57 comments

[ 3.7 ms ] story [ 119 ms ] thread
A great way to very slowly upgrade everyone to Windows 10.
Not really. We've already been installing only security updates, in light of the instability problems and silliness like the GWX campaign. It looks like this might be the point at which we consider installing Windows 7 updates to be a higher risk than not updating at all and just switch the whole thing off.

My concern is whether they will stop shipping the separate security updates that have already been released, which are useful for patching a new system on first boot.

Windows 7/8.1 users are not going to be happy, its one of the reasons they are sticking with the older OS.
I just hope its not part of some plan to sneak in windows 10-style spyware onto older windows versions, by bundling it up with important security updates one pretty much have to install. At least the windows 10 upgrade we could say no to.
If you're referring to the telemetry in Win10, similar telemetry was patched into Win7 a long time ago.
In theory, aren't those individual update packages removable?
Yes. Incomplete list for Windows 7: 3015249, 3022345, 3068708, 3080149, 3175249.
But on Windows 7, you could choose not to install updates you didn't want or to uninstall them later, and many people did.

The obvious suspicion here is that bundling the changes is an excuse for Microsoft to force updates people don't want, Windows 10 style, onto people whose Windows 7/8 systems currently allow them to choose.

Does anyone know what's in the telemetry yet?
It looks like this change happened around April/May 2016.

Which coincidentally is when my infrequently booted windows install started crashing in the middle of windows update. (Update enabled, 10 min uptime. Update disabled, Days, with sleep/hibernate/wake cycles)

(I'd suspect hardware, but the linux install that's normally running has its uptime only limited by rebooting for kernel updates)
So much better than the current system. Frankly, it should be able to bring system files to a desired state, rather than installing numerous updates.
It's not clear from the article, but will we be able to cherry-pick and uninstall updates we don't want? Does the roll-up show as one update in Windows Update or can we cherry-pick and uninstall anti-feature updates and leave the security updates?
Apparently not:

> This means that the ability to pick and choose individual fixes to apply will be removed; they'll be distributed and deployed as a singular all-or-nothing proposition.

(comment deleted)
> Microsoft will also create security-only updates that include all the security fixes released each month, without any reliability or feature changes. These updates won't be cumulative. They will only be offered via WSUS and SCCM; WU users won't see them.

Can anyone use WSUS and SCCM, or are these licensed separately, e.g. with Windows Server?

Could the US FTC require that security updates be delivered separately as a condition of sale, i.e. cannot be bundled with non-security updates? They are already studying mobile device security updates, https://www.ftc.gov/news-events/press-releases/2016/05/ftc-s...:

"In order to gain a better understanding of security in the mobile ecosystem, the Federal Trade Commission has issued orders to eight mobile device manufacturers requiring them to provide the agency with information about how they issue security updates to address vulnerabilities in smartphones, tablets, and other mobile devices. The eight companies receiving orders from the FTC are: Apple, Inc.; Blackberry Corp.; Google, Inc.; HTC America, Inc.; LG Electronics USA, Inc.; Microsoft Corp.; Motorola Mobility, LLC; and Samsung Electronics America, Inc."

Both require running on Windows Server, WSUS is "free", SCCM is "very expensive".
Thanks, can Windows Server 2003 be used to run WSUS for updating Windows 7 clients?

Edit: looks like a user or device CAL (Client Access License) is needed for each Windows 7 instance that is connecting to WSUS to receive security updates.

Edit2: it may be possible to manually copy security-only update files from WSUS to unmanaged Win7 clients that have no CAL.

> can Windows Server 2003 be used

2003 reached end of life on July 14, 2015...

We did have WSUS running on our 2003 Secondary Domain Controller servicing Windows 7 and 2008 Server clients just fine. But as another poster said, 2003 is seriously EOL so the latest versions of WSUS might not work.
There was a time, at one point, when MSFT qualified that CALs were not needed for WSUS if the underlying Windows Server version did not require CALS: http://www.wsus.info/index.php?showtopic=5592

Getting definitive licensing answers out of MSFT has proven difficult for me. I've gotten varying answers from different people in the past (not necessarily about this topic). MSFT definitely keeps things vague, IMO, to keep their options open.

The last W10 update broke my Wifi. So buyer beware...
Hi, can you please give more details? What computer was this? What broke? And if you fixed it, how did you fix it? Thank you.
This will cause happy times when a single update in the bundle starts causing problems and render your system in non-working state.

Good that MS never shipped a crappy update like that. /s

Another big "fuck you" and taking away control over own machines.

>Another big "fuck you" and taking away control over own machines.

Considering how poorly the average end user maintains their machines and the sheer quantity of malware out there, taking away control over their own machines is the kindest thing MS can do.

I'm not talking about end-users, but admins.
But what about people who aren't average users and do know how to look after their machines properly?

Microsoft have caused a huge number of serious problems with Windows 7 updates over the past year, many of which could be avoided by not installing a bad update.

Welcome to modern personal computing. There are only two types of people, users and developers. And developers consider all users drooling idiots that needs to be protected from themselves. Power users, admins, none of those exist in the eyes of the developers.

And you see this across the board, from Microsoft to Apple, and even among the Linux user space developers.

That's really no excuse. We're developers, and yet we manage not to abuse our users or treat them like idiots. If our little company can do it, I'm sure others can.
>But what about people who aren't average users and do know how to look after their machines properly?

Callous as this may sound, what about them? As technical professionals, you know as well as I do that we have to design for the worst or average case, not the best case. Put another way, wearing a seatbelt is mandated by law, no matter how good a driver one is.

And don't get me wrong; I find the additional restrictions on consumer versions of Windows 10 to be tremendously irritating too. But that doesn't change anything.

It seems likely that most of the user base of Windows 7 Pro is in that category. It's the version you get as a power user or small business, when you need more flexibility and control than the Home version offers but you aren't big enough for Enterprise and all that comes with it. So even the average user of Windows 7 Pro probably is technically competent and probably does have good reasons for using that version.

Obviously Microsoft can choose to shaft those people anyway. After all, what are they going to do, sue? However, in doing so, it's going to further alienate a substantial and influential part of its user base. There are going to be consequences for that in the long term, or possibly even the not-so-long term if they start bundling essential security updates with other potentially undesirable things very soon as part of this exercise.

This encourages worse behavior. If an update breaks your XP era business software, and it's cumulative, you now have only one choice: Stop using your business software or stop updating Windows. Most businesses will stop updating Windows. Rather than blocking one bad update.

I actually had a vendor tell me LAST WEEK that the solution to their software not working was to uninstall one Windows Update from two months ago temporarily while the issue is resolved. That's a plausibly reasonable scenario, unless, as you can guess where this is going, you have Windows 10 deployed. Then the "solution" becomes "remove all cumulative updates for the last two months", which is a colossal joke and non-option to which my answer was "uh... no".

You are 100% correct, but there should be an option, which the vast majority of people will never both to look for, for power users to switch back to individual updates.
Had something close to that the other day. Windows was trying to update my GPU driver, failing, and causing a automated recovery. "Fun" times.
Is this so that they can bundle the Windows 10 nagware into the bugfixes?
They already did that a few months back, one critical IE security also reset the "disable GWX" registry keys.
I don't know what MS did to the update system in the last year, but every time my system goes to check updates, it runs at 100% on one CPU for hours. Usually after waking it from sleep or a cold boot.

I've run the "Problem Fixer" utility for Windows Update, deleted the update cache, and all the other recommendations with no success. I end up killing the wuauserv service to free up that CPU.

It used to work 100% fine until the Windows 10 nag/forced upgrade debacle started being pushed out.

Same here, only in my task manager its listed as a service host process which is pegging one core at 100%. I didn't understand what it was for months until I must have let it finish because I wasn't doing anything CPU intensive and I got a Windows Update message. Funny thing is that after I clicked to see what updates were available, it had to do the whole process again!

This is the last version of Windows I will run.

We've had some similar problems with Windows Update on our Win7 systems in recent months as well. On a many-cored workstation it's an annoyance. On an older laptop with a dual core CPU, it's crippling.

Like others posting here, we see the service host process spinning an entire core at around 100%. That keeps the CPU clock speeds and power draw up all the time as a notable side effect.

This seems to be a separate issue from problems with Windows Update taking hours to check for and/or apply the updates themselves.

Great, looks like I have both problems.
Glancing at the stack traces with symbol server downloads enabled, it looks like there's a n^2 or potentially even exponential algorithm being run during the checking phase - checks are run both passively and when actively applying. There's something very wrong with the design of the algorithm - it obviously doesn't scale. Bigger, fewer patches may simply be reducing the size of n.

IMO a better approach would be to offload the work to MS: upload a list of applied updates and let the cloud do the crunching. Much higher chance of memoizing and reusing work that way too. It's a sign of MS's client oriented culture still sticking around.

Yes, its under one of the many svchost processes that Win7 likes to throw up.

And indeed, it wasn't until I loaded up Process Hacker to find out exactly what process was gobbling the CPU.

On my laptops, I usually run "net stop wuauserv" in a loop with a small sleep. If you're not actively choosing to update that day, it will kill battery life, heat up the machine and keep fan whirring for hours.

When I actually want to update, I start the update widget manually. Still takes many hours to update, but it's elective and can be run overnight on mains.

That generally matches what I'm seeing, except that my laptop dies after 10 minutes of it.
Sounds reasonable. But can't they keep them seamless? (silent) The other day I woke up, and out of nowhere I got the Anniversary Update (must have triggered during my sleep).

Desktop style messed up, taskbar messed up (IE and something else magically decide to come back), a few things added to startup, some new windows 10 Skype app trying to log me in without even asking (really?? and it basically "stole" the credentials from the regular app?? quickly uninstalled it), SkyDrive pops up and tries to do stuff, VirtualBox broken for some reason - had to reinstall, a few file associations reverted to defaults, and most funnily no obvious new features.

It's like someone searching through your house leaving a big mess behind without a decent excuse.

> and out of nowhere I got the Anniversary Update (must have triggered during my sleep).

I have noticed that thanks to UEFI (or something related to it) my laptop can no start doing things in the middle of the night even if i put it very firmly to sleep earlier.

The Anniversary Update (and previous Windows 10 edition updates as well) is basically a re-installation of the whole operating system with the settings from the old installation migrated to the new one.

This migration is not quite seamless, always a few options/settings that have to be re-done manually for me.

But that has nothing to do with this new cumulative security update model, it's not a full re-installation.

This is the biggest reason I stuck to Win 7. Windows update process is an abomination and can't understand how its allowed. Two of my other systems booted up and took 30 minutes for updates to install before logging me in. One is a PC stick and other is a desktop. Unacceptable waste of my time. I should be able to choose which updates.
Can you or someone suggest what to do after new laptops won't accept Windows 7 anymore?

At this point with new lap I just buy Windows 7 and Office 2010 and with limited updates first then turned off I'm a happy camper and hadn't had issue, virus or malware since 2007.

I tried Mac few times but for someone who loves Total Commander, I was totally lost :(

Will any Linux with decent GUI do it?

Windows 7 was extended to support Skylake. I'm not sure if Microsoft was backtracking after their original announcement or if limited Skylake support was part of their ultimate overlordian plan to have everyone switch to Windows 10.

Original: http://www.computerworld.com/article/3023533/microsoft-windo...

Later: http://www.extremetech.com/computing/225075-microsoft-gives-...

Whether Intel's new processor, Kaby Lake, is supported by Windows 7 I don't know. If someone does I would be interested.

Seems Microsoft's aggressive upgrade strategy has not ended even though the recent successful lawsuits.

Unfortunately, under Microsoft's current terms, it looks like OEMs won't be allowed to supply new machines with Windows 7 or 8.1 preinstalled after 31 October this year.[1]

So as things stand, if you buy a new PC with Windows after that date, you're getting Windows 10 preinstalled whether you like it or not. In some cases, it looks like downgrade rights might still apply, but that involves a lot of hassle and may depend on the willingness of your OEM to support it.

Whether the OEMs will actually stand for this, I don't know. Vendors we buy from still tend to supply Windows 7 Pro by default on new business laptops, for example, which suits us (small business environment) fine since we have no interest in moving to Windows 10. If Microsoft turns around in a couple of months and tells OEMs they can no longer sell what their customers want to buy, there's going to be a mighty fight.

[1] https://support.microsoft.com/en-us/help/13853/windows-lifec...

Windows Pro comes with downgrade rights. Buy 10 Pro, downgrade to 7 yourself.
As I said, downgrading that way involves a lot of hassle and potentially relies on the willingness of your OEM to support it. It's hardly an improvement on just buying a machine with the OS you actually want already installed and working, which is what we have today.
Yup. I made the jump reluctantly after running Windows 7 Pro workstation for years without issues. I did the upgrade to version 10 and have since had to recover or completely rebuild the install 3 times in 6 months. Each time after an update

Each time that Windows update comes in and forces me to update and shut down is a day I dread. This hardware worked so well under Windows 7 and causes headaches under Windows 10.

As a sysadmin at almost-Windows-only company, I am still kind of surprised at the state of updates on Windows.

On Debian, CentOS, or FreeBSD, server and desktop, I usually install all and any updates that are available, reboot if there is an update to the kernel (or libc) and move on.

The fact that there is even a need for "patch management" beyond "just ing deploy them already" is ... embarrassing for Microsoft, IMHO. But simply installing any and all updates that Microsoft publishes has shown to be a bad idea. So I really hope that at least using a WSUS will allow me to pick what updates get installed.

From the article:

> This means that the ability to pick and choose individual fixes to apply will be removed; they'll be distributed and deployed as a singular all-or-nothing proposition.

So, if this "update" contains the Windows 10 nagware or all that fancy new "telemetry" that I definitely do not want, I don't have an option...

I currently run Windows 7 on a VM on OS X, using it only to (a) digitally sign documents since the hardware key that is provided only works on Windows, and (b) do my annual IT returns with an Excel utility that again, only runs on Windows. Looks like (b) is no longer an issue - there's now a Java utility that does the same thing. Now if only I had a way out of (a), I'd get rid of Win altogether.