This list of updates have been expired for Windows 7/Windows 7 64 bit/Windows 2008 R2 on January 12, 2017. This seems to have fixed the slow scanning without the need for manual installs up front like KB3020369/KB3172605 KB2567053 KB2617657 KB2639417 KB2641653 KB2660465 KB2709162 KB2718523 KB2731847 KB2761226 KB2778344 KB2778930 KB2779030 KB2808735 KB2829361 KB2850851 KB2876315 KB2883150 KB2893984 KB2913602 KB2930275 KB3000061 KB3002885 KB3013455 KB3034344 KB3057839 KB3070102 KB3095649
They are old updates which already superseded by various updates before 2016 what @ch100 mean is that their metadata is removed and no longer pushed to WU/WSUS and they are not available for download anymore in MU catalog
You look at the Synchronizations under the Expired Updates column and where you see a large number, double click on the specific one to see the report. I copied the KBs manually from the report, few of them apply only to 64-bit version, which means Windows 7 64-bit and Server 2008 R2. Also when updates are expired, they automatically move into the Declined section. If you are interested in understanding WSUS better, check for anything written by Lawrence Garvin anywhere on the Internet. He sadly died unexpectedly not long ago.
It is a bit complicated to detail each of them. But if you check either WSUS or Microsoft Catalog, you will actually see the relationships between them. I briefly checked and I found that there are few of them being part of longer chains of supersedence, some of them in the middle of those long chains, some superseding each other. The net effect of expiring updates belonging to longer supersedence chains is that the calculations performed as part of Windows Update by svchost.exe are much lighter and as such the performance is dramatically improved. Saying that, you would still be better off by installing an optimised Windows Update agent like the one contained in KB3172605 or if you don't trust some of the components inside, then the next best is KB3138612, but this is not as good as KB3172605.
For those using WSUS, this means they are automatically expired, and as such invisible. A similar mechanism may be used at WU, as I was able to find an invisible SCEP Engine upgrade not long ago on the download servers, by having the URL sniffed previously. In WSUS the admin has the luxury to decline manually whatever needs to be and as such a well maintained WSUS server should have never had the slow scanning issue. Only that most admins either do not do maintenance, or simply do not have a clue about the slow scanning issue.
Hi, after installing on windows 7 all the security only updates: oct 2016: KB3192391 nov 2016: KB3197867 dec 2016: KB3205394 jan 2016: KB3212642 ie11: kb3210694 the Security Monthly Quality Rollup KB3212646 still appears after checking for windows updates. Is this normal? Thanks
It will always show the Quality Rollup even if you install the security only. Uncheck it and right click on it then select "Hide".
Hi, thanks, I did that, and after hiding all Quality Rollups, some old updates showed up: (my last checking for updates on this machine was on june 2016) KB3182203 (time zone) KB3168965 (windows kernel mode) KB3185319 (ie11) but the Microsoft Update Catalog says it is superseeded by Security Only updates of december, november and october already applied on my system?????
I think it is normal. I am not installing the Security Only updates, but they are only a subset of the Monthly Rollups. Security Only are normally installed outside of Windows Update and compared to a master list like Wsusscn2.cab and not with Windows Update for compliance and full patching.
I always wondered, why IE10 is offered as Important, while IE11 is merely Optional although both needs "optional" Platfrom Update, and IE10 is support-ended
I noticed the same thing, but if you don't know this, who else would be able to know? Just guessing. I think IE10 support-ended as is, it is still offered to Server 2008 R2 for reasons specific to business applications, in general Microsoft Server applications, like CRM, BizTalk, Sharepoint. It doesn't make much sense as browsing from the servers should be minimal, ideally at least, except for configurations like Terminal Server (Remote Desktop Host) or Citrix XenApp. My point of view is that IE11 is not so much different when compared to IE10, only that it sends a more neutral (not IE like) browser agent string. For that reason, IE10 is more compatible, while offering essentially the same functionality with IE11. I am not sure if IE10 is still offered to Windows 7. This is easy to test, by hiding IE11, I only did not test recently. I think IE11 used to be Optional but now comes as Important on a new installation, without being offered IE10 first. IE10 is not expired like IE9, so it should still be available. The Platform Update is another thing. It is Optional by itself, but if you install IE10/11 from Windows Update or even from the IE downloaded installer without the pre-requisites while allowing Internet access, the Platform Update is installed in the background, but in the history is flagged as Important. I know that the history does not matter being just a cache, but this is how it appears. You are probably right when saying that the difference between the various types of updates, Important (Security & Critical), Recommended and Optional is only cosmetic. In addition, according to WSUS (and Catalog I believe) there are other categories like Updates (no distinction there between Recommended and Optional) or Update Rollups, Feature Packs and Definition Updates (MSE, FEP, SCEP, Defender, but also Office Definitions/Junk Mail filter updates). Recommended updates have superseded sometimes Security Updates and as such, there should be no difference other than cosmetic.
I will do another test soon. I was under the impression that IE11 is presented as important for new installs only with SP1 right now.