• Best way to get all the Group A patches applied

    #20058

    Good question from JC: I will appreciate very much your help in the steps I have to do to patch my windows 7x64 Home Premium and office 2007, which la
    [See the full post at: Best way to get all the Group A patches applied]

    • #20059

      >If you’re in Group A – you don’t mind Microsoft’s snooping

      Your mention of “snooping” made me wonder if maybe it would be a good goal for most folks to take all Group A patches then apply various privacy enhancing measures to mitigate the “Microsoft’s snooping” part.

      A little over two weeks ago, after a 5 month hiatus from patching, I brought my Win 8.1 workstation, which I use all day every day, fully up to date with group A using plain old Windows Update. I did a few needed things like disable the Diagnostics Tracking Service (DiagTrack) service, ensure various scheduled tasks are disabled… I had already applied a number of other tweaks to eliminate telemetry and of course I have a firewall to block unwanted online connections. So far I’m not sorry I applied the Group A updates; it has been running stably, facilitating my work for 18 days now on the same bootup without any problems.

      Conversely, I have a Win 7 system that’s used primarily as a server (though I do some software testing on it). But it’s not used to browse the web or do much of any “typical” user type stuff. That system hasn’t had any updates since May, and I don’t plan to give it any more. It’s solidly in Group W: The risk is low, so “if it ain’t broke, don’t fix it”.

      -Noel

    • #20060

      @JC First congratulations for moving into the professionals’ league and for stopping listening to FUD 🙂

      Keep these steps for your reference:

      1. Start clean and reset your Windows Update database.
      a. Stop Windows Update service.
      b. Delete the folder “C:\Windows\SoftwareDistribution”
      c. Restart the computer

      2. Download manually from the Microsoft Catalog and install them in this order, one by one with restart between them if required (you may have some of them installed, which is OK):
      KB2533552
      KB2574819
      KB2592687
      KB2670838
      KB2830477
      KB2857650
      KB3020369
      KB3138612
      KB3172605
      KB3177467

      3. Run Windows Update and install ONLY Internet Explorer 11 (this may also be already installed).

      4. Download from Microsoft Catalog and install KB3125574. This will take some time; allow it to complete the install correctly. You could monitor the process TrustedInstaller.exe in Task Manager and ideally restart only when the CPU use goes down to zero, and after the restart wait another 15 minutes or so until TrustedInstaller.exe completes its cycle, monitoring it the same way as above.

      5. Run Windows Update and install all other updates, less those with Preview in name.

      6. Keep updating every month after Woody says it is OK, i.e. follow MS-DEFCON recommendations and install only when MS-DEFCON changes to 3 or higher while also reading Woody’s notes for the relevant patches about possible conflicts or issues.

      7. If you are pleased with how your computer works now and would like to have it so in the future, go to the right of this site and make a contribution to keep the site running for the benefit of all of us.

    • #20061

      To JC – that’s a much more thorough approach. For someone in Group A, it’s the cleanest (if not the easiest) way to get updated. Thanks, ch100.

    • #20062

      Just an added note:
      The procedure above is optimally performed with the setting for Windows Update set to Never check for updates.
      Not mandatory, but optimal and highly recommended, as it keeps the automatic scanning process from interfering with the manual procedure.
      I would also recommend that Never check for updates be set permanently for the same reasons, and that all scanning and installations be done on demand only when needed.
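
A read-only pre-flight check for the manual procedure in the two posts above (added example, not part of either post). The KB numbers and their order are copied from the list; the `wuauserv` service name and the `AUOptions` registry value (1 = "Never check for updates") are details the thread does not give.

```powershell
# Added example: read-only pre-flight check for the manual procedure above.
# Runs on the PowerShell 2.0 that ships with Windows 7; installs and deletes nothing.

# KB order copied from the post. KB3125574 is step 4 (after Internet Explorer 11).
$OrderedKbs = @(
    'KB2533552', 'KB2574819', 'KB2592687', 'KB2670838', 'KB2830477',
    'KB2857650', 'KB3020369', 'KB3138612', 'KB3172605', 'KB3177467',
    'KB3125574'
)

function Get-PatchPlan {
    param([string[]]$KbList)

    # Get-HotFix reads Win32_QuickFixEngineering, which lists installed update packages.
    $installed = @{}
    foreach ($fix in Get-HotFix) {
        if ($fix.HotFixID) { $installed[$fix.HotFixID.ToUpper()] = $true }
    }

    # Emit one row per KB, keeping the order in which the post says to install them.
    $order = 0
    foreach ($kb in $KbList) {
        $order++
        $row = New-Object PSObject
        $row | Add-Member NoteProperty Order $order
        $row | Add-Member NoteProperty KB $kb
        $row | Add-Member NoteProperty Installed ($installed.ContainsKey($kb.ToUpper()))
        $row
    }
}

function Get-UpdateScanState {
    # Assumptions not stated in the thread: the Windows Update service is named
    # wuauserv, and AUOptions = 1 under this key means "Never check for updates".
    $service   = Get-Service -Name wuauserv
    $key       = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update'
    $auOptions = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).AUOptions

    $row = New-Object PSObject
    $row | Add-Member NoteProperty ServiceStatus $service.Status
    $row | Add-Member NoteProperty AUOptions $auOptions
    $row | Add-Member NoteProperty NeverCheck ($auOptions -eq 1)
    $row
}

$plan = Get-PatchPlan -KbList $OrderedKbs
$plan | Format-Table -AutoSize

# The first missing entry is the next package to fetch from the Microsoft Catalog.
$next = $plan | Where-Object { -not $_.Installed } | Select-Object -First 1
if ($next) {
    "Next package to install manually: $($next.KB) (position $($next.Order) in the list)"
} else {
    "Every package in the list is already present."
}

$scan = Get-UpdateScanState
$scan | Format-List
if (-not $scan.NeverCheck) {
    "Windows Update is not set to 'Never check for updates'; a background scan may compete with the manual installs."
}
```

Packages that are already installed show `Installed = True` and can be skipped, which matches the post's remark that some of them may already be present.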

    • #20063

      Noel, while I think your measures of protecting your computer and network are somehow complicated for the regular end-user and maybe counterproductive for some non-technical users, some configuration would be a next optional step for those deciding to move into Group A.

      The basic configuration which I find necessary is to go under Control Panel\Action Center and set Customer Experience (CEIP) to No – this is default in Enterprise Edition and maybe Volume License Pro and Windows Error Reporting to No for All users.

    • #20064

      Why doesn’t he just get Windows 10? He is going to end up there eventually, instead of messing around now with Group A.
      Windows 10 is probably still free, if you look hard enough.

    • #20065

      @Woody,

      Now here’s a read that will be close to all AskWoody readers….

      https://www.yahoo.com/tech/customers-took-stand-against-windows-171522288.html

    • #20066

      Technically, the Win10 upgrade is no longer free.

      Practically – that’s a different matter.

      There are still LOTS of reasons to avoid Win10.

    • #20067

      If no one “gave in” and assumed adoption of Win 10 is inevitable despite all the reasons it’s worse for users, then Microsoft would have to do better.

      Somewhere between 40% and 50% of the world thinks Win 7 is still better.

      -Noel

    • #20068

      As a Group A Win 7 user I never had any intention of upgrading to 10. If you remember MS was trying to force us to upgrade by using the recommended update to sneak unwanted 10 prep junk on us. After the free download ended they stopped pestering for a while then tried one more time to sneak it in again on recommended updates but many of us complained and they stopped again. I still don’t trust them. They want everyone on 10. If I want 10 I’ll buy a new computer. I don’t check Recommended. I’ve heard “recommended” is being discontinued.

    • #20069

      It wouldn’t surprise me if “Recommended” got the heave-ho. Microsoft has little left to recommend…

      … “Do. Or do not. There is no recommend.”

    • #20070

      Does anybody know what error 1067 — unexpected termination of service start — means?

      I have installed TinyWall on a Win10 system without any problem, but on a Win7 system its service does not start properly and issues the error. When I go into properties, it seems to start and stop continuously. I tried it 3 times, to no avail.

    • #20071

      @Noel,

      1. Is there a place where you list out all the tweaks you have made to eliminate telemetry (in addition to stopping the DiagTrack service)?

      2. I thought that one of the big worries about the Group A monthly rollups was that some of the patches are introducing, or will introduce, telemetry that computer owners (even experts) cannot stop by normal means (which I guess is already the case in Windows 10).
      Is that not a concern about the new rollups for Windows 7/8?

    • #20072

      Windows 10 has nothing to do with keeping Windows 7 in good shape.

    • #20073

      I think there will be nothing new in the Recommended category, but there is still plenty to be installed for those not up to date with the old patches.
      Recommended and Important non-security have been in a process of merging for a while (they are all named “Update” after all) and Office has never had the Recommended category.

    • #20074

      Precisely.

    • #20075

      I used scripts to completely remove Cortana and Edge from Win10 151 and I have never applied any updates since I got the computer sometime at the start of 2016.

      Does anybody know if I apply only the security patches how likely are they to bring back Cortana or Edge?

    • #20076

      With them it’s just “required”, there’s no namby-pamby “recommended, but it’s up to you as a competent adult to figure out what is better for your own situation” any more.

      It’s like the statement at the start of British passports, it goes something like “the Queen requests and requires that you treat her subjects well”
      (or whatever she is requesting and requiring of foreign governments).

      Microsoft requests and *requires* that we allow all their updates,

      or there’s gonna be a price to pay —
      we will be actively contributing to the spread of malware around the world, we will be forced to pay more of our own money (for something… I forget what), we will lose time and sleep and thus be more likely to get shingles, and we will have to put a scarlet letter B, C, or W on our laptop carrying cases.

      :-p

    • #20077

      “the passage of text – which originated more than three centuries ago when the monarch stopped signing every passport in person…

      [is, or at least it was until recently]

      ‘Britannic Majesty’s Secretary of State Requests and requires in the Name of Her Majesty all those whom it may concern to allow the bearer to pass freely without let or hindrance, and to afford the bearer such assistance and protection as may be necessary.’ ”

      http://www.dailymail.co.uk/news/article-480940/EU-wants-rid-Queen-passports.html

    • #20078

      >There is no recommend

      🙂 (Except at AskWoody.com of course) 🙂

      -Noel

    • #20079

      Scarlet letters… oh, I like that!

    • #20080

      I’d say the chances are between 100% and 101% – but that’s only a guess.

      No question at all if you move from 1511 to 1607.

    • #20081

      Keeping The Ship Afloat!
      Thanks guys and gals for all your excellent posts.
      Without Woody’s Windows Crew keeping a lookout we’d all be sunk!
      Microsoft think they have a lifeboat.
      They’ve named it “The Win10”.
      It’s really called “The Hubris”.
      They’re not smart enough to know the difference.
      You and Capt. Woody most certainly are!

      “I must go down to the seas again, to the lonely sea and the sky,
      And all I ask is a tall ship and a star to steer her by…”
      (Sea Fever by John Masefield via Captain James T Kirk)

      Cheers!
      sainty ⚓️

    • #20082

      @Woody

      “There are still LOTS of reasons to avoid Win10.”

      I am surprised to read that from you.
      Would you elucidate please?

      All the big PC web sites do not bother with Windows 7 or 8. They are always writing about what wonderful things Windows 10 has. So do you in your book.

    • #20083

      My Win10 book is very careful to point out perfectly valid reasons why people might NOT want to run Win10. I, personally, run Win10 on my production machines, but I’ve come to terms with the two major problems:

      > The snooping in Win10 is completely undocumented, and likely extensive

      > It’s difficult (but not impossible) to keep Microsoft from applying updates you may not want

      I realize the big web sites ignore Win7 and 8.1. Too bad, really, because the majority of Windows users are still running Win7 and 8.1, and likely will be for some time.

    • #20084

      Only in reply to #2, I think it is correct that certain telemetry is almost impossible to stop in Windows 10 and Windows 7, unless using measures like those described by Noel in the posts about Sphinx software and even then, there is telemetry associated with Windows Update which is not possible to block with firewalls.
      Most experts that I know are not so concerned with the telemetry as such and this is considered normal Windows functionality, however they have concerns related to excessive network traffic caused by telemetry and time-outs when the traffic is blocked and disruptions like those caused by forced automatic updates.

    • #20085

      For Windows 7, I haven’t seen any evidence so far in my testing (https://www.askwoody.com/2016/care-to-join-a-win7-snooping-test/) that you need to do anything more than these two steps to stop the most undesirable telemetry-related behavior that Microsoft has introduced to Windows 7 in recent years:
      1. Turn off operating system’s Customer Experience Improvement Program.
      2. In Task Scheduler, disable task Microsoft Compatibility Appraiser, located in Microsoft\Windows\Application Experience.

      Doing those two steps seems to stop Diagnostics Tracking Service from communicating with Microsoft telemetry, and stops task Microsoft Compatibility Appraiser from using sometimes nontrivial CPU and disk resources.

      Does anyone have any evidence that anything more than these two steps needs to be done in Windows 7?

    • #20086

      So if we are in group A is it still recommended that we check the box “Give me recommended updates the same way…….”?

    • #20087

      Then no updates and no upgrades. Until the aero scripts will work with 1607.

    • #20088

      JC opened this discussion and we have not heard a peep from JC. Ch100 refers to him/her as “moving into the professional league and for stopping listening to FUD”.

      Quite honestly I am getting sick of this BS. If you choose Group A, then it is your decision and it has nothing to do with whether or not you are right or wrong or in the professional league or listening to FUD (whoever is producing the FUD) – it is what you think is best for you. Insulting users who are not Microsoft fanboys is not constructive.

      JC, it would be nice to hear from you. I hope that all is working well for you.

      [slightly edited -WL]

    • #20089

      I just heard from JC:

      Thank you very much.

      I’m so sorry (moreover when you have published in your web) but, unfortunately I had a typewriting mistake: is since April 2016 (not 2015), so I think is best to follow your procedure instead of proposal from ch100.

      As network adapter I have NVIDIA nForce 10/100/1000, so I think I won’t be affected by Bluetooth issue. (Nevertheless I don’t use Bluetooth).

      So, I have to turn off the internet, then install first KB 3020369 (I have checked and is not installed in my system) and after the KB 3172605.
      Then turn the windows update on and the internet back on and reboot.

      Please, confirm me if I have understood the procedure.

      Thanks again for your tolerance and help.

    • #20090

      I hope JC gets up the courage to jump in here and post!

    • #20091

      I personally do not check the “Recommended” box — never have. Although I’m now in Group A, I can see that there are numerous “Optional” patches that have not been installed. That’s just the way I want it.

      Others have suggested that the optional/recommended patches will at some point be merged into the “important” patches. Maybe so, but so far I haven’t seen any evidence of that.

    • #20092

      MSU file Installers for kb 3172065 and kb 3020369 both hang with searching for updates on this computer. Am running as admin and have the proper file (64). Any help please.

    • #20093

      I mentioned elsewhere about Windows Error Reporting. This is not telemetry, but similar as it sends data about the system back to Microsoft. I see it as an annoyance more than snooping. It also fills the C: disk in some situations with tens of GB of useless logs.
      To completely disable the annoyance:
      Computer Configuration\Administrative Templates\Windows Components\Windows Error Reporting
      Disable Error Reporting – Enabled
      Prevent display of the user interface for critical error – Enabled
      Some people may consider disabling MSRT reporting back and antivirus reporting back.
      And I think this covers all telemetry in Windows 7 and Windows 2008 R2.

    • #20094

      Yes, this is essentially the difference between Group A and B. In addition I would say, install Optional too (Group A), other than the preview updates. There should be only 3 Optional which are mentioned above and all are related to RDP 8/8.1 if the Convenience Pack is installed.
      If you think that the difference between Group A and Group B is related only to the type of current patches, check what is happening in the background.
      The Monthly Rollups contain Security + Important + Recommended, while Security Only updates contain Security (maybe + Important).
      The latest Important update released as far as I know is KB3138612 and there are likely to be no more for Windows 7 in the future. They are meant to fix Critical functional flaws and should be treated with the same priority as the Security updates or even higher priority. Some of them avoid blue screens in certain circumstances and this should tell you enough why they are more important than the security updates.

    • #20095

      If you choose Group B you are supported only by Woody and not by the manufacturer, unless you have support agreement with Microsoft. End of story.

    • #20096

      Even with patches installed up to April 2016 JC can follow my procedure, as I explained that there may be updates already installed.
      Regardless of the procedure to follow, I think JC should reply here. 🙂

    • #20097

      Disconnect the internet before running the installers.

    • #20098

      Thanks for the reply Woody. I pulled the plug on the modem and the router and disconnected the Ethernet cable to the computer. Deleted the files, rebooted and downloaded again and tried again and both MSU installer files still hang immediately with “searching for updates on this computer”. Not sure why. HP computer with Windows 7 Home Premium 64.

      Any ideas and help is appreciated.

    • #20099

      I haven’t done a lot of research on telemetry issues outside of Diagnostics Tracking Service recently, but offhand I think there is also a setting in Windows Media Player, and a setting in Help and Support.

      My focus recently has been about Diagnostics Tracking Service telemetry because that is the new Windows functionality that some are concerned about, and seems to cause some people who would otherwise be in Group A to not be in Group A.

    • #20100

      Go to Control Panel\Administrative Tools\Services
      Scroll down and highlight Windows Update Service
      At the top left click on “Stop”

      Disconnect the internet

      Try again

    • #20101

      Follow up! Tenth time is the charm. Possible causes are wifi restarting every time I rebooted and me not being smart enough to catch it and even though wifi and modem were unplugged I actually had to remove the Ethernet cable from the computer. I’m not the brightest with this stuff but I keep trying.

      Appreciate your website Woody and all of the people that ask the questions and the people that help those like me.

    • #20102

      @woody

      All I say is, like the Borg, “Resistance is Futile”. By 2020, most of your readers will be on Windows 10, because they have nowhere else to go.
      I don’t want to think about what Windows 10 (11?, 12?) will be like then as far as surveillance and adware are concerned.

    • #20103

      @MrBrian,

      There is the Office programs’ CEIP reporting that is not turned off by merely turning off the general computer’s CEIP, which you might want to put on the list of things that people can turn off.

      There is an Action Center setting about sending reports back to MS which is in the “on” position by default and several of us here at AskWoody.com were surprised to learn about it a few months ago.

      There is some kind of setting in the Media Player that I found about a month ago (it was the first time I had opened Media Player in my 2.5-year-old computer) that sends information to MS and I turned that off in the settings there.

      When I took a good look at my computer’s Services in Task Manager a couple of years ago, I was surprised to find that CEIP had things that seemed to be scheduled and appeared to not be turned off even though I had opted out of CEIP (in the general place to do that) when I first got the computer, and when I checked it, it was still opted-out in that place.

      —-
      There have been past mentions and even threads here about the CEIP. Unfortunately searching here is kind of hard, but yesterday I found one thread where we’d talked about it:

      https://www.askwoody.com/2016/microsoft-snooping-through-office/

      (At that point in time I was using the usernames “D.” and “D.D.”; my comments were numbered 4 and 5 in that thread)


      AskWoody.com contributor Manaka wrote last evening on another current thread here,

      “Win 7 *does* have hidden telemetry, at least as far as the CEIP goes, and probably much further than that.
      I.e., if you opt-out of CEIP, either during a fresh install or after, and then run an app like Anti-Beacon (as I did), you’ll find that only 2 or so of 7 or so CEIP settings have actually been blocked.”
      https://www.askwoody.com/2016/how-windows-10-data-collection-trades-privacy-for-security/#comment-109982

    • #20104

      just a thought – maybe in your appendage you could have the option for contributors to put next to their avatar (or screenname or however people will be identified) a scarlet letter telling everyone which group they are in, A, B, or C/W. there could be a little image of a laptop carrying case with the relevant letter in the corner of it.

      even though generally i don’t like badges and awards and jokey things appearing next to forum avatars/icons/screennames, in this case it might save contributors from typing out for other readers where they are coming from in every other post, like “well, I decided back in October to be in Group A and (blah blah)”

    • #20105

      @Anonymous,

      “Quite honestly I am getting sick of this BS.

      …it is your decision and it has nothing to do with whether or not you are right or wrong or in the ‘professional league’…

      Insulting users who are not Microsoft fanboys is not constructive.”

      ======
      I agree entirely.

      I don’t want to sound like a broken record, so sometimes I pass by without saying this, so I’m glad that someone else has said it here.

      Many readers will be thinking similarly, yet choosing not to say anything in order to concentrate on making constructive, positive comments.

      —-
      (I don’t know if Woody’s new forum is going to have up and down votes on posts….)

    • #20106

      I don’t know, either….

    • #20107

      I was thinking this afternoon about starting separate forums for A, B and W aficionados….

    • #20108

      You’re right, although I expect there will be a tougher stance than the one for XP…

    • #20109

      Or maybe just have up voting without having down voting, such as the Guardian’s website does. It’s less negative, but still conveys the thoughts of the readership.

    • #20110

      >1. Is there a place where you list out all the
      >tweaks you have made to eliminate telemetry (in
      >addition to stopping the DiagTrack service)?

      No, but I really should do a writeup. It’s on my list of things to do. Two of the biggest are that I have a big blacklist courtesy of my DNS proxy server, and the firewall doesn’t allow connections I haven’t pre-ordained. But once I’ve seen an attempt to contact an online server I strive to stop the system from even trying through tweaks, and have mostly been successful at that.

      >2…telemetry that computer owners (even experts) cannot stop by normal means

      Not sure what you consider “normal means”, but one can go from mild to wild – at one end opting out of as much as is possible via just the overt settings provided by Microsoft all the way to registry edits, firewall software, and DNS blacklisting. Obviously you could disconnect the computer from the internet entirely and no telemetry would ever get through. But I presume you imply “and continue to be able to do online stuff”.

      In general I’ve proven that through very selective control you can get to virtually all the online goods and block virtually all the unwanted data upload.

      By the way, my philosophy extends to web browsing. No sites other than those I explicitly visit are tracking what I do, and my browsing experience is all the better for it.

      Ch100 makes the point that one may be subject to telemetry upload during Windows Update, assuming you choose to start it, but I believe in practice that that’s not entirely true.

      Due to the quite different nature of telemetry reception and download serving, it looks like Microsoft uses different servers for the different activities. I am able to complete a Windows update without allowing a connection to statsfe2.ws.microsoft.com, for example.

      -Noel

    • #20111

      Thank you for your help. Much appreciated

    • #20112

      You got this fixed, but this is a good place to add that, in addition to everything else mentioned, Windows Update should be set to ‘Never check for updates’ before trying to install these two updates to avoid getting stuck at the ‘searching for updates on this computer’ message. As I was reminded in my own thread about this issue a couple of days ago. (red face)

    • #20113

      Thanks :). My two steps are in regards to only the “bad” updates from the recent two years.

    • #20114

      @MrBrian and anyone else,

      Of the optional choices regarding telemetry which computer owners have in Windows 7 and which you know about, from any time period, have all of them been mentioned in this brief exchange above, or are there any others that you know about that I can put on my list?

      I’m not worried just about the last 2 years, but about how to set up my new computer to be covered for every Windows data-sending opt-out opportunity.

    • #20115

      “Ch100 makes the point that one may be subject to telemetry upload during Windows Update, assuming you choose to start it, but I believe in practice that that’s not entirely true.”

      I was only relaying what is implied in the documentation about telemetry in Windows 10 and Server 2016.

      Also in a certain Microsoft article about troubleshooting failed WSUS updates while the failing computers use a proxy server, there is a recommendation that winhttp is configured to allow access through the proxy, which implies that there is data transferred between the client computer and the online server, even if the updates are downloaded from the internal WSUS server. The log file WindowsUpdate.log confirms the traffic to the online servers in those situations.

    • #20116

      Of the ones I know about offhand, all have been mentioned in the comments in this article. But I’d recommend that you also review the relevant privacy statements from Microsoft:

      Windows Vista Privacy Statement – https://privacy.microsoft.com/en-US/windows-vista-privacy-statement

      Windows 7 Privacy Statement – https://privacy.microsoft.com/en-us/windows-7-privacy-statement

      Windows 8 and Windows Server 2012 Privacy Statement – https://privacy.microsoft.com/en-US/windows-8-privacy-statement

      Microsoft Privacy Statement – https://privacy.microsoft.com/en-us/privacystatement/

    • #20117
    • #20118

      I noticed that you have not mentioned the task ProgramDataUpdater in the results of your research. This task is found in the same location with Microsoft Compatibility Appraiser, i.e. under Microsoft\Windows\Application Experience

      Both tasks Microsoft Compatibility Appraiser and ProgramDataUpdater are installed by KB2952664 and are not subject to CEIP controls, which is actually not claimed by Microsoft.

      For those concerned with the effects of those tasks, it may be useful to disable both of them.
      I personally don’t have a recommendation in that sense, as those tasks are trying to find issues with various third-party applications installed on the system and comparing the results with Microsoft’s database using telemetry.

      All those things have been previously discussed many times, most details were provided previously by abbodi86, but they were never documented so well as MrBrian documented them.

      Very well done! 🙂
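
A read-only audit of the Windows 7 items named in this thread: the CEIP opt-out, the two Application Experience tasks, and the DiagTrack service (added example, not code from any poster). The task folder, task names and service name come from the posts; the `SQMClient` registry location for CEIP and the use of the Task Scheduler COM interface are assumptions added here.

```powershell
# Added example: read-only audit of the telemetry-related settings discussed above.
# PowerShell 2.0 compatible: Get-ScheduledTask does not exist on Windows 7,
# so the Task Scheduler COM interface is used. Nothing is changed.

function Get-CeipState {
    # Assumption (not on the page): CEIP opt-out is stored as CEIPEnable = 0,
    # with a Group Policy value taking precedence over the local one.
    $paths = @(
        'HKLM:\SOFTWARE\Policies\Microsoft\SQMClient\Windows',
        'HKLM:\SOFTWARE\Microsoft\SQMClient\Windows'
    )
    foreach ($path in $paths) {
        $value = (Get-ItemProperty -Path $path -ErrorAction SilentlyContinue).CEIPEnable
        if ($value -ne $null) {
            $row = New-Object PSObject
            $row | Add-Member NoteProperty Source $path
            $row | Add-Member NoteProperty CEIPEnable $value
            $row | Add-Member NoteProperty OptedOut ($value -eq 0)
            return $row
        }
    }
    $row = New-Object PSObject
    $row | Add-Member NoteProperty Source 'CEIPEnable value not found'
    $row | Add-Member NoteProperty CEIPEnable $null
    $row | Add-Member NoteProperty OptedOut $false
    $row
}

function Get-AppExperienceTaskState {
    param(
        [string]$FolderPath = '\Microsoft\Windows\Application Experience',
        [string[]]$TaskNames = @('Microsoft Compatibility Appraiser', 'ProgramDataUpdater')
    )
    $scheduler = New-Object -ComObject Schedule.Service
    $scheduler.Connect()
    try { $folder = $scheduler.GetFolder($FolderPath) } catch { $folder = $null }

    foreach ($name in $TaskNames) {
        $task = $null
        if ($folder) {
            # GetTask throws when the task is absent (for example, KB2952664 not installed).
            try { $task = $folder.GetTask($name) } catch { $task = $null }
        }
        $row = New-Object PSObject
        $row | Add-Member NoteProperty Task $name
        $row | Add-Member NoteProperty Present ($task -ne $null)
        if ($task) {
            $row | Add-Member NoteProperty Enabled $task.Enabled
            $row | Add-Member NoteProperty LastRunTime $task.LastRunTime
        } else {
            $row | Add-Member NoteProperty Enabled $false
            $row | Add-Member NoteProperty LastRunTime $null
        }
        $row
    }
}

function Get-DiagTrackState {
    # DiagTrack is the service name given in the thread for Diagnostics Tracking Service.
    $service = Get-WmiObject -Class Win32_Service -Filter "Name='DiagTrack'"
    $row = New-Object PSObject
    $row | Add-Member NoteProperty Present ($service -ne $null)
    if ($service) {
        $row | Add-Member NoteProperty State $service.State
        $row | Add-Member NoteProperty StartMode $service.StartMode
    } else {
        $row | Add-Member NoteProperty State 'not installed'
        $row | Add-Member NoteProperty StartMode 'n/a'
    }
    $row
}

$ceip  = Get-CeipState
$tasks = @(Get-AppExperienceTaskState)
$diag  = Get-DiagTrackState

$ceip  | Format-List
$tasks | Format-Table -AutoSize
$diag  | Format-List

# Summarize against the two steps from the earlier post plus the ProgramDataUpdater task.
$stillEnabled = @($tasks | Where-Object { $_.Present -and $_.Enabled })
if ($ceip.OptedOut -and $stillEnabled.Count -eq 0) {
    "CEIP is opted out and neither Application Experience task is enabled."
} else {
    if (-not $ceip.OptedOut) { "CEIP is not opted out (or the value was not found)." }
    foreach ($t in $stillEnabled) { "Task still enabled: $($t.Task)" }
}
```

Run it from an elevated prompt after each monthly rollup to confirm that an update has not re-enabled a task or service.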

    • #20119

      I did mention task ProgramDataUpdater briefly at https://www.askwoody.com/2016/care-to-join-a-win7-snooping-test/#comment-109452:
      “Interesting info: Installation of KB2952664 (the version that was current as of November 25, 2016) also changes the action for task ProgramDataUpdater (located in Microsoft\Windows\Application Experience) from
      %windir%\system32\rundll32.exe aepdu.dll,AePduRunUpdate
      to
      %windir%\system32\compattelrunner.exe -maintenance

      […]

      P.S. During both tests I also manually ran all of the tasks listed at https://pubs.vmware.com/horizon-61-view/topic/com.vmware.horizon-view.desktops.doc/GUID-BE82165B-13BC-4FD9-A9CF-FBEF6343D98A.html except Autochk; I didn’t know about Autochk at the time of the tests. All 5 of these tasks completed within a few seconds each.”

      I should probably do a test if any of these other tasks causes data to be sent to Microsoft telemetry.


      @ch100: Thank you again for the kind words :).

    • #20120

      I believe it’s actually the Application Experience service (not the Application Experience tasks) that is responsible for getting some older third-party applications to work properly with newer versions of Windows. See https://xato.net/the-application-experience-lookup-service-47c1ae394c3e for a less technical explanation, and the links at http://www.forensicswiki.org/wiki/Windows_Application_Compatibility for more technical details.

    • #20121

      I guess the question is: What online servers are contacted, specifically?

      statsfe2.ws.microsoft.com?

      -Noel

    • #20122

      I have removed Cortana from 1607 (along with all other Apps). I used my own script, so I can tell you definitively that it’s possible.

      -Noel

    • #20123

      Sorry for the late response. Last December 6 I installed KB3020369 and KB3172605, according to Woody’s method. After some minutes (max. was 5 or so) I received windows 7 and office 2007 updates and the November roll up. Then e-mailed Woody asking if I should install first the updates or the November roll up. Woody told me to try first with the roll up. Yesterday, December 9, I installed first the roll up and after the other win7 and office updates. Installing first the roll up did not make any change to the other updates.
      Thanks to everybody for all your previous comments.

    • #20124

      I love it when a plan comes together….

    • #20125

      Dear Woody – I’m in a bit similar situation as JC – my last WU installation was in July 2016 on Win 7 Professional SP1 OS. Based on your website, I’ve installed KB3172605 and initially WU showed several security update KBs dated Aug, Sep, Oct and Dec. But by the time I’ve been able to confirm those listed KBs were safe to install, the list had changed to show the December roll up for Win 7x64 (kb3207752) and .Net (KB3205402) and KB3177186 (dated Sep) along with security updates for Office2007 and the new MSE (KB3205972).

      Main questions: 1/ since I’ve not done any major updates, would this still keep me in “group B” for now? 2/ do I need to manually look for the Oct and Nov updates to download while waiting for the Dec patch be deemed safe? if so, please help with links and simple instructions. 3/ is it necessary to download the KB3205972 if I hadn’t had the problem with the right-click menu choice gone missing?

      Thank you for your help and hope I have posted in proper place. —DP

    • #20126

      1. Yes.
      2. Yes.
      For Nov: https://www.askwoody.com/2016/ms-defcon-4-get-windows-and-office-patched/
      For Oct: http://www.infoworld.com/article/3136173/microsoft-windows/how-to-cautiously-update-windows-7-and-81-machines.html
      WAIT for December
      3. It’s always a good idea to update MSE, but I wouldn’t lose any sleep over it.

    • #20127

      Thank you, Woody! I forgot to note that I did install KB3177186 that stay shown in the WU list. Also forgot to ask whether I needed to look for security updates provided in Aug and Sep or are those already rolled into the Oct rollup?

      I had BSOD several times recently so will need to do backups before downloading from the links you gave. Again, very grateful for your help!

    • #20128

      Update: got my backups imaged overnight and did the Oct and Nov security-only updates via link provided. Both times I checked for .NET security updates, WU did not show any except for the December-dated ones so plan to wait for the green lights on those. Please let me know if I need to look for Oct/Nov .NET security updates (and where to find them). Many thanks!
