• MS-DEFCON 2: Make sure Windows automatic update is locked down

    #35110

    With Patch Tuesday coming up tomorrow, it’s time to get your Win 7, 8.1 and 10 machines locked down. Turn off automatic updating using the techniques
    [See the full post at: MS-DEFCON 2: Make sure Windows automatic update is locked down]

    • #35111

      MS-DEFCON 2?
      I suppose the downgrade for this month is largely due to the ongoing problems with Windows 10 and less due to the unresolved issues with Windows 7 in relation to printing and the inconsistent approach in resolving the Intel Bluetooth problem.

    • #35112

      And Micro$**t still can’t figure out that WU 7.6.7600.320 needs immediate removal from all servers. Gotta wonder why they even have paid support teams.

    • #35113

      Group A or Group B… Group B here, hopefully the IE update and malicious software removal tool go in the security section.

    • #35114

      I’m guessing that the MSRT will remain separate – and Microsoft has already bundled non-security IE updates with the security IE update, so I’d expect that to continue.

    • #35115

      Question: Will prior outstanding updates (KBxxxxx) remain available after the roll-out of roll-ups? Just wondering, as it is my habit of doing a few per week to make sure there’s no bug/problem/misstep in the updates. Still have some to go before tomorrow.
      And maybe you can advise on KB3175443 (52MB cumulative update for IE11). I just hate it when they’re that big.
      Thanks

    • #35116

      Firmly in group B.
      If the dust clears and group B is too much of a pain to be in, I’ll start dual booting Ubuntu.
      Find it hard to trust MS to manage updates for me at this point especially after the last 18 months of update fiasco one after another.

    • #35117

      Nobody knows for sure, but I think it’s likely the old KBs will be around for a long time.

      KB3175443 is a cumulative update – use Windows Update and you’ll only download the delta. I think.

    • #35118

      I already made a firm switch to Linux Mint as the main OS on my laptop. When one sees the smoothness of updates in Linux distros, the tidiness of their software management, their speed and flexibility, one may very well wonder, what exactly is it that we pay MS for, if these distros are full fat operating systems written by no more than a handful of people at a time and released absolutely for free…

    • #35119

      Group B Windows 7 HP & PRO user
      with images at the ready and linux machines on standby.

      ..let the fun begin!
      oh the joys..

      Special thanks to Bill Gates, it was fun in the early days..not so much nowadays unfortunately.

    • #35120

      Historical day, last time I will ever patch my one Windows 7 computer I still have left (You know, photoshop..), the rest of the fleet are all Solus now.

    • #35121

      August and coming September Patch Tuesdays have and will have a member of Group C (no updates at all) face them.

      As wisely advised here by Woody I’ll be thinking about making a choice between Groups, B & C (unofficial!) but certainly not Group A — Choosing Group A is definitive, choosing Group B leaves a margin for shifting to Group A later on, which I doubt but never say never.

      Like all of us I’m really curious to discover October’s new Windows Update scheme, observe the reactions, read here users’ comments (Ah! Haha! Wow! Ooooh! No! and other sounds) before perhaps getting on the highway by January 2017.

    • #35122

      >“Never check for updates (not recommended).” Not recommended by Microsoft,
      >that is. Fully recommend by yours truly.

      Agreed. But I don’t think that’s enough. Personally I’d suggest disabling and stopping the Windows Update service entirely until such time as you find an interest in updating again..

      And… Since it is quite possible to set up a security environment that makes the out-of-box configuration a bad joke, it’s not unreasonable to start to think about a complete divorce from future Windows Update. I know Woody will have a problem with this extreme a view in general, but I believe I’m being reasonable – assuming a smart, seasoned user. I believe there are a lot of us.

      My question is this:

      Why look to Microsoft any more to improve your computing experience (through Windows Updates) on one of the older systems?

      It’s simply no longer in their interest to do so.

      They have FAILED if they’re not getting you into their App Store and spending money left and right. An older OS just isn’t going to do that for them. And they’ve shown they’re not above putting something akin to adware/malware on your system in pursuit of their goals. They can’t unring the GWX bell!

      -Noel

    • #35123

      It’s important to remember that the combined update that is being introduced in October is only in relation to the Windows-specific updates, with separate additional updates continuing to be offered for the other things like MSRT, .Net Framework, IE, Office, drivers etc. Any notion that there’s only going to be a single update each month is therefore rather misleading in that sense.

      Anyone who disables WU i.e. opting for “Never” in the settings with the intention of installing the security-only update in the MS Catalogue is going to be missing out on a lot more than just the non-security aspects of the combined update on WU – always assuming that no non-security updates are included in the security-only WU of course!

    • #35124

      This is really a big question. It has been a few years since the trouble with this agent 7.6.7600.320 began.
      It is worth mentioning that it was OK for a while after release and nobody seems to know the exact reason why it broke. It may not be the patch itself but external dependencies related to reorganisation of the Microsoft back-end servers.

    • #35125

      IE will either be a category by itself or part of the bundle. There is no strict delimitation between security and non-security for IE as it is documented in many KB articles.
      The IE monthly patch was a rollup in itself for many months if not years.

    • #35126

      One potential problem with disabling the whole Windows Update service entirely may well be that the OS generally will not function properly without it – in much the same way that there are aspects of the OS that depend on IE even if that is never your active browser.

      Time will tell, but I think it’s too soon to be talking about being in this group or that group, we need to see how the whole new update system beds down and what the actual consequences are of being in each group. It seems to me that the critical point is to ensure that no updates are happening automatically and to wait for several weeks to see how the October updates turn out before giving any real thought as to how best to proceed.

    • #35127

      The old ones are normally superseded gradually but left around for a while, not forever, for those who still need them. They are made invisible by the supersedence/detection mechanism in WU. To make them visible again in WU, the later patch should be hidden, but due to complexity involved, this procedure is only asking for trouble, because in general there is no 1 to 1 relation between patches and it is more complicated. Sometimes Recommended or Optional updates supersede Security updates or the other way around.

    • #35128

      There is rarely a free beer or free money.

    • #35129

      Choosing Group A is not definitive. Patches can be uninstalled in a clean manner at any time, or at least 99.99% of them.
      Can we make a deal?
      I propose that nobody choosing anything other than Group A will be allowed to complain about poor functionality of their systems in 3 months starting from October 2016. This is because if they try to outsmart Microsoft, they should take responsibility for their actions too.
      No updating at all is an acceptable functional choice with the responsibility of those deciding to follow that path shifted to security.

    • #35130

      Noel, I think your approach is reasonable, but it is not for everyone.
      This is what should be made clear, I suppose and is why Woody has a problem with that type of approach.

    • #35131

      There is also Windows Server 2008 R2 which tends to go under the radar here. This is currently the main Windows Server Operating System used anywhere in Enterprise and Microsoft has to support it for a little longer, like it or not.
      Windows 7 is just a limited version of the Server OS with license limitations hard-coded into it.

    • #35132

      Will Microsoft have to do what Apple did, recalling Steve Jobs to the rescue? We need to write a petition to MS: “Bring back Bill Gates”!

    • #35133

      They better bundle the IE update with security, otherwise there are going to be a lot of unhappy people.

    • #35134

      Firmly in group B here, I can’t possibly fathom why anyone would trust Microsoft after the past year to remain in group A. But if group B becomes too much of a hassle then I’m willing to move into group C and cut updates off at the knees.

    • #35135

      It’ll be interesting to see how/if the cumulative updates can be uninstalled….

    • #35136

      We can do it for Windows 10, so I am expecting to be able to do the same for Windows 7.
      In fact we have had CUs for a very long time, only the scope was limited.
      A few examples:
      MSRT – just a scanner, not technically installed
      IE security patches
      Rollups for time zones
      KB3125574 – Convenience Rollup Pack – this is likely to be the closest to what will come after October 2016

    • #35137

      @Noel, @Woody

      “Personally I’d suggest disabling and stopping the Windows Update service entirely until such time as you find an interest in updating again.”

      How does one stop the Windows Update service “entirely”?
      Do you mean double clicking Windows Update in the Services section and selecting “Disable” in the drop down menu?

      If so, will that have an adverse effect on how W7’s OS runs when it does not communicate with MS’s update servers?

      TIA

    • #35138

      Sure, but to legally use Windows, you have to pay for a license, and what do you get in return? Microsoft squeezing every last cent out of their userbase and doing a very poor job of developing and maintaining an operating system. Not a great deal in my mind. And of course the development of the Linux kernel or any Linux distribution isn’t free, but I would much rather donate to that, than pay MS a single dime.

    • #35139

      @Seff I think what you say is totally correct about the future updates.
      Products which are not part of the Operating System, i.e. not bundled with Windows originally, will be treated separately.
      A special situation is for .NET Framework 4.* which is part of the OS for Windows 8/8.1 but not Windows 7. The Framework will be updated accordingly. This is the case for Flash too, although not a Microsoft product.

    • #35140

      That would be interesting. Maybe Bill should be the first to ask if he is interested. 🙂
      Because unlike Steve Jobs, Bill Gates was not removed from the company, but rather removed himself when he considered that there were better people to take his place. If that was a good decision for the rest of us, this is subject for a hot debate. Because Microsoft is a lot more than a desktop OS company.

    • #35141

      >One potential problem with disabling the whole Windows Update service
      >entirely may well be that the OS generally will not function properly without it

      What makes you think that? I’ve experience that says otherwise.

      I should point out that there are responsibilities to “going off the update path”, such as ensuring your system isn’t a vector for malware and thus a threat to others. It’s not something that everyone can or should do.

      FYI, as of right now I have two systems running, one on Win 7 x64 Ultimate that’s been running continuously on the same boot for 32 days, and Win 8.1 x64 Pro/MCE that’s been running for over 10. Both were rebooted when they were because of installs, not because of any problems.

      -Noel

    • #35142

      @louis

      This is what Noel posted. Disable the service from the services console.
      As for the other enquiry, re: Windows functionality, there is no definitive answer, or I am not aware of it.
      This was discussed before and the conclusion was that while there are no observed problems with disabling the service, it is safer in general (because we don’t know) to just set the Windows Update Control Panel applet to Never check and leave the service as is, i.e. Automatic (Delayed Start).
      I think Noel is concerned that at some stage in the future, Microsoft may take over and do something similar with what they did in Windows 10 and make it harder for the end-users to block future updates. To avoid this potential action from Microsoft, he takes the next step, which is disabling the service.
      Like you, I would be interested to know what other people’s thoughts are about this approach proposed by Noel.

    • #35143

      @Frahaleah,

      You could probably have left out “otherwise” and “going to be”!
      😉

      = There are a lot of unhappy people

    • #35144

      @Seff,

      For about a year, I’ve had my Windows Updates set to “never”, but that just means I do not want Microsoft ever to check for me,
      while I myself – on my own schedule and when Woody says the coast is clear – check for updates manually once a month.

      I think that Woody is recommending the “never check” setting on Windows Update just to keep us extra safe from any “helping hand/push/ultimatum” that Microsoft might want to give its customers towards making them download what Microsoft wants them to have, rather than what the customers want to have.

    • #35145

      Perhaps Bill Gates would revert the current (proven) Microsoft OS business mantra of ‘if it aint broken, break it’ in order to syphon data,

      back to..

      ‘where do you want to go today’ with control over OUR devices.

      +1 for Bring back Bill Gates, with a new business model to syphon some of the Microsoft profits to the charities he upholds and believes makes a difference.

      I would not mind paying for an ethical OS.
      Microsoft EthOS (patent pending)

    • #35146

      I have decided to delete my initial stab at a reply, and I’ll simply put a silent scream

      :-O

      ————–
      😉 chuckle

    • #35147

      @Louis,

      Re: “will that have an adverse effect on how W7’s OS runs when it does not communicate with MS’s update servers?”

      The other day in a prior discussion “thread” here, people were talking about how turning the relevant services off and being totally disconnected from MS’ servers for a certain length of time might invalidate their whole certificate or something (sorry, I don’t know the technical terms), which is a big pain to rectify, it seems.
      Apparently, it definitely happens in Win 10 but maybe not as commonly in Win 7/8…. I don’t know myself, but it’s an important topic which has been brought up here before, and which more of us probably will want to be mindful of in the future.

    • #35148

      I didn’t get the impression that Woody has “a problem” with any given approach that people might take (for their own lives).

      He just wants people to make informed decisions (as much as it’s possible to) and to avoid any avoidable pitfalls.

      After he gives the step-by-steps for being in Group A and Group B, there isn’t much he can do for the people who’ll decide to go full-throttle “Group Tinfoil”,
      besides to say that he understands why they have grave concerns, and that he agrees that some aspects of this situation are unfortunate, frustrating, unfair, privacy-invading, etc.

    • #35149

      @Simpson,

      “before perhaps getting on the highway by January 2017”

      What highway are you considering — Group C? Linux, Apple, Chrome?

      —–
      —–
      Or more a Neil Young kind of highway…
      🙂

      “They were hiding behind hay bales,
      They were planting in the full moon
      They had given all they had for something new

      But the light of day was on them,
      They could see the thrashers coming
      And the water shone like diamonds in the dew.

      And I was just getting up, hit the road before it’s light
      Trying to catch an hour on the sun

      When I saw those thrashers rolling by,
      Looking more than two lanes wide
      I was feelin’ like my day had just begun.

      Where the eagle glides ascending
      There’s an ancient river bending
      Down the timeless gorge of changes
      Where sleeplessness awaits

      I searched out my companions,
      Who were lost in crystal canyons
      When the aimless blade of science
      Slashed the pearly gates.

      It was then I knew I’d had enough,
      Burned my credit card for fuel
      Headed out to where the pavement turns to sand

      With a one-way ticket to the land of truth
      And my suitcase in my hand
      How I lost my friends I still don’t understand.

      They had the best selection,
      They were poisoned with protection
      There was nothing that they needed,
      Nothing left to find

      They were lost in rock formations
      Or became park bench mutations
      On the sidewalks and in the stations
      They were waiting, waiting.

      So I got bored and left them there,
      They were just deadweight to me
      Better down the road without that load

      […]The motel of lost companions
      Waits with heated pool and bar.

      But me I’m not stopping there,
      Got my own row left to hoe
      Just another line in the field of time….”

      “Thrasher” (song lyrics)
      by Neil Young

    • #35150

      Sure they would stay
      all Windows 10 cumulative updates from July 2015 still available
      likewise Windows 8.1 monthly rollups that were replaced by KB2919355 and KB3000850

    • #35151

      Looking at the WU service’s “Dependencies” I see there is absolutely nothing dependent on this service so I’m led to think disabling it would have no effect on anything else.

      M$ would (likely) be the only ones to have the detailed answer to that though. I parenthesized the word “likely” because I have serious doubts on what M$ actually knows about their own stuff anymore!

    • #35152

      Hey Woody. Take a look at Wired’s article ‘How Chromebooks Are About to Totally Transform Laptop Design.’

      https://www.wired.com/2016/09/chromebooks-totally-transform-laptop-design/

      A year ago I wouldn’t spend 2 seconds on an article like this, but now I read it enthusiastically.

      As the Chrome/Android merger is implemented, and more powerful Chromebooks come to market over the next few months [i.e Acer Chromebook R13], the Chromebook base will explode.

      Microsoft slams the door on its longtime customers, and Google opens another…much cheaper one.

    • #35153

      Maybe a choice between A, B and C. The new more powerful Chromebooks now being merged with Android?

    • #35154

      If you want to be SURE Windows Update does not try to change software on your PC, it only makes sense to stop the service and set it to Disabled in Services.msc.

      Then, when Woody takes you back to Defcon 3 or higher, Enable it and start it again.

      Just remember that in doing so you are taking on the additional responsibility for managing these transitions properly. It’s not a “set it and forget it” proposal. In other words, don’t forget to Enable the Windows Update service when you DO want to update – assuming you do again want to do so at some time in the future.

      Why even consider this?

      There is evidence that Microsoft has a back door, as during the time of XP/Vista “forced” updates were seen by some folks even on systems where they had made overt settings to not allow updates. I don’t know if that’s still the case, but we DO know from more recent experience that Microsoft doesn’t always have OUR best interests at heart w/regard to updates (e.g., GWX).

      Let’s review why we’re here, reading on this site:

      * We take an interest in managing our systems better than Microsoft does.

      * We don’t trust them to unconditionally patch our systems without error.

      * We want to learn better ways to run a computer system.

      -Noel
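
The stop/disable and later re-enable steps from reply #35154, together with the dependency check from #35151, as an added PowerShell example that is not part of any forum post. The function names and the state-file path are hypothetical; `wuauserv` is the service name of Windows Update.

```powershell
# Added example, not code from the thread. Run in an elevated Windows PowerShell prompt.
# Written for Windows PowerShell 2.0+ (the version shipped with Windows 7).

$SvcName   = 'wuauserv'   # service name of "Windows Update"
# Hypothetical location for remembering the start type that was in effect before locking.
$StateFile = Join-Path $env:ProgramData 'wu-start-type.txt'

function Test-IsAdmin {
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($id)
    $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Get-WuStartType {
    # Returns the start type in sc.exe vocabulary: delayed-auto, auto, demand or disabled.
    $wmi = Get-WmiObject -Class Win32_Service -Filter "Name='$SvcName'"
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$SvcName"
    $delayed = (Get-ItemProperty -Path $key).DelayedAutostart   # $null when the value is absent
    switch ($wmi.StartMode) {
        'Auto'   { if ($delayed -eq 1) { 'delayed-auto' } else { 'auto' } }
        'Manual' { 'demand' }
        default  { 'disabled' }
    }
}

function Get-WuServiceReport {
    # Read-only view: current state plus what the service needs and what needs it.
    $svc = Get-Service -Name $SvcName
    New-Object PSObject -Property @{
        Status     = $svc.Status
        StartType  = Get-WuStartType
        DependsOn  = @($svc.ServicesDependedOn | ForEach-Object { $_.Name })
        Dependents = @($svc.DependentServices  | ForEach-Object { $_.Name })
    }
}

function Lock-WindowsUpdate {
    if (-not (Test-IsAdmin)) { throw 'Run this from an elevated prompt.' }
    $current = Get-WuStartType
    # Save the previous start type once, so a second Lock does not overwrite it with "disabled".
    if ($current -ne 'disabled') { Set-Content -Path $StateFile -Value $current }
    Stop-Service -Name $SvcName -Force -ErrorAction SilentlyContinue
    # Use "sc.exe", not "sc": in PowerShell, "sc" alone is an alias for Set-Content.
    & sc.exe config $SvcName start= disabled | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "sc.exe failed with exit code $LASTEXITCODE" }
    Get-WuServiceReport
}

function Unlock-WindowsUpdate {
    if (-not (Test-IsAdmin)) { throw 'Run this from an elevated prompt.' }
    # Fallback is Automatic (Delayed Start), the setting reply #35142 gives for the service.
    $startType = 'delayed-auto'
    if (Test-Path $StateFile) {
        $saved = (Get-Content -Path $StateFile | Select-Object -First 1).Trim()
        if ('delayed-auto', 'auto', 'demand' -contains $saved) { $startType = $saved }
    }
    # Set-Service in Windows PowerShell cannot express delayed start, hence sc.exe here too.
    & sc.exe config $SvcName start= $startType | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "sc.exe failed with exit code $LASTEXITCODE" }
    Start-Service -Name $SvcName
    Get-WuServiceReport
}

# Read-only check; call Lock-WindowsUpdate or Unlock-WindowsUpdate explicitly to change anything.
Get-WuServiceReport | Format-List
```

Saving the previous start type matters because re-enabling with a plain "Automatic" would silently drop the delayed-start setting.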

    • #35155

      That’s the whole point, Woody, that’s what made me hesitate between Group A and B and that’s led me to consider Group B and C (no updates at all) as the basis. I just can’t stand the idea of traveling with no return ticket and if cumulative updates appear to be as said not uninstallable then that will be a one-way ticket for maybe the best… and maybe the worst : how would I resume a non-bootable OS when the cause is an update and that cause is no longer removable (besides of course sys backup)? I’m not getting into that traffic, no way.

    • #35156

      It’s true. The new ability of Chromebooks to run Android apps is a game changer.

    • #35157

      +1

      (Although I wouldn’t say “Group Tinfoil” – I’d press upon my best Arlo Guthrie voice and call it “Group W.” Sorry, I can’t do Neil Young.)

    • #35158

      What do we get in return?

      Up until now (i.e. up until the time of Windows 7):
      * We got a very good quality OS, with regular updates that we could pick and choose from.
      * Great quality software.
      * Very easy printer management.
      * Enforcement of OS rules, which made everything easy to develop and which made everything work together amazingly well.
      * We got a standardized environment that was not that hard to learn how to support.

      The reason we got all of this is because Microsoft made money (lots of it) for their efforts, and because Microsoft was hungry to be the dominant player.

      Something changed after Windows 7. Microsoft went from being hungry to be the dominant player, to using their dominance to force their way on everyone. So we’ll have to see how it goes from here on. But I’m not optimistic that Microsoft will retain their dominance.

    • #35159

      Simpson said: “Like all of us I’m really curious to discover October’s new Windows Update scheme, observe the reactions, read here users’ comments (Ah! Haha! Wow! Ooooh! No! and other sounds) before perhaps getting on the highway by January 2017.”

      You definitely make the case for waiting till the end of each month to install the security-only monthly rollup. I’m firmly in group B, and that’s what I plan to do.

      It will be interesting to read all of the comments from those who went ahead and installed it as soon as it became available.

    • #35160

      +1

    • #35161

      Hi Noel,

      I think (?) you are the person who has posted the direct link to the monthly “Security Update for Windows Kernel-Mode Drivers” so people could manually install that and stop the high CPU, constant searching for updates thing that happens each month. Can you post that again here?

      Right now I’m set (as always) to “Check for updates but let me choose whether to download and install them” since September is *supposedly* going to be like any other month, and I’ll want to install that asap to stop the high CPU issue again.

      But I’m also wondering if it’s better to set it to “Never check for updates (not recommended)” now (instead of waiting until October), but I’m uncertain if doing that, and then turning it back to “Check for updates but let me choose whether to download and install them” when there are updates for September to get (and after manually installing the kernel-mode update thing to stop the CPU issue) will make weird things happen (or if it’s just better to leave it set as is for now).

      Thanks!

    • #35162

      I could not agree more. NEVER means MS you are never going to take over my machine. I have control. Never does NOT mean you will never update. It simply means you the owner of the computer are in control. I have had my 150 client computers set at Never for over a year now.

      Once a month they get an email with instructions when and what updates to install. It is working extremely well. They are all running beautifully, and stable.

      CT

    • #35163

      Here’s a handy little tool I found on the Ghacks.net site. It’s called Ancile and can be used to disable a whole bunch of things like Telemetry updates and Microsoft Diagnostics Tracking.

      Here’s the link: http://www.ghacks.net/2016/09/12/ancile-block-spying-on-windows-7-and-8/

      Maybe Woody can play guinea pig for us and test it. 🙂

    • #35164

      I switched to Linux about 6 years ago. I now use Mint on my 4 computers. I’m very pleased with the results. If you don’t need certain Windows programs then make the switch. You can start by downloading the iso file and burning it to a DVD, then boot it. There is a learning curve but there is so much good help on the Internet. If you come to Woody’s site then you probably have enough brains to make the switch. If you install Linux on a computer where the user is not computer savvy then they won’t have any problems at all.

    • #35165

      What are you implying, ch100, relative to Linux ?

    • #35166

      Buy an Apple. That’s what I am going to do as soon as their new Mac Book Pro is available.

    • #35167

      That would be a deal if Group A does the same, not to complain about poor functionality of their system due to MS’ action. That is only fair: if non-Group A can’t complain, neither can Group A. How about this, we shall accept the responsibility of our actions regardless of the groups?

      To be honest, with how MS played with W7 and W8.1 over the past year, I don’t see how going with Group A would keep the system functional. If anything, by the past action, it is more likely Group A would have to suffer from the slow morph of W7 into an inferior copy of W10 (you might as well go to W10 since that would be safer and more functional in the longer run than W7 with full MS control.) In other words, MS is not working to improve W7.

      Thus, Group B is more likely to keep their system functional assuming there is no nasty surprise in the security only patches (to ensure that only Enterprise and maybe Pro could use it). It is merely more hassle but more secure and less likely for the computer to have problems (in the short term since MS is likely to test only “fully patched”, so there may be problems in future).

      So the best thing to do is just to watch how things go first before jumping into Group A or B. Play it safe. See what Woody says. At least for us that do not have test machines or have full technical knowledge as to easily fix things.

    • #35168

      Yep!!! Especially since Chromebooks outsold Macs for the first time in the first quarter of this year.

      I suppose this is what Microsoft really intended for the Windows 8 Tiles and Metro apps for PC and Windows Phone.

      But MS issue was the chicken or egg problem. Few users because of few apps. Few apps (or developers) because of few users.

      This Chromebook thingy running Android could be bringing some real convergence, with access to millions of ready made apps 🙂

    • #35169

      Microsoft is going to fade into the darkness. Much like AOL, Kodak, IBM, HP, and I am sure you can name many others. They are following the script perfectly. It starts with completely ignoring a strange being sometimes called customer. Proceeds from there to not just ignoring but proceeding against the best interests of that strange annoying being called customer that keeps beating on the door.

      Sooner or later the customer finds another source for what he/she needs. One that actually wants to hear from the customer and listens carefully. Then proceeds to perfect their products to be attractive to what those customers actually want to buy.

      CT

    • #35170

      I would offer 2 concerns that are often expressed here. The first is privacy, an issue with some people to varying degrees.

      The second is the sorry state of malware being vectored by Android apps. This would probably be addressed by reasonable caution, but it is my main concern with Android products.

      Personally, I found past Chromebooks limiting, and it did not appear to be a real desktop alternative. However, if it is getting better and more diverse, AND it helps give users alternatives to the Microsoft juggernaut I look forward to seeing how it goes. If it becomes just another OS with commercials (like Win10) I will stick with my Win7 until it breaks (or is deliberately broken by MS) and good Linux distros.

    • #35171

      No thanks! But I’d be happy to report on any results….

      The problem is in monitoring – how can we be sure that ANY tool keeps Microsoft’s mitts off?

    • #35172

      I wish. But look at corporations such as Comcast, Facebook, and here in Canada, the infamous Bell. They gave up “customer care” long ago in favor of “customer fleecing”, but still seem to be surviving well.

    • #35173

      Re the privacy issue. If you are resigned to giving up some information, who would you rather give it to?
      My view is that Brin/Page/Google have done a lot of good and offered us many serious programs & services free [Google Earth, Google Voice, Google Docs, Google Translate, Google Fiber and on and on].
      Seen any of that from Microsoft, Apple or Facebook?
      The new line of Chromebooks coming out are available with core i3-i7 processors, Full HD screens and SSD’s [Acer Chromebook R13 etc].
      As far as app security, I understand that Chrome OS is actually quite secure.
      For a relatively small investment [especially compared to Apple] of $300-$500 I will be buying one to prepare for any transition that has to be made because of MS policies.

    • #35174

      @Jim I strongly disagree with the “very good quality OS”, “great quality software” and similar points. Right now I am going through one hell on my desktop, where Windows is too stubborn to move the pagefile to my secondary hard drive (and spare the SSD some write wear), and another one on my laptop (dual-booted), where Windows Update works like it doesn’t. And this is just the tip of the iceberg – I could film a full-length documentary about how Windows sucks at being an OS.

      “Enforcement of OS rules”? What kind of rules and enforcement are you talking about?

    • #35175

      Maybe I have a similar point of view to Bill Gates a few years ago, although Microsoft is now getting closer to the Open Source movement.
      Think also about how some of the major Linux distributions have been adopted by certain governments with an interest in developing them further and you may find that your data, instead of going to Snowden’s previous masters, now will go to his current masters or elsewhere.

    • #35176

      @Picky You may be right in theory, but someone following Group A, would in fact follow the manufacturer’s instructions and as such has the right to complain to the manufacturer which is obliged to resolve the problem if it affects a large number of users. Otherwise, who is going to provide solutions to custom approaches?

    • #35177

      Group B is not likely to have a more functional system than Group A. Those who do not update at all are the most likely to keep the system as is, only that there are security risks involved.
      A lot of people here ignore the fact that Windows 7 is a subset of Windows 2008 R2 which is used with server applications and Microsoft has no interest in upgrading it for free to the equivalent Windows 10 Server which will be released by the end of the month. Windows 2008 R2 will be supported until 2020 like Windows 7 and most patches are common, read identical, between Windows 2008 R2 and Windows 7 64-bit.

    • #35178

      It happens in Windows 7 to some extent, but not on the scale that was reported for Windows 10. This may change with the push for global encryption via an update and it is indeed related to certificates.
      There are a few reasons for this implementation. Sometimes certificates get compromised and there is a list which is called Certificate Revocation List which needs to be checked from time to time to confirm that the certificates in use are still valid. Also so-called root certificates have a limited lifetime and when they expire, they need to be renewed.
      There are a few KB articles with requirements for accessing certain internet locations.
      In practice, even if it is possible to have a completely disconnected system, it is complicated and this is not an easy task for most users.

    • #35179

      woody: KB3172605 (July 2016 update rollup for Win7 SP1) is now offered at Windows Update as a “Recommended” update this Tuesday 9/13.

      And KB3185911 (MS16-106) is the new win32k.sys security update for September 13 which can be the newest WU scan speed-up patch.

    • #35180

      Is Chromebook turned into a phone now?!

    • #35181

      Thanks!

    • #35182

      Thanks, poohsticks. A few words calling an idea and the idea a song. A very nice song. Reading the lyrics appeared as a breeze on a hot summer day. I completely escaped until I read “Reply”, reminding me of another reality.

      Nice to escape this way- I appreciate it.
      Some never get back to a highway, others never get off of it. Carpe Diem when we’re off, at least (can I afford to dream on a highway?). Running, speed, fast and faster may be thrilling but not sure thrill is happiness; perhaps searching for thrill is a way of forgetting unhappiness.

      Art is happiness, always. Beauty, beauty of nature, of human nature as well, friendship, truth. Authenticity. To be and not to pretend. Simplicity. Happiness is possible.

      Thanks again.

    • #35183

      Concerning security issues with The All Seeing Eye possibly peering over your/our shoulder, with all the negative terrorism activities going on, and the real possibility of our security people looking for it to happen; I am really surprised the terrorists sometimes get away with it. I would think in today’s world, the National and International security people are watching us more closely and run all the gibberish and possibly intelligence through their security super-computers for sifting. I remember E. Gordon Liddy of the famed Nixon Henchmen stating the FBI do gather intelligence without the courts’ approval to gather intelligence knowing full well it cannot be used in court. They do it for the intelligence. Microsoft and especially Google do it for targeted ads with hopes of us spending our money on their supporters, I think. I would hope our security people are watching us a whole lot more closely and what better way to do it than through our internet provider people. They can get access to us no problem with a court order! So why are you people so paranoid about them monitoring you about the trivial stuff?

    • #35184

      I also had KB3172605 as “Recommended” on my Win7Pro-64 SP1 desktop. It surprised me as I had installed that earlier on my desktop as it does not have any Intel Bluetooth.

      I wonder why it is back and what has changed, if anything. It was a rollup and still lists the Bluetooth issue.

    • #35185

      I am not as concerned about National Security agencies and Law Enforcement doing what they do in this country (US). There are guidelines and checks and balances for that.

      What I do not want is for my online activities to be tracked so I can get commercials for garbage I am not interested in and thereby turning the online browsing experience and working at my PC into the ad cesspool that is commercial television and radio.

    • #35186

      Well put, Bill C. That is exactly the point of my concern. TV and Radio for that matter have become an experience that is so polluted with junk that it becomes intolerable. In my car, I have a CD that plays the music I want to hear. There is one station that plays great music. I tune it in and listen. The first commercial (there will be 9), I tune in my CD.

      TV is worse. The dumb insulting junk that shows up there is almost intolerable.

      Windows 10 will turn into that same morass.

      CT

    • #35187

      Thanks EP. KB3185911 might be a useful solution for those still experiencing problems with Windows Update.

    • #35188

      KB3172605 has been revised.

    • #35189

      It is because as history proves, the information can arrive in the wrong hands without the proper checks in place and can be used for different purpose than it was supposed to be used initially.

    • #35190

      Indeed it was for my Win 7Pro x64 box; the stand-alone installer (all versions) may be found at https://technet.microsoft.com/en-us/library/security/MS16-106 .

    • #35191

      I think there’s a point about this mess that is being missed! Decisions re: deciding on Group A or B or perhaps even C, are based in large part on risk versus reward considerations. For the technically inclined, a malfunctioning or even a bricked computer may be little more than a fun challenge to resolve. This is certainly NOT the case for myself (and I’m sure many others on this list)! Recovering from a bad patch could easily exceed my diagnostic and restoration skills, leaving me without my computer. So, my thought process requires me to determine which is the greater risk to my computers — MS or malware. For me, it is the former!

      And then there are the hidden patches that are known to be problematic to certain Dell computer configurations, of which I have two. These patches would be unleashed in a Group A scenario.

      So, as much as I appreciate and depend upon the technical experts on this list to guide me, I do not consider it appropriate to over-simplify the choices that many of us have to make. Nor do I feel that should I choose Group B, that any future problems are somehow self-inflicted and deserved. That is the deal that I would propose.

    • #35192

      I have a computer on my desk today that I upgraded from XP to Win7. At the conclusion of the install, I manually installed KB3020369, then KB3172605. Windows update found the usual 200+ updates within 15 minutes.

      CT

    • #35193

      I look after 150 client Win7 computers. My clients are a mix of all kinds of users. Mostly not particularly technically competent. They look to me to guide them.

      Any answer by Group C looks like it could be impossible for them to manage. For October, Group C will be it until I can find a way that may work to keep them in Group B, but it may be impossible.

      The vast majority of Win7 owners who don’t have someone like me, if made aware of what is happening, will never use WU again.

      CT

    • #35194

      Woody, I’m getting the error code 8024402F when checking for Windows Updates. On top of that, Microsoft seemed to have changed the option “Check for updates, but let me choose whether to download and install them” to “Install updates automatically (Recommended)” without my permission. And apparently, Updates were never checked. They were prior to today. Lastly, I’m unable to manually install the Security Update for Flash Player for Windows 8.1 (x64). It said “Some updates could not be installed”. How will I be able to check for updates if I can’t?

    • #35195

      I’ve seen several reports from PKCano about inexplicable changes to the “Install updates” setting.

      In general, though – it’s MUCH too early to install anything from the latest crop. Sit back and relax.

    • #35196

      I fear you’re right….

    • #35197

      I would suggest that the best approach for you would be to wait a little longer and apply patches retroactively. I am not discussing any other approach than Group A, as it is the only approach which I consider likely to generate a good outcome from an engineering perspective.
      Unless you want to completely stop updating, which is acceptable and even less risky in the technical sense, if your system is stable and you don’t want enhancements at the time when you decide to stop updating. I have reservations to recommend this method though, but as you say, you have to put in balance risk and reward and take the path which is most useful for you.

    • #35198

      @James,

      You expressed the following so well —

      “…as much as I appreciate and depend upon the technical experts on this list to guide me, I do not consider it appropriate to over-simplify the choices that many of us have to make.
      Nor do I feel that should I choose Group B, that any future problems are somehow self-inflicted and deserved.
      That is the deal that I would propose.”

    • #35199

      It’s the same group, or nearly the same group, I would think!

      But I was too young in the 70s to have felt the impact of Arlo’s song [or to have felt most of the electric and tense wider social atmosphere of that time (except, strangely enough, having some vivid memories of watching the Smothers Brothers tv show, down to remembering exact images of skits and such, when I was aged in the single digits, sitting about 3 feet in front of a little B&W tv in the living room, and realizing that there was a lot of subtext, bravery, and anger going on in that show, and great disapproval directed towards it by my grandparents, etc.)], so for a feeling of Group W, all I can go on is the Wikipedia explanation, and it seems it describes people who have previously had some kind of arrest/criminal conviction/trouble with the law, and they are sitting on a bench waiting to see if they can get a “moral waiver” in order to join the military/join the war — this image and idea, while powerful, unique, and ironic in the context of Arlo’s true story behind the song, doesn’t fit how I see my situation regarding the Windows 7 updating awfulness, because I haven’t done anything wrong/illegal/mischievous vis-a-vis my computing life or Microsoft, and I’m also not trying to join anything that I’m not already a member of. I’ve been “law abiding”, I’ve stuck to my side of my contract with Microsoft, and I don’t want to join in their nonsense; I want to escape their intensifying grip, I want to dodge their universal “draft” into Windows 10 (and their conscription of the Windows 10 objectors into the Windows 10 “lifestyle” that they are imposing onto Windows 7/8 customers). I’m not on the bench, I don’t want Big Brother to give me a moral waiver to join anything. 
      Of course, I don’t know what the alternative was for those guys like Arlo – if they didn’t wish to ask for a moral waiver, I don’t know what would have happened to them, especially considering the powerful wider social scenario, which as a female in a younger generation I realize that I don’t know much about — I have a feeling that there is more to the meaning of Group W for Americans older than myself than I have heretofore picked up on, and I don’t mean any offense.

      Groups B-minus, C, Freedom, Highway, Tinfoil, Security-only, W: We’re all on the right side of the struggle, on the side of fairness, responsibility, privacy, safety, do-no-harm, justice, respect!
      🙂

    • #35200

      “If you are resigned to giving up some information, who would you rather give it to?”

      But I am not resigned to giving up information, privacy or security! I want to give as little info as possible to any and all technology companies.

      I don’t trust Google in the slightest, and although I have an Android phone out of necessity, beyond the text messaging, telephoning, alarm clock, and camera, I have every other included/required app turned off as far as the phone allows, and I have no optional apps installed (except for Norton Security, which came with my 5-device Norton subscription).

      Maybe there are big things that I’m not taking into account, but it appears to me that, regarding my personal concerns about Microsoft’s current actions and plans, jumping over to Google/Chrome/Android in order to escape what Microsoft is trying to do to my Windows 7 setup would not provide me with more security, privacy, cost savings, ease of use (given the learning curve), or compatibility.

      Having to store things in the cloud, having everything I type and search for be examined and mined and joined-up behind my back with other disparate pieces of information about me, dealing with annoying mobile apps —
      I can’t see that going “Google” would be better for someone like me than joining Group A and just letting Microsoft take control. At least in the latter case I’d still have my machine set up the way I’ve got it arranged, plus my files where I know how to find them, my routines, my Win 7 and Office 7 old-fashioned reliability and comfort, my laptop ports the way I want them (including some that aren’t common anymore), my built-in cd/dvd thing, not have to spend $500 on new equipment and learn how it works, etc.

      (That scenario of joining Group A as being preferable to me, when compared to moving to Google as my operating system, was just for the sake of argument, because I don’t think I could be in Microsoft’s Windows 7/8 updating Group A starting in October even if I wanted to be, because there is a recommended and important security patch that was released a couple of years ago that messes up my computer, and I can’t allow it to be installed, so it looks like Group A would not be an option for me — at least if Microsoft is going to make their mainstream, joint, 2nd-Tuesday, Monthly Rollup a cumulative and fragmentation-hole-filling affair.

      Other than their recent get-windows-10 and telemetry patches, any of the minimal patching fragmentation that I’ve been forced to allow to exist on my computer has been necessary and (apparently) permanent. Otherwise, over all the years – up until the middle of last year – I have allowed them to install everything, even all the optional patches.)

    • #35201

      What changed after Windows 7 was that Bill Gates (he was still captain of the Microsoft ship back then) tried to convince everyone that touch screen devices were the key to the future and that Windows 8 was the ideal OS to work with that kind of hardware.

      However, hue and cry erupted from all four corners of the Earth when users discovered that the Start menu was now a screen populated by hundreds of funny looking tiles. There was no obvious Search utility and a lack of clarity as to how to use the layout efficiently with a keyboard and mouse virtually swamped Microsoft’s campaign to regain its dominant position in the world market.

      I think Microsoft was a little peeved that hardly anyone shared their vision of the future and spent the next 12 months trying to undo the damage they’d caused to their reputation.

      To add fuel to the fire, Microsoft’s first venture into the hardware market with the Surface tablets-cum-laptops appeared in support of the Windows 8 concept, but turned out to be a dismal failure with thousands of them stacked up in warehouses unsold.

      Windows 8’s successor 8.1 didn’t fare much better and when KB2919355 a.k.a. the Windows 8.1 Update appeared along with the threat that users of Windows 8.0 had to install it in order to receive future security updates, the Microsoft ship took a marked list to starboard threatening to capsize completely when hundreds of users through no fault of their own were unable to install it. It took Microsoft about three months to sort that out if my memory serves me correctly.

      And now with Windows 10 we’re into the next instalment of the Microsoft soap opera.

    • #35202

      @ Evan,

      For the 8024402F error try resetting the Windows Update components: https://support.microsoft.com/en-us/kb/971058

      That worked for a user in the answers.microsoft.com forum who had the same error: https://answers.microsoft.com/en-us/windows/forum/windows8_1-update/windows-81-update-service-throwing-error/754cd333-0a2b-4e2f-93cd-480b40cc6193

    • #35203

      Add to this story the great hoopla from MS about how sorry they were about 8 and the replacement was going to be so different they skipped 9 and went to 10.

      In reality 10 is 8.2 and no better.

      I predict 10 will eventually be deemed a repeat of the 8 failure. MS will have to extend 7 just like it did XP because of big IT pressure, mainly because just like Vista and 8, 10 is unacceptable.

      What really bugs me is the myth that people are not buying PCs because they prefer hand-helds. The truth is that when Joe consumer went to his local WorstBuy to get a replacement PC and was offered 8, he gagged and found the next best thing.

      MS is responsible at least in part for the great success of the iPhone/iPad. Interestingly, it failed completely in the hand held field.

      CT

    • #35204

      To Woody, and all commenters: If the internet is connected to our computers no matter what is going on Microsoft has control: all windows OS’s. MS is the greatest computer hacker in the world. Just my opinion after reading pages upon pages of complaints of MS intrusion.

    • #35205

      +1

    • #35206

      I don’t know how W10 will evolve in the long run but I feel the year ahead will be a pain. We have the MS CEO running around making statements like Windows is no longer an OS; it is now merely a service. A peculiar service I might add as we have to license the OS, oops service, and install the service on our own equipment. Unfortunately, MS is in a state of strategic confusion for which everyone is paying a price.

    • #35207

      Simpson, still have the posteo account?

    • #35208

      I’ve reconfigured WU to: “Check for updates but let me choose whether to download and install them”.

      I didn’t choose the “Never check for updates” option because I need to know when M$ releases a Servicing Stack update.

      And before I install any patches I always create a manual System Restore point just in case things go pear-shaped.
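
The routine described in the posts above (confirm the Windows Update setting has not silently changed, as reported in #35194, then create a restore point before patching, as in #35208), written out as an added PowerShell example that is not part of any poster's reply. It assumes an elevated session on a Windows 7 or 8.1 client; the function names and the restore point description are made up for illustration.

```powershell
# Added example: audit the Windows Update notification level, then snapshot.
# Assumes an elevated PowerShell session on a Windows 7 / 8.1 client.

$ExpectedLevel = 2   # "Check for updates but let me choose whether to download and install them"

# AutomaticUpdatesNotificationLevel values from the Windows Update Agent API.
$LevelNames = @{
    0 = 'Not configured'
    1 = 'Never check for updates'
    2 = 'Check for updates but let me choose whether to download and install them'
    3 = 'Download updates but let me choose whether to install them'
    4 = 'Install updates automatically'
}

function Get-WuNotificationLevel {
    # Effective setting as reported by the Windows Update Agent.
    $au = New-Object -ComObject Microsoft.Update.AutoUpdate
    return [int]$au.Settings.NotificationLevel
}

function Test-WuLockedDown {
    # Hypothetical helper: returns $true only if the setting matches $Expected.
    param([int]$Expected = $ExpectedLevel)
    $actual = Get-WuNotificationLevel
    if ($actual -ne $Expected) {
        Write-Warning ("Windows Update is set to '{0}' (level {1}); expected level {2}." -f `
            $LevelNames[$actual], $actual, $Expected)
        return $false
    }
    Write-Host ("Windows Update setting OK: {0}" -f $LevelNames[$actual])
    return $true
}

function New-PrePatchRestorePoint {
    # The description text is illustrative. On Windows 8 and later, System Restore
    # by default skips a new point if one was created within the last 24 hours.
    $description = "Pre-patch {0:yyyy-MM-dd}" -f (Get-Date)
    Checkpoint-Computer -Description $description -RestorePointType MODIFY_SETTINGS
    # Show the newest restore point so the operator can confirm it exists.
    Get-ComputerRestorePoint | Sort-Object SequenceNumber | Select-Object -Last 1
}

if (Test-WuLockedDown) {
    New-PrePatchRestorePoint
} else {
    Write-Warning 'Correct the Windows Update setting first; no restore point was created.'
}
```

Running the check again after each Patch Tuesday scan shows whether the notification level has drifted from the value chosen in the control panel.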
