AKB2000011: Group A, Group B, and Group W — what’s the difference?
By @elly
Rev 1.0 | April 9, 2018
In October 2016 Microsoft fundamentally changed how it supplied patches to Windows 7 and 8.1. Woody, in an InfoWorld Article, “How to prepare for the Windows 7/8.1 ‘patchocalypse’” detailed the changes.
Since then, all security and non-security patches are combined into a cumulative update, called a “Security Monthly Quality Rollup.” The Monthly Rollup is accessible from Windows Update. The most recent Monthly Rollup includes all patches included in any Security and Monthly Quality Rollup since October 2016. It also includes patches for IE 11. Microsoft intends to gradually add older updates to the Monthly Rollup, so that (eventually) you could simply apply the current Monthly Rollup and bring your system completely up to date.
Security patches are combined each month into a single “Security Only” update that can be downloaded from the Microsoft Update Catalog, but they only include the security patches from that month, not previous months. They do not include feature updates. They do not include patches for IE 11. They are not cumulative. You must manually apply the Security Only patches from each and every month in order to be up to date.
In both cases, individual patches — analogous to the KBs we’ve known for a decade prior to this– exist only as bullet points in the documentation. Out-of-band security patches are posted as soon as they’re available and are then incorporated into the subsequent Security Only and Monthly Rollup updates.
Woody identified the following user groups when the new Monthly Rollup system was implemented, and continues to make patching recommendations accordingly:
Group A – willing to take all of Microsoft’s new telemetry systems, along with potentially useful nonsecurity updates.
Group B – doesn’t want any more snooping than absolutely necessary, and they don’t care about improvements like daylight saving time zone changes, but want to keep applying security patches.
Group W– doesn’t want anything from Microsoft — no patches, no security updates, nada. Woody said he doesn’t recommend that you sit on the Group W bench, but that it can be understood given changes Microsoft has made to Win7 and 8.1 machines, without our permission, in the past.
Before October 2016 individual patches could be skipped, whether because they included telemetry, or had a buggy effect on your individual system. They cannot be avoided in the Monthly Rollups. Security Only patches still have all security patches for that month, so the best you can do is avoid an entire month’s worth of security fixes.
You can move from Group B to Group A by installing the current Security Monthly Quality Rollup. Moving from Group A to Group B can be done by completely reinstalling Win7 or 8.1. People who have bugs they cannot tolerate in a particular Monthly Rollup, because of their individual systems, can apply the Security Only patches (skipping the one from the month that is buggy, if it is a security patch issue) from that point forward… and follow Group B patching in the future… but they will miss any other security fixes included in the Security Only update for that month.
If there is a bug in the non-security part of the Monthly Rollup, you could temporarily avoid it by installing the Security Only patch for that month. But… if there is a bug in the security part of the Monthly Rollup, it will be in the Security Only patch, too.
Each month, when Woody has had time to observe the results (possible bugs and fixes) of the patches issued on “Patch Tuesday”, he will post a Defcon level change, with a link to a ComputerWorld article detailing what patches are covering, any bugs, and any bug fixes. He continues to separate patching recommendations into Group A and Group B for Windows 7 and 8.1.
Choosing between Group A and Group B isn’t as simple as asking, “Do I trust Microsoft?” You have to ask yourself whether the additional hassle of manually installing security patches is worth keeping Microsoft’s snooping routines off your machine. You also have to ask whether the benefits of the new non-security patches (which have included improvements to Disk Cleanup, various bug fixes, time zone changes, performance improvements in odd scenarios, and several others) are worth the added exposure to Microsoft’s data gathering activities (about which they give little information). Woody recommends that most people follow Group A updating.
There is a summary of Group A updating at Knowledge Base Article 2000004: How to Apply the Win7 and-8.1 Monthly Rollups.
There is a summary of Group B updating at Knowledge Base Article 2000003: Ongoing List of Group B Monthly Updates for Win7 and 8-1. PKCano has added the Security Only and IE 11 patch links here, and very kindly updates this every month.
Group W gets ignored a lot, because they aren’t bothering to patch. This is risky. They generally run with good backups, and are technically able to restore from a recent system image without a problem. If you want to know why it was named Group W, and not given some other letter, check out the link Woody provided us at Post #35813.
