Tuesday Was Microsoft's Last Non-Cumulative Patch

There was something unique about this week's Patch Tuesday. An anonymous Slashdot reader quotes HelpNetSecurity: It was the last traditional Windows Patch Tuesday as Microsoft is moving to a new patching release model. In the future, patches will be bundled together and users will no longer be able to pick and choose which updates to install. Furthermore, these new 'monthly update packs' will be combined, so for instance, the November update will include all the patches from October as well.
Last month a Slashdot reader asked for suggestions on how to handle the new 'cumulative' updates -- although the most common response was "I run Linux."

'Batch Tuesday'?

Wait -- since it's a cumulative update, are we going to call them 'batch Tuesdays' from now on?

Re:'Batch Tuesday'?

How aobut 'botch Tuesdays'?

Re: 'Batch Tuesday'?

Oooooh!!! It hurts, just like Windows updates!

Re:'Batch Tuesday'?

[donaldm]

Wait -- since it's a cumulative update, are we going to call them 'batch Tuesdays' from now on?

Obligatory "I run Linux."

Re: 'Batch Tuesday'?

[davester666]

Just something to keep you busy on Wednesday morning while your computer is reinstalling Windows.

Re:'Batch Tuesday'?

About time, tired of there being 3000 tiny updates when we re-image a machine. Just one blob, and done.

Re:'Batch Tuesday'?

You are a fucking moron. It will still be 3000 tiny updates, you just don't get a choice in which ones you get now. That's because Windows 10 is a beta test, tracking and marketing platform, not an operating system.

Re:'Batch Tuesday'?

kumpewterz are for dorks. go outside, get real with life.

Re:'Batch Tuesday'?

I prefer 'crotch Tuesdays'

But only yours, fag.

I am 9.5 inches long!

Re:'Batch Tuesday'?

[um...+Lucas]

There should be a single blog, yes. But there should also be the ability to choose which patches you want, if necessary. Say a particular graphics driver is known to kill a certain game, or a certain network update conflicts with a utility, there should be a way for advanced users do opt-out of them.

But then, Microsoft is trying to create an environment as closed as Mac, with user tracking beyond the pale of Google, accompanied a fee stream to rival any subscription service. It's not about what users want anymore, just about extracting maximal dollars.

Re:'Batch Tuesday'?

Look at who's talking.

Re:'Batch Tuesday'?

[Gr8Apes]

Why does anyone worried about privacy, security, or really "owning" their computer run windows anymore? It's time to accept that windows is no longer a consumer OS, it is a subscription service that allows you access to things you think you own, only as long as you pay the piper (that subscription payment will be coming, just wait for it).

To answer the question: If you want a AAA game platform, just buy your $5K game console and be done with it. Yes, like any console, it can do more, but at what cost?

Re:'Batch Tuesday'?

and do what, exactly?

Re:'Batch Tuesday'?

[OtisSnerd]

While will lead directly into Bitch Wednesday, as sysadmins try to recover all the Botched PCs...

Re:'Batch Tuesday'?

[Ol+Olsoc]

There should be a single blog, yes. But there should also be the ability to choose which patches you want, if necessary. Say a particular graphics driver is known to kill a certain game, or a certain network update conflicts with a utility, there should be a way for advanced users do opt-out of them.

Or even better, not make updates that have to be rolled back because they fuck up machines. It must be Stockholm syndrome or something akin, that so many people are so accepting of an Operating System that regularly screws the pooch in the computers. They even seem to think that getting their computers fucked up is a mark of superiority.

Ain't no need for that friends!

Somehow or another, OSX and Linux manage to not screw up people's computers often or at all. Using all three, my Windows machines Well, I'm down to one now are the only ones that work just fine one day, then after an update do not.

full discosure, Mac Mail got a little goofy for a little while, and one update made my Mac at the time a little jittery, but it was fixed pronto, and it noever stopped working

Getting rid of the W10 Dell I was using was a huge improvement, freed up time to actually do work, not get the computer to work.

But then, Microsoft is trying to create an environment as closed as Mac,

What is this "closed environment" people speak of? I can install any program I wish on my Mac. I run Windows 7 on it. I can run Linux on it. I don't often run Linux on it because it's already running Unix. But if that's a closed system, gimme that over Windows 10 any day.

It's not about what users want anymore, just about extracting maximal dollars.

Can't argue with ya there, although some times it seems like an abusive relationship between Microsoft and their users as well.

Re:'Batch Tuesday'?

[david_thornley]

Why does anyone worried about privacy, security, or really "owning" their computer run windows anymore?

Four reasons.

There is no satisfactory replacement. Linux isn't going to be usable until the desktop settles down some, there's a package manager that runs on most versions (perhaps with a converter to translate it into either a .deb or a .rpm), and more applications are available. Mac OSX is limited to a very few computer models, not including low-end ones, and there's limits on the available applications.

Microsoft produces Microsoft Office, and getting off that is difficult, because of the network effect, and some of the more advanced features, which are not duplicated in LibreOffice. There's other Microsoft software that is well designed for large business use, and AFAICT there aren't good F/OS equivalents.

Aside from Microsoft, there's lots of third-party apps written for MS Windows and nothing else. A large number of companies have dependencies on some of these applications. The general rule for selecting an OS is to get what runs the applications you want.

Inertia. Except for security, the issues you list are fairly new. It's going to take a long time to move over. There's lots of applications that would have to be rewritten to run on Linux or Mac OSX. There's really not that much pressure to move as long as large companies can still use W7 or W8.1.

Re:'Batch Tuesday'?

[Gr8Apes]

There is no satisfactory replacement. Linux isn't going to be usable until the desktop settles down some, there's a package manager that runs on most versions (perhaps with a converter to translate it into either a .deb or a .rpm), and more applications are available. Mac OSX is limited to a very few computer models, not including low-end ones, and there's limits on the available applications.

I'd agree. Linux shot itself in the foot with Gnome and the whole systemd debacle that made it look a lot less stable and usable than it should be. Had the distros focused on stabilizing and simplifying the end user experience instead, it might have had a chance.

Microsoft produces Microsoft Office, and getting off that is difficult, because of the network effect, and some of the more advanced features, which are not duplicated in LibreOffice. There's other Microsoft software that is well designed for large business use, and AFAICT there aren't good F/OS equivalents.

Other than some minor irritants with later Office releases that are designed to destroy compatibility I have had few issues with dealing with Office documents over the past 5 years of being MS free. And there's nothing new there, MS has been effectively leveraging MS Office since Office 95 to force updates and keep the competition limping along or crashing.

Inertia. ... There's really not that much pressure to move as long as large companies can still use W7 or W8.1.

Yep, the clock is ticking, although it was obviously years ago that MS was heading this way. In fact, the day Office 365 was announced, it was time to figure out how to remove MS from your stack. As for business applications, with few exceptions everything is moving to web-based data/application, so there's not much requirements to keeping you on windows. There's a reason IBM spearheaded its internal move to OSX across the board. The reason was that MS's plans were against any sane company's IT management policies.

Re:'Batch Tuesday'?

BS. Android is proof that people can and will switch and that an OS can gain lots of software very rapidly.

The days of Windows are numbered. People don't give a shit about their OS any more, they just care that it works.

Re:'Batch Tuesday'?

[Coren22]

Only if those sys admins are terrible at their jobs and don't do patch testing and deployment properly.

Windows 10 pro/enterprise has always had the option to delay updates until approved, you don't even need a WSUS server to manage that, though it does make it easier. If a sys admin is running Win 10 home in a production environment, I have to wonder about their professionalism and sys admin abilities.

Not sure you have a lot of options?

[King_TJ]

I think if the patches are bundled together now - you basically have to treat them as one larger patch. In other words, nothing changes except any time you find you did one and it breaks something, you roll the whole collection back until it can be rectified.

IMO, Microsoft's Windows Updates have been a huge, overly confusing mess for a long time anyway. I used to use WSUS to centrally administer them and for our small to mid-sized company, it became more trouble than it was worth. I like the advantage that you only have to download the patches once to the central WSUS server and then all the clients grab copies from there to save your Internet bandwidth. But in practice, our workforce is mobile enough that it's almost better we just let their laptops grab updates over the net from wherever they're at so they get patched more quickly.

Sifting through all of their patches and deciding when it was safe to "release" them was getting to be way more time-consuming for I.T. than it should have been. So often, you have slews of patches that wind up marked "superseded" by other patches, and there are weird dependencies too. Can't do certain patches unless you've done others first. (Why not automate all of that so any patch dependent on another one just auto-applies the required one as part of its installation?)

If you do a fresh install of Windows 7 these days? The update process is PAINFUL! You'll literally need to leave the PC downloading updates for a good 8-10 hours or more before it finally starts doing anything obvious. (It seems that it needs so many individual patches to get current, it overwhelms their updater service trying to sort through all of it and prepare to download them in the proper order?)

Re:Not sure you have a lot of options?

The fly in the ointment here is that Microsoft occasionally adds in zingers, such as the sequence of updates a while back nagging the bejasus out of you about 'upgrading' to Windows 10, resulting in some people inadvertently upgrading when they really didn't want to. That is the sort of thing that people are concerned about.

Re:Not sure you have a lot of options?

[MightyMartian]

Microsoft's resolve to alter its patch delivery schedule usually gets undermined the first time some major bug or security flaw is discovered, and it's forced to release an off-schedule fix.

Re:Not sure you have a lot of options?

That has been happening more frequently in recent times. Circumstances that make this move all the more frustrating.

Re:Not sure you have a lot of options?

[MightyMartian]

The way Windows 10 manages updates in general is frustrating. We have some dedicated Windows 10 Lenovo micro-PCs whose only significant job is show videos on some large flatscreen TVs, and we're constantly having to cancel out the update nag screens. GPOs that would seem to work don't always apply, so it just gets to be an annoying problem. I think the next set of such micro PCs we buy will probably have some small footprint version of Debian.

Re:Not sure you have a lot of options?

make a image or use the "SP2" roll up

Re:Not sure you have a lot of options?

[dbIII]

If you do a fresh install of Windows 7 these days? The update process is PAINFUL! You'll literally need to leave the PC downloading updates for a good 8-10 hours or more before it finally starts doing anything obvious

On the most recent one I did updating was completely broken. For days. Even printer drivers were unavailable. It turned that that turning updates off - rebooting - then turning them on again allowed that 8-10 hours or more.
The way it behaves changes frequently.

Re:Not sure you have a lot of options?

I just rebuilt a Win7 box last week, and the patching process only took about 2 hours. ~250 updates. Any idea why yours is taking approximately 4 times as long?

Re:Not sure you have a lot of options?

[jargonburn]

Not a big fan of how they try to force-feed you the updates. Have you tried setting the "Windows Update" service to disabled? IIRC, that will chop the update process off at the knees. If their only real job is outputting video, patching is something you could relegate to a manual task; might be less frustrating!

Re:Not sure you have a lot of options?

WHY are you using windows 10 as a single-purpose video player? there are SO MANY OTHER WAYS to do that.. most cheaper... much cheaper.. on top of higher reliability, easier management and maintenance and updating of content, and lower hardware investment.

you absolutely deserve every bit of inconvenience and embarrassment, even, when windows fucks up and puts your bsod on display, that you suffer for your moronic choice of software.

Re:Not sure you have a lot of options?

[tsa]

Let's wait until next week then.

Re:Not sure you have a lot of options?

They got the money to burn. Nice job.

Re:Not sure you have a lot of options?

[blind+biker]

The way Windows 10 manages updates in general is frustrating. We have some dedicated Windows 10 Lenovo micro-PCs whose only significant job is show videos on some large flatscreen TVs, and we're constantly having to cancel out the update nag screens. GPOs that would seem to work don't always apply, so it just gets to be an annoying problem. I think the next set of such micro PCs we buy will probably have some small footprint version of Debian.

Every time someone voluntarily went to a Windows 10 PC (even though there are alternatives), they have a horror story about it - but they characterize it as "annoyance". Example: "from time to time I lose my edits because the PC reboots without my consent. So annoying."

For me, all those scenarios are 100% unacceptable, and is why I keep installing Windows 7 (and then disable updates), and I keep around a few Windows 7 thinkpads.

Re:Not sure you have a lot of options?

If all they do is play videos, why are you updating them all the time. Disable the updates, unplug the network cables and leave them alone.

Re:Not sure you have a lot of options?

Microsoft released an update in July 2016 to fix the algorithm that deals with update dependency resolution. It was three separate updates: one cumulative, one dependency and the patch itself.

It took me from 7 hours of processing on a Intel i5 system to around 8 minutes for update searching. It worked on every system I've tried installing Windows 7 on, so I slipstreamed it into the iso files. You waste days of time updating Win7 systems due to the search period without these updates.

You can find the information by googling WU Speed patch or something similar, in short you install the following to fix WU:
KB 3020369 - April 2015 servicing stack update for Windows 7 and Windows Server 2008 R2 (Pre-req)
KB 3161608 - June 2016 update rollup for Windows 7 SP1 and Windows Server 2008 R2 SP1 (Cumulative patch)
    * This installs KB 3161647 - Windows Update Client for Windows 7 and Windows Server 2008 R2: June 2016 *

* An optimization that addresses long scan time for updates that's reported on some computers.

Re:Not sure you have a lot of options?

[vtcodger]

If one has PCs in their care that have minimal/no exposure to the internet, is updating them at all advisable? It's clear that Microsoft can't QA their products adequately. And they are hardly alone in that. IMO, that probably makes updates a greater risk than malware.

Frankly the "cloud" is increasingly like an uncharted polar sea full of icebergs and rocks. Turning your navigation over to pilots who are questionably competent and quite possibly on drugs as well may not be a good idea. May be best to sail only close to home and only on days when the visibility is good and the seas calm.

Re: Not sure you have a lot of options?

I just reinstalled yesterday and it took less than an hour to get through all the patches. Sounds like you have crap bandwidth.

Re:Not sure you have a lot of options?

[perlith]

GPOs that would seem to work don't always apply, so it just gets to be an annoying problem.

Can you expand on the specifics of this? Which GPOs are not working as expected? I'm running Win10 Professional not on a domain and settings under Computer Policy > Administrative Templates > Windows Components > Windows Update still work as expected.

Asking because I don't want to be caught by surprise either at a particularly inconvenient moment.

Re:Not sure you have a lot of options?

or use wsusoffline

Re:Not sure you have a lot of options?

[Zocalo]

Then you're doing it wrong. You need to either, 1) slipsteam your install media with all the patches and do your build(s) that way, or 2) disconnect the network, install from SP1 media, reboot, then install the "Convenience Update" (KB3125574) (AKA SP2, released in April), reboot again, then connect it up and let it get the remaining post-April updates. Both approaches are far from perfect, and still have the odd glitch, but they are a lot more efficient than letting an new SP1 install try to patch itself.

Still not even remotely close to the efficiency of Linux's approach of an integrated download of any updated packages during the install, then a single reboot though...

Re:Not sure you have a lot of options?

[dbIII]

and still have the odd glitch

Indeed, which is why I had to do it the way I said in the end after an offline WSUS tool and other attempts did not work.
The way it behaves changes frequently, which is very annoying and means that what is good advice a month ago is often not relevant today.

Re:Not sure you have a lot of options?

[PsychoSlashDot]

I think if the patches are bundled together now - you basically have to treat them as one larger patch. In other words, nothing changes except any time you find you did one and it breaks something, you roll the whole collection back until it can be rectified.

To a certain degree, it's already that way.

This month, I have a customer with a Hyper-V cluster which one of the six patches screwed up iSCSI while backing up. And a customer with a Terminal Server which one of the six patches screwed up Terminal Services. And a customer with Exchange that one of the six patches broke Backup Exec being able to see inside the database to restore individual files.

Only in the case of the TS problem has it been tracked down to a single patch - by Microsoft. The other two batches, nobody knows which one is at fault. These are production machines and I don't have time to reapply patches one by one to help Microsoft isolate which one is bad. So yeah, after this unusually brutal month I'm okay with cumulative patches. I'm having to roll back batches anyway.

Re:Not sure you have a lot of options?

[WinstonWolfIT]

Every time someone voluntarily went to a Windows 10 PC (even though there are alternatives), they have a horror story about it

Hyperbole = bollocks. My partner and I are on W10, it's heaps better than W7 or W8*, and we have no horror stories. Almost everything I use auto-saves, apps reload on reboot, and I have enough discipline to save Notepad files or Sql Manager queries if I want to keep them.

Re: Not sure you have a lot of options?

What if the videos need to be changed frequently and simultaneously? You could have a set of cron jobs and copy the data from a USB drive, but that would be inconvenient as it would require someone to go to the unit, make sufficient ports accessible to attach the USB stick and attach a keyboard and mouse, input a sufficiently memorable password, etc*. If the units are 20 feet above a concourse then this would be very disruptive, or hazardous.

* You might make it aurorun a script on USB insertion, but in that case if the device is not 20 feet up you definitely need ports to be secured to avoid people running their own malware on it. If Jason Bourne is involved then 20 feet up is no obstacle.

Lack of network connection would also make monitoring centrally which machines are up inconvenient.

A solution other than Windows 10 might also make sense, but removing connectivity isn't necessarily sensible.

Re:Not sure you have a lot of options?

[Slashdot+Junky]

Yes, a computer should be getting updates if it ever connects to a network independent of whether or not it had internet connectivity. In this case, it is the other hosts on the network that create the risk.

Re:Not sure you have a lot of options?

[Slashdot+Junky]

Those videos may be updates occasionally with this done remotely. They may be served via a more sophisticated system where content is assigned as a channel with schedules all managed centrally. We have a system with 50+ player computers distributed across NA sites serving many more displays that shows locallized and national content. We refer to it as eTV, and the content is managed by communications folks both locally and corp folks and supported by IT. So, while what the computers do all day is single task, these must be on a network. Now, risk could be reduced through network configs on the hardware side that restricts what connections can be made among them.

Re: Not sure you have a lot of options?

Admins love to over complicate WSUS.

Because I don't have time for all that:

For desktop/laptops, they goto Windows update on the Internet. We don't even use wsus to report their status. Users are expect to keep their systems up to date, if they don't the risk is on them.

Servers, we cache what we need, everything is auto approved. Since we only have a few Windows servers (couple dozen), installing updates requires an admin to click install and reboot the box. We do 6 servers per week manually. If ms releases an broken update, chances are by the time a box is updated its been pulled/fixed by ms.

Re:Not sure you have a lot of options?

[DarkOx]

Right to for the right job. A dedicated video player should be just that. It should not be a PC. You would be way way better off with some purpose built raspi image on that hardware. I would not even recommend using full linux distro for such a chore.

Your best bet would have been to spec out a smart TV that could play the videos without having to hang anything off the back. Sure those things have their own security issues but if put a few switch port ACLs on there to make sure it only talks to the file sever or DLNA server that has the videos on it, than the risk is low.

Re:Not sure you have a lot of options?

[ddtmm]

If you do a fresh install of Windows 7 these days? The update process is PAINFUL! You'll literally need to leave the PC downloading updates for a good 8-10 hours or more before it finally starts doing anything obvious.

I think that was the intent.

Re:Not sure you have a lot of options?

[MightyMartian]

Smart TVs still don't have the range of video playing capabilities that VLC does, and are certainly not as network friendly, and generally, if they have any support for network file shares, that support is rudimentary at best. Having a fully functioning PC as the video player creates a lot more options.

Re:Not sure you have a lot of options?

[MightyMartian]

These are domain members, but off the top of my head, the GPO settings around automatic download and installation of updates at specific times never seems to apply consistently.

Re:Not sure you have a lot of options?

[l0n3s0m3phr34k]

VSS is your friend; or should be your customer's friend. We have it on a nightly scheduled on all our servers on top of Back Up Exec. They could roll-back to the previous night on a System State restore, disable auto-updates, at least until you had the time to do troubleshooting on the patches.

Re:Not sure you have a lot of options?

[Gr8Apes]

Yes, a computer should be getting updates if it ever connects to a network independent of whether or not it had internet connectivity. In this case, it is the other hosts on the network that create the risk.

Completely false. The only updates you need are specifically for the network stack and any applications that access the network. The rest are generally useless to you and may create problems. For instance, a bare XP from 2001 machine connected to a network behind a solid firewall and only running a text only mail client is relatively safe, as far as that system can ever be considered safe. It would not be any safer than a fully patched system running the same software under the same conditions.

Re:Not sure you have a lot of options?

[Gr8Apes]

Every time someone voluntarily went to a Windows 10 PC (even though there are alternatives), they have a horror story about it

Hyperbole = bollocks. My partner and I are on W10, it's heaps better than W7 or W8*, and we have no horror stories. Almost everything I use auto-saves, apps reload on reboot, and I have enough discipline to save Notepad files or Sql Manager queries if I want to keep them.

So you admit you take steps to guard yourself against purposeful OS actions and yet you claim that is merely an annoyance or less?

Re:Not sure you have a lot of options?

No, it's not better. Windows 10 = Windows 8 + spyware + bloatware + advertising - user control.

Re:Not sure you have a lot of options?

[epyT-R]

Sounds like a corporate setup so they probably integrate into AD. Also, systems like that practically need good video driver support to play back high res video without pegging the cpu and dropping frames. Linux is spotty with that at best (though it has been getting better).

Re:Not sure you have a lot of options?

your 'partner'? Just say 'wife/girlfriend/boyfriend'. Fuck that pc newspeak garbage.

Re:Not sure you have a lot of options?

Is it? Roku and Amazon fire are linux devices. Tivo is a linux device.

I think the AC's question is why you would use a full-blown OS for a dedicated video feed when there are many devices on the market that are much more specialized and with lower hardware costs than a full general purpose PC.

Re:Not sure you have a lot of options?

Then you're doing it wrong. You need to either, 1) slipsteam your install media with all the patches

Can you do this with official Microsoft-provided tools? Or do you have to get involved with dodgy 3rd party programs to build your slipstream system?

Not saying that microsoft isn't also dodgy, just that you've implicitly already decided to trust them with your decision to use windows as your OS, but that doesn't necessarily mean you want to expand your risk exposure by adding to the list of trusted vendors.

Re: Not sure you have a lot of options?

[Malc]

Great idea: leave a bunch of local root exploits available that can be leveraged once compromised by a zero day remote exploit.

Re:Not sure you have a lot of options?

GPOs that would seem to work don't always apply, so it just gets to be an annoying problem.

Can you expand on the specifics of this? Which GPOs are not working as expected? I'm running Win10 Professional not on a domain and settings under Computer Policy > Administrative Templates > Windows Components > Windows Update still work as expected.

Asking because I don't want to be caught by surprise either at a particularly inconvenient moment.

If you really want any control, your only option is enterprise. This is what microsofts endgame is truly targeting. Almost every update for windows 10 has nipped away at little things that make it almost unmanageable for 10 pro in a business environment. They started from the get-go with updates... long-term service branch only available to enterprise, and slowly worked in other things like taking the ability to control/disable the windows store, start menu options, etc.
Most smaller businesses wont really notice or care about some of these things, but as you start hitting medium and large companies or even smaller ones that want a fully locked down environment, you will quickly find it is impossible with pro, but MS will make it all good again for the low low price of an enterprise agreement /rant

Re:Not sure you have a lot of options?

[toonces33]

I did recently install a Win7 machine from scratch. After the install I installed the August rollup, and then ran windows update. That thing must have run for a full day before it concluded that there were only 24 updates that were required (half of which were .NYET).

Microsoft announced that they are going to do similar rollups for .NYET.

Re: Not sure you have a lot of options?

Any exploit would first have to make it past the firewalls and antivirus, which just ain't going to happen. Take off the tinfoil hat.

Re: Not sure you have a lot of options?

[Gr8Apes]

Great idea: leave a bunch of local root exploits available that can be leveraged once compromised by a zero day remote exploit.

And a zero day remote exploit wouldn't already have owned the system?

Re:Not sure you have a lot of options?

[lgw]

Somewhat unrelated, but how do you buy BackupExec these days? It seems to have moved to a new owner (again - I think this is the 9th), and they don't seem to be selling it directly, or even have pricing info.

Re:Not sure you have a lot of options?

[l0n3s0m3phr34k]

Veritas bought it, and they only sell through their re-sellers. It looks to cost around $800-$900.

Re:Not sure you have a lot of options?

If you do a fresh install of Windows 7 these days? The update process is PAINFUL! You'll literally need to leave the PC downloading updates for a good 8-10 hours or more before it finally starts doing anything obvious. (It seems that it needs so many individual patches to get current, it overwhelms their updater service trying to sort through all of it and prepare to download them in the proper order?)

They've changed something with their servers and now the clients waste a lot of resources doing nothing.
You need to install the latest version of the fix described in the first answer here.

Re:Not sure you have a lot of options?

[blind+biker]

Every time someone voluntarily went to a Windows 10 PC (even though there are alternatives), they have a horror story about it

Hyperbole = bollocks. My partner and I are on W10, it's heaps better than W7 or W8*, and we have no horror stories. Almost everything I use auto-saves, apps reload on reboot, and I have enough discipline to save Notepad files or Sql Manager queries if I want to keep them.

First of all, you're still making my case, as you imply that Win 10 reboots outside of your control. Beside that, a lot of people cannot save their work fast enough to be safe in such rebootey conditions - my SolidWorks assemblies easily take half a minute to save, sometimes much more (rarely, but it happens).

Re: Not sure you have a lot of options?

[Man+On+Pink+Corner]

What usually happens is something like the following: you have several Windows PCs on a LAN. One user on the LAN decides it's a good idea to open the quarterly_results.xlsx.exe attachment that came from the company's Nigerian branch. Or maybe they're curious to see what's on the thumb drive that somebody 'accidentally' left in the restroom. Every organization from the grocery store on the corner to the NSA has someone working for them who will think that's a good idea.

Now you have an exploited system inside the firewall. If any drives or other resources are shared among computers on the LAN -- which after is the whole idea behind a LAN -- the machines hosting those resources are at substantial risk. Even something as harmless as a shared printer can serve as a staging area for attacks.

This is why compromising Windows Update to turn it into a marketing vehicle was such a monstrous thing for Microsoft to do. Giving users an incentive to turn off automatic updates was just incredibly stupid and counterproductive. But they did it anyway, because, after all, "We're Microsoft. Who's going to stop us?"

Re: Not sure you have a lot of options?

[Ash-Fox]

Do any of those devices support active directory tied in with certificate authentication on WiFi and LAN interfaces?

Re:Not sure you have a lot of options?

Bingo - if admins got off their damn high horses and realised that all they'd been doing is 'job security' rather than 'solving problems', they'd realise what really happened is the amount of patches they have to test just fell through the floor. A number of MS products have been cumulative-only for a long time (Internet Explorer, Exchange and SQL Server all come to mind, and I'm talking for at least TEN years here) and nobody complains about those!

I wish MS had done this years ago. And, now, if there is an issue with a patch, chances are MS will just release a new version of said patch, and ideally start folding in all the other non-security and functionality updates in so there is some consistency out there.

How often does the OSS world release a 'security patch' in response to an incident, vs, simply ask users to update to the current release? We shouldn't be two-faced to this, let both OSS and Commercial worlds use the same 'security incident -> update to latest" model.

However, now, it's almost irrelevant, as the current generation (W10) has always been cumulative only.

Re:Not sure you have a lot of options?

[WinstonWolfIT]

Um, partner is an official designation in Australia.

Re:Not sure you have a lot of options?

[WinstonWolfIT]

In no way is that a horror story. Updates running overnight is more convenient than saving a file is inconvenient.

Re:Not sure you have a lot of options?

[Ol+Olsoc]

Yes, a computer should be getting updates if it ever connects to a network independent of whether or not it had internet connectivity. In this case, it is the other hosts on the network that create the risk.

Sorry, I have a Windows 10 off th einternet system. Now that it works, there's no way I'm going to screw it up with Microsoft W10 updates. On the computer I used to familiarize myself with W10, it's been bitched up three times now. P A vius is a lot less damaging than missing a deadline because teh computer stops working. At this point, Microsoft is included in the malware suppliers.

Re:Not sure you have a lot of options?

Wait until systemd starts nagging you to upgrade.

Re:Not sure you have a lot of options?

[ncc74656]

If you do a fresh install of Windows 7 these days? The update process is PAINFUL! You'll literally need to leave the PC downloading updates for a good 8-10 hours or more before it finally starts doing anything obvious.

That's why you slipstream updates into your installation image. Slipstreaming the various post-SP1 patch rollups as they're released will slash your installation time significantly, and there are only a relative handful of them at this point.

The only thing slipstreaming doesn't cover is updates to the .NET Framework. For whatever reason, they're not provided in a compatible format, but only as installer .exes. RT Seven Lite, however, will create an image that will run these installers (or others) in a post-Win7-installation step. It also facilitates slipstreaming the other updates, so it's useful to have on hand.

Re:Not sure you have a lot of options?

[Wolfrider]

--You can speed up Win7 updates A LOT just by using WSUS Offline Update. Download once, burn to DVD and update the client PC with that.

--Win7 "official" update process is horribly broken and CPU intensive, to the point where the CPU fan on a laptop I inherited had basically failed due to 100% continuous use.

http://www.wsusoffline.net/doc...

--Note that you may have to run the WSUS updater on the client multiple times and reboot/repeat, but this is still *much* better than doing it the traditional way. After updating, I'd recommend doing a full bare-metal backup with Veeam or Aomei or the like.

Re: Not sure you have a lot of options?

[epyT-R]

Thank you, exactly.

Re: Not sure you have a lot of options?

[Malc]

How about: a "correctly" configured system gets exploited remotely via a brute force dictionary attack that uncovers a weak password? Now you have a false sense of security and don't expect the unpatched local root issue to be exploited.

Re: Not sure you have a lot of options?

Do you remember Nimda? It used to copy itself to all the open network shares it could find.

Re:Not sure you have a lot of options?

[ripvlan]

Yup - totally living that. Superseded never made sense either - esp with a mix of "older" and "newer" installs. You couldn't decline an patch via the cleanup tool if it was needed. And then upgrading a newly deployed machine was difficult unless you spent the time to slipstream which was a pita.

A healthy mix of several OU Targets and I just keep pressing "Approve all" (after testing in a smaller group of early adopters).

I look forward to this change - not sure what the impact will be.

wow - a helpful and relevant /. post !!!

Re:Not sure you have a lot of options?

[RevDisk]

Did a fashion display a bit ago on Madison Ave for Fashion Week. PCs and Smart TVs do a crap job. Best solution for absolutely no fail, 24/7/365 displays is a dedicated video unit. We went with VideoTel unit for $300. Cheap, SD card for media and dumb as a brick, which is exactly what we wanted. BrightSign always more scripting and niftier features but costs more.

No updates, no way to hack without physical access, no nothing except playing a video on a loop. They automatically power up after power loss. Our units typically run for months without hiccups.

Re:Not sure you have a lot of options?

[RevDisk]

We tried Smart TVs for video players. Unreliable and we had lag between video clips. Didn't power on as smoothly as we'd like for recovery from power outage. Failed pretty much every "seamless solution" criteria we tried. They do actually make digital signage TVs, but they tend to be more specialized than generally desired.

A consumer TV and a dedicated video unit are cheaper, and we "toss" the TVs every year or so.

Re: Not sure you have a lot of options?

[david_thornley]

A zero-day exploit might not get root/admin rights on a system. It may be able to use local bugs to get those.

Re: Not sure you have a lot of options?

[david_thornley]

How about downloading and running random executables from reputable sites? Most putatively reputable sites display ads from some sort of service, and don't make sure they don't contain malware. There was one incident not too long ago where a lot of people were hit from the New York Times site.

Re: Not sure you have a lot of options?

[Gr8Apes]

A) the system is a limited functionality system to begin with, so lots of things wouldn't be on the system to exploit. B) zero-day exploits that I've seen all can leverage themselves into admin rights on windows without any additional help. If you can run arbitrary code on windows, you can root it.

Re: Not sure you have a lot of options?

PCs on a LAN are isolated by firewalls

I guess if your IT education consists of watching "Sneakers," you might have the impression that things work like that in the real world.

Re:Not sure you have a lot of options?

[Rakarra]

Sounds like a corporate setup so they probably integrate into AD. Also, systems like that practically need good video driver support to play back high res video without pegging the cpu and dropping frames. Linux is spotty with that at best (though it has been getting better).

If you use an Nvidia card with nvidia's driver, you're fine on Linux, and have been for a good part of a decade.

Re:Not sure you have a lot of options?

[Rakarra]

Have you never heard of domestic partners before?

Re:Not sure you have a lot of options?

[martinfb]

For those stuck with Windows, it is obnoxiously arrogant to now force ALL updates on a user. What if there is a specific patch I really do NOT want? What if there is a patch in that same update I need? I am screwed!

I think MS's move closer to "Big Brother" is totally uncalled-for, unethical, and a breach of trust. They need to be SEVERELY regulated; and I intend to push and lobby for the freedoms users deserve!

Re: Not sure you have a lot of options?

[david_thornley]

If you can escalate yourself to admin rights if you have the ability to run arbitrary code, and you're sufficiently confident to throw it out as a general truth, then Windows security sucks anyway.

Re: Not sure you have a lot of options?

Sorry to break this to you, Rip van Winkel, but it's 2016 and not 1986 any more. Computer networking doesn't work the way you imagine it does. You are a moron if you don't have a firewall on your router AND on every PC connected to that router. In fact, you would have to go out of your way to make it not be so with any modern equipment and operating system.

Re:Not sure you have a lot of options?

It's an official designation in the USA and Europe too, but people still don't use it because it sounds weird. Just use normal terms like "boyfriend", "girlfriend", "husband" or "wife".

Re:Not sure you have a lot of options?

[WinstonWolfIT]

In Australia, de factos refer to themselves as partners. Deal with it.

Re: Not sure you have a lot of options?

[Gr8Apes]

If you can escalate yourself to admin rights if you have the ability to run arbitrary code, and you're sufficiently confident to throw it out as a general truth, then Windows security sucks anyway.

Anyone can. Well, anyone that's spent even 3 days studying how to inject code into DLLs. Even today on any system pre win10, and likely with win10 also as the security hole is big enough to drive a planet through. It's the biggest issue with the architecture. If you can run arbitrary code that enables you to inject code into a DLL, then pwnage is guaranteed. Why? Because you could, at least before win10, inject code into a system DLL, and choose exactly where you wished to inject it, say, something like a network access method that's frequently run by a process with system privs. Guess what happens the second a system priv process hits that DLL in the future? TBH it's been a few years since I played with this and I believe AV and the windows calls have been hardened but the capability still exists. There's a reason I don't run windows anywhere and actively discourage it in places I work. I've cleaned up the resulting windows mess more than once in my past, and quite frankly I think I'd prefer the pain of systemd over a windows server environment any day of the week.

In other words..

"You want security patches? Welp, you're gonna have to accept Telemetry too."

Re:In other words..

I run Win95. Its so old no hacker bothers trying to hack it. And when some advanced hack does affect the system, all it does is crash it. Well, since Windows was actually designed for frogs ("reboot! reboot! reboot!"), and I've been doing that for decades, one extra system restart bothers me not-at-all.

Re:In other words..

This, just like the iPhone 7 backdoor.

Botchulism, see your local GMO.

Re:In other words..

[Z00L00K]

And this is what's most worrying, we don't really know what's in "Telemetry", and I have a feeling that it's going to be a problem.

And we can't figure out which part of a future monolithic patch that actually causes the system to behave bad, some patches aren't even possible to uninstall without a lot of hard work.

Re:In other words..

a b or c?

Re:In other words..

And that's the issue. Does the "convenience rollup" patch discussed above contain all of the telemetry updates? Do these new rollup patches contain the telemetry updates?

Or is this just a matter of watching and hoping they don't remake and add the telemetry updates later?

That's what I really need to know. Because I absolutely refuse to let Microsoft monitor my computer. And watch: I'd bet that the reason the government is staying out of this is because they've promised to share the data.

Re:In other words..

[vtcodger]

Personally, I thought Windows peaked along about Win95 OSR2 -- which was actually quite a good OS for 1997. Fast, compact, ran OK with next to no memory and was very reliable. Pretty much all downhill from there I think.

But what does one do for applications? And I should think the lack of USB support that works might be an issue.

Re: In other words..

[whopis]

Win 95 OSR2 has USB support.
It was only the retail versions that lacked it.

Re: In other words..

[demonlapin]

OSR2 had shit USB support that wasn't worth the trying. If your hardware was weak, run 95A (which was not much more demanding than 3.11). If you could handle it, run 98SE (a much more competent OS). Or, y'know, Linux, but good luck configuring it back then.

Re:In other words..

[RandomSurfer314]

How about writing a snail mail letter to Microsoft that you do not agree with any telemetry and demand that the EULA between you and Microsoft has to be changed accordingly. That way, Microsoft has only few options: Cancel the contract and compensate you for the loss of service provided by your license of Windows 7, not activate telemetry on your system, or install telemetry, which in this case would constitute illegal wiretaping that falls under penal law.

I'm sure that this couldn't possibly affect Microsoft much in the US, but in the EU this way of proceeding might give Microsoft's lawyers a headache.

Re: In other words..

[vtcodger]

W95 OSR2 USB support pretty much didn't work at all, ever. It took about five years for USB support in any OS to reach the level of being a crapshoot -- some stuff working flawlessly and other stuff not working at all. After 2002 or so, USB usually worked in Windows. Persuading Unixes to work with USB was a challenge.for another few years after 2002. Not that it couldn't be made to work ... eventually ... if one was patient enough.

Re:In other words..

[TheHappyHippo]

"You want security patches? Welp, you're gonna have to accept Telemetry too."

Probably true. Many of those who haven't switched to Windows Telemetry... err Windows 10 yet have probably also decided not to install the telemetry patches Microsoft have released for Windows 7 and 8.1. So, now you have to install them in order to get other updates.

Re: In other words..

2002 was when I started using Linux, never had a problem with USB.

Re:In other words..

[Zontar+The+Mindless]

Windows 2K was the bomb. When I saw what XP was like, though, I knew the writing was on the wall and switched to Linux when 2K fell out of support.

One of the very few decisions I've made in my life that I have never yet regretted, not even once.

(*looks over shoulder, smiles and nods* Yes, honey, you're one of those, too. Honest!)

Re:In other words..

You don't know what telemetry is in your Android or Apple phones either and you still keep using those. Idiot.

Re:In other words..

They're basically saying that Windows is just for games now. You shouldn't store or access any important documents on your windows system. Also, any games you play on a windows machine should be things you won't be embarassed about if you get doxxed on 'em.

Re:In other words..

[lgw]

2K had it right, no question. I never went down the Win95 road - I just used NT 4.0 as that was a very modern server OS for home use back in the day (when Linux was Slackware on 32 floppies). But Win2K gave NT a real UI, and a wide selection of games worked.

Re:In other words..

For my Android phone, yes, I absolutely know since Android is open source and I run a custom firmware compiled direct from the CyanogenMod and AOSP sources.

Now show me where to download open source Windows 10 or shut the fuck up, moron.

Re:ironically

[MightyMartian]

Which modern variant are you using that you have conflicts of this kind?

www.safer-networking.org/spybot-anti-beacon

Fight them in the userland, fight them in the host file, fight them in the router, fight them in the sewers... These telemetric bastards will pay.

Re:www.safer-networking.org/spybot-anti-beacon

[Z00L00K]

The hosts file is already circumvented by Microsoft.

If you really want to solve this then it's to force Microsoft to change every IP address they are associated with.

Re:www.safer-networking.org/spybot-anti-beacon

inb4 MS includes an update that hacks your router and removes the filters.

Re:www.safer-networking.org/spybot-anti-beacon

The hosts file is already circumvented by Microsoft.

Can somebody please tell APK? (Dear God, if this shuts him up, then maybe Microsoft finally got something right...)

response

[markdavis]

>"Last month a Slashdot reader asked for suggestions on how to handle the new 'cumulative' updates -- although the most common response was "I run Linux.""

Yep, still run Linux...
I install whatever I want, whenever I want, however I want, on what I want. My machine belongs to me.

Re:response

Although it's not clear how long that will be an option, considering the cock-up with some of the Lenovo machines that refused to allow you to install Linux...

Re:response

Yep, if only Lenovo wasn't the only PC manufacturer out there.

Re:response

[ArchieBunker]

More like Linux lacked a driver for the oddly configured SSD.

Re:response

Nope. More like Lenovo didn't publish the specifications.

Re:response

Like most Windows users, you are retarded. If you can not freely access or use your kit without someone else having the final word, it's no longer yours, it's been expropriated.

Which happens to be exactly what "secure boot" and Windows 10 is all about.

Re:response

You know you can use Secure Boot with Linux, right? There are certainly some advantages to Secure Boot with Linux, like knowing that the boot loader/kernel are as they should be.

Why don't people flip out so much about the locked bootloaders on Android devices, which pretty much does the same?

(This is a pro boot loader security post, not a pro-Windows post)

Re:response

Yep, still run Linux...
I install whatever I want, whenever I want, however I want, on what I want. My machine belongs to me.

Have you installed the newest Linux distro - Cartman Linux?
Their motto is "Whatever, I do what I want".

Re:response

Perhaps people think of their phones and their computers differently. Personally I wouldn't buy a phone unless I can unlock the bootloader.

Re:response

[markdavis]

>Their motto is "Whatever, I do what I want".

LOL- I like it

Re:response

[mysticgoat]

Yes, running Linux is still the best option, for most Windows users.

Obviously if you are required to use software that only runs on Windows --perhaps you are a photographer who has to submit his finals in Photoshop format-- then you are stuck in the Microsoft microbiome. Too bad.

But most Windows users are not being coerced into that submissive role; they could switch to something like an Ubuntu LTS and be happy --and more productive at lower long term cost-- than if they continue to pay to be a commodity in an obsolete and slowly failing marketeers' world.

good to fix the 2-3 reboot passes to get systems u

[Joe_Dragon]

good to fix the 2-3 reboot passes to get systems up today + all of the optional stuff that does not auto install.

Also all of the hot fixes as well.

Will there still be zero day fixes?

[Joe_Dragon]

Will there still be zero day fixes?

As in small updates for just that one fix mid mouth? and then for full one at the end of mouth?

Re:Will there still be zero day fixes?

[I'm+New+Around+Here]

You seem to have an oral fixation.

You should have your wife check that for you. ;^)

Can we get something like windows 10.01 10.02

[Joe_Dragon]

Can we get something like windows 10.01 10.02?

Or Windows 7 sp2 or SP1.5

Windows 8.2 or 8.1.5?

Re:Can we get something like windows 10.01 10.02

[sexconker]

MS won't release SPs anymore because all of their shit in place says SPs add to the support length of the OS.
That's why Windows 8.1 happened instead of Windows 8 SP 1.
That's why 7 had only 1 SP despite desperately needing another. It's so bad Windows Update doesn't work on a fresh Windows 7 install until it crashes twice over 36 hours. The third time usually works after another 8-12 hours.

Re:Can we get something like windows 10.01 10.02

actually, it's because "service packs" require testing and they don't employ patch testers anymore.

Re:Can we get something like windows 10.01 10.02

The length of time of a new windows 7 install isn't the infuriating issue. Its that while still applying windows patches, somehow it subtly introduces corruption into the patch database.

Re:Can we get something like windows 10.01 10.02

[Anonymous+Brave+Guy]

What is effectively Windows 7 SP2 is called the Convenience Rollup instead, probably because it avoids complications about extending support dates if a new Service Pack is released, and it's found as KB3125574. See my first post to this discussion for more about how to use it, including installing it without waiting an eternity for Windows Update to get its act together.

Re:Can we get something like windows 10.01 10.02

[Daltorak]

Can we get something like windows 10.01 10.02?

Or Windows 7 sp2 or SP1.5

Windows 8.2 or 8.1.5?

Sure. It's already there. Just gotta understand how Microsoft versions Windows now.

• - Think of "Windows 10" as a brand name, like "Mac OS X", instead of "the tenth version of Windows".
• - Run this from Powershell: get-item 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\' and you will see values like CurrentVersion (6.3), ReleaseId (1507, 1511 or 1607), CurrentBuild (10240, 10586 or 14393), and UBR (17113, 589 or 189 if you're fully patched)
• - You can also see those numbers by typing "winver".
• - ReleaseId and CurrentBuild will always be matched in any OS release. ReleaseId is the year/month; CurrentBuild is from their build system.
• - UBR is short for UpdateBuildRevision and it generally refers to the number of bugfixes applied on top of CurrentBuild. It jumps by a bunch every time a cumulative updated is released.
• - The CurrentVersion value of "6.3" might make you think that this is the fourth version based on the Windows Vista (6.0) kernel, but the reality is that they found a lot of software refuses to install if they try to increment it past 6, even if the software itself works perfectly on the newer version of Windows. So they deprecated this value in Windows 8.1 and it will always be 6.3.

(TL;DR: Mac OS X 10.11.6 == Windows 10 10.10586.589.)

Microsoft publishes a list of the cumulative fixes for Windows 10 and their Build/UBR numbers on their web site. They've never done this kind of a list for previous versions of Windows.

Re:Can we get something like windows 10.01 10.02

[sexconker]

Regular patches require testing too. The fact that they don't test anymore isn't part of it.

Totally coincidentally...

Tuesday was the last time I update Windows 7.

Microsoft Update Catalog is my new hero

[Anonymous+Brave+Guy]

For general information, if you're installing a fresh Windows 7 now (starting from SP1, presumably) then it seems by far the fastest way to get a system reasonably well patched is to install the Convenience Rollup (KB3125574) and if necessary its prerequisite (KB3020369) from the Microsoft Update Catalog. That immediately brings you up to somewhere around April 2016 in terms of patch level, and you can download the required files quickly from the Catalog site and then install them locally using WUSA without waiting around for hours while Windows Update does whatever its current broken mess needs to do now. The most recent time I did this was just a few days ago, and after doing that it was then another couple of hours for Windows Update to find the rest and install the remaining security updates, but at least it could be done in an afternoon instead of leaving the new PC overnight and hoping it might have found something by the morning. Spybot Anti-Beacon or some similar tool can still turn off the various telemetry junk that you can't now individually because it's all bundled into the CR update.

Incidentally, for those who would prefer to keep security patching their existing Windows 7 systems but not get anything else, there are reportedly (direct from a Microsoft source) going to be monthly security-only bundles as well, but you'll have to get those from Microsoft Update Catalog manually as well, they won't be advertised or pushed out through Windows Update. So it looks like the new SOP is to turn off Windows Update entirely (as a bonus, you get back that CPU core that's been sitting at 100% running the svchost.exe process containing the Windows Update service for the last few months) and instead just go along and manually download the security bundle each month to install locally.

Of course, Microsoft Update Catalog requires Internet Explorer 6.0 or later and won't run with any of the other modern browsers, but I'll live with using IE to access it if it means I get security-patched but otherwise minimally screwed up Windows 7 machines for another 3 years.

Also, it's been confirmed that this policy will apply to all editions of Windows 7. It's not an Enterprise-only feature and doesn't require the use of WSUS etc. Let's hope they stick to their word on this one.

Re:Microsoft Update Catalog is my new hero

[hairyfeet]

The Convenience Rollup is kept on my keyring USB stick as its just soooo much easier than dealing with a system that may not have had a patch on it in years.

And as far as these new crap "mega updates"? Just turn off Windows Update and use WSUS Offline which last I checked is doing just as you described and grabbing the manual security updates, only you get them nicely bundled with a script that will install them all (and do any reboots required) and shut down the system, hassle free. I highly recommend it.

Re:Microsoft Update Catalog is my new hero

[Hognoxious]

Have a few Win7 installs that I use rarely, so I tried to download it on Linux.

https://support.microsoft.com/...

sends you to

http://catalog.update.microsof...

which says

This website does not offer updates for the operating system on this computer. [no shit, Sherlock]
This website only provides updates for computers running Windows 2000 Sp3, Windows XP or Windows Server 2003 and later. If you prefer to use a different Windows operating system, you can obtain updates from the Microsoft Download Center."

So I click the link for the download center ...

go.microsoft.com/fwlink/?LinkId=10678

And from there

https://www.microsoft.com/en-u...

And then the link labelled "Microsoft Update"

http://www.update.microsoft.co...

Thanks for your interest in getting updates from us.

To use this site, you must be running Microsoft Internet Explorer 5 or later.

To upgrade to the latest version of the browser, go to the Internet Explorer Downloads website.

If you prefer to use a different web browser, you can obtain updates from the Microsoft Download Center or you can stay up to date with the latest critical and security updates by using Automatic Updates. [...]

I do indeed prefer to use a different web browser. So I click the link and it takes me to

https://www.microsoft.com/en-u...

Think I've been there before.

So this means you have to connect the unpatched install to the internet to download the patches while just hoping you don't get hacked? Sheer genius. I mean, it would be absolute madness to download a patch on one machine to use on another (or several others).

Re:Microsoft Update Catalog is my new hero

Just turn off Windows Update and use WSUS Offline

this.

it has been an occasional go-to tool for me for years now.. but promoted to full-time status now. due to this change by microsoft.

best part is, for those unlucky enough to need it.. windows 10 support. so disable that persistent windows update service on windows 10 and use *THIS* when you want to update, and on the connection you want to use to download up to 4 gigabytes at a crack on.. not when windows wants to (which is, like, all the fucking time).

Re:Microsoft Update Catalog is my new hero

[Zontar+The+Mindless]

I mean, it would be absolute madness to download a patch on one machine to use on another (or several others).

Well, this IS Microsoft, after all. Not only designing for the lowest common denominator, but effectively mandating that anyone who actually has a clue constrain himself to that level, regardless. They've only been doing this for about 20 years now.

I put up with it for 10 of them.

Re:Microsoft Update Catalog is my new hero

[l0n3s0m3phr34k]

Totally second WSUS offline, it's a life saver for those systems that just refuse to update.

Re:Microsoft Update Catalog is my new hero

[Hognoxious]

Thinking about this, I had similar problems when XP SP2 or 3 came out. My home connection was slow and flaky so I tried to download it at work, except my work machine was on W2K...

IIRC I eventually found some masonic sysadmin page with direct ftp:// links. Anybody remember those?

Re:Microsoft Update Catalog is my new hero

[King_TJ]

Yes, it's good advice to try to install the "Convenience Rollup" on a fresh Win 7 SP1 install before trying to update the rest of the OS.
But from my experience with that? You absolutely *do* have to install the prerequisite KB30203369 first, or else it won't do a thing. And when you download and run that prerequisite, it still has to go through some type of "searching for updates" process which seems to involve communicating with the Windows Update servers Microsoft hosts. I had a lot of problems with THAT process getting stuck for hours and having to reboot and try again once or twice before it finally went through.

Re:Microsoft Update Catalog is my new hero

MS are/have made it too hard to manage Windows systems.

Thank God the company I work at is 90% Mac + Casper/JSS to manage them. The Windows systems are so far and few between issues are rare.

Re:Microsoft Update Catalog is my new hero

[lgw]

So how do we know WSUS Offline isn't primarily a malware vector? This seems like the very best way to build a botnet: hijack Windows Update. Or, even if they're honest, what a target!

MS has clearly lost its way when 3rd-party Windows distros start looking like the best security practice.

Re:Microsoft Update Catalog is my new hero

[lgw]

Yes - IME you're totally screwed if your network stack is hosed, or you accidentally have the same IP address or hostname as another machine. What a mess.

Re:Microsoft Update Catalog is my new hero

Holy shit, man. Thanks. I had never known about this site. I've been picking through all my Win7 updates specifically to avoid all the Win10 trash MS has been dumping out forever, along with anything else that seemed suspect. Is it safe to say I can use this site to continue that practice? I know Win10 isn't free anymore, but MS pushes plenty of stuff I don't want/need.

Re:Microsoft Update Catalog is my new hero

[hairyfeet]

Uhhhh...can you read? Because that is really all you have to be able to do to check WSUS Offline since the GUI is really just a front end for some scripts which are in a folder appropriately labeled "cmd" so you can just open them in the text editor of your choice and see what its doing.

It also doesn't try to obfuscate in ANY way what it is doing or who it is calling if you are using the Offline Generator to generate an Offline Update client (it currently supports Vista-10 including the server variants, VERY handy to have) so when you launch it you get a standard command prompt where you can simply look at the screen and see its just calling the MSFT update servers and downloading the updates straight from the source.

Let me give you my personal assurance, I've been using WSUS Offline for so long I still have the DVD with the WSUS Offline for Windows 2K Pro and not once has there ever been an issue with any kind of spyware, malware, or even Windows Update issues because this doesn't use the WU client and just installs them manually via script. I can't even count how many clients I've used it on, easily in the thousands, and its one of those tools I'll always keep on my network share, its head and shoulders better than dealing with WU.

Re:Microsoft Update Catalog is my new hero

[lgw]

The attacker assured me "the GUI is really just a front end for some scripts". The attacker assured me the screen I see is "a standard command prompt where you can simply look at the screen and see its just calling the MSFT update servers".

This is the risk here. Has it been audited by security professionals? Do they have a process in place to discover that their code repo was hacked? The same applies to Linux distros, of course, where there have been issues (though few have been discovered).

To be fair, they're probably as secure as the MS bits they're built on, but still it's overall a sorry state of affairs.

Re:Microsoft Update Catalog is my new hero

[hairyfeet]

So you are literally arguing that command prompts are magic? Or are you arguing that you cannot read?

Because you don't HAVE to use the GUI if you do not want to, you can just run the scripts straight from the folder and simply throw away the GUI if you want as all it is doing is simply editing a script called "update" that is in the parent folder right next to the GUI. Throw away the GUI and run the script, which again you can just open in any editor and guess what? It does exactly what the GUI does, installs the updates with the conditional flags you chose. The options you choose? Again all just basic scripts with easy to read descriptors like "install DotNET" "InstallOfficeUpdates" and "MakeLogFile" and anyone who can read even the most basic script can read these quite easily as they are all laid out in classic "if this then that" script language with no attempts at any obfuscation.

So I'm sorry but now you are either just trying to sling FUD or you honestly do not understand how virii work and think computers are magical black boxes that some boogeyman can wave a wand and create a bug. Scripting is something anyone with any kind of IT knowledge or support background is not gonna have any trouble reading, the websites being called to download the updates are the Windows Update site owned by MSFT so unless MSFT gets their own update servers pwned there is no issue there, and once you have downloaded the updates no network or third party programs or even the GUI itself is required as it is simply manually installing Windows Updates from a command line.

Re:Microsoft Update Catalog is my new hero

[lgw]

What I'm saying is: this is a valuable attack surface for someone building a botnet. If most people use the GUI, then it won't matter that the scripts are clean if the GUI is dirty (obviously, just because a window that looks like a command prompt running scripts is displayed, that means nothing if it's all presented by the GUI).

There have been attempts to hijack Linux distros before, and hijacking Windows update is a key prize.

Re:ironically

[donaldm]

Which modern variant are you using that you have conflicts of this kind?

Well to be fair I did have a conflicting package in Fedora 24 (the only one I have ever had with this distribution) a few weeks ago and my options were 1) Update all other packages except the offending package. 2) Remove the offending package and reinstall at a later date. 3) Wait about two days for the issue to be fixed.

As least with Linux you have options so a two-day wait was not a big deal and also the package that I had the update issue with was one that I rarely used, but even so if I chose options "1" or "3" I could still use the full functionality of the package, it's not as if the conflicting package stopped working.

BTW. The AC comment was a troll since the did not appear to have a clue.

Re:ironically

I have used Ubuntu, RedHat and its downstreams. Conflicting packages are the exception, unless one has some oddball application that has its own stuff, and that isn't tough to resolve.

Cumulative updates? I don't see Canonical or Red Hat putting out a single .rpm or .deb file with every month of updates in it, and you either have to install the entire bunch of nothing, even if just a single program needs an update. Oh, it is relatively rare to need a reboot as well, barring a kernel update.

I will throw OS X into the mix as well. Even Apple is smart enough to not to force cumulative updates.

Cumulative and combined

[Calydor]

So what exactly are they going to do? Are we going to download the entirety of updates that have ever been released for Windows every month? That seems like a crazy waste of bandwidth, especially for people with slow or capped connections.

Re:Cumulative and combined

[hcs_$reboot]

Well, hopefully that will end the "system being at updates n-10, have to patch n-9, then n-8, then n-7 ....."

Re:Cumulative and combined

Their new trick is to make sure we don't just look at "complete security breach with integrated bonuses for you our friends at the NSA, not that you'd need this backdoor with the quality our security is about to fall to in this patch anyways", "you didn't really need a printer anyways" and "640gb storage should be enough for anybody" patches and just skip them in favor of only installing "Calc.exe no longer crashes that "launch manager" that is actually your laptop's brightness control" this week.

Re:Cumulative and combined

[l0n3s0m3phr34k]

Microsoft has shown, via the 6.5gb Windows 10 "upgrade", they care little about anyone's slow or capped connections.

Re:Cumulative and combined

[denbesten]

...Are we going to download the entirety of updates that have ever been released for Windows every month? ...

If you update online you get just the changes. If you download and install you get the whole thing.

Microsoft answered this and many other concerns on their blog last month. Your particular answer can be found in the comments.....

Nathan Mercer
September 15, 2016 at 8:37 am

... Monthly rollup will grow to be about the same size as Convenience rollup update. If you install via WU or WSUS you can take advantage of the Express feature to just have deltas going across the network. Security-only update will obviously be much smaller.

Re:Cumulative and combined

[fahrbot-bot]

In addition, from the same blog post:

Over time, Windows will also proactively add patches to the Monthly Rollup that have been released in the past.

Probably meaning telemetry and all the other things people have explicitly not installed (like Silverlight - for which "patches" appear in WU, even though I don't have it installed).

Re:Cumulative and combined

[fahrbot-bot]

Damn. Missed this bit of good news in the blog in my previous post:

Microsoft Update Catalog
The Microsoft Update Catalog website is being updated to remove the ActiveX requirement so it can work with any browser. Currently, Microsoft Update Catalog still requires that you use Internet Explorer. We are working to remove the ActiveX control requirement, and expect to launch the updated site soon.

Defer upgrades?

[ArtemaOne]

Does anyone know what will happen to those of us deferring upgrades? I got weird errors and lost my HFS partition last time it happened. Do we get a separate set of updates, or will we be forced to grab the anniversary update despite the bugs?

Re:Defer upgrades?

Unplug the network cable and don't upgrade. Install Windows in a virtual machine on Linux and disable the Windows networking, then set up shared directories with the Linux host.

Re:Defer upgrades?

[Impy+the+Impiuos+Imp]

The anniversary patch chose to install Friday when I shut down.

Re:ironically

Oh really? Name one.

XP Still Gets Individual Updates Until 2019

..and there are no backported W10 "telemetry"/etc updates either.

Miss Me Yet?

Re:XP Still Gets Individual Updates Until 2019

[gweilo8888]

No, it doesn't. Windows XP support ended in 2014, and not even security patches are provided by Microsoft any more.

https://www.microsoft.com/en-u...

Yes, you can shoehorn Windows Embedded Industry updates into XP, but that's only going to patch anything which was shared between the two. If a bug or exploit was specific to XP, it won't be patched. And there's no guarantee this trick will continue working next week, never mind a year or two from now -- Microsoft can close the loophole any time they want to.

Corporate suicide!

[Angeret]

Has anyone at the top of Microsoft figured that corporate suicide isn't an achievement they should be aiming for? They keep trying harder for it every year and eventually, with enough effort, will be proud recipients.

Re:Corporate suicide!

[nukenerd]

Has anyone at the top of Microsoft figured that corporate suicide isn't an achievement they should be aiming for? They keep trying harder for it every year and eventually, with enough effort, will be proud recipients.

No they won't die. Have you never seen The Terminator, Westworld or similar films and stories about The Thing That Won't Die ?

Microsoft is that - The Thing That Won't Die. No matter how much it is whacked, or whacks itself, it just gets up again like a zombie with even more wounds spouting pus over anyone who goes near it and keeps on walking and trampling with empty eye sockets and flailing arms, just like in a horror movie.

Re:Corporate suicide!

[gweihir]

So far it works for them. There are enough people that think Win10 is great. Of course, the corporate market is another story.

Re:Corporate suicide!

[fahrbot-bot]

Microsoft is that - The Thing That Won't Die. No matter how much it is whacked, or whacks itself, it just gets up again like a zombie with even more wounds spouting pus over anyone who goes near it and keeps on walking and trampling with empty eye sockets and flailing arms, just like in a horror movie.

(cough) SCO Group (cough)

Good for convenience, bad for large IT shops

[ErichTheRed]

Having done the end user computing engineering thing for quite some time, I've had to deal with Windows Update in places as large as 40,000+ PCs. There's a conundrum in the cumulative patching model -- it's super-easy for IT, but could leave some places more vulnerable.

The problem is that the more diverse a company's IT needs are, and the more proprietary software they rely on, the less able they are to just roll out a bundle of fixes to everyone and call it a day. I think Microsoft is forgetting how much some companies are relying on desktop Windows for line of business applications...it's almost like everyone there has drunk deep of the Cloud/Surface/Phone/Tablet/Web Services kool aid, and just assumed those crappy 20 year old applications have disappeared along with desktop/laptop use cases. In their minds, the only thing they have to make sure works correctly on site is Internet Explorer/Edge and Office.

Admittedly, updates are a confusing mess of semi-circular dependencies and it is very difficult for Microsoft to test even common combinations. But, making them all cumulative means this...Assume you have 10 updates in a bundle, 6 work fine everywhere, 1 breaks 40 PCs in Department A, 1 breaks the LOB app running on all 18,000 PCs you run, 1 breaks a behavior in IE some junky internal web app running on 2,300 PCs and 1 breaks the CEO's computer. All those computers have to wait until the problem is solved to get the protection for the 6 vulnerabilities, and they will continue to be unpatched since the bundle is cumulative.

The other thing I'm not a fan of is the removal of any sort of information about what gets patched. There used to be comprehensive descriptions of what was patched, and companies who knew what they were doing could direct testing to the right application groups. That's the other thing that's going away this month. We're a big Microsoft shop so we're pretty much resigned to upgrading to Windows 10...I guess we'll see what happens. Microsoft's been trying to cremate Windows 7 ever since early this year, messing with support dates and not backporting features. We'll see if Microsoft's "update rings" strategy that they're recommending everyone migrate to is workable.

Re:Good for convenience, bad for large IT shops

[RicktheBrick]

I did a factory reset on a laptop to get back to 8. It started out with 181 updates and took over 8 hours to accomplish this. I turned it on the next day only to discover there were 21 more updates. I do not know if it is windows 10 or slashdot software but to type in this comment I attach a external keyboard since if I type on the laptop keyboard it goes crazy on me making it most difficult to type. Microsoft's games are the worst. I was playing Treasure Hunter and all at once it quit on me I restarted the game only to find that it was like I never played the game therefore losing more than a month of playing it. My results are suppose to stored on the cloud so there should be nothing my laptop could to produce that result. I really do not want to start over if there is a chance that it will happen again. In the game one must get across the screen to find an exit but for some reason the exit is not visible unless on magnifies the screen to the max. There is a game of solitaire where one must accomplish a task within a certain number of moves. But they have auto moves that can not be shut off and do not help in winning the game. So one must hit the undue button a lot of times since the game will try to redo the moves after every move the player does. Does anyone at Microsoft even play these games as if they did they would certainly see how frustrating they are. I have seen a game that will display a screen just to have it replaced by another screen. They could not be bothered to delete that screen instead of just adding more software to load another. Yet they are trying to get people to pay them over $10 a year so that they do not have to watch commercials. Most of the commercials are there just to punish those who do not pay as one game will advertise another game and it does not matter if one already has both games. I am sure some of the advertising is for me since some are for a Michigan government site. So they must know I live in Michigan. There is a game called Jackpot. It is a free download but they will try to sell you a lucky charm. The most expensive one is $229. I can not imagine someone paying that much money on a free game. I just realized there is not a sticker on my laptop with the key for the OS. If my hard drives fails on me how will I be able to restore the OS on a new one. I guess I could buy a 32 gigabyte flash memory stick and backup the OS and than store it somewhere so that I can find it if I keep the laptop long enough for the hard drive to fail. I would think that they could design the bios so that it could reach Microsoft so that in case of a hard drive failure Microsoft would reload its OS with all of their updates. Quality software must be a crazy idea that Microsoft will not be able to ever accomplish.

Re:Good for convenience, bad for large IT shops

Or your company discovers the REAL cost of not updating their applications. That application in Department A, which is probably quite buggy and works only because of unwarranted assumptions it makes, suddenly looks extremely expensive now, doesn't it? That's because it is - the cost of maintaining a separate configuration just for Department A is simply much more painful.

You know in your heart the real issue is the application Dept A uses is buggy, you know the ideal fix is to fix those bugs, but you've never been able to convince the purse-string holders to spend the money to fix it once and for all.

  I do understand where you're coming from - I guess I'm just far more optimistic that MS will stay responsive with the patches so when there is a regression found, they'll be faster at releasing updated cumulative patches that both fix the regression AND the original issue AND add a new test case to their automated testing so you'll never see the issue again. Yes, this is optimism (and I understand your scepticism of this view), but lets hope it just results in less work for all of us.

(After all, if some of those apps are in support, no longer can vendors just say "we don't support patch xxx" , or "you can't install patch xxx until we say it's okay" because the operating system vendor says "install the patch or no support, full stop". This, hopefully, will get some vendors to lift their game and support patches in a timely fashion -- or fix their apps to obey the rules anyway. Yeah, I realise, this only helps for apps where the vendor isn't arrogant and still is under development - again, I hope for the best!)

Moron it's only for Windows update

See subject: Cut the crap already you fucking immature little unidentifiable little punk coward imbecile - morons like you can't make me "look bad" with your bullshit, fucker.

APK

P.S.=> You really REALLY need to get your fucking head beat in motherfucker... apk

Re:Moron it's only for Windows update

[Zontar+The+Mindless]

Hi Alex,

Despite our history, I'm here to help you out. No, really. So pay close attention:

Nobody needs to do anything to make you look bad. That's a trainwreck you're obviously quite capable of having on your own.

People bait you because it's well-known that you constantly scan Slashdot and other sites looking for people saying things about you. And they do it because they know that you will without fail rise to the bait. Q.E.D.

The only way for you to "win" this is not to play, but you are evidently too dense to figure this out, so you just keep coming back for more. And more. And more...

Workaround

[squiggleslash]

Apart from the obvious-but-snarky ("Install Linux! hoho I'm so clever!"), you can indefinitely postpone all Windows updates on all versions of Windows 10 by stopping (and disabling if you find a way) the Windows Update service.

Of course, you lose the security updates if you do that too. Whether that's massively important to you depends on how often you run executables downloaded from the Internet, and what TCP/IP services you run on your computer.

Obviously "No security updates" is a bad thing, but if Windows insists on installing an update that actually breaks your PC in some way, no security updates might be the better of two evils, especially if you don't use IE or Edge, run any externally accessible services, and don't run every executable you download from the Internet.

Re:Workaround

[gweihir]

That we even have to consider such "solutions" shows how fundamentally broken both Windows and the relevant consumer-protection laws are.

Re:Workaround

[lgw]

Of course, you lose the security updates if you do that too. Whether that's massively important to you depends on how often you run executables downloaded from the Internet, and what TCP/IP services you run on your computer.

Your security beliefs are about 10 years out of date, unless you consider JS to be an "executable downloaded from the Internet". Almost all malware targeted at home computers is "no click required": mostly malicious JS, but occasionally PDF, or even jpg (remember what that was a joke?), served via ad networks.

So "whether that's massively important to you" depends on whether the machine is used to visit any web sites that serve ads, unless you completely disable JS.

no security updates might be the better of two evils, especially if you don't use IE or Edge

Is MS combining OS and browser updates (and Office?) here? Or is it only the OS updates in the cumulative patch? (Pretty sure the browser and Office patches are regularly rolled into cumulative updates already, but independent ones).

ONLY on Windows update... apk

See subject: MS bypasses hosts only 4 Windows update (nothing else afaik, got proof of hosts not working in any other area? Prove it!).

* You MORONS spread blatant misinformation/disinformation & you don't care as you have nothing to lose being "ne'er-do-well" menials in this life (since you post under FAKE NAMES ONLINE like the snivelling worms with NO BALLS that you are!)

APK

P.S.=> There's a GOOD reason for that bypass of hosts for Windows update ONLY too - it's in case your hosts file is corrupted by malware (which APK Hosts File Engine 9.0++ SR-4 32/64-bit https://www.google.com/search?... prevents above & beyond WFP/SFP + ACL protections Windows already affords it)... apk

Re:ONLY on Windows update... apk

(since you post under FAKE NAMES ONLINE like the snivelling worms with NO BALLS that you are!)

As opposed to the guy who signs his AC posts.

Re:ONLY on Windows update... apk

You do realize your efforts are bypassed regardless (Only the most trivial of malware addresses are found in any 10 HOSTS file lists combined, and you're playing whack-a-mole with ever changing domains and ip addresses - yes, imagine that, malware using CDNs and instanced servers). Furthermore, if dnsapi.dll can be altered in any fashion by malware or else-wise, then your HOSTS file is useless. Microsoft's hard-routing of their IP addresses was found to even bypass 3rd-party DNS server software installed on the client machine (you know, the ones that also ignore HOSTS files unless you specifically tell them otherwise) as far back as Windows Vista, and I am sure malware creators are no slackers in that department, either (this also implies Microsoft has alternative methods to trigger open a connection to their mothership without your explicit permission that is only accessible by the OS itself).

the most common response was "I run Linux."

[flacco]

This is the correct answer.

Re:the most common response was "I run Linux."

[gweihir]

Unfortunately, I am also a gamer, so that does not (yet) work well. But I am strongly thinking about a gaming-only PC and a separate one for working on things, surfing, email, etc. with Linux.

Re:How about 'Bork my system'day.

[um...+Lucas]

I was going to ask if, by bunding updates together like this, is it going to make the lives of security researchers more difficult, as they can't simply diff the changed files of a particular security update? Seems I'm not the only one wondering this...

That's nothing. I can't even download ANY updates

I tried to log onto Windows Update, and NOTHING. It wasn't able to search out any updates at all.

MS old and bloated

It took me about 3+ hours to update patches and sp1 on a new windows 7 installation, yesterday. Than, I got stuck with "Checking for Updates" and tried fixing it with some patches that MS recommended. It did not work, yesterday, but it works today. I have been downloading 247(1.2GB) patches for the past 2 hours and I'm at 63% right now. I'm on 75/75 fios.

Slipstream patches into Windows 7? NA, It makes the OS run sluggish for some reason. I really hope MS new patching system brought online this October will improve the updating process. But, who am I kidding, installing their software applications such as Visual Studio 2015 community with update 3 takes about an hour. MS products are a bloated mess.

Re:MS old and bloated

[gweihir]

You are lucky. I updated my Win7 laptop a few days ago (had not found updates for a while and suddenly found them when on the net for a day). Took something like 20h to find all updates and another 10h or so to install them. Talk about fundamentally broken technology.

Re:ironically

[Zontar+The+Mindless]

Which distro is it that you use that has these issues? I'd honestly like to know, because I've been using Linux for 10+ years and I didn't know of any prior to being alerted by your post. This is important info which you shouldn't hold back!

Re:How about 'Bork my system'day.

I will be free from MS forever this coming Friday. Just in time I think.

If you want real freedom from almost all tracking try TAILS. For regular day-to-day use any end-user-oriented GNU/Linux distribution is sufficient. I have been using GNU/Linux as my primary operating system since January 2000 although I have used it beginning in September 1992. For the record, and honesty, I currently have Microsoft Windows 10 at home for general web browsing because at the moment the Vensmile i10 mini-computer is not fully operational with GNU/Linux. My Hewlett Packard Spectre 13 Ultrabook has been set-up in dual configuration mode (Microsoft Windows 10 Home Edition and Xubuntu Linux 16.04 LTS at least until I know whether I will need Microsoft Windows-only software for some assignments when I start a business intelligence analytics programme at college.

I take it we are going to get new spyware?

[gweihir]

I really see no other purpose to this than bundling spyware with security-updates. Seems running Windows securely and reliably is going to get even more difficult than, for example, Linux. (Although systemd is trying to change that...)

Re:ironically

[gweihir]

Maybe you are not able to _recognize_ Linux? Because that is not what other people experience...

Time to show everyone what a loser you are

"I created a throwaway account purely to mock you, APK" - by Zontar The Mindless ( 9002 ) on Friday April 18, 2014 @05:24AM (#46786131)

See subject & you admit creating "TrollingForHostsFiles" sockpuppet account to harass me with https://slashdot.org/comments.pl?sid=5053029&cid=46795419/ you pitiful psycho fuck!

(... + You've literally sent me a postcard too you little loony?)

* Get real & grow up + GET A LIFE loser...

APK

P.S.=> You're a fake name online do nothing punk loser I've trashed each time you try 'attack me' (especially on technical issues where you've evidenced yourself as INCREDIBLY WEAK & STUPID many times vs. myself, lol), nothing more (& you KNOW it)... apk

Maybe MSneeds better QA?

"Sifting through all of their patches and deciding when it was safe to "release" them was getting to be way more time-consuming for I.T. than it should have been."

Sounds more like a job for MS QA, not the people buying/using their product

Unlike YOU, Mr. NO BALLS?

I id myself & I'm not stupid to be in cookie + tracking script CHAINS fake name registered 'luser' accounts put on you.

* Plus, I actually do things like programs (& security guides) that folks like, UNLIKE LOSER "ne'er-do-wells" like you are... lol!

APK

P.S.=> Languish in your MENIAL crippleness loser - it's all "your kind" will EVER manage due to low intelligence & being lazy do nothing bitches... apk

Re:Unlike YOU, Mr. NO BALLS?

Your medication has worn off. Better get a re-fill.

Tired of manually inspecting every MS patch

Used to be MS security patches were for security, and you could just say "sure, install them all". Now ever since they added things like their anti-piracy nag screens, telemetry, Windows 10 nag screens, Windows 10 itself, you can't just auto-install all the "security" patches anymore. You have to go through every patch, one by one, inspecting what it does, and then checking through additional comments for any non-security items that also may have been tacked onto the patch. Keeping even just one Windows PC patched is now a pain in the ass.

Yay for having to manually manage and babysit the OS.

Finally!

[Moochman]

Finally! This is the way Apple has done it forever and it is sooo much nicer from a user experience perspective. Some may whine about having to accept everything MS wants to push at them, but it's time for them to deal with it and move on. The Windows update process has been essentially broken for the past two decades (>5 hour patch installs on a freshly Windows is *not* acceptable), and it's finally getting fixed. A momentous day.

Re:Finally!

Dude, my thoughts exactly. This is going to make things easier, quicker and simpler. The basic model around how Windows Update actually works has been broken for a long time.
I went to apply Windows Updates onto a Win 7 image that I created a bit over 12 months ago. They can't actually do Windows Update now as the patch catalogue is so big that Windows Update can't handle it, so the end result is that they can not fetch their own patches any more. Even when it did work, it was 2-4 reboots and hours of time to get them all. Nothing was more frustrating than Windows Update telling you there were only 3 updates to install - which it did, and then rebooted, and then told you there were now 24 updates to install. WTF?

Re:Finally!

[Ash-Fox]

Finally! This is the way Apple has done it forever and it is sooo much nicer from a user experience perspective.

From a user perspective, it's awful when you just want something that works and nobody can help you.

I still haven't figured out why Sierra users get "Authentication failed" when I see "opendirectoryd: ODNodeCreateWithNameAndOptions completed" in the logs and get errors like "opendirectoryd: ODNodeCustomCall failed with error 'Invalid credentials' (5000)" with no actual logging of the event happening on a fresh, new AD server (made just for testing this scenario). I even had Wireshark inspecting all the traffic from the Mac to try to determine what the issue is, no wrong DNS lookups, or connections to the wrong server etc.

>5 hour patch installs on a freshly Windows is *not* acceptable

Weird, updates are supposed to be automatically installed when installing Windows; which are significantly faster than doing it after Windows is installed.

Bigger issue

What happens when they release "telemetry" updates in the with critical security ones?
We'll have to remove the critical one too. This serves no real purpose other than to obfuscate the updates that we don't want and consider to be bad actors.
The finer grained control reduces bandwidth usage for MS servers so that's not the reason.
They can trivially replace a set of updates with a cumulative one so it's not about that either.
Hmm...Almost like they got upset that users are removing these telemetry updates and needed a way to force it onto machines.

Phantasyland 'if' bs... apk

"if dnsapi.dll can be altered" by "NoBalls"

See subject: I block 'em (eg shopperz) via hosts/firewalls before they enter.

sfc /scanfile=C:\Windows\system32\dnsapi.dll fixes it + check HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters DataBasePath being %WinDir%\system32\drivers\etc vs.redirect

dnsapi.dll doesn't control hosts resolution - tcpip.sys (ip stack driver in kernelmode hosts is part of) does as resolver

I have it setup MINUS slower faulty w/ large hosts dnscache usermode service turned off saves RAM/CPU/I-O wasted on it via kernelmode diskcache use instead (pure kernelmode speed to IP stack in kernelmode too - no context switch speed hit).

I use Win7 - rest after = bs nobody wants.

"Only the most trivial of malware addresses are found in any 10 HOSTS files" - by "NoBalls"

Hostnames = used in 99% of malware (I see this data daily for decades) vs IP

APK

P.S.=> Hosts bypass by MS = ONLY 4 Win Update & you can't prove me wrong! apk

sheesh MS sucks

Started updating my Windows 7 sp1 at about 10:00 am this morning and it's not finished it's at 178 out of 247 patches, 6 hours. Why couldn't MS just create a small database for Windows 7/8/8.1 to keep track of what is and what is not installed(hardware, libraries, dll's, ect...) to make the update process way way way faster. I have installed more than 247 patches on linux at one time and it was over within 10 minutes. Running phenom ii x6@2700mhz(3200 Turbo), 8gb ram, 512gb HD, amd radeon HD 6570 1gb ram.

Does anybody know how long it takes for a Windows 10 build to install?

Taco Tuesdays

You don't kniow what you're gonna get.

This is going to become a huge security issue.

If MS forces everyone running windows to run Windows 10 and at a particular patch level, it makes it very easy for a malware with a zero day to hit everyone at the same time.

Previously there were different Windows OSes, at different patch levels, so affected by different exploits and bugs.

Now, you just have to target one exploit for the latest patch level and boom, everyone is vulnerable.

FACT: dnsapi.dll & dnscache

Dnsapi.dll = faulty w/ large hosts slow usermode dnscache I turn off "dnscache caches Domain Name System (DNS) names... If the service is stopped DNS names will continue to be resolved" FROM http://www.nirsoft.net/dll_information/windows8/dnsapi_dll.html/

Hosts = cached in RAM by local kernelmode diskcache subsystem (hosts is a data file w/ NO context-switch speed hit between it & the IP stack (tcpip.sys)) & NO SIZE LIMITS (known issue in dnsapi.dll/dnscache slower usermode service) in LOCAL SYSTEM RAM minus wasting resources on FAULTY slower dnscache/dnsapi.dll!

APK

P.S.=> W/ my 50 FAVORITE SITES WHERE I SPEND MOST TIME ONLINE placed @ the TOP of hosts for FASTEST POSSIBLE LOCAL RESOLUTION (faster vs. remote dns calls & many times less weight + power consumption & moving parts complexity of a local dns server)... apk

This is ANOTHER disaster waiting to happen

I can still feel the oops when SP1 for XP came out and "oops, we didn't think about machines more than one year old" which ranks right up near the top lamest excuses for creating a problem for admins as well as users. I am sure that there are some people reading this that are saying that the mess with SP1 will never happen again; however, it wasn't that long ago that Microsoft wanted or rather, demanded, that everyone upgrade to Windows 10. In the new model, there would not be a choice, you would have to upgrade one way or another. Want to keep Windows 7 and keep getting security updates until the end of support? Well, now you can't because you don't get to choose. I imagine they are doing it to defeat piracy by some means other than the online validation but perhaps they should name the new system Zune because one bad update and the whole thing will come down like a house of cards. What's worse, a large number of people will choose not to update resulting in an already unsecure os becoming downright dangerous: pick your poison, bad update or decreased security, this is a bad idea.

Your bullshit's BLOWN AWAY here... apk

See subject & this stupid (you blew it on dnscache/dnsapi.dll, failing badly) https://tech.slashdot.org/comments.pl?sid=9696817&cid=52962837/

* When WILL you /. menial chumps EVER learn you'll never get the best of me?

APK

P.S.=> LOL - you ALWAYS get the better of yourselves & that link above from this very debate proves it... apk

Thanks for that comment!

[Futurepower(R)]

I appreciate you making more clear why people don't switch away from Microsoft Windows.

Absolutely no way!!!

[martinfb]

For those stuck with Windows, it is obnoxiously arrogant to now force ALL updates on a user. What if there is a specific patch I really do NOT want? What if there is a patch in that same update I need? I am screwed!

I think MS's move closer to "Big Brother" is totally uncalled-for, unethical, and a breach of trust. They need to be SEVERELY regulated; and I intend to push and lobby for the freedoms users deserve!

Dear Microsoft: Get your unwanted crap out of my machine and my life. I, and I alone reserve the right to manage my PC and anything in it. It deeply offends me that you would take it upon yourself to go forcing things on PCs as a general rule; be it patches or Windows 10 upgrades. You need to be severely disciplined.