Security Only Updates vs Security Monthly Quality Rollup Updates!

Page 1 of 2 12 LastLast

  1. Paul Black
    Posts : 6,021
    Win 7 HP SP1 64-bit Vista HB SP2 32-bit Linux Mint 18.3
       New #1

    Security Only Updates vs Security Monthly Quality Rollup Updates!


    Good morning,

    On a clean install (other than: KB3020369, KB3125574, KB3172605 and KB3179573), is it best to install ALL the Security Only Updates from October 2016 to February 2018 or just the last Security Monthly Quality Rollup Update?

    Ideally, I really only want the critical and security updates and nothing else. I can run Windows update after the clean install and then install the ones that I want to.

    I am going to be creating a new install.wim file because this will drastically reduce the number of Windows updates (and the many hours downloading, installing and restarts needed) available when I run Windows updates and just really need to know which scenario is best.

    I say this with regard to telemetry and spying updates making their way into the clean install.

    There have been many many posts with regard to this but none seem to give a definitive answer!

    Thanks in advance.
    Last edited by Paul Black; 22 Mar 2018 at 17:03.
      My Computer
    Quote Quote

  3. iko22
    Posts : 2,798
    Windows 7 x64, Vista x64, 8.1 smartphone
       New #2

    Hi Paul, As far as I am aware, the windows update went through 4 phases: SP1, Convenience rollup update, telemetry updates, and the new rollup scheme (after August 2017). The new rollup scheme meant that a single monthly update would include the months updates rolled into one. The new rollups have a cumulative effect, so one months update cumulatively includes the previous months update.
      My Computer
    Quote Quote

  4. Brds7t7
    Posts : 1,797
    Win 7 Ultimate, Win 8.1 Pro, Linux Mint 19 Cinnamon (All 64-Bit)
       New #3

    Hi Paul, if you're going from a clean install and want all the Security-only updates and no rollups included, then I would use WSUSOffline to create the ISO before you attempt it all.

    Believe me, it's just a big PITA with clean installs now. WSUSOffline makes the whole process much easier. You can select Security-only updates instead of rollups when using the update downloader.

    WSUS Offline Update - Update Microsoft Windows and Office without an Internet connection

    And if you're going down the Security-only update route, then yes you have to install each months, or you'll have some parts of Windows unpatched.
      My Computer
    Quote Quote

  6. Paul Black
    Posts : 6,021
    Win 7 HP SP1 64-bit Vista HB SP2 32-bit Linux Mint 18.3
    Thread Starter
       New #4

    Thanks iko22 and Brds7t7 for the replies, it is appreciated.

    Paul Black said:
    On a clean install (other than: KB3020369, KB3125574, KB3172605 and KB3179573), is it best to install ALL the Security Only Updates from October 2016 to February 2018 or just the last Security Monthly Quality Rollup Update?
    I am really just curious about what people think from their own experience is the best and most stable way to go about creating a new install.wim file for a clean install.

    As I said previously, whichever way I choose to go, whether it is the Security-Only option or the Cumulative option the updates KB3020369, KB3125574, KB3172605 & KB3179573 MUST be installed first obviously.

    If I was to go down the Cumulative route then I would only have to install the 4 updates above + KB4088875 - Security Monthly Quality Rollup Update (March 2018).

    If I was to go down the Security-Only route then I would have to install the 4 updates above + 17 Security-Only updates from KB3192391 - October 2016 > KB4088878 - March 2018.

    I do realise that the Cumulative update includes ALL previous updates so is the easier of the two options but does it still include some telemetry? I say this because I did read somewhere that Microsoft have now stopped pushing out the telemetry updates!

    Anyway, I was just curious about other peoples opinions and experience and what they had found was the best of the two options, if any!

    Thanks in advance.
      My Computer
    Quote Quote

  7. Brds7t7
    Posts : 1,797
    Win 7 Ultimate, Win 8.1 Pro, Linux Mint 19 Cinnamon (All 64-Bit)
       New #5

    Hi Paul, be warned that the cumulative updates don't include all past updates. MS is slowly rolling the past updates into the Cumulatives, but they're not fully there yet. So either way you go, you'll still have to install more updates from Windows Update.

    I can't help you with the install.wim option unfortunately, as I found it less hassle just to install Windows from the disc/USB stick then use WSUSOffline to get me up to date security wise and skip all the rollups easily. This is why it isn't as straightforward as you think since MS changed its servicing model.

    Another tool to use which will tell you which Security-only updates are missing is the Microsoft Baseline Security Analyser. After install you can run it and set it to 'Scan the offline catalog only'. This will scan for Security-only updates missing.

    Ignore any references to Monthly rollups though.

    Download Microsoft Baseline Security Analyzer 2.3 (for IT Professionals) from Official Microsoft Download Center
      My Computer
    Quote Quote

  8. Paul Black
    Posts : 6,021
    Win 7 HP SP1 64-bit Vista HB SP2 32-bit Linux Mint 18.3
    Thread Starter
       New #6

    Thanks for the reply and link Brds7t7,

    Brds7t7 said:
    ...be warned that the cumulative updates don't include all past updates. MS is slowly rolling the past updates into the Cumulatives, but they're not fully there yet. So either way you go, you'll still have to install more updates from Windows Update...
    Yes, I appreciate that. The idea is to stop the many many hours needed to download and install them and the numerous restarts that are needed. Hence why I have gone down the route of pre-integrating them and creating a new install.wim file for the initial clean install.

    Brds7t7 said:
    ...then use WSUSOffline to get me up to date security wise and skip all the rollups easily.
    I will out of interest look at this process over the weekend.
    I assume that it is a package that contains ALL the updates that can then be run against the clean install to find those updates that are missing?

    Brds7t7 said:
    Another tool to use which will tell you which Security-only updates are missing is the Microsoft Baseline Security Analyser. After install you can run it and set it to 'Scan the offline catalog only'. This will scan for Security-only updates missing. Ignore any references to Monthly rollups though.
    This also sounds interesting, and again, I will look at this process over the weekend.

    Thanks in advance.

    EDIT:

    I am also going to have a go at integrating I.E.11 (I know that this needs at least 4 Prerequisites) into the install.wim file as well to make it a bit more complete. I might also then be able to integrate the KB4089187 - Cumulative Security Update I.E.11 - March 2018.

    I know that Microsoft .NET Framework 4.7.1 can't be integrated but this can be done from the downloaded .msu file after the clean install to also reduce the time (as opposed to letting it update through Windows update).
      My Computer
    Quote Quote

  10. Brds7t7
    Posts : 1,797
    Win 7 Ultimate, Win 8.1 Pro, Linux Mint 19 Cinnamon (All 64-Bit)
       New #7

    WSUSOffline includes all updates either Security-only updates or the rollups whichever you choose when running the downloader. There's a checkbox at the bottom which says "Download Security-only updates instead of Quality Rollups". You can also set it to install all the .NET Framework updates and IE11 plus its updates. Believe me, it's a very handy piece of software to have in the toolkit!

    I sound like I work for the team at WSUSOffline, but I'm not affiliated with them in any way.

    Give it a try at the weekend, then let me know how you get on.

    The install.wim option is probably the quicker option for install, but I got fed up of trying to integrate updates all the time. Must be my age!
      My Computer
    Quote Quote

  11. Paul Black
    Posts : 6,021
    Win 7 HP SP1 64-bit Vista HB SP2 32-bit Linux Mint 18.3
    Thread Starter
       New #8

    Thanks Brds7t7,

    Brds7t7 said:
    The install.wim option is probably the quicker option for install, but I got fed up of trying to integrate updates all the time.
    I can create a new install.wim with the 4 updates + Cumulative update in about 20 minutes.
    I can create a new install.wim with the 4 updates + ALL 17 Security-Only updates in just over an hour.
    Both Batch driven.

    Thanks in advance.
      My Computer
    Quote Quote

  12. Brds7t7
    Posts : 1,797
    Win 7 Ultimate, Win 8.1 Pro, Linux Mint 19 Cinnamon (All 64-Bit)
       New #9

    Paul Black said:
    I can create a new install.wim with the 4 updates + ALL 17 Security-Only updates in just over an hour.
    Both Batch driven.

    Thanks in advance.
    Don't forget that you have to install all the standalone security updates that came before the 2016 Security-only updates too.

    If you can do all that you're a much more patient man than I am! It started driving me nuts keeping up with all the different updates both pre and post August 2016.
      My Computer
    Quote Quote

  13. Paul Black
    Posts : 6,021
    Win 7 HP SP1 64-bit Vista HB SP2 32-bit Linux Mint 18.3
    Thread Starter
       New #10

    Hi Brds7t7y,

    Brds7t7 said:
    Don't forget that you have to install all the standalone security updates that came before the 2016 Security-only updates too.
    Yes, these were the 4 I was talking about that MUST be installed first (regardless of which of the 2 options are used):

    KB3020369 - Servicing Stack Update - April 2015.
    KB3125574 - Convenience Rollup Package - May 2016.
    KB3172605 - Functional Update Rollup (THIS ONE IS IMPORTANT) - July 2016.
    KB3179573 - Functional Update Rollup - August 2016.

    Brds7t7 said:
    If you can do all that you're a much more patient man than I am!
    Batch driven so it just does it!

    Thanks in advance.
      My Computer
    Quote Quote

 
Page 1 of 2 12 LastLast

  Related Discussions
Good afternoon, Can someone please tell me if there is any difference between the Security Monthly Quality Rollup and the Preview Of Monthly Quality Rollup if any. Thanks in advance.
This "optional" entry appears each month during Win Update. It is several hundred MB in size so takes a while to download but there is no indication of what it does or why it is optional. Since individual updates also appear is this stuff really necessary ? Can it safely be ignored ? Thanx. ...
Security Monthly Quality Rollup
in Windows Updates & Activation

I have been using W7 Pro x64 for ages and have been delighted with it and intend to stay with it until Microsoft eventually drives me to Linux. Now down to my question. I have been receiving a Security Monthly Quality Rollup and beginning to wonder if I really need to download it. The latest...
Hello all, I need some help, I am having an issue with 2 workstations. 1 Physical Windows 7 Pro x86 1 Virtual Windows 7 Pro x64 When I try to install the update KB3185330 the workstation reboots and eventually I get the message on the screen "Failure configuring Windows updates. Reverting...
Our Sites
Site Links
About Us
Windows 7 Forums is an independent web site and has not been authorized, sponsored, or otherwise approved by Microsoft Corporation. "Windows 7" and related materials are trademarks of Microsoft Corp.

 © Designer Media Ltd
All times are GMT -5. The time now is 15:51.
Find Us