Patch Tuesday just hit

Topic

New Reply

And we get Security Bulletins! https://technet.microsoft.com/en-us/library/security/ms17-mar.aspx I count 18 of ’em…[See the full post at: Patch Tuesday just hit]

9 users thanked author for this post.

walker, JDeC, dononline, SueW, lizzytish, HiFlyer, Pepsiboy, Elly, Microfix

Reply | Quote

Replies

The link posted by Woody shows “Exploitation Detected” for CVE-2017-0149 (“Internet Explorer Memory Corruption Vulnerability”) and CVE-2017-0005 (“Windows GDI Elevation of Privilege Vulnerability”).

Reply | Quote

Did my edit fix the problem?

Reply | Quote

I meant that Microsoft’s info indicates that those two vulnerabilities have already been exploited.

1 user thanked author for this post.

woody

Reply | Quote

The INTEL – System driver is back. Are we OK with this or no?

Reply | Quote

NO.

Which driver?

Reply | Quote

I posted this a few days ago… checking…

AlexN wrote:

I do, however, have a *new* version of the INTEL thing, labeled “INTEL – System – 8/19/2016 12:00:00 AM – 10.1.2.80” which was released on March 11th and marked optional.

Fortran, C++, R, Python, Java, Matlab, HTML, CSS, etc.... coding is fun!
A weatherman that can code

Reply | Quote

So when will the older updates start being incorporated into the rollups?

Also I saw this. https://blogs.technet.microsoft.com/windowsitpro/2017/03/14/unified-windows-update-history-for-windows-8-1-and-windows-7/

2 users thanked author for this post.

Microfix, woody

Reply | Quote

“March 2017 Security Only Quality Update for Windows 7” is KB4012212

2 users thanked author for this post.

JDeC, SueW

Reply | Quote

March Security Only Quality Update for Win8.1 is KB4012213

Reply | Quote

For Windows 10 “Anniversary”, we are taken to 14393.953…

So far in very brief testing I’m not seeing any problems with my updated Win 10 test system. It booted back up. The only issue is that the Aero Glass for Win 8+ add-on sensed a compatibility issue, and apparently downloaded symbols from the Microsoft servers to compensate, because it’s working.

Note that I have not had time to do any substantive tests yet. Those who rely on Win 10 should definitely heed Woody’s MS-DEFCON 2 setting and hold off updating for now.

-Noel

2 users thanked author for this post.

AlanH, Karlston

Reply | Quote

Noel. First, I want to thank u for all ur contributions on the forum. Good thing we have alot of top notch PC gurus. I have wind 10 anniversary 1607 just updated to 14393.953. I’m in group A but awhile back used to follow Woody and not install updates till cleared but, was just too time consuming. Any how looking at ur post on March 14th 2017 @ 12:56 pm on the 3 screenshots u show of Hide Updates, 2nd screenshot about creators update available ” show me ” and the last about a description of win 10 version 14393.953. My question is I don’t see the screenshot u have of the ” Hide Updates ” I remember reading about how to do this I believe not sure but, didn’t do anything with that. Is this why I don’t see this screenshot on my Windows Update Home screen or anywhere else in my Settings screen ? As I am in group A and this ” Hide Update ” things is just if u want to use it in one of the other groups??? Hope u understand my question. Thanks Noel

Reply | Quote

KB2952664 and KB2976978 are back! They are unchanged from the versions released a week ago, but they are probably of status Recommended now instead of Optional.

Reply | Quote

They are “recommended” CHECKED in the important update list

Reply | Quote

PKCano wrote:

CHECKED in the important update list

Not for me on Win 8.1 it wasn’t. I had previously hidden it, and I did not uncheck it before right-clicking…

It’s now hidden. Again.

By the way, I had some anomalies on the first bootup of my test Win 8.1 system after installing the other updates (e.g., some odd errors in the System event log, and the firewall didn’t start up right). A second reboot corrected all those it seems.

-Noel

1 user thanked author for this post.

woody

Reply | Quote

They’ll appear as checked if you have “Give me recommended updates the same way I receive important updates” selected in Windows Update.

2 users thanked author for this post.

Noel Carboni, zero2dash

Reply | Quote

I’m glad one of us remembers all those intertwined dependencies. 🙂

-Noel

Reply | Quote

Yeah, mine has 2952664, unhidden (no surprise), under Optional with the other 69 things listed there that I won’t install.
2 important updates, the March rollup and the March MSRT, which will both sit there in limbo until I install them in 2 weeks (or more).

The last few times I installed the Security Only update, the same month’s Rollup still appeared in WU, despite the Rollup’s previous fixes also being installed. I wonder if they’ve fixed that (probably not). You would think if the Rollup consists of Update A and Update B, and you installed Update A a month ago and are now installing Update B, that the Rollup would not appear. Then again, this is Microsoft we’re talking about.

Reply | Quote

Cumulative Security Update for Internet Explorer 9, 10, 11
http://www.catalog.update.microsoft.com/Search.aspx?q=KB4012204

Reply | Quote

Important for Woody’s Group B: The Microsoft Catalog download link listed in “MS17-006: Security update for Internet Explorer: March 14, 2017” (https://support.microsoft.com/en-us/help/4012204/ms17-006-security-update-for-internet-explorer-march-14-2017) is http://catalog.update.microsoft.com/v7/site/search.aspx?q=kb3218362 but the cumulative Internet Explorer update is actually at http://catalog.update.microsoft.com/v7/site/search.aspx?q=kb4012204.

Reminder: From https://blogs.technet.microsoft.com/windowsitpro/2017/01/13/simplified-servicing-for-windows-7-and-windows-8-1-the-latest-improvements/:

“Starting with February 2017, the Security Only update will not include updates for Internet Explorer, and the Internet Explorer update will again be available as a separate update for the operating systems listed above.”

8 users thanked author for this post.

MikeFromMarkham, AJNorth, SueW, lizzytish, HiFlyer, Elly, Microfix, woody

Reply | Quote

From “MS17-006: Description of the security update for Internet Messaging API on Windows Vista and Windows Server 2008 R2: March 14, 2017” (https://support.microsoft.com/en-us/help/3218362/ms17-006-description-of-the-security-update-for-internet-messaging-api):

“If you are running Windows Vista or Windows Server 2008, install this security update (3218362) in addition to security update 4012204, in order to be fully protective from this vulnerability.”

1 user thanked author for this post.

woody

Reply | Quote

anonymous wrote:

Important for Woody’s Group B: “Starting with February 2017, the Security Only update will not include updates for Internet Explorer, and the Internet Explorer update will again be available as a separate update for the operating systems listed above.”

Thanks for the reminder, it’s easy to forget amoungst the confusion 🙂

No problem can be solved from the same level of consciousness that created IT- AE

Reply | Quote

Wow, nice comprehesive list of patches to put on standby!

Thanks to all who put this list up so quick on AskWoody.com 🙂

No problem can be solved from the same level of consciousness that created IT- AE

Reply | Quote

I have a lot of great help!

Reply | Quote

Is there a way to tell what non-security “fixes” are embedded in the Security Quality Monthly Rollup for Windows 7?  And what (if anything) will prevent an update like KB2952664 from being embedded in one of those in the future, instead of being displayed separately as it is upon its umpteenth return this month?

(I apologize in advance if such issues have already been addressed; I haven’t been following developments all the closely.)

Reply | Quote

Information on the Security-Only UPDATES and the Security Monthly Quality ROLLUPS (Security + non-security) is on the Win7 History page

https://support.microsoft.com/en-us/help/22801/windows-7-sp1-and-windows-server-2008-r2-sp1-update-history

And on the Software Update Services page

https://support.microsoft.com/en-us/help/894199/description-of-software-update-services-and-windows-server-update-services-changes-in-content-for-2017

1 user thanked author for this post.

walker

Reply | Quote

Unfortunately the “update history” pages sometimes don’t list all of the non-security changes made. Example: On that list under KB3172605 the Windows Update client improvements aren’t listed.

Reply | Quote

Look at wording – it says “Key changes include:”. So, if MS believes adding telemetry is not a “key change”, it won’t be listed.

Antec P7 Silent * Corsair RM550x * ASUS TUF GAMING B560M-PLUS * Intel Core i5-11400F * 4 x 8 GB G.Skill Aegis DDR4 3200 MHz CL16 * Sapphire Radeon 6700 10GB * XPG GAMMIX S70 BLADE 1TB * SanDisk Ultra 3D 1TB * DVD RW Lite-ON iHAS 124 * Windows 10 Pro 22H2 64-bit

Reply | Quote

Because these WU improvements were not introduced in KB3172605 itself, they are part of KB3161608, which got replaced by KB3172605
https://support.microsoft.com/en-us/help/3161608

rest assure that every “telemetry” change will be documented

1 user thanked author for this post.

walker

Reply | Quote

@PKCano:

Since I’ve gotten behind with everything I would appreciate it very much if you could verify the following as being “CORRECT”?   Is this the one for Win 7 x64 GROUP B, the SECURITY Only?

Win7 Security Only x64

http://download.windowsupdate.<wbr />com/d/msdownload/update/softwa<wbr />re/secu/2017/02/windows6.1-<wbr />kb4012212-x64_2decefaa02e2058d<wbr />cd965702509a992d8c4e92b3.msu

And is the following link correct for  Win7 x64, Group B, for the IE 11, update?

Win7 x64

http://download.windowsupdate.<wbr />com/c/msdownload/update/softwa<wbr />re/secu/2017/03/ie11-windows6.<wbr />1-kb4012204-x64_aae120b92b5160<wbr />44b82e6462288521e8974f8e2e.msu

The final question which I must have missed “somewhere” is:

Is it “safe” to download these now, or is it recommended to WAIT until the Defcon level is raised to SAFE?   Also I do not know exactly what “stand-alone” means.  (A REAL “dummy I am).

Thank you so much for all of the outstanding work you have done and for contributing tremendously to this site.       🙂   🙂   🙂

 

 

 

Reply | Quote

The time to download and install the updates is when Woody’s MS-DEFCON number is 3 or greater. So WAIT.
For further reference check AKB2000003 – I am keeping the links there up to date.
https://www.askwoody.com/forums/topic/2000003-ongoing-list-of-group-b-monthly-updates-for-win7-and-8-1/#post-98061

But to answer your questions:
Yes, those two links are correct for Group B. “Win 7 Security Only x64” is Security Only Quality UPDATE for Windows 7 and “Win 7 x64” under IE is the security only patch for IE11.

walker wrote:

Also I do not know exactly what “stand-alone” means.

This means the patch is not delivered through Windows Update, but must be downloaded fromt he Microsoft Update Catalog and installed manually. To do this:
1. Download the file
2. Go to Control Panel\Administrative Tools\Services. Scroll down and highlight Windows Update Service. At the top left click on “Stop” to stop the service.
3. Double click on the downloaded file.
4. After installation finishes, reboot the computer, log back in, and wait 10 minutes before doing anything else.

If you have any questions, come back here and get help.

2 users thanked author for this post.

JDeC, walker

Reply | Quote

PKCano:    Thank you so very, very much for your clear and concise answers to my questions.    Your knowledge is outstanding, and I sincerely appreciate you taking the time to reply to my questions.    You have really “made my day”!!  It’s wonderful that you so willingly share  your expertise.   It is appreciated more than words can express.    Thank you once again!   🙂   🙂  🙂

Reply | Quote

As far as I know, there isn’t, never has been, and never will be a definitive list of all of the non-security changes in the Monthly Rollup. Here’s the KB article for this month’s 8.1 Monthly Rollup: https://support.microsoft.com/en-us/help/4012216/march-2017-security-monthly-quality-rollup-for-windows-8-1-and-windows-server-2012-r2

It has a full list of security bulletins (which surprises me!) and nothing more.

Reply | Quote

hey woody.

New “magic” win32k.sys updates for Windows Vista SP2 to speed up Windows Update scans on Vista: KB4012497. Replaces KB3204723 & previous win32k.sys fixes.

And Microsoft is STILL publishing new MS security bulletins like they did with MS17-005 and earlier.

1 user thanked author for this post.

lmacri

Reply | Quote

Interesting. Wonder if we’ll see an update in wu.krelay.de ‘s list?

And the Security Bulletins – very strange given their send-off in January.

Reply | Quote

Are you sure that KB4012497 replaces KB320472? MS17-018 states “None” in the column Updates replaced.

ASRock Beebox J3160 - Win7 Ultimate x64
Asus VivoPC VC62B - Win7 Ultimate x64
Dell Latitude E6430 - Win7 Ultimate x64, Win10 Pro 22H2 x64 (multiboot)
Dell Latitude XT3 - Win7 Ultimate x86
Asus H170 Pro Gaming - Win10 Pro 22H2 x64

Reply | Quote

It is about Vista if you read @EP’s post and it specifically relates to the speed-up functionality.

@EP is one of the few people who keep Vista alive, while almost everyone else prefers to think that Vista does no longer exist.

Reply | Quote

Thanks. I know it is for Vista as I am trying to update a Vista machine and want to have a speedier update process. In the past whenever a “magic update” replaced an earlier one, it was always indicated in the Security Bulletin. Because this time it states “None” in the “Updates replaced” column, I am wondering how EP knows KB4012497 replaces KB320472.

ASRock Beebox J3160 - Win7 Ultimate x64
Asus VivoPC VC62B - Win7 Ultimate x64
Dell Latitude E6430 - Win7 Ultimate x64, Win10 Pro 22H2 x64 (multiboot)
Dell Latitude XT3 - Win7 Ultimate x86
Asus H170 Pro Gaming - Win10 Pro 22H2 x64

Reply | Quote

From here https://support.microsoft.com/en-us/help/894199/description-of-software-update-services-and-windows-server-update-services-changes-in-content-for-2017

MS17-018: Security Update for Windows Server 2008, Windows Vista, and Windows XP Embedded (KB4012497)

Locale: All
Deployment: Important/Automatic Updates, WSUS, and Catalog
Classification: Security Updates
Security severity rating: Critical
Supersedes: MS16-151 (KB3204723) on Windows Server 2008, Windows Vista, and Windows XP Embedded
Target platforms: Windows Server 2008, Windows Vista, and Windows XP Embedded

2 users thanked author for this post.

walker, Pim

Reply | Quote

Thanks. Apparently MS17-018 should be corrected.

(My apologies for the double post, I assumed I was logged in but I wasn’t. Therefore my original response was Anonymous. That one may be deleted if an MVP reads this and can do that).

ASRock Beebox J3160 - Win7 Ultimate x64
Asus VivoPC VC62B - Win7 Ultimate x64
Dell Latitude E6430 - Win7 Ultimate x64, Win10 Pro 22H2 x64 (multiboot)
Dell Latitude XT3 - Win7 Ultimate x86
Asus H170 Pro Gaming - Win10 Pro 22H2 x64

Reply | Quote

@PKCano:

This is enough to make me even dizzier than I already am.   I missed a lot being away from the computer for a while, so now I’m REALLY getting confused.    Guess I’ll just have to try to do my best.

Win7 x64:  Group B.

I hope there will be explicit instructions on  “checking for updates” and WHEN THE TIME COMES (Defcon Level SAFE)  know which ones to install.  Thank you for all of the detailed guidance – – – You provide a lot of very important information to us all!    🙂   🙂   🙂

Reply | Quote

Microsoft Security Advisory 3123479 (“SHA-1 Hashing Algorithm for Microsoft Root Certificate Program”) (https://technet.microsoft.com/en-us/library/security/3123479.aspx) was revised on March 14, 2017.

1 user thanked author for this post.

woody

Reply | Quote

anonymous wrote:

Is there a way to tell what non-security “fixes” are embedded in the Security Quality Monthly Rollup for Windows 7? And what (if anything) will prevent an update like KB2952664 from being embedded in one of those in the future, instead of being displayed separately as it is upon its umpteenth return this month? (I apologize in advance if such issues have already been addressed; I haven’t been following developments all the closely.)

They are all inclusive rollups so the chance of KB2952664 being included is probably 99.99%.

 

Reply | Quote

They are all inclusive rollups so the chance of KB2952664 being included is probably 99.99%.

This is non-sense and “fake news”.

Like Jim Morrison would say, “I think its a bunch of bulls**t myself”

2 users thanked author for this post.

Microfix, abbodi86

Reply | Quote

And I thought this was about Windows, not The Doors 🙂

No problem can be solved from the same level of consciousness that created IT- AE

Reply | Quote

I notice the Flash Player update “resolves vulnerabilities in Adobe Flash Player when installed on all supported editions of Windows 8.1, Windows Server 2012, Windows Server 2012 R2, Windows RT 8.1, Windows 10, and Windows Server 2016.”

No mention of Windows 7. Does this mean Windows 7 is more secure and therefore doesn’t need to be patched, or that they haven’t been able to fix the vulnerability in Windows 7?

Windows 10 Home 22H2, Acer Aspire TC-1660 desktop + LibreOffice, non-techie

Reply | Quote

Flash Player is incorporated into IE11 in Win8.1 and the updates come from Microsoft.

For IE11 in Win7, you need to download the Flash Player updates from Adobe.com

3 users thanked author for this post.

Pepsiboy, SueW, samak

Reply | Quote

Adobe Flash wasn’t baked into Windows 7 it was a third party addition hence no patch from MS.

[edit] you just beat me to it PKCano

No problem can be solved from the same level of consciousness that created IT- AE

2 users thanked author for this post.

SueW, samak

Reply | Quote

Ah! That makes sense. Thanks PKCano and Microfix.

Windows 10 Home 22H2, Acer Aspire TC-1660 desktop + LibreOffice, non-techie

Reply | Quote

For those running Windows XP, in LTSB mode, there exist a number of security updates this month as well.

Reply | Quote

woody wrote:

And we get Security Bulletins! https://technet.microsoft.com/en-us/library/security/ms17-mar.aspx I count 18 of ’em…[See the full post at: Patch Tuesday just hit]

Woody,

Thanks for the comprehensive list and the big heads up ! ! I’m sure everyone appreciates all the hard work you do to help keep our computers safe.

Dave

1 user thanked author for this post.

ch100

Reply | Quote

Thank you PKCano for the direct links.

Just to confirm. All the SECURITY ONLY links show they come from *2017/02* folders (..msdownload/update/software/secu/2017/02/..) instead of the *2017/03* folders the cumulative update links come from. That is correct even though they are the March patches?

Also, the IE 11 links are listed as “Direct links for the IE 11 CUMULATIVE security patches:” but those are the SECURITY ONLY patches and not the MONTHLY ROLLUP ones right? Or are IE patches also cumulative for the SECURITY ONLY unlike the Windows ones?

Reply | Quote

KB4012212 (Win7)
32-bit or 64-bit

Yes, the 2017/02 folder (unless MS has it wrong on their site). Maybe held over from the non-existent Feb?

The IE security updates are included in the Security Monthly Quality ROLLUP. But if you are in Group B, they are NOT included in the Security Only Quality UPDATE so you have to download them separately. Group B has two updates from the Catalog as of March.

4 users thanked author for this post.

walker, ch100, SueW, lizzytish

Reply | Quote

“5 patches for Office 2010 (all security)” — Woody, I’m seeing only 3 patches for Office 2010 (all security): KB3178687, KB3178688 and KB3178690 on my WIN 10 1607 computers.

Reply | Quote

I am the anonymous poster for Intel Corporation – Display- 11/10/16 12:00:00 AM – 20.19.15.4549.  I am not computer savvy.

Windows 10 Home ver. 1607 HP pavilion desktop Intel(R) HD Graphics 5500, 2.2gHz 5th generation Intel Core i3-5020U Dual Core processor (Broadwell)

I hid all I received.  And, I will wait until Woody calls all clear to install, but I have questions on a couple listed below.

I received the Windows 10 updates Woody mentions, I also received the driver update, again – Intel Corporation – Display- 11/10/16 12:00:00 AM – 20.19.15.4549.  So, if I need it for the next version of Windows 10, I certainly won’t install until until I know that for certain, hopefully from this site.

After a hiatus of a few months, SilverLight appeared, again.  I do not have nor want  SilverLight installed, so I will always hide this as I have done many times.

I also got this smorgasbord :

KB2687440 – MS office update Infopath (I didn’t know I have Infopath, but I did find it in a search).  Do I have to, or should, I install it for a safety factor if I don’t consciously use this?  I may be using it, but I don’t know if I do.

3 MS Office 2007  Security updates, 1 Excel 2007, 1 Word 2007 and  2 MS Office Compatibility Service pack 3.

This was topped off by a Broadcom–Net-1/28/16 12:00:00 AM 7.35.344.0  Should I install this update if WiFi is working fine?  (seems as if it should have been installed already in my February 2016 computer purchase–I did have the wonderful (tongue in cheek) install done by the Staples guy (who even though was told to install 64 bit programs for stuff like Firefox, did them all with 32 bit–yes, I fixed those issues).

Thanks for all the help!

Reply | Quote

The big rollups promised starting with March 2017 including older patches for windows 7 / 2008 R2 and Windows 8.1 / 2012 R2 have not been released today.
Why? Will everything be delayed for one month because of the February 2017 glitch?
https://blogs.technet.microsoft.com/windowsitpro/2016/10/07/more-on-windows-7-and-windows-8-1-servicing-changes/

1 user thanked author for this post.

walker

Reply | Quote

See comments from February 8 at https://blogs.technet.microsoft.com/windowsitpro/2017/01/13/simplified-servicing-for-windows-7-and-windows-8-1-the-latest-improvements/.

2 users thanked author for this post.

satrow, ch100

Reply | Quote

Excellent contribution. I would like to see you not “anonymous”. 🙂

Reply | Quote

I would imagine Woody will want to write about this, I left in is Mail Box earlier…

Here is a peek:

https://blogs.technet.microsoft.com/windowsitpro/2017/03/14/unified-windows-update-history-for-windows-8-1-and-windows-7/

--------------------------------------

1. Tower Totals: 2xSSD ~512GB, 2xHHD 20 TB, Memory 32GB

SSDs: 6xOS Partitions, 2xW8.1 Main & Test, 2x10.0 Test, Pro, x64

CPU i7 2600 K, SandyBridge/CougarPoint, 4 cores, 8 Threads, 3.4 GHz
Graphics Radeon RX 580, RX 580 ONLY Over Clocked
More perishable

2xMonitors Asus DVI, Sony 55" UHD TV HDMI

1. NUC 5i7 2cores, 4 Thread, Memory 8GB, 3.1 GHz, M2SSD 140GB
1xOS W8.1 Pro, NAS Dependent, Same Sony above.

-----------------

1 user thanked author for this post.

ch100

Reply | Quote

Excellent, thanks. 🙂

Reply | Quote

I’m excitedly awaiting them next Tuesday

it’s been 3 boring months 😀

1 user thanked author for this post.

lizzytish

Reply | Quote

😀

Reply | Quote

Could someone clarify please? Security Only Quality is not Security Only? If you haven’t patched IE since the new updating system, can you install the IE kb? What number kb is it?

Reply | Quote

You are worrying too much.
Just install the officially supported update Monthly Security Rollup which comes on Windows Update.
If you are confused, then the Security Only Update is not for you.

Reply | Quote

The correct full is “Security Only Quality Update,” shortened to Security Only, meaning the patch for Windows that contains only security fixes.

anonymous wrote:

If you haven’t patched IE since the new updating system, can you install the IE kb?

Since you don’t provide a date, I have no way of answering that question. Here is the information on the IE Update.

The Cumulative Security Update for IE is KB4012204.

Information can be found here by searching for that number https://support.microsoft.com/en-us/help/894199/description-of-software-update-services-and-windows-server-update-services-changes-in-content-for-2017

Or more specifically here https://support.microsoft.com/en-us/help/4012204/ms17-006-security-update-for-internet-explorer-march-14-2017

 

3 users thanked author for this post.

walker, woody, AlanH

Reply | Quote

PKCano – Thank You.

Reply | Quote

Have not had updates for office 2007 (enterprise edition) for some time.  Are these suitable for windows 7 or are they only for 10.   Should I update from the catalogue.  Thank you in advance.

Glenda Hewitt

Reply | Quote

MS Office is not the same as Windows.

Office 2007 is compatible with Windows 7/8.1/10. Office 2007 reaches end-of-life on 4/11/2017 – that means that after that date there will be no more patches. You should update it with all the currently available patches.

Keep in mind that there have been few patches released for anything in Jan or Feb this year. Patches should be available on Microsoft Update (Windows Update – give me updates for other MS products). If they are not, then information for those available is here

https://blogs.technet.microsoft.com/office_sustained_engineering/tag/office/

Reply | Quote

6 updates for Office 2007 today:

Antec P7 Silent * Corsair RM550x * ASUS TUF GAMING B560M-PLUS * Intel Core i5-11400F * 4 x 8 GB G.Skill Aegis DDR4 3200 MHz CL16 * Sapphire Radeon 6700 10GB * XPG GAMMIX S70 BLADE 1TB * SanDisk Ultra 3D 1TB * DVD RW Lite-ON iHAS 124 * Windows 10 Pro 22H2 64-bit

Reply | Quote

anonymous wrote:

Have not had updates for office 2007 (enterprise edition) for some time. Are these suitable for windows 7 or are they only for 10. Should I update from the catalogue. Thank you in advance. Glenda Hewitt

I have Office 2007 Enterprise myself on W8.1. Will let you know later today, when I check it at home.

Antec P7 Silent * Corsair RM550x * ASUS TUF GAMING B560M-PLUS * Intel Core i5-11400F * 4 x 8 GB G.Skill Aegis DDR4 3200 MHz CL16 * Sapphire Radeon 6700 10GB * XPG GAMMIX S70 BLADE 1TB * SanDisk Ultra 3D 1TB * DVD RW Lite-ON iHAS 124 * Windows 10 Pro 22H2 64-bit

Reply | Quote

Being a member of group B, I’m a little confused about which IE update I should be installing on my Win7 x64 system, with IE11.

According to the Microsoft Security Bulletin MS17-006 article found here,  https://technet.microsoft.com/library/security/MS17-006  it indicates that KB4012204 is for, “Windows 7 for x64-based Systems Service Pack 1 Security Only” and KB4012215 is for, “Windows 7 for x64-based Systems Service Pack 1 Monthly Rollup”.

The thing is, if you go to the catalog for KB4012204, it indicates that the download is a, “<u>Cumulative</u> Security Update for Internet Explorer 11 for Windows 7 for x64-based Systems”. The KB4012215 catalog entry indicates the download is the, “March, 2017 Security Monthly Quality Rollup for Windows 7 for x64-based Systems”.

Based on the titles of each of the two downloads, it would seem to contradict what the Microsoft Security Bulletin MS17-006 description indicates.

What’s even more confusing is, the size of  KB4012215 is 145.5 MB and the size of KB4012204 which is supposedly the cumulative update is only 51.7 MB…

That being said, which of the 2 updates should I be installing if I’m in group B?

Reply | Quote

KB4012215 is the Security Monthly Quality ROLLUP for Windows 7. This is for Group A. This ROLLUP contains the Cumulative Rollup for IE11 as well as Windows.

KB4012212 is the Security Only Quality UPDATE for Windows 7. It does NOT include the update for IE11. This is for Group B. Since the IE11 update is not included in this patch, Group B now has to download a second update to cover Internet Explorer 11.

KB4012204 is the Cumulative Security Rollup for IE11. This is for Group B.

From now on, Group B will need to download TWO updates from the Catalog to stay patched

6 users thanked author for this post.

lizzytish, walker, SueW, Microfix, abbodi86, twbartender

Reply | Quote

PKCano,

Thanks for the clarification it’s much appreciated.

Reply | Quote

4012215 is the full monthly rollup, which includes the IE patch, for group A. 4012204 is the separate IE patch, for those installing 4012212, which is the security-only patch and does not include the IE one.

Reply | Quote

Meep, ninja’d, and much more thoroughly too.

But on that note, no file hash info for 4012204, is there? (The SHA256, I mean, since the SHA1 is in the file name too.) For the security only rollup it’s there, for this it isn’t.

Reply | Quote

I’m going to guess Microsoft has to change the name of an inordinate number of files. Maybe this one was created before the SHA1 to SHA256 transitions and they just haven’t gotten around to it yet. 😉  😉

Reply | Quote

After installing the 3 updates without problems, my W10x64 is now downloading KB3176936, old service stack again for installing.
Anyone with the same problem?

Reply | Quote

I have a question for you Woody. It concerns Trusted Installer that is invoked by Windows to install the updates. I ask because I remember reading a comment on another thread made by one of your MVPs who suggested we give Trusted Installer time to do its thing. I took that as I should not interrupt it or bad things might happen. How would I know how long to wait?

In the past I let Windows Update take care of the installation and install of all the updates that were pre-selected by Microsoft. Having chosen Group B, I am now no longer depending on Windows Update to do this, as the ones I want come from the MS catalog.

This month I have the IE cumulative update and the security only update to install. How long should I wait between the first install finishing and starting the second?

Reply | Quote

If you manually install an update that requires a boot, you should go ahead and reboot the computer after the installation. After the reboot and login, rule of thumb is wait 10 minutes before proceeding to allow Trusted Installer to finish it’s work. But one way to gauge this is to open Task Manager and watch the CPU usage. Wait until it drops below 7-10% and stays there.

3 users thanked author for this post.

lizzytish, walker, ch100

Reply | Quote

You can install them both before restarting

i.e. install security only, when it prompt to restart, close
then install IE cumulative, when it prompt to restart, restart

5 users thanked author for this post.

lizzytish, walker, dononline, ch100, PKCano

Reply | Quote

Please see @abbodi86 post in context, only for the updates which are mentioned here in the post.
This should not be seen as generic advice as different updates may behave differently.

3 users thanked author for this post.

lizzytish, walker, dononline

Reply | Quote

@abbodi86 has much more insight than I do. Take his advice on this.

Reply | Quote

From https://en.wikipedia.org/wiki/Transactional_NTFS:

“Transactional NTFS (abbreviated TxF[1]) is a component introduced in Windows Vista and present in later versions of the Microsoft Windows operating system that brings the concept of atomic transactions to the NTFS file system, allowing Windows application developers to write file-output routines that are guaranteed to either succeed completely or to fail completely.[2] Transactional NTFS is also known informally as NTFS 6.0, because it was introduced with Windows Vista, which has internal Windows version designation NT 6.0.

Major operating system components, including System Restore, Task Scheduler, and Windows Update, rely on TxF for stability.”

“Hasn’t the problem of updates being partially installed until the next reboot already been solved by changes in Windows?” – https://blogs.msdn.microsoft.com/oldnewthing/20151211-00/?p=92501.

Reply | Quote

Normally TrustedInstaller continues where it was left.
However, if Windows update is configured on Never check for updates, there is a good chance that TrustedInstaller (and TiWorker which is an associated process in Windows 8 and Windows 10, not Windows 7) never completes its task, until the next scan which may take much longer that normal due to this configuration.
The other post mentioned was probably asking for the computer not to be restarted following any update, until TrustedInstaller becomes quiet.
This is monitored with Task Manager.
I think for regular users, the original recommendation from Woody for most users to select Check for updates but do not download has merit as it allows TrustedInstaller to do its work in the background. Users who are fully patched until the last month (Group A) should never have any issues with slow scans.
I personally prefer the Download but do not install configuration, but this has downsides as it may install at shutdown if the user does not fully understand its behaviour.

1 user thanked author for this post.

lizzytish

Reply | Quote

Did I not get the memo that said my XXX@live.com email (outlook) was going to be killed?  As of today 3/15 it says “last updated 4 days ago”.   I use Win  version 1607.

Reply | Quote

Microsoft Silverlight KB4013867 appeared in my update list.  I do not want, or have Silverlight installed here.  Hidden.

I am on Windows 10 Pro 1607 “Anniversary”.

I looked in “Programs and Features”, also ran a registry search, and a file search to see if I had a hidden Silverlight install.  Nada.

Weird!!!

Security Update for Microsoft Silverlight (KB4013867) https://www.microsoft.com/en-us/download/details.aspx?id=54857

Windows 10 Pro 22H2

Reply | Quote

Microsoft Silverlight KB4013867 appeared in my update list.

You have the check box to check for updates from Microsoft Update selected.
If you have Office installed, you need that check box selected, but unfortunately this comes with Silverlight as another Microsoft product.
Does it force you to install Silverlight?

Reply | Quote

I’m another anonymous who 1st mentioned they got Silverlight.  I’ve hidden it on my win 10 1607 about 4 times now since a year ago February.  I don’t have Silverlight, and don’t want it.  I think MS is just trying to force it down our throats like so many other things.  I think they push it more before version updates.  I have not been forced to install it yet–I just hide it.

Reply | Quote

Yeah on Win7x86/64 Silverlight showed up here as well and as I dont use it, it either sits there or is hidden. If any of you dont want Silverlight (and I dont) and your contemplating a clean install in the future. You should be aware that youll get offered it about 13-14 times according to the versions out there. Its a pain on a new setup and it takes up room on an older smaller machine.

Reply | Quote

Same here.

Reply | Quote

Some of my early testing feedback, after having applied the March updates (group A style with a few exceptions) to Windows 7 x64 Ultimate, Windows 8.1 x64 Enterprise, and Windows 10 x64 Pro VMs:

Windows 7:

• The updates went in smoothly and quickly.
• SFC /VERIFYONLY passed.
• Brief tests of system functionality are all good. No problems found so far.

Windows 8.1:

• The updates went in smoothly and quickly.
• After the first reboot I saw an error message in the System event log implying the user registry was found corrupted and recovered. I also saw two other messages implying something went wrong with enabling event publisher “Microsoft-Windows-Kernel-ShimEngine/Operational”.
• I found my Sphinx Windows Firewall Control driver had not started.
• After a second reboot, all seems well, no errors were logged, and the firewall software was performing nominally. Based on this experience I suggest rebooting twice after the updates go in.
• SFC /VERIFYONLY passed.
• Development operations I typically do (e.g., builds with Visual Studio) seem to be functioning nominally.

Windows 10:

• A check for updates with the WUShowHide tool went smoothly and quickly.
• The update installation with the Settings App went smoothly and quickly.
• After reboot, Aero Glass for Win 8+ reported an incompatibility error and inability to find debug symbols for the new modules, but works okay anyway.
• SFC /VERIFYONLY passed.
• The Sphinx firewall software is performing nominally.
• Development operations I typically do (e.g., builds with Visual Studio) seem to be functioning nominally.
• O&O ShutUp10 did not show any privacy settings reverted.

-Noel

5 users thanked author for this post.

Geo, dononline, walker, ch100, woody

Reply | Quote

Hey Noel,

I was just curious about a couple of your procedures. Of course we have our own way of doing things. SFC, why only Verify? and why no DISM /RestoreHealth? 😀

W 8.1 Pro Test partition. All WU updates presented installed. All OKAY so far.
SFC /Scannow clean.
DISM /RestoreHealth on last released ESD W 8.1.3 Pro Clean
DISM /RestoreHealth on current MS Servers clean.
DISM Component Cleanup Clean.

W 10.0 1607 RR partition RTM CU and other Updates presented on WU Installed. All OKAY so far.
SFC /Scannow Clean.
DISM /RestoreHealth on CBB Released ESD Clean
DISM /RestoreHealth on current MS Servers clean
DISM component Cleanup Clean.

W 10.0 1703 RS2 IP Build 15058
Full ESD > ISO Created
UUP > Delta ISO Created

Delta ISO Install Pending but soon.

--------------------------------------

1. Tower Totals: 2xSSD ~512GB, 2xHHD 20 TB, Memory 32GB

SSDs: 6xOS Partitions, 2xW8.1 Main & Test, 2x10.0 Test, Pro, x64

CPU i7 2600 K, SandyBridge/CougarPoint, 4 cores, 8 Threads, 3.4 GHz
Graphics Radeon RX 580, RX 580 ONLY Over Clocked
More perishable

2xMonitors Asus DVI, Sony 55" UHD TV HDMI

1. NUC 5i7 2cores, 4 Thread, Memory 8GB, 3.1 GHz, M2SSD 140GB
1xOS W8.1 Pro, NAS Dependent, Same Sony above.

-----------------

1 user thanked author for this post.

Noel Carboni

Reply | Quote

PhotM wrote:

SFC, why only Verify? and why no DISM /RestoreHealth?

I always like to know whether something’s wrong before giving a command that will try to correct problems.

If it passes SFC /VERIFYONLY why do more?

I have used the others in the past when I’ve detected problems. In this case there were none.

-Noel

1 user thanked author for this post.

ch100

Reply | Quote

Noel, 😀

Are you saying I am throwing caution to the wind? 😆 hehehe

Seriously, I have been doing it this way for years. The reason is I don’t want to take 2-3 times longer then necessary. If there is something wrong, I want it fixed. I also believe, especially earlier SFC, was more thorough in Scannow then in Verifyonly. That maybe different now, I am not sure. I simple applied this to RestoreHealth. Also SFC can come out clean but DISM may not.

Anyway I was just curious and not trying rearrange your thinking…..

--------------------------------------

1. Tower Totals: 2xSSD ~512GB, 2xHHD 20 TB, Memory 32GB

SSDs: 6xOS Partitions, 2xW8.1 Main & Test, 2x10.0 Test, Pro, x64

CPU i7 2600 K, SandyBridge/CougarPoint, 4 cores, 8 Threads, 3.4 GHz
Graphics Radeon RX 580, RX 580 ONLY Over Clocked
More perishable

2xMonitors Asus DVI, Sony 55" UHD TV HDMI

1. NUC 5i7 2cores, 4 Thread, Memory 8GB, 3.1 GHz, M2SSD 140GB
1xOS W8.1 Pro, NAS Dependent, Same Sony above.

-----------------

Reply | Quote

You make a very good point about using a more thorough check, such as…

DISM /Online /Cleanup-Image /ScanHealth
-or-
DISM /Online /Cleanup-Image /CheckHealth

Do you know whether /ScanHealth encompasses all of what /CheckHealth shows? Or are both required, in order?

-Noel

Reply | Quote

Noel,

If I knew at one time, I don’t remember now. I just never use them, sorry. I can’t imagine that they are the same. To what degree difference, I just can’t say….

--------------------------------------

1. Tower Totals: 2xSSD ~512GB, 2xHHD 20 TB, Memory 32GB

SSDs: 6xOS Partitions, 2xW8.1 Main & Test, 2x10.0 Test, Pro, x64

CPU i7 2600 K, SandyBridge/CougarPoint, 4 cores, 8 Threads, 3.4 GHz
Graphics Radeon RX 580, RX 580 ONLY Over Clocked
More perishable

2xMonitors Asus DVI, Sony 55" UHD TV HDMI

1. NUC 5i7 2cores, 4 Thread, Memory 8GB, 3.1 GHz, M2SSD 140GB
1xOS W8.1 Pro, NAS Dependent, Same Sony above.

-----------------

1 user thanked author for this post.

Noel Carboni

Reply | Quote

Just a guess, but it looks from the output like /ScanHealth is a superset of /CheckHealth. The former took minutes to run, while the latter put out its result immediately.

-Noel

Reply | Quote

The most useful ones

dism.exe /online /Cleanup-Image /AnalyzeComponentStore
dism.exe /online /Cleanup-Image /StartComponentCleanup

dism.exe /online /Cleanup-Image {/CheckHealth | /ScanHealth | /RestoreHealth}

1 user thanked author for this post.

PhotM

Reply | Quote

You got that Right CH100,

I can’t live without any of them!!!

--------------------------------------

1. Tower Totals: 2xSSD ~512GB, 2xHHD 20 TB, Memory 32GB

SSDs: 6xOS Partitions, 2xW8.1 Main & Test, 2x10.0 Test, Pro, x64

CPU i7 2600 K, SandyBridge/CougarPoint, 4 cores, 8 Threads, 3.4 GHz
Graphics Radeon RX 580, RX 580 ONLY Over Clocked
More perishable

2xMonitors Asus DVI, Sony 55" UHD TV HDMI

1. NUC 5i7 2cores, 4 Thread, Memory 8GB, 3.1 GHz, M2SSD 140GB
1xOS W8.1 Pro, NAS Dependent, Same Sony above.

-----------------

1 user thanked author for this post.

ch100

Reply | Quote

I am on my Delta ISO Upgrade to Build 15058.0 it appears health so far. It was as fast as a Full ISO or maybe a bit faster. It wasn’t that noticeable. Full ISO is between 15 to 20 minutes.

Have not run DISM of SFC yet though.

A very special Thank You to “abbodi86” for supporting his convertion software!!!! CUDOS!!!
I send somebody over here to get your software link as well and he said it worked great and was up and running in no time.

--------------------------------------

1. Tower Totals: 2xSSD ~512GB, 2xHHD 20 TB, Memory 32GB

SSDs: 6xOS Partitions, 2xW8.1 Main & Test, 2x10.0 Test, Pro, x64

CPU i7 2600 K, SandyBridge/CougarPoint, 4 cores, 8 Threads, 3.4 GHz
Graphics Radeon RX 580, RX 580 ONLY Over Clocked
More perishable

2xMonitors Asus DVI, Sony 55" UHD TV HDMI

1. NUC 5i7 2cores, 4 Thread, Memory 8GB, 3.1 GHz, M2SSD 140GB
1xOS W8.1 Pro, NAS Dependent, Same Sony above.

-----------------

Reply | Quote

I just installed all the March Window Updates on my Exchange 2016 Edge server on Windows Server 2016 and the Exchange Transport won’t start:

 

Microsoft Exchange couldn’t initialize the Content Filter agent because ExSMime.dll couldn’t be initialized.

 

Failed to create agent factory for the agent ‘Content Filter Agent’ with error ‘Failed to create type ‘Microsoft.Exchange.Transport.Agent.ContentFilter.ContentFilterAgentFactory’ from assembly ‘C:\Program Files\Microsoft\Exchange Server\V15\TransportRoles\agents\Hygiene\Microsoft.Exchange.Transport.Agent.Hygiene.dll’ due to error ‘Exception from HRESULT: 0xC0630005′.’. Please verify the corresponding transport agent assembly and dependencies with correct version are installed.

 

 

1 user thanked author for this post.

woody

Reply | Quote

Which version of Windows Server? 2012R2 maybe?

Reply | Quote

Windows Server 2016Datacenter

1 user thanked author for this post.

ch100

Reply | Quote

This is interesting because what you report is actually Exchange components being blocked by an update for Windows and not an update made to Exchange.
I am wondering what incompatibilities may be there.
Exchange 2013/2016 are entirely built on .NET Framework 4.5.x and there were known issues with .NET Framework 4.6.x, at least until recently.
This is the reason why I asked about the OS, but I noticed that you mentioned that the OS is Windows Server 2016.
Windows Server 2012 R2 comes by default with 4.5.1 if I remember well, while Windows Server 2016 comes with .NET Framework 4.6.x

Reply | Quote

So I restored my Exchange server from backups and ran the updates again and after the reboot the Exchange Transport service still don’t start so I’m a bit stuck. The Google Foo I did didn’t help…

Reply | Quote

I haven’t been offered any Office 2010 updates yet on my Win7 machine with Office 2010 installed. Both my Win7 machines have Silverlight long since uninstalled but received an update for it (KB4013867). It’s hidden on both machines, along with our dear friend KB2952664.

The standard monthly roll-up KB4012215 caught someone on Windows 7 Help forum with a catastrophic boot error:-

https://www.sevenforums.com/news/405958-patch-tuesday-march-2017-a-2.html

1 user thanked author for this post.

woody

Reply | Quote

woody wrote:

And we get Security Bulletins! https://technet.microsoft.com/en-us/library/security/ms17-mar.aspx I count 18 of ’em…[See the full post at: Patch Tuesday just hit]

Woody,

As of this morning, I am showing 12 of them. Included is one for Silverlight. I don’t even have Silverlight installed on this machine. I guess it is just something else MS is trying to shove down my throat, AGAIN.

The way things are going, I probably will only install  or 4 of them and HIDE the rest. After the all clear is given, of course. Thanks, again for the comprehensive list.

Dave

Reply | Quote

Hello,

Yesterday on one of my pc after patch kb4012212 the file wow64win.dll

dated 09/02/2017  was  zero  kb instead of  362.496 kb .

I had to disinstall the patch !

Reply | Quote

Windows 10: March 15th 2017 Update KB3150513 for Windows 10 Version 1607

https://www.catalog.update.microsoft.com/Search.aspx?q=KB3150513

1 user thanked author for this post.

ch100

Reply | Quote

This is being offered on all versions of Windows. It is a compatibility definition update. A new release for Win10, but Win7 and Win8.1 are seeing the earlier version appear if they installed KB2952664 (Win7) or KB2976978 (Win8.1) with the recent updates. The latter are prerequisites. It is also showing up in Win10.

It appears as an additional update after WU install and reboot

4 users thanked author for this post.

walker, woody, Sailor, ch100

Reply | Quote

Thank you!

Reply | Quote

I think this is a late release, at least for Windows 10 1607.
It was not released in the original batch of files for Patch Tuesday March 2017.
Other versions were released in the past for Windows 10 1511.
To me, without having the full details, it indicates that the functionality from KB2952664 in Windows 7 is built-in at least in Windows 10 1511 and 1607. Otherwise we wouldn’t see KB3150513 being on offer for those versions of Windows 10.
There was no KB3150513 release for Windows 10 1507.

It makes me wonder if we should revise the advise for Windows 7 Group A model of patching in relation to KB2952664/KB3150513 in the sense that maybe we should let them be installed when KB2952664 moves to Recommended.

1 user thanked author for this post.

Sailor

Reply | Quote

I hated myself when I did it, but starting in December, I had people in group A install all recommended patches.

That still sticks in my craw.

1 user thanked author for this post.

Noel Carboni

Reply | Quote

woody wrote:

I hated myself when I did it, but starting in December, I had people in group A install all recommended patches.

That still sticks in my craw.

I wouldn’t worry, Woody. Those who think for themselves will make their own decisions anyway, and systems really are hanging together pretty well (color me a bit surprised) with all of Microsoft’s recent accumulated work. I didn’t think they’d be able to pull it off, but maybe a lot of the smart, detail-oriented people who didn’t like where Microsoft management was going with the new OS moved over to older system maintenance.

-Noel

Reply | Quote

Appraiser KB2952664 and Telemetry DiagTrack are built-in Windows 10 since RTM

Both KB2952664/KB3150513 are only needed for upgrade
they have nothing useful for current Windows 7 (well, except providing MSFT with Appraiser statistics)

5 users thanked author for this post.

ch100, walker, woody, Sailor, PKCano

Reply | Quote

https://www.reddit.com/r/Windows10/comments/5zlk1z/march_14th_updates_screwed_my_computer/

Antec P7 Silent * Corsair RM550x * ASUS TUF GAMING B560M-PLUS * Intel Core i5-11400F * 4 x 8 GB G.Skill Aegis DDR4 3200 MHz CL16 * Sapphire Radeon 6700 10GB * XPG GAMMIX S70 BLADE 1TB * SanDisk Ultra 3D 1TB * DVD RW Lite-ON iHAS 124 * Windows 10 Pro 22H2 64-bit

1 user thanked author for this post.

woody

Reply | Quote

They should report this on the Reddit Win10 cumulative update gripe thread

https://www.reddit.com/r/Windows10/comments/5zdwlb/march_windows_10_cumulative_updates_are_out/

Microsoft monitors that forum – and helps!

Reply | Quote

Anyone getting WSUS failures with the new patches?

WSUS has been rock solid over here and suddenly now with three March patches (KB 4014329, KB 4013418 and KB 4013429) – I get this:

“Client computers are installing updates with a higher than 25 percent failure rate. This is not normal.”

This appears in the event log on the server when I manually check for updates from a Windows LTSB 1607 or a Enterprise 1607 workstation. Both stations are configured correctly and have been reporting into WSUS correctly and regularly.

I also see all three March patches for 1607 have a big red X on them within the WSUS console – with a blurb “The update failed to install on 2 computers”?

I have checked the update server – all is well. IP is correct. Machine is pingable from the clients. Ran the Windows Troubleshooter etc etc.

Appreciate anyone checking in that is updating via WSUS and has had success.

Cheers!

Sonic.

 

1 user thanked author for this post.

woody

Reply | Quote

I was hoping to get a response directly here in the Lounge, but it looks like we don’t have the expertise on board.

You should definitely post this on Susan Bradley’s patchmanagement.org mailing list. All sorts of WSUS victims, er, gurus, hang out there….

Reply | Quote

All right, installed both the IE update (yesterday) and the security only bundle (less than 1h ago) on my Win 7 32-bit, no obvious issues at the moment. Had a couple of odd errors in event logs after yesterday’s reboot, plus the expected ones, but the odd ones didn’t seem connected. And I expected yesterday to be odd, because I hadn’t rebooted in 3 months (91 days, 2 hours and ~41 min to be exact – which I’m thinking is quite a feat for a Windows system), also had a pending antivirus update which had been quietly waiting for a reboot for a couple of weeks, and hadn’t even installed the December .NET updates, plus of course the small January security only patch.
So first move was use Windows Update to install that .NET patch and the MRT, then reboot, give it a while, install the January security patch and the IE update, reboot again. Then waited till today for the March security patch. Tried the usual things I do and a couple of tests, nothing seems awry so far.

Reply | Quote

Downloaded KB4012212 for my Windows 7 x64 PC, and the installation is failing with a pop-up window claiming that “This update is not applicable to your computer.”

The IE11 update and the Office updates installed earlier just fine.

What am I missing?

 

Keep Running Windows 7 Safely for Years to Come  
Make Windows 10 look and work like Windows 7

Reply | Quote

First thing comes to mind: check to see if you installed KB4012215 the Security Monthly Quality ROLLUP. If so, the security-only UPDATE will give you that message if you try to install it.

Second thing, check the bittedness of the file you downloaded. There will be x86 or x64 in the file name. Does that match your computer 32-bit or 64-bit respectively?

1 user thanked author for this post.

walker

Reply | Quote

Check and check: I did download the update with the right bittedness (x64), and I haven’t installed 4012215 (Windows Update is still offering it for download).

??

 

Keep Running Windows 7 Safely for Years to Come  
Make Windows 10 look and work like Windows 7

Reply | Quote

Hmmm. I’m running out of ideas. Try reboot, wait 10 min after login, stop Windows Update Service, try manual install again.

1 user thanked author for this post.

Cybertooth

Reply | Quote

Only thing I can add is make really sure it’s the right file by checking hash too.

For the built in tool, open a command prompt window and run:
certutil -hashfile [path_and_filename] SHA256

Should output

e9 8d 6c 7f 09 c8 ab c5 9e da 19 88 80 07 46 75 a7 07 41 5d bd db 69 4a 4a 4a 6a 98 df 63 a7 c8

If that’s so and 4012215 isn’t installed, really have no idea why it could possibly not work.

Reply | Quote

I was wondering whether the failure might be down to a workaround/mitigation already in place for one of the included patches, there are partial workarounds listed for 2 of the Critical patches:
Windows DLL Loading Remote Code Execution Vulnerability – CVE-2017-0039 https://technet.microsoft.com/library/security/MS17-012
Multiple Windows SMB Remote Code Execution Vulnerabilities https://technet.microsoft.com/library/security/MS17-010

Reply | Quote

PKCano’s suggestion (reboot, stop the Windows Update Service, and try to install again) did the trick. Thank you!

The other suggestions are also appreciated, thankfully it didn’t come to that.

 

Keep Running Windows 7 Safely for Years to Come  
Make Windows 10 look and work like Windows 7

2 users thanked author for this post.

walker, satrow

Reply | Quote

For info only. Using Windows 10 Home and based on the few comments of those that haven’t had any problems, I made an image this morning and went for it. Took 20 minutes total from start of the download to the complete install and so far, nothing negative to report. Seems like all went well.

Reply | Quote

Meh, seem to have some trouble on all three of my Win 10 machines. Hangs at 95% download for updates on one, the other failed twice to install KB4013429 and finally found a Windows update reset tool that seem to fix it. Funny my oldest desktop with a Hazwell CPU i3 updated without issues. It was only a KabyLake notebook and a Dell Mini desktop that had issues. Well I guess you had to figure after taking a month off that Microsoft couldn’t do a smooth roll out of updates. That company has totally gone down the wrong path with updates. I think their image is worse than ever now, and it won’t help sell users on Windows 10. too many of these flubs and people will avoid Win 10 like the plague. I sort of wish I did looking back.

1 user thanked author for this post.

dononline

Reply | Quote

My WSUS issues just got a bit more strange. After my earlier post this monring – I decided to “unapprove” the 3 Windows 10 1607 patches on the WSUS server.

As soon as I did that – and then manually pressed Check for Updates on my 10 Win 10 workstations – they ran thru the check motions normally and reported back that they were up to date. Which they should be (assuming nothin new was found on WSUS).

Then just moments ago – I approved just one of the three patches (KB 4013429) – the cumulate update patch – and clicked Check for Updates again. Instantly I get the error message attached….

Then  if I “unapprove” this file – and do another manual check – it goes fine. Just what the heck is going on here?

Oddly – for a brief second before the above error appears – I can see a quick reference to the actual Cumulative Update file descriptor etc – which disappears and is replaced by the error above.

And over in the update history – the following failures are record…

 

Any ideas?

Sonic.

Reply | Quote

How-to Geek not happy either:

https://www.howtogeek.com/298940/microsoft-please-stop-breaking-my-pc-with-windows-10s-automatic-updates/

Windows 10 Home 22H2, Acer Aspire TC-1660 desktop + LibreOffice, non-techie

Reply | Quote

Suggestion: Try converting the post to text before cut/paste-ing.

1 user thanked author for this post.

samak

Reply | Quote

NOT to pit colleague against colleague, in her 2017.03.16 Patch Watch column for Windows Secrets, Susan Bradley is recommending the installation of the OS March security patches KB4012215 (Win7) and KB4012216 (Win8.1), as well as the Office security patches (not the optional updates); curiously, for Windows 7 she has this:
Windows 7 KB4012215
7 gets only security fixes

The March release for Windows 7 only includes security updates. This month update includes fixes for Windows DVD Maker, Microsoft Graphics Component, Windows kernel-mode drivers, Windows Media Player, Microsoft XML Core Services, Windows OS, SHA-1 deprecation for SSL/TLS certificates, Internet Explorer, Windows kernel, Microsoft Uniscribe, SMB Server, Windows Hyper-V, Internet Information Services, and Active Directory Federation Services.

 

For my machines, and those of my clients, I shall continue to hold-off until the Oracle of Brentwood and his able associates also issue their imprimatur.

1 user thanked author for this post.

ch100

Reply | Quote

@AJNorth
Susan Bradley is targeting a different audience, which is sysdmin/sysengineer type.
Woody is targeting mostly the home user audience.
However there is no conflict as there is a lot of overlapping and if you can follow both and if you can make up your own mind, it is probably the ideal situation. As a good example of how Woody is supporting the enterprise users, just follow the recent CRM 2011 related posts and notice how successful were those threads, which provided a very good solution in only 2 days from the release of the problematic patches.
I think this is the only public site which provides a solution until now.
While Microsoft originally issued that solution as it is their duty to do so, they prefer to keep it private at this stage and work on individual cases. However, not everyone can afford to pay Microsoft for custom solutions and the fact that there is a public forum posting a possible solution, even if it is early and only experimental at this stage, is a very good thing. Good developers can take it from here and fine tune further if they find it necessary.

For the purpose of this forum, you should support Woody’s approach.
If you post on patchmanagement.org, where Woody posts often, you should support Susan’s approach.
I would say it is a matter of courtesy for the host of each site. 🙂

2 users thanked author for this post.

walker, AJNorth

Reply | Quote

@ch100

Thank you for your reply.

Yes, I certainly appreciate that each forum has its own subset of followers; still, there is quite a bit of overlap — and well before reaching the horizon, both approaches do usually tend to converge. (The matter of CRM 2011 is point well taken.)

My post was intended to reflect that there are other readers of both (and even additional) forums for whom some of the same questions may arise.

As is the nature of knowledge, when confronted with issues that may not strictly resolve with absolute objectivity, then some degree of art enters into the equation which one then uses in conjunction with the science to balance the various parameters involved and arrive at a solution (even if only interim).

And, of course, trust — which for Susan and Woody (together with their respective cadres of highly-skilled and conscientious associates and contributors) is implicit — and never in doubt.

To borrow something from those old enough to remember (or younger fans of Old Time Radio), once again with Windows this is akin to Molly warning Fibber, “Don’t open that closet door, McGee!”

1 user thanked author for this post.

ch100

Reply | Quote

Please do not construe this as any sort of criticism, much the pitting of two collegial professionals against one another, but in her Patch Watch column dated 2017.03.16, Susan Bradley has given the go-ahead to install some of the March security updates, including KB4012215 for Windows 7 and KB4012216 for Windows 8.1, as well as the various Office security updates. For KB4012215, she writes:

“The March release for Windows 7 only includes security updates. This month update includes fixes for Windows DVD Maker, Microsoft Graphics Component, Windows kernel-mode drivers, Windows Media Player, Microsoft XML Core Services, Windows OS, SHA-1 deprecation for SSL/TLS certificates, Internet Explorer, Windows kernel, Microsoft Uniscribe, SMB Server, Windows Hyper-V, Internet Information Services, and Active Directory Federation Services.”

Which is odd, as there are clearly both the Quality and Security Only roll-ups for Win 7 (with a stand-alone IE update for the latter).

For my own Windows boxes, not to mention those of clients, I shall hold-off on any updates until we’ve moved from DEFCON 2.

 

[Woody, not sure what happened to my post from two hours and thirty-odd minutes ago; it seems to have disappeared after I edited it. So, if this turns out to be a duplicate, then please delete one of them.]

Reply | Quote

Personally I think it’s too soon to tell whether the March patches cause havoc amongst any particular audience.

There could be some, for example, who updated earlier this week and lost system functionality entirely, or lost network connectivity. They’re not necessarily back online with their war stories yet. The patches are only a few days old!

Others might not know why their systems became unstable (or more unstable, in some cases). Not everyone runs a tight ship and they might just view what’s happening to them this week as another step toward reinstallation of the whole thing.

And certainly no one does everything their system can do every day. Maybe there are classes of applications that are only run occasionally (e.g., monthly tasks) that are utterly broken but as it happens few have tried them yet. Yes, it’s a big, statistical world. But Windows is a BIG, complex blob of software!

Personally, I update my virtual test systems right away, but often wait nearly a month to update my critical working systems. I do my OWN testing on virtual machines as well as online research – before choosing to (or NOT to) install a particular set of updates on my hardware.

Finally, let’s not forget that individual users and systems have specific needs… Sure, it sounds like bunches of things are fixed in Windows 7. I have a particular system that’s running Windows 7 and has a very specific use as a server, and doesn’t get interactive use. For that it’s already utterly reliable and efficient. Microsoft hasn’t fixed anything I need for that system, thus that particular system continues running with updates deferred indefinitely, and only if something I really do or will need is documented in the updates will that change.

I suggest that Woody’s MS-DEFCON system – which Woody usually only switches to 3 or higher after some weeks of observation – is being operated adeptly and with seasoned insight few folks – even including other respected journalists – have.

-Noel

5 users thanked author for this post.

HiFlyer, AJNorth, walker, JDeC, Seff

Reply | Quote

Good advice, Noel.

I usually wait a while before I even do the “check for updates”.   (Paranoia perhaps? ).     Then once everything is there to review, I await the Defcon number going up to 3 or above before taking any action.   Thank you the information you have provided.     🙂  🙂  🙂

1 user thanked author for this post.

Noel Carboni

Reply | Quote

Just wanted to report back – my issues (WSUS errors n such) were the result of some very incorrect client settings.

After I removed all these settings and reset my Win 10 clients correctly – they are all downloading and installing the patches from WSUS with no issues.

Sonic.

 

 

Reply | Quote

Security Update for Microsoft Excel 2010 (KB3178690) has some issues 😀
https://support.microsoft.com/en-us/help/3178690

it’s not pulled

1 user thanked author for this post.

woody

Reply | Quote

Just posted this as far as I can get it out.

https://www.askwoody.com/2017/excel-security-patch-ms17-014-for-excel-2010-kb-3178690-triggering-crashes/

Man, they messed up another one….

Reply | Quote

https://www.ghacks.net/2017/03/14/microsoft-security-updates-march-2017/#comments

This site has users from different Windows versions having severe trouble with latest patches. Anyone read anything additional?

Reply | Quote

It may be too late in the game for anybody to read this and reply to this thread, but regarding the installation of KB4012212 — it went well, but (when re-enabled) Windows Update is still offering KB4012215. I thought that installing the one would make the other one disappear?

No biggie, I can always just hide the update, but I’m curious.

Keep Running Windows 7 Safely for Years to Come  
Make Windows 10 look and work like Windows 7

Reply | Quote

regular Windows Update never recognize Security Only updates

just the managed environments like WSUS/SCCM have the ability to choose between Security Only and Monthly Rollup

3 users thanked author for this post.

Cybertooth, walker, ch100

Reply | Quote

OK, I’ll hide it then.

Keep Running Windows 7 Safely for Years to Come  
Make Windows 10 look and work like Windows 7

Reply | Quote

An interesting item in the rollup previews for Win 7 and 8.1 released today:

“Enabled detection of processor generation and hardware support when PC tries to scan or download updates through Windows Update.”

Sources:

https://support.microsoft.com/en-us/help/22801/windows-7-sp1-and-windows-server-2008-r2-sp1-update-history

https://support.microsoft.com/en-us/help/24717/windows-8-1-and-windows-server-2012-r2-update-history

https://support.microsoft.com/en-us/help/22811/windows-server-2012-update-history

 

1 user thanked author for this post.

Elly

Reply | Quote

This update was released on March 21: “DST changes in Windows for Northern Cypress, Mongolia, and Russian Saratov region” – https://support.microsoft.com/en-us/help/4012864/dst-changes-in-windows-for-northern-cypress-mongolia-and-russian-sarat. This update is available in WSUS and Microsoft Update Catalog, but not in Windows Update.

Reply | Quote

Preview Rollup already have it

Reply | Quote

Then it will be in the next monthly rollup.
No need to install early, unless living in one of the affected time zones or doing business in that part of the world.

Reply | Quote

On March 23, 2017, Microsoft released these two new non-security updates:

KB3191564 – “Update for Windows Management Framework 5.1 for Windows 8.1 and Windows Server 2012 R2” – https://support.microsoft.com/en-us/help/3191564/update-for-windows-management-framework-5-1-for-windows-8-1-and-window

KB3191565 – “Update for Windows Management Framework 5.1 for Windows Server 2012” – https://support.microsoft.com/en-us/help/3191565/update-for-windows-management-framework-5-1-for-windows-server-2012

Both of these updates are available only on Microsoft Update Catalog.

Reply | Quote

anonymous wrote:

On March 23, 2017, Microsoft released these two new non-security updates:

By the Release Notes: Windows Management Framework (WMF) 5.1 Release Notes

KeithB | Last Updated: 1/31/2017

https://msdn.microsoft.com/en-us/powershell/wmf/5.1/release-notes

anonymous wrote:

………

Both of these updates are available only on Microsoft Update Catalog.

If you really like using the Catalog one can BUT this might be a bit nicer:

Install and Configure WMF 5.1
https://msdn.microsoft.com/en-us/powershell/wmf/5.1/install-configure

OR

Microsoft download center

For those of you that haven’t been following the following information this may very well may be new BUT it was actually released in January.

PowerShell- Learning Virtually on MV Academy & MSDN Channel 9 from Videos, eBooks and Blogs
https://www.askwoody.com/forums/topic/powershell-learning-virtually-on-mv-academy-msdn-channel-9-from-videos-ebook/

…….

Windows PowerShell

Automating the world one-liner at a time…
https://blogs.msdn.microsoft.com/powershell/

Windows Management Framework (WMF) 5.1 Released
https://blogs.msdn.microsoft.com/powershell/2017/01/19/windows-management-framework-wmf-5-1-released/

Update January 27, 2017: .Net version info updated.

“We are pleased to announce that we are releasing the Windows Management Framework (WMF) 5.1 via the Microsoft download center.

WMF 5.1 upgrades Windows 7, Windows 8.1, Windows Server 2008 R2, Windows Server 2012, and Windows Server 2012 R2 to the PowerShell, WMI, WinRM and SIL components that were released with Windows Server 2016 and Windows 10 Anniversary Edition.

You can find out more about the WMF 5.1 release in the Release Notes.

Please note that for Windows 7 and Windows Server 2008 R2 the installation instructions have changed significantly. Please read the Install and Configure topic in the release notes. We have removed the requirement for pre-installing WMF 4 on Windows 7 and Windows Server 2008 R2, but to do so we had create a script for checking the prerequisites that accompanies the MSU in a ZIP file. WMF 5.1 requires .Net version 4.5.2, and cannot be installed on Windows 7 or Windows Server 2008 R2 if WMF 3.0 is installed. This affects only Windows 7 and Windows Server 2008 R2. The Install and Configure topic in the release notes provides details on using the script.

As always, we welcome your feedback on PowerShell and WMF via our UserVoice site.

Thank you –”

The PowerShell Team

…….

I was almost caught on this, I had even Downloaded the MSU but when I started my usual cross checks, I found I have the same KB’s and information I had in January. In short if you already have WMF 5.1 there is nothing to see here folks.

However, with the extra talk of DISM lately, maybe it is a good opportunity to become more aware of Powershell and Powershell ISE.

--------------------------------------

1. Tower Totals: 2xSSD ~512GB, 2xHHD 20 TB, Memory 32GB

SSDs: 6xOS Partitions, 2xW8.1 Main & Test, 2x10.0 Test, Pro, x64

CPU i7 2600 K, SandyBridge/CougarPoint, 4 cores, 8 Threads, 3.4 GHz
Graphics Radeon RX 580, RX 580 ONLY Over Clocked
More perishable

2xMonitors Asus DVI, Sony 55" UHD TV HDMI

1. NUC 5i7 2cores, 4 Thread, Memory 8GB, 3.1 GHz, M2SSD 140GB
1xOS W8.1 Pro, NAS Dependent, Same Sony above.

-----------------

2 users thanked author for this post.

Elly, Pepsiboy

Reply | Quote

Crysta,

Just 1 QUICK question. Is WMF 5.1 FASTER, SAFER, MORE RELIABLE, or EASIER to use than the Catalog?

Thanks for the in depth article on the subject.

Dave

Reply | Quote

Golly Pwpsiboy,

I am not sure I really understand what you’re asking????

WMF’s are what is downloaded for installation of Powershell, Powershell ISE(both x86 & x64), as well as the group of stock Modules and Scripts. The most important ones in my opinion are PowershellGet and PackageManagemet Modules that allows one to get established with Repositories for the purpose of expanding ones Module and Script collection.

There are 3 ways one can download the WMF I.x, one is from the Catalog which MS is getting more and more complete it seems. For the more experienced to advanced user there is probably little difference between them BUT for somebody whom has never been in the Catalog, is could seem very foreign. If one tries searching around in the Catalog and they haven’t found the list of search terms, etc, that can be very daunting.

Therefore, many people may feel more comfortable using one of the other methods to download WMF’s as well, in general, other things that MS makes available. Is the Catalog going to become more of a common repository, I do not know BUT surely they can do better then their antiquated Catalog approach.

My teaching guide is not meant to be in depth. Instead it is a starter for the beginner to novice. Woody’s article mention at the beginning is a starter for the novice/mid user to more advanced entry but even his is not meant to be in depth.

Sorry to poop all over you premises, but I believe in complete and clear answers designed to teach(albeit more verbose then a seasoned writer).

I hope this helps get you started in a much more competent CLI than CMD is. As I pointed out in the Post, PS ISE is a great way to start since it’s semi GUI. Yes, I know that, the more advanced user see it as an avenue to develop scripts BUT it is also designed to be used in a non development way as well, like I use it too.

--------------------------------------

1. Tower Totals: 2xSSD ~512GB, 2xHHD 20 TB, Memory 32GB

SSDs: 6xOS Partitions, 2xW8.1 Main & Test, 2x10.0 Test, Pro, x64

CPU i7 2600 K, SandyBridge/CougarPoint, 4 cores, 8 Threads, 3.4 GHz
Graphics Radeon RX 580, RX 580 ONLY Over Clocked
More perishable

2xMonitors Asus DVI, Sony 55" UHD TV HDMI

1. NUC 5i7 2cores, 4 Thread, Memory 8GB, 3.1 GHz, M2SSD 140GB
1xOS W8.1 Pro, NAS Dependent, Same Sony above.

-----------------

1 user thanked author for this post.

Elly

Reply | Quote

Crysta,

OK, I guess I misunderstood what was being talked about. My mistake. Sorry.

Dave

1 user thanked author for this post.

PhotM

Reply | Quote

No Problem Dave,

No need to be sorry about what you don’t understand. Hopefully you learned something and are willing to stick your toe in a little deeper. Powershell as a USER is really not that difficult just different. I DO NOT Develop in it even though I use the ISE allot.

It is very Powerful even for a novice user like myself…..

--------------------------------------

1. Tower Totals: 2xSSD ~512GB, 2xHHD 20 TB, Memory 32GB

SSDs: 6xOS Partitions, 2xW8.1 Main & Test, 2x10.0 Test, Pro, x64

CPU i7 2600 K, SandyBridge/CougarPoint, 4 cores, 8 Threads, 3.4 GHz
Graphics Radeon RX 580, RX 580 ONLY Over Clocked
More perishable

2xMonitors Asus DVI, Sony 55" UHD TV HDMI

1. NUC 5i7 2cores, 4 Thread, Memory 8GB, 3.1 GHz, M2SSD 140GB
1xOS W8.1 Pro, NAS Dependent, Same Sony above.

-----------------

Reply | Quote

My comment doesn’t show, so I’ll try again —

I read Woody’s “Patch Tuesday” entry on March 14.  So, on my Win 7 Pro 64-bit machines, I installed just four security-only updates – KB 890830, 4013867, 4012204 and 4012212.

But more than two weeks have now passed, so do we think that the full roll-up is OK?  (March, 2017 Security Monthly Quality Rollup for Windows 7 for x64-based Systems (KB4012215).)
Has anyone’s PC melted after the full roll-up?

Many thanks to Woody and all here for looking out for us !!!

Reply | Quote