Windows Updates after reboot – which do I need?

Topic

New Reply

Hi,

I’ve just rebooted my computer (Windows 7 SP1) and need some help please.

I was in Group B before the reboot and Windows Update has just given me 202 important updates and 12 optional updates, some of these date back to 2011.

Some of the updates relate to .NET Framework , Preview of Monthly Quality Rollup, Security Monthly Quality Rollup and these date back to January 2017. The Cumulative Security Update for IE11 dates back to September 2016.

I know I need the Security Only Quality Updates and the Cumulative Security Updates for IE11, and the .NET Framework, but how far do I go back to get the proper protection.

Any help would be very much appreciated.

Janie8

Reply | Quote

Replies

Check out https://www.askwoody.com/forums/topic/quickest-way-to-get-windows-7-sp1-fully-patched/#post-118011

Happy updating!

Non-techy Win 10 Pro and Linux Mint experimenter

1 user thanked author for this post.

Janie8

Reply | Quote

Do not install any UNCHECKED updates. That will include ALL of the optional updates, ESPECIALLY those labeled “Preview.”

Are the updates you reference in the “important” list and CHECKED? Or they in the “optional” list?
What did you change to suddenly get all those updates? Did you start hiding the “Monthly Rollups,” as has been discussed lately?

The recommendations will depend on your answers to the questions.

UPDATE: If you meant REINSTALL instead of reboot, see below for instructions.

2 users thanked author for this post.

walker, Janie8

Reply | Quote

I think where Janie8 said “reboot” he/she actually meant “reinstallation.”

2 users thanked author for this post.

walker, Janie8

Reply | Quote

@Janie8: You may be interested in recent topic New directions for Win 7 and 8.1 patching.

2 users thanked author for this post.

walker, Janie8

Reply | Quote

If @MrBrian is correct, and you did a REINSTALL, here are my recommendations:

The older methods for a Clean Install need to be modified in the light of recent findings.
Four Topics you might want to become familiar with before you start are:
https://askwoody.com/2017/new-directions-for-win-7-and-8-1-patching/
https://askwoody.com/forums/topic/group-b-win78-1-missing-updates-hiding-rollups-security-only-patches/
https://askwoody.com/forums/topic/group-a-win-7-and-8-1-might-be-missing-updates-if-dont-hide-unwanted-updates/
and
https://askwoody.com/forums/topic/what-issues-can-result-from-hiding-a-windows-update/

The following is MY recommendation – not gospel, just the way I would do a Group B clean install. Others may have a different method.

Some of the settings external to Windows Update and in Windows Update that I use are found here:
https://askwoody.com/forums/topic/new-directions-for-win-7-and-8-1-patching/#post-139072
Set them before you go online if they are available. Some will not be available until after updates are installed.

For a Clean Install what I use (for Group B) is:
BEFORE YOU START
Download KB3020369, KB3138612, KB3177467, and KB3172605 for your bitedness

OFFLINE:
1. Install Win7. Reboot.
2. If your installer does not include SP1, install SP1. Reboot.
3. Open Administrative Tools\Services. Highlight Win Update Service and at top left click “Stop”
4. Manually install the four downloaded patches in the order above. Reboot.
5. In Windows Update Change settings – CHECK “Give me recommended updates the same way I get important updates,” CHECK “Give me updates for other MS produces,” and set updates to “Never Check”

ONLINE:
1. Check for updates
2. If you don’t want the telemetry updates, HIDE the ones mentioned at the top of AKB2000003. You will have to keep watching for these every time before you install updates. Particularly KB2952664.
3. To be sure you get all the necessary updates: HIDE the current “Security Monthly Quality ROLLUP,” check for updates, HIDE the next earlier “Security Monthly Quality ROLLUP,” check for updates. Repeat this procedure until you have hidden the “October 2016 Monthly ROLLUP.”
4. Download and Install manually from AKB2000003, the Security Only Quality Updates from Oct 2016 to current and the latest Cumulative Update for IE11. Reboot wait 5 min. & check for updates.
5. HIDE any other updates you don’t want to install (drivers, anything that has caused a problem with your PC, features you don’t want, etc)
6. Install everything else that is CHECKED in the “important updates” list. Reboot. (I like to do this in batches. (“Updates for Win7,”) reboot wait 5 min. & check, (IE11, .NET 4.5.2 or 4.6.1 ONLY, any additional “Updates for Win7,” and in the optionals KB2670838 Platform Update), reboot wait 5 min. & check, (any “Update for User-Mode Driver Framework”, Update for Kernel-Mode Driver Framework,” “Update for ActiveX Killbits,” and the latest Cumulative Update for IE11), reboot wait 5 min. & check, (“Security Updates for Win7”), reboot wait 5 min. & check, (“Security Updates for MS .NET”), reboot wait 5 min. & check, (anything else that is CHECKED in the “important updates” list), reboot wait 5 min. & check.)
7. Repeat #5 and #6 until there is nothing left that is CHECKED in the “important updates” list.
8. HIDE any UNCHECKED important updates that you don’t intend to install in the future.
9. Reboot. Wait 30 minutes. Run Disk Cleanup, click “Cleanup System Files,” be sure Windows Update Cleanup is checked, click OK.

UPDATE UPDATE
For a clean install GROUP A:

Follow Group B instructions with these changes:
BEFORE YOU START – additional – Under “Change settings” be sure “Give me recommended the way I get important” is CHECKED.
Skip Step 4 – you do not need to download and install install the security only updates.
In Step 6 – you do not need to download and install the Cumulative Update for IE11
Add Step 7.5 – UNHIDE all the “Security Monthly Quality Updates for Win” and install any that is offered CHECKED in the important list, reboot wait 5 min. & check.)

EDIT to move the IE11 Cumulative Update install from Step 4 to Step 6 after the IE11 install. (You can’t update something that has not yet been installed 🙂  )
EDIT to add Group A

4 users thanked author for this post.

Microfix, Jim1878, walker, Janie8

Reply | Quote

PKCano,

I was hoping you might answer a few installation questions for me. First let me say that I appreciate your immense effort and contribution to this forum. It’s been invaluable to me in keeping Windows 7 alive.

I have done many Group B fresh installs/reinstalls of Win 7 Pro x64 since all this started with cumulative updates. I’ve went back and hid the cumulative (Group A) rollups and found all the missing security updates on all established machines that needed that once that process was better understood, so I am familiar with that. I’ve done several fresh installs lately using the four KB’s you list in your post above. The process I follow is to install the four KB’s in the correct order, then install all the security updates that came up in Windows update, then install the Security Only Quality Updates for Group B, then follow up, as you discuss, with everything else basically as you list it.

After I read and reread your post, though, and I apologize, but I am not clear on your process, despite how well you document it. So you check for updates, hide the telemetry updates, then do the process of going back and hiding all the Security Monthly Quality ROLLUPs, until nothing new is found. At the end of step 3 do you install what is found? It doesn’t say to do this. If not, then in step 4 you install all the Security Only Quality Updates, reboot, and check for updates, but nothing has been installed up to this point except those Security Only Quality Updates?

Here’s where I am confused. In my process I first install all the security updates and all non-telemetry updates up until the end of 2014 as per Canadian Tech’s approach. Then I do step 3 and install (or hide) what it found each step of the way. I have read all the monumental work you did in this thread: https://www.askwoody.com/forums/topic/group-b-win78-1-missing-updates-hiding-rollups-security-only-patches/ I found similar when I went through what you did. It seems like there was a lot more found when I did the regression before the Security Only Quality Updates were installed. As discussed elsewhere, it seems like some of these are not needed (even though the dates are way before) if the Security Only Quality Updates are installed. I was thinking I should install the Security Only Quality Updates and then do the regression.

So, I guess my questions are:

-As you start step 4, nothing has been installed from Windows update yet? Or do you install what has been found before starting step 3?
-The only time you mention Install is for the Security Only Quality Updates in step 4 and in step 6 when you mention ‘Install everything else that is CHECKED in the “important updates” list’, and so on. When do the slew of security updates first found, and the additional security updates found after the regression, get installed in this sequence?
-I realize maybe I am overthinking this, and perhaps your instructions are clear. Do you install the security Only Quality Updates as the first items installed (outside of the four KB’s installed offline earlier), and the long list of security updates first found by Windows update are what you refer to like three-fourths of the way down in step 6? The reason I didn’t even consider that is because it is ingrained in me to always install the Windows update security updates first. I just assumed what you meant there was any additional security updates that have been found.

Again, I am sorry I just can’t figure this out from your highly detailed instructions. I follow the process as I outlined it and have no issues, but I would like to fully understand how you do it, and perhaps adjust my process, if it differs, or at least try to understand why you do it the way you do. It seems what I do somewhat close now, except for the Canadian Tech variation that I do to not install non-security updates dated after the end of mainstream support.

Thanks once again for the tireless work and effort that you and the other MVP’s do around here. I’m fairly tech savvy, but without this crew and website/forum I’d be a bare bones Linux user by now…

Reply | Quote

Jim1878 wrote:

So you check for updates, hide the telemetry updates, then do the process of going back and hiding all the Security Monthly Quality ROLLUPs, until nothing new is found. At the end of step 3 do you install what is found?

You hide the Rollups back to Oct 2016. At this point, all the old patches should still be in the queue. You haven’t installed anything yet.

Jim1878 wrote:

If not, then in step 4 you install all the Security Only Quality Updates, reboot, and check for updates, but nothing has been installed up to this point except those Security Only Quality Updates?

That is correct. There is one correction. On a clean install, you have IE8 (if I remember right) as the browser. You cannot install the cumulative update for IE11 at this point, only the Security only patches (Oct 2016 – present).

In Step 6, I give the order I like to install the patches in (in parenthesis). The IE11 Cumulative, that you cannot install in Step 4, should be inserted in the group after the install of IE11 and reboot. (It follows you can’t install an update for something that is not installed.) What I do to install the batches is UNCHECK everything in the important list, then CHECK only those updates in one batch at a time. Notice I start with the “Updates for Windows” patches, not the “Security Update for Windows” – they come later.

The reason I install the Security only updates (Oct 2016 to current) first in step 4 is that they supersede some of the older updates and the number you have to install in Step 6 is thus reduced.

Understand, the method I use is still evolving. As we understand the Update process better, things change. And my method may not be the same as other people’s method. If you look back at earlier posts, you will find differences.

1 user thanked author for this post.

Jim1878

Reply | Quote

Thanks for the quick and detailed reply PKCano. That clarifies things quite a bit. Once I saw how many things were being superseded by the Security Only Quality Updates I had decided I wanted to do those first. Now your process makes perfect sense to me. And I was wondering about the IE11 update, but I didn’t throw that in because I thought my post might already be a TL;DR as it was… So, at least my question prompted a clarification in your post, and that’s a good thing.

Can I ask one more question? I am about to start another fresh install, and I want to modify my process. Right now it makes the most sense to follow something close to what you are doing since your logic, given today’s knowledge, seems very solid. You said: “Notice I start with the “Updates for Windows” patches, not the “Security Update for Windows” – they come later.” What is the reason not to do the security updates as the first batch in step 6? Is it because some of the other batches might cause some of the security updates to be unnecessary? I would think not, but my skill level is quite a bit less than yours, so maybe you could comment on this? I’m not sure why I have such a strong desire to get the security patches done as soon as possible, maybe because I always sense my vulnerability having a system hooked up to the Internet unpatched, with no antivirus/security suite…

Reply | Quote

“Updates for Windows” contain system updates. Examples: updates to the WU engine, servicing stack, etc. Some are prereq’s tor other system fixes. So I do them first. That is why you install the four patches offline at the beginning – these are fixes for the WU process that keep you from having a 24hour search time to find over 200 patches.

The “Security updates for Windows” are security patches for the system updates you install first. You can’t fix a security hole if the hole isn’t installed.

1 user thanked author for this post.

Jim1878

Reply | Quote

That clarifies it for me quite well. Thanks for all the help on this PKCano, it’s much appreciated.

Reply | Quote

Why is KB3020369 installed when KB3177467 supercedes it?

Edit to remove HTML from cut/paste

Reply | Quote

Thank you all for your replies and the links you provided.

Sorry, I did mean a reinstall or a clean install.

In reply to PKCano, thank you very much indeed for your instructions, you have clearly taken a great deal of trouble for which I am extremely grateful.

I have hidden all the rollups and previews, and I haven’t installed any of the “optional” list, only the ones that were checked. I didn’t install the 4 KBs as you suggested for bitedness before I started unfortunately, could I install them now?

As to all the updates, I started to hide the monthly rollups and when I went back to the update list, they were there. Each time I hid one others kept appearing, so I waited and hid the lot.

Thank you also for letting me know which Security Only Quality updates to install, I will install October 2016 first and continue onto October 2017, and the latest IE11 cumulative security update only.

Many thanks
Janie8

Reply | Quote

The four I mentioned to install first were to speed up the searching. They may have been installed already. Check the “View installed updates” list (bottom left of Windows Update) to see if they are already there. Otherwise, you can try to install them, particularly KB3177467 (servicing stack) which has to be installed by itself.

Hint: Click on the column title for the updates to sort them in alpha order (like in Excel)

2 users thanked author for this post.

walker, Janie8

Reply | Quote

I have KB3138612 installed but not KB 3020369, 3177467 or 3172605. I will install the other two and install 3177467 by itself.

.NET 4.5.2 the update is dated 13.01.2015, should I install this one or should I get the latest one?
.NET 4.6.1 is unchecked and dated 09.02.2016, should I install this one or should I get the latest one?

Thanks again.
Jane

Reply | Quote

You don’t need both .NET versions. If 4.6.1 is unchecked, leave it so. The latest version is .NET 4.7. There were some problems with Win 7 initially, but I think most have been ironed out.

So choose 4.5.2 or 4.7, depending which you need for the programs you run

1 user thanked author for this post.

Janie8

Reply | Quote

I will install the 4.5.2 as you suggest. Unfortunately, I have no idea what programmes need .NET to run.

Thanks
Jane

Reply | Quote

I run an original windows 7 sp1 x64 home premium. I have downloaded and installed (4). Nets since December 2016. The last time I downloaded and installed 4.7. Net on the 14 May 2017. Although, all (4) are listed the only one that is actively running is the latest version. I have had no trouble with it at all. The. NET’S apparently are the morter that holds the windows system together so it runs in harmony and as one. I just have not found an understandable defination for. Net, that is for Non-geeks.

 

Reply | Quote

What Is the Microsoft .NET Framework, and Why Is It Installed on My PC?

1 user thanked author for this post.

walker

Reply | Quote