• owdrtn

    Viewing 15 replies - 1 through 15 (of 31 total)
    • in reply to: How to update Win7 that has been offline since 2015 #960833

      […] If your intention is to avoid the Meltdown/Spectre mitigation as a Group B patcher, you should stop updating with the December 2017 Security-only patches because after that even the Security-only patches have M/S mitigation.


      @PKCano
      First things first.. I want to thank you for all the guidance and experience you’ve been sharing with us on GroupB patching W7 & W81 for so long..

      I usually manage to figure things out on my own with some searching and reading, but this Spectre/Meltdown mitigation VS GroupB patching still gets me confused … Particularly about the relevance of avoiding installation of Security-Only patches as recommended in your previous (quoted) post..

      As a GroupB patcher (with relatively old and S/M-vulnerable CPUs), I chose to also avoid the current S/M mitigations available…

      However, I’m not sure I understand your recommendation to avoid installing any post-Dec 2017 monthly Security-Only Windows patches, just to avoid the Meltdown/Spectre mitigations they contain..

      Here’s my point.. From my reading, all of the current S/M mitigations can be disabled from the Windows registry entirely.. If that is true.. why skip any post-Dec2017 monthly security-only patches, which most likely contain not only Meltdown/Spectre mitigations, but probably many other security resolutions not related to Meltdown/Spectre at all as well…

      Installing those shouldn’t prevent anyone from removing S/M mitigations afterward..
      If so, wouldn’t it be advised to continue installing all of the monthly Security-Only patches just as usual, and instead, neutralize/defuse/remove the patch(KB)-applied M/S mitigations afterward, using either the registry directly.. (or the fabulous Robert Gibson’s “InSpectre” tool, which does just the same.) I’ve tested it personally on a W7 host and a Debian VM Guest (using wine).. both successfully removed all mitigations. All it does is basically apply the Microsoft-provided Registry manipulations programmatically..

      That way, GroupB patchers can continue installing all and every Monthly Security-Only Patch as usual, while avoiding all of the undesired Meltdown/Spectre’s mitigations at OS-level (I do apply most Software-level mitigations too) (same for Hardware-Lvl.. ie: I did flash my ROM’s BIOS-UEFI firmware with my vendor-supplied M/S mitigation’s CPU-Microcode update)

      Sorry for my English.. and the long post.. but I hope you get my point and can provide me with some updated guidance/insight

      TLDR:: Why not install all of the monthly security-only patches as usual (including post-Dec2017), and defuse all of the mitigations afterward ?

      thanks !

    • @Rydan
      However, I’m not sure I understand why not simply download the two cab files “authrootstl.cab” & “disallowedcertstl.cab” @
      http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab & http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab

      Then just extract the two stl files from those and install both stl files using either:
      the right-click context menu "Install CTL"
      or certutil: certutil -addstore -f root authroot.stl disallowedcert.stl ?

      Also, how would one go about updating the “Trusted Publisher” & the “Intermediate CA” stores ? Are those not relevant/applicable to update as well ?

    • As rootsupd.exe was deprecated in favor of WU auto update and Enterprise CA…
      You could get the trusted and untrusted sst files and import those.
      (there are different options)

      Awesome find @Rydan.. works flawlessly, thanks !
      Where have you found your way to the shell scripting of this ? I couldn’t find anything on that matter in the provided online docs.

      Thumbs up !!

    • in reply to: The Ease of Group B patching. #331093

      More likely, a fairly long and adventurous one with many twists and turns of fortune have taught me to be cautious, but to avoid being scared of anything for too long.

      Made my day..

    • Sorry in advance for such a blasphemous question, but really.. it’s still unclear to me whether or not GroupB are prescribed to integrate either of those two KBs into their Gold Windows 7 x64 Installer Media Image:

      • Service Pack 1 (KB976932)
      • Enterprise Rollup Update (KB2775511)
      • Convenience Rollup Update (KB3125574)

      It does seem clear to me that SP1 is a sure go, but is it for GroupB, without any post-deploy “defusing” operations ?

    • please read my post entirely.. this is not persistent

    • The instructions to put it back can be found at this Microsoft website […]

      Thanks for sharing.

      That script creates a new service, however.
      The registry modification provided at the very bottom of the article is only persistent on WUA version 7.0.6000 and earlier. Are you aware of any registry workaround to make it persistent on later versions as well ?

    • Turn off Windows Defender Cloud-based Protection and Automatic sample submission in Settings > Update & security > Windows Defender.

      Don’t see any such thing on Win7 ? Could this apply only to later OS ?

    • in reply to: Quickest way to get Windows 7 SP1 fully patched #117363

      Download KB3020369, KB3138612, KB3177467 and KB3172605
      […]

      *confused* Ain’t 30220369 superseded by 3177467 as reported in MS Catalog (shown below).. To add to the confusion, the SP2 KB article still mentions 3020369 as the prerequisite..
      SP2 Prerequisite KB Confusion (3020369 or 3177467 or both)

    • Thanks for the reply PK,

      There’s so much FUD/confusion surrounding this KB.. But considering it could save me from installing ~123 individual KBs, it’s definitely worth figuring out..

      The general consensus here was it was for Enterprise use, not the general public.

      It’s applicable for Ultimate as well.

      Also, maybe as a reminder, or some trigger to further discussion, don’t you remember @Gonetoplaid’s post from earlier in May, which was a list including all of the individual KBs included within SP2 (KB3125574).
      Among those were:

      • 5 are known/believed to contain telemetry: KB3118401, KB3080149, KB3075249, KB3068708, & KB2999226.
      • 5 are known/believed to cause/potentially cause issues: KB3102429, KB3133977, KB3080079, KB3006137, KB2970228
    • Some answer would be so appreciated..
      I’ve lost track of the actual current recommendation on that infamous KB …

      OS: Win7x64 Ultimate
      Servicing strategy: Group-B-hybrid (installed October 2016 RU), and maybe SP2, if I can get some insight from you guys..

      Thanks

    • But should we take for granted that “not being able to install an update” means that it has necessarily been superseded ? I mean.. It could just be another messy/broken supersedence chain by MS, or any other MS-flavoured mess ?

    • I was referring to the Catalog. I guess we can’t rely on it anymore, just like WU..
      How have you found out about KB4012212, KB4015546 & KB4019263 to supersede 3212642 ?

    • in reply to: Patch Tuesday is rolling out #114870

      As a single-user consumer (in contrast to some corporate/sysadmin context), I’ve never really given MS’s WSUS a try. It’s only recently that I moved from using the basic idiot-proof (now “trouble-sure”) WU to some mixed use of the Catalog (MUC) & their Bulletins.

      But the more I hear about WSUS (along with other similar “more Corporate-Targeted” Windows update management solutions), the more I feel like I should step in, or at the very least give those a try.

      But not having much experience with servers (yet open to it), I’d be tempted to try the unofficial offline version, WSUS Offline, first.
      I’d love to know your insight on this ? Does it sound more like a fair “GO” or “NO-GO” to you guys ?

      Everyone’s opinions are much appreciated, just try to back your claims with some source when possible.

    • ON-GOING

      The culprit might be my limited English here, I’ll have a look at the distinction between the word “ongoing” and “up-to-date”. Thanks for specifying.

      Just want to point out, however, that I didn’t refer to the catalog’s availability of those KBs listed here, but to their relevance in regards to their “supersedence” & “B-Group” properties …