Some interesting observations about express installation files in Win7 from Gregg Keizer at Computerworld. Anybody care to comment on this? only some
[See the full post at: Windows 7 Monthly Rollups are getting bigger – here’s why]
|
Patch reliability is unclear. Unless you have an immediate, pressing need to install a specific patch, don't do it. |
-
Windows 7 Monthly Rollups are getting bigger – here’s why
- This topic has 59 replies, 25 voices, and was last updated 7 years, 4 months ago.
AuthorViewing 22 reply threadsAuthor-
Anybody care to comment on this?
Yes – it’s time to start thinking about moving to Linux Mint, if you haven’t already done so.
Group "L" (Linux Mint)
with Windows 10 running in a remote session on my file server -
The choice is heading toward:
A) Go with Group A and just accept what Microsoft wants to load onto your system.
B) Stop updating Windows 7 entirely. It’s not a death sentence. If you want to continue using Windows 7 online, you can conceivably do more to enhance security than to just rely on Microsoft patches to keep you safe.
I’m on group A (with a few exceptions) up through November with my hardware Win 7 x64 Ultimate system, which functions primarily as a server. I’ve had NO problems with it. It’s supremely stable and runs for months without a problem.
I’m planning to stay on plan A until forced off.
I haven’t found any new problems with the 204.9 MB KB4054518 December update on my virtual Win 7 test system yet but I’m not done testing, and anyway I’ll hold off updating the above hardware platform to December’s level until more folks have had a chance to brave the waters and report back. Thank you kindly, Woody, for being a clearing house for such info!
-Noel
-
I download the monthly security updates from this site, but I am in no hurry at all to install them. My PC works perfectly for all I need it to do and I see no reason to subject it to MS’s updates. I am sure they will sneak things into them if they haven’t already for use at a later time.
I do know for sure that not updating is certainly NOT a death sentence as I ran XP for nearly three years with no updates and had zero related problems. My Win7 machine now runs great and I am very confident in my current security configuration which consists of a half dozen layers at least including good personal habits. I now consider windows updates a security risk and have the WU service disabled at all times as well as several other undesirable/unneeded services with no ill effects whatsoever. I have Defender enabled, but no longer use a third party AV solution and had to manually pry AVAST off my system.
So, windows updates are not necessary for normal system function nor are they a necessary part of a strong security setup which is also why I could care less about the EOL date for Win7. Chances are I won’t be using Win7 as my primary OS long before then anyway, so windows updates are optional only for me and I do not see the need to put my system in the hands of a corporation I no longer trust.
I used to not think much at all about Microsoft updating Windows for me not even when I first got this Win7 box and WU screwed up Win7 all by itself just letting it update on it’s own automatically. Combined with the GWX and being informed by sites like this one, I no longer trust MS with my personal property. I find it to be much more satisfying and secure to just take matters into my own hands and do it myself and am quite pleased with the results.
7 users thanked author for this post.
-
I totally disagree. I am on Group B, and much more on Group B than most. The Holy Grail of hacking used to be being able to implant into Firmware. This still is the Holy Grail for State Actors. Yet for Cyber-criminals, the new Holy Grail is the Cloud since breaching the Cloud has potentially infinity larger payoffs which might not be revealed for years.
Group A: Your computer contacts dozens of Microsoft servers AND third party servers which are located around the globe.
Group A is, at least for me, a major concern — especially since Microsoft has partnered with third parties to which telemetry is sent to. So imagine this if you are on Group A…
Your computer, on Group A, automatically sends telemetry data to several dozen servers which are located around the globe. Replies are sent to your computer. The Windows code on your computer, which receives all replies, has to be up to stuff to reject malicious responses and to prevent all types of buffer underruns and overruns, and without relying on DEP to provide such buffer and memory protection since DEP is easily defeated — as was proven well over a decade ago.
A 25 year old hack which installed a virus on all of our WinXP computers: Every time our computers updated their system times from online atomic time servers, an attack by a specific individual installed a virus via the momentarily opened ports on our computers which were expecting nothing more than an update for the current time from the Microsoft time server which was contacted. This went on for two weeks. The perpetrator was a professor at a university in England. On the final attack, we immediately called the professor’s phone number for his laboratory. He didn’t come to the phone, yet the attacks stopped immediately thereafter.
The point of the above story is to indicate to you that Group A Windows telemetry is not only sent to dozens of servers around the world, but also is sent through specific ports. And when those dozens of ports are opened such that the running telemetry code on Group A computers is running, then all that you have to rely on is the presumption that nothing nasty is going to come back through those same momentarily opened ports which the said running telemetry code can’t properly handle and discard before bad things happen.
If I were the Russian Mafia, then my focus would be on getting into JUST ONE of the Microsoft or third party servers which Microsoft’s Windows telemetry communicates to, after already figuring out what types of responses to all Windows computers will take down all AV and DEP defenses via bad code within Microsoft’s Windows telemetry code.
8 users thanked author for this post.
-
I understand your concern with allowing software to install directly from Microsoft’s servers, but do you really think such an attack could be kept secret for very long? A bit of awareness about what’s going on across the update world – such as what’s provided by this site – is all that it takes to be reasonably well-protected from a cloud-staged attack.
If you DO think that a really sophisticated actor could piggyback badware in an update and hide it for a long while, how is being on Group B any different?
You might choose to download particular KBs from whatever Microsoft site their web page chooses on a given date, wait a while, if you hear nothing bad download the same files again and compare with those you first downloaded, then only if they’re the same do you apply them? Thus you have some evidence that there has been no detection by others in the world of embedded malware. I suppose this could work for any set of updates – it really just shifts from “applied by the Windows Update Service” to “applied by you”. There could indeed be merit in that, but I do watch the servers contacted. It’s not quite as promiscuous a process as you make it out to be. These are the servers I found my system contacted to check, then install the December Windows Updates. Note that this is a minimal set, with telemetry servers (e.g., vortex.anything) already blocked.
[16-Dec-17 12:02:20] Client 192.168.2.44, www.microsoft.com A resolved from Forwarding Server as 72.247.3.187 [16-Dec-17 12:02:20] Client 192.168.2.44, crl.microsoft.com A resolved from Forwarding Server as 23.74.2.58 [16-Dec-17 12:02:20] Client 192.168.2.44, ds.download.windowsupdate.com A resolved from Forwarding Server as 13.107.4.50 [16-Dec-17 12:02:21] Client 192.168.2.44, fe2.update.microsoft.com A resolved from Forwarding Server as 191.234.72.188 [16-Dec-17 12:02:25] Client 192.168.2.44, download.windowsupdate.com A resolved from Forwarding Server as 8.253.45.239 [16-Dec-17 12:02:50] Client 192.168.2.44, crl.microsoft.com A resolved from Forwarding Server as 23.74.2.58 [16-Dec-17 12:04:16] Client 192.168.2.44, www.microsoft.com A resolved from Forwarding Server as 72.247.3.187 [16-Dec-17 12:04:16] Client 192.168.2.44, ds.download.windowsupdate.com A resolved from Forwarding Server as 13.107.4.50 [16-Dec-17 12:05:05] Client 192.168.2.44, download.windowsupdate.com A resolved from Forwarding Server as 204.2.178.184
There is ALWAYS risk in installing software you don’t know the contents of – and given the nature of security patches at least some additional risk if you don’t. Thing is, NO ONE can possibly quantify accurately – or even roughly gauge – these risks. The trick is to try not to fixate on one particular risk while ignoring others, and have fallback plans in place.
Thank you for sharing your perspectives on this.
-Noel
P.S., it’s also possible to avoid most telemetry gathered by web browsing. Look into uBlock Origin, for example.
-
-
I am group A as well through December with no problems at all. I have Windows 7 Home Premium x64 SP1 on a 4th generation Intel core i7 4770 processor and Haswell chipset. Although the security and quality monthly roll up says 240 mb as the size, only about 50 mb or less gets downloaded; so I am assuming that Windows Update is checking my configuration first and only downloading what I don’t already have from the cumulative update.
1 user thanked author for this post.
-
@MrBrian says you are correct
1 user thanked author for this post.
-
-
-
I thought if you hid the rollup in WU, you were offered the sec only update that month. Is that incorrect? I mean, granted – even if it’s still true, the problem is, most users in that situation are not going to know that they need to hide 1 update to get the alternate.
Oy vey.
The thing that irritates me about the rollups vs the sec only is, if you run sec only (a la group B), there’s no way to get the feature changes separately and piecemeal. That idea is already dumb.All this proverbial ‘shooting of the foot’ that MS has done over the last 18 months… do they even have a ‘stump’ left at this point?
-
The Security Only Quality Updates for Win and the Cumulative Updates for IE11 are NOT offered through WU. They are manual download/install only.
The Security Monthly Quality ROLLUPS for Win are offered through WU. If you have not installed them, hiding the latest Rollup will result in the next latest Rollup (one month earlier) showing up in WU because you have removed the one that superseded it. They are cumulative, and each month’s Rollup supersedes all the earlier ones.
-
You can’t get the security-only update via WU, no matter what you hide. You have to download it manually from the Update Catalogue and then use the Windows standalone installer. Actually I find updates installed this way slip in faster and more smoothly that those I download via WU.
-
-
Pre-GWX I always patched when notified. Even then I had it set to Notify, but let me choose to download and install, but that was mainly due to an experience in XP when WU and Symantec both tried to do an update simultaneously, resulting in needing to reinstall Windows (fool me once, and no more Symantec).
After getting educated on GWX, I did the same, but checked around, found this site! (and others) and got careful (again fool me once). I removed the GWX related updates. I am now group B, for the Security only and IE rollup, but use WU for .NET and Office 2010 and follow the DefCon system.
I have been continually served driver updates via WU for Intel and nVidia products. I have seen Outlook become nearly useless for anything that serves images from remote content. I will stay Group B as long as I have access to the AskWoody KB article 2000003 maintained by Woody and PKCano. I have no WU updates hidden except hardware drivers, and only the big 4 telemetry ones uninstalled (but not hidden). Review of my Windows logs do not show any issues that are unusual. I have not heard of any ‘improvements’ served by Group A, plus I have all the pre-2016 updates except the telemetry ones.
Again, at its core, it is a matter of trust and needs. My goal is to both not receive an “improvement” that tries to improve MS bottom line by making Win7-64 Pro or Office 2010 unusable, or undo a setting that repaired an old problem.
Win10 is absolutely not in my future. I do not wish to buy new hardware to replace good hardware that does not work under Win10 now, or get served obsolescence ‘as a service’ when MS wants me to buy a new CPU or chipset because they abandon my 17-960 and X58 (an Intel ME-free combination).
I now have only 2 Windows computers left, both a Win7-64 Pro desktop and a laptop. For routine mobile uses on travel, 80% of the Win7 laptop duties are now done with a brand new iPad Pro and my iPhone. All other PCs have been converted to Linux (Ubuntu 16.04LTS netbook, Mint 18.3LTS laptop, and LXLE on the soon to be gone obsolete HP desktop test bed.)
My recent Mint 18.3 Mate “Sylvia” on my wife’s i7 re-furb Lenovo laptop was the easiest Linux install to date. She likes it more than any PC/laptop OS she has ever used, although she is making noises about an iPad. It is lightning fast on the SSD, and will most likely be the OS of the new desktop. The only unsupported devices under Linux are my Canon digital SLR (probably a non-issue since it is not the camera, but support software that is the issue) and certain features of the Garmin GPS.
For those on Firefox and Thunderbird, migration between the Windows versions and Linux is so easy it is unbelievable. I can use any PC we have and the Browser is always the same.
Noel’s solution A updating is not my cup of trust, and his solution B is not a choice I would do willingly, but may be forced into to keep at least one Windows machine alive and kicking.
10 users thanked author for this post.
-
Noel’s solution A updating is not my cup of trust, and his solution B is not a choice I would do willingly, but may be forced into to keep at least one Windows machine alive and kicking.
Bill:
Have you ever tried installing VMWare Workstation Player on one of your Linux machines, and then installing Windows in it as a virtual machine? I have both Windows 7 and Windows 8.1 (with Classic Shell) virtual machines installed in my Linux Mint 18.2 64-bit computer. Sometimes there is a task which I simply don’t know how to perform in Linux, and so I can do it in one of the Windows VMs. For example, I wanted to print a couple of pictures to my Canon Selphy printer; but there’s no Linux driver for this printer, so I had to print them from Windows.
The Windows 7 VM is fast in every way; but accessing the host hard drive from the Windows 8.1 VM is slow (I set up the host hard drive for sharing so that I could store my VM data on the main hard drive.)
The reason I went with Windows 8.1 is because it has five more years of support from Microsoft, as opposed to Windows 7, which has only two more years.
You may find that running Windows in a VM is more appealing for you than running it as the host OS. There are two things I like about the VM approach:
* I can get into Windows without ever leaving Linux.
* I see Windows only when I need it; at all other times, I turn Windows completely off. In other words, Windows is the step-child in this case, rather than the parent. (Boy, that’s fun to say!)There is, however, one limitation with the VM approach that doesn’t exist when Windows is your host system: If you have a wireless printer, it will generally be easy to detect and install in Windows. But sometimes it can be impossible to install your wireless printer in Linux, unless the printer has first established communication with the router. So if you first install your wireless printer on a computer that has Windows as the host OS, no problem. But if you try that when Windows is a guest OS, you might not be able to do so, because the guest OS isn’t interacting directly with the external devices, but rather must pass through the Linux gateway. This is what happened with my Canon Selphy printer — Linux couldn’t see it, and so the Windows VM couldn’t see it either. (I ended up installing it as a USB printer rather than a wireless printer.) This problem didn’t happen with my Canon PIXMA MX490 printer, because that printer allows you to do the network setup via a USB cable. Then once the Windows VM was set up for wireless printing, Linux could see the printer and I was then able to set it up in Linux. But the Selphy printer doesn’t offer USB setup for wireless printing.
If you go the VM route, be sure to install it on a 64-bit version of Linux, not a 32-bit version.
Jim
Group "L" (Linux Mint)
with Windows 10 running in a remote session on my file server
-
-
That is a great article by Greg Keizer. Thanks Woody!
I have my personal take above. Hoever, the one thing I keep thinking about is sizes relative to the users internet access.
I used to edit a newsletter with photos and was always very careful to keep in under 500K if possible, out of respect for those who were not on cable broadband or other fast internet service.
How are people and companies in the non-broadband areas coping with these massive downloads and twice a year OS upgrades? From my pre-cable modem days these updates could put a PC out of commission for many hours or even days downloading huge files. It would be even worse when the install failes for a file issue or interrupted download.
There is also the issue of the amount of telemetry that is transmitted over a monthly basis (the basis many ISPs or telephone companies bill).
If they are on cellular data it is huge, and from my travels there are many areas that are not 3G, let alone 4G, LTE, or WiFi. I do not expect to see true high speed broadband for many areas in my lifetime due to lack of interest by corporations or governments to invest in anything except the short-term.
Just a comment on how rather than addressing and facilitating connectivity for all areas with the new tech devices, there seems to be those with blinders to those not in areas served by the major ISPs and Telcos.
-
There were comments in a recent thread regarding the size of the Security Monthly Quality Rollup. Apologies for not looking it up and giving proper credit. I started to contribute, then withheld after getting mired in the details. As I only look at a 64-bit installation of Win7sp1, I had forgotten the x86 was lighter.
I too have questioned the quoted size before downloading GroupA style, but for different reasons. Knowing the Microsoft definition of the word Rollup from the sometimes confusing corrections seen here at AskWoody, I expect it to continue growing. However, I do have a metered connection, and observe large file transfers because of that. Actually, I track usage daily with the goal of having Gigabytes available before end of month. So that I may treat myself to another new Operating System image file to test out while preparing to migrate to Linux.
In my experience, the traffic across the router is never as large as the quoted update size. Not by a long shot. The November SMQR was quoted at 203.4MB by Microsoft. Because the installation resets traffic volume statistics in Task Manager, I make arithmetic deductions from the router information to say that only 23MB of data were received through the router. I used to believe the quote was required disk space on the target drive to allow for installation, and a compressed file was transferred. But that is an amazing amount of compression, and this is not visual or audio media.
For a long time now, I have believed the transferred size is mitigated by only delivering what is required, despite the language used to describe the process by Microsoft. But how do they know what is required? The linked article describes the express delivery as being larger throughput because of the need to compare images before packaging. Since that is not what I observe, I conclude a mirror is maintained on that end, maintained by telemetry, and the comparison is made remotely before delivering the small package.
Another possibility is that the full size of 203.4MB is delivered in many pieces, ‘pushed’ without request, throughout the period of time from Second Tuesday until I decide to install the SMQR more than two weeks later. These individual pieces would be small enough to hide in normal use. An extra 10MB cummulative each day for eighteen days is around 8% of my normal daily use, averaged out. The 23MB transfer is simply the balance of the package not yet received. Noel Carboni has a sytem isolated and observed closely enough to shoot holes in this. But there may be a Hiesenberg-like uncertainty here. The isolation may be the reason for the lack of observation.
A less likely possibility is that I am the victim of a very benevolent man-in-the-middle attack. I welcome better information to describe my experience.
-
There were comments in a recent thread regarding the size of the Security Monthly Quality Rollup. Apologies for not looking it up and giving proper credit. I started to contribute, then withheld after getting mired in the details. As I only look at a 64-bit installation of Win7sp1, I had forgotten the x86 was lighter. I too have questioned the quoted size before downloading GroupA style, but for different reasons. Knowing the Microsoft definition of the word Rollup from the sometimes confusing corrections seen here at AskWoody, I expect it to continue growing.
I think that might have been me:
https://www.askwoody.com/forums/topic/december-patch-tuesday-is-out/#post-151605
https://www.askwoody.com/forums/topic/december-patch-tuesday-is-out/#post-151628
I too am confused about the cumulative rollups being incremental or differential. The file size is clearly written in WU, but it somewhat defeats the point of scanning the system for so long. It’s not just users wasting bandwidth by re-downloading a big chunk of the same thing each month, MS servers send it out. Wasting bandwidth is not a good business practice.
Also stuck with a metered connection but with a daily cap rather than monthly, I have been using WSUS-offline for over a year and haven’t checked data usage on WU for cumulative/rollup since the rollups started. I’ll test this out later this month, nothing beats proof over supposition.
1 user thanked author for this post.
-
-
-
For me, with an old 90 KBps DSL internet connection, it’s the difference between downloading 203,000+MB from WU taking around 45 minutes times two (two computers) versus downloading and saving the main Windows Security Only update (23MB) and the IE update (52MB) from the Update Catalog once. I can then use the saved update files on my other Win 7 computer. Beaucoup time saved! Then all I have to do is get the Office updates, etc. from WU and I’m done.
This is one of the main reasons I’ve gone the Group B route. The next route I go, if forced, is Linux!
Being 20 something in the 70's was so much better than being 70 something in the insane 20's -
Wow, I thought the 250KBps satellite here was bad. Whatever the speed, there is also the daily data cap of 450MB. We’re in group A with 3 Win 7 PCs so setting WU to never check and manually downloading the update to USB drive once (or WSUS-offline in our case) is essential. There are millions of us stuck with no better option in North America alone, some countries are much worse.
What happens to Windows users on slow, metered connections if they don’t learn the tricks? What about Windows 10 upgrades? Who doesn’t know someone running Windows 10 with no knowledge of settings beyond the most basic?
Chrome/cloud computing? Fuhgetaboutit. It’s easy to point the finger at Microsoft, but Apple and Linux need updates too. One nice thing about Linux Mint and Ubuntu, they don’t just download and install updates on their own (last I checked). For those with really slow, metered internet, Linux is likely the best option (apart from all the software/games and some hardware that only runs on Windows).
1 user thanked author for this post.
-
-
-
IMO – A compelling reason to have chosen Group B. These updates are tiny.
There are no new feature updates of any consequence for W7 at this time. Security Updates (not monthly rollups) and IE updates are all that is needed to keep a W7 consumer system secure until 2020.
There are several trusted online sites that provide direct download links to the SECURITY ONLY KBs, so all one has to do is click on them. No need to go to the MS catalog to get them.
The article from Gregg Keizer at Computerworld says it all. Installing the W7 monthly rollup is like installing an ‘SP2’ every month. And its growing. MS have not completely cleaned up W7 updates (prior to Oct 2016) as they originally promised to do – they made a start and then abruptly stopped. It is apparent that MS is no longer willing to invest time, talent and money in an OS that will be at end of life in 2 years.
I respect those who have chosen Group A. No need to send an assassin to take me out.
-
…. I’m Group B but I absolutely dread the day I might have to do a clean install on my 7 desktop or 8.1 laptop. As for 7, thank goodness for Simplix I guess…
I use the Simplix patch myself with doing clean installs of Win7. What an incredible it makes… only a dozen or so patches to install after 1st boot instead of well over 200. But it’s far to geeky for most users.
-
-
The monthly rollups are so big that they jam my 56KB modem.
1 user thanked author for this post.
-
If that’s a joke, it’s not funny.
If it’s not a joke, it’s not funny.
1 user thanked author for this post.
-
Funny whether true or not. Funny funny vs. funny ha-ha.
1 user thanked author for this post.
-
-
-
Group B (Win 7 x64) here.
I pretty much locked down my systems when the GWX fiasco began. I blocked many an update associated with GWX, telemetry and other potentially problematic issues plus unneeded features. I also deactivated certain tasks in the scheduler and disabled certain unneeded services as well. A bit of a paranoiac maybe…
Between GWX and patchocalypse, I only installed individual updates after careful research here and on other sites. Since October 2016, I’ve just installed the ‘security only’ updates, needed .NET updates and Office updates. Results: My three Win7 systems are running fine and do everything I need them to do. Lots of backup images, too.
If I ever have to reinstall from scratch, I will likely resort to using WSUS-offline or Simplix. I’ve got a copy of Simplix as of 9-17-2016 (just prior to patchocalypse) as well as the most current one that includes “feature updates” (should I chose to sort of join Group A).
Here’s a question, though: My understanding was MS would eventually start absorbing older and older updates into the monthly roll-ups – and probably deleting those from the WU site. Does anyone know whether they’ve started doing that yet – and if so – how far back prior to October of 2016 they may have gotten?
Win10 Pro x64 22H2, Win10 Home 22H2, Linux Mint + a cat with 'tortitude'.
-
Here’s a question, though: My understanding was MS would eventually start absorbing older and older updates into the monthly roll-ups – and probably deleting those from the WU site. Does anyone know whether they’ve started doing that yet – and if so – how far back prior to October of 2016 they may have gotten?
No, they have not yet fulfill their promise to incorporate “old” patches/fixes in the Rollup
all updates replaced by the subsequent Rollups are only replaced because of new security or quality fixesthat being said, Since September 2016 rollup KB3185278 (the very first update in the Monthly Rollups series), almost 80 updates are replaced by monthly rollups
this include some request-only hotfixes -
-
What I have found is that stuff mailed from companies such as ad flyers, newsletters from organizations, notifications, etc. have images that are remote content. Outlook blocks the remote content, so the images show only as an outline placeholder with a small “X” in the corner. I found an advanced setting where you can go and select allow remote content, but I have been loathe to do that since it is Outlook and a part of Office with potential interactions and past vulnerabilities.
Thunderbird also blocks the images, but has an option to allow the content both case by case or by sender instead of a blanket setting.
The majority of commercial emails with images that are blocked also have a notice that if the images are missing to view the email in a browser.
I would estimate it was late 2016 when that started because that is when I began using Thunderbird for viewing the specific e-mail accounts that I use with commercial sites from which I want to get email and notices. That alone greatly diminished the amounts of unsolicited emails in the personal account. Due to the blocks happening suddenly, I suspect an Outlook update tightened up the settings.
Outlook is for more personal use, due to a large archive and some custom rules I created to route and archive certain types of email, but I have some commercial sites that predate Thunderbird and the unique email.
To minimize the Outlook archive, I have backed up all the older emails into a PST on an old XP machine that does not connect to the net, but is able to open the archives of Outlook.
When users have an Outlook PST file it is an issue that should be taken into consideration when considering an alternative OS or email clients. I am not a cloud type so the majority of my email accounts are on the HDD clients on my PC and do not remain on a remote server. The exceptions are the ones I access with the iPhone and iPad and/or use for 2 factor authentication notices.
1 user thanked author for this post.
-
-
-
All very well for Microsoft to do this in their MS-centric (US) world view.
But here in Australia, for example, lots of people have internet plans with very little bandwidth or slow connections.
So someone (like my grandmother, who only has the smallest data plan available because all she does is use email with relatives) can have her OS chew through 25% of her monthly allowance just by having Windows set to auto-update. Thankfully I do it for her via WSUS Offline via a USB stick.
But similarly, people who are stuck on mobile internet plans, a) they have their connection slowed right down when Windows decides to download the update and b) it costs them a fair chunk each month in their data plan.
Really wish Microsoft would not just assume that everyone that uses Windows has access to cheap, fast and unlimited internet.
No matter where you go, there you are.
-
There’s a few million of us in USA with nothing but awful ISP options at outrageous cost, but some countries have it far worse. I keep ranting about it here and everywhere I bother to post online, but there’s very little sympathy. In fact, there are trolls mocking those of us with no other ISP options.
Good for you finding WSUS-offline, same situation here on all counts. So what do those without similar help do?
Edit: r
3 users thanked author for this post.
-
-
-
-
-
-
-
From Windows Embedded OS Down-Level Servicing Model FAQ (my bolding):
“Q4. How can machines with size limitations download Monthly Rollups?
A4. We understand that some machines have size limitations. While either the Security Only Update OR the Monthly Rollup is necessary to be covered for critical security fixes for a given month, we recommend installing the Monthly Rollup because each update will only download the new delta fixes (for customers using Windows Update, or WSUS with “express installation files” support enabled). In addition, with new Monthly Rollups superseding those from previous months, disk cleanup will remove the older installed and superseded Monthly Rollups after a certain amount of time (see below Questions for further details). In comparison, the Security Only updates (which are not superseded by the subsequent Security Only update) will continue to reside on disk and not be replaced if any binaries are in multiple updates, which consumes greater space over time. Please note that removal of superseded updates happens automatically on Windows versions equal to or newer than Windows 8. For Windows 7, the user can apply the Task Scheduler to create a recurring task to run the disk cleanup tool.Starting February 2017, the Security Only update does not include updates for Internet Explorer. With this separation, the Security Only update package size is significantly reduced.”
From Further simplifying servicing models for Windows 7 and Windows 8.1 (my bolding): “From October 2016 onwards, Windows will release a single Monthly Rollup that addresses both security issues and reliability issues in a single update. The Monthly Rollup will be published to Windows Update (WU), WSUS, SCCM, and the Microsoft Update Catalog. Each month’s rollup will supersede the previous month’s rollup, so there will always be only one update required for your Windows PCs to get current. i.e. a Monthly Rollup in October 2016 will include all updates for October, while November 2016 will include October and November updates, and so on. Devices that have this rollup installed from Windows Update or WSUS will utilize express packages, keeping the monthly download size small.“
-
I agree with abbodi86’s comment that, as far as I know, the process of purposely incorporating older updates into the monthly rollups has not begun yet. The main reason the monthly rollups have been getting bigger is probably because there are files that exist in newer monthly rollups that don’t exist in older monthly rollups. As far as I know, the only reason for the inclusion of these files in newer monthly rollups is because they are needed for fixes introduced in the newer monthly rollups. Example: File usbhub.sys is included in the Windows 7 November 2017 monthly rollup, but is not included in any of the previous Windows 7 monthly rollups. The documentation for the Windows 7 October 2017 monthly rollup (should actually have been the November 2017 monthly rollup) lists: “Addressed issue where USBHUB.SYS randomly causes memory corruption that results in random system crashes that are extremely difficult to diagnose.”
-
With two years to go until end-of-life, I wonder if Microsoft will even bother fulfilling their earlier promise.
Sigh.
1 user thanked author for this post.
-
-
-
-
For Group A regular users it doesn`t matter. After your done with the update you go in and free up disk space. The update is around 200 mb and the disk cleanup gets rid of close to that amount.
1 user thanked author for this post.
-
Much ado about nothing, a comedy.
On one test system running Windows 7 that was fully updated via group A (freshly installed mid-summer 2017), the quality rollup and MSRT update via WU was a total of 33MB to download and install.
Mea culpa for all my complaints about these rollups, but even while downloading there was no indication that the download would be smaller than 204.9MB for the rollup. I haven’t used WU for anything but MSRT in over a year. My bad.
I could also blame WSUS-offline which I’ve been using for over a year to update 3 Windows7 PCs, requiring the full download each month for the rollup. I will keep using WSUS-offline in general since I really like the easy option for a fresh install with all updates before the PC touches the internet. There are other methods but WSUS-offline is almost fire and forget, with an option for security only updates and Office updates.
Keep calm and carry on?
1 user thanked author for this post.
-
-
-
I am Win7x64, Home Prem. I have a headache just trying to keep up with it all. The “topic” which references primarily Group B, has a lot of information relevant to Group A as well so it’s actually necessary to try to keep up with that list too.
I think I’m okay for the present, however I do have an Optional (unchecked) listed as a PREVIEW for the Quality Rollup NET.Framework for 2017-10). That is KB 4042076. It is dated 10/17/17.
Reason I wonder about that is that somewhere along the line I think it was recommended that the NET.Framework for 2017-11 should be hidden as it “didn’t matter”. That one is KB4049016 and it is the 2017-11 which is now in the Hidden List. That one was not listed as a Preview.
None of the Optionals were checked, INCLUDING one which is quite “old”. It is KB3102429, and do not recall when that one popped into the update list.
The Important updates were both checked, and are the MSRT, and the update to the Win Defender. I have not seen that either of these are now “safe” to install. So I unchecked those.
I only have 4 in the Optional list, and 2 of those are for “drivers” which I do not know anything about so I do not attempt to do anything until I know what they are, and whether or not they are safe. I am having vision problems at the present time, so hoping I did not make an error on the KB numbers.
Thank you to anyone who can provide information as to the importance of the NET.Framework updates. I apologize for my very limited computer skills.
1 user thanked author for this post.
-
Hi Walker – First, no need to apologize for your level of computer skills. It takes all types for the world to go ’round, no?
Here’s a link to the .NET MS blog for November. Right at the very top it says there are no security components in the November patch. I’m sure you can find blogs for other month’s .NET releases just by clicking on the big .NET BLOG at the top. These will help you identify which month’s patches have security updates. If I remember correctly September was the last month that had security updates.
I would recommend that you install any .NET updates that have security components.
For what it’s worth, I’ve installed all the .NET patches (whether or not they have security components) on my WIN 7 Pro sp1 x64 computers with no ill effects. I do wait until Woody bumps the Defcon rating up to 3 or more for any given month. Also, you may be remembering there were issues with the .NET 4.7 release back in July (I think). I waited until a couple months ago before installing that one.
Hope this helps, and good luck with your vision, too.
-
@Dr.Bonzo and @Paul:
My apologies for being so remiss in responding to your excellent messages. I have been “hit” by a “cold”. I had my flu vaccination quite a while ago, so it’s some other kind of bug. I now hope to begin to feel better, and have time to read your messages, which I sincerely appreciate you posting. Hope to improve enough to have the wherewithal to read, and “understand” all of your messages. Not feeling like running any races just yet.
Thank you both for your messages, which I sincerely appreciate.
-
@DrBonzo: Excellent reference from your message as follows:
“I’m sure you can find blogs for other month’s .NET releases just by clicking on the big .NET BLOG at the top. These will help you identify which month’s patches have security updates.”
This link appears to be extremely useful. I learn from the messages you, Paul, and others who are very computer literate post here and share with others. Thank you to you both for providing information which we may never find elsewhere.
I found my error in your name, DrBonzo, and have corrected it in this message.
1 user thanked author for this post.
-
-
Hi @Walker , glad to read that your computer is okay for the present. That is good. This reply will display narrow and so become long, but I did not want to redirect you away somewhere else yet. Before getting specific, I thought I might try to orient you in the general sense.
At the time of our comments now on 26DEC, the AskWoody clearance has been given with the large green indicator MSDefcon4 displayed at the top of all pages since last Friday. So please know that the KB4054518: 2017-12 Security Monthly Quality Rollup for Windows 7 for x64-based Systems is considered ready to install. If you consider yourself GroupA, this is where you should begin.
I hesitate to give more specific advice, because I know you recently did extensive work with MrBrian. I would not want to confuse the good work you have already done if I missed something along the way. There are some items in your description that seem contradictory to me. But I do not know if that is because of a faulty condition, or the way you have described your information, or that I am reading incorrectly.
Here now is the link to Woody’s blog article announcing the recent MSDefcon4: https://www.askwoody.com/2017/ms-defcon-4-time-to-get-patched-unless-youre-using-win10-fall-creators-update-version-1709/ , that has a link to Woody’s Computerworld article. In that article focus on the section headed ‘Windows 7 and 8.1 patches’ to help you decide which method you chose to follow. Woody provides links to more detailed directions for the method you choose.
I hope you do not feel I have laid out a goose chase to follow. Those are not helpful, and I do not want to make you feel that way. However it is important to read why certain steps and methods are done the way they are done; instead of me telling you the method that works for me, but might not work for you. I think Woody and his team have done a wonderful job making a complicated process as simple as it can be made from outside of Microsoft.
If you stumble in those directions, please start a new question topic to isolate the discussion about your computer out of these other comments threads. https://www.askwoody.com/forums/forum/askwoody-support/windows/windows-7/ask-windows-7-questions-here/
And now to gently suggest something that may be best for your specific needs in regards to your described limitations. If following the reading, and keeping track of the MSDefcon# level introduces stress into your life, consider that Windows 7 has reached the end of useful life for you. Reduce your stress. Apple and Google make very user-friendly items at prices that cover a wide range of affordability. Each of these makers take over the update process for you and offer simplified recovery. For a person who demands control or is concerned about privacy, this is a bad thing. But millions of users enjoy reduced stress by allowing the manufacturer to maintain the process.
In the time I’ve taken to write this out, DrBonzo had given accurate and helpful advice to treat the individual specific patches. If you have the ability, please follow that advice. It does in parts what GroupA will do for you by it’s cumulative design.
-
@Walker – My 2 cents worth about switching to another operating system:
I have no experience with chromebooks but from what I’ve read they’re very user friendly and secure. They’re a Google product so I’m not too sure about privacy. I don’t know whether a chromebook has the application programs you need or want.
I do have experience with Apple iMAC, having used one now for 3 months. You hear people say “They just work” and I agree with that. Updates are quite infrequent, but they go in with absolutely no drama. I did an update to a new operating system (Sierra to High Sierra) in 70 minutes start to finish and it was completely seamless. Everything worked exactly like it was supposed to. The iMAC is the desktop version of MAC and they have nice big monitors, 21 inches, I think. So that might help with your vision issues. MacBooks (Laptops) tend to have screens on the small side. If you can get to an Apple Store (or if there’s not one near you, try Simply Mac) you can check them out. And as a bonus be prepared for the sales staff to make you think that you’re actually important to them.
MACs cost a lot of money compared to PCs. I think the cheapest iMAC is about $1,100, but that does include the monitor. I think the cheapest laptop is about $900. You can probably find a refurbished one from Apple for 10-20% less. To me, it was worth the money simply for peace of mind. I’m still trying to keep my WIN 7 computers running, but I don’t feel the same pressure I used to knowing I have my iMAC.
Cheers!
-
Seconding, again, DrBonzo here. Apple has shown to be best at personal level assistance. It is part of the additional value reflected in the higher price tag. And would be my preference for you. I listed Google second as an option at a lower price point for their Chromebooks. The savings in money is offset by those privacy concerns. And I am not aware of Google offering a local storefront for hands-on assistance and tutorials.
And like DrBonzo, I continue to use my Windows 7. And recognize that Microsoft does not offer the same customer care that Apple does.
-
-
-
-
-
I agree with you about a once-monthly non-cumulative update. Since Microsoft wanted to get away from individual patches, a once-monthly non-cumulative update would have been far better than an all-encompassing update.
I also agree with your Service Pack idea. Every so often, Microsoft could release a Service Pack, which would be a clean implementation of all of the patches they have released up to that time.
Oh well. I guess we can dream about what was. I know over the years I have dreamed nostalgically about all of the companies and products that Microsoft eliminated on their way to the top. Now we can dream nostalgically about the “old” Microsoft.
Who would have ever thought?
Group "L" (Linux Mint)
with Windows 10 running in a remote session on my file server -
The whole point of this thread is that Microsoft is heading toward “our way or the highway” with regard to the granularity of updates. I really don’t expect them to pull back from their direction toward making all Windows Updates cumulative.
By all means, stay on group B as long as you can if that’s your pleasure, but without good reason – i.e., known, documented problems with running the latest from Microsoft – I don’t really see a justification.
Note that I *have* hidden several updates throughout time, so I’m not strictly on group A, but almost. Whether some of the most recent cumulative updates include them I don’t really know, but so far they’re not breaking anything for me, nor making my Windows 7 system more bloated or chatty online. I have a deny-by-default outgoing firewall setup so I know exactly what communications are being done.
Full disclosure: These are all the Win 7 updates I’ve never allowed to install:
KB971033 - checks whether Microsoft wants to deactivate your system KB2952664 - diagnostics for Win 10 compatibility KB3021917 - diagnostics for Win 10 performance compatibility KB3035583 - this one is GWX itself KB3068708 - adds capabilities to easily upgrade to Win 10
-Noel
1 user thanked author for this post.
-
I went off of Group B and onto Group A a while back, because it gave me too much of a headache to keep up with it. In fact, I wasn’t putting in the time and effort needed to keep up with it.
I personally believe that, if you are the average home user, you don’t have anything to worry about by being in Group A. The people who are getting snagged by rogue updates are businesses. Think about it — how many home users are still using dot matrix printers? (Remember that one last month?) But I’ll bet there are lots of businesses which still use dot matrix printers due to some odd business requirement, such as printing multi-page carbon-copy forms.
You might be justifiably concerned about telemetry; personally, I’m not, because my guess is that the only information Microsoft is collecting is related to security and stability issues. (We are, after all, Microsoft’s unpaid beta testers.) In my opinion, Microsoft is gathering less personal information from you than Google, Facebook, Amazon, or any of the millions of websites you visit which run Google scripts in the background.
Group "L" (Linux Mint)
with Windows 10 running in a remote session on my file server4 users thanked author for this post.
-
Much the same for me. Except that where I do agree the telemetry is likely helping troubleshooting, I wouldn’t call it beta testing. Microsoft has repeatedly, loudly and often, declared an end to further development of Win7. So they cannot really claim to be testing in that sense. And that is a good thing for Win7 users. Continued protection from new threats and breakage, without Redmond changing things, is a good combination for a couple more years.
1 user thanked author for this post.
-
Viewing 22 reply threads
Plus Membership
Donations from Plus members keep this site going. You can identify the people who support AskWoody by the Plus badge on their avatars.
AskWoody Plus members not only get access to all of the contents of this site -- including Susan Bradley's frequently updated Patch Watch listing -- they also receive weekly AskWoody Plus Newsletters (formerly Windows Secrets Newsletter) and AskWoody Plus Alerts, emails when there are important breaking developments.
Get Plus!
Recent Topics
-
Google’s Veo3 video generator. Before you ask: yes, everything is AI here
by 6 hours, 45 minutes ago
-
Flash Drive Eject Error for Still In Use
by 8 hours, 18 minutes ago
-
Windows 11 Insider Preview build 27863 released to Canary
by 1 day, 1 hour ago
-
Windows 11 Insider Preview build 26120.4161 (24H2) released to BETA
by 1 day, 1 hour ago
-
AI model turns to blackmail when engineers try to take it offline
by 5 hours, 17 minutes ago
-
Migrate off MS365 to Apple Products
by 6 hours, 6 minutes ago
-
Login screen icon
by 1 hour, 16 minutes ago
-
AI coming to everything
by 4 hours, 4 minutes ago
-
Mozilla : Pocket shuts down July 8, 2025, Fakespot shuts down on July 1, 2025
by 1 day, 17 hours ago
-
No Screen TurnOff???
by 1 day, 17 hours ago
-
Identify a dynamic range to then be used in another formula
by 1 day, 18 hours ago
-
InfoStealer Malware Data Breach Exposed 184 Million Logins and Passwords
by 2 days, 5 hours ago
-
How well does your browser block trackers?
by 1 day, 16 hours ago
-
You can’t handle me
by 16 hours, 4 minutes ago
-
Chrome Can Now Change Your Weak Passwords for You
by 1 day, 8 hours ago
-
Microsoft: Over 394,000 Windows PCs infected by Lumma malware, affects Chrome..
by 2 days, 17 hours ago
-
Signal vs Microsoft’s Recall ; By Default, Signal Doesn’t Recall
by 1 day, 20 hours ago
-
Internet Archive : This is where all of The Internet is stored
by 2 days, 17 hours ago
-
iPhone 7 Plus and the iPhone 8 on Vantage list
by 2 days, 17 hours ago
-
Lumma malware takedown
by 2 days, 5 hours ago
-
“kill switches” found in Chinese made power inverters
by 3 days, 2 hours ago
-
Windows 11 – InControl vs pausing Windows updates
by 3 days, 2 hours ago
-
Meet Gemini in Chrome
by 3 days, 6 hours ago
-
DuckDuckGo’s Duck.ai added GPT-4o mini
by 3 days, 6 hours ago
-
Trump signs Take It Down Act
by 3 days, 14 hours ago
-
Do you have a maintenance window?
by 1 day, 19 hours ago
-
Freshly discovered bug in OpenPGP.js undermines whole point of encrypted comms
by 2 days, 16 hours ago
-
Cox Communications and Charter Communications to merge
by 3 days, 17 hours ago
-
Help with WD usb driver on Windows 11
by 1 hour, 27 minutes ago
-
hibernate activation
by 4 days, 2 hours ago
Remembering Woody
