October marks a watershed in Microsoft patching practices for Windows 7 and 8.1, and confusion reigns supreme. With the majority of organizations still holding off upgrading their fleets to Window 10, this “patchocalpyse” may have significant impact if you’re not prepared for the sticky details.
The upshot: Windows 7 and 8.1 will no longer receive individual patches. These will give way to two separate kinds of monthly updates: a security-only strain and a full collection of updates. The security strain isn’t cumulative; the full bundle is. Each has its own deployment method. KBs have been KO’d. Sounds simple, right?
The devil, however, is in the details, and for many organizations, it may be quite a devil indeed. Here we break down what you need to know about Win7/8.1 updates going forward, in hopes of helping you avoid your own “patchocalypse.”
Microsoft’s new Win7/8.1 patching strategy
Six weeks ago, Microsoft product manager Nathan Mercer kicked off a long discussion about new directions for patching Windows 7 and 8.1, and Server 2012 R2, starting in October. Details are available on the TechNet blog (and its 100-plus questions), but here’s the synopsis:
- Security patches will be combined each month into a single Security-only Update that can be downloaded from the Microsoft Update Catalog. Those with corporate networks can access Security-only Updates through WSUS or SCCM. Security-only Updates are not cumulative.
- All security and nonsecurity patches will be combined into a cumulative update, called a “Monthly Rollup.” The Monthly Rollup is accessible from Windows Update -- where most individuals get their patches nowadays -- or from Update Catalog (where anyone can download and install it), WSUS, or SCCM. When you install a Monthly Rollup, Windows Update downloads only the deltas.
- Microsoft will gradually add older patches to the Monthly Rollup. For now, don’t expect to see a big bunch of patches in the Monthly Rollup, but realize Microsoft is working in that direction.
- You can uninstall an entire Security-only Update or an entire Monthly Rollup. There are no individual patches, thus no individual patch uninstalls, and you can’t hide individual patches.
On the face, it’s relatively straightforward: No more individual patches, but two different kinds of monthly updates. Security-only Updates must be downloaded and installed, while the full collection can go through Windows Update. Security-only Updates are not cumulative; the Monthly Rollup bundle, including both security and nonsecurity updates, is cumulative.
Those who continue to use Windows Update will get all of Microsoft’s Windows patches. Those who turn off Windows Update can manually install security patches only. But in all cases, individual patches -- analogous to the KBs we’ve known for a decade -- exist only as bullet points in the documentation.
From there, the details get messy. Mercer acknowledges the following:
- .Net will be updated separately, with a combined security/nonsecurity .Net Framework Monthly Rollup, and a security-only update for the Update Catalog and WSUS.
- IE11 “will be serviced in both monthly rollup and security-only update,” but it isn’t clear whether IE11 patches will be included in the new Security Update and/or Monthly Rollup. We’ve already seen situations where nonsecurity IE updates have been included in IE security updates. The distinction could become crucial in the future.
- For those who aren’t on IE11, Microsoft won’t force you to move to IE11, but “we plan to eventually include patches for whichever version of IE you currently have installed in the Monthly rollup, similar to the .Net rollup.”
- Thankfully, driver updates aren’t included in either the Security-only Update or the Monthly Rollup.
- Out-of-band security patches will be posted as soon as they’re available, then be incorporated into the subsequent Security-only Update and Monthly Rollup.
- There will be no changes to the current patching method for Vista or Server 2008.
Mercer also offers a description of a Third Tuesday “preview” of the nonsecurity part of the Monthly Rollup. We’ll have to see how that works out.
The immediate impact
The most important note for most Windows Update users: You don’t have to change anything. The Automatic Update settings (that is, Automatically download and install, Download but let me choose when to install, Notify but don’t download, or Never check) work as they always have. The “Give me recommended updates the same way I receive important updates” check box works as it has before -- if Microsoft tags an update as “Recommended” and this box is checked, the update appears checked (ready to install) in the Windows Update list. If that box is unchecked, the update appears as unchecked in the Optional category.
Microsoft’s been working on the mechanics of the patching process for the past few months. You might not have noticed, but Microsoft already has support pages with the details for Win7 and for Win8.1.
Win7 and 8.1 patching has already started morphing. So far we’ve seen three Windows 7 nonsecurity update rollups -- KB 3172605 in July, KB 3179573 in August, and KB 3185278 in September -- that first appeared as Optional/unchecked patches, then were later updated to Recommended patches. As I explained a couple of weeks ago: “the general pattern is to have a cumulative update (er, patch rollup) released as Optional, wait a month to see if anything explodes, and if not, then change it to Recommended the next month.”
If you tell your machine “Give me recommended updates the same way I receive important updates,” the nonsecurity patch rollup won’t be installed during the first Patch Tuesday, but will be installed during the following month. That’s clever, and it looks like it’ll work. The only ones who will get stung by bad nonsecurity patches are the ones who go out of their way to check and approve unchecked Optional nonsecurity patches.
We haven’t seen any testing of cumulative nonsecurity patches or of bundled security and nonsecurity patches, but the pattern’s starting to come into focus.
The problem, of course, is that many individuals and organizations don’t trust the “install all of Microsoft’s patches” approach. Hard to blame them -- the Get Windows 10 lessons run deep, and many dislike and distrust Microsoft’s enhanced telemetry capabilities, which they equate with snooping.
The following simple approach to patching Windows 7 and 8.1, starting in October, is directed at individuals, but admins may find the demarcation helpful, too.
Win7/8.1 users fall into one of two camps: Those who trust Microsoft’s updates and those that only want security patches. Let’s call them Group A and Group B, respectively:
- Group A are willing to take all of Microsoft’s new telemetry systems, along with potentially useful nonsecurity updates.
- Group B doesn’t want any more snooping than absolutely necessary, and they don’t care about improvements like daylight saving time zone changes, but want to keep applying security patches.
A third group, Group W, doesn’t want anything from Microsoft -- no patches, no security updates, nada. I don’t recommend that you sit on the Group W bench, but it can be understood given changes Microsoft has made to Win7 and 8.1 machines, without our permission, in the past.
For Group A, patching is much easier: Set it once and forget it, unless there’s a big bug. For Group B, the snooping should be less -- but there’s no guarantee -- and the patching method is entirely manual. You can move from Group B to Group A, but as far as I can tell there’s no way to move from Group A to Group B without completely reinstalling Win7 or 8.1.
Microsoft has a history of mixing security and nonsecurity patches in arbitrary ways. That’s going to trip users and admins up alike if it continues to release buggy security updates, then fix the security update bugs in nonsecurity updates (see, for example, KB 3179573 in August and KB 3172605 in July). For now, let’s assume Microsoft will fix Security-only Update bugs with Security-only Update patches. If they don’t, we’re going be in a world of hurt.
How to prepare for the patchocalypse
Starting with October Patch Tuesday patches, there are two very different approaches to patching Win 7 and 8.1 machines, and you need to choose sides. The details aren’t entirely known -- and are bound to change -- but in broad strokes, here’s what you need to do.
Step 1. Choose between Group A and Group B.
Choosing sides isn’t as simple as asking, “Do I trust Microsoft?” You have to ask yourself whether the additional hassle of manually installing security patches is worth keeping Microsoft’s new snooping routines off your machine. You also have to ask whether the benefits of the new nonsecurity patches (in recent months we’ve seen improvements to Disk Cleanup, various bug fixes, time zone changes, performance improvements in odd scenarios, and several others) are worth the added exposure to Microsoft’s data gathering activities (about which we have no details).
Note that the snooping routines already on your machine will stay there, even if you choose Group B, unless you manually uninstall the routine. I won’t mention KB 2952664 by name.
Step 2. If you’re in Group A, set up Windows Update.
If you’re working on a machine that won’t ever get manually updated -- good ol’ Aunt Martha’s PC or one for the boss -- it would be wise to turn on Automatic Update. Contrariwise, if you’re working on a machine that gets lots of TLC, and you’re reasonably well tuned in to Windows news, I recommend you turn off Automatic Update. With it off, you’ll be able to watch automatic updaters install the latest updates, then decide for yourself when it’s time to get patches.
Turning off Automatic Update in Group A is a trust-in-Microsoft-but-cut-the-cards move.
In Windows 8.1’s desktop mode, hold down the Windows key and press X, then choose Control Panel. In Windows 7, using an administrator-level account, click Start, Control Panel. In both cases, click System and Security. Under Windows Update, click the Turn automatic updating on or off link. (Note: If you have Control Panel set to View by icons, click Windows Update, then on the left choose Change Settings.)
If you’re working on Aunt Martha’s PC, in the drop-down box choose “Automatic (recommended) Automatically download recommended updates for my computer and install them.”
If you want to cut the cards, select “Check for updates but let me choose whether to download and install them” or “Never check for updates (not recommended).” The two choices behave similarly, but the first one will (at least in theory) show a notice in the system tray, down near the clock, when new updates are available.
In either case, check the box marked “Give me recommended updates the same way I receive important updates” and click OK.
Step 3. If you’re in Group B, turn off Windows Update
In Group B, you don’t need -- or want -- Windows Update. There are many ways to turn it off, but the simplest and least invasive option involves using the normal Control Panel setting.
The method’s identical to Group A: In Windows 8.1’s desktop mode, hold down the Windows key and press X, then choose Control Panel. In Windows 7, using an administrator-level account, click Start, Control Panel. In both cases, click System and Security. Under Windows Update, click the Turn automatic updating on or off link. In the drop-down box select “Never check for updates (not recommended)” and click OK.
Now the monkey’s on your back to check for updates from time to time.
While we don’t have a comprehensive list of KB patches that you should uninstall, in order to minimize Microsoft snooping, there’s a raging debate going on at AskWoody.com. You’re most welcome to join in, but realize it’s not all that simple: A snooping patch to you may be a massive cleanup patch to me. Further, with the dearth of information emanating from Redmond and the absence of a definitive explanation from on high, we’re all guessing.
The best advice I’ve seen on reducing the effect of snooping patches that may already be installed on your machine comes from ch100, who recommends you first turn off the Customer Experience Improvement Program (CEIP).
Step 3.1. Click Start > Control Panel > Action Center.
Step 3.2. Under Related settings, choose Customer Experience Improvement Program settings.
Step 3.3. Choose No, I don't want to participate in the program, then click OK.
You can find details in any of my Windows 7, 8, or 8.1 books.
Then ch100 recommends you specifically uninstall three patches: KB 2952664 (or its Win 8.1 doppelganger KB 2976978), KB 3150513, and KB 3021917. Those patches are worth uninstalling because they seem to circumvent the CEIP setting. There’s a reason why those three patches don’t appear in the Win 7 “SP2” convenience rollup, released in May.
In short, for Group B, turn off Automatic Update, turn off CEIP, uninstall KB 2952664 (or KB 2976978), KB KB 3150513, and KB 3021917.