If your organization’s Windows 7 PCs failed to install Microsoft’s two most recent monthly rollup updates or the September security-only update, it’s because the affected systems were missing a servicing stack update (SSU) that Microsoft released in October 2016.
Microsoft is preparing to rerelease a two-year old update for Windows 7 that’s necessary to avoid ‘error 0x8000FFFF’ when installing its latest security updates.
It seems this happened due to Microsoft’s patching nomenclature. That 2016 update, KB 3177467, was a ‘full servicing stack update’ for Windows 7 Service Pack 1 (SP1).
Microsoft labeled it as ‘critical’ but didn’t classify it as a ‘security’ fix, which apparently led those organizations that only install updates tagged with ‘security’ to skip it.
Two years later, that decision — based on Microsoft’s communications — caused some Windows 7 systems to report ‘error 0x8000FFFF’, and prevented these devices from installing critical security updates.
This problem affected customers installing the Windows 7 SP1 August 30 Monthly Rollup Preview KB 4343894, the September 11 Monthly Rollup KB 4457144, and the September 11 Security-only update KB 4457145.
“Installing the October 2016 Windows 7 SP1 servicing stack update (KB 3177467) first, and then applying the August 30 or September 11, 2018 updates mitigates this issue,” Microsoft’s John Wilcox said.
While this move fixes the issue, admins managing Windows 7 devices affected by this issue should take note of Microsoft’s definition of servicing stack updates (SSUs).
“Servicing stack updates, or SSUs, are periodic updates released to specifically service or update the software stack for Windows platforms,” explains Wilcox.
“These are fixes to the code that process and manage updates that need separate servicing periodically to improve the reliability of the update process, or address issue(s) that prevent patching some other part of the OS with the monthly latest cumulative update (LCU).”
In other words, SSUs for Windows 7 aren’t security updates, but they’re necessary to receive certain future security updates, and that’s why Microsoft in the past labeled them as ‘critical’ even though it didn’t previously class them as security updates.
However, it’s going to change that now by labeling all SSUs as ‘security’ and ‘critical’, even though strictly speaking they’re not security updates. And with good reason too, since customers will now know that future Windows 7 security patches can be contingent on SSUs.
To ensure that Windows 7 customers don’t overlook this dependency on KB 3177467, Microsoft will also reissue that update alongside the October 2018 Patch Tuesday update, and as per Microsoft’s new naming scheme, it will be tagged as a security update.
Microsoft didn’t spot this issue until now because its pre-flight tests apparently don’t include systems with missing SSUs.