MS-DEFCON 3: Time to get Windows and Office patched, but watch out for these buggy critters

Topic

New Reply

This month’s all-clear instructions are particularly complex. Refer to the InfoWorld article.

[See the full post at: MS-DEFCON 3: Time to get Windows and Office patched, but watch out for these buggy critters]

2 users thanked author for this post.

Elly, Morty

Reply | Quote

Replies

What I don’t get is that systems that didn’t have the ‘bad’ updates installed (meaning they were left alone and not affected) are still being offered the updates that fix the issues the ‘bad’ updates caused. Is it just me, or does that not make any sense? I would think, at least, that those machines wouldn’t be offered either update, since essentially one cancels out the other.

In any event, looking forward to your article Woody!

Reply | Quote

Yeah I was expecting to see supersedence in WSUS, especially on  3178690, but no. I’ve tested on a few computers rolling out both updates in WSUS with no issues. Will be rolling them out to rest of computers Friday.

Reply | Quote

WAIT for the instructions.
You don’t need KB3178690 – it should be UNCHECKED.
You will need KB3191855 – it’s good

But WAIT

2 users thanked author for this post.

HiFlyer, samak

Reply | Quote

Correct. I did not install KB3178690.

If you install KB3191855, then reboot and do a new WU search, KB3178690 will disappear from the WU list.

2 users thanked author for this post.

HiFlyer, samak

Reply | Quote

Yeah, to the same extent that if you install a fresh system you’re still offered the previews of past months that are, for any effect, obsolete.

 

Windows is broken…

1 user thanked author for this post.

HiFlyer

Reply | Quote

Looking forward to instructions for Win7!

1 user thanked author for this post.

JDeC

Reply | Quote

Reluctantly, I’ve decided to stop patching Windows 7 because, to put it simply, I just don’t trust Microsoft anymore and certainly not with my PC and data. It seems like the risks now outweigh the benefits of patching.. IMO, of course.

Woody, you have a good thing going here. It’s so nice to be able to read through so many messages by experienced people on both sides of this issue. I knew my way around DOS when I was 13 and even ran my own BBS (if anyone remembers those) for awhile, but everything I know about Windows was learned from snooping around under the hood and (cautiously) messing with stuff. It’s very unsettling to me that WU has become this mine field that needs to be tiptoed through to avoid the “bad stuff” and only get the good stuff. I don’t trust Microsoft not to slip things into patches widely considered safe without second thought, even if small piece by small piece, nor does W7 seem to need any patching anyway especially if you have security measures in place. When I ask myself “Is it really worth it?”, I just can’t make myself go along with it at this point. I feel that Microsoft is now the enemy and I shouldn’t take what it offers me anymore. The trust is gone.

Anyway, love the site!

3 users thanked author for this post.

Noel Carboni, Cousinjack, HiFlyer

Reply | Quote

One more for the Group W bench.

I’m really glad that so many people, with such divergent opinions, chime in here. There’s no one “right” way to keep Windows fed.

1 user thanked author for this post.

HiFlyer

Reply | Quote

I installed KB4012215, March 2017 Security Monthly Quality Rollup for Windows 7 SP1, on my system.  So far so good.

1 user thanked author for this post.

Chris M

Reply | Quote

Group A here, does anyone know if they fixed the bug that made mse flag false positives?

Reply | Quote

I’m not aware of any specific false positives for Microsoft Security Essentials, recently.

I do know that the VB-100 tests for MSE were much kinder this month.

Reply | Quote

You talk about it on your first article about this months bugs. You even left a link for a topic at ms answers started by one ThomasSpero https://answers.microsoft.com/en-us/protect/forum/mse-protect_scanning/note-about-malicious-sofetware-at-the-bottom-of/a6f175ef-8c8c-47b5-949e-35f8d8c4e71e

Reply | Quote

If I read the thread correctly, it’s a transient (and erroneous!) detection that can be safely ignored. I bet with the latest MSE definitions, it doesn’t happen any more. Even if you still get the notification, it’s apparently wrong.

Reply | Quote

Roger that, i will install the updates later then, thanks for the reply.

Reply | Quote

I have 1 more question tough, they say mse starts auto scanning by itself, doesnt that mean mse will stay auto scanning and eating up my cpu ?

Reply | Quote

The MSE overhead is minuscule.

1 user thanked author for this post.

TheSuffering

Reply | Quote

? says:

another resounding win7 pro update success! As always many thanks to Woody and all…

Reply | Quote

W7 SP1 Group B, non-techie

“This month, for the first time, there are also patches (and a hotfix!) for Internet Explorer. …. AKB 2000003 lists them all.”
If I understand correctly, the hotfix is not required unless you have cumulative security update 4013073 on your system and are having problems with Microsoft Dynamics CRM 2011. See:
https://support.microsoft.com/en-us/help/4016446/forms-in-dynamics-crm-2011-are-not-displayed-correctly-after-kb-401307

If my understanding is correct, maybe the Group B instructions should be amended to clarify this point.

Thanks for everything.

 

Windows 10 Home 22H2, Acer Aspire TC-1660 desktop + LibreOffice, non-techie

Reply | Quote

I believe you need both KB4012204 and KB4016446.

2 users thanked author for this post.

walker, samak

Reply | Quote

I based my post on the quote:

“This update is required only if you are experiencing the symptoms that are described in the “Symptoms” section, and you have cumulative security update 4013073 installed on Windows 8.1, Windows Server 2012 R2, Windows 7 SP1, or Windows Server 2008 R2 SP1.”

I have no idea what Dynamics CRM 2011 is,  I’m not experiencing any symptoms and don’t have cumulative security update 4013073 installed. So I thought it was clear I didn’t need it.

Yours in confusion (not the first or last time either).

Windows 10 Home 22H2, Acer Aspire TC-1660 desktop + LibreOffice, non-techie

Reply | Quote

It doesn’t hurt to install both, even if you don’t use Microsoft’s Dynamics CRM product. (Dynamics CRM isn’t the only product zapped by the bad original patch.) I don’t use CRM, but I do install both.

It’s likely that next month, the new IE cumulative update will absorb the hotfix.

2 users thanked author for this post.

samak, SueW

Reply | Quote

Woody, I’m surprised you’re still recommending people install MSRT, especially after this: https://www.askwoody.com/2016/telemetry-from-the-malicious-software-removal-tool/

Just an observation.

I just used WSUS Offline, which installed both the Security-Only patch and the IE11 security patch.

1 user thanked author for this post.

walker

Reply | Quote

zero2dash:    Isn’t WSUS for “Administrators”??  I don’t have it, nor have I ever used it.

Also, can anyone provide instructions about “how” to uninstall an update?  I’ve never done that, however see it referenced a lot.   Thanks to anyone who can provide guidance with this.

Reply | Quote

http://www.ghacks.net/2014/12/11/how-to-remove-installed-windows-updates-and-block-them-afterwards/

Reply | Quote

I have managed to follow instructions for Group B (Windows 7) up to this point but this time I was left completely at sea. I tried to follow the instructions but nothing of what was written coincided with what I experienced when I tried. I could not find the links or the particular patch numbers referred to. I found this (somewhere) http://download.windowsupdate.com/d/msdownload/update/software/secu/2017/02/windows6.1-kb4012212-x64_2decefaa02e2058dcd965702509a992d8c4e92b3.msu
and that is what I did. I’m frustrated because there doesn’t seem to be a definite place to locate all these links to all these patches. I fully admit to my lack of knowledge and inexpertise and I think I have reached the limit of my ability to understand this patching process.

Reply | Quote

The link is in the InfoWorld article. It is in the Knowledge Base section here on this site.

https://www.askwoody.com/forums/topic/2000003-ongoing-list-of-group-b-monthly-updates-for-win7-and-8-1/

3 users thanked author for this post.

Elly, walker, woody

Reply | Quote

Thank you.  I think I had found the right thing a bit by accident.  I appreciate all you do very much.

Reply | Quote

Invaluable advice as usual from @Woody just in the nick of time as Win10Prox64 has a slew of updates sitting there and I was getting tired turning off the reminders. There is a registry key that will stop you getting reminders but it messes up the notifications, which if you rely on or use them, isnt good.

As theres a new version on the Horizon those on Win10Pro & above may wish to check the GPEDIT settings or any other update avoidance customisations for any change. Win10 has a nasty/strange habit of changing back settings unannounced it doesent like or feel should be there.

As an aside this afternoon while deleting a .PST file I noticed an XBOX folder spring back in to view before my eyes after removing it an hour previous. (Thats in the 15063 Pro ver.) errrm a little unerving to say the least. So a check on any customisations as it may be worth a Gander for peace of mind or getting “Shanghied” in to an unannounced upgrade. Strange beast this Win 10

1 user thanked author for this post.

HiFlyer

Reply | Quote

And as usual they sneaked the lurking KB3150513 right after patching win 10 1511

Reply | Quote

3/6/17 “B to A” — Win 7-64 Hm Prem: KB 4012215 Full March Rollup, 2010 Office, Word, Excel, MSRT x64 …. Successful Install…

I omitted Silverlight as last time  ( coincidence or cause ??? ) I had to use Macrium Image to restore Win 7 from a Never-would-load issue after I inst’d it by itself.

W10 Pro 22H2 / Hm-Stdnt Ofce '16 C2R / Macrium Pd vX / GP=2 + FtrU=Semi-Annual + Feature Defer = 1 + QU = 0

Reply | Quote

Just wanted to add my 2 bits and say thanks to Woody and PKCano for their invaluable help with the links for the appropriate patches for this month. Have just completed the updating on Win7 Pro 64bits in group B……. Security patch and 2 for IE plus 6 for Office 2007. Tomorrow will do our Win8.1 64bits machine which is in Group B as well. Many thanks again…….. much appreciated! LT

The truly rich are those who enjoy what they have. — Yiddish

1 user thanked author for this post.

Elly

Reply | Quote

I don’t see the KB 3150513 update in my Windows 10 1607, neither is it in my list of installed updates…is this normal?

Reply | Quote

KB4013429 is a prerequisite.  It will only show up after KB4013429 is installed.

Reply | Quote

Thanks a bunch! I will be hiding it after installing KB4013429.

Reply | Quote

after installing group b patch and these two ie patches searching for updates offers botched excel kb3178690 along with the fixed kb3191855. doesn’t latter make botched patch obsolete? or should i install it anyway? and there is a patch for silverlight (kb4013867) i vaguely recall reading some warnings regarding this patch. install this aswell?

Reply | Quote

KB3178690 is in the list. It should be UNCHECKED. Rule is DO NOT check anything that is not already checked. Unchecked patches don’t get installed. You do not need it.

KB3191855 should be CHECKED. It will get installed (and KB3178690 will disappear on reboot).

If the patch is a Security Update for Silverlight, it is because Silverlight is installed. If you don’t want Silverlight, you should uninstall it. If you want to keep it, it should have the security patch.

Reply | Quote

thx, i know about leaving unchecked boxes unchecked. but in my case on my 8.1 notebook both excel patches were checked. haven’t yet bothered updating the windows 7 computer so i don’t know what is coming towards me there…

Reply | Quote

Might be worth mentioning that I was also offered the Silverlight patch even though I uninstalled Silverlight long ago. It was optional and unchecked. Now hidden.

Windows 10 Home 22H2, Acer Aspire TC-1660 desktop + LibreOffice, non-techie

Reply | Quote

in my case silverlight is installed (came with office 2010 i assume?) and it was checked on both win7 and 8.1, so i installed it on both computers. although i don’t use silverlight, i’m not going to uninstall it. saying “never change a running system”. btw, about that botched excel patch, on win7 machine it was not checked indeed. on 8.1 notebook on the other hand it was checked as mentioned above… strange…

Reply | Quote

One more question regarding “MediaTek Android device driver patch, “Microsoft – WPD – 2/22/2016 12:00:00 AM – 5.2.5326.4762”

How would I find out if it has been installed on my Win10 1607?

In fact, I want to confirm if it impacts Win10 at all to begin with. I wasn’t able to find anything in my update history, but I don’t know if it was somehow triggered unknowingly by another family member when they plugged in a device.

Reply | Quote

Win 7 HP, 64bit, SP1, Group B.  I’m not seeing any updates or patches for EI-11.  I’ve checked the MS Update Catalog, and there’s nothing on my WU.  If I were a Group A person however, I would get updates for IE in the big Group A Rollup.  There is talk here of an IE update being available, but I’m not seeing it.  I see everything else though.  What gives?

Being 20 something in the 70's was far more fun than being 70 something in the insane 20's

Reply | Quote

Charlie wrote:

I’m not seeing any updates or patches for EI-11.

You can download the updates by clicking the links in the article here
https://www.askwoody.com/forums/topic/2000003-ongoing-list-of-group-b-monthly-updates-for-win7-and-8-1/

You need the patch and the hotfix for the right version of Win.

3 users thanked author for this post.

Elly, Charlie, walker

Reply | Quote

I’m in Group A, windows 7 Home Premium. If I check the box to” receive recommended the same way as important updates”, KB2952664 will appear as a checked box to install. I’ve been consistent following group A instructions so far (since you invoked your A and B categories etc. for updating – thank you) – so it is ok this month for group A people to download this KB?

Reply | Quote

That update contains telemetry. If you are not adverse sending data to Microsoft, installing the patch will not be a problem. However, you may want to read about the telemetry/compatibility patches here
https://www.askwoody.com/forums/topic/2952664-telemetry-in-win78-1-kb2952664-kb2977759-kb2976978-kb3150513/

If you do not agree, you should right click on the patch and choose HIDE.

Reply | Quote

I’m in Group B, Windows 7 HP 64-bit. After installing the IE security update 4012204, IE 11 no longer passes the Logjam security test at Qualys SSL Labs. I also installed the Hotfix, which didn’t help.

Windows 10 Home 64-bit

2 users thanked author for this post.

SueW, walker

Reply | Quote

Let’s see if the problem goes away if you uninstall.

Go to Windows Update. In the lower left corner choose “installed updates”
In the IE section, uninstall the hotfix first, then the IE patch KB4012204.
Let us know if the problem goes away.

1 user thanked author for this post.

walker

Reply | Quote

Uninstalling the hotfix and update has solved the Logjam problem. I rarely use IE, but what should I do now?

Windows 10 Home 64-bit

Reply | Quote

Check back here in a while or tomorrow. We’re going to try to see if there’s a fix.

Don’t reinstall the updates.

3 users thanked author for this post.

Elly, SueW, Sportsman

Reply | Quote

Thanks – I’ll watch this thread.

Windows 10 Home 64-bit

Reply | Quote

I just posted this up on the main blog page. What failure(s) were you seeing? Any idea if it was the main security patch, KB 4012204, or the hotfix, KB 4016446?

Reply | Quote

The problem appeared for me after the required reboot but before I installed the hotfix. Installing the hotfix didn’t change the results. Logjam was the only test that failed, on IE 11. (Firefox worked normally.)

Windows 10 Home 64-bit

Reply | Quote

Try the suggestions here and see if it fixes the failure
https://www.askwoody.com/forums/topic/ie-security-update-kb-4012204-trips-a-logjam-security-test-warning/#post-105806

Reply | Quote

See other information on the Main Blog thread.

Reply | Quote

@PKCano:  Thank you for the instructions on how to “uninstall” an update.   Most sincerely appreciated!  

Reply | Quote

Sorry, everyone – you’re all going too fast for me.

On my Win 7 Pro 64-bit machines, is it now OK to install

March, 2017 Security Monthly Quality Rollup for Windows 7 for x64-based Systems (KB4012215) ??

Thanks

1 user thanked author for this post.

Reply | Quote

Yes, that update is OK to install

1 user thanked author for this post.

glnz

Reply | Quote

Thanks, PKCano0 !!

1 user thanked author for this post.

glnz

Reply | Quote

PKCano wrote:

Charlie wrote:

I’m not seeing any updates or patches for EI-11.

You can download the updates by clicking the links in the article here https://www.askwoody.com/forums/topic/2000003-ongoing-list-of-group-b-monthly-updates-for-win7-and-8-1/ You need the patch and the hotfix for the right version of Win.

Please forgive me while try to figure all this out.  I haven’t installed any Cumulative IE-11 updates since the Sept. 2016 which was shown.  Do I have to now download and install all of the ones I missed because MS didn’t include them in the “Security Only” updates or can I just (hopefully) install the March IE update?  Then this “Hotfix” whachamacallit – I’ll still need that too?  Yikes!  I feel a migrane coming on!

I’m not sure if anyone else feels like I do but this is awful.  Any further help/info. you can give would be very much appreciated.

Being 20 something in the 70's was far more fun than being 70 something in the insane 20's

Reply | Quote

Up until this month, the IE updates have been included in the Security-only patches, so you haven’t missed anything.
As of March, MS has separated the two and no longer includes IE in the security only update, so there will be 2 patches each month for Group B to download.
This month was an exception (we hope) and there is also a hotfix for IE.

Reply | Quote

Any advice on the Security Only Quality Update (4012212) for Win 7 x 64 ?

How about the March, 2017 Security Only Quality Update for Windows 8.1  x64-based Systems (KB4012213)?

Is it OK to install these on my machines?

I am in group B and admit I am not a tech wizard. I will stay in group B for as long as I possibly can. I have been installing Security only updates downloaded from the Microsoft Update catalog per instructed from the site wu.krelay.de/en/ (which I discovered on Infoworld)

I have a Win 7 desktop and two laptops running 8.1.

I have also been installing the Security Only updates on my parents  Win 7 desktop.

When their Win 7 laptop gave out on them they had to go with Windows 10 and it has been nothing but a nightmare from day one.

 

I have been following this since last year. Thank you all for the advice and guidance.

 

Reply | Quote

As of this month, MS has separated the update for IE11 from the security-only update for Win. The link to the downloads is here
https://www.askwoody.com/forums/topic/2000003-ongoing-list-of-group-b-monthly-updates-for-win7-and-8-1/

You will need to download the March patches for Win and IE11. There also is  a hotfix for IE this month (hopefully this is an exception). So, three patches for Group B for Win7 and three for Win8.1.

The above link will be updated  each month, so you can use it in the future for the downloads.

1 user thanked author for this post.

walker

Reply | Quote

Thank you PKCano.  Concerning IE 11 patch I do not use IE at all – ever – on my Win 7 pc . I do not have IE 11 even installed on my pc.

IE 11 is on my laptops as it was already installed when I bought them but I rarely use it ( I  use Firefox with Start Page) but I will install the patch.

Thank you again, I have book marked the link you provided and a HUGE thank you for keeping it updated for us  trying to stay in the B group. Some of us are just “regular” folks trying to maintain some  privacy.

Reply | Quote

Help! I’m not able to get KB4015438 installed for WIN10 1607

Everything else went through though.

The first time it failed during the installation stage.

I tried to install KB4015438 again, and the second time I was able to get it to complete the intall stage and to the restart stage. It failed at the restart stage, giving the following message: “We couldn’t complete the update. Undoing changes.”

Reply | Quote

Are you still having the problem? (It’s hard to tell if one of the later “anonymous” posts is from you.)

If so, don’t worry, it’s unfortunately a common occurrence. Most important is that you notify Microsoft of the problem. They may be able to improve cumulative updates in general by looking at your situation.

Post the problem here: https://www.reddit.com/r/Windows10/comments/5zdwlb/march_windows_10_cumulative_updates_are_out/

YOu could also scan the recommendations here:

http://www.infoworld.com/article/3066815/microsoft-windows/20-fixes-for-a-windows-10-update-meltdown.html

Reply | Quote

Hi Woody,

The problem has been resolved by running the Windows troubleshooter. I ran the troubleshooter a few more times to confirm if the issues identified initially by the troubleshooter had been resolved as it said, but it was still showing issues on the next runs. Nonetheless, the update was able to go through which is what matters. I will try updating another Win10 1607 machine later this week, and apply the same technique. Hopefully it’ll work as well.

Reply | Quote

Group B, Windows 7 Pro 64x
The IE11 patches kb4016446 and kb4012204 caused problems with Notepad++ – when closed, the program would hang with an odd display for several seconds before shutting down. I also saw problems with an old game (Starfleet Command: Orion Pirates). Uninstalling the IE11 patches while keeping the monthly security rollup kb4012212 seems to have fixed this.

Reply | Quote

I tried to duplicate the issue with Notepad++ v.7.3.3 and noticed nothing unusual. Win7Pro-64 SP1 Group B patching. I will try later today on the laptop.

No issues so far with any of the Group B March patches. I had no problem with the Logjam test page. Everything passed.

Reply | Quote

KB4012212 is the security-only update, not the monthly rollup.

Reply | Quote

Seeing the number of problems that may affect IE11, as a Group B user I shall just install the security-only update KB4012212 but not the IE cumulative security update KB4012204 at this time. I have said before that if any security updates cause problems then I won’t install them until they are fixed. If the problems are not fixed then the offending updates won’t be installed.

I will continue to wait and monitor the IE11 situation. Is it just my feeling that IE security updates (and Office updates, I don’t use Office now so problems with Office updates won’t affect me) seem to be causing problems all the time?

For a Group A user who encounter problems with IE11 he/she may have to uninstall the whole rollup KB4012215 (Windows 7) to fix the problems. I would have thought I almost never agree with Microsoft anything but this time I agree with Microsoft separating the security-only update and IE security update. I can patch the other security problems this month without installing the troublesome IE patch at this time.

Hope for the best. Prepare for the worst.

Reply | Quote

KB4016446 is also applicable to Windows 7 and 8.1 users who have installed the March 2017 monthly rollup. (I tested this scenario on Win 7 x64.)

Reply | Quote

I’ve been thinking about it lately and I’m starting to consider the idea of discontinuing patching for my own computer after April 2017 (even though I’m 90% sure I do qualify for updates still).

I feel like with this new Windows 10 Update and the recent push for people to update to W10, I think Microsoft is going keep slipping things into updates that will bog down W7 operations. I know that sounds a little like a conspiracy theorist but with all these telemetry measures, it’s only more intrusion from here.

I appreciate what people on this site do to dissect each update for W7 to see whether or not it contains something that’s intrusive or legitimate or buggy. I will always use this website for my Windows needs but I’m not feeling so confident about Microsoft and their intentions.

Reply | Quote

I fully updated my Windows 10 Pro x64 (1607) PC yesterday.  No surprises here.  Everything seems to be working OK.  The updates were fast & smooth, just one reboot and done.

However, I did take an image first, just in case

This is what I found when I checked for updates:

Windows 10 March 2017 Updates

Windows 10 Pro 22H2

Reply | Quote

Not sure if this is the correct place for this. If not, then move, delete.

Group B person. Win 8.1 Home 64bit. Cannot install March 2017 Security Only Update, KB4012213. Get the ol’ ‘couldn’t complete the updates, undoing changes’. CAN use Win Upd to install Office Upds, other items. CAN install both IE fixes for 3-17. No Logjam problem.

Ran Win Upd Troubleshooter, it ‘fixes’ error, 0x8024402c. Error detail for this error says RC_DataStore. Also says BITS problem, Type Net Helpmsg 2182 which points to IIS.

Ran sfc /scannow, it said it fixed some files but not all.

Ran DISM.exe /online /cleanup-image /restorehealth, it said it fixed files.

Have tried, I think, 6x. Tried again after each above fixes and repairs. All this, still no joy.

Sure would be nice to unbundle all the fixes rolled up into KB4012213.

Thanks.

Reply | Quote

I can ask some simple questions to begin with.

1. The patch you are trying to install should be this one. Correct?
http://download.windowsupdate.com/c/msdownload/update/software/secu/2017/02/windows8.1-kb4012213-x64_5b24b9ca5a123a844ed793e0f2be974148520349.msu

2. Did you by any chance accidentally install KB4012216? Because if you did you should not be able to install KB4012213.

3. You installed the IE patches. The hotfix does not require reboot. Did you reboot anyway before you installed KB40122213 KB4012213?

4. Are you running any anti-telemetry software like O&O Shutup or Spybot AntiBeacon?

Reply | Quote

Thanks for the questions.

1) Yes, tried again from your link today. Same problem. Update dies @ about 90% mark after the restart process.

2) No. Understand the difference.

3) Yes. Tried KB4012213 before and after both IE fixes. No difference.

4) Had Anti-Beacon installed. It is gone now. Do not remember if I removed it or SFC or DISM did.

FWIW… My Win 7 x64 SP1 machine did ok with all appropriate fixes (KB4012212, etc.) My tablet w/ Win 8.1 Home x86 did ok also with Anti-Beacon installed. Ran SFC again today on broke machine. No errors.

Been a Group B person before there was a Group B. Have my own spreadsheet tracking mostly unwanted updates to our three machines. Been around since the ‘cloud’ was a dumb terminal in a room hard wired to a controller connected to a ‘channel’ on a mainframe and storage was 6 banks of multi-platter HDDs. Always learning something new.

Reply | Quote

OK, one more thing I want you to try before we go to the trouble of cleaning out the SoftwareDistribution folder. I have seen this work once before. It may, or may not, work here. But I think it’s worth trying first.

Uninstall KB4016446 (if it’s installed) and KB4012204 in that order.
Reboot your PC.
Wait 10 minutes after login.
Control Panel\Administrative Tools\Services – stop the Windows Update Service
Try to install KB4012213 again
If it is successful, you can close the the box and reinstall KB4012204. If it searches for a long time you may have to re-stop the WU Service.

If this is not successful, come back for further instructions.

Reply | Quote

Thanks for the suggestion. No change. Still dies @ about 90 to 96% mark as before.

Reply | Quote

OK, give me till tomorrow to put together the instructions. Check back in th e morning

Reply | Quote

What this procedure is going to do is clean out the datastore.
What will happen: It will erase your update history. If you have hidden any updates, they will no longer be hidden, so make a list before you start.
What won’t happen: It will not uninstall any updates. It will not erase the “Installed Updates” list.

1. In Windows Update, set it to “Never check for updates”
2. Reboot your computer, login, and wait 10 minutes without dong anything.
3. Control Panel\Administrative Tools\Services – stop the Windows Update Service, stop the Background Intelligent Transfer Service, stop the Cryptographic Services (highlight the Service, click on the “stop” link upper left)
4. Go to C:\Windows Rename the SoftwareDistribution folder to SoftwareDistribution.old
5. Reboot your computer

6. Login, wait 15-20 minutes without doing anything.
7. In Windows Update, Check for updates. It may take a long time.

DO NOT check anything in the “optional updates” list
DO NOT check anything that is unchecked in the “important updates” list
If you have been hiding the telemetry patches, the list for Win8.1 is here
It is not recommended to hide anything else. Unchecking an update means it will not be installed.
8. UNCHECK the Security Monthly Quality ROLLUP for Win8.1
9. UNCHECK any driver updates
10. Install the remaining checked updates
11. Reboot, login, wait at least 10 minutes without doing anything.
12. Check for updates
13. Repeat steps 8. through 12. each time unchecking the Security Monthly Quality ROLLUP for Win8.1 and the driver updates until those are the only things left.

14. In Services, stop the Windows Update Service.
15. Install KB4012213 manually
16. If it installs successfully, close the box. Install KB4012204. If it searches for a long time you may have to re-stop the Windows Update Service.
17. Reboot, login, wait 20 minutes without doing anything.

You should be good until the next time the DEFCON number is 3 or above.

Reply | Quote

PKCano… Thanks very much for all the time you spent on this for me. Appreciate it.

Reply | Quote

As far as I know, there is no need to wait a certain number of minutes after rebooting. Any pending Windows update-related processing that happens during a boot is happening while the “Configuring Windows Updates” message is displayed.

Reply | Quote

anonymous wrote:

As far as I know, there is no need to wait a certain number of minutes after rebooting.

Thank you for that reference again.

In my experience, after running Windows Update and rebooting, if I open the Task Manager, the CPU usage is higher than normal, in some cases very high. One of the processes causing the high resource usage is TrustedInstaller. The length of time before this subsides varies, but is longer with low end computers with slower CPUs, less RAM, and spinning hard drives (the average home PC).

If I talk to the average User about Task Manager, processes, TrustedInstaller, and CPU usage at 7-10%, I usually get a blank stare. So I simply say wait 10 minutes. Most people seem to understand that and that pretty much covers all bases.

For those reasons, I will continue to recommend that Users wait 10 minutes after reboot, particularly in the case of doing multiple searches for updates. Who hasn’t got an extra 10 minutes  

Reply | Quote

Microsoft Update Catalog is now available at https://www.catalog.update.microsoft.com/Home.aspx.

2 users thanked author for this post.

walker, woody

Reply | Quote

KB4012215 and MSRT now both satisfactorily installed on both my Windows 7 machines. No issues apparent, and both machines now pass the Logjam test with both Chrome and IE11 (the latter failed the test before the update was installed).

Thanks as ever to Woody and his gang of MVPs for the constant advice!

Reply | Quote

I survived another one, thank Heaven and thank you!

I was going to say Private Schiller reporting, but I caved in and joined Group A, so I’m not private anymore.

It went surprisingly fast, but it also said it was installing only four files. Funny thing is that I only see one on the installed file list. And this “Important” one was not installed:

Update for Windows 7 for x64-based Systems (KB3177467)
Download size: 8.9 MB
Update type: Important
Install this update to resolve issues in Windows. For a complete listing of the issues that are included in this update, see the associated Microsoft Knowledge Base article for more information. After you install this item, you may have to restart your computer.
More information:
http://support.microsoft.com/kb/3177467

After missing Oct-Dec, here’s what I have now. (I don’t understand how the hotfix list works, it’s not really in date order.)

 

Security Update               KB3167679               Admin-PC\Admin          9/13/2016
Security Update               KB3168965               Admin-PC\Admin          8/5/2016
Security Update               KB3170106               Admin-PC\Admin          8/5/2016
Security Update               KB3170455               Admin-PC\Admin          8/5/2016
Update                        KB3170735               Admin-PC\Admin          3/5/2017
Update                        KB3172605               Admin-PC\Admin          3/5/2017
Security Update               KB3175443               Admin-PC\Admin          9/13/2016
Security Update               KB3177186               Admin-PC\Admin          3/5/2017
Update                        KB3177723               Admin-PC\Admin          9/13/2016
Security Update               KB3177725               Admin-PC\Admin          9/13/2016
Security Update               KB3178034               Admin-PC\Admin          9/13/2016
Update                        KB3179573               Admin-PC\Admin          3/5/2017
Update                        KB3181988               Admin-PC\Admin          3/5/2017
Update                        KB3184143               Admin-PC\Admin          3/5/2017
Security Update               KB3205394               Admin-PC\Admin          1/29/2017
Update                        KB3210131               Admin-PC\Admin          3/5/2017
Update                        KB976902                Admin-PC\Administrator  11/21/2010
Update                        KB982018                NT AUTHORITY\SYSTEM     2/15/2013
Security Update               KB4012215               Admin-PC\Admin          4/2/2017

 

Reply | Quote

Morty wrote:

And this “Important” one was not installed: Update for Windows 7 for x64-based Systems (KB3177467)

That is the latest servicing stack. It has to be installed by itself after all the other checked important patches are installed.

Go back in Windows Update, be sure it’s checked, and install it. If there are no other checked patches waiting to install, it should go ahead and install.

1 user thanked author for this post.

Morty

Reply | Quote

Go back in Windows Update, be sure it’s checked, and install it. If there are no other checked patches waiting to install, it should go ahead and install.

Thank you. Will do.

Reply | Quote

PKCano wrote:

Morty wrote:

And this “Important” one was not installed: Update for Windows 7 for x64-based Systems (KB3177467)

That is the latest servicing stack. It has to be installed by itself after all the other checked important patches are installed. Go back in Windows Update, be sure it’s checked, and install it. If there are no other checked patches waiting to install, it should go ahead and install.

Thanks again. I installed it and then found out I’m missing one more checked “important” update:

Update for Windows 7 for x64-based Systems (KB3150513)
Download size: 1.3 MB
You may need to restart your computer for this update to take effect.
Update type: Recommended
Install this update to resolve issues in Windows. For a complete listing of the issues that are included in this update, see the associated Microsoft Knowledge Base article for more information. After you install this item, you may have to restart your computer.
More information:
http://support.microsoft.com/kb/3150513

Now what?

Reply | Quote

That is part of the MS telemetry patches. You can read about it here and here
If you have not been hiding the telemetry patches, you can install it , or not. It doesn’t hurt anything. You don’t need it. It’s just not of any use unless you intend to upgrade to Win10.

1 user thanked author for this post.

Morty

Reply | Quote

PKCano wrote:

That is part of the MS telemetry patches. You can read about it here and here If you have not been hiding the telemetry patches, you can install it , or not. It doesn’t hurt anything. You don’t need it. It’s just not of any use unless you intend to upgrade to Win10.

Thanks again.

I think I’ll pass. I went Group A. Not AAA.

I’ll sit it out until the next wave.

1 user thanked author for this post.

AlanH

Reply | Quote

Any updated recommendations on the March security patches?

Reply | Quote

Hi,

I still have a machine (my parents’) which has not been patched with March updates, missed the window of opportunities for MS-DEFCON-3 as I was away. Should I still go ahead and patch this week (and somehow hide any new/April updates for MS Office 2007) seeing as Creator’s Update will be released next week? The machine is on version 1607, Win10 of course.

Reply | Quote

It’s not recommended to HIDE updates, If you uncheck them they will not get installed.
DO NOT check anything that is not already checked.
UNCHECK any patches with an April publishing date (when you highlight the update in the “important update” list, the date will appear on the right)

Then it is safe to go ahead and install the March patches in the way you usually would (Group A or Group B)

Reply | Quote

I don’t think Windows Update in Win10 gives me the option of checking and unchecking individual patches the way Windows 7 or 8 does.

That’s why I was asking if I should hide the April MS office updates temporarily, to avoiding WU installing April updates for Office 2007 if there’s any.

Reply | Quote

I missed the part about Win10.
There are no non-security patches for Office 2007. Only for Office 2013 and 2016.
But the March patches are good to install.

Reply | Quote

So I guess I don’t have to temporarily hide anything then. Such a relief! Thank you so much for your help! Really appreciate it!

Reply | Quote