Woody Leonhard's no-bull news, tips and help for Windows, Office and more… Please disable your ad blocker – our (polite!) ads help keep AskWoody going!
Home icon Home icon Home icon Email icon RSS icon
  • Windows 7, 8.1 patches are up

    Posted on January 10th, 2017 at 13:05 woody Comment on the AskWoody Lounge

    OK, not exactly. Other than MSRT, there are no patches for 8.1, and only one small security patch (plus a Flash patch) for Win7.

    This month only we’re getting old-fashioned Security Bulletins (such as they are) plus the new Security Updates Guide.

    MS17-001 for Edge only – “important” (which means it isn’t really important)

    MS17-002 – Word 2016 and SharePoint Enterprise 2016 – critical

    MS17-003 – Flash Player but only on 8.1 and 10 – critical

    MS 17-004 – Only on Vista and Win7 – important

    Windows 7 

    January 10, 2017—KB3212642 (Security-only update)
    This update includes only security fixes. No new operating system features are being introduced in this update.

    January 10, 2017—KB3212646 (Monthly Rollup)
    Includes the Security-only update above, plus the non-security stuff in last month’s Dec. 13 Monthly Rollup.

    Windows 8.1

    “There are no security fixes or quality improvements for release on January 10, 2017. As such, there is no Security-only update nor Monthly Rollup release for this month.”

    That’s the lightest Patch Tuesday I’ve ever seen.

    Reminder: We’re still on MS-DEFCON 2. Wait to see what happens to everybody else.

    If that helped, take a second to support AskWoody on Patreon

    Home Forums Windows 7, 8.1 patches are up

    This topic contains 148 replies, has 2 voices, and was last updated by  woody 8 months, 4 weeks ago.

    • Author
    • #13484 Reply

      Da Boss

      OK, not exactly. Other than MSRT, there are no patches for 8.1, and only one small security patch (plus a Flash patch) for Win7. This month only we’re
      [See the full post at: Windows 7, 8.1 patches are up]

    • #13485 Reply

      Skip H

      Just updating WSUS Offline with version 10.9.

      It included KB3212646 (full rollup), dated 1-7-2017.

      This latest version of WSUS Offline has the option to download the “security only” updates, instead of the “quality rollups” updates.

      I’m re-installing a fresh copy of Win7x64 Pro for a customer, so will use the “quality” updates, as the customer will be on automatic update mode.

      When I do updates this way, the process of going from a fresh install of Windows 7×64 Pro to a fully patched (no extra MS software, like Office) system usually takes about 4 hours, never uses the Control Panel app of Windows Update until all patches have been installed by WSUS Offline, and is done with the system NOT hooked to the Internet until WSUS Offline is done installing the batch downloaded patches.

      Then running WU from Control Panel might find a few other “important” patches (and 70-80 “optional” ones), but does that in 5-10 minutes.

    • #13486 Reply


      Just the one security update for windows 7? When was the last time that happened? Have microsoft already given up on 7? I should be relieved there is only 1 update i suppose but i can’t shake the feeling it’s further corner cutting from them, i mean there have always always been at least an update for internet explorer but now there isn’t? My default reaction to whatever microsoft does these days is one of suspicion and not trust.

    • #13487 Reply


      “That’s the lightest Patch Tuesday I’ve ever seen.”

      Lol, no doubt some PHBs have slammed the brakes after the recent slew of college-dropout workmanship.

    • #13488 Reply

      Bill Ingram

      WOW! So far for Windows 8.1, only the ‘Critical’ Flash Player patch (IE 10 & 11; I use Firefox like you say, boss) & the ‘Important’ MSRT. I say “so far”; what’s to keep the ‘Softies from changing their hive mind & rolling something out before February’s Patch Tuesday?!

    • #13489 Reply


      I so far seen that I’ve got KB3212646 (Monthly Rollup) and KB890830 (Malicious Software Removal Tool) ready to install, but I don’t have the other update, KB3212642 (Security-only update) in there ready to install. In fact, I cannot see that update anywhere in my Win 7

    • #13490 Reply

      Ann in Keizer

      So the December updates for Windows 7/8.1 are still at Defcon 2, and the January updates are available. When December gets back to Defcon 3, can I just install those and uncheck the later ones?

      I’m not too worried because I don’t use Edge or IE, and I have Flash disabled in Chrome. Also, I don’t have MS Office. In fact, my PC is basically an Internet terminal. But I still want to keep it working and secure through 2020!

    • #13491 Reply

      Da Boss

      The situation will be much simpler. If you have Win7, there’s no Security-only update for January.

      When the MS-DEFCON goes to 3 (or even 4!), I’ll have full instructions.

    • #13492 Reply

      Da Boss

      The Security-only updates are only available from the Microsoft Update Catalog. Not to worry. Sit back, relax. When the time comes, I’ll have full instructions.

    • #13493 Reply

      Da Boss

      Highly unlikely – but it’s always possible, of course.

    • #13494 Reply

      Yuhong Bao

      MS17-004 is patching a denial of service attack on LSASS, which is probably not important for most home users. MS17-001 is a bit more important as it assigns data: URLs the proper origin in Edge.

    • #13495 Reply


      Do I take it we can consider Win8.1 a stable version now ? CBB perhaps 😉

    • #13496 Reply


      So after Microsoft’s long break, we have a holiday too in January.

    • #13497 Reply

      Da Boss


    • #13498 Reply


      Prepare for a shock patch for Windows 7 on March 14.

    • #13499 Reply

    • #13500 Reply


      Thanks for the heads up, I was wondering if WSUS Offline would ever update to pull ‘Security only’ instead of the rollups. Looks like I’ll start using that one again myself. Thanks!

    • #13501 Reply


      KB3212642 is the Jan security-only patch for Win7.

    • #13502 Reply


      Where have you been in the last few months? 🙂
      Windows 7 had been receiving one security update since October, sometimes one more update for .NET Framework

    • #13503 Reply


      December patches were at DEFCON 3 on Dec 29th.


      January patches are just now out – DO NOT INSTALL YET!!!!!

    • #13504 Reply


      Thank you Woody!

    • #13505 Reply


      KB3212642, according to Microsoft, is for Windows 7 32 bits. My machine runs Win 7 64 bits. Should I apply this update as well?

    • #13506 Reply


      No no, i’m not talking about the security only update that collects all of this months security patches into 1 update. I’m talking about the fact there is only 1 security patch for lsass and nothing else. Not even a security patch for internet explorer.

    • #13507 Reply


      So basically if you’re a home user on Win7, little reason to bother at all this month?
      Very very odd not to see at least an IE update. When did that last happen?

    • #13508 Reply

      Da Boss

      It’s all unprecedented, in my experience, at least since Patch Tuesdays started – what, 15 years ago?

    • #13509 Reply

      Da Boss


      There is not one good reason to install any of today’s updates. Wait to see if any problems crop up.

    • #13510 Reply


      It is called OCD in relation to Windows Update. There are few others of us affected 🙂

    • #13511 Reply


      Because IE11 has reached such a stage when there are no more (known) vulnerabilities.
      What is so unexpected?! 🙂

    • #13512 Reply


      Fyi, when I checked the Security Updates Guide/SUG about 2 weeks ago, there was no security updates displayed b4 Sep 2016. Today, when I check again, there was none for b4 Aug 2016 = M$ just added the Aug 2016 security updates to the SUG.
      WTH is happening.?
      Seems, most Win 7 security updates from b4 Oct 2016, can only be installed via Windows Updates, ie cannot be manually installed via M$ Update Catalog(except for the rollups from May 2016 onward, Servicing Stack updates, Windows Update Agent/Client updates, IE updates, etc). What if M$ Windows Update is not working properly or completely broken.?

    • #13513 Reply


      I see 🙂
      but the lack of security patches is for all, not just Windows 7

      it’s holidays, they did not feel urgent need to fix all security issues 😀

    • #13514 Reply


      I was worried about only seeing the monthly rollup and the MSRT this month… glad that’s all I should be seeing. And as you said, Woody, this is the lightest Patch Tuesday I’ve ever seen since I actually started paying attention to these things.

    • #13515 Reply


      After installing KB3212646 the sign-in button appeared after every reboot, eventhough I have no password on my system. And I had problems with other programms like Google Chrome. I deleted the update and everything is fine again. So I’m going to wait a while now.

    • #13516 Reply


      Windows 7 & 8.1 users:

      For those who do not visit here regularly,
      December 2016 patches for Win 7 & 8.1 are safe to install for respective Groups A and B.

      All January 2017 patches for Win 7 & 8.1 are on HOLD..wait until the go-ahead is given via DEF-CON indicator.

      Jeez it’s that simple!

    • #13517 Reply

      Sam H

      The Windows Update Catalog provides different versions of KB3212642 for 32-bit and 64-bit versions of Windows 7. The 32-bit version is 3.5 MB in size, while the 64-bit version is 6.2 MB. Make sure you see the “for x64-based Systems” in the catalog title.

    • #13518 Reply

      Da Boss


      A quick trip through the CVE list should prove enlightening…

    • #13519 Reply


      All updates “b4 Oct 2016” can still be obtained from MU catalog or MS Download center

    • #13520 Reply

      Jonathan Seymour

      The Security Monthly Quality Update for Windows 7 (KB3212646) (both x86 and X64) has been revised with today’s date (11th Jan 2017). Apparently the list of updates it replaces has been amended.

      One odd thing with this update; anyone else experiencing extreme slowness in IE11 when viewing the KB article for this update (https://support.microsoft.com/en-us/kb/3212646)? It works fine in Chrome, but on PCs with and without KB3122646 installed, that KB causes the IE11 tab showing it to run VERY slowly. Other KB articles work fine!

    • #13521 Reply


      I can remember one other month without an IE rollup, three or four years ago, I think.

      The Security Bulletins may be skimpy, but my WSUS is absolutely slammed. I’ve had about a thousand new patches in the last two weeks. Mostly language packs and other trash for FeatureOnDemand.

    • #13522 Reply


      Hmm does here to but it is a “humoungus” web page that gives Firefox & IE11 a bit of a hard time as well as a script error on Firefox. Also a “nag Msg” about Edge on Firefox again, not my favourite right now after its little snooping activities got revealed to me yesterday. Then again it really isnt my favourite as its just not ready for the “big time” yet.

    • #13523 Reply


      Confirm that the updates for Word 2016 and Windows 7/2008R2 were all revised. Also a patch which belongs to the Office 2016 suite for Sharepoint Enterprise 2016 was revised too.

    • #13524 Reply


      Also lots of expired older updates for Windows 7 which were probably due to be expired for a while, to alleviate the supersedence issue.
      KB3150513 for Windows 10 1511 is expired too.
      Remember this patch which updates definitions for KB2952664 on Windows 7.
      The functionality of KB2952664 for Windows 7 is built-in Windows 10.

    • #13525 Reply


      Too much files/info listed in the article
      it’s slow for me on all Browsers
      the list of files should had been gathered as downloadable .csv, as always
      but it seems the article is filled by some intern MS employee 😀

    • #13526 Reply

      Da Boss

      But only the metadata, yes?

      The patches themselves are all the same. I hope.

    • #13527 Reply


      InfoWorld.com used to have slow browsing for the same reason. It seems to be better now, or maybe Firefox got better at handling that sort of design. 🙂

    • #13528 Reply


      Do you synchronise Language Packs in WSUS?
      No wonder the WSUS gets slammed 🙂

    • #13529 Reply


      It looks like it is so. The supersedence list has changed and for the Word 2016 patch there seems to be a new title, or at least this is what MS says. The supersedence list update should probably be seen in the context of expiring tens of older patches.
      They are not re-offered, but for people who follow your MS-DEFCON advice, few revisions next day after release should not matter, right? 🙂

    • #13530 Reply

      Da Boss


    • #13531 Reply


      Great advice. Perhaps in future you could make a point of offering this unambiguous advice in the text of your article, rather than in the comments?

    • #13532 Reply

      Da Boss

      The banner at the top of this site – all pages – says the same thing, quite unambiguously.

    • #13533 Reply


      Hi I have these updates in my WU:
      • Dec 2016 Security and Quality Rollup for .NET Framework 3.5.1, 4.5.2, 4.6, 4.6.1, 4.62.
      • 30 individual Security Update for MS .NET Framework 3.5.1 from 2011 – 2016 are those included in the Dec rollup noted above?
      • Dec 2016 Security Monthly Quality Rollup for Win7
      • Security Update for MS XML Core…SP2 KB954430 ???
      • 11 Security updates for Win7 from 2014 – 2015
      • Update for Win 7 KB971033
      • Win7 SP1 KB976932
      • Windows Malicious SW removal tool

      I received advice (from another forum) to install .NET framework/security updates (not Dec quality rollup) but still have these questions and am just looking for more feedback/input. I appreciate everyone’s help/input.

      • I checked KB971033 but I don’t know if I should install it or not.
      • KB976932 is Windows 7 Service Pack 1, which I already have. I don’t know why it is coming up, unless it’s different than what is on my computer. Publish date is 2/12/15. Should I install it?
      • I assume I can click all updates to install at the same time? Or is there a sequence I should follow? I will choose the ones I want & hide the rest.

      I’m apprehensive about WU now, with good reason! I used to be a happy group A person 🙂 Now, I’m questioning everything. I have restore point set up and data backup, just in case. I have to patch for security updates, I think it’s imp, but it’s uncomfortable to think that may cause damage.

    • #13534 Reply

      Joe C.

      On Win 7 SP1

      In addition to KB3212646 in the January release in WU I got an update for Word Viewer KB3141490.
      (And the new WMSRT of course.)

    • #13535 Reply


      If the new window updates are cumulative why did:

      • KB2952664 : Compatibility update for keeping Windows up-to-date in Windows 7

      • KB3172605 : July-2016-update-rollup-for-windows-7-sp1-and-windows-server-2008-r2-sp1

      • KB3179573 : August-2016-update-rollup-for-windows-7-sp1-and-windows-server-2008-r2-sp1

      Show up as optional updates after I manually installed update (KB3212646 : January 2017 Security Monthly Quality Rollup for Windows 7 SP1 and Windows Server 2008 R2 SP1)

      Also wuaueng.dll stayed at 7.6.7601.19161 instead of the newer version 7.6.7601.23453. Should I install the optional updates? One thing to note is that the last time updates were pushed to this computer was Aug 2nd, 2016.

    • #13536 Reply


      Woody, as the usual advice, is it MSRT, aside from the small snooping, clear to apply right now?

      Also it’s description states that it will run once after being download but I never noticed it running before… Does it somehow run silently on the background or it should pop some screen or prompt?

    • #13537 Reply

      Da Boss

      Usually MSRT runs quietly. Yes, I still think it’s worthwhile running the program – even though I must admit that it’s never caught anything on my machines.

    • #13538 Reply


      They are not fully cumulative yet
      for now, they only include all fixes from September 20, 2016 onwards

      in February or March, they will start adding previous fixes before September 2016

      the Monthly Quality Rollup is expected to be fully cumulative in several months, maybe September 2017 🙂

    • #13539 Reply

      Terry Pickleson

      Woody do you think the small amount of patches for this month were because of the holidays? I mean I don’t know how long in advance Microsoft prepares the patches. Also when will you update the DEF-CON status? I recently did a clean install of 8.1 on my laptop and am wondering when it’s safe to update.

    • #13540 Reply


      Today I saw that I can install an update for Bitsdefender KB915597 (definiotion
      Once it is installed, it can not be removed, say the information
      I am group B and install only security updates. What to do with this update?

    • #13541 Reply

      Da Boss

      That’s a Windows Defender update. I’ve seen some reports of problems, but you should be OK.

    • #13542 Reply

      Da Boss

      Yep, it’s undoubtedly because of the holidays.

      Hold off until the middle of next week. There’s nothing pressing this month anyway.

    • #13543 Reply

      Terry Pickleson

      Okay. Thank you. Although I did install the July 2016 Rollup to speed up the update scans. But it’s still taking forever to find anything.

    • #13544 Reply

      Terry Pickleson

      So will both bug fixes and security fixes be fully cumulative then? Will old patches for the .NET Frameworks also be added to the .NET Framework rollups? Also are Office updates cumulative? I don’t use MS Office, but I am curious.

    • #13545 Reply


      I think Terry is asking for advice in relation to a NEW installation.
      I would say install everything, i.e. Important and Recommended (and Optional would be a good choice, but that is up to your preference) until December 2016 or November 2016.
      Avoid January 2017 if you wish, until Woody says it is safe. To save time, you could install January 2017 too and uninstall if anything major comes up.

    • #13546 Reply


      Do you still have Office 2003 installed?
      KB3141490 is an update for Office 2003 and there seems to be one of those each month until about September 2017.

    • #13547 Reply


      I am expecting that at that time we will see the true SP2 named Update 1 or whatever, something similar to KB2919355 or if not, at least similar to KB3000850 (which would not be SP2).

    • #13548 Reply

      Terry Pickleson

      One more question. Do you think it’s plausible that Flash Player will be patched out of Windows 8.1 & 10 at some point? I mean with HTML 5 becoming the de facto standard and Flash just being a security hazard all around wouldn’t it make sense to patch it out? Or would it not be possible to patch it out?

    • #13549 Reply

      Terry Pickleson

      Thank you ch100. I’ll update then but avoid the flash update until Woody gives the okay.

    • #13550 Reply


      First rule – do NOT install ANYTHING with a Jan 2017 date yet. WAIT until the DEFCON number goes up to 3 or above.

      Second rule – do NOT check anything that is not already checked. This includes the older (2014-2015) updates that are probably in the OPTIONAL list. In fact, it is a good rule not to install anything under OPTIONAL because they are unchecked to begin with – especially if it has Preview in the name.

      Third rule – The updates with a December date were approved for installation on 12/29/16 here
      If you are in Group A (accept all MS has to offer), you install the December Security Monthly Quality ROLLUP KB3197869.
      If you are in group B (Security only patches) you need to download the Dec Security Only Quality UPDATE from the MS Update Catalog and install it manually.
      The links to the security patches are in the link above.

      Fourth Rule – those updates NOT CHECKED do not get installed. If you have installed the Security only update, when you run Windows Update, you UNCHECK the Monthly Rollup and install everything else that is ALREADY CHECKED dated before 2017 (Jan updates have not been approved yet). If the Monthly Rollup is not checked, it won’t get installed. DO NOT check anything that is not already checked.

      In general, the .NET, Office, Flash Player, IE, etc patches are OK to install – BUT NOT ON THE DAY THEY ARE RELEASED. MS releases patches on the second Tuesday – they may or may not be good. Wait until Woody sets DEFCON to 3 or above, indicating the patches won’t cause trouble, then install. Then go back to waiting.

      To see if you have SP1, click on the Start button, on the right RIGHT CLICK on Computer/My Computer and choose Properties. It will be at the top of the page.

    • #13551 Reply


      If you have the Viewer installed, you get updates for Office 2003. It is like a runtime version that lets you see the documents.

    • #13552 Reply


      Yes, the Monthly Quality Rollup will be cumulative
      .NET 4.x.x rollups are already cumulative
      .NET 3.5.1 rollups will follow the MQR rules and become cumulative eventually

      Offices updates are cumulative for each product/component they patch
      but they are not rolled-up, so we will still have a lot of updates

    • #13553 Reply

      Da Boss


    • #13554 Reply


      I think Flash support will be discontinued at the time Adobe will discontinue it and it is not much time left until then.

    • #13555 Reply

      Terry Pickleson

      I see.

    • #13556 Reply


      And of it did caught something, how are we supposed ro know? Would it pop something up or it would only show inside some log contained on that oddly named folders, which seems random, created by MSRT?

      Also is there a way I can verify that it is running at the moment or had been run recently?

    • #13557 Reply


      Thank you. I have some technical ability – but not enough to figure this out on my own. I am being overly-cautious bc I had problems with my new Dell for over a year. FINALLY got Dell to send me a replacement machine and now that my hardware issue is resolved, I am dealing with this WU issue!!! I just need it to work! Am afraid it’ll get broken again with a bad update (and of course snooping issue) – hence, my caution & concern:
      First rule – OK
      Second rule – OK
      Third rule – OK
      Fourth Rule – OK

      To see if you have SP1, click on the Start button, on the right RIGHT CLICK on Computer/My Computer and choose Properties. It will be at the top of the page. – I HAVE SP1. I DON’T KNOW WHY SP1 IS IN UPDATE LIST. I WAS GOING TO HIDE IT SO IT DOESN’T INSTALL???


      SECURITY UPDATE XML CORE SP2 KB954430 & KB9736788 – install?
      Activation services update KB971033 – install?

      And this one just came up – I don’t know if I should install it?
      Security & Quality, Nov 2016 Security Monthly Quality Rollup – KB3197868

    • #13558 Reply

      Da Boss

      If you see rollups in your Windows Update list, you have SP1. Don’t worry about it.

      You’re likely “Group A” – so just follow my advice (Check for updates set to “Never,” and “Give me Recommended Updates” checked), then run Windows Update. DON’T TOUCH ANYTHING – don’t check any boxes, don’t uncheck any boxes. Go ahead and install.

      Then wait until the MS-DEFCON level changes before installing the next month’s patches.

    • #13559 Reply


      ok. I am a Group B ‘wanna be’ 😉 But I get very confused due to my lack of technical expertise, which makes me Group A.

      I will do as you suggest, except question on SP1 update – leave it or hide it?

    • #13560 Reply


      I suspect the Dell replacement is recent if all those old updates are checked in the important list. So:

      For Group A (accept all MS offers)
      HIDE the Jan Security Monthly Quality ROLLUP. Install everything that is checked under the important list. When the computer reboots, wait 10 minutes, search for updates and install everything that is checked. Repeat this until there no more updates available.
      It the search takes over half an hour at any point, you will need to download two updates and manually install them, one at a time to fix it (be sure you get the one that says x64 if 64-bit is what you have):
      When there are no more updates, unhide Jan ROLLUP KB3212646 – but DO NOT INSTALL IT YET. Wait for DEFCON to change to 3 or above.

      For Group B
      If searching for updates is slow, download the two patches above and manually install them. Be sure it says x64 if you have 64-bit.

      HIDE KB2952664, 3021917, 3068708, and 3080149 any time they show up in Windows Update – these contain telemetry.
      You will need to install all the other CHECKED patches in the important list EXCEPT EXCEPT EXCEPT the Security Monthly Quality ROLLUPS from Nov & Dec 2016 and Jan 2017 if you are in Group B.
      Do NOT make it a habit to HIDE the ROLLUPS, but to get caught up do this: HIDE the Jan 2017 ROLLUP, search for updates again (the Dec 2016 ROLLUP will show up), HIDE the Dec ROLLUP, search for updates again (the Nov 2016 ROLLUP will show up), HIDE the Nov 2016 ROLLUP, search for updates again (the Oct 2016 ROLLUP will show up). Now, install all the CHECKED updates under the important list. After the computer reboots, wait 10 minutes, then repeat the search/install/wait 10 min until there are no more patches.
      Now you need the Security Only Quality UPDATE for Nov & Dec 2016.
      Download KB3197867 (Nov) and KB3205394 (Dec) and manually install them. (Type the number in the MS Catalog search box)
      Do another Win Update search/install/wait until there are no more updates.
      Unhide the Security Monthly Quality ROLLUPS (leave the other four hidden). The Jan ROLLUP should be the only one that appears – DO NOT INSTALL IT.

      That should be it.

    • #13561 Reply

      Da Boss

      Follow PKCano’s advice….

    • #13562 Reply

      Da Boss

      Try looking in your Update History.

    • #13563 Reply


      ok thank you!

    • #13564 Reply

      Perry Andrew

      Subsequent to installing KB3212646 for Windows 7-32 bit, I no longer get bubble saying “safe to remove hardware” when I use the disconnect feature located in the system tray. Although USB connected devices no longer appear in “Devices with Removable Storage,” there’s no way of knowing whether it’s truly safe to disconnect. The only way I can get the bubble to appear is by locating the connected device and ejecting it by right clicking in the context menu. I’ve tried rolling back my system to October 2016 (it works fine there) using a recovery disk, but I get the same problem after installing January, 2017 Security Monthly Quality Rollup KB3212646. Does anyone else notice this problem?

    • #13565 Reply


      This is the current Windows 10 behaviour.
      The only way to know if it is safe to disconnect USB storage is to check Windows Explorer or Device Manager for the device to disappear.
      If it is not safe to disconnect, then Windows would warn you, but it may take a while, so waiting for that warning may not be the most reliable method.

    • #13566 Reply


      No issue here

      KB3212646 actually do not have any new fixes related to USB or devices

    • #13567 Reply


      KB971033 – that one is a weird patch. It can cause Windows Activation issues for little reason. I would say avoid it unless it is specifically requested by one of the Microsoft sites. This is the only Important patch which can be avoided safely.
      KB976932 being re-offered is only cosmetic. It will install in fact a superseded patch KB2533552, which is better to accept to avoid as I said cosmetic issues. Functionally it does not matter if you install later patches like KB3020369 superseding it, but without it and until you install the later patches, Microsoft says it can cause blue-screens. Install KB976932 when offered.

      The best sequence to follow is to install manually first:

      After that use Windows Update as usual. At least until you get close to being fully patched, use the configuration of Windows Update to Never check for updates and check manually.
      Install about 25 updates at a time, start with all Important non-security (less KB971033), follow with all Security and in the end follow with all Recommended and Optional until there is nothing left.

    • #13568 Reply


      What is the meaning of
      “Offices updates are cumulative for each product/component they patch
      but they are not rolled-up, so we will still have a lot of updates”

      The Office updates come as msp files with new functionality added to the previous one. What does it mean they are cumulative but not rolled up?
      I would be very interested if there was a method to reduce the number of Office updates, like there is one for Windows Update when running Disk Cleanup.
      The Installer folder tends to keep all those copies for uninstall purpose, which again tends to become huge after a while, even for newer products like Office 2016.

    • #13569 Reply


      Didn’t i explained it before? 😀

      cumulative = latest msp supersede all previous patches for the same component defined by file name

      not rolled up = each component has its own msp, and it’s released separately
      only very few Hotfixes contained multiple msp files

      there are no automatic or intended way to clean Windows Installer PatchCache

      however, there are some reliable ways to clean older patches, manually or through a .vbs script
      i wrote a detailed post about it at MDL, but unfortunately it was lost in a hack delete 3 months ago (along with a lot of irreplaceable content)

      this link is close enough to mine
      i recommend the second one
      note that the WiMsps VBScript lists the used patches to keep, so you need to delete the non-listed files
      do not use the old Microsoft Utility

      there are one more truly manual way which works specifically for Office patches
      but it’s not easy to explain 🙂

    • #13570 Reply


      @ ch100 ……. Fyi, Perry Andrew was referring to “installing KB3212646 for Win 7” n not for Win 10.

    • #13571 Reply

      Perry Andrew

      I’ll just use “eject” from the windows explorer context menu. The “safe to remove hardware” balloon appears through this mode only. I’ll miss safely removing hardware via my system-tray though.

    • #13572 Reply


      Thanks 🙂
      Apologies if you explained it to me before, but I don’t remember and this is too interesting to me to have forgotten. 😀
      It is very likely that it was explained only on MDL before and unfortunately lost.
      The manual way which certainly works is to uninstall all patches until getting to RTM and run WU fresh. Or uninstall Office and reinstall followed by WU. None of those 2 methods are very professional I am afraid.
      I was under the impression that you were referring to products (not suite) like Word, Excel etc when saying about cumulative updates, but I understand now that it is about the component level and each product is made of many such components.
      Thanks again 🙂

    • #13573 Reply


      Thanks. This is interesting to know, so the baloon appears in Explorer, but not in the tray.
      My reference was about the tray behaviour, as I was not even aware of the Explorer functionality.
      I don’t see the Eject command in Windows 10 for anything other than CD/DVD. There may be a way to enable it though.

    • #13574 Reply

      Terry Pickleson

      One thing I’ve been wondering is the reasoning behind the whole “Don’t install anything that’s not checked off by default” philosophy. I mean is there any reason for that? Is it because the optional patches might break something? But don’t all updates carry that risk? I get the the telemetry and preview rollups, but why not hide those and install everything else?

    • #13575 Reply

      Da Boss

      If Microsoft doesn’t have enough confidence in a patch to mark it as “recommended,” I figure customers shouldn’t have to deal with its failures.

      MS has a long history of rolling out perfectly useless (or downright destructive) “optional” updates.

    • #13576 Reply


      I don’t, and have no control over what I filter. My “company” upstream does that for me, poorly.

    • #13577 Reply


      No need for apology 🙂
      i actually posted it here

      the linked list gives a more clear perspective of what i mean 🙂
      each .msp filename represent a component, all updates for this component are cumulative
      and some of these components represent a whole product/program, as noted in second column (i.e. Excel, Access, Word)

    • #13578 Reply


      As for the manual cleanup way, my way does not require any uninstall/reinstall 🙂
      it’s simply based on WICleanup method, but instead you do the verfication yourself and delete orphaned .msp files

      – go to C:WindowsInstaller
      – change view mode to Details (already default in W8 +)
      – right-click on the above properties bar, and enable “Title”
      – sort the files by Title
      – you can now see that certain .msp files have similar titles, with different patch version
      – for each of these similar .msp files, delete the older files with lower version, keeping only the highest one

      i know the explanation is not very clear without images, but i’m bad at that
      this method never failed me or caused any updating problems 🙂

    • #13579 Reply

      Perry Andrew

      The eject feature — through right-clicking in the explorer context menu — will not work if your USB device is an external hard drive with multiple partitions (there’s no eject feature available). In that case, I’m forced to use the system tray “safely remove hardware” feature. Again, there’s no balloon notification that it is indeed safe to remove. I’m sure this is a consequence of installing the Jan 2017 Sec. MQR KB3212646 for Windows 7. I’ve also tried to use the eject feature in control panel “Devices and Printers.” There’s no balloon-tip pop-up in the system tray indicating a safe hardware removal. As I mentioned previously, if I recover my OS from my December backup (I use Acronis True Image – has never failed me), the issue is resolved.

    • #13580 Reply

      Perry Andrew

      Thanks for the info. Yes, I have another PC using Windows 10, and the notifications are different in system-tray ejected devices. Unfortunately, this is a direct consequence of installing KB3212646 for Windows 7. Without going into detail, it’s likely that this update altered a registry key in HKEY_CURRENT_USER >> Software >> Microsoft >> Windows >> Current Version >> Explorer >> Advanced >> EnableBalloonTips. It’s not a simple fix.

    • #13581 Reply


      What I said is that Microsoft may intend to align Windows 7 with Windows 10 from that point of view.
      Most users including systems administrators are careless when it comes to ejecting USB devices and just pull them out. So I think Microsoft just changed the behaviour of the notification to be more aligned with the behaviour of the majority of users. I agree that this is annoying for those of us who care about the integrity of our data and devices and would take an extra click to eject safely.

    • #13582 Reply


      I think I know what you meant. They are not the Language Packs as such, but what comes in FeatureOnDemand on WSUS, I have recently looked through those options in WSUS for Win 10 and Win 2016. They should rather be part of the build, because those options tend to change when a new build is released and few weeks after if there are any fixes or additions, like the PanEuropean fonts.
      If you don’t have control… well, you just don’t. It is probably a practical way for the WSUS admins to push whatever they consider required, without considering the consequences for the users who receive the updates.

    • #13583 Reply


      I understand your explanation about sorting by Title and removing older versions.
      I tried to use Patch Cleaner instead of WICleanup which seems to be old.
      I will find out if it broke anything, no big deal, just reinstalling Office and repatching.
      The manual method allows certainly more control and it is likely to be safer.

    • #13584 Reply

      Toa Of Justice

      KB3212646 slowed down startup programs for me. After I uninstalled KB3212646, my startup programs went back to normal.

    • #13585 Reply


      Thank you. You say the best sequence is to install the 3 updates manually first. I have KB3020369 & KB3172605. You also said to install KB976932, which will install KB2533552.

      Do I install KB2533552 manually first, then KB976932 or just do KB976932 since I have the other 2? Doesn’t KB976932 install KB2533552?

    • #13586 Reply


      In addition to what Woody explained, sometimes unticked updates are just throttled at the Microsoft servers and after a while they will come back as ticked. Sometimes the WindowsUpdate.log would offer the reason, but it is in cryptic language and not everyone understands that 🙂
      Office Updates released on first Tuesday of the month usually come unticked on Windows 7 but install on Windows 10. That one is a combination of throttling with the known Preview intended behaviour.
      There is no single rule, but as it is generally adviced, if Microsoft pushes them as unticked, they generally don’t have such a priority to be installed that the user should override Microsoft’s intention, unless having a very clear reason.

    • #13587 Reply


      KB976932 itself is SP1.
      But more recent distributions packed KB2533552 as secondary package together with SP1 as mandatory fix.
      Install the three manual patches first and do not worry about KB976932 again because you will not see it again as required (if you already had Service Pack 1 installed).

    • #13588 Reply


      If you already have KB3020369, you will not be able to install KB2533552 manually, allow whatever comes on Windows Update, in your case KB976932.

    • #13589 Reply

      Terry Pickleson

      I see.

    • #13590 Reply


      ok thanks

    • #13591 Reply


      @Donna T.
      There has been a new development in Windows Update for the last 2 days. You may be able to install without following a particular order, but I would still advise to install those 3 updates or at least KB3020369 & KB3172605 until we have full confirmation. It is not harmful under any circumstances to install those updates first, only potentially inconvenient due to having to download and install manually.
      Details here:

    • #13592 Reply


      you should install KB3212642 not KB3212646 !!!

    • #13593 Reply


      I have the two update you mention above.
      I do not have KB2533552 – which you said I won’t be able to install manually because I have KB3023069 I also have SP1.
      I was going to install what is in WU list – which I noted in a post on January 12 at 11:31 AM. I hope that’ll be OK
      Really appreciate everyone’s help with this !

    • #13594 Reply

      Toa Of Justice

      That worked for me. Thank you.

    • #13595 Reply

      Bill C.

      I just found an interesting development on a former work colleague’s Win7-64 SP1 Home laptop after the update session for the January patches (Group A).

      She turns WU to “Never” right before patch Tuesday, and then waits for a the go ahead from an IT person at work as she was hit with the Intel BT glitch a few months ago and he helped her out and recommended she wait a few days for the updates. She had just gotten the go ahead to update and executed a manual WU scan and installed the January rollup and MSRT. Normally after the patching she returns the laptop to notify, but do not download/with give recommended updates unchecked.

      When she checked the Update History, it showed a sting of failed MSE updates, but the applet itself never showed a failed update. I told her to ask her friend first, but he was not familiar with MSE.

      I told her to leave the WU on never and uninstall MSE and reboot. I sent the URL to download the most recent version of MSE. She ran and installed it and I walked her though the settings and said wait a few hours and then run a quick MSE scan to see if it updated the definitions before the scan, and it updated successfully. Later in the day after getting the go ahead from her friend to set it back to notify only with recommended updates unchecked, she checked the Update History and found it had done an automatic definitions update successfully.

      What was interesting was that she said the WU system was no longer on Never, but was set to full automatic for updates with recommended updates still unchecked. I asked if it was possible she did not say OK and backed out without confirming and she said no. I asked her what version of IE she had and she said that too was set to allow auto updating.

      I installed the January rollup on the old laptop I was ‘gifted’ (now a Group A canary in the coal mine) and then checked IE and it too was set to update itself. I did not do an MSE uninstall/reinstall. Unfortunately, I had never checked the IE checkbox after the prior rollups.

      Has anyone heard of the January Rollup (or earlier) or the new MSE new installs resetting WU or IE update settings?

      Stay vigilant!

    • #13596 Reply


      @ Bill C ……. Installing MSE or some other M$ software will reset Windows Update setting to automatic. This is “normal”.

    • #13597 Reply


      Reply above is DonnaT. don’t know why it says “Anonymous”.

    • #13598 Reply

      Bill C.

      I understand some MS software did change WU if you asked for updates.

      However, I have reinstalled MSE at least 3 times on each of my Win7 machines and never had it change WU settings. Of these installations, only 2 were installs of the most current version. Even those installed on 2 different machines left the WU settings alone.

      I know because I religiously check WU settings as well as services.msc after all MS patching/updating since GWX.

      The only time I ever found a change in WU was when I installed MS Office a few years ago (pre-GWX), and more recently Office 2013 for a friend, and when I first upgraded to IE11 way back.

    • #13599 Reply


      Bill, do you have Win7 Home or Pro yourself?

    • #13600 Reply


      Hello Perry,

      KB3212646 is the January 2017 Security Monthly Quality Rollup for Windows 7 SP1 and Windows Server 2008 R2 SP1. This rollup installs deep telemetry by updating the Universal C runtime libraries, as do the October through December Quality Rollups. I suspect that the updated C runtimes with telemetry are interfering with your USB drivers. So what you want to do is to uninstall the Quality Rollups and instead install the equivalent Security Only Rollups. Here is a link to my PDF which lists Windows 7 updates which are Win10 related, or which install telemetry, or which are known to cause other issues:


      For the Quality Rollups, see the Comments column which lists the Security Only KB update number which you can download from the Microsoft Update Catalog.

    • #13601 Reply

      Perry Andrew

      Thanks for that! I’m OK with using workarounds to safely delete hardware – for now. So far, unplugging my USB devices hasn’t caused any data failure on the drives. I did note that, when I do a properties-check on the connected device in Device Manager, the Removal Policy setting had switched from “Better Performance” to “Quick Removal (default).” I’ve always had my USB devices configured for “Better Performance.” So, I had to switch them all back. This is likely a consequence of updating to KB3212646. Odd! The deep telemetry needs to be removed from my system. I’ve noticed a substantial slow-down in browsing with Firefox, etc. I’m going to recover my OS from a backup pre-October 2016 and work from there with the Security Only Rollups. Such fun!

    • #13602 Reply

      Perry Andrew

      I forgot to ask. Do I need to recover my OS pre-October, and do the Security Only Rollups from that point forward? I can’t find the Security Only Rollups for October or November 2016 on Microsoft’s support site.

    • #13603 Reply


      @Gone to Plaid

      Many Thanks for the link to your PDF list.
      Have you any other goodies which might benefit a ‘clueless’ user?
      Always learning.

    • #13604 Reply


      It is your choice.
      I would say stay mainstream and install whatever comes to have your system as intended and fully supported.
      Other people would recommend otherwise.

    • #13605 Reply



      Maybe you should be certain of things before spreading them as facts

      Monthly Rollup do not contain Universal C runtimes, and those has nothing to do with telemetry, they are merely Visual C++ redistributables like other versions (2005,2008,2010,2012,2015,2017)

      apparently, you confusing Universal C with “Unified Telemetry Client”, which is included in the Rollup, but has no impact at all on the devices or system functionality

    • #13606 Reply


      Nah. You can sequentially uninstall the Monthly Quality Rollups which have telemetry, and then uninstall any other updates shown in my PDF file which installed telemetry, and then install the Monthly Security Only rollups. That might be faster than reinstalling from your pre-October backup since you would first have to back up all new data files since that last good backup.

    • #13607 Reply


      Alright. I was a bit confused. Nevertheless, with the December Security Monthly Quality Rollup accidentally installed instead of the Security Only Rollup, I noted a slowdown of my computers, apparently due to the telemetry which was continuously being gathered. This slowdown disappeared once I uninstalled that Security Monthly Quality Rollup and installed the Security Only Rollup. Just a guess, but I think that my antivirus program didn’t like dealing with the telemetry monitoring which was going on.

    • #13608 Reply


      Likely possible
      however, it’s very easy to disable telemetry service/logger:

      it won’t get enabled when you install new Rollup

    • #13609 Reply


      @ abbodi86 ……. About Universal C Runtime updates in Win 7, others believe they r connected to Telemetry n the Win 10 upgrade. …
      ElderN replied on Feb 01, 2016

      At least some of these SFC problems are because you have KB3068708 installed and if you were to read in the Additional information section about the update it is known to cause allegedly benign errors from sfc /scannow:


      No troubleshooter will resolve those problems, but you can try.

      That KB is part of the Windows Customer Experience Improvement Program (CEIP) and some folks think that participation is an attempt from Microsoft to spy on them, their system and their activities and choose to opt out of the CEIP.

      Many folks just blindly install all the MS updates that are offered thinking that they must really be necessary since MS is offering them to you so why not install them? Then when you read about what they do you might not be so thrilled with having them installed.

      There are a handful of other updates that are part of CEIP and also efforts by MS to get you to upgrade your system to Windows 10 so what you can do is if you have the updates installed, uninstall them and then hide them so you never see them again then see how your sfc /scannow behaves.

      Here are some updates that you might want to think twice about having on your system taken from this topic (as usual don’t pay any attention to the replies from the Microsoft engaged Support Engineer “experts”):


      Here is a list of updates you don’t need from Wilders Security Forum that you might also check out:

      KB2952664 Compatibility update for upgrading Windows 7
      KB2990214 Update that enables you to upgrade from Windows 7 to a later version of Windows
      KB3021917 Update to Windows 7 SP1 for performance improvements
      KB3022345 Update for customer experience and diagnostic telemetry
      KB3035583 Update installs get windows 10 app in Windows 8.1 and Windows 7 SP1
      KB3068708 (replaces KB3022345) Update for customer experience and diagnostic telemetry
      KB3075249 Update that adds telemetry points to consent.exe in Windows 8.1 and Windows 7
      KB3080149 Update for customer experience and diagnostic telemetry

      KB2976978 Ease upgrade to latest version of Windows

      KB2977759 Ensure compatibility to Win10

      KB2999226 Windows 10 Universal C Runtime (CRT) for earlier OS’s

      KB3090045 applies to some reserved devices that are upgrading to Windows 10 from Windows 8.1 or Windows 7
      KB3123862 adds capabilities to some computers that lets users easily learn about Windows 10
      Excerpted from …

    • #13610 Reply


      I spent a nontrivial amount of time investigating telemetry-related issues for recent “bad” Windows 7 updates. My recommendations are at https://www.askwoody.com/2016/care-to-join-a-win7-snooping-test/comment-page-2/#comment-110622.

    • #13611 Reply


      Well, others do not understand the situation, they just see the word “10” and start to panic 🙂

      UCRT is just a modern C runtimes, and it’s embedded/included in Visual C++ Redistributable 2015 and the upcoming 2017 version

      for Vista/7/8/8.1 it’s deployed as separate update package
      for XP (yes it’s supported), it’s part of the Redistributable package

    • #13612 Reply


      “Many folks just blindly install all the MS updates that are offered thinking that they must really be necessary since MS is offering them to you so why not install them? Then when you read about what they do you might not be so thrilled with having them installed.”

      I am only asking you one thing. When a new Service Pack is released, do you question everything that is included in that Service Pack?
      The updates released monthly are the same thing like Service Packs, only installed in an incremental manner.
      If Microsoft is to release a new Service Pack for Windows 7, they would include everything, including the telemetry patches and reset the base at some stage.

    • #13613 Reply



      I thought we were at Defcon 2, and were to “wait” to install anything. ??

      I see that KB3212642 (Security-only update) is listed, however no other information as to where to find the update.

      Not interested in installing anything right now, however wondering WHERE to locate this one.

      Thanks for any information on this. 🙂

    • #13614 Reply

      Da Boss

      Coming soon.

    • #13615 Reply



      Where can the KB3212642 (Security-only update) be found?? Haven’t seen anything yet about it.

      I’m not planning on installing anything, however need to know where to find this one. Would it be in the MS Catalog, under Win 7, x64?

      Thank you for your help. 🙂

    • #13616 Reply


      @woody: Posted this question elsewhere a few moments ago. My apology. Appreciate your prompt reply. Thank you very, very much!! 🙂

    • #13617 Reply

      Jim in Yakima
    • #13618 Reply

      Da Boss

      Hang on, though. Details coming shortly.

    • #13619 Reply

      Toa Of Justice

      Unfortunately, tonight I noticed the same slowdown of startup programs again. Uninstalling KB3212642 brought my system back to normal.

    • #13620 Reply


      @ ch100 ……. If M$ r to release a Win 7 SP2, which most users doubt M$ will, n publicly state that Telemetry updates r included, I would refuse to hv the SP2 installed on my Win 7 SP1 cptr.
      ……. This is no different from me previously perusing every important update from M$ b4 installing n … refusing M$’s Telemetry updates on my Win 7 SP1 cptr since Sept 2015 n later being in Group C/W(= refusing all updates from M$). Today, my non-updated Win 7 SP1 is still running fine – of course, together with safe-browsing practices n an AV program installed, … notwithstanding the many FUD from M$ shills/apologists.

      If M$ r to release a Win 7 SP2, they will likely hide their Telemetry updates inside the SP2 n won’t inform the users about them, in order to trick the users to ignorantly install their Telemetry updates(esp if they r NSA spyware).
      ……. This would be similar to how M$ hid their GWX KB3035583 inside the security update for IE 11, ie KB3139929, in April 2016 n tricked many tech-savvy Win 7 users into ignorantly installing the GWX/Win 10 scheduled upgrade.
      To each his/her own.

    • #13621 Reply


      May be slightly off-topic, but since v50+ Firefox it system overheads have ballooned. It regularly uses 900MB-1.5GB RAM on my Win7Ent system. I’ve tried all Ffx-suggested tips’n’tricks, to little effect.

      Then there’re the two quite large Flash processes, etc.

      IE11 usually maxes RAM needs at 350-500MB. WTF?

    • #13622 Reply


      It is the new “normal”.
      Consumers telling engineers what to do and there was so much pressure on the Firefox developers not to be left behind Chrome that they broke their own browser due to the fact that Chrome was using multiprocess and they didn’t.
      This means that like with Chrome, the users who will benefit will be those with huge resources and Internet bandwidth, while the others will have to catch up or be left behind.

    • #13623 Reply


      I noticed the same with FF and tried to fix it, to no avail. I usually check on occasion and if it’s really huge, I shut down FF and restart. Not very elegant, but I don’t know what else I can do except switch browsers. And I like FF. Do not like this new behavior!

    • #13624 Reply


      Ever feel like sometimes, you just wanna chuck all the devices and be free of all the nonsense? I do. 😉

      But I can’t (at least not right now) and I won’t. It’s not THAT bad, I just find it very tiring sometimes.

    • #13625 Reply


      “f M$ r to release a Win 7 SP2, they will likely hide their Telemetry updates inside the SP2 n won’t inform the users about them”

      This simply a false accusation
      all telemetry updates are announced clearly by MSFT

      do you think you will know about KB3075249 or IE11 one without such announcement? no.

    • #13626 Reply

      Da Boss


    • #13627 Reply

      Chris M

      I am group A. I have previously hidden KB3212646 as advised.

      Even though we have returned to DEFCON-3, I’m not sure I’d like to install KB3212646 yet without a comment from our great leader Woody on the “startup program slowdown” concerns.

      Thank you everyone for your feedback so far!

      Stay vigilant.

    • #13628 Reply


      @Donna T
      While it is better to leave it alone, the information is available.


      What most people who try to avoid Microsoft “snooping” are not aware is that currently the Firefox users are applied the same treatment by Mozilla in relation to the Electrolysis technology.
      The only way out only for a while is to use the ESR version, the equivalent of LTSB for Windows.

    • #13629 Reply


      Too much FUD here on this site and there are few posters who although are trying hard, have only a partial understanding of the issues involved, but genuinely believe otherwise.

    • #13630 Reply

      Perry Andrew

      It’s been about a week since my “remove hardware” issue. I really didn’t do anything of any significance to my settings. Now, My “safely remove hardware” balloon tip is working just fine. Perhaps Microsoft telemetry eavesdropped on this forum and secretly fixed it for me (joke). Well, maybe there’s some truth to that. At any rate, I’m really not sure how this problem could have fixed itself after one week.

    • #13631 Reply


      I hope it is ok to ask a question here about Dell updates. And if not, my apologies, I won’t do it again. I received an update message today from Dell – BIOS update, which I know can brick a machine if there are any issues and different driver updates. I’m thinking I should ignore it. I am not having any issues or problems and think: “if it ain’t broke don’t fix it” applies here.

      Plus I don’t trust Dell to push out correct updates either.

    • #13632 Reply

      Da Boss

      This is a great place to ask questions – and I promise I’ll have the Lounge built-out before too long, so it’s obvious where to post questions.

      Usually BIOS updates are good. If you have a Silverlake processor ( a computer you bought in the past couple of years), the BIOS updates are downright important.

      Frequently, BIOS patches are necessary to let other things update properly, including Windows and Windows drivers.

      I’d say go ahead and install it.

    Please follow the -Lounge Rules- no personal attacks, no swearing, and politics/religion are relegated to the Rants forum.

    Reply To: Windows 7, 8.1 patches are up

    You can use BBCodes to format your content.
    Your account can't use Advanced BBCodes, they will be stripped before saving.

    Your information: