Windows 7, 8.1 patches are up

Topic

New Reply

OK, not exactly. Other than MSRT, there are no patches for 8.1, and only one small security patch (plus a Flash patch) for Win7. This month only we’re
[See the full post at: Windows 7, 8.1 patches are up]

Reply | Quote

Replies

Just updating WSUS Offline with version 10.9.

It included KB3212646 (full rollup), dated 1-7-2017.

This latest version of WSUS Offline has the option to download the “security only” updates, instead of the “quality rollups” updates.

I’m re-installing a fresh copy of Win7x64 Pro for a customer, so will use the “quality” updates, as the customer will be on automatic update mode.

When I do updates this way, the process of going from a fresh install of Windows 7×64 Pro to a fully patched (no extra MS software, like Office) system usually takes about 4 hours, never uses the Control Panel app of Windows Update until all patches have been installed by WSUS Offline, and is done with the system NOT hooked to the Internet until WSUS Offline is done installing the batch downloaded patches.

Then running WU from Control Panel might find a few other “important” patches (and 70-80 “optional” ones), but does that in 5-10 minutes.

Reply | Quote

Just the one security update for windows 7? When was the last time that happened? Have microsoft already given up on 7? I should be relieved there is only 1 update i suppose but i can’t shake the feeling it’s further corner cutting from them, i mean there have always always been at least an update for internet explorer but now there isn’t? My default reaction to whatever microsoft does these days is one of suspicion and not trust.

Reply | Quote

“That’s the lightest Patch Tuesday I’ve ever seen.”

Lol, no doubt some PHBs have slammed the brakes after the recent slew of college-dropout workmanship.

Reply | Quote

WOW! So far for Windows 8.1, only the ‘Critical’ Flash Player patch (IE 10 & 11; I use Firefox like you say, boss) & the ‘Important’ MSRT. I say “so far”; what’s to keep the ‘Softies from changing their hive mind & rolling something out before February’s Patch Tuesday?!

Reply | Quote

I so far seen that I’ve got KB3212646 (Monthly Rollup) and KB890830 (Malicious Software Removal Tool) ready to install, but I don’t have the other update, KB3212642 (Security-only update) in there ready to install. In fact, I cannot see that update anywhere in my Win 7

Reply | Quote

So the December updates for Windows 7/8.1 are still at Defcon 2, and the January updates are available. When December gets back to Defcon 3, can I just install those and uncheck the later ones?

I’m not too worried because I don’t use Edge or IE, and I have Flash disabled in Chrome. Also, I don’t have MS Office. In fact, my PC is basically an Internet terminal. But I still want to keep it working and secure through 2020!

Reply | Quote

The situation will be much simpler. If you have Win7, there’s no Security-only update for January.

When the MS-DEFCON goes to 3 (or even 4!), I’ll have full instructions.

Reply | Quote

The Security-only updates are only available from the Microsoft Update Catalog. Not to worry. Sit back, relax. When the time comes, I’ll have full instructions.

Reply | Quote

Highly unlikely – but it’s always possible, of course.

Reply | Quote

MS17-004 is patching a denial of service attack on LSASS, which is probably not important for most home users. MS17-001 is a bit more important as it assigns data: URLs the proper origin in Edge.

Reply | Quote

Do I take it we can consider Win8.1 a stable version now ? CBB perhaps 😉

Reply | Quote

So after Microsoft’s long break, we have a holiday too in January.

Reply | Quote

+1

Reply | Quote

Prepare for a shock patch for Windows 7 on March 14.

Reply | Quote

Maybe the first big one will be the Preview on February 21?
https://blogs.technet.microsoft.com/windowsitpro/2016/10/07/more-on-windows-7-and-windows-8-1-servicing-changes/

Reply | Quote

Thanks for the heads up, I was wondering if WSUS Offline would ever update to pull ‘Security only’ instead of the rollups. Looks like I’ll start using that one again myself. Thanks!

Reply | Quote

KB3212642 is the Jan security-only patch for Win7.

Reply | Quote

Where have you been in the last few months? 🙂
Windows 7 had been receiving one security update since October, sometimes one more update for .NET Framework

Reply | Quote

December patches were at DEFCON 3 on Dec 29th.

https://www.askwoody.com/2016/ms-defcon-3-cautiously-update-windows-and-office/

January patches are just now out – DO NOT INSTALL YET!!!!!

Reply | Quote

Thank you Woody!

Reply | Quote

KB3212642, according to Microsoft, is for Windows 7 32 bits. My machine runs Win 7 64 bits. Should I apply this update as well?
Thanks.

Reply | Quote

No no, i’m not talking about the security only update that collects all of this months security patches into 1 update. I’m talking about the fact there is only 1 security patch for lsass and nothing else. Not even a security patch for internet explorer.

Reply | Quote

So basically if you’re a home user on Win7, little reason to bother at all this month?
Very very odd not to see at least an IE update. When did that last happen?

Reply | Quote

It’s all unprecedented, in my experience, at least since Patch Tuesdays started – what, 15 years ago?

Reply | Quote

Wait.

There is not one good reason to install any of today’s updates. Wait to see if any problems crop up.

Reply | Quote

It is called OCD in relation to Windows Update. There are few others of us affected 🙂

Reply | Quote

Because IE11 has reached such a stage when there are no more (known) vulnerabilities.
What is so unexpected?! 🙂

Reply | Quote

Fyi, when I checked the Security Updates Guide/SUG about 2 weeks ago, there was no security updates displayed b4 Sep 2016. Today, when I check again, there was none for b4 Aug 2016 = M$ just added the Aug 2016 security updates to the SUG.
WTH is happening.?
.
Seems, most Win 7 security updates from b4 Oct 2016, can only be installed via Windows Updates, ie cannot be manually installed via M$ Update Catalog(except for the rollups from May 2016 onward, Servicing Stack updates, Windows Update Agent/Client updates, IE updates, etc). What if M$ Windows Update is not working properly or completely broken.?

Reply | Quote

I see 🙂
but the lack of security patches is for all, not just Windows 7

it’s holidays, they did not feel urgent need to fix all security issues 😀

Reply | Quote

I was worried about only seeing the monthly rollup and the MSRT this month… glad that’s all I should be seeing. And as you said, Woody, this is the lightest Patch Tuesday I’ve ever seen since I actually started paying attention to these things.

Reply | Quote

After installing KB3212646 the sign-in button appeared after every reboot, eventhough I have no password on my system. And I had problems with other programms like Google Chrome. I deleted the update and everything is fine again. So I’m going to wait a while now.

Reply | Quote

Windows 7 & 8.1 users:

For those who do not visit here regularly,
December 2016 patches for Win 7 & 8.1 are safe to install for respective Groups A and B.

All January 2017 patches for Win 7 & 8.1 are on HOLD..wait until the go-ahead is given via DEF-CON indicator.

Jeez it’s that simple!

Reply | Quote

The Windows Update Catalog provides different versions of KB3212642 for 32-bit and 64-bit versions of Windows 7. The 32-bit version is 3.5 MB in size, while the 64-bit version is 6.2 MB. Make sure you see the “for x64-based Systems” in the catalog title.

Reply | Quote

HA!

A quick trip through the CVE list should prove enlightening…

Reply | Quote

All updates “b4 Oct 2016” can still be obtained from MU catalog or MS Download center

Reply | Quote

The Security Monthly Quality Update for Windows 7 (KB3212646) (both x86 and X64) has been revised with today’s date (11th Jan 2017). Apparently the list of updates it replaces has been amended.

One odd thing with this update; anyone else experiencing extreme slowness in IE11 when viewing the KB article for this update (https://support.microsoft.com/en-us/kb/3212646)? It works fine in Chrome, but on PCs with and without KB3122646 installed, that KB causes the IE11 tab showing it to run VERY slowly. Other KB articles work fine!

Reply | Quote

I can remember one other month without an IE rollup, three or four years ago, I think.

The Security Bulletins may be skimpy, but my WSUS is absolutely slammed. I’ve had about a thousand new patches in the last two weeks. Mostly language packs and other trash for FeatureOnDemand.

Reply | Quote

Hmm does here to but it is a “humoungus” web page that gives Firefox & IE11 a bit of a hard time as well as a script error on Firefox. Also a “nag Msg” about Edge on Firefox again, not my favourite right now after its little snooping activities got revealed to me yesterday. Then again it really isnt my favourite as its just not ready for the “big time” yet.

Reply | Quote

Confirm that the updates for Word 2016 and Windows 7/2008R2 were all revised. Also a patch which belongs to the Office 2016 suite for Sharepoint Enterprise 2016 was revised too.

Reply | Quote

Also lots of expired older updates for Windows 7 which were probably due to be expired for a while, to alleviate the supersedence issue.
KB3150513 for Windows 10 1511 is expired too.
Remember this patch which updates definitions for KB2952664 on Windows 7.
The functionality of KB2952664 for Windows 7 is built-in Windows 10.

Reply | Quote

Too much files/info listed in the article
it’s slow for me on all Browsers
the list of files should had been gathered as downloadable .csv, as always
but it seems the article is filled by some intern MS employee 😀

Reply | Quote

But only the metadata, yes?

The patches themselves are all the same. I hope.

Reply | Quote

InfoWorld.com used to have slow browsing for the same reason. It seems to be better now, or maybe Firefox got better at handling that sort of design. 🙂

Reply | Quote

Do you synchronise Language Packs in WSUS?
No wonder the WSUS gets slammed 🙂

Reply | Quote

It looks like it is so. The supersedence list has changed and for the Word 2016 patch there seems to be a new title, or at least this is what MS says. The supersedence list update should probably be seen in the context of expiring tens of older patches.
They are not re-offered, but for people who follow your MS-DEFCON advice, few revisions next day after release should not matter, right? 🙂

Reply | Quote

+1

Reply | Quote

Great advice. Perhaps in future you could make a point of offering this unambiguous advice in the text of your article, rather than in the comments?

Reply | Quote

The banner at the top of this site – all pages – says the same thing, quite unambiguously.

Reply | Quote

Hi I have these updates in my WU:
• Dec 2016 Security and Quality Rollup for .NET Framework 3.5.1, 4.5.2, 4.6, 4.6.1, 4.62.
• 30 individual Security Update for MS .NET Framework 3.5.1 from 2011 – 2016 are those included in the Dec rollup noted above?
• Dec 2016 Security Monthly Quality Rollup for Win7
• Security Update for MS XML Core…SP2 KB954430 ???
• 11 Security updates for Win7 from 2014 – 2015
• Update for Win 7 KB971033
• Win7 SP1 KB976932
• Windows Malicious SW removal tool

I received advice (from another forum) to install .NET framework/security updates (not Dec quality rollup) but still have these questions and am just looking for more feedback/input. I appreciate everyone’s help/input.

• I checked KB971033 but I don’t know if I should install it or not.
• KB976932 is Windows 7 Service Pack 1, which I already have. I don’t know why it is coming up, unless it’s different than what is on my computer. Publish date is 2/12/15. Should I install it?
• I assume I can click all updates to install at the same time? Or is there a sequence I should follow? I will choose the ones I want & hide the rest.

I’m apprehensive about WU now, with good reason! I used to be a happy group A person 🙂 Now, I’m questioning everything. I have restore point set up and data backup, just in case. I have to patch for security updates, I think it’s imp, but it’s uncomfortable to think that may cause damage.

Reply | Quote

On Win 7 SP1

In addition to KB3212646 in the January release in WU I got an update for Word Viewer KB3141490.
(And the new WMSRT of course.)

Reply | Quote

If the new window updates are cumulative why did:

• KB2952664 : Compatibility update for keeping Windows up-to-date in Windows 7

• KB3172605 : July-2016-update-rollup-for-windows-7-sp1-and-windows-server-2008-r2-sp1

• KB3179573 : August-2016-update-rollup-for-windows-7-sp1-and-windows-server-2008-r2-sp1

Show up as optional updates after I manually installed update (KB3212646 : January 2017 Security Monthly Quality Rollup for Windows 7 SP1 and Windows Server 2008 R2 SP1)

Also wuaueng.dll stayed at 7.6.7601.19161 instead of the newer version 7.6.7601.23453. Should I install the optional updates? One thing to note is that the last time updates were pushed to this computer was Aug 2nd, 2016.

Reply | Quote

Woody, as the usual advice, is it MSRT, aside from the small snooping, clear to apply right now?

Also it’s description states that it will run once after being download but I never noticed it running before… Does it somehow run silently on the background or it should pop some screen or prompt?

Reply | Quote

Usually MSRT runs quietly. Yes, I still think it’s worthwhile running the program – even though I must admit that it’s never caught anything on my machines.

Reply | Quote

They are not fully cumulative yet
for now, they only include all fixes from September 20, 2016 onwards

in February or March, they will start adding previous fixes before September 2016

the Monthly Quality Rollup is expected to be fully cumulative in several months, maybe September 2017 🙂

Reply | Quote

Woody do you think the small amount of patches for this month were because of the holidays? I mean I don’t know how long in advance Microsoft prepares the patches. Also when will you update the DEF-CON status? I recently did a clean install of 8.1 on my laptop and am wondering when it’s safe to update.

Reply | Quote

Today I saw that I can install an update for Bitsdefender KB915597 (definiotion 1.235.23.0)
Once it is installed, it can not be removed, say the information
I am group B and install only security updates. What to do with this update?

Reply | Quote

That’s a Windows Defender update. I’ve seen some reports of problems, but you should be OK.

Reply | Quote

Yep, it’s undoubtedly because of the holidays.

Hold off until the middle of next week. There’s nothing pressing this month anyway.

Reply | Quote

Okay. Thank you. Although I did install the July 2016 Rollup to speed up the update scans. But it’s still taking forever to find anything.

Reply | Quote

So will both bug fixes and security fixes be fully cumulative then? Will old patches for the .NET Frameworks also be added to the .NET Framework rollups? Also are Office updates cumulative? I don’t use MS Office, but I am curious.

Reply | Quote

I think Terry is asking for advice in relation to a NEW installation.
I would say install everything, i.e. Important and Recommended (and Optional would be a good choice, but that is up to your preference) until December 2016 or November 2016.
Avoid January 2017 if you wish, until Woody says it is safe. To save time, you could install January 2017 too and uninstall if anything major comes up.

Reply | Quote

Do you still have Office 2003 installed?
KB3141490 is an update for Office 2003 and there seems to be one of those each month until about September 2017.

Reply | Quote

I am expecting that at that time we will see the true SP2 named Update 1 or whatever, something similar to KB2919355 or if not, at least similar to KB3000850 (which would not be SP2).

Reply | Quote

One more question. Do you think it’s plausible that Flash Player will be patched out of Windows 8.1 & 10 at some point? I mean with HTML 5 becoming the de facto standard and Flash just being a security hazard all around wouldn’t it make sense to patch it out? Or would it not be possible to patch it out?

Reply | Quote

Thank you ch100. I’ll update then but avoid the flash update until Woody gives the okay.

Reply | Quote

First rule – do NOT install ANYTHING with a Jan 2017 date yet. WAIT until the DEFCON number goes up to 3 or above.

Second rule – do NOT check anything that is not already checked. This includes the older (2014-2015) updates that are probably in the OPTIONAL list. In fact, it is a good rule not to install anything under OPTIONAL because they are unchecked to begin with – especially if it has Preview in the name.

Third rule – The updates with a December date were approved for installation on 12/29/16 here
https://www.askwoody.com/2016/ms-defcon-3-cautiously-update-windows-and-office/
If you are in Group A (accept all MS has to offer), you install the December Security Monthly Quality ROLLUP KB3197869.
If you are in group B (Security only patches) you need to download the Dec Security Only Quality UPDATE from the MS Update Catalog and install it manually.
The links to the security patches are in the link above.

Fourth Rule – those updates NOT CHECKED do not get installed. If you have installed the Security only update, when you run Windows Update, you UNCHECK the Monthly Rollup and install everything else that is ALREADY CHECKED dated before 2017 (Jan updates have not been approved yet). If the Monthly Rollup is not checked, it won’t get installed. DO NOT check anything that is not already checked.

In general, the .NET, Office, Flash Player, IE, etc patches are OK to install – BUT NOT ON THE DAY THEY ARE RELEASED. MS releases patches on the second Tuesday – they may or may not be good. Wait until Woody sets DEFCON to 3 or above, indicating the patches won’t cause trouble, then install. Then go back to waiting.

To see if you have SP1, click on the Start button, on the right RIGHT CLICK on Computer/My Computer and choose Properties. It will be at the top of the page.

Reply | Quote

If you have the Viewer installed, you get updates for Office 2003. It is like a runtime version that lets you see the documents.

Reply | Quote

Yes, the Monthly Quality Rollup will be cumulative
.NET 4.x.x rollups are already cumulative
.NET 3.5.1 rollups will follow the MQR rules and become cumulative eventually

Offices updates are cumulative for each product/component they patch
but they are not rolled-up, so we will still have a lot of updates

Reply | Quote

+1

Reply | Quote

I think Flash support will be discontinued at the time Adobe will discontinue it and it is not much time left until then.

Reply | Quote

I see.

Reply | Quote

And of it did caught something, how are we supposed ro know? Would it pop something up or it would only show inside some log contained on that oddly named folders, which seems random, created by MSRT?

Also is there a way I can verify that it is running at the moment or had been run recently?

Reply | Quote

Thank you. I have some technical ability – but not enough to figure this out on my own. I am being overly-cautious bc I had problems with my new Dell for over a year. FINALLY got Dell to send me a replacement machine and now that my hardware issue is resolved, I am dealing with this WU issue!!! I just need it to work! Am afraid it’ll get broken again with a bad update (and of course snooping issue) – hence, my caution & concern:
First rule – OK
Second rule – OK
Third rule – OK
Fourth Rule – OK

To see if you have SP1, click on the Start button, on the right RIGHT CLICK on Computer/My Computer and choose Properties. It will be at the top of the page. – I HAVE SP1. I DON’T KNOW WHY SP1 IS IN UPDATE LIST. I WAS GOING TO HIDE IT SO IT DOESN’T INSTALL???

THAT LEAVES ME WITH THIS INSTALL LIST: DEC SECURITY & .NET FRAMEWORK, SECURITY UPDATES FOR .NET FRAMEWORK (ABOUT 30 FROM THE LAST FEW YEARS), 11 SECURITY UPDATES FROM 9/2014 – 9/2016 – I was going to install these.

Questions:
SECURITY UPDATE XML CORE SP2 KB954430 & KB9736788 – install?
Activation services update KB971033 – install?

And this one just came up – I don’t know if I should install it?
Security & Quality, Nov 2016 Security Monthly Quality Rollup – KB3197868

Reply | Quote

If you see rollups in your Windows Update list, you have SP1. Don’t worry about it.

You’re likely “Group A” – so just follow my advice (Check for updates set to “Never,” and “Give me Recommended Updates” checked), then run Windows Update. DON’T TOUCH ANYTHING – don’t check any boxes, don’t uncheck any boxes. Go ahead and install.

Then wait until the MS-DEFCON level changes before installing the next month’s patches.

Reply | Quote

ok. I am a Group B ‘wanna be’ 😉 But I get very confused due to my lack of technical expertise, which makes me Group A.

I will do as you suggest, except question on SP1 update – leave it or hide it?

Reply | Quote

I suspect the Dell replacement is recent if all those old updates are checked in the important list. So:

For Group A (accept all MS offers)
HIDE the Jan Security Monthly Quality ROLLUP. Install everything that is checked under the important list. When the computer reboots, wait 10 minutes, search for updates and install everything that is checked. Repeat this until there no more updates available.
It the search takes over half an hour at any point, you will need to download two updates and manually install them, one at a time to fix it (be sure you get the one that says x64 if 64-bit is what you have):
http://www.catalog.update.microsoft.com/Search.aspx?q=3020369
and
http://www.catalog.update.microsoft.com/Search.aspx?q=3172605
When there are no more updates, unhide Jan ROLLUP KB3212646 – but DO NOT INSTALL IT YET. Wait for DEFCON to change to 3 or above.

For Group B
If searching for updates is slow, download the two patches above and manually install them. Be sure it says x64 if you have 64-bit.

HIDE KB2952664, 3021917, 3068708, and 3080149 any time they show up in Windows Update – these contain telemetry.
You will need to install all the other CHECKED patches in the important list EXCEPT EXCEPT EXCEPT the Security Monthly Quality ROLLUPS from Nov & Dec 2016 and Jan 2017 if you are in Group B.
Do NOT make it a habit to HIDE the ROLLUPS, but to get caught up do this: HIDE the Jan 2017 ROLLUP, search for updates again (the Dec 2016 ROLLUP will show up), HIDE the Dec ROLLUP, search for updates again (the Nov 2016 ROLLUP will show up), HIDE the Nov 2016 ROLLUP, search for updates again (the Oct 2016 ROLLUP will show up). Now, install all the CHECKED updates under the important list. After the computer reboots, wait 10 minutes, then repeat the search/install/wait 10 min until there are no more patches.
Now you need the Security Only Quality UPDATE for Nov & Dec 2016.
Download KB3197867 (Nov) and KB3205394 (Dec) and manually install them. (Type the number in the MS Catalog search box)
Do another Win Update search/install/wait until there are no more updates.
Unhide the Security Monthly Quality ROLLUPS (leave the other four hidden). The Jan ROLLUP should be the only one that appears – DO NOT INSTALL IT.

That should be it.

Reply | Quote

Follow PKCano’s advice….

Reply | Quote

Try looking in your Update History.

Reply | Quote

ok thank you!

Reply | Quote

Subsequent to installing KB3212646 for Windows 7-32 bit, I no longer get bubble saying “safe to remove hardware” when I use the disconnect feature located in the system tray. Although USB connected devices no longer appear in “Devices with Removable Storage,” there’s no way of knowing whether it’s truly safe to disconnect. The only way I can get the bubble to appear is by locating the connected device and ejecting it by right clicking in the context menu. I’ve tried rolling back my system to October 2016 (it works fine there) using a recovery disk, but I get the same problem after installing January, 2017 Security Monthly Quality Rollup KB3212646. Does anyone else notice this problem?

Reply | Quote

This is the current Windows 10 behaviour.
The only way to know if it is safe to disconnect USB storage is to check Windows Explorer or Device Manager for the device to disappear.
If it is not safe to disconnect, then Windows would warn you, but it may take a while, so waiting for that warning may not be the most reliable method.

Reply | Quote

No issue here

KB3212646 actually do not have any new fixes related to USB or devices

Reply | Quote

KB971033 – that one is a weird patch. It can cause Windows Activation issues for little reason. I would say avoid it unless it is specifically requested by one of the Microsoft sites. This is the only Important patch which can be avoided safely.
KB976932 being re-offered is only cosmetic. It will install in fact a superseded patch KB2533552, which is better to accept to avoid as I said cosmetic issues. Functionally it does not matter if you install later patches like KB3020369 superseding it, but without it and until you install the later patches, Microsoft says it can cause blue-screens. Install KB976932 when offered.

The best sequence to follow is to install manually first:
KB2533552
KB3020369
KB3172605

After that use Windows Update as usual. At least until you get close to being fully patched, use the configuration of Windows Update to Never check for updates and check manually.
Install about 25 updates at a time, start with all Important non-security (less KB971033), follow with all Security and in the end follow with all Recommended and Optional until there is nothing left.

Reply | Quote

@abbodi86
What is the meaning of
“Offices updates are cumulative for each product/component they patch
but they are not rolled-up, so we will still have a lot of updates”

The Office updates come as msp files with new functionality added to the previous one. What does it mean they are cumulative but not rolled up?
I would be very interested if there was a method to reduce the number of Office updates, like there is one for Windows Update when running Disk Cleanup.
The Installer folder tends to keep all those copies for uninstall purpose, which again tends to become huge after a while, even for newer products like Office 2016.

Reply | Quote

Didn’t i explained it before? 😀

cumulative = latest msp supersede all previous patches for the same component defined by file name

not rolled up = each component has its own msp, and it’s released separately
only very few Hotfixes contained multiple msp files

there are no automatic or intended way to clean Windows Installer PatchCache

however, there are some reliable ways to clean older patches, manually or through a .vbs script
i wrote a detailed post about it at MDL, but unfortunately it was lost in a hack delete 3 months ago (along with a lot of irreplaceable content)

this link is close enough to mine
https://www.raymond.cc/blog/safely-delete-unused-msi-and-mst-files-from-windows-installer-folder/
i recommend the second one
note that the WiMsps VBScript lists the used patches to keep, so you need to delete the non-listed files
do not use the old Microsoft Utility

there are one more truly manual way which works specifically for Office patches
but it’s not easy to explain 🙂

Reply | Quote

@ ch100 ……. Fyi, Perry Andrew was referring to “installing KB3212646 for Win 7” n not for Win 10.

Reply | Quote

I’ll just use “eject” from the windows explorer context menu. The “safe to remove hardware” balloon appears through this mode only. I’ll miss safely removing hardware via my system-tray though.

Reply | Quote

Thanks 🙂
Apologies if you explained it to me before, but I don’t remember and this is too interesting to me to have forgotten. 😀
It is very likely that it was explained only on MDL before and unfortunately lost.
The manual way which certainly works is to uninstall all patches until getting to RTM and run WU fresh. Or uninstall Office and reinstall followed by WU. None of those 2 methods are very professional I am afraid.
I was under the impression that you were referring to products (not suite) like Word, Excel etc when saying about cumulative updates, but I understand now that it is about the component level and each product is made of many such components.
Thanks again 🙂

Reply | Quote

Thanks. This is interesting to know, so the baloon appears in Explorer, but not in the tray.
My reference was about the tray behaviour, as I was not even aware of the Explorer functionality.
I don’t see the Eject command in Windows 10 for anything other than CD/DVD. There may be a way to enable it though.

Reply | Quote

One thing I’ve been wondering is the reasoning behind the whole “Don’t install anything that’s not checked off by default” philosophy. I mean is there any reason for that? Is it because the optional patches might break something? But don’t all updates carry that risk? I get the the telemetry and preview rollups, but why not hide those and install everything else?

Reply | Quote

If Microsoft doesn’t have enough confidence in a patch to mark it as “recommended,” I figure customers shouldn’t have to deal with its failures.

MS has a long history of rolling out perfectly useless (or downright destructive) “optional” updates.

Reply | Quote

I don’t, and have no control over what I filter. My “company” upstream does that for me, poorly.

Reply | Quote

No need for apology 🙂
i actually posted it here
https://www.askwoody.com/2017/ms-defcon-2-unknown-office-patches-on-the-horizon/#comment-113929

the linked list gives a more clear perspective of what i mean 🙂
https://support.office.com/en-us/article/81464cf1-8510-4ea4-9737-d65db89132ea
each .msp filename represent a component, all updates for this component are cumulative
and some of these components represent a whole product/program, as noted in second column (i.e. Excel, Access, Word)

Reply | Quote

As for the manual cleanup way, my way does not require any uninstall/reinstall 🙂
it’s simply based on WICleanup method, but instead you do the verfication yourself and delete orphaned .msp files

===
– go to C:WindowsInstaller
– change view mode to Details (already default in W8 +)
– right-click on the above properties bar, and enable “Title”
– sort the files by Title
– you can now see that certain .msp files have similar titles, with different patch version
– for each of these similar .msp files, delete the older files with lower version, keeping only the highest one
===

i know the explanation is not very clear without images, but i’m bad at that
this method never failed me or caused any updating problems 🙂

Reply | Quote

The eject feature — through right-clicking in the explorer context menu — will not work if your USB device is an external hard drive with multiple partitions (there’s no eject feature available). In that case, I’m forced to use the system tray “safely remove hardware” feature. Again, there’s no balloon notification that it is indeed safe to remove. I’m sure this is a consequence of installing the Jan 2017 Sec. MQR KB3212646 for Windows 7. I’ve also tried to use the eject feature in control panel “Devices and Printers.” There’s no balloon-tip pop-up in the system tray indicating a safe hardware removal. As I mentioned previously, if I recover my OS from my December backup (I use Acronis True Image – has never failed me), the issue is resolved.

Reply | Quote

Thanks for the info. Yes, I have another PC using Windows 10, and the notifications are different in system-tray ejected devices. Unfortunately, this is a direct consequence of installing KB3212646 for Windows 7. Without going into detail, it’s likely that this update altered a registry key in HKEY_CURRENT_USER >> Software >> Microsoft >> Windows >> Current Version >> Explorer >> Advanced >> EnableBalloonTips. It’s not a simple fix.

Reply | Quote

What I said is that Microsoft may intend to align Windows 7 with Windows 10 from that point of view.
Most users including systems administrators are careless when it comes to ejecting USB devices and just pull them out. So I think Microsoft just changed the behaviour of the notification to be more aligned with the behaviour of the majority of users. I agree that this is annoying for those of us who care about the integrity of our data and devices and would take an extra click to eject safely.

Reply | Quote

I think I know what you meant. They are not the Language Packs as such, but what comes in FeatureOnDemand on WSUS, I have recently looked through those options in WSUS for Win 10 and Win 2016. They should rather be part of the build, because those options tend to change when a new build is released and few weeks after if there are any fixes or additions, like the PanEuropean fonts.
If you don’t have control… well, you just don’t. It is probably a practical way for the WSUS admins to push whatever they consider required, without considering the consequences for the users who receive the updates.

Reply | Quote

I understand your explanation about sorting by Title and removing older versions.
I tried to use Patch Cleaner instead of WICleanup which seems to be old.
I will find out if it broke anything, no big deal, just reinstalling Office and repatching.
The manual method allows certainly more control and it is likely to be safer.

Reply | Quote

KB3212646 slowed down startup programs for me. After I uninstalled KB3212646, my startup programs went back to normal.

Reply | Quote

Thank you. You say the best sequence is to install the 3 updates manually first. I have KB3020369 & KB3172605. You also said to install KB976932, which will install KB2533552.

Do I install KB2533552 manually first, then KB976932 or just do KB976932 since I have the other 2? Doesn’t KB976932 install KB2533552?

Reply | Quote

In addition to what Woody explained, sometimes unticked updates are just throttled at the Microsoft servers and after a while they will come back as ticked. Sometimes the WindowsUpdate.log would offer the reason, but it is in cryptic language and not everyone understands that 🙂
Office Updates released on first Tuesday of the month usually come unticked on Windows 7 but install on Windows 10. That one is a combination of throttling with the known Preview intended behaviour.
There is no single rule, but as it is generally adviced, if Microsoft pushes them as unticked, they generally don’t have such a priority to be installed that the user should override Microsoft’s intention, unless having a very clear reason.

Reply | Quote

KB976932 itself is SP1.
But more recent distributions packed KB2533552 as secondary package together with SP1 as mandatory fix.
Install the three manual patches first and do not worry about KB976932 again because you will not see it again as required (if you already had Service Pack 1 installed).

Reply | Quote

If you already have KB3020369, you will not be able to install KB2533552 manually, allow whatever comes on Windows Update, in your case KB976932.

Reply | Quote

I see.

Reply | Quote

ok thanks

Reply | Quote

@Donna T.
There has been a new development in Windows Update for the last 2 days. You may be able to install without following a particular order, but I would still advise to install those 3 updates or at least KB3020369 & KB3172605 until we have full confirmation. It is not harmful under any circumstances to install those updates first, only potentially inconvenient due to having to download and install manually.
Details here:
https://www.askwoody.com/2017/has-microsoft-finally-solved-the-windows-7-slow-update-problem/#comments

Reply | Quote

you should install KB3212642 not KB3212646 !!!

Reply | Quote

I have the two update you mention above.
I do not have KB2533552 – which you said I won’t be able to install manually because I have KB3023069 I also have SP1.
I was going to install what is in WU list – which I noted in a post on January 12 at 11:31 AM. I hope that’ll be OK
Really appreciate everyone’s help with this !

Reply | Quote

That worked for me. Thank you.

Reply | Quote

I just found an interesting development on a former work colleague’s Win7-64 SP1 Home laptop after the update session for the January patches (Group A).

She turns WU to “Never” right before patch Tuesday, and then waits for a the go ahead from an IT person at work as she was hit with the Intel BT glitch a few months ago and he helped her out and recommended she wait a few days for the updates. She had just gotten the go ahead to update and executed a manual WU scan and installed the January rollup and MSRT. Normally after the patching she returns the laptop to notify, but do not download/with give recommended updates unchecked.

When she checked the Update History, it showed a sting of failed MSE updates, but the applet itself never showed a failed update. I told her to ask her friend first, but he was not familiar with MSE.

I told her to leave the WU on never and uninstall MSE and reboot. I sent the URL to download the most recent version of MSE. She ran and installed it and I walked her though the settings and said wait a few hours and then run a quick MSE scan to see if it updated the definitions before the scan, and it updated successfully. Later in the day after getting the go ahead from her friend to set it back to notify only with recommended updates unchecked, she checked the Update History and found it had done an automatic definitions update successfully.

What was interesting was that she said the WU system was no longer on Never, but was set to full automatic for updates with recommended updates still unchecked. I asked if it was possible she did not say OK and backed out without confirming and she said no. I asked her what version of IE she had and she said that too was set to allow auto updating.

I installed the January rollup on the old laptop I was ‘gifted’ (now a Group A canary in the coal mine) and then checked IE and it too was set to update itself. I did not do an MSE uninstall/reinstall. Unfortunately, I had never checked the IE checkbox after the prior rollups.

Has anyone heard of the January Rollup (or earlier) or the new MSE new installs resetting WU or IE update settings?

Stay vigilant!

Reply | Quote

@ Bill C ……. Installing MSE or some other M$ software will reset Windows Update setting to automatic. This is “normal”.

Reply | Quote

Reply above is DonnaT. don’t know why it says “Anonymous”.

Reply | Quote

I understand some MS software did change WU if you asked for updates.

However, I have reinstalled MSE at least 3 times on each of my Win7 machines and never had it change WU settings. Of these installations, only 2 were installs of the most current version. Even those installed on 2 different machines left the WU settings alone.

I know because I religiously check WU settings as well as services.msc after all MS patching/updating since GWX.

The only time I ever found a change in WU was when I installed MS Office a few years ago (pre-GWX), and more recently Office 2013 for a friend, and when I first upgraded to IE11 way back.

Reply | Quote

Bill, do you have Win7 Home or Pro yourself?

Reply | Quote

Hello Perry,

KB3212646 is the January 2017 Security Monthly Quality Rollup for Windows 7 SP1 and Windows Server 2008 R2 SP1. This rollup installs deep telemetry by updating the Universal C runtime libraries, as do the October through December Quality Rollups. I suspect that the updated C runtimes with telemetry are interfering with your USB drivers. So what you want to do is to uninstall the Quality Rollups and instead install the equivalent Security Only Rollups. Here is a link to my PDF which lists Windows 7 updates which are Win10 related, or which install telemetry, or which are known to cause other issues:

https://www.dropbox.com/s/owla84eu5rpwi4f/WINDOWS_7_UPDATES_TO_AVOID.pdf?dl=0

For the Quality Rollups, see the Comments column which lists the Security Only KB update number which you can download from the Microsoft Update Catalog.

Reply | Quote

Thanks for that! I’m OK with using workarounds to safely delete hardware – for now. So far, unplugging my USB devices hasn’t caused any data failure on the drives. I did note that, when I do a properties-check on the connected device in Device Manager, the Removal Policy setting had switched from “Better Performance” to “Quick Removal (default).” I’ve always had my USB devices configured for “Better Performance.” So, I had to switch them all back. This is likely a consequence of updating to KB3212646. Odd! The deep telemetry needs to be removed from my system. I’ve noticed a substantial slow-down in browsing with Firefox, etc. I’m going to recover my OS from a backup pre-October 2016 and work from there with the Security Only Rollups. Such fun!

Reply | Quote

I forgot to ask. Do I need to recover my OS pre-October, and do the Security Only Rollups from that point forward? I can’t find the Security Only Rollups for October or November 2016 on Microsoft’s support site.

Reply | Quote

@Gone to Plaid

Many Thanks for the link to your PDF list.
Have you any other goodies which might benefit a ‘clueless’ user?
Always learning.

Reply | Quote

It is your choice.
I would say stay mainstream and install whatever comes to have your system as intended and fully supported.
Other people would recommend otherwise.

Reply | Quote

@GoneToPlaid

Maybe you should be certain of things before spreading them as facts

Monthly Rollup do not contain Universal C runtimes, and those has nothing to do with telemetry, they are merely Visual C++ redistributables like other versions (2005,2008,2010,2012,2015,2017)

apparently, you confusing Universal C with “Unified Telemetry Client”, which is included in the Rollup, but has no impact at all on the devices or system functionality

Reply | Quote

Nah. You can sequentially uninstall the Monthly Quality Rollups which have telemetry, and then uninstall any other updates shown in my PDF file which installed telemetry, and then install the Monthly Security Only rollups. That might be faster than reinstalling from your pre-October backup since you would first have to back up all new data files since that last good backup.

Reply | Quote

Alright. I was a bit confused. Nevertheless, with the December Security Monthly Quality Rollup accidentally installed instead of the Security Only Rollup, I noted a slowdown of my computers, apparently due to the telemetry which was continuously being gathered. This slowdown disappeared once I uninstalled that Security Monthly Quality Rollup and installed the Security Only Rollup. Just a guess, but I think that my antivirus program didn’t like dealing with the telemetry monitoring which was going on.

Reply | Quote

Likely possible
however, it’s very easy to disable telemetry service/logger:
https://www.askwoody.com/2016/win-7-8-1-c-tuesday-patch-rollup-previews-are-out-kb-3192403-3192404/#comment-102920

it won’t get enabled when you install new Rollup

Reply | Quote

@ abbodi86 ……. About Universal C Runtime updates in Win 7, others believe they r connected to Telemetry n the Win 10 upgrade. …
.
.
.
ElderN replied on Feb 01, 2016

At least some of these SFC problems are because you have KB3068708 installed and if you were to read in the Additional information section about the update it is known to cause allegedly benign errors from sfc /scannow:

https://support.microsoft.com/en-us/kb/3068708

No troubleshooter will resolve those problems, but you can try.

That KB is part of the Windows Customer Experience Improvement Program (CEIP) and some folks think that participation is an attempt from Microsoft to spy on them, their system and their activities and choose to opt out of the CEIP.

Many folks just blindly install all the MS updates that are offered thinking that they must really be necessary since MS is offering them to you so why not install them? Then when you read about what they do you might not be so thrilled with having them installed.

There are a handful of other updates that are part of CEIP and also efforts by MS to get you to upgrade your system to Windows 10 so what you can do is if you have the updates installed, uninstall them and then hide them so you never see them again then see how your sfc /scannow behaves.

Here are some updates that you might want to think twice about having on your system taken from this topic (as usual don’t pay any attention to the replies from the Microsoft engaged Support Engineer “experts”):

http://answers.microsoft.com/en-us/windows/forum/windows_7-update/unable-to-install-kb2952664-successfully/ec2eb30b-c478-42a4-852e-769f3f723263

Here is a list of updates you don’t need from Wilders Security Forum that you might also check out:

KB2952664 Compatibility update for upgrading Windows 7
KB2990214 Update that enables you to upgrade from Windows 7 to a later version of Windows
KB3021917 Update to Windows 7 SP1 for performance improvements
KB3022345 Update for customer experience and diagnostic telemetry
KB3035583 Update installs get windows 10 app in Windows 8.1 and Windows 7 SP1
KB3068708 (replaces KB3022345) Update for customer experience and diagnostic telemetry
KB3075249 Update that adds telemetry points to consent.exe in Windows 8.1 and Windows 7
KB3080149 Update for customer experience and diagnostic telemetry

KB2976978 Ease upgrade to latest version of Windows

KB2977759 Ensure compatibility to Win10

KB2999226 Windows 10 Universal C Runtime (CRT) for earlier OS’s

KB3083710
KB3083324
KB3090045 applies to some reserved devices that are upgrading to Windows 10 from Windows 8.1 or Windows 7
KB3112343
KB3123862 adds capabilities to some computers that lets users easily learn about Windows 10
.
.
.
Excerpted from …
https://answers.microsoft.com/en-us/windows/forum/windows_7-update/windows-7-update-kb3110329-fails-with-error-code/e1ed7e7b-ce78-416a-972e-15446bd90506

Reply | Quote

I spent a nontrivial amount of time investigating telemetry-related issues for recent “bad” Windows 7 updates. My recommendations are at https://www.askwoody.com/2016/care-to-join-a-win7-snooping-test/comment-page-2/#comment-110622.

Reply | Quote

Well, others do not understand the situation, they just see the word “10” and start to panic 🙂

UCRT is just a modern C runtimes, and it’s embedded/included in Visual C++ Redistributable 2015 and the upcoming 2017 version

for Vista/7/8/8.1 it’s deployed as separate update package
for XP (yes it’s supported), it’s part of the Redistributable package

Reply | Quote

@messager7777777
“Many folks just blindly install all the MS updates that are offered thinking that they must really be necessary since MS is offering them to you so why not install them? Then when you read about what they do you might not be so thrilled with having them installed.”

I am only asking you one thing. When a new Service Pack is released, do you question everything that is included in that Service Pack?
The updates released monthly are the same thing like Service Packs, only installed in an incremental manner.
If Microsoft is to release a new Service Pack for Windows 7, they would include everything, including the telemetry patches and reset the base at some stage.

Reply | Quote

@GonToPlaid:

I thought we were at Defcon 2, and were to “wait” to install anything. ??

I see that KB3212642 (Security-only update) is listed, however no other information as to where to find the update.

Not interested in installing anything right now, however wondering WHERE to locate this one.

Thanks for any information on this. 🙂

Reply | Quote

Coming soon.

Reply | Quote

@Woody:

Where can the KB3212642 (Security-only update) be found?? Haven’t seen anything yet about it.

I’m not planning on installing anything, however need to know where to find this one. Would it be in the MS Catalog, under Win 7, x64?

Thank you for your help. 🙂

Reply | Quote

@Woody: Posted this question elsewhere a few moments ago. My apology. Appreciate your prompt reply. Thank you very, very much!! 🙂

Reply | Quote

http://www.catalog.update.microsoft.com/Search.aspx?q=3212642

https://support.microsoft.com/en-us/kb/3212642

Reply | Quote

Hang on, though. Details coming shortly.

Reply | Quote

Unfortunately, tonight I noticed the same slowdown of startup programs again. Uninstalling KB3212642 brought my system back to normal.

Reply | Quote

@ ch100 ……. If M$ r to release a Win 7 SP2, which most users doubt M$ will, n publicly state that Telemetry updates r included, I would refuse to hv the SP2 installed on my Win 7 SP1 cptr.
……. This is no different from me previously perusing every important update from M$ b4 installing n … refusing M$’s Telemetry updates on my Win 7 SP1 cptr since Sept 2015 n later being in Group C/W(= refusing all updates from M$). Today, my non-updated Win 7 SP1 is still running fine – of course, together with safe-browsing practices n an AV program installed, … notwithstanding the many FUD from M$ shills/apologists.

If M$ r to release a Win 7 SP2, they will likely hide their Telemetry updates inside the SP2 n won’t inform the users about them, in order to trick the users to ignorantly install their Telemetry updates(esp if they r NSA spyware).
……. This would be similar to how M$ hid their GWX KB3035583 inside the security update for IE 11, ie KB3139929, in April 2016 n tricked many tech-savvy Win 7 users into ignorantly installing the GWX/Win 10 scheduled upgrade.
.
To each his/her own.

Reply | Quote

May be slightly off-topic, but since v50+ Firefox it system overheads have ballooned. It regularly uses 900MB-1.5GB RAM on my Win7Ent system. I’ve tried all Ffx-suggested tips’n’tricks, to little effect.

Then there’re the two quite large Flash processes, etc.

IE11 usually maxes RAM needs at 350-500MB. WTF?

Reply | Quote

It is the new “normal”.
Consumers telling engineers what to do and there was so much pressure on the Firefox developers not to be left behind Chrome that they broke their own browser due to the fact that Chrome was using multiprocess and they didn’t.
This means that like with Chrome, the users who will benefit will be those with huge resources and Internet bandwidth, while the others will have to catch up or be left behind.

Reply | Quote

I noticed the same with FF and tried to fix it, to no avail. I usually check on occasion and if it’s really huge, I shut down FF and restart. Not very elegant, but I don’t know what else I can do except switch browsers. And I like FF. Do not like this new behavior!

Reply | Quote

Ever feel like sometimes, you just wanna chuck all the devices and be free of all the nonsense? I do. 😉

But I can’t (at least not right now) and I won’t. It’s not THAT bad, I just find it very tiring sometimes.

Reply | Quote

“f M$ r to release a Win 7 SP2, they will likely hide their Telemetry updates inside the SP2 n won’t inform the users about them”

This simply a false accusation
all telemetry updates are announced clearly by MSFT

do you think you will know about KB3075249 or IE11 one without such announcement? no.

Reply | Quote

+1

Reply | Quote

I am group A. I have previously hidden KB3212646 as advised.

Even though we have returned to DEFCON-3, I’m not sure I’d like to install KB3212646 yet without a comment from our great leader Woody on the “startup program slowdown” concerns.

Thank you everyone for your feedback so far!

Stay vigilant.

Reply | Quote

@Donna T
While it is better to leave it alone, the information is available.

http://www.ghacks.net/2016/07/22/multi-process-firefox/
https://wiki.mozilla.org/Electrolysis

What most people who try to avoid Microsoft “snooping” are not aware is that currently the Firefox users are applied the same treatment by Mozilla in relation to the Electrolysis technology.
The only way out only for a while is to use the ESR version, the equivalent of LTSB for Windows.

Reply | Quote

Too much FUD here on this site and there are few posters who although are trying hard, have only a partial understanding of the issues involved, but genuinely believe otherwise.

Reply | Quote

It’s been about a week since my “remove hardware” issue. I really didn’t do anything of any significance to my settings. Now, My “safely remove hardware” balloon tip is working just fine. Perhaps Microsoft telemetry eavesdropped on this forum and secretly fixed it for me (joke). Well, maybe there’s some truth to that. At any rate, I’m really not sure how this problem could have fixed itself after one week.

Reply | Quote

I hope it is ok to ask a question here about Dell updates. And if not, my apologies, I won’t do it again. I received an update message today from Dell – BIOS update, which I know can brick a machine if there are any issues and different driver updates. I’m thinking I should ignore it. I am not having any issues or problems and think: “if it ain’t broke don’t fix it” applies here.

Plus I don’t trust Dell to push out correct updates either.

Reply | Quote

This is a great place to ask questions – and I promise I’ll have the Lounge built-out before too long, so it’s obvious where to post questions.

Usually BIOS updates are good. If you have a Silverlake processor ( a computer you bought in the past couple of years), the BIOS updates are downright important.

Frequently, BIOS patches are necessary to let other things update properly, including Windows and Windows drivers.

I’d say go ahead and install it.

Reply | Quote