(Closed Pt.2) Comments on AKB 2000003: Ongoing list of "Group B" monthly updates for Win7 and 8.1

Topic

AKB 2000003 “Ongoing list of “Group B” monthly updates for Win7 and 8.1″ was updated 6/13/2017 with June patches.

1 user thanked author for this post.

Pepsiboy

Replies

PK Cano i am not certain about what to download for June the security only one is kb 4022717 not kb 402219 for group b is that right?

You don’t mention what version of Windows.
For June, KB4022722 is the the Security only for Win7
For June, 4022717 is the Security only for Win8.1
See AKB2000003 for the right patch. Be sure the bitedness is right (32-bit or 64-bit)

And you need the patch for IE11 also.

1 user thanked author for this post.

woowoochow

Hello and thank you PKCano, Woody, Kirsty, and everyone else for all of your help with these patches!

Can you please clarify if it’s safe to patch through to June, or only through April?  On May 13, PKCano said the May patch has not been approved, and I’m not sure if the May and June patches are safe to install at this point.

I’m on Windows 7 Pro 64-bit SP1 in Group B, and I haven’t patched since September, but I’m catching up now.

I have a suggestion if it’s not safe to patch through to June: At the end of AKB2000003 where you list links to the monthly patches, please indicate somehow which ones have not yet been approved and should not be installed yet.

Thank you very much!

All the patches through May are OK to install (explanation to follow). Currently the June patches are on hold. So go ahead and catch up through May.

The explanation for the patching: the MS-DEFCON method. See the number at the top of the webpage. If the number is 1 or 2, the current month’s patches are on hold. The reason being, that MS has been issuing bad patches with some regularity lately, and we don’t want to be the Beta tester Guinea Pigs.

MS releases new updates on the second Tuesday of the month (Patch Tues). Shortly before this happens, Woody lowers the DEFCON number to 1 or 2 meaning don’t install this month’s patches yet. We wait, monitoring the Internet and reports here on AskWoody, to see what problems arise. This month (June) there is a printing problem in IE11 caused by the installation of the June Security Monthly Quality Rollup. The Rollup contains the Cumulative Update for IE11, so the stand-alone patch that Group B installs may also be involved. We are waiting to see if the problem is resolved.

Somewhere before the next Patch Tues, when we know where the Updates stand, Woody will raise the DEFCON number to 3, 4, or 5 along with instructions for patching. At that point, it is safe to install the current month’s patches.

For a full description of the MS-DEFCON system see the button in the menubar at the top of the site

1 user thanked author for this post.

1040ST

I just discovered on a Windows 8.1 box that I somehow never installed the original October 2016 patch for Group B– but have installed all of the other Security Only patches. Does this mean I need to reinstall everything chronologically, or if I just install kb3192392 am I ok to keep using this machine?

You can go ahead and install the patch. If it has been superseded, it probably just won’t install.

Any update on Jun 2017 KB 4022722 security only update is safe to instal yet, also is there a security only patch for .net framwork 4.6.1 this month, just the last time i installed the  version of it via WUS  i observed a few oddities, which went away after installing last months security only .net update

June patches are still on DEFCON 1 for a little while longer.

The last Security only patch for .NET 4.6.1 was issued in May.
.NET 4.7 was released in June, but there were some problems with Win7, so I would advise holding off on upgrading to .NET 4.7 for a while.

PKCano
First and foremost, thank you for all you do for us.

You do not have KB4022722 on your download list for Group B for June’s Security Only Quality Updates.
I downloaded the one you have listed but realized while it was downloading it was for Windows 8.1 64bit, not Windows 7 64 bit.

Are you not recommending KB4022722?

Windows 7 64 bit SP1 Windows Server 2008 R2 Group B

Also,  I’m considering seriously of going to group A in July.
Is there a thread that has all the instructions on how to go about doing that?
Or is it just a matter of downloading the group A rollup or…
am I in denial and it won’t be that simple. (sigh)

dgreen wrote:

Also,  I’m considering seriously of going to group A in July.
Is there a thread that has all the instructions on how to go about doing that?
Or is it just a matter of downloading the group A rollup or…
am I in denial and it won’t be that simple. (sigh)

Just use Windows Update and install the rollups for Windows, .NET Framework and all updates for Office if you use Office products. You should also install all older updates which are offered.
It is recommended for best experience and to get all enhancements released to date to check the box which says to show the Recommended updates as Important, but even if you don’t, you are still considered in Group A.

Please avoid installing KB971033.
I discussed this recommendation in another thread.

Note: If you hid updates in the past, unhide everything now, or better reset the Windows Update database to start clean, following instructions posted here before.

1 user thanked author for this post.

dgreen

ch100 wrote:

dgreen wrote:

Also, I’m considering seriously of going to group A in July. Is there a thread that has all the instructions on how to go about doing that? Or is it just a matter of downloading the group A rollup or… am I in denial and it won’t be that simple. (sigh)

Just use Windows Update and install the rollups for Windows, .NET Framework and all updates for Office if you use Office products. You should also install all older updates which are offered. It is recommended for best experience and to get all enhancements released to date to check the box which says to show the Recommended updates as Important, but even if you don’t, you are still considered in Group A. Please avoid installing KB971033. I discussed this recommendation in another thread. Note: If you hid updates in the past, unhide everything now, or better reset the Windows Update database to start clean, following instructions posted here before.

ch100
I purchased the computer in October 2013 from Staples.
It came with Windows 7 64 bit SP1 Home Premium Windows Server 2008 R2 x64 installed.

KB971033 was already installed (10/13/13).
A little leery about uninstalling this as I thought this proved I had a “genuine” windows 7.
I do not use Office.
A couple of weeks ago  I unhid all the updates and caught up on all the “security” updates dating back to 2014.
Other then Silverlight, these are the ones I have kept hidden.
The other updates that are unhidden are the previews and optional updates, which are in italic and unchecked.  I didn’t think I needed to install them.

 

If KB971033 was installed for such a long time and has not caused false alerts, then I think it should be left alone as is.

The problem with past hidden updates is that the local database in order to be accurate needs to have corresponding references to Microsoft Update servers. Old updates or faulty updates are often retired and if those retired updates have been previously hidden, they can no longer be unhidden, sitting there orphaned and may or may not cause issues down the track. If you are comfortable with this situation, then you don’t have to do anything. I am not comfortable with this situation and this is why I insist against hiding updates.
Th only easy way to recover and start clean is to remove the local database which is only a cached version of the configuration on Windows Update with supersedence relations, but dynamic, changing all the time when a scan is completed. By removing the local database and the folder structure surrounding it, a new local database would be built and some space would be recovered as older downloads in those folders which are no longer needed would be removed too.

The updates which you see in Italic are those Recommended and I strongly recommend you to install them. By ticking the box which I mentioned in the previous post, you would see them moved in the Important category, no longer under Optional.
But if you don’t want the Recommended updates (non-critical bug fixes or new features), you can live without. Expect some useful functionality to be broken, like Disk Cleanup or other functionality.
I don’t have a recommendation about Optional updates. They are called Optional to be left to the user’s choice. I install them all on Windows 7 (only 5 in fact), except for the Preview ones and those which are likely to move under Recommended which I install then. One such update is the dreaded latest version of KB2952664 which sits now under Optional but will likely move later under Recommended.
In relation to the Recommended updates, it is highly expected that in the next few months, a huge rollup comparable with the so-called SP2 KB3125574 to be released to include most previously released Recommended updates and possible some Optional updates. So you may get them at that time.

Think about SP1. It contains Security, Critical non-security, Recommended, Optional and the less visible hotfixes released until that date. Can you select what to install out off a Service Pack?

Silverlight is a different product which I install, but you don’t have to do the same. Silverlight is not part of Windows, it is an add-on which was supposed to be a competitor for Flash and it didn’t take off except for a very limited market. But now and then I encountered sites which require Silverlight. I don’t see a problem with it, like I don’t see for Flash if it is patched up to date and common-sense browsing is applied.
Hiding Silverlight and updates has the same problem which I mentioned before, as the relevant updates keep changing and you may encounter situations where you cannot manage your own Windows Update, because your cache has become out of sync with what is stored at Microsoft.

1 user thanked author for this post.

dgreen

AKB2000003 has been updated 7/11/2017 – July Group B patches

4 users thanked author for this post.

Pepsiboy, JDeC, samak, HiFlyer

PKCano wrote:

AKB2000003 has been updated 7/11/2017 – July Group B patches

Jul 2017 (IE11) KB 4025333 – Download 32bit or 64bit

IE11 ???

OOOPS! Fixed that mislabel
Thanks

1 user thanked author for this post.

HiFlyer

I just installed KB 4025333 4025337 for Windos 7 (x64). After rebooting my system I got BSOD. Started up in safemode and ran sfc /scannow. Rebooted in normal mode and again BSOD.

In the end I couldn’t fix it so uninstalled KB 4025333 4025337 using wusa cmd. Rebooted in normal mode and all is fine again

Edit: see clarification below

KB 4025333 is for Windows 8.1 not for Windows 7. I think the windows update system should not let you install it in the first place.

Do you mean KB4025337?

1 user thanked author for this post.

Skunk1966

Kirsty wrote:

Do you mean KB4025337?

yes sorry for typo

For Win7 you should be installing KB4025337 (security only) and KB4025252 (IE11).
KB4025333 is a Win8.1 patch.

PKCano wrote:

For Win7 you should be installing KB4025337 (security only) and KB4025252 (IE11). KB4025333 is a Win8.1 patch.

that’s why I apologized for my typo; I meant to mention KB4025337 from the start

Just checking the obvious – you did get the 64bit and not the 32bit, right?

PKCano wrote:

Just checking the obvious – you did get the 64bit and not the 32bit, right?

yes

windows6.1-kb4025337-x64_c013b7fcf3486a0f71c4f58fc361bfdb715c4e94.msu

Basically, that’s the very reason we have the DEFCON system – you have been a Guinea Pig for the rest.
I need the answer to some questions. Then we are going to wait a couple of days and see if there are other similar reports. If so, I may put your problem up on the main blog for comments\suggestions.

Windows home or other?
Hardware: brand & model, laptop/desktop, processor, graphics, age of PC, etc?
Security software: anti-virus, firewall, malware remover, exploit blocker, etc?
Assuming you installed the security-only last month with no problems, have you installed any additional software since then?

Thanks. Will let you know if I find information (or not).

1 user thanked author for this post.

Skunk1966

I have moved discussion of this problem to
https://www.askwoody.com/2017/july-11-security-only-patch-kb4025337-causes-bsod/

Please check this location also

Woody and PKCano – Regarding 2017-07 Security Only Update KB4025337, the MS web page https://support.microsoft.com/en-us/help/4025337/windows-7-update-kb4025337 says the following – what do you think?

After installing the security updates for CVE-2017-8563, administrators need to set registry key LdapEnforceChannelBinding to enable the fix for the CVE. For more information about setting the registry key, see Microsoft Knowledge Base article <u>4034879</u>.

See also  https://support.microsoft.com/en-us/help/4034879/how-to-add-the-ldapenforcechannelbinding-registry-entry .

I have a standalone Dell Optiplex dual-booting Win 7 Pro 64-bit and Win 10 Pro 64-bit.  It is NOT part of a domain – just Workgroup at home.  If I install Security Only Update KB4025337 for my Win 7 64-bit, do I need to change the registry as indicated in these articles?

Thanks.

Home users should not be concerned with LDAP. This caution is directed to network administrators in a business or Enterprise environment.

Personal opinion: I cannot imagine MS issuing an update through Windows Update that requires “Joe User” to edit the Registry when “Joe User” often has updates on Automatic, doesn’t know when they happen, and probably doesn’t know the Registry exists.

This patch implements new functionality which require registry editing only to take advantage of the new features. Without editing, that new functionality is not enabled. It is as simple as that and it is not the first update which implements this sort of thing.
In this specific situation, @pkcano is right, the functionality involved is relevant only to enterprise users.

I could well be wrong, but it seems that the registry edit is for Domain Controllers.  https://support.microsoft.com/en-us/help/4034879/how-to-add-the-ldapenforcechannelbinding-registry-entry

says –

“To help make LDAP authentication over SSL/TLS more secure, administrators can configure the following registry setting on a Domain Controller: ….”

I was browsing to get my laptop updated and saw a comment you had shared, PKCano, back in late May in reply #118127, about the necessity of updating IE11 even if the program is not being used as a browser. Hmmmph – I had never used IE even back while running on Windows XP so when I finally upgraded to Windows 7, I had uninstalled it. So please help:

1. Where can I safely download a clean “unbloated” version of IE11?

2. After install it, where can I find the necessary security-only WUs related to IE11? Are they cummulative or I would need to do a series of ones I’ve missed?

3. Do I need to set any key parameters in IE options for security purposes, even if I will never run the program as a browser?

4. How do I block so that IE is not get started as the browser by any programs/services? Firefox is currently set as the default browser and I have Chrome as secondary.

Many thanks! —DP

I recommend two steps be added to the Group B instructions:

1. Add step to turn off CEIP, just as was recently added to AKB 2000004.

2. Add step “Wash, rinse, repeat” similar to what is in AKB 2000004.

Done 7/30/2017

1 user thanked author for this post.

MrBrian

Group B Aug Security-only patches have been updated Aug 8 on AKB2000003

Cumulative Updates for IE11 have been updated Aug 8 on AKB2000003

2 users thanked author for this post.

walker, JDeC

@PKCano:   I see that it’s too late for me to do the updating I planned.    I intend to get into  Group A, if possible.  Since the we are down to DEFCON 2 again, I am assuming that I should keep it on “NEVER” check for updates.     I only see on new one, the Monthly Quality Rollup (group A), however I’ve never seen ANYTHING about the catalog update instructions for the IE11, and I’m very concerned about that one as well.  Is there a link which refers to the IE11 updates that I can use for guidance?  Thank you for any assistance you may be able to provide.  Wish I could have had the time to get everything updated, however it was impossible.  Once again “thank you” for all of your invaluable help.   🙂

If you are in Group A you do not need the IE11 update because it is part of the Rollup you will be installing through Windows Update.

@PKCano:  Thank you so much for that information!  That is “wonderful”!!  After my last fiascos (when in Group B) attempting the catalog update with the IE11, I felt that I had no opportunity to ever get it updated because of repeated failures.

Thank you, more than words can adequately express!!  I am a “Happy, Happy Camper” !!   🙂   🙂

 

I believe there is also a .NET update for .NET 4.6 and higher this month. KB4035510.

Got coffee?

The .NET updates are not part of Group B patches.
So far, KB4035510 is for manual download only. It has not been delivered through Windows Update.

1 user thanked author for this post.

walker

PKCano and gang – My Win 7 Pro 64-bit shows the following in Belarc Advisor.  I’m Group B.  Do you think I might be missing any updates for .NET?

Microsoft – .NET Framework Version 2.0.50727.5483 (32/64-bit)
Microsoft – .NET Framework Version 3.0.6920.5011 (64-bit)
Microsoft – .NET Framework Version 4.0.41210.0 (32/64-bit)
Microsoft – .NET Framework Version 4.6.1055.0
Microsoft – .NET Framework Version 4.7.2053.0 (32/64-bit)

If I’m missing anything, what do you suggest?  Thanks.

 

Are you concerned about having all the security fixes?

Be sure you have the latest version of Belarc Advisor v8.5c
Run it and allow it to download the update databases. In the upper right corner there is a list of Security patches if you are missing any. (I’ve had some of the older ones say “not applicable to your system”).

2 users thanked author for this post.

HiFlyer, walker

@PKCano:   Is Belarc Advisor v8.5c, safe, for all computers?  I’ve seen it mentioned previously, however just wondering if there have ever been any problems with utilizing it. Win 7, Group A (eventually I hope).

Thank you for your advice on this one, and all of the other expert and reliable information you provide.  🙂

Belarc Advisor is works on all Windows. It’s very informative.

2 users thanked author for this post.

Steve, walker

@PKCano:  Thank you so much for the guidance and advice on this.   I sincerely appreciate it.  Your expertise is absolutely outstanding!    🙂

I installed security-only KB 4034679 on Windows 7 Ultimate x64 this morning without any problem; after reboot no problems as far as I can tell up until now. Haven’t installed KB 4034733 (ie11 update) yet

The download link to KB4039884 (hotfix for dual monitor bug) has been added to AKB2000003 for those who need it.

Edit: Installing this hotfix has implications. See comments here and here before installing

NOTE: KB4039884 (hotfix for dual monitor bug) has been removed from AKB2000003

The updates listed here are not delivered through Windows Update, but they ARE legitimate updates. They must be downloaded from the Windows Update Catalog and manually installed.
They are for people who want to follow the Group B method of patching – security-only updates for Windows.

We are no Microsoft. We do not catalog all the updates everyone needs for all versions of Windows.

Please read AKB2000003 and AKB2000004 to see what this topic is about. Also, AKB2952664 will give you information about telemetry, which is one of the things Group B is avoiding.

For those of you in Group B – AKB2000003 has now been updated for September.

Please see September 2017 Group B security only patches for windows 7/8-1

Edit to add link and note update

2 users thanked author for this post.

dpwoodpecker, Elly

(My apologies if this is a duplicate since I don’t see my original post added.)

I’m in Group B and have just installed all security-only 64-bit Window 7 WUs given in this fabulous article. I have also left one checked box marked checked “Security and Quality Rollup for .Net Framework” and installed it along with checked boxes marked “security updates for Office 2007” (except ones for parts of the suites I didn’t install such as Power Point).

I was double-checking the installed updates list after yesterday’s updates and see that the .Net updates are all for 32-bit whereas my computer OS is Windows 7 Pro  SP1 (64-bit). I cannot remember whether the checked box for .Net update specifically stated the bit edition but for sure the Office 2007 ones didn’t specify the bit edition. I’ve attached snip tool screen shots of the installed updates filtered with ’32-bit’ text.

Please help: 1) do I first uninstall these 32-bit updates (at least those installed yesterday, both the .Net and for Office 2007)? 2) manually download and install the 64-bit editions of the .Net updates for installed frameworks?  and 3) where can I find the 64-bit versions for the 2007 Office to manually download?

Any help anyone can give soon is much appreciated. —DP

Edit to remove HTML
Please convert the Word document to plain text before cut\paste.
The HTML makes a MESS!

@dpwoodpecker

64-bit computers can run 32-bit applications. Most Office 2007 installations are 32-bit.

Windows Update is smarter than you are – it installed the right thing. If you try to download and install 64-bit where it installed 32-bit, it will simply tell you that it is not applicable.

The OS is 64-bit, but all the applications may not be 64-bit. When you download updates for Windows (Security-only Update and IE Cumulative Update) they should be 64-bit, but Office and .NET are not Windows.

You should be fine if you used Windows Update for everything except the Security-only Update and the IE Cumulative Update.

1 user thanked author for this post.

dpwoodpecker

Windows users (especially Group B) may be missing Microsoft security updates! (due especially to monthly rollups superseding some security-related updates from before October 2016)

why here is not a list of legitimate updates for windows 7?

 

and btw I have an account at askwoody

but I can’t get my password

and I forgot password option is not working

the email I registered with is ” win7forever2017@gmail.com

ok here is my idea

since there is not a list of KB’s that are ok to install

my intention is to basically download them one by one around 166 updates

without the telemetry and snooping updates

so the question is how I should chronologically installed ?

I assumed from the year up to present year?

I know it will take forever but here is the thing

if I’m doing this then I don’t have to worry about microsoft drop the support of windows 7

since I have all windows 7 updates saved on my secondary SSD

however I love this askwoody web

but it would be more simple for everyone

to have a full list of win7 updates that are ok to install

just saying…!!!

PKCano, are you going to update AKB 2000003 to show the Sept 2017 “Group B” monthly updates?  I understand Woody’s website and comments (bbPress) section were down for extended periods here in September but now everything appears to be returning to normal.    Woody’s blog entry “September Security patches for Windows and Office are out”, posted on September 12th, does show you (PKCano) advise KB4038779 is the Win 7 Security Only Quality update and KB4038793 is the Win 8 Security Only Quality update.

Please stop the emails!

 

5th attempt to unsubscribe from this thread.

Every time I see this thread, it shows Login at the top. I login and it says I’m already logged in.

Then I come to this thread – again and it shows Login rather than Logout.

There is no unsubscribe link at the bottom until I submit my post. All I see is a P on the left and a submit button on the right.

I have to say this is the weirdest forum software I’ve encountered.

After I submit the reply, I can edit and unsubscribe – again because I get a pink error box that says Error: Are you sure you wanted to do that?

Got coffee?

this is totally crazy

now I have to worry that Microsoft is handicapping Windows 7 on purpose in order to force me to upgrade ?!

that’s it I’m jumping on Linux right now

Tues, Oct 10, 2017

Group B Security-only patches have been updated at AKB2000003

2 users thanked author for this post.

Pepsiboy, grams

Important: Group B – Win7/8.1 “Missing” updates, Hiding Rollups, Security-only patches

The other day this came to my attention after perusing the innerwebs for CEIP info.

https://www.tenforums.com/performance-maintenance/16962-ceip-rundll32-exe-high-cpu-use-win-10-a.html#post346300

How does this relate to action center settings of other versions of windows like Win 7 or 8?  Or is it purely a Win 10 tweak and/or a high CPU phenomenon?

Am curious because those settings in my task scheduler are not disabled.

Win 8.1 (home & pro) Group B, W10/11 Avoider, Linux Dabbler

Personal settings:
On my computers, I have all tasks disabled under Application Experience, Autochk, and CEIP.
Understand that these is some of the setting I use to reduce telemetry – not necessarily a recommended list for anyone else.

1 user thanked author for this post.

Purg2

Interesting, I see what you mean about personal preferences & whatnot.  I get the impression that this could go a number of different ways.  Basically not something for general use or something I might’ve missed.  Thanks PK.

Win 8.1 (home & pro) Group B, W10/11 Avoider, Linux Dabbler

Thanks for the (safe) November updates. Thanks all the updates all the time!

My Win 7 and 8.1 machines have not been updated for over a year (it is now 1 Jan 2018), mostly for fear of bad patches.  @PKCano’s very helpful guide in KB2000003 (complete with download links(!) has made success possible.

Thank you!

Today on my 8.1 I completed installation of every patch listed in KB2000003.  All good so far.

I have questions.  These are about stopping Microsoft Update Service:
Purpose – to minimize search time during installation?
Apply To: all files in current List, including non-Security-Only (such as 4055038 dot matrix fix)?

Thanks for your help.

Yes, stop the Windows Update service before manual install to reduce search time. Disconnecting from the Internet can also help.

Install the Security Only patches (best in chronological order) and last the most recent IE11 patch (they are cumulative, so you need only the latest). You do not need to reboot between patches.

1 user thanked author for this post.

SeaYawl

“I have questions.  These are about stopping Microsoft Update Service”

I have several comments about this in Turn off Windows Update if you want to force-feed individual patches.

1 user thanked author for this post.

SeaYawl

What does “search time during installation” mean (Please don’t answer this in earnest)? The only way to drag out search time is to have Windows Update perform a search online, which you’re likely not to. Moreover, the Windows Update Service running is a prerequisite for installing .msu files. If stopped, applying any .msu file will restart it – of course without increasing search time.

With regard to installation of Security Only Updates, stopping the Windows Update Service is a useless practice.

1 user thanked author for this post.

SeaYawl

“Moreover, the Windows Update Service running is a prerequisite for installing .msu files.”

This is correct, but nonetheless stopping the Windows Update Service can speed things up because doing so stops previous Windows Update activities. It seems that Windows Update can do only one “job” at a time. However, I think that stopping the Windows Update Service should not be done in this context because doing so might cause problems.

2 users thanked author for this post.

SeaYawl, Cascadian

Whew! OK – How to manage Windows Update (WU) service while installing stand-alone updates is an unresolved issue.

The good news about healthy differing opinions is that I can choose my own path.

MrBrian pointed me to this link: Turn off Windows Update if you want to force-feed individual patches.

If I synthesize comments from MrBrian, Woody, ch100, DougCuk, I get the following:

• If an internet connection is available, the stand-alone update will activate WU to check with the MS Update servers. However, this communication is a waste of time, because the stand-alone update runs by itself without running WU.
• The stand-alone update will not activate WU if the internet is not connected.
• Also, the stand-alone update will not activate WU if “never check for updates” is selected.

I will go with my WU always set to “never check …” because it is easier than stopping Windows Update service, and disconnecting the internet.

Thank you all!

Here is a reason why one might want to be connected to the internet while installing a .msu.

I think the best practice for installing .msu files might be:

1. Set Windows Update to “never check […]”.

2. Restart computer.

3. Be connected to internet.

4. Install .msu files.

2 users thanked author for this post.

SeaYawl, Elly

If it’s true that stopping the Windows Update service can cause issues, another question is whether restarting the computer might also cause those same issues. The safest thing to do before installing a .msu might be to do nothing extra, which lets any ongoing Windows Update operations complete.

1 user thanked author for this post.

SeaYawl

8.1 x64
The Keep It Simple Option

I like it because it is simple. All that pointing and clicking to stop Windows Update service, for every manually uploaded file.. disconnecting the internet connection…

Microsoft Tech Net – The Windows Servicing Guy says “¬¬¬¬What is going on there is we’re checking the package to make sure it’s complete and pulling down any deltas that might be needed for the fix to your \SoftwareDistribution folder. Deltas are smaller packages that might be needed for the update to work properly.”

There it is. Per official (am I wrong about “official”?) Microsoft source, msu updates are designed to communicate over the internet.

Blocking that communication may shorten process time, but compromise fidelity of the update.

MrBrian’s Keep It Simple option suggests that setting update schedule to “never check for updates..” does not block necessary msu communication over the internet.

My Guess: Microsoft Windows is big and complicated. It tries to provide good service. It will do what it needs to do. OK you don’t want to be notified of updates (“never check..”); fine – we won’t notify you. You want updates? Due to variables, we need to have a conversation with your machine, to send you the right “deltas.”

Stuff goes bump in the night, lost in the ether. Woody helps us identify problem updates. AskWoody.com brings together a terrific community of helpful enthusiasm for the problem solving process. All is well.

In the meantime, I am inclined to take the simplest path possible, to see how that works out.

SY

In the tests that I did in the topic that I referenced, when there was no previous Window Update activity in progress when I installed various .msu files (including some large-sized .msu files), there were zero occasions in which there was a large delay before the .msu started to install. Also, when there was Windows Update activity in progress when I installed various .msu files, every time the .msu would not begin to install until the previous Windows Update activity finished. I welcome more tests by others.

2 users thanked author for this post.

walker, SeaYawl

8.1 x64
Windows Update Activity Indicator

What indicates that my Windows Update is active, or not?

Is the indicator the same for all Windows Update categories of activity?
• manual update from .msu file?
• checking over the internet for automatic updates (if I am not set to “never check…”)?
• performing a “Check for updates” that I have requested?
• other?

Thanks! SY

What I did to have previous Windows Update activity in my tests was manually start a Windows Update check for updates, and, while that was ongoing, try to install a .msu.

2 users thanked author for this post.

walker, SeaYawl

8.1 x64
Hide Update

I have manually installed all (Patchocalypse to 2 Jan 2018) Security-Only patches per PKCano KB2000003 (Thank you PK!). Remaining to install are the hundred or more updates that Windows Update thinks I should have.

If I understand correctly, the Hide Update function will block permanently (or until I un-hide) any update that I designate. It sounds handy for automatically watching out for telemetries and other known unfriendly updates. Must they be caught at the border, crossing from Microsoft Update onto my computer, in order to be added to the Hide Update function?

1. Is Hide Update a viable way to permanently block unfriendly updates?

2. Is there a way to preemptively add unfriendly updates to my Hide Update function before they show up at my border (surely there’s an app)?

3. Apparently individuals maintain lists of unwanted updates, and presumably check each new batch of updates against their list. If this is how it is done, must the list be re-invented for each computer? Where do I find source information for identifying bad patches back to, say, Patchocalypse?

SY

Hiding patches: they stay hidden until you restore them (which can be done on an individual basis by checking), or until you reset the Win Update datastore (at which time all hiden patches are restored).

There is information about the telemetry patches at the top of AKB2000003. They are pre-Patchoclypse (Oct 2016). You can hide whatever patches before that date you please. But after Oct 2016, everything is in bunches you can’t separate. The Monthly Rollup has three components – non-security, security, and IE cumulative. If you do Group B (security only) you need two of the patches (AKB2000003) but you do not get the non-security component. Group A adds the whole she-bang (Rollup). If you are in Group B, you should hide all the Monthly Rollups successively back to Oct 2016 (if the Rollups supersede other updates you won’t see the others until the Rollups are hidden) to be sure you get all the updates you need, and continue to hide them each month.

At this point, there is very little choice for hiding things you don’t want (unless they are older) because you can’t separate anything out. No way to hide them before they show up in Win Update.

You mean hiding updates programmatically?

You may be interested in this topic: New directions for Win 7 and 8.1 patching.

8.1 x64 Group B
Thank You For Responses

Roger your test methods and results revealing ways users can generate long delays before an msu file begins to update. Very helpful. It appears we have found that the enemy is sometimes us. Early on one could update and close a DOS file without saving, and all that work would be lost in an instant. We have been coddled since then. As we now dig deeper under the Windows hood, maybe there be alligators there.

Please disregard post: Windows Update Activity Indicator. I understand the concept. I’ll work it and gain experience.

Yes. Hiding updates programmatically is what I had in mind. At this point I know only about the right-click over each individual patch. I’ll read “New directions for Win 7 and 8.1 patching.”

Hiding patches: I’ve worked through the Security-Only and IE11 Cumulative listed in KB3000002. It went well. Also checked telemetries. Now I need to step into the unknown of 61 patches that Windows Update offers – in the first wave. I am vaguely aware that unfriendly updates may be included; also aware that many are useful and appropriate to have. I’ll hide monthly rollups. Then I’ll delve into the details of what’s left and come back with more questions.

Thank you all for so much great help.

I’m in transit for several days; will get back when I can.

SY

Hiding updates can be done programmatically. For example, see Windows Update PowerShell Module.

8.1 x64 Group B
Telemetry Patches: Uninstalled Patch Came Back

Among my previously installed updates, I Identified and uninstalled 2 of the 5 telemetry patches listed in KB2000003.

KB2976978 came back! – but now without the “Uninstall” link available under “Uninstall an update.” Further exploring revealed many other patches without the Uninstall link available.

My best recollection: At the time, I was somewhere mid-process in my first foray into Group B Security-Only updating (of every update Patchocalypse to 2 Jan 2018), when I decided to seek and destroy telemetry patches. Identified patches went away without issue. Later, on checking again for telemetries, I discovered the returned patch.

Are missing Uninstall links common or unusual? How can I uninstall the returned telemetry patch?

Thanks! SY

Hello, SeaYawl…

From previous comments you said you hadn’t updated for over a year, but didn’t specify how you had been updating prior to that…

It looks to me that your previous updating had already installed the update, which was from July 2016, but was last updated November 2017. You probably uninstalled the update, which left the earlier one…

As far as I know you have two options to get rid of it entirely since the uninstall option isn’t there…

One is to use System Restore with a restore date before July 2016 (or whenever you actually installed it… check history).

One is to save all your data on a separate disk, and do a clean reinstall, and update from scratch.

You might  still be able to live with it installed, if you are comfortable disabling CEIP. Some of the MVPs actually recommend this. Even Woody doesn’t see Group B updating as working for the majority of people. Noel recommends Windows10FirewallControl to stop unwanted telemetry and although it takes a little time to set up, it works smoothly after that… but the paid version is required to stop Microsoft. It gives a lot of comfort to know what is communicating where, and that I can stop unnecessary chatter…

I could be wrong, maybe someone who knows more could correct me.

I’m not suddenly a techy person, but have researched more than those around me, and have had to deal with computers from friends and family, in various states of updating and OS versions, and problems.

Rather than research everything they have and haven’t done, I’ve found it easier to do a clean reinstall. Gave me the shivers the first time I did it, but the options were something they couldn’t get to work right anyways, or take our chances. It went smoothly, but you have to go step by step. Just remember that for your data to be properly backed up, you need three copies… it could be cloud, USB, or external disk… but when you are doing a clean reinstall, the data on your hard drive is no longer one of those copies. Having three copies, on different media, mitigates against not being able to restore it from any one source. I like doing a clean reinstall… updating to the specs of the people using it (educating them on their choices)… and then doing an image of the drive to make it easier to return to an already updated version later, if there is a problem… then returning the data. We also look at what programs and apps they are using and don’t install the things that they don’t use. I make sure that the programs essential to what they do on the computer are there, and updated. It is amazing how much c*** that isn’t needed gets onto computers over time. The end experience is that they find their computer working better than ever… happy one, and all. I always have this feeling of dred that their computer will die on me, but that has never happened. I tend not to put hands on unless their choice is to fix or abandon it altogether… and make it clear that although I can follow these steps, I’m not an expert!

Hopefully your adventures in updating will be successful.

Non-techy Win 10 Pro and Linux Mint experimenter

Uninstalling ‘uninstallable’ Windows Updates

2 users thanked author for this post.

walker, Elly

Two pieces of information:

If the Win8.1 was done from the later ISO (not original issue), KB2976978 was part of that install and supposedly cannot be removed (though some claim it can with PowerShell). There has been discussion of this several times on this site – try searching (link on right of main blog).

Second, KB2976978 has been issued numerous times by MS. Even they have the same KB number, they are different versions. And some are optional and some recommended (also different). You have to remove ALL of them. Removing the latest lets the one it superseded show back up. So uninstall, then uninstall…. Or you can use PowerShell to search for all versions and make a batch commane to remove them – have to name all the versions, I think. What a pain!!!

2 users thanked author for this post.

walker, Elly

@PKCano:  It has taken me “forever” just to try to get to the “reply” function, however I think my question is relevant because it is so difficult to for me keep up with all of the various messages which apply sometimes to Group A as well as Group B.

I cannot keep up with both groups and since I am only Group A,  I would appreciate your advice on this question.   If I limit my self to only reviewing the Group A postings, it would make it much easier for me.   Does this sound plausible under the circumstances?   I also find that many users in Group B, are very computer literate whereas I am not.

Thank you for all of your many, very helpful postings to various subjects.   Your expertise is sincerely appreciated by all of us who depend upon your outstanding knowledge.   Thank you once again.    🙂

walker wrote:

I cannot keep up with both groups and since I am only Group A, I would appreciate your advice on this question. If I limit my self to only reviewing the Group A postings, it would make it much easier for me. Does this sound plausible under the circumstances?

Very much so. You shouldn’t have to worry about anything related to Group B updating.

1 user thanked author for this post.

walker

@PKCano:   I cannot say “thank you” enough for your wonderful reply!   This will be so much help, I am ecstatic!    🙂

You are one of our most experienced, and knowledgeable leaders on this website, and I thank you more than words can ever adequately express.     Thank you for being one of our ‘BRIGHTEST STARS”!      🙂  🙂

All here – I moved our two important SOHO Win 7 Pro 64-bit machines from Group B to Group A two months ago.  However, each month after Patch Tuesday, while waiting for Woody to give a Defcon 3 or better for the full roll-up Group A updates, I sometimes install PKCano’s Group B security-only updates (Win 7 and IE 11) just to do the security patching.  (Later, when Woody gives a Defcon3 or better for the Group A roll-ups, I let WU-MU do its thing.)

Now, Jan 14, 2018, before I install them, is anyone having problems with PKCano’s most recent security-only updates for Win 7 Pro 64-bit on his KB 2000003 ?

Thanks.

1 user thanked author for this post.

HiFlyer

glnz wrote:

Now, Jan 14, 2018, before I install them, is anyone having problems with PKCano’s most recent security-only updates for Win 7 Pro 64-bit on his KB 2000003 ?

The answer is yes, people are having problems. You should hold off installing the SO this month. The SO patch for Win7 has been reissued twice – original and two revisions. There are BSODs in some computers with ADM processors and/or video cards after installation. In addition, your anti-virus has to set a Registry key to signify it is in compliance with the patches – without the key you will not be offered Rollup or .NET updates in Windows Update (if you see the Rollup in WU, it is an indication that the key is set).

WAIT for Woody and DEFCON 3 this time.

1 user thanked author for this post.

HiFlyer

Thanks again, PKCano!  I’ll wait for our two important machines.

(FYI – I ran your two SOs on a third Win 7 Pro 64-bit machine and have no problems, but it’s a different model Dell Optiplex that I barely use, and so I won’t chance it on our two important ones.)

PKCano – still hold off on this month’s SO updates for Win 7 Pro 64-bit?  If you say yes, then I continue waiting.  Thanks.

WAIT till the DEFCON number is 3 or above.
Several of the older patches have had revisions. The newer patches haven’t been out long enough to be vetted. Things are a mess.

Woody will sort things out when the time comes and let us know what to install and where the pitfalls lie.

PKCano – still holding off on the SO updates for Win 7 Pro 64-bit?

(Wow – it will be March before we can finally install the ones for Jan!)

Thanks.

 

It’s Jan 23, and there’s still a big orange “2” at the top of the page!

PKCano – And now it’s Feb. 2 !!

My Win 7 Pro 64-bit machines are all Dell Optiplexes with Intel CPUs.  One of them has an nVidia graphics card – the others not.

Still hold off with the SO updates?  Thanks.

If I’m not mistaken, as of 2/2/2018 there is still a BIG 2 at the top of this page.

3 users thanked author for this post.

SueW, HiFlyer, JDeC

? says:

PKCano, have you updated XP? I put on KB4056615 (EOP Kernel API) and KB4056914 (ATMF.dll) however, the KB4054178 (.Net 2.0) KB4055229 (.Net 3.0), and KB4054173 (.Net 4.0) all failed using Microsoft update and from the catalog as stand-alones as well. Any ideas? This installation has .Net 1.1 through .Net 4.0 Client profile. I scanned MSFN to see what they said and it looks like the January .Net patches went in for them.

Thank you!

.Net 2 KB4054178 and .NET 3 KB4055229 installed without problem 1/14.

? says:

Thank you,

must be operator error over here, i’ll give them another try

? says:

i ended up ripping out .Net from v1 to v4 client profile as it would not respond to the .Net repair tool. i used Aaron Stebner’s .Net Framework Cleanup tool. probably don’t need any .Net at this late stage of the game. i also had KB4019276 (Update to add TLS 1.1 and 1.2…) in updates that adds TLS v1.1 and TLS v1.2 to IE8, at least in the registry and Internet Options advanced panel. no cyphers, yet to make it run.

Thank you, PKCano!

Seeking clarification please. I’m running Windows 7 SP1 and in Group B. My PC has an Intel processor. Regarding the security only updates for January 2018, I don’t need to install KB4073578. Correct?

See @MrBrian ‘s comment here

PKCano, mrbrian….

Maybe stupid question: Win7,Group B, IE fix install anyway, but concerning 01-2018 SecuOnly (KB4056897) and “unbootable AMD state” (KB4073578)

… according MS supp site and MS catalogue, those KBs are not replaced or replacing others.

But, isnt it interesting, those KBs have the same size – 36,2M x68 and 66.9 x64?

This sounds to me like KB4073578 is just “secu only 01-2018 version 2”, is replacing ver.1 (KB4056897) with some AMD related updates and the ONLY reason, it is not re-realased under original KB number is to make it more understandable for plenty upset people calling to support or to NOT officially admit – the GroupA needs (group B) secuOnly patch to prevent AMD problems and in general to avoid widely known existence of Secu only idea…

… just asking

anonymous wrote:

… according MS supp site and MS catalogue, those KBs are not replaced or replacing others. But, isnt it interesting, those KBs have the same size – 36,2M x68 and 66.9 x64?

@MrBrian did an analysis of the files in order to make the call on these Updates.

And see @abbodi86 ‘s comments here in post #165392

1 user thanked author for this post.

MrBrian

Woody created this topic that contains PKCano’s and my advice for the January 2018 updates.

PKCano wrote:

See @mrbrian ‘s comment here

I clicked on the link provided, and instead of taking me to the referenced post, I was taken to the first page of the topic and had to wade back and forth through pages and pages of posts trying to hone in on the page that contained the referenced post. Is that a result of the new system for displaying topic discussions?

Now for my original questions: if one were to install KB4073578, does it need to be installed before the regular Group B January patches, and should one reboot after doing the former and before proceeding to the latter?

 

Keep Running Windows 7 Safely for Years to Come  
Make Windows 10 look and work like Windows 7

1 user thanked author for this post.

HiFlyer

Cybertooth wrote:

I clicked on the link provided, and instead of taking me to the referenced post, I was taken to the first page of the topic and had to wade back and forth through pages and pages of posts trying to hone in on the page that contained the referenced post. Is that a result of the new system for displaying topic discussions?

Yes, that’s because threading was turned off. Links prior had only the post #. Links after have an additional “page #” in the URL. So links before (ALL of them unfortunately) are no longer valid. See the blog post about threading.

Cybertooth wrote:

Now for my original questions: if one were to install KB4073578, does it need to be installed before the regular Group B January patches, and should one reboot after doing the former and before proceeding to the latter?

Install KB4073578 in place of KB4056897 then KB4056568 (IE11) – you don have to reboot between. See @MrBrian ‘s comments here in #165666 and the one below.

1 user thanked author for this post.

Cybertooth

Cybertooth wrote:

I clicked on the link provided, and instead of taking me to the referenced post, I was taken to the first page of the topic and had to wade back and forth through pages and pages of posts trying to hone in on the page that contained the referenced post. Is that a result of the new system for displaying topic discussions?

Now for my original questions: if one were to install KB4073578, does it need to be installed before the regular Group B January patches, and should one reboot after doing the former and before proceeding to the latter?

First question: yes.

Second question: The order probably doesn’t matter, but to be on the safe side, I would install KB4073578 first. No reboot should be needed in between installing KB4073578 and the other update(s).

1 user thanked author for this post.

Cybertooth

I refer to the list of security only updates for Windows 7 in Topic 2000003 for Group B. The recent discussion about which of KB4056897 or KB4073578 in the January 2018 updates should be installed prompted me to review all the security only updates that I have installed since October 2016. The result is as follows.

Leaving aside the January 2018 updates, which I have not installed yet, I have in fact installed every single security only update since October 2016 EXCEPT KB4055038 in the November 2017 updates. In Topic 2000003, this update is described as “fix for dot matrix printers”. Furthermore, the KB4055038 article states “This update addresses an issue that prevents some Epson SIDM (Dot Matrix) and TM (POS) printers from printing on x86-based and x64-based systems.” and that the update affects, amongst others, KB4048960, which is the November 2017 security only update for Windows 7.

Now, I don’t have access to a dot matrix printer, which is probably the reason why I made the decision not to install KB4055038. My first question is, should I have installed it anyway?

Now, suppose, for the sake of completeness, I wanted to install KB4055038 after having installed the December 2017 security only updates, could I simply install it now? Or would I have to uninstall the December 2017 security only updates first, then install KB4055038, and finally reinstall the December 2017 security only updates?

TonyC wrote:

Now, I don’t have access to a dot matrix printer, which is probably the reason why I made the decision not to install KB4055038. My first question is, should I have installed it anyway?

TonyC wrote:

Now, suppose, for the sake of completeness, I wanted to install KB4055038 after having installed the December 2017 security only updates, could I simply install it now?

The security-only updates are not cumulative – each is stand alone. so you can install any of them whenever.
The one you did not install may contain other fixes beside the dot matrix printer problem. That problem was stressed b/c it was caused by a previous patch and was the most prominent fix.

1 user thanked author for this post.

TonyC

PKCano wrote:

The security-only updates are not cumulative – each is stand alone. so you can install any of them whenever.

Hmmm, now I thought it was the other way round. Because the security only updates are not cumulative, you have to install them in date order – first the October 2016 update, then the November 2016 update, and so on. (PS. I am aware that the IE11 updates are cumulative.)

PKCano wrote:

The one you did not install may contain other fixes beside the dot matrix printer problem. That problem was stressed b/c it was caused by a previous patch and was the most prominent fix.

Yes, I appreciate that point, particularly after the recent discussion regarding KB4056897 and KB4073578. The Microsoft documentation concerning these two updates is appalling in my opinion.

However, the KB4055038 article does explicitly state that it addresses “an issue”, that is ONE issue, and, apparently, only one file, namely Win32k.sys, is affected. Suppose the December 2017 security only update for Windows, KB4054521, had replaced Win32k.sys. If I were now to install KB4055038, wouldn’t that undo the change made by the December 2017 update?

TonyC wrote:

Hmmm, now I thought it was the other way round. Because the security only updates are not cumulative, you have to install them in date order – first the October 2016 update, then the November 2016 update, and so on. (PS. I am aware that the IE11 updates are cumulative.)

Windows servicing is “smart” enough to not replace newer files with older files.

1 user thanked author for this post.

TonyC

TonyC wrote:

If I were now to install KB4055038, wouldn’t that undo the change made by the December 2017 update?

The installation process takes into consideration file metadata and issue date. If a file supersedes an earlier one, it will over-write. If the existing supersedes, it will not.

1 user thanked author for this post.

TonyC

MrBrian wrote:

Windows servicing is “smart” enough to not replace newer files with older files.

PKCano wrote:

The installation process takes into consideration file metadata and issue date. If a file supersedes an earlier one, it will over-write. If the existing supersedes, it will not.

My thanks to you both. I didn’t know what you have just told me.

However, I am still trying to reconcile what you have just told me with the information in the following paragraph in Topic 2000003:

“Group B” Security-Only patches are not cumulative. In order to be protected, you must install all of them. Every. Single. One. By hand. More than that, you have to install them in chronological order — the October patch, followed by the November patch, followed by the December patch, and so on.

KB4055038 is a November 2017 patch and so, according to the quoted paragraph, it should be installed before the December 2017 patches, not any time afterwards. Or does the quoted paragraph refer only to the security only updates to Windows?

More than that, you have to install them in chronological order — the October patch, followed by the November patch, followed by the December patch, and so on.

You can skip that part

PKCano wrote:

You can skip that part

Well, if that sentence in Topic 2000003 is inaccurate, shouldn’t it be changed or deleted?

PKCano – Although we’re in Group A for my wife’s important SOHO Win 7 Pro 64-bit machine, I sometimes install your Security Only Group B patches while we wait for Defcon 3 for the big Group A patches.

Are the February SOs KB 4074587 and (IE11) KB 4074736 causing problems?  That machine also has Office 2003 (and Excel 2013)

Thanks.

There have been scattered reports, bot no big stand-outs like last month. A hint (not overwhelming) of problems with USB ports – if you have problems, uninstall the SO.

Windows 7. Should one or both of those be used? Meaning just install 4088835 as that is a newer version of 4074736 or only install 4088835 if affected by that issue? Thank you.

Feb 2018 (IE11) KB 4074736
Feb 2018 (IE11) KB 4088835 (released 2/22 fix MS Outlook Web App)

IE11 patches are cumulative – you only need one. KB 4088835 will contain KB 4074736 plus the fix for Outlook Web Apps.

If you are not using the Web Apps, KB 4074736 should be sufficient.
Next month’s IE11 CU will contain all and whatever fixes are for next month.

2 users thanked author for this post.

twbartender, JDeC