Windows Update had been a standard of security that was heavily relied upon by scores of Windows users for decades. Applying the once-monthly updates became a mandatory ritual that almost all Windows owners followed. Windows Update is by default automatic. For all those decades it worked largely flawlessly.
Unfortunately, the quality of Windows Updates has fallen off badly. This has given rise to numerous defective updates that cause a whole range of problems. Many updates are re-issued, some many times over.
Coincident with this falloff in quality, starting just after Microsoft ended Windows 7 development (December 31, 2014) and began security-only “support,” Microsoft changed the objectives of these updates from primarily security-only to feature-related along with security. The “features” often contain(ed) changes to Windows 7 that some owners did (do) not want. At first they could selectively reject specific updates. In October 2016, Microsoft changed the way it assembled updates so that people can no longer be selective. They call this new type of update “Roll-ups”. These Roll-ups are an all-or-nothing deal that includes all manner of “updates” that are largely unpublished. There is a way to get just the security updates, but it is complex and fraught with problems unless you are a serious technician, and is therefore out of reach of most people.
The best advice is to set the Windows Update setting to “Never check for updates.” Unfortunately, that means Windows Update no longer works automatically, but requires the user to manage the update process. However, this is the only way to take control of the situation. Enterprise IT folks have always done it this way.
If you really must continue to update, in spite of my advice to not do so, do NOT update until the day before the next cycle begins on the 2nd Tuesday of the month. That allows time for most of the erroneous updates to get fixed. Woody Leonhard, a tech writer extraordinaire, operates a web site which does an excellent job of advising on Windows Update. It features his MS-DEFCON rating system that tells you when NOT to update, and when to do so. There is even a section on his web site, www.askwoody.com, that specifically deals with Windows 7 updating.
The security-only crowd (Woody calls them Group B) was popular at first, but by June of 2017 that strategy fell apart because defects in security-only updates got fixed in the “roll-up updates.” So, that made security-only updating impractical for all but the most technically competent.
Woody’s recommendation is that Windows 7 owners should stick to Group A, which just accepts all Microsoft roll-up updates and simply allows whatever changes Microsoft decides to make.
Another group, Group W, of which I am a member, simply does no further updating. That group has decided the risk of not applying updates that could immunize your system from some disease, hacker or virus is a lesser risk than applying updates and allowing your system to become something you would not buy if you had a choice, or risk having defective Microsoft updates fouling your working system. Of course this strategy includes some other choices that become far more critical: A very good antivirus program, switching to a browser that will be updated and therefore be more secure, and the acceptance that the January 2020 date that Microsoft has set for the end of updates for Windows 7, has already come.
At this date, I support 122 Windows 7 systems, and have for 16 years now. None of these are enterprise systems, just home PCs. All systems have a major antivirus product that I have selected. Most have switched to Chrome browsers, which no longer require the security-problem-prone Adobe Reader, Adobe Flash Player or Java. These three programs are needed by Internet Explorer, but not by Chrome, and are a common hacker/virus attack vector. The fact is that the Chrome browser is now in use by more than 2/3. None of these systems have versions of Microsoft Office any more recent than 2010. None of these systems has had Microsoft updates since May, 2017. That is 29 months now. Not a single one of them has had a problem of any kind. In fact, my support activities have fallen off by at least 75% as these systems have become so stable and reliable that problems just do not occur. Most of my work is now hardware maintenance.
When I re-build a system, I follow a very specific process of updating. Note well that I do not apply any updates after May 2017:
- Use a Win7 install disk with SP1. This disk need only match the product type (home, pro, etc.) and bitness (32 or 64) of your Microsoft Product Key.
- Select Custom, not Upgrade
- Switch to advanced and Delete all partitions. Only one logical partition – C:, which will be created by the installer.
- After install, install network drivers if not installed already. Then activate.
Do NOT install anything until all Windows Updating is completed. Not even antivirus.
- Set Windows Update to Never
- Download and install either one or two updates manually. ***Note exception below if not starting with SP1 disk. In most cases only the first (KB3138612) of these is needed. If that produces a result that says the update is not appropriate for your computer, you need to first install the 2nd of these (KB3020369), then install the first (KB3138612). Choose the one that is for your machine — 32 bit (X86) or 64 bit (X64).
- Switch from Windows-only updates to Microsoft updates
- Reset Windows Update setting to Never
- Start Windows Update
- When a list of updates is offered (likely nearly 200 or so), refuse the following updates by right-clicking on them and choosing hide:
  - Anything labeled Roll-up, with the exception of .net roll-ups.
  - Any update that is NOT described as “Security” whose issue date is later than December 31, 2014. That is the date Windows 7 development ended.
  - Any Office update whose issue date is later than June 2017, displayed on the right.
  - You do not want any optional updates.
*** If you cannot find an SP1 install disk, the step that installs the 2 specific updates (KB3138612 and KB3020369) described and linked above cannot be done until the updating process has installed SP1.
- Install any missing drivers, using drivers downloaded only from the OEM support page.
Install the following Security-only updates for October 2016 through May 2017. You do not have to restart until all the following are installed.
You can find an excellent guide on this topic at:
You do not need to restart until all these updates are completed. When you do restart, it may take a while to process it and get back to your desktop screen.
- October, 2016 KB3192391
- November, 2016 KB3197867
- December, 2016 KB3205394
- January, 2017 KB3212642
- February, 2017. There were no updates this month
- March, 2017 KB4012212
- April, 2017 KB4015546
- May, 2017 KB4019263
- May, 2017 IE update KB4018271
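
Once the restart has completed, the installed updates can be checked against the list above before moving on. The script below is an added example, not part of the original procedure; it assumes PowerShell 2.0 (the version shipped with Windows 7), and the `Label` text and function names are illustrative.

```powershell
# Added example: confirm the updates named on this page are present.
# Written for PowerShell 2.0, the version that ships with Windows 7.

# KB numbers and months are copied from the page's list.
$expected = @(
    @{ Label = 'Manual prerequisite';  KB = 'KB3138612' },
    @{ Label = 'October 2016';         KB = 'KB3192391' },
    @{ Label = 'November 2016';        KB = 'KB3197867' },
    @{ Label = 'December 2016';        KB = 'KB3205394' },
    @{ Label = 'January 2017';         KB = 'KB3212642' },
    @{ Label = 'March 2017';           KB = 'KB4012212' },
    @{ Label = 'April 2017';           KB = 'KB4015546' },
    @{ Label = 'May 2017';             KB = 'KB4019263' },
    @{ Label = 'May 2017 IE update';   KB = 'KB4018271' }
)

# Get-HotFix reads the Win32_QuickFixEngineering WMI class.
# Collect the installed IDs once into a (case-insensitive) hashtable.
function Get-InstalledKbSet {
    $set = @{}
    Get-HotFix | ForEach-Object {
        if ($_.HotFixID) { $set[$_.HotFixID] = $true }
    }
    return $set
}

# Emit one object per expected update with an Installed flag.
function Test-ExpectedUpdates($Expected, $InstalledSet) {
    foreach ($item in $Expected) {
        New-Object PSObject -Property @{
            Label     = $item.Label
            KB        = $item.KB
            Installed = $InstalledSet.ContainsKey($item.KB)
        }
    }
}

$report = @(Test-ExpectedUpdates $expected (Get-InstalledKbSet))
$report | Select-Object Label, KB, Installed | Format-Table -AutoSize

# Summarize anything that did not install.
$missing = @($report | Where-Object { -not $_.Installed })
if ($missing.Count -gt 0) {
    Write-Warning ('Missing: ' + (($missing | ForEach-Object { $_.KB }) -join ', '))
} else {
    Write-Output 'All listed updates are installed.'
}
```

KB3020369 is left out of the list because the procedure above only calls for it when KB3138612 refuses to install.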
Microsoft Office: install in the usual fashion, then run Windows Update again. Do NOT install any Windows update of any kind. Un-check each and every one of them. Then carefully go through the Office Updates offered. Simply select the first with one click, look to the right for the date of issuance. If that date is later than June, 2017, un-check it. Then proceed to the update process. In other words, you only want office updates that were offered prior to July 2017.
After Windows 7, system drivers and all updates are installed and any stable applications like Microsoft Office are installed and updated, and before any data or dynamic applications are installed such as antivirus software, create a system image. It will take 3 or 6 DVD +Rs (not -Rs) and about an hour. When you are done you will have a very nice bit of insurance. Should you ever again need to re-build a corrupted system or replace a hard drive, you will have a precise duplicate of your system as it is at this point. You can restore that image to a hard drive in 20 to 60 minutes. Creation of System Image is found in your menu under Maintenance, Backup and Restore.
Another great feature about creating the image is that you do not need an install disk or a product key to do the re-install the next time, all your drivers will be installed and you will have saved yourself all the time you put in this time, and have a complete functioning system.
You will, in fact, have a final-state Windows 7 installation which could run on this particular computer as long as the computer hardware itself holds up and the software you prefer is still usable. Your system will already be activated and you will not need an install disk or Microsoft Product Key again. In fact, Microsoft could evaporate, and your Windows 7 system would still function just fine, even if you had to install a new hard drive.
I emphasize the need for PLUS R DVD blanks. Do not use the more common MINUS R DVD blanks.
- Install software, ending with antivirus software.
- Then copy data into the newly created system.