MS-DEFCON 3: Get Windows patched, gingerly

Topic

New Reply

It’s time to get caught up on your patching. We have a few outstanding major problems with the latest round of Windows patches. The worst is an ongoin
[See the full post at: MS-DEFCON 3: Get Windows patched, gingerly]

Reply | Quote

Replies

Woody,
Your definition of sets (group A & B) for dividing update preferences based upon the level of MS snooping the user is willing to tolerate, is a useful first start given the fluid informational situation. A real interesting question with respect to MS telemetry objectives would be namely, how dynamic will the intersection of the group A and B sets be over time? As you have already noted, MS is playing loose with what is a security versus non-security update. I would suspect that if too many people opt for only doing the security updates, the payload for the group B users will contain most of the telemetry they wanted to avoid. I don’t see this as avoidable given the behavior that MS has displayed over the past year. This is in no way a criticism; the framework you set forth is as good as any to frame the decision making process. Thanks for the effort!

Reply | Quote

As an informational footnote, I installed KB3177225 on W8.1 X64 machine. Thereafter I manually downloaded and installed the hotfix patch, KB3187022, from the MS Update Catalog. [Please let me know if I edited this properly -WL]

Reply | Quote

That’s a helluva good question – does Microsoft consider a “security” patch a viable target for more telemetry?

I’m not sure we’ll ever know.

Reply | Quote

Is there an up-to-date list of updates to avoid for Windows 7? It would probably be good for those of us who are in group B to get to a safe baseline on non-security updates before Microsoft goes to update roll-ups.

Also, do you know what’s going on with patching Windows Enterprise? I can’t imagine that large companies will allow installation of patch roll-ups that are not fully documented. Is moving to Enterprise a way to stop the patch insanity?

Reply | Quote

The correct KB is KB3177725 which caused the double print problem. The hotfix KB3187022 supposedly fixes the issue and does not replace the former patch within the installed updates.

Reply | Quote

All I can say is that I have mixed feelings about the new update system… I’m more Group A, since I share your opinion about the MS snoop, I use both Chrome and an Android smartphone and that is already plenty snooping from Google there, so it’s really not bugging me… And needing to install less updates seems at some point really sweet, but on the other hand it means to sacrifice any ability to choose what is being installed… And there is where my Group B tendencies start…

Well… Aparently it’s not a flexible matter of choice… So I’ll try to not worry about it now, one day at a time… And it’s time for August Updates…

Right now, on my W7 Pro x64 system, I have 5 updates showing, 4 flagged as important and 1 as optional, they are KB3175443, KB3167679, KB3178034, KB3177723 and KB3179573. As far as the documentation for these updates tell they all seem quite straightfoward, except for the shadier “August Rollup”, which I’m not sure of it’s exact content. On your opinion Woody, are they all “safe” to patch?

Reply | Quote

Woody,
Your Group A recommendation for Win7 looks like a manual version of letting MS automatically update. Are you recommending this approach in case any updates turn out to be problematic? If this were to be the case, would we once again wait until the following month’s update to patch & do you anticipate this being patching one month’s worth at a time?

Reply | Quote

Just now, I successfully installed the August updates on two Win7 computers. The first attempt at using Windows Update took more than an hour to check for updates and still had not produced any results when I ended the process, so I followed Canadian Tech’s instructions and downloaded and installed KB3172605 first, after which WU concluded the check for updates in about five minutes.

Reply | Quote

It looks like you won’t have any choice about installing one month’s patches at a time.

Yep, the Group A approach is to live with the cumulative updates – I don’t see that there’s any other option – but wait until they’ve had time to stew for a few weeks.

Group B is very similar to what I’ve been recommending for months, although we no longer have to protect ourselves from the Get Windows 10 stuff.

In both cases, I don’t recommend using Automatic Update. Far better to wait – unless Microsoft turns off that ability, too.

Reply | Quote

If you’re OK with Group A, yes, go ahead and install all of them, including the August Rollup.

If you want to hold out for Group B, only install the clearly-identified security patches.

Reply | Quote

Surprisingly, it looks like Enterprise admins will be stuck with the same choices we have. They’ll use WSUS or SCCM or whatever – but they will be getting cumulative security updates, or cumulative security + everything else updates, all at a time. It’s going to make fixing Microsoft’s mistakes all that much harder.

As for updates to avoid… man, that’s a hard question to answer. There are many, many blocklists on the web. I guess the one I’d look to first is this one:

http://forums.mydigitallife.info/threads/64561-Remove-Telemetry-and-Windows-10-Related-Updates-from-Windows-7

Reply | Quote

Woody,

When you say : “There’s no way to move from Group A to Group B without completely re-installing Win7 or 8.1.”, do you mean :

– moving from Group A to Group B would break your install or be impossible, or :

– once you’ve gone Group A only once, there’s no way to kwnow what non-security, possibly telemetric “enhancements” you have accepted, and no way to get rid of them except by re-installing ?

Reply | Quote

The latter.

Group A and Group B are just my shorthand for the different paths that will be available. Any time you install a non-security cumulative patch, there’s no way to know what’s been stuck on your machine.

(Cynics would argue, rightfully, that you really don’t know with the security patches, either.)

Reply | Quote

So, is it not possible to block the snooping telemetry through a firewall?

Reply | Quote

For Win 7 opting for Group A; under updates other then automatic there are two choices one says to Check for up dates but let me choose to download and install. the other says download updates but let me choose to install. Which do you recommend? The other question now that the free 10 offer is over can I now check the box “Give me recommended up dates the same way I receive important updates.”

Reply | Quote

Yeah thats an awsome point i have wondered about that because the average security update never normally breaks the 1mb barrier just lately there have been a few hitting 3-4mb and a real dearth of smaller ones the other weekend on 10-8.1-7×64 more so on 10 strangely not too many on 7×86 its either a “rash” of viruses out there or M$ update “phobia” setting in, good article as ever.

Reply | Quote

sound advice about the windows drivers 1607 update (running on test vhd here) has developed a taste for downloding the intel thermal framework driver here, which according to M$ is now a 3 part driver (hmmmm just a one shot deal from HP) which, you guessed it, flagged the devices in device manger bright yellow. So off to the driver back up stick, reinstalled life was good. Not to be out done so easily another alert “ohh what now?” a security update update with the accompanying yep 3 part driver again! well this morning win7 x64 seemed to want to get in on the act trying to update a perfactly fine wireless driver and another intel driver (just the one) all suitbly ignored, did they get a brand new shipment of Dvrs at M$ or somthing? well they can be a good source of Dvrs for older machines but cheerfully ignore them after your running to your satsfaction.

Reply | Quote

This is all making my chest hurt. How about a “Group C” — checks emails first thing in the morning, then drinks ’till the sun goes down.

Reply | Quote

So Woody…..you are now recommending that IF we are in Group A that we should install the “optional” updates now too. Right? If so then I have 14 outstanding “optional” updates:
KB3087709
KB3102429
KB3118401
KB3121255
KB3133977
KB3137061
KB3138378
KB3138901
KB3139923
KB3140245
KB3147071
KB3161102
KB3172605
KB3179573
Are any of the above “optional” updates known to be avoided?
Thanks again and thank you to your loyal posters who keep all us ordinary Joes/Josies who would be lost without you all and your knowledge and all your advice!

Reply | Quote

Woody, hi —
Do you really mean (I’m in group A of Win7) to install all the optional choices too, starting now?

The instructions say:
important updates are available.” Make sure all of those patches are checked (they should be). Then on the left, click Optional, and make sure all of those patches are checked. Click OK, then Install updates.

Reply | Quote

In Nathan Mercer’s Aug. 15 Technet blog, he carefully avoided using the word “rollup” in connection with monthly Security-only updates. Unlike Rollups, Security-only updates will /not/ be cumulative, and you’ll be able to skip one or more months and then resume. Mercer specifically mentioned the ability to uninstall a Rollup, but when asked if Security-only updates can be uninstalled, he didn’t really quite answer the question. I hope that was an oversight, and that you will be able to uninstall Security-only updates.

So, there will be “cumulative security + everything else” updates (monthly Rollups) but there won’t be monthly “cumulative security” updates. It all seems clear to me and I’m a bit puzzled by the confusion, but then again I *am* getting on in years 🙂

It’s obvious that this new scheme can’t possibly accomplish the goal of eliminating patch fragmentation. There must be some other agenda.

Reply | Quote

Dear Woody,

I’m on windows 10 1511 fall version.

You stated KB3176493 may be glitchy, and how to fix it if it is.

What about the problems that came with KB3172729? Should we still install it?

Are all the August Microsoft Office patches safe to install?

These days there are so many large problems with the updates they can be devastating. And,the combination of devastation, and the timing is always an issue for me with major projects. I am sure I am not alone with this frustration, or sense of terrorism and fear I may not make deadlines and again end up in big trouble.

The threat of zombies may not be real in our actual world, but Microsoft has become the creator of, or is the infinite source of zombies for the MS user’s computer world.

Thank you for the update advice!

Reply | Quote

RE: “There’s no way to move from Group A to Group B without completely re-installing Win7 or 8.1.”, I’m not clear on this either. Prior to October, one could presumably opt for Group A, but then revert to Group B by uninstalling the optional updates. Maybe that won’t be possible starting in October, but only if “non-security” updates can’t be uninstalled once they’ve been installed.

Perhaps I’m missing something here; if so, please fill me in.

Reply | Quote

Is there any security patch from August that is critical? I mean, can I wait on them?

Does the IE security patch have any of questionable content added in?

Anyway, to be honest I am seriously considering of having Linux on dual-boot and disconnect the Windows from internet. I am nervous about that as I never had a dual-booting before.

Thank you, Woody 🙂

Reply | Quote

Hi Doc,

kb3175443 IE 11 – suggest you wait until September Patch is released – if no adverse comments – install. Have taken this approach for over a year with IE 11 security releases and never had a problem.

KB3167679 Password Change Failures – MS state that there are still known issues with this patch. I installed 18th August and have had no issues. The choice is yours.

KB3178034 Graphics – I always hide this type of patch and wait and see – not sure how important this is and so still watching.

KB3177723 Daylight Saving Time – Install, there’s no risk. I installed 18th August.

KB3179573 August Rollup – Optional. I didn’t install the May convenience Rollup KB3125574, nor June 3161608 (since withdrawn/submerged within July Rollup 3172605. These are all optional with little or no details of what they contain. As Woody has always suggested – don’t install optional patches.

WU takes just 10 minutes when I bother to run it. I prefer using the Monthly Security Bulletins to evaluate my Patch List and then download from MS Catalogue. It works for me.

Reply | Quote

I was more in group B. I have removed or not installed, and then hidden all the GWX related ‘updates’ and the known telemetry ‘updates’. Since GWX (the start of all this garbage) I have installed many of the optional or recommended ones that appeared innocuous. I did that on both my desktop and Lenovo laptop.

I was burned on my Lenovo laptop by the KB3172605 (and its predecessor KBxxxx608, since withdrawn), as they broke some Intel Bluetooth drivers. Both were rollups, so the exact cause is not determined, but uninstalling the rollup fixed the issue. I tried the new updated BT drivers from Intel, but they created severe blue screens at boot, necessitating a rollback, so those MS ‘updates’ must be avoided at all costs. The updates are installed on my non-bluetooth equipped desktop with no problems.

This moves me solidly to Group B. Since the cumulative MS ‘updates’ would refoist these assorted missing ‘updates’ on my machines, I have made my decisions. The desktop and laptop are both current with all the patches that are non-GWX, telemetry, or feature breakers. Both have Windows update now set from “Check and let me decide to download and install” to “Never Update”, but I have not disabled WU in Services.

I will check out the September releases and install accordingly, and then go back to “Never Update.” As I posted the other day, I remain concerned that MS will ‘update and improve’ the WU client to eliminate any choices. I suspect they may even try to justify it as a “Security Fix” to eliminate fragmented patching and open vulnerabilities. I figure if I can think of that justification, MS surely is planning it.

Update: Only 2 Win7-64 Pro machines left – gaming desktop and photo editing/GPS mapping laptop. All others are now running Ubuntu Linux LTS versions.

Reply | Quote

This was all foretold as long back as 1984. Skynet. Judgment Day. And if you say no to the big scary guy offering updates, you will hear “I’ll be back”. And you can count on that. I had already decided to install everything – Important, Recommended, Optional – from Windows Update. But I always, always, always take a system image backup before to give me a restore back option. And I will always wait at least a couple weeks after any new updates appear to see if problems with them are reported. So, in summary, Group A, wait at least a couple weeks after updates appear, and always make a system image backup before installing new updates.

Windows Update – can’t be bargained with, can’t be reasoned with. Doesn’t show pity, remorse, or fear. And it will not stop…EVER.

Reply | Quote

What about KB3139398 and KB3177725 – both of which I still have hidden? I’m leaning towards Group B for now.

Reply | Quote

Follow the instructions. If you have anything hidden, unhide it. You won’t be getting any “Get Windows 10” nagware, and the rest is debatable.

Reply | Quote

That’s certainly a reasonable approach.

Reply | Quote

A bunch of the “hide” patches have disappeared after GWX was over. The only ones I’m seeing now (and not consistently on all machines) are:
Win7
KB2952664 compatibility
KB3021917 telemetry
KB3068708 CEIP
KB3080149 telemetry

and

Win8/8.1
KB2976978 compatibility
KB3044374 enable upgrade
KB3068708 CEIP
KB3080149 telemetry
KB3140185 anytime upgrade

Reply | Quote

I haven’t seen anything critical, if you don’t use IE. But you should get patched because you never know.

Reply | Quote

I’m sure you’ll be able to uninstall the latest non-security rollup. I’d be surprised if you can go more than one level back.

‘Course, we don’t know.

Reply | Quote

You should install KB3172729. If there’s a potential conflict, it should refuse to install. See https://support.microsoft.com/en-us/kb/3172729 – and yell if you learn differently!

The August Office updates look good to go.

Reply | Quote

Yes, if you’re in Group A, go ahead and install everything. The Get Windows 10 threat is over. The only other crap floating around is additional telemetry. (The make-it-easier-to-upgrade-wo-Win10 patches should be going away, by and large, although they may have other benefits – thus I suggest you install them.)

Reply | Quote

Yes, that’s right. If you’re in Group A, install all of the optional updates. See my note above to Gideon.

Reply | Quote

+1

Reply | Quote

See the tab at the top of this page marked Automatic Updates, but the short answer is to set Check for Updates to “Never” or “Warn but let me decide.” It doesn’t matter what you have for the “Recommended” checkbox, because you’ll be manually approving every update.

Reply | Quote

I’ve seen a lot of people try – and don’t know of any real successes….

Reply | Quote

I know this may sound dumb but, how in the world do even find anything in that Microsoft Update Catalog mess. I mean sure, I found the malicious software removal tool, but that’s it, no cumulative ie update, and no security patches, & I was looking under Windows 7.

Reply | Quote

@Woody

Not completely ok, but already had the last rollup update and it was working aparently ok here I gave it a shot, let’s hope for the best.

@Old Dog

Thanks for the reply mate, a couple hours ago I just thrown all 5 updates inside my machine… I was insecure about both the rollup and the graphic component updates, but tomorrow I’ll be going on a trip, so I decided it was better to keep it up to date, since I don’t want to deal with it while I’m out. Also, the feeling that it all may be bundled up to me at a later point kinda pushed me to this decision… Again, hoping for the best…

Reply | Quote

Sorry nope. Both my 7 and 10 systems are not updating at all and there is a place of my body satella can kiss.

Reply | Quote

The people I helped get through the GWX push are the “average User” who just USES the computer. They will be put in Group A. What I have been doing to get their computers to some state of normalcy is:
Setting “Never check for updates.”
Unhiding the updates that were hidden during GWX.
Checking the “Give me recommended” box.
Fixing WU with a manual install.
Searching for updates.
I install everything that is CHECKED. (I figure if MS thinks the things that are unchecked or not “recommended” are important, they will roll them up or check them anyway).
Then I put WU on Automatic.

The way I figure it, the security patches are particularly necessary for that group of people, and that is the only way their computers will stay updated.

As for me, I’m not sure which group I’ll choose yet. I do know, if I choose Group A, I will continue to use “Let me choose” (for as long as it lasts) so I can see if the patch (singular) causes havoc before I install. Otherwise, it will be “Never check” or kill the WU service until the dust settles and a fix is available.

Reply | Quote

For the past year I have hidden patches; The Win 10 nagware and ALL optional updates. Does this mean that I should unhide and install all those fragmented updates? (sorry I am not tech savvy. I hope I make sense).

Reply | Quote

No, not cynics, realists.

Reply | Quote

Do you consider yourself “Group A” or “Group B”?

If you’re more inclined to “Group A,” yep, go ahead and unhide everything. You’re going to be getting it all in October anyway.

Reply | Quote

It’s a mess. Why do you bother? The Catalog’s only good if you know a specific KB number, IMHO.

Reply | Quote

Most of the updates that came with the GWX era have disappeared. The only ones I have seen lately (and not consistently on all machines) are:

Win7
KB2952664 compatibility
KB3021917 telemetry
KB3068708 CEIP
KB3080149 telemetry

and Win8.1
KB2976978 compatibility
KB3044374 enable upgrade
KB3068708 CEIP
KB3080149 telemetry
KB3140185 anytime upgrade

Reply | Quote

Luckily ‘Canadian Tech’s’ fix worked & I managed to get the august updates in through Windows Update.

As for Microsoft’s Update Catalog… I can so see that going the way of Windows Journal, unless Microsoft does a full revamp of the thing.

And if Microsoft decides to sneak more Win10 ‘crudware’ into updates, they are in for a nasty surprise… My GWX control panel is still fully armed.

Reply | Quote

What else that is in the optionals is drivers that break your machine, Skype, Silverlight. Do you REALLY mean to install ALL the optionals???

Reply | Quote

And all the language packs

Reply | Quote

After manually checking and installing my August Win 8.1 updates, I noticed that the list of installed updates did not include KB3172729, which I had specifically checked for install. Interestingly, KB3173424 (the non-security SSU) which I had NOT checked was installed. Apparently WU sensed that the prerequisite for the former was missing and automatically installed the latter. On my second attempt KB3172729 installed without issue.

All this windows update stuff is making my head hurt!

Reply | Quote

OK, I would believe with the right IP tables, and a good appliance firewall, one should be able to, but if you think it is not feasible…

Reply | Quote

from what I recall reading, at least on Win10 machines, some of the telemetry is sent via encrypted connections that bypass normal measures

Reply | Quote

@Woody: Would it be okay to install the updates I have pending now for August using the method I always use, and get everything set up to start with the September updates?

I’m not certain about going into the (Win 7) Updates to make the changes you have set forth. This will give me time to search for some of the hidden updates before I try to start anything as well.

Afraid I will make an error, and I need more time as the September updates will be out on the 13th. There are a few updates which have been hidden that had problems in the past too, so need to be careful, and it’s confusing. I would opt for Group A. Thank you for your help. 🙂

Reply | Quote

Thanks for the quick response Woody. I guess I lean “Group A”. I just finished unhiding/restoring all hidden updates. It took a little while, buy my computer did not explode. So that is good!

Reply | Quote

I am Group B2, uncheck everything and wait until security patches have been shown not to break s***. THEN install security fixes.
But not because of snooping, just because of Microsoft’s total lack of quality control. If we are getting omnibus updates, a legitimate security fix for a Windows vulnerability could break a totally unrelated component simply because the fixes will all be lugged in together, and you can get Microsoft only tests their fully-patched baseline for problems.

Reply | Quote

My advice is based on Woody’s statement that MS has not improved Win7 in any meaningful way in years. I see that as the end of 2014.

When I rebuild a system to SP1, when I get the list of proposed updates for Windows, I simply click each of the proposed updates that are NOT labeled Security to see the date on the right of the update. If the update has a date before 2015, I accept it. All non-security updates that are dated after the end of 2014 are hidden (not used).

I have been doing it this way for many months now. Not a single one has seen the dreaded Win10 mess and runs just fine.

For monthly updating, the following is what I suggest:

Set WU to NEVER and leave it that way.
One week after Patch Tuesday, start WU.
When you get the list of proposed updates, hide every single update that is not labeled security in the Windows section
Proceed to update

This technique has been in use by my 150 client computers for about a year now.

My plan would be in group b.
I am considering the possibility of never again using WU and disabling it forever.

I suspect the risk of spoiling a well running reliable Win7 system with MS fumbling, bumbling, and destructive updates may be greater than sacrificing all of their updates.

I am going to wait and see. For sure we will do nothing in October. All systems are already updated according to this process and the one described on my thread
http://answers.microsoft.com/en-us/windows/forum/windows_7-update/windows-7-update-solution/f39a65fa-9d10-42e7-9bc0-7f5096b36d0c And what I just described. We will be doing September the same way, guessing that the same KB is required to make it work.

CT

Reply | Quote

@Steven,

Nathan Mercer DID actually refer several times to the non-security patch-group, the one that is not cumulative, with the term “rollup” in that Q&A you are referring to:

Example:
“We are purposely releasing Security-only as a rollup but not cumulative like Monthly rollup is.”

—-
He also referred to the non-security group-patch (that will be distributed on the third Tuesday of the month), which he said will also not be cumulative, as a “rollup”:

“…we will also release a new rollup on the third Tuesday of the month, containing only new non-security fixes.”

—
Therefore, I don’t think there is any special meaning to draw from his use of the term “rollup”, since Mercer used it for all three of the monthly patch-groups during that Q&A: for the two non-cumulative patchgroups, and for the one cumulative patchgroup.

Reply | Quote

@Steven,

Regarding being able to uninstall a rollup, he said,

“Organizations can always uninstall offending updates”

“Q: If an installed Monthly Rollup causes problems due to the inclusion of a faulty patch, am I correct that I will be able to remove the entire Monthly Rollup by uninstalling it? A: this will function exactly the same as it does today.”

“Individual fixes contained inside a rollup patch cannot be separately uninstalled, but the rollup patch can be uninstalled.”

“you can still uninstall a rollup patch, its the entire rollup patch, not individual fixes included in the patch.”

So it seems, to me, that he is saying that the rollups will be able to be uninstalled. He did not say “only one type of rollup will be able to be uninstalled”.

—
What might have caught your eye was how he answered this question:

Q: “When the Monthly rollup is installed. Will there be the ability uninstall the Security-Only update for that given month?”

A: “Monthly rollup and Security-only update are 2 separate releases. If you install Monthly rollup you can uninstall Monthly rollup, but not the individual security patches contained inside the Monthly rollup.”

I don’t think that he was trying to intimate in that answer that if you install the security-only update, you will not be able to uninstall it later.

Rather, I think he was saying that if you install the Joint security and non-security rollup that you cannot later decide to uninstall only one half of it (either just the security half or the non-security half), but you have to install all of it.

Reply | Quote

Hi Woody – I’ve decided I’m in Group A.

One question….. one of the Important updates I have is “Office XP Service Pack 3” (52.3MB) under the heading “Office 2002/XP”.

This update has been in my list for over 12 months (2 years?), but just won’t install. I’m running Office 2007 on Win8.1 x64.

Do you have any suggestions on how I can either install this, or “make it go away”? Or do I just continue to ignore it?

Reply | Quote

One of the problems with their approach in introducing this new system (which doesn’t seem to be very thought-through on a number of levels)
is the inherent lack of clarity in the terminology they are using to describe this new malarkey.

Example:
Mercer’s term for what I am calling the Joint security and non-security patch rollup is:
“Monthly rollup”.

Well, that’s as clear as mud because they are going to have 3 *monthly* rollups: Joint security and non-security, Security-only, and Non-security only.

Monthly in the sense of “introduced once a month”.

Maybe in Mercer’s thinking, because the Windows Update way of installing updates is only going to be offered the one Joint rollup each month, that is called the Monthly rollup because it’s the main star of the show (and it is the only rollup that most average Microsoft customers will ever see or know about).

The other two rollups will be directed towards organizations, IT professionals, and people in-the-know like us Woodyites 🙂 ,
and will not be available through Windows Update,
but it will be available through some other Microsoft downloading voodoo that I haven’t become aquainted with yet.
[Yes, Woody has described it before, so just have a look around and you’ll be able to find more info about that manner of downloading Windows updates!
Woody will be describing it again, hopefully, in October, unless at that point he decides to sail off into the sunset with his merry Group A acolytes and says “Sayonara” to us Group B’s. 😉 ]

Reply | Quote

Woody thanks a million for all your invaluable advice over recent MS troubled waters. I have decided to again follow your lead and meekly accept Group A. All this MS tomfoolery has got to the point where I am about to dump MS and just rely on Google based tablets and smart phones that I already own and use.
I have used MS since DOS times and “the too big to fail” comment keeps ringing in my mind. Recall Kodak and Nokia!!!!
October may well be the camel that breaks the straws back.

Reply | Quote

Haven’t there been a small number of patches that are on a lot of the to-be-avoided patch lists that people have compiled since May 2015 that are defined as “security” patches?

If there have been warnings about a patch (that have been relatively-widely discussed and agreed upon on the various internet sources I have consulted about this issue of telemetry-and-Get-Win-10-patches-to-avoid),
I haven’t paid too much attention to whether that patch was called “security” or not when I decided not to accept it,
because I haven’t trusted MS to keep a purist attitude towards these arbitrary naming conventions/definitions when everything else they are doing has been loaded with spin and obfuscation.

This is one of the reasons I’m seriously thinking of not downloading any patches/rollups after September.

I suppose that would mean I’d be in
Group C, or perhaps it will be called Group B2:
people who have stopped accepting updates entirely,
due to well-founded fears about
1. telemetry/data-snooping/data-collection
2. operating system assault; being forced to move to Windows 10
3. mistakes and errors within the update rollups that could screw up the hardware or the software, and which might be so complex that fixing the machine is difficult or impossible for the ordinary customer.

Reply | Quote

Old Dog, in order to get your Windows 7 Windows Update to only take 10 minutes when you run it, have you had to install any “magic” patches since mid-July, such as Canadian Tech’s solution for speeding up checking on patches which Woody has recently endorsed?

Reply | Quote

@Woody, I am not sure, but I don’t think that you mentioned in your blogpost’s main instructions above that folks should unhide all patches now — but is that something that everyone should do now?
(Since according to Nathan Mercer, the Rollups system that starts in October will not offer people any new patches that require as a prerequisite any kb updates that those people had put into the “hidden” section of Windows Update prior to October.)

Reply | Quote

+1!

Reply | Quote

By my interpretation of what Nathan Mercer said ( https://www.askwoody.com/2016/the-fallacy-of-fragmented-patching-in-win7-and-8-1/comment-page-2/#comment-97339 ),

Woody’s Group A could choose to accept everything Microsoft wants them to accept (become “compliant”/drink the Kool-Aid) via 2 different paths:

Path 1: Install the monthly Joint security and non-security rollup, which Nathan Mercer confusingly calls the “monthly rollup”. This rollup has all updates, both security and non-security, and it’s also CUMULATIVE. So you can uninstall the last one that you installed, but you won’t be able to install several months in a row, such as October, November, December, and January, and then decide in February that you want to uninstall November’s rollup from that string: you are stuck with everything up to January.
However, maybe you can uninstall November, December, and January if you really need to get November’s patches off your machine — I expect they will have to allow people to do that?

Path 2: Do not install the Joint rollup, but instead install the other 2 monthly rollups, the Security rollup (available on the 2nd Tuesday) and the Non-security rollup (available on the 3rd Tuesday).
Apparently, neither one of those is cumulative.
So you have to do both of them every month continuously in order to replicate what the other people in Group A are getting when they do the Joint monthly rollup.
But the good thing about doing the 2 non-joint, standalone rollups is, you can skip a month of one or the other (for example, if there is a patch within a particular rollup that concerns you) and be allowed to keep going forward with installing new non-joint rollups in future months — at least, this is what Nathan Mercer implied in his Q&A.

If I were ever to be in Group A —
and I don’t think I would ever choose to be, but I am considering putting one of my relatives in Group A because there’s no way that they are going to be able to handle the complexity of going off-grid —
and if there were a choice in the matter between doing the cumulative joint security + non-security rollup versus doing the two non-cumulative security + non-security rollups each month in order to get the very same constellation of patches either way,
I would feel much more secure in taking the 2 “half” rollups every month and not letting Microsoft do anything that is “cumulative” to my machine. (Especially because eventually they are going to plug into your computer the past patches it was missing from the “kb” updating days.)

Reply | Quote

It’s not clear how they’ll handle prerequisites. That said, yeah, you might as well unhide all of your hidden patches.

Reply | Quote

You can try to install it, but if it doesn’t install, don’t worry about it.

I assume you aren’t using Office XP….

Reply | Quote

Sure, if you normally install security patches and pass over non-security.

Reply | Quote

Ooops. I need to backtrack a bit.

Reply | Quote

@PKCano,

I don’t know if my interpretation of the 2 different paths that Group A might be able to follow is correct, but it is here:

(at least I think that’s going to be it; the comment is still in the approval queue, but this is the comment number that has been temporarily assigned to it):

https://www.askwoody.com/2016/ms-defcon-3-get-windows-patched-gingerly/comment-page-1/#comment-97542

I have a relative I’m going to have to put in Group A, as there is no way I can hold their hand enough to be in Group B, but I’m going to try to keep that computer a bit less-enslaved by each month by pushing it down the non-cumulative fork of Group A rather than the cumulative fork.

…I do not know if my interpretations of Nathan Mercer’s utterings are correct or not, but I’m just trying to grope my way through this like all of us are. 🙂

Reply | Quote

@Woody and @Canadian Tech,

Canadian Tech wrote, “I am considering the possibility of never again using WU and disabling it forever.”

I am thinking of doing the same — would people doing this be in a Group C?

Or Group B+? B-?

Group T (for tinfoil)?

😉

Reply | Quote

@Woody – no I’m using Office 2007 Ultimate

Reply | Quote

Yes, I have read that as well.

Reply | Quote

KB3187022 completely replace KB3177725

Reply | Quote

Hi poohsticks,

No. I just so rarely install non-security patches, that I assume it was one (or several combining) that caused the problem in the first place, but thankfully they’re not installed on my m/c.

Reply | Quote

Hi Frahalean,

Woody is correct – you need the patch number. Try starting with the Monthly Security Bulletins. There really aren’t that many. Isolate those impacting on your m/c, then use the Catalogue to follow up the patch number.

Reply | Quote

@Woody, I have to disagree that we did not get new features in years. We got lots of Windows Update clients starting with June 2015 coming with new Group Policies, used by GWX Control Panel. Anyone remember that software? It’s been so long since then…
And we had the mother of all new ‘features’, transforming your PC into a phone, Windows 10 🙂

Seriously now, I think .NET Framework 4.6.1 was the last major new feature for Windows 7, and even that one can easily be ignored on the condition that .NET Framework 4.5.2 is already installed, this earlier version may even prove to be more reliable after all.

We are in extended support anyway and it is expected not to receive new features for Windows 7.

Reply | Quote

There are probably a few people like me who are in Group C – they don’t use Google and are very strict on privacy. The new updating system for Win7 is not for me, I fear. I’ll try using the security-only updates (with a delay) for a while and see how it goes.
In the meantime, Linux is being installed on one machine as a trial. For those like me who have been exclusively MS for a long time (since DOS 3.0!), the learning curve with Linux is steeper than you might expect. Give yourself plenty of time to set it up and get used to it.
As always, many thanks for your work that is so helpful.

Reply | Quote

@poohsticks,

I agree. At least the “half rollups” method gives me some sort of control. Time will tell.

However, when you currently uninstall a patch, it reappears on WU, and so you will need to then “hide” said offending patch.

Have a feeling that MS will remove the cumulative patches from MS Catalogue once they are consumed within the following months’ patch. May be prudent to keep a copy of (at least) the 1st two-three months’ cumulative patches to give yourself some options downstream.

Reply | Quote

Hi Karen,

The 1st patch in your list KB3087709 is not in the catalogue. If you meant KB3080079 – then it’s safe to install (RDS support).

The others are all harmless enough and may do you some good, although I would still not install but keep hidden:

KB3118401 – lets Win 10 Universal Time apps run on Win 7
KB3138378 – replaces Win 7 Journal app with Win 10 version
KB3161102 – ditto
KB3172605 – July Rollup
KB3179573 – August Rollup

Reply | Quote

🙂 Yep.

Reply | Quote

Then you probably have some utility that’s marked as Office XP based. Try to install it, and if it gives you any problems, fuhgeddaboutit.

Reply | Quote

Maybe Group W?

https://www.youtube.com/watch?v=b0a6iWHSWbA

Reply | Quote

@poohsticks, @PKCano:

Your relative is very fortunate to have your help.

I think I am going to lose (what little I have remaining) my mind. The more I read the more confused I become, and now I can’t even sleep at night. It is definitely adversely affecting my health. 🙁

Reply | Quote

I have that in mind which is why I searched for “Group C” on this page before innovating myself.

I’m not cynical but frankly between a Group A (all) and a Group C (nothing) not sure where the Russian roulette would be less favorable : that’s where Group B pops in, pertinent. But pertinent to what point? Still a roulette with better odds or zero risk?

One thing is sure, it’ll be between B and C.

Reply | Quote

I don’t know. I just don’t know any more. All this nonsense is killing me, and I’m only 33 …

If only MS would deliver an OS I’d actually want to use, everything would be all right. I’ll take Win10, without the telemetry and privacy violations, just give me choice about the updates, dammit.

Guess it’ll continue to be OS X–er, sorry, “macOS”–for the future, with an XP VM for the few Win32 applications that I need. It works, but for various reasons (Apple’s declining quality control, being primary amongst them, but also privacy issues of their own) I would like to cross back to Windows where, once upon a time, both quality control and privacy were at acceptable levels. I can’t while this malarkey continues. No, Linux isn’t really a choice with the current state of their accessibility tools.

Maybe I should just surrender. It would be so much easier that way. But I’d rather not …

Reply | Quote

I see a bit of a problem since a regular consumer would have only option, and that is Group A.

Microsoft’s annoucement was that security only hotfix is available for people who are behind a WSUS Server. Since us as simple consumers don’t have this option 99% of the time, there is no option for us to select Security Hotfix only since the KB in WU Client will contain both security and non-security fixes.

Reply | Quote

Woody
I’m all confused. I have Windows 7 on my laptop. I ran the updates today from August”s black Tuesday and all seems well.
I usually do what you recommend so I will probably go with Group A reluctantly.
Should I go back and unhide all the recommended and optional updates I have? There are 24 of them and run the updates or leave them hidden and unchecked?
What should I do with the setting”check for updates but let me choose whether to download and install them”? Should leave it like that or change it?
Final question I hope. When will this go into effect? With this months “Black Tues” on 9/13 or the following month in OCT?
Thanks a whole bunch
Sam

Reply | Quote

I would tend to view the distinction between Group A and B as a grey zone in the case of updating W7/W8.1 OS systems. Those folks that decide to do only the security related updates going forward are not very likely to be missing any OS feature or reliability improvements that would noticeably improve the user experience. They are most likely missing the expanded telemetry (phone home) channels that would make their OS a little more W10 like so that the Redmond data mining machine gets fed. The malarkey about patching fragmentation does not strike me as a major concern in that most MS patches that cause problems do so because of what I perceive as poor quality assurance testing. Some of the problems we have seen in the past year just leaves me wondering how the update ever got out the door. Be assured that the highway MS is designing only leads to W10 adoption or the abandonment of Windows as your primary PC OS.

Reply | Quote

I decided to talk this over with all our users. We only have one user on W10 and the remainder are W7 PCs of various vintage and application mix. We have a variety of connected peripherals.

The decision was unanimous for us –
disable Windows Update on all W7 systems at the end of September and install the monthly security-only updates from the MS Update Catalog. We will then monitor the situation over the next few months. We can always turn WU back on if the decision proves to be the wrong one. The other options (as we see it) does not afford us that.

The separate bundles and out of band non-security updates that come down via WU can be checked out on our test system. Hopefully the documentation will be useful (don’t laugh).

I wonder if MS will eventually merge some of those separate bundles that get delivered via WU. I can see the NET and IE bundles not remaining separate. Most of those updates are security only related.

Reply | Quote

Well it looks like Win7 is now defunct since I cannot control what I allow on my machine.
I have been dual boot with different linux distros for the past year, so far I can do everything save a few win only programs…ms access, vcds (for car), and some assorted outdated software. Internet access not necessary for those. I may consider the group B….however most likely group F (finished with ms updates)
I do appreciate all the hard work and info that you and everyone has contributed…I will stop by and see what is happening, possibly reconsider my position.time will tell.
Renée

Reply | Quote

Welcome to Group B!

Reply | Quote

Other than the obvious with regards to patching Win7/8.1, the footnote is also a very good tip for driver security.

Use the OEM/ manufacturers drivers, have previously ran into problems with Microsoft drivers and can be a potential pain to rectify.

Reply | Quote

The changes take effect in October, although we’re seeing preliminary signs of it right now (patch rollups).

If you’re going with Group A, yes, go ahead and unhide anything you’ve hidden.

Stick with “Check for updates but let me choose” or move to “Never check.” Looks like there won’t be any difference.

Reply | Quote

I’m essentially a *Group A* person. I have installed all critical and recommended (have a check mark) update over the last couple years that I have had Win7 installed.

I have not installed any optional (non-checked) updates, and no drivers of any kind.

I have 92 *optional* (unchecked) updates that have been showing up every month for a long time now. I have just ignored them.

If I’m reading your advice correctly, as a *Group A* person, I should now go and check all those *optional* (unchecked) boxes, and let Windows Update install all those updates.

You made this comment here: http://www.askwoody.com/2016/ms-defcon-3-get-windows-patched-gingerly/comment-page-1/#comment-97548

“Ooops. I need to backtrack a bit.”

But, I never have seen a *list* of optional updates that you have backtracked on! It’s so hard to know which updates are okay or not–the various lists are all slightly different–depending on the point of view of the list maker.

Does it even matter? Are all these current *optional* updates going to be in the future cumulative updates anyway?

As always–thanks Woody for your ongoing input and insight into all these issues.

Reply | Quote

I rolled it into the original post. I backtracked on installing Silverlight (you don’t need it) and Skype (which I haven’t seen in the update list recently). You also don’t want any driver updates, or any more language packs (which are only on Ultimate, I think).

I hope and pray Silverlight and the driver updates aren’t included in future cumulative updates.

Reply | Quote

No, the security-only update is available to anyone. It’s going to be harder to install, but MS has made assurances that’ll be an option.

Reply | Quote

Yes it is, but not via WU Client.

“Windows Update will publish only the Monthly Rollup – the Security-only update will not be published to Windows Update.”

As such, Group B users need to either be behind WSUS or download the security only patch from the WU Catalog. Which is an extra step compared to the rules proposed above for Group A and Group B.

Without this extra step both categories are equal since the selection in WU Client will only have the full roll-up of both security and non-security hotfixes, and this is why I consider that as a consumer, I don’t end up having much of a choice by being Group A or Group B, since relying only on the settings for WU Client will lead to identical results from my point of view.

Reply | Quote

Indeed. Ms has not been able to force w10 on everybody so they decided to do force it via cumulative updates u cannot block.

Reply | Quote

May be slightly off topic, but it is a security concern. I just recently received kb915597, and because of all of the update issues, I figured I should look it up. Turns out it’s been freezing PCs for the past year, so I decided against taking it. Will it be necessary for Group A? I’m ending up on the Group B side, but I’m just concerned if I take a security update, that will get thrown in and cause me a headache. Either that or I’ll have to take it first beforehand.

Not really sure what to do anymore now that things are different. Shame MS is moving over to this format.

Reply | Quote

Well, this sucks. Just tried to install the August security updates on my Win 7 SP1 x64
workhorse PC, and something went horribly wrong. The computer is stuck in a bootloop. Can’t even get it to boot in safe mode. Tried using install media to use system restore, but that keeps crashing too. Tried to use wusa from the command prompt to uninstall latest updates but that crashes with catastrophic errors. Looks like I’m going to have to restore latest full image backup with my Macrium rescue disk, after I copy all files newer than the backup to someplace safe. Going to be a long Labour Day this year…

Reply | Quote

@Woody

Re:https://www.askwoody.com/2016/ms-defcon-3-get-windows-patched-gingerly/comment-page-2/#comment-97565

“Maybe Group W?

https://support.microsoft.com/en-us/kb/3172729”

Huh?

Reply | Quote

“I hope and pray Silverlight and the driver updates aren’t included in future cumulative updates.”

What’s the problem? I thought you Group A types have already decided that MS knows best and that resistance is futile. Snicker, snicker.

Reply | Quote

@woody: Windows Vista will still be updated the old fashioned way and not follow the new cumulative update model for Win7 & Win8.1 in October 2016. Someone at MS had confirmed this here:
https://blogs.technet.microsoft.com/windowsitpro/2016/08/15/further-simplifying-servicing-model-for-windows-7-and-windows-8-1/

Quote from Nathan:
“we don’t currently have plans to extend the Rollup servicing model to Windows Vista or Windows Server 2008. We continue to consider changes to Vista/2008 but technically there are complications that will make any changes on those platforms more challenging.”

So the silver lining for Vista users is that they’ll continue to be offered individual patches until extended support ends in April 2017, at least that’s how I see it.

Reply | Quote

@Woody: Can you define in what manner the “security-only” update will be harder to install?

There is so much to consider in making the “final” decision about this issue – – – it is very important that a user selects the proper Group (A or B).

Thank you for all of the information you, and others in the group are providing. Tremendous amount of additional work.

Reply | Quote

I have MS Office 2010 and have gotten updates for it since it was installed on my Win 7 computer. Earlier this year I stopped the “recommended” updates and now get only the “Important” ones – which contain the Office updates too. I’m assuming the Office updates are okay to install.

Do you have any idea where the Office updates will go after September? I’m hoping they stay with the Important or Security updates where they’ve always been. Wishful thinking on my part.

Being 20 something in the 70's was far more fun than being 70 something in the insane 20's

Reply | Quote

Included in my important updates is KB2673774 – Bing Bar 7.1 published 8/29/2012. I have left it unchecked for years and plan to continue to do so. I seldom use Internet Explorer.

Reply | Quote

Microsoft’s approach to updates reminds me of the Borg in Star Trek, “Resistance is futile.” Nonetheless, I’ll probably stay in the B to C camp until the cumulative updates shake out a bit. I’m almost inclined to simply shut down WU for good.

Reply | Quote

What does concern me with this stupid idea of cumulative updates is that if there’s a troublesome update then you have to halt all updates permanently

To give an example, KB3121461 causes a sfc /scannow failure on my system. I’ve seen others report it as well but it only seems to affect a small number of systems (I suspect maybe some Asus motherboards but I’m guessing here). Most pc’s it seems to run okay on but not mine.

So in effect come October I’m faced with the prospect of either not patching ever again or patching and knowingly accepting that it may permanently break the O/S.

I don’t expect MS to give me any special consideration but neither do I expect them to ram a faulty security update down my throat.

I’m really not sure if it’s outright stupidly by MS, though it seems that maybe they just enjoy punishing their users.

Definitely group B for me and maybe not even that.

Reply | Quote

That’s a great candidate for passing over.

Reply | Quote

I haven’t a clue about Office updates.

Reply | Quote

We don’t know the details yet, but apparently “Group A” can continue to get updates through Windows Update, while “Group B” will have to manually download and install the month’s updates.

Of course, that’s a wildly optimistic view of things, considering how many different updates will be available. How it’ll actually work in practice is anybody’s guess.

Reply | Quote

I think you’re right, but that’s going to look mighty awkward – KBs for Vista, not for Win7.

On the other hand, Office will probably go that way for a while, at least.

Reply | Quote

GACK! Stabbed to the heart.

Reply | Quote

OOOPS. Bad link. Sorry.

https://www.youtube.com/watch?v=b0a6iWHSWbA

Reply | Quote

OUCH

Reply | Quote

I have no idea what’s going to happen if a Windows Defender patch goes south…

Reply | Quote

I’m on Win7 Home Edition with two separate desktop machines at home, and am likely to be allowing free rein to the monthly combined updates and separate e.g. IE and .Net Framework updates that are offered as important and checked, but waiting as now for a couple of weeks for advice here and elsewhere on how they’re going. I’ll continue to ignore Silverlight and driver updates etc.

I haven’t yet decided whether to go for the non-WU security-only version or the WU security/non-security version. I guess I’d like to see what’s in the non-security part first, given that those are the updates I’ve mostly chosen (on advice) not to install previously.

What I don’t understand is why I would want or need to “unhide” and install the many updates I have previously hidden as unwanted, and yet that seems to be what you’re recommending, Woody.

Thanks as always for the advice.

Reply | Quote

Sam

If you regularly use to hide updates and the number of hidden updates that you count for now is 24 (not including the Language Packs if running Ultimate), chances are that your Windows Update is already messed up.
I suggest you to reset the Windows Update and start clean. You will lose the Windows Update history, but that one is just a cache not essential for functionality and can be reset by a number of other causes outside of your control, like Windows Update clients updates.

It works like this:
1. Stop (do not disable or change their default state) Windows Update, Trusted Installer, BITS services
2. Delete (or rename if you prefer to keep a backup copy) the folder C:WindowsSoftwareDistribution
3. Restart the computer.

After doing all those actions, there will be no hidden updates or corruption in your Windows update and you can go online and perform the updates.
Never hide updates again, except for very short term – only few minutes or hours for testing only. If you prefer to skip certain updates, just ignore them, but do not hide, as they often get revised, replaced or expired and by having hidden versions at the time when they get modified, you actually impact the Windows Update management of the updates and corrupt your system.

Reply | Quote

You cannot have 92 Optional Updates, unless you count the Drivers, Skype, Silverlight, Office 2007 Help files and/or Language Packs.
There are only 6 true Optional Updates, maybe few more including superseded, but under 10 anyway. 3 of them relate to Remote Desktop 8/8.1 which in turn have their own security updates (yes, security updates to optional updates which is quite normal). There are few others which have rather obscure functionality for most people, but are not harmful and I would recommend installing them exactly for the same reasons which Microsoft says in their blog.
You don’t select what comes in the original version of Windows or in a Service Pack don’t you? And a lot is unneeded functionality or components.

Reply | Quote

Skype, Silverlight, Bing Bar are not Windows Updates, but Microsoft Updates.
An interesting one is .NET Framework 4.x.
In Windows 7 it is not a component, does not follow the regular Windows Servicing Stack procedures, the updates are more like the Office Updates behind the scenes, while in Windows 8 and after it is part of the OS.

Reply | Quote

It will be replaced with another one in the next 6 hours. It happened with MSE few times and was largely unnoticed.

Reply | Quote

Office 2013 and 2016 at least have all the non-security updates as cumulative updates and this was the case for many months. However, behind the scenes, Office updates do not use the Servicing Stack model as they are not technically Windows components. I think they use the Windows XP style of updating which was different.
The older versions of Office are like Vista, on the way out and I think Microsoft patches them only when they feel that it is absolutely required.

Reply | Quote

Got about 98% back… Am definitely hiding the updates that caused the problem… Considering turning off updates entirely!

Reply | Quote

” Group W is where they put you if you may not be moral enough to join the Army”
Alices Restaurant, Arlo guthrie, 1968?

Reply | Quote

The IE and NET patches seem to be going OK.

If you’re in “Group A” might as well unhide evertyhing and get ready for teh cumulative updates in October. If you’re in “Group B,” there’s no need to unhide anything.

Reply | Quote

I’ve hidden it and fuhgoddenaboutit 🙂

Reply | Quote

@MikeFromMarkham,

“Just tried to install the August security updates on my Win 7 SP1 x64
workhorse PC, and something went horribly wrong.”

Can you list the security updates that you tried to install that caused this catastrophe?

TIA

Reply | Quote

So, Woody, are you throwing in the towel then? You’re not recommending Win10 now, are you? I’m surprised you’re in Group A.

I’m in Group B, leaning towards Group U (Ubuntu). Windows Updates are turned off on my machines. I do use Google, but it’s not taking over my computers to the extent that Microsoft’s whims can and would.

I’m most disappointed that we will have to revisit this on our domain at work very soon I’m afraid. I think it’s time to start up a WSUS server.

I keep thinking of going back to 10 and accepting fate but I can’t do it. I can’t risk having freezing machines (which the 10 AU did to one of our Visual Studio dev laptops at work).

Reply | Quote

OK, I admittedly am not as tech knowledgeable as many here, but if I were to opt for Woody’s Group A, how do I know to exclude driver updates? If they are rolled into some big lump with the rest of the updates how does one recognize them, let alone exclude them?

The driver updates worry me because my main desktop box – while still a powerhouse – is now just under five years old and even driver updates from some of my device manufacturers have caused crashes on my Asus mobo. I have to be really careful with all driver updates. If MS rolls some into their “rollups” I’m afraid my box might not survive but would require a reinstall of the OS.

Any advice?

Thanks!

Jim McGowan

Reply | Quote

Against my choice, I am now in Group A, all updates installed except the optional ones.

I had to do the routine to speed updating and, per their instructions, had turned off all updates. I then installed only the security ones.

After all that was done, I changed my settings back to “download updates, but let me say what gets installed.” Next thing I know, all the updates, except the optional ones, were installed. I’m now in Group A without my permission given.

Reply | Quote

I did

Reply | Quote

Download the update, which in this case if I understand well is Office XP SP3 and install it. I believe it fails because Windows Update tries to use the Express package and you may be missing few other components which come only with the full package. This was relatively common for Office few years ago.

Reply | Quote

No need to invoke malice when incompetence suffices.

Ms made a stupid bet on cutting costs by having users debug development. It failed big time and they cant put the cat back in the sack.

I don’t think they know how to fix this.
.

Reply | Quote

I patched 3 laptops today, all x64, one Vista, two Win 7. Thanks to Woody’s recommendation of Canadian Tech’s method (thank you Canadian Tech!) the two Win 7 machines took less than 1/2 hour each from start to finish. Using Dalai’s magic, the Vista took less than an hour.

Count me strongly in Group B. Due to old programs, the Vista box will become an air-gapped workstation next April. Maybe the Win 7’s will too at some point…

Thanks again Woody for all your efforts!

Reply | Quote

Skype is unfortunately in the list. But that branch is not maintained, so if anyone is tempted to install everything from Microsoft Update, there are 2 areas which are certainly to avoid:
– Language Packs (1-2 extra are acceptable, but in any case not all!!!)
– Skype

Reply | Quote

Sorry for missing Bing Bar, I think it has not been offered since Windows XP. This makes the previous list with 3 areas.

Reply | Quote

Is KB3172729, the security update for Secure Boot safe to install?

Reply | Quote

I have seen very few reports of problems after installing it. I say go ahead.

Reply | Quote

When you tell Windows to “Download updates but let me choose whether to install them” – that means the updates will be installed the next time you boot the machine (although there are some weird workarounds). The setting doesn’t mean what you think it means.

You’re far, far better off choosing “Check for updates but let me choose whether to download and install them” or “Never check for updates (not recommended).”

Reply | Quote

That’s probably the #1 concern among Group A folks. The short answer is: We don’t know.

I’m counting on benign neglect: Microsoft will stop pushing driver updates – or, if MS continues driver updates, they’re identified and distributed differently.

Reply | Quote

I’m not throwing in the towel. 🙂

Well, OK, I’m throwing in the towel, but I want to keep helping those in Group B. There are very good reasons for staying with Win7 and avoiding as much of the snooping onslaught as possible.

Personally, I moved to Win10 long ago for my production machines. It’s hard keeping on top of the Win10 shenanigans. I need to be buried in it every day.

Reply | Quote

Spybot Anti-beacon appears to block at least some of the telemetry.

Reply | Quote

Your advice for everyone with Win7/win8.1 includes installing all the security updates. I am running 64-bit Win7 Pro, and one the security updates was KB3177725 (the update with the printing bug) which I assume will show up for everyone on Win7/win8.1.

So let me suggest adding that people should also install the appropriate version of KB3187022 (the fix) from the Microsoft Update Catalog and that they can use the RSS feed trick and go to http://catalog.update.microsoft.com/v7/site/Rss.aspx?q=KB3187022.

Reply | Quote

@Louis,

As far as I can recall, I installed these 3 together: 3177393, 3178446, and 3178465.

When the reboot to finish the updates started, the Starting Windows screen appeared and then froze for a second, and then rebooted, etc.

Don’t know which patch(es) actually caused the problem, but next time I go near them, I will be making a full image backup before installing them one at a time!

Reply | Quote

As Woody often recommended, as far as drivers are concerned: get them exclusively from the manufacturer website. Never, never allow windows update to do driver updates!!

I have a few horror stories of my own as regards driver updtates from M$; like that year where an update borked 3 times in a row about 250 classroom and lecture hall machines. We are only two support techs for 500 classrooms, imagine those mornings where you suddenly get 200 support calls in about 10 minutes…

Reply | Quote

They’ve made it clear in the various responses that have been linked here that the combined update only relates to Windows issues and that external updates like drivers and Office etc will be kept separate. Check out Nathan Mercer’s Q and A responses below the article here:-

https://blogs.technet.microsoft.com/windowsitpro/2016/08/15/further-simplifying-servicing-model-for-windows-7-and-windows-8-1/

Reply | Quote

I know this is a fluid and uncertain situation but the one thing that would absolutely drive me into Group B or lower is MS including third party drivers in the monthly cumulative non-security rollup. To me, that practice would be a bridge too far and would make the Group A path just a bit too dicey.

Reply | Quote

From your ET hillbilly, computer challenged friend: If I go “A”, I am in effect turning over my computer completely to MS? If I go “B”, I will lose my computer long before 2020?

Reply | Quote

Will we ever be able to get security only updates through WU after September or will we HAVE to use the windows update catalog to get them? Sorry if I’m asking a repeated question but I feel like I’m swimming in dark water here. (Especially since I had never even heard of the update catalog before talk of the update changes began.)

Reply | Quote

According to what we’ve seen, if you want to stay in Group B, you’ll have to:

> Turn off automatic updates, thus foresaking the WU service
> Manually download and install blobs of security patches, from the Update Catalog

Reply | Quote

“Group A” doesn’t completely turn your computer over to MS. But it does mean you’ll only have one choice when you decide to apply a month’s updates — Microsoft’s way.

If you can accept Microsoft’s snooping, that isn’t a bad way to go, providing you wait until it’s clear that the cumulative updates don’t harbor anything life-threatening.

If you go with Group B, you’ll be in very good company – I anticipate many enterprises will stick to Group B. I don’t see it going away before support of Win7 ends. And by that time, we’ll be in a completely different post-Windows era.

Reply | Quote

Agreed.

Reply | Quote

Thanks Woody, my biggest problem with all this (other than the update catalog not opening with Chrome) is that it almost seems like M$ doesnt really care if peoples systems are secure or not if we’re not okay with just giving up and doing things their way.

Reply | Quote

Microsoft has much less incentive to get people to update, now that the Get Windows 10 campaign is over.

Other than that, MS does care about mass attacks. We’ll keep getting security patches.

Reply | Quote

*sighs* I know your right, I’m just really frustrated. One last question then I’ll be out of your hair. If we’re willing to trust M$ and take everything they offer we can still get security patches through WU, am I understanding that correctly?

Reply | Quote

I have heard that MS has told Intel and AMD that they will not support the 7th generation Kaby Lake and AMD Zen processors for anything other than W10. As a result, Intel will not be providing updated chip drivers for W7/W8.1 OSs to appease MS. Inevitably, MS intends to kill of anything other than W10 if they can get away with it. My understanding is that Linux will support the new processors from Intel and AMD. If anyone knows more about this development, it would be interesting to get more details.

Reply | Quote

Just remember that it’s the same hollow threat MS made with Skylake processors. Took them just a few months to back down.

Reply | Quote

You have two choices for Win7 and 8.1 after October:

Group A = get all of the patches (security and non-security) delivered in one cumulative update blob, through Windows Update

Group B = get security-only patches in one blob, but you have to download and install them manually.

There are millions of details to be ironed out, but that’s the general framework.

Reply | Quote

Thanks Woody, I know your a very busy man. As sad as it makes me, it looks like I’ll be sticking to group A. Looks like I have some patches to install. Thank you very much for simplifying things for someone who is very quickly becoming afraid of technology.

Reply | Quote

Having very belatedly set my computer to “Never check for updates (not recommended)”, I can report that its performance has improved markedly. No more wasted CPU cycles, and MSE now updates its virus definitions regularly (as it failed to do when WU was constantly checking for updates).

This setting has been recommended by various parties on AskWoody, and I should have chosen it much sooner. Better late than never, though, and doing it now may preclude a big October Surprise.

Reply | Quote

@MikeFromMarkham, @Woody

“As far as I can recall, I installed these 3 together: 3177393, 3178446, and 3178465”

I also have a W7 SP1 x64 machine and I have NONE of those security patches you mentioned offered to my machine.

Reply | Quote

I certainly hope it will go the same way. I can see their perspective when it comes to W7 but in the case of W8.1, we are talking about essentially the same OS kernel as W10. I don’t know about others but I am having a hard time keeping up with all this stuff. It’s not my day job!

Reply | Quote

No need to fear it. But you need to understand it.

Reply | Quote

Why far better when Ms proves to be more dangerous than malware?

Reply | Quote

Other than security what exactly have updates added that’s worthwhile? And now security is a way to spy and force upgrades.

The more u accept as inevitable the more Ms will screw u.

Reply | Quote

Good one. I’m there too.

Reply | Quote

Do what I do stop Wu and focus on ur job.

Reply | Quote

One must not understand it one must ignore it.

Reply | Quote

There are some minor improvements to Win7 with non-security updates – the Azerbaijani manat, for example. 🙂

Reply | Quote

@Woody,

Hi,

Do you mean turn off WU or change the setting to “Check for Updates, but let me choose etc”.

You will need to know the Patch no before you can download from MS Catalogue. – or have I missed something?

Reply | Quote

At this point, “Check for updates, but let me choose” and “Never check for updates” are functionally the same thing. Turning off the Windows Update service is an option, but I don’t think most people need to do that.

Yep, you’ll need to know the patch number before you can download from the Windows Catalog. But “Group B” folks will only have to deal with one (or a small handful) of updates – they’ll be bundled together.

At least, that’s what we’ve been told. No telling how it’ll work in real life.

Reply | Quote

Hear! Hear! That is exactly correct. MS is more of a threat than malware. Invest in malware/AV and do not allow anything but Security updates, if that?

CT

Reply | Quote

@Woody: It is very confusing for me with reference to “Group B”. I do not know what RSS is, however I think I saw a reference to that that related to going to, and using the MS Catalog to install the updates. I could be mistaken since it’s been a while and there is so much information to read it makes it more difficult for the “non-techie” members.

It appears there could be serious problems with Group A, if there is a bad update installed and no way to ascertain what it is, nor help removing it?

Then with Group B, getting only the security updates, however this Group must go to the MS Catalog to obtain the updates and try to check them out for safety as well (?).

This is a nightmare I never could have imagined when I invested in various OS’s over the years. A “headache” that won’t disappear until we can decide which of the two options will be the safest. I’m not concerned with the “snooping” issue, it is only the safely of the computer (Win7 Home Premium). Like many, it’s the only one I have.

Thank you for all of the advice you consistently provide to us all. 🙂

Reply | Quote

@Louis, @Woody

Sorry, 3178446 should be 3178466

Reply | Quote

If safety is your only concern, and you’re going to stick with Windows 7 or 8.1, just follow the instructions for Group A. You don’t need to worry about anything else at this point.

Once we figure out how this works, the instructions will be easy. You’re thinking too much!

Reply | Quote

@Woody: No doubt you are correct about the “thinking too much”. I appreciate your common sense approach and good advice! 🙂

Reply | Quote

No, definitely home users should not install an update which is not on Windows Update. That one is only for sysadmins and only if they are affected by the print bug which is extremely unlikely.
For almost everyone else, wait for the update to be published as it is a good reason why it is not on Windows Update.

Reply | Quote

Good point, though I wouldn’t ascribe it to deliberate malice, rather total indifference to their customers.

Can’t blame them really, they know the vast majority of users will carry on blindly using Windows no matter how bad things get, so they can do what they like and know they can get away with it.

Sadly any sense of corporate decency died a long time ago.

I doubt much will change unless Linux starts to get decent developer support and goes mainstream, but that seems pretty unlikely.

Reply | Quote

This is the beginning of a long slide downwards to IBM/HP/Dell kind of status.

The C suite will get paid handsomely by the board for rising stock prices in the near term. C suite focus at MS is on the next 3 months or so. They are blind to what will/may happen more than a year down the road.

MS lost touch with “customer” years ago. They have no idea or interest in what customers think or want.

I can’t even count the number of computers that “Microsoft Senior Technicians” have ruined. Stories abound about people who called for support, paid for it, and ended up with a bricked PC.

I do not expect MS to ever behave differently, probably worse. It would take an unusual cataclysm for them to reverse course. Windows 7 IS the last good Windows. It is the gold standard.

Corporate IT should focus on Win7 and building an infrastructure that they can support using it. They will never get the kind of support they got in the past and are now on their own.

The only thing that could even get MS attention would be a wide-spread corporate IT rejection of Win10.

There are golden opportunities out there for someone to take advantage of the situation. Either with a Linux-based system that is man-on-the-street focused and/or people who will offer services to keep Windows 7 running cleanly and safely.

I can only imagine what Steve Jobs must be thinking now.

CT

Reply | Quote

@Woody: If I read everything correctly, it states that those opting for Group A, CANNOT switch to Group B.

I am being forced to continue to read as much as possible, and “re-think” which option to finally decide upon. Being unable to switch from A to B is very restrictive, and poses the question as to the “REASON”?

I will continue to read each and every comment relevant to this dilemma MS is forcing upon its users.

Reply | Quote

Woody,

I guess I’m in Group B (or maybe eventually, Group C — stop patching all together!).

First, are there still September Updates that will be offered coming before the big change in October? Or are the security updates we would have just installed with the current all clear by you be the last updates before the big change?

I *think* you’re saying that there’s no difference between selecting “Never check for updates” and “Check for updates but let me choose what to download/install” (or however those are worded) at this point. But wouldn’t choosing “Never check for updates” alleviate the high CPU, constant checking issue?

Up until now, to avoid that issue, I have been successfully manually installing the monthly kernel update, which someone usually posts the link to here. Should one more of those be posted this month too?

Thanks!

Reply | Quote

Yep, there will be updates in September. Remains to be seen how many will be rolled together. The big change isn’t supposed to happen until October.

You’re right, “Never check for updates” will alleviate the high overhead for folks who haven’t used the trick(s) to install the latest speedup patch(es).

Presumably there will be a new speedup patch coming next week. We’ll see.

Reply | Quote

You’re working too hard!

When you go down the Group A path, you’re installing everything Microsoft puts out there – including, presumably, additional snooping capabilities.

You can switch from Group A to Group B anytime you like – but the old stuff will still be there. It’s highly unlikely you’ll be able to remove earlier Group A updates, for more than a month or maybe two at a time. Nothing definitive, but I’d bet against it.

Reply | Quote

Was the bug only for Win10, or also for Win7 and 8.1?

I installed KB3177725 on two Win7 computers a couple of days ago. Out of curiosity I immediately checked whether they printed normally, and they do.

Reply | Quote

The bug only occurs in specific circumstances, usually when you use a third party tool to print – like a barcode printer.

The bug: http://www.infoworld.com/article/3112567/microsoft-windows/kb-3187022-fixes-ms16-098kb-3177725-but-not-for-windows-10.html

Current status on patches: http://www.infoworld.com/article/3114705/microsoft-windows/progress-report-where-we-stand-on-fixes-for-the-big-bugs-in-windows.html

Reply | Quote

Ok, I’m getting really confused as to what to unhide and install. I’m in Group A. Are we to Install All of the past Hidden “Recommended Updates” and “Optional” updates,some which don’t apply to my system and some which broke things? Do they need to be installed separately by date released? Such as rollups which started in June. There are posts that say to unhide them but I didn’t see where there was recommendation to Install them all. I’m assuming unhide them means to install them. I have heartburn knowing some of these updates broke things yet it is suggested we now install them, except for Skype, Silverlight, Language Paks, Drivers, etc. When I restored the hidden updates, KB2952664 came back! Isn’t that related to Win10? Can you please help me understand? I’m sorry if this was addressed earlier but there are now 187+ posts.

Reply | Quote

If you feel comfortable in Group A, yes, unhide everything, then let Windows Update take over. It’ll figure out the correct order.

I’m not aware of any outstanding patches with bad bugs. If you know of one, give a holler! Most of the patches that people hid have to do with telemetry, and if you’re going with Group A, you’re going to get plenty of that starting in October.

Reply | Quote

Thanks Woody. What about old KB2952664? Some of the non-security updates hidden for past year as recommended also had to do with time zone changes, journal removal, fix for Oracle sys drivers, etc. Is it okay to keep hidden the “Optional” updates from MS and just install the Recommended non-security updates?

Reply | Quote

OK, thanks.

Reply | Quote

@Canadian Tech We come from a different perspective and while sometimes our opinions diverge slightly, now due to overwhelming evidence, I don’t have any objections when you say that Windows 7 is the Gold Standard for a Microsoft OS. Unfortunately I don’t think that Linux on the Desktop is the answer for corporations.
It would take a miracle for Windows 10 to recover, but in that case would not be Windows 10 any longer, except for the name perhaps. As it stands currently, Windows 10 is another try in the line of Windows 8/8.1, probably slightly evolved when compared to Windows 8.1, but not so much. It is a flawed concept from the start to combine a Desktop OS with a Phone OS and although there are workarounds (Server 2016 as a Workstation, Windows 10 LTSB, uninstalling everything Windows Store related on Windows 10), it just does not look or feel right or is too expensive.
I believe that the future belongs to terminals connecting still to Windows Server as it has already become too complex for end-users to administer their own devices.
See a possible evolution here:
https://www.citrix.com/blogs/2016/05/04/citrix-customers-put-google-chromebooks-to-work/

Reply | Quote

That despite the monumental efforts by woody to make sense of Wu people are still confused is the best evidence that the mess is beyond comprehension. What is clear is that there is no justification for the effort to figure out what to do. It is a time consuming frustrating effort without visible benefits.

Rational users with average tech knowledge would be much better off discontinuing updates for good. That is the only thing that would force Ms to put an end to this although I am not sure that it can at this point.

Reply | Quote

You have a better way to reset your Windows Update than unhide old entries, as some may have already been retired by Microsoft and are left as orphan records.
Reset your SoftwareDistribution folder as I posted here previously few times or research the internet for details.

Reply | Quote

It is entirely clear that Drivers and additional products (MSE, Office, Silverlight, Skype, server product updates) have nothing to do with Windows Update rollup packs. Even .NET Framework 4.5.2/4.6.1 and which are additional products (only for Windows 7) will be updated separately.
If you don’t have the extension to Windows Update named Microsoft Update, you wouldn’t even know about all the other product updates, except for .NET Framework.

Reply | Quote

The main criteria for those updates that “broke” things is if they broke things on YOUR system. They break things on about 100 computers worldwide out of millions or tens of millions if not hundreds of millions, like the printing bug. If you are one of the unlucky 100, then by all means, stop updating until you fix the underlying issues.

Reply | Quote

Woody, could you please explain why you feel we should now unhide and allow the installation of many, many previously hidden updates purely because the system is changing in a month’s time? Why can’t we simply install the September updates as usual when advised it is safe to do so and then see what we’re offered under the new system in October?

If a post-October rollup update includes previously hidden stuff, so be it, but why do we need to be proactive in putting previously hidden updates back in the mix? I think that’s what’s puzzling some of us.

I think you’re wrong to assume that most of the patches that people hid have to do with telemetry. It has been pretty standard advice here and elsewhere that if patches were optional and unchecked they shouldn’t be installed without good reason. I have 43 hidden updates myself, 9 of them security ones hidden for good reason over the last couple of years.

Reply | Quote

If you hid a patch for good reason, there’s no harm in keeping it hidden.

But folks who intend to go with Group A in October might as well start taking advantage of any improvements in the patches. They’ll get the telemetry sooner or later anyway.

Of course, if you feel more comfortable waiting until October, by all means do so.

Reply | Quote

+1

Reply | Quote

Good point – but there’s no chance that MS will change the new cumulative update method.

Reply | Quote

If you’re in Group A, you’re going to get hit with all of those old updates sooner or later – you can hide them, but they’ll be overridden by the cumulative updates in October, going forward.

So, yes, if you’re in Group A, go ahead and unhide everything, including KB2952664. Let Windows Update sort through what’s been superseded, and update as usual.

If you’re skittish about doing that, there’s no harming in continuing the security-only patching. But you’re going to get hit with the old ones sooner or later.

Reply | Quote

@ch100 I don’t know of any Linux that comes close to a Win7 replacement. However, I believe if someone wanted to bad enough, they could come up with a Linux-based equivalent that could be a reasonable replacement. It just needs enough money, time, talent and good marketing. That leader would replace Gates.

I agree completely that Win10 is really Win 8.2.

I say again, Win10 will fail miserably just like its parent Win8 did.

The real question is can MS recover and what will they do to accomplish that.

Terminals may be in the future, but that is certainly not what I would favour. The reason the PC was born was because hardware became powerful and cheap. That is even more the case today.

CT

Reply | Quote

@fp I agree completely. In the real world the vast majority of people who stopped WU, will simply leave it that way. The ones that had let it run, will leave it that way.

WU is way to confusing and too much mental work for the average one to comprehend or even try to.

My advice to those people will be to set WU to Never and leave it that way.

Never means Never let Microsoft change your computer. It means you are in control. You can choose what to do and when to do it.

There are a few, like me who will interpret and make a path simple for their clients.

CT

Reply | Quote

Woody: I’ve seen references to unhiding updates, however, will they just be added to the “update lists”? The only time I’ve uninstalled a hidden update was to install it, and I wouldn’t want to be “forced” to install all of these at once without trying to check them out. Of course I could check them out in the hidden list however that would take “forever”.

(Yes, too much reading again, however I want to perform this task correctly). Apology for the bother.

Reply | Quote

@Canadian Tech: “I am considering the possibility of never again using WU and disabling it forever.”

Of all the alternatives and groups mentioned within the nearly 200 posts (and counting) here, @Canadian Tech’s is the only one that doesn’t roil my stomach. I think the group that best describes the one I’m joining is @poohsticks’ “Group T (for tinfoil)” .

I won’t be installing the August updates, nor September’s and for damn sure not October’s. And here’s where the tinfoil hat comes in — I seem to recall that there was at least one instance of MicroSnot coming into PCs — even though they were set to Never Check — and modifying (updating, upgrading, or whatever term they used) the Windows Update Service. I’m concerned that some stealthy stormy night, they will modify WU to take away the Never Check option, thus forcing all Windows PCs to swallow their ad-fueled force-feed strategy. This afternoon, with tinfoil hat firmly in place, I set the Windows Update Service in my main PC to Manual. By the next Black Tuesday, I will probably set the Windows Update Service in all the PCs I maintain to Disable. Perhaps that will stop or slow the process down.

Reply | Quote

1. Actually, there have been a few apparently non-snooping, non-upgrade updates since November 2015.

On my Win7 Pro x64 desktop, here are the non-snooping, non-upgrade (I think!) updates I’ve hidden since November 2015. I didn’t need them, but I don’t remember if there also were problems with any of them. All are Recommended. (I installed others I thought were safe and applied to my computer, like daylight saving updates.)

KB3107998 Remove Lenovo USB Blocker version 1.0.0.37 to avoid a system crash
KB3118401 Update for Universal C Runtime in Windows
KB3121255 “0x00000024” Stop error in FsRtlNotifyFilterReportChange; copy file may fail
KB3133977 BitLocker can’t encrypt the drive and the service crashes
KB3137061 Azure virtual machines don’t recover from network outage (data corruption)
KB3138378 Improves the reliability of Journal.dll by removing unused code
KB3138901 Users can’t access Internet when multiple users log on to Remote Desktop Services
KB3140245 Support for Transport Layer Security (TLS 1.1 and TLS 1.2)
KB3147071 Connection to Oracle database fails when you use Microsoft ODBC or OLE DB Driver

2. Woody, I can’t begin to express the gratitude I have felt to you over and over during this past year. I’ve faithfully followed your advice for many years, first on my 2002 WinXP Dell, and then on my beloved 3-year-old custom Win7 Pro i7 desktop, carefully configured to last till 2020. I thought the emotional roller coaster would be over after July 29, but no, you are still my computing lifeline! So here I am, a Group B senior citizen, hoping I can keep my Win7 computer safe on the net till 2020, anxiously studying Linux and Google alternatives just in case, and continuing to be deeply grateful to you for your sound advice and for providing a forum for truly informed discussion.

Reply | Quote

Sure but only bcoz there is no revolution, which is what it requires. Why should Ms stop the mess if everybody accepts it one way or another?

I am still waiting to hear what benefits justify the updates and the hassle associated w. It.

Reply | Quote

You’ll be fine with security-only updates: Group B will live and prosper.

It’ll take a while to get used to the new routine, but it shouldn’t be too tough.

Reply | Quote

If you unhide updates, then run “check for updates,” Windows Update will take a look at the updates you’ve unhidden and show those that are still germaine.

Reply | Quote

At the same time, though, if you don’t install security patches, you’re definitely at more of a risk. How much more is certainly open to debate, and depends on all sorts of things.

Reply | Quote

“When you tell Windows to “Download updates but let me choose whether to install them” – that means the updates will be installed the next time you boot the machine (although there are some weird workarounds). The setting doesn’t mean what you think it means.”

WOW! I had no idea that setting worked that way. You’re right the setting doesn’t mean what I thought it meant. I just thought I simply allowed them to download and it was up to me whether or not to choose ultimately to install them. That setting is misleading.

Reply | Quote

Thanks for the encouragement, Woody! I can deal with the catalog via Rss with Firefox. That should be much easier than this last year’s mess. I’ll just relax, forget Linux, and wait for your DefCon OK on the security updates. 🙂

Reply | Quote

Simple is not always optimal. 🙂

Reply | Quote

What most people here don’t understand, because it is not clearly explained by Microsoft and they have limited technical understanding of the underlying design, is that each update comes with certain versions of the Windows components, the .dll files, but .exe sometimes too. Regardless of the purpose of an update, it comes with its own versions, which are generally higher (later) than the previous ones. When Microsoft releases new updates, they test them against the so called baseline, which is their baseline, ideally the same with what is installed on end-user’s PC when fully updated. By not being fully updated and with versions consistent with Microsoft, this invites all sort of uncontrolled behaviour.
When there is a suggestion that Security Updates only will be released only on Microsoft Catalog, there is an implicit understanding that those releases are addressed to Systems Administrators and Software Developers (programmers) only, who are able to either fix unexpected issues or call Microsoft Support as part of Enterprise Agreements.
The same level of support and technical ability is not available to end-users except for those very few who are highly skilled. This means that most end users, especially those who are following recommendations without being interested in the technicalities behind those recommendations, would be better off by following the Group A guidelines.

Reply | Quote

God, I really am po’d at Microsoft for this. Will have to break down and try to learn Linux.
Hey readers… any recommendations for a good version of Linux for beginners?

Woody question: If we go to Group A, I guess that means we’ll be vulnerable for all the advertisements Microsoft will probably showering upon us as time goes by?

Reply | Quote

Woody more at risk is an illusion based on pre-w10 notions. That world is gone. Ms now causes more damage than any security risk.

Reply | Quote

@ Woody,

Well said – and this is what I suspect so many Group A subscribers have been waiting to hear from you.

Now all you have to do is explain to them how to identify and install the Monthly (non-cumulative) Security Update (1 month in arrears – high DEF Con rating) and I suspect most will convert to B Group membership.

(me – I’m “wait & see, then possibly B, c or “no updates”).

Like so many here have already said, thanks for all you have done to date.

Reply | Quote

I understand ur job. But I have to ask myself how productive is it for so many like u to put up an effort to defend from incompetence of Ms.

Reply | Quote

Yep, and as soon as I have details and the dust has cleared – late October, maybe November – I’ll publish full details.

Reply | Quote

I’ve always found the middle way – to wait for the patches to stabilize – the best method. There have always been risks from MS (hence “MS-DEFCON”) and always been risks from the outside. The question is how best to mitigate both.

Ain’t easy.

Reply | Quote

It’s possible (likely in my opinion) that Group A folks will get targeted ads. Remains to be seen if they’ll show up inside Windows.

Reply | Quote

Likely true. But they should also understand that they’re opening their machines up to more advanced “telemetry” than what they’ve seen before.

I hope to help Group A folks by telling them when to install the cumulative updates. That’s similar to what I’ve done for many years – since the XP times – before Get Windows 10 raised its ugly head.

Reply | Quote

Ab-so-lutely. Thus, the reason why I don’t recommend people use that setting.

Reply | Quote

@Old Dog: I think there are many who are leaning more towards “Group B” at the present time. It is a very complex issue, and much to consider over-all. Good luck to us all.

Reply | Quote

The Linux Mint distro is very popular and may be my next OS. I have also used Debian and CentOS and found them to be reasonably user friendly. On an old netbook I installed Lubuntu when support ended for XP and haven’t had any problems with it.

Reply | Quote

Stroll over to bleepingcomputer DOT com, head into the Linux/Unix forum, lots of good info over there.

Think about the applications you use on a daily basis, that can help drive some choices.

Reply | Quote

@ch100,

“…if they broke things on YOUR system. They break things on about 100 computers worldwide out of millions or tens of millions if not hundreds of millions,…”

With all due respect, you’re delirious.

“Hundreds” that you know about, hundreds of thousands, even millions, that have NO interest in finding blogs or websites to make their troubles known.

Hundreds of thousands or millions around the world who take their machines to repair shops or friends and we NEVER hear about all of their problems. Multiple MILLIONS of people around the word who have been jumping through hoops NOT to get taken down by an inept MS patch Tuesday barrage.

ch100, as you have stated, you’re not just “in the minority here”, you need to stop being a Microsoft apologist. You need to acknowlede that using a home computer or a small business computer should be, after all these years, PAINLESS for users. And Microsoft has made it anything but painless for hundreds of millions of people worldwide…

Your assumption that only “the unlucky hundreds” of people around the world were affected by the printing patch is just a head scratcher when a poster here, with hundreds of clients, had to take defensive actions to PREVENT a potential printing disaster. I guess being forced to take defensive measures to protect one’s business or personal data is the user’s issue and not the company that is actually causing the issues? Please, that’s an apologist’s approach.

Taking you advice to heart, many millions more people, who installed everything MS sent down the update chute (YOUR advice), would have had W10 FORCED onto their machines. The “install everything to keep updates running smooth” doesn’t fit with your “avoid the GWX Updates”…especially when no one knew for sure which updates contained GWX. You can’t have it both ways.

Your “install everything except these handful of updates” is a blatant contradiction. Promoting “install everything” and then listing “exceptions”, even one “exception”, puts your advice in the very questionable category.

How you can defend a company who changed a 50+ year old standard of an “X means close the window and take no further action” to “yes, install a new operating system on my machine”, is beyond my comprehension.

I’ve often said your technical knowledge is excellent but your continued defense of Microsoft’s indefensible policies is not excellent at all.

Reply | Quote

I would disagree.

I don’t agree with everything ch100 says, but he has a very good, consistent way of dealing with patching problems.

The truth is that none of us has any particular insight into the number of people with patching problems. Everything I’ve done, for more than a decade, has involved listening to people and their complaints. I don’t have any way of knowing if a particular bad patch affects thousands or tens of millions.

As for Microsoft… it really isn’t a question of Microsoft having indefensible policies. I think all of us would take that as a given. (Assuming you can even FIND their policies.) It’s a question of what you want to do with the products that are offered – and how much effort you’re willing to expend, in order to maintain your privacy. That’s true with Microsoft, as well as Google and Apple – and now, it appears, with LG refrigerators.

Reply | Quote

bleepingcomputer.com is a great resource for all sorts of things.

Reply | Quote

@ch100 If we followed your path, we’d all have Win10 AU now.

I, for one, will NEVER have Win10 on ANY of my production machines. I used to live and breath MS software from the early DOS days. With Win10 things changed.
I am of an age that values their privacy, MS does not. I might consider Win10 a descent operating system if it wasn’t for the breach of privacy, advertisements in my private space, monopolistic use of BING/Cortana, pushiness of their inferior Universal CrApps, use of my bandwidth for their benefit, forced update rollups, and never knowing what offensive additions they will come up with next. I no longer trust MS. I do not like their lying, unethical, conceited behavior.

Although I have put my “clients” (don’t know if the term is fitting for free support for friends, neighbors and family) back on Automatic updates because they would not get security updates otherwise, I feel guilty for making them victims.

Not everyone can afford a Mac. Not everyone is technically capable of the change to Linux. And most need more than a ChromeBook.

Reply | Quote

I wonder why, if we omit non-technical new MS way of doing business reasons, Microsoft doesn’t simply allow at least 3 months without issue with a patch before shoveling it in the mandatory package, a bit like it does with the things like Anniversary Update that you can defer for a while if you have the Pro Version. You could remove or uninstall patches for a little while until no more issues happen, but you run a common core of a lot of old patches. Then everybody has the same baseline plus a few differences until things are clearly ironed out. That would prevent issues like you send a patch that breaks something and you can’t remove it while you wait for MS to fix it. That solution doesn’t fix the issue that there might be some patches you never want, like those that add some customer experience improvements and the like, but that is another topic. However, you don’t have to choose between being behind on security or accepting everything and being unable to uninstall what doesn’t work.

I loved Windows but I am really annoyed by what is currently going on. I don’t need more trouble maintaining computers because MS resets our settings every 4 months with a new Service Pack / Windows 10 version that also disable more Pro features that prevents games, ads and other distractions. Ironically, Nadella recently said that he was working to make Small Business have the same tools as big enterprises to be more productive. I didn’t know Candy Crush was part of the productivity package of big enterprises. Right now, my experience with Windows 10 has only been more troubles and a computer that suddenly refused to start at all after a small forced update. I used to love computers, now I feel like I don’t have control anymore and I can’t just focus on my work if I don’t want to bother with them, because I never know what is going to happen to my machine.

I want to share a weird story. We updated a lot of Windows 8 computers to Windows 10, for fear of being too few running 8.1 at some point and have the same fate as Vista users when Adobe decided to not update Reader anymore on Vista even before dropping support for XP. All my Win 10 computers that are not connected to the Internet freeze randomly, about once a week. The ones that are connected to the Internet are fine. We have setups with dual hard disks for OS and Data, but we didn’t install the anniversary update. What is really odd is we have 2 PCs that freeze and then get their date and time reset in the BIOS to the install date of Windows 10. One was a PC that was perfectly fine running Windows 8.1 for a long time. Each Friday between 10 and 12, it freezes, and you can see the clock change on the fly just before. You reboot and then the BIOS clock is set to the install date of Windows 10. I tried manually updating the clock using the internal ntp server and it works without any issue. How weird.

Reply | Quote

This one has me stumped. Anybody seen this problem before?

Reply | Quote

Is that the time WU searches for updates?
Or maybe the time the clock syncs with the Internet server and it can’t find it?
Just some suggestions.

Reply | Quote

My clients think it is very productive. They have well running Windows 7 computers and have not experienced nor hopefully, ever will experience the turmoil created by MS incompetence. They hear their friends talk about the mess and tell me they are grateful for being vaccinated from it.

I fully realize that nothing I do or say will influence the 500 pound marshmallow (M$). But, their near $1000 investments will stay useful, mostly private and keep running for years ahead.

CT

Reply | Quote

@fp I could not agree more. The risk to stable running systems is far greater installing MS updates than from hackers.

CT

Reply | Quote

Thank you ch100. You actually just gave me a very convincing argument that Group B is risky and Group W is much less risky.

CT

Reply | Quote

Yes it is.

Reply | Quote

@Greycoat. You are absolutely correct. That is why I have staunchly insisted my clients set WU at NEVER. Never is the only way to gain complete control. A lot of people have a psychological problem with Never. Never does NOT mean never update. It means MS you are never going to make my decisions for me. I will choose when and what to update.

CT

Reply | Quote

@Woody,

“The truth is that none of us has any particular insight into the number of people with patching problems.”

I can’t change your opinion but if you believe, just as only one example, that the recent printing patch issue only affected 100’s of people “worldwide”…well, then there really is no room for discussion.

“Applying those percentages to Microsoft’s frequently stated claim of 1.5 billion Windows users worldwide gives a ballpark estimate of how many Windows XP users are still out there. ”

So, MSFT states that that they believe they have 1.5 billion Windows users worldwide.

https://redmondmag.com/articles/2015/04/08/windows-xp-usage.aspx

So, is the printing patch affected .001% of the 1.5 billion users that would mean 1.5 MILLION users were dinged by the patch. If the printing patch affected .0001% of the Billion Windows users were dinged, that would mean 150,000 users. One would have to get to a .0000001% rate to get to “hundreds of users” being affected that ch100 is alleging. Not a reasonable assumption at all and not very likely at all. If MS had an .0000001% failure rate they would be considered the greatest and most efficient company in the history of the world.

And again, we are talking ONE patch here, the printing patch, and not all of the BAD patches MSFT has released over the years to ALL of their users. And those patches, for many years, were encouraged to be “auto downloaded and installed”.

I’m sorry, no reasonable person, with any kind of tech or statistical background, should be giving the advice that any user should install ALL patches from MSFT given the obvious evidence we have seen over the years. That’s why I say that ch100, even with all his technical expertise, is a MS apologist. He has indicated in the past that he does make a part of his living related to MS and their products. And it infuriates me, on a personal level, that he has been giving his “all patches” advice when the evidence points in exactly the opposite direction. Again, “install all patches” would have sent my machine, and many, many other machines, to W10 without passing go.

And let’s not make this into something it is not…I am not attacking ch100 on a personal level, I am taking major issue with his advice…I am simply indicating that the evidence is out there (this post alone has over 200+ comments)if MS is given free reign on computers around the world with their patches and updating, there is and will be far more than “100’s” of machines affected. I can’t imagine that that point is even in dispute.

Reply | Quote

Anyone who is curious about trying a Linux distro for a test drive might consider running Linux in a virtual machine to get the feel of the UI. You can use VMWare Workstation Pro unlicensed as a free download and then set up several Linux distros to try them and see which one you prefer. You have no risks of screwing up your base metal Windows installation as Windows is just serving as the host system to run the virtual machine. If you decide it is not for you, just delete the Linux machine and uninstall the virtualization software and it is like nothing ever happened. It is a very low risk way to try out a Linux OS if MS is slowly wearing you down.

Reply | Quote

No question the printing bug affected many thousands – perhaps hundreds of thousands.

I’m very, very well aware of all of the bad patches Microsoft has released over the years. 🙂

I would never say “install all patches,” but I would say, “if you aren’t too worried about snooping, wait until the coast is clear then install the cumulative update.” If you are worried about snooping, don’t install any of the optional patches – but make sure you get the security patches, once they’ve had a chance to age.

Reply | Quote

Good questions…

Reply | Quote

Or create a linux live CD or flash drive and try it out.

Reply | Quote

If the machines are more then say 7 years old, try changing that 3 volt button battery on your mother board.

Reply | Quote

That was my original suggestion… weird, but it may cause those symptoms.

Reply | Quote

Along this line, I had some (non-security) updates from 2014 and 2015, even one optional update from way back in 2013, magically reappear a couple months ago. It was after I uninstalled one more recent update; I don’t remember which one.

Do you guys think I should hide them, install them, or will the cumulative updates in October go back to even 2-3 years and give them to me anyway? (Although I plan to at least start out in Group B.)

Thank you! -SBS

Reply | Quote

Unfortunately, the machines are less than 3 years old and one is brand new. I now have all of them (4 total) doing the same thing on all PCs not connected to the Internet. None of those connected exhibit that behavior. And usually when the CMOS battery is dead, you reset to like 2002, not August 2016 at the date and time of installation of Windows 10. I updated the BIOS and fully patched the system. Same thing. Weird.

I tried manually syncing with the time server (which is an internal ntp, not external) and it works well. Maybe it is the time WU searches for updates. I don’t know how to know when it does though.

Reply | Quote

If you’re going to start in Group B, only install security patches.

If you shift to Group A, sooner or later, Windows will get you caught up all the way.

Reply | Quote

Sounds to me like a power issue. If not the batteries(check them with a meter anyway) then you could have some wild power line variations. Being a former repairman, I have seen weird symptoms caused by power line variations.

Reply | Quote

Thanks Woody! I know that security patches only is the general rule of thumb, but just wanted to double check since these very old updates popped up. Thanks for the reassurance/reiteration. You’re greatly appreciated, always.

Reply | Quote

Are these running Win Enterprise? Pro? Business? I would figure Enterprise, except all would connect.

Reply | Quote

I’m not surprised at weird stuff happening when the CMOS battery dies. My 2008 eMachines computer died when the CMOS battery went dead. I changed the battery and it came back up again.

Reply | Quote

There is a known bug (or it is “by design” for those who are ready to accept that the design is actually the bug, not the implementation) with time setting and the scheduled task which runs weekly on Windows 7. The procedure to fix it is too elaborate for the regular user and I am not presenting it here for that reason. I am just pointing you at the KB describing the issue https://support.microsoft.com/en-au/kb/2385818
Just a warning, this is not easy to figure out and if there is interest I will provide a fully reliable procedure which should be a separate blog post in itself.

Reply | Quote

@Walker,

Chuckle… I’ve already lost most of my mind too! I am confused, too.

My relatives aren’t interested in this topic at all, though they do think I’m making it more complicated than surely it could ever be — so I think I’m going to put them on the safest Path A that I can, and torture myself with whatever Path B I can deal with (or go off-piste with Path “T”, for “tinfoil hat”!) 🙂

Many of us are in the same boat. It’s really great that we have found like-minded folks here at AskWoody.

Please don’t let it negatively affect your health — just make a couple of offline copies of all your important files as they now stand, continue to keep up with the news and advice here on AskWoody, do your best but don’t stress too much over it, and I think it will work out okay for us all, one way or the other.

Reply | Quote

They are running Pro.
I highly doubt it is a power issue. This is 4 different computers spaced very far apart in different rooms with separate circuits in a big office building. None of them had issues running Windows 8.1. Only when I upgraded to Win 10 they started to exhibit theses symptoms. All other PCs running Windows 7 in the office have no issue at all. And all of the PCs with issues have their date reset in the BIOS to the exact date and time Windows 10 was installed. Their date suddenly change, they freeze, then you press the reset button and the date is changed in the BIOS. I know it looks like Malware, bu tI highly doubt it. Those PCs have been installed with all reasonable security measures taken, alone behind a firewall, fully patched then installed with no Internet access, just like all the other PCs I have running Windows 7 with no issue. And those PCs didn’t have issues too when running Windows 8.1 prior to upgrading.

Reply | Quote

@Tudor,

I agree with you that most consumers will basically be confined to Group A because they will only know to use, or only want to use, Windows Update through their computer’s normal updating channels.

To go for Group B, it has been said by MS (in the Nathan Mercer Q&A and probably other places) that the non-cumulative security-only and non-security-only rollups will be accessible by the ordinary customer, as well as by big organizations and IT professionals, by getting them from the Windows Update Catalog.

My assumption, from how people here are talking about using the Windows Update Catalog, is that it’s not straightforward to use, but it’s do-able for the interested amateur.

Woody is warning here that the average customer may not *always* have access to that special way of installing the non-cumulative half-rollups, because everything is so murky and MS has been changing their policies regularly. So we have to keep in mind that being in Group B might not be open to us for the entire lifespan of our Windows 7/8, even if it will be at the beginning of their new updating system.

But I do expect that, at least at the beginning of all this hullaballoo, Woody will explain to the Group B people how to use the Windows Update Catalog to find the non-cumulative rollups. Come October, there will be instructions here (and at Woody’s InfoWorld platform, probably), and comments by others on what they are trying and experiencing.

And later on, if doing it the Group B way turns out to be too complicated for a non-professional, or if it ends up being closed off to ordinary customers, or if you simply decide to move over to Group A in order to save some of your own sanity/valuable time, then I think it is supposed to be very easy to move over to Group A at a later date.

In other words, if you have any interest in trying out Group B to start out with, I don’t think there would be much of a lasting downside, except for spending some extra time on it to get up to speed with the Windows Update Catalog process, in giving it a go.

[(And I even think that spending some time now to learn how to do path B as an ordinary non-pro customer, to be careful and try to limit Microsoft’s permissions on your computer, to install the safest group of patches in the smallest possible chunk, might pay off and *save time* down the road,
as Group A people are going to be at the mercy of not only the extra, excessive data-collection, but also of the greater chance that the all-consuming, cumulative, monster Group A rollup pathway might screw something big up with their computer (which the all-consuming, cumulative Windows 10 updates apparently have already done to some people’s computers).]

Reply | Quote

Sorry if I double post, I wasn’t sure my first post went through. Those are Pro versions in workgroup mode. I highly doubt it is a power issue. There are 4 computers exhibiting the behavior and they are in different parts of a big office building with different circuits. None of them exhibited the behavior when running Windows 8.1 and they started doing that as soon as I updated them to Windows 10. All other PCs in my office (many) are running Windows 7 and have no issue at all. The time is reset to the Windows 10 installation date and time. One of those 4 PCs never ran Windows 8.1 before and got installed with Windows 10 from the start.

ch100, thanks, but this seems to be more related to the trigger start aspect of the time service, which would maybe break the Win7 stations as well.

I know it might look like I was infected by malware, but all those computers were installed with security in mind, alone behind a corporate firewall, fully patched before being deployed internally with no Internet access, just like we installed all of our computers for the last 15 years.

Reply | Quote

I think your first post went through, but I’m approving both just in case.

Reply | Quote

@poohsticks:

I enjoyed the humor and excellent advice, including the encouragement. What a great “upper”.

I will be working on attempting to keep copies of important files, and continuing to review the options. It is really a serious dilemma for us “non-techies”. Thank you so much for the encouragement, and sharing your experiences and decisions. 🙂 🙂

Reply | Quote

Here’s how:

There is a small shiny coin cell battery in your computer. It is almost always the 2032 standard. This battery is recharged by your computer but has a life of about 5 to 8 years. This battery keeps constant power to the memory that contains today’s date & time as well as a lot of the features in your system. When it starts to fail, it commonly will start asking you to re-enter the date each time you startup.

For Notebook PCs it is likely going to be difficult to find the battery and will require a special part, requiring the services of a technician.

For Desktop computers, this is an easy change:
1.Unplug the power to your computer
2.Hold the ON button in for 7 seconds
3.Lay the computer on its side with the side where the wires are, down
4.Remove the side panel
5.Peer in there and you will see a shiny silver battery about 1/2″ in diameter. That’s the battery
6.Go to just about any store and buy a 2032 coin cell battery. They cost less than $5
7.Find a very tiny flat bladed screw driver (like one used for your glasses)
8.Very carefully pry the battery loose. It will pop up so be prepared to catch it.
9.Press the new battery in with the embossed markings on the up-side facing you.
10.Close the side panel
11.Turn it up vertical again
12.Start up the computer

Your computer will now need to have the date and time set but only once more — at least for this 5 years. You need to press F2 to get to the place where the date and time is stored. Put in current time and date. Close this the way it tells you to save what you did. You may hear more whirring and chugging while some of the stuff is again set up.

Once Windows is up and running again
1.Click once on the time/date in the bottom right corner
2.Click on Change date and time settings
3.Click Internet time
4.Click change settings
5.Select time.b.nist.gov and click the Update button — this will synchronize the computer clock with the US govt time labs system
6.Close

CT

Reply | Quote

Hi Woody:

Your original 04-Sep-2016 post states that “If you encounter very slow Windows Update scan speeds on Windows 7 or Vista, I suggest that you use Canadian Tech’s speedup method, posted on the Microsoft Answers forum.”

The KB3172605 update (July 2016 monthly update rollup for Win 7 SP1 and Windows Server 2008) recommended in Canadian Tech’s thread includes a hotfix for the Win 7 Windows Update Agent, but there is no analogous patch for Vista SP2.

Vista SP2 users must still use Dalai’s workaround at http://wu.krelay.de/en/, which continues to speed up Windows Update on my 32-bit Vista machine on Patch Tuesdays.

Reply | Quote

@Alex My reply was strictly in relation to @PKCano time sync suggestion as potential problem and not addressing your original issue.

Reply | Quote

@Alex This raises interesting questions. As you have already commented about my reply in relation to the w32time triggers, it would be interesting to understand if the behaviour of Windows 10 has changed since the Windows 7 implementation. The triggers configuration is in the registry, but it is not easy to be read directly. From a command, run As Administrator
sc qtriggerinfo w32time

Next, if the computers are in a Workgroup, maybe you should remove the triggers with

sc triggerinfo w32time delete

Check for associated scheduled tasks and disable them.

Set the time sync with ntp.pool.org and set SpecialPollInterval under NtpClient to 900 decimal (i.e 15 minutes)

Check if the issue still exists.

If you are not happy with the configuration which are presented and wish to rollback, run

w32tm /unregister
w32tm /register
w32tm /resync

Reply | Quote

@poohsticks “My assumption, from how people here are talking about using the Windows Update Catalog, is that it’s not straightforward to use, but it’s do-able for the interested amateur.”

Microsoft Catalog is in fact very usable. Some people like to overcomplicate things for emotional reasons like not using Internet Explorer for imaginary perceived security risks. If Active X controls are a real risk when browsing malicious web sites, how is it insecure to browse a Microsoft site with an Active X control created by Microsoft and running only on the Microsoft Catalog site in the default behaviour?
The other thing to know is that the http access is sometimes broken and the https browsing is far more reliable.

The real issue is that there is the extra step of selecting, downloading and installing manually. In particular the selection process may be challenging for some users who would be better off by using the mechanism provided by Windows Update.

Reply | Quote

Honestly Woody, I’m not sure how you can justify installing Windows 10 at all… It’s as if you’re saying…

Here’s what I recommend… You take the bust in the chops but forgo the punch to the gut, unless you’re feeling particularly chipper then you might opt for a swift kick in the shorts… but remember only select 2 of the 3 choices and never… blah… blah… blah…

I just don’t get it…

Reply | Quote

@David F,

Your situation of:

“…if there’s a troublesome update then you have to halt all updates permanently….
KB3121461 causes a sfc /scannow failure on my system. …it only seems to affect a small number of systems…. in effect come October I’m faced with the prospect of either not patching ever again, or patching and knowingly accepting that it may permanently break the O/S.”

Is similar to my situation — there was a Win 7 update about 2 years ago that was important and required, but it broke my system, so I had to uninstall it. I tried again, got the same result. I discovered that there were internet mentions of it as a patch that was seriously problematic for a small % of people. I even wrote a detailed question on the Microsoft support/help site, referencing the other online mentions of the problem, asking what I could do about it, and no one answered my question. I am still offered that patch today as very important, but I don’t feel that I can allow it to be installed because it’s just going to mess my computer up.

Notwithstanding my tinfoil leanings towards Group C / Pathway T, even if I wanted to be their most compliant customer this side of the Mississip’, due to that messy patch from long ago, I fear that it would not be workable for me to try to be in Group A.

Nor would I be able to remain in Group B, if, in the future, the non-cumulative, security-only half-rollup that they are planning for the second Tuesday of each month were changed to be cumulative — because it would try to install that problematic patch on my computer.

Reply | Quote

@Seff,

The reason I have brought up the idea of unhiding everything on the AskWoody discussions in the last week
is because of the following comment I made a few days ago about what Nathan Mercer wrote in his Q&A
(specifically, see the section of his comments that I put between ***stars***):

“reader question [to Nathan Mercer]:
“If an update that is included in a Monthly Rollup depends on the prior installation of an earlier single update which I chose to hide (i.e. not install) long before October 2016,
will I be prompted to install that parrticular earlier update (for example, by Microsoft’s identifying the earlier update by its KB number)?
Or will Microsoft install the necessary earlier update automatically through Windows Update?
Or will the attempted installation of the Monthly Rollup just fail without an explanation as to why?”

Nathan Mercer’s answer:
“If there are any pre-requisites that are needed to install a monthly rollup we will ensure they are documented in our release notes.
In general we try to avoid pre-reqs because it causes complexity for you and for us.
Any update with a pre-req is not applicable in Windows Update until the pre-req is installed.
***So if we did pre-req on an update that you had hidden, it would never show as being applicable to you.***”

I interpret what he wrote to mean that:

1. The computer owner will have to carefully read the release notes for each month’s Rollups, and cannot rely on any sort of automatic messaging popping up (while he/she is installing a Rollup patch) to warn the computer owner that there are parts of the current rollup patch that are secretly not being installed on this particular machine, simply because this computer is missing a prerequisite update.

2. If there are any old-style updates that you put in the “hidden” zone prior to October 2016, you can forget about ever being told about the existence of, or being offered, new patches relating to them (i.e., requiring them as a prerequisite) which exist in the monthly Rollup patch collection. Other people will get them, but you will not, and you won’t be warned that you are not getting them.”

from:
https://www.askwoody.com/2016/the-fallacy-of-fragmented-patching-in-win7-and-8-1/comment-page-2/#comment-97339

Reply | Quote

@Woody,

That’s so great that you “want to keep helping those in Group B.”

You don’t have to do that, it’s not the path that you have chosen for your own computer systems, and it doesn’t (except tangentially) help you hone your expertise regarding your Windows 10 work/writing.

I am one of many, MANY THOUSANDS of people who are deeply grateful for your help and guidance with Win 7/8 in recent years, and your outstandingly open, prompt, respectful, helpful communication with your readers/followers.

==================
To everyone — Woody has stated in the past that some ways that folks can contribute towards his work are:
1. Turn your adblockers off when you visit his articles at InfoWorld.com
2. Buy his published books about Windows — I think his 2nd edition of _Windows 10 for Dummies_ is out now.
3. Download and play his son’s game app 2Bee2: https://www.askwoody.com/2016/introducing-2bee2/

Reply | Quote

@Seff,
Regarding what Nathan Mercer seemed to say about how they are going to handle previously-hidden updates after they bring in the Rollup Regime in October,
please see the following comment I made earlier today:
https://www.askwoody.com/2016/ms-defcon-3-get-windows-patched-gingerly/comment-page-3/#comment-97834

Reply | Quote

@CH100,

“…they broke things on YOUR system.

They break things on about 100 computers worldwide out of millions or tens of millions if not hundreds of millions….

If you are one of the unlucky 100, then by all means, stop updating until you fix the underlying issues.”

–
Ha ha. Yes, it’s my problem that I have not yet *fixed* the underlying issues on my computer regarding how a certain Win 7 important update two years ago gave me (and some other people who commented about it on the internet — I couldn’t say if it affected ten or ten thousand people) the blue screen of death twice, and how Microsoft didn’t answer the reasonable and well-described question I put to them about this problem on their help/support website, therefore making it impossible for me to install that particular update on my computer.

Beyond my personal leanings towards not trusting Microsoft’s new updates when it comes to my security/privacy & not trusting that they won’t keep making big mistakes with their updates, just as they have continuously done in recent years,
even if I wanted to accept their new cumulative, make-me-compliant “Monthly Rollup” via Windows Update, I would not be able to, because of that important update from about 2 or 3 years ago which wrecked my machine when I tried to install it and which there is no solution for.

I paid full price for the hardware, I paid full price for the software, I stood up for this company for years against but-Apple-is-so-much-cooler nitwits, and I should not be expected to “fix” an issue as complicated as this.

Reply | Quote

@Louis – I see your points, feel your frustration.

Reply | Quote

I think I’m probably going to be in every group from C to Z (since I’m not, at least for now, firmly in either group A or B!) if they represent shutting down updates and going off the beaten path, but what does the “W” stand for in Group W? I don’t think I’ve seen that one described.
🙂

Reply | Quote

@PKCano,

Yu wrote: “Not everyone can afford a Mac. Not everyone is technically capable of the change to Linux. And most need more than a ChromeBook.”

This is my situation. I spent an entire day last week looking at my alternatives, and I am back to square one.

That’s what makes this all such a headache and a difficult situation that MS has dumped a lot of good, decent people into.

Like the banks during the 2008 economic crisis, Microsoft is “too big to …fail…”
(though I’d put some stronger words in place of the word “fail”!)

I am dependent on this set of knowledge and this system (not only hardware and software, but historical files, etc.) that I’ve built up over 29 years. Twenty-nine years.

There is nothing I can realistically move to.

For the others out there in the same boat, I share your pain. I am really glad that Woody allows us here to discuss our problems and share strategies.

I appreciate all the varied commenters and their comments here — one might not agree with every thought/attitude, but there is some tremendous learning and help going on here, and I think it’s great. My hat’s off to everyone.

Reply | Quote

@InMicroSLaLaLand,

You asked, “Hey readers… any recommendations for a good version of Linux for beginners?”

About 2 months ago, there were some really detailed reader comments on that topic within an earlier AskWoody.com discussion thread (Woody’s blogpost that day had not been about Linux, but some of the discussion turned towards the topic of Linus). Sort of an overview of what to look out for, and tips for doing it the easiest way possible.

You might do a search of this site for some of the search terms like “recommendations”, “linux”, “beginners”.

Reply | Quote

Join the Group W branch… er, bench…

https://www.youtube.com/watch?v=b0a6iWHSWbA

Reply | Quote

… and let that be the last word….

I think you’re both very frustrated. For good reason.

Reply | Quote

Thank you, thank you.

2nd edition of “Windows 10 All-In-One For Dummies” isn’t out yet, but it will be shortly.

2Bee2 players/evangelists MOST welcome!

I’ll continue to help Group A and Group B (and even Group W) for as long as I can. Nostalgia, eh?

Reply | Quote

If Win7 is good enough for you, by all means stick with it – and I’ll help you minimize the tough points.

I’ve decided that the snooping doesn’t bother me (I use an Android phone, several iPads, a Chromebook and the Chrome browser) so I’ve already thrown in my lot with the snoopers. If you aren’t willing to do that, I certainly understand – and sympathize.

It isn’t a question of taking one on the chops. It’s a question of understanding what you’re getting into, and making an informed decision.

Reply | Quote

And I’m about 90% sure we’re going to see a major re-design of the Catalog, in conjunction with the October update changes.

Reply | Quote

Good point – and thanks.

Reply | Quote

so many people not remembering Alice.
There was a NYC FM station that played it every Thanksgiving.

Reply | Quote

CentOS (RedHat clone) is good and professional too. A very good trade-off for all requirements.
However, if finances allow and there is a compelling need to move away from Windows, MacOS remains the gold standard.

Reply | Quote

Oh, okay, that’s where “group W” was introduced in the discussions here!
I am sorry to be dense.
I do remember now that I had seen a prior link in this thread to Youtube, but being a privacy curmudgeon, I have Youtube ips blocked on my Peerblock, so I don’t click on Youtube links (I just see a blank page if I do).

Reply | Quote

Think about our well-known KB2952664 as pre-requisite and KB3035583 (now retired and not regretted) or KB3150513.
If KB2952664 was never installed, then the other two were never offered.
What you say and in particular at item 2 is accurate. However, this is not related to any cut-off date like October 2016, as it has always been the case, see my example.

Reply | Quote

@poohsticks

@Woody “I am one of many, MANY THOUSANDS of people who are deeply grateful for your help and guidance with Win 7/8 in recent years, and your outstandingly open, prompt, respectful, helpful communication with your readers/followers.”

I subscribe to your statement and I would add Windows 10.
Thank you Woody 🙂

Reply | Quote

Mint went operational for me today on a usb
drive.There is one thing we Windows types
need which is Mint Essentials…you can get
a free download of it if you search.It
explains Mint in “Idiot’s Guide” style
and every chapter begins with “in Windows
they call this soandso,in Linux we call it
this…” .
Full directions are given on how to get Mint,
put it on a bootable dvd,or on a
bootable ‘writeable’ usb drive…you can
literally be running it in ten minutes
flat with no harm done to your Windows.
As always,only thing is getting the printer
to work but that is coming along.
At least you will have a lifeboat of sorts and
given what MS may or could do,it’s well
worth the time IMO.

Reply | Quote

It is rather opt-out than opt-in with that setting. You have to be careful when you click Shut Down.

Reply | Quote

You betcha – and thanks to all who participate! The info here on AskWoody is amazing….

Reply | Quote

You can block YouTube, but don’t block Arlo.

Wonder whatever happened to him…

Reply | Quote

@CH100: “this is not related to any cut-off date like October 2016”

But if you (by which I mean, any individual computer user, not you in particular) have individual kb patches hidden prior to October, and then you decide you want to be in Woody’s Group A and that you want Microsoft to bring you into “compliance” and to put your Windows updating on auto-pilot, you are going to expect that Microsoft will be able to see into every nook and cranny of your Windows Update history, the fragmentation, the needs of your machine, etc., and you are not going to realize that your manually having placed some kb patches into the hidden area prior to October will keep Microsoft from offering your computer any patches that become available in the future that would require one of those hidden patches to have been installed as pre-requisites.

In other words, I interpreted what he said to mean that Microsoft is going to honor your past requests to have certain old-timey kb patches hidden, and they won’t offer you anything relying on/building on those hidden patches in the future, even if your machine really should have them, even under their cumulative, monster “Monthly Rollup” that will level everything in its wake and seek to fill the fragmented gaps.

Is my interpretation of that incorrect? I have no idea, I’m just trying to interpret what Mercer said.

Reply | Quote

Okay, two points make a line, two points make a search! (Type in “Arlo” and “Alice” and you get the answer.)

https://en.wikipedia.org/wiki/Alice%27s_Restaurant
” “Alice’s Restaurant Massacree” is a record by singer-songwriter Arlo Guthrie, released as the title track to his 1967 debut album Alice’s Restaurant. It is notable as a satirical, first-person account of 1960s counterculture, in addition to being a hit song in its own right and an inspiration for the 1969 film, also named Alice’s Restaurant. The song is one of Guthrie’s most prominent works, based on a true incident from his life that began on Thanksgiving Day 1965 with a citation for littering, and ended with the refusal of the U.S. Army to draft him because of his conviction for that crime. The ironic punch line of the story is that, in the words of Guthrie, “I’m sittin’ here on the ***Group W*** bench ’cause you want to know if I’m moral enough to join the Army—burn women, kids, houses and villages—after bein’ a litterbug.” The final part of the song is an encouragement for the listeners to sing along, to resist the draft, and to end war.”

(Actually you gave me three points, with “Group W”. Well, four, with “bench”.)

—-
Group W Bench from: https://en.wikipedia.org/wiki/Moral_waiver

“The Group W bench, a key element of Arlo Guthrie’s 1967 folk song and extended monologue “Alice’s Restaurant”, is a reference to the moral waiver provision — the W stands for “waiver”; he described that key element of the work as a waiting area where he mingled with other potential inductees awaiting consideration under moral waiver. The Guthrie work made the expression “Group W bench” (or occasionally simply “Group W”) a catchphrase for non-conformity. Various websites, an analysis, modeling and research company, and a well established[5] “eclectic boutique”[6] in New Haven, Connecticut, take their names from it.”

—-
Woody, you wondered whatever happened to him – this appears to be Arlo’s own site. http://www.arlo.net/

Here is one tidbit from it:
“In 1991 Arlo purchased the old Trinity Church. It was Thanksgiving 1965 that events took place at the church which inspired Arlo to write the song “Alice’s Restaurant”.
Named for his parents, The Guthrie Center is a not-for-profit interfaith church foundation dedicated to providing a wide range of local and international services.”

—-
I was able to find a snippet of of the actual song (accompanying a radio interview of Arlo) that wasn’t batted away by my IP blocking — I do remember the song from hearing it on the radio when I was little in the 70s.
Seems like a nice interview at:
http://www.npr.org/templates/story/story.php?storyId=5028273

Reply | Quote

@ Woody,

Would appreciate your take on the following extract from Nathan Mercers’ article:

https://blogs.technet.microsoft.com/windowsitpro/2016/08/15/further-simplifying-servicing-model-for-windows-7-and-windows-8-1/

Please note that Nathans’ original Sep 1 reply has been edited, and no longer contains the bit about a 3rd Tuesday Release

“JBrown

September 1, 2016 at 6:52 am

Nathan, what release schedule will the monthly rollup and security-only patches follow starting in October 2016? Will these updates continue to be released along the existing Patch Tuesday schedule or will they be published on a different schedule?

Reply

Nathan Mercer

September 1, 2016 at 12:07 pm

Security-only update will be released on Update Tuesday, the second Tuesday of the month

Monthly rollups will also be released on Update Tuesday, the second Tuesday of the month.

Reply

Old Dog

September 3, 2016 at 4:02 am

Hi Nathan,

I quote “Monthly rollups will be released on Update Tuesday, the second Tuesday of the month. Additionally, we will also release a new rollup on the third Tuesday of the month, containing only new non-security fixes”

I don’t recall seeing any prior announcement of a “secondary” rollup.

Will this additional rollup released on the 3rd Tuesday of each month be subsequently superceded by the following monthly Rollup?

Thank you for your attention.

Reply

Nathan Mercer

September 6, 2016 at 8:57 pm

Monthly Rollup Preview is a new Optional Update available on Windows Update, WSUS and Catalog on the 3rd Tuesday

3 weeks later on patch Tuesday it releases as Monthly Rollup including the security patches from patch Tuesday. You can preview the new non-security patches before they release in Monthly Rollup.

Reply

Chad West

September 3, 2016 at 5:02 am

This 3rd Thursday roll-up. Can you elaborate on it more? Will this contain the same cumulative updates from the 2nd Tuesday minus the security-only updates?

Reply

Nathan Mercer

September 6, 2016 at 8:52 pm

Monthly Rollup Preview is a new Optional Update, that will be available on the 3rd Tuesday, that then releases 3 weeks later including the security patches from patch Tuesday, as Monthly rollup.

Monthly Rollup Preview will be available as an Optional Update on Windows Update, WSUS and Catalog”

Is there a glimmer of light here? If I can preview just non-security fixes 3 weeks prior to the Monthly Rollup (Security + non-Security), then I will have a list of the patch nos.

Currently (but sometimes only with workarounds) you can delete patches bundled inside other patches. Does this represent an opportunity to install the months’ non-security patches and then delete/hide some if they cause issues.

or am I just clutching at straws? Do I cancel my order for a Tinfoil hat?

Reply | Quote

A beginner’s question : suppose one makes the switch from Windows to Linux. My assumption is you could read and use your old files. Correct ?

Reply | Quote

I think one thing’s glaringly obvious: Microsoft is making this up as they go along. If there’s a cohesive strategy, it certainly hasn’t been articulated.

Frankly, I don’t have any idea what the $#@! is going on. And I expect that once we see the end result it’ll take Microsoft a month (or two or three) to settle on a new patching regimen.

Reply | Quote

So that’s what Arlo’s been up to….

Reply | Quote

It wouldn’t surprise me if, eventually, the cumulative updates (which will gradually tack on old patches) will, one day, install even those KBs that have been manually hidden.

Do I know that for a fact? No.

Reply | Quote

@rtc,

Be sure you search for Linux Mint Essentials to get the proper guide… There is another guide titled Mint Essentials that is for Mint financial software only.

Reply | Quote

Some files will be accessible. If you have an equivalent program in Linux you will be able to use the files.
Pictures, music, and videos are a piece of cake.

For example: You use Adobe Reader to view .PDF files in Windows. There are equivalent programs for Linux to open .PDF files.

If you have Office and use .DOC, .DOCX, .XLS, .XLSX, .PPT, etc in Windows, You can find an office suite like Libre Office or Open Office for Linux.

However, if you use Outlook you may have a problem as there may not be an email program in Linux that can deal with Outlook’s .PST files. If you are using Thunderbird, you should have no problem b/c Thunderbird works for both.

So the problem boils down to finding equivalents.

Reply | Quote

As noted by PKCano, many files such as music, pictures, etc. can be opened and used by various software suites which are available with Linux. There is also an application compatibility layer which can be installed with Linux which will allows Windows applications to be run on Linux. This application is called WINE and it essentially stands between programs using Winapi and a POSIX compliant OS such as Linux. In many instances, a windows program will run directly on Linux using the WINE program. It will not work universally but it is worth knowing about when you do your research. MS has spent a lot of time and effort trying to keep developers from porting their programs directly to Linux but that may start to change as the Windows ecosystem frays.

Reply | Quote

If your email is set up as IMAP in Windows and in Linux, then whatever is in the IMAP folders will show up in both Windows and Linux. If it’s in a local (non-IMAP) folder in your Windows email program, then the simplest solution is to move it to an IMAP folder. Then, in your Linux email program, you can move it from the IMAP folder to a local folder. By moving it to a local folder in your Linux email program, you will reduce the amount of storage space you are using in your IMAP folders — if you don’t do this, you might max out on space in your IMAP folders.

Reply | Quote

So, forgive the repeat of a question that’s probably been asked a million times already: Should I install the security patch 3177725 on 8.1 or not? It’s the only security patch I’ve held back on. Thanks, Woody!

Reply | Quote

Thank you, PKCano, Jim and Anonymous. My mail is retrieved locally into Outlook, and my email accounts are set to POP3. How does one move existing mails into an IMAP folder ?

Reply | Quote

I would like to give my opinion about the whole nonsense and huge uncertainty about where Microsoft is going.

First, Nadella has been appointed as CEO. Nothing against the person, but I think he is the guy associated with Bing, the cloud and the likes. Wasn’t Bing supposed to crush Google so bad MS was almost telling people to join Bing as fast as possible before Google wouldn’t exist no more (I caricature a bit, but still)? So this was such a success that he was the logical choice for CEO? Ummmm…

Ok, a fact now. The capitalization of MS grew 49% since Nadella arrived. This means: he does something that works or there is huge expectations that what he is doing is going to pay off later. Apparently, online services are picking up great.

So, if you are not happy with what MS is doing, I would say you need to not use any of their services when you can. App store and apps are still in a sorry state so it is not hard to never use them. Gaming might come to Linux using the new Vulkan thing so that should help some people jump ship later. If you really want the latest DirectX for now, you need Windows 10. If not, you could stay with 7 or 8.1 with no updates or security updates only if you don’t believe MS if going to shove down your throat customer experience features disguised as security updates. The real deal is MS Office for professionals. There is no valid substitute for some people. But this might transition more and more to a valid multi-platform online service too. Then Linux gets much more attractive for those users.

In theory, if you stick with Windows, it is possible to not patch it at all, disable updating and tracking services, then only run alternative softwares. No need to tweak your system again to remove the crap after each MS big update. If you value privacy, you use Firefox for a browser, Thunderbird for emails if you really need an email program and nothing from Microsoft except Office if you have to. Behind a good firewall router, not downloading random new softwares, running the free Microsoft EMET security tool, what is your real risk at home? Security problems are mostly coming from vulnerabilities that needs to be triggered. If you download illegal files or random unknown softwares, then you are definitely at risk, but even on a fully patched system with complete antivirus, you are almost doomed if you do that, as there are a lot of 0 days attacks anyway or new viruses that aren’t caught by security software. The biggest risk is the way you use your computer. Running a patched Firefox 64 (64 so EMET or Windows ASLR works properly) with Flash on ask-to-run and no other plugins on a non patched Windows might not be that big of a security risk for drive-by downloads. If you are scared, run it in a VM or sandbox for an added layer of peace of mind. Security is always brought up by MS when they get out a new system, but in reality, a lot of it is just for marketing purposes. They invent ASLR and put it in Windows, say it is more secure, but they disable it by default so it doesn’t break old softwares. They brag about new great security features, but they are not even available in the Pro version, only in Enterprise. In the XP days, they bragged about the new two-way firewall when a lot of people were running ZoneAlarm, but that was a big joke as nobody would ever take the time to manually configure the two-way firewall that wasn’t even able to tell you clearly on the spot when it blocked something and offer you the option to unblock it. Although in retrospect, ZA approach wasn’t sustainable reasonably anyway due to the proliferation of connected softwares and asking users to authorize new processes all the time makes no sense.

Even though I respect Woody’s position as a group A person, I am not a member of that camp, nor a member of the non patching camp, so I am a lost sheep. You see Woody, I don’t trust that nobody will ever get their hands on everything that Microsoft records somewhere about me and I don’t like that idea, even though my life isn’t that interesting. The NSA’s set of vulnerabilities they use to spy has just been disclosed by a group of hackers. Is MS that much better than the NSA to protect their assets? I would love to work in the MS environment but I am very uncomfortable with the privacy issues and not knowing what updates they are going to bring, plus the frequency of changes. Changes are generally not great for productivity. They make me loose time analyzing what I need to disable so it doesn’t do things I don’t want or get in the way. I need Office because I do complex work in Excel that LibreOffice is not even close to do in a satisfactory manner.
I am a dedicated patcher. I couldn’t care less for new Microsoft features, as I try to avoid using them as much as possible, but I don’t like security vulnerabilities, however small the risk might sometimes be. New features makes patching riskier as it introduces complexity and novelty all the time. Also, now that I don’t want to have Cortana, but I am forced to use it if I use Windows 10, I will have to download a third-party search? That is not nice. I don’t use Chrome even though it is a great browser, as Firefox values my privacy above everything. I don’t want to run a non patched system and since I have computer networks and normal users, I can’t rely on them for not screwing up their computer and then unknowingly send virus through vulnerabilities in sharing protocols or tcp stacks.

But all of you at home, I think it is possible to run a non patched system, tuned a bit to not receive anything new and then try to use the least amount possible of Microsoft things in order for them to get the message that there are people that care for what they did best before: a pretty good OS for doing personal or serious stuff, that doesn’t get in the way of whatever you want to do and help you get things done instead of recording what you type and say that is none of their business. Prediction: this will come out as a subscription-based option for 7$ a month. This might not sound that expensive, but in a world where OS are given for free, out of principle, I would try to put as much people as I can on Linux before starting to pay 7$ a month for the privilege of running my own computer. Ok, maybe for now you folks can get by using only the security patch for Windows 7-8.1 path, but when 2020 arrive and support ends, you might want to consider running unpatched instead of jumping to Windows 10.

If you don’t do gaming or don’t absolutely need Office, you should maybe really give Linux a try. Web surfing with Firefox, image manipulation with Gimp, listening to audio, this all works fine on Linux. Or just run unpatched Windows 7 if you know you are the kind of person who is already low-risk.

I think Linus Torvald said recently that using open-source is the only way to reduce the risk of having the undesired effects in proprietary software that will become more and more of an issue. China is doing their own version of Ubuntu. They rightly don’t want Microsoft and their forced updates and you don’t know what is inside the software running in their things because they can’t know what it is doing. The U.S. should also not use Kingsoft Office replacement as the Chinese government finance it and have some parts of code that might go contrary to U.S. interests. Without wearing a tinfoil hat, those are legitimate concerns for every country and their people (as Chinese themselves might wonder if it is such a great idea to only use government-sponsored software).

A final thought. I know two persons a long time ago that bought a computer with an early Windows XP. 3 years later I see them with completely unpatched systems (they disabled automatic updates). I think it might be a dangerous idea, but since it is gaming machines essentially, the harm might not be that bad if they get infected. Well, their computer were quite old by the days standards after three years, but they looked much faster than a lot of newer computers I saw that were fully patched. The tendency was to bring bloat along security updates at that time. At the end, Windows XP SP3 was certainly not the same light system than the first XP was. Food for thought.

So, for me, right now will be group B hoping I won’t get a nasty surprise, but I need to prepare for an alternative.

Reply | Quote

I’m a recent immigrant to Linux from M$-Windows and couldn’t be happier.

I read several positive reviews of a Linux distribution called Manjaro. Like many Linux distributions, Manjaro is available with several different desktop environments, with Xfce and KDE Plasma as the primary choices. I played around with both from their “Live USB” mode, to see what each was like.

For my taste, KDE Plasma was the easy winner. As a long time Windows user, it not only felt comfortable, it was fun! If you can spare 8 minutes, check out this YouTube clip that highlights some nice things about KDE Plasma:

https://www.youtube.com/watch?v=TXWUyUUx3ZE

Note: In the video you’ll see something called KDE Neon. KDE is an international free software community that produces lots of neat stuff. KDE Neon is an in-house project to showcase the KDE Plasma desktop and other KDE applications.

You can download Manjaro and their nice Beginners Guide from here:

https://manjaro.org/get-manjaro/

Enjoy!

Reply | Quote

@Wooody: Yes, it’s very obvious that this is is a potential disaster in the making in many aspects. What a total mess!

I have a question relevant to the hidden updates. I have no problem in researching and installing those listed (the majority of which were NOT security updates), however I have ONE which MS apparently has had numerous problems with in the past. It appears to be a “driver” for Intel.

I’ve only had this Win 7, Home Premium (new) since about Feb. 2014, and don’t know when this appeared in the updates. From what I have researched it appears that MS had serious problems with this, and from what little I’ve read about drivers, the instructions are to DL directly from the manufacturer NOT MS updates. This is is listed as follows:

Intel Corporation – Graphics Adapter WDDM1.1, Graphics Adapter WDDM1.2, Graphics Adapter WDDM1.3 – Intel(R) HD Graphics (92.1 MB). It’s been hidden, “optional”. I do not want to DL & install this one from MS, however do not know how to delete it from the hidden file.

Looking for “serious help” here, since MS will no doubt attempt to DL & install it if it’s in the hidden file. Thank you for any advice you can provide out of this quandary.
🙁 🙁

Reply | Quote

Yes.

Reply | Quote

@Old Dog,

Thank you for flagging those changes that have been made to what Mercer had already written in his Q&A, and for highlighting the new questions and answers that have been posted recently (including a good question that was asked by you, it appears!)

After reading the extracts you included in your post, although I am not sure what Mercer was going on about, it does seem to me that basically what he said last week is still what he is saying this week. This is my interpretation:

There will be 3 different rollups published each month.

1. My temporary, plain-speaking name for it: the joint & cumulative rollup
Mercer’s name for it: “Monthly Rollup”
containing: security patches and non-security patches
time period covered: is cumulative (having all prior and current security and non-security patches for the operating system in question)
date issued: 2nd Tuesday of month, which Mercer calls “Update Tuesday”
availability: in Windows Update, in Update Catalog, in WSUS

2. My temporary, plain-speaking name for it: the security-only, non-cumulative rollup
Mercer’s name for it: “Security-only update”
containing: security patches
time period covered: includes only the *new* security patches that have been released in the past month
date issued: 2nd Tuesday of month, which Mercer calls “Update Tuesday”
availability: in Update Catalog, in WSUS

3. My temporary, plain-speaking name for it: the non-security-only, non-cumulative rollup
Mercer’s name for it: “Monthly Rollup Preview”
containing: non-security patches
time period covered: includes only the *new* non-security patches that have been released in the past month
date issued: 3rd Tuesday of month (a date which Mercer doesn’t give a special name to)
availability: in ***Windows Update***, in Update Catalog, in WSUS
other information: it is an optional update; after this is released on the 3rd Tuesday of the month, 3 weeks later on the next patch Tuesday (2nd Tuesday of the month), this 3-week-old collection of non-security patches will be combined with the brand-new collection of security patches, and they will be blended in with all of the historical patches into the Monthly Rollup for that patch Tuesday. Mercer’s current reason for their going with this weird arrangement is that “You can preview the new non-security patches before they release in Monthly Rollup.”

It seems to me that most of his new information fits with, and fleshes out, what he said about the 3 rollups last week,
except for the part where he said that the one-month’s-worth-only, non-cumulative, non-security, “preview” update that will come out on the 3rd Tuesday will be available IN WINDOWS UPDATE as well as in the more esoteric venues of WSUS and Update Catalog.
I wonder if he mis-spoke about that.
To have this “preview” rollup presented in Windows Update seems like it will complicate the average user’s experience of Windows Update, if this little “preview” rollup will be sitting there alongside the official, giant, cumulative, joint Monthly Rollup. Why give the average user (who is reliant on Windows Update) two partially-simultaneous opportunities to download the same patches via two different rollups?

Reply | Quote

Items that are hidden are just hidden on your machine – and Microsoft can bring them back any time. I think it’s unlikely that old bad drivers will still be offered in Windows Update, but you can always try unhiding it, running Windows Update, and see if it gets picked up again.

Reply | Quote

If you consider yourself to be in “Group A,” go ahead and install it.

Reply | Quote

Thanks, Woody. No, I’m definitely a Group B kind of gal, so I’ll avoid 3177725.

Reply | Quote

@ poohsticks,

Thank you for your comments.

I agree with your points 1 and 2.

I view point 3 differently.

For me, the PREVIEW Rollup will contain NEW non-security patches that will be published in the FOLLOWING months’ Monthly Rollup. Hence its’ name – PREVIEW

MS seem to be giving us a heads-up of what’s coming. If you install early – no problem (that’s the MS take, not mine)- these new patches will anyway be in the following Monthly Rollup (Security & non-Security).

I would appreciate your take on whether this gives us an opportunity to manage non-security patches. If we have patch numbers in the preview, can we delete them ?

Reply | Quote

Good point about the risk that Microsoft itself may get hacked at some point, putting users’ personal information on the black market.

It my case this has happened with three vendors in the last couple of years, two of which are currently providing free identity theft services. Ask them whether this is tinfoil hat speculation.

Reply | Quote

Thanks for posting your take on a number of considerations MS has put on the table regarding patch management and the future od Windows. It is too early for anyone to draw firm conclusions as to what they can or may do in response to all of the forced changes. However, it would seem it is not too early to open one’s mind to the issues that need to be addressed and the viable alternatives that may be on the table. The real tragedy involved with all of this is that most users want a stable and secure open platform OS that they can utilize for whatever their general computing purposes require. MS is attempting to build a walled garden with UWP and the App Store and seems willing to break many things in order to get their way. I am personally not enjoying the ride.

Reply | Quote

I agree. It is the same reason a lot of people buy a Camry or an Accord. They don’t care that much about new features, fancy looks, coolness. They want stability, efficiency, reliability above all else and above all not waste time at the garage and changing cars every 2 years. There is a huge market there. Microsoft was the king of it and now they are destroying it to play catch-up with Apple.

Does it really work? I don’t understand not only there is still faith in this model at Microsoft, but there doesn’t even seem to be a doubt about it or a hint of a compromise to try to serve both markets. If you look at what MS did by copying Apple : the Nokia/Windows Phone, their lame App Store and their apps, nobody can say this works at all. After years the App Store debuted with Windows 8, its content is is still a poor replacement for any desktop app. MS is irrelevant in the phone business. You will do continuum with what? And what about this emphasis on the agumented reality as a productivity tool? Are they kidding us? I don’t see anybody at the office wearing a huge mask while interacting with others, nor putting on and removing their mask all the time to have the privilege of playing Minority Report. This is not business. Where are they going? The only thing that works is the productivity software online, but they didn’t have to break everything to have that going, just entice small businesses to exchange their internal Exchange server for cloud services. No need to force ads for games on them.

Reply | Quote

In addition to privacy issues….
One of my concerns has been that eventually someone will figure out how to contaminate Windows patches with malware and spread it through the peer-to-peer “get updates from computers on the Internet,” which is on by default in Win10.

Reply | Quote

Thanks ch100.

You guys here are amazing.

I looked into it after reading what you wrote and found some interesting pieces of info.

First, what seems to happen is the time syncrhonization gets triggered and the event viewer gets instantly filled with a message saying that an app changed the clock (and the clock is already changed to the installation date of Windows 10). Quickly, the event viewer breaks and this seems to freeze the computer.

Oddly, If I run the task manually, it returns a result of 0x420 but it doesn’t break anything. Also, if I go into the date widget and try to synchronize manually there by clicking on the button, it works and synchronize properly. Only when I let the task run by itself does it breaks everything. Remember I have no Internet access and the time server I put in the date widget is an internal time server. Never had an issue with it on Windows 7 or 8.

Looking at the sc qtriggerinfo w32time thing, I found that on Windows 7, it says two things, one to start the service (domain joined) and one to stop (no domain). Remember I don’t have a domain. On Windows 10, I have only start (domain joined).

What a weird bug. Unless a lot of people like me run some computers with no Internet access and syncing with an internal time server, I don’t see Microsoft fixing that anytime soon.

Next thing I am trying is to use the IP addresse of the ntp server instead of its name, just in case it makes a difference, then I will connect the PC to the Internet to see if it prevents it from breaking. I am sure now it has something to do with time synchronization as the last time the task is run always correspond to when the PC freezes. There is nothing I can get from event viewer unfortunately as it is filled with the same message.

Reply | Quote

Agree, I always disliked “WUDO” from the time I found out about it. It struck me as MS commandeering users systems for “bit torrenting” their OS updates because they wanted to spare their servers. Welcome to the MS “botnet” was my takeaway early on but I figured that was part of the price for W10 for free. The peer-to-peer sharing of wifi passwords was another act of beauty but has since been disabled because nobody wanted to use it.

Reply | Quote

@Anonymous
You have summed it up quite well. MS is a sitting duck for the next Bill Gates to come along. They are so out of touch with the market, it is unbelievable how a giant with such a lock on the market it committing suicide.

CT

Reply | Quote

I’ve been using Linux Mint on a laptop for months and I love it. It’s no good for gaming, but otherwise it’s really great and there’s almost no real learning curve. A vast improvement over Win 8 and 10, both of which I tried on it. I’d recommend the xfce edition for slower computers.

Reply | Quote

Ok I found it!

http://it-fixes.povolotsky.info/2016/06/windows-10-date-time-frozen.html

So it appears that Microsoft changed the way time synchronization works and if you are not connected to the Internet for a long time, it resets the time to maybe the last time you were connected to it. In my case, it fills the event viewer with error messages and freezes the computer.

The fix is easy. Look at the link provided. Thanks for all your help here. Woody, I think if someone asks you again about a weird clock reset to some quite recent date or freezing on PCs not connected to the Internet, you will remember that weird thing!

Reply | Quote

I think some vestiges of peer-to-peer network sharing is still there. You just don’t see it unless you do a custom install.

Reply | Quote

@Old Dog,

Regarding your question “I would appreciate your take on whether this gives us an opportunity to manage non-security patches. If we have patch numbers in the preview, can we delete them?”

I am afraid that I have no knowledge about that.

However, given the reasons that Microsoft is moving towards bundling the Windows 7/8 patches, I would suppose that the answer to your question probably will be:

Even if we could discern the individual patch numbers that are included in the non-security Preview rollup, that wouldn’t give us any ability to individually manipulate the individual patches — there would be no possibility of separating them, of installing, uninstalling, or hiding particular ones.
The rollups appear to be talked about like they will be solid, unimpenetrable chunks of patches. You either accept the whole chunk, or you reject the whole chunk.
As far as I know, not even an expert such as Woody would be able to hack into a rollup in order to handle the individual patches one by one (as they used to be managed in the old-style Windows Update that we will losing access to next month).

—–
About the “preview” rollup being issued on its own, 3 weeks before it’s bundled into the mighty, cumulative, Joint Rollup —
I am not sure why they’d do it this way — why they’d release that set of patches to everyone 3 weeks early — unless they are trying to get the early-adopters to suffer any inherent problems which that half of the month’s patches has, to report them and help MS get the bugs worked out in the 3 weeks before that set of non-security patches will be placed into the Joint Rollup on the following 2nd Tuesday.

What I find interesting about that non-cumulative, non-security “Preview” rollup is not the timing of it (three weeks off-kilter from the other two rollups), but its qualities of:
a. being non-cumulative (so it’s only one month’s worth of non-security patches).
b. being released to *everyone* openly via Windows Update, as well as WSUS and Update Catalog (in contrast to the other “half” of every month’s patches, the non-cumulative, security rollup, which won’t be offered on Windows Update).

Just for my modest circumstances/goals, the utility rollup number 3, the non-cumulative, non-security rollup which they will call “Preview” – appears to be that it might give me the opportunity to go for months without installing any non-security patches, and then allow me to install a particular month’s non-security patches if, for some reason, my computer would benefit from one or more of those patches that month — and not to have my computer simultaneously bombarded with all the historical, cumulative patching which would occur if instead I had chosen to install the Joint Monthly Rollup.

As a way to avoid the cumulative, historical hole-filling nature of the giant Joint Monthly Rollup, I don’t know if savvy customers will instead be able to install the two “halves” of each individual month’s updates, the non-cumulative non-security half (offered on the 3nd Tuesday of the month) and the non-cumulative security half (offered on the 2nd Tuesday of the month), and do that month after month,
to approximate everything about the Joint Monthly Rollup except for its cumulative “correcting” and back-filling of our past patching omissions.

On my own computer, I won’t be able to install the Joint Monthly Rollup – I couldn’t be in Group A even if I wanted to be in Group A – because there is a security patch from 2 or 3 years ago that just would not correctly work on my computer and it caused it to freak out (infinite rebooting nightmare then blue screen of death), so after trying twice to install it and researching the issue online (which was happening to other people with that particular patch, so it wasn’t just me), I had to leave that security patch off my computer for good. Ever since, it has been constantly recommended to me in Windows Update, month after month, but I can’t install it, or I guess that I would lose the use of my computer.
It appears that if I allowed the monster, cumulative, Joint Monthly Rollup coming in October to do whatever it wanted to do on my computer, it would see that missing patch, install it, and mess my computer up. So I don’t think that I could be in Group A, even if I wished to be. (Which I don’t wish to be.)

There are going to be machines out there like mine, which for some good reason or another could not coexist with a particular patch in the past, and I wonder if the Joint Monthly cumulative Rollup Update Extravaganza on the 2nd Tuesday of the month is going to knock out a bunch of computers around the world in one fell swoop the first time it goes “cumulative” (and not every customer will know what to do to fix his/her screwed-up computer).

Reply | Quote

I think peer-to-peer sharing of Wi-Fi was a lot worse than “nobody wanted to use it”. It was actually creating a big security problem by leaking passwords in certain contexts. This is the reason why it was abandoned, but you never know if it will not be revisited at some stage in the near future.

Reply | Quote

They may commit suicide in the end-user market, but this is very much outside of their control because of the very existence of Apple and Google in that segment.
As far as I am aware, Microsoft is thriving where they have no serious competition and this is in the Enterprise sector. They seem to be pretty comfortable in the Cloud market too, where they invested a lot while neglecting the Desktop OS which is apparently dying slowly, this is because of the rising of the phone computer, started with Nokia Symbian and now perfected by Apple and Google.
They can’t have it all!

Reply | Quote

I think you’re right. Looks like we’re going to get two undifferentiated blobs every month – one that’s security patches only (in a blob) and one that’s everything (in a blob). My guess is that KB numbers will disappear, along with any chance of uninstalling a specific patch.

Windows 10 works that way, sort of, with some notable exceptions.

Reply | Quote

Don’t we currently have KB numbers for Windows 10? After all KB comes from “Knowledge Base” and it is only a side effect that the patches which are documented by the articles have the same name to be easily identified.
If the KB id is going to disappear, how will we identify the updates? Even Apple iOS comes with a sort of version. Or the half-yearly patches will be simply named Windows 7.x.x.x?

Reply | Quote

Natively, only text files are readable and even they have a different line endings. You could start from here and follow the links http://www.cs.toronto.edu/~krueger/csc209h/tut/line-endings.html

Reply | Quote

@Canadian Tech. Wanted to tell you I passed your link on to someone in a group I’m in who was having diabolical trouble trying to update her laptop and others had passed on this tip and that and nothing was working and she was thinking of reinstalling Win7. She tried your method and it worked to her delight……….. she was so relieved and pleased and replied as follows:
*****************
Oh my sweetie!!!!
It goes! Just restarted my laptop after 31 updates!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

Thank you from bottom of my heart!
Yay! I don’t have to reinstall the windows, can you believe it?
What a smart guy this one!

I saved his forum link and will return if I need to!I am doing an happy dance here….

Thank you again for sharing this with me!
I believe it was MS glitch after a bad update, cause it was updating frequently and suddenly it stopped after July 17…
I thought the MS is busy with Win 10 and doesn’t have any update but then it was too long so I knew I have a problem, as many other Win 7 users.

And now…it is fixed and I hope for good!

__________________________________________________

On another note…….. reading the comments below and above I thought following would be appropriate to all this……… and thank you Poohsticks for reminding me!

Percy Shelley’s “Ozymandias”

I met a traveller from an antique land
Who said: Two vast and trunkless legs of stone
Stand in the desert. Near them, on the sand,
Half sunk, a shattered visage lies, whose frown,
And wrinkled lip, and sneer of cold command,
Tell that its sculptor well those passions read
Which yet survive, stamped on these lifeless things,
The hand that mocked them and the heart that fed:
And on the pedestal these words appear:
‘My name is Ozymandias, king of kings:
Look on my works, ye Mighty, and despair!’
Nothing beside remains. Round the decay
Of that colossal wreck, boundless and bare
The lone and level sands stretch far away.[4]

Horace Smith’s “Ozymandias”

In Egypt’s sandy silence, all alone,
Stands a gigantic Leg, which far off throws
The only shadow that the Desert knows:—
“I am great OZYMANDIAS,” saith the stone,
“The King of Kings; this mighty City shows
“The wonders of my hand.”— The City’s gone,—
Nought but the Leg remaining to disclose
The site of this forgotten Babylon.

We wonder,—and some Hunter may express
Wonder like ours, when thro’ the wilderness
Where London stood, holding the Wolf in chace,
He meets some fragment huge, and stops to guess
What powerful but unrecorded race
Once dwelt in that annihilated place.[10]

REMIND YOU OF ANYONE ?? LT

Reply | Quote

The existence of Apple and Google in this market is not forcing Microsoft to “commit suicide” (in other words, to quite inelegantly rip their reputation and a gigantic customer base to shreds). Microsoft is the major player in that area.

They could nearly “have it all”, they can call many of the shots within the massive scope of their endeavours (this is not “out of their control”), they have a global monopoly in certain key areas of society and technology, they have a good business here which they are swiftly destroying in a cack-handed manner.

Reply | Quote

Ugh, every time my frazzled mind in a moment of weakness thinks, “Wait, what is so bad about the new computing regime that I’m putting SO MUCH effort into resisting? Does it have to be this hard, especially since my needs are so simple?”, another long-forgotten-by-me, concerning aspect like this one hoves into view. Sigh. This is such a losing battle.

Reply | Quote

Mercer talks about a third blob every month, the 3rd-Tuesday-of-the-month blob: a non-cumulative rollup which holds the non-security patches for the following month only, which he terms “Preview”.

Reply | Quote

@ poohsticks,

Thank you for some very perceptive remarks.

I’m also hoping that we will be able to install the non-cumulative Security only patches plus the non-cumulative Non Security patches.

If we install them one month in arrears, (ie Install Octobers’ in November etc), we will have the opportunity to Pass when MS push out the inevitable 1st catastrophic Rollup.

Like you, I don’t see how I can install the Cumulative Monthly Rollup. Never experienced your problem, but it can happen to us all, and I just won’t take that risk.

@ Woody,

I assume that MS will still have “internal identification for the individual patches – how else will they be able to subsequently modify a faulty one ? I’m hoping that someone out there will find a way of unpicking them, but recognise that it’s very unlikely.

Reply | Quote

Brings to mind another blob

{ excerpt from https://en.wikipedia.org/wiki/The_Blob )

The Blob.
1958 American horror/science fiction film….
The plot depicts a growing corrosive alien amoeba that crashes from outer space in a meteorite and engulfs and dissolves citizens….
[The ending goes like this:] Dave requests an Air Force heavy-lift cargo aircraft to transport the Blob to the Arctic, where it is parachuted to the ice. Dave says that while the Blob is not dead, at least it has been stopped.
To this, Steve Andrews replies with the last line in the film, “Yeah, as long as the Arctic stays cold.”
The film ends with the words “The End” which then morph into a question mark — suggesting that the Blob may return, ending the film with a cliffhanger.
Movie tagline: “Indescribable. Indestructible! Nothing can stop it!”

—
We could invite the whole top layer at MS on a fancy tour of that pioneering seed-saving facility in the Arctic and… gently cryogenic them until 2020?

Fatefully, “primary funding for the Trust [that runs the Global Seed Vault in the Arctic] comes from organisations such as the Bill & Melinda Gates Foundation”
https://en.wikipedia.org/wiki/Svalbard_Global_Seed_Vault

Reply | Quote

I doubt that there will be any capability to pick off individual patches.

Right now, in Windows 10, it can’t be done.

Reply | Quote

That would likely be an Insider Preview ring release – which has been so poorly managed in the past that it’s hard to believe it’ll be done well starting in October.

Reply | Quote

I’m guessing we’ll have a “KB” number – but one that identifies the blob as a whole.

But it’s only a guess.

Reply | Quote

“The existence of Apple and Google in this market is not forcing Microsoft to “commit suicide” ”

This is another way to say that they cannot effectively compete for the medium and long term. The Desktop OS concept is running out of steam, Windows XP had almost everything that was needed and Windows Vista and Windows 7 have been only cash cows for Microsoft, which could have easily updated Windows XP to achieve the same result. There is a good reason why Microsoft claimed that Windows 10 will be the last Desktop OS released by the company.

We should get used with this and move on at some stage, or use whatever is still available.

Reply | Quote

Nobody outside of Microsoft seems to know exactly and it is possible that even they have not finalised all details yet.

Reply | Quote

I wasn’t sure where to place this reply to cover this whole topic of patches and previews, but here goes.

Microsoft has been doing the PREVIEW thing for a good while. People have just not noticed it.

On the third Tuesday for at least a year or so (don’t know when I noticed it) the coming month’s non-security patches have been show up as unchecked optional updates. On the Monday before patch Tuesday, they disappear from the optional list and on Tuesday they show up as checked important updates. If you want to see this happen, there is one in the optional list, unchecked, dated 8/16/2016, KB3179573 (August rollup). It’s been there since the third Tuesday. If you leave it alone, I predict that it will drop out of the optional list on Monday or Tuesday morning, and will show up as a checked important when MS releases the patches (about noon Central Time)

Sometimes there are several like this. The only difference is as of Oct they will be ONE instead of several, and be called PREVIEW. Same difference.

Reply | Quote

It’s a setting under ToolsAccounts – in the server settings you have the choice to use the POP3 or the IMAP server for your email provider.

Reply | Quote

@ Woody,

I didn’t know that. Thank you. Guess I,d better stop believing in Father Christmas.

Reply | Quote

Woody I follow your advice re updating. I am fearful of the forthcoming system in October and I think I would definitely be a group B. I have always used WU. I have been trying to find out how to use WSUS and the MS update catalogue and have found it all very confusing. Do I actually have to install something to make either of these work. I’m sure there are others like me (not very computer clever) that don’t know how to use these options. I know you are busy but if it was possible for somebody to provide simple instructions how to run these it would be much appreciated.

Reply | Quote

You can only get at WSUS through a server attached to your network. The Update Catalog is a pain in the neck, but accessible from IE and any other browser ifyou know the tricks.

Right now, don’t worry about it.

When the time comes and we have some information, I’ll get very straightforward instructions out for those in Group A or Group B. I may even mention Group W.

Reply | Quote

Going with Group A and note your warning to avoid installing drivers. My W7 computers have optional updates for Kernel-Mode Driver Framework version 1.11…and User-Mode Driver Framework version 1.11. Are those considered drivers and to be avoided? Or something else with a tricky name and ok to install?

Thanks!

Reply | Quote

I’d disregard the name and install…

Reply | Quote

They are Frameworks to allow Windows 8 like drivers to be installed on Windows 7. I don’t know if they are useful for everyone, but they are certainly not harmful. They have been around for very long time and passed the test of time.
You can go ahead and install them.

Reply | Quote

@Glenda,

Like you, I am also not a computer techie, and I have also never used anything but Windows Update to get my Windows patches.

In addition to Woody’s answer to you, which says that people like us can relax for the time being, and when October rolls around, he will explain step-by-step how we can use the Update Catalog to get the update rollup that we want (if we want to be in “Group B” and only download the non-cumulative security-only rollup from there),

I just wanted to note something about the other off-the-beaten-path downloading option, WSUS.
As Woody said, WSUS is only for a pretty sophisticated setup that probably only I.T. folks would have access to, and that normal customers like you and I do not, and will not, have access to.
There’s been a little confusion about WSUS previously on this forum, because some people have discovered that there is an option called “WSUS Offline” that is open to anyone to use, and sometimes they think this means it’s the official WSUS that the I.T. folks work with — but “WSUS Offline” is not an official service of Microsoft, it is a third-party program/service that was started by a German computer/technology magazine, and it’s not supported by Microsoft and it’s not a sort of mainstream thing that Woody uses, nor recommends to us here.
(Some contributors to this forum do use the third-party “WSUS Offline” to get their Windows updates, and have reported that they have had success with it. I have not looked into that program myself. I’m not sure how “WSUS Offline” will adapt to the new Rollup Updating system in October.)

So I just wanted to point out that when people mention that the new security-only Rollup updates starting in October can be obtained via WSUS _and_ via the Update Catalog, they mean the official WSUS offered by Microsoft which is for complex computer setups that have their own server and so forth, while for most of us ordinary computer owners, the Update Catalog is going to be our only option (if we want to be in Group B, at least. If we want to be in Group A, we won’t need to do anything but continue to use Windows Update as usual.)

Reply | Quote

It is not unusual to have end-users confused by Technet articles. Technet is mainly targeted to Systems Administrators, but Power Users can also find the information very useful. This is why there are references to WSUS and Microsoft Catalog.
Most end-users should stick with Windows Update and not worry about technologies which they are normally not required to use or understand.

Reply | Quote

@poohsticks If you have passion for it, you can download for free the trial version of Windows Server 2012 R2 valid for 180 days and install WSUS which is a role component.
https://www.microsoft.com/en-us/evalcenter/evaluate-windows-server-2012-r2
If you wait few more days, there will be a release of Windows Server 2016 which will be announced at the Ignite Conference and it comes with the updated version of WSUS. I assume that there will also be a trial version associated with that release.
And WSUS Offline will survive, because unlike what most people believe, the rollup patches have been with us forever, they are nothing new, only that starting with October 2016, Microsoft will try to make things more consistent (for them) and avoid some of the bad press that they had recently in relation to Windows Update. And hopefully we will have something to gain at the same time, because otherwise the bad press for Microsoft will keep on happening.

Reply | Quote

@Woody & @poohsticks:

I have not seen any reference to the “cut-off” date which starts on October 1st, insofar as having made a choice on Group A or Group B (and making the changes as indicated for the Group chosen). I would assume that BEFORE October 1st, the option for a specific Group should be made and those changes made. Is this correct?

Thank you for the clarification.

Reply | Quote

Actually, you don’t really need to choose between Group A and Group B until the October updates appear and we’ve had a chance to digest them. If you choose Group A right now, you might as well go ahead and install all of the updates for August and September. But if you’re sitting on a fence, just the security updates will do just fine.

Just turn off automatic updating, sit back and let’s see what happens.

Reply | Quote

@Woody: Thank you so much for the detailed advice. That is such a great help!! 🙂

Reply | Quote

Ok I also found this exaplanation of the problem.

https://support.microsoft.com/en-us/kb/3160312

Anybody has any idea why Microsoft would have added this feature in Windows 10? I am not sure I understand properly, but it looks like they use the time data from SSL connections to save an approximate date in the registry and reverts to it prior to use ntp servers for time???? Why would they do that?

Plus, as a workaround, they recommend to manually reset this saved date and time or plug back the PC to the Internet so it does some SSL connections and sets it to a legitimate value, but they don’t recommend disabling the whole feature, meaning they think it is important for some reason that I really don’t understand. Maybe a security check so a rogue program doesn’t throw your clock completely off? I don’t see the point and their workaround is not worth much if you alternate between running your PC on and off the grid, it will continue to freeze until you manually clear it each time…

Reply | Quote

It is known and broken behaviour starting with Windows 7 (or maybe Vista).
Event ID 0x420 in Task Scheduler is shown when the service is already started and the task tries to start it again. It does not break anything in Windows 7. The only thing broken is that for machines not restarted often and not on domain, the time tends to drift due to broken synchronisation. I don’t know why it freezes on Windows 10.
If you are not on the internet, you may consider the self-syncing setting, based on own BIOS which is setting the time source as NoSync. However you also mentioned that you have a reliable time source which you can use and which is better to use than NoSync.

Reply | Quote

@Alex
Thanks a lot for this post and the resolution to the problem. Excellent finding! 🙂

I think the bug, or “design” if we want to call it so, has to do it some checks about the validity of Root Certificates installed on the system, but it may well be related to telemetry.
This may create big problems to unaware administrators for computers installed and configured initially with Internet connection and later placed behind let’s say a proxy server configured with proxy settings only in a user context and not in the system context as well, the winhttp service. This is typical for many business networks.
I am wondering if the server equivalent which is due to be released in the next few days has the same design issue.

Reply | Quote

@Woody: Somehow KB2952664 got DL & installed. I clicked on the “remove” option, and the only updates shown there were all for Word, Office, etc.

My question: Is is possible to uninstall this KB2952664 somehow? I had it uninstalled once months ago, and now can’t locate a procedure to do it once again. I don’t know – – – it may not be possible.

ANY AND ALL ADVICE WILL BE APPRECIATED. 🙁 🙁

Reply | Quote

@Woody: UPDATE: I found the other updates, and will attempt to uninstall it now, and hoping and praying I won’t have a problem. My apology for not being more knowledgeable. Thank you for all of your advice and help.

It is appreciated more than words can say. 🙂

Reply | Quote

(See Walker’s update)

Reply | Quote

Have a look here:
http://social.technet.microsoft.com/wiki/contents/articles/32288.windows-enforcement-of-authenticode-code-signing-and-timestamping.aspx

Reply | Quote

Hi Woody, two, possibly related queries:

Despite installing only security updates five non-security updates also installed on my Windows 8.1 laptop during the August DEFCON 3 period. They were KB’s 3034348, 3095108, 3162835, 3177723, and 3173424.

I also installed KB3177725 as it was described as a security update.

Why did you associate KB3177725 with Group A for reader Teresa, above?

Being Group B aligned I would prefer to uninstall the non-security updates but am worried about breaking something. Any suggestions? Perhaps one at a time?

Thanks.

Reply | Quote

You should be able to uninstall all of the non-security updates, with no problems.

KB 3177725, as a security update, is part of both Group A and Group B. I really need to write this up in more detail!

Reply | Quote

@Woody: All went well with the uninstall.

**** Now I have a new PROBLEM – – – I installed KB3172605 on September 11th. It is on the “Installed list as being successful”.

***NOW – – – It is now showing up as “Optional” (29.2 MB), It is NOT checked, and is italicized.

What is the recommendation for this one now. I think in my notes that you okayed this one on on Sept. 11th, which is when I installed it.

I’m lost.

I have no idea why it is showing up again. Please advise. I’ve not DL & installed anything from the September updates yet.

Please advise, and thank you once again.

Reply | Quote

That one has reappeared. Just relax. We’re still at MS-DEFCON 2. Nothing pressing at the moment.

Reply | Quote

I uninstalled 3177725 this am as it seemed to be superceded by 3185911. Hope this helps

Reply | Quote

Woody wrote, “(WARNING: Don’t check Silverlight and Skype, don’t check any drivers – see below – and don’t check any language packs).”.

I understand about not checking drivers and language packs, but what is the problem with Silverlight and Skype updates?

Reply | Quote

If you check Silverlight or Skype updates, you automatically get the packages installed.

Very few people want Skype, in my experience – there are much better alternatives. Even fewer want Silverlight.

Reply | Quote

Glad to learn I was not the only one with these stuck scans, and that some brave folks came across solutions.

I know this has been posted some weeks ago, but I would like to thank you for the Canadian Tech link, I followed his (her?) suggestion, and I was able to update a Windows 7 machine prior the let-us-hope-things-dont-break new update model for the reminder of the “aging” OS support coming this October.

Reply | Quote

So I should skip the “security” update for Silverlight KB3182373? I think I installed Silverlight years ago for Netflix but apparently it’s no longer needed. Should I uninstall it? https://blog.mozilla.org/blog/2015/12/17/firefox-users-can-now-watch-netflix-html5-video-on-windows/

Reply | Quote

Yes, avoid Silverlight at all costs.

Reply | Quote

@Woody;

Re: https://www.askwoody.com/2016/ms-defcon-3-get-windows-patched-gingerly/comment-page-4/#comment-99357

“Very few people want Skype, in my experience – there are much better alternatives.”

Which are your first three favorites?

Thx, JF

Reply | Quote

I use Line, probably because it’s what I started using in Thailand many years ago. Works great.

Facebook Messenger is superior to Skype in many ways. For one, it usually works.

Third, I’d probably choose Viber, although WeChat is inviting. FaceTime if everybody has a Mac, iPhone or iPad.

Reply | Quote

Not necessary on Windows.
Apple Facetime
WhatsApp
Skype – big advantage, you don’t need a phone number and runs on all platforms.

Reply | Quote

I’m in a similar position. I installed Silverlight some time ago and have been installing the security updates ever since. But I have never knowingly used Silverlight. Does anyone know which products use Silverlight?

If I don’t use any products that use Silverlight, I’ll uninstall it.

Reply | Quote

Silverlight only works on Internet Explorer. It’s a Microsoft abomination that deserves to die.

Reply | Quote

That might well be the case. But I don’t want to uninstall it if it is needed by some Web site that I use frequently.

There is a similar situation with Flash Player. It is required by the BBC News Web site, which is my main source of news and provides my home page.

Reply | Quote

Silverlight is dying. The only place I’ve seen it used recently is on some obscure Microsoft sites.

Good overview here: https://en.wikipedia.org/wiki/Microsoft_Silverlight

The BBC still uses Flash? They’ve been testing HTML 5 for a full year now.

http://www.bbc.co.uk/html5

Reply | Quote

Woody, thanks for the BBC link which I have just read. It does state though, “We (the BBC) plan to continue supporting Flash on the desktop for at least the next few years.”.

Reply | Quote

The sooner Flash dies, the better off we’ll all be. Really.

Reply | Quote