Tuesday Was Microsoft's Last Non-Cumulative Patch

There was something unique about this week's Patch Tuesday. An anonymous Slashdot reader quotes HelpNetSecurity: It was the last traditional Windows Patch Tuesday as Microsoft is moving to a new patching release model. In the future, patches will be bundled together and users will no longer be able to pick and choose which updates to install. Furthermore, these new 'monthly update packs' will be combined, so for instance, the November update will include all the patches from October as well.
Last month a Slashdot reader asked for suggestions on how to handle the new 'cumulative' updates -- although the most common response was "I run Linux."

Not sure you have a lot of options?

[King_TJ]

I think if the patches are bundled together now - you basically have to treat them as one larger patch. In other words, nothing changes except any time you find you did one and it breaks something, you roll the whole collection back until it can be rectified.

IMO, Microsoft's Windows Updates have been a huge, overly confusing mess for a long time anyway. I used to use WSUS to centrally administer them and for our small to mid-sized company, it became more trouble than it was worth. I like the advantage that you only have to download the patches once to the central WSUS server and then all the clients grab copies from there to save your Internet bandwidth. But in practice, our workforce is mobile enough that it's almost better we just let their laptops grab updates over the net from wherever they're at so they get patched more quickly.

Sifting through all of their patches and deciding when it was safe to "release" them was getting to be way more time-consuming for I.T. than it should have been. So often, you have slews of patches that wind up marked "superseded" by other patches, and there are weird dependencies too. Can't do certain patches unless you've done others first. (Why not automate all of that so any patch dependent on another one just auto-applies the required one as part of its installation?)

If you do a fresh install of Windows 7 these days? The update process is PAINFUL! You'll literally need to leave the PC downloading updates for a good 8-10 hours or more before it finally starts doing anything obvious. (It seems that it needs so many individual patches to get current, it overwhelms their updater service trying to sort through all of it and prepare to download them in the proper order?)

good to fix the 2-3 reboot passes to get systems u

[Joe_Dragon]

good to fix the 2-3 reboot passes to get systems up today + all of the optional stuff that does not auto install.

Also all of the hot fixes as well.

Re:

[dbIII]

If you do a fresh install of Windows 7 these days? The update process is PAINFUL! You'll literally need to leave the PC downloading updates for a good 8-10 hours or more before it finally starts doing anything obvious

On the most recent one I did updating was completely broken. For days. Even printer drivers were unavailable. It turned that that turning updates off - rebooting - then turning them on again allowed that 8-10 hours or more.
The way it behaves changes frequently.

Re:

[Zocalo]

Then you're doing it wrong. You need to either, 1) slipsteam your install media with all the patches and do your build(s) that way, or 2) disconnect the network, install from SP1 media, reboot, then install the "Convenience Update" (KB3125574) (AKA SP2, released in April), reboot again, then connect it up and let it get the remaining post-April updates. Both approaches are far from perfect, and still have the odd glitch, but they are a lot more efficient than letting an new SP1 install try to patch itself

Re:

[dbIII]

and still have the odd glitch

Indeed, which is why I had to do it the way I said in the end after an offline WSUS tool and other attempts did not work.
The way it behaves changes frequently, which is very annoying and means that what is good advice a month ago is often not relevant today.

Microsoft Update Catalog is my new hero

[Anonymous Brave Guy]

For general information, if you're installing a fresh Windows 7 now (starting from SP1, presumably) then it seems by far the fastest way to get a system reasonably well patched is to install the Convenience Rollup (KB3125574) and if necessary its prerequisite (KB3020369) from the Microsoft Update Catalog. That immediately brings you up to somewhere around April 2016 in terms of patch level, and you can download the required files quickly from the Catalog site and then install them locally using WUSA without waiting around for hours while Windows Update does whatever its current broken mess needs to do now. The most recent time I did this was just a few days ago, and after doing that it was then another couple of hours for Windows Update to find the rest and install the remaining security updates, but at least it could be done in an afternoon instead of leaving the new PC overnight and hoping it might have found something by the morning. Spybot Anti-Beacon or some similar tool can still turn off the various telemetry junk that you can't now individually because it's all bundled into the CR update.

Incidentally, for those who would prefer to keep security patching their existing Windows 7 systems but not get anything else, there are reportedly (direct from a Microsoft source) going to be monthly security-only bundles as well, but you'll have to get those from Microsoft Update Catalog manually as well, they won't be advertised or pushed out through Windows Update. So it looks like the new SOP is to turn off Windows Update entirely (as a bonus, you get back that CPU core that's been sitting at 100% running the svchost.exe process containing the Windows Update service for the last few months) and instead just go along and manually download the security bundle each month to install locally.

Of course, Microsoft Update Catalog requires Internet Explorer 6.0 or later and won't run with any of the other modern browsers, but I'll live with using IE to access it if it means I get security-patched but otherwise minimally screwed up Windows 7 machines for another 3 years.

Also, it's been confirmed that this policy will apply to all editions of Windows 7. It's not an Enterprise-only feature and doesn't require the use of WSUS etc. Let's hope they stick to their word on this one.

Comment removed

[account_deleted]

Comment removed based on user account deletion

Re:

[l0n3s0m3phr34k]

Totally second WSUS offline, it's a life saver for those systems that just refuse to update.

Re:

[lgw]

So how do we know WSUS Offline isn't primarily a malware vector? This seems like the very best way to build a botnet: hijack Windows Update. Or, even if they're honest, what a target!

MS has clearly lost its way when 3rd-party Windows distros start looking like the best security practice.

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[Hognoxious]

Have a few Win7 installs that I use rarely, so I tried to download it on Linux.

https://support.microsoft.com/... [microsoft.com]

sends you to

http://catalog.update.microsof... [microsoft.com]

which says

This website does not offer updates for the operating system on this computer. [no shit, Sherlock]
This website only provides updates for computers running Windows 2000 Sp3, Windows XP or Windows Server 2003 and later. If you prefer to use a different Windows operating system, you can obtain updates from the Microsoft Download Center."

So I

Re:

[Zontar The Mindless]

I mean, it would be absolute madness to download a patch on one machine to use on another (or several others).

Well, this IS Microsoft, after all. Not only designing for the lowest common denominator, but effectively mandating that anyone who actually has a clue constrain himself to that level, regardless. They've only been doing this for about 20 years now.

I put up with it for 10 of them.

Re:

[Hognoxious]

Thinking about this, I had similar problems when XP SP2 or 3 came out. My home connection was slow and flaky so I tried to download it at work, except my work machine was on W2K...

IIRC I eventually found some masonic sysadmin page with direct ftp:// [ftp] links. Anybody remember those?

Re:

[King_TJ]

Yes, it's good advice to try to install the "Convenience Rollup" on a fresh Win 7 SP1 install before trying to update the rest of the OS.
But from my experience with that? You absolutely *do* have to install the prerequisite KB30203369 first, or else it won't do a thing. And when you download and run that prerequisite, it still has to go through some type of "searching for updates" process which seems to involve communicating with the Windows Update servers Microsoft hosts. I had a lot of problems with THAT

Re:

[lgw]

Yes - IME you're totally screwed if your network stack is hosed, or you accidentally have the same IP address or hostname as another machine. What a mess.

Re:

[PsychoSlashDot]

I think if the patches are bundled together now - you basically have to treat them as one larger patch. In other words, nothing changes except any time you find you did one and it breaks something, you roll the whole collection back until it can be rectified.

To a certain degree, it's already that way.

This month, I have a customer with a Hyper-V cluster which one of the six patches screwed up iSCSI while backing up. And a customer with a Terminal Server which one of the six patches screwed up Terminal Services. And a customer with Exchange that one of the six patches broke Backup Exec being able to see inside the database to restore individual files.

Only in the case of the TS problem has it been tracked down to a single patch - by Microsoft. The other two

Re:

[l0n3s0m3phr34k]

VSS is your friend; or should be your customer's friend. We have it on a nightly scheduled on all our servers on top of Back Up Exec. They could roll-back to the previous night on a System State restore, disable auto-updates, at least until you had the time to do troubleshooting on the patches.

Re:

[lgw]

Somewhat unrelated, but how do you buy BackupExec these days? It seems to have moved to a new owner (again - I think this is the 9th), and they don't seem to be selling it directly, or even have pricing info.

Re:

[l0n3s0m3phr34k]

Veritas bought it, and they only sell through their re-sellers. It looks to cost around $800-$900. [google.com]

Re:

[ddtmm]

If you do a fresh install of Windows 7 these days? The update process is PAINFUL! You'll literally need to leave the PC downloading updates for a good 8-10 hours or more before it finally starts doing anything obvious.

I think that was the intent.

Re:

[toonces33]

I did recently install a Win7 machine from scratch. After the install I installed the August rollup, and then ran windows update. That thing must have run for a full day before it concluded that there were only 24 updates that were required (half of which were .NYET).

Microsoft announced that they are going to do similar rollups for .NYET.

Re:

[ncc74656]

If you do a fresh install of Windows 7 these days? The update process is PAINFUL! You'll literally need to leave the PC downloading updates for a good 8-10 hours or more before it finally starts doing anything obvious.

That's why you slipstream updates into your installation image. Slipstreaming the various post-SP1 patch rollups as they're released will slash your installation time significantly, and there are only a relative handful of them at this point.

The only thing slipstreaming doesn't cover is upd

Re:

[Wolfrider]

--You can speed up Win7 updates A LOT just by using WSUS Offline Update. Download once, burn to DVD and update the client PC with that.

--Win7 "official" update process is horribly broken and CPU intensive, to the point where the CPU fan on a laptop I inherited had basically failed due to 100% continuous use.

http://www.wsusoffline.net/doc... [wsusoffline.net]

--Note that you may have to run the WSUS updater on the client multiple times and reboot/repeat, but this is still *much* better than doing it the traditional way. Afte

Re:

[MightyMartian]

Microsoft's resolve to alter its patch delivery schedule usually gets undermined the first time some major bug or security flaw is discovered, and it's forced to release an off-schedule fix.

Re:

[tsa]

Let's wait until next week then.

Re:Not sure you have a lot of options?

[MightyMartian]

The way Windows 10 manages updates in general is frustrating. We have some dedicated Windows 10 Lenovo micro-PCs whose only significant job is show videos on some large flatscreen TVs, and we're constantly having to cancel out the update nag screens. GPOs that would seem to work don't always apply, so it just gets to be an annoying problem. I think the next set of such micro PCs we buy will probably have some small footprint version of Debian.

Re:

[jargonburn]

Not a big fan of how they try to force-feed you the updates. Have you tried setting the "Windows Update" service to disabled? IIRC, that will chop the update process off at the knees. If their only real job is outputting video, patching is something you could relegate to a manual task; might be less frustrating!

Re:

[vtcodger]

If one has PCs in their care that have minimal/no exposure to the internet, is updating them at all advisable? It's clear that Microsoft can't QA their products adequately. And they are hardly alone in that. IMO, that probably makes updates a greater risk than malware.

Frankly the "cloud" is increasingly like an uncharted polar sea full of icebergs and rocks. Turning your navigation over to pilots who are questionably competent and quite possibly on drugs as well may not be a good idea. May be best to s

Re:

[Slashdot Junky]

Yes, a computer should be getting updates if it ever connects to a network independent of whether or not it had internet connectivity. In this case, it is the other hosts on the network that create the risk.

Re:

[Gr8Apes]

Yes, a computer should be getting updates if it ever connects to a network independent of whether or not it had internet connectivity. In this case, it is the other hosts on the network that create the risk.

Completely false. The only updates you need are specifically for the network stack and any applications that access the network. The rest are generally useless to you and may create problems. For instance, a bare XP from 2001 machine connected to a network behind a solid firewall and only running a text only mail client is relatively safe, as far as that system can ever be considered safe. It would not be any safer than a fully patched system running the same software under the same conditions.

Re: Not sure you have a lot of options?

[Malc]

Great idea: leave a bunch of local root exploits available that can be leveraged once compromised by a zero day remote exploit.

Re:

[Man On Pink Corner]

What usually happens is something like the following: you have several Windows PCs on a LAN. One user on the LAN decides it's a good idea to open the quarterly_results.xlsx.exe attachment that came from the company's Nigerian branch. Or maybe they're curious to see what's on the thumb drive that somebody 'accidentally' left in the restroom. Every organization from the grocery store on the corner to the NSA has someone working for them who will think that's a good idea.

Now you have an exploited system ins

Re:

[Malc]

How about: a "correctly" configured system gets exploited remotely via a brute force dictionary attack that uncovers a weak password? Now you have a false sense of security and don't expect the unpatched local root issue to be exploited.

Re:

[Ol Olsoc]

Yes, a computer should be getting updates if it ever connects to a network independent of whether or not it had internet connectivity. In this case, it is the other hosts on the network that create the risk.

Sorry, I have a Windows 10 off th einternet system. Now that it works, there's no way I'm going to screw it up with Microsoft W10 updates. On the computer I used to familiarize myself with W10, it's been bitched up three times now. P A vius is a lot less damaging than missing a deadline because teh computer stops working. At this point, Microsoft is included in the malware suppliers.

Re:

[blind biker]

The way Windows 10 manages updates in general is frustrating. We have some dedicated Windows 10 Lenovo micro-PCs whose only significant job is show videos on some large flatscreen TVs, and we're constantly having to cancel out the update nag screens. GPOs that would seem to work don't always apply, so it just gets to be an annoying problem. I think the next set of such micro PCs we buy will probably have some small footprint version of Debian.

Every time someone voluntarily went to a Windows 10 PC (even though there are alternatives), they have a horror story about it - but they characterize it as "annoyance". Example: "from time to time I lose my edits because the PC reboots without my consent. So annoying."

For me, all those scenarios are 100% unacceptable, and is why I keep installing Windows 7 (and then disable updates), and I keep around a few Windows 7 thinkpads.

Re:

[WinstonWolfIT]

Every time someone voluntarily went to a Windows 10 PC (even though there are alternatives), they have a horror story about it

Hyperbole = bollocks. My partner and I are on W10, it's heaps better than W7 or W8*, and we have no horror stories. Almost everything I use auto-saves, apps reload on reboot, and I have enough discipline to save Notepad files or Sql Manager queries if I want to keep them.

Re:

[Gr8Apes]

Every time someone voluntarily went to a Windows 10 PC (even though there are alternatives), they have a horror story about it

Hyperbole = bollocks. My partner and I are on W10, it's heaps better than W7 or W8*, and we have no horror stories. Almost everything I use auto-saves, apps reload on reboot, and I have enough discipline to save Notepad files or Sql Manager queries if I want to keep them.

So you admit you take steps to guard yourself against purposeful OS actions and yet you claim that is merely an annoyance or less?

Re:

[blind biker]

Every time someone voluntarily went to a Windows 10 PC (even though there are alternatives), they have a horror story about it

Hyperbole = bollocks. My partner and I are on W10, it's heaps better than W7 or W8*, and we have no horror stories. Almost everything I use auto-saves, apps reload on reboot, and I have enough discipline to save Notepad files or Sql Manager queries if I want to keep them.

First of all, you're still making my case, as you imply that Win 10 reboots outside of your control. Beside that, a lot of people cannot save their work fast enough to be safe in such rebootey conditions - my SolidWorks assemblies easily take half a minute to save, sometimes much more (rarely, but it happens).

Re:

[WinstonWolfIT]

In no way is that a horror story. Updates running overnight is more convenient than saving a file is inconvenient.

Re:

[WinstonWolfIT]

Um, partner is an official designation in Australia.

Re:

[DarkOx]

Right to for the right job. A dedicated video player should be just that. It should not be a PC. You would be way way better off with some purpose built raspi image on that hardware. I would not even recommend using full linux distro for such a chore.

Your best bet would have been to spec out a smart TV that could play the videos without having to hang anything off the back. Sure those things have their own security issues but if put a few switch port ACLs on there to make sure it only talks to the file

Re:

[MightyMartian]

Smart TVs still don't have the range of video playing capabilities that VLC does, and are certainly not as network friendly, and generally, if they have any support for network file shares, that support is rudimentary at best. Having a fully functioning PC as the video player creates a lot more options.

Re:

[Slashdot Junky]

Those videos may be updates occasionally with this done remotely. They may be served via a more sophisticated system where content is assigned as a channel with schedules all managed centrally. We have a system with 50+ player computers distributed across NA sites serving many more displays that shows locallized and national content. We refer to it as eTV, and the content is managed by communications folks both locally and corp folks and supported by IT. So, while what the computers do all day is single

Re:

[MightyMartian]

These are domain members, but off the top of my head, the GPO settings around automatic download and installation of updates at specific times never seems to apply consistently.

Re:

[epyT-R]

Sounds like a corporate setup so they probably integrate into AD. Also, systems like that practically need good video driver support to play back high res video without pegging the cpu and dropping frames. Linux is spotty with that at best (though it has been getting better).

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[epyT-R]

Thank you, exactly.

In other words..

[Anonymous Coward]

"You want security patches? Welp, you're gonna have to accept Telemetry too."

Re:In other words..

[Z00L00K]

And this is what's most worrying, we don't really know what's in "Telemetry", and I have a feeling that it's going to be a problem.

And we can't figure out which part of a future monolithic patch that actually causes the system to behave bad, some patches aren't even possible to uninstall without a lot of hard work.

Re:

[vtcodger]

Personally, I thought Windows peaked along about Win95 OSR2 -- which was actually quite a good OS for 1997. Fast, compact, ran OK with next to no memory and was very reliable. Pretty much all downhill from there I think.

But what does one do for applications? And I should think the lack of USB support that works might be an issue.

Re: In other words..

[whopis]

Win 95 OSR2 has USB support.
It was only the retail versions that lacked it.

Re:

[demonlapin]

OSR2 had shit USB support that wasn't worth the trying. If your hardware was weak, run 95A (which was not much more demanding than 3.11). If you could handle it, run 98SE (a much more competent OS). Or, y'know, Linux, but good luck configuring it back then.

Re:

[vtcodger]

W95 OSR2 USB support pretty much didn't work at all, ever. It took about five years for USB support in any OS to reach the level of being a crapshoot -- some stuff working flawlessly and other stuff not working at all. After 2002 or so, USB usually worked in Windows. Persuading Unixes to work with USB was a challenge.for another few years after 2002. Not that it couldn't be made to work ... eventually ... if one was patient enough.

Re:

[Zontar The Mindless]

Windows 2K was the bomb. When I saw what XP was like, though, I knew the writing was on the wall and switched to Linux when 2K fell out of support.

One of the very few decisions I've made in my life that I have never yet regretted, not even once.

(*looks over shoulder, smiles and nods* Yes, honey, you're one of those, too. Honest!)

Re:

[lgw]

2K had it right, no question. I never went down the Win95 road - I just used NT 4.0 as that was a very modern server OS for home use back in the day (when Linux was Slackware on 32 floppies). But Win2K gave NT a real UI, and a wide selection of games worked.

response

[markdavis]

>"Last month a Slashdot reader asked for suggestions on how to handle the new 'cumulative' updates -- although the most common response was "I run Linux.""

Yep, still run Linux...
I install whatever I want, whenever I want, however I want, on what I want. My machine belongs to me.

Re:

[mysticgoat]

Yes, running Linux is still the best option, for most Windows users.

Obviously if you are required to use software that only runs on Windows --perhaps you are a photographer who has to submit his finals in Photoshop format-- then you are stuck in the Microsoft microbiome. Too bad.

But most Windows users are not being coerced into that submissive role; they could switch to something like an Ubuntu LTS and be happy --and more productive at lower long term cost-- than if they continue to pay to be a commodity

Re:

[ArchieBunker]

More like Linux lacked a driver for the oddly configured SSD.

Re:

[markdavis]

>Their motto is "Whatever, I do what I want".

LOL- I like it

Will there still be zero day fixes?

[Joe_Dragon]

Will there still be zero day fixes?

As in small updates for just that one fix mid mouth? and then for full one at the end of mouth?

Can we get something like windows 10.01 10.02

[Joe_Dragon]

Can we get something like windows 10.01 10.02?

Or Windows 7 sp2 or SP1.5

Windows 8.2 or 8.1.5?

Re:Can we get something like windows 10.01 10.02

[sexconker]

MS won't release SPs anymore because all of their shit in place says SPs add to the support length of the OS.
That's why Windows 8.1 happened instead of Windows 8 SP 1.
That's why 7 had only 1 SP despite desperately needing another. It's so bad Windows Update doesn't work on a fresh Windows 7 install until it crashes twice over 36 hours. The third time usually works after another 8-12 hours.

Re:

[Anonymous Coward]

actually, it's because "service packs" require testing and they don't employ patch testers anymore.

Re:

[sexconker]

Regular patches require testing too. The fact that they don't test anymore isn't part of it.

Re:

[Anonymous Brave Guy]

What is effectively Windows 7 SP2 is called the Convenience Rollup instead, probably because it avoids complications about extending support dates if a new Service Pack is released, and it's found as KB3125574. See my first post to this discussion [slashdot.org] for more about how to use it, including installing it without waiting an eternity for Windows Update to get its act together.

Re:

[Daltorak]

Can we get something like windows 10.01 10.02?

Or Windows 7 sp2 or SP1.5

Windows 8.2 or 8.1.5?

Sure. It's already there. Just gotta understand how Microsoft versions Windows now.

• - Think of "Windows 10" as a brand name, like "Mac OS X", instead of "the tenth version of Windows".
• - Run this from Powershell: get-item 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\' and you will see values like CurrentVersion (6.3), ReleaseId (1507, 1511 or 1607), CurrentBuild (10240, 10586 or 14393), and UBR (17113, 589 or 189 if you're fully patched)
• - You can also see those numbers by typing "winver".
• - Release

Cumulative and combined

[Calydor]

So what exactly are they going to do? Are we going to download the entirety of updates that have ever been released for Windows every month? That seems like a crazy waste of bandwidth, especially for people with slow or capped connections.

Re:

[hcs_$reboot]

Well, hopefully that will end the "system being at updates n-10, have to patch n-9, then n-8, then n-7 ....."

Re:

[l0n3s0m3phr34k]

Microsoft has shown, via the 6.5gb Windows 10 "upgrade", they care little about anyone's slow or capped connections.

Re:Cumulative and combined

[denbesten]

...Are we going to download the entirety of updates that have ever been released for Windows every month? ...

If you update online you get just the changes. If you download and install you get the whole thing.

Microsoft answered this and many other concerns on their blog [microsoft.com] last month. Your particular answer can be found in the comments.....

Nathan Mercer
September 15, 2016 at 8:37 am

... Monthly rollup will grow to be about the same size as Convenience rollup update. If you install via WU or WSUS you can take advantage of the Express feature to just have deltas going across the network. Security-only update will obviously be much smaller.

Re:

[fahrbot-bot]

In addition, from the same blog [microsoft.com] post:

Over time, Windows will also proactively add patches to the Monthly Rollup that have been released in the past.

Probably meaning telemetry and all the other things people have explicitly not installed (like Silverlight - for which "patches" appear in WU, even though I don't have it installed).

Re:

[fahrbot-bot]

Damn. Missed this bit of good news in the blog [microsoft.com] in my previous post:

Microsoft Update Catalog
The Microsoft Update Catalog website is being updated to remove the ActiveX requirement so it can work with any browser. Currently, Microsoft Update Catalog still requires that you use Internet Explorer. We are working to remove the ActiveX control requirement, and expect to launch the updated site soon.

Defer upgrades?

[ArtemaOne]

Does anyone know what will happen to those of us deferring upgrades? I got weird errors and lost my HFS partition last time it happened. Do we get a separate set of updates, or will we be forced to grab the anniversary update despite the bugs?

Re:

[Impy the Impiuos Imp]

The anniversary patch chose to install Friday when I shut down.

Corporate suicide!

[Angeret]

Has anyone at the top of Microsoft figured that corporate suicide isn't an achievement they should be aiming for? They keep trying harder for it every year and eventually, with enough effort, will be proud recipients.

Re:

[nukenerd]

Has anyone at the top of Microsoft figured that corporate suicide isn't an achievement they should be aiming for? They keep trying harder for it every year and eventually, with enough effort, will be proud recipients.

No they won't die. Have you never seen The Terminator, Westworld or similar films and stories about The Thing That Won't Die ?

Microsoft is that - The Thing That Won't Die. No matter how much it is whacked, or whacks itself, it just gets up again like a zombie with even more wounds spouting pus over anyone who goes near it and keeps on walking and trampling with empty eye sockets and flailing arms, just like in a horror movie.

Re:

[fahrbot-bot]

Microsoft is that - The Thing That Won't Die. No matter how much it is whacked, or whacks itself, it just gets up again like a zombie with even more wounds spouting pus over anyone who goes near it and keeps on walking and trampling with empty eye sockets and flailing arms, just like in a horror movie.

(cough) SCO Group [wikipedia.org] (cough)

Re:

[gweihir]

So far it works for them. There are enough people that think Win10 is great. Of course, the corporate market is another story.

Good for convenience, bad for large IT shops

[ErichTheRed]

Having done the end user computing engineering thing for quite some time, I've had to deal with Windows Update in places as large as 40,000+ PCs. There's a conundrum in the cumulative patching model -- it's super-easy for IT, but could leave some places more vulnerable.

The problem is that the more diverse a company's IT needs are, and the more proprietary software they rely on, the less able they are to just roll out a bundle of fixes to everyone and call it a day. I think Microsoft is forgetting how much some companies are relying on desktop Windows for line of business applications...it's almost like everyone there has drunk deep of the Cloud/Surface/Phone/Tablet/Web Services kool aid, and just assumed those crappy 20 year old applications have disappeared along with desktop/laptop use cases. In their minds, the only thing they have to make sure works correctly on site is Internet Explorer/Edge and Office.

Admittedly, updates are a confusing mess of semi-circular dependencies and it is very difficult for Microsoft to test even common combinations. But, making them all cumulative means this...Assume you have 10 updates in a bundle, 6 work fine everywhere, 1 breaks 40 PCs in Department A, 1 breaks the LOB app running on all 18,000 PCs you run, 1 breaks a behavior in IE some junky internal web app running on 2,300 PCs and 1 breaks the CEO's computer. All those computers have to wait until the problem is solved to get the protection for the 6 vulnerabilities, and they will continue to be unpatched since the bundle is cumulative.

The other thing I'm not a fan of is the removal of any sort of information about what gets patched. There used to be comprehensive descriptions of what was patched, and companies who knew what they were doing could direct testing to the right application groups. That's the other thing that's going away this month. We're a big Microsoft shop so we're pretty much resigned to upgrading to Windows 10...I guess we'll see what happens. Microsoft's been trying to cremate Windows 7 ever since early this year, messing with support dates and not backporting features. We'll see if Microsoft's "update rings" strategy that they're recommending everyone migrate to is workable.

Re:

[RicktheBrick]

I did a factory reset on a laptop to get back to 8. It started out with 181 updates and took over 8 hours to accomplish this. I turned it on the next day only to discover there were 21 more updates. I do not know if it is windows 10 or slashdot software but to type in this comment I attach a external keyboard since if I type on the laptop keyboard it goes crazy on me making it most difficult to type. Microsoft's games are the worst. I was playing Treasure Hunter and all at once it quit on me I restar

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[gweihir]

That we even have to consider such "solutions" shows how fundamentally broken both Windows and the relevant consumer-protection laws are.

Re:

[lgw]

Of course, you lose the security updates if you do that too. Whether that's massively important to you depends on how often you run executables downloaded from the Internet, and what TCP/IP services you run on your computer.

Your security beliefs are about 10 years out of date, unless you consider JS to be an "executable downloaded from the Internet". Almost all malware targeted at home computers is "no click required": mostly malicious JS, but occasionally PDF, or even jpg (remember what that was a joke?), served via ad networks.

So "whether that's massively important to you" depends on whether the machine is used to visit any web sites that serve ads, unless you completely disable JS.

no security updates might be the better of two evils, especially if you don't use IE or Edge

Is MS combining OS and browser updates (an

the most common response was "I run Linux."

[flacco]

This is the correct answer.

Re:

[gweihir]

Unfortunately, I am also a gamer, so that does not (yet) work well. But I am strongly thinking about a gaming-only PC and a separate one for working on things, surfing, email, etc. with Linux.

I take it we are going to get new spyware?

[gweihir]

I really see no other purpose to this than bundling spyware with security-updates. Seems running Windows securely and reliably is going to get even more difficult than, for example, Linux. (Although systemd is trying to change that...)

Finally!

[Moochman]

Finally! This is the way Apple has done it forever and it is sooo much nicer from a user experience perspective. Some may whine about having to accept everything MS wants to push at them, but it's time for them to deal with it and move on. The Windows update process has been essentially broken for the past two decades (>5 hour patch installs on a freshly Windows is *not* acceptable), and it's finally getting fixed. A momentous day.

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[MightyMartian]

Which modern variant are you using that you have conflicts of this kind?

Re:

[Zontar The Mindless]

Which distro is it that you use that has these issues? I'd honestly like to know, because I've been using Linux for 10+ years and I didn't know of any prior to being alerted by your post. This is important info which you shouldn't hold back!

Re:

[gweihir]

Maybe you are not able to _recognize_ Linux? Because that is not what other people experience...

Re:'Batch Tuesday'?

[Anonymous Coward]

How aobut 'botch Tuesdays'?

Re:How about 'Bork my system'day.

[um... Lucas]

I was going to ask if, by bunding updates together like this, is it going to make the lives of security researchers more difficult, as they can't simply diff the changed files of a particular security update? Seems I'm not the only one wondering this...

Re:

[um... Lucas]

There should be a single blog, yes. But there should also be the ability to choose which patches you want, if necessary. Say a particular graphics driver is known to kill a certain game, or a certain network update conflicts with a utility, there should be a way for advanced users do opt-out of them.

But then, Microsoft is trying to create an environment as closed as Mac, with user tracking beyond the pale of Google, accompanied a fee stream to rival any subscription service. It's not about what users want a

Re:

[Gr8Apes]

Why does anyone worried about privacy, security, or really "owning" their computer run windows anymore? It's time to accept that windows is no longer a consumer OS, it is a subscription service that allows you access to things you think you own, only as long as you pay the piper (that subscription payment will be coming, just wait for it).

To answer the question: If you want a AAA game platform, just buy your $5K game console and be done with it. Yes, like any console, it can do more, but at what cost?

Re:

[Ol Olsoc]

There should be a single blog, yes. But there should also be the ability to choose which patches you want, if necessary. Say a particular graphics driver is known to kill a certain game, or a certain network update conflicts with a utility, there should be a way for advanced users do opt-out of them.

Or even better, not make updates that have to be rolled back because they fuck up machines. It must be Stockholm syndrome or something akin, that so many people are so accepting of an Operating System that regularly screws the pooch in the computers. They even seem to think that getting their computers fucked up is a mark of superiority.

Ain't no need for that friends!

Somehow or another, OSX and Linux manage to not screw up people's computers often or at all. Using all three, my Windows machines Well,

Re:

[Z00L00K]

The hosts file is already circumvented by Microsoft.

If you really want to solve this then it's to force Microsoft to change every IP address they are associated with.

Re:

[Zontar The Mindless]

Hi Alex,

Despite our history, I'm here to help you out. No, really. So pay close attention:

Nobody needs to do anything to make you look bad. That's a trainwreck you're obviously quite capable of having on your own.

People bait you because it's well-known that you constantly scan Slashdot and other sites looking for people saying things about you. And they do it because they know that you will without fail rise to the bait. Q.E.D.

The only way for you to "win" this is not to play, but you are evidently too dens

Re:

[gweihir]

You are lucky. I updated my Win7 laptop a few days ago (had not found updates for a while and suddenly found them when on the net for a day). Took something like 20h to find all updates and another 10h or so to install them. Talk about fundamentally broken technology.

Re:

[gweilo8888]

No, it doesn't. Windows XP support ended in 2014, and not even security patches are provided by Microsoft any more.

https://www.microsoft.com/en-u... [microsoft.com]

Yes, you can shoehorn Windows Embedded Industry updates into XP, but that's only going to patch anything which was shared between the two. If a bug or exploit was specific to XP, it won't be patched. And there's no guarantee this trick will continue working next week, never mind a year or two from now -- Microsoft can close the loophole any time they want t