• MS-DEFCON 3: Win10 customers should install March updates, but Win7 victims have some soul searching

    Home » Forums » Newsletter and Homepage topics » MS-DEFCON 3: Win10 customers should install March updates, but Win7 victims have some soul searching

    • This topic has 455 replies, 81 voices, and was last updated 4 years ago.
    Author
    Topic
    #181929

    Full details — and there are many — coming in Computerworld.
    [See the full post at: MS-DEFCON 3: Win10 customers should install March updates, but Win7 victims have some soul searching]

    Viewing 125 reply threads
    Author
    Replies
    • #181938

      Oh-oh. “Victims” sounds especially ominous. I have a sinking feeling and don’t want to screw-up my machine as it’s performing fine now. Awaiting further details on Computerworld. Win 7 Pro x 64 i7-Haswell Core

      1 user thanked author for this post.
      • #182588

        That ‘sinking feeling’ as you put it, was my instinct with the news and introduction of Meltdown/ Spectre patches in January. Since then, neither of our W7 systems have been online or patched. My W8.1 system however has since been re-imaged to December 2017 and ALL the systems work well.

        ‘Bliss’ was the name of the default WinXP wallpaper, defaults nowadays are FAR from bliss!

        "-rw-rw-rw-" extreme computing
    • #181939

      “Fasten your seatbelts. It’s going to be a bumpy night!”

      Or,

      “Don’t open that closet door, McGee!”

      3 users thanked author for this post.
      • #181950

        I am now officially as “old as dirt” as I “get” both of your references. Which explains why I stubbornly declined the multiple offers by Microsoft to “upgrade” me to Win 10 when it was a freebie.

        7 users thanked author for this post.
        • #182095

          Same here. And the never-ending months of increasingly botched updates, plus the need to avoid installing telemetry updates, has given me a lot more white hair. The only upside to all of this is that everyone at the office thinks that I look more distinguished.

        • #182596

          which one is telemetry update? i usually only install monthly rollup, i should be fine right? kinda new at this updating windows 🙁

        • #182597

          Telemetry: Win7 KB 2952664, Win8.1 KB 2976978

          1 user thanked author for this post.
        • #182604

          i read this https://www.computerworld.com/article/3268133/microsoft-windows/get-the-march-patches-for-your-windows-machines-installed-but-watch-out-for-win7.html

          and woody said that the total meltdown fix bring bug from march updates. is it better to uninstall it? or should i be okay? and about IE patches, do i need to install it too if i never use IE myself?

          btw my update sequence installed so far is January rollup update and KB4100480. (is this okay?)

          i didnt install february/march rollup so far

        • #182685

          Hello heybengbeng,

          Welcome to the Lounge. It sounds like you are doing Group A updating, on Windows 7, last having updated with January patches. The January patch had the Total Meltdown bug included.

          The usual pattern of updating here is to wait for the Defcon level to change… and Woody writes a post like this one, and it always includes a link to a ComputerWorld article. You only need to follow Woody’s instructions for Windows 7, Group A. This month is a little different because he points out there are potential problems for Windows 7, and that users need to make a choice about what option they want to follow, in addition to being Group A or B. Woody has done an awesome job figuring out what the problems are, and what the different options are. You need to make a decision about what path to take… and then follow the instructions for that path.

          In #182158 I isolated out what Woody was saying for Windows 7, Group A people, in his ComputerWorld article. It also has links to information on telemetry in Windows 7, and the Knowledge Base article on Group A updating.

          The March Rollup will include February’s updates, so you don’t have to go back and patch that separately, if you decide to install March’s Rollup.

          Non-techy Win 10 Pro and Linux Mint experimenter

          1 user thanked author for this post.
        • #182910

          Hello heybengbeng, Welcome to the Lounge. It sounds like you are doing Group A updating, on Windows 7, last having updated with January patches. .

          Hello Elly, i dont know if im doing Group A or not since im just recently join and starting updating my windows. before i never update it XD. when i update so far i only update security rollup update ( every a few months or so), ignoring other important update or optional one. dont know if thats okay or not tho since thats what i always do and never had problem before 🙂

        • #182924

          @heybengbeng,

          Group A is the updating recommended by Woody for most people. It uses the Monthly Quality and Security Rollups that are offered through Windows Update. These are cumulative, and if you apply the most recent one, you are up to date.

          Group B uses Security Only patches that must be individually applied. They are not offered through Windows Update. There is a Security Only patch issued for every month, since the Rollups started, and each month’s patch must be applied for your OS to be fully patched.

          I assumed, since you said rollup, that you are doing Group A updating.

          Non-techy Win 10 Pro and Linux Mint experimenter

        • #183168

          Have the telemetry patches made it into any of the Monthly roll-ups to date?  It seems like that is a separate course on the WU menu so far.

          1 user thanked author for this post.
        • #183271

          Datapoint:

          On our W8.1 yesterday, I had noticed checking SDAntibeacon that it is now blocking 1 of 5 where the day previous 4 of 5 CEIP Scheduled tasks were being blocked. I’m now thinking that MS are not honouring switches in W8.1

          Having checked settings for appropriate areas within the OS, everything was as it should be for our system.!?

          NOTE: NO patches were installed for Jan/Feb/March (not even MSRT, licence declined) other than Flash Critical updates.

          "-rw-rw-rw-" extreme computing
        • #183286

          “Have the telemetry patches made it into any of the Monthly roll-ups to date?  It seems like that is a separate course on the WU menu so far.”

          See my post “What evidence exists that Group B gets less telemetry than Group A?”

          1 user thanked author for this post.
    • #181951

      ok – this is probably a stupid question – but how do you know if you have  Windows 7/server 2008 R2?

      When I click on computer and properties mine says – windows 7 home premium,  service pack 1 but nothing else.  It is a 64 bit machine with an intel core i7 processor if that matters.

      2 users thanked author for this post.
      • #181958

        You have Win7. The “/” means “or.” Server 2008 R2 is a different kind of computer.

        1 user thanked author for this post.
      • #181994

        @anonymous:  When I click on Computer, there is no line item which refers to “properties”  – – – – I wonder why.  I’m not computer literate, however normally I would have expected to see something referring to properties.    ????

        • #182014

          Right click…

          Non-techy Win 10 Pro and Linux Mint experimenter

          1 user thanked author for this post.
        • #182197

          @Elly:  Thank you SO much for the help!   Mine says the same as “anonymous”, so guess I’m just the WIN7, Home Premium, Service Pack 1.     Your help is very much appreciated!    🙂

          1 user thanked author for this post.
    • #181956

      on windows 8.1 notebook i’m installing march security only (group b) patches right now, then i go for office 2010, defender, flash patches as every month.

      on windows 7 machine i do nothing. i won’t install buggy march patches and i also won’t rollback to december. i’m gonna rely on askwoody and on noscript for some time.
      what about office 2010 patches on windows 7? can i install these without having windows security only patches installed?

      • #181959

        The answers to your questions will be in the ComputerWorld article linked on the main blog page once it gets published.

        1 user thanked author for this post.
        • #181978

          after reading that article i’m still not sure if i can install office 2010 patches without having installed any march windows security only windows patches.

          if i decide to install security only patches on windows 7 64bit some day (not today) following article 2000003:

          Mar 2018 KB 4088878
          Mar 2018 (IE11) KB 4089187
          Mar 2018 (IE11) KB 4096040 (released 3/23/2018, replaces KB 4089187, fixes “IE11 doesn’t start after installing KB4089187)

          if kb4096040 replaces kb4089187: can i skip kb4089187 and only install 4096040?

          and on windows 8.1 there is one curiosity:
          after applying security only march patches for windows 8.1 (kb4088879 and kb4089187) snooping patch kb2976978 appears BOTH as checked important AND as unchecked optional… that’s weird…

        • #181983

          You only need KB 4096040 for IE – it’s cumulative.
          Read the requirements for KB 4088878 – You need to install KB 4099950 FIRST.
          You will also need the fix for Total Meltdown KB 4100480

          3 users thanked author for this post.
        • #181995

          now i’m totally confused. if i have to install kb4099950 and kb4100480 first, why aren’t these listed in article 2000003? if i just would have followed that, i would have done everything wrong… what a mess!

          is this order/sequence correct?
          1. kb4099950
          2. kb4100480
          3. kb4088878
          4. kb4096040

          for now i stay group w. i’m not going to install any of march updates, i also won’t install kb4099950 and kb4100480. i also won’t rollback to december, so i’m staying on february patch level for a while, relying on panda endpoint protection and noscript (firefox), ublock (chrome)…

          1 user thanked author for this post.
        • #182005

          Follow this order
          1. kb4099950
          2. kb4088878
          3. kb4100480
          4. kb4096040

          now i’m totally confused. if i have to install kb4099950 and kb4100480 first, why aren’t these listed in article 2000003? if i just would have followed that, i would have done everything wrong… what a mess!

          The instructions in AKB2000003 are for Group B. Group B does not include the things like hotfixes Microsoft has issued this month.
          Group B is getting almost impossible to follow unless you are extremely computer literate. That is why we have been recommending people choose otherwise.

          4 users thanked author for this post.
        • #182013

          i will decide monday at the earliest if i patch windows 7. i also wait with office 2010 patches.

          anyway, patching on windows 8.1 notebook is finished. groub b security only windows patches and office, flash, defender and msrt patches installed. 10 in total. after another reboot this curiosity i mentioned earlier remains: snooping patch kb2976978 appears BOTH as checked important AND as unchecked optional… that’s weird…

        • #182017

          Hide both of the snooping patches

          3 users thanked author for this post.
        • #182026

          Would it be a good idea to install KB4099467 as well to mitigate the possible BSOD on logging out issue?  I assume it’d be best to install it last if so?

        • #182037

          “Would it be a good idea to install KB4099467 as well to mitigate the possible BSOD on logging out issue?  I assume it’d be best to install it last if so?”

          I consider whether to install KB4099467 a close call. I chose not to; I haven’t experienced the issue that KB4099467 fixes yet. For those that install KB4099467, I think it’s best to do so in this order:

          1. Install KB 4088875 or KB 4088878. Do not reboot.

          2. Install KB 4099467. Reboot.

          6 users thanked author for this post.
        • #182160

          so if installing kb4099467 would make this sequence:

          Follow this order
          1. kb4099950
          2. kb4088878
          2.a. kb4099467
          reboot
          3. kb4100480
          4. kb4096040
          reboot
          office 2010, msrt, …
          reboot

          right?

        • #182182

          “so if installing kb4099467 would make this sequence:”

          Looks good to me.

          1 user thanked author for this post.
        • #182601

          i just recently installed KB4100480 to my pc win 7 64bit. my last security rollup is January rollup. i didnt install february or march rollup yet. is it okay?

          my update sequence

          1. January rollup

          2. KB4100480 (checked, important)

          after install that KB4100480, only february rollup that showup in my windows update

          i read this https://www.computerworld.com/article/3268133/microsoft-windows/get-the-march-patches-for-your-windows-machines-installed-but-watch-out-for-win7.html

          and woody said that the total meltdown fix bring bug from march updates. is it better to uninstall it? or should i be okay? and about IE patches, do i need to install it too if i never use IE myself?

        • #182662



          @heybengbeng
          :

          That update sequence is ok.

          “woody said that the total meltdown fix bring bug from march updates”

          Here is my analysis of KB4100480.

          “about IE patches, do i need to install it too if i never use IE myself?”

          Yes you should.

          “after install that KB4100480, only february rollup that showup in my windows update”

          Regarding KB4088875, see https://www.askwoody.com/forums/topic/ms-defcon-3-win10-customers-should-install-march-updates-but-win7-victims-have-some-soul-searching/#post-182184.

        • #182918

          @MrBrian

          “Here is my analysis of KB4100480.”

          so from what i read from your analysis :
          IE, NIC and SESSION_HAS_VALID_POOL_ON_EXIT (ab)” stop error is not included in KB4100480. well so far i didnt use IE(my IE still IE8 i think), and no bsod so far so i think its good.
          and since my pc is win 7 64bit i5 3470 i think i should be okay from PAE and SSE2 known issue right? well at least with your analysis i now know my pc should be okay 🙂

          “about IE patches, do i need to install it too if i never use IE myself?”

          “Yes you should.”

          any reason why i should update IE if i never use it? i think my IE still IE8 tho. this is my first time updating windows. so far i only update security rollup(May 2017,January 2018) ignoring other important and optional update

          so i guess its better for me now to wait till good patch rollup come out right? since based on your analysis January rollup + KB4100480 should be okay(at least Total Meltdown got patched) and shouldnt give me known issue from March update. so i guess i will wait and see if April or May rollup is good or not.

        • #182937

          Internet Explorer (IE) was integrated into the Windows Operating System, by Microsoft. Even if you don’t use it, since it is part of your OS, you need to keep it updated.

          There are problems that we are dealing with, the last three months, that are related to bugs in the patches that Microsoft has issued. Those are the ones related to NIC, causing network connection problems you refer to. They are potential side-effects of patching.

          There are other problems that you might not be aware of, but are vulnerabilites to malware or viruses, that are patched by the Security Only, or security part of the Rollup patches. You wouldn’t be aware of them, until after your system is compromised, but the patches help avoid getting them in the first place. Actually, some are so sneaky, you could be compromised, and not be aware of it, and be spreading bad stuff to others. You could go years and not get any (depending on your browsing and downloading habits) even if these openings to malware exist on your system… but it is probably better not to be vulnerable.

          It would be wise to review how you are patching, and make sure your system is up to date.

          Non-techy Win 10 Pro and Linux Mint experimenter

          1 user thanked author for this post.
        • #183343

          Hi Elly,

          if its for security then isnt installing security monthly rollup is enough ( thats what i did so far since it said it will include every security update on monthly rollup), thats what makes me confused

          if i read this article : https://support.microsoft.com/en-us/help/4096040/cumulative-security-update-for-internet-explorer-march-23-2018

          it said those IE cumulative fixes already included in monthly security rollup, so i assume that cumulative IE update should include security and non security update. while security update for IE etc will be included in monthly security rollup, the non security update wont be included right?

          correct me if im wrong since im new at this updating windows thing :(, this is just me assuming from what i read

          so installing monthly security update should be enough or not if the user never use IE anyway to get any benefit like new feature or improvement from IE non security update(which included in cumulative security for IE), since the security update for IE included in monthly rollup

           

        • #183348

          The Monthly Rollup contains three parts: non-security updates, security updates, and the IE11 Cumulative.

          Those who do not install the Rollup need to install the Security-only update and the IE11 Cumulative. So they get two of the three parts on the Rollup.

          1 user thanked author for this post.
        • #182370

          Thanks PkCano, this is very helpful. I’m afraid though, that I installed kb4088878 before installing kb4099950, which was optional for me so I didn’t notice it. I did install kb4100480 after installing kb4088878, but was never offered kb4096040. Have to say this must be the busiest forum thread I’ve seen in a long time!

        • #182076

          Susan Bradley says of kb 4096040. “Only install if you have installed the March Windows 7 updates”. As I have no intention of installing the March Windows 7 updates, I assume that means I don’t need kb 4096040 either. Is that right? Many thanks.

        • #182103

          @The Surfing Pensioner: Do you want to install a March 2018 cumulative update for Internet Explorer or not?

        • #182180

          Strange question. As I said in my previous post, Susan Bradley advises not to instal kb 4096040 unless you are installing the March 2018 Windows 7 updates – presumably the March roll-up or security patch. I intend to install neither, at least not at the present time. If her advice holds, therefore, I should not install the March 2018 IE cumulative update either. I am simply asking whether we have consensus on that point. Please let me know if I’m not being clear.

        • #182183

          @The Surfing Pensioner: There is more than one March 2018 cumulative update for Internet Explorer; there is also KB4089187. I’m not sure if you’re trying to avoid just the Windows 7 March 2018 update, or all of Microsoft’s March 2018 updates.

        • #182193

          As I have said, I do not intend to install the Win 7 March 2018 update at the moment. Neither have I installed kb 4089187, due to reported bugs. However, I would normally update my IE provided the latest cumulative update appears bug-free. In my circumstances, Susan Bradley would seem to advise against this. Do you agree?

        • #182259

          @The Surfing Pensioner: KB4096040 has the fix for an issue in KB4089187. You probably wouldn’t experience this issue. It’s your call as to which to install.

        • #182297

          What the information on kb4096040 actually says is that: ” This security update resolves several reported vulnerabilities in IE 11 running on Win. 7 SP 1. The most severe of these vulnerabilities could allow remote code execution if a user views a specially crafted webpage in IE. To learn more about these vulnerabilities, see Microsoft Common Vulnerabilities and Exposures. This security update also includes improvements and fixes for IE 11 that resolve the following issues: IE 11 does not start after you install the March 13th 2018  IE cumulative  update for IE.” – Which sounds to me as if kb4096040 potentially includes security fixes that might well be an asset. Kb 4089187 on the other hand, as stated here, is a buggy update which kb 4096040 was issued (amongst other things) to fix. I’m (thankfully) not stupid enough to install it and I’m very surprised to read you encouraging any Win. 7 user to do so, since it cripples the browser. I was unsure whether Susan Bradley’s advice against installing kb 4096040 unless one is also installing the Win. 7 March 2018 update (roll-up or security) was to be taken unequivocally but, since you appear not to know the answer, I shall err on the side of caution and follow it. Come the April 2018 IE cumulative update I shall be up-to-date, anyway.

        • #182314
          1 user thanked author for this post.
    • #181967

      What order should Windows 7 Group B install these updates?  That is if it’s safe to, seeing as the Master Patch List still advises holding off installing the security-only update.  I’m pretty certain the NIC script goes first, but I see fixes for BSODs and such.  Considering I already have the Total Meltdown fix installed, I don’t think I’ll have to reinstall it since Windows Update, from what I read on here, should be smart enough to not overwrite it.

       

      I also apologize if this is a double post, had a connection error trying to send this.

      • #181970

        The answers to your questions will be in the ComputerWorld article linked on the main blog page once it gets published.

        1 user thanked author for this post.
        • #181982

          I see many of you asking for the order of updates to install and right now my recommendation is:

          If you have any January through March update installed, make sure KB4100480 is installed.

          Otherwise go into add/remove programs and roll back to December’s KB4054521 (security only) or KB4054518 (rollup) and then hang tight and keep our fingers crossed that April’s updates will resolve these issues.

          I did install KB4100480 as per Patch Lady’s March 31 post. (Above) I didn’t roll back to Dec.2017. Should I have rolled back? I have just read the Computerworld Article. Now I’m confused. Win 7 Pro x 64 i7 Haswell

        • #181999

          From Woody’s Computer World Article:

          “As of this moment, EVERY Windows 7 / Server 2008 R2 64-bit patch released this year opens a gaping security hole commonly called “Total Meltdown.” In addition, recent patches have a healthy collection of bugs that range from blue screens (STOP messages), to blocking Internet Explorer 11, to a particularly debilitating bug for folks running servers that leads to lockups due to SMB leaks.”

          That is EVERY Windows 7 64 bit patch… which means using any of those patches will open up an easily exploitable hole in your system… although they will ‘patch’ regular Meltdown and Spector vulnerabilities, that do not, as yet, exist in the wild…

          Hmmm… big, easily exploited hole that even novices can code for, or patches for relatively difficult exploits not in circulation…

          or, phrased differently…

          Huge risk (install patches)… vs. almost no risk (don’t install patches)…

          I’m not confused… I’ll go the almost no risk route…

          And I didn’t even address the other risks (BSOD) the patches have…

          The evidence for not patching gets stronger…

          But, as always, back up your data!

          Non-techy Win 10 Pro and Linux Mint experimenter

          7 users thanked author for this post.
        • #182206

          But, as always, back up your data!

          And not least your system drive/partition.

          Have never been more important in all the time of using computers.

          The irony is that it’s not in fear of virus, highjacks, malware etc. but… Microsoft.

          Sigh.

          4 users thanked author for this post.
    • #181961

      Should those of us in Group B (Win 7 Pro x64) with both Jan & Feb security only patches installed, just install KB4100480, then IE Security update for March, and then any Office 2010 patches from March and hold off installing March Security Win7 only update?

      • #181971

        The answers to your questions will be in the ComputerWorld article linked on the main blog page once it gets published.

        • #182284

          Woody’s Computerworld article doesn’t mention KB4100480.  As I understand the situation, there are two basic choices:  (1) Forget about KB4100480 and roll your machine back to the December patches; (2) Keep January/February patches and install KB4100480.

          2 users thanked author for this post.
        • #182285

          I did this one:

          (3) Install March 2018 updates and KB4100480.

          3 users thanked author for this post.
        • #182387

          Mr. Brian:   It was the KB4100480 that I was trying to find the number on.   I installed this one as soon as we were told to, which is one reason my “list”  is not matching yours exactly.  I will try to begin learning to do the “setting restore point”, or “back-up” before I attempt to install anything.   It may not be possible for me to do this.   If I can just get the knowledge to have deal with these kind of security issues.   Once false move and I’m “shot down”.     Thank you once again.    🙁

        • #182524

          Windows 7 normally sets a restore point automatically before installing updates from Windows Update.

        • #182905

          Windows system restore is very useful. However, don’t always presume it’s turned on! Check to make sure…

          https://www.online-tech-tips.com/windows-vista/enable-disable-system-restore-vista/

           

           

    • #181972

      Woody’s article in Computerworld went online a little while ago:

      Get the March patches for your Windows machines installed, but watch out for Win7

      https://www.computerworld.com/article/3268133/microsoft-windows/get-the-march-patches-for-your-windows-machines-installed-but-watch-out-for-win7.html

      4 users thanked author for this post.
    • #181980

      I am not feeling lucky, and am choosing to hold tight, Group B updating current to December 2017.

      Microsoft hasn’t been able to manage patching, and I can’t help hope that they realize that, and return to individual updates… three months of unsafe patching havoc, and soon we will be face to face with month four… and for me, the safest thing is to sit (temporarily, I hope) on the Group W bench.

      Non-techy Win 10 Pro and Linux Mint experimenter

      10 users thanked author for this post.
      • #181987

        Elly, I am feeling lucky and still holding on Dec 2017 updates, to see what April brings.

        Probably more showers!

        "-rw-rw-rw-" extreme computing
        5 users thanked author for this post.
      • #182283

        I’m with Elly.  My Win7 64b now restored to Dec 2017.  I suspect IE updates are a separate track not needing roll-back (guidance did not address), but I zapped those as well.  Don’t use IE anyway.  At this point, I am not willing to ass-you-me ANYTHING.  Like a 3rd or 4th  remarriage, waiting for M$ to miraculously set everything right in April seems to me the triumph of hope over experience.

        So I too now sit on the Group W bench.  And I’m not leaving until there is compelling reason to do so.

        Whoever came up with “When the going gets tough, the tough get going!” did not anticipate being Group B in 2018!  If she had, she would have written “When the going gets tough, the tough remain determined but follow a rational plan, and the reckless plunge into the unknown!”  I have to admit, though, the original phrasing is more catchy!

        May The Force be with us!

         

        2 users thanked author for this post.
    • #181985

      I’m on Win 7 x64 and I installed the March patch that should fix the whole exploit that Microsoft caused and wow… THAT was a mistake! That update made my machine glitch out and run extremely slowly, it took about 2 seconds just to open explorer, folders, files etc which made me crazy. I uninstalled the update and now things are running normally.

      7 users thanked author for this post.
    • #181986

      Hmmmm………………………….Who said ‘Group W’ was dead? I’d love to hear Canadian Tech on this little scenario!

      5 users thanked author for this post.
    • #181989

      Which updates are safe for people on 1709 to install?

      • #181992

        Read Woody’w article in ComputerWorld (linked on the main blog page)

        • #182047

          According to Woody’s Article he released today it says:
          Windows 10
          Go ahead and install all outstanding Win10 patches. They were re-released and re-re-released in March, and the current versions appear to be working OK. Heaven only knows what’s going to happen on April Patch Tuesday, so get the patches squared away now.

          Yet I am wondering about this found in the march 28th article regarding 1709 re-releases:

          https://www.computerworld.com/article/3216425/microsoft-windows/microsoft-patch-alert-windows-7-takes-the-brunt-of-march-patching-problems.html

          Version 1709 – the Fall Creators Update — saw an emergency fix, KB 4090913, on March 5, which fixed a bug introduced in the February round of patches (and rendered some machines unbootable); a “regular” Patch Tuesday patch, KB 4088776 on March 13; and a big out-of-out-of-band patch KB 4089848 on Thursday, March 22. The biggest complaints involve the usual chorus of patches that refuse to install, and driver problems. Reports of INACCESSIBLE_BOOT_DEVICE bluescreens are tapering off.

          So can you please tell me what updates are safe-Here is the ones I’ve hidden and deciding which ones to install tomorrow or sunday night.

          cumualtive update: KB4088776

          Update for win 10 1709 x64 based systems: KB401994 and KB4058043

          Update windows antivirus platform: KB4052623

          The other is adobe player and malicious software tool which I know are safe-i just need to know if the ones I’ve listed are safe to install.

        • #182064

          All I can do is requote Woody

          Go ahead and install all outstanding Win10 patches. They were re-released and re-re-released in March, and the current versions appear to be working OK. Heaven only knows what’s going to happen on April Patch Tuesday, so get the patches squared away now.

        • #182102

          Follow the steps in the article and you’ll be OK.

          There are lots of patches floating around. For 1709, run Windows Update and let it sift out which ones need installing.

        • #182133

          Woody, you may recall that I’m the guy on 1607 that, whenever Windows Update Service sniffs out that any of my three computers have the service turned on, up pops the Windows Upgrade Assistant and the upgrade to 1709 begins immediately, no questions asked. At least that’s what happened when I turned it on to check for and hide the March Updates with WUMT. I quickly unplugged my router and went through the process of removing all vestiges of what the Upgrade Assistant had done, and then used all the suggested ways I could find to block it from running again. Still, every time I turned on the Update Service, it immediately installed KB 4023057. I didn’t wait to see if the upgrade to 1709 still begins with no warning. I just went through the process of cleaning up after it again and haven’t turned on the Update Service since.

          As a result, I installed all the March updates manually by downloading them from the Update Catalog. Since this was my first time doing that, it took quite a while and much frustration getting everything figured out. Anyhow, I’m just wondering if MS is still force feeding us KB4023057 if the Update Service is turned on, and if it’s still forcing the upgrade to 1709? Have you, or anyone, heard anything about whether this is still happening?

        • #182630

          I can’t remember offhand what version of Win10 locked down staff PCs (that automatically reimage when rebooted) at work are, since I’m off today, but we’re still getting the forced upgrade attempted, necessitating shutdowns on those (the upgrade will fail anyway because of the blocks, and a reboot will reset the PC). They’ll get bumped up next month, and I did pass on the image file execution options debugger registry method to IT to block upgrades, as it is working for me (although I am biting the bullet and upgrading now).

          2 users thanked author for this post.
        • #182681

          “I did pass on the image file execution options debugger registry method to IT to block upgrades, as it is working for me (although I am biting the bullet and upgrading now).”

          I’m glad to hear that the image file execution options debugger registry method is working for you :). Which exe’s are you blocking with it?

        • #182846

          See my comments in the thread about blocking updates: I ran the script from pastebin by AveYo that was linked, without any modifications, although it was a recent version of the script as I download it over a week ago, when I started on the slow process of updating two computers that hadn’t been run in about a year, one with a bunch of programs on it and heavily modified that therefore took a while to prep (mine 😀 ). However, since my PC took a while to get ready and has been rebooted multiple times and has been online with the exception of the actual installation of the 1709 .iso, it was a good test of the script since MS did start sneaking on the prep patches before I yanked out my wifi adapter, uninstalled the one that snuck on, and ran the script. Interestingly, MS doesn’t wipe the registry settings when actually upgrading Win10, so you do have to remember to rerun the script to toggle updates back on to get fully updated after upgrading.

          1 user thanked author for this post.
      • #181993

        As per woody’s article, all windows 10 patches are ok see here

        For further specific versions of Windows 10 see Woody’s linked article see there

        "-rw-rw-rw-" extreme computing
    • #182003

      Just read the Computer World article.  I’m taking the advice I liked the most…if you don’t feel lucky, don’t do anything and hope MS fixes this mess in April with better patches.  It’s not worth the risk to take a chance and update.  The only checked patch I have is KB4100480.  I think I can live without it.  My backup plan is this…I have an appt at the Apple store this Sunday for a new iPhone battery.  While there, I’m going to start shopping for and considering an iMac.

      • #182106

        If you don’t have an overwhelming need for Windows – that is, if you don’t need to run a program that only runs on Windows – seriously look at Chromebooks, too.

        Google mines all your data. Apple doesn’t. That’s a dealbreaker for some. But if you’re using Chrome and Google Search anyway, the Chromebook is fine.

        3 users thanked author for this post.
        • #182394

          Women and children only!  Men go down with the ship.  The Carpathian is on its way.

          We're getting Sticker Shock everywhere now, not just car dealers.

          2 users thanked author for this post.
        • #182450

          It does seem like we’re on the Titanic sometimes ?. But it doesn’t bode well for the future of Windows…

        • #182714

          Here`s a suggestion.  You might want to move the deck chairs around the Titanic.  Will help for awhile.

      • #182430

        …or consider running Linux Mint on your current computer.

        Get a good backup of the whole thing, create a Linux Live DVD, and run it for a while, to see what you think. If you like it, click the Install icon.

        Group "L" (Linux Mint)
        with Windows 8.1 running in a VM
        2 users thanked author for this post.
    • #182000

      If I’m in Group B (Win 7 Pro x64) with both Jan & Feb security only patches installed, should I in this order…> (1) install KB4100480, –>(2) then install IE Security update for March, and —>(3) then install any Office 2010 patches from March and—> (4) for now hold off installing March Security Win7 only update? Thanks in adv.

    • #182006

      Windows 7 Pro ( 1703 )…March updates went well and my Window 7 is staying right where it is. It’s running really well after rolling back to Dec.

    • #182007

      For those with 1709, is it safe to install the march monthly updates?

      • #182015

        Woody’s main blog article says that is the case.

      • #182027

        Woody has an opinion and that’s fine. However, since Windows 10 updates include all previous updates, it’s safe to wait until Patch Tuesday next week and let Windows Update take care of, especially for Windows 10 1709. If you hit the ‘Check for updates’ button now, you’ll only get the latest preview release of the patches (KB4089848 (OS Build 16299.334))! ‘Stable’ updates are shipped on Patch Tuesday only! All other updates are previews and you shouldn’t touch. So, don’t touch the switch, don’t touch the button, don’t touch nuttin.

        • #182029

          I doubt seriously that waiting four more days will hurt anything as far as the computer is concerned. But you might want to wait even a little longer to be sure there is no gotcha in the upcoming CU either.

        • #182110

          … and that’s precisely the gotcha. What if Tuesday’s patches are worse than the current ones?

          5 users thanked author for this post.
        • #182489

          You’re right! That’s why the best time to install Patch Tuesday updates is the day before previews get shipped (3rd Tuesday of the month). As soon as previews are out, it’s too late again..

    • #182021

      No, as of this time I still won’t patch my Windows 7 x64 systems as I consider this mess still not resolved to my satisfaction. They will stay at the December 2017 patch level for as long as necessary.

      I will, however, patch my Windows 8.1 x64 systems with the March Security-only updates soon.

      Hope for the best. Prepare for the worst.

      4 users thanked author for this post.
      • #182046

        This is exactly the way I plan to handle this mess now that I’ve uninstalled the January and February patches from my Windows 7 x64 desktop PC. Staying in Group B is getting more difficult by the month, but not impossible thanks to Woody and all the other knowledgeable contributors on this site. A big thank you to everyone.

        6 users thanked author for this post.
        • #182235

          We still have to patch the Win7 boxes at work for obvious reasons, but I’ve thrown in the towel on my home Win7 systems.

          Whether by sheer incompetence or malicious intent, Microsoft is dismantling (brick by brick) the previously-reliable, stable, and hassle-free experience that Windows 7 provided for so long. And I don’t believe it’s just Spectre/Meltdown related.

          I’ve upgraded all but two Win7 boxes at home to 8.1. The last couple are Group W effective immediately. Rolling back to December 2017, with no more ‘net access for those guys.

          My other tinfoil hat wonders how long it’ll be until Microsoft does the same to Win8.1.

          3 users thanked author for this post.
        • #182241

          My sentiments and thoughts exactly. How coincidental and opportunistic for an ailing PC market over the last few years.

           

          "-rw-rw-rw-" extreme computing
          3 users thanked author for this post.
        • #182317

          My other tinfoil hat wonders how long it’ll be until Microsoft does the same to Win8.1.

          I’m wondering, too. Win 7 has less than 2 years of extended support left. Win 8.1 dropped out of mainstream support in January & has less than 5 years of extended left. Sadly, when Microsoft can convince (or force) most of the remaining Win 7 users to upgrade to Win 10 Whatever, then Win 8.1 is the next target.

          2 Machines for Now!
          #1: Windows 8.1, 64-bit, back in Group A.
          #2: Getting close to buying a refurbished Windows 10 64-bit, recently updated to v1909. Have broke the AC adapter cord going to the 8.1 machine, but before that, coaxed it into charging. Need to buy new adapter if wish to continue using it.
          Wild Bill Rides Again...

          3 users thanked author for this post.
        • #182550

          I don’t think that MS will ever get around to attacking Windows 8.1 like they have Windows 7.  Windows 8.x is in use by such a small cadre of users (on par with the number of users that are still using XP four years after it stopped getting regular security updates) that it seems to be below the radar.  Windows 7 is the big target.   Windows 8, as far as most are concerned, is already dead.

          The tech press has repeatedly told us (during the days when the “should I take the free upgrade to Windows 10” articles were all the rage) that while Windows 7 users may well want to avoid the upgrade, it’s a no brainer for Win 8 users to move to 10.  The message appears to have gotten through, as I’ve seen so many comments on various sites where people have written that as bad as 10 is, 8.x is worse.

          Naturally, I will always take that opportunity to point out why I think 8.1 is far better than 10, but it is shoveling sand against the tide.  It is obvious that the idea that 8.x is even worse than 10 is pretty widespread, almost considered common knowledge.  It’s just a small group of tech-savvy people who use 8.1 now; it’s kind of an open secret of sorts among people who know how to de-silly it and get the extra three years of support out of it as well as avoiding at least this one latest Microsoft “Oops!”

           

          Dell XPS 13/9310, i5-1135G7/16GB, Kubuntu 22.04
          Dell G3 15/3579, i7-8750H/16GB, Kubuntu 22.04

          3 users thanked author for this post.
        • #182683

          I hope you’re right about Microsoft not being too concerned with 8.1. It does make sense considering 8.1 never had significant market share.

          When Windows 8 first arrived, it did have serious issues. The 8.1 update made things better. I use Classic Shell to revive the full Start Menu, and I also disable all the Charms. Desktop Mode is the only mode in use.

          I’ve found Windows 8.1 to be faster and more responsive than Windows 7, especially on SSDs. Yes, there are still a few things I’d prefer were more like Windows 7, but Classic Shell helps a lot. It seems to be just as stable as Windows 7 now that it’s been out for a while. Compatibility seems to be similar to 7, with a few exceptions. As much as I love Windows 7, I am keeping it as a legacy system (and not connected to the Internet). It will be a sad day when 8.1 is end of life.

          I have five physical computers and four virtual machines. Only one physical system runs Windows 10, and that is used for gaming and for watching movies. This system matters the least to me when it comes to forced updates and telemetry grabs. There’s no real importance to any of the data stored on the gaming system. I’ve already moved to a Mac for my daily system, so I feel prepared for whatever Nadella throws my way.

          I believe that Windows 10’s personality will shift over the next 10 years into a pure SaaS. Think Office 365, but for a Windows OS. Enterprises will be the only folks who will have a higher level of control of their systems (as much as MS will allow). The rest of us will be on Windows Cloud or whatever.

      • #182126

        So far all the Win7x64 OS patches with a 2018 date have been poison. I’m standing pat at December 2017, maybe going to group W.

        3 users thanked author for this post.
    • #182022

      I am happy that march patch for those using 1709 is finally stable, but in my opinion for those like me, that are in 1703, we should skip 1709.

      there’s no guarantee that 1709 will be more stable after Windows shift its focus to 1803.

      Just someone who don't want Windows to mess with its computer.
      • #182052

        Sooo Zaphyrus all the patches are safe to install for 1709 for march even the double Update for win 10 x64 system and cumulative update?

        • #182068

          According to Miss.Susan and Mr.Woody, indeed they are finally safe to install. I have 1703, so I can’t really confirm that to you since I hate 1709.

          For those that want to convice me how good is 1709, I already gave up in 1709. so even if Mr.Woody and Ms.Susan says that it contain the secret of the holy grail I wont update to it, I will wait for 1803.

          Just someone who don't want Windows to mess with its computer.
        • #182134

          Well @Zaphyrus I still ponder about installing 1803, I’m gonna hide the feature update 1 min after 12pm on the 10th along with the other updates and debate when to install it. I have WUHide to hide updates and at least that gives me control over what I install on my computer. And also once any bugs or glitches that are in 1803 are fixed, I’ll wait until Woody gives the OK GO to install it. HOPEFULLY WINDOWS/MICROSOFT will not force people ot upgrade like they did a few weeks ago-Believe me I WAS A VICTIM OF forced upgrading. At least my computer installed 1709 perfectly (It’s only almost a year old come this june :3 and it’s a Lenovo Ideapad 320-WHICH I believe is a more sensitive, friendlier and durable computer brand than the others out there-It even has it’s own unique typing-like button on the keyboard than the usual stand alone press one. AND IT HAS A built in battery-almost like how 3DS and tablets have built in batteries.)

          But anyway if everything goes as smoothly on tuesday for me then I don’t have to worry and even in 4-5 months should windows force to upgrade me at least I know that it’ll be safe since they worked the kinks out. Hopefully during the 4-5 month while hiding the update, I’ll be accomplishing a lot in my real life time-including finishing my long-awaited poetry book and planning an open mic poetry night program (which got approved by my boss at the library :3 )

          As a woman with autism-for me I have a daily routine on how I care for my computer: Wake up, use a dust cloth to clean exterior (full detail on sundays), dust off mouse, lint clean the mousepad, plug in power charger, sign in, use ccleaner, advanced system care, disk cleanup, check for any updates using WUHide, sign into my sites and go about my day with either watching anime, writing and other stuff. For Patch tuesdays, I make sure to HIDE updates 1-2 mins after 12pm (My WU is disabled at the time since it only activates at 7pm at night which is convenient for me) and double check to make sure it’s all hidden even before work. Then I come home to check if WU is still disabled otherwise I disable and stop it if it switched itself back on.

          So you see I kinda take my computer routine quite seriously and special care for me, though I shouldn’t worry very much but again as an aspiring writer soon to publish her poetry book and doing other stuff on it, I can’t allow windows/microsoft to keep pestering or bugging me each time when they release new versions of their product. As long as I have this site, Patch Lady, Woody, PK and all of you users with all the 411 on the 911, then I have nothing to worry about.

        • #182156

          Since you have 1709, and  if its stable and everything works fine for you,   I advice to remain in 1709 as long as possible and wait until 1803 is stable. (I have 1703, therefore I only have the rest of this month, May, June, July,August and September to wait for it to be stable enough to upgrade)

          I thought I was the only one that checked updates with Wushowhide. instead of Windows Update.lol.

          As long as you do that and set your connection to metered, Windows Update won’t surprise you, at least in my computer it doesn’t run unless I ask for it.

          Just someone who don't want Windows to mess with its computer.
    • #182043

      This is something not mentioned in Woody’s Computerworld article, so I am asking here in case anyone knows:

      In order to close the “Total Meltdown” hole while keeping the Security Only updates of January and February I’ve already installed, is it advisable to do the following?

      Now (to fix another bug and to close the hole):

      Install (1) KB4099950 ; (2) KB400480.

      When it looks like the Security Only update for March finally is OK:

      (1) De-install KB400480 ; (2) install KB088878 (or whatever the Sec.Only KB number is then); (3) install again KB400480.

      Thanks in advance.

      Ex Windows user (Win. 98, XP, 7) since mid-2020. Now: running macOS Big Sur 11.6 & sometimes, Linux (Mint)

      MacBook Pro circa mid-2015, 15" display, with 16GB 1600 GHz DDR3 RAM, 1 TB SSD, a Haswell architecture Intel CPU with 4 Cores and 8 Threads model i7-4870HQ @ 2.50GHz.
      Intel Iris Pro GPU with Built-in Bus, VRAM 1.5 GB, Display 2880 x 1800 Retina, 24-Bit color.
      macOS Monterey; browsers: Waterfox "Current", Vivaldi and (now and then) Chrome; security apps. Intego AV and Malwarebytes for Macs.

      • #182048

        In your case, assuming that you are using a x64 operating system, if you want to fix the Total Meltdown vulnerability, I would install KB4100480 now. There should be no need to uninstall KB4100480 later when you’re ready to install KB4088878. Before you install KB4088878, you should install KB4099950. You may wish to consider whether to install KB4099467. If you do decide to install KB4099467, it’s probably best to install KB4099467 after KB4088878 but without a reboot in between.

        5 users thanked author for this post.
        • #182073

          MrBrian & PKCano,

          Thanks, and yes, my PC’s OS is Windows 7 x64.

           

          Ex Windows user (Win. 98, XP, 7) since mid-2020. Now: running macOS Big Sur 11.6 & sometimes, Linux (Mint)

          MacBook Pro circa mid-2015, 15" display, with 16GB 1600 GHz DDR3 RAM, 1 TB SSD, a Haswell architecture Intel CPU with 4 Cores and 8 Threads model i7-4870HQ @ 2.50GHz.
          Intel Iris Pro GPU with Built-in Bus, VRAM 1.5 GB, Display 2880 x 1800 Retina, 24-Bit color.
          macOS Monterey; browsers: Waterfox "Current", Vivaldi and (now and then) Chrome; security apps. Intego AV and Malwarebytes for Macs.

      • #182049

        I’m under the impression that you can leave KB4100480 installed and it’s newer files will not be overwritten but remain in place due to Smart features. I installed KB4088878 tonight after installing KB4100480 last wkend. I think MrBrian tested this and the files weren’t overwritten. So I’m hoping that’s the case and I’m protected from Total Meltdown.

        Group L (Linux Mint 19)
        Dual Boot with Win 7
        Former
        Group B Win 7 64 bit

        1 user thanked author for this post.
    • #182042

      Win7 x64 on Zbook 17 workstation. Strictly Group B. Had on-board all security only updates since the last Defcon 3 but had done nothing whatever since. (All roll-ups had been hidden as usual.)

      Decided to give it a whirl and crossed my fingers and toes. Did the revised March IE 11 update first. Then turned on Windows Update. Updated Defender first and installed that update individually.

      As Important and checked, had KB4099950 and KB4100480 offered along with the MSRT and various Office 2010 updates, some of which were checked. Each of the above were installed individually. A couple of unchecked Office patches were ignored but not hidden.

      Was NOT offered KB4088875, so assume that March roll-up has been pulled. Just hoping KB4100480 was a fix and not a Group A roll-up! Nothing in the documentation indicated to me that it was. Hmmm…

      As of yet have noticed no difference in function, fingers crossed… Such fun…, NOT. Turned Windows Update off until the next Defcon 3 or better, (fat chance). 🙁

      • #182077

        “Was NOT offered KB4088875, so assume that March roll-up has been pulled”

        KB4088875 has not been pulled. See https://www.askwoody.com/forums/topic/ms-defcon-3-win10-customers-should-install-march-updates-but-win7-victims-have-some-soul-searching/#post-182023.

        1 user thanked author for this post.
        • #182109

          Thanks. Hid the previews, however as Group B have no desire to install a roll-up. Just hiding previews, KB4088875 still doesn’t show. While installing only Security Only updates prior, I’ve still been offered the monthly roll-up every time…, except in this case. If KB4088875 isn’t being offered now, did KB4100480 supplant it??? Or do I still need KB4088878 at all?

        • #182272

          Group B still needs to install KB4088878 sooner or later.

        • #182804

          Perhaps hoping foolishly that MS will revise this update to correct the BSOD/Stop Error bug, et al. before taking this plunge or installing WITH the mysterious BSOD patch. Not a fan of BSOD’s especially on weekends or uninstalling updates. 🙁

          Related question, can you confirm whether the patch witch fixes the smart card error does ONLY that, or is a “roll-up” which triggers Group A, and whether or not this patch is even needed for my on-board smart card reader as I’ve strictly followed Group B, i.e. did only the roll-ups introduce that issue? I’ve read conflicting info and am confused. Thanks!

        • #182805

          The only fix for the Smart Card I’ve seen was issued as the 2018-1 Preview KB 4091290 – that is essentially a Rollup with the Feb non-security patches added on. @MrBrian might be able to say if the Feb or March Security-only updates fixed the bug.

        • #182885

          KB4074587 no longer is listed as having the smart card issue.

    • #182045

      Took the plunge on Win 7.
      Had already installed KB4100480 last wkend. Tonight, installed KB4088878, infer that KB4099950 was bundled with it, KB4096040, all from the catalog. Installed 3 Office security patches via WU. WU was offering KB2952664 as a checked important update. That is now hidden.
      So far so good. PC is functional, posting from it.
      Thanks to everyone here guiding this very difficult path.

      Group L (Linux Mint 19)
      Dual Boot with Win 7
      Former
      Group B Win 7 64 bit

      1 user thanked author for this post.
      • #182050

        KB4099950 was NOT bundled with the Security-only update and it should have bee installed BEFORE KB4088878.

        4 users thanked author for this post.
        • #182074

          Thanks for that. I just finished using a powershell command search and as you say, it’s not there. Oh well, doubt I’ll uninstall 4088878 to then install 4099950. I don’t use static IPs nor have a NIC issue so I’m hoping I’m good. I’m wondering, will this effect static IPs hereafter in the event I decided I wanted to use them at some point???

          Group L (Linux Mint 19)
          Dual Boot with Win 7
          Former
          Group B Win 7 64 bit

        • #182081

          “I’m wondering, will this effect static IPs hereafter in the event I decided I wanted to use them at some point???”

          I doubt it.

      • #182051

        KB4099950 apparently isn’t being bundled with KB4088878. Group B users should install KB4099950 before installing KB4088878.

        2 users thanked author for this post.
        • #182070

          Probably a dumb question:

          I was thinking 4099950 was irrelevant to me because I’m not on a network. But on second thought, does the fact that I have a Spectrum internet connection mean I’m “on a network” to the extent of making 4099950 advisable (before I install 4088878, which I’m holding off on for the moment)?

        • #182078

          I’m not sure but I think it’s better to be safe than sorry, and install KB4099950 before.

          1 user thanked author for this post.
        • #182079

          If  you have an Internet connection, you have a Network card in your PC. 4099950 corrects problems with network cards (NIC). So yes, it needs to be installed first.

          3 users thanked author for this post.
    • #182056

      So just to be sure the monthly roll up for win7 32bit is clean right? No memory leaks or bsod? As for my 64 bit machine I will hold off patching as I use it mostly for storage, I will install if indeed an exploit arises

      • #182065

        “So just to be sure the monthly roll up for win7 32bit is clean right?”

        I disagree. Of the issues listed at https://support.microsoft.com/en-us/help/4088875, there is nothing there that is noted to be specific to 32 bit or 64 bit except for issue “A Stop error occurs if this update is applied to a 32-Bit (x86) machine with the Physical Address Extension (PAE) mode disabled.”

        2 users thanked author for this post.
        • #182087

          It says there that the update is only made available if the machine has PAE enable, is this true or false? And does this mean the bugs apply to both versions of 7 ? Because from woody’s post on computerworld it makes it appear as if the 32bit version is less problematic than the 64 one

        • #182101

          “It says there that the update is only made available if the machine has PAE enable, is this true or false?”

          Good catch :). I didn’t notice that before. I don’t have any independent info if that’s true or not. That issue should only apply to those who use a 32-bit processor with the 32-bit version of Windows. 64-bit Windows users have the Total Meltdown vulnerability issue though.

          2 users thanked author for this post.
        • #182242

          I still wanna know tough, can I expect the same bugs on my 32bit machine as the ones popping up in  the 64bit update?

        • #182255

          Unless otherwise noted, in my opinion it’s best to assume that any given issue may affect either Windows x86 or Windows x64.

          1 user thanked author for this post.
        • #182313

          Ok thanks, I will wait till Monday to see if anything pops up then I will update

          1 user thanked author for this post.
        • #182523

          ? says:

          i must be the only operator of windows 7 32 bit with PAE disabled. after enabling PAE, KB4088875 appeared in microsoft updates on 32 bit win7 rescan. i previously had two blue screens on two intel powered machines trying to apply KB4088878. see post #176939 on 03/19/2018. i made the false assumption that since DEP was on i had PAE enabled. to enable it if needed:

          https://msdn.microsoft.com/en-us/library/aa366796(VS.85).aspx

          for PKCano, long live Linux!!!

           

          2 users thanked author for this post.
        • #183100

          Thanks for the info, a friend of mine also got a bluescreen on his 32 bit machine. I’ll hold off patching both my 32 and 64 bit machines unless of course some exploit gets released

    • #182057

      Big decision for some Windows 7 users either roll back to December or patch up for March.

      If you decide not to patch then go to Group W permanently IMO.

      I have patched up on 2 Windows 7 64 bit machines and my dual core laptop actually seems lighter as if it is not running as many background tasks and I am fighting the decision now to move this machine from group B to W.

      Can we trust MS on Windows 7 ever again? Is Windows 7 important to MS now?

      1 user thanked author for this post.
      • #182086

        Anonymous:

        The way forward, as I see it, is not trusting MS, but going along while taking precautions such as: back up, back up, back up. And make a restore point before every install.

        And, at least for people still with Windows 7 and 8.1, wait a few more months while doing that, to see what happens.

        It the situation does not improve enough by July or August, then I think it would be advisable to get as back up a non-Windows COMPUTER (or make a dual-boot install of a second OS in the now Win 7 machine). The second computer/OS could be either Mac or  Linux. Then start practicing with it, if not familiar enough already.

        And if one has Win 7, once we get to January and its end of life for support (o earlier, if things get much worse before that), I would say: it’s time to take the jump.

         

         

         

        Ex Windows user (Win. 98, XP, 7) since mid-2020. Now: running macOS Big Sur 11.6 & sometimes, Linux (Mint)

        MacBook Pro circa mid-2015, 15" display, with 16GB 1600 GHz DDR3 RAM, 1 TB SSD, a Haswell architecture Intel CPU with 4 Cores and 8 Threads model i7-4870HQ @ 2.50GHz.
        Intel Iris Pro GPU with Built-in Bus, VRAM 1.5 GB, Display 2880 x 1800 Retina, 24-Bit color.
        macOS Monterey; browsers: Waterfox "Current", Vivaldi and (now and then) Chrome; security apps. Intego AV and Malwarebytes for Macs.

        2 users thanked author for this post.
    • #182062

      Windows 1607, question about KB4091461. Haven’t patched since December 2017. This update failed to install on the first try tonight, so I searched it up before trying again. KB4091461 seems to be an end of servicing notification. Does this mean that I don’t need it install it?

      • #182112

        Ah, it’s good to see another 1607 holdout in the Lounge! It seems like there are few of us left.

        I skipped KB4091461. All it is, as you say, is an end of servicing notification page that pops up every time you boot up your computer. Imagine how irritating THAT would get! There are no ill effects in just hiding it and forgetting about it.

        Just wondering … what are your plans for after April’s updates, the last for 1607? I haven’t decided yet, except to ride it out for a while and see how the unpaid beta testers fare who upgrade to 1803 when it’s released, which looks like will be around mid-April. I’m doing my best to work out a plan for upgrading every 18 months or so. Even that’s too often for me, but it’s much better than every six months, which is crazy.

        • #183323

          I haven’t decided either…I downloaded a copy of 1709 on a USB just in case, but I’m going to, as you said, ride it out for a while and see how 1803 will be. I would also like to maintain the once every 18 months upgrade frequency, whenever possible, don’t want Windows to take over my life at an upgrade every 6 months.

          1 user thanked author for this post.
    • #182082

      The information about KB4099467 (Stop Error 0xAB when you log off a Windows 7 SP1 or Windows Server 2008 R2 SP1 Session) seems to be pretty minimal both on the MS support page and elsewhere. This error apparently can be caused by either the March Rollup (KB4088875) or Security Only (KB4088878) patches.

      Does any one out there have any insight as to whether or not it should be installed? If I don’t install it but get the blue screen will I be able to boot up and install this update (KB 4099467) to fix the problem?

      Thanks.

      • #182085

        “If I don’t install it but get the blue screen will I be able to boot up and install this update (KB 4099467) to fix the problem?”

        I’m not sure. There are some other posts about KB 4099467 in this topic.

        2 users thanked author for this post.
        • #182111

          Well, based on your link below and the post immediately below the post you linked to, I’d be inclined to install KB4099950 as it seems to either do nothing or perhaps in some cases actually fix the BSOD. Might wait a day or two, though, to see if anything comes up.

        • #182114

          I think you meant KB 4099467, not KB 4099950?

        • #182130

          Yes, I did mean KB4099467. Thanks for catching that.

    • #182083
      5 users thanked author for this post.
    • #182094

      I decided to roll back all of my Windows 7 Group B computers to December 2017. Why? Because even though the March updates fix the Total Meltdown vulnerability which allows any program to read any other program’s memory and the kernel memory, the 2018 patches for Meltdown and the March 2018 patch (which introduces Intel’s new CPU microcode to fix Spectre), do NOT fix the BranchScope vulnerability which is similar to Spectre. In other words, it is back to the drawing board for Intel in terms of having to create yet another round of new CPU microcode which will prevent BranchScope. Do you all think that Intel will decide to do something about BranchScope? I don’t think so. I think that they will leave that up to the antivirus manufacturers since Intel can now claim that their solutions for both Meltdown and Spectre are done.

      It is worth noting that it probably is best to rely on Microsoft to bake Intel’s CPU microcode into Windows. Why? Because if you install a BIOS update from your computer’s motherboard manufacturer which prevents Meltdown and Spectre, most likely you will NOT be able to undo the installed BIOS update. It all depends on the motherboard manufacturer in terms of whether or not they will let you reinstall an older BIOS update. Some do, yet many don’t.

      If you all Windows 7 users decide to roll back to December 2017 for the time being, then here are some things to consider:

      1. Make sure that you only use the latest versions of the Crome and Firefox web browsers. The latest versions incorporate fixes which prevent Meltdown.

      2. Make sure that you get IE updated with the March 2018 Cumulative Update for IE. This is especially important for laptop owners who have activated LoJack for Laptops in the laptop’s BIOS. LoJack is a product of Absolute Software. LoJack is tracking software which is used by law enforcement to recover stolen laptop computers. The reason for making absolutely sure that laptop owners, and any desktop owners who have purchased LoJack, is that LoJack launches hidden instances of IE in order to use IE to communicate with Absolute Software servers. Several security specialists consider LoJack to be malware. I agree with them.

      3. Be really careful about whatever new software you decide to install on your computer. Why? It is not clear if antivirus manufacturers can detect software which tries to exploit Spectre or BranchScope before the software is actually installed. Detection of software which exploits these vulnerabilities might have to be done in real time, after the software is already installed and running.

      9 users thanked author for this post.
    • #182097

      Nice Computerworld article. You laid out all of the bones neatly on the ground for all to see.

      3 users thanked author for this post.
    • #182089

      Woody staff, pls stop all this chatter, and once and for all tell us what KB’s we should have as provided by MS and then what to do!!!

      Woody says “dont install anything not checked, and dont go looking for updates not downloaded by the Windows updater”.  Many seem to be seeking KB’s on their own.

      I’m in Group A and I previously installed January and February downloaded and checked updates. I have done nothing since. All that Windows is currently providing is one checked file KB4100480.  KB4099950 is unchecked and optional at this point.

      Earlier in the month I received KB4088875 (March) and then KB4088881(Preview) they were both withdrawn over one week ago and no longer appear on the updater. So as of this minute, I have only one checked update pending KB4100480.

      Anybody else?

      1 user thanked author for this post.
      • #182158

        You have already installed the January and February monthly rollups, and as such, are vulnerable to the Total Meltdown hole that they include. There is no one good, safe choice at this point… you are going to have to weigh the risks and decide what path to follow.

        Woody gives the following choices for Windows 7:

           – If you’re willing to wade through the hassles — blue screens, leaky memory, and a cornucopia of additional bugs — go ahead and install all of the CHECKED Windows updates. Realize that your machine may slow down, even if it’s still going strong after the January and February patches.

              -If you don’t need the headache, and you’re reasonably sure nobody’s going to attack you with a Total Meltdown push*, don’t do anything. Don’t install any of the March patches.

              -Otherwise, take Susan Bradley’s advice and roll back your machine to its state before the patching insanity started in January. You’ll lose some worthwhile fixes, but at least you won’t be wide open to Total Meltdown.

        I’m not being offered KB 4088875, the March monthly rollup, through Windows Update, either. It was there on patch Tuesday, but disappeared shortly afterward.

        Woody warns:
        “Realize that some or all of the expected patches for March may not show up or, if they do show up, may not be checked. DON’T CHECK any unchecked patches. Unless you’re very sure of yourself, DON’T GO LOOKING for additional patches. That way thar be tygers. If you’re going to install the March patches, accept your lot in life, and don’t mess with Mother Microsoft.”

        If you are not going to uninstall the January and February updates, you should probably install KB4100480, which mitigates the Total Meltdown vulnerability that is present in all Windows 7 patches so far in 2018… which puts you on track to follow  How to Apply the Win 7 and 8.1 Monthly Rollups. If you are going to follow the usual Group A updating, remember to install, reboot, recheck… and repeat until there are no new checked updates offered.

        Which ever choice you make… step forward, freeze in place, or go back to December… back up… make a restore point… be prepared to deal with any bugs… You should be prepared, anyways… we just aren’t used to patches being the problem we have to worry about.

        We all want to be in that lucky group that has no problems… Without a clearly safe alternative, every option has its risks… Come back and join the ‘chatter’ and help some other frustrated and confused person, by reporting what your choice was and what the results are, good or bad… You are not alone.

         

        Non-techy Win 10 Pro and Linux Mint experimenter

        8 users thanked author for this post.
        • #182262

          I only have KB4099950 in WU checked and a NET 4.7.1 installer checked. No other updates are being offered at this time. I don’t use static IP addresses so I’m not sure why that update is there. What would you suggest I do?

          Win 10 Pro v.20h2

        • #182264
        • #182323

          For the time being I am freezing myself at: Installed KB405689 & KB407458, Jan. & Feb. Security Monthly Roll-ups respectively. KB4100480 installed 1 week ago. No issues, machine performing fine. I am not willing to wade through the morass as I am definitely on the “low to fair” end of the techie scale.  Win 7 Pro  x 64 i7 Haswell

          PS What a long, strange trip this is compared to the days when I had MS Update settings at “Automatically download & install (recommended)” & never gave them a second thought.

          1 user thanked author for this post.
      • #182260

        @Anonymous, that is precisely the situation I am in with my Windows 7 x64 home desktop machines – only KB4100480 showing as important and checked (apart from the usual MSRT), with KB4099950 showing as unchecked and optional.

        Both KB4088875 (monthly rollup) and KB4088881 (preview monthly rollup) have vanished.

        The machine with Office 2010 installed also has 5 Office 2010 updates listed as important, including KB2965324 which is unchecked and a new offering since Patch Tuesday’s initial offerings, and KB4018314 which used to be unchecked but is now checked. I also received KB2952664 on both machines as an optional update and have hidden it for the umpteenth time.

        I’ve only resurfaced today after Miss Seff’s wedding so will keep an eye on things and mull them over, but my immediate inclination is to leave both working machines well alone until the April updates arrive in a few days time and then see how things pan out. There are other options clearly, including just installing KB4100480 to provide current fixes to the Jan/Feb rollups which I have installed, or uninstalling those rollups. PKCano’s advice here to install KB4099950 before anything else is countered by the fact that it is unchecked (and optional) on both my machines.

    • #182098

      I am Group B. W7/64. AMD chips

      EDITED (please keep on topic)

      I have JAN and FEB security-only updates plus KB4074587 (AMD specific FEB fix) installed. KB4088878 is an IED, not a patch. I have decided not to install it, possibly ever.

      In what patch was Total Meltdown introduced (in error) by Microsoft? I have read reports that it went undiscovered by Microsoft for several months and that they did not get around to addressing it until after the March patch was released. KB4100480 addresses total meltdown. So, JAN and FEB and MAR patches had the vulnerability? If that is so, KB4100480 should be installed after the JAN patch (or FEB or MAR).

    • #182108

      Maybe these questions are totally off-topic but since I read about them I’ve been wondering whether they might be important clues to the root causes of the ongoing Windows 7 / Server 2008 R2 mess that started January this year? Just saying…

      1. Spectre mitigations

      Windows kernel modules are being recompiled with a new Visual C++ directive (the /Qspectre flag) which inserts special assembly instructions acting as a “speculation barrier” by serializing execution on critical pieces of the OS core (identified as being “at-risk code”). Could these extra assembly instructions (LFENCE on AMD/Intel, CSEL/MOVS and CSDB on ARM) be in direct relationship with many of the freezes, hang-ups and BSODs that have been reported on buggy patches?

      Source:
      https://blogs.technet.microsoft.com/srd/2018/03/15/mitigating-speculative-execution-side-channel-hardware-vulnerabilities/

      2. Meltdown mitigations

      Kernel Virtual Address Shadow (KVA Shadow) represents a major change in the way the kernel isolates its memory contents from user mode. Could the “Total Meltdown” bug be a direct consequence of failing to properly implement the “shadowing” (mapping) into user address space of the selected minimal subset of privileged kernel code and data? Quoting Microsoft:

      “Mitigating hardware vulnerabilities in software is an extremely challenging proposition (…) In the case of rogue data cache load and KVA shadow, the Windows kernel is able to provide a transparent and strong mitigation for drivers and applications, albeit at the cost of additional operating system complexity, and especially on older hardware, at some potential performance cost depending on the characteristics of a given workload. The breadth of changes required to implement KVA shadowing was substantial, and KVA shadow support easily represents one of the most intricate, complex, and wide-ranging security updates that Microsoft has ever shipped.

      Source:
      https://blogs.technet.microsoft.com/srd/2018/03/23/kva-shadow-mitigating-meltdown-on-windows/

      1 user thanked author for this post.
      • #182234

        Without any technical detail at all, it’s clear that big changes to the Windows Kernel, which has been stable for a long, long time, could destabilize something somewhere for someone.

        It’s just the nature of risk w/regard to complex systems. And make no mistake, Windows is the kind of insanely complex system that could only get as solid as it has gotten by having the entire world use it and Microsoft fix the bugs found in it for decades.

        To give a bit of perspective… By most measures, computers are at least 1,000 times faster than they were back in the early days. If your computer would typically crash once a day back then, a computer system of today running an OS at the same quality level would crash after only one minute. But they don’t, even considering that today’s systems are also much more complex than those back then. Frankly, it’s kind of amazing they got it working as well as it does for as long as it does (before January at least).

        -Noel

        4 users thanked author for this post.
        • #182306

          It’s just the nature of risk w/regard to complex systems. … By most measures, computers are at least 1,000 times faster than they were back in the early days.

          The story “Fail-Safe” originally appeared in three installments in The Saturday Evening Post on 13, 20 & 27 October 1962 (during the Cuban Missile Crisis), quickly followed by its publication as a novel; it was released as a film in 1964 (and the original screenplay performed live on CBS in 2000). This exchange comes early in the story:

          KNAPP: “The more complex an electronic system gets, the more accident-prone it is. Sooner or later, it breaks down… A transistor blows, a condenser burns out. Sometimes they just get tired, like people…”

          GROETESCHELE: “But Mr. Knapp overlooks one thing. The machines? are supervised by humans. Even if the machine fails, the human being can always correct the mistake.”

          KNAPP: “I wish you were right. The fact is the machines work so fast; they are so intricate; the mistakes they make are so subtle that very often a human being can’t know if a machine is lying or telling the truth.”

          And that was in 1962… .

          6 users thanked author for this post.
        • #182368

          “The more complex an electronic system gets, the more accident-prone it is…”

          A spade surely must be said to be a non-complex, non-electronic simple system and yet it’s definitely an accident-prone system!

          My big toe still has a scar from when I once tried to chop it off….

          The scars from using PCs and Microsoft are of a different nature and though I’ve been brought to tears from time to time, it’s never made me bleed. Thank you, Microsoft.

          Of course I’ll discount the little blood once lost due to trying to stop a fan with a finger… not my brightest idea.

          1 user thanked author for this post.
    • #182123

      A Windows 7  x64, group A non-techie user who has TRIED to stay up on all the mess with March patches but is still totally confused….YES…..even after reading Woody’s CW article.

      I have both Jan & Feb monthly quality/security rollups installed. March’s rollup came with the usual updates but I did NOT install it as I wait for the Defcon rating to go to 3 or higher. Before the all clear came the rollup DISAPPEARED never to return. Then a few days ago KB4100480 showed up and by the advice of the “Patch Lady” I installed it. She said that if we  DID NOT want to uninstall the Jan & Feb rollups that we “SHOULD” install the KB. Then shortly after I read that we had to install KB4099950 BEFORE KB4100480. Well KB4099950 didn’t show up in my updates until this morning long after I installed KB4100480, so how was I supposed to install that one first?

      My questions are did I do the right thing by installing KB4100480? Do I  install KB4099950 now? Or do I uninstall 0480, install 9950 and then reinstall 0480 or do I leave 0480 installed and just ignore 9950 for now?

      What about the March’s MSRT is that safe to install?

      Thanks in advance for any help with this confusing matter?

      2 users thanked author for this post.
      • #182159

        I think you’re OK. You do NOT need to uninstall 0480. When you’re ready to install KB4088878(the March Rollup), install it AFTER you install the 9950 update. At that point, you’re done, unless…

        …you also decide to install KB4099467. If you do decide to install it, do it right after you install the Rollup with no restart in between.

        What I’ve just described is exactly what I’m going to do. I haven’t yet decided whether to install 9467 because there is so little information about it. I’m waiting a day or 2 to see if any problems with it surface. At the moment, I’m inclined to install it since it seems to either do nothing or else perhaps prevent a BSOD. On the other hand, MrBrian decided to not install it (see his post above) and has experienced no issues because he didn’t.

        5 users thanked author for this post.
    • #182125

      Right after Woody started this thread today, I started my March catchup for a Group B W7 x64 Home system standalone. First off, I ran KB4099950, did restart, no problem. Next ran most recent IE 11, KB4096040, did restart, no problem. Then I ran the OS KB4088878, did a shutdown, no problem and restarted. Finally I finished with KB4100480, did a restart, no problem. Thanks again to Da Boss and the ensemble cast of gals and guys that maintain Group B viability. Break a leg!

      5 users thanked author for this post.
      • #182204

        Well done ??

        Group L (Linux Mint 19)
        Dual Boot with Win 7
        Former
        Group B Win 7 64 bit

      • #182355

        Where was your starting point – Dec. 2017 or Feb. 2018?

        Had you already installed 4100480?

        We're getting Sticker Shock everywhere now, not just car dealers.

    • #182132

      Something else to throw into this sorry mess:  https://betanews.com/2018/04/05/no-meltdown-spectre-patches-for-some-intel-cpus/

      In a document entitled Microcode Revision Guidelines, the chip-maker says that a wide range of processor families — equating to over 200 CPUs — will not receive any more updates. While the majority of the affected chips were on sale between 2007 and 2011, it’s safe to assume that a large proportion of them are still in use, meaning that a lot of systems will remain unprotected.

      So I am wondering (OK, asking) if or how this news affects what a Group B member running one of those Intel CPUs should do…

       

    • #182184

      Note to Windows 7 users: KB4088875 (Windows 7 2018-03 Monthly Rollup) is available on Windows Update, but there are unusual steps needed to see it. See https://www.askwoody.com/forums/topic/windows-update-not-offering-kb4074598/#post-182019 for more details.

      3 users thanked author for this post.
    • #182192

      Does the March Windows 7 64 bit Security update install a Microcode update?

      If that is a yes do we then need BIOS updates?

      After this mess I am losing the appetite for Bios updates.

      • #182247

        I was mistaken when I thought that the March update bundled CPU microcode since I thought that this would be how Microsoft eventually fixed Spectre. I was wrong. Instead, Microsoft rewrote the kernel and associated stuff by compiling new code using techniques which are supposed to mitigate against Meltdown and Spectre. Now I understand why the March update doesn’t prevent BranchScope which is a newly discovered vulnerability that is similar to Spectre.

    • #182219

      Otherwise, take Susan Bradley’s advice and roll back your machine to its state before the patching insanity started in January. You’ll lose some worthwhile fixes, but at least you won’t be wide open to Total Meltdown.

      Susan isn’t the only one thinking this way.

      I’ve had ZERO problems with my little Win 7 server that runs 24/7 since 9 days ago dropping back to pre-January patch level.

      ScreenGrab_SVN_2018_04_07_085320

      When I did so I saw my I/O speed go back up from a bit over 900 MB/second to where it was before the debacle, now over 1800 MB/second.

      There comes a time when, even ignoring risk entirely, demonstrated problems outweigh the potential reward of patching.

      How do you get out from under all the work it takes to keep providing “extended support”? You change the definition of “support”… I imagine that once a large majority of Windows 7 people start avoiding patches, they’ll just decide to shut down the servers, claiming that people don’t want their “support” any more.

      -Noel

      6 users thanked author for this post.
    • #182240

      Group B Win7 x64 Haswell-E (5th gen) chip

      I was very much in two minds whether to rollback to December or not but as I keep weekly disk images I thought I’d chance my arm and apply the March patches.

      So far, all seems well but I’ll be watching closely. One thing as well, there wasn’t a microcode update but looking at the KB it looks like they’ve abandoned anything before Skylake (though iirc Intel have produced Haswell code)

      One question, how reliable is the uninstall option?

      The reason I ask is that if this goes bang I can easily restore today’s disk image but that would still have Jan/Feb patches. I can of course use a disk image from December but that would mean having to update various software which has changed over the last three months so just uninstalling KB4074587 and KB4056897 would be much more convenient.

      • #182246

        It’s probably impossible to be sure everything you want and nothing you don’t want has been reverted, but I had no problem uninstalling the updates from my system. It’s not something I ever did before on any system, so I’m not sure whether a sample size of 1 even begins to answer your question, but it’s pertinent anecdotal evidence.

        -Noel

        4 users thanked author for this post.
      • #182249

        I uninstalled the Jan and Feb updates on all three of my Win7 computers without any issues. I don’t think you will encounter any issues if you have to go that route.

        4 users thanked author for this post.
      • #182250

        I did the uninstall option back to December a couple of days ago and so far everything is looking good with no problems. Because I used Disk Clean to cleanup system, I was missing some of the updates in my Add/Remove. I had to use Windows Update Mini Tool to locate and uninstall the Jan. and Feb. updates. After uninstalling each one I ran windows update and hid the updates I didn’t want until I was back to December. After I was back to December, WU offered about a half dozen updates and I had to research each one to decide if I wanted it or not. I installed the ones I wanted and hid the ones I didn’t. So far so good. WU is locked down and will be until this mess is sorted out, and if not it’s locked down for good. I did an image before doing this just in case things went wrong. My computer is now open to the Meltdown/Spectre joke, but I have my performance back. Installed new router for security and made sure firewall and virus protection was up to date.

        4 users thanked author for this post.
    • #182243

      First, major thank youS to Woody, Susan, and the many contributors to this fantastic forum!

      I have decided to face the music today on my “Group A” lowly Win7Pro SP1 32-bit machine (Intel Core2Duo E8400 3Ghz) after having successfully last updated it on 3/9/18 (Guess that puts me at Feb Group A level?).

      After reading through the many posts and Woody’s current CW article, I feel out of my depths despite having successfully kept this old machine alive and kicking through many adventures with you all.  I’m suddenly gun-shy to touch what appears to be a happy machine at the moment, but I’m aware the machine could be in some undesirable Jan-Feb state tho I gather this may be more of a 64-bit concern?  Could use a bit of hand-holding/reassurance of path forward (or backwards?) as a Group A groupie.

      Upon running WU from control panel this morning, the checked/Important category shows these 4 items:

      2018-03 Update for Windows 7 for x86-based Systems (KB4099950)

      MS.Net Framework 4..7.1 for Windows 7 (KB4033342)

      KB2952664 Update for Windows 7

      and MSRT (KB890830)

      Any guidance on whether or not to press INSTALL or perhaps backdate something and sit on sidelines?  Of course, I’ll pre-backup, set restore points and all that first…TIA!!

      • #182253

        Upon running WU from control panel this morning, the checked/Important category shows these 4 items:

        2018-03 Update for Windows 7 for x86-based Systems (KB4099950)

        MS.Net Framework 4..7.1 for Windows 7 (KB4033342)

        KB2952664 Update for Windows 7

        and MSRT (KB890830)

        Based on my reading of things and the recommendations I have seen from the patching gurus, I would proceed as follows:

        1. INSTALL KB4099950
        2. IGNORE KB4033342
        3. HIDE KB2952664. If possible, shred it to a fine confetti, bury it and spread salt over that ground so that it doesn’t grow back.
        4. INSTALL KB890830

        Good luck, whatever you decide to do.

         

        1 user thanked author for this post.
        • #182445

          Thank you, Cybertooth!  I will take the approach you suggest.  It does match what I’ve gleaned from all the recent commentary.  Grateful for your time:-)

          1 user thanked author for this post.
      • #182341

        You are right that 32 bit Win 7 isn’t subject to the Total Meltdown Security hole that is found in all the 2018 patches for Win 7, so you don’t have a need to mitigate for it, like 64 bit systems do… so no need to consider removing the January and February patches. That leaves you with the choice of waiting… or moving forward.

        There was a problem with NIC settings being replaced or static IP address settings being lost after you install KB4088875, that affects 32 bit as well as 64 bit systems, which would cause you to lose internet connectivity. By installing KB4099950 first, you would avoid that particular danger. You may find that after installing KB4099950, rebooting, and then rechecking Windows Update, that you are offered KB4088875 (March Monthly Rollup). Install, reboot, recheck… and keep doing that as long as you are getting checked updates.

        It would be important to install KB4100480 to mitigate the Total Meltdown, if you had a 64 bit system, but it doesn’t apply to you.

        KB2952664 Update for Windows 7 is a known telemetry patch that has been offered over and over again. If you have only recently come to AskWoody, and were using automatic updates, it is likely that it is already on your system (you can check under installed updates). For people that kept it off… and that started before the GWX push… it is a no-no… It is like a weed that you have to remove over and over and over, if you decide to get it off your system. Not everyone cares about telemetry, or wants to be vigilant. KB2952664 keeps coming back, sometimes unchecked, sometimes checked… It is, again, a decision that you have to make about your own system. You can take a look at Turning off the Worst Windows 7 and 8.1 Snooping, if you want to know more.

        As always, following How to Apply the Win 7 and 8.1 Monthly Rollups will give you step by step guidance to refer back to, if you get lost while updating. Woody refers you to it from his ComputerWorld article, when giving you the updating steps… it works…

        Sometimes you can be told to just apply certain patches… and it will be okay. I can understand needing a little hand-holding when there is a risk, no matter which way you choose to go. Perhaps the details here will help you make a good decision for your situation… but if it gets more confusing for you, follow Cybertooth’s do or don’t guidance for the patches you’ve been presented with… and may your patching be successful and uneventful!

        Non-techy Win 10 Pro and Linux Mint experimenter

        1 user thanked author for this post.
        • #182795

          Elly and Cybertooth,

          Thank you both for your very helpful guidance and thoughts to ponder.  Appreciate you both taking the time from your day to respond on my queries.  I’m all backed up, Disk cleaned up, System Restore point made and also un-installed that miscreant KB2952664 which I realized I had installed previously.  So, I think I’ve searched soul enough and am going to take the plunge with your suggestions in mind.  Will report results on “the other side” of the abyss…

          Hope all is well and that you both have weathered your “choices” favorably…

          1 user thanked author for this post.
    • #182256

      What a confusing time. I’m in Group A W7 x64 Home, Kb4088875, Kb408881 both disappeared last week, all that was checked was  Kb4100480 so I installed it today rebooted and so far ok. Last time I checked Kb409950 it was unchecked, today it’s checked. Do I uninstall Kb4100480 and then install Kb409950 or leave it as is and install Kb409950? and what about Kb890830?

      • #182263
        • #182289

          Thank you Mr Brian. I checked for updates again and  KB4088875 and KB4088881 are back in hidden and that’s where they will stay. I figure the computer is running fine so why upset the apple cart. Thanks again.

          Edit to remove HTML

        • #182300

          @MrBrian-

          In order to clarify for everyone, if we (Win 7 x64 users) have the January and February rollups installed AND we have already installed KB4100480 to prevent Total Melltdown, then we DON’T need to:

          1. Uninstall KB4100480

          2. Install KB4099950

          3. Install KB4088875

          4. Reinstall KB4100480

          in that order, correct?

          To me, it sounds like we should only have to steps 2 and 3 in that order, and that’s it, right?

          1 user thanked author for this post.
        • #182318

          “To me, it sounds like we should only have to steps 2 and 3 in that order, and that’s it, right?”

          Correct indeed. I did a test of this with one of the rollups, and posted about it somewhere on this site previously.

          1 user thanked author for this post.
        • #182381

          Anonymous #182300 here:



          @MrBrian
          , TYVM for the clarification. 🙂

    • #182266

      Is it safe for me to install all of the patches for Win10 v1703? Will Microsoft quietly reenable the Windows Update service and install stuff without my approval? Haven’t patched since October and I know I really need to patch… but at the same time I am not in the mood to be feature upgraded anymore.

      • #182359

        Per Woody’s ComputerWorld article:

        “Go ahead and install all outstanding Win10 patches. They were re-released and re-re-released in March, and the current versions appear to be working OK. Heaven only knows what’s going to happen on April Patch Tuesday, so get the patches squared away now.”

        90% of people have been moved to 1709, and for some of them, it happened forceably, as Microsoft ignored their settings. Be prepared to deal with that, one way or another.

        Strategically, this is the time to go ahead and update to 1709, because after Tuesday, 1803 will be what is available through Windows Updates. You could download a copy of 1709 now, even if you don’t install it, in case 1803 is full of bugs, and Microsoft won’t stop pushing you off 1703. Woody says he is staying on 1703.

        I’m just restating what Woody has already said… as it applies to your situation. There are no assurances that updating will go smoothly and that Microsoft won’t try and force an upgrade on you… in fact, the opposite might be true. But… this is the best we are going to get… for this month.

         

        Non-techy Win 10 Pro and Linux Mint experimenter

    • #182279
      1 user thanked author for this post.
    • #182288

      OK in Group A and  I have not uninstalled Jan or Feb updates.

      My Win Update showed only KB4099950 as Optional and unchecked, and KB4100480 as Important and checked.

      Early in the month Win Update showed KB4088875 and then as Optional KB4088881. About one week ago both were pulled or went missing.

      Per MrBrian’s advice that KB4088875 was not pulled, I followed the referrenced link but starting at step 5 since I already had the Feb rollup KB4074598 installed.

      Disregarding Woody’s advise to not check an unchecked item, I checked KB4099950 under Optional and installed (Step 5).  No problem

      Upon update recheck, KB4088881 re-appeared which I hid (Step 7)

      Upon update recheck, KB4075211 appeared which I hid (Step 9)

      Upon update recheck, KB4088875 re-appeared as Important but unchecked (interestingly at this point I reviewed my Hidden items which still shows KB4088881, but not KB4075211 it disappeared).  I also received KB4091290 a large Optional unchecked update?

      So I am sitting on KB4088875 (unchecked), KB4100480 (checked), KB4091290 (unchecked),  and no sign of KB4099467 (Stop error fix I have read about – where do I get this KB?)

      Should I proceed to install all the above, some of the above, or just KB4100480 and sit tight till April update?

      And what happens to KB4088881 that is hidden?

       

      • #182298

        KB4099467 is a Catalog-only update available at https://www.catalog.update.microsoft.com/Search.aspx?q=KB4099467.

        • #182371

          Regarding my post today at 11:07am

          Was hoping for more direction to bottom line questions, please.

          Thx

        • #182426

          Being in Group A and not having uninstalled Jan or Feb updates, you have a big, gaping hole in your security, called Total Meltdown… where the cure is potentially worse than the ill it was supposed to fix. KB4100480 is to patch those patches (and also the March Rollup, which carries the same problem forward)… and it is sitting there checked, and ready to go in your Windows Update.

          No one can make the decision to roll-back, stay put, or move forward, for you. What do you want to do?

          If you aren’t going to roll back to December (and there is no guarantee that the bad patches will get fixed, we are only hoping they will), you probably still need to install KB4100480 to fix the Total Meltdown vulnerability. I’m repeating this, because some people are freezing in place before this is done: Total Meltdown is a great big gaping hole that allows any program easy access to your system, no special expert black hat skills needed. Not having those patches (rolling back) is better than having them and not fixing them with KB4100480.

          Then you must decide whether to sit and hope and wait… or install March’s Monthly Rollup, KB4088875, proceeding with the normal Group A updating. If you are following the full Group A updating this month, you aren’t done until you have installed the checked updates, rebooted, rechecked Windows Update, installed andy checked updates, rebooted, and repeat until there are no more checked updates.

          There is a good chance that once KB4100480 is installed, KB4088875 will show up as checked. If you are satisfied that the major bugs have been addressed (and having read through things, you have as much information as the rest of us), you may decide to go ahead with Group A updating. You may want to add KB4099467 from the catalogue, just in case your system is vulnerable to the “Stop error”. As far as I have heard, there is no way to test for this ahead of time, and the “Stop error” is a BSOD issue… so it might be worth the extra step to avoid.

          Believe me, there has been a lot of testing going on, and if there was one good, clear, safe choice, Woody would have presented that, instead of telling us what the pitfalls are. There isn’t a better time to back up your data, as that should give you some sense of security if the choice you make ends up with a serious consequence. Microsoft isn’t giving, or doesn’t have a safe way forward. Their best efforts have thrown a fair amount of chaos our way. I am giving them the benefit of the doubt on that… at this time…

          And as to your last question… if Microsoft reissues an update that has been hidden, it will show up again if you run Windows Update… and if you decide to install it, and it hasn’t shown up again, you can unhide it… unless it gets pulled (and that is for reasons that mean you wouldn’t want it anyways). KB4088881 is the April preview… The April Monthly Rollup, will have those fixes, hopefully with any bugs ironed out… and it will probably (I say probably, because March’s Monthly Rollup didn’t show up for everyone) show up in your regular Windows Update, on next Tuesday. Woody, and most of us here, will wait and see what happens to the unpaid beta-testers, before he makes a recommendation regarding what to do with it. It does get a little confusing, because we are in April, and only just now deciding what to do with the March updates.

          Hope you feel that this more thoroughly addresses your bottom line questions… and do know that none of us are happy with these answers… just doing the best we can with what Microsoft throws at us.

          Non-techy Win 10 Pro and Linux Mint experimenter

          3 users thanked author for this post.
        • #182515

          @MrBrian I installed KB4099950 and KB4088875 (and then restarted) with no issues would that mean I don’t need KB409967? Or should I get it form the update catalog and install it?

        • #182670

          I don’t know for sure. I installed KB4088875 on March 25, and I haven’t experienced the issue that KB4099467 supposedly fixes. I didn’t install KB4099467.

    • #182311

      Trying to make sense of it all and follow all the good suggestions here has left me shaking my head and not sure which way to go.  I’m Group A Windows 7 64 bit with both the Jan & Feb rolls-ups installed.  Today in WU I have offered (and all are checked) 4100480, 4099950 and MSRT.

      If I decide to install these – does it matter which order I do them in, i.e., should 9950 be installed before 0480?  I always do MSRT last and assume this would still be the case here.

      If I don’t install them today or tomorrow, what happens on Tuesday when the April updates come out?  Do the 2 that I’ve mentioned disappear and will I have lost my chance to install them?

      Gosh- I wish this was easier.  I feel like I’m making a monumental decision here!

      1 user thanked author for this post.
      • #182320

        It shouldn’t matter what order KB4100480 and KB4099950 are installed in.

        If you don’t install the March 2018 updates before next Tuesday, by next Tuesday the March 2018 updates will be metadata-superseded by the April 2018 updates, but you can still install them via Windows Update by hiding the April 2018 updates. Don’t forget that you hid the April 2018 updates though.

        1 user thanked author for this post.
        • #182330

          Thanks MrBrian. Could you clarify if the 2 updates I’ve referred to are considered “March” updates? These aren’t the monthly roll up so I’m just wondering if they will in fact disappear on Tuesday?

        • #182337

          I’m not sure if either of those two updates will disappear from Windows Update on next Tuesday without resorting to hiding other updates.

          1 user thanked author for this post.
    • #182315

      My 7’s are patched, monitoring for issues.  I have a few Server 2008 R2 and I’m still holding back on those due to the SMB memory leaks.

      Susan Bradley Patch Lady

      2 users thanked author for this post.
      • #182373

        I’m curious whether you installed KB4099467 on your Win 7 machines and the reasoning you used in making your decision. This seems to be a largely overlooked update.

        I’m leaning towards installing it because one other poster has and it either didn’t do anything or perhaps prevented a BSOD. On the other hand MrBrian decided to not install it, and his expertise is absolutely not something to be ignored.

        • #182383

          I have more of a “safety net” than some of you because I make an image (using Macrium Reflect free version) immediately before installing Windows updates, and I am fairly confident that I will be able to restore an image because once a month as a test I do a restore immediately after making an image.

          4 users thanked author for this post.
        • #182439

          I run scheduled weekly Macrium Reflect images on my Win 7 box, and daily on my Win 10 box.  I image Win 10 more frequently because that is my daily driver at this point.

          Imaging should be a consideration before risking any updates, IMHO.  Knowing that you can roll a system back to it’s last known working state is a big anxiety reliever.  🙂

          The peace of mind is priceless.  Macrium Reflect is free, and a decent 1TB external USB3 drive can be had for around $50 USD.

          So if I hold off on updates, it’s just because I don’t wish to go through the hassle of a full restore, which usually takes me less than an hour…

          4 users thanked author for this post.
        • #182464

          Macrium Reflect: Once a month, instead of once a week. Simple, reliable, easy to use, does not intrude itself, unlike a lot of other crapware these days.  Maybe it’s because it’s from the U.K.

          I love Seagate Dashboard almost as much as Macrium; each morning, if I don’t sleep late, it backs up just the files that have changed since yesterday, and more importantly, they can be accessed without “mounting” an image.

          These, plus an online backup once every 30 days–the so-called “rule of three.”  As you say, the peace of mind is worth it.

          1 user thanked author for this post.
        • #182475

          @MrBrian – Sounds to me that you’re suggesting folks who don’t have a great deal of confidence in restoring an image should go ahead and install KB4099467. That would be fine with me because while I have an image, what I don’t have is a great deal of confidence or experience recovering from BSODs.

        • #182679

          I’m not sure because I don’t know if KB4099467 introduces issues.

          This may be helpful for those experiencing BSODs: 2000009: Getting out of a no-boot situation after installing Windows updates.

        • #182694

          I opted to install KB4099467 last night on my Win 7 Starter 32 bit test machine. Did the following:

          4099950 from Windows Update, no restart required or requested.

          4088878 from the Update Catalog, restart required but I didn’t because I immediately installed

          4099467 from the Update Catalog, restart required, and I did restart.

          Everything seems to be working fine, although I would note that the install of 4099467 was VERY slow and the restart took a long time even for an Atom chip.

          Another interesting thing is that after all of this Windows Update showed only 4099950 and 4088878 in the ‘view update history’ tab. 4099467 didn’t show up at all. I had no indication that anything went wrong during the above procedure, so I’m not too worried about it since I’m not having any issues. Also, I’ve noticed in the past that Windows Update doesn’t always show the latest Security Essentials definition update.

          2 users thanked author for this post.
    • #182316

      @MrBrian – One for you:

      Win7 Pro SP1 32-bit (in a VM)
      Was patched through Feb Rollup (4054518 Dec RU, 4056894 Jan RU, 4057400 18-1 Preview, 4074598 Feb RU)
      Optional list unchecked – Silverlight, HP-Image, KB3102429 (Azer/Menat currency)
      ALLOW Regkey in place (Bitdefender Free)
      I have monthly copies of VM up to 18.03/06, latest includes Feb RU

      Windows Update offers NOTHING (no Rollup, no Preview, no hotfix, not MSRT, not .NET – Nada, zilch)

      Manual download/install KB 4099950, reboot, search – NOTHING (nothing to hide to make Mar Rollup appear)

      Roll back – uninstall 4074598 (others not shown in installed updates), reboot, search. WU offers 4054518 (Dec Rollup and several older updates latest of which is 2016). No later Rollups, no Previews, no hotfixes.

      Installed Dec Rollup and older patches, reboot. Search produces nothing – no recent RU, no Preview, no hotfixes. It is now stuck at Dec 2017.

      Explanation? Suggestions?

      • #182324

        After you rolled back, did you check that the QualityCompat registry item is still present?

        • #182326

          Yes, still there

        • #182332

          Did you try resetting Windows Update?

          The old stop Windows Update service, rename SoftwareDistribution, restart Windows Update service and check for updates?

          Cheers!!
          Willie McClure
          “We are trying to build a gentler, kinder society, and if we all pitch in just a little bit, we are going to get there.” Alex Trebek
      • #182329

        Saving grace?

      • #182340

        Unless Windows Update is behaving fluky at the moment on the server-side, I would guess that your computer is having Windows servicing issues. I’ve lately been referring people to post at https://www.sysnative.com/forums/windows-update/ regarding such issues.

        • #182343

          Thanks, will pursue

        • #182396

          As a test, I just checked for updates on my Windows 7 virtual machine. Windows Update found 172 updates. No server-side problems in my case.

      • #182504

        @pkcano I would suggest having a look with WUMT, in particular with “include superseded” checked. You may be able to see a lot more with that setting done. This is useful for analysis and I do not necessary suggest to install the superseded patches, although sometimes this is the only way forward especially for computers which are behind with patching for a longer period and this is due to the known supersedence mess.

      • #182514

        EEErrrr….
        I’m embarrassed.
        I use paid av on the installations with which I access the Internet, but I have so many others that I can’t afford all, so I use Bitdefender Free on most of the test stuff.
        I had to shift av’s between conputers, uninstalled TMIS on the Win7 (which removed the key) and in the interim I manually added it back.
        So it was there all the time.

        Key = QualityCompat
        DWORD = cad ca5fe-87d3-4b96-b7fb-a231484277cc
        value = 0

        Computers are dumb – they do exactly what you tell them to do….
        Sometimes you just have to figure out what you told ’em.

        1 user thanked author for this post.
    • #182322

      Trying to get info on 2018-03 Update for Windows 10 Version 1607 for x64-based Systems (KB4089510) released on 3/21/2018. Windows Support says, “This update makes stability improvements for the Windows 10 Version 1607 servicing stack.” Doing a search, I see where there are reports of this update hosing Windows Server 2016. I’d very much appreciate any help as to what’s going on with this update. I don’t see it listed on Miss Susan’s nor Martin Brinkmann’s Patch Lists. Maybe I’m just missing the obvious. It wouldn’t be the first time! 🙂

      • #182331

        From https://support.microsoft.com/en-us/help/4088889: “Important When installing both the SSU (KB4089510) and the LCU updates from the Microsoft Update Catalog, install the SSU before installing the LCU”. Perhaps KB4089510 addresses the same issue mentioned in this post.

        • #182441

          Thanks, MrBrian. Since KB4088889 was the second CU issued on March 22 (I think KB4077525 was the first), and KB4096309 was the third one issued on March 29, I installed KB4096309. KB4088889 was never installed. However, since the update in question, KB4089510, is a SSU, should it be installed anyhow? In fact, since MS seems to be saying install SSUs before LCUs, I should have installed KB4089510 before KB4096309 … but I didn’t know it even existed until today.

          So, bottom line: Should I install KB4089510? If so, when?

          Thanks again for your time and help.

      • #182578

        Those reports are wrong, SSU never harm or hose the system
        on the contrary, skipping installing SSU is what cause other updates to fail or cause issues

        3 users thanked author for this post.
    • #182328

      Searched soul and installed March updates B style – arghh getting harder and harder to stay in group B.

      As others reported, my March rollup disappeared. When I checked for updates on 4-6, I was offered kb4099950 and kb4100480 and yes they were both checked.  I installed one update at a time, made a restore point prior to each install, rebooted after each install whether I was prompted to or not, and out of curiosity checked for updates after each reboot to see if the March rollup would be offered again. It was not offered. Below is the order I installed the updates which I know is not the same order recommended by others. Computer seems to be running fine.

      1. KB 4096040 (IE 11 dated March 23rd from catalog)

      2. KB 4099950 (I was offered windows update, but used catalog)

      3. KB 4100480 (I was offered windows update, but used catalog)

      4. KB 4088878 (March Security only for Win 7 x64 from catalog)

      Group B Win 7 x64 – Thanks Woody and others for your valuable research and advice.

       

       

      1 user thanked author for this post.
      • #182336
        • #182377

          Thanks @MrBrian. Yes, I read your article and followed every step (to get the March rollup to re-appear) except for installing KB4074598 (2018-02 Monthly Rollup) because I am in group B. I installed the group B style IE 11, Jan and Feb 2018  Security Only updates on March 5th.  I also ran disk cleanup on March 5th cleaning up about 2.6 gigs of system files. KB4088875 never to appear again.  Really don’t know why I tried so hard to get it to re-appear, since I was not going to install it anyway (smiles). Appreciate you sharing your research and helping others.

          1 user thanked author for this post.
        • #182385

          You’re welcome :).

          In that particular sequence, installing KB4074598 is a necessary step.

      • #182375

        Why would you be interested in the March Rollup when you’re in Group B?  Sounds like you’ve installed all the necessary updates (for Group B).  Congrats!

        Win 7 SP1 Home Premium 64-bit; Office 2010; Group B (SaS); Former 'Tech Weenie'
        • #182384

          Thanks @SueW you are absolutely right. I was being obsessive and overthinking things. It bothered me that if  the the March roll-up was not being re-offered, I might be missing a prerequisite that also applies to the March Security only patch.

          2 users thanked author for this post.
    • #182352

      Being a  person who’s running 64-bit Windows 7, and being in Group B, I read Woody’s Computerworld article regarding DEFCON 3 very carefully. Like many others I was looking for guidance as to how to proceed or deal with the March Widows 7 Security Only, and IE 11 Cumulative Security updates. In the past I’ve always followed two basic commonsense rules that I’ve learned from following the advice given here on Askwoody. First, never install preview updates, and second never install unchecked windows updates. Up to this point that way of thinking has worked out very well.

      The problem is, at least for me, is that between Woody’s Defcon 3 Computerworld article and the various Askwoody threads pertaining to the March updates, I’ve been unable to determine the best way to deal with this issue. Between the various Hot Fixes and the randomly updated versions of certain March updates, there doesn’t seem to be clear direction on how to proceed. At this point there are 2 updates that I’m unsure of.  The first is KB4010048 which was first talked about here back on March, 29, Microsoft Patch Alert: Suddenly, Windows 7 patching is an unholy mess and here, Patch Lady – new update for Windows 7 KB 4100480. Having read both of those threads more than once, I went ahead and downloaded it from the Microsoft Catalog (was not offered in WU) and installed it on April, 1. It installed without issue… Since then I’ve viewed more recent posts suggesting that it would be better to roll back the window updates prior to January 2018 rather than install KB4010048 at all. Then I started seeing other posts indicating that KB4010048 was now being being offered in windows update. Then yesterday I discovered there’s a newer version of this update that’s dated April, 5, and is now a prerequisite for installing either KB4088875 or KB4088878, along with another prerequisite, KB4099950, which is the second update I’m unsure of.

      On April, 1 WU offered me KB4099950 as optional and unchecked update. Because it was unchecked I went ahead and hid it…  Yesterday I decided to unhide it to see if it was still unchecked. It was, and as such was re-hidden. This morning WU offered me KB4099950 once again… This one is dated April, 5, optional, written in italic, and still unchecked. Also the hidden copy of the update is no longer there.

      So here’s my conundrum… Does the never install an unchecked update still apply in this case, which means I can’t or shouldn’t install KB4088878, and is the fact that the installed version the KB4010048 update is an older version mean I have replace it with the newer version?

      As always any advice or input would be greatly appreciated…

      • #182367

        KB4100480 isn’t a prerequisite for installing KB4088875 or KB4088878. KB4099950 is a prerequisite for installing KB4088875 or KB4088878.

        Microsoft now categorizes KB4099950 as a Recommended update. The “Give me recommended” Windows Update setting that Group B uses causes all Recommended updates to be put in the Optional tab in Windows Update, and be unticked by default. The “Give me recommended” Windows Update setting that Group A uses causes all Recommended updates to be put in the Important tab in Windows Update, and usually (but not always) be ticked by default. In my opinion, KB4099950 would be a good occasion to violate the “never install an unticked update” rule.

        KB4100480 has not been reissued.

        4 users thanked author for this post.
        • #182405

          Whilst I’m grateful for this post, @MrBrian, I think it raises two important points.

          First, we shouldn’t assume that only Group B users set recommended updates in the way that you indicate. I’m a Group A user and my settings result in KB4099950 appearing as both optional and unchecked, and I’m pretty certain I’m not the only one.

          Second, your comment that “In my opinion, KB4099950 would be a good occasion to violate the “never install an unticked update” rule”  underlines the point I made in another topic recently to the effect that it’s crucial that all members of the team are seen to be playing the same tune. If some argue that unchecked updates should never be installed, while others argue that a particular case is an exception to that then we mere mortals won’t have a clue what to do for the best.

          I fully understand that these are difficult times, but if different members of the team give us different recommendations, how are we supposed to reach an informed decision on which recommendation to follow?

          1 user thanked author for this post.
        • #182419

          @seff

          I’m a Group A user and my settings result in KB4099950 appearing as both optional and unchecked, and I’m pretty certain I’m not the only one.

          I’d like to point out to you that you are not following Group A. From AKB2000004, the guidelines for Group A read:

          Step A1: Get your settings right.

          In Win7, click Start > Control Panel. In Win 8.1, press Win-X and choose Control Panel. Click System and Security. Under Windows Update, click the link marked “Turn automatic updating on or off.” Make sure Windows Update is set to “Never check for updates (not recommended),” then check the boxes marked “Give me recommended updates the same way I receive important updates” and “Give me updates for Microsoft products and check for new optional Microsoft software when I update Windows.” Click OK.

          If you were following Group A, KB4099950 would be important and CHECKED.

          3 users thanked author for this post.
        • #182428

          The problem is that there are always going to be lots of different ways of defining the different approaches, and while you’re clearly right in theory, in practice I regard Group A users as installing the monthly rollups through Windows Updates while Group B users install the security-only updates from the MS Catalog. Whilst that may not tick all the appropriate boxes in the correct way, it seems to me to summarise the basic difference between the two approaches. However, I fully accept that under the strict definition of the different groups I am somewhere between Groups A and B, albeit very much closer to A than B.

          In any event, if you follow the advice to set Windows Updates to “Never check for updates” then all the time you maintain that setting you are effectively Group W and are in complete ignorance as to what is being offered. I prefer at all times to know what is being offered to me, and only then can I contribute such information to this site.

          I always have my main setting on “Check and notify but let me decide when to download and install” because that way I can follow what’s happening, without ever having had an update automatically install unlike when people report having it set to “Notify and download but let me decide when to install”, while I have always followed the original GXW Control Panel advice to have “Give me recommended updates the way I receive important updates” unchecked. Maybe I need to change that particular setting if it’s generally felt that there are compelling reasons to do so.

          In any event, it’s useful to know that it’s that setting that determines why KB4099950 is checked or not, so thanks for that. It helps when considering the further response below from MrBrian.

        • #182443

          The reason I am Group B (Win 7 x64) is that, when one installs some updates by hand from the MS Catalogue, if later it turns out that there is something wrong with one of those updates, one can de-install it leaving the rest in place.
          When there is a problem with a rollup, one can only de-install everything, good and bad together.
          The main problem with being in Group B is that there may be updates fixing previous updates that are only available in the rollup. So far, nothing evil has happen to me because of that, at least that I can tell… So, still in Group B.

          Ex Windows user (Win. 98, XP, 7) since mid-2020. Now: running macOS Big Sur 11.6 & sometimes, Linux (Mint)

          MacBook Pro circa mid-2015, 15" display, with 16GB 1600 GHz DDR3 RAM, 1 TB SSD, a Haswell architecture Intel CPU with 4 Cores and 8 Threads model i7-4870HQ @ 2.50GHz.
          Intel Iris Pro GPU with Built-in Bus, VRAM 1.5 GB, Display 2880 x 1800 Retina, 24-Bit color.
          macOS Monterey; browsers: Waterfox "Current", Vivaldi and (now and then) Chrome; security apps. Intego AV and Malwarebytes for Macs.

        • #182424

          I can fully appreciate that it’s confusing that different people here sometimes give differing advice about what to do. You could decide to always follow one particular person’s advice (if available), or you could ask the reasons why a given person gave particular advice, and decide for yourself which advice to follow. The “never install an unticked-by-default update” rule is not a rule that I personally agree with, and KB4099950 provides an excellent example of why.

          4 users thanked author for this post.
      • #182508

        @twbartender

        To shed some further light on your confusing situation (and that of MANY others, I’m sure) regarding KB4100480, here’s the wording of an explanatory note that’s in the KB article about this update:

        • This security update was updated on April 5, 2018 to address applicability issues in the original release of the update.
        • Applicability rules have been expanded for this update. Therefore, this update will be offered via Windows Update and Windows Server Update Service (WSUS) if any of the Security Only (SO) updates that are listed in the table above are applied.
        • No specific functional changes have been made to this security update. Therefore, no additional action is needed if this update has already been applied.

        Notice the last sentence in the last bullet point above. If it’s already installed prior to April 5th, you’re still good to go, no action is needed.

        In other words, they updated it, as you noticed, on April 5th, but only to expand the field of applicable Windows 7 SP1 and Windows Server 2008 R2 SP1 installations to include those folks who have installed the Security Only updates for any one of the months of January, February or March as well as the folks (already included) who have installed the rollups for those months.

        I hope that this post, along with the post above from @MrBrian, help clear things up for you and anyone else with the same question as you about KB4100480.

        R/

        Bob99

        2 users thanked author for this post.
    • #182351

      Win 7 x64, AMD processor, Group B, Rolled back to December.

      After reading through all this I’m trying to put together some instructions for myself if I ever want to start patching again and this is what I’ve come up with.

      Install order

      KB4073578 (assuming this replaced KB4056897)

      Restart

      KB4074587

      Restart

      KB4099950

      Restart

      KB4088878

      KB4099467

      Restart

      KB4100480

      Does this look correct?

      • #182427

        That order looks right, except the intermediate reboots aren’t needed. Don’t forget to install a March 2018 cumulative update for Internet Explorer also.

        1 user thanked author for this post.
    • #182360

      Strangely, KB4088875 has disappeared from my list of recommended updates for  Win 7 HP 64 bit.  It has been gone for at least 2 days now and maybe longer as I do not check WU everyday.  I did not install or hide, just not listed anymore.  I do see KB 4100480 and KB4099950 listed and checked.  Anyone else have this issue.  I have not installed any MS updates since the Feb updates.

      • #182364

        Note to Windows 7 users: KB4088875 (Windows 7 2018-03 Monthly Rollup) is available on Windows Update, but there are unusual steps needed to see it. See https://www.askwoody.com/forums/topic/windows-update-not-offering-kb4074598/#post-182019 for more details.

        2 users thanked author for this post.
        • #182401

          Indeed, but it appears from the various links that for the March monthly rollup to reappear requires the prior installation of an update – KB4099950 – that for some at least remains unchecked, and therefore according to Woody’s 1st Rule of Patching – if it isn’t checked, don’t check it – we won’t get to see the March monthly rollup!

          The more I read on this topic, the more I’m inclined to sit back and do nothing. Whether that is only until the feedback on next Tuesday’s April updates or beyond January 2020 into infinity remains to be seen.

          Microsoft have been making our patching decisions increasingly difficult for some time, yet perversely those decisions are finally beginning to be increasingly easy!

        • #182417

          See my post at 11:07 today – had the same situation, you need to check it and follow the trail is you want to get KB4088875.

          Still trying to decide what to do with now!

    • #182372

      And what happens to KB4088881 that is hidden?

      When it is reissued as the regular Monthly Rollup it will appear back in Windows Update…

      Oops… edited to correct my misunderstanding…

      KB4088881 stays hidden, unless you unhide it, or it gets pulled. Per PKCano, “It contains the current month’s Rollup PLUS the non-security package for the coming month (not the security package). So it’s basically a “preview of what’s to come.” Microsoft then adds the security package to it, and that becomes the next month’s Rollup.

      Non-techy Win 10 Pro and Linux Mint experimenter

      • #182418

        Thanks for that info

      • #182425

        The preview rollups aren’t reissued later as monthly rollups. KB4088881 will remain marked as hidden.

        1 user thanked author for this post.
        • #182433

          Oops, I blew that one…

          That means that when April’s Monthly Rollup is issued, it doesn’t matter that the preview is hidden… because the patches that are in it, are forwarded to the April Rollup?

          Non-techy Win 10 Pro and Linux Mint experimenter

        • #182455

          They’re different updates, with different update IDs, and different contents.

          1 user thanked author for this post.
      • #182459

        After installing KB4099950,  KB4088881 reappeared in optional updates unchecked.

        Win 10 Pro v.20h2

    • #182365

      Hi, I’m Windows 7 64-bit, i7-3770, with Jan and Feb patches installed.

      I’ve decided to follow, as I’ve always done, Woody’s recommandation, that is … do nothing; no March patching and no rollback.

      I’ll wait for new instructions from Woody.

      2 users thanked author for this post.
      • #182403

        Hi,

        i too am on Windows 7 64 bit and decided to dive right – in with the March Updates TODAY,after reading Woody’s post and thankfully everything went just fine.Still several hours later,No blue screens,No system slowdowns,Nada…A big thank you to Woody for his regular invaluable advice.

         

        Windows 7,Home Premium 64 bit - Lenovo laptop
        Group A - Intel (R)Core i7 Processors -

        ASUS Chromebook C213 12.5 inch
        64GB memory .

        iphone 6,need to upgrade soon,bugger !

        Reeder M7 Go 2019 Tablet !

        2 users thanked author for this post.
    • #182388

      Win 10 Pro 1703 – updated today, no issues so far.  🙂

      Hid KB4023057 and the feature update to version 1709, everything else for March has been updated.

      I believe I will follow advice and leave my Win 7 Pro box alone …

    • #182380

      I did search AskWoody.com (site, forums; Google search, on-site search) but did not find an answer to this question. My apologies if this has been A&A (asked and answered).

      How do I determine which Windows 10 Pro update I have, e.g., 1703, 1709, 1803?

      System Info says:
      Windows 10 Pro
      Version 10.0.16299
      Build 16299

      Thanks!

      Mark

       

      Edit to remove unnecessary system information

      • #182390

        You have Windows 10 v 1709, BUILD 16299. The 16299 indicates the Build which is indicative of the version 1709.

        2 users thanked author for this post.
    • #182413

      I have read Woody’s Computer World article and all the forum comments.

      If we choose Woody’s second option

      “If you don’t need the headache, and you’re reasonably sure nobody’s going to attack you with a Total Meltdown push*, don’t do anything. Don’t install any of the March patches”

      what do we do going forward?  Do we just wait for the April patches and a subsequent DEFCON 3 announcement?

      Thanks.

      2 users thanked author for this post.
      • #182438

        what do we do going forward? Do we just wait for the April patches and a subsequent DEFCON 3 announcement?

        Yep… if you are choosing the wait and see option… you get to wait… and see…

        Non-techy Win 10 Pro and Linux Mint experimenter

        6 users thanked author for this post.
    • #182422

      Group A Win 7 Pro x64…I did not install any of the Mar. updates and rolled back to Dec. using Windows Update Mini Tool. Everything is working smoothly. At this point I’m being offered via WU KB4091290 ( unchecked ) and KB4099950 ( checked ). Unless I’m missing something here, it appears that everyone is being offered something different even though their configurations are similar or the same. That would lead me to believe that there is no one answer that fits all to the many questions ( including mine ) that everyone has. I’m seeing others that rolled back as I did being offered completely different updates than me. This leads to the mass confusion that’s being seen here. Please correct me if I’m looking at this wrong   🙂

    • #182444

      I have  two win 7 64 bit computers.  Both of them had the following on them under windows update when I checked windows update today:  KB4018317 Outlook update, KB2965234Powerpoint update, (both of these were unchecked), KB4100480 2018-03 Security Update for Win 7 64 bit, Checked,  KB4091290 2018-03 Updated for Win 7 64 bit, Unchecked and KB4099950 2018-03 update for Win 7 64 bit.  This list was off the laptop which had been turned off for 9 days since I did not need to use it.  When I when turned on the laptop today it had the KB4088875 update but when I hit check for updates, it disappeared.  The resulting list was as stated above.  I checked the list on the laptop to the list on the desktop and they were the same.  After installing the checked updates including the updates for Outlook and Powerpoint, rebooted the computer and the only update available was the unchecked KB4091290.  I then read about the KB4091290 and found it was for the smart card issue that arose in February.  I’d like to thank Mr. Brian for his comment that you do not need to install this especially since I do not use smart cards on either of the computers.  Unless something else pops up between now and Tuesday,  I am going to sit tight until the craziness that starts again on Tuesday settles down and I get the directions and advice from Ask Woody–Thanks Woody and everyone else.

    • #182454

      FWIW,  I’ll add my experience

      Win7 Pro 64bit

      I installed in this order

      -KB4096040 (the initial March Win 7 IE Cumulative Security Update)… IE launched fine after update, so i skipped the replacemnt patch that was issued on 3/23

      -KB4100480

      -the March MSRT

      No problems encountered.  No detectable slow down, although not a power user.

      I assume the consensus is to hold on the “full” March Win7 Security only update until further notice, even though it is listed on the Group B page?

      Edit to remove HTML. Please use the “text” tab in the entry box when you copy/paste.

    • #182469

      I thought I’d put this info here if it helps anyone like it did for me.

      On my Main PC I have Windows 7 64 Ultimate Group B Pre January patches and things work great. My laptop came with Windows 10 so I am running 1703 and I will stay here for awhile until the dust settles with 1803, for now.

      I have not had any issues with being forced to 1709 so I thought I would explain how. I too have windows update set to CBB, 365 days and 30 days. I also use wushowhide to manage the monthly cumulative updates, but I also use WPD, you can get it here https://getwpd.com/ .

      I find this program does just about everything I want it to do to Windows 10. It disables telemetry (I know there is no way to completely shut it off) it makes it super easy to remove built in apps. I have Cortana disabled and I can still search. It allowed me to remove the useless Lock screen and helps me to tame windows update. Every time I install a monthly update I have to go back into WPD to shut off 4x telemetry settings.

      I have been thinking of installing Windows 7 on my laptop as a proof of concept that I can but if time doesn’t allow me to I am currently ‘content’ with how WPD helps me manage my Windows 10.

      I hope this helps someone like it did for me.

       

      Rock

    • #182470

      Don’t install the WIN 10 cumulative for 1709-When it was installed and needed restart, windows has to sign you otu due to a problem. I uninstalled the cumulative for march and now everything is back to normal. I hid the cumulative update so it doesn’t bug me or harm my baby again. I also did a defragment, advanced systemcare, ccleaner AND AN ERROR check afterwards.

      All other updates for 1709 has installed normally and my computer is taking time to digest and adapt to new updates, but everything is normal again.

    • #182482

      Well, I went through the most turgid rigmarole of patching, rebooting, and running WU several times now, and seem to have all the prerequisite patches, and I’m safe from IP address wipeout; now just the Big Bad KB 4088875 leers at me now, _unchecked_, and it’s a genuine standoff as we glare at each other.

      What gives me pause before downloading and installing that morass are two things:

      1. MS’s latest info on the March roll-up (4088875) has the warning, “A Stop error occurs on computers that don’t support Streaming Single Instructions Multiple Data (SIMD) Extensions 2 (SSE2).”  I have NO idea what this means, nor any idea on how to ascertain if I have this function.  Can anyone tell me a method to determine if my system supports SSE2??

      2. KB4088875 is still unchecked, though “important”.  I have always wondered what determines an item in WU to be “checked” or “unchecked”; does it mean, “Kosher-no issues” if checked, and “look out, you still might hit the wall” if unchecked”?  As Groucho used to say, “Any questions?  Any answers?”

      3. If “unchecked” means “Not Yet Kosher”, I’m going to ignore the thing IF April’s rollup will contain everything OK in 408875, plus other things, good or bad.

      Any light thrown on the above deeply appreciated.   This is my only machine, and I simply can’t take a chance of BSOD’ing it.

      Thanks to all, again, who are slogging through this morass. (!)

      Win7 Pro SP1 64-bit, Dell Latitude E6330, Intel CORE i5 "Ivy Bridge", 12GB RAM, Group "0Patch", Multiple Air-Gapped backup drives in different locations. Linux Mint Greenhorn
      --
      "Sure I had a plan; Everybody's got a plan until you get hit in the teeth."

      -A Very Famous Boxer

      • #182495

        Hello Nibbled To Death By Ducks,

        It seems that you have been nibbled to death by updates! Your computer’s CPU supports SSE2 unless your CPU is rather old. One of my favorite handy dandy utilities which I use on my computers, and which I use on all of the office computers, is Piriform’s Speccy. Basically, Speccy shows you details about all of your computer’s hardware along with a lot of other useful stuff. Get the free version of Speccy directly from Piriform at the following link:

        http://web.piriform.com/speccy

        After installing and running Speccy, Speccy could take up to around 30 seconds to analyze the details of your computer’s hardware. When the analysis is done, then suddenly the main details will appear all at once on the main screen. When you see that, click on CPU. Doing so will take you to a details page which tells you everything about your computer’s CPU. Attached are two screenshots of Speccy’s results for my computer. One screenshot is the Speccy Summary page, and the other screenshot is the Speccy CPU details page. In the CPU details page in my screenshot, you can see which instructions my CPU supports. SSE2 is one of them.

        Speccy-Summary

        Speccy-CPU-Details

        4 users thanked author for this post.
      • #182502

        KB4088875 is the March Monthly Rollup. It is unchecked since it still has several issues. You should leave it unchecked for now. My next question is, what is the latest monthly rollup which you presently have installed on your computer? The only way to be sure is to go to Control Panel, launch Programs and Features, and then click on “View installed updates”. Sort the resulting list by Name, such that next to Name you see a small arrow pointing up. If the arrow is pointing down, then click on Name again to reverse the sort order. Now scroll down to the section which is labeled Microsoft Windows. Scroll down some more, and you will see a lot of entries labeled “Security Update for Microsoft Windows”. Each entry is followed by a KB number which is in parentheses. Scroll down the last “Security Update for Microsoft Windows” which you see, and tell us the KB number.

    • #182520

      MrBrian has advised to consider installing KB4099467 after doing so with the other March updates for Windows 7, x64. It fixes some strange problem that, so far, I don’t  believe to have had; touch on wood.

      When I went to get it from the MS Catalogue, found something unexpectedly confusing there:

      There was an update labelled for “Windows 7, x64”, but the information pop-up on that update said that it was for “AMD64 x86” machines.

      Now, we’ve already had the Patch Lady explaining the believe-it-or-not fact that “AMD64” = “x64”, regardless of who made the CPU chips in our PCs. But this is something else:

      As far as I know, “x86” is another way of saying “x32”, which is definitely not the same as “x64”.

      So, is there a contradiction between the update label in the Catalogue and the information on the update itself?

      Or, to put it somewhat differently: Will Patch wonders ever cease?

       

      Ex Windows user (Win. 98, XP, 7) since mid-2020. Now: running macOS Big Sur 11.6 & sometimes, Linux (Mint)

      MacBook Pro circa mid-2015, 15" display, with 16GB 1600 GHz DDR3 RAM, 1 TB SSD, a Haswell architecture Intel CPU with 4 Cores and 8 Threads model i7-4870HQ @ 2.50GHz.
      Intel Iris Pro GPU with Built-in Bus, VRAM 1.5 GB, Display 2880 x 1800 Retina, 24-Bit color.
      macOS Monterey; browsers: Waterfox "Current", Vivaldi and (now and then) Chrome; security apps. Intego AV and Malwarebytes for Macs.

      • #182535

        There was an update labelled for “Windows 7, x64”, but the information pop-up on that update said that it was for “AMD64 x86” machines.

        Screenshot from the MS Catalogue:

        Architecture-AMD64_X86

        There is a comma, not a connector, between the two listings for Architeture.

        But… I really enjoyed, “Will Patch wonders never cease?” as it sums up my jaw dropping amazement when contemplating the mess I have to wade through to get family and friends updated every month this year.

        Non-techy Win 10 Pro and Linux Mint experimenter

        2 users thanked author for this post.
        • #182563

          Elly,

          I’ll take your word for it — and also Anonymous’, in the next comment down.

          But if my machine gets anything after I install the ambiguous KB4099467, from halitosis to shingles, to cardiac arrest, it will be on you. It will be totally on you.

          That said and until then:

          Thanks.

           

           

          Ex Windows user (Win. 98, XP, 7) since mid-2020. Now: running macOS Big Sur 11.6 & sometimes, Linux (Mint)

          MacBook Pro circa mid-2015, 15" display, with 16GB 1600 GHz DDR3 RAM, 1 TB SSD, a Haswell architecture Intel CPU with 4 Cores and 8 Threads model i7-4870HQ @ 2.50GHz.
          Intel Iris Pro GPU with Built-in Bus, VRAM 1.5 GB, Display 2880 x 1800 Retina, 24-Bit color.
          macOS Monterey; browsers: Waterfox "Current", Vivaldi and (now and then) Chrome; security apps. Intego AV and Malwarebytes for Macs.

        • #182620

          But if my machine gets anything after I install the ambiguous KB4099467, from halitosis to shingles, to cardiac arrest, it will be on you. It will be totally on you.

          Given the choices that Woody summarized for us, I have rolled back to December, so installing KB4099467 isn’t on my agenda at all. I’m not recommending others follow my example… it just doesn’t appear to me that Microsoft and Intel have their act together regarding Meltdown and Spector vulnerabilites… and it is my style of managing risk to step back and watch it all work out. I’m hoping to go forward with updating, someday, but just not right now. I’m wishing those making other choices, all the best. I get triggered and anxious over all sorts of things, and the AMD64 terminology seems to bother you… I am hoping you are reassured that it doesn’t seem to be something you really need to be worried about, being unrelated to the AMD processor problems in January patches. I was simply addressing AMD64, x86 being listed, and trying to clarify that. There are enough things to worry about…

          Halitosis to shingles, to cardiac arrest… just don’t blame me if you don’t install KB4099467 and get a StopError BSOD after installing KB4088875… I trust MrBrian on this one. LOL.

          Non-techy Win 10 Pro and Linux Mint experimenter

          4 users thanked author for this post.
      • #182542

        @OscarCP

        <span id=”ScopedViewHandler_labelArchitecture_Separator” class=”labelTitle”>Architecture:</span> AMD64 , X86

        The above is directly from the “Overview” tab of the Microsoft Update Catalog entry for KB4099467. This simply means that the patch applies to BOTH 32 bit ( i.e. X86) and 64bit (i.e. AMD64) processor architectures, with each architecture (x86 and x64) having its OWN, SEPARATE version.

        In your case, simply click on the download button for the version that’s listed as “2018-03 Update for Windows 7 for x64-based Systems (KB4099467)” and you’ll get the version meant for 64 bit systems. You’ll notice that the file name of what you’re downloading begins with “windows6.1-kb4099467-x64” and then goes on with a long trail of characters after that, ending with the .msu suffix.

        The same holds true for ANY Microsoft patch listed that way in the catalog. If it says “Architecture: AMD64 , X86” it simply means that the patch you’re being shown, or told about, is meant for 32 bit and 64 bit systems. It also means that there is a separate patch for 32 bit systems and a separate patch for 64 bit systems, but they share the same KB number.

        This is simply Microsoft’s version of “shorthand” notation, in that they’re trying not to be too wordy. They’re trying to get the information out by being as brief as possible. At one time (within the last two or two and a half years), the Microsoft Update Catalog was meant only for IT professionals, not for the rest of us. That has since changed under Satya Nadella, as have many other things you’ve probably noticed coming from Microsoft.

        Any or all AskWoody MVP’s please feel free to correct the previous statement about the Update Catalog if it’s not completely accurate!



        @OscarCP
        , I hope this helps to stop your head from spinning now and in the future due to Microsoft’s apparently excessive brevity in describing the applicable processor architectures for patches in the Update Catalog. 🙂

         

        Edited for HTML.

        4 users thanked author for this post.
        • #182622

          Thank you for your much better explanation.

          Non-techy Win 10 Pro and Linux Mint experimenter

        • #182693

          This simply means that the patch applies to BOTH 32 bit ( i.e. X86) and 64bit (i.e. AMD64) processor architectures, with each architecture (x86 and x64) having its OWN, SEPARATE version.

          MS make software, not CPUs, better to say:
          “This simply means that the patch applies to BOTH 32 bit ( i.e. X86) and 64bit (i.e. AMD64) Operating System architectures, with each architecture (x86 and x64) having its OWN, SEPARATE version.

          1 user thanked author for this post.
        • #182956

          That’s right, because the processor is hardware (could be with Intel or AMD branding).

          The operating system is software, and the 32 bit (x86) and 64 bit (AMD64) architecture is part of the operating system.

          Even the ‘answer’ was getting it confused…

          Thank you!

          Non-techy Win 10 Pro and Linux Mint experimenter

          1 user thanked author for this post.
    • #182525

      GoneToPlaid, thanks so much for getting back to me!

      Downloaded the program, and it indicates support for SSE2. (Handy little thing, better than many seen in the past.)

      Last Security Update for Windows was KB 3185349 April 7 2018.

      Also, there’s another warning on 4088875 I missed the first time:

      “After you install this update, you may receive a Stop error message that resembles the following when you log off the computer:

      SESSION_HAS_VALID_POOL_ON_EXIT (ab)”

      Should I apply KB4099467 before applying KB4088875, if I should apply 4088875 at all?

      Many Thanks!

      Win7 Pro SP1 64-bit, Dell Latitude E6330, Intel CORE i5 "Ivy Bridge", 12GB RAM, Group "0Patch", Multiple Air-Gapped backup drives in different locations. Linux Mint Greenhorn
      --
      "Sure I had a plan; Everybody's got a plan until you get hit in the teeth."

      -A Very Famous Boxer

    • #182518

      I am in Group B Windows 7 64 bit and I am wondering what I should do with NET Framework Quality Rollup  to 4.7.1 dated 2018-02 ?

      I am going to install up to March security only including  KB4100480 and KB4099950.

      I assume then I won’t need April Security only even when Woody gives the Defcon go ahead.

      Thanks Woody and guys

       

      Edited for HTML. Please use the text tab when doing copy/paste in a reply.

       

       

      • #182538

        I assume then I won’t need April Security only even when Woody gives the Defcon go ahead.

        Why is that?

        Non-techy Win 10 Pro and Linux Mint experimenter

        • #182539

          I think he/she means that he/she doesn’t need to install them right away, and that like everyone here, will pay attention to the MS-DEFCON level changes.

          Just someone who don't want Windows to mess with its computer.
    • #182545

      As I write these words, this thread on the March updates contains 240 replies (and this one will make it 241). Could there be a more telling commentary on the current state of Windows patching?

       

      4 users thanked author for this post.
      • #182553

        actually its more like we are making sure rocks aren’t falling from the sky  and we are correctly protected in case rocks will fall in the future.

        Just someone who don't want Windows to mess with its computer.
    • #182568

      Help please!  I have W7 32 bit, ran WU and only got MSRT and the snooper kb2952664 as important. For recommended I got – kb4076492, kb4033342, kb3184143 and kb4099950. Also kb4075211 as optional, which I think is preview for Feb rollup? But I have all rollups successfully installed upto and including Feb. I hid kb4075211 and ran WU again and was offered kb4091290 as a recommended update it’s 137.7MB! Which is about the usual size of my rollups. This is the first time I haven’t been offered the monthly rollup, the last couple of months I’ve held my breath and took the plunge and installed what I thought I should, but this time I don’t know what to do for the best.

      Should I install, if so in what order or just leave March well alone, and wait till the end of April for (fingers crossed, prayers said) an improvement. I can’t afford to lose this netbook . All words of wisdom welcome at this point.
      Many thanks,  –   Watson.

      • #182582

        **kb4076492 is a .NET Rollup – safe to install if checked
        kb3184143 is a patch to remove GWX components (old) – no needed
        kb4033342 is the installer for .NET 4.7.1 – you can hold off on this one for now, install later when there is not all this chaos. Hide or uncheck.
        **kb4099950 is a required hotfix – install it FIRST before any Rollup
        kb4091290 is a fix for a Smart Card bug issued in Feb – if you are not using Smart Card ID it is not required.

        Hide any Previews that show up in the optional updates list (like you did kb4075211). See @MrBrian ‘s instructions here about getting the current Rollup to appear.

        So far.KB 4088875 (Mar Rollup) may appear as an unchecked important update.

        2 users thanked author for this post.
        • #182669

          PKCano – Thanks for the timely sage advice earlier! On my W7 32 bit i installed March MSRT, kb4076492 and kb4099950. Hid kb2952664, kb3184143 and kb3102429??? (forgot to mention that one). Reboots inbetween , ran WU again and am offered kb4033342 (checked) and kb4091290 (unchecked) – not installing either. I still have not been offered March rollup…??? Don’t know why, all previous rollups successfully installed. So i guess i wait until Defcon 3 for April as I’m Group A, that rollup will supersede the March one, yes? Will i be offered that one…? I hope April’s updates are easier (sigh) as I’m starting to swim out of my depth. Many thanks again,   –    Watson.

        • #182678

          Hide any Previews in the oprionals, search again – until there are no Previews left. March Rollup may show up unchecked.

        • #182696

          PKCano – I only had one preview appear, which i hid yesterday, kb4075211, today it’s not there anymore, in fact it’s no where to be seen. In hidden updates i have kb2952664, kb3184143 and kb3102429. In important updates i have  kb4033342 checked, kb4091290 unchecked. There are no updates in optionals, and still no March rollup….. Aah well.   –   Watson.

           

        • #182703

          Check @mrbrian ‘s post immediately below this. Cleck on the link and be sure you have done everything in his instructions.

        • #182682
          2 users thanked author for this post.
        • #182763

          Couldn’t do all the steps in mr.brians post as i have never been offered March rollup preview kb4088881, so i couldn’t hide it. Only preview i have seen is kb4075211 Feb rollup preview, which i did hide.  The other steps i have done, i cant hide what doesn’t appear – why does MS have to make things so difficult…..   (Tired) Watson.

        • #188670

          re: **kb4076492 is a .NET Rollup – safe to install if checked

          what if it is NOT checked?? it is listed under “important”, but no check.

          thanks

        • #188672

          Rule of thumb: DO NOT check anything that is UNCHECKED by default.

    • #182585

      About why it is so crucial to update, maybe.

      248 comments here, it seems like a lot is wondering about what to do, in what order and how to be safe agains this mess, some people(in January) even said that we should download a new bios update even before they where made to be safe against Spectre/Meltdown.

      In January i followed this page https://www.howtogeek.com/338801/how-to-check-if-your-pc-is-protected-against-meltdown-and-spectre/

      First downloaded Windows Management Framework 5.0 and that was the first time I ever used that program, pretty scary to mess things up. And with help from an youtube video in a language i dont understand https://youtu.be/46a1bcmjUyI

      Now with this Total Meltdown things got even worse https://blog.frizk.net/2018/03/total-meltdown.html

      I guess an informative video or a program to help us check if our computers have these vulnerabilities would be the best way for information about our security.

      Are we really safe if we have an certain kb file installed?

      I noticed that the IE security patches was not cumulative or is it, that is really stupid to have to install every patch since one year back, does it matter what order. With firefox i just download the latest update.

      And I never know if my firewall is safe either but that is an another question…

      Is our computer ok just because we dont see any problem?

      And big thanks for all the help and information here!

      • #182590

        The IE11 security patches ARE cumulative. The Win7/8.1 security-only patches ARE NOT cumulative, so each one has to be installed separately.

        • #182733

          If IE11 security patches ARE cumulative, then it makes things more confusing. I installed december 2017 patch first, rebooted, then installed every patch from may to november without any word that IE it was updated.

          So this means that I can Uninstall every IE security patch i installed and then install the latest one?? This would clean up my installed kb files.

        • #182738

          You do not have to uninstall anything. Just install the latest IE11 patch and you will be fine.

          1 user thanked author for this post.
    • #182593

      Win 7 Pro x64, Group B.
      Installed patches as follows in two sessions (this afternoon and evening, Sunday):
      1. 4099950, 4100480 (from Windows Update – had to tick 4099950)
      Forgot to Check for Updates afterwards.
      2. 4088878 (reboot – OK; Checked for Updates – no new ones found)
      3. 4099467 (temp. hitch as wouldn’t download from Catalog via Pale Moon browser – don’t know why; switched to Chrome, all OK)
      4. 4096040 (reboot – OK; Checked for Updates – no new ones found)
      5. Office 2010 patches x 4 (ticked ones only; no reboot called for; checked for updates: found 4018317 for MS Outlook, unticked)

      So far (late Sunday evening), all still OK.

      Dell Precision 3630 w/32 GB RAM, 500 GB (C:), 1 TB (D:)
      Window 10 Pro x64
      Internet: FTTC (Fibre to the Kerb)

      2 users thanked author for this post.
    • #182595

      HTH:

      Win7 Pro x64 SP1, AMD Phenom II X4, Group B

      wuauserv Disabled until searching and manually downloading

      Up to date through February.

      Dates and March updates:

      0401 KB4100480 from catalog

      0406 all four checked Office 2010 updates from WU

      (Soul search: not found)

      0407 imaged disk w/ Macrium Reflect

      KB4099950 from catalog (unchecked at WU, BTW)
      KB4088878 from catalog
      KB4096040 from catalog
      KB4099467 from catalog
      AOK after restart

      0408 first boot morning after — AOK.

      3 users thanked author for this post.
      • #182699

        Thank you so much!  You’re the first person to mention that you installed the four checked Office 2010 updates!  I’ve been waiting and waiting for some news about this, and you also confirmed that all seems to be AOK.  Thanks again!

        We're getting Sticker Shock everywhere now, not just car dealers.

    • #182598

      Updated my Win 7 Pro box today (Intel Core i3 – Sandy Bridge).  Only one important update was available, KB4100480, 2018-03 Security Update for Windows 7 x64.

      Was previously current with updates through 2018-02, except for the .NET 4.7.1 update, which I left unchecked.

      Security Update install went fine, but after the restart the desktop was very slow to appear, then was not responsive at all.  Let it run for a few minutes, then did a hard shutdown.  Was half expecting to need to reboot to safe mode, but everything was fine when the system booted up again.  Weird!

      Except for that initial hiccup, everything is functional and stable now.  🙂

       

      2 users thanked author for this post.
    • #182605

      I feel like I am going back to AskWoody School. I switched to Group A because patching was becoming a right pain. I’m a Windows 7 Home Premium 64-bit user with no network to worry about.

      I toned down telemetry and install the monthly rollups but left my settings as “check for updates but let me choose to download/install”, and unchecked the”give me recommended…” option.

      I always wait until Defcon 3 and/or advised by you to patch. So far things have worked out.

      I had KB4074598 and KB4056894 installed and added KB4100480 and the end of March after checking the forums. I haven’t had any problems.

      KB4099950 and KB4091290 were offered as recommended and unchecked. After
      reading the discussions about settings and those patches – and rereading AKB 2000004 – I changed my settings.

      KB4099950 shows up as important and checked while KB4091290 is important and unchecked.

      I will install the first and wait on the second. Does it “activate” once KB4099950 is installed?
      -firemind

      • #182617

        Hide any Previews that show up in the optional updates, then search again, until there are no other Previews. When you do this, some other updates may show up.

        1 user thanked author for this post.
    • #182615

      Hello, I want to ask some question

      I just recently updated my windows

      1. January rollup update KB4056894 (installed since january )

      2. KB4100480 (installed recently)

      I dont know if this sequence okay or not?

      and I read this article by woody https://www.computerworld.com/article/3268133/microsoft-windows/get-the-march-patches-for-your-windows-machines-installed-but-watch-out-for-win7.html

      As of this moment, EVERY Windows 7 / Server 2008 R2 64-bit patch released this year opens a gaping security hole commonly called “Total Meltdown.” In addition, recent patches have a healthy collection of bugs that range from blue screens (STOP messages), to blocking Internet Explorer 11, to a particularly debilitating bug for folks running servers that leads to lockups due to SMB leaks.

      Microsoft has released a fix for the Total Meltdown hole, but installing it brings along many of those creepy bugs.

      from what I know KB4100480 is for total meltdown right? so is it really bring bugs from march? since the statement on the article said “EVERY” and the 2nd statement said total meltdown fixes. and is KB4100480 already full patch for total meltdown? I read that march rollup supposed to partially fix it but KB4100480 added later or KB4100480 enough for total meltdown fixes?

      Edit to remove HTML: Use the ‘text’ tab in the post entry box when you copy/paste.

      • #182619

        If you have installed any of the Jan, Feb, and/or Mar Rollups or security-only patches, you need to apply KB4100480. Those patches opened another vulnerability called Total Meltdown that KB4100480 fixes. This is not the original Meltdown/Spectre vulnerability, but an ADDITIONAL one.

      • #182657

        “so is it really bring bugs from march?”

        Here is my analysis of KB4100480.

        • #182923

          Hi MrBrian

          “so is it really bring bugs from march?”

          “Here is my analysis of KB4100480.”

          so based on this analysis KB4100480 should be okay for win 7 64bit. i checked my procie and it have SSE2 and PAE issue only for 32bit so it shouldnt affect me i guess.

          and IE, NIC, and SESSION_HAS_VALID_POOL_ON_EXIT (ab)” file not included in KB4100480, so i guess i should be okay since my rollup is January. well i use my pc and so far now bsod, try to log off and its log on fine but im admin tho dont know if its another user log off since its home pc, and my IE not updated so its still IE8, never using it anyway but it wont matter if the file not included anyway xD

          and SMB and antivirus registry is already known since January rollup so i guess im just gonna wait till another good security rollup out i guess? rather than installing so many confusing things to fix March update bugs 🙁

           

           

    • #182621

      Question ? I just finished updating Win 10 Pro x64 ( 1703 ) and it updated the March updates and brought my version up to 15063.994 with KB4088891. Is this the right version ?? I’m showing that KB4088891 should be version 15063.997 on the MS update history page.

      https://support.microsoft.com/en-us/help/4018124/windows-10-update-history?ocid=update_setting_client

      • #182623

        I believe that is a typo on the pulldown. If you open up the link it says .994 (nad that’s what I got too)

        1 user thanked author for this post.
    • #182625

      I am Group A.  I have kept Jan and Feb installed and installed KB4099950 and KB4100480.

      I did all the gyrations and have March KB4088875 back as an Important update but MS has it unchecked.

      KB4099467 (catalogue update for Stop Error) reads to be not an option but a must, yet it is a manual procedure. So do I download and have it available in case I need it – in which case how do you install it on a Stopped Error computer (is this BSOD)?  Or install it before installing KB4088875?

      Anyone know what it does?  Can it hurt to install it whether or not it is necessary?

      • #182627

        If you install KB4088875 and decied to install KB4099467, then install it immediately afterward WITHOUT/BEFORE a reboot in between.

        • #182640

          Hmmm, but ususally one has to reboot to have an update complete installation.  So do the two of them sort it out during the install process and hopefully come back up with no Stop screen?

        • #182644

          If you reboot before  KB40999467, then KB4088875 will cause the BSOD. So you install KB40999467 beforehand to prevent it.

          1 user thanked author for this post.
        • #182660

          The upshot from PKCano is that you should ignore the reboot requirement by clicking cancel. And then you proceed to install the subsequent update as he recommended in order to prevent any potential BSOD after reboot.

        • #182717

          Understand the concept, but if I “install” KB4088875 and select cancel for no reboot – is KB4088875 “really fully installed”?  But then I am going to “install” KB4099467, then actually reboot.

          How do the two “not fully installed” KB’s sort it out in time. If enough of KB4088875 gets installed before KB4099467 gets installed; won’t KB4088875 throw a Stop Screen anyway?

          Are we sure this will work?

        • #182719

          They both get installed before the reboot, during the reboot and while the computer is restarting. So both are in place to prevent the BSOD.

          1 user thanked author for this post.
        • #182720

          “Are we sure this will work?”

          See the part of Mark Phaedrus’ answer from “As it happens” to the end at https://www.quora.com/What-would-happen-if-Windows-10-suddenly-decided-to-reboot-because-of-update-during-defragmentation.

        • #182739

          I went back to read the latest 3/17 MS KB4088875 wherein it referenced at the end the Stop problem and the need for KB4099467 so surprizing it is not listed as Important on WU.

          However, I also looked at KB4088881 the April Preview and the issues read identical EXCEPT the Stop problem is no longer listed as is the need to apply KB4099467!

          Did they include the “fix” in the April Preview?

        • #182794

          ‘However, I also looked at KB4088881 the April Preview and the issues read identical EXCEPT the Stop problem is no longer listed as is the need to apply KB4099467!

          Did they include the “fix” in the April Preview?’

          I think that KB4088881 probably doesn’t fix that particular stop error because according to KB4088881’s file list, it doesn’t include the updated version of file win32k.sys that is in KB4099467. KB4088881 does however fix the Internet Explorer issue that is also fixed in KB4096040.

      • #182674

        I installed KB4088875 on March 25, and I haven’t experienced the issue that KB4099467 supposedly fixes. I didn’t install KB4099467.

        If you want to install KB4099467, I think the best way to do it is install KB4099467 right after installing KB4088875, without a reboot in between. The reason for not rebooting in between is so that when the next reboot happens, the faulty parts of KB4088875 never become active because they’ve been replaced with the fixed parts from KB4099467.

        As with any update, the question is whether KB4099467 introduces any issues.

        1 user thanked author for this post.
    • #182631

      Hello all fellow sufferers!  Please be kind as this is my first time here!  I’m learning as I go with notebooks of instructions.  I am Group A.  I have installed  Jan – KB4056894, Feb – KB4074598, KB4100480.

       

      I redid the instructions to show “Give me recommended updates the same way I receive important updates” and that brought up KB99950 in the important updates which I have not installed.

      Previously, I had installed the March monthly rollup including KB4099467 which did not keep the computer from the BSOD so I uninstalled the March rollup and presently have installed what I have in the first paragraph.

      The March rollup KB4088875 does not show up.

      I would greatly appreciate your advice as to what, if anything, I should install now — and if so in what order.  Also, it has been suggested that after installing KB99950 and KB4088875 not to reboot and then after installing KB40999467 to reboot — am I wrong to believe that in Group A we don’t have the option to not reboot after each installation?  Thanks in advance — I am extremely security minded and not knowing what to do is stressful.

       

      • #182639

        In this case you should choose “reboot later” between KB4088875 and KB40999467.