Group B – Win7/8.1 “Missing” updates, Hiding Rollups, Security-only patches

Topic

New Reply

I did some testing in response to the report that Group B was “missing” a large number of Security Updates by UNCHECKING (not installing) the “Security Monthly Quality Rollups” instead of hiding them.
If you get bogged down with the data, read the top and bottom text of Parts 1 and 2 and the synopsis in Part 3.

This Topic consists of three parts, separated into three replies, because of the length.

Part 1 – Hiding Rollups on a Clean Install
Part 2 – Installing Group B “Security Only Quality Updates” on a Clean Install
Part 3 – Implications, Observations and Conclusion

7 users thanked author for this post.

fl, walker, abbodi86, Elly, AJNorth, woody, ch100

Reply | Quote

Replies

Part 1 – Hiding Rollups on a Clean install

I saw a report that those following the Group B method of installing security-only patches resulted in a huge “missing Security updates list.” The list was generated by hiding the Oct 2016 – Sept 2017 Security Monthly Quality Rollups on a security-only up-to-date machine, then running a check for updates.

I decided to start from the other end – a Clean Install.

I did an OFFLINE clean install of Windows Home Premium SP1 32-bit. Still OFFLINE, I installed KB3020369, KB3138612, KB3177467, and KB3172605.
ONLINE, I set Windows Update to “Never Check” and CHECKED the box “Give me recommended updates the way I get important ones.”
I did a search for updates and recorded the numbers of the Updates. This is the “original important updates list.”

Starting with 184 important and 8 optional updates

1. Hiding 4038777 2017-09 Rollup (Sept), search for updates
186 important and 8 optional updates
Added updates
4034664 2017-08 (Aug) Rollup
3170455 Security
2798162 Win Update

2. Hiding 4034664 2017-08 Rollup (Aug), search for updates
187 important and 8 optional updates
Added updates
4025341 2017-07 (Jul) Rollup
2868116 Win Update
2929733 Win Update
3021917 Win Update (unchecked)

3. Hiding 4025341 2017-07 Rollup (July), search for updates
190 important and 8 optional updates
Added updates
4022719 2017-06 (Jun) Rollup
2840149 Security
3042553 Security
3121255 Win Update

4. Hiding 4022719 2017-06 Rollup (June), search for updates
191 important and 8 optional updates
Added updates
4019264 2017-05 (May) Rollup
3080446 Security

5. Hiding 4019264 2017-05 Rollup (May), search for updates
194 important and 8 optional updates
Added updates
4015549 April 2017 Rollup
2503665 Security
2957189 Security
3138901 Win Update

6. Hiding 4015549 April 2017 Rollup, search for updates
201 important and 8 optional updates
Added updates
4012215 March 2017 Rollup
2676562 Security
3108678 Security
3123479 Security
3146706 Security
3149090 Security
3156017 Security
3118401 Win Update

7. Hiding 4012215 March 2017 Rollup, search for updates
204 important and 8 optional updates
Added updates
3212646 January 2017 Rollup
3161561 Security
3177186 Security

8. Hiding 3212646 January 2017 Rollup, search for updates
207 important and 8 optional updates
Added updates
3207752 December 2016 Rollup
2570947 Security
3033889 Security
3087039 Security

9. Hiding 3207752 December 2016 Rollup, search for updates
211 important and 8 optional updates
Added updates
3197868 November 2016 Rollup
2993651 Security
3109094 Security
3164035 Security
3185911 Security

10. Hiding 3197868 November 2016 Rollup, search for updates
215 important and 8 optional updates
Added updates
3185330 October 2016 Rollup
2511455 Security
4164033 Security
3184122 Security

11. Hiding 3185330 October 2016 Rollup, search for updates
227 important and 8 optional updates
Added updates
3005607 Security
3033929 Security
3076949 Security
3124280 Security
3138962 Security
3145739 Security
3146963 Security
3168965 Security
3175024 Security
3178034 Security

I have not installed anything on this machine, simply sequentially hidden the Monthly Rollups. For all practical purposes, this is still a Clean Install.

So, at first glance, it would seem that simply UNCHECKING (i.e. not installing), but not hiding, the October 2016 -September 2017 Rollups, would leave the Group B participants with a large “missing Security updates list.”

Next, I am going to install all the “Group B Security Only Quality Updates”, leaving the October 2016 – September 2017 Rollups hidden. I want to see how many of these “missing security updates” will disappear, implying that they are actually replaces/superseded by the Group B security-only Updates.

7 users thanked author for this post.

fl, walker, AJNorth, woody, HiFlyer, Elly

Reply | Quote

Part 2 – Installing Group B security-only patches on a Clean Install

I did an OFFLINE clean install of Windows Home Premium SP1 32-bit. Still OFFLINE, I installed KB3020369, KB3138612, KB3177467, and KB3172605.
ONLINE, I set Windows Update to “Never Check” and CHECKED the box “Give me recommended updates the way I get important ones.”
I did a search for updates and recorded the numbers of the Updates. There were 184 important updates and 8 optional updates in the “original important updates list.”

Then I sequentially hid the Monthly Rollups from Sept 2017 to Oct 2016. On hiding the latest one and searching for updates, the next earlier one appeared in the important update list. In the end, all Rollups were hidden from Oct 2016 to Sept 2017.

Next, I searched for updates. Then I began installing the “Security Only Quality Updates,” beginning with Oct 2016 through Sept 2017.

Starting with 227 important and 8 optional updates

1. Installing 3192391 October 2016 Security Only Update, search for updates
221 important and 9 optional updates
Removed “missing” updates
3076949 Security
3124280 Security
3145739 Security
3175024 Security
3178034 Security
3138901 Win Update

2. Installing 3197867 November 2016 Security Only Update, search for updates
215 important and 9 optional updates
Removed “missing” updates
2511455 Security
2570947 Security
3033889 Security
3087039 Security
3164033 Security
3184122 Security

3. Installing 3205394 December 2016 Security Only Update, search for updates
210 important and 9 optional updates
Removed “missing” updates
2993651 Security
3108670 Security
3109094 Security
3164035 Security
3185911 Security

4. Installing 3212642 January 2017 Security Only Update, search for updates
210 important and 9 optional updates
Removed “missing” updates
NONE

5. Installing 4012212 March 2017 Security Only Update, search for updates
207 important and 9 optional updates
Removed “missing” updates
3146963 Security
3161561 Security
3177186 Security

6. Installing 4015546 April 2017 Security Only Update, search for updates
206 important and 9 optional updates
Removed “missing” updates
3146706 Security
3156017 Security

7. Installing 4019263 2017-05 (May) Security Only Update, search for updates
202 important and 9 optional updates
Removed “missing” updates
2503666 Security
2957189 Security

8. Installing 4022722 2017-06 (Jun) Security Only Update, search for updates
201 important and 9 optional updates
Removed “missing” updates
3080446 Security

9. Installing 4025337 2017-07 (Jul) Security Only Update, search for updates
198 important and 9 optional updates
Removed “missing” updates
2840149 Security
3042553 Security
3121255 Win Update

10. Installing 4034679 2017-08 (Aug) Security Only Update, search for updates
197 important and 9 optional updates
Removed “missing” updates
2929733 Win Update

11. Installing 408779 2017-09 (Sep) Security Only Update, search for updates
194 important and 9 optional updates
Removed “missing” updates
3170455
2798162

After installing the “Security Only Updates” with the Monthly Rollups hidden, I compared the “final important updates list” with the “original important updates list” to see how many of the “missing security updates” were still missing.

Of the original list of updates that Group B was “missing” by not hiding the Monthly Rollups, “final important updates list” still had these “missing” updates.
2676562 Security
3005607 Security
3033929 Security
3123479 Security
3138962 Security
3149090 Security
3168965 Security
2868116 Win Update
3021917 Win Update
3118401 Win Update

The fact that there were considerably fewer “missing” security updates after the installation of the “Security Only Quality Updates”, seems to imply that the “missing” updates are being superseded by the security-only patches. If that is the case, Group B may not be not “missing” as many security updates as was originally thought if they uncheck, instead of hide, the Rollups.

8 users thanked author for this post.

fl, walker, AJNorth, SueW, woody, HiFlyer, Elly

Reply | Quote

Part 3 – Implications, Observations and Conclusion

Implications:
1. The fact that there were considerably fewer “missing” security updates after the installation of the “Security Only Quality Updates”, seems to imply that the “missing” updates are being superseded/replaced by the security-only patches. If that is the case, Group B may not be not “missing” as many security updates as was originally thought if they uncheck, instead of hide, the Rollups.

2. Perhaps, the problem lies in the update supersedence chain. Windows Update is a mess, and it would not be the first time that the supersedence chain has been broken. Recently, we have had old updates show up in windows Update with some regularity. Are they really needed (“missing”) or is it because the supersedence metadata is not correct. The problem is, you are never sure.

3. I am not one for hiding updates. But once you start hiding the Monthly Rollups, you will have to hide them all, and keep hiding them in the future if you want to stay in Group B. That is, IF you are really “missing” updates if you don’t hide them. And hiding Updates may also involve hiding .NET Rollups as well if you want to install .NET security-only updates.

Observations:
 1. Who is going to generate and maintain the list of Updates that need to be hidden? If you don’t have a definitive list to go by, how are you going to know if you have or have not missed one. To me, an ever growing list of Updates to be hidden is shades of GWX.

2. Group B is getting harder and harder to maintain. especially for the average non-technical user, not only considering these findings but for other reasons. And there are updates, like the servicing-stacks, and even some .NET updates, that won’t show up in Windows Update as long as there is a pending, CHECKED, important update in the queue. These will have to be downloaded and manually installed from now on if the Monthly Rollups are not hidden. So, other stand-alone Updates will have to be added to the list of manual installs.

3. What worked for a Clean install for Group B in the past has now become a nightmare. I still haven’t come up with a procedure to replace my suggested Clean Install method. And it needs replacing.

Conclusion:

I am going to make an attempt to revise the Group B instructions and come up with procedure for a Clean Install.

But, to be honest, I am seeing Group B as a lost cause. I am coming to the conclusion that the Group B thing is not even for the half-way tech savvy average user, which includes most of the people trying to use it on this site. And trying to add .NET into the mix is just adding fuel to the fire.
I really don’t like the idea of hiding all those updates. And at this point I think the supersedence chain is as messed up as Microsoft itself. Without going through and checking version numbers of every critical file in Windows (an impossible task), I don’t think anyone really knows what they have.

In fact, I have converted all my machines, and those I support, to Group A, using other methods to curtail the telemetry. I am not going to stop all of it, and I certainly am not going to go to the extremes Noel Carboni does block it. I think I can reduce telemetry to a level I can live with using one-time settings that are easy enough for the average user to manage.

9 users thanked author for this post.

fl, walker, abbodi86, AJNorth, woody, ch100, SueW, HiFlyer

Reply | Quote

@PKCano I think that there should be less concern about avoiding updates and trying to control telemetry via Task Scheduler as already mentioned. Avoiding updates like KB2952664 raises another set of issues due to this update being updated itself often.
There are in reality only 2 scheduled tasks required to be blocked, while the other tasks often mentioned obey with the CEIP setting.
As I said in the past, this tool can provide further insight into optimising various versions of Windows and those guys are not the regular backyard optimisers often mentioned here and on other forums, but the real deal.
https://labs.vmware.com/flings/vmware-os-optimization-tool

3 users thanked author for this post.

fl, AJNorth, woody

Reply | Quote

Back when KB2952664 first appeared, I did some investigations and found one of the places it made changes was in Task Scheduler in Application Experience. For that reason I disable the tasks there.

1 user thanked author for this post.

walker

Reply | Quote

PKCano wrote:

Back when KB2952664 first appeared, I did some investigations and found one of the places it made changes was in Task Scheduler in Application Experience. For that reason I disable the tasks there.

Exactly so. 🙂

Reply | Quote

Thank you to PKCano for starting this thread. I haven’t read PKCano’s posts yet, but I will soon. I have also done a considerable amount of testing regarding this issue. I’ll post my results and commentary within the next few days. Within the past few weeks, I started a topic called “Unwanted Win updates must be hidden to ensure that you see all available updates,” but unfortunately due to site issues it’s now unavailable. Fortunately I saved most of my posts in that topic on my computer, and I will soon repost them.

4 users thanked author for this post.

walker, SueW, HiFlyer, Elly

Reply | Quote

“And there are updates, like the servicing-stacks, and even some .NET updates, that won’t show up in Windows Update as long as there is a pending, CHECKED, important update in the queue.”

This applies to Group A also. I have a screenshot illustrating this issue that I will post soon.

3 users thanked author for this post.

walker, HiFlyer, Elly

Reply | Quote

Please review my latest results on the hiding aspect of this new development.

https://askwoody.com/forums/topic/patch-tuesday-patches-are-out-2/#post-136658

Win 8.1 (home & pro) Group B, W10/11 Avoider, Linux Dabbler

1 user thanked author for this post.

HiFlyer

Reply | Quote

Are you asking why the .NET Framework monthly rollups aren’t on your list of hidden updates?

Reply | Quote

Those interested in technical details about supersedence may wish to read The different types of Windows update supersedence.

3 users thanked author for this post.

walker, SueW, HiFlyer

Reply | Quote

An anonymous post (now available at https://askwoody.com/forums/topic/missing-security-updates-as-from-ms16-027-in-group-b-fresh-installation/) intrigued me and caused me to further investigate. My conclusion: For Windows 7 users (and probably also Windows 8.1 users), when using Windows Update, you must hide all unwanted updates in order to guarantee that all available updates are listed. There are two different reasons for the need to hide unwanted updates: 1) In Windows Update, the presence of an unwanted update suppresses the listing of wanted update(s) that are metadata-superseded by the unwanted update 2) some updates need to be installed exclusively (i.e. by themselves).

7 users thanked author for this post.

GoneToPlaid, Cascadian, L95, walker, AJNorth, HiFlyer, Elly

Reply | Quote

It’s weird: I could swear that in the (recent) past we have been advised on this site not to hide recommended/important updates that are left uninstalled for fear of upsetting the supercedence. However it now appears that failing to hide such updates will cause problems. Personally, I just kept on hiding them because that’s what I’ve always done, without bothering whether it was politically correct.

Reply | Quote

See https://askwoody.com/forums/topic/group-b-win78-1-missing-updates-hiding-rollups-security-only-patches/#post-137006.

1 user thanked author for this post.

walker

Reply | Quote

A third reason has been found: In Windows Update, the presence of an unwanted update suppresses the listing of wanted update(s) due to the wanted update having attribute supersedenceBehavior=1, which seems to alter the usual rules of metadata-supersedence. Example: see https://www.askwoody.com/forums/topic/kb4088875-more-questions/#post-178544.

2 users thanked author for this post.

Elly, Cascadian

Reply | Quote

Background technical info: When you use Windows Update to check for Windows updates in Windows 7 (and I assume also in Windows 8.1), the following seems to happen behind the scenes (simplified version):

1. The Windows Update client gets a list of all applicable updates that are not installed on your computer.

2. Any updates in the list in step 1 that you have previously marked as hidden are removed from the list.

3. Any updates in the list in step 2 that Microsoft considers to be metadata-superseded (first type of supersedence at https://askwoody.com/forums/topic/the-different-types-of-windows-update-supersedence/) by any other updates in the list in step 2 are removed from the list.

In Windows Update you see the updates that remain after step 3 is done.

2 users thanked author for this post.

walker, Elly

Reply | Quote

And that should apply in the research that I did as well. So how do you account for the difference in the huge list of “missing” updates that are generated on a fully patched Group B install by hiding the Rollups, and the much smaller list from my findings?

Reply | Quote

My list in https://askwoody.com/wp-content/uploads/2017/10/2-Hid-all-Windows-rollups.png shows 9 updates that were applicable (not counting KB3177467 which was listed after installing those 9 updates and then rebooting). I didn’t start with a clean installation because I was merely trying to establish whether there are circumstances in which not hiding updates can cause a user who thinks they are up-to-date are actually missing applicable updates. If I were to try this test again at a later date, some of those 9 updates might no longer be listed, while other update(s) might appear which aren’t in that list.

1 user thanked author for this post.

walker

Reply | Quote

Supersedence isn’t as easily understood as I’d like it to be.

Strange how they disappeared like that.  The last time that happened was because I was hiding GWX updates & they got duped in the important list.  Since then I have not hidden anything to avoid similar occurrences.

That hide test I did with those rollups presented me with nothing useful.  Which leads me to believe that it might not be mission critical to how I go about updating group B style.  At some point I may even unhide the stragglers that didn’t disappear, shrugs indifferently.

Win 8.1 (home & pro) Group B, W10/11 Avoider, Linux Dabbler

Reply | Quote

Test: I started with a Windows 7 x64 Service Pack 1 virtual machine that had last been updated in September 2016 (thus had no Windows monthly rollups installed), had few if any security updates installed, and had many non-security updates installed. Then I installed all Important Windows updates except for the Windows monthly rollups. At this point no Windows security-only updates were installed.

Here are screenshots showing which Important updates were listed in Windows Update without hiding any Windows monthly rollups vs. hiding all Windows monthly rollups:

 

4 users thanked author for this post.

walker, Elly, HiFlyer

Reply | Quote

Many of the “missing” updates in my Part 1 section  were dated before Sept 2016 and would thus have been already installed on this machine. Unless you start with a Clean Install it seems your results could be skewed.

1 user thanked author for this post.

HiFlyer

Reply | Quote

‘Many of the “missing” updates in my Part 1 section  were dated before Sept 2016 and would thus have been already installed on this machine.’

That’s true for those that installed those updates before the existence of the monthly rollups. In other cases though, such as a clean installation, that won’t be the case.

2 users thanked author for this post.

walker, HiFlyer

Reply | Quote

Test: Continuing from post #136969….

Then I installed all Windows security-only updates (as of September 2017) and also the September 2017 Internet Explorer cumulative update. At this point, one might have expected this computer to be up-to-date on security updates, right (I did this test before October 10, 2017)? Wrong!

Here are screenshots showing which Important updates were listed in Windows Update without hiding any Windows monthly rollups vs. hiding all Windows monthly rollups:

 

3 users thanked author for this post.

walker, HiFlyer

Reply | Quote

Test: Continuing from post #136981….

Does installing any of the updates listed in image “2-Hid-all-Windows-rollups” of post #136981 install anything important? I used a program to note which files were present before and after installing those updates, and also got the Windows Media Player version in its user interface before and after installing those updates.

Here is a list of the changed executable files in folder c:windows\system32:

audiodg.exe    6.1.7601.17514    2010-11-20 06:24.28    126,464        old
6.1.7601.18741    2015-02-02 22:30.19    126,464        new
AudioEng.dll    6.1.7600.16385    2009-07-13 20:40.04    440,832        old
6.1.7601.18741    2015-02-02 22:30.55    440,832        new
AUDIOKSE.dll    6.1.7600.16385    2009-07-13 20:41.53    499,712        old
6.1.7601.18741    2015-02-02 22:31.05    500,224        new
AudioSes.dll    6.1.7601.17514    2010-11-20 06:25.44    296,448        old
6.1.7601.18741    2015-02-02 22:30.55    296,448        new
audiosrv.dll    6.1.7601.17514    2010-11-20 06:25.44    679,424        old
6.1.7601.18741    2015-02-02 22:30.55    680,960        new
blackbox.dll    11.0.7601.17514    2010-11-20 06:25.48    840,192        old
11.0.7601.18741    2015-02-02 22:30.55    842,240        new
cryptsp.dll    6.1.7600.16385    2009-07-13 20:40.24    79,872        old
6.1.7601.18741    2015-02-02 22:30.56    82,432        new
cryptui.dll    6.1.7601.17514    2010-11-20 06:26.00    1,065,984        old
6.1.7601.18741    2015-02-02 22:30.56    1,069,056        new
drmmgrtn.dll    11.0.7601.17514    2010-11-20 06:26.08    495,104        old
11.0.7601.18741    2015-02-02 22:30.57    497,664        new
drmv2clt.dll    11.0.7600.16385    2009-07-13 20:40.33    1,200,640        old
11.0.7601.18741    2015-02-02 22:30.57    1,202,176        new
dxmasf.dll    12.0.7601.17514    2010-11-20 06:27.26    5,120        old
12.0.7601.19148    2016-02-09 04:56.09    5,120        new
EncDump.dll    5.0.1.1    2009-07-13 20:40.37    283,648        old
5.0.1.1    2015-02-02 22:30.58    284,672        new
msdxm.ocx    12.0.7601.17514    2010-11-20 06:27.26    5,120        old
12.0.7601.19148    2016-02-09 04:56.09    5,120        new
msnetobj.dll    11.0.7601.17514    2010-11-20 06:27.06    325,632        old
11.0.7601.18741    2015-02-02 22:31.03    325,632        new
msscp.dll    11.0.7601.17514    2010-11-20 06:27.08    641,024        old
11.0.7601.18741    2015-02-02 22:31.03    641,024        new
pcadm.dll    6.1.7600.16385    2009-07-13 20:41.53    37,376        old
6.1.7601.18741    2015-02-02 22:31.04    37,376        new
pcaevts.dll    6.1.7600.16385    2009-07-13 20:32.05    8,704        old
6.1.7601.18741    2015-02-02 22:29.19    8,704        new
pcalua.exe    6.1.7600.16385    2009-07-13 20:39.26    9,728        old
6.1.7601.18741    2015-02-02 22:30.36    9,728        new
pcasvc.dll    6.1.7600.16385    2009-07-13 20:41.53    186,368        old
6.1.7601.18741    2015-02-02 22:31.04    188,416        new
pcawrk.exe    6.1.7600.16385    2009-07-13 20:39.26    11,264        old
6.1.7601.18741    2015-02-02 22:30.36    11,264        new
samlib.dll    6.1.7600.16385    2009-07-13 20:41.53    107,008        old
6.1.7601.23390    2016-03-15 19:16.10    106,496        new
samsrv.dll    6.1.7601.17514    2010-11-20 06:27.26    758,784        old
6.1.7601.23390    2016-03-15 19:16.10    760,320        new
spwmp.dll    6.1.7601.17514    2010-11-20 06:27.24    9,728        old
6.1.7601.19148    2016-02-09 04:54.38    9,728        new
tzres.dll    6.1.7601.23497    2016-07-08 10:32.47    2,048        old
6.1.7601.23511    2016-08-05 10:30.32    2,048        new
wmdrmsdk.dll    11.0.7601.17514    2010-11-20 06:27.30    781,312        old
11.0.7601.18741    2015-02-02 22:31.23    782,848        new
wmp.dll    12.0.7601.17514    2010-11-20 06:27.30    14,633,472        old
12.0.7601.19148    2016-02-09 04:57.04    14,634,496        new
wmploc.DLL    12.0.7601.17514    2010-11-20 06:16.14    12,625,920        old
12.0.7601.19148    2016-02-09 04:57.08    12,625,920        new

Some other folders had important file changes also.

So, does installing any of the updates listed in image “2-Hid-all-Windows-rollups” of post #136981 install anything important? Answer: Yes!

3 users thanked author for this post.

HiFlyer, Elly

Reply | Quote

Test: Continuing from post #136989….

So now we’ve installed all Important updates, right? No! I checked for Windows Updates again. Servicing stack update KB3177467 was now available. Notice that the Optional tab isn’t present in the screenshot below. Also notice from the Install Resources tab of https://www.catalog.update.microsoft.com/ScopedViewInline.aspx?updateid=16740a04-df6d-4be3-b27f-f7cdb287ebf2 that Microsoft states that KB3177467 must be installed exclusively of other updates. Thus, I believe that Windows Update shows exclusive updates only when no other Important updates are listed. This is the second reason for my advice of hiding all unwanted (or at least all Important) Windows updates when updating Windows, and it applies to Group A also.

4 users thanked author for this post.

walker, HiFlyer, Elly

Reply | Quote

As a result of these issues, here is the algorithm that I now use when updating Windows 7 (I am in Group A):

1. Check for Windows updates.

2. Hide all Windows updates that you don’t intend to install now. If you hid any updates during this step, go to step 1.

3. Install desired Windows updates. Reboot if asked. If you installed any updates during this step, go to step 1.

4. (Optional) Unhide any hidden updates that you may want to install in the future, so that you don’t forget about them.

I wrote a .vbs script that hides all applicable updates that have a given description. For example, it can be used to hide all applicable Windows monthly rollups and Windows preview monthly rollups by targeting “monthly quality rollup”. I have used this script on my home computers. I will make it available if anybody requests.

Free program Windows Update MiniTool has a checkbox “Include superseded” that when ticked can be used to hide all unwanted applicable updates in one pass. Woody’s thoughts on Windows Update MiniTool are at https://www.askwoody.com/2017/in-praise-of-windows-update-minitool/. I recommend that Windows 7 and 8.1 users don’t use Windows Update MiniTool with checkbox “Include superseded” unticked to install updates due to this issue.

6 users thanked author for this post.

walker, SueW, woody, HiFlyer, Elly

Reply | Quote

My unofficial modifications to Group A and Group B instructions are at https://askwoody.com/forums/topic/new-directions-for-win-7-and-8-1-patching/#post-138998.

1 user thanked author for this post.

walker

Reply | Quote

I also did similar tests that show that the same metadata-supersedence issue can affect those who install the .NET Framework security-only updates and don’t hide the .NET Framework monthly rollups. More details are in a comment I wrote at https://blogs.msdn.microsoft.com/dotnet/2017/09/12/net-framework-september-2017-security-and-quality-rollup/.

3 users thanked author for this post.

HiFlyer, Elly

Reply | Quote

Question: Is everybody reading this who uses Windows 7 or 8.1 and doesn’t follow my algorithm from post #137001 missing applicable updates?

Answer: Not necessarily. However, I believe I have established that there are scenarios in which those who don’t follow my algorithm from post #137001 are missing applicable updates.

2 users thanked author for this post.

SueW, Elly

Reply | Quote

Some may recall reading advice from others on this site to not hide updates. I started a relevant topic earlier this year: What issues can result from hiding a Windows update?

I have seen no evidence that hiding updates causes any issues.

3 users thanked author for this post.

walker, Volume Z, Elly

Reply | Quote

Prior mention of these issues:

https://www.askwoody.com/forums/topic/comments-on-akb-2000003-ongoing-list-of-group-b-monthly-updates-for-win7-and-8-1/#post-117084

https://www.askwoody.com/forums/topic/is-the-group-b-approach-of-installing-security-only-updates-still-viable/#post-118228

https://askwoody.com/forums/topic/why-kb971033-should-be-uninstalled-and-hidden-on-windows-7/

https://social.technet.microsoft.com/Forums/systemcenter/en-US/8c86e58a-5e02-4037-a7be-b89a72f52898/how-to-decline-superseded-updates-correctly?forum=winserverwsus

Also note that the developers of WSUS Offline Update (not from Microsoft) appear to be aware of these issues; some of the “seconly” (i.e. security only) files at https://svn.wsusoffline.net/svn/wsusoffline/tags/wsusoffline11.0.2/client/static/ list pre-October 2016 updates that are needed for security-only users but not for monthly rollup users.

3 users thanked author for this post.

fl, Elly

Reply | Quote

@MrBrian
I have to ask these questions:
+ Is this procedure for most of the people on this site who are trying to follow Group B patching, and for the general user reading these Forums?

+ Who is going to generate and maintain the list of patches that shouldn’t be installed and need to be hidden? Or the list of hidden patches that need to be unhidden and installed ?

3 users thanked author for this post.

walker, HiFlyer

Reply | Quote

“Is this procedure for most of the people on this site who are trying to follow Group B patching, and for the general user reading these Forums?”

It’s the update procedure that I now use. I recommend that Group A, Group B, and any other update instructions be updated to mitigate these issues. I will certainly help if I am asked. Until the instructions are updated, immediately after following those instructions, readers can follow my algorithm to list updates that previously weren’t listed. The basic idea of my algorithm: any update listed in Windows Update should either be installed or hidden.

“Who is going to generate and maintain the list of patches that shouldn’t be installed and need to be hidden? Or the list of hidden patches that need to be unhidden and installed?”

I think there is no need for such lists. The updates that the previous instructions would have not installed (i.e. are unticked) should now be hidden, in my opinion.

1 user thanked author for this post.

walker

Reply | Quote

As an example, I’ll now explain why the March 2016 KB3138962 security update for Windows Media Player is not applied for some Group B users.

Fact #1: Read post #136954.

Fact #2: An updated version of Windows Media Player thus far has not been included in any of the Windows 7 Windows security-only updates. This is not a mistake by Microsoft because there apparently have been no security updates for Windows Media Player between October 2016 and September 2017.

Fact #3: All Windows 7 Windows monthly rollups since October 2016 have included v12.0.7601.23517 of Windows Media Player. The documented reason for inclusion of v12.0.7601.23517 of Windows Media Player is the non-security reason “Removed the Copy Protection option when ripping CDs in Windows Media Audio (WMA) format from Windows Media Player.” (The October 2016 Windows 7 monthly rollup includes the changes from the Optional September 2016 rollup.)

Fact #4: Since v12.0.7601.23517 of Windows Media Player is later than v12.0.7601.19148 that is installed by KB3138962, we can assume that v12.0.7601.23517 of Windows Media Player includes the fix in KB3138962.

Fact #5: Since v12.0.7601.23517 of Windows Media Player is later than v12.0.7601.19148 that is installed by KB3138962, and since both are security-related updates, it shouldn’t be surprising that Microsoft considers KB3138962 to be metadata-superseded by all of the Windows 7 monthly rollups since October 2016. You can see this by looking at the Package Details tab of https://www.catalog.update.microsoft.com/ScopedViewInline.aspx?updateid=aa68972f-8750-4215-b225-330dcd851217.

Thus, if you had not installed KB3138962 before the October 2016 Windows 7 Windows monthly rollup was released on October 11, 2016, you will not see KB3138962 listed in Windows Update anymore after October 11, 2016 unless you hide all of the Windows 7 monthly rollups, because all of the Windows 7 monthly rollups metadata-supersede KB3138962 (Fact #5), and Windows Update doesn’t show available updates that are metadata-superseded by other available updates (Fact #1) . Since Group B doesn’t install the Windows monthly rollups, and since none of the Windows 7 security-only updates thus far have included Windows Media Player (Fact #2), perhaps you can now see the reason why some Group B users have a version of Windows Media Player before the version that KB3138962 installs, while Group A users have a version of Windows Media Player that includes the fixes in KB3138962 (Fact #3 and Fact #4).

4 users thanked author for this post.

walker, Elly, ch100

Reply | Quote

In short: KB3138962 applies whenever the September 2016 Rollup Update is missing.

Reply | Quote

Volume Z wrote:

September 2016 Rollup Update

I think I’m getting confused here – didn’t the rollups start in October 2016? I don’t believe there was a September 2016 rollup update, was there?!

Reply | Quote

The September 2016 rollup was actually the first monthly rollup in this series, but it has no security-related updates, and is an Optional update. From October 11, 2016 — KB3185330 (Monthly rollup): “This security update includes improvements and fixes that were a part of update KB3185278 (released September 20, 2016)…”

@Volume Z: I mentioned one of your posts in https://askwoody.com/forums/topic/group-b-win78-1-missing-updates-hiding-rollups-security-only-patches/#post-137008.

1 user thanked author for this post.

Kirsty

Reply | Quote

Hi MrBrian,

interesting enough the non-security KB3185278 supersedes the security KB3138962. The superseding capacity of the Security Monthly Quality Rollups toward KB3138962 is due to the September 2016 Rollup being included in them.

Regards, VZ

Reply | Quote

@Volume Z: KB3185278 for Windows 7 x64 doesn’t metadata-supersede (i.e. first type of supersedence) anything according to https://www.catalog.update.microsoft.com/ScopedViewInline.aspx?updateid=22b15c08-6fe4-499d-81e1-6fd61ea756de. It’s probably true though that after installing KB3185278, KB3138962 will always be considered not applicable because all of its components are component-superseded (second type of supersedence) by the components already present on the computer.

See also https://askwoody.com/forums/topic/group-b-win78-1-missing-updates-hiding-rollups-security-only-patches/#post-137020.

Reply | Quote

It’s probably true that KB3185278 doesn’t metadata-supersede anything – but how to determine this other than referring to the Catalog only? :/

Reply | Quote

Microsoft declares which updates metadata-supersede which other updates. An alternate method of seeing this information is to use a script like this.

2 users thanked author for this post.

walker

Reply | Quote

@MrBrian

The first Windows Update rollup in the current series started in June 2016, being replaced by the July 2016 when it was found that the June 2016 update was faulty.
However, some people consider the current round of rollups being started in May 2016 with KB3125574.

Regardless, this is a lot of effort for nothing.
Most people should update monthly around the Friday after Patch Tuesday and stop being concerned with those issues.
Those maintaining ONE computer should update immediately though.

1 user thanked author for this post.

Reply | Quote

Post from abbodi86 (my bolding):

“I just noticed that KB3185278/KB3185279 rollups CBS name is Package_for_RollupFix (the name shown with Dism tool)
i.e. for win7 x86:
Package_for_RollupFix~31bf3856ad364e35~x86~~7601.23545.1.4

which is the same scheme used in Win10 cumulative updates to ensure old ones get superseded and removed automatically

so this officially makes September rollups the first Monthly Rollup Preview Update“

2 users thanked author for this post.

walker

Reply | Quote

There were earlier Rollups, but they were not cumulative. Group B was originally started to avoid the telemetry that MS was adding to Win7 and Win8.1, and to avoid the “cumulativeness” where you couldn’t choose individual patches. I believe the Oct 2016 Rollup was the first “cumulative” update, but MS didn’t start adding telemetry till the Nov 2016 update.

Just my own choice, I never avoided the Oct 2016 Rollup because I wasn’t as concerned about the content until MS started adding telemetry. I had always had recommended updates checked, so I wasn’t culling changes changes to the Windows OS.

1 user thanked author for this post.

Reply | Quote

I will now explain the first issue further.

Some pre-October 2016 updates are metadata-superseded by the Windows monthly rollups or .NET Framework monthly rollups. Group B doesn’t install the Windows monthly rollups. Some people also don’t install the .NET Framework monthly rollups. Windows Update doesn’t list applicable updates that are metadata-superseded by other applicable updates. Therefore, the presence of Windows monthly rollups or .NET Framework monthly rollups in Windows Update suppresses the listing of the pre-October 2016 updates that they metadata-supersede. In some circumstances, some of the pre-October 2016 metadata-superseded updates are still applicable (as of September 2017).

Hiding unwanted updates fixes this issue because of how Windows Update works.

2 users thanked author for this post.

walker

Reply | Quote

Purg2 wrote:

Please review my latest results on the hiding aspect of this new development. https://askwoody.com/forums/topic/patch-tuesday-patches-are-out-2/#post-136658

MrBrian wrote:

Are you asking why the .NET Framework monthly rollups aren’t on your list of hidden updates?

No, I just find it interesting that my update hiding experiment seems to have had different results.

MrBrian wrote:

Those interested in technical details about supersedence may wish to read The different types of Windows update supersedence.

To which my below statement was made.

Purg2 wrote:

Supersedence isn’t as easily understood as I’d like it to be. Strange how they disappeared like that. The last time that happened was because I was hiding GWX updates & they got duped in the important list. Since then I have not hidden anything to avoid similar occurrences. That hide test I did with those rollups presented me with nothing useful. Which leads me to believe that it might not be mission critical to how I go about updating group B style. At some point I may even unhide the stragglers that didn’t disappear, shrugs indifferently.

And for giggles & laughs, included here is the version of windows media player I have.

https://i.imgur.com/iAw4ElR.png

Perhaps the notion of hiding updates does not apply to the group B members that are up to date (for the most part) & have never done a clean install.  My experience tells me that nothing vital was missed & probably won’t be in the future.  I might be missing something in this discussion & will adapt accordingly if needbe.  You’ve certainly given me plenty to consider.  So I thank you for that.

Win 8.1 (home & pro) Group B, W10/11 Avoider, Linux Dabbler

Reply | Quote

You’re welcome :).

Different people can indeed get different results for the same operating system. Also, whether a given user is missing any applicable updates by not hiding unwanted updates can change from one month to the next.

P.S. Your Windows Media Player version seems to indicate that you are using Windows 8.1. I did my tests on Windows 7 x64 with Service Pack 1 installed.

1 user thanked author for this post.

Purg2

Reply | Quote

PKCano – Thanks so much for your efforts here.

But I take your advice that it’s time for someone like me to drop Group B and go with Group A.  I’m not a tech and I would never try to duplicate your steps above on my wife’s important SOHO machine.

What’s the right way to move from Group B to Group A?  Win 7 Pro 64-bit.

Since some time last year, I’ve been on Group B mostly but not religiously.  So over the last year there are a lot of your Security-Only Updates and IE 11 Only Updates but also a few of the all-inclusive Rollups.

What should I do now to move to Group A and not “miss” anything?

Thanks.

Reply | Quote

It is relatively easy.
1. Reset the SoftwareDistribution database by stopping the WU service and deleting the whole C:\Windows\SoftwareDistribution folder.
2. Scan against Windows Update and install everything offered, less those updates with Preview in title. You may skip those Optional updates, although I am in favour of installing them all, except for the above mentioned Preview updates. Scan repeatedly until there is nothing left. Install ALL Recommended updates too, no exception.

1 user thanked author for this post.

Reply | Quote

Here are the steps I took to move from Group B to Group A, with some additional information I use to reduce telemetry. What I’ve done is basically what @ch100 recommends with the exception that I leave the UNCHECKED optional updates list alone.

I switched over to Group A with the September patch set. I can tell you what I did and how I have my computers set up. Understand this is NOT gospel, and I’m certainly not telling anyone this is what they have to do.

Settings external to Windows Update (to reduce telemetry):
1. In Action Center\Maintenance\Settings – Windows Error Reporting is set to “Never check for solutions.”
2. In Action Center\Change Action Center settings\Related settings: CEIP is set to “No” and Problem reporting is set to “No.”
3. In Administrative Tools\Services – Diagnostics Tracking Service is Disabled. (If is’t not there, it WILL be installed once you start using the Monthly Rollups.)
4. In Administrative Tools\Task Scheduler\Library\Microsoft\Windows – all tasks under Application Experience, Autochk, and CEIP are Disabled.
5. Smart Screen Filter is turned OFF in IE11 in Win7/8.1 and on the desktop in Win8.1
6. Bing is not the default search engine in IE11 and IE11 is not my default browser.

Windows Update Settings:
1. CHECKED “Give me recommended updates the same way I receive important updates”
2. CHECKED “Give me updates for other MS products”
3. Windows Updates set to “Never” or “Let me choose when to download and install”
4. ONLY hidden updates are telemetry related: Win7 KB2952664/3150513, 3021917, 3068708, 3080149; Win8.1 KB2976978/KB3150513, KB3044374, KB3068708, KB3080149. Unhide everything else.

1. Search for updates. If the telemetry patches are not to be installed, check to be sure they are removed (hidden) before installing anything.
2. For Win7 only, UNCHECK MS .NET Framework 4.7 KB3186497 (reason: the Monthly Rollup for Win7 supplies the D3D Compiler that needs to be installed for .NET 4.7)
3. Install the patches in the “important updates” list (Monthly Rollup, .NET Rollups, MSRT, IE Flash (Win8.1) .NET4.7 (Win 8.1), Office, etc.). If  “Give me recommended” was NOT checked in the past, there may be a quite a few recommended updates. Reboot.
4. About 10 min. after login, search for updates. install any important updates, Win7 also install .NET 4.7 KB3186497, reboot.
5. About 10 min. after login, search for updates. install any important updates, reboot, repeat #5 until there are no important updates.
6. After the last reboot, wait 30 minutes. Run Disk Cleanup, click “Clean up system files” and be sure “Windows Update Cleanup” is checked
7. Now in Group A

4 users thanked author for this post.

jelson, walker, amraybt

Reply | Quote

Just a mention in relation to Error Reporting.
Make sure that this is configured for All Users.
Otherwise the system and all other users of the computer will still log errors and at minimum will fill the hard-disk with GB of useless information.

2 users thanked author for this post.

AJNorth, PKCano

Reply | Quote

PKCano and ch100 — many thanks again.  Some follow-up questions:

PKCano – you wrote BOTH pf these:

2.For Win7 only, UNCHECK MS .NET Framework 4.7 KB3186497 (reason: the Monthly Rollup for Win7 supplies the D3D Compiler that needs to be installed for .NET 4.7)   ….

4. About 10 min. after login, search for updates. install any important updates, Win7 install .NET 4.7 KB3186497, reboot.

So, as to KB3186497 , you’ve written both “uncheck” and “install”.  Please advise.

ch100 – You advise making sure Error Reporting is configured for All Users.  Where do I go to check or set this?

THANKS PKCano and ch100!

Reply | Quote

On Win7, the D3D Compiler has to be installed for .NET4.7
It is included in the Rollups, but not in the security-only updates that Group B does.
So – you uncheck .NET4.7 BEFORE you install the Rollup. You get the D3D Compiler included in the Rollup. Then you go back and install .NET4.7 (AFTER the Rollup/Compiler are in place).

Otherwise, you have to manually install the D3D Compiler.

1 user thanked author for this post.

Reply | Quote

PKCano – sorry but I’m a dummy.  Do you mean uncheck in Windows Components in Programs and Features?

Reply | Quote

No. We’re talking about Windows Update. Uncheck the update in the important list in Windows Update.

No mention here about Programs and Features.

Reply | Quote

So when I first see KB3186497 listed in the Important Updates, UNcheck it.  Then at the very end after all the other Important Updates are in and the PC runs OK for 10 mins, REcheck it and install it.

Reply | Quote

You can recheck it in the round of updates immediately AFTER you install the Monthly Rollup. Install Rollup in Step 3, install .NET4.7 in sStep 4.

Reply | Quote

PKCano – Question for after.

After I’ve moved fully into Group A and up to date with it, then let’s talk about next month:  Sometimes, the Defcon is to wait for some time while MS maybe fixes the problems in the new round of big fat Rollups.  However, sometimes there are real nasty risks out there and I want to do something faster to protect the wife’s important SOHO Win 7 machine.

So, how bad is it if I first run your security-only and IE 11 updates on the early side, wait for the Defcon to get better, and then run the Rollups for the same month?

Thanks.

Reply | Quote

The Rollup is three-part: non-security, security-only, and IE11 cumulative. So doing the Group B patches is doing 2/3 of the Rollup. So there is no problem there…..

Unless the IE11 CU has a problen (affects both it and the Rollup), or the security-only part has a problem (affects both it and the Rollup).

If there’s a serious threat, like WannaCry, you may need to go ahead. But otherwise, it’s better to wait for the DEFCON go-ahead.

Reply | Quote

PKCano and ch100 – All done on the first of two 7 machines.

On this one, the only two updates that actually installed were the two from this month: KB4043766 and KB4041681.

KB3186497 (related to the D3D  compiler) was NOT there before, did not appear on the update list, and is not there now.  Is that OK or should I go get it manually?

EDIT – On a final reboot after everything above was done, the machine said it was installing updates even though there were no more.  And on the reboot it got stuck on “Running Updates.  100% Complete.  Please do not turn off the machine.” for a long time.  Finally that finished, but there’s nothing new in the View Updates or Installed Updates lists.  Belarc indicates that KB4041681 apparently didn’t finish updating until after midnight, when I had thought both were done around 11:15pm.  WEIRD, MAN.

Many thanks.

Reply | Quote

Just be sure the ONLY hidden updates are the telemetry ones listed. UNHIDE anything else that is hidden. (Did you hide the .NET4.7 Framework patch?)

Reply | Quote

PKCano – thanks again for your help.  I confirm that the ONLY items that are hidden are the four telemetry ones you had listed above.  When I first followed your instructions last night, they appeared and I hid them.

KB3186497 (related to the D3D  compiler) was not in the two long lists of updates before I started, did not appear after I started, and still does not appear anywhere in connection with Windows Update.

HOWEVER, I’ve just run a Search through the entire hard drive, and in my Downloads folder, I have NDP47-KB3186497-x86-x64-AIIOS-ENU.exe with Modified Date 8/9/2017 and file size 60,144 KB.  So is it possible I ran it in August but it was superseded by something else I ran later?  Maybe I ran another recent global rollup for .NET that included it and so it no longer shows anywhere?  It is also NOT in Belarc’s long list of updates.

Should I run it again (or first re-download it from MS in case there’s a later version)?

Reply | Quote

Now that you are in Group A, you should not have to download or manually install ANYTHING. It should all come through Windows Update. All you have to do now is watch for DEFCON 3 or above!

1 user thanked author for this post.

walker

Reply | Quote

PKCano and ch100 – thanks again for your help immediately above.  I followed your instructions and converted the first of my two Win 7 Pro 64-bit machines to Group A last weekend.  So far no problems.

However, before I convert the second Win 7 Pro 64-bit machine to Group A, do you have any updates or further thoughts?  This second machine is the important one – my wife’s SOHO machine.  (BTW, it’s a Dell Optiplex 780 with 8GB RAM and an Intel Core 2 Duo E8400 @ 3.00GHz, an older machine that’s still OK.)

Thanks.

Reply | Quote

Make an image in case you have serious problems.
Also back up all (including AppData folder) under the User ID.
Just in case….

Reply | Quote

PKCano and ch100 – All seems to be good on my second conversion from Group B to Group A – my wife’s important SOHO Win 7 Pro 64-bit machine.

Once again, however, after all the updates and many reboots, and after I then did the Windows Update Cleanup, the next reboot gave me a screen saying “Configuring Windows updates – 100% complete – Do not turn off your computer,” and this screen stayed there for about 20 minutes!  Something about the cleanup triggers this.  But all seems well afterwards so far.  MAYBE this event is explained lower down on this page here: https://askwoody.com/forums/topic/group-b-win78-1-missing-updates-hiding-rollups-security-only-patches/#post-139441  ?

As with my earlier machine, KB3186497 was nowhere in sight – it was not in any list before, during or after this conversion.

Like last time, the two first Important updates were KB4043766 and KB4041681.  This time, however, after those first two, I also got KB3135445 and KB3138612 as Important updates, which I decided to install.  (I had hid them many months ago, on this machine only, but unhid them for this conversion.)  Those four were all.

Many thanks.

Reply | Quote

@PKCano:  This was a very detailed list, and you have presented it wonderfully.   I only wish I had the knowledge and/or experience to fully absorb it completely.   I made the wrong choice when the Group A versus Group B issues first became apparent, which has caused me a great deal of grief.  I have made a huge amount of progress, after having an “almost insurmountable” difficulty getting my “”Updating” problems repaired.

I’m in Group A, and got into this menu in error.   My apologies.

Thank you for the information you have posted here.    I will make a concerted effort to understand much more than I do now although I am in Group A, not Group B.   The information you have provided is most sincerely appreciated.    🙂

Reply | Quote

I think the best and only reliable way to identify the missing updates if any is to use a tool referencing Wsusscn2.cab https://msdn.microsoft.com/en-us/library/windows/desktop/aa387290(v=vs.85).aspx
WUMT, Belarc are few of those tools available to regular users.

2 users thanked author for this post.

SueW

Reply | Quote

I’ve been reading through this thread, trying to determine whether my own monthly Group B strategy needs to be tweaked (or trashed) based on what I’ve been reading here.  Oy — I’m thinking that I might be missing any number of Security Updates since October 2016.

Except for Windows 10-related updates, I have never hidden any of the Security Monthly Quality Rollups for Windows 7.  I have always unchecked them.  Always.  Also, I get Recommended Updates along with Optional Updates.

What updates, if any, am I missing?  Thank you, ch100, for reminding me about Belarc Advisor!

So I decided to run BA, after letting it update its database to 2017.10.11.1 (based on Microsoft’s 10/10/17 Security Bulletin Summary).

Note: I have not installed October’s Updates yet — waiting for DEFCON 3.

Here are the results, with my added descriptions following ‘ = ‘:

“These security updates apply to this computer but are not currently installed (using Advisor definitions version 2017.10.11.1), according to the 10/10/2017 Microsoft Security Bulletin Summary and bulletins from other vendors. Note: Security benchmarks require that Critical and Important severity security updates must be installed.

Hotfix Id     Severity     Description (click to see security bulletin)

Q2553338    Unrated    Microsoft security advisory (KB2553338) = Security update for Office 2010: October 10, 2017
Q2837599    Unrated    Microsoft security advisory (KB2837599) = Security update for Office 2010: October 10, 2017
Q3159398    Important    Microsoft security update (KB3159398) = MS16-072: Security update for Group Policy: June 14, 2016 <= hid: not on Home Edition
Q3213630    Important    Microsoft security update (KB3213630) = Security update for Word 2010: October 10, 2017
Q4011196    Important    Microsoft security update (KB4011196) = Security update for Outlook 2010: October 10, 2017
Q4040685    Critical    Microsoft security update (KB4040685) = Cumulative security update for Internet Explorer: October 10, 2017
Q4041678    Critical    Microsoft security update (KB4041678) = October 10, 2017—KB4041678 (Security-only update)

What I’m seeing is that all but one of these “missing” updates are October’s updates that will be installed after I get the go-ahead from Woody & Team.  What I am not seeing are any other updates due to not hiding the Security Monthly Quality Rollups . . .

I hope this helps in any further analysis . . .

Win 7 SP1 Home Premium 64-bit; Office 2010; Group B (SaS); Former 'Tech Weenie'

Reply | Quote

Read the top and bottom of Part 2 of my experiment. The huge list of “missing” Windows updates dwindles to very few. But there are other considerations. The “Implications” and “Observations” in Part 3 are due to what I saw. the “Conclusion” is mine, the one I drew.

2 users thanked author for this post.

Elly, SueW

Reply | Quote

“What updates, if any, am I missing?”

My conclusion from https://askwoody.com/forums/topic/group-b-win78-1-missing-updates-hiding-rollups-security-only-patches/#post-136952: “For Windows 7 users (and probably also Windows 8.1 users), when using Windows Update, you must hide all unwanted updates in order to guarantee that all available updates are listed.”

Hopefully the algorithm at https://askwoody.com/forums/topic/group-b-win78-1-missing-updates-hiding-rollups-security-only-patches/#post-137001 does this.

1 user thanked author for this post.

SueW

Reply | Quote

Phew this is getting b***** complex, I really hate them for doing rollups and making it as annoying and confusing as this.

So we’ll need updated instructions on:

Group A Updates
Group B Updates

Recommended Hidden Updates (Telemetry etc).

I’ll probably give Group B a try when I reinstall and have seen some instructions, but they’re probably out of date now. I’ve seen PKCano’s list of Telemetry updates to hide, but unsure if this is the definitive list? (Whether there’s any others to be hidden too, such as the Windows Activation one). I have a good chunk of these hidden and can show you if you wish. Started hiding them yonks ago when 292664 came along and the GWX fiasco, tis when I started reading Woody’s posts to scrutinize updates before installing. Always trusted MS for everything but drivers before that..

Reply | Quote

For those that want to avoid hiding unwanted updates, here is an alternative update algorithm that utilizes the best aspects of Windows Update and Windows Update MiniTool:

1. Using Windows Update, check for updates.

2. Install desired updates listed in step 1. Reboot if asked. If you installed any updates during this step, go to step 1.

3. Using Windows Update MiniTool with checkbox “Included superseded” ticked, check for updates.

4. Install desired updates listed in step 3. Reboot if asked. If you installed any updates during this step, go to step 3.

Steps 1 and 2 aren’t strictly necessary, but are included to reduce the number of metadata-superseded updates installed.

4 users thanked author for this post.

walker, AJNorth, SueW

Reply | Quote

I, for one, am not averse from hiding unwanted updates (or from using this alternative).  However, now that there is the potential issue for those of us in Group B missing earlier updates for several months [and not willing to switch to Group A], is there a recommended method to finding those missing updates so that we can install them (without reinstalling Windows 7)? Or is this what the Windows Update MiniTool does?

Win 7 SP1 Home Premium 64-bit; Office 2010; Group B (SaS); Former 'Tech Weenie'

Reply | Quote

Hiding all unwanted updates in Windows Update is one way to find out if there are any applicable updates that you didn’t know about. If you hide any updates in Windows Update, then you need to check for Windows updates again to see if more updates are listed. Keep repeating this process until all unwanted updates are hidden. For example, if you’re using Windows Update to hide Windows monthly rollups, then the first time you’ll see just the October 2017 Windows monthly rollup. Hide it. Then check for updates again. You’ll now see the September 2017 Windows monthly rollup. Hide it. Then check for updates again.  You’ll now see the August 2017 Windows monthly rollup. This could get tedious. Faster alternatives for mass hiding of Windows updates are 1) Windows Update MiniTool with checkbox “Include superseded” ticked 2) My script that hides updates with a given description. Also see https://askwoody.com/forums/topic/group-b-win78-1-missing-updates-hiding-rollups-security-only-patches/#post-137001.

2 users thanked author for this post.

AJNorth, SueW

Reply | Quote

Thank you, MrBrian 🙂  Although I haven’t hidden any Monthly Rollups, I had hidden all Windows 10-related updates as they presented themselves each month.  I’ve also hidden Daylight Savings Time-related updates as well.  I’ve kept a list of those hidden.

I think I’ll unhide what I’ve hidden to see what remains, and then decide what to re-hide.  I’ll also find out more about Windows Update MiniTool: I’m already reading https://askwoody.com/2017/in-praise-of-windows-update-minitool/ 🙂

Win 7 SP1 Home Premium 64-bit; Office 2010; Group B (SaS); Former 'Tech Weenie'

1 user thanked author for this post.

MrBrian

Reply | Quote

PKCano wrote:

Of the original list of updates that Group B was “missing” by not hiding the Monthly Rollups, “final important updates list” still had these “missing” updates. 2676562 Security 3005607 Security 3033929 Security 3123479 Security 3138962 Security 3149090 Security 3168965 Security 2868116 Win Update 3021917 Win Update 3118401 Win Update The fact that there were considerably fewer “missing” security updates after the installation of the “Security Only Quality Updates”, seems to imply that the “missing” updates are being superseded by the security-only patches. If that is the case, Group B may not be not “missing” as many security updates as was originally thought if they uncheck, instead of hide, the Rollups.

Actually, Group B is not “missing” anything. Following are the details about your final list:

2676562 Security — Superseded by the April, May, June, August, September and October 2017 Security Only Updates.
3005607 Security — If you are on either Group A or B and if you download and try to install this update, then you will receive a message that “This update is not applicable to your computer”, as in superseded, yet not documented.
3033929 Security — Not superseded by anything.
3123479 Security — Superseded by the May 2017 Security Only Update.
3138962 Security — Not superseded by anything.
3149090 Security — Not superseded by anything.
3168965 Security — Not superseded by anything.
2868116 Win Update — Superseded by the September 2017 Security Only Update.
3021917 Win Update — Is a Telemetry Update which is NOT wanted by Group B.
3118401 Win Update — Update for Universal C Runtime in Windows which installs telemetry and is only needed if you want to run apps which are specifically designed for Windows 10. Basically, it is another version of KB2999226 which installs deep system wide telemetry.

DISM under the Command Prompt has an issue such that it can NOT list all installed updates on a Win7 computer. DISM will hiccup and cough once it reaches its configured limits. To see all installed updates, you either need to check the Installed Updates shown under Programs and Updates in Control Panel, or you need to use a 3rd party utility such as Belarc Advisor. The latter will also tell you what you are missing, including updates which you deliberately chose not to install.

When I build up a new Win7 SP1 machine and then update it, I install updates in groups which are based on the update original release dates, and on the update class — security updates and optional updates. I NEVER install the Convenience Update since it is riddled with bugs and since it installs telemetry updates.

Before I install any updates on a fresh Win7 SP1 install, I first perform some basic configuration, and then run several REG files which fix various inherent issues. In other words, my first step is to nip various issues in the bud. Then I start installing updates.

After installing even a very small group of updates, sometimes new relevant updates (based on the original release date) will magically appear when I have Windows Update check for updates after I rebooted the computer. Why does this occur? My guess is that Windows Update itself has a similar issue as the DISM issue I described above. The upshot is that one should never assume that they are done with updating their computer until, after installing updates, one actually checks for any new updates.

Note that you mostly can continue to install the next group of updates when building up a fully updated Win7 computer, without having to waste time checking for new updates. Yet there specific points during the process where you should check for new updates, in order to get “magically” found new updates which should be installed before moving on to the next batch of updates, based on their original release dates.

Once all updates have been installed, I double-check everything. Specifically, I make sure that I did not install an unwanted botched update or any updates which installed telemetry. I also make sure that the list of hidden updates matches my saved list of hidden updates. Once I have confirmed that everything is “good to go”, then I perform an incremental backup for the new computer, versus the full backup of the freshly installed Win7 SP1 OS partition which I made before any updates were installed.

Once the computer was fully updated and the incremental backup was completed, I then run Disk Cleanup’s initially hidden utility to remove all superseded updates from the computer. Doing so also cleans out information about failed updates, and update installations which were canceled by the user. The latter can present problems when relying on DISM error codes when checking whether or not specific updates are installed on a Win7 computer.

There is more than simply opting out of CEIP and disabling only two CEIP tasks, since there are other CEIP tasks which will still periodically run if they are not disabled. Opting out of CEIP merely prevents gathered telemetry data from being sent to Microsoft. All CEIP tasks must also be disabled, and all updates which gather telemetry must also be uninstalled as well. Yet this is another topic.

In summary, Group B is tenable, yet Microsoft makes Group B fairly difficult.

1 user thanked author for this post.

SueW

Reply | Quote

“3138962 Security — Not superseded by anything.”

As an example. KB3138962 for Windows 7 x64 is metadata-superseded by the Windows 7 monthly rollups.

Reply | Quote

MrBrian wrote:

“3138962 Security — Not superseded by anything.” As an example. KB3138962 for Windows 7 x64 is metadata-superseded by the Windows 7 monthly rollups.

That is most interesting. Yep, most of the Win7 Security Monthly Quality Rollups do list supersedence for KB3138962, yet none of the Win7 Security Only Quality Updates do. This is rather interesting, and it got my attention. I downloaded KB3138962, tried to install it on my primary Win7 x64 machine, and got this message: “Security Update for Windows (KB3138962) is already installed on this computer.” This computer shows that I installed KB3138962 on 03/08/2016.

KB3138962 is a “Security Update for Windows Media to Address Remote Code Execution”.

Keep in mind that I am on Group B. Group A includes not only updates for Internet Explorer, but also telemetry updates. Given that I also separately update Internet Explorer and that KB3138962 wasn’t subsequently updated, my guess is that KB3138962 had to be updated in order to address issues with Group A updates which gather telemetry and report to servers (some not controlled by Microsoft) which are located around the globe. This is just a wild guess.

Reply | Quote

You probably installed KB3138962 before the existence of the Windows monthly rollups that metadata-supersede KB3138962. Another possibility is that you installed KB3185278, which is an Optional update that strict adherence to Group B avoids. This post goes into more detail about KB3138962.

 

Reply | Quote

“Once the computer was fully updated and the incremental backup was completed, I then run Disk Cleanup’s initially hidden utility to remove all superseded updates from the computer. Doing so also cleans out information about failed updates, and update installations which were canceled by the user. The latter can present problems when relying on DISM error codes when checking whether or not specific updates are installed on a Win7 computer.”

Disk Cleanup (cleanmgr.exe) is a utility that has gone through many changes in its lifetime. Could you clarify if here you write about having it up to date with all applicable patches and improvements. Or if you are referring to the need to ‘run as an administrator’, either by selecting such in the GUI window, or running the command in an elevated prompt. Or third, some other aspect of the Disk Cleanup utility I am not familiar with before now?

Thank you for explaining.

Reply | Quote

GoneToPlaid wrote:

Before I install any updates on a fresh Win7 SP1 install, I first perform some basic configuration, and then run several REG files which fix various inherent issues. In other words, my first step is to nip various issues in the bud. Then I start installing updates.

I then run Disk Cleanup’s initially hidden utility to remove all superseded updates from the computer. Doing so also cleans out information about failed updates, and update installations which were canceled by the user. The latter can present problems when relying on DISM error codes when checking whether or not specific updates are installed on a Win7 computer.

There is more than simply opting out of CEIP and disabling only two CEIP tasks, since there are other CEIP tasks which will still periodically run if they are not disabled. Opting out of CEIP merely prevents gathered telemetry data from being sent to Microsoft. All CEIP tasks must also be disabled, and all updates which gather telemetry must also be uninstalled as well. Yet this is another topic.

Hi mate, can you give a few more details of the actions in these 3 paragraphs please? In guide form if possible.

I’m literally just about to start reinstalling W7 afresh now, so any further details on the extra tasks re: Telemetry, the “hidden Disk Cleanup function” and your initial basic config / reg files, what do you change etc? (I presume to only prompt for Restart is one of them).

Reply | Quote

Hello BobT,

I just sent you a PM.

Best regards,

–GTP

 

1 user thanked author for this post.

BobT

Reply | Quote

MrBrian wrote:

You probably installed KB3138962 before the existence of the Windows monthly rollups that metadata-supersede KB3138962. Another possibility is that you installed KB3185278, which is an Optional update that strict adherence to Group B avoids. This post goes into more detail about KB3138962.

Hello MrBrian,

Yes, KB3138962 was installed before the existence of the monthly rollups. Yet as mentioned and unlike the Group A rollups, none of the Group B Security rollups list KB3138962 as being superseded by any of the Security Only rollups. Only several of the Group A rollups list KB3138962 as being superseded. So again and only for Group B who has only installed the Security Only rollups, I stand by my claim that KB3138962 was never superseded for Group B followers.

No. I never installed KB3185278. It is not and never was installed, and it is in the list of my hidden updates since it breaks EMET.

Best regards,

–GTP

 

 

Reply | Quote

I agree with everything in your post.

Here’s the problem regarding KB3138962 and Group B: Those in Group B who didn’t have KB3138962 installed by October 11, 2016 – the date of the release of the October 2016 Windows monthly rollup – will not see KB3138962 listed in Windows Update because KB3138962 is metadata-superseded by the October 2016 Windows monthly rollup (unless the Windows monthly rollups are hidden).

Reply | Quote

anonymous wrote:

“Once the computer was fully updated and the incremental backup was completed, I then run Disk Cleanup’s initially hidden utility to remove all superseded updates from the computer. Doing so also cleans out information about failed updates, and update installations which were canceled by the user. The latter can present problems when relying on DISM error codes when checking whether or not specific updates are installed on a Win7 computer.”

Disk Cleanup (cleanmgr.exe) is a utility that has gone through many changes in its lifetime. Could you clarify if here you write about having it up to date with all applicable patches and improvements. Or if you are referring to the need to ‘run as an administrator’, either by selecting such in the GUI window, or running the command in an elevated prompt. Or third, some other aspect of the Disk Cleanup utility I am not familiar with before now? Thank you for explaining.

Here ya go. With Disk Cleanup, all I did was this:

https://support.microsoft.com/en-us/help/2852386/disk-cleanup-wizard-addon-lets-users-delete-outdated-windows-updates-o

Just follow the instructions. YET NOTE: You will not see any progress bar indicator or other messages. Just kick back and walk away, or sit there and wait, until you eventually see a message that it has finished. It could take up to 10 to 15 minutes, or considerably longer on older and slower computers.

Reply | Quote

Ah-ha I see. I presume you meant initially-hidden since it requires Administrator privileges for that option to show up? Or that MS added it over time.

Either way yes I have that option in my Cleanup Tool.

Reply | Quote

Sorry to be tedious, trying to make the step clear for all levels of users and readers of this site. I did the legwork, and reviewed your link to the Microsoft official outdated doubletalk. And I have concluded that this is not a mysterious function.

Back in 2013, as part of regular updating, an add-on to the Disk Cleanup Manager was provided by scavengeui.dll

It is a function triggered only under certain conditions. Not seeing it does not suggest there is a problem. If you have ever run Disk Cleanup with administrator privileges, and seen a checked box for Windows Update, then you have this function intact, and likely have for four years time. It is the reason that the NEXT shutdown/restart cycle will appear to install yet another update, even when you have not installed anything. That is Microsoft’s clear as mud way to show the activity has occurred, without actually explaining anything.

It is a useful step in finishing the update process. I apologize for my confusion over your initial description. I fear mine is not much clearer.

Reply | Quote

Yep, seems to only show up if you have administrator privileges, AND unneeded updates exist. If it can’t clean anything, it apparently won’t show the option.

Reply | Quote

See #137483 above

PKCano wrote:

6. After the last reboot, wait 30 minutes. Run Disk Cleanup, click “Clean up system files” and be sure “Windows Update Cleanup” is checked

It’s not a hidden mysterious function

1 user thanked author for this post.

SueW

Reply | Quote

No, it’s not – I use it routinely. A lot of debris ends up in there.

1 user thanked author for this post.

SueW

Reply | Quote

Hi PKCano,

I havent read whole thread, but think, I know whats about. Funny is, last 1-2 weeks, I worked for the same task. Since, there were some rumors about .NET 4.6.1, I decide to revise my offline installer.

I know, Windows Update offline has been done by others and maybe better, but, I wanted do it myself. When I saw the W10-upgrade-hell and what MS can do, if these really decide to push for something, I simply couldnt just wait what will happend, I made some colllection of BAT/BINs to install Win7 up to date and offline.

I maintain 2 basic directions, lets say one as Group A and second like Group B+NET. And 2 years, month after month, I updated it and after last news, I decided to make 3rd fork / GroupB+.NET, but 4.5.2 NET. But thats not important. I forked my files and simply started from scratch (I was thinking, they might be some obsolete KBs over the time). And I have found, there are some KBs, they are missing compared to prePatchocalypse state, so I started to investigate, line by line of my “code”. I checked missing KBs, search which SecurityOnly month patch has beed replaced with and maybe, result can be usefull for you.

About my installer – its splitted into these steps>

1. IE11 prerequisites, SP1 supredences fix
2. IE11, .NET, latest WUagent, kernel mode driver framework
3. WUA speed relevant updates, NET language pack
4. NET updates
5-8. Security KBs, those prePatchocalypse ones.
9. Selected optional KBs
10. some KBs with special care (KB2830477)
11. KBs (secu+optio) detected later as dependence
12. 10/2016+ SecuOnly rollups+IE,NET

I have versions of my installer many month old, so I decide to compare actual WUA scan with latest prePatchocalypse scan. And the result is appr. 30 KBs dissapeared, some has valid reason (replaced by some SecuOnly rollups) and those missing without SecuQua replace, they are very similar to your conclusion:

KB2544893
KB2965788
KB3005607
KB3033929
KB3076949
KB3109094
KB3126446
KB3138962
KB3149090
KB3168965
KB3185911

And just for records / I does not count on socalled SP2 and my telemetry ignore list contain these>  971033 (x64), 2952664, 2966583, 3021917, KB3035583, 3068708, 3080149, KB3123862, 3170735, 3184143, 3181988

If you need it, I can send detailed list of my installer from 9/2016

HzK

p.s. My opinion about Group B and strategy to patch:
1. set up exact 9/2016 state
2. minus those KBs, they are missing from scans today, but there is documented replace of some SecuOnly
Methods based on todays scans only / well, I dont trust them no matter how sofistically we study them today. Its todays version of M$ truth

3 users thanked author for this post.

AJNorth, MrBrian, PKCano

Reply | Quote

There are a lot of updates that are in both your “missing updates” list and mine.

Reply | Quote