• Recommended Updates in Group B: Take them or leave them?


    #147839

    I have seen @pkcano, @mrbrian and @ch100 all advise to take all recommended updates offered by Windows Update, but I haven’t found a compelling argument for this stance (with the exception of @ch100 mentioning missing some non-critical feature updates). The Recommended Updates topic tag links to a couple of old topics on the subject (click the link above, to see them), with divergent opinions.

    Personally, I’m not interested in the daylight savings changes anywhere but locally, and have only ever taken recommended updates after researching each individually (same as I normally have with critical updates).

    As I see many AskWoody readers have different methods of approaching this, and probably for different reasons, I would appreciate any wisdom they could share on the subject. Thanks 🙂

    1 user thanked author for this post.
    • #147849

      Not sure how much this will help.

      When I assist my buddy with his W7 machine for monthly updates, we do it in a Group B fashion.

      Since “security only” became the norm, the only updates we get locally through the windows update checker in the action center are the MSRT & the not so occasional .NET updates.  Those are the only two.  Nothing else is offered & we don’t hide any that we don’t install.

      Otherwise, it’s the usual security only & IE updates from the catalog, also linked here.

      I will not deviate from this methodology unless the entire process somehow goes [away].  Which is possible, though not probable at this point.

      Win 8.1 (home & pro) Group B, Linux Dabbler

      3 users thanked author for this post.
    • #147858

      From Is it impotant to install/download new windows updates?:

      “Updates are classified as Important, Recommended, Optional, and Featured. Here’s what they mean:

      Important updates offer significant benefits, such as improved security, privacy, and reliability. They should be installed as they become available, and can be installed automatically with Windows Update.

      Recommended updates address non-critical problems or help enhance your computing experience. While these updates do not address fundamental issues with your computer or Windows software, they can offer meaningful improvements. These can be installed automatically.

      Optional updates can include updates, drivers, or new software from Microsoft to enhance your computing experience. You need to installed these manually.”

      I install most Recommended updates but I don’t install a few such as KB2952664.

      Some Recommended updates actually are security-related, such as Support for urgent Trusted Root updates for Windows Root Certificate Program in Windows.

      4 users thanked author for this post.
    • #147882

      From Is it impotant to install/download new windows updates?: “Updates are classified as Important, Recommended, Optional, and Featured. Here’s what they mean:

      Regrettably, those words don’t mean much when they come from M$.  They lost my trust.  I’m only hanging on until the machine quits or a bad update makes it unrecoverable.  When EOL happens, I’ll most likely go with Linux.

      Win 8.1 (home & pro) Group B, Linux Dabbler

    • #147890

      IN MY OPINION, we can get on a FOOL’S ERRAND very quickly when it comes to Patching anything Microsoft. There are many reasons for this. Two of the most prominent reasons revolve around complexity, both Microsoft itself, in numbers of people, and with Microsoft’s products with legacy, current, future Modules as well as rewritten Modules for new technology.

      You are probably familiar with the adage “The Right hand doesn’t know what the Left hand is doing” well consider multiplying that by a 100, a 1000, a 100,000 depending on how many different developers, coders and said Departments, then Documentors and their Departments, analyzers, evaluators, various levels of Managers saying Ya or Na, the respected enterprise/government customers saying Ya or Na. Thus keeping track of all of that, is the proverbial nightmare.

      Now Kirsty, you said “updates after researching each individually (same as I normally have with critical updates).” How reliable do you believe what you are researching really is? It is not really a rhetorical question but I am going to answer it anyway, “It really isn’t”. This is also why MS is not as complete as we would like them to be. They don’t want to step over somebody’s invisible line OR stick their foot into some gooey, multicolored, sticky mush any more than you want to stick your foot into their PATCH/CU/UPDATE/UPGRADE. Does MS have some good individual people, of course they do, but they ARE bound by the culture Microsoft and the “House that Gates” built.

      Hopefully that expresses the ground work and where I am coming from. I watch Twitter and follow some very specific people and of course “PatchManagement.org LIST” and their WSUS List as well. I also run a TEST W 8.1 Pro partition which I usually install most everything on. Between those, I sound out the problem areas and where/in which KB(s) they are in. When an obvious problem arises, I add in the respective forums. One can try to plow through the Document and try to come up with some Nuggets OR they can go through the Binaries doing all sorts of comparisons and come with some flags, which all does feed the process but I have not seen much satisfaction in that (Except for Evil Hackers). There is not much satisfaction in hearing people yelling and screaming in the problem forums either but I believe it paints a better picture in the end. As for MS LABELS, such as countries/time/specialties can be more misleading than helpful which is why MS manager Michael Niehaus strongly recommends, install everything. I add, at which time you know there are also fixes to the problems found because NOBODY really knows what you will be losing if you don’t. I have seen fixes for age old problems in the most unlikely patches.

      This of course is seriously compounded with the introduction of the CU, Cumulative Update. It would be nice if everything could be accurately, specifically and completely itemized along with expanded notes, but this is a pipe dream on these huge projects. Could MS do better, maybe/possibly but don’t count on it.

      At the end “of the Day”, I install everything…….

      Best Regards,

      Crysta

      Edit to remove HTML

      2 users thanked author for this post.
    • #147982

      From Is it impotant to install/download new windows updates?: “Updates are classified as Important, Recommended, Optional, and Featured. Here’s what they mean: Important updates offer significant benefits, such as improved security, privacy, and reliability. They should be installed as they become available, and can be installed automatically with Windows Update. Recommended updates address non-critical problems or help enhance your computing experience. While these updates do not address fundamental issues with your computer or Windows software, they can offer meaningful improvements. These can be installed automatically. Optional updates can include updates, drivers, or new software from Microsoft to enhance your computing experience. You need to installed these manually.” I install most Recommended updates but I don’t install a few such as KB2952664. Some Recommended updates actually are security-related, such as Support for urgent Trusted Root updates for Windows Root Certificate Program in Windows.

      Mr.Brian
      I recently had to replace my hard drive. My windows 7 home premium 64 bit 2008 R2 server was reinstalled via Staples tech.
      When I got home I noticed that they had installed the “rollup” updates — Group A.
      Also all the updates were not done (prior to October 2016).
      I decided to stay with Group A.
      I caught up with updates that were not downloaded.
      When I read your above post regarding urgent Trusted Root update, I checked to see if I had it installed. I did not. I also read that if you didn’t have KB3004394 (which I didn’t)
      then you didn’t need KB3024777 (which I didn’t have either).

      Honestly, I think I will like the less hassle of updates being in Group A.  Just waiting for the defcon # to change for Nov. rollup update.

      1 user thanked author for this post.
    • #147991

      I was in Group B through Sept 2017 updates. But I have always had “Give me recommended” CHECKED from the very beginning. I also have “Updates for other MS products” CHECKED. I agree with Crysta. If you think your research is spot on, you’re fooling yourself. You don’t know what MS doesn’t publish/document (and lately, that’s been a lot).

      That said, I do not install the UNCHECKED patches from “optional updates” list (these have included driver updates) nor the UNCHECKED patches in the “important updates” list.

      I have moved to Group A, considering the findings on hidden/unhidden updates. The only updates I now have hidden are the telemetry-related updates as listed in AKB2000003.

      All things considered, I have had no major upsets/crashes with my Win7/8.1 machines either in VMs or installed on hardware.

       

      3 users thanked author for this post.
    • #148002

      Recommended 2017 updates for Windows 7 or 8.1 documented at https://support.microsoft.com/en-us/help/894199/software-update-services-and-windows-server-update-services-changes-in fall into these categories:

      1. Non-security fixes for .NET Framework.

      2. Non-security fixes for Adobe Flash Player.

      3. Other non-security fixes.

      4. Microsoft .NET Framework 4.7.

      Missing from the above list are updates such as KB2952664 and KB2976978 that were originally Optional updates but later became Recommended updates.

      3 users thanked author for this post.
    • #148161

      I have a few updates hidden…
      The updates I have not installed are KB3186497 .NET Framework 4.7. I thought I had read it could be problematic with Windows 7. It is recommended and checked.
      Also I had hidden KB4049016 (.NET Framework for Nov), when I heard it was pulled.
      I just unhid it (clicked restore) and checked for updates and it still is being offered as recommended and checked.
      I thought it was pulled????

    • #148198

      I am a “Service Pack model” user; I take all updates as useful unless proven otherwise.

      I know this kind of group may not be suitable for a production environment, and it requires a little knowledge and tinkering,
      but I actually enjoy exploring and experimenting with updates 😀

      As for the topic, I also see that recommended updates in WU should be installed (except the telemetry/appraiser ones of course).

      3 users thanked author for this post.
    • #148584

      I agree with Crysta. If you think your research is spot on, you’re fooling yourself. You don’t know what MS doesn’t publish/document (and lately, that’s been a lot).

      It’s an interesting concept that we should not trust the information MS provide about what their patches relate to, but we should trust them blindly to install all updates. That being said, if it was the case that their updates can be applied without a second thought, what would be the need of the MS-Defcon alert here? I only started checking on updates when I started experiencing BSODs after updating, which is how I ended up here in the first place 😉

      I take the point that the roll-up information is very scant on details (but roll-ups aren’t Recommended Updates).

      I guess I come from a background of “if it ain’t broke, don’t fix it”. Another perspective was found in a recent post, which indicates not installing Recommended Updates won’t totally cripple an OS:

      After a few years of struggling with the WU mess and watching as MS continues to be messing up royally again and again, I have decided that the risk of MS messing up my clients’ computers is almost certain. Whereas the risk of not applying any of MS updates at all is a far lower risk.

      When re-building Win7 systems I use WU, but refuse all non-security updates issued after Dec 31, 2014 and all “roll-ups”. I have a list of 20 or so Win10 related updates that I routinely refuse and/or remove.

      From Canadian Tech’s post, I take that to mean no Recommended Updates in his patching routine.

      • #148596

        If I read through this topic, I find most of the advice is to install the recommended updates.
        It seems to me the opposite decision was already written in stone before the topic was posted.
        Just saying.

        1 user thanked author for this post.
        • #148680

          It seems to me the opposite decision was already written in stone before the topic was posted.
          Just saying.

          No, not at all. I was genuinely interested in who does what, and why. With so many sources of good information here, it seemed a good opportunity to make the most of it! 🙂

          In fact, my approach seems to very closely resemble Noel’s (below), except I don’t test in VMs before loading on my production machine. You might say I’m a little more gun-shy than some, with my machines being production workhorses, all the while I’m very aware of the security risks posed. I do need to ensure machines keep on, keeping on.

          I always vet all the ones shown by Windows Update (i.e., I follow each link and read about them, then I look online for folks who have identified problems).

          Only when I have 1) researched them, 2) hid the ones listed above if/when they become visible, 3) tested the installation of the patches on my own virtual machines, 4) read about the experiences of others here and elsewhere do I finally put the updates on my hardware systems, which are critical to me and my business.

           
          I’m very grateful for everyone that has taken the time and trouble to share their expertise and thoughts – my thanks to you all.

          • #148729

            Hello Kirsty,

            I’ve been Group B all along. I only install important updates, although I left out the telemetry ones, and any rollups. It is working on my Win 7 system, with no malware, and no other problems. It has been simple and smooth to apply every month, and has had no bad consequences thus far. I love my laptop, and use it day in and day out… and will probably continue to use it off line when Win 7 is no longer supported.

            I know I’m in a very small minority right now, but as long as it is working, it gives me the best chance at leaving out the telemetry. In a way, there is nothing special I have to hide… but I have a firm and abiding belief in privacy as essential to freedom… and that means the freedom to opt out of being monitored and marketed.

            It amazes me that “advances” in technology are not bringing new “features” and a faster and more secure system, so much as increasing Microsoft’s ability to limit my control over the computer I bought, and limit my choices about what I want to do with it… which is to say they are systematically downgrading their own products. I’ve said before that I’d be willing to buy a W10 system that allows all the telemetry and auto updating turned off… but in this day of great technological advances MS has decided not to offer that as a choice to small business or home users, and the Pro version isn’t what it used to be… In the “old” days, we were limited by the processors and memory and available programs… now we are limited by the operating system itself… without the option to upgrade to something configured and useful the way I want it.

            So… I keep on keepin’ on, a lonesome Win 7 Home, Group B survivor…

            Non-techy Win 10 Pro and Linux Mint experimenter

            2 users thanked author for this post.
      • #148623

        I install almost all of the Recommended updates, but not on the day they are released. Waiting awhile has these advantages:

        1. Microsoft might yank a faulty update.

        2. Microsoft might issue an update that fixes a faulty update.

        3. Information on faulty updates might become known, and workarounds might be published.

        3 users thanked author for this post.
    • #148628

      I have been following an “Almost Group A” strategy myself, on my critical systems… I install all updates listed with a very few exceptions – but ONLY after suitable testing.

      There are things I simply won’t install, on general principles. My all-time “hide these updates every time they show” list is:

      For Windows 8.1, hide these updates:
      
      KB2976978 - Win 10 Compatibility update for Windows 8.1 and Windows 8
      KB3035583 - GWX
      KB3046480 - Update helps to determine whether to migrate the .NET Framework 1.1 when you upgrade Windows
      KB3068708 - Update for customer experience and diagnostic telemetry 
      KB3080149 - Update for customer experience and diagnostic telemetry
      KB3123862 - Updated capabilities to upgrade Windows 8.1 and Windows 7
      KB3173040 - Windows 8.1 and Windows 7 SP1 end of free upgrade offer notification
      
      For Windows 7, hide these updates:
      
      KB971033  - checks whether Microsoft wants to deactivate your system
      KB2952664 - diagnostics for Win 10 compatibility
      KB3021917 - diagnostics for Win 10 performance compatibility
      KB3035583 - this one is GWX itself
      KB3068708 - adds capabilities to easily upgrade to Win 10
      

      I always vet all the ones shown by Windows Update (i.e., I follow each link and read about them, then I look online for folks who have identified problems).

      Only when I have 1) researched them, 2) hid the ones listed above if/when they become visible, 3) tested the installation of the patches on my own virtual machines, 4) read about the experiences of others here and elsewhere do I finally put the updates on my hardware systems, which are critical to me and my business.

      My thinking is this:

      Somewhere in Microsoft a group of people maintain these older operating systems. They’re probably a level-headed bunch. However, there are only so many hours in a day, and it’s a pretty good bet that they test the most on systems with ALL the updates installed. Without having a sophisticated, dedicated testing organization on staff, the likelihood that Microsoft engineers have systems that are a mix/match of some updates and not others has gone down. The chance of one of theirs exactly matching one of ours is… Vanishing.

      With software this complex, it’s a good bet that unexpected things happen from time to time. No human can wrap their head entirely around the entire system and get every detail right every time. So testing IS still important, and the likelihood that systems with ALL updates installed have had the most testing is key.

      Over the decades Microsoft has tried quite hard to separate their software into modules with well-defined interfaces, or we wouldn’t have a prayer of being able to mix and match patches… In a way we’re lucky we have a choice at all. The fact that they DO separate some updates into a separate list, which they deem “optional”, says there IS some attention paid to maintaining that modularity.

      TL;DR summary:

      A system with ALL updates installed is likely to have been similar to those tested most thoroughly by Microsoft engineers, and making YOUR system most like THEIR systems is probably prudent.

      That being said, if there are some things in the Optional list you absolutely can’t stand, don’t choose to install them – just understand the risks of doing so.

      So far this has been working for me quite well. My systems are 100% stable and functional.

      -Noel

      5 users thanked author for this post.
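
The hide-lists in the post above can be checked against a machine with a short script that reports which listed KBs are installed, offered or hidden. This is an added example, not part of Noel's post: `Get-HideListStatus` and its `-Hide` switch are hypothetical names, while `Get-HotFix` and the `Microsoft.Update.Session` COM object are standard Windows components.

```powershell
# Added example. KB numbers are copied from the two hide-lists in the post above.
$HideList = @{
    'Windows 8.1' = @('KB2976978','KB3035583','KB3046480','KB3068708',
                      'KB3080149','KB3123862','KB3173040')
    'Windows 7'   = @('KB971033','KB2952664','KB3021917','KB3035583','KB3068708')
}

# Hypothetical helper name. Written for PowerShell 2.0, the version shipped with Windows 7.
function Get-HideListStatus {
    param(
        [Parameter(Mandatory=$true)]
        [ValidateSet('Windows 7','Windows 8.1')]
        [string]$OS,
        [switch]$Hide    # opt-in: mark offered matches as hidden (needs an elevated session)
    )
    $kbs = $HideList[$OS]

    # 1) Which listed KBs are already installed? Get-HotFix reports updates
    #    serviced through Component Based Servicing, which covers .msu packages.
    $installed = @(Get-HotFix | Where-Object { $kbs -contains $_.HotFixID } |
                   Select-Object -ExpandProperty HotFixID)

    # 2) Which are currently offered? Query the Windows Update Agent twice so
    #    that both visible and already-hidden offers are reported.
    $searcher = (New-Object -ComObject Microsoft.Update.Session).CreateUpdateSearcher()
    $offered = @{}
    foreach ($criteria in 'IsInstalled=0 and IsHidden=0', 'IsInstalled=0 and IsHidden=1') {
        foreach ($update in $searcher.Search($criteria).Updates) {
            foreach ($id in $update.KBArticleIDs) {      # IDs come without the "KB" prefix
                if ($kbs -contains "KB$id") {
                    if ($Hide -and -not $update.IsHidden) { $update.IsHidden = $true }
                    $offered["KB$id"] = $update
                }
            }
        }
    }

    # 3) One row per listed KB, so an installed entry stands out.
    foreach ($kb in $kbs) {
        $state = 'Not offered'
        if ($installed -contains $kb) {
            $state = 'INSTALLED'
        } elseif ($offered.ContainsKey($kb)) {
            if ($offered[$kb].IsHidden) { $state = 'Offered (hidden)' }
            else                        { $state = 'Offered (visible)' }
        }
        New-Object PSObject -Property @{ KB = $kb; State = $state }
    }
}

Get-HideListStatus -OS 'Windows 7' | Format-Table KB, State -AutoSize
```

The search step contacts the configured update source, so it can take as long as a normal check for updates.
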
    • #149066

      In checking the Recommended and Optional updates in a clean install, after installing all the Security updates, IE11, .NET, there were 60+ updates showing.

      Some only applied as fixes for other patches (which hadn’t been applied);
      some were hotfixes that stated they were only to be applied where certain bugs were present;
      one was now irrelevant (re Windows Phone) and several weren’t relevant (South Sudan country setup, etc);
      several (mainly from the last 2.5 years) stated they were incompatible with later installation of language packs, so I will not be installing those at this stage;
      and lastly, one Woody had stated was a security risk, not to be installed (Windows Journal).
