• The fallacy of fragmented patching in Win7 and 8.1

    #35917

    So go ahead, Microsoft, bring on the new world of Win7 and 8.1 cumulative updates. But don’t blame it on fragmentation. Don’t blame it on folks who we
    [See the full post at: The fallacy of fragmented patching in Win7 and 8.1]

    • #35918

      Amen, Woody!
      Your points are perfectly on target and I might add that there has always been a permanent cadre of tech writers who are more than willing to carry the MS water bucket. Every version of Windows is billed as the “most secure” and will be able to feed your dog according to these folks. Face it; it’s media and it all hopes to get a piece of the MS promotional and advertising budget by fronting favorably for Redmond.

    • #35919

      One could interpret Microsoft’s desire to “end fragmentation” and “increase quality” as the effort to eliminate third party software whenever possible.

      Because after all, the only way to make sure that everything is “up to spec” is to buy from Microsoft.

      In other words, they are trying to bring EVERYTHING under the control of Microsoft.

    • #35920

      +1. No, +1 ^ 1000. 🙂

    • #35921

      BRAVO !!!

    • #35922

      Spot on, Woody. The current mess was brought on by MS themselves. Most people I set up pre 10 I would set up to automatically install important and recommended updates on their Windows boxes. But after a couple really dodgy 10 stunts, one can not afford to trust MS’ patches to be accurately described or rated.

    • #35923

      Fragmented patching is a result of an untrustworthy OS vendor. I used to leave every single computer on Automatic Updating and I took every single patch they pushed out the door.

      When GWX and telemetry data was pushed, I not only shut the door, I locked it and added a deadbolt.

      If you want to return everyone to opening that door again, then you need to spend a few years re-building goodwill and trust. Until then, my doors will remain shut.

    • #35924

      Some observations:

      1. The argument Microsoft (and our friend @ch100) advances about fragmentation makes sense, at least conceptually.

      2. Whether it matters in the real world is unknown and practically unknowable to anyone other than those who develop Windows.

      3. Moreover, the risks of selectively patching have to be weighed against the clear and present danger of allowing M$ to take control of my computers.

      4. The main reason I abandoned the “blocklist” approach in favor of accepting only security updates was that it seems more likely to minimize those risks. The hope is that security updates live in their own world and are not dependent upon other updates. Why would they be categorized separately if they depended upon a non-security update?

      5. Though Microsoft’s argument about fragmentation has some validity, it conveniently lends cover and support to their drive to get control, by depriving users of choices that currently allow them to defeat snooping and M$ malware.

    • #35925

      Agreed on all points. It’s a complex situation.

    • #35926

      Well said Woody….. you hit the nail on the head!
      As you pointed out basically the only reason people are avoiding certain patches is because of the snooping and interference with our machines from MS…. while their initial statement when releasing Win10 purporting that mandatory updating would keep everyone secure on line…would have been great if the updating was of the kind that we had previously to Win10. Then no one would have argued about that too much. But unfortunately they are the ones who we need to protect ourselves from…….. they are the ones who are behaving as predators do…… stalking us and following us wherever we go…… and watching us and eavesdropping. In the real world we would be able to get a Court Order to stop them in their tracks and keep them at a distance.
      LT

    • #35927

      Woody, I read this in the article
      “Back in June, we saw a harbinger of this new technique. As I explained at the time, you could get a new patch that would speed up Windows 7 update scans, but in order to install it, you had to install six completely unrelated patches — at least one of which has been implicated in increased snooping.”

      Which patch in the speed up group from June was implicated?

    • #35928

      The “Fragmentation” rationale is nothing more than a straw man argument.

      This specious justification is another heavy-handed offensive action designed to further reduce MS maintenance costs and continue the erosion of users’ ability to control their own systems.

      It’s a win/win for the Big Bully!

    • #35929

      “The Servicing Stack (in other words, the Windows Update program itself), dynamic updates (“driver, component, and setup improvements during the initial setup”), as well as Windows Defender updates and the Malicious Software Removal Tool will all march to the beat of an asynchronous drummer.”

      I found this bit confusing, even as a former drummer who was never knowingly asynchronous :)! I assume you are saying that these aspects will have separate updates, i.e. that any new graphics card driver, for example, will not be included in the single roll-up update? Is that correct?

      What about the always potentially troublesome kernel mode driver updates, will they be tossed into the Russian Roulette chamber that is the single roll-up update, or will they be kept separate?

    • #35930

      I wouldn’t be surprised if somewhere between now and February one of these months’ updates will be to disable our ability to uninstall updates and give Windows 7 and 8.1 forced updates like Windows 10.

      To Serve Mankind…

      Fortran, C++, R, Python, Java, Matlab, HTML, CSS, etc.... coding is fun!
      A weatherman that can code

    • #35931

      I am not sure the history of MS and Windows plays nicely with the notion that they are going to take a breather and attempt to rebuild trust among Windows users. I think it more likely that MS will continue to short circuit the user experience for Home edition users in the hope that they will pay upgrade/subscription charges to regain a semblance of what they are losing. As an example, I believe MS intends to let small businesses and individuals upgrade to the Enterprise edition of W10 without the need to have a volume licensing agreement. The catch is that they will have to pay a monthly subscription charge of approximately $7.00 for the privilege of maintaining some semblance of control and predictability in respect of their system. It may be worth it for those who really use their systems in a work productivity manner; however, the main point is that MS is trying to evolve the business model to replace declining OEM licensing revenue. Pay attention; the use of Windows going forward is going to be more complicated for many people.

    • #35932

      Yep, E3 is here and E5 is coming.

    • #35933

      🙂

    • #35934

      Short answer: I don’t know.

      Longer answer: I don’t know, and there’s one kind of update I forgot to mention, the “compatibility definition updates.”

      It’s unlikely that all of these kinds of updates will appear at the same time. Thus, asynchronous.

      But the kernel mode driver updates will definitely get rolled into the monthly security update.

    • #35935
    • #35936

      “To Serve Mankind” — “It’s a cookbook!”

      (This was from an episode of the Twilight Zone. Aliens came to “serve” mankind. They improved life on earth in every way imaginable, thereby enticing everyone to get on the spaceships and “visit” the alien planet. The aliens left a book behind, “To serve man”. The earth people finally translated it enough to realize that it was a cookbook, and mankind was going to be served next to the rice and gravy!)

    • #35937

      If one listens to it with a fresh mind, Microsoft’s argument about bundling upgrades makes perfect sense. However, when one connects it to what they have actually done to destroy their consumers’ trust, it collapses.

      If only we could blindly trust Microsoft to upgrade our computers with a big bunch of bits once a month, and live happily ever after…

    • #35938

      Excellent summation, Woody. I shall be forwarding your W-o-W article to friends & family, so they are fully apprised.
      I’m still observing DefCon-2, but at present have not decided what to do come October; hmmm, never update, or neo-Security** updates only. Looking forward to hearing what you recommend and also to reading the views of your regular Woodites.
      One thing is for sure though, Microsoft can kiss my grits!!! Linux here I come!

      (**may also contain sundry detritus)

    • #35939

      “Fragmentation” or “Selectively patched” is another way of saying “Backward compatibility”.

      “Fully patched” is another way of saying, “You will do things the Microsoft way”.

    • #35940
    • #35941

      Even Ed Bott seems to admit that this is exactly where Malwaresoft is heading…

      http://www.zdnet.com/article/microsofts-new-business-model-for-windows-10-pay-to-play/

    • #35942

      My less than geek mind says Windows 7, Windows 8.1 people lock-down, do not add to or lose anything on your computer and run constantly, GWX Control Panel AND hope that our control panel creator, Josh Mayfield, will send us an update that can fragment the monthly update bundles and protect our computers from the onslaught of GWX 10 that MS is likely to hide in security updates and etc!!!!! MS has really shown us just how devious they can be.

    • #35943

      Thank you Woody for giving voice to so many.

      I have steadfastly prevented all non-security Windows updates from being applied to my clients’ computers for the past year.

      The following is what I just sent out to my clients attached to a link to your article, Woody:

      ===========
      The Microsoft Windows world is really upset. There are good reasons for this.

      Look out for some major changes to the way Windows gets “updated.” Microsoft is setting up to begin to treat Windows 7 and 8 systems as sort of less than competent Windows 10 systems. There is a huge contingent that does not want this. The biggest contingent is the Corporate IT world. The noise is getting pretty deafening in the techie world of blogs and articles.

      Woody Leonhard is sort of one of the leaders of the opposition.

      I have been working steadily at helping my clients stay clean of this and so far have been pretty successful. Frankly, I do not know what October will bring. I don’t think anyone does. It’s still pretty mushy. I will be trying my level best to find the way to stay clear of this mess that Microsoft is trying its level best to bring on us.

      The crux of the question is does Microsoft have the right to treat the hardware we bought and the OS licences we bought as if they belong to MS to be used and manipulated to Microsoft’s best advantage. If you are a person who uses your computer to store and manipulate data you regard as confidential, you need to be very concerned about this.

      Microsoft intends to treat our systems as ever evolving technology that they completely control. What you have at any one point in time is what Microsoft chooses to let you have. They are and will be installing massive data collection systems on our computers that feed the information gathering engines for Microsoft and its “partners.” If they have their way (and I and a huge contingent of folk intend to prevent), the Windows 7 system you have today will be nothing like the one you will have 3 years from now.

      CT

    • #35944

      Exactly! It’s perfect! We’re the humans in Microsoft’s next recipe for disaster.

      Fortran, C++, R, Python, Java, Matlab, HTML, CSS, etc.... coding is fun!
      A weatherman that can code

    • #35945

      Good stuff. Now if I could just figure out how things will really be in three years…

    • #35946

      Thanks for the link! It’s a very worthwhile article.

    • #35947

      Woody, thanks to you and others for the palliative care you have administered to us Microsoft victims. But, the reality is nothing you or any of us do or say, will matter in the least to Microsoft.
      Modern corporate policy is no longer the old, customer is right, good customer care attitude.
      It is the Comcast, Bell Canada, Facebook type approach that the customer will take what they are given and endure it. Companies like these have nightmarish customer relations, but they continue to grow profitability.
      The only hope for change with MS is if the new roll-up format results in some humongous screwup across a wide range of systems resulting in a PR nightmare.
      And even then…

    • #35948

      More smoke and mirrors from Microsoft, Woody. Not even a mention that they might have some culpability in all of this.

    • #35949

      The more blatant Ms becomes in its controlling and exploiting its customers the more convinced I become to stop Wu altogether. I now have one laptop on win10 pro set to defer all updates and I will do the same for my 2nd win7 one when it dies. It looks like security risk is smaller than that from MS updates.

      The only possible stopping of this crap is by corporate customers and it looks like they won’t do much. If ure an individual user maximize the use of non-Ms security SW and stop Wu if the current system is sufficient 4u.

    • #35950

      I was reading a post from a business person who owns a small sized accounting firm. The company runs their accounting application on W7 Pro and in the past a bad patch from MS knocked down the application. On uninstalling the single patch and hiding it they were up and running very quickly. Application tests indicated that they had to run without the patch, so it stayed hidden.

      With MS wanting to get all OS’s fully patched, the offending patch will be an issue if it is unleashed and ends up in a monthly roll up. The alternative is to buy Enterprise licenses and paying a monthly fee so they can selectively manage updates. Now how does this fix the fragmentation problem?

    • #35951

      It’s called marketing and the proper term is bs.

    • #35952

      Ms must be desperate to go to this length to screw its customers. It looks like they realized they’re losing their win monopoly cash cow, cant come w smtg attractive and their only option is to force the monopoly.

      Given the apathy it may work.

    • #35953

      Re 4: Given Ms behavior why on earth would u believe in security separation? The temptation to use it as a platform to impose Ms on user system will b too irresistible.

    • #35954

      What speaks volumes is that no top Ms official has ever commented on the issue and complaints.

    • #35955

      @Alex: And there you have it in a nutshell. This is my real concern. I see this as the greatest danger and a harbinger.

      One of their rollups (KB3161608) killed my Intel Bluetooth but I was able to uninstall it. The Intel driver “fix” caused my machine to blue screen at boot, necessitating a rollback. The laptop maker has yet to release their version of the Intel ‘fix’.

      When KB3161608 was withdrawn, the new replacement patch also cautioned about the Intel Bluetooth so I did not install it. Under the new regime of cumulative updates, I will have to endure this again and again, unless I stop updating or do security only via MS Catalog.

      I strongly believe MS will remove current Win7 and 8.1 update flexibility built into the WU clients with these rollups. It will make it easier for them to do their updates. However it will also make it easier to degrade the Win7 / 8.1 User Experience (what remains) to pursue their goal of having Win7/8.1 users move to and “love” this folly known as Windows 10 or “Windows as a Service.”

    • #35956

      And who will pour money into the rebuilding of the world from this disaster? Why, the Gates Foundation of course!

      Ah, the irony of it all!

    • #35957

      Gates Foundation has done a hell of a lot of good work.

    • #35958

      Good point. But there are those who still deny such bad patches exist…

      There’s a similar description here – https://www.askwoody.com/2016/details-about-new-cumulative-update-model-for-win7-and-8-1/comment-page-1/#comment-97106

    • #35959

      Not sure Microsoft ever had a “customer is right, good customer care” attitude. But I understand what you mean.

    • #35960

      With the passage of time and the Redmond taskmasters’ cracking the whip the likelihood of stupidity fades and malice becomes much more plausible.

    • #35961

      Not considering the crossover between the home and enterprise MS experience – – Brave.

    • #35962

      Naw. I just think they don’t look at it the same way we do.

    • #35963

      Indeed it has, I wouldn’t suggest otherwise.

    • #35964

      Haven’t seen it yet, except maybe once, as reported here.

      Sure, the temptation will be there. Like it or not, those of us interested in avoiding conversion to Win10, pay-for-play, snooping, and all the rest are in a tug-of-war with M$, where we can expect that the company will continually push the boundaries of decency and unethical behavior.

      That is not to say that there is no value in countering their moves to the extent that we can.

    • #35965

      Isn’t that both stupidity and malice?

    • #35966

      When one sees Microsoft putting so much ‘effort’ into (allegedly) trying to make things easier for users of an operating system (Windows 7) that they’ve been trying to kill off since the release of Windows 10 then they have to be up to no good in my opinion.

    • #35967

      Hopefully the collapse of the MS empire

    • #35968

      @wdburt1 Thanks for mentioning the first item. I take pride in the fact that I said about the fragmentation before Microsoft made it official. I am not working for Microsoft or associated with them in other ways than being certified in Microsoft Windows for a number of times which I have to check to remember. I see this issue from an engineering perspective. Anyone else who looks at Microsoft’s recent practices from a different perspective has a legitimate right to do so, especially after the debacle which was what any reasonable person would consider the unethical push for Windows 10.

    • #35969

      I have a machine that has specialized NComputing software on it. I have a couple patches that I have set to not approved through WSUS because otherwise if those patches install, they break the program. It will be interesting to see how this plays out starting in October.

    • #35970

      For a simple understanding, the Servicing Stack can be considered Windows Update in a larger sense, but it is not the client; it is the foundation.
      The strict definition according to Microsoft, taken from an older page about Vista is:
      “The servicing stack includes the files and resources that are required to service a Windows image. This includes the Package Manager executable, the required servicing libraries, and other resources. The servicing stack is included in all Windows installations.”
      https://technet.microsoft.com/en-au/library/cc749534%28v=ws.10%29.aspx
      This makes it more obvious why patches like KB2533552 (which completes the installation of Service Pack 1) and KB3020369 for Windows 7 are mandatory for further updates and also due to their applicability can cause major problems including BSOD if released buggy.

    • #35971

      The kernel updates were traditionally released as Security updates, so I don’t think there is anything unusual here. Nobody knows what the future holds for the other updates mentioned; however, to someone who follows this in detail it is relatively obvious that Dynamic updates are not part of the Windows Updates (they only resolve specific problems found with installing certain software) and can even be uninstalled most of the time without being re-offered after the installation. Drivers are in a different category and they are not part of the servicing stack. .NET Framework updates have been documented as being updated separately, although updates and security for the .NET Framework will come bundled.
      The only information we have is from Microsoft’s recent blogs and even that can be further changed or “tuned” at short notice or without any notice.

    • #35972

      We can still uninstall Windows 10 updates 🙂
      Until they get re-offered without us taking extra steps to prevent this from happening.

    • #35973

      That’s assuming one downloads any updates. At this point I’m strongly leaning to the download nothing side.

    • #35974

      I have a question: Is it possible to prevent M$ from accessing our Win7 systems and making changes without our knowledge/permission?

      In other words, what is a sure-fire way to prevent this short of pulling the Ethernet cable?

      CT

    • #35975

      To be fair, Microsoft was not all that excited about Windows 7 in the first place, in contrast with Vista when it first came out. Not much press or ads about it as compared to Vista and Windows 8, let alone W10. If I remember correctly, it was the same with XP, which implies that the more MS is excited about a product, the more likely it is not what we want.

      Indeed, MS doesn’t seem to understand why we liked Windows XP and 7 at all. This was even before shift to the phone model.

      I think that part of the problem is that the upper management of MS doesn’t have much contact with the people who use the computer productively. They are part of political elites with large treasury. Thus very busy and on the move constantly, so tend to use their phone much and do not see any point to desktop computer. They also forgot that we general users have limited budget, that we could not just buy new hardware and connection as they seem to think we could. MS’ actions make sense when you realize they are limo liberals, all money and believing that they know better than rest of us.

      I apologize for a rant (I am embarrassed). I am just frustrated and tired of the whole thing.

    • #35976

      @Lizzytish,

      A couple of weeks ago you mentioned here on AskWoody.com that you would shortly be celebrating your 80th birthday (if I recall correctly),
      so I just wanted to wish you a lovely birthday, and give you a little cyberhug.

      🙂

    • #35977

      Do the following comments from Mercer’s Q&A fully answer the question about drivers?

      (I realize it’s much more complicated than I know about, and I don’t know how a kernel mode driver works versus a graphics card driver and so forth
      — but I’m just offering the below, because I skimmed through that Q&A a minute ago and remember that he mentioned how they plan to handle drivers.)

      ——
      “Nathan Mercer
      August 22, 2016 at 5:12 pm

      no, this announcement does not effect driver updates. Driver updates are not included in Monthly Rollup or the Security-only rollup”

      https://blogs.technet.microsoft.com/windowsitpro/2016/08/15/further-simplifying-servicing-model-for-windows-7-and-windows-8-1/#comment-10585

      —–
      “Nathan Mercer
      August 23, 2016 at 6:43 pm

      Driver updates are not included in either Monthly rollup or Security-only rollup updates.”

      https://blogs.technet.microsoft.com/windowsitpro/2016/08/15/further-simplifying-servicing-model-for-windows-7-and-windows-8-1/#comment-10915

    • #35978

      Like all monopolists.

      Dk if ure old enuf to remember the original IBM.

    • #35979

      I’m planning to completely disable MS updates on all my computers from October.

    • #35980

      Come on folks, get with the programme here: a terribly patched system is hindering M$’s & affiliates’ ability to snoop on you. I mean, what would you do with your computer if you didn’t spend time deleting “crapware” suggestions and removing useless “fluff” apps? Hell, you may actually have time to get on with what you want it to do, that is if you didn’t have to battle updates that provide little or no immediate apparent benefit to a system that’s working just fine.

    • #35981

      Same way. If you don’t approve the updates in WSUS, then they will not be installed.

    • #35982

      Hello Mr. Leonhard. I’m reading your site from time to time. Thank you for your blog.

      Sorry for random questions, but I have two:

      1. About the “important” update KB3138612 for the WU client – I still keep it in the “hide it” section.
      Afaik, this update is for people who are waiting and waiting at the “search for updates” process. But I’m okayish (a few minutes on a regular day, and 20-30 minutes of searching on big-update-day).
      Should I still install it? (since it’s marked as “important”)

      2. Also, I’m still keeping at the gate the rollup updates since May (3156417 (May), 3161608 (June), 3172605 (July) and 3179573 (August)).
      Should I install them too?

      And if nothing is wrong with those rollup updates, how should I install them correctly (to not fk up my system)? I mean, can I install them all at one time or should I install them step by step, in month order (first May, then June etc., if it matters)?

      Sorry for bad English

    • #35983

      I say wait until the MS-DEFCON level turns to 3. Then let the security patches install themselves.

    • #35984

      Yes, I’ll have to confess that I originally learned on IBM machines.

    • #35985

      This might well be one of the most interesting non-technical comments which I have seen here.

    • #35986

      Tonight I’ve read through Nathan Mercer’s Q&A
      at:
      https://blogs.technet.microsoft.com/windowsitpro/2016/08/15/further-simplifying-servicing-model-for-windows-7-and-windows-8-1

      and the following issues stood out for me —

      A. He says that there will be three main rollup patches each month:

      Security-only rollup: 2nd Tuesday of month

      Monthly joint rollup (security rollup and non-security rollup together): 2nd Tuesday of month

      Non-security rollup: 3rd Tuesday of month

      The non-security rollup is the one I haven’t seen mentioned here.
      I find it interesting that they will be releasing it a week after they release ostensibly the same non-security rollup within the joint rollup.

      original:
      “Nathan Mercer
      September 1, 2016 at 12:07 pm
      Security-only update will be released on Update Tuesday, the second Tuesday of the month
      Monthly rollups will be released on Update Tuesday, the second Tuesday of the month. Additionally, we will also release a new rollup on the third Tuesday of the month, containing only new non-security fixes.”

      ===========
      B. The next issue seems to me to undermine their stated strategy of eliminating the temptations of, and the very possibility of, computer owners’ having the temerity to conduct “fragmented patching” after they institute the new updating system in October.

      Comment by Nathan Mercer:
      “We are purposely releasing Security-only as a rollup but not cumulative like Monthly rollup is.”

      Reader question:
      “Will the monthly “single Security-only update” be cumulative, too?
      That is, will November’s single Security-only update supersede October’s single Security-only update?”

      Nathan Mercer’s answer:
      “No. Security-only update collects all of the security patches for that month into a single update.
      Unlike the Monthly Rollup, the Security-only update will only include new security patches that are released for that month.”

      Reader question:
      “If I choose to install Security-only updates for several months and then stop for one or more months, what happens if I want to resume installing Security-only updates?
      Will I be required to first install Security-only updates for the missing months, or will I be able to resume leaving a gap?”

      Nathan Mercer’s answer:
      “we recommend you install all Security updates but you can pick and choose if you wish.”

      ??? He seems to be saying that:

      1. The security-only rollup that is issued every 2nd Tuesday of the month will only include THAT MONTH’s security patches.
      Apparently it will NOT be looking for any “delta” differences and inserting any missing patches into the computer’s “fragmented” patching history.

      2. The computer owner may choose not to install a particular month’s security-only rollup, and future months’ security-only rollups will apparently (?) not insist on the missing patches from the skipped month being installed before they install their load of new patches.

      This seems to introduce much more potential *fragmentation* into the windows patching process: Instead of scattered individual patches being left out/hidden/refused, entire blocks of patches (a month’s worth at a time) might potentially be left out if the computer owner decides not to accept that month’s security-only rollup (and not to install the joint rollup either, of course).

      Will there be problems if one month’s security rollup is not installed, and then a later month’s security rollup that the computer owner tries to install needs to patch an area of the computer system that was already *supposed to have been* partially changed/updated by a “missing” month’s patches?
      In that case, will the Windows Updating system simply tell the computer owner that there is an “error” and updating cannot proceed?
      Or will it be sensible enough to announce that X month’s security rollup is a prerequisite to this month’s security rollup, and the computer owner should now install X month’s rollup first?

      So, when Nathan Mercer wrote a little earlier in that Q&A,
      “Each month’s rollup will supersede the previous month’s rollup, so there will always be only one update required for your Windows PCs to get current”,
      it seems that there he was only talking about the *JOINT* security and non-security rollup.

      And what about the other half of the joint security and non-security rollup, the standalone non-security rollup, which will have to wait one week to be offered after the 2 big hitters have been unleashed?
      Will that standalone half of the joint rollup also just be a month’s updates at a time, where the computer owner is able to pick and choose which months to install?
      Will that standalone non-security rollup, like its sibling the standalone security rollup, have no built-in supersedence, no “one and done” kind of omniscient, omnipotent power to fix the poor computer’s historical fragmented wasteland?

      Will exercising the ability to pick and choose which months’ standalone rollups to install or not install quickly create problems with computers’ functioning?
      Will Windows Update simply refuse to soldier on when it is asked to apply a monthly standalone patch on a system where a prior monthly standalone patch was never applied, will it instruct us that we have to ‘install standalone patch from month x, then from month y, then from month z” before it will apply the current month’s standalone patch, or will it allow itself to be installed and possibly whitewash over some prior fragmented areas in the system that are missing some interim patches, without properly re-configuring those areas from the ground up?

      =========
      C. Based on readers’ questions, he identifies the following things that will not be in the three rollup patches (the joint rollup, the security-only rollup, and non-security-only rollup):

      Internet Explorer patches (at least not at the start, he says)

      Vista and Server 2008 patches

      Office patches

      Driver updates

      Windows Defender updates

      ============
      D. He says that some updates, if time-critical, will be released on their own, between Rollup Tuesdays:
      “In some extreme cases, we will release security updates “out of band”.
      In the new servicing model we will still be able to release security updates out of band if needed
      and then they would also be included in the next monthly rollup and security-only update that is released.”

      ============
      E. Nathan Mercer comment: “The rollups will start out small, but we expect that these will grow over time to something close to the convenience rollup size.
      Users connected to WU or WSUS can use Express and only download the deltas each month.”

      Does this mean that there will be a choice that Windows Update users will need to make on every Rollup Tuesday, between installing the “full” or the “express” version of the rollup? Or is “express” going to be the only option provided?

      ===========
      F. Nathan Mercer comment: “If you only install security and critical updates, then you should use the security-only update rather than Monthly Rollup.”

      ============
      G. Nathan Mercer comment: “The [Win 7 and 8] rollup model is similar to the cumulative updates being used with Windows 10.
      These CU are improving the overall quality of the OS while also significantly reducing the rate of support calls.
      So we consider the changes to be very successful and that’s why we are making similar changes with Windows 7 and Windows 8.1.”

      It seems hard to believe that the rate of support calls they have received has been reduced in the midst of all the Windows 10 kerfuffles, but even if they aren’t getting as many calls from customers for support help, is that really the best indication of a “successful” program?
      Maybe strongarming people into only having one option — “my way or the highway” — keeps them quiet, but if they are quiet, it doesn’t mean that they are happy, that they are without problems, or that your “you can have any flavor you want, as long as it’s vanilla” service is adequate for their needs.
      In a relationship, if communication ceases, it might not mean that there is blissful harmony, it might mean that the silent person has had enough and is planning to escape.

      =========
      H. reader question: “If an update that is included in a Monthly Rollup depends on the prior installation of an earlier single update which I chose to hide (i.e. not install) long before October 2016,
      will I be prompted to install that particular earlier update (for example, by Microsoft’s identifying the earlier update by its KB number)?
      Or will Microsoft install the necessary earlier update automatically through Windows Update?
      Or will the attempted installation of the Monthly Rollup just fail without an explanation as to why?”

      Nathan Mercer’s answer: “If there are any pre-requisites that are needed to install a monthly rollup we will ensure they are documented in our release notes.
      In general we try to avoid pre-reqs because it causes complexity for you and for us.
      Any update with a pre-req is not applicable in Windows Update until the pre-req is installed.
      So if we did pre-req on an update that you had hidden, it would never show as being applicable to you.”

      I interpret what he wrote to mean that:

      1. The computer owner will have to carefully read the release notes for each month’s Rollups, and cannot rely on any sort of automatic messaging popping up (while he/she is installing a Rollup patch) to warn the computer owner that there are parts of the current rollup patch that are secretly not being installed on this particular machine, simply because this computer is missing a prerequisite update.

      2. If there are any old-style updates that you put in the “hidden” zone prior to October 2016, you can forget about ever being told about the existence of, or being offered, new patches relating to them (i.e., requiring them as a prerequisite) which exist in the monthly Rollup patch collection. Other people will get them, but you will not, and you won’t be warned that you are not getting them.

      =======
      I. Reader question: “Will these monthly rollups contain updates that will prompt me to upgrade to Windows 10 or not?”

      Nathan Mercer’s answer: “No, GWX is not included in these rollups,
      also the free Windows 10 upgrade offer ended after a year on July 29 just been.”

    • #35987

      Yeah, beige clicky keyboard! C prompt, no mouse. good times.

    • #35988

      So, according to your Infoworld article, Windows Update could display up to 10 different items:

      – Security-Only Update
      – Monthly Rollup
      – .Net Framework Security-Only Update
      – .Net Framework Rollup
      – Internet Explorer
      – Flash Player
      – The Servicing Stack (Windows Update program itself)
      – dynamic updates
      – Windows Defender
      – Malicious Software Removal Tool

      Correct?

    • #35989

      Thank you so much, poohsticks….. that’s v. sweet of you……. love the cyberhug! Our youngest son told us the day before yesterday that he’s arriving to be with us day after tomorrow! To me that’s the nicest present a mother could have! Our daughter is muttering about High Tea somewhere …. not sure where……. so I am in their hands! Although I notice a lot of places run High Teas or Afternoon Teas starting at 2.30pm …. that to me is off putting…. Tea should be at 4.00 at the earliest and High Tea should be between 5 and 6pm… for those that may remember High Tea was for children as they would be tucked up in bed when their elders would sit for supper or dinner whichever the case may be!
      But of course those days are behind us!!! Thanks again for your birthday wishes….. poohsticks! LT

    • #35990

      Those offending patches exist, however that software runs on Windows and not the other way around and as such, ideally it should be made compatible with the OS.
      If this is not practical and there are enough situations when this is not possible, then stop patching. The computers need to be used for a reason and patching in itself is not that reason.
      Patching is just a manufacturer’s offer to do a repair under warranty, not an obligation. This is what most people appear not to understand. The easiest way to stop patches being offered, even under Windows 10, is to Stop and Disable Windows Update service. The side-effect is that in such a situation the responsibility for the security and good functionality of the system shifts from Microsoft to the user/administrator taking such an action.

    • #35991

      I envy you! Last time I had high tea was in Darjeeling – wonderful experience, and great tea!

    • #35992

      I believe that’s correct, although we won’t know until it starts happening.

      Microsoft has plans to, someday, roll the IE update(s) into the security/monthly updates, but heaven only knows how long that will be.

    • #35993

      That is one vision of dystopia. Millions of people not in the workforce, retired, on disability, whatever. Millions of people filling the casinos that bankrupt states and localities fall all over themselves to promote. People looking for something to entertain themselves when in another age they would be working. People in love with their little handheld toys, even to the point that the driver tailgating you so close you can see her in the mirror is looking down at her lap. People who actually seem to enjoy buying a call blocker and programming hundreds of fast changing phone numbers to beat telemarketers. People with the attention span of a moth.

    • #35994

      Ah! Darjeeling……. not that I lived there…… but lived in that area for quite a while as a child.
      Memories!! The teas were something else!! A ritual to be enjoyed! LT

    • #35995

      Agree.

    • #35996

      I went through the process of updating two identical 2009 HP laptops from Win 7 x64 Home Premium to Win 10 as part of the freebie update.

      These laptops are really only used for surfing and playing DVDs. I had been protecting them from Win 10 with GWX Control Panel (thank you, Josh Mayfield!).

      For the first laptop (mine) the update went very smoothly, and ended up with the last 1511 build.
      The second (my girlfriend’s), not so much. She rarely had the patience to let WU keep hers updated. I had to restore/reformat hers using the recovery disks, and I had the slow update issues.

      Finally got it handled thanks to the advice provided here, and ended up again with the last 1511 build.

      As I had no prior experience with Win 10, but knew beforehand about the privacy/telemetry issues, I followed the advice on a couple of good Youtube vids on turning everything off in the Privacy settings. I also used Spybot’s Anti-Beacon app, which amazed me when I saw all the telemetry being sent back to M$. I immunized both laptops from all telemetry. And haven’t turned either on since then, having read all the problems about the AU, etc. I’m waiting for the “all clear.” 🙂

      At any rate, what this post is really about is the new? newish? telemetry in Win 7. I’m posting this from my main PC, an ~4 year old Win 7 x64 Home Premium desktop. I usually do a reformat/reinstall about once a year, and never opt-in to the CEIP. Or so I thought. Ha!

      Last week, I thought I remembered seeing that the Anti-Beacon app worked from Win 7 on up to Win 10. So I installed and ran it and lo! only 3 out of the 45? 47? possible telemetry settings were being blocked, *including* only 4 of the 5 CEIP settings. Needless to say, all telemetry settings are immunized now.

      Also present on this box are the 4 KBs referenced in the PCWorld.com article here: http://www.pcworld.com/article/2978239/windows/microsoft-slips-user-tracking-tools-into-windows-7-8-amidst-windows-10-privacy-storm.html.

      But not for long! Uninstalling and hiding them in about 30 mins after I have some more coffee.

      Again, Woody, thanks so much for all your advice! You are a boon to all of us seeking to keep M$ out of our personal business.

      Also, a recommendation for those who haven’t used Anti-Beacon: It’s an eye-opening experience. It’s free, ad-free, and put out by people who have the same mindset of the rest of us here. 🙂

    • #35997

      I spent a lot of time there, and in Sikkim. Wonderful places. Where were you?

    • #35998

      Yes, but not all of the universe is dystopian! I see lots and lots of good things happening, too. Even if that stupid %$#@! smashed into my bumper while texting.

    • #35999

      Hmmm, you made me interested in SpyBot’s tool now. I am normally not very interested in this kind of application, but this one seems to be good, even if only for research purposes. I am wondering what additional functionality compared to a good firewall would it bring? Maybe specialised knowledge of Microsoft activity, which firewalls do not treat differently than any other network activity.

    • #36000

      “The largest single group of people has turned off Automatic Updates and never update.”

      None of this would matter if that were true.

    • #36001

      – Security-Only Update & Net Framework Security-Only Update will not be offered through Windows Update, only MU catalog
      – Flash Player is for Windows 8.1
      – dynamic updates have never been offered through WU, they are downloaded by setup if you do an upgrade or new install

    • #36002

      Bombay, (now Mumbai).. Karachi.. Kashmir… my father served in India and then Pakistan….grew up with camels, peacocks… spoke urdu, and sindhi like a native….my parents were very conscious of the disparity of wealth and health…. and were v. active in that area…… making a lot of friends there who if not themselves then their families still keep in touch with our family. After all these years seems like another lifetime! LT

    • #36003

      Thanks for that detailed extract and summary, most useful.

      I just have one question, if I may. When you quote “Users connected to WU or WSUS can use Express and only download the deltas each month”, what exactly are “deltas”?

    • #36004

      Wow. That must’ve been an extraordinary experience!

      I sporadically bummed around northern and northeastern India and Nepal in the 80s and 90s.

    • #36005

      In my experience anyway, a large percentage of the people still on Win7 just don’t have Auto Update turned on, and haven’t checked for updates in the past year – or they had Auto Update turned on, then got scared into turning it off by the GWX debacle. Of course, I don’t have a lick of evidence to back up that observation.

    • #36006

      I can tell you that I have 150 client computers that are all set to NEVER. They are however updated about once a month or so. No non-security updates are installed and have not been for a year or more. I can tell you they all work perfectly well.

      I strongly advise the Never setting to all that will listen. It is the only practical way for the average person to take complete control.

      I do have a question though: Is the Never setting in WU sufficient to prevent M$ from making changes without permission? OR, do I have to literally set the WU services to Disabled???????

      CT

    • #36007

      One has to be a masochist to have to read all this and figure things out. Rational people will just stop updating win10 altogether

    • #36008

      Not sure if this helps, but while updating the HDD of a new Win7 Pro-64 laptop I was trying different WU settings to facilitate the manual WU speedup patching.

      When I disabled WU in Services, it also disabled using the Windows Update Standalone Installer (error on my part to disable it. Off meant off, not disable.) When I just turned WU off in Services the standalone manual installer worked quickly as long as I was totally disconnected from online.

      I suspect the Never setting is adequate NOW, but who knows how or when MS will provide an “update” that changes that. That is my fear based upon their past practice to insert GWX ads in an IE Security rollup, or non-security changes into a security patch. From long habit I never leave my machine running when not in use. I also disable wake on Lan in BIOS because I do not need it. As a result even when I had GWX on my system, it never downloaded anything. I am still running GWX.

    • #36009

      I have used Spybot Anti-Beacon on two Win7 machines for about eight months now. It works great and as you say, is eye-opening.

    • #36010

      Disable the BITS service as well.

    • #36011

      It seems that there are many more objectives that MS is after than just avoiding patching fragmentation. Historically, most bad patches failed on their own merits and not because of fragmentation. Sometimes an installer might fail because of fragmentation but not all that often. I think MS would just like to morph protocols toward W10 so the recalcitrant W7/W8 users will realize resistance is futile.

    • #36012

      @Seff,

      Only yesterday did I learn what that term means in this context! ( https://www.askwoody.com/2016/details-about-new-cumulative-update-model-for-win7-and-8-1/comment-page-2/#comment-97310) So I am not sure if I’m right, but I think it goes like this:

      Apparently in Windows Update, the “delta” is the change/difference between what your system already has and what the latest system should have.

      As an example, if your computer already has updates 1, 2, 4, 6 installed, but not 3 or 5,

      and Windows Update thinks that to be up-to-date your system should have all updates from 1 through 6 installed,
      the “deltas” that it identifies in your case will be updates 3 and 5, which Windows Update will then go about installing so that your system is “compliant” with the latest Windows advice and practices.

    • #36013

      Don’t forget Microsoft Office patches, which will be offered separately via Windows Update, according to Nathan Mercer.

    • #36014

      I also am not a big fan of these types of 3rd-party apps, but, as you say, this one *is* good. The only other apps of this type I run are SpeedFan, CPUID HWMonitor, and CCleaner.

      In regards to your question, when you run Anti-Beacon, and choose show Options/Details, it gets fairly specific about what types of data it is “immunizing” against, and from where. I also like that it uses a log and that you can undo any changes you have made at any time.

    • #36015

      This question has been brought up on AskWoody before.

      I think I recall that last month, someone who works in your industry and often talks sense here said he/she had finally moved to setting the WU service to disabled.

      And I responded to that comment that I had decided I would also take that step.

      (I had asked about this issue on AskWoody a number of months ago, but at the time people had given reasons for leaving the service running, so I had. I think now that the risk from MS’ meddling is such that I’m going to leave the service disabled most of the time.)

    • #36016

      Totally subscribe to Woody’s observations. It is empiric for me too, but it seems to be accurate. One of the reasons is that the installation wizard in many situations, depending on what is selected in the final stages of the installation, leaves the Windows Update selection in an undefined state, which means not initialised, no Windows Update registry keys set and in some cases causing a weird random slowness with no apparent cause. Those systems don’t need to be updated to be fixed, only configured in one way or another. But they count for Never check for updates, although this is not configured.

    • #36017

      In theory and at least as things are now, the Never setting should be the best setting for your desired configuration.
      Disabling the service used to cause random unexplained behaviour in the past (before Windows XP and including XP) due to it being a kernel service, but now because it runs under svchost.exe it may have a different behaviour. I am not aware of any adverse effects due to disabling the Windows Update service in Windows 7 and this is a recommended setting by Citrix and VMWare for minimising load when running virtualised desktops (Citrix XenDesktop, VMWare View). However I would avoid it on principle, unless it becomes a must.
      Even in Windows 10, the setting Never check when configured via Group Policy (Pro, Enterprise) does the job well without being overridden by Microsoft. However this can change and it is useful to monitor if for example a major update like the Anniversary Update does not reset the setting.
      For many others here there are concerns about Windows Defender or Microsoft Security Essentials that they may not update if Windows Update is disabled. If there is internet access and there is no special business like configuration with managed servers (WSUS, SCCM) for Windows Update, then Defender and MSE have registry keys configured by default to update directly from the Internet, regardless of the Windows Update configuration or service status.
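
A way to do the monitoring suggested in the post above (checking that an update has not reset the Never setting or re-enabled the services), as an added example that is not part of the original thread. The function names and the baseline file path are assumptions made for the example; the registry values read are the standard Windows 7/8.1 Automatic Updates locations.

```powershell
# Added example: snapshot the Windows Update configuration and compare it
# with a saved baseline, so a change made by an update is noticed.
# First run writes the baseline; later runs report differences.
# Assumption: the baseline file location below; change it to suit.
$BaselinePath = Join-Path $env:ProgramData 'wu-baseline.xml'

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or value is absent ("not configured").
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($item) { $item.$Name } else { $null }
}

function Get-WUState {
    # Control Panel setting on Windows 7/8.1. AUOptions values:
    # 1 = never check, 2 = notify before download,
    # 3 = download and notify before install, 4 = install automatically.
    $auKey  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update'
    # Group Policy equivalent; NoAutoUpdate = 1 turns automatic updating off.
    $polKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'

    $state = @{}
    $state['AUOptions (Control Panel)'] = Get-RegValue $auKey  'AUOptions'
    $state['AUOptions (policy)']        = Get-RegValue $polKey 'AUOptions'
    $state['NoAutoUpdate (policy)']     = Get-RegValue $polKey 'NoAutoUpdate'

    # Start mode of the two services discussed in the thread.
    # Win32_Service is used because it also works on PowerShell 2.0.
    foreach ($svc in 'wuauserv', 'BITS') {
        $s = Get-WmiObject -Class Win32_Service -Filter "Name='$svc'"
        $state["$svc start mode"] = if ($s) { $s.StartMode } else { 'missing' }
    }

    # Titles of hidden updates, from the local cache only (no network scan).
    # The query needs the Windows Update service, so it fails when the
    # service is disabled; that case is recorded instead of aborting.
    try {
        $searcher = (New-Object -ComObject Microsoft.Update.Session).CreateUpdateSearcher()
        $searcher.Online = $false
        $titles = $searcher.Search('IsHidden=1').Updates | ForEach-Object { $_.Title }
        $state['Hidden updates'] = (@($titles) | Sort-Object) -join '; '
    } catch {
        $state['Hidden updates'] = 'query failed (service disabled?)'
    }
    $state
}

$current = Get-WUState

if (Test-Path $BaselinePath) {
    $baseline = Import-Clixml $BaselinePath
    $changes  = 0
    foreach ($key in ($current.Keys | Sort-Object)) {
        # Compare as strings so that $null and '' count as the same state.
        if ("$($baseline[$key])" -ne "$($current[$key])") {
            $changes++
            Write-Warning ("{0} changed: '{1}' -> '{2}'" -f $key, $baseline[$key], $current[$key])
        }
    }
    if ($changes -eq 0) { 'Windows Update configuration matches the baseline.' }
} else {
    $current | Export-Clixml $BaselinePath
    "Baseline written to $BaselinePath"
    $current.GetEnumerator() | Sort-Object Name | Format-Table -AutoSize
}
```

Running it after each patch session shows whether the Never setting, the service start modes or the hidden list changed since the baseline was taken; delete the baseline file to record a new one.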

    • #36018

      This is exactly what the Microsoft blogs state. I would mention in addition to @abbodi86’s post that WSUS seems to get special treatment and receive the Security only monthly update, although I wish it didn’t happen for consistency with Windows Update and for the simple fact that I am not in favour of selecting Security-only patches. This style of updating (plus the other few Important, non-security, non-recommended) is compliant with Microsoft’s own specifications though and perfectly acceptable for many or even for most people. It used to be for me too until about 1 year ago, when I realised how much added value is in some of the Recommended and Optional patches.

    • #36019

      Yep, although I expect that to change shortly, too.

    • #36020

      @Lizzytish, given your experiences and the social/cultural changes you have seen, you would be so interesting to chat with.
      (But I already had thought that after Ozymandias.)

      I got a chuckle the other day from your “we are a group of ‘enthusiastists’ (but google says that’s not the right spelling)”.

      Funny how one can feel certain personalities shine through across the “wires”.

      Glad to hear that your children are celebrating with you this week!

      Thanks to Woody for letting us get a bit personal just for a moment, in order to highlight the special birthday milestone of a valued participant here.
      🙂

    • #36021

      I have to agree that even if not everyone would follow all the Anti-Beacon recommendations, at least it provides a reference for what is happening behind the scenes and makes everyone interested aware of the amount of snooping for Windows and Office.
      I found that for my setup, on the Protection tab all CEIP Scheduled Tasks are blocked, but none of the other 3 settings are configured. CEIP Group Policy is not configured, however the equivalent setting is configured in the GUI, which means that one is a false positive.
      I still have to determine what “Telemetry Group Policy” does in addition to the other settings and I suppose the “Telemetry Hosts” is an extra safeguard configured in the Hosts file against communication to the Microsoft data collecting servers.
      On the Optional tab, pretty much the same situation, some configuration is already done for Office, other configuration is still to be determined how much extra value it adds.
      Useful little tool!

    • #36022

      @Manaka You may also like ThrottleStop from here https://www.techpowerup.com/downloads/2288/throttlestop-6-00
      The TechPowerUp forum has many pages of discussion about the use of the tool. It can be just launched and used as monitoring tool without any effect on the system, or can be used as configuration tool for settings not visible in the BIOS. It is completely portable, no installation is needed.

    • #36023

      There have also been some controversies about the organization.
      I read about some approx. 10 years ago (after they had put up some interesting-sounding job postings at my former university) that did give me pause, but the specifics have disappeared from my memory, as per usual.

    • #36024

      What you say may apply for Windows 7 or 8.1, but Windows 10 is still not a finalised product. As such, people using it hope that there will be improvements with every update. The even more rational thing is to discontinue the use of Windows 10 until it becomes a proper working operating system.

    • #36025

      I would say it is absolutely accurate! 🙂

    • #36026

      BITS would change its state regardless of the user setting, depending on requirements. If Windows Update service is disabled, then BITS does nothing. But it is worth trying disabling both just in case.

    • #36027

      I think the fragmentation issue has been brought into discussion mostly due to the large number of complaints about slow or never completing Windows Update scanning which was correctly diagnosed among others, many years ago by Woody and Susan Bradley. The occasionally mentioned magic patches which fix the scanning one month or another are just workarounds for this state of the Servicing Stack. The complete answer (in the technical sense) is to be fully patched, which obviously raises objections on other levels.

    • #36028

      On the subject of MSE….

      According to the studies I read, MSE is one of the poorest of the pack in defending against all manner of threats. I do not use it nor do any of my clients.

      http://www.av-comparatives.org/

      http://www.av-comparatives.org/wp-content/uploads/2016/08/avc_factsheet2016_07.pdf

      CT

    • #36029

      The Office Updates (non-security) have followed this roll-up model for a while. I don’t know if it was announced officially, but a full round of Office Updates (non-security) using full update files (not Express) are about 1GB each month. This is like a full re-installation of Office every month, very much like the full updates for Windows 10. This is where the Express style of installation can assist the end-users and also the Microsoft updating servers.

    • #36030

      @Canadian Tech,

      I think it’s good that you have alerted your clients to this matter. You have explained it in an easy-to-understand way, with sufficiently ominous tones.

      How have they responded to it, in a general sense? Do they tell you that this makes them nervous, are they pretty sanguine, do they ask you how feasible it would be for you to move them to a different computer system/software?

      I wonder what organizations are doing to make sure that the data they need to keep confidential is kept locked away. One wouldn’t normally expect to have to worry about data-interception and collection from the manufacturers of one’s legitimately-purchased-on-the-retail-market hardware/software. Is this still quite a new area for businesses to get to grips with, or are they pretty sophisticated about it these days? (I guess it’s sometimes called air-gapping?)

      I am actually going to forward your client letter to my relatives for whom I am unfortunately the closest thing they are ever going to have to an “IT person” (for their home/personal phones, tablets, computers).
      In the past, I have mentioned the “big picture” of what’s going down with MS (and Google, etc.) a little bit to them, but articles like Bradley’s and Bott’s and Leonhard’s are too complicated for them, and they simply aren’t motivated to think about it too much, but your short, hard-hitting, suitably-unclear-about-the-future note, from an IT director to his clients, will perhaps help them to wrap their minds around why some people are increasingly concerned about what is happening to Windows 7.

    • #36031

      Thanks!

    • #36032

      Well, Nathan Mercer’s explanation of how the Rollup Patches are going to work from October clearly indicates that they are still going to allow fragmentation to continue, because of the 3 monthly rollups that will be available each month, only 1 of the 3, the *joint* security and non-security rollup, will be cumulative on a monthly basis and fight against previous and future fragmentation.

      The security-only rollup and the non-security-only rollup both will, apparently, only involve the patches for that particular month, and customers can choose whether to install each month’s rollup or not.
      (Installing later security-only or non-security-only rollups will apparently not fill-in the fragmented gaps left by deciding not to install a particular month’s security-only or non-security-only rollup.)

      He also said that if you don’t have a particular patch already installed that is a prerequisite for a current month’s patch (within the patch rollup), you won’t be alerted to that situation, and the current rollup will just decline to give you that particular part of itself, and will just press on with the other things that it can put onto your computer. He said you have to *read the release notes* that accompany the rollup patches each month, to see if there are any prerequisite patches that must be in place on your computer for the current month’s rollups to give you their full bounty.

      Not only is Microsoft’s new rollup patch plan allowing for a lot of fragmentation to continue at the choice of the customer (if they choose to install on a monthly basis one or both of the non-security-only and security-only rollups, rather than installing the cumulative joint security and non-security rollup), but Nathan Mercer seemed to be pretty okay with people choosing to ignore the cumulative joint rollup when he offered the comment, “If you only install security and critical updates, then you should use the security-only update rather than Monthly Rollup.”
      If MS were SO concerned about people’s no longer being able to pick and choose what patches to install, I would have thought that Mercer would have spent more time explaining that even if you *think* you only want to install security and critical updates, even if that is what you have done in the past, that now it’s really in your best interest to install the joint, cumulative monthly rollup and leave Microsoft to know what is best for your system. (However, I realize that he was speaking to a highly technical audience in that Q&A, whom he’d be less inclined to lecture to.
      However that didn’t stop some doublespeak from featuring, ha ha!)

    • #36033

      My experience is that the average User had no clue that the GWX campaign was even going on (they either got Win10 by surprise or they didn’t) and they have been on Automatic (default) because they have never looked in the Control Panel or at the Win Update settings.

      They just USE the computer and get whatever it gives them.

    • #36034

      I remember that I tried Spybot Anti-Beacon a few years ago, but I’d had a problem with using it.
      To see what that might have been, I looked at their Wikipedia entry just now, and I think it must have been because my third-party internet security/anti-virus program had refused to let Spybot Anti-Beacon on my computer. It seems that some third-party anti-virus programs did not like it a few years ago, due to a bug in Anti-Beacon that they later fixed, so it probably is compatible with them now.

      I had also seen some more general concerns expressed about Spybot, at the time when I tried to give the Anti-Beacon a whirl. Don’t remember what, but it was likely about safety/security.

      In the following discussion, there are a few concerns expressed about it, regarding using it for Windows 10:
      http://www.wilderssecurity.com/threads/spybot-anti-beacon-for-windows-10.379000/

      A short discussion of it here: http://www.dslreports.com/forum/r30534607-Anti-Beacon-worth-installing

      Long article (though a year old) from Martin Brinkmann here:
      http://www.ghacks.net/2015/08/14/comparison-of-windows-10-privacy-tools/

      Here are some privacy tweaks that can apparently be done to Windows 7/8 (with or without using a specialized third-party program):
      http://www.ghacks.net/2016/06/12/donotspy78-windows-privacy/

    • #36035

      That chimes with what I’ve read about it in the past couple of years.

    • #36036

      It is even worse than that. I just in the last few days had a new client bring me her computer. She had no idea what OS was on it. She thinks she remembers that when she bought it, it had Win8. It now has Win10 and she has no idea how that happened.

      This is a typical user and exactly the kind that MS roped in in their GWX campaign.

      The outcome is that she now has a brand new computer with Win7 and it is well protected from GWX.

      CT

    • #36037

      @poohsticks

      To clarify: I do not service any business used PCs. These are all very typical Windows PC users. Ages vary from teen to oldster. Some in big cities. Some in small towns. I am a retired guy with over 50 years in the industry — just about Woody’s age. Those 150 computers all have win7. They are relatives, friends, friends of friends, neighbours, colleagues, etc. They get the service free and I really do look after them well. They trust me implicitly to look after their computers, and frankly if they did not, they would not be a client. Not a single one wants to even consider Win10. Many have looked at it, gagged and said no thank you. They are grateful that someone is protecting them from it.

      In summary, I get a pretty good feel for what the general public experiences and how they react.

      I strongly encourage them to do backups. I doubt that more than 10% do backups in spite of my warnings.

      FYI, you can also point your “clients” to http://www.canadiantech.info. I have a very simple small site there that has in it about 120 pages of mostly simple explanations to common user questions written in similarly easy to understand words. It also has a techie section in which I maintain some late advice on how to solve some of the bigger questions around today.

      CT

    • #36038

      Are you saying that Office updates are already being offered as a rollup via the average-consumer’s version of Windows Update?

      I don’t think I’ve encountered an Office rollup in my Windows Update — not that I’d know the difference, I suppose, if it looked like an ordinary kb number amongst all the Office updates I am offered every month — but then, if one of them were a rollup, would I be offered multiple Office kb numbers each month? I expect not.

      However, I love and use Office 2007. Is the Office roll-up model that is already being offered just for the latest Office version (Office 2013 or 2016 or whatever it is)?

      …Probably my clinging on to outdated but proven technology is going to save me some hassles, once again. 🙂
      But the idyll won’t last, because the days of being able to use Office 2007 are numbered, because they end when access to Windows 7 ends.

    • #36039

      We all know it, only that it is the most convenient option for many of us who do not believe much in the effectiveness of anti-virus products anyway. And many of us experienced very poor performance from highly rated anti-virus products due to their bloating, so just settled on what is thought by some to be the best trade-off.

    • #36040

      @poohsticks:

      Thank you very much for the numerous postings relevant to the present dilemma. We, the “average Joe users” do not have any idea of the best method to utilize when October 1st arrives in dealing with the update process.

      Those most “computer illiterate” are the elderly, and very elderly, who only wanted a simple OS, such as Win 7, to use for simple tasks such as e-mail, etc. We know we are not knowledgeable enough to understand much of what is posted, including many acronyms we have never heard of before. There are a few who are in their 90’s.

      Thank you for all of the information you have so graciously shared with us all. It is most sincerely appreciated. 🙂

    • #36041

      do you really want to start a political war?

    • #36042

      @poohsticks
      Here is the official approach of the Australian Government in relation to securing the IT systems. I think it follows very closely the US Federal Government recommendations, but I am not familiar with those guidelines. You may be interested in researching those guidelines as reference for how large organisations are currently reacting to the IT threats.
      http://www.asd.gov.au/infosec/ism/

    • #36043

      @poohsticks:
      “… As an example, if your computer already has updates 1, 2, 4, 6 installed, but not 3 or 5, and Windows Update thinks that to be up-to-date your system should have all updates from 1 through 6 installed, …”

      To be even more precise, I would modify the last part of the statement to read:

      “.. the “deltas” that it identifies in your case will be updates 3 and 5, which Windows Update will then go about *downloading and then* installing …”

      In other words, WU would download ONLY updates 3 and 5, the “deltas”, NOT all six updates.

    • #36044

      I don’t read the Microsoft blogs quite in the same way in relation to the fragmentation. There is a catch-up plan to fill in the gaps which will not happen overnight though.

      https://blogs.technet.microsoft.com/windowsitpro/2016/08/15/further-simplifying-servicing-model-for-windows-7-and-windows-8-1/
      “Over time, Windows will also proactively add patches to the Monthly Rollup that have been released in the past. Our goal is eventually to include all of the patches we have shipped in the past since the last baseline, so that the Monthly Rollup becomes fully cumulative and you need only to install the latest single rollup to be up to date.”

      I think the monthly rollups will have the same function that they have always had, to fill the missing gaps in the differential way. Where this is not feasible and I mentioned this in another recent post, the full installation of the patch (i.e. not the Express version) will be applied to fill in the gaps.

    • #36045

      You are right about the end-user behaviour. My post says actually that the setting is never configured by default, so it is in an undetermined state. It is neither Auto nor any other setting, just waiting to be configured. We may use different versions as reference though.

    • #36046

      This is a solution to fragmentation.

    • #36047

      Ain’t gonna happen.

    • #36048

      I don’t think the rollup model applies to Office 2007, it certainly does for Office 2013 and 2016.

    • #36049

      I think all those third-party programs which have anything to do with deeply modifying the default behaviour of an operating system would be considered harmful by other security tools at least until further clarification. The current version seems to be based primarily on Windows 10 and the features were ported back to Windows 7 and Windows 8.1 when the push for GWX started.

    • #36050

      Unfortunately the whole internet world seems to be gearing towards phones. Web pages with tile-like interface, ugh. I don’t own a cell phone and never will. But I do have 3 laptops, 1 desktop and 1 windows Transformer and am irritated with the state of things.

    • #36051

      Then there’s the idiot in front going too slow veering into the next lane while looking down…

    • #36052

      Thanks Woody and poohsticks for the kudos and memories of past times…. One of the things I’ve found in life is when you are among those who offer a freedom and generosity of life, as happens in this blog, that everyone excels in thought and expression of ideas…….. and makes for such an interesting time. And as someone pointed out there are users of computers in their 90’s no less……….. and I know some of them……… a great inspiration to us all!
      May we all achieve such heights! And Woody again many thanks for this great opportunity you allow all of us! LT

    • #36053

      Looks like a nice tool. I really like portable apps that you can carry around on a stick.
      Downloaded it and also bookmarked that site, which I’d never been to. Information & Knowledge = Power, baby! 🙂

    • #36054

      I’d used MSE for years, dating back to when an XP desktop was my main PC, up until about 2014, when I realized MSE seemed to be getting a bit long in the tooth, so to speak. I really liked that it was free, and that M$ actually produced a good A/V app.

      Then I switched to Kaspersky Internet Security, and haven’t looked back since. 🙂

      I also use Malwarebytes Premium for my anti-spyware/adware/malware needs, and am also highly satisfied with that product.

      Yes, they are both payware, but I’d come to the point where I realized I’d need to “pay to play” to keep my PCs and data secure. One can find both of those products on nice sales at times. 🙂

    • #36055

      And behold. Microsoft looked out upon the world and saw Pokemon Go. We can do it, Nadella said. We can do it with Windows 10!

    • #36056

      Sorry, me again. I have three copies of Windows 8.1 Home and Pro I purchased between 2013-15, which are still downloadable on the Microsoft Store.
      With the new rollups and all, what happens to these? Has Microsoft made them obsolete or dysfunctional?

    • #36057

      They’re neither obsolete nor dysfunctional. They’ll work precisely as promised.

      If you use them, you should definitely install all security patches. As for non-security patches.. that’s not a given. I hope to have some suggestions posted later today.

    • #36058

      I, for one, can’t wait until there’s a fully functional AR headset with the Minecraft Dinosaur mod.

    • #36059

      Currently, updates for the Microsoft Office Home and Business 2013 product on my Windows 7 machine are not done via Windows Update. Instead, they occur automatically. That can be annoying because they use a lot of internet bandwidth for a long time when they occur, due to their size. I now prefer to look for updates proactively, and if one is available I install it manually by using the following approach.

      Open any Office application (OneNote, Excel, etc.), and click on the FILE menu. In the left menu bar, select “Account”. Under the title “Office Updates” the current version number is displayed. To the left of that display is a tile button labeled “Update Options” that provides a drop-down menu of choices, including “View Updates” and “Update Now”.

      The View Updates option opens a website that shows the Current Version number, with Previous Version numbers beneath it. Compare that current version number to the one displayed previously via FILE->Account. If it is greater, then an update is available for you, and you can invoke it with the “Update Now” choice. But be prepared, because it will take quite some time to download and install.

    • #36060

      BitDefender and Kaspersky are by far the premium tools in the industry and in particular targeted to home users.
      I used the paid version of BitDefender for a few years but while it was very good, I thought it was baby-sitting me too much. However this may well be exactly what most less technical end-users require.
      There are many tools which would suit different preferences and computer work styles and this is OK.

    • #36061

      Make sure you have Windows 8.1 Update 1 (KB2919355 – acting like Service Pack 1 under a different name) https://support.microsoft.com/en-us/kb/2919355 installed before following Woody’s recommendations. I think there are good chances that after more than 2 years from release, KB2919355 is already included in the ISO, but check it just in case. Windows 8.1 with KB2919355 is the current minimum baseline for that Operating System. You can use Windows 8.1 without KB2919355, but you would be on your own, and whether that patch was installed would be the first question asked by any decent support person.

    • #36062

      @ch100

      Re:
      https://www.askwoody.com/2016/the-fallacy-of-fragmented-patching-in-win7-and-8-1/comment-page-2/#comment-97435

      “I think all those third-party programs which have anything to do with deeply modifying the default behaviour of an operating system would be considered harmful by other security tools at least until further clarification.”

      Do you mean that MSRT might kill the ‘intruder’ if it blocked M$ ‘telemetry’?

    • #36063

      Re: ch100

      https://www.askwoody.com/2016/the-fallacy-of-fragmented-patching-in-win7-and-8-1/comment-page-2/#comment-97429

      “Our goal is eventually to include all of the patches we have shipped in the past.”

      ALL? Heaven help us.

    • #36064

      I and my 150 client computers use only one product: Bitdefender Antivirus 2015. Note well it is not the full “protection” suite. It is an antivirus only product. Well it does have a thing called Wallet, but I shut it down on every install because it is just annoying.

      I have worked on literally hundreds of PCs. One thing I learned very well, early on, was that if the PC that I was trying to diagnose had a “protection” product installed, if I removed it, the diagnosis became far simpler. The software was actively working to prevent my diagnosis.

      Consequently, I will not tolerate anything but a pure antivirus product.

      My reasoning is that the other stuff that comes in those packages mostly claim to do something that Windows 7 does, only better. What I have learned over these nearly 15 years doing this, is that those claims are purely wrong.

      What you need is an excellent antivirus product and that is all.

      This product is an out of the face one. It just lies there in the background and does its job very well. Very little user interaction is necessary.

      For years I used the Norton antivirus product until they dropped it. After I switched to BD, client problems have dropped quite dramatically. Almost like the difference between XP and 7, from a support perspective.

      CT

    • #36065

      I don’t know about MSRT, which is more like a file scanner, but there is a chance for MSE or Defender to over-react.

    • #36066

      @SamH I think I don’t understand here: “Currently, updates for the Microsoft Office Home and Business 2013 product on my Windows 7 machine are not done via Windows Update. Instead, they occur automatically.”

      I think it was meant to say “they DO NOT occur automatically.”

      Sorry, I can’t find this:
      “Under the title “Office Updates” the current version number is displayed. To the left of that display is a tile button labeled “Update Options” that provides a drop-down menu of choices, including “View Updates” and “Update Now”.”

      Do you use one of the Office 365 versions?

    • #36067

      I used Avira a few years ago, it used to be very light on resources and according to reviews, it had one of the most effective engines of its kind. Very pleased with Avira, unfortunately MSE killed it for me due to convenience and probably because I don’t think that the anti-virus products are as useful as it is claimed, especially for those having a reasonable understanding of what is going on in a computer.

    • #36068

      I have an extra Win7 SP1 desktop computer in storage. It was purchased to replace another machine that proved not to need replacement. So far as I can recall, this computer has never been on the web to be updated, or at most it was updated once a few years ago.

      Would this be a good time to do all the Security Updates? What am I in for?

      I always expected that exposure to the Internet would ruin one of my two desktops (as it did with XP) and that this machine would be assigned to the Internet as originally intended. The off-web one still–I say this with fingers crossed–still works fine.

    • #36069

      I’d be interested if Woody has tried Linux Mint on another computer?

    • #36070

      Nope. I use Windows (various flavors), iOS, Android, ChromeOS and a bit of macOS.

    • #36071

      I believe the next Monthly cumulative will include the previous month non-security rollup

    • #36072

      @ch100 Let me provide some more context. The version of Office that is on my Dell laptop was preinstalled. When I click on the “View Updates” option, it takes me to the following website:

      https://support.microsoft.com/en-us/gp/office-2013-365-update

      That webpage reiterates the points I was trying to make. I hope this helps.

    • #36073

      Yes it appears that you have Office 365. I am sorry, but I don’t know much about that branch of Office yet. It updates differently and has different issues.

    • #36074

      It should be updating automatically….

    • #36075

      I think I see all the parts of the puzzle now. Apparently this version of Office installs a service, officeclicktorun.exe, described as “Microsoft Office ClickToRun Service”, and it is responsible for updating Office, instead of Windows Update. There can be some time latency between the availability of a new Office update and its installation by Click-to-Run. And it does not provide you with any control over when that update occurs. I suppose that for machines that run all the time, the updates would occur overnight. But for my case (running on a laptop that is normally turned off) the updates would occur at the most inconvenient times, without any warning. And I would be left wondering, why is my machine suddenly running so slowly, and why is my modem working so hard when I am not running anything of significance? Only later would I realize that an update to Office had occurred. That is when I decided to start acting proactively, and I can usually discover the availability of an update before Click-to-Run does!
      At any rate, if you have a service running on your machine named “officeclicktorun.exe”, it is not malware. It takes care of updating your Office installation, instead of Windows Update.

    • #36076

      There’s merit to “don’t try to run a fragmented OS”, but it’s all arbitrary…

      Microsoft chooses what goes into these updates, and how tightly coupled they are with other updates.

      There is no question that it would be easier for them just to release bits and pieces of the OS so as to keep customer systems exactly up to date with what Microsoft has in THEIR baseline.

      The real problem, which is being skirted entirely, is that PEOPLE DON’T WANT all of what Microsoft is doing, and being able to avoid some updates has been a way for those users to assert control.

      Loss of that control is not “the answer”. Microsoft doing more of what users want is closer to it.

      -Noel

    • #36077

      +1

    • #36078

      That is problematic with updates being rolled into one. If there is a security patch in the cumulative update that breaks the program, I would have to remove the whole cumulative update just to fix this issue. Which would be removing other important security patches, that is a security risk.

    • #36079

      That’s precisely the problem – the Achilles’ Heel in cumulative patching.

      No amount of hand-waving will fix it. The problem’s congenital.

    • #36080

      There is no security risk larger than before installing the potentially broken patch. What can be said then about those deciding to stop patching completely? At least those who install and uninstall a broken patch will eventually be patched after a few days when the update is fixed and re-released. If it is not fixed quickly and just expired or not even that, then obviously it is not worth the effort from the Microsoft side and as such it is not quite such a huge risk.

    • #36081

      @wdburt1 I don’t think this is a better or worse time than any other time to get updated if that computer is not used. What should be taken into consideration though is the amount of trouble through which everyone has to go if patching is left too much behind. This is experienced by anyone installing new computers when they notice slowness or even the large amount of patches that are to be installed. The good thing is that from all our long discussions over here we have at least procedures in place to avoid most of the slow scanning or even failure to scan experienced not so long ago.
      If you decide to go ahead and patch now, I think a good starting point is Dalai’s list of patches which includes the Canadian Tech’s approach plus a few other patches. There is one difference between the two approaches in terms of the designated Windows Update client to be installed, but both are equally good for the purpose and eventually both should get installed at the end of the process.
      If the list of patches to be installed is too long, you may wish to install them staged, 10-20 at a time, depending mostly on the amount of memory available on the system.

    • #36082

      In the case of NComputing unfortunately, they simply tell you per their documentation on their website to not install the patches. So either you decide to install the patches which renders the NComputing program useless, or don’t install the patches. Not a good choice either way.

    • #36083

      @ daniel
      I tried that, but he’s got way too much on his plate… see: https://www.askwoody.com/2016/win7-and-8-1-to-get-cumulative-updates/comment-page-5/#comment-96093

      Hope it helps in some small way?
      G

    • #36084

      Thank you, @Canadian Tech, for your reply, and for the link to your site.

      The clients you look after sure are lucky to have you!

    • #36085

      @CH100,

      Thank you for providing me with that link.

      (Are you from Australia? I hadn’t picked up on that in your prose.)

      What a tagline:
      “Australian Signals Directorate:
      Reveal their secrets, protect our own”!

      That’s at quite a serious level. I was just curious in a general sense about what typical small and medium-size organizations are doing about air-gapping, confidential data protection, and the like.

      A couple of years ago I read some tips by security expert Bruce Schneier (sp?) about air-gapping.

      I never expected that MS would sort of force me to do something like that (air-gapping) with my own Win 7 computer, if I wanted to be certain not to expose it to malware/viruses via the internet (if I’m not going to continue patching from Windows Update after September).

    • #36086

      @Walker,
      Thank you for your kind message.
      🙂

    • #36087

      @CH100,

      What Nathan Mercer called the “Monthly Rollup” he described as a big, all-encompassing, cumulative rollup each month, including the security half and the non-security half of the new month’s updates, plus they intend to use it to insert all previous updates that have not been installed on the computer in question. That rollup will come out on the 2nd Tuesday of the month and it will be available on the normal, consumer-level Windows Update as well as the specialist way to get updates from the Catalog.

      Nathan Mercer also described two other monthly rollup patches that will also be available. They will only be available from the Update Catalog, not Windows Update, but they are open to ordinary Windows customers to use (if they dare). Neither one of those other two rollups, Mercer appeared to say, will be cumulative. They will only contain that month’s patches, and no other prior patches. They will not seek to fill in any historical fragmentation that the computer is experiencing. One of them will be the collection of that month’s non-security patches, and it will come out on the third Tuesday of the month. The other one will be the collection of that month’s security-only patches, and it will come out on the second Tuesday of the month.
      Speaking solely about those two non-cumulative “half” rollups, if the user chooses not to install a certain month’s “half” rollup, or to install it and then uninstall it, the user can go on in the future and install other months’ “half” rollups on top of that big hole in the update system — it will stay fragmented — apparently, according to what Mercer wrote during his Q&A.

      That is why I say that Microsoft is furthering the opportunities for fragmentation by bringing in this 3-monthly-rollups system.
      It will be a smaller crowd than before that has the time, ability, and interest to decline certain rollups and create holes in the computer’s updating history, but it’s not going to be only a tiny group of people if every organization of any size, every IT pro, and folks like those of us who follow Woody are going to have access to the non-cumulative security rollup and non-cumulative non-security rollup which (apparently) will be able to be installed, or ignored, on a monthly basis as the user sees fit.

      I don’t know if I correctly interpreted what Mercer said, or if he was mis-stating the facts, or if he’s any kind of authority to listen to (though it seems that he is).

    • #36088

      Yes, from Oz.

    • #36089

      I am not familiar with NComputing but I did a brief search after your post. If it is about Virtual Desktops which get destroyed at log off and recreated at every boot, then the importance of security patching is minimised.
      You have a decision to make. I would say go with the application provider recommendations and patch only when they recommend it. Then it is up to Microsoft to raise it with them if their recommendations are good practice.

    • #36090

      Absolutely install KB3138612. It is one of the most relevant and useful patches released in the last few years.
      All Important (not considering Recommended among them) updates must be installed as they fix critical functionality issues. There are not many in that class anyway. From my point of view, if no other patching is done, the Important updates are the ones to install with priority. They fix things, while the Security updates have the potential to break things. But both should be installed as a minimum.
      For all the other enquiries, follow Woody’s advice when the time comes.

    • #36091

      Your interpretation of Mercer’s answers matches my expectations.

      Wouldn’t it be nice if Microsoft came out and, you know, actually said it?

    • #36092

      I think reason for “Update reorg” is – looking from their Corporate viewpoint…
      They have BIG customers that pay per seat. They usually have an IT dept so require little interaction. Easy money as long as they can write code that works.

      Then there is the general public who “require” support , lots of interaction and EXPECT a $99 OS to work flawlessly – for years. Oh, and be backward compatible with every program they’ve ever owned.

      New mgmt looks at that on the whiteboard and says:
      to run more efficiently/be more profitable we need to: ….

      It’s the public that doesn’t ‘migrate all at once’ – for whatever reason.

      THEY want one version of code that will run on all devices, eliminating need to support old OS, making it easier to sell ads (if only one flavor of ad needed), better ‘spyware’ (whatever the tech name for THAT is) like Google, Amazon have for tracking users. (hence the new browser)

      IF they can get there and THEN THEY can just “stay current” with that one OS it’s gravy time.
      On paper. Less support / more revenue to bottom line.

    • #36093

      @Bob. That’s $99 times about 500 million.

      CT

    • #36094

      Not anymore. They let everyone GET from 7 /8 to 10 for FREE. NOW their angle is selling apps to these new Win 10 users.

    • #36095

      With those patches installed it takes away multiple virtual desktops, you can only log in one session. One session doesn’t do me any good when in our case we should be getting 10 sessions. That defeats the whole purpose of the software. We haven’t used it for anything in quite some time. We will probably just get rid of it altogether soon. For those that rely on it though for a cost saving situation (labs, schools, etc.) it is a sucky situation.

    • #36096

      Don’t blame it on the sunshine
      Don’t blame it on the moonlight
      Don’t blame it on the good times
      Blame it on the [Microsoft] boogie

    • #36097

      In fact all big software companies make more money from supporting poorly written software by selling support agreements to large companies, than from selling software. Only smaller organisations have IT departments which are on their own.

    • #36098

      Thank you ch100!
