Windows 7 & 8.1 patchocalypse springs a few surprises

Topic

New Reply

I’m in catch-up mode here. I posted this two days ago. This should give you some perspective on how the patchocalypse is going, in real life. InfoWorl
[See the full post at: Windows 7 & 8.1 patchocalypse springs a few surprises]

Reply | Quote

Replies

Woody, there may be no links for the .NET security-only in the KB articles, but they are still in the Download Center. For example,
https://www.microsoft.com/en-us/download/details.aspx?id=54007
So if you can locate them, they are there; the trouble is the DC doesn’t have the kb in the url or the page title for the download page. I use a google search with “download kbXXXXXXX site:microsoft.com” and it is usually near the top of the list of results.

Reply | Quote

Hey Woody, We are starting to patch computers using SCCM at our company. We went with the “Security Monthly Quality Rollup for Windows 7” patch this month. However when I run Microsoft’s MBSA (Baseline Security Analyzer) it shows I’m now missing the patch “Security Only Quality Update for Windows 7”. Everything I can read says this is an either/or, you don’t apply both. I assume this is an error in MBSA with the new process bit wanted to get your thoughts.

Reply | Quote

I really don’t know enough about SCCM to tell you. Have you tried pinging patchmanagement.org with the question? Susan Bradley there really knows her stuff.

Reply | Quote

Have any of your followers had problems with the October updates, and especially either the new monthly rollup and/or the security only update for Windows 7 and 8.1?

I would have anticipated that the Internet would be overflowing with reactions to the new system, but that seems not to be the case.

Reply | Quote

See my recent e-mail along this line

Reply | Quote

Hey guys… I am in the process of doing a clean win7 install on 3-4 computers and to make the process easier was making an updated win7 install disk.

Here’s what I’ve got so far:

Win7_Pro_x64_SP1

KB3020369: April 2015 Servicing Stack
KB3125574: April 2016 Convenience rollup
KB3156417: May 2016 update rollup
KB3172605: July 2016 update rollup
KB3179573: August 2016 update rollup

KB3185278: September 2016 update rollup
KB3175024: September 2016 Security Update
KB3177467: September 2016 Servicing stack update

Where should I stop with the updates? Seems I remember September being iffy. Anything else I should avoid?

I’ve tried reading through the other posts but starting to get a little KB headache!!

I have absolutely no interest in M$ spying. Their creepy chat support people near demanding to use remote assist to help me with “advance fixes” that I did not NEED was bad enough. =/

Thanks in advance & be blessed.

Reply | Quote

Good stuff. Post it for everybody to see!

Reply | Quote

I haven’t seen a groundswell of swearing – but it frequently takes a week or more for the problems to flesh out.

Reply | Quote

Woody, thanks I just read this article. I am a little confused though, it seems like the KB2952664 snooping patch came separately or was it also part of the rollup patch through Windows update?

Is there any snooping within the Windows 7 monthly quality rollup?

I guess I am lucky as I have rarely had a problem with a patch breaking anything on my computer, other than the windows update being slow. Maybe it just occurs to features I don’t use. My biggest issue will always be the snooping. I do want to keep my computer updated but not at the cost of snooping.

Is there any site where it might be listed whether each new patch contains snooping or not. That would be a great resource!

Finally, I thought I found somewhere that WSUS is free. Is that true and can you make it work with your home computer(s)? Might be a better way than using the catalog.

Reply | Quote

Haven’t installed anything yet. Waiting Woody’s go ahead. Might not install anything

Reply | Quote

It appears separately from the rollup.

Snooping in the October Monthly rollup? I don’t know, and I’m not sure we’ll ever know. When it’s time to install the October patches, you pretty much have to decide between Group A and Group B.

http://www.infoworld.com/article/3128983/microsoft-windows/how-to-prepare-for-the-windows-781-patchocalypse.html

Reply | Quote

@Erik,

Regarding WSUS — I don’t know much about it, but my impression is that WSUS is something only large organizations have access to, not ordinary home-users.

Some people use a program created by a German I.T. magazine that is called “WSUS Offline” but it’s not a Microsoft service and it’s not something that Woody gives his readers directions for how to use. That program is free to everyone, apparently.

—
Regarding sites that talk about what Windows patches contain, and if there are any to avoid — AskWoody.com is one, of course, and there are many others, for example: GHacks, Sevenforums, WildersSecurity, WindowsSecrets, InfoWorld, most of the online computing “magazines”.

Reply | Quote

You can skip the KB3156417 and KB3185278 updates if installing the KB3185330 security monthly quality rollup. KB3185330 supersedes/replaces both KB3185278 and KB3156417. Also the KB3132391 update supersedes/replaces KB3156417, so you don’t need KB3156417 anymore.

The KB3177467 update supersedes/replaces the KB3020369 servicing stack update. If you already have KB3177467 installed, you don’t have to install the older KB3020369 update.

Folks, start running the “Windows Update Cleanup” feature from the Win7/8.1 Disk Cleanup tool to clean out old updates and reclaim some disk space (and reboot for the changes to take effect to those using Win7).

Reply | Quote

It is a known issue with stand-alone WSUS as well. I flagged it early to Woody and on the patchmanagemnt.org list, but as abbodi86 and others explained, it is “by design”, part of the new model of updating and not a fault. Unless Microsoft changes their decision and if you are in a hurry to be compliant in your oganisation, just install both patches to have the reporting correct.

Reply | Quote

@PKCano Is there a post on this issue? I am very interested to see your point of view about it.

Reply | Quote

It is all good for those willing to experiment, except for a detection issue encountered mostly by those using enterprise tools, generally outside of the scope for regular end-users.
For most users not interested in wasting time with experimenting, wait for Woody’s MS-DEFCON to change to 3 and above.

Reply | Quote

Check out the extended discussions on the Answers forum now over 50,000 views:

http://answers.microsoft.com/en-us/windows/forum/windows_7-update/windows-7-update-solution/f39a65fa-9d10-42e7-9bc0-7f5096b36d0c

There is also a new discussion started which will be interesting to people on Woody’s forum. It specifically starts out describing Woody’s Group A, B, and C.

https://answers.microsoft.com/en-us/windows/forum/windows_7-update/windows-update-how-will-it-change-your-system/6d2ee7f8-908f-4ddb-8fd9-1eab55773141?tm=1476461665170

CT

Reply | Quote

Skip the May 2016 Conveneience Rollup. The supersedence cause problems at this stage.
If you insist on having it in the image, please search for abbodi’s posts about pre-requisites.
At minimum, BEFORE the convenience rollup, install:
KB2670838 – Platform Update
Next, in this order (RDP8/8.1 components):
KB2574819
KB2592687
KB2830477

Reply | Quote

MDL is the only reliable forum, Sevenforums/WildersSecurity/WindowsSecrets tends to spread FUD 😀

Reply | Quote

Woody, first I want to say thanks for keeping this blog up. Since I found it I have been reading a lot and learning! Anyways, you said we may never know if Oct may have snooping patches. Forgive me as I am pretty new to all this, I used to update everything until GWX came around and I found out about snooping, but how do people find out other patches had snooping such as KB2952664, etc. I have read about people who have some sort of software (what software I don’t know) that monitors internet traffic after a patch is installed and have seen that after a particular patch is installed, that they see packets going to a microsoft address. Can we not just check each patch for that as they come across?

As far as WSUS goes, I came across this web page regarding WSUS (again I may be a little naive as I am learning a lot about all this recently):
https://technet.microsoft.com/en-us/bb332157 It says download a free trial (I know its just a trial) and that you can upgrade SP1 to SP2 or install SP2 as a stand alone (ref: https://www.microsoft.com/en-us/download/details.aspx?id=5216) It does mention Windows 7 in the documentation but I don’t know what it all means. I wonder what would happen if you just tried it on a home computer?

Reply | Quote

WSUS is a tool used by system administrators to dole out patches. If you don’t have a domain, you don’t need it.

Snooping… that’s a tough one. Yes, there are tools that can monitor whether data is being sent. But there’s no way to know exactly WHAT data is being sent. Best bet is to just follow along here as we all find out what’s happening.

Most people just need to decide if they’re in Group A or Group B, then wait and follow along here as the situation unfolds.

Reply | Quote

MDL is highly reliable. If you listen to the right people. One of whom just posted this. 🙂

Reply | Quote

+1

Reply | Quote

THE FIRST PART
I’ve been curious with the new schizophrenic patch system to see if the
parts were equal to the whole or if the laft hand and right hand were
aware of each other. Apparently not, according to the test I just ran.
Win7 first.

KB3185330 (Oct Security Monthly Quality Rollup for Win7) and KB3188740
(Oct Security and Quality Update for .NET) show up in WU.

According to the MS Windows 7 SP1 history site, KB3185330 (Oct Monthly
rollup, or whatever) consists of KB3185278 (Sept rollup 9/20) and
security updates whose description match KB3192391 (Oct security only
update).
I assume the same would be true for .NET (you’ve seen the demonstration
for assume). KB3188740 (the Oct .NET Security and Quality Monthly
Rollup) should contain KB3179930 (Sept Reliability .NET update) and
KB3188730 (the Oct security only update).

So I installed KB3185278 and KB3179930, the Sept non-security half of
the equation. Rebooted.
Then I installed KB3192391 and KB3188730 the Oct security half. Rebooted.
When it came back up, I scanned for updates (which incidentally has been
fast since I used 3172605 as speedup).
Both KB3185330 and KB3188740, the full rollups, still showed up in WU as
checked important updates.
I ran Disk Cleanup, rebooted.
You guessed it, both are still checked importants.

So, either 1+1 does not =1 or the left hand and the right hand are not
aware of each other.

I’ll try this doing Security first and also on Win8.1, but I suspect the
answer will be the same.
Should be interesting for the people that try to switch from B to A!!

Reply | Quote

THE REST OF THE STORY

OK, here’s the rest of the results.
Win7 – Install Sept non-security KB3185278 (OS) and KB3179930 (.NET) first. Reboot
Install Oct Security-only KB3192391 (OS) and KB3188730 (.NET) after reboot.
You are still offered Oct full updates KB3185330 (OS) and KB3188740 (.NET) as checked important updates.

Win7 – Install Oct security-only updatesKB3192391 (OS) and KB3188730 first. Reboot
Install Sept non-Security update KB3185278 (OS) (no .NET) after reboot.
You are still offered Oct full updates KB3185330 (OS) and KB3188740 (.NET) as checked important updates.

Win8.1 – Install Sept non-security KB3185279 (OS) and KB3186208 (.NET) first. Reboot
Install Oct Security-only KB3192392 (OS) (no .NET) after reboot.
You are still offered Oct full update KB3185331 (OS) as a checked important update.

Win8.1 – Install Oct security-only update KB3192392 (OS) (no .NET) first. Reboot.
Install Sept non-Security updates 3185279 (OS) and KB3186208 (.NET) after reboot.
You are still offered Oct full updates KB3185331 (OS) as a checked important update.

Apparent implications (at this early stage, anyway)
1. If the security + non-security patches together are the same as the whole rollup, then we should expect the whole not to show up if the separate ones are installed. Either the whole is not equal to the sum of it’s parts, or there is no accurate sepersedence check at this point. This will affect people who install the non-security rollup early-on (for testing or out of ignorance) when it is an unchecked optional, then think they are OK to just install the security-only when it is released on patch Tues.

2. This will affect people that install the security-only rollup, then find they need something contained in the non-security one.

3. Even if you run Disk Cleanup (and reboot), which should resolve the supersedence issues, you are still offered the full rollups as checked important updates even after installing the Sept non-security rollup + the Oct security-only rollup. It seems two halves don’t make a whole.

4. KB3177467 seems to be superseded (ie, doesn’t show up in WU) if the Oct Security Monthly Quality Rollup KB is present as a checked important. But it does show up if a combination of the Sept non-security rollup KB3165278 + Oct security-only KB3192391 are installed and the Monthly rollup KB3185330 is hidden. Again it seems two halves don’t make a whole or it’s only checking against the latter.

5. I’m not touching KB3184143 with a ten foot poll – it’s hidden. The documentation says it “removes GWX” and it gives a list of the KBs involved. But if you read closely, I believe it doesn’t say it removes/uninstalls those KBs, it says it “REPLACES” them. With what????? I don’t trust MS with the WHAT.

Reply | Quote

Done – see below.

Reply | Quote

Thanks for posting!

Reply | Quote

@abbodi86,

I’m not an I.T. person, I’m just a home user who is a smart and capable person but who doesn’t care much about the subject of computers in and of themselves,

and I’m afraid that I have found ALL of those sites I mentioned to be very useful to me in the last 2 years.

And they do what I said above that they do, which is “talk about what Windows patches contain, and if there are any to avoid.”

Martin Brinkmann at GHacks, Susan Bradley at Windows Secrets, Woody and colleagues at InfoWorld, several with-it people at WildersSecurity — I’ve appreciated their information and their generalized/personalized help, absolutely.

One has to be discerning and not believe every commenter on a public site, just like one can’t trust everything people say on AskWoody, even if they are giving advice with the best of intentions.

I was recommending those sites to other home users, not to top-level computer folks.

—-
I don’t know what the abbreviation MDL stands for, but I’m sure it’s a great resource, and if that’s where you operate, I’m sure that you give excellent information there. 🙂

Actually, I don’t even know what the abbreviation FUD stands for, but I realize it’s something disparaging. ha ha.

Reply | Quote

(By the way, the comment of mine that began “@Erik, regarding WSUS” was one of the comments that I left on this site today that was treated by the system as from “anonymous” even though I was ostensibly “signed in” at the time.)

Reply | Quote

In case it’s useful for anyone, I posted the following hyperlinks about Windows updates on AskWoody in December and in April.

[Note: I have no idea if these sites will be helpful in the future regarding Windows patching/updating, now that the system has changed.]

=====
quoted from: https://www.askwoody.com/2016/its-not-time-to-install-windows-or-office-updates/#comment-80672

” …You asked whether there were other sources of information on the patches, and I thought I’d mention a few links that I check out every month before deciding which patches to install. They are of varying usefulness, and certainly none of them have been as helpful to me as Woody’s reports have been, but at least it’s something.

A. Susan Bradley author archives at Windows Secret (it appears that one must have a subscription to read most articles, beyond the first couple of paragraphs)
http://windowssecrets.com/author/susan-bradley/

B. Susan Bradley’s fabled Excel spreadsheet of patches (which, like some commenters said below, I also find a little confusing/awkward to use – even though I’m comfortable with Excel – and for the last couple of months, there haven’t seemed to be many notes about the Windows 7 and 8 patches)
https://onedrive.live.com/view.aspx?resid=C756C44362CD94AD!2257&ithint=file%2cxlsx&app=Excel&authkey=!AIOQkIu7flF7lPE

C. Martin Brinkmann’s overview of monthly patches (this link is to Nov 2015 – for other months, click on the bolded “Microsoft” word next to the publication date to see all his blog entries on Microsoft)
http://www.ghacks.net/2015/11/10/microsoft-security-bulletins-for-november-2015/

D. Wilders Security Forum’s running thread about “Bork Tuesday”
http://www.wilderssecurity.com/threads/bork-tuesday-any-problems-yet.370217/page-58

E. Windows Seven Forums’ subset of discussion threads on “windows updates and activation”
http://www.sevenforums.com/windows-updates-activation/

F. Softpedia’s articles by Bogdan Popa about Microsoft “patches and vulnerabilities”
http://news.softpedia.com/cat/Microsoft/Patches-and-Vulnerabilities/”
https://www.askwoody.com/2015/msdefcon-4-patch-watch-kb-3101488-clean/#comment-66301

Woody responded to that [in December], saying, “All of those are excellent sources…. ”

========

Reply | Quote

MDL = My Digital Life. You’re right – there’s plenty of chaff on MDL, but there’s also a lot of gold.

https://forums.mydigitallife.info/forum.php

Reply | Quote

@PKCano,

Thank you for posting your description – I know it took a long time for you to do your testing and to write it up so clearly, for us to read and learn from here.

As I read it, I was thinking that I am so glad to be a “late adopter” of technology, and glad that I only have 2 people’s computers to worry about — if Microsoft has made too complicated, or actually broken (!) their updating system, I can go with Group C and just bobble along in my own little tributary off the main river, but you I.T. folks have a huge responsibility to keep other people’s computers working perfectly, and this change in the Windows patching system must be such a headache for you.

Reply | Quote

Is what you folks are experiencing at odds with what Microsoft said about these updates?

(in October 7th’s “More on Windows 7 and Windows 8.1 servicing changes” at
https://blogs.technet.microsoft.com/windowsitpro/2016/10/07/more-on-windows-7-and-windows-8-1-servicing-changes/ )

“What’s expected if you install both updates?

Since all the new security fixes for a given month are available in both the security-only update and the monthly rollup, it’s important to understand the behavior that may been seen if you deploy both updates in the same month.

For example, assume you approve and deploy the security-only update and the monthly rollup that are both released on Update Tuesday (a.k.a. “Patch Tuesday,” the second Tuesday of the month).
This isn’t necessary, since the security fixes are also included in the monthly rollup, and it would generate additional network traffic since both would be downloaded to the PC.
But what would happen?
It depends on the installation sequence:
•If the monthly rollup fix installs first, the security-only update would then no longer be applicable to the PC, since the entire content of that security-only update would already be installed.
•If the security-only update installs first, the monthly rollup will still be applicable as it contains additional fixes (both non-security fixes and older security fixes) that are needed by the PC.

Depending on the management tool you are using to deploy these updates, this may be represented differently in the compliance reports provided by those tools.

As long as you install one or the other (security-only update or monthly rollup), the PCs will have the needed security fixes released that month.”

Reply | Quote

@Woody,

I have just had a look at a link that someone here posted today, to a post by Canadian Tech on the answers.Microsoft.com site.

It starts off, “Woody Leonhard has described the situation like this”,

but I was puzzled, because some of the subsequent wording there I had not specifically seen before in YOUR descriptions of the new Windows updating system (I’d not seen it on InfoWorld, not on AskWoody),
such as the term “potato peeler”,
so I was wondering if it were a direct quotation from you, or just a paraphrasing of your ideas…

and then a part of it seemed to have been clearly composed by CanadianTech (“It depends on whether I can find a satisfactory way for my 150 or so client machines to be updated. They are average Joes and Janes.”)

I am bringing this up here, because to someone who isn’t familiar with most of the articles that Woody has published on this topic, it would appear at first glance as if Woody himself had written the entire comment that appears there, and that the views and plans are all his own.

Of course the views are quite close to his own, but if they aren’t exactly his own words,
if I were a Microsoft person and I were predisposed to have a grievance against criticism, I might absorb those words and assume that Woody had published that entire comment _verbatim_ somewhere, maybe on his personal blog, and I might be kind of annoyed with him for some of the bluntness.

(I’m not saying that the bluntness is out of bounds; it’s not, in the scheme of things.)

And then Woody made a comment in the subsequent discussion, without explaining that the original post was partially a paraphrase of his ideas, rather than being a direct quote from him, and without explaining that another part of the original post was describing Canadian Tech’s own I.T. work and plans, and that Woody personally doesn’t have 150 Joes and Janes, etc.

I suppose that I’m saying that, “for the record”, in the wider tech-industry sense, the original post might benefit from being edited slightly, to make more clear what part of that original post was actually a quote from your pen/your voice, and what part consisted of comments about Canadian Tech’s own situation and own point of view.

…I mean no offence, and it’s very possible that my concerns hold no water at all, and that things are fine just as they are, which they probably are. 😉

Reply | Quote

Oops, I forgot to give the link I am referring to, it is:
https://answers.microsoft.com/en-us/windows/forum/windows_7-update/windows-update-how-will-it-change-your-system/6d2ee7f8-908f-4ddb-8fd9-1eab55773141?tm=1476461665170

Reply | Quote

So you are not a fan of WUMT 🙂

Reply | Quote

WSUS is free on a 180 days Windows Server trial basis. If you don’t mind reinstalling every 180 days, it is “free”.

Reply | Quote

@poohsticks
Thank you for the links which are a good reference in one place.
What abbodi says is correct strictly speaking and abbodi is the top poster on MDL in terms of quality and quantity of posting.
But there is a lot of useful information on many of the sites for which you posted the links, only the density of good information may be lower.
And I am convinced that what is good information for someone is not so good for someone else and this depends on many factors.

Reply | Quote

I think the .NET Framework patches, the full one and the security only are more or less identical, but this is not a rule for the following months.
The Windows Security Update patches are a lot more confusing in behaviour, as they are both offered to WSUS and SCCM and can be installed side-by-side, which is probably what a lot of admins who have high compliance requirements against tools like MBSA or similar will have to do to be compliant for October 2016.
I hope that Microsoft will review those patches and make the full monthly rollup supersede the Security Only.

Reply | Quote

At the subject of not installing early, is anyone aware that the Office patches have been reviewed already? I am talking specifically about Office 2013 which underwent a cosmetic change with minimal implications, but still…
KB3118352 – SharePoint Enterprise 2013
KB3118360 – Office WebApps Server 2013 farm-deployment
KB3118352 – SharePoint Enterprise 2013 farm deployment

KB3118345 – Word 2013 32 bit – this should affect everyone with Office 2013

KB3118360 – Office WebApp Server 2013
KB3118345 – Word 2013 64 bit

The numbers, although duplicated, are correct.

Reply | Quote

I think abbodi posted elsewhere about an IE patch (for September 2016?) which is included in the monthly rollup but still shows as required. The supersedence is not always handled correctly at patch detection time, but in the end I think the installers keep the components in order by installing only the latest version of each. Components meaning the dlls primarily and not the patches containing them. This means installing whatever Windows Update shows as required.
It is understood here that already determined as non-relevant patches do not need to be installed, KB2952664, KB3021917 (maybe).

Reply | Quote

Thank you. 🙂

Reply | Quote

“Check out the extended discussions on the Answers forum now over 50,000 views”

Wow!

Reply | Quote

It was merely a humor to loosen things up
no offense intended for any 🙂

Reply | Quote

1. 2. WU does not recognize the security-only updates, they don’t exist in its metadata
therefore, it require/request the Monthly Rollups to be installed explicitly, even if all the components in the rollup are already installed by other updates

that’s the same reason why WU still offer old updates superseded by installed Convenience Rollup

3. Monthly Rollup shares same components version with Security only and Sept non-security
CBS takes that as none of them is supersede, and Disk Cleanup won’t remove any of them

4, KB3177467 is an exclusive update that must be installed alone, it doesn’t allow or offered if there are other updating operations
meaning, if you install it and there are pending operation, you won’t be able to install any update until you reboot

5. How about it replaces them with clean components that don’t have the GWX code? 🙂

Reply | Quote

KB3179930 Sept Reliability update is for .NET 4.x family
KB3188740/KB3188730 Oct updates are for .NET 3.5.1 family
two separate products

but i do agree that for WU, the left hand and the right hand are not aware of each other 😀

Reply | Quote

Canadian Tech and Woody as well,

Excellent summary on the Answers Forum – I cannot reply there because I wont even sign up via MS (paranoia ?)

As I have previously stated I,m in Group C (or W). Since the start of 2015, have rarely installed a non-security patch, but would still like the opportunity to evaluate them as they come along.

The Monthly Rollup (the one with Quality plus non-security) is a no-go for me, but what about the Preview Rollup on the 3rd Tuesday. Doesn’t this contain JUST non-security patches which will be included in the following months’ Rollup and if so, is there some scope here ?

Doubt if the documentation will give much when released (based on previous non-security Rollups but what do you think ?

Reply | Quote

Just a hypothesis from me about the reasons behind your observations:

1. The equivalence of Oct full rollup to Sept optional + Oct security is only truly valid at this point. Eventually they have said that the full rollups will become cumulative, so at that point they will contain more than the sum of the corresponding prev month optional + current month security. WU is just not instructed to check equivalence, as the benefits will soon disappear.

2. The full rollups are also meant to be incremental (or would the proper term be differential – people so often misuse it that I am only certain of its intended meaning in mathematical contexts): they install only what’s missing (though at what point they determine what is missing I don’t know). So 3185330 for example is not a fixed compilation of updates, but rather an adaptive alias. If you install it after having installed 3192391 and 3185278, my guess is it wouldn’t actually change the system because it would be, for that system, just an empty container.

Reply | Quote

Haven’t been an IT person since ’99, but I did come up through IBM360s punchcards, Heathkits, Comodor64s and DOS. I’ve just tried to keep up with things.

Now I’m just a home supporter (mostly gratis) for club members, neighbors, family, friends, friends of friends, anybody who has my phone number or e-mail address – you get the picture.

About the best descriptor at this point is “Vieja.”

Reply | Quote

“that’s the same reason why WU still offer old updates superseded by installed Convenience Rollup”

This is my main objection about the Convenience Rollup. Even if I import the Convenience Rollup in WSUS with its supersedence rules built-in, the supersedence is still not correctly implemented and while it can be controlled, the effort required is not worth it.
Maybe v5 of the Convenience Rollup will fix those issues and will finally be published in WU and WSUS.

Reply | Quote

The net effect, though, is confusion, even for “techies” who are somewhat aware (see @Robert in #2 above). And if this has been confusing for us, how about most of the 1.5 billion Windows Users out there, well…

The Average Joe or Jane User doesn’t read blogs, forums or tech sites. They probably never opened the Control Panel or changed settings before the GWX fiasco, and that with constant babysitting. They can’t find files on their computer b/c they don’t use Explorer, have extensions turned hidden (default) and haven’t a clue about file structure. Most have Home editions, so no Group Policy, and Heaven help them if they touch the Registry.

The Users I support fall into the “Average” category (with FEW exceptions). They are incapable of dealing with what’s going on. For that reason, I have put them in Group A. But even further, set Win Update to Automatic and told them to forget about it. That is the only way the computers will get patched at all, and I believe security fixes, Flash and IE fixes, etc are necessary.

I know this is not the recommendation Woody would make. But there are just not enough hours in the day for me to micromanage all those I support. When MS breaks Windows with their idiocy, I will have enough to keep me busy.

Reply | Quote

Au contraire 🙂

That’s exactly the recommendation I would make. Users who aren’t involved in the care and feeding of their machines should be in Group A.

But they should also realize that Microsoft has complete control over their machines – including both potentially bad patches (GWX being a perfect example), and snooping.

Reply | Quote

One of the main issues experienced is that both Security Only and the Security Monthly Rollup can be installed side by side.
They still work correctly because the internal stack knows how to install them, it is only Windows Update detection which creates the confusion showing both installed, even if the first installed is the rollup and this needs to be corrected.

Reply | Quote

Is there much to be gained from supersedence when it comes to common components that are (supposedly) identical? Having them side-by-side allows one to manage them independently of each other. E.g, if both are installed, either can be uninstalled without affecting the other. And if the common components are actually shared, not duplicated, then the installation of security-only on top of full rollup amounts to only telling the system that those components also belong to it (so not to remove/rollback them unless both are uninstalled). As you write in your next comment, the installer keeps them in order. Even a reboot shouldn’t be needed. And as for deployment, fewer supersedence relations is simpler, hence better, isn’t it? I think I read somewhere here that if one could tell WU not to bother with supersedence, it just spurts out to whole list in seconds, with or without speedup patches.

Reply | Quote

Poohsticks, You are absolutely correct. I have modified the writing there to reflect the fact that I am putting this in my own words and from my perspective.

Thank you for pointing out my error. My apologies to Woody for not having it correct to begin with.

CT

Reply | Quote

We probably will see that when the Monthly Rollup become fully cumulative in 2017

Reply | Quote

I noticed that, specially the Word update, same for Office 2016
but afaik, only metadata changed, binaries still the same

Reply | Quote

I wrote about the scanning time and removing supersedence for testing purpose with a third-party software named Windows Update MiniTool.
The reason why supersedence is there is that instead of about 230 patches needed now (without the Convenience Rollup KB3125574 installed) you would need about 530 updates including the superseded, which would not be very practical. This is what people with very old systems patching regularly and without running Disk Cleanup would see. This is starting from SP1. I don’t even want to think about even older systems, before SP1.

Reply | Quote

Me, sure i am 🙂
at least it saves me from checking DataStore.edb with ESEDatabaseView to get .cab links 😀

Reply | Quote

Believe me, even telling them that doesn’t compute (no pun intended).

Reply | Quote

@abbodi86
You are right about KB3177467. It showed back up after the full rollups were installed as a solo install.

Reply | Quote

APOCALYPSE MASH?

MicroKurtz: a snail crawl along the edge of a straight razor. That’s my dream. Crawling, slithering, along the edge of a straight razor… and surviving.

Woody: 98? XP? Vista? 7? 8/8.1? 10? – I Was There, Man!

Woody “Hawkeye” Leonhard – The UK Salutes You!⛑✌??

Never Get Out Of The Boat, Mate!
sainty

Reply | Quote

Ah, so it was you who wrote about the minitool… please forgive me for not remembering that. Anyway, this is all largely academic with the new scheme, since we are not going to be accumulating hundreds of new updates any more, but just for the sake of clearing up my point/question, those ~300 that can be cleaned up (going by your numbers) are actually older versions of the components, and because WU keeps the old files to allow rollback, they actually take up space. Here with the rollup vs. security-only, whatever they have in common is identical, so if the installer is smart about it, the overhead should be minimal.

A much more substantial downside is the confusion, but that’s an issue of communication; e.g. the description that poohsticks refers to above describes the functionality of updating, while the various deployment methods apparently don’t implement that intention. If the assumptions about the install process on which I am basing all this are correct, MS could have explained that while it is functionally unnecessary, installing them side-by-side doesn’t hurt either.

Reply | Quote

Arghhh, it took me 5 months to find this pearl.
http://windows-update-checker.com/FAQ/ConvenienceRollupKB3125574-Issues.htm
Absolutely gold!
Well done to you all, Abbodii, PointZero, Komm

This is a must for anyone still contemplating to install the Convenience Rollup KB3125574.

Reply | Quote

Just kidding, it was a reference to WildersSecurity spreading FUD 😀

Reply | Quote

Amazing, ain’t it? Someone at MS probably looked at it and said “Oh %$#@@!” then promptly started fixing things. They haven’t quite done it yet. Doubt that they ever will.

Reply | Quote

Maybe there will be a v5 (currently v4) or a similar one renamed as abbodi86 says, sometime early next year.

Reply | Quote

On the day before October Patch Tuesday I ran Windows Update and finished installing a few remaining important updates for Windows. I left uninstalled a number of recommended and optional updates including September’s update rollup KB3185278. Its size was indicated to be 60.2 MB.

Today for the first time since then I ran Windows Update to check for new updates. KB3185278 was gone, presumably rolled into the October Security Monthly Quality Rollup KB3185330. Its size is indicated to be 119.4 MB.

Is the almost doubling in size the result of my not installing September’s rollup or will future Security Monthly Quality Rollups continue to grow larger and larger.

Reply | Quote

@Woody,
The title of this blogpost has a tiny spelling error – “pathocalypse” instead of “patchocalypse”.

Reply | Quote

I had a thought about this:

Why is MicroSoft still ‘fixing’ Windows 7? Didn’t the main life cycle already end in 2015?

I suspect MicroSoft of ‘slumlord tactics’, affecting/weakening the functionality of W7 and thus trying to force people a.s.a.p. towards W10 (or Linux for that matter, for I will never go for W10!)

Reply | Quote

Got it. Thanks!

Reply | Quote

The rollups will grow larger – but remember that Windows Update only “downloads the deltas” so the actual amount of data sent to your machine will only reflect the patches you don’t have installed.

Reply | Quote

And that’s ladies and gentlemen is FUD 🙂

please, do read a little about Windows lifecycle policy
https://support.microsoft.com/en-us/help/18581
https://support.microsoft.com/lifecycle/?p1=15510

Reply | Quote

I did not know that Windows Update only “downloads the deltas” but am very glad to learn that that is how is works.

Thanks.

Reply | Quote

I completely agree. I refuse to install any Windows update not labeled specifically Security, for that very reason. I’ve been refusing all non-security updates to Windows for more than a year now.

CT

Reply | Quote

http://professor.unisinos.br/linds/teoinfo/bdc.doc

Reply | Quote

@prk280: What are “deltas”??

Reply | Quote

When Windows downloads the deltas, it’s only downloading the pieces that your computer needs – not the whole update.

Reply | Quote

Thank you, Woody, for the explanation! 🙂

Reply | Quote

Good reading.
Thanks 🙂

Reply | Quote

I think your interpretation and poohsticks’ interpretation are entirely accurate.

The MiniTool is not actively promoted here because it is impossible to assess the usefulness of every tool on the Internet.
It is something which I found to be very useful for my research, it is promoted by other very good sites, but otherwise offers little advantage for the regular user against the built-in Windows Update.

Reply | Quote

Differential is the correct term, not incremental. Incremental would make the assumption that the previous bits are already there, while differential analyses what is already installed and comes only with the required “deltas”.

Reply | Quote

I just read the paper on BDC.

Thanks for the reply.

Reply | Quote

Hi woody. First, thanks for all the info and suggestions you provide. But was hoping you might help clarify something for me: after you change Msdefcon level for this month’s patches, assume you expect Group B folks (on Win7) to install “Security Only” updates for both Win7/IE (KB3192391) and .NET (KB3188730)…
but wondering what you–or posters abbodi86, ch100, pkcano, et al–might think about “Group B-inclined” folks (on Win7) installing the “Security Only” update for Win7/IE (KB3192391), but then using the cumulative rollup for the .NET framework (KB3188740)?

Reply | Quote

That’s the likely course for those in Group B.

Reply | Quote

My point of view is that the Group B users overcomplicate things for little or no benefit. I am totally in favour of Group A – the default Windows Update style of patching, with reservations (this means kind of neutral about them as I don’t really understand what they do in the practical sense, although abbodi86 has provided very useful technical details about each of them) about installing KB2952664 and its companion KB3150513 and KB3021917. You might also see recommendations to avoid KB3068708 and KB3080149 for the same telemetry related reasons.
Now I am asking you, if you decide to go the great lengths to stay in Group B, why would you then install a rollup for .NET 3.5.1 which is not Security Only?

Reply | Quote

Very good call
.NET updates are rarely harmful, and they are for sure don’t have any “snooping” components

Reply | Quote

@PkCano,

Much can be learned from Vieja. 🙂

Reply | Quote

@poohsticks:

I believe FUD = fear, uncertainty, doubt…

Reply | Quote

@ch100:

See, that’s kinda my point too! Why I have asked a couple of questions & am trying to learn.

Pre-Win10 I installed updates however M$ wanted them installed… After Win10 nagging me, updating 2 of my computers without “permission” (i thought i was telling it NO), and doing a bit of research then finding Woody’s site.

I found myself being more inclined to immediately defect from Group A & turned off auto updates. Felt I would be a Group B and would just watch this site & listen to what all you smart folks recommended. But it seems that trying to work around a lot of these issues is not as easy as being in Group B. =/

Reply | Quote

@poohsticks:

I tee-totally agree. i seem to have acquired a M$ headache just from trying to figure 1/4 of this stuff out! lol

Certainly makes me appreciate these IT Folks (Woody, ch100, abbodi86, etc. for taking some of the strain off my poor brain.

Reply | Quote

Tomorrow is the third Tuesday of the month. Should we expect to see the first preview rollup as indicated here:

https://blogs.technet.microsoft.com/windowsitpro/2016/10/07/more-on-windows-7-and-windows-8-1-servicing-changes/

Reply | Quote

Yes. I’m expecting to see it around 10 am Redmond time.

Reply | Quote

“Second” preview rollup
September rollup was the first

Reply | Quote

Thank you for confirming that. I have not installed any updates since just before last week’s “B week” update. My Windows Update will remain closed tomorrow.

Reply | Quote

KB3185330 and KB319231 have been revised.
The description of the revisions say for each “The set of updates superseded by this update has changed”.
I am still assessing if the supersedence issue between the Monthly Rollup and Security Only is resolved.
There is no Patch Tuesday C Rollup released yet.

Reply | Quote

I saw that they’d been revised – metadata only – but there’s no notice in the KB article themselves.

MS really blew the rollout for WSUS.

Reply | Quote

Smart.

Reply | Quote

It does not change the known behaviour of trying to install both on managed servers.
It may be just that after running Disk Cleanup for example, after the revision, the number of patches removed as superseded to be different.
The fact is that it does not correct the known WSUS behaviour which was the main complaint for the current round of patches.

On a different subject, I noticed that Susan Bradley mentioned in the Windows Secrets newsletter about the Excel 2016 patch being retired. I don’t use Office 2016 so I am not closely following it, but some of the readers here might use it and this may be of interest. It seems to be recommended by Microsoft to uninstall that patch.

Reply | Quote

About 3118373… I started looking at how that change affects Office 365, but dropped it as the whole thing’s complex – and I ran out of time.

Wonder what’s up? See https://technet.microsoft.com/en-us/mt465751

Reply | Quote

Too complex for me too 🙂
The fact is that KB3118373 is recommended to be uninstalled as it is considered faulty by Microsoft.
https://support.microsoft.com/en-au/kb/3198535

Customers reported that after installing October 4, 2016, update for Excel 2016. Some Excel 2016 workbooks stopped responding and returned the error.

“Microsoft Excel has stopped working”
Cause
Due to the severe outcome, we have stopped further release of KB3118373, update for Excel 2016. If you have already installed this patch please uninstall it.

We apologize for any inconvenience this may have caused. The fix for this regression as well as other fixes in KB3118373 will be included in the next public update for Excel 2016.

Reply | Quote

Yep. But it’d be very instructive to learn how/if they pulled it from Office 365. We’re going to see a lot of that with the new Windows patching method.

Reply | Quote

Yes, I agree. Thanks for the correction.

Reply | Quote

Todays’ updates at Download Center
DST and Timezone Update for Windows Vista (KB3192321)
October, 2016 Preview of Monthly Quality Rollup for Windows 7 (KB3192403)
October, 2016 Preview of Monthly Quality Rollup for Windows 8.1 (KB3192404)
October, 2016 Preview of Monthly Quality Rollup for Windows Server 2012 (KB3192406)

Reply | Quote

Topic: Uninstalling Rollups

If a rollup installed through Windows Update needs to be uninstalled, what exactly would get uninstalled? Let’s say, for example, that before November’s rollup is released, October’s rollup is installed on computer A but not on computer B. Subsequently, the November rollup is installed on both computers, computer A getting the November changes and computer B getting both the October changes and the November changes. Now assume that there are problems with some of the changes made in the November rollup and it needs to be uninstalled.

Presumably uninstalling November’s rollup would uninstall whatever November’s rollup installed on a particular computer. In the case of computer A that would be just the changes for November. In the case of computer B that would be not only November’s changes but also October’s changes which in this example I am assuming were not problematic.

If the uninstallation process works as in this example, then it would seem to be prudent to install each monthly rollup prior to the release of the subsequent month’s rollup. By doing so one could avoid uninstalling one or more prior months’ perfectly good changes when uninstalling a current month’s rollup should that become necessary.

Is my thinking on all of this correct?

Reply | Quote

Helluva good question – and I don’t think we’ll know the real answer for at least a couple of months. Microsoft may play it one way or another, but the proof’s in the potato chips.

Reply | Quote

Beware that the new rollups contain Unified Telemetry Client (aka KB3068708/KB3080149)

darn, they add it too soon 😀

Reply | Quote

Thanks.

Microsoft’s discussion in the article below under the title “The common concern: What if an update causes an issue?” is a bit vague.

https://blogs.technet.microsoft.com/windowsitpro/2016/10/07/more-on-windows-7-and-windows-8-1-servicing-changes/

Fortunately I have never had to uninstall any updates. I am just trying to think through as many future scenarios as I can before committing this month to join Group A or Group B (although I think I already know which way I will go).

As an aside, once I did have the unpleasant experience of reinstalling Windows 7 on a single core processor laptop (I can’t remember why I needed to). The updates took hours, sometimes overnight, there were multiple restarts, and it was then that I first came across the GWX popup which I removed by restarting the reinstallation process all over again being careful not to install the update responsible for the GWX popup. I now make system images and store them on external hard drives. I hope they work if I need them.

Reply | Quote

They have always been offered to all current server versions, so I don’t think anyone should start complaining again about how Microsoft treats end-users differently.

Reply | Quote

KB3192321 – Turkey ends DST observance

This update applies to the following operating systems:

Windows Server 2012 R2
Windows Server 2012
Windows 8.1
Windows Server 2008 R2 Service Pack1 (SP1)
Windows 7 SP1
Windows Server 2008 Service Pack 2 (SP2)
Windows Vista SP2

Reply | Quote

I uninstalled many times patches manually. The Component Based Servicing architecture is very resilient to this sort of procedure. The issues that everyone experiences with CBS are more related to the Microsoft not maintaining it actively and correctly, which is a requirement to keep it running smoothly when new updates are added to the stack.
The only downside to uninstalling later patches would be that you might have to reinstall other earlier patches due to the interdependencies. This is the same thing which is implemented by Disk Cleanup, only that Disk Cleanup tries to uninstall only superseded patches/obsolete components strictly speaking.
You should really check this thread on MDL https://forums.mydigitallife.info/threads/19461-Windows-7-Hotfix-repository/page1084?p=1283885&viewfull=1#post1283885

Reply | Quote

Win7-8.1 updates are catalog-only apparently

Reply | Quote

“reinstalling Windows 7 on a single core processor laptop (I can’t remember why I needed to)”

I once used Windows 7 on a Dell Mini with an Atom CPU, 1st generation. But it was never as bas as you describe it. It is true that there were not 500+ patches for Windows 7 released at that time like it is now.

Reply | Quote

Is Office365 the same with ClickOnce, Click-to-run or they are different things? Sorry, I am not yet familiar with the newer Office concepts and Cloud related implementation.

Reply | Quote

I don’t know ClickOnce, but Click-to-Run is a whole new world.

https://technet.microsoft.com/en-us/mt465751?f=255&MSPPError=-2147217396

Reply | Quote

You may be right, I am looking primarily in WSUS 🙂

Reply | Quote

ClickOnce is probably the web technology which is used to deploy web applications which is proposed to be used also for Office
https://msdn.microsoft.com/en-us/library/bb772100.aspx
https://msdn.microsoft.com/en-us/library/bb608591%28v=vs.100%29.aspx
It seems not to be a product as such.

Reply | Quote

One of two computers I maintain came with Office Starter 2010 preinstalled. A few years ago it converted itself to Microsoft Office Click-to-Run 2010 and it shows up as a separate protected Q drive.

I don’t know what it all means but it works fine.

Reply | Quote

I have done a Win7 install on a Dell mini, as well as many others of all kinds: laptops, desktops, old ones, new ones, new hard drives. I used an SP1 disk. There are not more than about 250 updates required. That is high number because I’m pretty sure it is closer to 215.

It could well be that some updates are in reality a set of updates, but that is not visible.

My process is to do the install with WU set to never and offline. After the install is completed, I then manually install KB3020369 and KB3172605. Go online and start WU. Within 15 minutes I have about 220 proposed updates.

I then look at the Windows Updates offered that are not labeled Security. If the update was issued before 2015, I accept it. If the update was issued after 2014, I hide it. I am rejecting about 40 updates. Proceed to the update phase. Takes from 2 to 6 hours depending on the system.

I then proceed to start WU again and do this again and again till no others are offered. Then I do a defrag.

I then install MS Office and do all of the updates offered. Again, until no more are offered.

I strongly discourage the installation of Office 365, 2013 or 2016.

No software installs of any kind have been done at this point, other than MS office and possibly others that are stable and will not change – such as old software.

Then a defrag, SFC, chkdsk. Then a system image. I’ve done this process probably 50 times in the last year, and likely another 50 to 100 over the last several years. I have never had a problem.

Monthly WU practice is to reject all non-security Windows updates. period. No Skype. No Silverlight. Virtually no Optional updates accepted.

I never do things like break updates into groups. I never had a problem with a Win7 install.

Incidentally, if you use a Dell SP1 disk to re-install in any Dell computer that came with Win7, it self activates.

One of my common practices is to replace a hard drive in a 5 year old laptop with a 7200 rpm drive. Always results in an amazingly fast computer the client is delighted with.

CT

Reply | Quote

⛑Woody Mate!??
Don’t want to be alarmist but found this.

Windows update KB3177467 crashes windows 7 causing system to boot loop
AngeloTh
AngeloTh started on October 18, 2016
See post history

http://answers.microsoft.com/en-us/windows/forum/windows_7-update/windows-update-kb3177467-crashes-windows-7-causing/96e864a7-7559-47a5-9a1f-fb7ffbacab9d

Seems KB3177467 is uninstallable too?!
Way beyond me but might be worth a look by you & yours.
Thanks to Def Con 2 I haven’t downloaded it myself.
Hope it may help if there is an issue for your Windows 7 crew.

Baton down the hatches…
Cheers!
sainty????

Reply | Quote

@Canadian Tech: “I strongly discourage the installation of Office 365, 2013 or 2016.”

My intuitions are with you on this, but I’d appreciate your elaborating on why you make this recommendation. (I’m going to be trying out a Macbook soon, and my university offers Office 365 for free, but I’ve been inclined to go with the Home & Student version instead, which has served me well on Windows computers.)

Thanks.

Reply | Quote

Office 365 is a rental deal. You do not own 365. By default, it stores you stuff in the cloud.

2013 and 2016 have had lots of problems, particularly with MS messing them up with bad updates.

I have not met a single person who did not find Office 2000, 2003, 2007, or 2010 that did not meet all of their needs. I my opinion, 2010 is the best version that will ever be created. At least 1/2 my clients are using the 2003 version. Another 40% 2010.

CT

Reply | Quote

It doesn’t crash and doesn’t cause a boot loop
the reboot simply stuck if the update is installed with other pending updates

Normal users getting it from WU will not face this situation, because the update won’t be offered unless all other updates are installed

however, IT admins who manages WSUS or similar tools are not aware of the update natural, and they deply it together with other updates, causing the stuck issue

Reply | Quote

@Marty I think Canadian Tech has the perspective of minimising his own effort in supporting a relatively large number of non-technical users and as such advising in accordance with that activity. It is not a generic recommendation, just sharing a certain experience which is suitable for that purpose.
I cannot advise you in particular in relation to Office 365, but if you are to use Office 2013/2016, there are a number of documents published by Microsoft and Spybot Beacon has done the research for you about how to avoid telemetry if this is a concern. Most professional sysadmins that I know do not take seriously those concerns about telemetry which apply to Windows as well, but there is information about how to block that traffic if required. My interest in telemetry and any less known traffic is more of an issue of how not to have traffic blocked by other devices (firewalls, proxy servers) which can potentially generate time-outs and slow performance.

Reply | Quote

There are over 500 patches if you include the superseded patches. This is what svchost.exe takes in calculation to result in the about 215 patches as you mentioned. With Kb3125574 installed and after running Disk Cleanup, in fact the number of patches installed is reduced to about 80. This is not a recommendation to install KB3125574 though, as there are few issues still unresolved and difficult to control unless someone who decides to use that path really knows this stuff in depth.
KB3020369 has been superseded for more than 1 month and anyone who reads this and is interested in continuing to update Windows 7 should install KB3177467 instead. This is the 4th generation Servicing Stack update since SP1 and a Critical Update.

Reply | Quote

So, AngeloTh is a sysadmin who deploys a patch to over 100 computers without doing a test in advance. There must be a piece of software or a non-standard configuration which produces that behaviour which is not well understood by our sysadmin. The number of replies is exactly 1 and comes from a posted who does not address the issue raised by the OP.
And this means everyone reading this thread and site should be terrified to install an essential patch allowing to continue updating Windows successfully.
I have to admit that you started your post with “Don’t want to be alarmist but found this.” which is reasonable and this makes your post useful in fact 🙂

Reply | Quote

There is no Office 2010 Click-to-Run as far as I know. How did it convert by itself?

Reply | Quote

@ch100

W7sp1x64

Was never offered 3177467 by WU up to 11th October (and have now switched WU off).

Would like to keep all options open, so do you advise I download it from the Catalogue and simply install by itself ?

Thank you.

Reply | Quote

I actually deployed it back in September via WSUS to about 25 Windows 2008 R2 servers with all the other patches for that month without experiencing the issue. Only in the last few days I was made aware of those issues and this is very much like the issues created by the deployment of KB3020369 back in April 2015.
Certainly to avoid any potential problems, all servicing stack updates should be installed separately, in particular by those users who are not completely up to date with all patches because it is difficult to predict the possible interdependencies.

Reply | Quote

I am not advising to install anything that does not come on Windows Update. Not even KB3125574.
Anyone who installs in a different manner than what I have just said, does not need my advice as they can either manage the potential issues themselves or can take advice from someone else. 🙂

Reply | Quote

There are, it’s called Office 2010 Starter
and when updates are published, it’s mentioned in Office Team blog 🙂
https://blogs.technet.microsoft.com/office_sustained_engineering/2016/10/11/october-2016-office-update-release/

Reply | Quote

I am really telling you that for the vast majority of users, “updating” Office is an expensive and unproductive expenditure.

CT

Reply | Quote

ch100

My recollection of the switch is a little cloudy. I recall repeatedly getting a small pop-up message in the middle of my screen. I was quite skeptical that it was from Microsoft. After several days of checking around the Internet I was convinced that the message was legitimate. Here is a link to a Microsoft article that shows and discusses the pop-up:

https://support.microsoft.com/en-us/kb/3016799

Tired of continually getting this pop-up and convinced that it was from Microsoft I clicked the “OK” button. (I was not quite accurate before when I said “it converted itself.”)

Here is another link to a Microsoft article that discusses Microsoft Office 2010 Click-to-Run:

https://support.office.com/en-us/article/Office-2010-Click-to-Run-Introduction-c6205d37-b00d-4f99-91bb-c37a1d78b21b?ui=en-US&rs=en-US&ad=US

And here is a discussion thread that illustrates the confusion and concern caused by this pop-up message:

http://answers.microsoft.com/en-us/msoffice/forum/msoffice_install-mso_winother/why-is-click-to-run-message-suddenly-popping-up/6100db13-0cc3-4cb4-a9bc-d2928b28021d?tab=question&status=AllReplies&page=1

Reply | Quote

You see only home users who have no connection to a business environment, not even Small Business Server/Windows Essentials and have a limited perspective and as such it may be targeted advice to a specific audience but can not be considered covering all situations.
There are versions of Outlook not working with the latest Exchange versions. Some people use Skype for Business (Lync), not available in earlier versions. They may be home users working remotely from home via Active Sync and need later versions to connect to the workplace. Same applies for Office 365 and there are many more examples. This industry is very agile and when Microsoft is releasing Security Only patches, they are just wasting valuable resources only for a PR exercise. There should be no Security Only release of the updates because those patches are incomplete and sooner or later anyone who understands or cares will install the full patches.

Reply | Quote

I am quite sure you are entirely correct.

CT

Reply | Quote

Hmmm

I realize what I am about to say is a bit far fetched. But, in light of the gigantic uproar from Microsoft’s user base and the obvious complete indifference to it, perhaps the real reason for all of this nonsense lies in another direction. Clearly the powers that be do not want a well informed citizenry. Currently thanks to the PC, the internet and dare I say the likes of Microsoft, citizen access to underlying facts and figures was until very recently at such high levels that truly informed decisions were within reach of the average citizen. Since the start of this presidential election cycle that access has been curtailed significantly. Witness virtually all 4 major search engines now actively controlling and manipulating searches and the social media sites actively censoring comments at here to fore unimaginable levels.

Obviously as the number of users that refuse these “roll-ups” increases the damage done by hackers (many of whom have been now been identified as state sponsored) will eventually reach a point that many individual machines will be rendered essentially useless. What if the powers that be want to create an online environment that is so fraught with “danger” real or imagined, that people, begin to limit their time online or turn away from the internet all together? Seems to me what Microsoft is doing is a great way to make some variation on this theme happen. What is that old saw? just because your paranoid, doesn’t mean they are not out to get you……………

Reply | Quote

Naw. From MS’s perspective, they’re just trying to streamline their support of dying operating systems.

Reply | Quote

+1 🙂

Reply | Quote