Woody Leonhard's no-bull news, tips and help for Windows, Office and more… Please disable your ad blocker – our (polite!) ads help keep AskWoody going!
Home icon Home icon Home icon Email icon RSS icon
  • September 2017 Group B Security-only patches for Windows 7/8.1

    Posted on September 21st, 2017 at 07:29 PKCano Comment on the AskWoody Lounge

    UPDATE: The Group B Knowledge Base topic, AKB2000003, has been updated for September.

    NOTE: Be aware that there have been problems reported with the IE11 Cumulative Update. Please read the discussion here and the following replies before installing.

    NOTE: We are still on MS-DEFCON 2. It is advisable to WAIT until MS-DEFCON 3-5 before installing the patches.

  • New Windows 7/8.1 updating method coming

    Posted on May 17th, 2017 at 14:06 woody Comment on the AskWoody Lounge

    It’s almost time to move the MS-DEFCON level, but when I do, I want to get it right – and get your input.

    As you all know, I’ve recommended “Group A” – install all Rollup patches – to folks who don’t mind the added snooping. I’ve also recommended “Group B” to those who want the security updates only. I’ve acknowledged, but not recommended “Group W” for those who never patch.

    The world’s changed since last October.

    With Shadow Brokers guaranteeing that major Windows vulnerabilities are coming every month – I call it “Malware as a Service” – Group W is just plain dangerous. It’s not an option. Sorry.

    Group B, which is based on Microsoft’s commitment to deliver Security-only updates every month, has gone from relatively simple to very complex. Officially, Internet Explorer patches have been broken off from the main download. There’s all sorts of confusion about .NET patches — which are Security-only, which Rollups? We’ve seen security patches released outside the monthly Security-only stream. There have been bugs in Security-only patches that were fixed outside of the Security-only stream. There’s a host of problems documented in this Topic.

    Group B isn’t dead, but it’s no longer within the grasp of typical Windows customers. Many of you reading this post are fully capable of sticking with Group B. Most Windows customers are not.

    Starting this month, I’ll mention Group B in my InfoWorld posts and the MS-DEFCON posts here — but I won’t include details. Instead, I’ll refer you to the AskWoody KB article AKB 2000003, maintained by PKCano. We’ll modify that AKB article with generic installation instructions. The MS-DEFCON level will apply to Group B folks, too, but the instructions most people see won’t include the Group B details.

    Which leaves me with new adornments for Group A. Starting this month, I’m going to recommend that just about everybody move to Group A, and install the Monthly Rollups (waiting until we’ve had time to thoroughly vet the patches, of course).

    For those of you who are sensitive to the manifest (but still undefined) snooping included in Win7 and 8.1 updates, I’ll include instructions for reducing – but not eliminating – Microsoft’s “telemetry.” As a reader here, I’m looking for your input, but keep in mind that:

    • What you recommend can’t hurt anything other than telemetry.
    • Novice “For Dummies” level users have to be able to understand what’s involved, and how to do it.
    • I don’t want to recommend a third party app. Yes, I know there are apps that block telemetry.

    There are three approaches that have caught my eye:

    • A short list of KB numbers, listing patches that should be removed. @PKCano has an example in the AKB 200003 documentation.
    • A simple batch script, like the one @abbodi86 maintains. The problem is that some people will have a hard time figuring out how to run it.
    • A combination of directions, as @MrBrian has proposed.

    I realize that Microsoft has promised that it will release a completely cumulative update for Win7 — a Service Pack 3, if you will, available through Windows Update — at some point in the future. I don’t think we have the luxury of waiting for Microsoft to get its act together.

    I think, given the Shadow Brokers promise, that we need to come up with a solution now — and pick up the pace, shortening the length of time between the release of Monthly Rollups and a go-ahead, through the MS-DEFCON level, when it’s safe to install.

    Don’t get me wrong. Automatic Update is still for your Great Aunt Martha, who doesn’t want to follow along, and can’t be trusted to apply patches consistently. For those of you who can take your patches proactively, waiting a week or two is still the best way to go.

    What do you think? What would you recommend for Group A anti-snooping instructions?

  • Is the “Group B” approach of installing Security-only updates still viable?

    Posted on April 25th, 2017 at 07:34 woody Comment on the AskWoody Lounge

    As promised, I’d like to start a discussion about “Group B” and its future.

    As I see it, the “Group B” approach to installing Security-only patches is becoming unwieldy, both for Windows 7 and 8.1 users. @PKCano’s list in AKB 2000003 is getting downright oppressive. And the recent experience with Microsoft blocking Windows Update on Kaby Lake and Ryzen processors has me convinced that the line between Security-only and Monthly Rollup is growing fainter.

    If you can explain to me why a Security-only patch would block Windows Update, I’d surely like to understand.

    I’d like to open the topic up to discussion. I don’t want to debate the validity of Microsoft’s telemetry/snooping garbage, er, features. Some people think it’s OK. Others (like me) think Win7 customers didn’t sign up for this abuse, and shouldn’t be subjected to it. But that’s beside the point.

    I’m also not changing my stance on delaying patches. Even with this month’s Word 0day, I still think most Windows customers are better served by letting the other guys get the arrows in their backs.

    What I want to know is if there’s a real, valid, easy way for Win7 and 8.1 customers to install Monthly Rollups yet opt out of most of the snooping.

    So… what do you think? I know the topic’s controversial. I know Linux doesn’t snoop (at least, not as much). I know ChromeOS is worse and macOS’s snooping remains open to debate. Is there a way to stay with Windows and not become part of the Win10 borg?

    I’m not looking for heat, but light. As always, ad-hominem attacks won’t be tolerated. Stick to the facts, please….

    Also, note well – I’ve already been assimilated. I use Win10 all day, every day, and have for years.

  • Group B and Patch blocklists

    Posted on April 6th, 2017 at 10:16 woody Comment on the AskWoody Lounge

    Good question from L:

    I’m in Group B and I’d like to ask a question about something I’ve been confused about ever since you posted it about a year ago. Back on March 11, 2016, you posted an article titled “Bad Patch Lists”, and in that article, you said “In the future, only install security patches for Win7 and 8.1. Don’t install optional patches.” My question is this: what about patches that Microsoft lists as “important” (but are not described as security patches)? These “Important” patches don’t fit into either the “optional” category nor the “security” category. For the past year since you published that, I’ve been unchecking the boxes for those “important” ones, so as to err on the safe side and not install them. Every month there’s about 4 or 5 of them that I uncheck in this fashion, but I always scratch my head and wonder whether I should have installed them. And again this month, I don’t see them listed in the Step B5 of your article, which is titled “Step B5: Get rid of problematic updates”. So can you tell me, should I install those ones that are described by Microsoft as “important” (but not described as “security” nor as “optional”)?

    Recall that March 11, 2016 was before the patchocalypse – there was no Group A or Group B at that time.

    The best approach is to follow the exact instructions that I give every month. For example, at the end of March I posted these directions.

    In broad terms, I have folks in Group A – the ones who don’t mind the snooping – install Recommended updates; while I have those in Group B skip the Recommended updates.

    The most important part: If you see something that’s checked, don’t uncheck it unless the instructions specifically tell you to uncheck. If you see something that’s unchecked, don’t check it, unless there are specific instructions to the contrary.

    If you see an “Important” update that isn’t checked, don’t check it – regardless of whether you find reference to it somewhere in the documentation as security or optional.

  • Microsoft fixes problems with Win7/8.1 “Group B” security-only patching method

    Posted on December 7th, 2016 at 13:23 woody Comment on the AskWoody Lounge

    Yes, MS has acknowledged the problem with fixing security-only bugs in non-security monthly rollup patches. And, yes, they say they’re going to fix it.

    Big news. Tell your Win7 friends.

    InfoWorld Woody on Windows

    UPDATE: It pains me to say that my interpretation of Microsoft’s post may be overly optimistic. See the comments here for details. It’s possible that the fix will only be made to the supersedence chain – not to the underlying patches. Sigh.

  • Windows 7 security-only “Group B” patching remains viable

    Posted on November 29th, 2016 at 04:50 woody Comment on the AskWoody Lounge

    There’s been a lot of confusion on the topic of “Group B” patching – the security-patch-only path that I outlined in October. Group B doesn’t want any more snooping than absolutely necessary, and they don’t care about improvements like daylight saving time zone changes, but want to keep applying security patches.

    I did, do, and still recommend that Windows 7 customers who want to keep their systems secure but don’t want the fluff should follow the Group B approach. It’s a path that’s been outlined and endorsed by Microsoft. It’s a patch path that many corporate admins are using to keep their systems going as we limp along to Win7’s patching demise in 2020. I expect Microsoft to continue to support the Group B approach specifically because of their corporate client base – those who still pay for Windows by the month. There’s no altruism or nostalgia involved; it’s a simple business decision.

    We’ve seen some bumps along the way (primarily bugs in security patches that are only fixed by non-security patches) but so far the transgressions haven’t been problematic enough, in my opinion, to jump to Group A (accept all Win7 patches) or Group W (don’t ever patch Win7).

    I received an email from L, who says:

    I’m confused by your November 22nd posting “The Case for Not Updating Windows 7 Ever”, and am wondering if you could please answer some questions.  I read the posting and kind of skimmed through the 206 comments (don’t have time to read them in detail).   My main question is:  are you going to keep providing us Group B people with instructions on what to do?   I’d like to stay in Group B as long as you provide instructions for Group B.

    Yes, I’ll continue to provide detailed instructions for Group B, for as long as my fingers keep working, or Microsoft cuts off patches, whichever comes first.

    Also I have a question about your November 23rd comment  in which you say “still, I recommend Group B for anyone who can follow the download and installation instructions…”.   Are you talking about the instructions that you provide or the instructions that Microsoft provides?   I can probably follow both,  but the problem lies in being able to find the Microsoft instructions, or even be aware that Microsoft has issued instructions.   I rely on you for interpreting and alerting us to Microsoft instructions.

    I’m talking about instructions I provide here on this site (and in my InfoWorld column) that take you step-by-step through the process of downloading and installing Win7 and 8.1 Security-only patches. Watch the MS-DEFCON setting, which I’ve been updating for more than a decade.

    Also,  when you say that you still recommend Group B,  it seems to conflict with your November 22nd posting,  in which you seemed to say that us Group B users should give up the plan of being in Group B (unless I’m misinterpreting your Nov 22nd posting).   Could you please comment on that also?   Perhaps you were only referring to non-techie Group B users discussed by Poohsticks in his November 24th comment,  but I’m not sure whether I fall in that category or the more technically-proficient category.

    If you only want security patches for Win7 and 8.1, and you feel comfortable following my “For Dummies” style step-by-step instructions, you should stay in Group B (until something gets horribly messed up, anyway – and if that happens, I’ll let you know, loud and clear).

  • Is it possible Microsoft will install telemetry in a Security-only update?

    Posted on November 16th, 2016 at 05:28 woody Comment on the AskWoody Lounge

    Interesting question from MA:

    This is a question about the “Group B” approach to safely updating Windows 7.

    If I understand correctly, the Group B approach is to install the security-only patches from the Microsoft Update Catalog rather than from the (formerly) beloved Windows Update. Things like .net patches would still be installed via Windows Update.

    Is it possible for a security-only patch installed in this way (from the Microsoft Update Catalog) to be a patch for, say, a telemetry function that has so far been evaded by using the Group B approach?  If this can occur, then what happens to the attempted installation of such a security-only patch?  In particular, is it possible that finding no target, this patch can then cause the unwanted telemetry function to be installed?

    My answer:

    Is it possible? Sure. In the post-Get-Windows-10 era, anything’s possible.

    But I think it’s highly unlikely. Microsoft has promised thousands of corporate customers that it won’t play games with the Security-only updates. It’s hard to imagine shenanigans that would cause Microsoft’s credibility with the industry to fall even lower. This would be one of them.

    Far more likely at this point is that Microsoft will introduce bugs in Security-only updates, which are subsequently fixed exclusively in the Monthly rollups, the Group A patches, which contain both security and non-security elements (and, potentially, added telemetry).

    I’m looking at one reported case now. If anything solidifies (and I can wrap my head around it), I’ll be sure to yell real loud.