let us down and make mistakes in their products and services, not allowing auto-updates is often the better road to take.

      I am good at keeping on top of the Flash updates. In fact, in the immortal words of ‘anon’, “I said it first” here this week about the new Flash update being available.

    • #25147

      I believe that the naming issues are intentional. MS does not want Group B, so will make it as difficult as possible to stay there..”obfuscate”.

    • #25148


      When I was brushing my teeth this morning, I idly thought back to what I had seen yesterday on Susan Bradley’s Excel sheet of Windows Updates —

      She wrote that the .Net update has a security-only patch that is only available in the Update Catalog,

      while the .Net update that is offered in Windows Update includes non-security and security patches,

      the distinction of which I hadn’t even noticed at the time that I was glancing over her Excel information.

      (I don’t even know what .Net is, so I don’t pay it much attention,
      besides knowing that it gets updated once in a while,
      and always bearing in mind how Brian Krebs the security researcher is always so nervous about .Net updates in particular — which he reiterated a couple of weeks ago on his blog.)

      When I put 2 and 2 together this morning, I realized that this is probably what you had been talking about, regarding .Net!

      I actually logged into AskWoody this lunchtime to tell you that I *finally* understood.

      I agree with you, it does make sense to go “security-only” for everything where a “security-only” patch is given as an option, if one is trying so hard to avoid non-security patches.

      However, it also makes sense not to worry that much about the non-security aspects of .Net, if people think that .Net is so narrow in focus or benign-by-nature that anything non-security that Microsoft would add to it would be harmless.

      Every individual patch that people have to get from the Update Catalog introduces another layer of effort and potential confusion, which is another argument in favor of having most people get .Net from the automated Windows Update.

      However, there might be a bit more safety and not much extra work in going “security-only” all the way through, so if I do go into Group B in the future, I will probably try to obtain the Update Catalog’s .Net security-only version for my computer.
      (However, there are several .Net versions out there, which were offered to me as “optional” for my computer in the past and I chose not to install them, and I would want to be careful that I didn’t apply the wrong Update Catalog patch for my computer’s .Net version.)

      For people who have not seen it, here is the
      Susan Bradley Excel file on Windows Update:

      That link automatically pops up on the August worksheet, so go to the tabs on the bottom of the page and click on the October worksheet(s) to see Susan Bradley’s information for the current month.

    • #25149

      Ha ha, I am so overboard with the space I’ve given System Restore! But it gives me comfort.

      When my computer was new and misbehaving terribly, I decided to use system restore and I discovered that the computer didn’t have ANY points saved (the system restore was messed up in my new Lenovo from the start, along with other big things, and the machine was silently deleting every restore point soon after it was created — a genuine error in the way the machine was configured, and this was one reason that I had to reinstall the whole ball of wax from the “factory disks” soon after I received the machine from its factory in China — and the way it was configured after the “factory disks” were installed looked much different from how it was configured supposedly straight off the assembly line of the factory, which I found contradictory, but that was a good lesson for me),

      After I got the computer behaving somewhat normally, I increased system restore’s maximum space by a large amount! But I had the extra space for that.

    • #25150

      I have a question about Office —

      Re: “The Group B folks still need to update Office… Doing so through the Update Catalog would be a Herculean task.”

      On Susan Bradley’s Excel sheet for October (the non-Windows-10 sheet),
      starting in row 204,
      she has the new updates/kb numbers listed for Office 2013 and 2016,
      but there is nothing listed on her sheet for my version of Office, which is Office 2007.

      Am I to assume that Office 2007 didn’t get updated this month,
      or are there Office 2007 updates contained in different October patches which cover other things as well and thus have different titles?

      For people who aren’t familiar with it, this is Susan Bradley’s spreadsheet of Windows Updates:

      (The link takes one to August; select the October tab(s) along the bottom row to get to this month’s information.)

    • #25151


      That issue was addressed by Woody a little higher up on this page, in answer to another poster’s question about it:


    • #25152

      This is a question I also have, if we need to be concerned about the version numbers of the .Net updates.

    • #25153


      I had noticed that you have been mentioning that one for a while, and I’ve been keeping an eye out for what the verdict is going to be on it!

      Just wanted to say that I appreciated your flagging this up, and staying on the case.

    • #25154

      Yes, because they never cause issues,
      and anyone who says that KB3199209 has issues is either mistaking it for another update or has a botched system.

      The stuck reboot issue that Win7 has is not an actual issue, just a race condition between updates 😀

    • #25155

      1) No
      manually installing security only KB doesn’t create restore point

    • #25156

      They would not release it unless it will be a prerequisite for some future updates
      just like April 2015 update KB3020369 which became prerequisite for several updates after months 🙂

    • #25157


      Just to verify about the “NEVER CHECK”. It’s my understanding that you can have it set at that, and when you’re ready just run “check for updates” and it will show what’s there.

      I’m in no hurry to “try” anything at the present, however when you mentioned the “NEVER CHECK” I wondered if you had it set at that BEFORE you did the “check for updates”.

      I just want to be certain of “everything” I can before I make any moves. I’m happy for you that everything went without a problem. I’m sure you are more computer literate than I am!

      Thank you for posting your experiences. 🙂

    • #25158

      From system bits (binaries), yes, there is no difference.
      However, WU doesn’t recognize KB3192391 and still requests KB3185330,
      and installing KB3192391 will cut the chain of Monthly Rollups.
      You either go with the Rollups route or the Security-Only route; mixing both is not reliable.
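
Added example, not part of any post in this thread: a PowerShell check of which of the Windows 7 October 2016 updates named above are installed, and whether the machine sits on the rollup route, the security-only route, or a mix of the two. The KB numbers are the ones quoted in the posts; the function names `Resolve-Track` and `Get-PatchTrack` are made up for this example, and it assumes these updates show up in `Get-HotFix` output.

```powershell
# Added example (not from the thread). KB numbers are the Windows 7 ones quoted in the posts.
$Kb = @{
    MonthlyRollup   = 'KB3185330'   # October Security Monthly Quality Rollup
    SecurityOnly    = 'KB3192391'   # October Security Only update
    SeptQuality     = 'KB3185278'   # September quality rollup (was an unchecked optional)
    NetRollup       = 'KB3188740'   # .NET 3.5.1 Security and Quality Rollup
    NetSecurityOnly = 'KB3188730'   # .NET 3.5.1 Security Only update
    ServicingStack  = 'KB3177467'   # September servicing stack update
}

# Hypothetical helper: name the route from two yes/no facts.
function Resolve-Track {
    param([bool]$Rollup, [bool]$SecurityOnly)
    if ($Rollup -and $SecurityOnly) { return 'mixed' }
    if ($Rollup)       { return 'rollup' }
    if ($SecurityOnly) { return 'security-only' }
    return 'none of the listed updates'
}

# Hypothetical helper: classify a list of installed hotfix IDs.
# The OS updates and the .NET updates are reported separately, because the
# thread treats "security-only OS patch plus .NET rollup" as a valid Group B choice.
function Get-PatchTrack {
    param([string[]]$InstalledIds = @())

    $has = @{}
    foreach ($name in $Kb.Keys) {
        $has[$name] = ($InstalledIds -contains $Kb[$name])   # -contains is case-insensitive
    }

    $osTrack  = Resolve-Track -Rollup ($has.MonthlyRollup -or $has.SeptQuality) -SecurityOnly $has.SecurityOnly
    $netTrack = Resolve-Track -Rollup $has.NetRollup -SecurityOnly $has.NetSecurityOnly
    $found    = @($Kb.Values | Where-Object { $InstalledIds -contains $_ } | Sort-Object)

    New-Object PSObject -Property @{
        OsTrack                 = $osTrack
        NetTrack                = $netTrack
        ServicingStackInstalled = $has.ServicingStack
        Found                   = ($found -join ', ')
    }
}

# Constructed sample: September quality rollup plus the October security-only patches.
$sample = @('KB3185278', 'KB3192391', 'KB3188730')
Get-PatchTrack -InstalledIds $sample | Format-List

# Live check on the local machine.
$installed = @(Get-HotFix | ForEach-Object { $_.HotFixID })
Get-PatchTrack -InstalledIds $installed | Format-List
```

An `OsTrack` of `mixed` is the situation described in the post above, where Windows Update keeps offering KB3185330 after KB3192391 has been installed by hand.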

    • #25159

      Good call Woody 🙂

    • #25160

      KB3177467 is an exclusive update that must be installed alone with no other pending updates
      otherwise, you would face the stuck reboot issue described in KB article

      this is the 4th or 5th time I explain this 🙁

    • #25161

      You’re more than welcome.

    • #25162

      Sorry, I’m confused. In Woody’s InfoTech article, he writes “Group B, Step 7. Under “important” updates, you’ll likely find “Security and Quality Rollup for .NET Framework” — which you probably want,…”. Surely, if you are in Group B, you will probably NOT want the Security and Quality Rollup for .NET (KB3188740). Instead, you will probably want the Security Update for .NET (KB3188730). Yes/No? (The KB article numbers are for Windows 7.)

    • #25163

      So far I haven’t seen any problem with the full Security + non-security patch for .NET. I’d welcome any indication where there’s a problem with the non-security part of the .NET rollup.

    • #25164

      Sorry, I have now seen that Woody has answered this question later on.

    • #25165

      Sorry. Yes, you have – and I’ll try to remember the KB number! 🙂

    • #25166
    • #25167

      Woody, I think I am in group A but with setting – Check my updates, let me choose whether to download and install them. But I did not check the box – Give me recommended updates the same way I receive important updates. With this setting how would that different than your group A? What patches if any will be missing?

    • #25168

      My comment was not addressed personally, I just meant in general 🙂
      Thanks, Woody

    • #25169

      I’m pretty sure it came up as an Important update that was not italicized or listed as Optional on my systems at home, but at this point I don’t remember for sure.

      I don’t install anything under optional unless the KB is convincing enough or it’s related to security somehow.

    • #25170

      I am still quite leery of Group B. Is it really practical over the longer term?

      My concern is that if Security updates have defects that are corrected in non-security updates, how will Group B computers not be victimized?

      I cannot imagine, MS accommodating Group B.

    • #25171

      Thanks Woody.
      I can see that there is a limited rollup for the core Office, in October 2016 this would be KB3194160.

    • #25172

      I did it few times too. For some people WU might take care of the issue, I think not everyone is affected by the stuck reboot.
      Good to reinforce the good practice though 🙂

    • #25173

      Correct. There were issues in the remote past with KB3020369 and Woody raised alerts at that time, but it was largely due to “botched” systems as abbodi86 says. Some users may not consider certain configurations as botched, but if they are not following the specifications, they are botched by definition, even if those configurations are caused by Intel, Symantec, Avast or other software and hardware manufacturers which otherwise have decent products.
      Let’s not forget that it is not the end user who designed the OS, they are users supposed to follow the specifications like for any technical product.

    • #25174

      You are welcome 🙂

    • #25175

      I think in few months, or maybe sooner, this will be resolved and the missing bits from the Security Only will be rolled into the Security Monthly. I also think, which I stated few times here, that the Security Only is a broken concept and designed only to facilitate the transition by not scaring users, who until now have been doing only Security updating, because this is what comes up in MBSA and related tools and it is also the generic Government recommendation as minimal – there is no recommendation or suggestion to not install everything else.

    • #25176

      Nothing new and Woody deserves a lot of praise for it, otherwise most of us would not be here.
      Those who are pleased with Woody’s work, please support this site.
      The issue is that from now on it will be a lot more complicated! If Woody is ready to take on board the impossible challenge, I say go for it! 🙂

    • #25177

      Download and install everything that comes on Windows Update when MS-DEFCON changes to 3 or above rating on top of this page.
      Do not select what is unselected and do not unselect what is selected.
      It is simple, and totally in accordance with Microsoft’s specifications.
      The value added by Woody’s recommendation is that he monitors the various patches for known problems and tells you not to install potentially defective patches, which is big deal.

    • #25178


      Sorry to “steal” your conclusion mate… Haha… I didn’t see those…

      But anyways, now it’s as confirmed as possible…

    • #25179

      Just type in the numbers only.

      You do not enter KB or spaces – just the number

      The number for October is 3192391.

      Then just select Download for your specific OS. It’s that easy.

    • #25180

      Group A does not mean Automatic Updates checked.
      It means installing all updates when they are tested enough. Microsoft will take corrective action anyway given enough time, 4 weeks is more than enough, generally 1 week is OK, depending on your tolerance to risk.

    • #25181

      Thank you, sir. A well-argued case is one thing. “Agitprop” (agitation propaganda) by dropping conclusory statements into the discussions, as if they were self-evident, is another.

    • #25182

      It is not. You create your own problems by over-analysing.
      Just use Windows Update when MS-DEFCON changes to 3 or above and everything will appear extremely clear to you.
      Forget the Microsoft update Catalog or https://technet.microsoft.com exist, they are for system administrators only and just interesting reading for anyone else.

    • #25183

      Thank you, Woody!

    • #25184

      @Anonymous When you purchased Windows 7 you didn’t analyse in detail what came built-in with the system and there are a lot of components built-in about which you didn’t know then and don’t know now.
      To claim now that updates are imposed by Microsoft to suit their purpose is redundant.
      Stop using the system if it does suit your purpose or stop updating and assume responsibility for what may happen.

    • #25185

      I agree with your observations regarding sustainability of a Group B updating strategy. But, MS has in fact provided the security only manual monthly update as an option. Inasmuch as the purported purpose given by MS for adopting the cumulative update approach was the reduction of patch fragmentation, the availability of the security only update seems somewhat at cross purposes. I am coming to view the Group B approach as more of a temporary tactic where one could mitigate zero day vulnerabilities while avoiding a potential known issue(s) in the monthly cumulative patch. However, the longer you extend your time horizon, the more questionable the Group B strategy seems to become. Each user has to make some decisions relative to the potential tradeoffs.

    • #25186

      Group B at this time running Win7 x64

      Are we still checking WMSRT in important updates?

    • #25187

      You seem to like to traffic in arguments of “false choice” and assume that because a user cannot know everything about a piece of proprietary software that they in fact know nothing. I do not see as redundant the observation that MS’s recent actions appear to be more aligned with their business purposes than the functional needs and desires of the users. You display the type of attitude often observed in IT administration where the users are deemed to know little and cannot make intelligent choices. You have your opinion and I respect that as with all people but please spare me the attitude.

    • #25188

      Sure. There appears to be a bit of snooping going on with MSRT, but it’s (arguably) necessary.

    • #25189

      I also have several Windows 2008 R2 virtual machines that are configured to run like Windows 7. As far as I can see, the 64 bit versions of KB3188730 and KB3192391 will apply to them.

      If I need to update them in the future, I would also just download the security-only updates to install on them.

    • #25190

      It appears that a large number of persons do not consider themselves to have sufficient Technical Skills to be other than in Group A, AND that it is this aspect of the debate that is influencing their choice of group membership (A, B or W).

      I suggest – without reservation – that everyone of us are more than capable of doing whatever is required to update our PC’s irrespective of our choice of group or our technical prowess.

      Are we really saying that we cannot already download and install new programmes, use complex Photo Editing Programmes or Excel. How long does it take us to learn a new game ? Take your choice, I guarantee that everyone of us uses at least one programme that someone else claims is too difficult to understand. I, for example, have never got my head around GIMP for photo editing, but I daily use lots of others that are equally challenging.

      Why? For some, it’s a question of perseverance and practise. Some can download, install and use a new feature very quickly, others take longer. It’s not a technical skill, it is a learning process. It’s no different with installing Updates.

      Consider the options – so clearly defined by Woody.

      Group A – Essentially, do as before. Let MS download and install your updates. The only change Woody has suggested is that you TURN OFF automatic updating after Windows has done its work, between Def-cons. No-one can suggest that this is difficult.

      Group B – All Woody asks is that you take some control over your updates. Surely no-one is saying that they still cannot amend their update selection type – Automatic ? Download but …? Check but …?, Never !

      Are we also saying that we cannot visit the Download Centre or MS Catalogue and download an update. Seriously ? We are the same people who visit Amazon, or any other site to order a product, but we cannot download an update from MS Catalogue? It takes less than 2 minutes to do so. Visit the catalogue. Woody and others have provided all links. Type in the number of the patch you require – just the number – Do not include “KB”. Click “Download” for your Operating System. That’s it. Finished. Now just install the patch – just remember that WU must first be set to Never, or it will want to search for all other updates. Why not visit the catalogue and explore ? You don’t have to download anything, just explore and see what it offers. Try navigating to the “Package Details” to find what patches are replaced by the patch you are interrogating. Please remember that “replaced” does not necessarily mean “superseded”.

      Woody and others have rightly said that there is additional hassle for those who wish to update Office., but they have all issued simple instructions on how to proceed. The same for Net Framework patches. For those who have never downloaded updates before, it’s just something new. It’s just a little different. Do it once, and you will wonder what all the fuss was about. Do it once, and then say that you don’t have the “Technical Skills”.

      Group W – No skills required. Just get on with the other things you enjoy doing – and remember that with no new features being issued (for 7), all updates are fixes for faults still outstanding from previous updates (and there are far too many of them !), or genuine security issues (of which I would suggest a large number are associated with Internet Explorer).

      Possibly of interest to some, I’m group W, I still run 2 XP and 1 Vista as well as my Win 7 machine. Haven’t updated any but the Win 7 in years, and even the 7 machine has had no security patches for IE 11 (which I still use) since January 2016. I have no issues.

      Please remember, you do require a level of “Technical Skills” for performing many tasks on a PC – registry modifications, for example, but downloading Updates requires no skill, just a little knowledge, and for those who think they don’t know, just LISTEN to Woody. He won’t let you down

      So my message is: Think carefully before saying “I’m group A because I have no Technical Skills”

    • #25191

      At the moment I am in Group B. Not really worried re snooping (everybody does this) but about getting a faulty patch and not knowing how to fix is my problem. Reading lots of posts on here and the recommendation of many is that one should really be in Group A if a computer novice. Would that be a fair assessment?

    • #25192

      If that happens in the future, I would just abandon that month’s security update. It won’t matter so much as the security-only updates are not cumulative.

      In fact, I find that two of the updates that cause problems in September, namely KB3175024 and KB3185319, have been superseded by this month’s security-only update. I did not install these two updates on any of my computers in September, and there have been no problems. I believe I am justified in adopting this “Group B approach with occasional Group W” policy at this time.

      I don’t care if I miss some security updates using this approach. In fact I am more than happy to completely stop installing updates if the situation becomes untenable.

    • #25193

      I play an air combat flight simulator that comes right out of Moscow, Russia and it is Windows only friendly. My downloads of purchased products are downloaded over the Internet. Before my initial first time purchase I was not sure of me being in USA what the legality issues were / are. I called my NY State Washington based Senator’s office for advice. They said no problem. But I bet Federal people are looking over my shoulder from time to time. So Windows’ snooping concerning just advertisement does not worry me at all. I usually ignore the hard sell people anyway.

      October’s patch roll up? I may just pass this month and wait and see.

    • #25194

      I completely disagree and would have to ask where you have been for the past year. You don’t seem to understand that people’s trust in Microsoft has been utterly destroyed because of their malware-like tactics. I’m glad you are willing to accept everything Microsoft shove down the update pipe but please don’t act like an apologist for their bad practices. It’s not over-analysing anything, it’s simply being a Windows user in 2016. November’s rollup is about to get a heavy dose of telemetry and that is NOT going on my system so I’ll stick with the security only updates, thanks.

    • #25195

      There was some talk here previously about the KB2952664, that it’s the same windows 10/spying patch from previous times.

      Should that be ignored or installed now we are in defcon 3?

      (Windows 7)

    • #25196

      Is there a Win Update speedup trick for Win 8.1?

      I’m in group B. Did the download Security update as you suggested. Now running Win Update to get the .Net and other stuff, and it is still just “checking” almost 2 hours later.

      I did the Win 7 speedup last month on a different PC, but those patches all say “Win 7” so I wasn’t clear if I should try them on Win 8.1


    • #25197

      I haven’t heard of a speedup for Win 8.1.

      The patches for Win7 speedup won’t install on 8.1.

    • #25198

      Yes, that’s definitely a fair assessment.

      You’ve read the instructions for Group B. If those look like Greek, you definitely belong in Group A.

      Faulty patches are a different kettle of fish. By delaying patching for a couple of weeks, and watching to see what problems arise, you can usually avoid the bad patches. That’s what MS-DEFCON is all about.

    • #25199

      Walker….I readily admit that I am NOT that computer literate….. but over the years one learns a certain amount…….. and I tell my friends…….. that after your sons and daughters leave the nest…..you buy a computer! (variation of a line from Fawlty Towers) Getting back to your question about “Never Check”……. I did have it on “Check for updates but let me choose whether to download & install” as I wanted to see what was on offer. After I followed Woody’s advice to find and install the required Security Patch I looked at WU and unticked the ones I didn’t want and installed the ones I wanted. Which was the .NET one and 3 2007 Office ones. After that was done I went back to WU and found the ones I hadn’t installed were sitting there all ticked….. that was in the Important update section. It was then I changed my settings to NEVER CHECK….. and they all disappeared! (which of course was to be expected……… but still nice to see that they weren’t nagging me to be installed.) Think I will nearer the time for the next Tuesday Patch switch it back to “Check for updates but let me choose to download and install” as I will be curious as to what is offered me. After the discussion about MSRT I did NOT install it this time as I feel I do not need it and it seems to be causing a bit of snooping. But I didn’t look at the Optional section which I had previously made a note of and they were to do with Journal and removal of GWX and a couple of other ones……… which reading the comments here and on other posts seems that when MS considers them to be important (and bug free) they will turn them into Important, which is when I may consider installing them.

      BTW I checked my System Restore points and I find I have 2 listed for yesterday – when I did those 2 separate installs – one for the Security and the other for the .NET & 3 office updates! (I read think it was Addobi86 said that no system restore point is made when manually installing.) So as Manuel in Fawlty Towers says…….. “I know nothing!”

      I realise that this journey of ours in Group B will have lots of detours and roadblocks along the way……….. but for the moment seems to be bump free for me anyway…….. but of course we will see…….. won’t we!!! One thing at a time……. small steps and all that!!!
      Good luck to all! LT

    • #25200

      abbodi86 – Using Windows Update I have installed in the order listed below the following updates:

      KB3172605 – July rollup
      KB3179573 – August rollup
      KB3185330 – October rollup

      I did not install KB3185278, the September rollup, before it “disappeared” from Windows Update and was rolled into the October rollup. I have not installed any of the security-only updates.

      Thanks for again providing a reminder that mixing monthly rollups and security-only updates can cause Windows Update to behave in a confusing manner.

    • #25201

      “It is simple, and totally in accordance with Microsoft’s specifications.”
      Yes, and over time it will eventually transform your Windows 7/8.1 into Windows 10 Lite.

    • #25202

      And “totally in accordance with Microsoft’s specifications” means it’s what’s best for Microsoft, not what’s best for users.

    • #25203

      My Win 8.1 box has been hit full bore with the WU scan forever problem. It’s actually worse than what I experienced with Win 7.

      I can’t get to WU manually (I’m set to “never” check). The problem is caused by the 8.1 Flash patch.

      I’ve tried to install the Flash patch from the MS Catalog, but can’t because the .msu launch results in the “checking for update” scan that doesn’t end.

      I followed Woody’s instructions to stop WU Service (realizing that they were intended for W7), but when I get to the final step, I only have the option to START the service, no stop link indicated.

      So, I’m stuck. Any suggestions…Please! Would installing the July and/or August optional rollups (3172614 and 3179574) help? (If I can get there!)

      Just when ch100 convinced me that Group A was the way to go, I can’t get there!

    • #25204

      Just making an assumption here. Woody didn’t take it personally, it is only that there are so many posts, which is great 🙂 , that it is practically impossible to keep track of everything and in good order.

    • #25205


      I didn’t know that. Thank you for the info.

      However, I can confirm that installing a non-security patch DOES automatically create a Restore Point.

    • #25206

      The equivalent July 2016 rollup, KB3172614

    • #25207

      Hi Woody,

      I have a Win7 Home Premium 64 bit computer that I haven’t updated since July. I know – not a good idea, but for various reasons, I haven’t done it.

      My question – if I class myself in Group A – is it safe to now just go ahead and enable Windows Update to get whatever is now needed? I have mine set to “Never” and I know that there have been many that I have missed over the last few months.

      Is there a Win 7 speed up patch that I need first, or will it all be fine if I just run Windows Update now?


    • #25208

      I am looking after two third party machines (both Win7 x64) which I have consigned to Group A. Everything installed ok and only optional patches remain.

      On my own two machines (one W7x32 and one W7x64) I have installed the Security Only patch KB3192391 and a separate .NET patch, but the Quality Rollup patch KB3185330 remains in WUpdate, whilst in Secunia there are also entries for .NET 3 and 4, IE11 and Silverlight 5, all quoting the same QR patch.

      Anyone else seen this or otherwise able to comment, please?

      Win10 22H2 Pro, MBAM Premium, Firefox, OpenOffice, Sumatra PDF.
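
      Post #25208 asks why the Quality Rollup is still listed after the Security Only patch went on. As an added example (not part of the thread and not Microsoft's or Woody's tooling), this PowerShell sketch reports which flavour of each October 2016 update is actually installed, using only the Windows 7 KB numbers quoted in the posts; the function name and the sample list are made up for illustration.

```powershell
# Added example, not from the thread. KB numbers are the Windows 7 ones quoted in
# the posts; Get-OctoberPatchState and the sample list below are hypothetical.
# Written to run on the PowerShell 2.0 that ships with Windows 7.

# October 2016 updates that come in a "rollup" and a "security-only" flavour.
$OctoberPairs = @(
    @{ Component = 'Windows';        Rollup = 'KB3185330'; SecurityOnly = 'KB3192391' },
    @{ Component = '.NET Framework'; Rollup = 'KB3188740'; SecurityOnly = 'KB3188730' }
)
# Servicing stack update that the thread says must be installed on its own.
$ServicingStack = 'KB3177467'

function Get-OctoberPatchState {
    param(
        # Installed hotfix IDs such as 'KB3192391'. Passed in as a parameter so the
        # same logic can be run against a list saved from another machine.
        [string[]]$InstalledKb
    )

    foreach ($pair in $OctoberPairs) {
        $hasRollup   = $InstalledKb -contains $pair.Rollup
        $hasSecurity = $InstalledKb -contains $pair.SecurityOnly

        if     ($hasRollup -and $hasSecurity) { $state = 'Both (mixed)' }
        elseif ($hasRollup)                   { $state = 'Rollup' }
        elseif ($hasSecurity)                 { $state = 'Security-only' }
        else                                  { $state = 'Neither' }

        # KBs of this pair that were found, for the report column.
        $found = @($pair.Rollup, $pair.SecurityOnly |
                   Where-Object { $InstalledKb -contains $_ })

        New-Object PSObject -Property @{
            Component = $pair.Component
            State     = $state
            Found     = ($found -join ', ')
        }
    }

    # The servicing stack update has a single flavour: installed or missing.
    $hasStack = $InstalledKb -contains $ServicingStack
    if ($hasStack) { $stackState = 'Installed'; $stackFound = $ServicingStack }
    else           { $stackState = 'Missing';   $stackFound = '' }

    New-Object PSObject -Property @{
        Component = 'Servicing stack'
        State     = $stackState
        Found     = $stackFound
    }
}

# Live check: Get-HotFix lists what is installed on this machine.
$installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
Get-OctoberPatchState -InstalledKb $installed |
    Format-Table Component, State, Found -AutoSize

# Constructed sample (not real output): a machine with the security-only Windows
# update, the security-only .NET update and the July rollup KB3172605.
$sample = @('KB3192391', 'KB3188730', 'KB3172605')
Get-OctoberPatchState -InstalledKb $sample |
    Format-Table Component, State, Found -AutoSize
```

      Get-HotFix reports what is installed, not what Windows Update offers, so a rollup that is still listed in Windows Update will show here only once it has actually been installed.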
    • #25209

      I’m seeing it, too.

      You’re doing fine. Ignore Secunia. It isn’t up to your level. 🙂

    • #25210

      Short answer is, yes, if you’re OK with Group A, you should get everything installed. Use the procedure I wrote about


      and only install the checked updates.

      Yes, there is a speedup trick, and I wrote it up in great detail for InfoWorld. I see that the article is scheduled to publish early Monday morning. So wait until you’ve had a chance to read that article before you slog through an install.

    • #25211

      I’ll take that as a compliment, though I’m starting from a low base 🙂

      So just ignore the Quality update in WUpdate and retire to a rear trench?

      Win10 22H2 Pro, MBAM Premium, Firefox, OpenOffice, Sumatra PDF.
    • #25212

      I’m having a horrible time answering each post individually. We’re now getting hundreds a day – some of them pontificating, but mostly from people with real questions, real problems, differing observations and experiences.

      Which is why I’m up at 6:30 on a Saturday morning answering posts. 🙂

      I’ve toyed with the idea of changing over to a forum format, with moderators and user-started threads, but I don’t want to lose the “feel” of the site.

    • #25213

      Pick a side – Group A or B – and stick with it.

      Until Microsoft changes the game again….

    • #25214

      Personally, I can see some advantages in the forum format, if you can find a way to stay in the middle of the discussions as the moderator. Worthwhile as this blog is, a thread as active as this one presents the reader each day with a new page of comments, while previous discussions appear on one of the “older comments” pages–but which one?
      I can see how it must be driving you to distraction.

      Digital Photography Review has a pretty good format, switchable between “threaded” view and “flat format” view, with info re the last post and time of that post, and a quick way to check for replies to one’s own posts. DPR is lightly moderated (a source of complaints by users reacting to abusive posts) but some moderators participate in the threads.

    • #25215

      Woody, is the IE cumulative security update in the kb rollup or is it separate like the .NET patches?

    • #25216

      IE security patches are in the Security-only update. (Originally MS said it would be separate, but they figured out how to roll it in.)

    • #25217

      I need to see if there are any similar tools available to me. I’m running a very bare-bones WordPress theme.

    • #25218

      Try disconnecting from the Internet as well as stopping the WU Service.

    • #25219

      Thanks Woody!

      I’m not so much “OK” with Group A as feeling that I’m pretty far behind in getting updates, and not sure if being in Group B will allow me to get everything I need at this point.

      I will look for the speed up article on Monday and go from there.

      Thanks again for the advice!!

    • #29534

      I updated one Win 7 machine last night, and the other this morning. Both machines loaded the Group B security update with no problems, and both did fine for searching.

      However, last night, it took 2 hours to download the 32MB(!) update, while the bigger update this morning (44M, still have Silverlight on that machine) took about 10 minutes. The security-only update (79MB) took several seconds to download…

      I don’t know if the WU servers are getting clobbered by Win 10 updates, or if MS found a 486 server from the scrapheap for Win 7 updates. I hope it was the former.

    • #29535

      It isn’t over-analysing anything, even though I’m not a system administrator. It isn’t just interesting reading. Privacy is important to protect and worth the extra effort to maintain. I’m not messing up by choosing to be group B, but continuing to protect myself from Microsoft. That I shouldn’t have to, is true. But Microsoft is the one at fault and causing the problem. I understand how not following their protocols can cause problems. But they could solve that easily by providing working privacy settings (and any telemetry should be opt in). I would pay the extra money to have a system that is private and not being harvested for data. That is of value to me, as a customer. Microsoft clearly doesn’t want me as a customer, and has violated my trust in their products. That means I will not support or buy products that are solely for Windows in the future. I am going to protect my current computer for as long as possible, and I treasure Woody’s help. Ch100, you give wonderful, detailed information… but the reason I love Woody is that he informs me so I can make the best possible choices given my values and knowledge. Non-techy people can understand their choices… and do want to have a safe and reliable machine, even if it is their one and only. For me, right now, that means security only patches. If Woody didn’t lead me through the more technical aspects of obtaining them, I would be group W. Shame on Microsoft for making so difficult and shame on you for not respecting those of us who are not technically trained. I’m not trying to have privacy because I’m into illegal stuff. I believe in privacy as a human being. More of us need to be following group B… I’m encouraging my family and friends (with their computers backed up) to follow it too. If enough people did it, Microsoft might pay attention, instead of disregarding us as an unimportant minority. When I explain that the telemetry is in the updates… well, I haven’t found one person who wants it. 
      Other than being in groups B or W, how can it be avoided? Clearly Microsoft Update Catalogue is for us, the non-techie people… unless you have another way to provide the essential privacy and security?

      Non-techy Win 10 Pro and Linux Mint experimenter

    • #29536

      I think the Recommended category is going away, so that may not matter in few months.

    • #29537

      This is the time to download from the Microsoft Update Catalog – or from Windows Update?

    • #29538

      Sorry to have to disagree with you Old Dog, but in the real world out here, the vast majority of Windows owners (I purposely used this word instead of users) think of their PC no differently than a potato peeler. It is just there when they turn it on. They use it to read and send email and occasionally browse the web for something a friend told them about. Some use it only for Facebook.

      Those people don’t even know there is a thing called Windows Update there or what it does or when.

      When it (the potato peeler) doesn’t do what they expect it to do, they ask their nephew or cousin to “fix” it. Anybody who knows PCs knows where that leads to.


    • #29539


      What happens if a user is still on IE9 and wants to update with the Security Only Update for October? I saw that you mentioned MS has included IE updates into the Security Only Update whereas originally it was to be a separate update.

      Will the October Security Update ignore IE9 or will it attempt to install IE11? Or, don’t we know exactly what will happen? Anyone?


    • #29540

      I’m not sure, but based on earlier wording, I don’t think it’ll try to switch you to IE 11. But then it won’t patch your IE 9, either.

    • #29541


      Which is the KB for getting the latest Windows Update Client for Win 8.1 x86/x64? Is it related to Win 10 as the controversial KB3112336? Can it be installed as standalone or from Rollup?

    • #29542
    • #29543

      Canadian Tech,

      Your response is much appreciated. I agree that many, many people do consider their computers as just a tool to take out of its box, use it and then put it back. In fact, why shouldn’t they ?

      My post was addressed to the contributors and readers of AskWoody – whom I do not believe fit this description. They actively participate in these discussions and obviously do care about the issue of Updates and Telemetry.

      If my post convinces just one person to better understand how they can control Windows Update, I will be quite content.

    • #29544

      Just to report that on my secondary machine (which I always update first, both being W7 x64 Home Edition desktops), which I have set to “notify but don’t download”, I have now installed the October Important updates.

      Although both KB3188740 (.Net Framework) and KB3185330 (security rollup) appeared initially, by the time I installed them the latter had disappeared only to reappear after the former was successfully installed. After KB3185330 had also installed successfully I was offered KB3177467 (service stack) and that also installed ok.

      Both optional updates KB 3193713 (Silverlight – no longer present on my machines) and KB3192403 (Preview) remain hidden along with the September MSE update KB3193414 (due to the removal of the right-click scan option).

      Assuming this machine boots up and runs ok tomorrow then I’ll unlock the “Never update” setting on my primary machine and install the updates as offered.

      Thanks as ever, Woody and fellow commenters.

    • #29545

      October updates is just an update for IE11, it doesn’t include IE11 itself

    • #29546

      The equivalent July 2016 rollup KB3172614

    • #29547

      I think it is like Woody says. There is a possibility that at some time later, the patches will stop working entirely. However this would go against Microsoft’s global intentions to have most systems patched at best as they can, so it may not happen at all, nobody outside of Microsoft knows.
      Related to your question, do you have any particular reason to prefer IE9? That version was a poor version, a transition one I would say, while I think the best version ever released was IE10. Unfortunately all versions older than IE11 tend to be working with less and less sites.

    • #29548

      Abbodi86 replied in another place that it is the equivalent to KB3172605 for Windows 8.1, released in July 2016.
      The latest released as standalone should be the one in March 2016, but it is inferior to the one released in July 2016 as part of a cumulative update.

    • #29549



      This KB3102812 fixed the issue with Windows Update. Completed checking in 5 mins.

    • #29550


      Looking at the instructions on Infoworld of Oct. 27. I have a question about having the updates set at “NEVER” and trying to follow the procedure set forth in InfoWorld.

      When I go to the Win7 update history page, the information is there, however when I click on KB3192391 nothing happens. Do I need to turn “NEVER” off and return to “Check for updates but let me choose whether to DL & install them”?

      I also noted that in the instructions for Group B, Step 5 in Group B references “Group A”. Thinking that is just a typo (?).

      I’m so backed up on e-mails from the various discussions I don’t know where to try to find an answer.

      I’m confused as there is no reference to the settings I should have on the “updates” before I try to get this Security Update. I would like to get started as soon as possible.

      So far I’m only seeing ONE “Security Update” which needs to be installed, however I need to try to get caught up with all of the e-mails to see if there are anymore changes.
      I need help desperately to get things started.
      Thank you. 🙁

    • #29551


      P.S. Is it possible to just leave “NEVER” on the updates, and do a “Check for updates” to find the Security Only update KB3192391?

      I’m feeling really insecure and confused right now. My apologies.

    • #29552

      As part of the Group B contingent, I just wanted to thank you for your step-by-step instructions. Strangely, when I turn off notification of updates, Windows tells me that there are no additional updates, even though I know that there are. Anyway, I’ve set Windows Update to notify me of any updates but not to do anything about them. I’ve also found that, under Services in Administrative (under Control Panel), I need to set Windows update to Manual in order to let any updates load without searching endlessly for updates. I do have all the necessary updates that are supposed to speed up the process, but unless Windows Update is set to Manual they don’t work as intended. Don’t know why that is. Anyway, thanks again for walking us through the procedure. Please continue to include this as a monthly feature for those of us in Group B.

    • #29553

      The Security-only update is only available if you download it directly.

      It will never appear in Windows Update, no matter what your settings.

    • #29554

      You don’t need to catch up on any of the posts here. Just pick Group A or Group B, and follow the instructions in the article. That’ll catch you up with everything you need.

      Do you see the list shown in the article, in the screenshot? Click on the KB 3192391 link, per the instructions. What happens?

      Yep, that’s a typo. Should be Group B Step 5.

    • #29555

      This was from Windows Update. The Update Catalog (Security Only) took about 10 seconds.

      The rest was .Net, MSE and the MSRT. Not much data, but bog slow.

      Friday Night: 3 updates, 32M 2 hours
      Saturday AM: 4 updates, 44M 10 minutes

      I’ve had slow Windows Update downloads, but Friday’s reminded me of my dialup days. I got a couple of timeout errors on Friday, too.

    • #29556

      Thank you Woody.

      I saw on the link you provided that Office 2007 does have some updates in the latest PU “Public Update”, which is KB3194160 for October, and which appears to include updates for all years of Office.

      Then it says, “For general guidelines about installing updates for a specific product, see the links in each version row.”

      I clicked on the row for Office 2007 and was taken to this page: https://support.microsoft.com/en-us/kb/3194160

      On that page, it says for Office 2007 there are 3 KBs:

      “Word 2007 MS16-121: Description of the security update for Word 2007: October 11, 2016(KB3118308)

      Office 2007 MS16-120: Description of the security update for 2007 Microsoft Office Suite: October 11, 2016(KB3118301)

      Office Compatibility Pack Service Pack 3
      MS16-121: Description of the security update for Microsoft Office Compatibility Pack Service Pack 3: October 11, 2016(KB3118307)”

      My question:

      Would updating my Office 2007, for October, manually from the Update Catalog, be as simple as hunting for those 3 KBs in the Update Catalog and installing them directly?

      Or would it be likely to cause problems because I didn’t go through Windows Update?

    • #29557

      @Woody: Thank you so much for the clarification. Yes, I see now the steps more clearly which I need to follow. I hope to get this done before November 1st, as I don’t know what’s going to break loose by then (hopefully “nothing”).

      I am having vision problems, and that is part of the trouble. I must slow down and read everything several times to be sure I don’t miss anything.

      THANK YOU so much for your help. As we all say “YOU ARE THE BEST”!! 🙂 🙂 🙂

    • #29558


      I agree with “Just Sayin’” 100%!! You are absolutely outstanding in every respect. You are not only knowledgeable, but have a wonderfully warm and common sense approach in all of your posts, which I always look forward to reading. Hope you will SOON get some relief on that bad patch which creates such a serious problem for you. I admire your knowledge and tenacity. Please don’t give up.

      I wish you the very best of luck with that. You are an inspiration to all of us!! 🙂 🙂 🙂

    • #29559

      woody, changing over to a forum format in my opinion, would be a good move. Wouldn’t it save you time having user started threads?

      Who would be your moderators? My suggestion would be the many shining lights we see here (of course only if they wanted to as it is so time consuming) if that is what you meant. There are so many (experienced) posters on this blog from around the world there would always be someone online to ensure the “rules” (even though I haven’t seen any heavy handedness from you) would be followed.

      You wouldn’t lose the “feel” of this site, after all it is because of you many people come visit AskWoody every day because of your honesty.


    • #29560

      Lemme think about it.

      It’s a big, relatively expensive switch. And how would I stitch the posts here into a forum format?

    • #29561

      You don’t need Windows Update. If you can find the patches, download and install them manually, you’re doing just fine.

    • #29562

      Ah. Wait until Monday morning. I have a post coming in InfoWorld that goes into details.

    • #29563

      Having more of a forum setup here would be SO great.

      It would make it easier to follow all the wonderful advice and input that are newly posted daily on many different topics, and it would make it much easier to search for and retrieve information from past threads.

      If you needed more hands on deck for the backend administration of a forum (even if you still wanted to approve all posts yourself, and remain the sole external “voice” of the operation, in order to keep the quality high), maybe you could get some rotating, part-time “interns” from a local university/college and give them some real-world experience and a nice entry for their resume, while benefitting from some inexpensive labor. Or advanced high school kids. (Not sure if any of that would be feasible or practical.)

    • #29564

      In terms of keeping the prior blogposts and comment threads available to site visitors,

      maybe you could have a searchable “Archives” section that reproduced every historical blogpost and the discussion thread that it inspired, but not allow any new posts to be made in the archive section.

    • #29565

      Maybe you could start with a basic one, nothing fancy, and see how it goes.
      And keep the present WordPress format in the wings, if going to a forum structure didn’t work out.

      I’ve been a member of a few forums that were rudimentary, looked off-the-shelf and inexpensive to set up, and were mainly started/run by 1 or 2 people. Perhaps they had 30 to 100 registered members, with a few “guests” lurking around. They were not the most visually-exciting places, but they got the job done.

      But I don’t know what the costs are like – would having a forum require spending a lot more per month on site hosting/server space/data conduction (or whatever the appropriate concepts/terms are)?

    • #29566

      I am in no rush to try this, as I want to wait a month before deciding whether I’m in Group B or Group C/W and before doing any patching, to see how it goes for other people,

      but if anyone else decides to update their OFFICE 2007/2013/2006 product in this way, manually through the Update Catalog, I’d be interested in hearing their experiences with that.

    • #29567

      I think the exception for IE security updates is when you get out of band Flash updates and use IE11 where it is embedded.

      So this time the Security only rollup did not include the latest Flash fix for IE11, which is why Flash showed up as a separate line item after running Windows Update

    • #29568

      Thanks. Will try that next round. It took 3.25 hours but Win Update finally completed on my PC last night and I was able to get the other Group B items.

      I think the slow problem comes when there is a Flash update for IE. In the past I had better luck by first installing the IE11 and Flash updates, then doing a check for Win Updates – but this time there was no Flash update already listed in WU until after I ran that long check.

    • #29569

      I don’t really know. When I started Woody’s Lounge, there was one person – Eileen Wharmby – who handled all of the details. She was quite amazing.

    • #29570

      Flash updates were and will still always be separate

    • #29571

      Adding my thanks too, for the Group B guidelines.

      It looks like we manually grab the Security-Only KB once a month now? (Plus any small .Net type patches that we let WU tell us about.)

      By manually, I mean find out here. I suppose we could watch the update catalogue for the phrase “Security-Only”.

    • #29572

      I’m group A. Did the Oct. patch. You recommend afterwards to switch to don’t update until next month’s patch. Instead can I switch to “Check for updates but let me choose whether to download and install them”?

    • #29573

      Thank you for your article and help. I am in group B, for now. I followed your instructions in the Info Article on all 3 computers.
      2 did just fine, but the 3rd one, not so much.
      It is Win 7 Pro- 64 bit. I did the security KB3192391 as you said. Restarted. Now I am checking for the .Net and Office security patches. It is still “checking for updates”. Is your article on Monday going to address this stuck on “checking for updates” for the Group B folks? Or what should I do?

    • #29574

      Since we’re at DEFCON 3, may I ask for advice regarding my hidden updates W10 Home 1511 (10586.633).
      KB3161102, 3181403, 3150513.
      KB3201860 installed today.

    • #29575


      My apology for being so late in responding to your very kind and encouraging message! I enjoy the comments from you and poosticks both so much because I can certainly relate to them. I am definitely “non-techie”, just trying to keep my head above water (not to mention the alligators!).

      Good reminder to set the System Restore points before manually installing. Also a good reminder that the MSRT appears to not be “secure” either. Updating is definitely nothing like it was intended to be when I purchased my computer. What wonderful days those were!!

      Good luck to us all, and (hopefully) eventually things will improve. We just need to “hang in there” and keep our morale up. Thank you for your reply!

      🙂 🙂

    • #29576
    • #29577


    • #29578

      You can. The effect is basically the same.

    • #29579


    • #29580

      Hi Woody,
      I believe you may already be aware, but in case not, the INFOWORLD article about this has Group A steps and Group B steps. I think a typo exists in Group B step 5. It says, “Group A, Step 5” when I suspect you intended “Group B, Step 5.” Readers probably assume this, but just mentioning! Grateful for your dedication to all of this complexity!! About to jump ship and become a Group A person as it is all getting a bit too complex for my weak brain.

    • #29581



      RE: Vssadmin to expand shadow copy space.

      Linked article advocates disabling Vssadmin.exe by renaming it because of ransomware attacks.


      Thought it might be of interest.

    • #29582

      @Woody & Jussi:

      Any recent information on the KB2952664?
      Last information I noted was on InfoWorld on October 10th and it was listed as “uninstall” along with KB2976978, KB3150513, and KB 3021917. I don’t have the CEIP insofar as I know. I have at least the KB 2952664 installed, however haven’t checked the others yet. Win 7, x64.

      Thank you for any current information you may be able to provide on these. 🙂

    • #29583

      @Woody: Group B, looking at the Oct 27th directions. I do not see the direction to “turn automatic updating off”. Win 7, 66x.

      I would like to move forward with getting the KB3192391 installed, however would like to verify if I do need to “turn automatic updating off”.

      I know how busy you are, and I sincerely apologize for adding to the workload.

      Thank you for all of your help, as always, and I apologize for sending an e-mail about this as well. Thank you for your help, it is always appreciated more than words can say. 🙂

    • #29584

      Sorry, it’s Win 7 64x. Another apology with much gratitude for your understanding. 🙂

    • #29585

      Hi Woody,
      Many thanks for all your wonderful advice. I’m in group B with Win 7 Pro 64-bit. I installed the security only patch (KB3192391).

      After reboot saw and installed KB3188740 (.net roll up), KB890830 (MSRT), and KB3193713 (Silverlight security). However I also saw KB3185330 (security quality monthly rollup) and KB3177467 (service stack?), and neither downloaded nor installed either of them, as KB3185330 is for Group A (as I recall you noted?), but it’s unclear what to do about KB3177467 (which in ‘googling’ seems to indicate it can cause problems?).

      Should Group B with Win 7 64-bit be downloading/installing KB 3177467? Thanks in advance for clarifying.

    • #29586

      Thanks ch100, my question is why Woody recommended to check the box now – give me recommended updates the same way I receive important updates, which he did not recommend to check it before. I am confused. Without the box checked, I am still seeing KB3185330 on my download list.

    • #29587

      If you’re in Group A, you’re going to want Recommended patches.

      If you’re in Group B, you don’t want them.

    • #29588

      That’s the servicing stack update.

      Over on the My Digital Life forum, ch100 says:


      Strictly speaking yes, KB3177467 is the only one required.
      However, there are known issues with the detection for KB2533552 which Windows Update “thinks” that is needed after installing KB3020369. To keep it happy, you just tell it to install, WU probably sets a flag somewhere in the system and becomes quiet, although there is no installation as such.
      I heard, without experiencing it myself, that KB3177467 might need more work at MS, so in the mean time KB3020369 might still be needed.

      According to the KB article:

      After you install update 3177467 together with other updates, a restart may be required to complete the installation. During this restart, you may find yourself stuck on “Stage 2 of 2” or “Stage 3 of 3”.

      If you encounter this issue, press Ctrl+Alt+Delete to continue to log on. This should occur only one time and does not prevent updates from installing successfully.

      Personally, I wouldn’t install it just yet. Abbodi notes that it must be installed all by itself, with no other pending updates, to avoid the “Stage 2 of 2” problem.

      ch100, abbodi86, any better advice?

    • #29589

      Follow the instructions precisely. You should already have Automatic Update set to “Never” – and leave it there.

    • #29590

      Greetings Woody,

      After following the Group B recommendations on four different Win 7 Pro x64 machines, the Secunia PSI scans on each report the same deficiencies:

      Microsoft .NET Framework 3.x

      Microsoft .NET Framework 4.x

      Microsoft Internet Explorer 11.x

      Microsoft Internet Explorer 11.x (64bit)

      Microsoft Windows 7

      However, scans by the Belarc Advisor (which I take as the Gold Standard) yield a 100% rating for each machine.

      I know that Secunia were purchased by Flexera not too long ago, but they are still offering the Secunia PSI (version, released February 2016), so I am assuming that its database is being maintained. Any thoughts on this discrepancy?


    • #29591

      @Woody: Thank you so much, Woody, for clarifying this for me. I hope that everyone will join together to assist with supporting your amazing efforts!

      Thank you once again. 🙂 🙂 🙂

    • #29592

      @Joe Friday…Thanks for the link re Vssadmin.

      Windows 7 64 bit here. Group B

      Regarding the 3177467, (service stack)
      I did download it with no problem. It was listed as important, also listed as a “critical” update I think in the catalog or somewhere????
      The only thing I did not do is the Malicious Removal Tool. Haven’t decided if it really is beneficial to do so.

    • #29593

      A pleasure Walker! Don’t think I like the alligators tho’……. never gave them a thought….. but there could be some lurking around in the swamps! Yuk! Will have to watch out for them!
      Never smile at a Crocodile……… and all that! LT

    • #29594

      Re: Windows Update setting “Give me updates for Microsoft products and check for new optional Microsoft software when I update Windows.”

      I learned the following yesterday. Someone may find this helpful.

      Unchecking the box next to the above referenced setting on the Windows Update “change settings” page causes the box and the setting to disappear. To obtain updates for non-Windows Microsoft products and software after unchecking the box requires clicking a link on the main Windows Update page that, as best as I can recall, says something like “learn how to obtain updates for other Microsoft products.” If a computer’s default browser is Chrome, clicking that link opens a Microsoft page that has some words and pictures about Windows Update but nothing more. Alternatively, if a computer’s default browser is IE11 clicking on the link opens a Microsoft page that asks the user to enroll in Microsoft Update. There are two enrollment options and even the least automatic option causes Windows Update to launch immediately. Quickly shutting down Windows Update allows the user to reopen Windows Update to confirm that the above referenced setting has returned and is checked and to change the update settings to “Never check for updates (not recommended)” or some other option.

    • #29595

      Sorry if someone mentioned this–I haven’t read ALL the comments: Woody, there’s a typo in the InfoWorld explanation of GroupA/B: In the Group B list of steps, it says, “Group A Step 5.” Since by this point we’ve already read the Group A steps and are now reading the explanation for the B group steps, I’m pretty sure it should say, “Group B Step 5.”


    • #29596

      Yep. I’ll get it fixed as soon as my editors are back at their desks….

    • #29597

      I don’t trust Secunia PSI with Windows stuff.

    • #29598

      1) last comment re 3161102 is August 14, 2016 at 10:22 am
      2) last comment re 3150513 is September 25, 2016 at 11:00 am
      seem inconclusive, what to do….
      3) 3181403 – install = Thanks

      I’m curious why cumulative does not roll these in…

    • #29599

      You’re talking about updating Win10 version 1511, yes?

      You should go ahead and install all Win10 patches. See


    • #29600


      Can I safely wait until Tuesday to patch or will it being the first of the month affect anything?

    • #29601

      woody: You’re talking about updating Win10 version 1511, yes?
      > Yes.
      woody: You should go ahead and install all Win10 patches.
      > Meaning all patches for 1511..?
      woody: If you’re still on the Fall Update, version 1511, I say stay there until Microsoft gets a better version of the Anniversary Update, version 1607.

    • #29602


      It’s definitely “my pleasure”! Really enjoyed your message, and it gave me a much needed “chuckle” to end the day.

      I’m reaching the point that a lot of us have – – – I’m just “plain weary”, and I’m sure that Woody is hard pressed trying to keep up with it all. He does a marvelous job!

      Let’s hope we can all “weather the storm”, and eventually prevail against this *(&^% debacle.

      Good Luck to us ALL!

      🙂 🙂 🙂

    • #29603

      abbodi86 knows this stuff, he is right 🙂
      But if you wish to advise delaying it, there is no rush, KB3020369 is still the only one which is required for the current stage of updates.

      Note: I advise KB2533552 entirely for cosmetic reasons. On 64-bit versions, without KB2533552 Windows Update will believe that SP1 is not installed and will fix the detection regardless by flagging that KB2533552 is installed. abbodi86 proved to me not long ago here on askwoody.com that KB2533552 is entirely overwritten by KB3020369.
      Same thing with KB3177467 which entirely replaces KB3020369.
      By installing in the sequence which I presented, the risk of failure to install is minimised, otherwise the only one required is KB3177467.

    • #29604

      If it is not clear enough from my posts, each of those 3 updates (or only those selected) should be installed manually and separately from each other. They are all servicing stack updates belonging to a different stage in the life of Windows 7 and Windows 2008 R2.

    • #29605

      It is as beneficial as any antivirus tool.
      If you are against antivirus tools, then do not use it. Otherwise go ahead and use it.

    • #29606

      @Walker & @Jussi, read this from Woody’s InfoWorld article from Oct 5:

      I don’t have 2664 installed as I wasn’t going to move to W10 …and now? it’s one I’m forgetting about – permanently.

      Contributor ch100 said a while back that he/she doesn’t see anything bad concerning this patch (but his/her best practice is to install everything anyway :~ ). I’m steering clear of it, however it’s your choice to make.


    • #29607


    • #29608

      How would I go about this if I wanted to make it as simple as possible, while installing only the “essentials”? (I’m in Group “B,1” btw, I don’t care that much about privacy, telemetry slowing down my computer is more of a concern to me if anything), I just want things to work, and without me being a test subject for possibly botched patches and the likes.

      1. Check the Windows 8.1 and Windows Server 2012 R2 update history for the relevant file. (I’m using Win 8.1, just for the record.)

      1a. Check around the net if there are problems with the relevant Security Only update, and act thereafter.
      1b. Install if it has been given a green light, wait if unsure.

      2. Check for Updates via Windows Update.

      2a. Ignore all the non-program-specific Security Rollups and whatever they are called.
      2b. Ignore all Optional Updates unless they are for some reason explicitly relevant to a product I am using (within reason of course).

      2c. Check around the net for more input on entries in the “Important” list concerning software like .NET, Office, Adobe Flash Player a.s.o., generally installing them unless a web search reveals major problems with one of them.
      (BTW, should all “Monthly” Rollups be avoided, or just the non-program-specific ones?)

      2d. Check around the net for more input on any other entries in the “Important” list, but avoiding them unless they seem relevant and/or critically needed.

      3. If all is OK, install updates, check that things didn’t break a.s.o.

      4. Keep an eye out on this website (and on the net in general), in case the situation changes.

      Have I understood the instructions correctly, or did I miss/misunderstand something?

      (I’m sorry if I seem a bit daft, but I’ve both ADHD and Asperger’s, so this isn’t as much about me not understanding as it is about me trying to make sure I’ve understood correctly.)

    • #29609

      EDIT/ADD: Another Question:

      1. Are the instructions from the “How to cautiously update Windows 7 and 8.1 machines”-article going to be general unless things drastically change (i.e. Is this going to be the proper way to go about updating from now on?).

    • #29610


    • #29611

      All you need to do is follow along here (or on Twitter, or Facebook, or the RSS feed) and wait for MS-DEFCON to fall to 3, 4 or 5. At that point, follow the instructions in my MS-DEFCON post for Group B.

    • #29612

      ch100, Interesting statement. I did not realize until just recently that after years and years and hundreds and hundreds of applications of MSRT, I can only remember ONE instance of it finding something.

      I suspect a reasonably good AV installation is many times more effective. I would advise MSRT to be used only in a case where no AV tool is intended to be used.

    • #29613

      Thanks, Woody; it looks like it’s time to retire it, then.

      Out of curiosity, what is your take on the Belarc Advisor?

    • #29614

      Thanks for the reply. Woody, if the only two important updates that I haven’t downloaded yet (and hidden for now) are KB3177467 and KB3185330 (the latter being for Group A), and being I’m Group B, aside from not downloading KB3185330, I should hold off downloading KB3177476 svc stack update until Woody gives the ok? Also in layman terms, what is the KB3177467 for? Thanks.

    • #29615

      I’m curious why Cumulative Update do not roll these in.?
      Since W10 Home in-place upgrade (W8.1). I’ll only show/install Security and Cumulative Update.
      Am I Group B.?

    • #29616

      and for those that do not do social media..?

    • #29617


      When I installed kb3192391 and restarted my computer it did the whole “configuring windows please wait” thing, but when I installed kb3188740, the MSRT and kb3179930 it just restarted like normal. Did I mess something up?

    • #29618

      Woody, would you please remove the foregoing post? I mistakenly put my email address in it. Or replace my email address with Canadian Tech

      Thank you.


    • #29619

      I see, thanks for the quick answer 🙂

    • #29620

      @Canadian Tech,

      The email address is still appearing, so perhaps he didn’t realize what you were asking –

      You might send him a direct email to:
      woody at ask woody dot com

      I agree about the MSRT —
      it never found anything bad on my computer,
      and it was requiring the hassle of a new legal authorization/permission every time it was allowed to run via Windows Update,
      so I stopped using it this past February.

    • #29621


      I recommend not unchecking that line which says,
      “Give me updates for Microsoft products and check for new optional Microsoft software when I update Windows,”
      but if it is unchecked, and the computer owner wishes to get it back, there are 2 safe and reliable procedures to get it back.

      Over the years there have been a handful of other procedures published which used to get it back, but they don’t work anymore.

      The 2 procedures that still work have been described in the AskWoody.com discussion threads in the past.

      One involves editing the Registry, which is only for intermediate and advanced computer owners to attempt,
      and one involves an easy but roundabout way to make it show up again which does not involve going into the Registry, and is better for non-techies.

      About 2 weeks ago, in a recent discussion thread here, someone asked me to repeat the non-techie procedure to get that selection back on the Windows Update settings screen
      (this procedure is “safe” in the sense that it will not provoke Windows Update to start running on its own, as you have described seeing happen on your machine),
      and that procedure should not be hard to find using the site search here.

    • #29622

      I have found it to be OK for Windows up until this October, but ONLY if you use WU or the catalog to do the actual updating. I never use the PSI itself to do any updates, I just use it to let me know, and go to the respective websites.

      I think as of October the PSI is fixated on the Rollup, so I am no longer using them for Windows, but am still using them for all other stuff.

      I also use Belarc. Nice tool for telling you what is missing.

    • #29623


      As far as I know, the date of the 1st of the month is not relevant to patching.

      The main days where the patching system has important changes are the 2nd Tuesday and 3rd Tuesday of each month.

      As long as Woody’s “Def Con” system at the top of the page is showing that patching can be done, and it’s after the last 3rd Tuesday of the month (18th Oct) and before the next 2nd Tuesday of the month (8th Nov), then you should be fine.

    • #29624

      @bjm We shall continue to “follow along here”, as Woody put it – i.e. keep an eye on this website.

    • #29625


      For me personally, I think the following two quotations from your post contain great advice that everyone should follow,
      in order to see if there are any reports on the wider internet about problems regarding particular patches that show up on our Windows Update list –
      maybe they are specific or rare problems which contributors to AskWoody.com may not have personally experienced, so the problems have not yet been reported on the AskWoody.com site, but they could still be problematic for one’s own computer configuration.

      Your advice:

      “generally installing them unless a web search reveals major problems with one of them”

      “Check around the net for more input on any other entries in the “Important” list”

      At the end of the day, each of us is the captain of our own ship (computer), and the responsibility lies with us to patch with as much care and research that we can muster, every single month.

      What works for the vast majority of the population sometimes doesn’t work for oneself (and one’s equipment), and no independent researcher/independent website is going to have immediate knowledge of all the Windows Updating issues that are arising, especially the more rare ones.

      The fact that complicated Windows Update problems can take several weeks to be understood and widely reported
      [and my personal situation of often being in a small % of people who have an unusual experience rather than just having a statistically “normal” life (ha ha) ]
      is why I have decided to wait an _extra_ month before I do anything.

      So I have put October’s patching on hold, and I’ll wait until Woody’s go-ahead in late November for the November Patch Tuesday patches before deciding whether I will try October’s patches on my finicky computer.

    • #29626


      “Following along here” on this website was the first option Woody gave, and you seem to be able to do that one, since you are here now!

      The time of the month when he changes his Def Con rating is typically after the 3rd Tuesday of the month and prior to the 2nd Tuesday of the next month — generally, the Def Con rating to “go ahead and patch” is in place during the last week of a month.

      If you don’t normally visit Woody’s website (say, on a weekly basis), just coming here once in the middle of the last week of the month to see what the Def Con rating is would generally suffice.

    • #29627


      In my experience, what you have described is normal behavior for different patches — sometimes they have to configure Windows and take some time, sometimes they don’t.

    • #29628


      I honestly don’t know what you guys are talking about here — but it seems to be important.

      Is this something that is going to be explained in your “speeding-up” InfoWorld article which still seems not to be up on their site?

    • #29629

      Naw. It’s just a sequence of patches that culminate in the servicing stack getting updated.

      (By the way, looks like my speed-up post won’t run until Friday.)

    • #29630

      Sorry ’bout that.

    • #29631

      Ok, I should’ve mentioned in my first post that all the patches are listed as successfully installed in my update history but at the same time I’ve never seen it not need to configure after updating so I kinda freaked out a little. Thanks for the response.

    • #29632

      Woody, if your InfoWorld article is not up till Friday, would you please publish it here? At least the gist of it, if you can not literally publish it here first.


    • #29633


    • #29634



    • #29635

      Not true. You should never ever find a virus on your computer, even with the best antivirus tools. The antivirus is there for assurance.
      The viruses don’t just come out of the blue, there is some user action for this to happen.

    • #29636

      ch100, Sorry have to disagree. I have had numerous cases of clients who were browsing sites that are normally considered safe and suddenly a pop up warns that their computer is infected and they must call a number to get it fixed. It actually should just be closed using Task Manager, but it traps lots of people. AV software does not necessarily catch this stuff.

      Also, the average user (who thinks of their PC as a potato peeler) is just not sophisticated enough to know where not to go or to not click on a link in an email.

      AV is there to protect them.


    • #29637

      It is not about speeding-up. It is about a few updates which may fail if not installed separately. WU should take care of the sequence, but we are getting back to the subject of users knowing better and installing selectively, which sometimes confuses WU. In such situations, the best way of tackling the issue is to install manually each of the mentioned critical updates, one at a time.
      Woody actually enquires about the most recent servicing stack update KB3177467 which seems to create problems for a few people and if it can be delayed safely.
      The answer is that it can be delayed now, but it will be required soon.
      There is a condition though, which is not an issue for most. KB3020369 must be installed in all circumstances for anyone trying to do any update.

    • #29638