Windows Security Only Update won't include Internet Explorer patches anymore

Martin Brinkmann
Jan 14, 2017
Updated • Jan 14, 2017

Microsoft's Nathan Mercer announced new servicing changes for Windows 7 and 8.1 in a new blog post on the Windows for IT Pros site on January 13, 2017.

The company switched to a new update servicing system for Windows 7 and Windows 8.1, and the server operating systems Windows Server 2008 R2, Windows Server 2012, and Windows Server 2012 R2, in October 2016. The company switched from releasing individual patches for security and non-security updates, to a rollup model.

Microsoft released update collections which included all updates instead of individual updates for Windows 7 and Windows 8.1.

Windows users and administrators ran into issues with the new update servicing model for those operating systems right away.

The first issue that users experienced was that the syntax for the updates was confusing. Microsoft releases three servicing updates each month for each of the supported operating systems:

  1. Security Monthly Quality Update (Monthly Rollup) -- This update includes security and non-security updates for the operating system. It is cumulative.
  2. Security Only Quality Update -- (Security Only Update) This update includes only security updates. It is not cumulative, and not available through Windows Update.
  3. Preview of Monthly Quality Update (Preview Update) -- This update includes non-security update previews that Microsoft will release in the next month.

It is easy enough to confuse the monthly rollup update with the security only update because of the naming scheme for these updates.

windows updates overview

Microsoft revealed a supersedence issue back in December 2016 then that affected customers using WSUS or Configuration Manager 2007.

The main issue was that the installation of a monthly rollup update would supersede security only updates. This should not have happened, and Microsoft made changes to the system to prevent this from happening in the future.

Microsoft won't provide security only updates to PCs where a monthly rollup from the same month or later month is installed on. This was applied retroactively to all security only updates from October 2016 on.

This is accomplished through an applicability definition on the Security Only update, which checks for the installation of a Monthly Rollup (from the same or later month) to determine if it applicable on the PC. For example, if a PC attempts to install the February 2017 Security Only update, and the February 2017 (or later) Monthly Rollup is already installed, the Windows Update client will now report the Security Only update as not applicable. In addition to simplifying the installation scenario, tools that leverage such applicability for deployment reporting would see the Security Only update as not needed on the PC.

The new change that Mercer announced on Friday excludes Internet Explorer updates from the Security Only update starting with the February 2017 updates.

This means that Internet Explorer updates will be offered as standalone updates from that month onward similar to how Microsoft .NET Framework updates are offered.

The change reduces the size of the Security Only update. It means however that users and system administrators will have to install the Internet Explorer patches separately.

The Monthly Rollup update will include Internet Explorer updates just like before, so nothing changes on this front.

Windows Security Only Update won't include Internet Explorer patches anymore
Article Name
Windows Security Only Update won't include Internet Explorer patches anymore
Microsoft's Nathan Mercer announced new servicing changes for Windows 7 and 8.1 in a new blog post on the Windows for IT Pros site on January 13, 2017.
Ghacks Technology News

Tutorials & Tips

Previous Post: «
Next Post: «


  1. BHR said on February 23, 2017 at 3:25 am

    Thank god!
    I recently started searching the Internet if the new servicing (monthly and security-only) would include some way to make an exception for IE11.
    I didnt find anything but stumbled over the IE11_BlockerToolkit I had downloaded once.
    Nice sidestory: Two days ago I installed an older cumulative update for IE11 because I had troubles with dialog boxes. I had the cumulative IE update via kb3197867 as a security only quality update already installed. Then wanted to install an cumulative update for IE11 from 2014 that would fix the dialog boxes issue. Better would have been I didnt install it.
    When I did and rebooted suddenly after a couple of minutes Internet Explorer 11 would make the CPU usage rise to 100% so that I would have to close all instances to prevent a crash. Most of the times this were just 6 or 7 tabs for news pages. I do use a virus scanner since I installed Windows 7 in the first place, so it shouldnt be something like a worm. I was able to uninstall the CU from 2014 but the issue remained. Later even removed flash so it must have been the CU from 2014 (system files might have been left on the harddisk) messed up things because I had installed this one after the newer one from 11/2016.

    So I decided to use system restore but it wasnt possible to go so far back, than as a last resort I uninstalled IE11 and was about to reinstall it. But figured out I didnt have any Internet Explorer at all on the

    I used the way described in this article to remove IE9 the ” Internet Explorer 9 Silent Uninstall ” from Friday, April 26, 2013 6:57 PM.

    With this I could remove IE8 some monthsprior to this event (if someone wants to try working without IE on Win7 and maybe also 8.1).

    So this is where it starts and why I’m here. Figured out there is a Windows 7 E and Windows 7 N edition. One without IE 8 and one without Windows Media Player. So if these windows versions exist there must have been an exception for systems not including IE at all.
    Thats why I tried to find something about the IE11 Blocker toolkit considering the fact that new microsoft servicing policy says basically “all updates in a month” with all neccessary stuff (without exceptions).
    I found that silly, because it may have been risky running a system without internet explorer and than getting delivered IE11 updates. May have been for example that the full installation of newer security updates might have failed.
    Not that I would be upset if IE11 was back because it might have become reinstalled somehow.
    Well how ever, I was just about to ask on technet if using the IE 11 blocker toolkit also allowed to block the installation of IE11 updates withing the security-only and monthly-rollups. But as you have this great news that IE 11 CU wont be included anymore, I’m really happy you posted this. Might have been in fear how to cope with the “whole or nothing”-situation. The thing is I dont trust automatic updates, I install them rather manually when I say its time, or I have the time. But everbody needs to know how to deal with update management for themselves.

  2. www said on January 17, 2017 at 11:19 am

    Ok, so where do you go to manually update IE11 by itself at?

    How about telling us, Martin?

  3. Curtis K said on January 16, 2017 at 6:33 am

    Internet Explorer is still here? I’m surprise this software have bad security.

  4. zund said on January 15, 2017 at 11:20 am

    microsoft still heading for self-destruction. fine. :|

  5. pd said on January 15, 2017 at 9:17 am

    Microsoft, you’re a bunch of retarded f wits. Ok, so they gave away the ‘crown jewels’ in order to get people to all upgrade to the one OS they could support more easily. That isn’t enough when that one OS is a half-arsed PoS. If they really wanted to get everyone on to the one (major) version of Windows, just release a decent, free version, you knobheads! Don’t try to con and bully your users into accepting an entirely half-arsed OS as the stick for getting it free (the carrot) and then continue bullying the people who have largely actually paid for your OS but who saw through your scheme or merely had any one of many other legit reasons for not upgrading!

    As usual, the IT industry is getting away with abusing people because there’s no regulatory framework and/or jurisdiction that can bring them into line. EU where are you now? Busy hassling Google? South Korea too busy hassling Qualcomm? Meanwhile the world’s OS company is getting away with a myriad of dodgy behaviour. If only Linux were a more legit alternative and not merely yet another example of 1% elitism dictating the choices available to long-suffering end users who just want an IT industry that is responsive to their needs more than constantly willing to push, prod and poke people into the corporate political direction it wants to go.

    Is it really so scary for Microsoft to admit many of their users don’t give a shit about whatever new ‘features’ MS wants to shunt down their throats? What’s the big deal if only 20/40/60 % of users want to opt into new ‘features’? That still gives MS a huge customer base. The rest of us can just install security patches and remain good netizens instead of inadvertant botnet nodes! FFS MS, just released “Security Rollups” and “Feature Rollups”. It’s …


    But oh no, MS have changed somewhat under Nadella but they’re still scared shitless that if they don’t abuse (“leverage”) their Windows monopoly through foisting whatever junkware they want to expose to ALL Windows users to, thereby maximizing potential customers (whilst annoying the shit out of those who are disinterested) in some new market segment, they can’t make any money.

    You will still make money with a portion of your Windows users who opt-in to your software Microsoft! You do not HAVE TO bully all of them with convoluted patch policies and adhoc decisions to pull your support for this or that critical bit of software!

    1. Anonymous said on January 31, 2017 at 7:41 pm


  6. The Roadwalker said on January 14, 2017 at 11:04 pm

    I’d like to meet the person at Microsoft who makes these decisions. Or maybe not.

  7. Corky said on January 14, 2017 at 7:08 pm

    So much for the rollup model making things easier, we now get IE, Windows, and .net in individual patches with both security and feature updates, x86 and x64 versions, and previews.

  8. Bobo said on January 14, 2017 at 6:25 pm

    Yeah, let’s not make things more confusing than they already are.. Blehhhh, Redmond..too many bosses huh? Let’s cut to the chase: you SO want to send out a kill-switch that decimates all Windows XP, Vista and 7 machines don’t you? A nice little full-screen window that says: install Windows 10 or all your files are gone. Now with Trump at the helm, maybe you can!
    Thank God for Ikey Doherty.

  9. Anonymous said on January 14, 2017 at 5:40 pm

    If Microsoft wanted to punish users of W7 wanting to install “Security Only Update”, well please tell Mister Mercer on the contrary it was the best news for a long long time.

  10. Attila said on January 14, 2017 at 5:29 pm

    I understand M$ is trying to ruin its own business. What I do not understand is why they are paying millions of $$ to their people for something anybody else with no or a completely disfunctional brain could accomplish much faster and for free.

Leave a Reply

Check the box to consent to your data being stored in line with the guidelines set out in our privacy policy

We love comments and welcome thoughtful and civilized discussion. Rudeness and personal attacks will not be tolerated. Please stay on-topic.
Please note that your comment may not appear immediately after you post it.