New Windows 7/8.1 updating method coming

Topic

New Reply

It’s almost time to move the MS-DEFCON level, but when I do, I want to get it right – and get your input. As you all know, I’ve recommended “Group A”
[See the full post at: New Windows 7/8.1 updating method coming]

7 users thanked author for this post.

walker, HiFlyer, flackcatcher, JDeC, MrJimPhelps, ch100, AJNorth

Reply | Quote

Replies

I still feel that group W is a reasonable option. You can install updates as needed, and forego the rest. Let me also expand upon that by saying that some AV’s (I know of Bitdefender) protected against WannaCry almost immediately, which was a great help to our corporate home office. In that regard, you may be unpatched, but depending on what your tertiary security measures are, it may not be as critical.

Furthermore, I’m curious (and have mentioned this before) of the idea that you can limit or remove the telemetry from group A. Again, as far as I know, the updates are “all or nothing”, and you either have them all (group A), or none (group B).

Group B is annoying compared to group A, yes. However, after being acclimated to group B since October 2016, I’m not abandoning it. IMHO, the easiest thing you can do (as a group B’er) is run Windows Update, see what updates you need, and then find the Security Only variants of each. Typically that’s 3 a month; 1 for Windows, 1 for IE, and 1 for .NET. Once done, hide the Security and Quality versions in WU. I can deal with that.

5 users thanked author for this post.

HiFlyer, samak, lizzytish, SueW

Reply | Quote

@zero2dash

Agree.

Bear in mind that in Oct 2016, M$ imposed monthly Security-Only Patches to accommodate the Enterprise-users who are very sensitive to non-security updates and who also happen to be M$’s VIP-goose that lay golden egg$.

1 user thanked author for this post.

HiFlyer

Reply | Quote

Win 7, Group B – being in this group is a real pain in the butt.  But then I don’t like the possibility of having my graphics card, audio card, keyboard, or mouse updated without my permission.  Am I way off key or does this kind of thing not happen anymore?  It’s been what has kept me in Group B.

Being 20 something in the 70's was so much better than being 70 something in the insane 20's

4 users thanked author for this post.

HiFlyer, grayslady, JDeC

Reply | Quote

It certainly does happen.

With luck, we’ll be able to catch those early in the update cycle. I still figure it’ll take 2 weeks or more before the move from MS-DEFCON 2 to MS-DEFCON 3 (or 4).

6 users thanked author for this post.

Elly, HiFlyer, SueW, JDeC, Charlie

Reply | Quote

In 2017 you should update your drivers especially for old machines from Windows Update.
I know it is a controversial point of view, but it is the only way forward for old machines especially moving on through various releases of Windows 10.
By now everyone should plan to move on either to Windows 10 or leave Windows and return if they figure out that they didn’t choose wisely.
There is no perfect operating system and while MacOS is by far the closest to the ideal among the commercially supported ones, it is not perfect either.

Reply | Quote

I don’t see why.

Group B is a very reasonable strategy for the time being. What you suggest may become an issue when the old system starts to have problems, but not before then. It took me years to customize, optimize and set up app config that suits me and I am not gonna drop that and take few more years to redo it for no benefit whatsoever just to satisfy MS’s greed.

8 users thanked author for this post.

Elly, Charlie, David F, HiFlyer, owdrtn, samak, lizzytish

Reply | Quote

“By now everyone should plan to move on either to Windows 10 or leave Windows and return if they figure out that they didn’t choose wisely.” Does this statement go to the heart of the attack on the ‘Group B’ method of updating? The view expressed here reminds me of an argument I came to this website to escape, called GWX. I have been sensing the ethos of the Lounge change.

4 users thanked author for this post.

samak, HiFlyer, wdburt1, Capella

Reply | Quote

EOL for Win 7/8.1 is in 2020/2023, and not 2017.

Is M$-Windows Update a ‘ransomware’ to push Win 7/8.1 users onto Win 10?

Reply | Quote

Of course not.

Reply | Quote

ch100 wrote:

In 2017 you should update your drivers especially for old machines from Windows Update … By now everyone should plan to move on either to Windows 10 or leave Windows

Why would be WU better than manufacturer’s site? The only thing that is better about it is convenience – but the price you pay for it may seem too high for many.

99% of Windows software works on 8.1 (100% of software I am interested in), it gets all the necessary updates for the next 6 years – why would I need or want to change?

Fractal Design Pop Air * Thermaltake Toughpower GF3 750W * ASUS TUF GAMING B560M-PLUS * Intel Core i9-11900K * 4 x 8 GB G.Skill Aegis DDR4 3600 MHz CL16 * ASRock RX 6800 XT Phantom Gaming 16GB OC * XPG GAMMIX S70 BLADE 1TB * SanDisk Ultra 3D 1TB * Samsung EVO 840 250GB * DVD RW Lite-ON iHAS 124 * Windows 10 Pro 22H2 64-bit Insider * Windows 11 Pro Beta Insider

Reply | Quote

The Nvidia graphics update  today was listed as optional so it didn`t automatically  download.

Reply | Quote

For NVIDIA drivers, I always go directly to their download site: https://www.nvidia.com/Download/index.aspx?lang=en-us .

3 users thanked author for this post.

Charlie, woody

Reply | Quote

AJNorth wrote:

For NVIDIA drivers, I always go directly to their download site: https://www.nvidia.com/Download/index.aspx?lang=en-us .

Agreed. I never use Windows Update or any kind of vendor “automatic updates” for updating drivers, especially video drivers. I never install “Nvidia Update” or “GeForce Experience” when installing or updating drivers (updating drivers only when necessary).

However, since I run non-English versions of Windows, I can’t go to the Nvidia US site for drivers, as the US drivers do not support other languages. I need to go to, say, the UK or TW site to download the International drivers which contain support for multiple languages.

Hope for the best. Prepare for the worst.

2 users thanked author for this post.

HiFlyer, AJNorth

Reply | Quote

Excellent point (and my error); the link I should have posted is https://www.nvidia.com/Download/index.aspx (or even the main corporate site, for those who wish delve further: http://www.nvidia.com/content/global/global.php ). Thanks for pointing that out.

Reply | Quote

@AJNorth:   What is NVIDIA?  I don’t have it insofar as I know and have no idea what it is.  Thank you for any information you may have on this one.

Reply | Quote

@ walker

Nvidia is a brand of usually high-performance GPU(graphics power unit) adapter cards for gaming, video-editing, game development, etc. The graphics card needs a software driver to work, ie display things on the screen.
The other famous brand for GPU are AMD and Intel. GPU are mostly used in high-end computers.

For online gaming, if your computer is not powerful and fast enough to display game progress in milli-seconds(= fps = frames per second), you will lose the game because the screen display caused you to press a key a few micro-seconds slower than your opponents.

2 users thanked author for this post.

AJNorth, walker

Reply | Quote

@anonymous:    My apology for being so far behind with “everything”.  I knew I owed a big “thank you” to you for your excellent response to my question.    Thank you very, very much for taking the time to reply.    Your expertise and knowledge is sincerely appreciated!!   

Reply | Quote

For Group B I would recommend downloading SpyBot Anti-Beacon for telemetry because it is easy to use. I will wait a couple of weeks to download the updates.

Reply | Quote

Install what third-party software you wish on your machine, but do not come back for advice when your machine and registry keys are modified and you will not know how to revert to a good state.

1 user thanked author for this post.

walker

Reply | Quote

With due respect, CH100, your views are YOUR views. Woody’s Lounge works according to Woody, and
I believe he respects the other’s point of view and does not make disparaging remarks about them in the process. We are a diversified group coming from different points of view and opinion, and he encourages that because in the end we get to hear and discuss all sides of the argument. Maybe
that is what you intended by your remarks………… but alas it didn’t come over that way to me.
Just my 2 bits. LT

10 users thanked author for this post.

Elly, SueW, Cybertooth, HiFlyer, wdburt1, GoTheSaints, samak, Capella, Pim

Reply | Quote

@LT
Windows is a piece of engineering and using it as it was designed is not subject to a popularity contest.
If you or anyone else is in the fan business, that’s fine.
I am not.

Reply | Quote

So somebody recommends something (“For Group B I would recommend downloading SpyBot Anti-Beacon for telemetry because it is easy to use. I will wait a couple of weeks to download the updates.”) and all you can do is come up with some  comments?

Save those  comments and show some evidence why this recommendation is not a good idea.

Edit
Please follow the –Lounge Rules– no personal attacks, no swearing, and politics/religion are relegated to the Rants forum.

Windows 10 Home 22H2, Acer Aspire TC-1660 desktop + LibreOffice, non-techie

3 users thanked author for this post.

wdburt1, Cybertooth, HiFlyer

Reply | Quote

I don’t know what PKCano edited out of your reply but also in the Lounge Rules it stipulates “…dislike wading through reams of repetition…”. I’m sorry but I consider ch100’s stance as repetitive (even if I have taken this out of context) and aired in so many threads, we’ve all heard it many times before.

I respect ch100 and his knowledge / expertise but on the other hand he should respect ours whether it be wrong or right. We are free thinking individuals (we have that right) and do think for ourselves.

9 users thanked author for this post.

Elly, wdburt1, SueW, samak, Cybertooth, HiFlyer, Alice, Capella, lizzytish

Reply | Quote

@samak
We discuss Windows Update.
You come with a proposal for a third-party product which is not mainstream, at least not for those understanding Windows at a certain level and which actually breaks Windows functionality, functionality which you may need or not, but other users may wish to keep as it was intended.
Unless you monitor the registry keys and files which are modified by that software and explain to everyone which benefit this brings to the end user, then that software may produce changes which are not easily reverted by uninstalling.
This is a well known side-effect of installing and uninstalling many utilities and only very few behave according to the standards.

1 user thanked author for this post.

HiFlyer

Reply | Quote

@CH100 ……. my comments were not related to Windows perse………… it was simply your tone
and choice of words……. you could have perhaps worded your message more diplomatically.
That’s all. And I am certainly no FAN of anything ….. enough said. LT

Deal with the faults of others as gently as your own. — Chinese Proverb

1 user thanked author for this post.

HiFlyer

Reply | Quote

I agree with you – and that’s why I won’t recommend third party anti-snooping tools.

I would hate to say to normal Windows users “install XYZ to protect your machine from snooping” and then have XYZ screw up the machine, fail to work, or turn into something sinister.

Registry cleaners fall in the same category, for the same reason.

I took a big gamble with GWX Control Panel, and it worked out very well. But I got to know Josh, see where he was coming from, and work with him the whole time. In addition, GWX Control Panel was pretty straightforward, with known consequences (Josh reverse engineered and corrected Microsoft’s documentation). The anti-snooping software I’ve seen isn’t nearly as straightforward.

6 users thanked author for this post.

Elly, AJNorth, JDeC, SueW, ch100, HiFlyer

Reply | Quote

I have been using it, but I am not clear what it does and how effective it is. It provides no feedback.

1 user thanked author for this post.

ch100

Reply | Quote

One thing SpyBot AntiBeacon does is modify your hosts file to “sink” resolutions of certain site names, effectively blacklisting some Microsoft-initiated communications. To be clear, that’s a way to block some, but not others, and it’s not strictly necessary to use 3rd party software to do it. Here are the Microsoft entries I keep in my own hosts files:

# Unwanted Microsoft site contacts from IE

0.0.0.0  iecvlist.microsoft.com             # Compatibility view list, contacted even though deconfigured
0.0.0.0  ieonline.microsoft.com             # Something IE contacts that it shouldn't
0.0.0.0  r20swj13mr.microsoft.com           # Unknown why this is contacted by IE when being shut down

# Miscellaneous unwanted Microsoft comms

0.0.0.0  spynet2.microsoft.com              # AV and MSRT telemetry
0.0.0.0  spynetalt.microsoft.com            # AV and MSRT telemetry
0.0.0.0  wdcp.microsoft.com                 # AV and MSRT telemetry
0.0.0.0  wdcpalt.microsoft.com              # AV and MSRT telemetry
0.0.0.0  www.bing.com                       # Microsoft's intrusive search engine
0.0.0.0  bing.com                           # Microsoft's intrusive search engine

Thing is, there’s not just one “telemetry” communications stream. What Windows does online is much, much more complex than that! And you really DON’T want to block all the comms – there are some very necessary sites that need to be contacted regularly or ad-hoc, for example for the purposes of certificate verification, or the download of malware definitions.

Lastly, not every system has the same needs, because users have different uses for them, expectations from them, and run different software. Some commercial software has to do license checks online in order to continue to run properly (Adobe software for example).

-Noel

9 users thanked author for this post.

Elly, walker, AJNorth, BobbyB, SueW, ch100, HiFlyer, woody, MrBrian

Reply | Quote

Out of curiosity, do you know if any of MS “telemetry” communications streams skip the host file and communicate directly to a MS host?

1 user thanked author for this post.

HiFlyer

Reply | Quote

We’ll agree to disagree on this one. It is an acceptance of MS’s blackmailing users to accept telemetery and botched patches, which in most cases won’t protect because the malwarers are always several steps ahead of sw vendors.

The core problem for Group A for Win10 users is that it forces the users to upgrade their system together with the patching to whatever MS chooses to add to monetize Windows. That cannot be an acceptable solution whichever way you look at it. In the Win10 case, since you cannot avoid upgrades with just security patches you MUST take frequent backups and restore in case of attack. IMO that’s maybe a less convenient but safer and freedom-focused bet. MS should not be rewarded and encouraged for most eggregious behavior.

Those who want to use computers in total ignorance will choose Group A and take the consequences. Those who understand that a minimal effort is necessary to protect yourself from everybody trying to sc**w them  should make the effort and choose Group B for Win7/8 and Group W for Win10 pre-current version and take frequent system backups.

There is absolutely NOBODY and NOTHING in the current system that protects the public–all the mechanisms for that are dismantled–so people must start to realize that they must invest resources into protecting themselves. If they don’t they deserve what they get.

Edit for content

 

1 user thanked author for this post.

HiFlyer

Reply | Quote

fp wrote:

We’ll agree to disagree on this one. It is an acceptance of MS’s blackmailing users to accept telemetery and botched patches, which in most cases won’t protect because the malwarers are always several steps ahead of sw vendors.

Oh, I agree with you. Microsoft has control of Win7 and 8.1 machines. No question.

I also agree that Win7 customers didn’t sign up for this… uh, stuff. Microsoft has grafted  telemetry/snooping stuff onto Win 7 as a “bonus feature.”

Given that fact, I want to make the best recommendations I can for coping with the problems.

6 users thanked author for this post.

Elly, walker, SueW, HiFlyer, Alice, lizzytish

Reply | Quote

I am following Group B minus. A sort of in-between B and W. I apply security only patches as outlined by pkcano, but a bit later. Woody, your warning about MS17-010 was timely and painted the picture. I immediately instructed my clients to install that one.

At this point, the only hope for B is the pkcano instructions.

Group W still has an option to bail anytime they wish. It would be easy if it was warranted to jump to Group A quite quickly = really just one cumulative update.

None of my clients have Office versions later than 2010. I have refrained from installing those “updates” after January. I will eventually do them to, but only after I am confident the dust has settled.

So far, I have installed Oct, Nov, Dec, Jan and Mar security only patches, .net, IE for March, and Office up to and including January. In another couple months, I will likely make another update pass.

It has become way too complex for any average person to follow B. So, from a purely practical perspective, I do the updates on all those computers remotely for my clients.

Status: Not a single one of my 150 client Win 7 computers has had a whimper of a problem since last Summer. In fact, they are more stable than I have ever seen them. I should add that all of them use Bitdefender Antivirus +. Changing from Norton AV a couple of years ago has turned out to be a hugely good move. I have not seen a single infection since then. Bitdefender has turned out to have an outstanding product. It is so outstanding that I do not have to deal with their “customer service” which is nothing short of pitifully worthless.

CT

8 users thanked author for this post.

Elly, HiFlyer, woody, SueW, grayslady, wdburt1, ch100, NetDef

Reply | Quote

Spooky simularities between you and I . . . .

Like you, most of our clients are on Win 7 Pro, some are slowing moving to Windows 10 Pro and ENT (due to the fact that it’s become difficult to get new hardware that runs perfectly on Win 7.)

Almost all of our clients use Office 2010.

And, like you, Windows 7 seems to be doing VERY well lately, better than usual in fact.

Unlike you, we are keeping Office 2010 fully patched.

So far: no significant problems at all this year.  We are on Group A- (or B+) . . . see my other post below.

The last Office 2010 patch that gave us any real problem was back in 2015!  It was KB3114409 for Outlook 2010. ( I remember that MS yanked it within the week from the update service. )

~ Group "Weekend" ~

2 users thanked author for this post.

woody, ch100

Reply | Quote

Thanks for this. I evolved the “Group B” approach – or something very similar – for myself a year ago, on the suggestion of one particular P.C. technician, whom I was calling on at that time on a fairly regular basis to resolve various software issues which were rendering my computer difficult to use or to update. Discovering this website made life a whole lot easier, because instead of scratching my head and scrabbling around in the Update Catalog and Download Centre I could simply follow Woody’s excellent directions and links. The upshot? In the last year I have had no computer problems whatsoever – at least, nothing I couldn’t resolve myself with a little help from Google. I am no longer on first-name terms with all the P.C. technicians in my area, am far less stressed and saving a fortune. And you wonder why I don’t want to go back to installing everything that comes down the Windows Update chute!

3 users thanked author for this post.

HiFlyer, lizzytish, samak

Reply | Quote

Since backups are a must anyway, why isn’t increasing the frequency of backups good enough for B-7/8 and W-10?

Reply | Quote

@fp
Increasing the backup frequency (let’s say differential hourly backup for the sake of providing a real-life example, while minimising the load on the system during backup) is indeed a legitimate way to mitigate potential problems with malware if not patched.

The issues are:
– it is very difficult to backup in real time and some information would inherently be lost if a restore job is needed; in the example, only maximum of 1 hour worth of data would be lost; this may not be a significant problem for many environments
– considering that the previous issue is not significant, the complications related to scheduling jobs and the potential loss of performance during the backup jobs makes this approach less practical.

Otherwise, as I said above, this is a perfectly legitimate approach.

I appreciate that you mentioned this approach as a very good alternative to patching when this is not practical or desired.

Reply | Quote

The big concern I have over backups is the fact that any writable drive on a Windows machine (barring some approaches I haven’t encountered) is always mounted. I don’t see why it would be immune to mal-encryption.

On Linux, my backup drive is unmounted (not available, with only root having the ability to mount it) unless the backups are actually in process. The differential backups usually take under a minute unless I’ve downloaded a rather large source file. (note to self, check the next time you get Pale Moon source code).

Because of this concern, I’ve gone to an extreme version of Group W on my sole Windows 7 machine. It hasn’t been updated since the March Defcon reduction, but it hasn’t been on line. It’s not near the wired LAN, and I seldom activate wireless, and not when that machine is on. (I still have to disable the wireless adapter. I use sneakernet for printing and file transfer.) It’s a specialty machine, only used for running Quicken and a couple other applications that don’t have Linux alternatives. I’m not recommending this approach for anybody else, but it works for me.

Beyond plugging/unplugging the USB drive, is there a good way to keep a Windows backup from exposure to malware? Anybody considering moving from Group W to A or B should know…

Reply | Quote

I think Group B  should be left as is now, there’s nothing wrong with it, and has been very valuable advice, to change it  is letting this alleged hacker group (who could be MS paid) win ,

If you have a reputable  paid security suite installed on your  machine and also use other  tools to scan  files  such as Hitman pro, or Malwarebytes free versions, and you exercise some common sense and caution whilst using the internet  the chances are that you will not end up with ransomware  on your machine’s

14 users thanked author for this post.

Elly, JDeC, Cybertooth, HiFlyer, samak, Deep Lurker, lizzytish, Bill C., SueW, grayslady, wdburt1, twbartender, 212louis, Canadian Tech

Reply | Quote

Group B isn’t going away. I’ll still discuss it. But I’m going to recommend Group A for most Win 7/8.1 users, with additional advice for those who don’t want much of the snooping.

5 users thanked author for this post.

Elly, MrToad28, HiFlyer, Pepsiboy, lizzytish

Reply | Quote

That’s good, glad to hear that Woody. I’m one of the non-techy kind……… and so far I feel that I have been capable enough (thanks to you and PKCano) to keep my machines, both Win7 and Win8.1, in Group B successfully. As someone else mentioned 3 patches a month basically, with the Security, IE, and possibly .NET…..oh! and of course the Office patches. But honestly it’s not a big deal is it…… because you and PKCano do all the leg work for us……. it’s relatively easy.
Both my machines are running well……… and some of the stories that one is led to believe that if ones doesn’t update per Group A………. then you are looking for trouble…… and that some of the less technically minded are leading other’s astray with their biased opinions. At the end of the day, it’s up to each of us to decide and carry out what we think is best. For me right or wrong depending on which side of the fence you are on, Group B. is working for me and that’s where I plan to stay for the rest of the ride. Many thanks Woody and PKCano for your help…….. from one grateful Lounger with much appreciation. LT

I don’t know why I should learn Algebra, I’m never likely to go there! Billy Connolly

4 users thanked author for this post.

Elly, GoTheSaints, SueW, HiFlyer

Reply | Quote

I’m group A with a delay  using Spybot Anti-beacon to  limit unwanted telemetry. A few days after a patch  is released, I generally go to several sites to follow patching…infworld and askWoody are favorites. I also check if Microsoft is disclosing known  issues and  google “MAY 2017” PATCH TUESDAY “WINDOWS 7” issues OR PROBLEMS. If nothing ugly turns up,  I patch a test box after creating 2 restore points. I apply 1 patch at a time and create restore  points between patches. If nothing goes wrong, I follow same procedure 1 PC at a time of several days.

There are many sites that introduce and describe patches..redundant and not terribly helpful.

What would  be helpful would an  aggregation of  the real world problems people are having organized by operating system…I don’t  have Win 10 so I rather not waste time  reading about Win10 specific  issues.

Maybe some sort of poll might be useful.

Reply | Quote

woody wrote:

Group B isn’t going away. I’ll still discuss it. But I’m going to recommend Group A for most Win 7/8.1 users, with additional advice for those who don’t want much of the snooping.

Good. I can accept that. I will ignore your “recommendation” and stay with B. It is fine with me so far. I see no reason to change to A.

Actually, I can find the updates myself, with the help of lists that Microsoft has made up:
https://support.microsoft.com/en-us/help/4009469/windows-7-sp1-windows-server-2008-r2-sp1-update-history
https://support.microsoft.com/en-us/help/4009470/windows-8-1-windows-server-2012-r2-update-history

So I can probably keep with B myself even if you stop discussing it here. But still your promise of keeping and discussing B is good. I am happy with your decision.

Hope for the best. Prepare for the worst.

2 users thanked author for this post.

SueW, The Surfing Pensioner

Reply | Quote

I can’t figure out how our model works on Woody nominations.  Group A- maybe?

We deploy critical security and definition updates the night they are released.

Normal security updates and Important updates weekly the Friday night after patch Tuesday.

Most other updates we defer until the last Friday of the month.

We never deploy Driver updates from Microsoft except for Microsoft devices (think Surface.)

Feature updates and Service Packs: Only when they get promoted to CBB (typically four months.)

 

~ Group "Weekend" ~

2 users thanked author for this post.

woody, ch100

Reply | Quote

Woody, the first seems simplest but how will you expect us to implement it?  “A short list of KB numbers, listing patches that should be removed. @PKCano has an example in the AKB 200003 documentation”?

Are we supposed to do the monthly Security-only updates or monthly rollup patches (as you recommend) and then afterwards remove the KB #s that you list?

My experience with removing patches has been worrisome, e.g. could not get into Win7 GUI and had to restore Windows.

Reply | Quote

You don’t have to remove anything.
That one is a sweetener for those paranoid types who believe in zombies.
Hope you are not among them and prefer to have a fully functional computer instead.

1 user thanked author for this post.

cmar6

Reply | Quote

> Hope you are not among them and prefer to have a fully functional computer instead.

This sentence in a MS context — I dk whether to laugh or cry.

1 user thanked author for this post.

HiFlyer

Reply | Quote

I don’t think I believe in zombies…. … but there are legitimate concerns about privacy that should be addressed.

Life would be so much easier if Microsoft would just tell us what data it’s collecting. Even if we got a dump of 1,966 data items – like we now have for the Creators Update Basic level Diagnostics setting.

I’m reasonably sure that the EU is going to take Microsoft to task for excessive snooping in Win10. It’s highly unlikely they’ll try to take on Win7.

Some people are more sensitive to privacy concerns than others. In the end, it may be a losing battle. But those who don’t want Microsoft to collect information about them should have a fighting chance at blocking the onslaught – particularly with Win7.

I remember the halcyon days of Dr Watson, and Windows asking politely if it could send data back to the mothership…

7 users thanked author for this post.

Elly, SueW, samak, Cybertooth, HiFlyer, Alice, lizzytish

Reply | Quote

My only concern with the suggested changes is that we appear to be moving away from Group B on the grounds that it’s become very complex while adding increased complexity to Group A whose supporters are the least likely (after those on automatic downloading) to want to get involved in such complexities as dismantling the rollups in order to e.g. remove the telemetry. I suspect that the main reason some of us opt for Group A is because it’s the simplest way of installing the updates we’re offered through WU rather than the more cumbersome approach of accessing individual updates in the MS catalog while allowing greater control especially over timing than is  provided with automatic downloading.

As a Group A user I’d personally prefer the Group A advice to be kept as brief and simple as possible, if people want a different way of approaching Group A rollups by way of dismantling the bits they don’t want then they should either switch to Group B or else have a link to separate advice elsewhere than in the main “Defcon raised” article.

4 users thanked author for this post.

woody, flackcatcher, grayslady, ch100

Reply | Quote

It is the right time, although a bit late if you ask me.
Unfortunately, promoting and maintaining Group B with huge efforts primarily by @PKCano since October 2016 has attracted a large number of users with limited understanding of the security implications of not doing it right and some of them are quite vocal in this sense and have influenced other unsuspecting users who now are getting confused not knowing who to follow.
To be clear:

– Group W is not an option
– Group B, while correct for securing the computers, altohugh less useful for resolving functionality problems, is only for those who use management tools. Technet and MSDN articles are not for amateur users who are not interested in the technical details. Technet is for IT Professionals (Engineers, Administrators, Enterprise support people). MSDN is for Developers and to some extent for the categories mentioned above. Anyone else can get information from those sites, but unless getting into the deep details, they should not generally follow Technet instructions. Group B style of updating has been presented and never recommended as the option of choice only on Technet.
– This leaves end-users who cannot design a method for themselves to use the old time tested Windows Update with its own quirks. Using officially supported methods like configuring Group Policies where available is acceptable and recommended if it resolves issues. Anyone who expects others to tell them what to do and what to install, is not suitable to follow Group B by definition.

Other considerations:

– Telemetry as malware is an urban myth.
– The “threat” to being upgraded to Windows 10 is another myth. Microsoft’s procedures for achieving this may not be ethical, but the end result useful to most end users who should be on Windows 10 already by now, or alternatively leave the Windows world.
– KB2952664 functionality is part of the Operating System for the latest server OS – see the frequent updates for its companion updating definitions KB3150513 for Windows Server 2016 and there is no reason not to install it.

What is good for organisations with 10,000 + users moving in mass to Windows 10 should be good enough for someone who has no idea about technology but somehow feels compelled to give advice in this matter, while expecting others to tell them what specific patches to install to suit their self-designed frame of reference.

3 users thanked author for this post.

gkarasik, flackcatcher, NetDef

Reply | Quote

I think you’re right – although it pains me to admit it.

ch100 wrote:

– Telemetry as malware is an urban myth.

True, but telemetry as snooping is not an urban myth. It’s a sign of the times, yes, but there are many people who, reasonably, don’t want to go gentle into that good night.

ch100 wrote:

– The “threat” to being upgraded to Windows 10 is another myth. Microsoft’s procedures for achieving this may not be ethical, but the end result useful to most end users who should be on Windows 10 already by now, or alternatively leave the Windows world.

The Get Windows 10 campaign was unethical. But we’re beyond GWX now. I don’t think Win10 is a “my way or the highway” version — people can still be productive with Win7 and (shudder) 8.1. That’s going to change over the next 2.5 years, as support for Win7 disappears, but for now, half of all Windows users are on Win7.

The problems with Win10, as opposed to Win7, are diminishing. Both now have an equally unwieldy patching model. At the same time, quality of patches is improving for both. Win10 snooping has decreased, largely as a result of EU threats, as Win7 snooping has increased. There are some very good reasons for staying with Win7 – program and driver compatibility being a main one. And there’s at least one reason for avoiding Win10, with it’s new-version-every-six-months forced upgrade pace. (Yes, I know you can skip one version, but only by stretching things quite a bit.)

I think in the next 2.5 years you’re going to see even more people dumping Windows – although all of the alternatives have congenital flaws.

ch100 wrote:

– KB2952664 functionality is part of the Operating System for the latest server OS – see the frequent updates for its companion updating definitions KB3150513 for Windows Server 2016 and there is no reason not to install it.

That’s a good point, but it’s open to debate for folks who don’t connect to Windows Server.

3 users thanked author for this post.

Elly, SueW, lizzytish

Reply | Quote

I’m in group A, on full automatic, for my two Windows machines (7 and 8.1). My 7 machine is dual-booted with Xubuntu Linux, and I rarely run Windows on that machine. I am currently setting up a disconnected (i.e. offline) VM in my Linux system, with W7 in the VM. No Windows updates needed, if it stays disconnected.

Here’s what I advise others to do:
1. Set your machine to check for, but not download, Windows and Office updates.
2. Wait about a week or two after the updates are released, before installing them on your machine, to see how it went for everyone else.
3. Be sure to do a full backup before installing updates.

I probably should practice what I preach, but I am lazy.

Group "L" (Linux Mint)
with Windows 10 running in a remote session on my file server

1 user thanked author for this post.

BobbyB

Reply | Quote

Yep you do the same as I basically waiting for the fuss/problems about the latest crop of updates to die down. I run a multi-boot here in a similar fashion storing critical files elsewhere in other partitions/OS’s including off the machine if needs be. Should the “Horror of Horrors” occur necessitating a reinstall the back up images are updated to Oct 2016 and a couple of SYSPEPed images should I need to be further along on the reinstall curve. Yeah its a bit of work storing/filing stuff away each update session. Theres a fair amount of Maliase here also rather than go through a backup every crop of updates.
Just wondering if any of the exploits out there actually will infect .esd or .wim files as its a real breeze to reinstall/apply, I personally havent seen any mentioned anywhere.

Reply | Quote

Canadian Tech wrote:

It would be easy if it was warranted to jump to Group A quite quickly = really just one cumulative update.

Unfortunately we are not there yet.

Reply | Quote

Seff wrote:

As a Group A user I’d personally prefer the Group A advice to be kept as brief and simple as possible

The easiest way is the classical and the only supported way.

– Use Windows Update with the tweak that in most situations a delay is useful, either few days or follow MS-DEFCON which was designed specifically for that purpose.
– Install all Important patches. They are mandatory except for those unselected by default, which should be treated same as Optional.
– Install all Recommended patches except for those unselected by default, see above.
– Install selected Optional patches if needed or all if feeling adventurous. They are Optional.
– The only recommendation here is to not install the Preview Patches as they are a sort of later beta (i.e. release candidate) which will get rolled-up during the next main release. All other Optional patches are OK to install, but not mandatory.

This is general advice suitable for almost everyone following this site.

1 user thanked author for this post.

woody

Reply | Quote

Exactly.

Keep it simple like that for Group A, and let those who want to fiddle about dismantling this bit for telemetry and that bit for something else do so under Group B.

2 users thanked author for this post.

flackcatcher, ch100

Reply | Quote

I believe that’s the way to go….

Reply | Quote

Quote

There are three approaches that have caught my eye:

• A short list . . .

• A simple batch script, like the one @abbodi86 maintains. The problem is that some people will have a hard time figuring out how to run it.

I believe that abbodi86’s script isn’t maintained but always just works. So I would suggest that you recommend using abbodi86’s script and give a detailed explanation of what needs to be done in order to run it.

Advantage: the instructions remain the same every month.

2 users thanked author for this post.

woody, HiFlyer

Reply | Quote

Hi all, like on many blogs I follow, I am a lurker. A one-way, consumer only, that values every different viewpoint I find. I collect the thoughtful information, and distill it to arrive at my own opinion on what best fits my machine, in the way I use it.

The reduction in stress I have felt since finding this blog — hat-tip Canadian Tech and your efforts at the Win7\answers forum — is beyond measure. For my use, I find CT to be over-cautious. But I recognize why that is. I do not have to ‘underwrite’ the potential losses in a fleet of machines.

As a suggestion, I would feel most comfortable with the install all ‘important’, and disable bad ‘features’ after the fact. I recognize all the drawbacks in this approach. It is just my preferred balance point between maintaining operational status while minimizing impact. I regret I am unclear on how to label this approach in the current groupspeak. I think A- has been suggested, but see that that may be different.

My voice is redundant, because others with more knowledge are already going to make this happen.

Just as MSRedmond may license the use of their code but they do not own my machine, and GNU/Linux is a few keystrokes away. I respect your knowledge, ch100, and use it in my decision process.

Thanks for your time,
Paul

Edit
Please follow the –Lounge Rules– no personal attacks, no swearing, and politics/religion are relegated to the Rants forum.

2 users thanked author for this post.

woody, ch100

Reply | Quote

Apologies, Moderator.

I thought I had struck the proper balance. But I respect the task you have set for yourself.

Thank you,
Paul

Reply | Quote

You have defined the Group B as it should be. All important, no Recommended, all from Windows Update. You will get Recommended inside of the Rollups which are defined as Security and this is how it should be.

Reply | Quote

I fear you mistook me, which the edited portion would have made clear.

I respect your knowledge, not your approach. And plan to read more of same.

Regards,
Paul

Reply | Quote

I’m a user of Windows 7 Professional 64-bit.  I’ve been in what I call Group A# (A-sharp)  since November 2016.

I’ve been installing the roll-ups through Windows Update, but used a very simple batch file to disable telemetry.  I have another batch file to monitor changes to telemetry, but there have been none since I initially disabled it.

I also have not been installing any recommended updates.  Let’s not forget that GWX had that classification.

The two batch files I use are called FINDEYE (monitor) and POKEYE (disable).

FINDEYE.BAT

@echo off
cls
sc query DiagTrack
echo.
dir %ProgramData%\Microsoft\Diagnosis\*.rbs
echo.
dir %ProgramData%\Microsoft\Diagnosis\ETLLogs\*.* /s
pause

POKEYE.BAT

@echo off
cls
sc config DiagTrack start= disabled
sc stop DiagTrack
pause

POKEYE is simple and effective.

1 user thanked author for this post.

Noel Carboni

Reply | Quote

What telemetry-related functionality is known to be present in the Windows monthly rollups that is not present in the security-only updates? Diagnostics Tracking Service is a known one, but Diagnostics Tracking Service might not be a gatherer of telemetry, other than telemetry related to the functioning of Diagnostics Tracking Service itself. (More research needs to be done on this.)

Reply | Quote

I don’t know.

You’re the expert.

1 user thanked author for this post.

ch100

Reply | Quote

I never investigated that question in depth. I’m trying to establish if there is a known factual basis for avoiding the Windows monthly rollups.

Reply | Quote

@MrBrian It is all imaginary if abbodi86 and few others which are well known here and I understand Windows well enough.
I understand that you are trying to prove everything, but there are people in this world who “feel” Windows to say so (I think you are among them, but you just try to be nice and provide an additional service to those who are not) . They are the types who would find a solution to any issue, find registry keys which are undocumented and “know” somehow if those keys have been implemented by the Windows designers and if it is worth looking for them.
Windows is as is while most of what is posted here belong to a political forum, not to a technical one.
Some people just don’t get it and confound the two.

Reply | Quote

In my opinion, those who want less telemetry, including those that are in Group B because of wanting less telemetry, should at least set the operating system’s Customer Experience Improvement Program setting = No.

4 users thanked author for this post.

ch100, JDeC, Noel Carboni, woody

Reply | Quote

Hi Mr Brian,

This action is often recommended but sadly without explaining how to do it. I have disabled Customer Experience Improvement’s subprograms in Task Scheduler but other than that I can’t find the program elsewhere ( it’s not in services) to turn it to NO .

Also it’d be great if I could get Windows Defender engine to update, even pausing ESET security I can’t get Windows Defender to start up at all. I’ve tried with Windows Update disabled and with WU enabled. ESET’s site was useless concerning this issue – no information about this windows defender issue at all.

I was hoping that it would magically update itself through some secret MS background updating service as suggested by Noel C’s experience but alas nada.

Thanks for everything you are doing on this site

1 user thanked author for this post.

MrBrian

Reply | Quote

anonymous wrote:

This action is often recommended but sadly without explaining how to do it. I have disabled Customer Experience Improvement’s subprograms in Task Scheduler but other than that I can’t find the program elsewhere ( it’s not in services) to turn it to NO .

Type in the taskbar Searchbox “Experience” (without quotes), click on CEIP.

For Windows Defender try:
Turn off ESET
Control Panel\Action Center\Security – there should be a choice to show malware programs on your PC. Turn on Defender, open and update

1 user thanked author for this post.

ch100

Reply | Quote

I recommend that those who are privacy-conscious look at Links: Microsoft privacy statements and Windows network connections to Microsoft.

3 users thanked author for this post.

Elly, Noel Carboni, woody

Reply | Quote

As i said, telemetry on Windows 7/8.1 is extremely overrated and exaggerated

it’s only a few components that can be easily disabled/neuturalized

i have not saw a solid proof that MSFT sneaks it in undocumented components

anyway, May the Force be with you

5 users thanked author for this post.

ch100, woody, lizzytish, gkarasik, PKCano

Reply | Quote

Look, a bad situation just got a lot more complex. Woody just wants us be ready for it. For what it’s worth, my I.T. team brought me and my staff the exact same message Woody did. If there is a silver lining to all this, it is every  tech company got a major head slap this week.  Best practices exist for a reason, and  throwing away years of hard earned knowledge comes with a price. (As my I.T. guys reminded me over and over, while discussing  updating policy.)

2 users thanked author for this post.

HiFlyer, woody

Reply | Quote

It’s Group A for me. I don’t care about telemetry.

I think MS has gone off the rails.

I will continue to use Win7 until a) I die or b) it dies.

GaryK

Reply | Quote

My thoughts on the script mentioned here:

1. The first part of the script nukes Diagnostics Tracking Service. My current thoughts are that this service should be kept enabled and not nuked, if it is true that Diagnostics Tracking Service does not gather telemetry (except for telemetry related to the functioning of Diagnostics Tracking Service itself). Third-party programs can use Diagnostics Tracking Service to transmit telemetry. Windows Defender can use Diagnostics Tracking Service to transmit telemetry, at least in newer version(s) of Windows. There could perhaps even be legal repercussions of disabling this service, although that would be best to ask a lawyer about.

2. The second part of the script deals with nuking Compatibility Telemetry Appraiser (installed in updates KB2952664, KB2977759, or KB2976978) . The problem with this is this is an after-the-fact action. The Compatibility Telemetry Appraiser is set to run at 3am every day, or the first available time after that. On its first run, a full load of telemetry is transmitted to Microsoft if the operating system’s Customer Experience Improvement Program setting = Yes. The better way to handle Compatibility Telemetry Appraiser, in my opinion, is to not install it (if possible).

 

2 users thanked author for this post.

ch100, woody

Reply | Quote

“Here is the full list of what I found for Windows 7 x64 that violates the operating system’s Customer Experience Improvement Program setting”

It’s debatable whether the Compatibility Telemetry Appraiser telemetry transmission mentioned in the link above (detailed here) is something to be concerned about. The CPU and disk usage that occurs due to Compatibility Telemetry Appraiser, which happens even when the operating system’s Customer Experience Improvement Program setting = No, might be the bigger concern.

 

 

3 users thanked author for this post.

BrianL, SueW, woody

Reply | Quote

Win7Pro-64_SP1 and MS Office 2010 here. Only 2 Windows machines left, as the rest have gone to penguins. I have evolved to a hybrid patching. I am group B+. I have not installed the big 4 telemetry patches. But I have also unhid them. I am solid B for the Monthly Security Only patch and the IE rollup patch via the MS Update Catalog. However, I am group A for .NET rollups, and use WU for Office 2010, but am very careful to check (here) for issues before I patch. I rely on Woody’s articles and the PKCano maintained AKB200003 documentation.

I download the monthly and the IE from the catalog when they are released. I wait until the dust has settled and then check to make sure the original update was not modified. The rest come from WU. My setting for WU is NEVER check, however I regularly check manually at the key times (Patch Tuesday, etc.) or if there is news. I do not ask for optional updates to be presented the same as important.

I also NEVER use WU for any hardware driver updates, but go right to the manufacturer site. I have also learned the hard way that unless the driver is a vulnerability or a new one gives MUCH greater reliability or performance, (or is needed to restore what a MS update broke) just let it be. (Besides most driver updates are to fix issues with newer OS or hardware and not older systems) Only Graphics drivers are routinely updated – but never via WU. The Intel WU and BT issue and the hard road to fixing it have been lessons well learned.

I have convinced some of the folks I know that unless they want to learn how to do and learn about non-group A updating, that Group A is best for them. For me B still works. My main objection to the telemetry and the big 4, other than spying without saying WHAT is being sent, was they caused a lot of disk thrashing and slowed down the PC by grabbing resources at the worst times. I have the article(s) about what is sent, but that is obtuse and vague Better to not facilitate than try to stop it after the fact.

I will keep monitoring MrBrian’s and Abbodi86’s techniques and scripts, since once I am comfortable doing that I suspect it is a worthwhile tool (and easier).

For me Win10 is not the future, for telemetry yes, but also as a rolling update OS it is not for me. I would love to be on the LTSB, and my Linux machines are all LTS (Long Term Support) versions. When it works, I want it to keep working.

5 users thanked author for this post.

Kathy70, SueW, HiFlyer, lizzytish, amraybt

Reply | Quote

Oy, this is starting to make my eyes spin around all loony toons or comedy anime style. I want to avoid being spied on.

That and wanting more of my old games to work is why I stayed on 7. That and “free” anything that usually costs like 100+ dollars rings alarm bells. NOTHING is ever free, there’s always a cost of some sort, using us as beta testers if nothing else, and I don’t really like doing free beta testing for someone on an OS.

The issue is this has me worried at this point. I’m not even sure if you can get win 10 for free anymore, this pc is a bit outdated to a certain degree now, my MOBO can’t even accept a better CPU than the one I have in it…..

I’m not really that good at this stuff, so should I just suck it up and install all MS updates not counting installing device drivers?

Edit: please respect the Lounge Rules

Reply | Quote

Relax, grasshopper. I’ll have full instructions when the time comes.

Reply | Quote

Thanks for the work Woody.

I have been in group B but I think it is getting too complex, for me as a relatively unconnected home user (of Win 7, XP and 10 around the house that I maintain).

I think I will now join group A, still watching the MS-DEFCON recommendation, and hope there would be a updated list of anything I should uninstall/delete (if I can) maintained.

I really don’t like to be snooped, as a matter of principle, and I’d rather err on the side of caution.

1 user thanked author for this post.

ch100

Reply | Quote

Having read some of the comments, and Woody’s recommendation to Group A, I’ll stay with group B plan; Windows 7×64 pro. This will be my last windows machine. Who knows, maybe we’ll all be running Android desktops in a few years.

As I’ve said often, snooping bothers me less than the bugs, crashes and blue screens that come too often with bad updates. Maybe it’s just me, but WU’s have too often created more problem than they solve. For the last few years of Windows XP, I went full Group W. I had few minor infections during that time. Yes, that was less painful than the botched updates.

I realize that the DEFCON system Woody uses is intended to avoid that very issue, but as I recently mentioned, an Office 2010 update caused all kinds of issues with Excel. I’ve hidden the offending updates. Point being the DEFCON system didn’t help with that one.

Never the less, Group B is just fine. I can handle the .NET updates, and avoid Internet Explorer like the plague (Firefox instead). Actually, I don’t see the problem. It’s simply a matter of doing the updates instead of having them done for you. When did computers ever NOT need baby sitting? Users seem to expect less care and maintenance, but that’s not the reality. It’s still in the hands of users. So what? A little extra fiddling each month.

Having been a novice tech support for an internet provider, I get it that many are baffled by their devices. So go Group A, it’s best. Don’t know if that adds anything to the conversation, but there it is.

3 users thanked author for this post.

woody, HiFlyer, lizzytish

Reply | Quote

(Just commenting on the post, didn’t read the other comments.)

This is a very unpleasant development and attitude to see. I was taking AskWoody to be mainly a for group B sort of thing, looking for the month’s links to show up right away in the post and then checking comments in it over the next 24-48h for (other) early installers of the security only Win 7 patch to see if issues are reported. Now one can assume that with the switch, there will be less of those comments in those posts as well, since they won’t be about that anymore.

And fail to see what the great difficulty with group B is if you keep to it month by month. It is an issue on a new install, but otherwise, each month you just have one security-only bundle, one IE patch and then, if it exists, you get to decide between using Windows Update for the .NET bundle, which should probably be safe, or getting individual security-only ones for the versions installed (which you’ll probably only need to figure out once, then write down if need be) if you want to be extra careful about that as well.

6 users thanked author for this post.

Kathy70, Cybertooth, HiFlyer, lizzytish, samak, Capella

Reply | Quote

anonymous wrote:

I was taking AskWoody to be mainly a for group B sort of thing,

Group B isn’t going anywhere! I’m just not going to write it up in so much detail, in InfoWorld. Those who want to be in Group B should be able to identify themselves in the write-ups, then click on the link to get detailed instructions, just as we have now – but with one additional hop.

BTW, in case I haven’t been clear, I’m a Win10 user. Have been for years. I don’t like the Win10 snooping, but I’ll put up with it. Until I’m ready to switch to ChromeOS or an iPad – both of which are looking more inviting every day.

6 users thanked author for this post.

Elly, AJNorth, davinci953, SueW, ch100, HiFlyer

Reply | Quote

just run this batch as scheduled task every other week or after updating:

https://github.com/inbi/wouc/blob/master/wouc_cleanup_tasks_services.cmd.txt

Reply | Quote

Background info (some of this info applies only to Windows 10):

Windows 7, Windows 8 and Windows 10 Telemetry Updates (Diagnostic Tracking)

Configure Windows telemetry in your organization

From the first link:

“There are a few more settings that you can turn off that may send telemetry information:

To turn off Windows Update telemetry, you have two choices. Either turn off Windows Update, or set your devices to be managed by an on premises update server, such as Windows Server Update Services (WSUS) or System Center Configuration Manager (SCCM).

Turn off Windows Defender Cloud-based Protection and Automatic sample submission in Settings > Update & security > Windows Defender.

Manage the Malicious Software Removal Tool in your organization. For more info, see Microsoft KB article 891716.”

1 user thanked author for this post.

woody

Reply | Quote

From the second link:

“In previous versions of Windows and Windows Server, Microsoft used telemetry to check for updated or new Windows Defender signatures, check whether Windows Update installations were successful, gather reliability information through the Reliability Analysis Component (RAC), and gather reliability information through the Windows Customer Experience Improvement Program (CEIP) on Windows.”

Reply | Quote

I’ll wager I know what communications a desktop system does online as well as anyone, as understanding and controlling such communications is a passion of mine. A career in data communications and software engineering tends to do that to you.

Thing is, there’s not just one “telemetry” communications stream. What Windows does online is much, much more complex than that! Insanely more complicated.

Presuming you want to do at least SOME things online with your system you actually DON’T want to block all the comms – there are some very necessary sites that MUST be contacted by a typical system regularly, e.g., for the purposes of certificate verification, time sync, license management…

That’s not to say Windows can’t be made very private. I myself maintain Windows 7, 8.1, and 10 systems that don’t spill the beans online. But it’s no small, simple, turnkey task. Windows is a complex beast, and it takes some geek chops to do it along with ongoing effort.

As an example, here’s a list of all the sites my Windows 10 test system at LAN address 192.168.2.26, allowed to sit idle all day, contacted. I ran the command (on my Win 8.1 workstation) to search my DNS log at near midnight last night. You can see that the only communication initiated in the 24 hour period was to get the time from the National Institute of Standards and Technology via a task I have scheduled (I have disabled the out-of-box Windows time service).

Most folks, however, wouldn’t find my Windows 10 system, above, acceptable. Why? Because I have shunned all the Apps and cloud-integration entirely. But it DOES illustrate that the beast can be controlled, and my techniques are applicable to purely desktop-oriented Windows 7 and 8.1 systems also.

What have I found that it takes to accomplish this reduction/elimination of Microsoft-initiated online communications?

• Reconfiguration of all provided settings to their most private choices.
• Being willing to do without (or reduced function from) some services Windows seeks to provide.
• Configuration through the local Group Policy editor a number of settings.
• Configuration through the registry of a number of settings that have no UI.
• Disabling of scheduled tasks involved with telemetry and online comms.
• Disabling of services involved with telemetry and online comms.
• Adding entries to the hosts file to blacklist some sites.
• Watching vigilantly for any of these things to be reverted by updates.
• Outfitting with extra software to monitor and police communication attempts.

The list above may seem daunting, but we haven’t even gotten to the part where the devil is in the details. The lists of how to accomplish the above things are long and complex.

Ideally I imagine people want a fully private system that still allows them to do everything they want. That’s not gonna happen. You have to be willing to compromise.

What does one have to consider doing without?

• Apps. The very nature of Apps is that they’re web-integrated and they require an infrastructure to keep them functional. If you want to run Apps, stop reading now.
• Cortana. A personal digital assistant COULD work entirely from local data, but Cortana doesn’t. If you want a personal digital assistant that talks to you, stop here.
• Cloud-integration, such as OneDrive, except for user-initiated operations e.g., in a browser. The good news is that you can use a OneDrive server to store/retrieve files through a browser without ANY of the system-level integration
• Automatic updates. You have to be willing to install them yourself from the catalog if you want a truly subservient system.
• Some security features such as the “Smartscreen Filter”. But you can’t rely on luck; you need a GOOD alternate plan to stay safe online.
• Suggestions that pop up while you type. Your keystrokes are sent to Bing or Google or whatever search engine to make that happen.
• “Continuously online” communications / networking applications. If you don’t want your computer communicating with who knows whom, such cloud-integrated services (e.g., Skype) have to be avoided.
• Generally speaking, subscription and high-end commercial software communicates regularly online to do things like verify its licensing. Either you need to allow this or choose software that doesn’t do that.
• Some software seeks to be cloud-integrated (late versions of Office, for example). You have to avoid this software or specific features within it, and be able to differentiate wanted comms from unwanted comms. That’s no small feat!
• Online backups. Uh, no, get one or more external USB drives and make your own local backups, where you maintain full control of your data.

This has gotten long already, yet I’m sure there are things I’ve missed and I haven’t even begun to get into the list of actual technical things to do to get to a secure, private system that doesn’t try overmuch to send your data abroad. It’s a challenging task even for a career software engineer. It’s not going to be feasible at all to provide a “have your cake and eat it too, set it and forget it” solution for an average user.

-Noel

6 users thanked author for this post.

Elly, AlanH, MrBrian, woody, HiFlyer, owdrtn

Reply | Quote

(My apologies if this appears as a duplicate, I tried to edit the original and it appears to have disappeared when saved)

I suspect some of the submissions in this thread have been prompted by the weekend’s ransomware events, however nothing has in fact changed since Monday last week (or the week before)

Both Group A and Group B would have been protected since late March when DEFCON dropped to 3, it is now mid-May. Group W will know the risks they run and will mitigate (or accept) the risks accordingly.

Outside of that, anyone else that hasn’t patched clearly doesn’t care what happens and will suffer the consequences.

Group A is theoretically the least risky (until the next zero-day exploit), Group B carries a marginally higher level of risk though not necessarily significant assuming all the correct patches have been installed correctly and clearly Group W will bear some significant risk which they will need to manage.

Every single user in this forum is constantly at risk, right now, simply by using any form of IT and is simply part of the cost of using it. It is really down to the user to decide how comfortable they are with each level of risk, but risk will not go away, it cannot no matter which group you fall into.

9 users thanked author for this post.

Elly, SueW, samak, fp, Noel Carboni, woody, HiFlyer, lizzytish, PKCano

Reply | Quote

Your posts ended up in the Sp*m bucket. We think it has to do with the rapidity of the submit/edit/submit sequence. If you slow down and give the system time to update in between, it works better.
I retrieved them and deleted the duplicates.

2 users thanked author for this post.

David F, woody

Reply | Quote

Woody, Another aspect to this WU thing relates to the vast majority who give about as much thought to their PCs as they do their electric toothbrushes.

Many of those machines, maybe even the majority have not been updated either ever or in many, many months for a whole variety of reasons. Those users either are not aware of that fact and/or do not care. The biggest contributor to this quagmire is the update engine itself.

That means a lot of people who you will recommend take the A course, don’t even know or care that they are already W.

CT

3 users thanked author for this post.

AlanH, AlphaCharlie, Noel Carboni

Reply | Quote

So very, very true.

 

Reply | Quote

ch100 wrote:

– Group B, while correct for securing the computers, altohugh less useful for resolving functionality problems, is only for those who use management tools.

Strongly disagree.
Finding out what updates to install and running the .msu manually (or using a batch file and using wsus) is no different than using WU in Group A.

The onus is on the user to actually maintain, instead of it being done for them. That’s about the only difference IMHO.

ch100 wrote:

– Telemetry as malware is an urban myth.

Maybe not by definition, but for most people, telemetry is something they don’t want, and do want to limit or cut off entirely.

ch100 wrote:

– The “threat” to being upgraded to Windows 10 is another myth.

After the last 2 years, I’m not putting anything past them.
There is no upgrade program currently, yes; however, I see no reason to believe that they won’t possibly bring it back at some point.

ch100 wrote:

– KB2952664 functionality is part of the Operating System for the latest server OS – see the frequent updates for its companion updating definitions KB3150513 for Windows Server 2016 and there is no reason not to install it.

2 wrongs don’t make a right.
Secondly, a server OS should not be phoning home for anything other than updates.
MS can keep its nose out of the servers I manage just like they can keep their nose out of my personal workstations.

ch100 wrote:

What is good for organisations with 10,000 + users moving in mass to Windows 10 should be good enough for someone who has no idea about technology but somehow feels compelled to give advice in this matter, while expecting others to tell them what specific patches to install to suit their self-designed frame of reference.

Again, 2 wrongs don’t make a right.
Right now we have no plans on what to do at a corporate level.
I can assure you that upgrading every 7 box to 10 and ever 2008 R2 server to 2016 in our domain is not going to happen; not under my boss’ watch, and (if he quits), not under mine.
We’d be more likely to get a VL for 8.1 (which we probably already have) and create a corp image including Classic Shell, and upgrade all the 7 boxes to that.

4 users thanked author for this post.

David F, Cybertooth, HiFlyer, Alice

Reply | Quote

zero2dash wrote:

There is no upgrade program currently, yes; however, I see no reason to believe that they won’t possibly bring it back at some point.

I doubt that MS will bring back a GWX-like program at this point. They already have one – end of support. They’re also getting sued for the original GWX.

The upgrade is still free, by the way. Use any valid Win7/8.1 key and you can install and activate Win10 directly.

2 users thanked author for this post.

fp, NetDef

Reply | Quote

woody wrote:

… I’m reasonably sure that the EU is going to take Microsoft to task for excessive snooping in Win10. It’s highly unlikely they’ll try to take on Win7…

Oh! The upcoming privacy laws will have nothing to do with OSes… all that matters is, that if you collect any info on me or my behavior, you’ll have to tell me exactly which data – and where they “end”. Much more important to me is, that you can only collect, what I’ve allowed you to collect! And default answer is “no”, btw.

In other words: unless I in advance say “yes” to allow you to collect anything, that means, you collect nothing. If you still collect anything, then just wait form the hammer to fall.

The fines are not insignificant… so come May 25 2018.

3 users thanked author for this post.

samak, HiFlyer, Ascaris

Reply | Quote

The discussion went way off the rails at this point.

I’ve moved it to https://www.askwoody.com/forums/topic/split-new-windows-78-1-updating-method-coming/

Reply | Quote

woody wrote:

zero2dash wrote:

There is no upgrade program currently, yes; however, I see no reason to believe that they won’t possibly bring it back at some point.

I doubt that MS will bring back a GWX-like program at this point. They already have one – end of support. They’re also getting sued for the original GWX. The upgrade is still free, by the way. Use any valid Win7/8.1 key and you can install and activate Win10 directly.

Even if they do bring it back, unless a policy changes, you should be able to easily opt-out or block it.  In fact, if you have NOT blocked it using the supported method on a recently built machine on Windows 7 or 8.1 – you should go and do that NOW.  It should become a part of your build procedure.

Blocking the Upgrade option (formerly GWX) on Windows 7:

For stand alone machines:

-There’s Gibson’s Never10 at https://www.grc.com/never10.htm

– Or you can insert reg keys yourself,

– Or if you manage a network you can use Group Policy.

Apologies for referring to my own site, but for the last two above options you can follow the directions step by step to block upgrades here: (and I promise that if these steps change, I will update info there!)

https://networkdefend.blogspot.com/2016/02/disable-windows-10-upgrade-for.html

 

~ Group "Weekend" ~

3 users thanked author for this post.

woody, SueW, ch100

Reply | Quote

woody wrote:

The upgrade is still free, by the way. Use any valid Win7/8.1 key and you can install and activate Win10 directly.

I haven’t come across any site that would confirm it’s LEGAL. What if MS one day (when they reach 50 – 60% market share for example) decide all W10 installations activated after July 29, 2016 are deactivated (they surely have the info when activation was done), because the offer expired on that day (this is still an official MS statement)?

https://support.microsoft.com/en-us/help/12435/windows-10-upgrade-faq

 

Fractal Design Pop Air * Thermaltake Toughpower GF3 750W * ASUS TUF GAMING B560M-PLUS * Intel Core i9-11900K * 4 x 8 GB G.Skill Aegis DDR4 3600 MHz CL16 * ASRock RX 6800 XT Phantom Gaming 16GB OC * XPG GAMMIX S70 BLADE 1TB * SanDisk Ultra 3D 1TB * Samsung EVO 840 250GB * DVD RW Lite-ON iHAS 124 * Windows 10 Pro 22H2 64-bit Insider * Windows 11 Pro Beta Insider

Reply | Quote

Press Windows key and +

There. You’ve used an assistive technology.

It’s in Microsoft’s best interests to get you to move from Win7 or 8.1 to 10. They are well aware of the fact that Win7 keys will validate Win10 installations – and they’ve done nothing to stand in the way.

Nods, winks, blind horses.

1 user thanked author for this post.

b

Reply | Quote

woody wrote:

It’s in Microsoft’s best interests to get you to move from Win7 or 8.1 to 10. They are well aware of the fact that Win7 keys will validate Win10 installations – and they’ve done nothing to stand in the way.

Sure, fully agree. But you never know what happens, when W10 reaches 60% market share. Then they’ll tell you: “you activated past the deadline, we’re sorry, pay 50 USD or you’re left with not activated W10 or W10 S” :). With MS you never know.

They do allow to activate W10 with older keys – but they also keep the June 29th, 2016 deadline at their website – and you may expect it’s for a reason.

 

BTW, thanks for the tip – I just used the Magnifier :).

Fractal Design Pop Air * Thermaltake Toughpower GF3 750W * ASUS TUF GAMING B560M-PLUS * Intel Core i9-11900K * 4 x 8 GB G.Skill Aegis DDR4 3600 MHz CL16 * ASRock RX 6800 XT Phantom Gaming 16GB OC * XPG GAMMIX S70 BLADE 1TB * SanDisk Ultra 3D 1TB * Samsung EVO 840 250GB * DVD RW Lite-ON iHAS 124 * Windows 10 Pro 22H2 64-bit Insider * Windows 11 Pro Beta Insider

1 user thanked author for this post.

HiFlyer

Reply | Quote

Looks like Microsoft is going to use the same “if you use assistive technologies, you can upgrade from Win10 S to Win10 Pro for free” approach.

https://blogs.msdn.microsoft.com/accessibility/2017/05/18/windows-accessibility-what-to-expect-later-this-year/

We will provide assistive technology users with a switch to Windows 10 Pro from Windows 10 S at no charge as we continue to improve our built-in assistive technology and bring more assistive technology apps to the Microsoft Store.

That makes a lot of sense for Microsoft and for Win10 S customers. More nods and winks.

Reply | Quote

“There are some very good reasons for staying with Win7 – program and driver compatibility being a main one.”

And inertia.  If it works, don’t fix it. Why does this continually slip out of awareness? People have other things to do, a life to live, a business to run.  If Win10 works only about as well (0nly after you perform some major tweaks on it) as Win7, that’s NOT enough reason to take on all the other issues.

4 users thanked author for this post.

Elly, HiFlyer, AlanH, radosuaf

Reply | Quote

Bear in mind that most corporations who had previously leased/subscribed Win 7/8.1 Ent Volume Licenses have upgraded to Win 10 Ent VL for “free” and renewed their 3-year term M$ Enterprise Agreements and Software Assurance/Insurance. This kind of VL leasing/subscription is like Office 365 subscriptions which get free and perpetual upgrades as long as the subscriptions are paid to M$.
… So, the Windows system admins of such corporations running Win 10 Ent VL under lease/subscription tend to advocate for Win 10 because these admins are like saltwater fish who cannot survive without the saltiness of Win 10.

In comparison, most corporations who had paid more money to M$ to buy Win 7/8.1 Ent VL have not upgraded to Win 10 Ent VL and intend to stay on Win 7/8.1 Ent VL until EOL in 2020/2023, in order to get their money’s worth.
… Similarly for most home-users of Win 7/8.1, ie they have bought OEM or Retail Win 7/8.1 licenses and intend to stay on Win 7/8.1 until EOL in 2020/2023.
… That is why, after nearly 2 years of Win 10, there are still about 60% of Windows users on Win 7/8.1.

1 user thanked author for this post.

Elly

Reply | Quote

I was doing Group B on Windows 8.1 since January 2016, when I got the laptop. Only one non-security update, which I did have to do some searching on, for updating WU. It was easy under the old system of WU. And never had any problems. Its not like that now, with the “new” updating system. Yes, it can be done, and this site is great for information and how to. (If you can get the updates to install).

I can understand ch100’s stance on this, it would be easy to lose services and functionality doing Group B, and that is why he posts what he does. The thing is, its getting harder and harder, and maybe PKCano and others don’t want to do this forever. It really is easier to run Ubuntu and Linux Mint than a Windows system once you have learned a few things, compared to the updating paradigm we have now. (Not even counting problems with WU under the old system). (You would go into shock over how easy updates are on Linux). The other thing that readers here may want to think about is that Windows 10 is a rolling distribution, eats huge data, needs upgrading routinely. How many home users are up to this? What to do? It may be that users here would be better served by investigating either Ubuntu or Linux Mint while running 7 or 8.1 till 2020/23.

4 users thanked author for this post.

HiFlyer, SueW, ch100, wdburt1

Reply | Quote

” It may be that users here would be better served by investigating either Ubuntu or Linux Mint while running 7 or 8.1 till 2020/23.”

+1

This is something that I will continue researching.  How I long to be free of some of these issues.

Reply | Quote

My Microsoft security essentials update is back working .  I`m group A, Win 7 x64Home premium.  When I did the May roll up it quit updating.  I reinstalled MSE and it still did not up date for a couple days.

Reply | Quote

…so, if I just want to make sure I don’t get the often-botched first patches (the ones that makes all who install them into beta testers without knowing about it), but don’t really care enough about the snooping, how would I go about updating now?

Also: Have it become harder to patch for ‘Group B’ since last month (would explain the recommendation for many people to move to ‘Group A’), or is there another reason?

Yet another question: What is this about WannaCry I’m hearing?

Edited for content

Reply | Quote

Also

(I’m the person who posted #116672 asking about what to do and if Group B patching have gotten harder lately)

I have KB4012213 installed btw, does that mean I’m protected?

I also run Kaspersky Internet Security, and I would assume that as long as I don’t lose my common sense, I should be doing pretty well, no?

Reply | Quote

anonymous wrote:

…so, if I just want to make sure I don’t get the often-botched first patches (the ones that makes all who install them into beta testers without knowing about it), but don’t really care enough about the snooping, how would I go about updating now?

If you don’t care about the snoopoig, this describes Group A. Group A installs all the important and recommended updates. That includes the “Security Monthly Quality Rollup for Windows” that is delivered through Windows Update. That is the easiest – just wait until the DEFCON number goes to 3 or above (to avoid problem patches) and install everything that is checked according to Woody’s directions.

anonymous wrote:

Also: Have it become harder to patch for ‘Group B’ since last month (would explain the recommendation for many people to move to ‘Group A’), or is there another reason?

Group B patching has not changed at this point. However, downloading updates and manually installing them is beyond the ability of many Users, even many who try to follow that method. So they get confused.

anonymous wrote:

I have KB4012213 installed btw, does that mean I’m protected?

KB4012213 is the March Security Only Quality Update for Win8.1. Yes you are protected.

1 user thanked author for this post.

Noel Carboni

Reply | Quote

Ah, so if I have done this before, there is no reason to go to Group A?

Does that mean the following instructions I wrote for myself some time ago is still viable?

“1. Check the Windows 8.1 and Windows Server 2012 R2 update history for the relevant file. (I’m using Win 8.1, just for the record.)

1a. Check around the net if there are problems with the relevant Security Only update, and act thereafter.
1b. Install if has been given a green light, wait if unsure.
—

2.Check for Updates via Windows Update.

2a. Ignore all the non-program-specific Security Rollups and whatever they are called.
2b. Ignore all Optional Updates unless they are for some reason explicitly relevant to a product i am using (within reason of course).

2c. Check around the net for more input on entries in the “Important” list concerning software like .NET, Office, Adobe Flash Player a.s.o., generally installing them unless a web search reveals major problems with one of them.
(BTW, should all “Monthly” Rollups be avoided, or just the non-program-specific ones?)

2d. Check around the net for more input on any other entries in the “Important” list, but avoiding them unless they seem relevant and/or critically needed.
—

3. If all is OK, install updates, check that things didn’t break a.s.o.
—

4. Keep an eye out on this website (and on the net in general), in case the situation changes.”

Reply | Quote

I see one glaring omission. The Cumulative Update for IE11 was included in the Security Only Quality Update for Win8.1 prior to March 2017. Microsoft has split that out to a separate update beginning in March. So you need the Cumulative Update for IE11, which must be downloaded and manually installed like the security only update for Win8.1.

anonymous wrote:

2c. Check around the net for more input on entries in the “Important” list concerning software like .NET, Office, Adobe Flash Player a.s.o., generally installing them unless a web search reveals major problems with one of them.

Barring problems, these should be installed if they are CHECKED by default.

anonymous wrote:

(BTW, should all “Monthly” Rollups be avoided

If you are in Group B, that is the current recommendation.

Reply | Quote

I’m really happy for your help!

Just one last question: Is it recommended/obligatory to restart the computer in-between installing each Security Update, or should it be fine with not restarting until all of them are installed?

Reply | Quote

If you are installing security-only updates for Windows, they are not cumulative, so you can just close the box and install the next one. I usually install the Cumulative Update for IE11 last, then reboot. The rest should be handled through Windows Update and it takes care of the reboots.

Reply | Quote

Just what I did Thanks again!

Reply | Quote

anonymous who just wrote in at 12:48

Set your Windows Update setting to NEVER…. Leave it that way permanently.

Go to http://www.askwoody.com to find out WHEN to update. Watch for the MS-Defcon rating that Woody sets. Read is advice there.

When it is time as he advises, start Windows Update and click check for updates. Since you have chosen Group A, accept all updates offered.

An additional bit of advice: Do NOT accept driver updates from the Windows Update. Driver updates should not be updated unless there is a specific problem you need to solve. Then only that update should be updated. Your source of driver updates should ONLY be the OEM of your equipment.

The specific update that dealt with Wanna cry is:
http://download.windowsupdate.com/d/msdownload/update/software/secu/2017/02/windows6.1-kb4012212-x64_2decefaa02e2058dcd965702509a992d8c4e92b3.msu
http://download.windowsupdate.com/d/msdownload/update/software/secu/2017/02/windows6.1-kb4012212-x86_6bb04d3971bb58ae4bac44219e7169812914df3f.msu

However, if you are in Group A, you will automatically be receiving the appropriate update anyway.

CT

2 users thanked author for this post.

Karlston, Noel Carboni

Reply | Quote

I see, thanks for your answer (even though I knew the things said in it already), but since Group B patching haven’t really changed, I think I’ll stay in that camp for now.

Reply | Quote

As a Win 7 home-user, I am staying put in Group C/W…

The SMBv1 vulnerability only affects those whose port 445 are open to the Internet and who are susceptible to email-phishing through unsafe-browsing practices. Eg the former infection method only affects Enterprise servers that subscribe to MS Remote Desktop Service = their port 445 are purposely set open to the Internet; it does not affect nearly all home-users and some Enterprise servers. The Wannacry hackers did not use the email-phishing method and only targeted Win 7 computers. Hence, only 200,000 mostly corporate computers (out of about 1 billion Win 7 computers = 0.02%) were affected worldwide by the Wannacry ransomware, eg the NHS, Renault and Spain’s Telefonica.

Port 3389 is open to the Internet if Windows Remote Desktop Connection is enabled, eg for M$’s tech support staff to access your computer through the Internet for trouble-shooting purposes. Similarly, port 8080 is open to the Internet if the router’s Remote Management is enabled. Hackers like to scan/ping for such open ports that give Remote Internet access because they carry Admin privileges = remote execution of malware.
Normally, only port 80 and 443 in home-routers are open to the Internet for http and https Internet traffic.

Anyway, I take personal responsibility for my choice, ie “To each, his/her own”. I practice safe-browsing and have my Win 7 Install DVD and System Image ready for any malware/ransomware infection since 2012. So far, so good.

Reply | Quote