(Closed) Comments on AKB 2000003: Ongoing list of "Group B" monthly updates for Win7 and 8.1

Topic

Thanks for writing this @pkcano.

In my (Do Not Install) list I also have KB3022345 -SFC / corrupt files- (later replaced by KB3068708), I wonder whether you should also include this one as well?

http://www.infoworld.com/article/2981947/microsoft-windows/the-truth-about-windows-7-and-81-spy-patches-kb-3068708-3022345-3075249-and-3080149.html

gts

2 users thanked author for this post.

HiFlyer, ch100

Replies

I don’t believe KB3022345 is related to telemetry/snooping, which the list is excluding.
Also, KB3068708 should have superseded KB3022345, which would make excluding the latter unnecessary.

2 users thanked author for this post.

jelson, HiFlyer

At the time KB3022345 reared its ugly head it was put under the banner of “snooping” as well as the corruption it caused after running SFC.

http://sensorstechforum.com/uninstall-windows-update-kb3022345-a-k-a-diagnostics-tracking-service/

I suggested this update because if anyone was to restore to factory or start afresh on their computer it would be better not to install this update as well even though KB3068708 did supersede it not much later. To my recollection 8708 was shipped out a short time later because of the uproar over the corruption error after the lab rats had installed it.

In no way am I telling you how to suck eggs, only penning my (limited) knowledge on these types of updates.

gts

There was a huge list of updates to avoid during the GWX campaign that have since been superseded and/or retired. The above list is current updates that contain telemetry/compatibility that are likely to appear in Windows Update at the present.
If you are doing a clean install of Win7 SP1 you may see some of the older updates. But a clean install is a whole other ballgame not covered here.

3 users thanked author for this post.

Elly, HiFlyer, GoTheSaints

KB3022345 is no longer available, so the clean installs are safe.
See my other answer in this thread, because in fact you raised a valid issue.
KB3022345 should be added to the list, but for other reasons.

2 users thanked author for this post.

GoneToPlaid, walker

I think KB3022345 should be added to your list for Group B users for the sake of consistency.

A bit of background.
KB3022345 is the first in the series continuing with KB3068708 and KB3080149.
Because of KB3022345 was faulty, it was retired and replaced with KB3068708.
KB3022345 is no longer available, but it was not uninstalled from users computers who installed it, only superseded (made inactive) as long as one of the other later patches is installed.
The reason why I say this patch should be added to the list, is that at least in theory, someone could have installed it when available and stopped updating immediately after.
In such a situation, that user would have the Diagtrack service installed and not having the fixed patches released after.
Another situation would be when someone installed in the past all three patches.
When you instruct them to uninstall KB3080149 and KB3068708, then automatically KB3022345 becomes active if installed previously. DiagTrack service would still be there and in the worst case scenario, the user is left with a faulty patch reactivated.

EDIT: added relevant URLs
http://www.infoworld.com/article/2926179/microsoft-windows/microsoft-confirms-patch-kb-3022345-breaks-sfc-scannow.html
http://www.infoworld.com/article/2981947/microsoft-windows/the-truth-about-windows-7-and-81-spy-patches-kb-3068708-3022345-3075249-and-3080149.html

5 users thanked author for this post.

SueW, walker, HiFlyer, Elly, woody

I agree with you analysis that the patch (thus DiagTrack) can be on the computer and that it is a telemetry patch. But we are not considering correcting all the ills GWX imposed by uninstalling patches.

woody wrote:

If you see one of those patches in your list of updates, UNCHECK the box next to the patch, so it won’t be installed.

How likely is this to happen, whether the patch is currently installed or was never installed?

1 user thanked author for this post.

ch100

I think it’s highly unlikely, but it wouldn’t hurt to add KB3022345 to the list. Yes?

2 users thanked author for this post.

HiFlyer, ch100

Go ahead and add it.
But I don’t believe it’s going to show up on WU for people to uncheck.

2 users thanked author for this post.

jelson, ch100

I think we misunderstand each other, while we agree on the issue.
This patch is no longer offered as it is retired by Microsoft.
The issue is if some people installed it in the past and now they uninstall the patches that supersede it KB3068708 and KB3080149, they should go all the way and uninstall KB3022345 as well, only if it was installed.
When an updated patch (KB3068708) is installed, the old one (KB3022345) is not removed, only made inactive, unless the user runs disk cleanup or uninstalls manually.

We are talking about old installations here with hundreds of patches installed and which potentially have KB3022345 since the time when it was available, not about new installs.
It took about 1 month for this patch to be superseded and removed from Microsoft servers, so there is a good chance that some people installed it at the time when it was available, either by ignoring Woody’s recommendations, or by not even knowing that there are such recommendations somewhere on the Internet.

3 users thanked author for this post.

Microfix, Elly, HiFlyer

Thanks for this excellent compilation and guide.

CT

@Woody:

Is it all right to “hide” the January 2017 Security Monthly Quality Rollup for Win 7, x64 since I will never install it, or is it best to just leave it there?   Several “old” updates disappeared (drivers only) so only one of those remains.   All unchecked.  I’ve never seen any directions on what should be done with these “rollup updates” for win 7, when I am in Group B, and will never install them.  Thank you for all of your invaluable help, and the WONDERFUL Defcon 5 rating!     🙂   🙂   🙂

It is best not to hide the updates. Uncheck them before you install. The Jan one will go away when MS releases the next cumulative. (since it will be included in the next one)

4 users thanked author for this post.

Elly, SueW, HiFlyer, walker

@PKCano:    Thank you for responding…..   I was thinking along those lines, however wasn’t sure until I asked you.    Now I can proceed as I thought was proper.

🙂   🙂   🙂

Woody,

I was looking through my installed updates and found KB3021917 (installed 3/3/2015).  If I uninstall that, am I going to cause problems?  I seem to be running fine now.

Thanks, Chip

Hi Chip,
You should be able to uninstall KB3021917 without causing issues.
This article by Martin Brinkmann on ghacks.net may be of assistance to you.

You can uninstall without any worries.

Fractal Design Pop Air * Thermaltake Toughpower GF3 750W * ASUS TUF GAMING B560M-PLUS * Intel Core i9-11900K * 4 x 8 GB G.Skill Aegis DDR4 3600 MHz CL16 * ASRock RX 6800 XT Phantom Gaming 16GB OC * XPG GAMMIX S70 BLADE 1TB * SanDisk Ultra 3D 1TB * Samsung EVO 840 250GB * DVD RW Lite-ON iHAS 124 * Windows 10 Pro 22H2 64-bit Insider * Windows 11 Pro Beta Insider

Uninstall it and it will go away gracefully, like most of the other Windows Updates.
If you are OK with it, there is very little need to uninstall it though.
It is not known to be harmful, only more or less useless.

Question: with those security only monthly patches, would all of them have to be installed one at time (with rebooting I assume) or can one simply install the latest one on the list?

The security-only patches are NOT cumulative. You have to install them one at a time.

So – install the first (earliest date), reboot if asked, install the next, reboot, install the next, reboot…….

1 user thanked author for this post.

Elly

Anon here from yesterday evening about the updates. Another question (which is probably redundant, but…): Does WU have to be enabled in order to download the security updates? I get an error message because I have WU disabled.

You can download the security-only patches from the MS Catalog with Windows Update Service disabled – because it is like downloading any file (music, e-mail, etc).
You can install the updates manually with Windows Update set to “Never check for updates.”

But to install the updates manually you go to Control Panel\Administrative Tools\Services, highlight the Windows Update Service and then click on “Stop” at the top left. You do not “disable” the service. It needs to remain on the normal setting, ie automatic or manual.

EDITed for content

1 user thanked author for this post.

walker

Many thanks for your help. I kind of figured it was that, but I wasn’t too sure about it. I did reset WU to Manual and did set it “stop”.

Links updated 3/14/2017

2 users thanked author for this post.

walker, radosuaf

Thanks for this list.
Sticking to Group B, I guess we should also avoid the Security and Quality Rollup for .NET Framework, so you could also add the Security Only updates to this list.

As of now, there’s only the December one, and it’s for Framework 4.6.2.

Win 7 – KB3205406

Win 8.1 – KB3205410

There is no reason to avoid the .NET updates. They are OK.

The Group B recommendations are to avoid the “Security Monthly Quality ROLLUPS for Windows”, and to download/install the “Security Only Quality UPDATE” and the security patch for IE11.

1 user thanked author for this post.

walker

Links updated 3/23/2017

2 users thanked author for this post.

walker, radosuaf

Are KB 4012212,KB 4012204, KB 4016446  and the net framework patch safe to download/install yet Win7,march 2017

The MS-DEFCON number is still 2 – which means to WAIT. There have been problems with some updates.

Woody will raise the DEFCON number to 3 or above when it is safe to install updates and he will publish instructions at that time.

Hi Guys …. I am in Group B security only am just a little confused regarding the IE ( hotfix) patch KB4016446 and wonder if it is necessary to apply to March Security only – KB4012204 ???

From reading – It seems to be more specific to the March Cumulative IE ( KB4013073 ) version

Hopefully someone can help

Thanks, Rick in Oz

You should find instructions here http://www.infoworld.com/article/3186679/microsoft-windows/update-now-microsoft-unloads-windows-and-office-patches-for-march.html

How did you know that the March 2017 IE Hotfix was available?  Where does MS post that info so smart people like u can tell dumb people like me that it exists?

 

P.S.  Thanks for providing the above info for the 8.1 group B’ers.

Here https://support.microsoft.com/en-us/help/894199/description-of-software-update-services-and-windows-server-update-services-changes-in-content-for-2017

2 users thanked author for this post.

Elly, Goofy

@PK,

Any thoughts on KB3177467? which seems to predate the Oct 2016 patchocalypse.

TIA

KB3177467 is the latest servicing stack for Win7. You should install that update.

Here’s the information https://support.microsoft.com/en-us/help/3177467/servicing-stack-update-for-windows-7-sp1-and-windows-server-2008-r2-sp1-september-20,-2016

It’s a stand-alone update, so will have to be installed by itself.

2 users thanked author for this post.

212louis, walker

Woody,
Well, KB3150513 reared its’ ugly head again this morning on our desktop machine and got HIDDEN again. I manually installed the March Security update and MSRT on both machines. SO FAR, no problems.
Many thanks to all that have helped me keep my sanity with all the MS garbage out there.

Dave

You also need the patch for IE11 (even if you don’t use it). It used to be included in the security patch, but no longer. So there will be two you need each month from now on.  Links to the download are here

https://www.askwoody.com/forums/topic/2000003-ongoing-list-of-group-b-monthly-updates-for-win7-and-8-1/

You should not hide the Monthly ROLLUP. If you uncheck it before doing WU install, it will be UNCHECKED and won’t get installed. Yes, it will come back checked on reboot, but if you leave it like that, it will be replaced by the next month’s ROLLUP. You just have to remember to uncheck the ROLLUP before you do installs.

 

3 users thanked author for this post.

Elly, JDeC, walker

Okay so for manual patches-We just gotta install the 3 for March manually and then scan Windows Update and hide the monthly roll thingy and also any of the KBS to watch out for if I’m correct. I’ll install the updates monday night and then do a scan tuesday night for updates and go from there-On the morning of tuesday and wednesday I’ll do a defragment and such so my computer is fine. 🙂

I like to ensure I get back some MB after doing the updates, but it’s easy to follow. Also it’s good to have this kind of system for looking out for windows versions updates-it’s easier to know which ones to install and not to install.

 

 

@PKCano:       Are the following to be downloaded from the MS Catalog?   It does not indicate what the first one is, however I think it is the March Security Only Update (?).

Mar 2017 KB 4012212 – Download 32-bit or 64-bit

Mar 2017 (IE) KB 4012204 – Download 32-bit or 64-bit
Mar 2017 (IE Hotfix) KB 4016446 – Download 32-bit or 64-bit

I’ve been away from the computer for several days, and it seems there have been a few problems I’ve not read about.   I will keep looking.  Thank you VERY MUCH for everything you have posted.    I hope the list  – – – –  Published 23 March 2017 rev 1.1 – – – is up to date?

Thank you once again for all of your hard work, and help with this monthly “process”.    🙂

walker wrote:

Are the following to be downloaded from the MS Catalog? It does not indicate what the first one is, however I think it is the March Security Only Update (?).

The list is up-to-date. Please note

woody wrote:

Here are the Security-only patches, starting in October 2016, when the “patchocalypse” took effect. Make sure you download and install the version that matches the “bittedness” of your machine.

In addition, there are links for the IE11 patches.
The links for March 32-bit or 64-bit will auto download the update for you.

1 user thanked author for this post.

walker

@PKCano:  Thank you very much for the information….   I’ve gotten behind because of illness and trying to get caught up is difficult, however with your most kind assistance I’m hoping it will all go well.   I am most grateful  🙂

@PKCano:  I could not locate a reference (I thought I saw) to the IE Hotfix  KB4016446.   I thought it stated that unless you had installed another update that you”DID NOT NEED” the KB4016446 Hotfix.

This is referring to the KB4016446, correct?   Thank you for your verification on this one.   Very much appreciated!!  🙂

Edited to remove contend

The reply you are looking for is here
refers to KB4016446

Received “Advanced Micro Devices, Inc driver update for AMD SMBus” today thru Windows Update — Important/Check Marked.  Under the heading, Window 8.1 and later drivers.  Never saw the and later drivers addition before.  Guess this might be needed if I was getting ready to go to Win 10 — *crickets*

 

I wouldn’t install it even if you are getting ready to go to Win10

Will it hurt your system if you install multiple patches before a restart? (such as installing 4012212, 4012204 and 4016446 THEN restarting.)

Install in that order. You may have to re-stop the Windows Update Service in between to keep it from searching for a long time.

1 user thanked author for this post.

Silver_Crow

Hasn’t the problem of updates being partially installed until the next reboot already been solved by changes in Windows?

1 user thanked author for this post.

There is no reference to “partially installed updates” in this thread. The link does not fit this case.

When is it safe to install multiple standalone Windows updates without a reboot?

1 user thanked author for this post.

SueW

Thank you so much!

I just sent a post beginning “I’m confused”.  Now I am even more confused.  I checked the top of the page before submitting the post to ensure that I was logged in.  When I pressed submit, it failed with the message “are you sure you want to do that?” (sounds like something out of a video game!).  I pressed submit again – this time it went OK, but when I checked I found that the message was “awaiting moderation”.  So – checked the top of the page again, to find that I had been logged out.  Is there a time limit involved here?

LH (in case this also gets me logged out).

Dell Precision 3630 w/32 GB RAM, 500 GB (C:), 1 TB (D:)
Window 10 Pro x64
Internet: FTTC (Fibre to the Kerb)

@LH
The easiest place to find the links is in the top post on this page, which is updated each month.

1 user thanked author for this post.

LH

Thanks.  That is in fact where I eventually discovered it.  Actually I was looking for the Microsoft source.

Dell Precision 3630 w/32 GB RAM, 500 GB (C:), 1 TB (D:)
Window 10 Pro x64
Internet: FTTC (Fibre to the Kerb)

1 user thanked author for this post.

Kirsty

Microsoft  Description of Software Update Services
https://support.microsoft.com/en-us/help/894199/description-of-software-update-services-and-windows-server-update-services-changes-in-content-for-2017

1 user thanked author for this post.

LH

Thanks for that.  I had been trying to find the IE update in the MS Update Catalog which is where I expected to find it – but got nothing.

However, I just tried it again and now it’s working ?!?!  I must have been doing it badly before.  Anyway, I’ve got it now.  Thanks.

Dell Precision 3630 w/32 GB RAM, 500 GB (C:), 1 TB (D:)
Window 10 Pro x64
Internet: FTTC (Fibre to the Kerb)

I’m confused (not unusual for me)!  I am on Win7 Group B.  I source patches each month from WU (important Office patches) and MS Update Catalog (Win7 Security Only and .NET patches) – but wait for the all clear before installing.  I completely missed the IE11 patch and subsequent hotfix.  Thanks to your post, I have now downloaded these (but not yet installed).

For my future reference, where are the IE Security Only patches to be found these days?  Not in WU, and I could think of no search parameters that were successful in MS Update Catalog.  I was sure that I had previously found these in earlier months since the October 2016 changes.

Apologies if this has already been answered – I am still finding my way around the new Lounge.

From https://www.askwoody.com/2017/simplified-servicing-for-windows-7-and-windows-8-1-the-latest-improvements/:

“Starting with February 2017, the Security Only update will not include updates for Internet Explorer, but the Monthly Rollup will continue to include updates for Internet Explorer.

In other words, if you’re in Group B, you’ll need to install the Internet Explorer update separately, starting next month. No change for those in Group A.”

I was aware of that.  I just couldn’t find the list of IE patches.  All OK now – see my response to @PKCano above.

Dell Precision 3630 w/32 GB RAM, 500 GB (C:), 1 TB (D:)
Window 10 Pro x64
Internet: FTTC (Fibre to the Kerb)

PKCano. Thanks again for this great entry. I have been gradually doing this for all of you 150 client computers. I’m about 1/2 way done. They were not previously updated since October.

Questions:
Are IE patches and the patches that fixed the patches, safe to install yet?
Are they going to re-issue fixed patches or just leave the mess the way it is?

CT

The IE patches for March are good. You need the hotfix only if your are running Dynamics CRM 2011.

3 users thanked author for this post.

Noel Carboni, HiFlyer, walker

Thanks for clarifying that.

CT

1 user thanked author for this post.

HiFlyer

@PKCano:  My most sincere apologies for overlooking your reply.   I have been seriously ill for almost 3 weeks, and when one is this sick for this long, it affects not only the body but the mind.   I am so humiliated by my faux pas.

I thank you so much for all of the outstanding, hard work you do for all of us on this website.   You deserve a BIG “GOLD STAR” for your exemplary contributions and I don’t know what we would do without you!!    🙂

PKCano, just to update you. I have completed my sweep of my 150 client computers using Oct, Nov, Dec, Jan security only patches. Also the IE patch and all Office patches prior to March. Also .net up to March. You saved me a bunch of time and provided some peace of mind.

Judging from the torrent of WU messes being served up by MS lately, I am not at all certain I will do any more updates.

CT

About these security only updates, where do they come from? Do Microsoft make them and why? I thought they started putting security, telemetry and all that in one single monthly update, why are they making security only updates aswell?

There are two methods of patching Windows.

Microsoft delivers the “Security Monthly Quality ROLLUP for Windows” through Windows Update to the PC. It contains both Security and non-security updates and is cumulative. Cumulative means that this month’s ROLLUP contains the previous month’s ROLLUPS. It is available to all Windows Users.

For those people who do not want the non-security, Microsoft provides the “Security Only Quality UPDATE for Windows.” It contains only the security patches. It is not available through Windows Update. The patches must be downloaded from the Microsoft Update Catalog and manually installed. Because it is easier to find, we provide links to the Catalog for these Security Only UPDATES each month.

In Woody’s terminology, those who install the ROLLUP are in Group A. Those who choose not to install the ROLLUP, but instead manually install the Security Only UPDATE, are called Group B.

5 users thanked author for this post.

Elly, JDeC, HiFlyer, walker, Canadian Tech

I just think it’s weird Microsoft would be kind enough to provide the security only updates when they’re doing everything they can to get people to upgrade to windows 10. I really hope they won’t stop doing this.

It is far from an act of kindness. They are doing it because they have little choice but to provide the support demanded by their large customers. However, this company now has a track record of untrustworthiness.

Don’t be surprised to find patches to security-only updates buried in patches of the other type.

It would be a mistake to assume this continued support.

Couple that with a clear track record of incompetent development of the Windows Updates themselves and it is clear that Updates of Microsoft products is a minefield.

CT

5 users thanked author for this post.

Elly, HiFlyer, walker, Noel Carboni

Could the first post be updated to reflect that info? That the hotfix is only necessary under those conditions.

This will be revised Tuesday (Apr 11) to reflect the April patches. I will add that then.

1 user thanked author for this post.

JDeC

Updated 4/11/2017

NOTICE: The patches for IE11 ARE CUMULATIVE

Edited to add IE11 information

3 users thanked author for this post.

JDeC, walker, Kirsty

We already know that security-only is not really security-only… I keep wondering if I should reinstall clean and join group C/W.

Fractal Design Pop Air * Thermaltake Toughpower GF3 750W * ASUS TUF GAMING B560M-PLUS * Intel Core i9-11900K * 4 x 8 GB G.Skill Aegis DDR4 3600 MHz CL16 * ASRock RX 6800 XT Phantom Gaming 16GB OC * XPG GAMMIX S70 BLADE 1TB * SanDisk Ultra 3D 1TB * Samsung EVO 840 250GB * DVD RW Lite-ON iHAS 124 * Windows 10 Pro 22H2 64-bit Insider * Windows 11 Pro Beta Insider

Apparently this list only contains the “security only quality update” and the IE cumulative security update, but not other security only updates such as the .NET security only update KB4014985 released this month.

I believe the .NET security only update is not included in the “Security only Quality Update”. Therefore I am convinced that for complete Group B patching you have to apply the “Security only Quality Update”, the IE cumulative security update, and the .NET security only update (if there is one). Please correct me if I am wrong about this.

Is there a reason why the .NET security only updates are not included in the list?

Hope for the best. Prepare for the worst.

The .NET updates do not contain the MS telemetry and are considered to be safe for installation (at DEFCON 3 or above) for Group B.

Here is an explanation of the difference between Windows patches and patches for other MS software https://www.askwoody.com/forums/topic/group-b-and-patch-blocklists/#post-106970

PKCano wrote:

Here is an explanation of the difference between Windows patches and patches for other MS software https://www.askwoody.com/forums/topic/group-b-and-patch-blocklists/#post-106970

I see. It will be nice if they can also be listed here for us to download. Anyway, thank you for your answer.

Hope for the best. Prepare for the worst.

To James Bond 007 and PKCano –
Thanks to MS making this very confusing, your valiant efforts here to clarify are still hard for non-techs such as myself to follow. But I’m responsible for keeping my wife’s mini-SOHO as secure as possible, so I’m trying.

This month – April – I have NOT yet installed kb4014985 – which is security only (?) update for the .NETs for Win 7 Pro 64-bit.
However, James Bond 007’s question above seems apt. Should I install this?
PKCano – I think you intend us to wait until you’re at Defcon 3, and today we’re still at Defcon 1, so not yet?

ALSO, I downloaded the installation files from Windows Update Catalog, and it gave me FOUR files, not one. They are:

ndp46-kb4014552-x64_32e1c3af9a27962c93682fc66584803baa729782.exe
ndp46-kb4014558-x64_900b63e9c928af1224ba91e4a0d0a14cceee92f6.exe
windows6.1-kb4014573-x64_12e4991474e5150382f317efd3fcbd8a13090ce5.msu
ndp45-kb4014566-x64_95b57712424a36cac3fc2f27fcc12e4555a80afd.exe

Does that look right?
If I install, is there a particular order to run them?
Thanks again.

You only install the one for the version of .NET you have on your computer. Check which ver you have, then the information you need is here

1 user thanked author for this post.

walker

I’m new here. An old but thankful guy for all the expertise being shared here.

I successfully installed KB4012212 & KB4012204 shown at top of this forum (this was before the Apr additions). I’m using Win7 Pro SP1 64bit.

Having 5 of the 6 offending KB’s, I then went on to uninstall them & included KB3075249 having seen that referenced somewhere herein or elsewhere from a linked reference. I did this from the Control Panel Installed Updates listing. Everything went fine and restarting, whenever prompted, after each one. I reviewed the Installed Update list after each uninstall to verify its removal.

The last one (KB2952664) however is the problem. The Windows response message was the same as for all the others (successfully uninstalled). After the restart and checking the installed update list to verify it’s gone, I discover it is NOT! It remains listed, BUT now shows the then current date of 4/10/2017 as the installed date, NOT the previously shown date of 10/18/2016.

Is this a real issue? Is it readily (easily) solved? How? Thanks.

Yes, it’s a problem and No, it’s not easily solved. KB2952664 has had 23 iterations. When you uninstall one, the next one earlier shows back up. You have to uninstall all of them.

And – you have to keep them from getting reinstalled. In other words, you have to keep hiding them when they show up in Windows Update (the latest one is dated March of this year).

There is a command line uninstall, but you have to have the version number of each one to do it that way.

Edited to correct context

PKCano wrote:

Yes, it’s a problem and No, it’s not easily solved. KB2952664 has had 23 iterations. When you install one, the next one earlier shows back up. 

I think this should read “When you uninstall one…”

Windows 10 Home 22H2, Acer Aspire TC-1660 desktop + LibreOffice, non-techie

1 user thanked author for this post.

PKCano

KB4014661 is Cumulative update right ? that means if i install KB4014661 im no longer need to install KB4016446 and KB4012204 or any other previous released one ?

It is not clear at this point whether the IE11 updates form the Catalog are cumulative. So at this point I would recommend installing  – March first (KB4012204) then April (KB4014661). It won’t hurt anything to do this. When we verify one way or the other, the wording will be changed on AKB2000003.
You only need the hotfix (KB4016446) if you are running CRM 2011.

Update:

PKCano wrote:

Updated 4/11/2017

NOTICE: The patches for IE11 ARE CUMULATIVE

1 user thanked author for this post.

walker

@PKCano:

The MS-DEFCON 1 is what it’s set at now which means we should not install ANYTHING?

I’m up-to-date with March.

I have not checked out the latest “updates”, and haven’t seen anything other that what you posted about  April above (April (KB4014661).   I’m confused (my usual state) so just wondering what is transpiring.

Thank you once again for all of your wonderful help.  It is very much appreciated!  🙂

March updates are OK.
April updates are still on DEFCON 1.

2 users thanked author for this post.

wdburt1, walker

@PKCano:    Thank you for the clarification about the APRIL updates being on MS-DEFCON1.

Is it “safe” to install the April updates you have listed for Win7 (64).  I think there are 2 of them, one the Security Only, and one for the IE.    Is this correct?  Apologies for not understanding.

This is what’s on the list:

Apr 2017 KB 4015546 – Download 32-bit or 64-bit
Apr 2017 (IE11) KB 4014661 – Download 32-bit or 64-bit

Thank you for your clarification with this.   Your help is invaluable to those such as I, who are totally “lost” with some of these things.  Thank you so much for your patience, and your outstanding help.     🙂

 

April updates are on DEFCON1 – that means WAIT until DEFCON number is 3 or above

2 users thanked author for this post.

JDeC, walker

@PKCano:  Thank you SO much for verifying what I thought.  Your help is appreciated more than words can express.  You are indispensable, and highly esteemed by ALL!    🙂

1 user thanked author for this post.

Kirsty

Lifetime Cumulative, or Cumulative only from the new servicing rollup model circa oct-2016 ?

woody wrote:

As of March 1, 2017 there is also a download patch for IE11. The patches for IE11 ARE CUMULATIVE.

The IE updates were a part of the security-only updates until March.
They are cumulative since Oct 2016.

1 user thanked author for this post.

owdrtn

Anonymous from 4/12/2017 @12:35pm here (regarding KB2952664 above)

Thank you PKCano & samak for your responses. I’m most appreciative.

Just so I understand correctly, I’ll keep uninstalling as long as it keeps reappearing. Once it stops appearing, be sure to hide it if/when it shows up in Windows Update.

Just an FYI,

W7 x64, SP1, Chrome browser.

I recently encountered a never before seen MS catalogue “error” while attempting to download the April Security Only Update directly from the catalogue:

“windows update catalog error 8DDD0010”

After some googling around and ending up at the MS Community an answer was offered that allowed the download window to open correctly: Manually inserting https:// in the catalogue address bar in front of the www. Click “All Replies” and go to Page 3.

https://answers.microsoft.com/en-us/ie/forum/ie11-iewindows8_1/windows-update-catalog-error-8ddd0010/ffcd76a1-48d6-432f-a5a7-a2d1084c4efe

 

1 user thanked author for this post.

Elly

The patches for IE11 ARE CUMULATIVE

pkcano – many thanks for this thread!  I am using it to keep safe the two Win 7 Pro 64-bit machines in my wife’s mini-SOHO.  Also my own.

HOWEVER, last month (March), on another thread, two weeks after March Patch Tuesday, I asked whether Woody and you had given the green light to the FULL MS update, and you (I think it was you) said OK.  Then I ran the full update and all is OK on our Win 7 Pro 64-bit machines

In other words, I start in Plan B on Patch Tuesday and follow your list here, then if things look OK two weeks ± later, I go to Plan A.

So, which is the best thread on this forum to ask you two weeks later whether I can install the full update/Plan A (or whether you think there are still problems and I should continue to hold off)?

Thanks again!

When the DEFCON number at the top of the HomePage is 3 or above, Woody posts the instructions for updating and it is safe to install (following his instructions).

1 user thanked author for this post.

walker

glnz wrote:

In other words, I start in Plan B on Patch Tuesday and follow your list here, then if things look OK two weeks ± later, I go to Plan A.

@glnz- Are your Plan A and Plan B referring to updating Group A or Group B? Be aware that these Groups are two different ways of updating your computer, based on your needs and decision. Both Group A and Group B wait for Defcon 3 or above to install patches, but they install different patches. If you have been following the Group B updating of security only patches, and then install the Monthly Rollup for Group A, you have moved to Group A… The monthy rollup is cumulative and includes telemetry that Group B has decided not to install. Waiting to install patches isn’t dependent on Group… it just lets all the bugs be found by others, and hopefully fixed, before you install them, whether you are Group A or B.

So… you would check the Defcon number at the top of the Home page before installing any updates, no matter which group you have chosen. Installing before Woody gives the all clear will ensure your status as an unpaid beta-tester… and finding the possible bugs on your own system!

When Woody gives the all clear, he also does a post on updating for that month, what bugs were discovered and fixed, and links for instructions on updating. For example, the last time Woody cleared the updates was here: https://www.askwoody.com/2017/ms-defcon-3-time-to-get-windows-and-office-patched-but-watch-out-for-these-buggy-critters/

It alerts you to the change… and provides a link to the full instructions. At that time, you can follow the updating instructions for your Windows operating system, and Group choice.

Just waiting two weeks isn’t the same as waiting until it is cleared, although one would hope that the worst bugs are identified and fixed by then.

Some of the people here are technically able, and install the updates right away, and post their findings. If their system gets screwed up, they are able to fix it. So you will see that people are doing this, and reporting no problems, or if they are having problems. That doesn’t mean a non-techy like me will be jumping in and updating… until the all clear is given.

PKCano kindly maintains the list here, for people who have chosen to update via the Group B method, because the security only updates are not available through Windows update.

Forgive me if I have assumed wrong, and you already know all this. I’ve been sensitized to how newcomers to the site don’t understand what is being referred to, having referred many family and friends here, and then having to answer their questions.

Happy and safe computing to you!

 

Non-techy Win 10 Pro and Linux Mint experimenter

4 users thanked author for this post.

SueW, Kirsty, walker, HiFlyer

Thank you for this list. Please Note: ClamWin gave a warning for kb4012204 along the lines of “can’t filter win.exploit something”. What is going on? Have not installed. Not suggesting it is these links. Update: even worse Win.Exploit something 2017 listed for the IE update. Haven’t installed anything since October. Downloading these for a fall-back folder. So, probably a bit behind with all this. Thank you PKCano for this excellent resource. Please note I think ClamWin is a very good AV and I’m not that sure that these are false positives.

The links above are directly to the Microsoft Update Catalog.

1 user thanked author for this post.

JDeC

This is exactly the type of article I am looking for! 😀

Is there a post or thread that contains the direct links for the security only .Net patches like this excellent one for the Windows and IE ones?

I don’t believe there is currently such a page.
This topic was directed at Users who are trying to avoid the telemetry/snooping that MS is installing on Win7/8.1 in like fashion to Win10. Since it is believed that the .NET patches do not carry the telemetry, the cumulative .NET patches are felt to be safe to install.

Check here:

http://www.catalog.update.microsoft.com/Search.aspx?q=KB4014985

 

Dell Precision 3630 w/32 GB RAM, 500 GB (C:), 1 TB (D:)
Window 10 Pro x64
Internet: FTTC (Fibre to the Kerb)

@anonymous #109848
Try this page, which details the information supplied by MS:
https://www.askwoody.com/forums/topic/windows-8-1-which-updates-needed/#post-109895

@pkcano, Request. I have a problem with your posting here. I need to send an email to my clients with a few selected links that you list here. Problem is that this posting is far to complicated to send them to. I need to simply send them the links. This posting does not have the links that I can do that with.

What you post is convenient for users of this site, but not for re-posting. Can you provide the actual links????

CT

If you right-click on the individual link and choose “copy link location,” then paste it into an e-mail, you can send them the individual link to the MS Catalog.

1 user thanked author for this post.

Canadian Tech

Thanks PK. In Windows 7, the selection is Copy shortcut.

CT

@CT
This is because you use IE, while @PKCano provided the same information for Firefox 🙂

@PKCano:  Is the list showing the update information now “up-to-date”?  The only one I see is the one showing published date of April 13th.  Understand there is information on InfoWorld too, and trying to figure all of this out is confusing.    I know I’m okay because I have “Ivy Bridge” or something like that because it was verified a while back.   I see we’re at Defcon 3 now.

Thank you for all of the hard work you do to provide advice to try to keep us “safe”.  You help is definitely outstanding.      🙂

This morning KB4014985 throws an error when you click on “Download”.

Don't take yourself so seriously, no one else does 🙂
All W10 Pro at 22H2,(2 Desktops, 1 Laptop).

KB4014985 also shows a new date of 4/18/2017

Don't take yourself so seriously, no one else does 🙂
All W10 Pro at 22H2,(2 Desktops, 1 Laptop).

This topic is about Group B. The .NET patches are found at https://www.askwoody.com/forums/topic/security-only-net-updates-for-april-2017/

Sorry

Don't take yourself so seriously, no one else does 🙂
All W10 Pro at 22H2,(2 Desktops, 1 Laptop).

Just want to thank you again for the work you put into this on going thread PKCano.

I just installed the April Security Only update KB 4015546 on my Win7 desktop and the Security Only update KB 4015547 on both of my Win8.1 laptops. I also installed the  IE11 update on the laptops (I don’t have IE on the desktop). I did install security updates for .NET too.

I follow this site daily and check for the Security Only patches every month as I will try to remain in “Group B” for as long as possible. Thanks to this site I have been able to do this.

PKCano,

Many thanks for keeping this thread going and keeping it updated for us.

I installed the April Security only updates listed last night. So far, everything seems to be OK. Please keep up the good work. Without it I, among many, would be overwhelmed by all the MS garbage (just being polite).

Dave

Thanks very much for this extremely helpful information.

Mac Mini v. 6.2 (2012) with Win10 Pro 64 bit v. 1809
MacBook Pro v. 3.1 (2007) with Win7 32 bit - Group B Updater

For Microsoft updates from April 2017 and later, one can also use Microsoft’s Security Update Guide to get download links for both monthly rollups and security-only updates. To display security-only updates, set checkbox “Security Only” to checked. The Product column contains links to monthly rollups.

Use the textbox to filter by operating system:

Windows 7 x64: use filter “Windows 7 for x64” (without quotes)
Windows 7 x86: use filter “Windows 7 for 32” (without quotes)
Windows 8.1 x64: use filter “Windows 8.1 for x64” (without quotes)
Windows 8.1 x86: use filter “Windows 8.1 for 32” (without quotes)

2 users thanked author for this post.

HiFlyer, LH

MrBrian,

Thanks for the link. Unfortunately, I am unable to find any ‘check box’ for “Security Only”. Did I maybe get on the wrong site?

Dave

Click on the link at the top that’s right for your version of Win and bittedness. They are security-only updates (except the ones marked IE11) direct download

2 users thanked author for this post.

HiFlyer, JDeC

I just tried https://portal.msrc.microsoft.com/en-us/security-guidance. It has a “Security Only” checkbox.

1 user thanked author for this post.

HiFlyer

Which is straight forward for all the updates  apart from the .net framework update ie for win7 sp1 x64 systems  running .net 4.6.1 it’s actually KB 4014558 that is required

https://support.microsoft.com/en-us/help/4014985/security-only-update-for-the-net-framework-3-5-1-4-5-2-4-6-4-6-1-and-4 this isn’t clearly shown

Started updating my machines today (now at Defcon 3), so far two HP machines (one lap top running Win7 Home Prem and one Desktop i5 running Win7 Pro both did an extra restart on the Windows Security only iinstall.  Ran the usual other stuff first (Net and Software Removal tool) which required a restart, then the Group B package which did a restart and configuring windows up to 100 per cent then then shut down and restarted and went to configuring windows and no percent count but finally the sign in screen.  Then ran the IE updates which restarted as expected.  Both machines have Intel chips.

Will be interesting to see if the behavior continues with the Dell i7 desktops and Dell i5 laptop which I won’t get to until tomorrow.

Since I’m running cableCARD tv tuners and Media Center I don’t really trust MSFT updates having been burned a couple of times in the past.

Yeah i noticed a double restart myself, i thought for a moment it had gone into the endless  reboot loop

Update on double restarts,  having completed seven machines, five of them had a double restart on the Win Security stand alone updater.  Win 8.1 pro did not (Lenovo laptop) and the new Dell i5 Laptop did not (couple of years old but just had to replace the HD and re-install Win7 Pro).

Have one machine left, but this appears to happen more often than not.

I ran “check for updates” today. I am still being offered the March 2017 kb4012215 (rather than April 2017 kb4015549) Security Monthly Quality Rollup for Win7 x 64 based systems. Is anyone else having this experience?

I am in group B, updates are current through March 2017 Security Only kb4012212, March 2017 Cumulative Security for IE 11 kb4012204 and IE hotfix kb4016446. I’d unchecked but not hidden the March Rollup per PKCano’s instruction, expecting it to be replaced with the April Rollup.

I have downloaded and am ready to install April 2017 security only kb4015546 and April 2017 cumulative security for IE 11 kb4014661, but wonder if I should do this IF MS has pulled April 2017 Rollup kb4015549 – it appears it is downloadable via the MS update history page.

Go ahead and install the April security-only and IE patches. With the vulnerabilities introduced by the Shadow Brokers, you need the protection.
Just be sure to uncheck anything that says “Security Monthly Quality ROLLUP for Windows“

2 users thanked author for this post.

wdburt1, JDeC

PKCano, is it unusual that April Rollup didn’t replace the March Rollup, since I didn’t install but didn’t hide the latter?

If you had hidden the April Rollup, the March Rollup would show back up. But since you didn’t hide either, I have no explanation.
I would go ahead and install the April security-only and IE patches. The March Rollup should disappear for sure when the May Rollup shows up if you don’t hide March’s. If that’s not the case, then we should try to figure what’s going on.

The reason last month’s Rollup disappears is because it is contained in this month’s Rollup, If you don’t hide Rollups, they are replaced (superseded) by the next later one.

1 user thanked author for this post.

ht

@ht

ht wrote:

I am still being offered the March 2017 kb4012215 (rather than April 2017 kb4015549) Security Monthly Quality Rollup for Win7 x 64 based systems. Is anyone else having this experience?

From my experience, after installing the current security-only monthly updates, I am still offered the Security Quality Monthly Rollups, which I hide. After hiding this month’s “quality rollup”, it becomes a game of whack-a-mole, being offered the previous month’s “quality rollup”, etc. etc. etc. It is safe to ignore the “quality rollup” you are being offered, if you choose to stay as Group B updating.

4 users thanked author for this post.

HiFlyer, Elly, JDeC, ht

Just finished installing Apr individual updates KB4015546 and KB4014661 without problem. Then ran WUD which revealed 9 important updates. I installed the Update for .NET 4.5.2 (KB4014559) also without problem. Thanks for all your help!

I’d appreciate advice/guidance on some of the other offered important updates:
1) Are MS Office 2007 security update KB’s 3141529, 3191830, 3191827, 3191929 and 3127890 (all dated 4/11/17) okay to install?

2) A Security Update for Silverlight (KB4017094, dated 4/11/17) appears. When I click on the link for more info I’m taken to a MS page with the message “This page doesn’t exist.” Below that message in grayed-out text the following appears: CV:xnH/iQbSKdED7YTP.O. Below that is the message “Try searching for what you need.” Typing in the KB4017094 in the search field produces some linked references that provide much less than helpful (in my opinion) information. Is this really something important to be installed?

Thanks for any insight/help you may have to offer on these two concerns.

Yes, you need to install the Office 2007 updates.

If you have Silverlight (a browser add-on) installed on your computer, you need the security update for it.
If Silverlight is installed on your computer and you don’t want/need/use it, it is OK to uninstall it, then you do not need the security update.

Author of #112890 here. Thank you PKCano.

Re Office Updates – Installed without problem.

Re Silverlight – It is on computer but I don’t know if its needed or used. I primarily use Firefox and Silverlight is no longer supported. IE11 only used very occasionally. For now its been disabled in IE. Whether to uninstall Silverlight or install its security update depends on my browsing experience with it disabled.

In running WUD this AM I was surprised to see a new cumulative security update for IE11 being offered (KB3008923 dated 12/9/2014). This update’s details window, package details tab shows 2987107 & 3003057 as the updates being replaced. None of these updates currently appear in my installed updates list.

Being reluctant to install a 2-1/2 year old update after just installing the most recent cumulative security update, I am again seeking your wise counsel. Thanks.

anonymous wrote:

In running WUD this AM I was surprised to see a new cumulative security update for IE11 being offered (KB3008923 dated 12/9/2014).

See the main Blog article on KB3008923. UNCHECK it if you are installing updates. Leave it alone. It caused problems in it’s day and has been superseded. No telling what’s going on with MS.

I will offer my 2 cents. When I see Silverlight on a client computer, I recommend it be removed. Then and only if they find they have a need for it, install it at that time. Silverlight is largely unused now.

CT

1 user thanked author for this post.

satrow

woody wrote:

starting in October 2016

Suggestion: the following part of this post: “starting in October 2016“

Might be relevent for those trying to catch up the B-Way on machine that have not been properly maintained prior to Oct-2016.

AKB2000003 Updated 5/9/2017

2 users thanked author for this post.

Elly, owdrtn

Well, here is more fuel for the fire.

I just opened Windows Update, and what a shock. There are no longer ANY hidden updates listed, and there are 9 Important and 6 Optional updates available.
Listed as Important and checked:
KB4014981 April Security and Quality Rollup for .NET Framework
KB3008923 Cumulative Security Update for IE 11
KB954430 Security Update for Microsoft XML Core Service Pack 2
KB973688 Microsoft XML Core Service 4.0 Service Pack 2
KB2952664 Update for Win 7 X 64
KB3068708 Update for Win 7 X 64
KB3080149 Update for Win 7 X 64
KB971033 Update for Win 7 X 64

Listed as Important Unchecked:

KB3021917 Update for Win 7 X 64

Listed as Optional:

KB4015552 April Preview Monthly Quality Rollup for Win 7 X 64
KB2574819 Update for Win 7 X 64
KB2592687 Update for Win 7 X 64
KB2830477 Update for win 7 X 64
KB3080079 Update for Win 7 X 64
KB3102429 Update for Win 7 X 64

No mention of KB4019263 Security Only Update or KB4018271 Update for IE 11.
Make me wonder “What did I miss, or why is MS messing with my machine?

Dave

Pepsiboy wrote:

No mention of KB4019263 Security Only Update or KB4018271 Update for IE 11.

These two patches are not offered through Windows Update. Only through the MS Update Catalog (or the links above)

Pepsiboy wrote:

KB2952664 Update for Win 7 X 64 KB3068708 Update for Win 7 X 64 KB3080149 Update for Win 7 X 64 KB971033 Update for Win 7 X 64

I wonder if you accidentally clicked on “Restore hidden updates”?

PKCano,

No, I did not click on “Restore Hidden Updates” by accident. I have not been in Windows Update for about 3 days. This afternoon I thought I’d check, WOW, what a surprise. Do you think I should hide some or all of them and carry on, or something else?

Thanks, in advance.

Dave

Pepsiboy wrote:

KB2952664 Update for Win 7 X 64 KB3068708 Update for Win 7 X 64 KB3080149 Update for Win 7 X 64 KB971033 Update for Win 7 X 64

I assume these were hidden. If so, re-hide them.

The rest you should leave alone until the DEFCON number changes to 3 or above. We’ve no idea what this month’s patches will bring at this point!

PKCano:   I started another message to you, however it disappeared so I will start it over again.  I don’t know what I did or didn’t do to get the stand-alone Security Only KB4019263 to install successfully.   It seems that there may have been changes to the method which I used in the past (just stopping the WU Service).   Running Win 7, x64, Home Prem.

I downloaded the update, and stopped the “Win Update Service), and then tried to get it installed.   It reflected that it was initializing, and then installing, however then there was a message that it “failed”.      Are there “new steps” to installing the stand-alone updates?  I did not attempt the IE Cumulative update, only the Security only.

I have no clue as to what I’m “doing, or not doing” to cause this problem.   Could you please provide guidance for me with this problem?  I definitely need these updates, however I must be missing something that may be “new”.   I most sincerely appreciate  your help.   I am totally lost and do not want to repeat any error I may have made.  I definitely did not click on the 32 bit, so that’s not the problem.    Thank you for any help you may be able to  provide.

There is nothing new in the procedure.
Look in the update history and see if either KB4019264 or KB4019263 are listed as “successful”
If KB4019264 is there, you will not be able to install KB4019263.
If KB4019263 is there and shows “successful,” you already have the update.
If neither are there “successful,” reboot the computer, wait 10 minutes after you login without doing anything, and try to install again.

1 user thanked author for this post.

walker

@PKCano:  I do not have either of these updates installed.  The one which noted “Failed”, KB4019263 is not installed, and I did not have KB4019264 installed (the Security Monthly Quality Rollup).    So I have neither of them.

Back in April I had my first “Failed” update, which was KB4014661.  This was the IE11 Cumulative update.    Nothing I did would get it successfully installed, so at that time we felt that the  next IE update  (KB4018271) would probably bring it back to where it should be.      After failing with the KB4019263 install, I did not attempt to install the May IE11 update (KB4018271).

If I’m understanding you correctly, I should attempt to DL & install the KB4019263  as follows:

“If neither are there “successful,” reboot the computer, wait 10 minutes after you login without doing anything, and try to install again”.

                 ***************************************

I hope to have time tomorrow to try that.  The first time I had the problem was on April 29th, and I attempted numerous times to get it installed without success.   I hope that this will do the trick.  Thank you very, very much for your most appreciated help!   🙂

 

I can see 4018271 already listed here (GroupB-approved KB list).
Have you guys gone over some audit/review of this KB in order to claim it’s free from telemetry?  (filelist review, network audit/lookup for MS phoning home, reg changes, etc etc..) ? I just find it weirds it’s getting listed here so quickly ..

a very brief look at the file included with this kb already show some “telemetry potential” ..
Diagnosticstap.dll
Javascriptcollectionagent.dll
Diagnosticshub.datawarehouse.dll
Ticrf.rat
Ieetwcollector.exe
Ieetwcollectorres.dll
Ieetwproxystub.dll
to name a few.. (note that I make no assumption here as I have no idea what those file actually does, windows doesn’t provide such information, and I haven’t nor intend to R.E/digg those, windows stole enough of my lifetime with their mess)

Perhaps it’s related to IE Site Discovery that is mentioned at Get started with Upgrade Readiness.

Hi all,

I’m not sure exactly where to post this question, but since this page is to do with updates, I figured it would be OK.

I got caught out last month, and my windows update was stopped when I installed one or other of the updates, I was told that Kaby Lake is no longer supported…..

I uninstalled those updates and it seems that my uninstall was successful…..

I have just received notification of updates , KB4019264, 4019112 and 890830.

I am loathe to allow M$ to use my computer for blackmail so I won’t install them until I get some kind of feedback.

Has anyone looked at them in detail, and if so, what is the verdict ?

Thanks !

Graphic design, Animator, Moviemaker, Editor and Photographer. Amateur computer techie.

Installing Win updates on Win 7 or 8.1 computers with Kaby Lake or Ryzen CPUs

Wall Street Journal has just now published a top-front-web-page article captioned “Major Cyberattack Sweeps Globe, Causing Disruption”.

It’s at this link :  LINK

If we’re on Plan B, are we protected?

You need to be patched through April – either the Rollup or the Security-only

1 user thanked author for this post.

Elly

@pkcano @woody
Who’s maintaining this list ? it’s being actively updated, but some listed KB are either missing or superseded by now.. reported a couple already but haven’t got any feedback, so I guess it’s useless to report them here again..

Click on the link. If the update is downloadable, it is still available in the Catalog. It has not been retired. This is an ON-GOING list.

1 user thanked author for this post.

walker

PKCano wrote:

ON-GOING

Culprit might be my limited english here, i’ll have a look at the distinction of the “ongoing” word vs “up-to-date” . Thanks for specifying.

Just want to point out however, that I didn’t refer to the catalog’s availability of those KB listed here, but their relevence in regards to their “supersedence” & “B-Group” properties …

It is ALSO up-to-date. The May patch is included and is relevant to Group B.
However, with the DEFCON level at 2, the May patching has not been approved.

1 user thanked author for this post.

walker

@PKCano:   Is it “safe” to CHECK for updates if you don’t install any of them?   I see references to updates that I don’t have listed because I have it set to “NEVER CHECK”, and only check for updates to see what’s been added.   I do not install anything at that time, only “check for updates”.

Because of all of the problems with the malware issue, I’ve been afraid to do my usual “check for updates”.   I’ve seen that some users appear to have their computers changed in ways that they did not direct, so I don’t know what to think anymore.

Thank you for the wonderful help, and guidance you provide to all who depend upon your outstanding expertise and knowledge!   🙂

For the sake of keeping things simple I’m suggesting to remove KB3212642, KB4012204, KB4016446 and KB4014661.

The January Security Only Rollup has turned out to be fully incorporated in (superseded by) any subsequent Security Only Rollup to date, i.e. Security Only Rollups of March, April and May.

No need to mention the Cumulative Security Update for IE  by definition supersedes any of its predecessors.

Regards, VZ

1 user thanked author for this post.

owdrtn

There are no Security Only ROLLUPS.
The rest are still downloadable from the Catalog and have not been retired. When that happens they will be removed.

2 users thanked author for this post.

HiFlyer, walker

Are you saying in order to be superseded, any given update also must be retired?

The January Security Only Rollup, that isn’t one, has been superseded by the March as well as the April and May Security Only Rollups, that aren’t ones, to the effect KB3212642 must be considered obsolete.

Regards, VZ

@PKCano only says that the retired/expired updates are no longer available in the Catalog which is correct. Nothing to do with supersedence in this matter.
Not all superseded updates are expired and not all expired updates are superseded. Some of the expired updates are retired because they were considered by Microsoft as faulty or problematic for a large number of users.
There may be instances when some expired updates are still available for few hours or days, but this is due to delays in synchronising the Catalog interface.
I believe, although I am not 100% certain, that the expired updates are still available for download by directly accessing the download URL (if it is already known), but are no longer presented in the Catalog GUI or any other normal software used for updating Windows.

3 users thanked author for this post.

HiFlyer, walker, owdrtn

Thanks for the lesson in update retirement practice.

Still the January Security Only Rollup has been superseded by the March as well as the April and May Security Only Rollups to the effect KB3212642 must be considered obsolete.

Regards, VZ

 

Please note the “rollup” is not security only:

PKCano wrote:

Microsoft delivers the “Security Monthly Quality ROLLUP for Windows” through Windows Update to the PC. It contains both Security and non-security updates and is cumulative. Cumulative means that this month’s ROLLUP contains the previous month’s ROLLUPS. It is available to all Windows Users.

For those people who do not want the non-security, Microsoft provides the “Security Only Quality UPDATE for Windows.” It contains only the security patches

Please note that what constitutes a rollup is its consisting of several updates, which is equally true for the Security-Only package. It’s an update as well as a rollup. The term “Rollup” is not exclusive to the Security Monthly Quality thing.

Volume Z wrote:

Please note that what constitutes a rollup is its consisting of several updates, which is equally true for the Security-Only package. It’s an update as well as a rollup. The term “Rollup” is not exclusive to the Security Monthly Quality thing.

Microsoft makes the terminology bad enough without superimposing a unique definition.

There are two kinds of monthly Windows 7 and 8.1 patches:

• Security-only updates, which must be manually downloaded and installed
• Monthly Rollups, which can come from Windows Update

Any other terminology only obfuscates an already bizarrely named system. The term “Rollup” has nothing to do with how many fixes are included.

Please, you’re confusing me – and I assume everyone else. Stick with the common definitions when you post.

3 users thanked author for this post.

HiFlyer, Alice, PKCano

Volume Z wrote:

For the sake of keeping things simple I’m suggesting to remove KB3212642, KB4012204, KB4016446 and KB4014661. The January Security Only Rollup has turned out to be fully incorporated in (superseded by) any subsequent Security Only Rollup to date, i.e. Security Only Rollups of March, April and May.

The practice of naming Security-Only Quality Updates and Security Monthly Quality Rollups so similarly was sure to cause confusion.

PKCano maintains a list of Security Only Quality Updates for Group B. These are the people trying to avoid telemetry for the most part. Security Only Updates are not cummulative, or superceded at this point, and each month must be updated for the operating system to be protected. That would include  KB3212642, KB4012204, KB4016446 and KB4014661. Each one is needed.

Those KBs are included in the Security Monthly Quality Rollups, which also have non-security updates in them. Group A updates by applying the current Security Monthly Quality Rollup, which is cummulative. So, if you are following Group A updating, you will have those KBs installed and you don’t need to go back and install them individually.

But, someone who didn’t update this year, and wants to be Group B, should install each of the monthly Security Only Updates, to be covered. For these people, PKCano’s list is accurate and needed.

Yes, this is a little complicated for someone to jump into new… but I’ve successfully brought reluctant friends and family up to date using this list, as well as following it myself month by month.

Review, and chose a Group… then follow instructions as posted by Woody, for how to update that Group. Don’t try to apply instructions for Group A (who can just update by installing the current Security Monthly Quality Rollup) with those for Group B (who must install each month’s individually).

There is a truth here, if you are careful in the naming. The KBs are all included in the Monthly Rollup, and that is cumulative and previous months don’t need to be installed. But that is only for Group A! The Security Only updates are not cummulative. Throw a little more confusion in, because there are .Net Security Only cummulative updates. Double check what is being referred to. Following instructions step by step has kept this non-techy safe and updated, with many thanks to the MVPs and Woody.

Non-techy Win 10 Pro and Linux Mint experimenter

4 users thanked author for this post.

HiFlyer, woody, Bill C., PKCano

Elly wrote:

That would include KB3212642, KB4012204, KB4016446 and KB4014661. Each one is needed.

KB3212642 has been superseded by KB4012212, KB4015546 and KB4019263 to date despite the Security-Only packages being non-cumulative.
KB4012204, KB4016446 and KB4014661 have been superseded by KB4018271 to date for the Security Update for IE being cumulative.

@ Volume Z

Still the January Security Only Rollup has been superseded by the March as well as the April and May Security Only Rollups to the effect KB3212642 must be considered obsolete.

Does this mean that a Win 7 Group B user who has just done a reinstall, does not have to install the Jan 2017 Security-Only update?

No you don’t, because in one or more scenarios you can’t.

You cannot install KB3212642 after KB4019263.

You cannot install KB3212642 after KB4015546.

You cannot install KB3212642 after KB4012212.

KB3212642 is fully included in, aka superseded by any of KB4012212,  KB4015546 and KB4019263.

Do not reject before trying yourself.

 

1 user thanked author for this post.

MrBrian

@volume-z
KB3212642 is a security-only patch for Group B. It is not a cumulative patch for Group A, so your information is in error.

woody wrote:

Security-only patches are not cumulative. You have to install each of them, one by one.

I didn’t say they are generally cumulative. All others must be installed one by one. The exception of KB3212642 is obsolete for being part of all of its successors.

Could you please supply an authoratative source for that information @volume-z?

MS Catalog is showing that only KB3212646 (the Group A patch) has been replaced by subsequent updates.

Only yesterday I wrote to a reply on another thread that the Catalog doesn’t indicate the supersedence. This leaves us with the challenge of accurate determination of supersedence of an update of our own, and I’m claiming that the sheer fact of KB3212642 not being installable after at least one other update is perfect proof.

I tested the claim “You cannot install KB3212642 after KB4015546” on Windows 7. It is accurate.

4 users thanked author for this post.

HiFlyer, owdrtn, Kirsty, Volume Z

Does the KB4015546 issue relate to https://www.askwoody.com/forums/topic/for-you-testers-heres-how-to-spoof-a-kaby-lake-processor-inside-a-virtualbox-win7-vm/#post-108029?

I suspect that even though the earlier update can’t be installed with the later update already installed, that the contents of the earlier update may not be installed.

Might it be worth using the MS Baseline Security Analyzer?

1 user thanked author for this post.

ch100

No.

It is always useful using MBSA or equivalent tool for the Group B users.

Thks @ch100

If/when the Installed Updates didn’t show the earlier KB number as being installed, it would seem a logical step.

1 user thanked author for this post.

ch100

The whole concept of following Group B based on lists if not managed is flawed.
Using MBSA or another tool having wsusscn2.cab as reference are ways to work around the lack of use of professional management tools and confirm the level of patching and the security of the computer, which is even more critical in the current circumstances.
Anything else is guessing and I am more than certain that a large number of those following Group B based only on lists of patches are not patched securely now after more than 6 months since that model was adopted.

I also had that experience due to a Belarc report showing it as missing.

1 user thanked author for this post.

Kirsty

If somebody can test and find out if Belarc uses wsusscn2.cab as reference as I believe it does, then it may be the reference tool to be recommended for Group B security compliance check.
MBSA might be out of date and not fully maintained for Windows 7 or later and require custom installation to make it working. However it is reliable and very good reference.

ch100 wrote:

MBSA might be out of date and not fully maintained for Windows 7 or later

Microsoft Baseline Security Analyzer 2.3 (for IT Professionals) :
“MBSA 2.3 runs on Windows 8.1, Windows Server 2012, and Windows Server 2012 R2, Windows Server 2008 R2, Windows 7, Windows Server 2008, Windows Vista, Windows Server 2003 and Windows XP systems and will scan for missing security updates, rollups and service packs using Microsoft Update technologies. To assess missing security updates, MBSA will only scan for missing security updates, update rollups and service packs available from Microsoft Update. MBSA will not scan or report missing non-security updates, tools or drivers.
Please make sure you are running the latest Build (2.3.2211) of MBSA 2.3 that we released early January 2015”

2 users thanked author for this post.

HiFlyer, walker

A minor annoyance

https://serverfault.com/questions/688617/windows-server-2012-r2-why-is-mbsa-2-3-failing-iis-check

1 user thanked author for this post.

Kirsty

@Kirsty:  Is this Microsoft BaselineSecurity Analyzer ONLY for IT professionals?   I think I’ve seen it referred to numerous times, and have the impression it isn’t for the ” computer illiterate” such as I am.  I try not to exceed my very limited knowledge by installing programs which are not directed at my segment of the users here.  Thank you for all of the information you post here.   It is sincerely appreciated.   🙂

It’s title says “for IT Professionals”, and I’m sure some savvy computer users would be able to utilise it without too many problems. But as you say, it is not something that is likely to help less experienced users.
(and thanks!)

I was referring to the Catalog. I guess we can’t rely on it anymore just as WU..
How have you found out about KB4012212, KB4015546 & KB4019263 to supersede 3212642 ?

With a little help from GoneToPlaid

https://www.askwoody.com/forums/topic/if-you-didnt-get-ms17-010-installed-six-weeks-ago-you-may-be-hurting-now/#post-114866

and some research of my own. 🙂

1 user thanked author for this post.

owdrtn

My brain is hurting.

There’s no such thing as a “Security Only Rollup”….

4 users thanked author for this post.

HiFlyer, Alice, Pepsiboy, PKCano

But should we take for granted that “not being able to install an update” means that it necessarily been superseded ? I mean.. It could just be another messy/broken supersedence chain by MS, or any other MS-flavoured-mess ?

2 users thanked author for this post.

HiFlyer, MrBrian

I did another test:

1. Installed kb3212642 and rebooted.
2. Installed kb4015546 and rebooted.
3. Ran Disk Cleanup of (superseded) Windows Updates and rebooted.
4. Uninstalled kb4015546 and rebooted.

After this, kb3212642 remained in the list of installed updates. So in some ways kb3212642 doesn’t behave like a superseded update.

3 users thanked author for this post.

HiFlyer, owdrtn, ch100

It does behave like a superseded update when uninstalled with March, April or May Security-Only present.

It doesn’t require a restart.

Perhaps the test that I did is not appropriate for assessing whether one update supersedes another.

Again, please try to keep the terminology consistent. In the Microsoft milieu, there’s no such thing as a “Security-only rollup”

3 users thanked author for this post.

HiFlyer, Alice, owdrtn

What if I was in line with Günter Born?

https://answers.microsoft.com/de-de/windows/forum/windows_7-update/sicherheitsupdate-kb-4019112-rollup-für-net/3be75526-ea2a-4fad-bdac-139b8e858135#LastReply

The English version of KB4019112 refers to a “Security and Quality Rollup”, not a Security roll-up

https://support.microsoft.com/en-us/help/4019112/security-and-quality-rollup-for-the-net-framework-3-5-1-4-5-2-4-6-4-6-

 

Windows 10 Home 22H2, Acer Aspire TC-1660 desktop + LibreOffice, non-techie

1 user thanked author for this post.

woody

You’re picking at nits.

In German, no less. Gott im himmel.

OK – I went nuts to backtrack and UNinstall rollups and reinstall security standalones to follow Group B.  Please take a look at the following sequence and confirm I’m OK (or not).  Windows 7 64-bit, and in the past I had installed both some of pkcano’s security standalones and some rollups.  I’m skipping “KB” to save time:

Tonight, I proceeded in this order and got certain results in this order:

UNinstalled rollup 4012215
Installed standalone 3192391
Installed standalone 3197867
Installed standalone 3205394
Then realized my UNinstall of rollup 4012215 probably revived earlier installed rollups, so I looked and UNinstalled more rollups in this order (using cmd wusa /uninstall /kb:xxxxxxx):
UNinstalled 3212646
UNinstalled 3207752
UNinstalled 3197868
UNinstalled 3185330
Then tried to reinstall these older standalones from pkcano’s list at top here – which I had previously installed at various times before today – BUT my PC said each of these was already installed and so I could not reinstall them:
3212642
4012204
4012212
4014661
4015546
4018271
4019263

SO my issue is this:  These final pkcano-security seven – which I had installed in the past and cannot reinstall today – are they really still installed even though tonight I UNinstalled some rollups that might have “included” them?  These seven do still show up as installed in the Windows Update installed lists as of their original (past) install dates AND same on Belarc Advisor.

Can I sleep soundly?  Or am I doomed?  Thanks.

If you have not uninstalled them, they are still installed. You should be protected from the current WannaCry/Wanna/Crypt problems since you have the March patches installed. Just sit tight on the May patches until the DEFCON number goes up.

1 user thanked author for this post.

glnz

pk – thanks twice.

But is there any safe way to test?

The installed updates list is correct.

PK – Just FYI that I ran MBSA (full report attached as a .docx) and it shows only that I am …

Missing  2017-05 Security Monthly Quality Rollup for Windows 7 for x64-based Systems (KB4019264)

So that looks good, I assume.  (Full report attached.)   Thanks.

EDIT – PK – Ran an MBSA (report attached as a .docx) but I am worried about the results.

1)  It says I am Missing   2017-05 Security Monthly Quality Rollup for Windows 7 for x64-based Systems (KB4019264)   Critical.  This was expected.

2) … but it does NOT list ANY of the seven standalone security updates I mentioned above as being installed.  (From 3212642 to 4019263).  This was NOT expected and is worrying.

So, do I need to install the KB4019264 2017-05 Security Monthly Quality Rollup just to be sure?

Thanks.

Group B does not install Security Monthly Quality Rollups for Windows.

Group B does install Security Only Quality UPDATES for Windows
Group B does install Cumulative Update for IE11

PK – Yes, understood, and thanks for your infinite patience.

My concern is only that, after I UNinstalled various rollups, MBSA does NOT show as “installed” the seven latest standalone Group B security updates.  My own Windows Update “installed” list shows these seven, but MBSA does not.

And I am unable to REinstall those seven.

Took my Win 7 64-bit PC offline, UNinstalled the ten Group B security updates I listed a few posts above and then REinstalled them.  They all now show in “View Update History” and “Installed Updates” with last night’s date.  However, they do NOT show in a new MBSA scan.  Instead, MBSA lists one missing update:  KB 4019264 2017-05 Security Monthly Quality Rollup, which I am avoiding as a born-again Group B person.

So MBSA pushes the rollups and skips some (related?) individual security updates.  Bad show.

And Belarc Advisor also shows the same ten standalone security updates as installed last night.  So just maybe I’ve put myself into Group B successfully.  (But in the end, how will we ever know?)

FYI – Belarc also shows the Sept 2016 rollup KB3185278 as installed two nights ago on May 15, 2017.  This makes sense because I UNinstalled all the following rollups that night, and so (I am guessing) the immediately preceding rollup is automatically reinstalled (or maybe just re-disclosed from hiding).

I briefly tested Belarc Advisor (latest version) last night with its latest security definitions on Windows 7 x64. It mistakenly listed KB4015546 as missing when KB4015546 was installed and KB3212642 wasn’t installed. When KB4015546 and KB3212642 were both installed, KB4015546 was correctly detected as installed.

Well, on Sunday I broke protocol and installed KB4019263 and KB4018271. SO FAR, no problems. I figure that if this continues another couple days I’ll install KB4019264 and see hat happens. Yes, I’m being careful to back up EVERYTHING before the installs just to be safe.

Maybe I’m being paranoid, but I’m trying to be cautious with all the scary stuff going on. I’ll post here with the results.

Thanks to Woody and everyone else for the tips and help.

Dave

2 users thanked author for this post.

Noel Carboni, JDeC

@Pepsiboy:  Having tons of problems with misplaced paperwork and can’t locate the instructions on “How to Do a Backup”.   Could you possibly provide the details?  Any and all help is appreciated.

The focus of this topic is Group B patching.

Please create a new topic to discuss backups
Thanks

2 users thanked author for this post.

owdrtn, walker

@PKCano:   My apologies, I will try to determine if there is a subject out there which could be utilized to refer on “back up directions”.   Thank you for all of your help!

walker wrote:

@pepsiboy: Having tons of problems with misplaced paperwork and can’t locate the instructions on “How to Do a Backup”. Could you possibly provide the details? Any and all help is appreciated.

 

Walker,

I back up to an external hard drive using “Click Free”. I’m not sure here to get it as my wife picked it up several years ago when I was on the road driving truck. Sorry I can’t be more help.

Dave

1 user thanked author for this post.

walker

Suggestion: It would be great if there’s also a list of the security-only updates for group B prior to the “patchocalypse” took effect, for those of us with fresh installs of Win7 machines, so that we also catch up with the older security updates.

anonymous wrote:

Suggestion: It would be great if there’s also a list of the security-only updates for group B prior to the “patchocalypse” took effect

Prior to the “patchocalypse” Microsoft issued individual updates. Only beginning in Oct 2016 did MS issue Monthly Rollups (including security, non-security, and IE11 updates) and Security-only Updates (the security-only part of the update). So there are no “Security Only Quality Updates for Windows” prior to October 2016.

1 user thanked author for this post.

HiFlyer

Thanks PKCano!

Is there a need to get those pre-“patchocalypse” updates if the machine is up-to-date with the security only updates in AKB9000003?

If so, what would be the recommended approach to get caught up with the updates prior to the “patchocalypse” for group B? Would there be a cumulative update or updates that would bring win7 machines up-to-date to the point before Oct 2016?

The best way to do it, if you want Group B is this:

Rules:
The only patches you hide are the telemetry-related listed above.
You DO NOT check anything that is UNCHECKED by default.
You check the box “Give me updates for other MS Products.
Set Windows Update to “Never check”

1. Run Windows Update.
2. UNCHECK all updates in the “Important list”
3. Hide any telemetry related updates.
4. Highlight each update and CHECK only the ones dates BEFORE Oct 2016.
5. Install the CHECKED updates. Reboot. Wait 10 minutes after logging in.
6. Repeat steps 1-5 until the only updates left are dates Oct 2016 or after.
7. Download the Security-only Updates from Oct 2016 until April 2017 and the April IE11 update. (you don’t need any you’ve already installed).
8. Control Panel\Administrative Tools\Services – highlight the Windows Update Service and at the top left click “stop”
9. Install the security only patches. beginning with the oldest, in order. You do not have to reboot between, just close the box. Install the IE11 update.
10 Reboot, wait 10 minutes after login.
11. Windows Update – UNCHECK only “Security Monthly Quality ROLLUP for WINDOWS” – Install the rest.
12. Repeat 10-11 untill the only thing checked that is left is the Monthly Rollup.

 

Edit to change content

3 users thanked author for this post.

HiFlyer, JDeC, Jan K.

Thanks PKCano! One more question regarding installing pre-October 2016 updates:

In step 4, (apart from the telemetry updates mentioned in AKB2000003) should I also check the updates that do not have “security” in its title, i.e. “updates for windows 7 for x86-based systems (KB3138612)?” What about older cumulative IE11 update (from 2014) if I have already installed the version from April 2017? There is also one for ActiveX Killbits (KB2900986).

In other words, with the exception of specifically mentioned telemetry updates, should I install ALL pre-October 2016 important updates?

anonymous wrote:

In other words, with the exception of specifically mentioned telemetry updates, should I install ALL pre-October 2016 important updates?

The answer is Yes, install the pre-Oct 2016 patches that are checked by default. The old IE patch is the only one that would be optional (ie, your choice). It is not necessary, but it won’t hurt anything if it’s installed.

Many thanks PKCano!

I’ve installed all the pre-October 2016 updates that are checked by default.

However, I’m still not able to install the January 2017 security-only update KB3212642. It indicates that this update is not applicable to my computer. Any way to install it? Other than this one, and the fact that I couldnt find the telemetry updates KB3022345 and KB3150513, I’m all up to date!

However, I’m still not able to install the January 2017 security-only update KB3212642. It indicates that this update is not applicable to my computer. Any way to install it? Other than this one, and the fact that I couldnt find the telemetry updates KB3022345 and KB3150513, I’m all up to date!

– The January 2017 KB3212642 was discussed before for the same problem and while it is not clear why it is rejected after other updates are installed, you can assume relatively safely that your machine does not need it. Group B is supposed to be managed by Enterprise tools like WSUS and if you don’t use WSUS or an equivalent patching tool, you can only make assumptions based on best information available and @PKCano does a great job in maintaining those lists.
– KB3022345 has been retired by Microsoft long time ago as it was faulty and is in the current list only because there is a chance that older Windows installations may still have it
– KB3150513 is offered only if you also have KB2952664. Think about KB3150513 like a current definition for an engine provided by KB2952664 if you make an analogy with an antivirus product. KB2952664 and an antivirus product do not serve the same purpose, but the delivery mechanism is similar. If you didn’t install KB2952664 as it is commonly advised on this site, then KB3150513 is not offered

Many many thanks!

You’ll have more fun trying to install the January Update last.

Also, you’ll want to ensure to run an appropriate version of the Windows Update Client. Install the April Update before initial search.

Regards, VZ

I have been doing Group “B” updates, but sometime recently my Windows Update settings have changed in that I now see in the Control panel on my WIN 7 PC that while I had the “Never Check for Updates …” option selected and the “Give me recommended updates …” unchecked, the checkbox and “Give me updates for Microsoft products and check for new optional Microsoft Software when I update Windows” option are no longer displayed/present. I would greatly appreciate if anyone could advise me as to what I must have done wrong and/or how to correct this? Thank You.

anonymous wrote:

the checkbox and “Give me updates for Microsoft products and check for new optional Microsoft Software when I update Windows” option are no longer displayed/present.

If you uncheck (accidentally) the “Give me updates for other Microsoft Products,” it will no longer be offered. The instructions to put it back can be found at this Microsoft website

This vbs worked great, and now I have that option back too. thx

..I had meant to put my screenshot in previous post, here it is now:
https://s23.postimg.org/totw7dcq3/screenshot.jpg

2 users thanked author for this post.

HiFlyer, owdrtn

How did you do it?

Takes a few seconds…

I went to the link he gave above, highlighted/copied the lines, and then opened a command prompt, and right click in the open area and clicked paste.. ..the lines were now there, and click enter. That’s it.

Then I clicked the Windows Update button to start it (it was closed) and clicked the ”Change Settings” tab, and as shown in my screenshot above with what I have circled in red, there now appears that new option that was not there before!

…ps, fwiw I used an Administrator Command Prompt and I have Windows 7 Pro

PKCano wrote:

The instructions to put it back can be found at this Microsoft website […]

Thanks for sharing.

that script create a new service however.
The registry modif provided on bottom-most of the article is only persistant on WUA version 7.0.6000 and earlier. Are you aware of any registry workaround to it persistant on later version as well ?

HKLM\Software\Microsoft\Windows\CurrentVersion\WindowsUpdate
\PendingServiceRegistration\7971f918-a847-4430-9279-4a52d1efe18d

ClientApplicationID = My App
RegisterWithAU = 1

please read my post entierely.. this is not persistent

Thanks. Greatly appreciated!

 

Hi folks, I’m a newbie working with a windows 8.1 x 64 and in Group B.  So far so good with the step by step instructions except, (and I apologize for any repetition – went over article several times), I am unable to uninstall KB2976978 through Windows Update from Control Panel.  Did some searching online and found afew posts on other forums (Microsoft related) stating this update cannot be uninstalled.  Is there a way to uninstall KB2976978?  I haven’t had the confidence or experience working with registry; however, with a detailed list of instruction or link, I’m sure I can do just fine.  Thank you all for the help!

Try this:
Set Windows Update to “Never check”
Run Disk Cleanup\Cleanup System Files. – check Cleanup Windows Update and run the cleanup.
Reboot your computer. Wait 10 minutes after login.
Go to Windows Update and uninstall KB3150513 first if it’s there. Uninstall KB2952664.
Reboot – check that it’s there.
If not, check for updates and HIDE it if it shows up.

Correction.
I misread and gave instructions for Win7. You have Win8.1. KB2976978 may not be removable if you have a build from a later ISO. You can try the method I mentioned for Win7, but it may not be successful if you have the later build.

2 users thanked author for this post.

HiFlyer, ch100

anonymous wrote:

It would be great if there’s also a list of the security-only updates for group B prior to the “patchocalypse” took effect, for those of us with fresh installs of Win7 machines

That list would be too demanding to maintain. Rely on Windows Update. You will know   important Updates are preliminarily complete (Monthly Rollup excluded) when KB3177467 is offered.

However, you will not be offered KB3177467 with any Monthly Rollup available (unhidden). KB3177467 is a prerequisite for important KB3042058.

For now, you will not be offered all of KB3168965, KB3149090, KB3138962, KB3123479, KB3033929, KB3005607 (Security), KB3182203 and KB2718704 (Important) with any Monthly Rollup available (unhidden).

Above Updates have been replaced by Monthly Rollups only, going back to October 2016, and their offering will be suppressed in favor of the Rollup. They require manual installation or hiding of all Monthly Rollups.

. . . ” unable to uninstall KB2976978″

Followed PKCano instruction – May 20, 2017 at 5:25 pm and May 20, 2017 at 7:58 pm.  I couldn’t uninstall KB2976978.  I have a w 8.1 2013 edition, AMD A4-300 APU with Radeon ™ HD Graphics, 2.5 GHz.  Not sure if that info helps at this point.  I will continue following Group B info and see what happens.  I am thankful to all who have contributed to this topic.  And grateful for learning about updates, supersedence and telemetry.  Thanks again PKCano for all the help.

EDIT html to text

Please see my correction at #117057

Yes, thank you.  Attempted instruction from correction #117057.   It’s a no go.  I’m guessing I have a later build as mentioned earlier.  Hmmm, it will be interesting to see what happens.  Thank you.

I strongly urge those who are in Group B due to telemetry concerns to set the operating system’s Customer Experience Improvement Program setting to no. See step 1 at https://www.askwoody.com/forums/topic/2000007-turning-off-the-worst-windows-7-and-8-1-snooping/ for details.

I see only indirect mention of the following May 2017 Security-only (catalog-only?) updates for Windows 7 in this thread, above:

• KB4019263 – Security Only Update for Windows
• KB4018271 – Internet Explorer Security Rollup

I had to dig through the catalog to find these. I was thinking that providing such a list was kind of the purpose for this thread. Did I miss something obvious? That happens to me more than I like.

-Noel

At the bottom of the page AKB2000003

Thanks. I just didn’t see a way to get from this thread to there.

-Noel

Hi,

I’m grateful to see this ongoing list for Group B, thank-you so much! I’m non-tech, but stubborn, and I would like to stay in Group B to understand more about my systems. Eg, I don’t know what Net framework means, but I am motivated to learn more to keep my systems in shape for my needs.

Today I reviewed all security updates since Oct, and realized I had missed the Nov security only patch. It meant removing two patches, the Mar (Wannacry) & Dec’16 patches, applying Nov, and then catching up by reinstalling all after Nov, incl IE explorer 11 — although I will say that I did not update IE 11 for about 3 years on this Windows 8.1 Samsung ATIV 500T smartbook. Nothing ever happened, so I still have no idea what other software IE 11 affects? ; )

All was good, so I activated Windows Updates, and installed 4 important ones:  Net framework, IE 11 cumulative, MSRT, and Adobe Flash security update.

Issue #1:

After restart, the pointer for my touchpad immediately had trouble– freezing, etc, so I did a second restart; this resulted in a Blue Screen with: SDBUS_INTERNAL_ERROR

the message ‘promised’ a restart after collecting info, but it sat there, doing nothing. I forced shutdown and restarted, thinking I would need safe mode, but the normal start screen came up. I did a restore to a few days before. I have no idea what caused the blue screen, but am considering options now;  I had trouble before with this smartpad (Elantech?) after windows update, and I did the same thing, reset.

Other than smartpad glitches after certain Windows updates, and last one was a year and a half ago (?), my system has been perfectly stable for a long time, following the advice here since 2015 when I was so annoyed by Windows 10 intrusiveness, and I managed to eradicate all signs of it forever : ).

Issue #2:

I checked all previous security updates and saw that I had many “Failed” Important ones, the last of which were Sept 18th, 2016. Some updated the next day. I checked the ones that never did update from Sept 18th, and saw that they were all for 64 bit machines. Mine is 32 bit.   Question: is this a legitimate interpretation of the failed installations? I had other security update failures, most in 2016 when I was actively fighting with Microsoft by not allowing Windows 10 on my machine. My bigger question is: do I need to go back and install all those security updates? I am unsure if the instructions for updates after October, 2016, ie. install all security updates and install in chronological order, also apply to all security updates before?

My touchpad is not touchy at all until after certain Windows updates, which I have uninstalled twice before today, and then hunkered down with advice here to minimize the updates being installed.  Had no more issues, but important regular updates have not been timely for over a year maybe. I have read extensively and can’t find a solution for the touchpad itself.

Am willing to be scientific and install updates one by one to find the culprit, but it’s scary for me to see the blue screen, truth be told. I still have a hard time remembering how to boot in safe mode and what to do when I get there. : )

On Group B future: Also, as one who is not high tech but willing to work for it, I am willing to pay a small but reasonable amount regularly to keep in the loop and control my PCs future as a Group B member– I don’t expect those in the know to hold hands with the stragglers and offer valuable advice for nothing, is worth it to me to keep independent from Microsoft…. I have an HP mini PC Windows 8.1, bought last year and a new used Windows 7 Dell Latitude … to go with an as yet unopened Office2010, only for Word2010. I am a creative fiction writer and can’t stand the Office 365 complications. Both the HP mini and the Windows 7 systems have been purchased with an eye to keeping them running for years, offline after D-Day 2020. hehe.

Regards and much appreciation for AskWoody forums and savvy Windows users here! Dawn

 

dhardyindr wrote:

I checked the ones that never did update from Sept 18th, and saw that they were all for 64 bit machines. Mine is 32 bit. Question: is this a legitimate interpretation of the failed installations?

If you are in Group B and tried to install a 64-bit update on a 32-bit machine, it would definitely fail. Be careful when you download the security-only patches to get the right “bitedness.”

BSODs are usually caused by problematic hardware drivers. Go to the manufacturer’s website and update the drivers for your machine. Then try to install the patches again. You will need the model number and maybe the serial number.

1 user thanked author for this post.

dhardyindr

Thanks so much, PK! Will do. I assume you mean ‘all’ drivers, because for sure it’s only my assumption as to what happened with the smartpad. Back in Sept, I wasn’t trying to control the security updates, but checking all the ones Microsoft downloaded; I thought they ‘knew’ the bitedness of my machine.  🙂

Another idea occurred to me after the May updates. I downloaded an update for Flash, but I believe I uninstalled Flash from my computer a while ago, as per recommendations for security. It is not showing on my programs. Possibly I disabled it. Will check that. I use Flash only when I choose, through the browser.

I think it’s a good idea now to keep a dedicated notebook for all changes to my system. Problem with not being tech savvy is that the info/knowledge gained from overseeing my own systems is sporadic and not based in real understanding.  Like learning a language and at first only learning critical phrases, not yet absorbing the big picture. thanks again.

Sorry PK, Just replied re: BSOD after updates, but reply is awaiting moderation, not signed in. Cookies etc all go at shutdown.  dawn

 

Re: BSOD after updates and actions to follow recommendations from PKCano

PKCano wrote:

dhardyindr wrote:

I checked the ones that never did update from Sept 18th, and saw that they were all for 64 bit machines. Mine is 32 bit. Question: is this a legitimate interpretation of the failed installations?

If you are in Group B and tried to install a 64-bit update on a 32-bit machine, it would definitely fail. Be careful when you download the security-only patches to get the right “bitedness.” BSODs are usually caused by problematic hardware drivers. Go to the manufacturer’s website and update the drivers for your machine. Then try to install the patches again. You will need the model number and maybe the serial number.

Tried Samsung, patches not offered for my model #  from Thailand, given to me there by fam member end Nov 2014 who moved all personal computing to Apple. Researched more on other driver upload sites and discovered that only one driver was updated since then, Wacom Router  Mouse, Apri 2015.  AS at Nov 2014 tablet pen for writing was no longer working. No problems. The Elantech smartpad is working fine now; I did not update IE11, or Flash (I do not have installed now), or Visual Studio for Tools for Runtime.

All other security, MSRT, and Net Framework patches are updated in order now and system seems stable. I restarted after security patches, and after each of the above two. No idea why BSOD happened, and if due to Flash or IE11, I am reluctant to find out, only because I know nothing about booting in safe drive on Win 8.1. Have tried to understand last 2 days from online reading, but it seems quite convoluted. Will do it if necessary.

In device mgr, one series of driver has not worked from end Nov 2014, Intel Dynamic Platform & thermal Framework display participant driver, display driver, one more.

Around that time, I updated this Notebook to Win 8.1 from Win 8 and gave desktop Win 7 facelift. Not sure if coincidence, don’t know exact date, I was still in Thailand.

I have Office 365 still via same fam member acct, but only use my local acct, to avoid MS harassment as much as possible. Do not use interactively online; use Word 2013 as word processor. Changed settings to manual updates to avoid constant messages via banner on Word to upgrade to Office 2016. I did one Office update last year, for security, etc. via Word, manually, to sidestep automatic Office upgrades, was solution found after researching how to get rid of that horrible banner.

Now taking steps to stay offline as much as possible and see what happens with the Wannacry upset. Starting yesterday,  listen to music on Youtube via earbuds and an inactive smartphone with wifi, no google acct turned on, etc. So no need to have internet on while working. heheh more productivity bonus also. So will control online usage even more, for email, updates, etc. Changed Google settings after reading about security flaw here, so no automatic downloads.

Questions: (re: Important Updates)

1. Is it still important to update IE11 if not using other Microsoft products? No Edge, Flash, Silverlight, etc. I am reading one thread from this forum now, but I don’t understand why it is so critical. I do not want to waste anyone’s time explaining, but would love to be pointed in a direction if one exists, to read and understand.

2. How important to update Visual Studio 2010 Tools for Office Runtime? I did not update Office via Word yesterday; I did not update for maybe 2 years before March, no problems.

Thanks again for your help on this! I spent 2 days on this in all, and now know more about my machine, so am happy.  dawn

 

 

dhardyindr wrote:

1. Is it still important to update IE11 if not using other Microsoft products?

Yes, it is important to keep IE up to date even if you are not using it because it is an integral part of the operating system and other processes use it. Also, in Win8.1, flash is integrated into IE and is updates through Windows Update as opposed to a separate download/install (although you may have the Npapi Plug-in as a separate installation).

Office has had many vulnerabilities. It is a good thing to keep it updates as well.

2 users thanked author for this post.

dpwoodpecker, dhardyindr

Information for those of you Group B people who are contemplating a move to Group A.

I have recently “sacrificed” one each of my Win7 and Win8.1 VMs to see the effects of moving from Group B to Group A. Let me preface this by saying I have been more or less a hybrid Group B. I have hidden ONLY the telemetry patches as defined in AKB2000003. I do not hide the Monthly Rollups, I just uncheck them before installing. I do not install the drivers from MS, but they are all unchecked optionals. Along these lines, I do not check anything that is unchecked by default.
Since I did not install the telemetry patches, I did not have the Diagnostic Tracking Service installed. I have all the tasks under “Application Experience,” “Autochk,” and “CEIP” disabled in Task Scheduler. I have always had CEIP = NO
I have ALWAYS had “Give me recommended” and “Give me updates for other MS products” checked. I have seen no adverse effects. I have been lucky in that I’ve had no problematic patches on any my machines. Since Oct 2016, there have been few “optionals” other than the “Previews,” and all have been unchecked by default.

Since Nov 2016, I have downloaded and installed the Security-only Updates and lately the IE11 patches. These I have installed manually, then unchecked the Monthly Rollup in WU and installed the rest that were checked by default.

To make the transition, I unhid KB3068708 and KB3080149 on the Win7 and KB3080149 (KB3068708 was not hidden or offered) on the Win8.1 (@MrBrian now recommends installing them), then installed those patches along with the Monthly Rollup.

On the Win7, the tasks in the Task Scheduler under Application Experience, Autochk, and CEIP remained disabled. The Diagnostic Tracking Service was installed but was Disabled by default.
On the Win8.1, the tasks remained disabled as well. The Diagnostic Tracking Service was installed and was on Automatic by default.
CEIP = NO remained on both.

2 users thanked author for this post.

Cascadian, Noel Carboni

Sharing experience is greatly appreciated.

And of course there’s nothing now stopping you from disabling additional services if you want. I’ve found that the system will run fine without the Diagnostic Tracking Service enabled.

Out of curiosity, do you monitor communications at all? If so, do you see the systems now regularly contacting anything they weren’t before?

-Noel

No, I don’t monitor. But if it slows down I’ll know where to look, since that is the only change I’ve made lately.
BTW, I did disable the Diagnostic Tracking Service in the Win8.1 after the fact. If the VM increases in size drastically, (like blowing up a balloon with a hose pipe?), I’ll start looking for the data cache that can’t be sent .

Did a recent catch up of security patches (one by one) and they all went fine bar January which said was “not compatible with your machine” Win764bit.

Hope the January update wasn’t critical.

Group B

 

The January Update is more or less a negligible relic of a lackluster Patch Day. It’s a follow-up to KB3167679. So are KB4012212, KB4015546 and KB4019263. Considering the file size, KB3212642 seems to be nothing but a follow-up to KB3167679, making March, April and May Updates not only supersede KB3167679, but also that one’s January successor.

Regards, VZ

Thanks VZ, Really appreciate that help, Thanks! 🙂

In AKB2000003, Step B2 states that the Windows Update Service should be stopped before installing a downloaded patch.  Why?  In previous months, I’ve followed woody’s instructions for Group B in his InfoWorld articles and he did not suggest stopping the Windows Update Service.  And my patches appear to have installed OK without stopping the Windows Update Service.

In many cases stopping (not disabling) the service will shorten the “searching for updates” time. The service will restart on reboot.

Thank you for the reply. However, in Step B2, I don’t understand what updates you are searching for.

You first download the security-only patch and cumulative update for IE11 either by following the links in AKB2000003 or, as I do, directly from the MS Catalog. Then, you stop the Windows Update Service. Then you install the patches. And then you reboot. (This is my interpretation of the “substeps” in Step B2.)

So what updates are you searching for? It is not until Step B3 that you need to search manually for additional updates using Windows Update. And, by that time, the Windows Update Service will have been restarted.

The reference is not about using the “search for updates” link,
When you double click on the downloaded .msu file, if you watch the box that pops up, you will find that the update installer goes through the process of searching for updates for a period of time (short or long). You will see it more readily if you install the IE patch without rebooting. Stopping the service and then leaving the Services window open while installing can, in some cases, reduce this time.

OK, thank you once again. I’ll look out for this the next time I install a patch using a .msu file. As I stated previously, I’ve never stopped the Windows Update Service before running a .msu file (I use Start > Run… rather than double clicking) and I’ve never noticed any perceptible delay.

Has MS dropped the security only patches for .net framework 4.6.1 for win7 sp1 x64? as I’m only seeing the security and quality ones in their ms catalogue there was an April security only patch

April .NET security only was KB4014985. Here is the Catalog link

Has MS dropped the security only patches for .net framework 4.6.1 for win7 sp1 x64? as I’m only seeing the security and quality ones in their ms catalogue there was an April security only patch

https://support.microsoft.com/en-us/help/4019108/security-only-update-for-the-net-framework-3-5-1-4-5-2-4-6-4-6-1-and-4

Says that it’s for Win7 sp1  but the catalogue says it’s for 2008 server ???

I don’t see a MAY security only patch for Win7 .NET

Links to May security only .NET patches were uploaded last week, here:
https://www.askwoody.com/forums/topic/security-only-net-updates-may-2017/

1 user thanked author for this post.

HiFlyer

anonymous wrote:

Has MS dropped the security only patches for .net framework 4.6.1 for win7 sp1 x64? as I’m only seeing the security and quality ones in their ms catalogue there was an April security only patch

https://support.microsoft.com/en-us/help/4019108/security-only-update-for-the-net-framework-3-5-1-4-5-2-4-6-4-6-1-and-4

Says that it’s for Win7 sp1 but the catalogue says it’s for 2008 server ???

THANKS Anonymous – I did write to PKCano earler today about the EXACT same issue – earlier this week I was able to download NET Security Only patches 4014599 ( Net 4.5.2 ) and also 4014579 ( Net 3.5.1 ) and install them on my 3 computers – I then deleted them from downloads as I no longer needed them. Then a friend wanted me to install them on his machines but when I went to the Windows Update Catalogue they were NO LONGER THERE as individual downloads…… so I asked PKCano – if those individual patches had been pulled ????? …… something has happened ….

He advised to then use the Security ROUNDUP version …. something I was trying to avoid ….preferring the Group B Security ONLY versions

Kirsty wrote:

Links to May security only .NET patches were uploaded last week, here: https://www.askwoody.com/forums/topic/security-only-net-updates-may-2017/

Kirsty

I just checked kb4019108 on the Windows Catalog site.

That is listed as “May, 2017 Security Only Update for .NET Framework 3.5.1 on Windows Server 2008 R2 for Itanium-based Systems (KB4019108)”

There is nothing for Security Only Update for .Net Framework for 4.5 Windows server 2008 R2 for May.  There is only a “rollup”.
Are they only offering a “rollup” now for .Net Framework?
and…. do I really even need .Net Framework?

Windows7 64bit Windows Server 2008 R2
I checked my programs and I have 4.5 version of .Net Framework.

See my post here and the related comments.
https://www.askwoody.com/forums/topic/ms-defcon-3-get-patched-and-brace-yourself-for-a-malware-as-a-service-future/#post-118487

3 users thanked author for this post.

Kirsty, dgreen, HiFlyer