
Say good-bye to individual patches on Windows 7 and 8


Batu69


Microsoft will change how patches and updates are delivered to devices running Windows 7 or Windows 8 starting tomorrow.

We have talked about the push towards all-in-one (cumulative) Windows updates in August when the company announced the change.

 

There is a bit of light and a lot of shadow when it comes to the new system that Microsoft has used for Windows 10 ever since the operating system launched.

Before we look at those, let's recap what changes and how that may affect your updating strategy.

October 2016 Windows updating changes for Windows 7 and 8


 

Microsoft moves from a one patch per issue update model to a cumulative update model known from Windows 10.

The company plans to release two patches in total for devices running Windows 7 or 8: the first is a cumulative security update that includes all security patches of the given month.

 

These security updates can be downloaded from Microsoft's Update Catalog.

Additionally, a single cumulative update is made available each month that includes all security and non-security updates. This update is made available via Windows Update, but also as a download from the Update Catalog.

 

For managed systems, updates are also available through WSUS or SCCM.

These monthly rollups are cumulative which means that they include all patches that were added to previous rollup updates. Microsoft plans to integrate all available patches -- that were published prior to October 2016 -- eventually as well so that a single monthly rollup patch installs all patches released for Windows 7 or 8.

 

Microsoft will make available certain updates separately. This includes updates for Microsoft's .NET Framework, and for Internet Explorer 11.

Additionally, driver updates won't be included in those patches, and out-of-band security updates will be published as soon as they are available. They will be added to the next monthly rollup patch and security update automatically.

What's good about the change

If you look at the new patching strategy you will notice that patching will get easier on first glance provided that things work.

Users who update Windows through Windows Update need to install a single patch instead of several. This may be especially useful when a new system is set up as it may take a while for patches to be retrieved on first use of Windows Update.

The downside

Microsoft's new patching strategy is quite problematic for system administrators and many end users. The past has shown for instance that Microsoft does release patches every now and then that cause issues on the operating system. Some issues caused blue screens or endless reboot loops.

 

Users could remove the update responsible for that once it was identified, but that is no longer possible when the new updating system hits.

This means that you need to uninstall an entire month worth of security updates, or a monthly rollup update, to resolve the issue.

 

This leaves the system vulnerable to patched security vulnerabilities that did not cause any issues on the device.

Considering that it sometimes takes weeks or even longer to produce a working patch, this could leave systems vulnerable for a long time.

While that is bad enough, it gets worse.

If you don't trust Microsoft enough because of its actions in the past year -- Get Windows 10 or Telemetry are two headwords -- then you may not want those cumulative updates. The reason is simple: you cannot block updates that you don't want anymore.

 

If Microsoft would have launched the new patching strategy earlier, no one would have been able to block Get Windows 10 updates and Telemetry updates from being added to a running Windows 7 or 8.1 system unless Windows Update would have been turned off completely prior to the release.

 

Anyone who wants control over which updates get installed or removed cannot do that anymore. It is either all or nothing, with no middle-ground.

Your options

So what are the options that you have? There are three:

  1. Use Windows Update and install a single cumulative Monthly Rollup patch that includes security and non-security updates.
  2. Disable Windows Update, and download Security Patches through Microsoft's Update Catalog.
  3. Disable Windows Update and don't download and install any patches.

If you pick option 1, you get every update that Microsoft includes in the monthly rollup patches. This includes all security updates, all feature updates and fixes, but also every Telemetry, privacy-invasive or next generation Get Windows 10 update the company produces.

 

If you pick option 2, you get all security updates but may still run into issues with these patches. You do need to download and install those manually through Microsoft's Update Catalog though, as you can't use Windows Update for that anymore.

 

You won't get feature updates, and likely won't get the majority of updates that you don't want either. Microsoft did include non-security patches in security updates in the past, which means that there is a theoretical chance that you still get unwanted updates.

 

Option 3 finally leaves your system vulnerable because of missing security updates. It is however the only option to avoid any unwanted updates on the device.

 

If you need additional information, Woody over at InfoWorld has you covered.

 




1 hour ago, Batu69 said:

If you pick option 2, you get all security updates but may still run into issues with these patches. You do need to download and install those manually through Microsoft's Update Catalog though, as you can't use Windows Update for that anymore.

 

The only way to access Microsoft Update Catalog is through Internet Explorer 6 and later; presume it works for Edge too. For IE haters this might not be "good news". Actually, I installed IE11 on Windows 7 only to have the option to access Microsoft Update Catalog.

 

Presume updates Microsoft will make available separately will include those of Office. At each update session I must "hide" all those "updates" for Office components I don't have installed, like Access, OneNote, Outlook, etc.

 

Now, the question: are these statements about monthly rollup patches facts or speculation? I installed recently the cumulative patch for Windows 7 for May 2016; it was one big file but in Windows Updates they appear as about 60 individual files and each one can be deleted individually.



So WinXP will still allow individual patch selection? If so I'm happy.

 

I can see the point of cumulative updates though. It keeps everyone on the same version of Windows which makes it less costly for Microsoft to debug. As usual, it's all about Microsoft.



Woody's take...

How to prepare for the Windows 7/8.1 ‘patchocalypse’

Microsoft is changing the way it patches Windows 7 and 8.1. Here’s what we know -- and what to do to keep having Windows your way

October marks a watershed in Microsoft patching practices for Windows 7 and 8.1, and confusion reigns supreme. With the majority of organizations still holding off upgrading their fleets to Windows 10, this “patchocalypse” may have significant impact if you’re not prepared for the sticky details.

 

The upshot: Windows 7 and 8.1 will no longer receive individual patches. These will give way to two separate kinds of monthly updates: a security-only strain and a full collection of updates. The security strain isn’t cumulative; the full bundle is. Each has its own deployment method. KBs have been KO’d. Sounds simple, right?

 

The devil, however, is in the details, and for many organizations, it may be quite a devil indeed. Here we break down what you need to know about Win7/8.1 updates going forward, in hopes of helping you avoid your own “patchocalypse.”

Microsoft’s new Win7/8.1 patching strategy

Six weeks ago, Microsoft product manager Nathan Mercer kicked off a long discussion about new directions for patching Windows 7 and 8.1, and Server 2012 R2, starting in October. Details are available on the TechNet blog (and its 100-plus questions), but here’s the synopsis:

 
  • Security patches will be combined each month into a single Security-only Update that can be downloaded from the Microsoft Update Catalog. Those with corporate networks can access Security-only Updates through WSUS or SCCM. Security-only Updates are not cumulative.
  • All security and nonsecurity patches will be combined into a cumulative update, called a “Monthly Rollup.” The Monthly Rollup is accessible from Windows Update -- where most individuals get their patches nowadays -- or from Update Catalog (where anyone can download and install it), WSUS, or SCCM. When you install a Monthly Rollup, Windows Update downloads only the deltas.
  • Microsoft will gradually add older patches to the Monthly Rollup. For now, don’t expect to see a big bunch of patches in the Monthly Rollup, but realize Microsoft is working in that direction.
  • You can uninstall an entire Security-only Update or an entire Monthly Rollup. There are no individual patches, thus no individual patch uninstalls, and you can’t hide individual patches.

On the face, it’s relatively straightforward: No more individual patches, but two different kinds of monthly updates. Security-only Updates must be downloaded and installed, while the full collection can go through Windows Update. Security-only Updates are not cumulative; the Monthly Rollup bundle, including both security and nonsecurity updates, is cumulative.

 

Those who continue to use Windows Update will get all of Microsoft’s Windows patches. Those who turn off Windows Update can manually install security patches only. But in all cases, individual patches -- analogous to the KBs we’ve known for a decade -- exist only as bullet points in the documentation.

 

From there, the details get messy. Mercer acknowledges the following:

  • .Net will be updated separately, with a combined security/nonsecurity .Net Framework Monthly Rollup, and a security-only update for the Update Catalog and WSUS.
  • IE11 “will be serviced in both monthly rollup and security-only update,” but it isn’t clear whether IE11 patches will be included in the new Security Update and/or Monthly Rollup. We’ve already seen situations where nonsecurity IE updates have been included in IE security updates. The distinction could become crucial in the future.
  • For those who aren’t on IE11, Microsoft won’t force you to move to IE11, but “we plan to eventually include patches for whichever version of IE you currently have installed in the Monthly rollup, similar to the .Net rollup.”
  • Thankfully, driver updates aren’t included in either the Security-only Update or the Monthly Rollup.
  • Out-of-band security patches will be posted as soon as they’re available, then be incorporated into the subsequent Security-only Update and Monthly Rollup.
  • There will be no changes to the current patching method for Vista or Server 2008.

Mercer also offers a description of a Third Tuesday “preview” of the nonsecurity part of the Monthly Rollup. We’ll have to see how that works out.

The immediate impact

The most important note for most Windows Update users: You don’t have to change anything. The Automatic Update settings (that is, Automatically download and install, Download but let me choose when to install, Notify but don’t download, or Never check) work as they always have. The “Give me recommended updates the same way I receive important updates” check box works as it has before -- if Microsoft tags an update as “Recommended” and this box is checked, the update appears checked (ready to install) in the Windows Update list. If that box is unchecked, the update appears as unchecked in the Optional category.

 

Microsoft’s been working on the mechanics of the patching process for the past few months. You might not have noticed, but Microsoft already has support pages with the details for Win7 and for Win8.1.

 

Win7 and 8.1 patching has already started morphing. So far we’ve seen three Windows 7 nonsecurity update rollups -- KB 3172605 in July, KB 3179573 in August, and KB 3185278 in September -- that first appeared as Optional/unchecked patches, then were later updated to Recommended patches. As I explained a couple of weeks ago: “the general pattern is to have a cumulative update (er, patch rollup) released as Optional, wait a month to see if anything explodes, and if not, then change it to Recommended the next month.”

 

If you tell your machine “Give me recommended updates the same way I receive important updates,” the nonsecurity patch rollup won’t be installed during the first Patch Tuesday, but will be installed during the following month. That’s clever, and it looks like it’ll work. The only ones who will get stung by bad nonsecurity patches are the ones who go out of their way to check and approve unchecked Optional nonsecurity patches.

 

We haven’t seen any testing of cumulative nonsecurity patches or of bundled security and nonsecurity patches, but the pattern’s starting to come into focus.

Trust issues

The problem, of course, is that many individuals and organizations don’t trust the “install all of Microsoft’s patches” approach. Hard to blame them -- the Get Windows 10 lessons run deep, and many dislike and distrust Microsoft’s enhanced telemetry capabilities, which they equate with snooping.

 

The following simple approach to patching Windows 7 and 8.1, starting in October, is directed at individuals, but admins may find the demarcation helpful, too.

 

Win7/8.1 users fall into one of two camps: Those who trust Microsoft’s updates and those that only want security patches. Let’s call them Group A and Group B, respectively:

  • Group A are willing to take all of Microsoft’s new telemetry systems, along with potentially useful nonsecurity updates.
  • Group B doesn’t want any more snooping than absolutely necessary, and they don’t care about improvements like daylight saving time zone changes, but want to keep applying security patches.

A third group, Group W, doesn’t want anything from Microsoft -- no patches, no security updates, nada. I don’t recommend that you sit on the Group W bench, but it can be understood given changes Microsoft has made to Win7 and 8.1 machines, without our permission, in the past.

 

For Group A, patching is much easier: Set it once and forget it, unless there’s a big bug. For Group B, the snooping should be less -- but there’s no guarantee -- and the patching method is entirely manual. You can move from Group B to Group A, but as far as I can tell there’s no way to move from Group A to Group B without completely reinstalling Win7 or 8.1.

 

Microsoft has a history of mixing security and nonsecurity patches in arbitrary ways. That’s going to trip users and admins up alike if it continues to release buggy security updates, then fix the security update bugs in nonsecurity updates (see, for example, KB 3179573 in August and KB 3172605 in July). For now, let’s assume Microsoft will fix Security-only Update bugs with Security-only Update patches. If they don’t, we’re going be in a world of hurt.

How to prepare for the patchocalypse

Starting with October Patch Tuesday patches, there are two very different approaches to patching Win 7 and 8.1 machines, and you need to choose sides. The details aren’t entirely known -- and are bound to change -- but in broad strokes, here’s what you need to do.

 

Step 1. Choose between Group A and Group B.

 

Choosing sides isn’t as simple as asking, “Do I trust Microsoft?” You have to ask yourself whether the additional hassle of manually installing security patches is worth keeping Microsoft’s new snooping routines off your machine. You also have to ask whether the benefits of the new nonsecurity patches (in recent months we’ve seen improvements to Disk Cleanup, various bug fixes, time zone changes, performance improvements in odd scenarios, and several others) are worth the added exposure to Microsoft’s data gathering activities (about which we have no details).

 

Note that the snooping routines already on your machine will stay there, even if you choose Group B, unless you manually uninstall the routine. I won’t mention KB 2952664 by name.

 

Step 2. If you’re in Group A, set up Windows Update.

 

If you’re working on a machine that won’t ever get manually updated -- good ol’ Aunt Martha’s PC or one for the boss -- it would be wise to turn on Automatic Update. Contrariwise, if you’re working on a machine that gets lots of TLC, and you’re reasonably well tuned in to Windows news, I recommend you turn off Automatic Update. With it off, you’ll be able to watch automatic updaters install the latest updates, then decide for yourself when it’s time to get patches.

 

Turning off Automatic Update in Group A is a trust-in-Microsoft-but-cut-the-cards move.

 

In Windows 8.1’s desktop mode, hold down the Windows key and press X, then choose Control Panel. In Windows 7, using an administrator-level account, click Start, Control Panel. In both cases, click System and Security. Under Windows Update, click the Turn automatic updating on or off link. (Note: If you have Control Panel set to View by icons, click Windows Update, then on the left choose Change Settings.)

 

If you’re working on Aunt Martha’s PC, in the drop-down box choose “Automatic (recommended) Automatically download recommended updates for my computer and install them.”

 

If you want to cut the cards, select “Check for updates but let me choose whether to download and install them” or “Never check for updates (not recommended).” The two choices behave similarly, but the first one will (at least in theory) show a notice in the system tray, down near the clock, when new updates are available.

 

In either case, check the box marked “Give me recommended updates the same way I receive important updates” and click OK.

 

You’re done.

 

Step 3. If you’re in Group B, turn off Windows Update

 

In Group B, you don’t need -- or want -- Windows Update. There are many ways to turn it off, but the simplest and least invasive option involves using the normal Control Panel setting.

 

The method’s identical to Group A: In Windows 8.1’s desktop mode, hold down the Windows key and press X, then choose Control Panel. In Windows 7, using an administrator-level account, click Start, Control Panel. In both cases, click System and Security. Under Windows Update, click the Turn automatic updating on or off link. In the drop-down box select “Never check for updates (not recommended)” and click OK.

 

Now the monkey’s on your back to check for updates from time to time.

 

While we don’t have a comprehensive list of KB patches that you should uninstall, in order to minimize Microsoft snooping, there’s a raging debate going on at AskWoody.com. You’re most welcome to join in, but realize it’s not all that simple: A snooping patch to you may be a massive cleanup patch to me. Further, with the dearth of information emanating from Redmond and the absence of a definitive explanation from on high, we’re all guessing.

 

The best advice I’ve seen on reducing the effect of snooping patches that may already be installed on your machine comes from ch100, who recommends you first turn off the Customer Experience Improvement Program (CEIP).

 

Step 3.1. Click Start > Control Panel > Action Center.

 

Step 3.2. Under Related settings, choose Customer Experience Improvement Program settings.

 

Step 3.3. Choose No, I don't want to participate in the program, then click OK.

 

You can find details in any of my Windows 7, 8, or 8.1 books.

 

Then ch100 recommends you specifically uninstall three patches: KB 2952664 (or its Win 8.1 doppelganger KB 2976978), KB 3150513, and KB 3021917. Those patches are worth uninstalling because they seem to circumvent the CEIP setting. There’s a reason why those three patches don’t appear in the Win 7 “SP2” convenience rollup, released in May.

 

In short, for Group B, turn off Automatic Update, turn off CEIP, uninstall KB 2952664 (or KB 2976978), KB 3150513, and KB 3021917.

The next step

The actual process of updating is going to get a bit complicated over the next few months, not only because of the Group A/Group B distinction, but also because other patches -- .Net, IE, Flash -- will dribble out at undefined times.

 

Those in Group A who submit to automatic updating will have an easy time of it: Windows Update will kick in, like it always has, and install all the patches. If there’s a bad patch that kills something -- we seem to have those almost every month -- then the fix will likely arrive in the next month’s patches.

 

Those in Group A who want to wait to see if anything blows up before they install updates will have a slightly more difficult task. They need to wait until they’re comfortable applying the latest updates (watch the news on Woody on Windows and on AskWoody.com), then simply run Windows Update manually:

 

Step 1. Click Start > Control Panel > System and Security; under Windows Update, click Check for Updates.

 

Step 2. Don’t change anything -- don’t check or uncheck any particular update, don’t change any of your settings.

 

Step 3. Click Install updates. Windows will probably restart, so roll with the tide.

 

Those in Group B will have to check for new updates from time to time (again, look on Woody on Windows or on AskWoody.com), and when the Security-only Update has been tested by Group A, they’ll have to download the Update from the Windows Update Catalog.

 

At the moment, the Windows Update Catalog is a 1990s-vintage mess. With its dependence on Microsoft-proprietary ActiveX controls, it’s hard to get anything out of the Update Catalog unless you’re using Internet Explorer. Microsoft promises it’ll be fixed soon. Once Microsoft has straightened it out, I’ll update this post with step-by-step instructions. In the interim, you can get into the Windows Update Catalog using any browser, but the method’s convoluted -- and it isn’t clear what you should search for.

 

Until we get further guidance from Microsoft, you should choose between Group A and Group B, follow the steps above, making sure you turn off Automatic Update.

 

As it stands, we’re all headed down the cumulative update path. Win10 is already there; Win7 and 8.1 are about to follow. If you want one patch, you have to take them all -- and if one of them breaks something, you can only uninstall the whole kit ’n’ caboodle.

 

As long as all of the patches work right, everything’s fine. What could possibly go wrong?

 

Many thanks to ch100, aboddi86, Canadian Tech, and many other folks who helped formulate and flesh out this approach.

 

Source: How to prepare for the Windows 7/8.1 ‘patchocalypse’ (InfoWorld - Woody Leonhard)

 

InfoWorld - Woody on Windows

 

AskWoody.com - Woody Leonhard's no-bull news, tips and help for Windows and Office
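An added audit script for the Group B checklist in the article above (Automatic Update off, CEIP off, the three named patches removed). It is not part of Woody's article or of this thread; the KB numbers come from the text, and it assumes the standard Windows 7/8.1 registry locations for the CEIP and Automatic Update settings.

```powershell
# Audit a Windows 7/8.1 machine against the "Group B" checklist. Added example,
# not from the article. Assumes: the KB numbers named in the article; CEIPEnable
# under HKLM\SOFTWARE\Microsoft\SQMClient\Windows (0 = opted out); AUOptions under
# the WindowsUpdate\Auto Update key (1-4 = the four Control Panel choices).
# Run from an elevated PowerShell prompt. Reports only, unless -Uninstall is given.
param(
    [switch]$Uninstall
)

# KBs named in the article: KB2952664 (Win7) / KB2976978 (Win8.1), KB3150513, KB3021917
$TelemetryKbs = @('KB2952664', 'KB2976978', 'KB3150513', 'KB3021917')

function Get-InstalledTelemetryKbs {
    # Get-HotFix wraps Win32_QuickFixEngineering; HotFixID is the "KBnnnnnnn" string.
    $installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
    return $TelemetryKbs | Where-Object { $installed -contains $_ }
}

function Test-CeipDisabled {
    # "No, I don't want to participate" writes CEIPEnable = 0; a missing value means enabled.
    $key = 'HKLM:\SOFTWARE\Microsoft\SQMClient\Windows'
    $item = Get-ItemProperty -Path $key -Name CEIPEnable -ErrorAction SilentlyContinue
    return ($null -ne $item -and $item.CEIPEnable -eq 0)
}

function Get-AutoUpdateMode {
    # AUOptions: 1 = never check, 2 = notify before download, 3 = download then notify, 4 = automatic
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update'
    $item = Get-ItemProperty -Path $key -Name AUOptions -ErrorAction SilentlyContinue
    switch ($item.AUOptions) {
        1 { 'Never check for updates' }
        2 { 'Check, but let me choose whether to download and install' }
        3 { 'Download, but let me choose whether to install' }
        4 { 'Install updates automatically' }
        default { 'Unknown / not set' }
    }
}

# --- Report ---------------------------------------------------------------
Write-Host "Automatic Update mode : $(Get-AutoUpdateMode)"
Write-Host "CEIP disabled         : $(Test-CeipDisabled)"

$present = @(Get-InstalledTelemetryKbs)
if ($present.Count -eq 0) {
    Write-Host 'Telemetry-related KBs : none of the listed patches are installed'
} else {
    Write-Host "Telemetry-related KBs : installed -> $($present -join ', ')"
    if ($Uninstall) {
        foreach ($kb in $present) {
            # wusa.exe /uninstall removes a package by KB number; /norestart defers the reboot.
            $num = $kb -replace '^KB', ''
            Write-Host "Uninstalling $kb ..."
            Start-Process -FilePath 'wusa.exe' -ArgumentList "/uninstall /kb:$num /quiet /norestart" -Wait
        }
        Write-Host 'Reboot, then re-run this script to confirm the patches are gone.'
    }
}
```

Get-HotFix only sees updates recorded as QFE packages, so cross-check against Control Panel > Programs and Features > Installed Updates if a KB you expect is not reported.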



Just chiming in here,

Had a friend re-install Windows 8.1 on his Lenovo.

 

I was wondering why all the updates were combined,

No options to pick and choose.

 

Oddly enough I was looking for AMD drivers, hardware drivers through windows update.

It downloaded all the freaking MS patches. holy molly. 

 

I picked let me choose what I want to update.

- The only choice I got was to install everything >.<

 

 



Lately the "Disable Windows Update and don't download and install any patches." option looks more sane.

But then again we are in nsaneforums aren't we? xD



7 hours ago, TheAslan said:

Just wondering if we can download that combined update with WSUOFFLINE and then unpack that combined update and then install only the updates we want or need.

 

Nice idea, but I doubt it. And because it's now cumulative updates, any discrete updates you've hidden or uninstalled in the past will be included in the first cumulative update you install.

 

It's the same disastrous take-it-all or take-none flaky Windows 10 methodology now inflicted on Windows 7 and 8.1 users.

 

Woody's post that I posted above is genuinely worth reading. Probably a few times to fully understand the options now, I've read it a few times and still adding to my understanding. You need to choose whether just to blindly let (AKA trust) Microsoft to install all cumulative and security patches (Group A), or take security patches only (no cumulative ones) manually via Windows Update Catalog (Group B), or consider your system stable enough right now and turn off Windows updates altogether (Group W).

 

Microsoft seem hell bent on ruining Windows for everyone.

 

For the record I've removed the Windows 10 installation on my newly built box because I've had enough of Windows 10's bugs, the gazillion system settings that need to be changed (more than once after updates reset them in favour of Microsoft and to my detriment), the flakiness of Windows 10 updates, and replaced it with Windows 8.1, fully patched (just a couple of updates hidden and UNinstalled) yesterday just hours before the new update strategy was rolled out.

 

I'm leaning towards Group B or W. Group B initially, and defer taking the security patches until the end of the month when I'm convinced by Woody and others that those security patches are (1) problem-free and (2) contain no sneakily added non-security patches. If and when the latter happens, I'll move permanently to Group W.



I'm gonna go with group W then, F Microsoft and their updates. I'm gonna keep my other drivers updated and my Kaspersky updated, I'm pretty sure my pc is safe enough.

 

Drivers I've downloaded from station-drivers for the past 7 years already.



20 minutes ago, Karlston said:

 

Nice idea, but I doubt it. And because it's now cumulative updates, any discrete updates you've hidden or uninstalled in the past, will be included in the first cumulative update you install.

 

It's the same disastrous take-it-all or take-none flaky Windows 10 methodology now inflicted on Windows 7 and 8.1 users.

 

Woody's post that I posted above is genuinely worth reading. Probably a few times to fully understand the options now, I've read it a few times and still adding to my understanding. You need to choose whether just to blindly let (AKA trust) Microsoft to install all cumulative and security patches (Group A), or take security patches only (no cumulative ones) manually via Windows Update Catalog (Group B), or consider your system stable enough right now and turn off Windows updates altogether (Group W).

 

Microsoft seem hell bent on ruining Windows for everyone.

 

For the record I've removed the Windows 10 installation on my newly built box because I've had enough of Windows 10's bugs, the gazillion system settings that need to be changed (more than once after updates reset them in favour of Microsoft and to my detriment), the flakiness of Windows 10 updates, and replaced it with Windows 8.1, fully patched (just a couple of updates hidden and installed) yesterday just hours before the new update strategy was rolled out.

 

I'm leaning towards Group B or W. Group B initially, and defer taking the security patches until the end of the month when I'm convinced by Woody and others that those security patches are (1) problem-free and (2) contain no sneakily added non-security patches. If and when the latter happens, I'll move permanently to Group W.

 

Yeah, same as me - also going with B.

I bet someone will eventually create a tool / script that will automatically download all the relevant security updates and will install them in a batch - specially for the B group.

 

BTW - does anyone of you have an up-to-date ISO of 8.1 x64 (best would be AIO) with all the updates till yesterday pre-included ? 

Would be nice to have one just for the sake of safekeeping.



1 hour ago, PrEzi said:

I bet someone will eventually create a tool / script that will automatically download all the relevant security updates and will install them in a batch - specially for the B group.

 

That would be very sweet, its author would gain the same kind of fame gained by Josh Mayfield, creator of the brilliant and hugely popular GWX Control Panel.

 

I suspect many have been trying for the last 14 months or so to unravel Windows 10 cumulative updates, sadly seemingly without success.

 

You have a PM. :) (Oh sorry..., not completely up to date, but the best I can find)
