• MS-DEFCON 3: Get patched, but watch out

    #41589

    It’s been almost a week since Microsoft re-issued the famed, feared “Get Windows 10” patch, KB 3035583. I still don’t see what’s different about it, b
    [See the full post at: MS-DEFCON 3: Get patched, but watch out]

    • #41590

      Woody,
      The reference to the Office 2010 problematic update is incorrect. The Windows Installer issue resulted from an April 2016 update — MS16-039 https://support.microsoft.com/en-us/kb/3114566

    • #41591

      Thanks! I’ll get it corrected right away.

      If you have further details, I’d love to hear about it. Looks to me like there were two versions of Office 365 CtR released in May. Any further info?

      Also, do you know of any reliable source for information about CtR updates? I see lots of Microsoft Party Line, but don’t see much about “real world” experiences.

    • #41592

      Good advice about the “SP2” Convenience Rollup. I think it should be avoided as much as possible if not building images to be replicated in a relatively significant number. For a one-off installation every year or so, Windows Update should do the job even if it may take a few nights to get started.

    • #41593

      Just a quick one Woody…….. Went to install the May patches and I see I have KB3146706 that you spoke about last month. Find that strange that it’s come up this month. Also notice the date of the patch is “published 12th/4/16” Is this the bad one ?? Should I leave it alone……. It was ticked as Important.
      I’m on a 64bit machine Win7. I will hold off until I hear back! Many thanks LT

    • #41594

      Oh! and even MS spoke about and I quote :

      “Known issues in this security update
      After you install this security update on a Windows 7 SP1-based system, you may experience any of the following problems:
      • The system slows down
      • You cannot access folders under the Documents and Settings folder.
      • You cannot modify permissions on the Security tab in the Properties dialog box
      • You may receive a disk write failure error message
      This problem may occur when certain third-party DRM software is installed. The problem is known to occur with certain DRM software from Fasoo.com.

      Contact the manufacturer of your software for more information about how to resolve this problem.

      The third-party products that this article discusses are manufactured by companies that are independent of Microsoft. Microsoft makes no warranty, implied or otherwise, about the performance or reliability of these products. “

    • #41595

      We had about 10 important updates ready to go from the last time Windows Update was checked in May on our W7/64 desktop and KB3035583 was not on that list. It took 19 hours to get all 10 installed. The last one finished at about 10:30pm last night. Then we got the WU balloon popup – more updates are available.

      In this list sent last night …
      KB3035583 sent as important and checked.

      Our W7/32 laptop got it as optional and unchecked.

    • #41596

      Woody,

      You say now it’s okay to install KB 3146706, because it’s been updated. But your article that you link to about this, while it says it was updated, actually states not to install it still. It’s only listed as Important, not Critical, so I am not going to install it until there is more clarification. (And how important is this update?) Thanks!

      PS. Is there any heads up as to what the new “kernel update” will be in the next batch of updates that will stop the long checks for updates and high CPU usage this time around?

    • #41597

      Woody – I have the GWX control panel installed and do not have monitor mode on – but am a little confused on how to run it – do you just have to open it up? I don’t really see a button to click that says “check” or “run”. thanks for all the great info

    • #41598

      Woody, please clarify one point: you said “UNCHECK the boxes next to any items that aren’t specifically marked as “Security Update.” All of them.”

      What about updates to Windows Defender? You’ve previously indicated that we should run those whenever they appear, but they don’t say the word “security” update. Thanks!

    • #41599

      They will run whether you check them or not. But, yes, Windows Defender updates should be allowed through.

    • #41600

      Thank you for your work 🙂

      I have two questions. The first question is what non-security patch did MS put in the IE patch?

      The second question is why should we install 3146706? I really don’t like the warning there and nobody here stated if it would work fine. Would the computer be fine if I do not install this patch?

      Anyway, I am betting that one of the reasons MS retired IE outside 11 was that Vista and below could not have IE11. Thus, MS would be able to put in the little nasty surprises in the IE without worrying about the Vista and below. So IE patch is now both a security necessity and trap at the same time 🙁

      Thank you again, Woody.

    • #41601

      Just open it up – just run it.

    • #41602

      Microsoft has identified the conflict as being with a DRM package from fasoo.com. I know exactly nobody who uses that DRM package. Enough time has passed, and the hollers have fallen off, so I feel confident recommending that people install it.

      Even though it’s listed as Important, sooner or later you should install it.

    • #41604

      See my note previously. It’s not clobbering machines like it used to.

    • #41605

      >What about updates to Windows Defender?
      >…
      >they don’t say the word “security” update.

      It’s one of the great (and many) ironies of Microsoft and Windows.

      If you don’t update them through Windows Update, Defender itself will go out and get them.

      That’s actually a nice feature in itself, because it’s possible to disable Windows Updates entirely and still have definitions kept up to date. I have several systems that follow that path.

      -Noel

    • #41606

      Hey Woody, I very carefully only checked security updates for downloading/installing, including for other Microsoft products, and now I see non-security updates listed as installed for these products (Word, Excel, etc.) though not any Windows non-security patches. I am guessing that this is what you referred to when mentioning that some security updates had additional files. Should I be concerned? I don’t seem to be having any problems, except for a screenwriting program, which has a glitch in its ability to update its software (and I think that was already a problem). Thanks, as always.

    • #41607

      On our w7/64 desktop the setting “Give me recommended updates the same way I receive important updates” is unchecked. However we got KB3035583 as important and checked.

    • #41608

      OUCH. I wonder if Microsoft changed 3035583 from “Recommended” to “Important”? Can anyone confirm?

    • #41609

      You should be OK. No, it isn’t supposed to work like that, but the Office patches (with the one Click-to-run glitch that I still haven’t figured out) went pretty well.

    • #41610

      One of the IE11 patches included advertising capability, but I don’t think Microsoft ever implemented it.

      Microsoft lists the non-security components of KB 3154070 at the top of the KB article. Nothing too alarming, but definitely not kosher, IMHO.

    • #41611

      Win 7 x64 both Ultimate and Pro here Woody both set to never check and recommended unchecked. I just did a manual check for updates on both of them and 3035583 is still listed in the Optional group italicized with a date of 5/25/2016.

    • #41612

      How about the rollup, KB3156418 for 8.1 users?

    • #41613

      It’s not a security patch. Fuhgeddaboutit.

    • #41614

      Very strange. That’s what I’m seeing, too.

    • #41615

      Hi Woody – a big THANK YOU for your always fantastic work in looking after our computers.

      Assuming KB 3146706 has now been cleared I still have a couple of suspect ‘leftovers’ from March/April – any comment on KB 3139398 and 3153171 ????

    • #41616

      It is still under Recommended.

    • #41617

      I am not convinced that Windows Defender or MSE will update regardless of the settings for Windows Update. They come on Microsoft Update when scanning and I think there is further testing required to prove it.

    • #41618

      On my Win7 computer, KB3035583 was in the important updates and checked. I hid the update so I would not accidentally install it.

    • #41619

      @Woody,

      I’m not quite clear on KB 3146706…you indicated…

      “Last month I warned about KB 3146706, but it’s been reissued and appears to be OK.”

      Yet on my W7 SP1 64 list of Security updates it’s listed as being published 4/12/16.
      If my machine is doing an auto check for updates daily [which it is], why is the “reissued” KB 3146706 not showing the 5/10/16 published date that the rest of the May updates are showing? Shouldn’t a reissued update show a current date?

      Gotta tell you, I’m reluctant to install this 4/12/16 version. Whaddya think?

    • #41620

      I got fed up with waiting for downloads and could not find a method to stop it looking.
      So I could run your method of speeding the process.
      Restarted computer, ran update and it said 11 updates to download.
      I think I did this last month as well; maybe a coincidence that the first stage of looking was nearly complete.

    • #41621

      How do you turn auto drive update off in windows 10? The dialog (which still changes the same setting in the registry) isn’t worded how it used to be.

    • #41622

      *driver updates

    • #41623

      Leave it overnight if you have to. (I assume you’re using Win7.)

    • #41624

      I think the time date on the update is wrong. It was re-issued around May 3.

      The original problem only appeared in China, and also apparently with some people who were using a specific DRM program. I wouldn’t worry about it, and install it.

    • #41625

      Do you have “Install Recommended updates” checked in Windows Update?

    • #41626

      3139398 is only for Windows Embedded. You probably don’t have Windows Embedded.

      3153171 is a security update, and should be OK to install.

    • #41627

      Group Policies:
      Computer Configuration\System\Device Installation
      – Prevent device metadata retrieval from the Internet
      – Specify search order for device driver source locations
      – Specify the search server for device driver updates

      Also you can always set a fake WSUS server under the Windows Update Group Policies.

    • #41628

      Thanks Woody! Have updated the Important ones that I had. Included in that was the Russian time-zone update…….. which I thought was of no interest to me……. and unticked that……….but on going out of the window and going back I found that it had been ticked again. So it seems that if you want to ignore a certain patch and not install you would need perhaps to ‘hide’ it…….. which CH100 has already commented on not being a good idea. Unless of course you start the update without leaving that window/page. So anyway I just installed it. A few years ago I had a diabolical problem with my fonts (and they are mega important to me….. I play with graphics) and it was a result of a dodgy patch to update ROUBLES no less! And it took forever to find that an update had caused it, and MS’s fix, let alone sort it.
      So I’m a little wary of these ‘obscure’ updates!
      Thanks again for being the beacon in all this
      hooha!! LT

    • #41629

      Headed for the 3.5 hour mark on this fresh check for updates.

      What’s this I hear about the massive (optional) service rollup causing OS corruption?

      Anyone run SFC.exe and DISM on a clean install to double check this?

    • #41630

      Just curious: KB3153731 is listed and checked for Windows 7 x64, and it is the only non-Security update. I clicked the “More Information” link just to see what it is and…
      It’s updated DST settings for Azerbaijan, Chile, Haiti, and Morocco. Why on earth is that an important and checked update for someone in the USA?! I mean, any update has the potential to cause problems, right? Why do they even bother with such updates for folks outside those areas?

      Thanks!

      Jim McGowan

    • #41631

      Got caught up on May patches for 3 Windows PC’s today, two Win 7 desktops & one Win 8.1 laptop.

      These stay set to “never check for updates, until Woody gives the all clear”

      Took a disk image of each PC first, then manually checked for updates.

      On each PC there was KB 3035583 among the list of optional updates, unchecked and italicized as recommended. Hid that one!

      Installed the security updates, rebooted, and checked again. KB 3035583 was back again! Hid it again. Whack-a-mole 🙂

      Everything is still running smooth…

    • #41632

      I can understand that… many people in the US have friends and acquaintances in Azerbaijan. Seriously, Microsoft’s kinda caught between a rock and a hard place on that one.

    • #41633

      I’m seeing reports of SFC triggering bad results, including several reports right here.

      I would attribute those to bugs in SFC…

    • #41634

      The Group Policies have the same bad wording and you have to test what is suitable for your configuration and also compare with what gets greyed out in the regular settings by setting the GP.
      The driver updates behave in a different manner than expected sometimes and this is counter-intuitive to me.
      It is like this by default, at least this is my understanding:
      – If there is no driver for a device, then it gets downloaded automatically
      – If there is a driver already installed and is suitable and functional, then updates are automatically downloaded only if an existing update is considered critical by Microsoft which in practice is very rare and more likely to happen immediately after major upgrades like 1511 or the Anniversary Update. The existence of the update is logged under the windows update log and can be found and downloaded from the Microsoft Catalog based on GUID.
      – There is another situation which is not quite clear, when Automatic Updating of the drivers is blocked by Group Policy or in Control Panel, but the user right-clicks the device in Device Manager and asks for scanning for updates on the Internet. Then it seems that updates for drivers are installed without further asking.
      I think the only safe way to block all driver updates from the Internet is to configure a fake updating server in the Group Policies for Windows Update, but in that case none of the updates would be available on Windows Update.

      If anyone else has a different experience, understanding or can point to a document explaining this or different behaviour, I am more than happy to learn about it. It can be about Windows 7, 8/8.1 or 10 as there are many similarities although I think Windows 10 introduces few differences.

    • #41635

      Running DISM how? Integrating the rollup in the image?
      Noel Carboni noticed issues with SFC which I believe are related to an older patch which had this bug and is now included in the current rollup. I don’t have proof about it, it needs to be confirmed one way or the other.

    • #41636

      I think there is a misunderstanding here. This is actually a rollup update containing all the previous time zone changes and in addition the current changes related to Azerbaijan, Chile, Haiti and Morocco. It is true that any update can cause issues and if there are concerns, then it is better not to install it. In my experience it is safe to install and remove few superseded updates from the picture in the process of updating. This is why it is flagged as Important.

    • #41637

      LT, I am very pleased that at least you read my posts 🙂 Don’t take any of my comments as advice, they are only comments to Woody’s articles posted here, or on InfoWorld. Sometimes Woody posts my emails addressed to him which means he finds them of general interest for which I am grateful. Woody has the most authoritative approach to what needs to be installed as update and please follow Woody’s advice in this matter.

    • #41638

      @Picky “I really don’t like the warning there and nobody here stated if it would work fine. Would the computer be fine if I do not install this patch?”

      It works fine if you don’t have the software from fasoo.com which seems to be popular in some Asian countries or if you have a legit version of Windows 7. The computer would be fine without installing the update, however the computer may not be protected from the security hole which the update claims to patch.

    • #41639

      @CH regarding your comment “It is still under Recommended.”

      Every one of the Win 7 systems I own show two groups in Windows Updates named “Important” and “Optional”.

      Where are you seeing a “Recommended” group? I’ve seen this stated many times here and it’s rather confusing.

    • #41640

      The last time I was offered KB314706 it had been unchecked so I ended up hiding it. Blessed if I can remember what it was supposed to do now!

    • #41641

      I did all the updates except the obscure time zone one on both my Windows 7 machines yesterday with no problems.

      Thanks as always for the advice Woody.

    • #41642

      woody says:
      May 30, 2016 at 8:12 pm

      Do you have “Install Recommended updates” checked in Windows Update?

      On my Win7 64bit Home Premium computer, I have “Give me recommended updates the same way I receive important updates” checked in Window update settings. Important update setting is set to ‘check for updates but let me choose whether to download and install’.

    • #41643

      “Installed the security updates, rebooted, and checked again. KB 3035583 was back again! Hid it again. Whack-a-mole 🙂

      Everything is still running smooth…”
      —————————————-

      Me too (win7/64bit) – kb3035583 and kb3148851 after reboot – hidden again!

      I didn’t do the speed up update trick either and 19 updates (after missing the last round) took a couple of hours to complete including reboot – seems fine to me.

    • #41644

      Yep, that’s why the patch was checked.

      Better to uncheck the box marked “Give me recommended updates…”

    • #41645

      It’s a security update for something called OLE. https://support.microsoft.com/en-us/kb/3146706

    • #41646

      It IS confusing. Windows has two groups – Important and Optional. In addition, each patch in each category can be checked or unchecked (“checked” means it’ll be installed the next time Windows Update runs).

      Microsoft releases patches in three groups – Important, Recommended, and Optional.

      Inside Windows Update there’s a checkbox that says “Give me recommended updates the same way I receive important updates.” If that box is checked, a Recommended update ends up in your Important list. If that box isn’t checked, the same patch appears in your Optional list, italicized.

      Whether a specific update is checked or not is a completely different attribute.

    • #41647

      That’s exactly right.

    • #41648

      Woody… a big thank you. I have hidden the updates in the list below. Other than kb2952664, and kb3035583 (appears twice), which updates can I unhide and install. Your advice will be greatly appreciated.
      Thank You once again.

      kb3146706 Important Security Update
      kb3153171 Important Security Update
      kb3156013 Important Security Update
      kb3156016 Important Security Update
      kb3156017 Important Security Update
      kb3156019 Important Security Update
      kb3153731 Important Update for Windows 7
      kb2506928 Recommended Update for Windows 7
      kb2660075 Recommended Update for Windows 7
      kb2726535 Recommended Update for Windows 7
      kb2923545 Recommended Update for Windows 7
      kb2952664 Recommended Update for Windows 7
      kb2970228 Recommended Update for Windows 7
      kb2999226 Recommended Update for Windows 7
      kb3021917 Recommended Update for Windows 7
      kb3035583 Recommended Update for Windows 7
      kb3035583 Recommended Update for Windows 7
      kb3068708 Recommended Update for Windows 7
      kb3075249 Recommended Update for Windows 7
      kb3080149 Recommended Update for Windows 7
      kb3118401 Recommended Update for Windows 7
      kb2670838 Optional Platform Update for Win 7
      kb2592687 Optional Update for Windows 7
      kb3102429 Optional Update for Windows 7
      kb3123862 Optional Update for Windows 7
      kb3139923 Optional Update for Windows 7
      kb3156417 Optional Update for Windows 7

    • #41649

      I have always hid the “optional” updates once it’s established that they are not going to “convert” to something else. Is this the best way to deal with all of these “optionals”?

      Also the “roll-up” I keep seeing referenced, isn’t for those of us who keep our updates current is it? Trying to get some guidance with this one. I don’t even think I’ve seen it in my update list. Haven’t started yet on the updating.

      Any advice is always appreciated. 🙂

    • #41650

      Oh! I didn’t think that there was any conflict in your advice with Woody’s advice, ch100…. sorry to be obtuse…… but possibly as I’m not as informed as so many are on this blog…… that what you said about the fact that patches can be ‘lost’ when hidden and could cause problems down the track…. made me think a while about it. I presumed that would be also Woody’s thoughts. And apart from hiding those dreaded GWX ones I try not to hide the others. In passing… I find the general tone of this blog is really something. The conversation flows…. the thoughts are good…. there’s so much to learn and understand and everyone is friendly! And…. of course all this reflects on our host, Woody, who is one of those who besides having such knowledge is also someone who shares it with us all. LT

    • #41651

      One of my machines is a lightly used laptop running Win 7 Home Premium. It doesn’t get used every day, so once a week I’ll have WU search for updates. (I’m at “let me check and download”.)

      What I’ve seen is that MSE will update itself while WU is searching for other updates. It’s actually a bit of a pain, because if you select the definition update in WU, you can get a conflict because MSE is already installing it.

      Now, I’ll manually tell MSE to update itself before I tell WU to search. On a good day, MSE will be done before WU has its list ready.

    • #41652

      I don’t see KB3146706 reissued in May updates list hmm

    • #41653

      No need to hide anything – just keep them unchecked, and Auto Update turned off, and you’ll be fine.

    • #41654

      I’m no expert on the subject – there are many people collecting lists of “bad” patches, and they have different criteria for assessing badness.

    • #41655

      I currently have 6 updates for Windows 7(x86) hidden. My criteria are anything to do with “Get Windows 10”, “Telemetry”, or “enhancing the upgrade experience”.

      They are as follows:
      1. KB2952664 Compatibility update for upgrading Windows 7
      2. KB3021917 Update to Windows 7 SP1 for performance improvements (in order to determine whether performance issues may be encountered when the latest Windows operating system is installed).
      3. KB3035583 Get Windows 10 (Both of them) 😀
      4. KB3068708 Update for customer experience and diagnostic telemetry
      5. KB3080149 Update for customer experience and diagnostic telemetry
      6. KB3123862 Updated capabilities to upgrade Windows 8.1 and Windows 7

      I have installed all security and optional updates for Windows 7(x86) to date, except for those listed above. I do wait for Woody’s all clear first, and then take a system image to roll back from, if necessary.

      So far, everything is running smooth here. But as always, your mileage may vary based on system configuration, installed device drivers, and apps. That is why I always recommend a good strategy for system imaging.
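The checks discussed in this thread (security vs. non-security, Important vs. Optional list, pre-checked or not, hidden or not) can be read directly from the Windows Update Agent COM API. The script below is an added example, not part of any post in this thread; it only searches and reports, and its watch list is the six KB numbers from the post above. The `Kind`, `List` and `Note` column names are this example's own.

```powershell
# Added example: read-only audit of pending updates via the Windows Update Agent API.
# It never hides, downloads or installs anything. Written to run on PowerShell 2.0.

# KB numbers taken from the hidden-update list in post #41655 above.
$watchList = '2952664', '3021917', '3035583', '3068708', '3080149', '3123862'

# WUA category IDs are locale-independent, unlike the category display names.
$catSecurity    = '0fa1201d-4330-4fa8-8ae9-b877473b6441'   # Security Updates
$catDefinitions = 'e0789628-ce08-4437-be74-2495b842f43b'   # Definition Updates

$session  = New-Object -ComObject Microsoft.Update.Session
$searcher = $session.CreateUpdateSearcher()

# Ask for both visible and hidden updates that are not yet installed.
# On Windows 7 this search can take as long as a normal "Check for updates".
$criteria = '(IsInstalled=0 and IsHidden=0) or (IsInstalled=0 and IsHidden=1)'
$result   = $searcher.Search($criteria)

$report = foreach ($u in $result.Updates) {
    $kbs    = @($u.KBArticleIDs)
    $catIds = @($u.Categories | ForEach-Object { $_.CategoryID.ToLower() })

    if     ($catIds -contains $catSecurity)    { $kind = 'Security' }
    elseif ($catIds -contains $catDefinitions) { $kind = 'Definitions' }
    else                                       { $kind = 'Other' }

    # BrowseOnly = WUA treats the update as optional;
    # AutoSelectOnWebSites = Windows Update pre-checks the box.
    if ($u.BrowseOnly) { $list = 'Optional' } else { $list = 'Important' }

    $watched = @($kbs | Where-Object { $watchList -contains $_ }).Count -gt 0

    $note = @()
    if ($watched) { $note += 'on watch list' }
    if ($kind -eq 'Other' -and $u.AutoSelectOnWebSites -and -not $u.IsHidden) {
        $note += 'non-security but pre-checked'
    }

    New-Object PSObject -Property @{
        KB      = ($kbs -join ',')
        Kind    = $kind
        List    = $list
        Checked = [bool]$u.AutoSelectOnWebSites
        Hidden  = [bool]$u.IsHidden
        Note    = ($note -join '; ')
        Title   = $u.Title
    }
}

$report |
    Sort-Object Kind, KB |
    Select-Object KB, Kind, List, Checked, Hidden, Note, Title |
    Format-Table -AutoSize -Wrap

# Watch-list updates that are currently visible and pre-checked are the ones
# that would install on the next run if nothing is unchecked by hand.
$report | Where-Object { $_.Note -like '*watch list*' -and $_.Checked -and -not $_.Hidden } |
    ForEach-Object { Write-Warning "KB$($_.KB) is offered, visible and pre-checked." }
```

Running it before and after a reboot shows whether a previously hidden KB has come back as a new, unhidden entry.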

    • #41656

      Me too Daniel. 3035583 even went so far as to re-issue itself. By this I mean that my hidden one unhid itself & appeared in the optional list, then another one appeared in optional. One is smaller by 1 KB. Very strange seeing two there. Both of which I have rehidden again.

      On another note, I had 3123862 unhide itself by appearing in the optional list. Called a “mystery” patch here (see older articles), it appears this update from February has been reissued.

      Shows up unitalicized on my Win8.1 x64 home machine. While I don’t plan on installing it because of the optional nature, I still find the reappearance as odd.

    • #41657

      @John W The list which you use is the same list that Noel Carboni posted recently and I think is the one which should be used as reference for those who do not intend to upgrade in place to Windows 10. Any other list is excessive and has updates which are not related to the Windows 10 upgrade issue. Noel posted another update KB971033 which is not related to Windows 10, but can optionally be avoided for other reasons.
      Your approach to patching seems to be optimal and as you said, everything is running smoothly with that approach.

    • #41658

      In addition to my comment above, I would suggest not hiding the undesired updates to allow Microsoft to dynamically manage those which are retired, one example being KB3035583 for which the older version will likely disappear soon. If keeping those updates visible is too much of a hassle and if hiding is not causing any issues, then you are likely alright keeping them hidden.

    • #41659

      If you’re keeping updated the typical way you need not be concerned with the “convenience rollup”: KB3125574

      In fact, on my test systems that package has consistently corrupted the system’s own integrity check (SFC), so I recommend AGAINST installing the “convenience rollup” at this time.

      -Noel

    • #41660

      Woody I have several questions I need advice with. I have Win7x64 Home Premium. April security updates yet to install in addition to May updates. Do I need to install KB3138612 plus KB3145739 for April first before installing April and May updates. Do I need KB3138612 to speed up searches for updates. KB3138612 is no longer in my list of updates. Then do I install KB3153199 first before installing May updates to improve performance. Also some of the security updates for April are no longer showing up when May security update list appeared. Does that mean some May security updates have superseded some of those listed in April? I need to get caught up with Security updates. I plan on installing April updates first then proceed with May. I’m sorry I have so many questions but truly need advice.

    • #41661

      I have already done that testing, and have been relying on that behavior for quite a long time now.

      My firewall software and the event logs definitively show that once Windows Update is found unable to deliver the definitions updates, the AV software on Win 7 will just go out and get the updates itself via the mpcmdrun.exe program (described as the “Microsoft Malware Protection Command Line Utility”).

      The only downside is that it will log an error in the System Error Log that “Microsoft Antimalware has encountered an error trying to update signatures.” Then, less than 10 seconds later another message will be logged describing that the update has succeeded.

      As an example, my Win 7 x64 Ultimate system, serving as a small business server, just today at 12:44 pm went out and got itself new definitions.

      See the following screen grabs for supporting info:

      http://Noel.ProDigitalSoftware.com/ForumPosts/Win7/FirstEvent.png

      http://Noel.ProDigitalSoftware.com/ForumPosts/Win7/SecondEvent.png

      http://Noel.ProDigitalSoftware.com/ForumPosts/Win7/FirewallLog.png

      But I encourage you to do your own verification of this behavior.

      -Noel

    • #41662

      Yep, those patches will speed things up. At least on most systems. See

      http://www.infoworld.com/article/3069693/microsoft-windows/windows-7-update-scans-taking-forever-kb-3153199-may-solve-the-problem.html

      If you don’t want to install any updates manually, just run check for updates before you head out to lunch, or overnight. No harm done.

      If there were security updates in April and they no longer appear, don’t worry about them. Supersedence may be at play.

    • #41663

      While I didn’t notice corruption after installing the Convenience Rollup on fully patched systems, there is no need for it to be installed on such systems, it is not the intended use and as Noel found, there is always a chance to cause issues.

    • #41665

      Not having KB2670838 Optional Platform Update for Win 7 installed makes your system a lot less functional than it should be and in addition does not allow installing IE10 or IE11. With such a long list of omitted updates for no real reason, you would be better off functionally to install nothing at all except for Service Pack 1.

    • #41666

      Woody: Thank you so much for your advice. I appreciate it more than words can express. I don’t know what any of us would do without your help!! You are “One in a Million”!! 🙂

    • #41667

      You betcha. Spread the word!

    • #41668

      I have come to the same conclusion. The only reason to “hide” something is so you don’t have to look at it again. Hiding is a waste of time (on top of which M$ regularly re-issues certain bad actors, countering the “hide”). If you’re unchecking everything except Security Updates, what’s the point, anyway?

    • #41669

      When I update to IE11, KB2670838 installs too (I’m on 9 right now). As far as I can tell, you have to have KB2670838. I’ve had so many problems with KB2670838 and having to uninstall it from different family laptops, I’ve just resigned myself to having to stay at IE9. No one uses IE in the family, but the fact that everyone says parts of IE are used in the OS and it should be as up to date as possible. I’m not sure which is worse, then – insecure IE9 or all the problems with KB2670838.

    • #41670

      I don’t keep lists, or refer to other lists, but I am aware of a few. Too much work, too little reward, IMHO.

      I just use the “hide” feature to organize the patches that I have reviewed the KB for, and find to be potentially sketchy. Then I check everything else, including the optional patches and install them 🙂

      If I were then to run into any trouble, I can reload the previous image in 30 mins or so and be back where I was …

      Regarding the optional patches, there are a few bug fixes included in them. IMHO, I believe that keeping up with a rolled up to date OS, is the best way to avoid a “corner case” problem. One that may only appear to be affecting you. Because, for example, possibly the issue may have been fixed a year ago in an optional patch. But you have now deviated from the OS patch baseline that Microsoft engineers are testing with.

    • #41671

      Thank You all.

    • #41672

      If you have problems with KB2670838 and do not use IE, then staying with IE9 should be the best compromise.
      You must have a very old computer to have problems with KB2670838, or maybe running certain software which does not like that update. Are you sure that you installed the latest drivers for your computer?

    • #41673

      @John W Well done for having a computer running as it should and thank you for all your information which I think is useful to everyone else. 🙂

    • #41674

      Woody,
      I downloaded the two files for Win 7, 64 bit. I started Windows6.1-KB3138612-x64.msu running. And it’s been going for about an hour and a half. The bar on top says “Windows Standalone Update Installer.” Under that it says “Searching for updates on this computer” and the green phosphor stuff keeps moving across the gray bar. I’m just going to let it run now the rest of the night and hope that it finishes by morning.
      I hope Windows6.1-KB3145739-x64.msu goes faster!
      (By the way, is it not good to do what I’m doing now and use the computer while it’s attempting to update?)
      Thanks for all your help!
      Morty

    • #41675

      I had enormous problems, too, but several people here have suggested other approaches that seem to work better. One is to unplug the internet connection while running the installer.

      Perhaps others who have fared better than I did can chime in with recommendations…

    • #41676

      Use John W approach at comment 6 and you will be fine… guaranteed.

    • #41677

      Just noticed after doing May updates that the Restore function is not available (greyed out) for any of the items listed under ‘Restore hidden updates’. Windows 7 x64 Professional, Check for updates but let me choose, Recommended updates unticked. Is this related to recent updates? I know that I was able to restore hidden updates before.

    • #41678

      I had exactly the same problem with it saying ‘Searching for updates on this computer’ forever. You will need to stop WU in Services before trying to download: Press the Windows key + R then in the Run box, type ‘services.msc’ (without the quotes), now in the Services window, look for ‘Windows Update,’ click on it once, then at the top of the pane on the left, click ‘Stop the service.’ You can now close Services and try the download again – which should only take a few mins. Win Updates will probably restart automatically afterwards, but if not, just go back into Services, click ‘Windows Update’ then ‘Start the service’ at top left.

      It’s possible that setting WU to ‘Never check for updates’ might work in the same way, but I haven’t tried it.

    • #41679

      Speaking of the never check for updates option, Woody, is there any point to using that option, especially if WU auto checks for updates & over-uses the CPU? I take it you’ve seen the recurring Windows Update using 100% cpu cases.

    • #41680

      There’s no problem using Never check for updates — but then the monkey’s on your back to periodically check and make sure that security patches are installed.

    • #41681

      Before running any standalone updates I open an elevated command prompt and run the command net stop wuauserv. After stopped, install the downloaded update.
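
The procedure described in the replies above (stop the Windows Update service, then run the standalone installer), as an added PowerShell example that is not part of any post in this thread. The C:\Updates folder is an assumed download location; the two file names are the ones mentioned earlier in the thread.

```powershell
# Added example: install standalone .msu packages with the Windows Update
# service stopped, then put the service back the way it was.
# Run from an elevated PowerShell prompt (works on PowerShell 2.0).

$packages = @(
    'C:\Updates\Windows6.1-KB3138612-x64.msu',   # assumed download folder
    'C:\Updates\Windows6.1-KB3145739-x64.msu'
)

# Translate the wusa.exe exit codes that are worth telling apart.
function Get-WusaResult([int]$Code) {
    switch ($Code) {
        0           { 'installed' }
        3010        { 'installed, reboot required' }
        2359302     { 'already installed' }              # 0x00240006
        -2145124329 { 'not applicable to this system' }  # 0x80240017
        default     { "failed (exit code $Code)" }
    }
}

# Remember whether the service was running so it can be restored afterwards.
$wasRunning = ((Get-Service -Name wuauserv).Status -eq 'Running')
if ($wasRunning) {
    # Equivalent to "net stop wuauserv"; ends any update scan in progress.
    Stop-Service -Name wuauserv -Force -ErrorAction Stop
}

try {
    foreach ($pkg in $packages) {
        if (-not (Test-Path -LiteralPath $pkg)) {
            Write-Warning "Skipping missing file: $pkg"
            continue
        }
        # /quiet and /norestart keep wusa.exe from prompting or rebooting,
        # so every package is processed before any restart.
        $proc = Start-Process -FilePath "$env:SystemRoot\System32\wusa.exe" `
                    -ArgumentList @("`"$pkg`"", '/quiet', '/norestart') `
                    -Wait -PassThru
        $name = Split-Path -Leaf $pkg
        Write-Output ("{0}: {1}" -f $name, (Get-WusaResult $proc.ExitCode))
    }
}
finally {
    # wusa.exe may already have started the service again; start it only
    # if it was running before and is not running now.
    if ($wasRunning -and (Get-Service -Name wuauserv).Status -ne 'Running') {
        Start-Service -Name wuauserv
    }
}
```

A result of "installed, reboot required" means the restart was deferred by /norestart and still has to be done by hand.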

    • #41682

      After seeing Woody’s “okay” for patching May’s patches, I did so last night on one of 2 computers. (Will do the other one shortly.)

      I had earlier manually installed the standalone patch that speeded up the Windows Update checking for May, so last night I just had to click once to check, and it labored only a couple of minutes before showing me the updates available.
      I have something like 23 optional updates built up (old and new); didn’t even look at them this time around. None of the important updates were a surprise, based on what I’ve read from the experts to expect to see this month.
      I had 5 Office ones that I installed first (as a set), and when I rebooted and checked again (from scratch), the new Windows Update check only took about 30 seconds, which was amazing!
      I then installed about 6 new security ones that didn’t seem to have any reports of problems (as a set), then rebooted and rechecked, then I installed the 2 .net ones (last year I read advice from Brian Krebs at krebsonsecurity.com to install .net ones separately, so that’s why I do that).
      I left about 3 or 4 of the “important” ones uninstalled, for various reasons.
      It was quick, no troubles at all — finally!


      I’ve been on alert because MS is reportedly really ratcheting up the GWX assault, but fortunately I have not seen any of the Get-Win-10 stuff, even though I don’t have the “GWX Control Panel” installed — and it may be because I have given any reputed GWX/telemetry-linked updates a wide berth over the past year.

      I don’t expect that they are finished with seeking “novel” ways that are unencumbered with excessive ethicality to get what they want, by hook or by crook, and I sort of fear for my computer and my whole little MS/Windows procedure/set-up/files/knowledge that I’ve spent decades working with and investing hard-earned money in.

      I hate that I have to feel so vulnerable about something so important to my life.

      Our lives/ways of life/environments/societies have become more precarious in so many ways; the world does not need this further instability based on an oligopolistic company’s secretive whims/profit-seeking schemes/miserable government orders. And I don’t even think that is being over-dramatic. 🙁

    • #41683

      Thank you Woody, Scribe and cyberSAR.
      I saw Scribe’s and cyberSAR’s advice after I waited it out. Around 7 this morning, I had a message asking if I wish to install the update. I did. Went fine. Then I went through the same deal with the second update. After 10 (yes ten) hours, I got the same question: do I wish to install the update.
      Is that two out of my three wishes? Or does Microsoft only do Wizards, not Genies?
      Now on to the rest of the Windows update….
      This time, though, I think I’m doing a full backup first!
      Thanks again!

    • #41684

      VERY good idea to keep a disk copy. Never know when you might need it again…

    • #41685

      I hear ya! We really have all come to depend on our technology to help manage our lives in this modern, connected world. There is a lot of potential vulnerability built in to this way of life. Malware, network outages, server outages, PC problems, all can disrupt us in ways that were previously unimaginable.

      But I have found that the best way to cope is to not over-think it. Have a back up plan and know how to use it. Test it occasionally to be sure you understand how to use it, and that it still works.

      Regarding patches, I think other than GWX/telemetry-linked updates, that waiting a few weeks for the rest of the batch does no harm. That is why I rely on Woody’s “all-clear” signal. I feel by that point, MS has (hopefully) re-released any buggy patches. Well that, and my backups 😀

    • #41686

      With the settings on Never check… WU is no longer checking and your CPU is no longer running at 100% because of WU. On all other settings, the CPU is running high while svchost.exe does its scheduled run and it can take hours sometimes.
      Did I misinterpret the meaning of your enquiry?

    • #41687

      Hi Woody,

      Been following you since I purchased my 1st book of yours for Windows XP for Dummies on my relatively ancient Dell Dimension 3000, since retired.

      Thanks for all your help via your books but especially this real-time online help-site.

    • #41688

      You betcha!

    • #41689

      After having tested the latest updates on a Win 7 virtual machine, I patched my Win 7 system and it seems to be running fine.

      The good news? I believe I’m past the problems with the long delays. Even though I normally have Windows Update set to “never check” on its own, when I started the Windows Update process this time around it found the available updates in just a few minutes. Installation was uneventful.

      Just one more data point supporting MS-DEFCON-3.

      -Noel

    • #41690

      Well said, poohsticks.

      I wonder… What more useful things could we do with our minds if we didn’t have to become such experts at protecting ourselves from the company we bought software from?

      -Noel

    • #41691

      Should one install these together, or if we were to install the Windows 10 updates one at a time, should one install KB3152599 after the cumulative update KB3155421?

    • #41692

      If you’re running Win10, just take all of them as they come.

    • #41693

      On my Win8.1 x64 home edition the restore hidden updates function has become disabled.

      Yesterday it was fine, after installing updates & resetting important to “check but let me choose” & unchecking recommended.

      Google said nothing on the matter, probably too new an issue. Restart = no joy.

      Would someone please clue me in on what to do about it, thanks.

    • #41694

      Don’t worry about it. If one of the updates gets re-released, it’ll show up.

    • #41695

      Great, I can breathe again, thanks fella.

    • #41696

      Here’s my list, narrowed to windows 7 only:

      KB3035583
      KB3123862
      KB3146449
      KB3022345
      KB3068708
      KB3080149
      KB3075249
      KB3090045
      KB3150513
      KB2952664
      KB3021917
      KB2977759
      KB3081954

      I’m open to discussion about any entry on this list (in fact, I’d love feedback on the list).
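
A way to check a machine against the KB list above, as an added PowerShell example that is not part of any post in this thread. It assumes the list is meant as updates to keep off the machine, and it reads the Windows Update Agent's local cache so that it does not start a new online scan.

```powershell
# Added example. Run from an elevated PowerShell prompt (PowerShell 2.0+).
# KB numbers are copied from the list in the thread; treating them as a
# "keep off this machine" list is an assumption.
$watchList = @('3035583','3123862','3146449','3022345','3068708','3080149',
               '3075249','3090045','3150513','2952664','3021917','2977759',
               '3081954')

# Installed packages as reported by Get-HotFix (HotFixID looks like "KB3035583").
$installed = @(Get-HotFix | ForEach-Object { $_.HotFixID -replace '^KB', '' })

# Windows Update Agent COM API. Online = $false makes the search use the
# results of the last completed scan instead of contacting the update server.
$session  = New-Object -ComObject Microsoft.Update.Session
$searcher = $session.CreateUpdateSearcher()
$searcher.Online = $false

# Return the KB numbers of every update matching a WUA search string.
function Get-KbSet([string]$Criteria) {
    $kbs = @()
    foreach ($update in $searcher.Search($Criteria).Updates) {
        foreach ($kb in $update.KBArticleIDs) { $kbs += [string]$kb }
    }
    return ,$kbs
}

$hidden  = Get-KbSet 'IsInstalled=0 and IsHidden=1'
$offered = Get-KbSet 'IsInstalled=0 and IsHidden=0'

$report = foreach ($kb in $watchList) {
    if     ($installed -contains $kb) { $state = 'INSTALLED' }
    elseif ($offered   -contains $kb) { $state = 'offered, not hidden' }
    elseif ($hidden    -contains $kb) { $state = 'hidden' }
    else                              { $state = 'not offered' }
    New-Object PSObject -Property @{ KB = "KB$kb"; State = $state }
}

$report | Select-Object KB, State | Format-Table -AutoSize
```

An entry that shows "offered, not hidden" after it was hidden earlier is a re-issued update, which is the case several replies in this thread describe.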

    • #41697

      Thanks Noel.
      I will add a few things here.

      If Windows Update is configured in Group Policy to go elsewhere, typically to what is called a WSUS (internal) server, all MSE updates normally check the same server.

      In Windows 10 there are Group Policies built-in which can instruct Defender to go on Microsoft Update online with a separate schedule than the regular Windows Update, which means that if they are configured, those Group Policies over-ride the default behaviour.
      Computer Configuration\Administrative Templates\Windows Components\Windows Defender\Signature Updates

      In Windows 7 the same as above can be configured in Registry or through the Group Policies of Forefront Antivirus https://technet.microsoft.com/en-au/library/gg398027.aspx, however I did not test this scenario in detail.

      Your testing and the post above from RCPete actually prove that Windows Update when triggered will do the definitions update on its own at the same time, while potentially running a backup process for updating.

      What happens if Windows Update is configured for Never check for updates? This was actually why I raised the issue in the first place. I think that in such a configuration and only then, MSE or Defender will not update.

    • #41698

      I’m stating the obvious but did you click on the box to the left of the hidden update to restore?

    • #41699

      Yes, I figured that out too… that was it. Guess I got a little paranoid. Thank you GoTheSaints for your response and also to Woody and everyone who posts here. Most useful information. Keep up the good work.

    • #41700

      Well, protecting ourselves can be a slippery slope down a rabbit hole. I try to keep it simple. But what is simple to me, is not necessarily so for others.

      As the family IT tech, I gave up trying to support Windows on my senior parents’ computer. They went through 3 Windows PCs over the years, but I was constantly getting calls about strange messages from their antivirus or firewall, or updates, or general PC security.

      I went online and ordered a Mac Mini, had it shipped, and talked them thru setup in about 15 minutes. The calls dropped way off, except for periodic media rumors about Mac security updates. Life was good again!

      Then one day about eight years later, their bank dropped support for MacOSX10.5, so what to do? Apple no longer supported that old hardware, so no upgrade path.

      I went online again and ordered a Chrome OS Chromebox. It is nearly a drop-in replacement for the Mac Mini. Got it up and running in about 30 mins, by phone. The hardest part was installing the HDMI to DVI video cable. No worries now. Running as guest, the Chrome OS goes back to factory new every time it powers on. Nothing is saved, no way to catch malware.

      Life is good again 🙂

    • #41701

      Excellent choice. I recommend Chromebooks to my family members, too, unless they absolutely need to run a Windows-only program. Those are becoming increasingly out-of-touch, especially for home users.

    • #41702

      For what it’s worth…

      I’ve found I have to run a Windows Update check for updates before the Hidden updates become visible.

      -Noel

    • #41703

      I’m updating a friend’s Dell laptop Win7 32-bit SP1. It’s had the revolving door issue which was resolved last month by manually installing KB3138612 and KB3145739. But this month when I set it to “Check for Updates” it was back in the revolving door. I waited patiently, then went to see if both KBs were still there. Yep. So I tried a restart. Back in the door. Then I tried a total cold start. And when I rebooted and clicked on “Windows Update” on the menu, it came right up to “20 updates ready. . .”. No “Checking. . .”, no nothing else. Truthfully, this happened once before, before we knew about the manual install of the two KBs. At the time, I thought “what the hey, what happened” but it never happened again. That’s what made me try the cold boot this time. The Malicious Software Tool failed and I went back and picked it up after the restart. The only other change I made was to notice how hot the little laptop was getting when I had to wait so long for the “checking”. I got a cooling fan which was working for this update, if that makes any difference.
      Kris

    • #41704

      It’s like you need a scorecard to keep up with these changes!! KB3138612 and KB3145739 were the previous month’s Win Update fix. This time, it’s KB3153199. See this post listed below and the companion InfoWorld article for more info. Woody, you might want to update this current post (“MS-DEFCON 3: Get patched, but watch out”) to point to the “latest” Win Update fix.

      https://www.askwoody.com/2016/windows-7-update-scans-taking-forever-kb-3153199-may-solve-the-problem/

      http://www.infoworld.com/article/3069693/microsoft-windows/windows-7-update-scans-taking-forever-kb-3153199-may-solve-the-problem.html

    • #41705

      OK, so here’s what happened.
      I did the backup overnight on Thursday.
      Then I waited until I was finished working on Friday and went back to Windows Update.
      I followed the instructions of unchecking the non-security updates. (They were almost all Office 2010 updates.)
      Then I looked at the optional updates and none were checked.
      I was about to click OK to install the updates, but something told me I’d better take another look at the recommended updates. Sure enough, when I wasn’t looking they all got checked again. So, again, I unchecked the non-security updates and clicked OK.
      I had 20 updates and they took just over an hour. The whole process — complete with rebooting and checking with GWX was around an hour and a half.
      Thank Heaven and thank you!!!!!!
      And that’s not all. When I turned on the computer tonight, I clicked on Update in Microsoft Security Essentials. (Recently I have needed to manually update it.) And it worked in a few minutes.
      So it looks like mission accomplished!
      Thank you again!
      Morty

    • #41706

      whew…

    • #41707

      No dice. Still gray. My friend’s W7 laptop too. Did his updates last week as well.

      Thanks for mentioning it though.

      After disk cleanup which included a line item about windows update cleanup, I had high hopes. Me & bupkiss are becoming fast friends.

    • #41708

      Cannot locate a post that referenced KB3148851 (Time Zone Change- Russia). This one appeared in April updates, and there was a reference here somewhere to not install it, and uncheck it. Listed as “Important”.

      After that (since it was just listed as an “update”, and apparently applied to a time zone change), it just disappeared. Now TODAY (June 5th), it just appeared on the “New Update List”, “checked”, and showing Important, again.

      What is the recommendation for this now? Is it acceptable to hide it since I do not need “time zone changes”, or should I just leave it on the list?

      I was clean and clear on all of the updates until today, and I have no clue as to where this one has been. Nothing shown as hidden and nothing shown as installed. Very strange.

      Any guidance on this would be very much appreciated.

    • #41709

      This comment is not about technical matters, but I thought I might pop in an unrelated newspaper article (which I stumbled upon just now, while checking out the latest Guardian articles before going to sleep). 🙂 🙂

      from today, June 5th —
      https://www.theguardian.com/books/2016/jun/05/windrush-host-33rd-world-pooh-sticks-championships

      “Windrush plays host to 33rd World Pooh Sticks Championships,
      More than 500 sportsmen and women compete to become World Pooh Sticks Champion on river in Oxfordshire.

      Hundreds of enthusiastic competitors travelled to a small river in the Oxfordshire countryside hoping to win one of the world’s most coveted sporting titles – World Pooh Sticks Champion.

      The river Windrush, in Witney, played host to the 33rd World Pooh Sticks Championships on Sunday, with more than 500 sportsmen and women of all ages taking to the bridge to drop their twigs.

      Tactics varied between players – with some aiming for the sides of the stream, while others propelled their sticks into the middle.

      Spectators watched the coloured twigs float along the five-metre course from the bridge, near St Mary’s Cogges, and under the rope finish line.

      …Pooh Sticks came to life in AA Milne’s The House at Pooh Corner, published in 1928. In the book, Winnie the Pooh played the game with his friends – and, once, the group mistook the character Eeyore for a large grey stick.

      Luckily, the Pooh Sticks races in Witney went without a hitch.

      The event, which was organised by the Rotary Club of Oxford Spires, raised around £3,000 for local charities.

      David Cameron, the prime minister and MP for Witney, was not there.”

      I once lived a couple of miles from that town, but I don’t recall their having any Poohsticks events then, so I think the town is a relatively new venue for the Pooh Sticks Championships.

      This is the only place where “poohsticks” is my username, so even though this site is not a discussion forum with an “off topic” section, I hope people won’t mind my random post about this. 🙂

    • #41710

      Interesting!

    • #41711

      It was an example of a KB that most people probably don’t care about. There’s nothing wrong with installing it, if you feel so inclined.

    • #41712

      Woody:

      Thank you so much for your advice on this one.

      Your invaluable assistance is always very much appreciated! You always know the answers to a myriad of questions 🙂 🙂

    • #41713

      Thanks, but I’m humbled by the voluminous knowledge of so many contributors here.

    • #41714

      You are kind, Woody,

      but I realize that it probably isn’t that interesting to most folks. 😉

      I saw a photo of the event today in an article on the Daily Mail online – it was just a small event, but nice for the children who participated and got certificates.

      I do have a lot of fondness for Pooh and the stories and the gentle countryside he inhabits, but I’m not some kind of nutty oddball about Pooh. 🙂

      I picked the name out of the air, after using “D.” and “D.D.” for a while here. I was trying to find something that wouldn’t have been taken by anyone else here, and that would make searching for my past comments easy (since D. is too ubiquitous, of course).

    • #41715

      To Woody and/or other commenters —

      I have a simple question (I have Windows 7, 64 bit, Home Premium version) —

      Is it generally recommended to run Disk Cleanup as an “administrator” and to delete the Windows Update stuff that Disk cleanup says is old and unnecessary?

      (I think that the Windows Update line is not presented as an option to delete in the normal Disk Cleanup, but only when Disk Cleanup is “run as administrator”.)

      I’ve always treated Disk Cleanup with a lot of caution (I figured it’s better to keep around the old stuff like error logs and such, as long as there is plenty of unused space on my computer, which there always is), but I don’t know what the advice would be regarding the old/superseded Windows Update material.

      Last year, before I was aware of the GWX and telemetry controversies, I did install one or two of the “dangerous”, foundational GWX updates and then uninstalled them. I expect they are in the Windows Update memory that Disk Cleanup is pointing out to me now.

      I am not sure
      – if it would be better to delete those old files altogether (perhaps so that MS wouldn’t be able to somehow reach into the crypt, so to speak, and raise them from the dead on my computer — maybe that’s far-fetched, but it sounds remotely possible to my non-techie imagination, if they keep ratcheting up their leave-Win7 pressure!)
      – or if it would be prudent to keep all the old Windows Updates stuff in case of any future snafus (like if they stop offering direct downloads on the Microsoft site of old updates that have come and gone on my computer… note that I have never before been required to go find an old update and manually download it onto my machine, but I know that it’s been an option in the past, and that MS is tinkering around with narrowing or withdrawing various Win 7 facilities).

      Thank you!

    • #41716

      Unless you’re very tight on disk space, running a cleanup is kind of like cleaning a little spot on your local interstate.

      I’ve never heard of Windows Update reaching out from the grave…

      Microsoft, much to their credit, has continued to obey the registry settings that keep the Win10 upgrade at bay.

    • #41717

      It’s a fun username, tied to something I’d never seen. Cool stuff.

    • #41718

      CapnSalty got “his” restore button back 060316, so it got me to thinking that I might have done something similar. As in, didn’t check the box to light up the restore button. That was it, box checked, restore is back. I may have gotten the right-clicking method confused with the screen that lists important & optional, where we can right-click to hide an update. When I couldn’t do that in the hidden list I panicked.

      After figuring “that” out, I unhid a bunch to experiment with what ch100 suggested about keeping the hidden ones to a minimum.

      These are the five that I have left hidden on my Win8.1 x64 home machine: 2976978, 3035583, 3075249, 3080149, 3123862. They nearly correspond with Noel’s Win7 list.

      3022345 has disappeared from my machine, as has 3133977 (ASUS bitlocker) & 3139929. That still bugs me a little. I can appreciate it if the system is purging old updates that have since been revised/replaced, or maybe M$ has realized an ineffectiveness & actually got proactive about things or figured out that an update got pushed out to machines that didn’t need it.

      At any rate, things are better now. So thanks again to Noel for the rechecking idea & CapnSalty for the inspiration. And all the others who’ve given me some good ideas.

    • #41719

      The bear reference combined with the event had me laughing. Good one poohsticks, heh heh.

    • #41720

      is it safe to install KB3146706 ?

    • #41721

      Latest I heard is that it conflicts with software from fasoo.com – and if you don’t have fasoo.com, you’re fine.

    • #41722

      When did the malicious software removal tool start requiring you to accept a EULA? I refused it for April and May and guess it’s here to stay.

    • #41723

      The MSRT seems to trigger a new EULA from time to time. No idea why, but I’ve always accepted it.

    • #41724

      I HAD to uninstall KB2670838 because it was causing a bad image error and I could not figure out how to stop it. After uninstalling this update everything went back to normal. I don’t use Internet Explorer and had to disable it. IE 10 and 11 are horrible because of this update. I’ll never reinstall it again. My system functions just fine without it and I removed it and hid it over a year ago.
