Microsoft resurrects Telemetry updates KB2952664 and KB2976978

The past year has not been easy for system owners or administrators on devices running Windows 7 or Windows 8 who don't want their systems to be upgraded to Windows 10.

The main reason for this was that Microsoft pushed a myriad of patches to devices running previous versions of Windows with the sole aim to get those Windows versions upgraded to Windows 10.

Probably the most notorious of them all was "Get Windows 10", a patch that displays an upgrade prompt to the user in various forms. What made the patch particularly problematic was that Microsoft updated it a lot. This meant that it reappeared on devices running Windows 7 or 8 even if the user or a system administrator hid the page to block it from ever being installed on the device.

Another part of the problem was that Microsoft modified the prompt itself making it less user friendly with every iteration. This was borderline malware-like behavior, something that did not seem to bother Microsoft in the slightest.

decline windows 10

But it was not just that patch that infuriated part of the Windows user base. Microsoft introduced telemetry patches as well, most notably KB2952664 for Windows 7 and KB2976978 for Windows 8.

This update performs diagnostics on the Windows systems that participate in the Windows Customer Experience Improvement Program. These diagnostics help determine whether compatibility issues may be encountered when the latest Windows operating system is installed. This update will help Microsoft and its partners ensure compatibility for customers who want to install the latest Windows operating system.

If you checked for updates on Windows 7 or Windows 8 recently, you may have noticed that these two patches have once again been updated.



This means that they are offered to all users on Windows 7 and Windows 8 again.

Read also:  What would you like to see in the Windows 10 September 2017 feature update?

What makes this rather worrying from a user point of view is that these updates were prerequisites for the Get Windows 10 update KB3035583.

Some users are already worried that Microsoft might re-introduce the Get windows 10 update again, likely because the operating system's growth fell to a snail-like pace in September 2016.

The update description offers no hint as to what made Microsoft push out an updated version of it to user systems. It could be unrelated to the Get windows 10 campaign, considering that users may still initiate updates to Windows 10 from systems running Windows 7 or 8.

Then again, those who use Microsoft's upgrade assistants will notice that compatibility checks are performed during the upgrade process as well.

While Microsoft is keeping its customers in the dark in regards to what is actually going on, those who don't want their devices to upgrade to Windows 10 better block KB2952664 and KB2976978 once again to make sure nothing of that sort happens.

Those who find one of the patches installed already may find this guide useful that explains how to remove and block already installed Windows updates.

Summary
Article Name
Microsoft resurrects Telemetry updates KB2952664 and KB2976978
Description
If you checked for updates on Windows 7 or Windows 8 recently, you may have noticed that KB2952664 and KB2976978 are offered again.
Author
Publisher
Ghacks Technology News
Logo

Please share this article

Facebooktwittergoogle_plusredditlinkedinmail



Responses to Microsoft resurrects Telemetry updates KB2952664 and KB2976978

  1. NSA friendly October 5, 2016 at 6:40 pm #

    And good luck to those who try to stop Micro$oft from calling home.

    • Orc October 10, 2016 at 3:15 pm #

      Kek

  2. Yuliya October 5, 2016 at 6:41 pm #

    Well, Christmas is coming, so Microsanta Clausoft might bring you a Win10 Home license, if you were a good boy or a good girl ;)

    • Bob October 5, 2016 at 7:13 pm #

      I'd like Microsanta Clausoft to bring me a respawn of XP.

      I've wondered for some time now why MS doesn't create two divisions; One division to continue developing future technology...Win 10, and a base, no-nonsense workhorse operating system...an updated, upgraded XP.

      It's not as if they don't have the money to fund two projects/operating systems. ;)

      • kalmly October 6, 2016 at 2:29 pm #

        Yes. I'd gladly fork over $200 bucks for it, too. Instead, I'm hiding my Win7 machine from Win10's ugly clutches and wondering how much I am going to hate Linux when I am forced to let go.

      • Anonymous October 11, 2016 at 11:18 pm #

        There was, it was called windows posready 2009, too bad they fired most of the people who did any work at that company, including all the bug testers

  3. The Flash October 5, 2016 at 6:56 pm #

    Wait, they release a patch that removes these GWX related updates, but now they brought one of those patches back?

    • Martin Brinkmann October 5, 2016 at 7:00 pm #

      Those patches were not removed by the "removal" patch. The main issue with these two patches is that they are back, and no one knows why.

      • Rotten Scoundrel October 5, 2016 at 7:52 pm #

        Ummm, a first guess is, it's October and now batched and non-optional updates will happen from here on out. Enjoy...
        https://tech.slashdot.org/story/16/08/20/1826256/microsoft-announces-cumulative-updates-will-become-mandatory-for-windows-7-and-81

        And people ask why I mostly use Ubuntu. Which by the way, has an update-supported version of Pale Moon.

      • Martin Brinkmann October 5, 2016 at 8:06 pm #

        Yeah things will start being quite problematic when Microsoft unleashes cumulative patches. We have seen already how bugged things are on Windows 10, and that's an OS MS cares about a lot.

      • John October 6, 2016 at 12:00 am #

        Guess (Windows version of) Haloween is coming....

      • Mikhoul October 6, 2016 at 6:49 am #

        "things will start being quite problematic when Microsoft unleashes cumulative patches. We have seen already how bugged things are on Windows 10, and that's an OS MS cares about a lot."

        I only have my small tablet with Win10 and I use it mostly as a Ebook Reader and as a test bench to familiarize me with Win10 to be able to support users.

        But I always wait 3 weeks at least before doing any update on Win10 to be sure that bugs are squashed before installing it, I don't want to be a Alpha/beta tester for M$FT. But with the AU at this date I've NOT even tried to install it too many bugs. I just look once every week on Reddit Win10 sub to see if the water is cold or warm... :P

        On my other system it is Win 7 and I will do the same and install also WinUpdateMiniTool to have the choice of the update I want install but again I will delay every fix/update for 3 weeks at least.

        The worst virus or exploit I've seen in my life are not from hacker but from M$FT since the Win10 saga. So when you wight the REAL risk it's better than stay "unprotected" for 3 weeks or even more than installing the Alpha-Pre-re-re-release updates/fix from M$SFT.

        I never encountered so much users having there systems becoming useless, losing days of work and lot of money from installing an upgrade/update.

        At the end of Win7 I will migrate to Win 8.1 and after to some linux flavors... :)

  4. Janur October 5, 2016 at 6:57 pm #

    I have KB2976978 on W8.1/64 now as Optional.
    Installed as Recommended ‎8. ‎3. ‎2016
    Installed as Recommended ‎10. ‎2. ‎2016
    Installed as Recommended ‎12. ‎1. ‎2016
    Installed as Recommended ‎16. ‎10. ‎2015

    • Martin Brinkmann October 5, 2016 at 7:11 pm #

      At least some users reported that it was offered as important and optional to them (see the Infoworld link)

    • T J October 5, 2016 at 7:28 pm #

      I bought a new laptop two weeks ago with Win 7 installed on drive C as a "retro" install.
      The HDD also has a partition named D. This contains the necessary folders and files needed to install Win 10.
      Most of the folders and files are locked as system files so that they cannot be deleted.

      KB2952664 turned up in Win updates five days ago as recommended. As I have " check for updates ...." set instead of auto update I simply hid the KB.

      NB As I was typing this, I checked Win updates again. Guess what was listed as an optional update this time.
      That unloved, despised, KB2952664. I hid it again :) I love playing hide and seek with Microsoft NOT. :(

      • Rotten Scoundrel October 5, 2016 at 7:58 pm #

        @TJ, look for a Registry Manipulating process called "TakeOwnership.zip" unzip, install and run (it alse has an uninstall option) . using windows Explorer there will be a right-click option to try taking ownership of the Folder(s) on D drive. Might be able to remove them then.

      • Anonymous January 9, 2017 at 6:02 am #

        just boot safe mode you can delete them. or make a linux boot disc and do from there

  5. Chryss October 5, 2016 at 7:27 pm #

    Maybe a dumb question, but is there a guide somewhere for blocking telemetry or M$ phone home for Win 7?

    • Gary D October 5, 2016 at 7:35 pm #

      @ Chryss

      Martin has written a lot of blogs about telemetry blocking, etc, since July 2015.
      Click on the Windows box at the top of the page and type (e.g.) Windows Telemetry.

      • Chryss October 5, 2016 at 7:49 pm #

        @ Gary D - Thanks :) I have done that, but was hoping there might be some sort of condensed guide, as it's a lot to try and sort through.

    • Yuliya October 5, 2016 at 7:51 pm #

      As seen on Windows 7 x64 Ultimate:

      KB2952664
      KB3021917
      KB3068708
      KB3080149
      KB3184143
      KB971033

      All you have to hide afaik.

    • Anonymous October 6, 2016 at 1:36 am #

      Try Spybot Anti-Beacon

    • John M October 6, 2016 at 1:41 am #

      Try Spybot Anti-Beacon and Windows Privacy Tweaker.

      Also run the following every time you boot up your PC to keep the choices always green:
      sc config "TermService" start= disabled
      sc stop "TermService"

  6. LD October 5, 2016 at 7:29 pm #

    What is the point in hiding it? Monthly cumulative rollups start on W7/8 in October (next Tuesday). This patch will eventually be included in a monthly rollup after October and you will not be able to remove it or hide it. The only way to avoid it, is to not install any monthly rollups sent through Windows Update.

    MS is not shooting itself in the foot (again), they are merely waving the gun around the room and everyone is either ducking or putting their hands up.

    • Yuliya October 5, 2016 at 7:49 pm #

      There are two ways around this:

      First is Simplix UpdatePack7R2 (curated update pack for 7sp1, does not include any telemetry updates or w10 related ones)
      http://forum.oszone.net/thread-257198.html

      Second is WSUS Offline Update (manual download and install whatever/whenever you want, supports Vista+ and Office2010+)
      http://www.wsusoffline.net/

      I'd go ahead saying that using either of these two solutions is faster and more convenient than the traditional Windows Update. Knowing what's coming next month I already disabled WU. So it make sense in blocking those updates for people who received them and don't happen to be in the "ive got nothing to hide" camp.

      • ivanionello October 5, 2016 at 9:08 pm #

        It has strange certificate in system after update. (:

    • T J October 5, 2016 at 8:05 pm #

      LD

      To start with, Microsoft has made such a balls up of a lot of updates in the last eighteen months for 7 / 8.1 / 10, I do not trust the integrity of the update system.

      I will not be installing the monthly cumulative roll up for W7 in October or in any future month UNLESS Microsoft gives a FULL explanation of the roll up contents. If I do install roll ups, it will not be for at least two months after the release date in order to avoid a borked OS.

      Currently, apart from KB2952664, I have the following KBs hidden:
      15 IE11 security updates. I never use IE11.
      37 "if an attacker logs on to an affected ...." My Laptop is a standalone machine so they cannot log on.
      9 (I think) updates for Russian, etc, time zone fixes.
      As I am not attached to a Local or Remote Server, I have hidden about 40 KBs fixing vulnerabilities in Network Servers.

      If I had had auto update enabled, I estimate that MS would have installed over 1.5 Gigabytes of unnecessary / unneeded updates. That's a waste of my time and HDD space when I have to uninstall them.

      • Pete October 5, 2016 at 8:36 pm #

        "15 IE11 security updates. I never use IE11."

        There still seem to be people who doesn't understand that IE is baked into the system so, that even if you never open/use IE application, some other 3rd party programs can use IE engine (there are many programs that use IE engine). Which means that you definitely should install IE patches.

      • seeprime October 5, 2016 at 10:58 pm #

        Windows uses IE to send telemetry data as soon as your PC is online. You should keep it up to date. You should disable recommended updates, although it may be too late to have that make any difference with the borked cumulative updates starting this month.

      • T J October 6, 2016 at 12:14 am #

        Update

        @ Pete. I know that IE is baked in but 3rd party programs cannot use it because IE 11 is disabled on my Laptop. That's why I never use it.
        Also, I have blocked (hopefully) all the MS phone home telemetry sites in my Firewall using the various Hosts File data lists on the Internet.

      • Corky October 6, 2016 at 2:02 pm #

        Pete is correct, just blocking IE.exe from running isn't enough, like he said many program use the IE rendering engine and/or make calls to IE related dynamic link libraries (mshtml.dll, inet.dll, and others).

      • Tom Hawack October 6, 2016 at 2:49 pm #

        So many programs indeed call IE routines and fortunately disabling our use of the IE browser will not prevent applications using IE routines to work.

        There is a simple way to totally prevent Windows from using IE routines as well but that will prevent many applications from performing correctly.

        Doing as follow blocks all of IE calls but many apps just won't be able to run correctly :

        Step 1. From IE select Tools/Internet Options/Connections/LAN Settings.
        Step 2. Put a tick in the check box next to "Use a Proxy Server for your LAN ...”
        Step 3. Type in "0.0.0.0" in the address box and "80" in the Port box. Don't type in the quote marks of course, just what's inside them.

        Source: http://www.techsupportalert.com/how_to_disable_internet_explorer.htm

        I've tried it... an abomination!

      • Corky October 6, 2016 at 5:02 pm #

        @Tom Hawack, Another partial solution as that (afaik) only blocks Windows from using port 80.

        IE security updates should be treated in the same way as Windows security updates, while you may never interact with IE Microsoft have integrated it so tightly into the OS they are basically one of the same thing, sadly.

      • Tom Hawack October 6, 2016 at 5:55 pm #

        @Corky, there's something I don't understand, because I don't "conceptualize" it as they say :

        An OS will always provide drivers to allow applications to establish connections, right? So is it Windows that uses IE to establish connections or is it IE -- and whatever application -- that uses Windows (its dedicated internet connection drivers) to connect to the Web? What I mean is this : say, tomorrow, Microsoft releases a new OS with no browser : there will still be drivers dedicated to connecting to the Web, no? In other words he who codes the OS is the ultimate master of all applications connecting to the Web from that OS ...

        You see what I mean? That's the idea I'm battling with :)

      • Corky October 7, 2016 at 8:44 am #

        @Tom Hawack, Yes the OS provides the drivers (part of the transport layer) but the way Windows and other applications connect to a network/internet are first handled through an API (of sorts).

        The problem however isn't so much IE or 3rd party applications requesting something from the internet in the traditional sense however, it's that the API's Microsoft made available to developers for making connections and rendering a HTML are left exposed, for instance a 3rd party application could make use of one of these functions without your knowledge...
        https://msdn.microsoft.com/en-us/library/windows/desktop/aa385473%28v=vs.85%29.aspx

        In other words even if Microsoft released an OS without IE there's still a need for the OS to present some way for programs to make connections, it just so happens Microsoft have blurred the line between what should really be the OS's responsibility and what should be the browsers.

      • Tom Hawack October 7, 2016 at 9:48 am #

        OK, Corky, thanks. In other words drivers may be neutral and APIs not, at least when their interference is questionable ... I'm trying to understand but I definitely lack the basics.

  7. khidreal October 5, 2016 at 8:56 pm #

    is there any list of Kb's to be hidden on windows update? I am running windows 7, and I would like to keep running it and avoid those telemetry updates like KB2952664 LOL

    • khidreal October 5, 2016 at 9:00 pm #

      actually I found a list on this site: http://www.wilderssecurity.com/threads/list-of-windows-7-telemetry-updates-to-avoid.379151/
      and this one: https://www.quora.com/Which-Windows-7-updates-should-you-avoid-and-why?share=1

      those are to avoid:
      KB2952664 Compatibility update for upgrading Windows 7
      KB2990214 Update that enables you to upgrade from Windows 7 to a later version of Windows
      KB3021917 Update to Windows 7 SP1 for performance improvements
      KB3022345 Update for customer experience and diagnostic telemetry
      KB3035583 Update installs get windows 10 app in Windows 8.1 and Windows 7 SP1
      KB3068708 (replaces KB3022345) Update for customer experience and diagnostic telemetry
      KB3075249 Update that adds telemetry points to consent.exe in Windows 8.1 and Windows 7
      KB3080149 Update for customer experience and diagnostic telemetry
      __
      KB2952664
      KB2976978
      KB2977759
      KB2990214
      KB3021917
      KB3044374
      KB3035583
      KB3139929
      KB3150513

      KB3021917
      KB3022345
      KB3068708
      KB3075249
      KB3080149
      KB3081954

      in order to keep away those telemetry upgrades and upgrade to windows 10 ones.
      I actually just fresh installed windows 7 day 1 October and already had 5 of those installed.

  8. Tony October 5, 2016 at 9:17 pm #

    Microsoft has really gone downhill. It's a horrible experience trying to use and maintain their software.

    The lack of information Microsoft provides is wholly unacceptable.

    Martin, perhaps as a journalist with a popular blog, you can ask them for an explanation.

    • Corky October 6, 2016 at 2:05 pm #

      Like every other journalist he'd probably just get a standard boiler plate reply.

      • T J October 6, 2016 at 3:50 pm #

        Corky and Tom Hawack (Tom for the link)

        Thanks for your input re IE. There was me thinking that MS had made something easy for a change:-(

    • Martin Brinkmann October 6, 2016 at 2:37 pm #

      Never had a contact at Microsoft, probably never will have. Tried several times at establishing contacts but it never went anywhere. MS seems to ignore this blog for the most part. Well, it is what it is.

    • Lurker111 October 8, 2016 at 3:38 pm #

      The problem with Microsoft, and specifically Microsoft Windows, is that it was an OS built by enthusiastic newbies without any business perspective.

      E.g., how in HELL can you design an OS that is so prone to hacking? Security of software should have been designed-in from the beginning, not added in layers upon layers of ever-more-complex patches.

      The Microsoft file permissions system is a nightmare. Sometimes, when a permissions issue is at hand, you don't even get a message giving you a clue as to what's going on.

      The idea of having to "install" products, instead of just copying software into an empty directory and running it from there, had to have been an anti-piracy boondoggle that did nothing except add unneeded complexity.

      Say what you want about IBM and their lack of later innovation. But their shit RAN. I never had a problem with an IBM package. AND, updates didn't break existing code. E.g.: Going from VB6 to .crap -- all of the totally unnecessary language changes. Why? To satisfy some C freaks who happened to gain power in the company? And don't get me started on the lack of orthogonality in the syntax of .crap.

      Ah, shoot. Just wanted to vent. Sorry.

  9. meepmeep October 5, 2016 at 9:55 pm #

    New Microsoft motto: We will add your biological and technological distinctiveness to our own. Your culture will adapt to service us. Resistance is futile.

    • Gary D October 6, 2016 at 12:08 am #

      @ meepmeep

      I bet you still think about 7 of 9 in Star Trek. I do ! What a bum phwoar !!!

  10. SHILL October 5, 2016 at 9:59 pm #

    MS "Experience" at its higest levels.

    Enjoy "'YOUR"' MS Eco-system,

    O' Gullibles.

  11. Parker Lewis October 5, 2016 at 10:08 pm #

    With a great Firewall and knowledge to configure it, this is not really an issue.

    Regarding cumulative updates, I for one like the concept because I tend to image my system and reinstall a clean version once a year. Windows Updates then takes forever to update my fresh install, and after a reboot and another Windows Update check there's always more and more to install.

    I'm hoping it will also be much easier to download a cumulative update manually with Firefox, without letting Windows phone home through Windows Update.

    Microsoft crapware that is not allowed to access the web is not a danger anyway, just a resource drain, which is a lesser evil. And so far there has always been a way to disable annoying stuff on Windows, whether it was through regular means or Regedit, group policies, task scheduler, ... I don't know about Windows 10, so I'll just install Enterprise when I get to it, one of these days. That should do the trick.

    Now I agree that being able to pick your updates one by one was neat for system administrators, but it was also a bother. And likely a nightmare for Microsoft engineers.

  12. RichardT October 5, 2016 at 10:55 pm #

    After more years than I care to remember running Microsoft windows at home, I finally removed it from the last PC this week. Now all my machines are running Linux Mint. My only regret is that I can no longer use Capture One to process my raw photos. Otherwise it is a great relief to be free of all the hassle caused by Microsoft's aggressive and underhanded tactics, as well as all the blunders they they are committing in the update process.

  13. Tom Hawack October 5, 2016 at 11:00 pm #

    I've spent over a year battling with every Windows Updates in an effort to keep the good and avoid the bad patches (Win10 & Telemetry Associated). Enough. I have stopped and set to disabled Windows Updates and BITS services, I have moreover set the hosts file, the firewall, DNSCrypt and Peerblock to not only block anything to do with Windows updates, but also all available IPs and addresses referring to Microsoft, as well as disabling all system tasks pertaining to possible tracking. This means not only totally avoiding as far as possible the Microsoft tracking and intrusive machinery but boycotting as well all Microsoft sites. I can no longer take it, and from what I read I'm not the only one.

    Reading this article confirms what I knew from May 2015 to August 2016 and confirms what I suspected more than feared (fear vanishes with determination and determination rises with certitude). Microsoft's quasi monopoly in its extravagant decadency.

  14. 420 October 6, 2016 at 12:56 am #

    breaking news at 10, microsoft alienates more of it's customer base. on a related note linux sees a sharp uptake in new users, more to follow at 11

    • Parker Lewis October 6, 2016 at 2:17 am #

      Sadly, Linux seems to have no concept of application based firewall, something I consider a serious privacy weakness. Admittedly, I'm not a Linux expert since there's no way I'd use extensively a system on which I wasn't able to replicate "Windows style" per-program rules. (Android does have Netguard, but Android is special.)

      • yossarian October 6, 2016 at 8:53 am #

        Gufw firewall

      • asdf October 6, 2016 at 12:50 pm #

        +1

        http://gufw.org/

      • Corky October 6, 2016 at 2:12 pm #

        Probably not the most user friendlily firewall but "iptables" has been part of the Linux kernel for the past 18 years.

      • Parker Lewis October 6, 2016 at 2:52 pm #

        It's not application based firewall ;)

      • Alan Robertson October 7, 2016 at 12:48 pm #

        Hello Parker, yes I would like that option too. I use Zonealarm in Windows to do this but there doesn't appear to be anything in Linux that can block per app. However, having said that GUFW can block incoming connections by default which sadly Zonealarm doesn't do by default - you have to manually do each entry (real pain). Most Linux apps can be controlled by blocking or allowing ports that they use. As Linux software is open source most apps don't tend to do anything "funky" like their Windows equivalents so I tend to trust them more. It takes a bit of time to get used to that fact that well written open source software can be trusted as Microsoft and the applications that run on Windows generally cannot be trusted by default. If you want to see what ports are open and what is running then try sudo netstat -natp. You'd be surprised how few ports are actually open in Linux. Conversely try doing the same netstat in Windows 10 and prepare to fall off your seat! It opens everything..... Windows 10 is like the noisy kids at the back of the class that just won't shut up and blabs everything out over the net. Linux uses your network far more efficiently than Windows ever will.

      • Parker Lewis October 8, 2016 at 4:12 pm #

        Linux is definitely the most trustworthy OS of all, but as I said down the list of comments there shouldn't be a need to trust in the first place, because that is in itself a weakness when it comes to tech.

        My firewall on Windows can be setup to block *everything* by default. No packet goes through at all, in or out. Then I can decide what I want. E.g. WiFi, DNS lookups, outgoing connections for Firefox through a handful of ports... Then I don't need to touch anything.

        So when I do netstat in Windows, I see no port open and no connection that I am not already aware of and in agreement with.

  15. JR October 6, 2016 at 2:03 am #

    Still wondering why anyone who buys a new PC would even think about wanting Windows 7 or 8.1 on their system. Even PCs that are about 5 years old benefit from Windows 10. Anything Older I could understand. Windows 7 is going to be like XP. All these people grudgingly holding on to an old archaic OS. Nearly ALL people running Apple OS's update within the first month of a new OS coming out. Why are Microsoft people sooooo hell bent on keeping their garbage?

    • T J October 6, 2016 at 2:32 am #

      @ JR

      "Still wondering why anyone who buys a new PC would even think about wanting Windows 7 / 8.1 on their system".

      Well, Win 7 is as fast as Win 10 (tested- see Blogs on the Internet).
      I can choose whether or not to install updates. They are not forced on me.
      The Desktop screen is not stuffed with Tiles for games, Metro apps, and links to Facebook, Twitter, Skype, etc. which are part of the "wonderful" all singing all dancing Universal Windows Platform.

      So you think that users like getting their PC/Laptop borked every time MS rolls out new "updates" for Win 10.
      I've tried Win 10 and it is an under-developed, badly written and engineered OS which is still not out of Beta after 15 months. Win 10 is fine for Note Pads but not Desktops/Laptops.

      However, reading your comment, you appear to be an Apple user. If so, I hope that you like playing in Apple's walled garden.

      Finally, it is XP not ZP.

    • Parker Lewis October 6, 2016 at 2:45 am #

      Windows 7 is the most used desktop OS in the world. There's some time before it becomes like XP :)

      Upgrading Windows in-place has historically not been a wise process. Even upgrading to 10 could turn bad, though more rarely. (From now on it should go smoother since Windows 10 is meant to rely on in-place updates.)

      Windows deals with lots of different hardware and third-party programs, and it's architecturally more open and flexible than OS X, so of course it is harder to do major upgrades.

      The other reason is that moving over to a new system with a new UI is a bother. It takes time, reduces productivity, changes habits, and you have to figure out all those privacy, security and convenience tweaks. If you want to regain complete control over the OS it takes even more time.

      Meanwhile, a major OS update is not reputed to have been tested enough on release day, so there's no rush. I ignored Windows 8 and 8.1 because on top of this all, architectural changes made two programs I rely on less interesting. I would have been gimping myself going to 8.1 even if I was ready to go through the usual "new OS" hurdle.

      I will move to Windows 10 when I have some time. Windows 10 Enterprise LTSB 2016 released this month sounds like it fits all of my requirements listed above, so I guess I should make time. But honestly I'm in no hurry since I need none of the new features and Windows 7 is still very much supported and is still a better place to hide in terms of fingerprint at the moment.

      Plus I will have to change my firewall, something I really don't look forward to.

    • Corky October 6, 2016 at 2:13 pm #

      Because the alternative (Windows 10) is one of Microsoft's worst ever operating systems.

  16. Colin B October 6, 2016 at 2:37 am #

    M$ is making a great job of annoying and hassling its own customers !

    Many people are considering moving to Linux or have made the move.

    I've used all versions of Windows. I can say without a doubt Windows 10 P me off.

    I've moved fully to Linux. I use Linux MATE,

    The are versions of Linux for the home and business user.

    The move to Linux is very slowly gaining momentum.
    Whats needed is bloggers, site owners and tech media cover Linux more.

    (On the subject of Firewalls in Linux there are firewalls its a mater of Googling and doing a little research. )

    If your considering switching or duel booting there are buckets loads of How to's, Tuts , Wiki's on installing / using Linux.

    Perhaps Martin might start a Linux section.

    Any ways some love Windows , Some love Linux is a matter of personal choice

    • Parker Lewis October 6, 2016 at 3:18 am #

      I know of no application based firewall with an UI on Linux. People on Linux tend to say it's not needed due to the OS architecture but I completely disagree for privacy reasons.

      They *can* exist, I think, but I know none. Linux users don't appear to be interested in such a tool. Only Android, which as I said is special, has this small no root app that does the trick, Netguard. Netguard is less than a year old.

      Just a quick search on Startpage found me this: https://ubuntuforums.org/showthread.php?t=2248672

      • Khidreal October 6, 2016 at 6:55 am #

        you just don't need because on linux you should only install Opensource, because those are revised even by general population about their security, privacy and reliability. like 90% of all apps made for linux have their source code available on GitHub and there there are people, like you and me with knowledge that spend their time reading the code, trying to find holes and ways to exploit privacy.
        while if you use free software instead of Opensource (example: chrome) nobody can know what a company is making behind your sight.
        people that use Linux for longer time realise Opensource is better: it's shaped to what users need and users can be actively helping develope the program with suggestions and even knowledge (like giving the code to do something). for this motives linux does not has not much of firewalls, specially with UI.

        besides that, I was using fedora for a bit, and a thing I noticed is that population, in general, rely too much on the terminal to do something. for example, while searching how to install a program, I found a huge tutorial on terminal to install it. did it, spent my time copy and pasting code for 5 minutes... and than I read on a comment: "or simply go to the program center and download through it"... it made me mad xd. than on linux there's the mindset "there's already this feature as add-on or as a program, why implement it into the OS? (which is making the OS less user friendly); and ofc, the lack of support from companies... if there were more companies supporting their products and investing on Linux (specially more actively) there would be maybe a firewall from Comodo or something for linux.

      • Parker Lewis October 6, 2016 at 3:37 pm #

        ..................
        " you just don't need because on linux you should only install Opensource, because those are revised even by general population about their security, privacy and reliability. like 90% of all apps made for linux have their source code available on GitHub and there there are people, like you and me with knowledge that spend their time reading the code, trying to find holes and ways to exploit privacy. "
        ..................

        Well, open source products are not a guarantee that there will be no phoning home. I'm using right now a major open source product that does phone home unless you configure it carefully, and it's called Firefox :)

        I am letting Firefox do outgoing connections on a number of ports because I trust it because I know it upside down and know that I have disabled all network leaks. There's no way I'm letting any random program do the same, which is why application based firewalls are a necessity and why I won't use Linux without one.

        Also I don't want to ban closed source programs, I have no reason to, especially since with an app-based firewall their outgoing connections can be sniffed and filtered or blocked entirely.

        Unless I'm missing an ultimate argument that I never heard being expressed over the years, and never figured out on my own as I evaluated Linux, "You don't need app based firewall on Linux" is the denial of a legitimate need. Of course not all users attach the same importance to this need, but it's a showstopper for me :)

        To each their own as usual ;)

      • swamper October 6, 2016 at 5:24 pm #

        This is part of my ufw configuration. Except those 3 ports I allow below everything else is blocked. EVERYTHING! I use this exact same configuration on my desktops and partly on my servers. In my experience if an app on Linux wants to phone home there is a setting in the app itself that allows you to turn that off. I install Linux apps like Martin Brinkmann installs Windows apps. Phoning home is not a very big issue IMHO on Linux. At least not on a Debian or derivative of it and Arch Linux. I avoid Ubuntu and derivatives if possible. Debian being so strict on what apps are allowed to be installed from Debian Official repos simplifies the worry you have about random apps phoning home. Arch is in the same boat. Ubuntu is much more open and with that openness goes an element of security.

        UFW is run by a whole pile of servers that are wide open to the internet and any attack vectors that live there. It is more than capable of handling anything you get on your desktop. Granular control that you appear to be looking for is not necessary on a Linux desktop. You just block the ports on the entire system and be done. Unless you are running a server you should only need the 3 ports I allow below.

        If you are nervous about an app put it inside Firejail or any other jail/sandbox app you can tolerate. When you think Application Based Firewall think jail/sandbox in Linux. You are in effect using a firewall to do exactly what a jail/sandbox does. The difference is the app still has access to your entire OS with firewall blocking and does not with a jail/sandbox.

        I've been in Linux since 2001 and have spent a good deal of time setting up and configuring desktops and servers for personal use. I don't know what the multitude of connections is you are speaking of Firefox (or it's addons) making but with UFW configured like this it can only make http and https connections through 2 ports.

        #1 thing to remember, Linux is not subject to the same issues as Windows and never will be. I see lots of Windows users struggle because they don't think they are as secure because the tools don't exist that exist in Windows. They don't exist for a reason and it's not because nobody has made them.

        Apparmor and SELinux both add extra levels of protection but along with that the level of configuration complexity goes way up. Apparmor and SELinux will lock up your system. They will also lock up your system from you and have a very steep learning curve. IMHO neither are necessary on a desktop. I would run those on servers that are open to the internet.

        Install ufw/gufw. It's easier just to get on the command line with only ufw and do the below.

        Allow connections on ports:
        $ sudo ufw allow 22 && sudo ufw allow 80 && sudo ufw allow 443
        (22 is ssh, 80 is http, 443 is https. You don't necessarily need to allow 22 if you don't use ssh)

        Turn on UFW:
        $ sudo ufw enable

        Check that your settings are applied:
        $ sudo ufw status

        Whew! It's just not easy to explain all that to somebody that doesn't yet understand Linux. Maybe this will help somebody a little.

      • Parker Lewis October 6, 2016 at 11:55 pm #

        Yes, Firejail sounds helpful!

        Your main arguments are Firejail and Debian's repos. Leaving them aside for a moment, the problem of your proposed firewall configuration is that anything can be transmitted over the three ports you're mentioning. Most home phoning crap actually goes through 80 or 443 by default, so if you allow those two ports for web browsing you also allow them for anything else without an app-based firewall.

        Debian's centralism is an argument if you can trust it in three ways. Competence: I trust that no malware or blatant spyware is distributed. Honesty: Centralism itself is an opportunity for data mining. (Here I should read their privacy policy) Alignment of interests: Are they curating the apps in a way that suits my privacy needs ?

        I'd rather completely free myself from the necessity to trust, which is possible by controlling network access with an app-level granularity.

        The solution I've been looking for could be Firejail indeed, sounds like it could work as a per-app network filter. If so, damn, thank you. People should just mention this instead of second guessing you with a "you don't need app-based firewalls" :)

        .........
        " I see lots of Windows users struggle because they don't think they are as secure because the tools don't exist that exist in Windows. They don't exist for a reason and it's not because nobody has made them. "
        .........
        In our current case it's not a matter of tools but a matter of feature. Some apps should be allowed port 80 and 443, but not all apps, only a select few actually. If Firejail does provide such a feature without problematic drawbacks, that's cool. It doesn't matter that it is called app-based firewall or app-based network sandboxing :)

        Except of course, that you probably can't sandbox all apps. Firejail sounds like it is blacklist based, only a few apps can be forbidden network access. I'd much rather have a whitelist, only a few apps are filtered or allowed network access, since I see no reason to trust the OS and its default programs in this day and age, even if Linux is indeed the most trustworthy of all.

        This imperfect article describes more or less Linux struggles with application-based firewalls. There are stackexchange/overflow and superuser links in there that illustrate the situation, for those interested.
        http://www.dedoimedo.com/computers/linux-per-application-firewall.html

      • Parker Lewis October 7, 2016 at 12:10 am #

        ..........
        " I don't know what the multitude of connections is you are speaking of Firefox "
        ..........

        Mozilla provides an up-to-date list which also serves as a guide to disable everything:
        https://support.mozilla.org/en-US/kb/how-stop-firefox-making-automatic-connections

  17. fena October 6, 2016 at 3:16 am #

    I have windows 7 with service pack 1 & do not allow any updates at all. None since I installed about 6 years ago. I have no problems with the system none with virus' nor malware. I would not buy a computer with windows 10. Here in Thailand that's ok because most computers only come with freedos or linux...ps piracy is rampant.

  18. Anonymouse October 6, 2016 at 9:12 am #

    How many people are actually signed up for the Customer Experiance Program?

    • Martin Brinkmann October 6, 2016 at 10:25 am #

      Is not that enabled by default and opt-out?

      • Yuliya October 6, 2016 at 12:33 pm #

        On 7 CEIP is disabled by default. Those updates might enable it though. Error reporting if On by default though.
        imgur com/KIlh4oI

      • Anonymouse October 6, 2016 at 4:08 pm #

        While not totally relevant to the news post, I am very much unsure if it's enabled or not in Win10.
        Maybe this is handled by the Insider Program, thus I cannot control it
        imgur com/vhPec29

  19. Ann October 6, 2016 at 3:39 pm #

    Well Martin, for once I cannot agree with your statement that MS is pushing Telemetry to everyone.
    Like you said, this patch is for those who participate in the WCEIP This update performs diagnostics on the Windows systems that participate in the [b]Windows Customer Experience Improvement Program[/b]

    just like there is bound to be telemetry and phone home in all beta programs.
    If you just rely on customer email or web feedback , you miss a great deal of information.
    And This is opt in, as you choose to join the WCEIP.

    That beeing said, I received yesterday (sry forgot the KBGnr -G ) anew "the update to smoothen your upgrade to newer versions".
    But I got no new update to improve telemerty, which is normal as I don't use WCEIP.

  20. max October 6, 2016 at 5:53 pm #

    I'm so not going to let Windows update anymore once they switch to the mandatory cumulative updates.

    F@#& that.

  21. Jirka October 6, 2016 at 6:33 pm #

    Wsusoffline looks great, but I don't see a way how to choose what to install.

    • Jay October 10, 2016 at 5:05 pm #

      You can only select in general terms like Windows updates/ service packs or office updates and so on.
      As far As I know there is no way to disable specific KB not to include.

      There might be an undocumented way through the ini file.

  22. Kaolin October 6, 2016 at 10:31 pm #

    I was very concerned when I first read about the new cumulative update packages, but there will still be the possibility to download and install only the cumulative-security-patches-package. Only problem being that it won't be offered in Windows Update and you'll have to download it manually instead.
    I really don't see the big problem with that that everyone seems to make it out to be.
    Yeah, they can still theoretically put those annoying telemetry update components into one of those packages, but let's face it - they could have done that with the single update mechanism too.
    I wish they would just offer both packages (security + optional/others) in Windows Update but it sure won't stop me from doing the extra work to get only what I really need and want on my OS.

    • Ann October 12, 2016 at 10:55 am #

      no with the single item per update one can check and choose not to install that particular item. which I've done each time. Checking what the update was for and then choose to install it or not.

      For example, Summertime definition changes for Ukraine, Paraguay, ... I have no business there what so ever so why would i need to install those "critical" updates ? I don't even understand why these should be critical.

      further more on "metered connection", the all in one approach does put extra strain on that connection.
      Some countries still use limits , even over wired networks.

  23. GoneToPlaid October 13, 2016 at 8:17 am #

    I reckon that I too will move to linux based operating systems on all of my Windows 7 computers, and probably in the not too distant future if MS doesn't hit the brakes and stop shooting themselves in their feet. Yet for the time being and for you all, I have created and been updating an Excel spreadsheet which lists all of the Win10 related updates, all of the Win7 telemetry updates, and all of the other Win7 updates that I know of which can cause issues. I then periodically turn the spreadsheet into a printable PDF which I upload to Dropbox. My comments in the PDF list issues which I found after reading online articles about these updates, or issues which I have encountered. So here it is (last revised on 2016-10-03):

    https://www.dropbox.com/s/owla84eu5rpwi4f/WINDOWS_7_UPDATES_TO_AVOID.pdf

    In the above PDF, you will see that there are nine Win7 updates which install telemetry. They are:

    KB3125574
    KB3118401
    KB3080149
    KB3075249
    KB3068708
    KB3022345
    KB3021917
    KB2999226
    KB2952664

    If your Win7 computer is opted in to the CEIP program, you might want to opt out of the CEIP before uninstalling any of the telemetry updates. Why? Do you really want MS knowing that you are deliberately uninstalling these telemetry updates? At least opting out of CEIP kills most of the telemetry, but not all of it.

    • jay October 13, 2016 at 10:58 am #

      Looolz sry I've said it before , if you opt in into CEIP, then you opt in into telemerty.
      there is no benefit for joining CEIP without it.
      That is also the only place that i find telemery allowed. CEIP and bug reports.

      I'm not a MSFT afiliate or employee or anything, but I am a programmer, and sorry when we need to solve bugs you need to know the context. and I do have everything blocked and still loving win7.
      BUT
      I had a customer just like your last remark, having a complaint that "his reports were not correct" and that was all the information he would give me. I had like 30 reports for that guy, I wrote the program that controlled his whole factory, and had all real time data at hand. But he was one of the "upper guy's" and did not seem to realise that.
      After 15 questions i get some more info , the report in question and that the reported quantity was for him not correct. I forgot the exact figures but let say the day production gave "only 56 tons" and he expected 65 tons.

      In my case that is possible to do , to ask fifteen thousand questions to get to the bottom , but if you are dealing with thousands or even millions of customers this is no longer possible and you need information directly at hand.
      When you join CEIP , it purpose is just to see what and how you are working , who changes affect you and even more you have agreed with it by joining the program.

  24. retired November 4, 2016 at 10:50 am #

    Data in the land of OZ or Down Under is at least 5x the cost anywhere else and capped like mad. Security is not a priority for a majority of organisations, including government who only around 25% would report a breach in spite of it being law.

    We don't need microsoft collecting telemetry, the gov already does it thanks. Well the government forces all providers to collect meta-data, which under the law is really all the data you want to bother collecting on people, then it's stored in China where it's cheap.

    Windows can send data encrypted impersonating user account via proxy so it's not like the telemetry can be blocked easily. There is lots of stuff you can put in images and documents for them to collect, but it's probably best to keep sensitive data in a system other than windows. Windows machines can be used to play games on. Installing anitvirus is a real pain without internet.

    And that is why Loyd's puts Australia's IT security risk at 12 Billion, which is probably a conservative estimate. No one is bothering with their security because everyone else has the keys to the kingdom and no one wants to talk about it at work. I always wondered why nearly all the admins were going bald.

Leave a Reply