Computer Help | Windows:

Secure A Clean Installation Of Windows 7/8.1/10

Version: Default* | Print Friendly With Images | Print Friendly Without Images

For: Windows 7 (32/64) | Windows 8.1 (32/64) | Windows 10 (32/64)

Last Reviewed/Updated: 17 May 2019 | Published: 14 Jan 2004 | Status: Active

  1. 1.  Introduction
    1. 1.1.  Windows Vulnerabilities
    2. 1.2.  Windows 7/8.1 Servicing Model Ending September 2016: Individual Security Updates
    3. 1.3.  Windows 7 SP1 And Windows 7 SP1 Convenience Rollup
      1. 1.3.1.  Security Updates For Windows 7 From February 2011 Through April 2016 Not Included In Windows 7 SP1 Convenience Rollup
      2. 1.3.2.  Security Updates For Windows 7 Included In Windows 7 SP1 And Windows 7 SP1 Convenience Rollup
    4. 1.4.  Windows 8.1 Update
      1. 1.4.1.  Security Updates For Windows 8.1 Included In Windows 8.1 Update
    5. 1.5.  Windows 7/8.1 Servicing Model Starting October 2016: Bundled Updates And Update Rollups Including Security Fixes
    6. 1.6.  Windows 10 Servicing Model: Cumulative Updates
    7. 1.7.  Servicing Stack Updates
    8. 1.8.  Identifying The Security Update Holes In Securing A Clean Installation Of Windows 7/8.1/10
      1. 1.8.1.  The Security Update Holes In Securing A Clean Installation Of Windows 7
      2. 1.8.2.  The Security Update Hole In Securing A Clean Installation Of Windows 8.1
      3. 1.8.3.  No Security Update Hole In Securing A Clean Installation Of Windows 10
    9. 1.9.  Compiling The List Of Security Updates For Windows 7/8.1 That Resolve Vulnerabilities That Do Not Require User Interaction To Be Exploited
      1. 1.9.1.  Listing And Reading The Microsoft Security Bulletins For Windows 7 SP1/8.1
      2. 1.9.2.  Determining That A Security Update For Windows Resolves A Vulnerability That Requires User Interaction To Be Exploited
      3. 1.9.3.  Determining That A Security Update For Windows Resolves A Vulnerability That Does Not Require User Interaction To Be Exploited
      4. 1.9.4.  Policy On Security Update For Windows Supersedence And On Adding All Of The Security Updates In A Microsoft Security Bulletin To The List
    10. 1.10.  Overview: How To Secure A Clean Installation Of Windows 7/8.1/10
      1. 1.10.1.  Overview: How To Secure A Clean Installation Of Windows 7
      2. 1.10.2.  Overview: How To Secure A Clean Installation Of Windows 8.1
      3. 1.10.3.  Overview: How To Secure A Clean Installation Of Windows 10
    11. 1.11.  Abbreviations
  2. 2.  Files To Download And Copy To CD/DVD Before Performing The Clean Installation Of Windows 7/8.1/10
    1. 2.1.  Files To Download And Copy To CD/DVD Before Performing The Clean Installation Of Windows 7
    2. 2.2.  Files To Download And Copy To CD/DVD Before Performing The Clean Installation Of Windows 8.1
    3. 2.3.  Files To Download And Copy To CD/DVD Before Performing The Clean Installation Of Windows 10
  3. 3.  Secure A Clean Installation Of Windows 7/8.1/10
    1. 3.1.  Secure A Clean Installation Of Windows 7
    2. 3.2.  Secure A Clean Installation Of Windows 8.1
    3. 3.3.  Secure A Clean Installation Of Windows 10
  4. 4.  Resources And Additional Information

1.  Introduction

Some Windows vulnerabilities can be exploited without user interaction as soon as the computer is placed online. Therefore, after performing a clean installation of Windows, it is necessary to resolve the known examples of these vulnerabilities before placing the computer online, including before running Windows Update or Microsoft Update.

1.1.  Windows Vulnerabilities

Windows vulnerabilities are flaws in the Windows operating system code that render Windows susceptible to exploitation. The successful exploitation of a Windows vulnerability results in compromise. Toward securing Windows, it is instructive to divide Windows vulnerabilities into two groups: 1.) those that require user interaction to be exploited, and 2.) those that do not require user interaction to be exploited.

For the Windows vulnerabilities that require user interaction to be exploited, compromise requires user interaction on the computer besides placing the vulnerable computer online (i.e., connecting the computer to a network, be it an Intranet and/or the Internet). User interactions that can result in compromise, known as triggers, include attaching external/removable drives or network devices, visiting Web sites, accessing/receiving/opening emails, opening email attachments, creating/accessing/opening/installing/joining/connecting to network resources including but not limited to servers/domains/devices/shares/files/etc. In other words, for the Windows vulnerabilities that require user interaction to be exploited, in the absence of the appropriate user interaction required to trigger exploitation, compromise cannot occur simply by placing the vulnerable computer online.

For the Windows vulnerabilities that do not require user interaction to be exploited, compromise does not require any user interaction on the computer besides placing the vulnerable computer online. In other words, for the Windows vulnerabilities that do not require user interaction to be exploited, there is no trigger and compromise can occur simply by placing the vulnerable computer online.

After installing Windows, a common practice is to place the computer online and run Windows Update or Microsoft Update (Windows/Microsoft Update) to install the latest Windows Service Pack (Windows 7), Update (Windows 8.1), Security Monthly Quality Rollup (Windows 7/8.1), Cumulative Update (Windows 10), Security Updates (Windows 7/8.1/10), and non-security updates and fixes Windows (7/8.1/10). Although the intension (to secure Windows) is good, this practice is bad. Why? Because, for the Windows vulnerabilities that do not require user interaction to be exploited, compromise can occur simply by placing the vulnerable computer online, and this includes during the time that Windows/Microsoft Update is running.

Worms are the class of threat that automatically run themselves on, and automatically copy themselves from, computer to computer over a network without user interaction. To accomplishes this, worms exploit vulnerabilities that, themselves, do not require user interaction to be exploited and that allow remote code execution (RCE). First, the worm exploits the vulnerability, then it runs itself on the now compromised computer, including possibly delivering a destructive payload, and then it attempts to propagate itself to other vulnerable computers on the network, again without user interaction.

Worms are extremely dangerous because they can automatically infect a tremendous number of vulnerable networked computers seemingly simultaneously without any user interaction besides placing the vulnerable computers online. Infamous worms that exploit Windows vulnerabilities include W32.Blaster.Worm (symantec.com) (Discovered 11 Aug 2003 and resolved by MS03-026 (technet.microsoft.com) published 16 Jul 2003), W32.Welchia.Worm (a.k.a., Nachi) (symantec.com) (Discovered 18 Aug 2003 and resolved by MS03-007 (technet.microsoft.com) published 17 Mar 2003 and MS03-026 (technet.microsoft.com) published 16 Jul 2003), W32.Sasser.Worm (symantec.com) (Discovered 30 Apr 2004 and resolved by MS04-011 (technet.microsoft.com) published 13 Apr 2004), W32.Downadup (a.k.a., Conficker) (symantec.com) (Discovered 21 Aug 2008 and resolved by MS08-067 (technet.microsoft.com) published 23 Oct 2008), and Ransom.Wannacry (symantec.com) (Discovered 12 May 2017 and resolved by MS17-010 (technet.microsoft.com) published 14 Mar 2017). Moreover, Blaster, Welchia, Sasser, and Downadup remain so prevalent that even today - years after they have been discovered - vulnerable Windows computers are still being compromised by these worms as soon as they are placed online, including during the time that Windows/Microsoft Update is running.

Fortunately, most of the Windows vulnerabilities that do not require user interaction to be exploited are not wormable (i.e., do not allow RCE and, therefore, are not suitable for worms). Instead, the impact of most Windows vulnerabilities that do not require user interaction to be exploited is to allow either denial of service, elevation of privilege (EOP), information disclosure, security feature bypass, or spoofing.

In some environments, the exploitability (i.e., the likelihood that a vulnerability will be exploited) of a Windows vulnerability that does not require user interaction to be exploited is low. However, in some environments, the exploitability of a Windows vulnerability that does not require user interaction to be exploited is high. Rather than trying to take environment, exploitability, impact, and other factors into account, and unnecessarily driving oneself mad in the process, a simpler and safer policy has been adopted: to secure a clean installation of Windows per this web page, it is necessary to resolve all known examples of Windows vulnerabilities that do not require user interaction to be exploited before, not after, placing the computer online.

i
  • The severity rating (e.g., low, moderate, important, and critical) and impact (e.g., denial of service, EOP, information disclosure, RCE, security feature bypass, or spoofing) of a Windows vulnerability does not matter. The only thing that matters is if the Windows vulnerability requires, or does not require, user interaction to be exploited.
  • Toward securing a clean installation of Windows, this Web page assumes the worse, including:
    • Your network administrator and/or Internet Service Provider is not filtering, or is doing a poor job of filtering, malicious network traffic.
    • A gateway/router is not being used to connect to the Internet, or is being used to connect to the Internet but is running outdated insecure firmware and/or is not properly configured.
    • Worms that can bridge gateways/routers, such as Downadup (a.k.a., Conficker), are not being blocked access to the LAN.
    • Your Intranet includes a compromised computer running malicious software and/or a malicious user which are attempting to use the Intranet (not physical access) to compromise other computers on the Intranet.

1.2.  Windows 7/8.1 Servicing Model Ending September 2016: Individual Security Updates

On the second Tuesday of each month (a.k.a., Patch Tuesday) through March 2017, Microsoft released a Microsoft Security Bulletin Summary consisting of one or more Microsoft Security Bulletins. A Microsoft Security Bulletin describes a single vulnerability, or group of related vulnerabilities, typically in a Microsoft product. Through September 2016, Microsoft Security Bulletins describing Windows vulnerabilities provided links to one or more Security Updates for Windows. A Security Update for Windows (a.k.a., a patch) is a single file. Upon installation, the Security Update(s) for a Microsoft Security Bulletin resolve (a.k.a, patch) the vulnerability(s) described in the Microsoft Security Bulletin.

i
Microsoft Security Bulletins are assigned an alpha-numeric name with syntax, MS##-###, where MS## is the year, and -### is the Microsoft Security Bulletin released that year. For example, MS10-001 is the first Microsoft Security Bulletin released in 2010.

Security Updates for Windows can be installed in an automated, batch-like fashion via Windows/Microsoft Update. Security Updates for Windows can also be downloaded via the links in the Microsoft Security Bulletins and installed manually. To secure a clean installation of Windows 7/8.1 per this web page, it is necessary to install some Security Updates for Windows 7/8.1 before placing the computer online. This requires downloading and copying the Security Updates for Windows 7/8.1 to removable media before performing the clean installation of Windows 7/8.1.

1.3.  Windows 7 SP1 And Windows 7 SP1 Convenience Rollup

Window 7 Service Pack 1 (Windows 7 SP1) is a single file that contains Updates for Windows 7, Security Updates for Windows 7, and new Windows 7 features.

Window 7 Service Pack 1 Convenience Rollup v4 May 2016 KB3125574 (Windows 7 SP1 Convenience Rollup) is a single file that contains Updates for Windows 7 and Security Updates for Windows 7.

Windows 7 SP1 Convenience Rollup requires Windows SP1. This means Window 7 SP1 must be installed before installing Windows 7 SP1 Convenience Rollup.

1.3.1.  Security Updates For Windows 7 From February 2011 Through April 2016 Not Included In Windows 7 SP1 Convenience Rollup

Microsoft has not provided a list of the Security Updates for Windows 7 included/not included in Windows 7 SP1 Convenience Rollup. Moreover, upon installing Windows 7 SP1 Convenience Rollup, Windows Update | View update history lists Update for Windows (KB3125574), which is the Windows 7 SP1 Convenience Rollup itself, not the individual Security Updates for Windows 7 included in Windows 7 SP1 Convenience Rollup.

As a result, it is easier to determine the Security Updates for Windows 7 SP1 not included in, rather than included in, Windows 7 SP1 Convenience Rollup. This can be accomplished by; 1.) installing Windows 7 Includes SP1, 2.) installing Servicing Stack Update, 3.) installing Windows 7 SP1 Convenience Rollup, 4.) connecting to Windows Update and installing Microsoft Update, 5.) running Microsoft Update to list the available Security Updates for Windows 7, and 6.) identifying the Security Updates for Windows 7 that were released from February 2011 through April 2016. The following is the Security Updates for Windows 7 from February 2011 through April 2016 not included in Windows 7 SP1 Convenience Rollup:

Security Updates For Windows 7 From February 2011 Through April 2016 Not Included In Windows 7 SP1 Convenience Rollup (1)
Security Update Released As Microsoft Security Advisory Released As Microsoft Security Bulletin
KB2667402 (support.microsoft.com) - Microsoft Security Bulletin MS12-020 - Critical: Vulnerabilities In Remote Desktop Could Allow Remote Code Execution (2671387) (technet.microsoft.com)
KB2676562 (support.microsoft.com) - Microsoft Security Bulletin MS12-034 - Critical: Combined Security Update For Microsoft Office, Windows, .NET Framework, And Silverlight (2681578) (technet.microsoft.com)
KB2698365 (support.microsoft.com) - Microsoft Security Bulletin MS12-045 - Critical: Vulnerability In Microsoft Data Access Components Could Allow Remote Code Execution (2698365) (technet.microsoft.com)
KB2706045 (support.microsoft.com) - Microsoft Security Bulletin MS12-056 - Important: Vulnerability In JScript And VBScript Engines Could Allow Remote Code Execution (2706045) (technet.microsoft.com)
KB2813347 (support.microsoft.com) - Microsoft Security Bulletin MS13-029 - Critical: Vulnerability In Remote Desktop Client Could Allow Remote Code Execution (2828223) (technet.microsoft.com)
KB2862330 (support.microsoft.com) - Microsoft Security Bulletin MS13-081 - Critical: Vulnerabilities In Windows Kernel-Mode Drivers Could Allow Remote Code Execution (2870008) (technet.microsoft.com)
KB2984972 (support.microsoft.com) Microsoft Security Advisory 2871997: Update To Improve Credentials Protection And Management (technet.microsoft.com) -
KB3004375 (support.microsoft.com)
(2)
Microsoft Security Advisory 3004375: Update For Windows Command Line Auditing (technet.microsoft.com)
KB3031432 (support.microsoft.com)
(3)
- Microsoft Security Bulletin MS15-015 - Important: Vulnerability In Microsoft Windows Could Allow Elevation Of Privilege (3031432) (technet.microsoft.com)
KB3046269 (support.microsoft.com) - Microsoft Security Bulletin MS15-037 - Important: Vulnerability In Windows Task Scheduler Could Allow Elevation Of Privilege (3046269) (technet.microsoft.com)
KB3059317 (support.microsoft.com) - Microsoft Security Bulletin MS15-060 - Important: Vulnerability In Microsoft Common Controls Could Allow Remote Code Execution (3059317) (technet.microsoft.com)
KB3123479 (support.microsoft.com) Microsoft Security Advisory 3123479: Deprecation Of SHA-1 Hashing Algorithm For Microsoft Root Certificate Program (technet.microsoft.com) -
KB3145739 (support.microsoft.com) - Microsoft Security Bulletin MS16-039 - Critical: Security Update For Microsoft Graphics Component (3148522) (technet.microsoft.com)
(1)  Procedure: 1.) Install MSDN subscriptions Windows 7 Professional With Service Pack 1 (x64) - DVD (English) Media Refresh en_windows_7_professional_with_sp1_x64_dvd_u_676939.iso; 2.) Install Servicing Stack Update for Windows 7 Windows6.1-KB3020369-x64.msu; 3.) Install Windows 7 SP1 Convenience Rollup windows6.1-kb3125574-v4-x64_2dafb1d203c8964239af3048b5dd4b1264cd93b9.msu; 4.) Open Windows Update, click the Get updates for other Microsoft products link, install Microsoft Update; and 5.) Run Microsoft Update. Screenshots (char.learnwebcoding.com).
(2) (3)  Omit if install MSDN subscriptions Windows 7 Home Premium With Service Pack 1 (x64) - DVD (English) Media Refresh en_windows_7_home_premium_with_sp1_x64_dvd_u_676549.iso instead of MSDN subscriptions Windows 7 Professional With Service Pack 1 (x64) - DVD (English) Media Refresh en_windows_7_professional_with_sp1_x64_dvd_u_676939.iso. Screenshots (char.learnwebcoding.com).

1.3.2.  Security Updates For Windows 7 Included In Windows 7 SP1 And Windows 7 SP1 Convenience Rollup

The release date of Windows 7 SP1 and Windows 7 SP1 Convenience Rollup does not indicate the cutoff date for the inclusion of Security Updates for Windows 7 in Windows 7 SP1 and Windows 7 SP1 Convenience Rollup.

Windows 7 SP1 was released to manufacturing (RTM) on February 9, 2011. Based on release date, one might assume that Windows 7 SP1 includes the Security Updates for Windows 7 through the Microsoft Security Bulletin Summary for February 2011, which was released on February 8, 2011 and includes through MS11-014. This assumption is wrong: Windows 7 SP1 includes the Security Update for Windows 7 for MS11-011, but does not include the Security Updates for Windows 7 for MS11-003, MS11-004, MS11-007, MS11-009, MS11-012, and MS11-013. Instead, Windows 7 SP1 only includes the Security Updates for Windows 7 through the Microsoft Security Bulletin Summary for January 2011, which was released on January 11, 2011 and includes through MS11-002.

Windows 7 SP1 Convenience Rollup was released on May 17, 2016. Based on release date, one might assume that Windows 7 SP1 Convenience Rollup includes the Security Updates for Windows 7 through the Microsoft Security Bulletin Summary for May 2016, which was released on May 10, 2016 and includes through MS16-067. This assumption is wrong: Windows 7 SP1 Convenience Rollup only includes most, not all (above), of the Security Updates for Windows 7 through the Microsoft Security Bulletin Summary for April 2016, which was released on April 12, 2016 and includes through MS16-050.

Security Updates For Windows 7 Included In Windows 7 SP1 And Windows 7 SP1 Convenience Rollup
Windows
(Release Date)
7 SP1
(RTM: 09 Feb 2011)
(Gen: 22 Feb 2011)
7 SP1 Convenience Rollup
(Gen: 17 May 2016)
Includes Security Updates For Windows 7
(Through Date)
All through MS11-002.
(Through 11 Jan 2011)
Most from MS11-003 to MS16-050.
(From 08 Feb 2011 through 12 Apr 2016)

1.4.  Windows 8.1 Update

Windows 8.1 Update April 2014 KB2919355 (Windows 8.1 Update) is an update to Windows 8.1 that contains Updates for Windows 8.1, Security Updates for Windows 8.1, and new Windows 8.1 features.

i
The Windows 8.1 Update Rollup November 2014 KB3000850 is named Update Rollup, not Update, requires Windows 8.1 Update April 2014 KB2919355, does not supersede Windows 8.1 Update April 2014 KB2919355, contains Updates for Windows 8.1, does not contain Security Updates for Windows 8.1, does not resolve any Windows 8.1 vulnerabilities (that do or do not require user interaction to be exploited), is not required for Windows 8.1 to receive future Updates/Security Updates for Windows 8.1, and does not need to be installed before placing the computer online. Toward securing a clean installation of Windows 8.1 per this web page, Windows 8.1 Update refers to Windows 8.1 Update April 2014 KB2919355, not Windows 8.1 Update Rollup November 2014 KB3000850. For additional information on Windows 8.1 Update Rollup November 2014 KB3000850, see November 2014 Update Rollup For Windows RT 8.1, Windows 8.1, And Windows Server 2012 R2 (support.microsoft.com).

1.4.1.  Security Updates For Windows 8.1 Included In Windows 8.1 Update

The release date of Windows 8.1 Update indicates the cutoff date for the inclusion of Security Updates for Windows 8.1 in Windows 8.1 Update.

Security Updates For Windows 8.1 Included In Windows 8.1 Update
Windows
(Release Date)
8.1 Update
(Gen: 08 Apr 2014)
Includes Security Updates For Windows 8.1
(Through Date)
All through MS14-019.
(Through 08 Apr 2014)

1.5.  Windows 7/8.1 Servicing Model Starting October 2016: Bundled Updates And Update Rollups Including Security Fixes

Starting with the Microsoft Security Bulletin Summary For October 2016 (technet.microsoft.com), Microsoft replaced Security Updates for Windows 7/8.1 with bundled updates and update rollups including security fixes for Windows 7/8.1, of which there are three types:

Windows 7/8.1 Servicing Model Starting October 2016: Bundled Updates And Update Rollups Including Security Fixes Types (1)
Type Security Only Quality Update
(a.k.a., Security Only)
Security Monthly Quality Rollup
(a.k.a., Monthly Rollup)
Preview Of Monthly Quality Rollup
(a.k.a., Preview Rollup)
Released On Second Tuesday of the month (a.k.a., B week and Update Tuesday, formerly Patch Tuesday). Second Tuesday of the month (a.k.a., B week and Update Tuesday, formerly Patch Tuesday). Third Tuesday of the month (a.k.a., C week).
Is/
Contains
A single update containing all new security fixes for that month. A single update containing all new security fixes for that month (the same ones included in the security only update released at the same time), as well as fixes from all previous monthly rollups. An additional monthly rollup containing a preview of new non-security fixes that will be included in the next monthly rollup, as well as fixes from all previous monthly rollups.
Available To Public Via
Unique KB Number Yes Yes Yes
Includes Security Updates/Security Fixes For Windows 7/8.1
(Through Date)
That month only.
(That month only)
From MS16-118 through those released on Update Tuesday that month.
(From 11 Oct 2016 through Update Tuesday that month)
(1)  Source: More On Windows 7 And Windows 8.1 Servicing Changes (blogs.technet.microsoft.com).

The Windows 7/8.1 servicing model starting October 2016: bundled updates and update rollups including security fixes by diagram (Source: More On Windows 7 And Windows 8.1 Servicing Changes (blogs.technet.microsoft.com)):

Windows 7/8.1 Servicing Model Starting October 2016 By Diagram

In the Windows 7/8.1 servicing model starting October 2016: 1.) a Security Monthly Quality Rollup (Monthly Rollup) for Windows 7/8/1 is a single file that contains new security fixes, and all previous security and non-security fixes for Windows 7/8.1 back through October 2016; and 2.) a Preview Of Monthly Quality Rollup (Preview Rollup) for Windows 7/8.1 is a single file that contains new non-security fixes, and all previous security and non-security fixes for Windows 7/8.1 back through October 2016. In other words, in the Windows 7/8.1 servicing model starting October 2016, Security Monthly Quality Rollups for Windows 7/8.1 and Preview Of Monthly Quality Rollups for Windows 7/8.1 are cumulative back through October 2016. This means that to obtain the security fixes for Windows 7/8.1 from October 2016 through the present, it is only necessary to install the latest Security Monthly Quality Rollup for Windows 7/8.1 or subsequent, not previous, Preview Of Monthly Quality Rollup for Windows 7/8.1.

Compared to the previous Windows 7/8.1 servicing model of individual Security Updates, the new Windows 7/8/1 servicing model of Security Monthly Quality Rollups for Windows 7/8.1 and Preview Of Monthly Quality Rollups for Windows 7/8.1 are more similar to the Windows 10 servicing model of Cumulative Updates for Windows 10 in that the Security Monthly Quality Rollups for Windows 7/8.1 and Preview Of Monthly Quality Rollups for Windows 7/8.1 are cumulative in nature; however, unlike the Cumulative Updates for Windows 10, which are cumulative back through the initial release of the version of Windows 10, the Security Monthly Quality Rollups for Windows 7/8.1 and Preview Of Monthly Quality Rollups for Windows 7/8.1 are cumulative only back through October 2016.

i
Microsoft intends to extend the cumulative aspect of the Security Monthly Quality Rollups for Windows 7/8.1 and Preview Of Monthly Quality Rollups for Windows 7/8.1 back in time, presumably back to, not through, Windows 7 SP1 Convenience Update for Windows 7 and Windows 8.1 Update for Windows 8.1 (in the diagram above, see the Older fixes box at the bottom of February 02C KB15). Until Microsoft announces that such as occurred, and/or it can be independently demonstrated that such as occurred, to secure a clean installation of Windows 7/8.1 per this web page, it is necessary to play it safe and to maintain that the Security Monthly Quality Rollups for Windows 7/8.1 and Preview Of Monthly Quality Rollups for Windows 7/8.1 are cumulative only back through October 2016.

1.6.  Windows 10 Servicing Model: Cumulative Updates

Microsoft intends to release a new version of Windows 10 (a.k.a., feature update) twice a year around March and September. On the second Tuesday of each month, Microsoft releases a Cumulative Update for Windows 10 (a.k.a., quality update) for the supported versions of Windows 10. Microsoft intends to support each version of Windows 10 with Cumulative Updates for at least 18 months:

Windows 10 Versions Support Status
(Last Reviewed/Updated: 17 May 2019)
Windows
(Build)
10 Version 1507
(10.0.10240)
10 Version 1511
(10.0.10586.0)
10 Version 1607
(10.0.14393.0)
10 Version 1703
(10.0.15063.0)
10 Version 1709
(10.0.16299.15)
10 Version 1803
(10.0.17134.1)
10 Version 1809
(10.0.17763.107) (1)
General
Availability
29 Jul 2015 12 Nov 2015 02 Aug 2016 11 Apr 2017 17 Oct 2017 30 Apr 2018 13 Nov 2018
In Support No Yes
(1)  There are two official releases of Windows 10 Version 1809; 1.) Build 10.0.17763.1 released 02 Oct 2018, and 2.) Build 10.0.17763.107 released 13 Nov 2018. With respect to Microsoft supporting Windows 10 Version 1809 with Cumulative Updates for at least 18 months, the general availability data for Windows 10 Version 1809 is 13 Nov 2018, not 02 Oct 2018. For additional information, see Updated Version Of Windows 10 October 2018 Update Released To Windows Insiders (blogs.windows.com) and Resuming The Rollout Of The Windows 10 October 2018 Update (blogs.windows.com).

In the Windows 10 servicing model, a Cumulative Update for Windows 10 is a single file that contains new security and non-security fixes, and all previous security and non-security fixes (if there are any), for a version of Windows 10. In other words, in the Windows 10 servicing model, Cumulative Updates for Windows 10 are cumulative back through the initial release of the version of Windows 10. This means that to obtain the security (and non-security) fixes for Windows 10 from the initial release of the version of Windows 10 through the present, it is only necessary to install the latest Cumulative Update for Windows 10 for the version of Windows 10.

1.7.  Servicing Stack Updates

Servicing is the process of installing a Windows Service Pack, Update, Security Monthly Quality Rollup, Cumulative Update, Security Update, non-security update, fix, component, role, etc. Depending on what is being installed, servicing is performed manually by the user and/or automatically by Windows/Microsoft Update. The Servicing Stack is the component of Windows that performs servicing. Like other Windows components, the Servicing Stack is periodically updated. A Servicing Stack Update improves the speed and reliability of servicing.

1.8.  Identifying The Security Update Holes In Securing A Clean Installation Of Windows 7/8.1/10

To secure a clean installation of Windows per this web page, it is necessary to resolve the known examples of Windows vulnerabilities that do not require user interaction to be exploited before placing the computer online. Therefore, to secure a clean installation of Windows 7, upon installing the Windows 7 operating system, Windows 7 SP1, Windows 7 SP1 Convenience Rollup, and the latest Security Monthly Quality Rollup for Windows 7 or subsequent, not previous, Preview Of Monthly Quality Rollup for Windows 7, it is necessary to identify any security update holes into which Security Updates for Windows 7 have not been installed. And to secure a clean installation of Windows 8.1, upon installing the Windows 8.1 operating system, Windows 8.1 Update, and the latest Security Monthly Quality Rollup for Windows 8.1 or subsequent, not previous, Preview Of Monthly Quality Rollup for Windows 8.1, it is necessary to identify any security update holes into which Security Updates for Windows 8.1 have not been installed. And to secure a clean installation of Windows 10, upon installing the Windows 10 operating system and the latest Cumulative Update for Windows 10, it is necessary to identify any security update holes into which Security Updates for Windows 10 have not been installed.

1.8.1.  The Security Update Holes In Securing A Clean Installation Of Windows 7

Windows 7 SP1 resolves all Windows 7 vulnerabilities (that do or do not require user interaction to be exploited) through January 2011, which is through MS11-002. Windows 7 SP1 Convenience Rollup resolves most, not all (above), Windows 7 vulnerabilities (that do or do not require user interaction to be exploited) from February 2011 through April 2016, which is from MS11-003 through MS16-050. The latest Security Monthly Quality Rollup for Windows 7 or subsequent, not previous, Preview Of Monthly Quality Rollup for Windows 7 resolves all Windows 7 vulnerabilities (that do or do not require user interaction to be exploited) from October 2016, which is from MS16-118, through the present. Therefore, after installing Windows 7 SP1 and the latest Security Monthly Quality Rollup for Windows 7 or subsequent, not previous, Preview Of Monthly Quality Rollup for Windows 7, there exists a security update hole: 1.) from February 2011 through April 2016, which if from MS11-003 through MS16-050, into which some Security Updates for Windows 7 have not been installed; and 2.) from May 2016 through April 2016, which if from MS16-051 through MS16-050, into which no Security Updates for Windows 7 have been installed.

1.8.2.  The Security Update Hole In Securing A Clean Installation Of Windows 8.1

Windows 8.1 Update resolves all Windows 8.1 vulnerabilities (that do or do not require user interaction to be exploited) through April 08, 2014, which is through MS14-019. The latest Security Monthly Quality Rollup for Windows 8.1 or subsequent, not previous, Preview Of Monthly Quality Rollup for Windows 8.1 resolves all Windows 8.1 vulnerabilities (that do or do not require user interaction to be exploited) from October 2016, which is from MS16-118, through the present. Therefore, after installing Windows 8.1 Update and the latest Security Monthly Quality Rollup for Windows 8.1 or subsequent, not previous, Preview Of Monthly Quality Rollup for Windows 8.1, there exists a security update hole from May 2014 through September 2016, which if from MS14-020 through MS16-117, into which no Security Updates for Windows 8.1 have been installed.

1.8.3.  No Security Update Hole In Securing A Clean Installation Of Windows 10

The latest Cumulative Update for a supported version of Windows 10 resolves all Windows 10 vulnerabilities (that do or do not require user interaction to be exploited) from the initial release of the version of Windows 10 through the present. Therefore, after installing the latest Cumulative Update for a supported version of Windows 10, there does not exist a security update hole into which no Security Updates for Windows 10 have been installed.

1.9.  Compiling The List Of Security Updates For Windows 7/8.1 That Resolve Vulnerabilities That Do Not Require User Interaction To Be Exploited

After identifying the security update holes in securing a clean installation of Windows 7/8.1, the next steps are to list the Microsoft Security Bulletins for Windows 7 SP1 and Windows 8.1 (Windows 7 SP1/8.1), read the Microsoft Security Bulletins for Windows 7 SP1/8.1 that fall into the date range/Microsoft Security Bulletin number range of the security update holes in securing a clean installation of Windows 7 (above) and Windows 8.1 (above), determine if a Security Update for Windows 7/8.1 resolves a vulnerability that requires, or does not require, user interaction to be exploited, and to make the list of Security Updates for Windows 7/8.1 that resolve vulnerabilities that do not require user interaction to be exploited:

1.9.1.  Listing And Reading The Microsoft Security Bulletins For Windows 7 SP1/8.1

To list the Microsoft Security Bulletins for Windows 7 SP1/8.1:

  1. Visit the Microsoft Security Updates (technet.microsoft.com) web page.
  2. In the Filter bulletins by product or component dropdown, if you intend to install:
    • Windows 7 32-bit (edition does not matter), select Windows 7 for 32-bit Systems Service Pack 1.
    • Windows 7 64-bit (edition does not matter), select Windows 7 for x64-based Systems Service Pack 1.
    • Windows 8.1 32-bit (edition does not matter), select Windows 8.1 for 32-bit systems.
    • Windows 8.1 64-bit (edition does not matter), select Windows 8.1 for x64-based systems.
  3. The Microsoft Security Bulletins for Windows 7 SP1/8.1 (36/64-bit) are listed.

It is not necessary to read the entire list of Microsoft Security Bulletins for Windows 7 SP1/8.1. Instead, it is only necessary to read the Microsoft Security Bulletins for Windows 7 SP1/8.1 that fall into the date range/Microsoft Security Bulletin number range of the security update holes in securing a clean installation of Windows 7 (above) and Windows 8.1 (above).

1.9.2.  Determining That A Security Update For Windows Resolves A Vulnerability That Requires User Interaction To Be Exploited

The language in Microsoft Security Bulletins makes it easy to determine if a vulnerability does not require user interaction to be exploited. If language similar to the following appears in a Microsoft Security Bulletin, the Security Update for Windows resolves a vulnerability that requires user interaction to be exploited.

1.9.3.  Determining That A Security Update For Windows Resolves A Vulnerability That Does Not Require User Interaction To Be Exploited

The language in Microsoft Security Bulletins makes it difficult to determine if a vulnerability does not require user interaction to be exploited. If language similar to the following appears in a Microsoft Security Bulletin, the Security Update for Windows likely resolves a vulnerability that requires user interaction to be exploited.

Final determination if a vulnerability does not require user interaction to be exploited often requires clicking the vulnerability's Common Vulnerabilities And Exposures (CVE) (cve.mitre.org) link, National Vulnerability Database (NVD) (nvd.nist.gov) link, and examining, for example, the Attack Vector (AV), Privileges Required (PR)/Authentication (AU), and User Interaction (UI) analysis data.

If it is still unclear if a vulnerability does not require user interaction to be exploited, to secure a clean installation of Windows per this web page, it is necessary to play it safe and to include the Security Update for Windows in the list of Security Updates for Windows 7/8.1 that resolve vulnerabilities that do not require user interaction to be exploited.

1.9.4.  Policy On Security Update For Windows Supersedence And On Adding All Of The Security Updates In A Microsoft Security Bulletin To The List

Sometimes a Microsoft Security Bulletin consists of one Security Update for Windows. Sometimes a Microsoft Security Bulletin consists of multiple Security Updates for Windows. Sometimes a new Security Update for Windows replaces an old Security Update for Windows. And sometimes when a Microsoft Security Bulletin consists of multiple Security Updates for Windows, only some of the Security Updates for Windows resolve Windows vulnerabilities that do not require user interaction to be exploited.

When a new Security Update for Windows replaces an old Security Update for Windows, it is said that the new Security Update for Windows supersedes (i.e., takes the place of/replaces) the old Security Update for Windows. Security Update for Windows supersedence information is presented in the Updates Replaced column of the Affected Software section of the Microsoft Security Bulletin.

When an old Security Update for Windows is superseded by a new Security Update for Windows, it is not necessary to install both the old superseded and the new superseding Security Updates for Windows. Instead, it is only necessary to install the new superseding Security Update for Windows. If the old superseded Security Update for Windows is already installed, it is not necessary to uninstall it. Instead, leave the old superseded Security Update for Windows installed and simply install the new superseding Security Update for Windows. When finished, both the old superseded and the new superseding Security Updates for Windows are listed as being installed. In other words, there is nothing wrong with installing both the old superseded and the new superseding Security Updates for Windows except that it is extra work.

Over time, the supersedence of Security Updates for Windows has become increasingly confounding. Moreover, there have been a couple of instances where the stated supersedence of Security Updates for Windows is questionable and/or appears to be incorrect. Rather than trying to decipher the correct supersedence of Security Updates for Windows, and unnecessarily driving oneself mad in the process, a simpler and safer policy has been adopted: ignore supersedence and list all of the Microsoft Security Bulletins that include Security Updates for Windows that resolve Windows vulnerabilities that do not require user interaction to be exploited.

Lastly, when a Microsoft Security Bulletin consists of multiple Security Updates for Windows, and some of the Security Updates for Windows resolve Windows vulnerabilities that do not require user interaction to be exploited, and some of the Security Updates for Windows resolve Windows vulnerabilities that require user interaction to be exploited; rather than omitting the Security Updates for Windows that resolve Windows vulnerabilities that require user interaction to be exploited, and possibly having someone wonder if a mistake was made, a simpler and less confusing policy has been adopted: list all of the Security Updates for Windows included in a Microsoft Security Bulletin, including those that resolve Windows vulnerabilities that require user interaction to be exploited.

1.10.  Overview: How To Secure A Clean Installation Of Windows 7/8.1/10

Toward securing Windows, it is instructive to divide Windows vulnerabilities into two groups: 1.) those that require user interaction to be exploited, and 2.) those that do not require user interaction to be exploited. The Windows vulnerabilities that do not require user interaction to be exploited must be resolved offline (i.e., before placing the computer online). For the Windows vulnerabilities that require user interaction to be exploited, provided the user has not interacted with the computer in any way that could result in compromise, they can be resolved by placing the computer online and running Windows/Microsoft Update. The following are overviews of how to secure a clean installation of Windows 7/8.1/10 per this web page.

1.10.1.  Overview: How To Secure A Clean Installation Of Windows 7

  1. Do the following offline, and before interacting with the computer in any way that could result in compromise:
    1. Perform a default installation of Windows 7 onto a new or fully erased hard drive. The new or fully erased hard drive ensures the installation of Windows 7 is free from compromise (i.e., clean). The default installation of Windows 7 ensures a single, common baseline of started/stopped services from which the list of Security Updates for Windows 7 to install offline can be built. In other words, the default installation of Windows 7 ensures that no unexpected services are started/stopped as might influence the list of Security Updates for Windows 7 to install offline.
    2. Install Windows 7 SP1. This resolves all Windows 7 vulnerabilities (that do or do not require user interaction to be exploited) through January 2011, which is through MS11-002.
    3. Install the latest Servicing Stack Update for Windows 7.
    4. Install Windows 7 SP1 Convenience Rollup. This resolves most, not all (above), Windows 7 vulnerabilities (that do or do not require user interaction to be exploited) from February 2011 through April 2016, which is from MS11-003 through MS16-050.
    5. Install the Security Updates for Windows 7 from February 2011 through April 2016, which is from MS11-003 through MS16-050, not included in Windows 7 SP1 Convenience Rollup that resolve Windows 7 vulnerabilities that do not require user interaction to be exploited. Combined with the above, this resolves all Windows 7 vulnerabilities that do not require user interaction to be exploited through April 2016, which is through MS16-050.
    6. Install the Security Updates for Windows 7 from May 2016 through September 2016, which is from MS16-051 through MS16-117, that resolve Windows 7 vulnerabilities that do not require user interaction to be exploited. Combined with the above, this resolves all Windows 7 vulnerabilities that do not require user interaction to be exploited through September 2016, which is through MS16-117.
    7. Install the latest Security Monthly Quality Rollup for Windows 7. This resolves all Windows 7 vulnerabilities (that do or do not require user interaction to be exploited) from October 2016, which is from MS16-118, through the present. And, combined with the above, this resolves all Windows 7 vulnerabilities that do not require user interaction to be exploited through the present.
  2. Do the following online, and before interacting with the computer in any way that could result in compromise:
    • Run Windows/Microsoft Update and install any Security Updates for Windows 7. Combined with the above, this resolves all Windows 7 vulnerabilities that require user interaction to be exploited through the present.

1.10.2.  Overview: How To Secure A Clean Installation Of Windows 8.1

  1. Do the following offline, and before interacting with the computer in any way that could result in compromise:
    1. Perform a default installation of Windows 8.1 onto a new or fully erased hard drive. The new or fully erased hard drive ensures the installation of Windows 8.1 is free from compromise (i.e., clean). The default installation of Windows 8.1 ensures a single, common baseline of started/stopped services from which the list of Security Updates for Windows 8.1 to install offline can be built. In other words, the default installation of Windows 8.1 ensures that no unexpected services are started/stopped as might influence the list of Security Updates for Windows 8.1 to install offline.
    2. Install Windows 8.1 Update. This resolves all Windows 8.1 vulnerabilities (that do or do not require user interaction to be exploited) through April 2014, which is through MS14-019.
    3. Install the latest Servicing Stack Update for Windows 8.1.
    4. Install the Security Updates for Windows 8.1 from May 2014 through September 2016, which is from MS14-020 through MS16-117, that resolve Windows 8.1 vulnerabilities that do not require user interaction to be exploited. Combined with the above, this resolves all Windows 8.1 vulnerabilities that do not require user interaction to be exploited through September 2016, which is through MS16-117.
    5. Install the latest Security Monthly Quality Rollup for Windows 8.1. This resolves all Windows 8.1 vulnerabilities (that do or do not require user interaction to be exploited) from October 2016, which is from MS16-118, through the present. And, combined with the above, this resolves all Windows 8.1 vulnerabilities that do not require user interaction to be exploited through the present.
  2. Do the following online, and before interacting with the computer in any way that could result in compromise:
    • Run Windows/Microsoft Update and install any Security Updates for Windows 8.1. Combined with the above, this resolves all Windows 8.1 vulnerabilities that require user interaction to be exploited through the present.

1.10.3.  Overview: How To Secure A Clean Installation Of Windows 10

i
The following is for the supported versions of Windows 10 (above). A clean installation of an unsupported version of Windows 10 (above) cannot be made secure.
  1. Do the following offline, and before interacting with the computer in any way that could result in compromise:
    1. Perform a default installation of Windows 10 onto a new or fully erased hard drive. The new or fully erased hard drive ensures the installation of Windows 10 is free from compromise (i.e., clean).
    2. Install the latest Servicing Stack Update for the version of Windows 10.
    3. Install the latest Cumulative Update for the version of Windows 10. This resolves all Windows 10 vulnerabilities (that do or do not require user interaction to be exploited) through the present.

1.11.  Abbreviations


2.  Files To Download And Copy To CD/DVD Before Performing The Clean Installation Of Windows 7/8.1/10

To secure a clean installation of Windows per this web page, it is necessary to resolve the known examples of Windows vulnerabilities that do not require user interaction to be exploited before placing the computer online. This requires downloading and copying one or more files to removable media before performing the clean installation of Windows 7/8.1/10. Because files on CDs/DVDs are far more difficult manipulate by malicious software/users than files on external hard disk drives and flash memory drives, CDs/DVDs are the removable media of choice.

2.1.  Files To Download And Copy To CD/DVD Before Performing The Clean Installation Of Windows 7

Using a computer that is not compromised, download and copy the following files to CD/DVD before performing the clean installation of Windows 7:

  1. Windows 7 SP1:
  2. Latest Servicing Stack Update for Windows 7:
  3. Windows 7 SP1 Convenience Rollup:
  4. Security Updates for Windows 7 from February 2011 through April 2016, which is from MS11-003 through MS16-050, not included in Windows 7 SP1 Convenience Rollup that resolve Windows 7 vulnerabilities that do not require user interaction to be exploited.
    • None. All of the Security Updates for Windows 7 from February 2011 through April 2016, which is from MS11-003 through MS16-050, not included in Windows 7 SP1 Convenience Rollup require user interaction to be exploited.
  5. Security Updates for Windows 7 from May 2016 through September 2016, which is from MS16-051 through MS16-117, that resolve Windows 7 vulnerabilities that do not require user interaction to be exploited:
    1. Microsoft Security Bulletin MS16-072 - Important: Security Update For Group Policy (3163622) (technet.microsoft.com):
    2. Microsoft Security Bulletin MS16-077 - Important: Security Update For WPAD (3165191) (technet.microsoft.com):
      i
      The MS16-077 vulnerability that does not require user interaction to be exploited is CVE-2016-3236, not CVE-2016-3213. Therefore, it is not necessary to also install the MS16-063 Security Update For Windows 7 (KB3160005) per the MS16-077 Update FAQ.
  6. Latest Security Monthly Quality Rollup for Windows 7:
  7. If not located on a disc included with your computer and not installed by Windows 7, the driver for your network connection device (i.e., dial-up modem, ethernet adapter, or Wi-Fi adapter).

2.2.  Files To Download And Copy To CD/DVD Before Performing The Clean Installation Of Windows 8.1

Using a computer that is not compromised, download and copy the following files to CD/DVD before performing the clean installation of Windows 8.1:

  1. Windows 8.1 Update:
  2. Latest Servicing Stack Update for Windows 8.1:
  3. Security Updates for Windows 8.1 from May 2014 through September 2016, which is from MS14-020 through MS16-117, that resolve Windows 8.1 vulnerabilities that do not require user interaction to be exploited:
    1. Microsoft Security Bulletin MS14-031 - Important: Vulnerability In TCP Protocol Could Allow Denial of Service (2962478) (technet.microsoft.com):
    2. Microsoft Security Bulletin MS14-066 - Critical: Vulnerability In Schannel Could Allow Remote Code Execution (2992611) (technet.microsoft.com):
    3. Microsoft Security Bulletin MS15-005 - Important: Vulnerability In Network Location Awareness Service Could Allow Security Feature Bypass (3022777) (technet.microsoft.com):
    4. Microsoft Security Bulletin MS16-072 - Important: Security Update For Group Policy (3163622) (technet.microsoft.com):
    5. Microsoft Security Bulletin MS16-077 - Important: Security Update For WPAD (3165191) (technet.microsoft.com):
      i
      The MS16-077 vulnerability that does not require user interaction to be exploited is CVE-2016-3236, not CVE-2016-3213. Therefore, it is not necessary to also install the MS16-063 Security Update For Windows 8.1 (KB3160005) per the MS16-077 Update FAQ.
  4. Latest Security Monthly Quality Rollup for Windows 8.1:
  5. If not located on a disc included with your computer and not installed by Windows 8.1, the driver for your network connection device (i.e., dial-up modem, ethernet adapter, or Wi-Fi adapter).

2.3.  Files To Download And Copy To CD/DVD Before Performing The Clean Installation Of Windows 10

Using a computer that is not compromised, download and copy the following files to CD/DVD before performing the clean installation of Windows 10:

  1. Latest Servicing Stack Update for Windows 10:
  2. Latest Cumulative Update for Windows 10:
  3. If not located on a disc included with your computer and not installed by Windows 10, the driver for your network connection device (i.e., dial-up modem, ethernet adapter, or Wi-Fi adapter).

3.  Secure A Clean Installation Of Windows 7/8.1/10

3.1.  Secure A Clean Installation Of Windows 7

  1. Do the following offline, and before interacting with the computer in any way that could result in compromise:
    1. Perform a default installation of Windows 7 onto a new or fully erased hard drive:
      1. Boot the computer from the Windows 7 product DVD and proceed with the installation.
      2. Eventually the Install Windows: Which type of installation do you want? dialog appears. Click Custom (advanced).
      3. The Install Windows: Where do you want to install Windows? dialog appears. Either accept the default and click Next, or click Drive options (advanced) | New, create one or more drives, select a drive for the installation of Windows 7, and click Next.
      4. Otherwise, select the default/typical/recommended option throughout the installation.
    2. From CD/DVD, install Windows 7 SP1:
      • If Windows 7 Initial Release was installed:
        • Install the Windows 7 SP1 KB976932 file.
      • If Windows 7 With SP1 was installed:
        • The installation of Windows 7 includes Windows 7 SP1. Skip this step and go to the next step.
    3. From CD/DVD, install the latest Servicing Stack Update for Windows 7:
      • Install the 2019-03 Servicing Stack Update For Windows 7 KB4490628 file.
    4. From CD/DVD, install Windows 7 SP1 Convenience Rollup:
      • Install the Update For Windows 7 KB3125574 file.
    5. From CD/DVD, install the Security Updates for Windows 7 from February 2011 through April 2016, which is from MS11-003 through MS16-050, not included in Windows 7 SP1 Convenience Rollup that resolve Windows 7 vulnerabilities that do not require user interaction to be exploited:
      • None. All of the Security Updates for Windows 7 from February 2011 through April 2016, which is from MS11-003 through MS16-050, not included in Windows 7 SP1 Convenience Rollup require user interaction to be exploited.
    6. From CD/DVD, install the Security Updates for Windows 7 from May 2016 through September 2016, which is from MS16-051 through MS16-117, that resolve Windows 7 vulnerabilities that do not require user interaction to be exploited:
      i
      It is not necessary to restart the computer after installing each Security Update for Windows. Therefore, if prompted to restart the computer after installing a Security Update for Windows, do not restart the computer until after installing the last Security Update for Windows.
      1. Install the MS16-072 (3163622) Security Update KB3159398 file.
      2. Install the MS16-077 (3165191) Security Update KB3161949 file.
    7. From CD/DVD, install the latest Security Monthly Quality Rollup for Windows 7:
      • Install the 2019-05 Security Monthly Quality Rollup KB4499164 file.
    8. If not installed by Windows 7, from CD/DVD install the driver for your network connection device (i.e., dial-up modem, ethernet adapter, or Wi-Fi adapter).
  2. Do the following online, and before interacting with the computer in any way that could result in compromise:
    • Run Windows/Microsoft Update and install:
      • The Security Updates and any security fixes for Windows 7.
      • Any non-security updates and fixes for Windows 7. If a Preview Of Monthly Quality Rollup for Windows 7 is listed, and if it resolves an issue affecting your computer, install it. Otherwise, it is recommended that you do not install Preview Of Monthly Quality Rollups for Windows 7. Instead, it is recommended that you only install Security Monthly Quality Rollups for Windows 7.
  3. You have secured the clean installation of Windows 7. If you use imaging software to back up your system, this is an excellent time to use it. Otherwise, proceed to use the computer as normal.

3.2.  Secure A Clean Installation Of Windows 8.1

  1. Do the following offline, and before interacting with the computer in any way that could result in compromise:
    1. Perform a default installation of Windows 8.1 onto a new or fully erased hard drive:
      1. Boot the computer from the Windows 8.1 product DVD and proceed with the installation.
      2. Eventually the Windows Setup: Which type of installation do you want? dialog appears. Click Custom: Install Windows only (advanced).
      3. The Windows Setup: Where do you want to install Windows? dialog appears. Either accept the default and click Next, or click New, create one or more drives, select a drive for the installation of Windows 8.1, and click Next.
      4. Otherwise, select the default/typical/recommended option throughout the installation.
    2. From CD/DVD, install the files to bring the installation of Windows 8.1 to Windows 8.1 Update:
      • If Windows 8.1 Initial Release was installed:
        1. Install the Windows 8.1 Update prerequisite:
          • Install the Update For Windows 8.1 KB2919442 file.
        2. Install the Windows 8.1 Update:
          • Install the seven Windows 8.1 Update KB2919355 files in the following order:
            i
            • The clearcompressionflag.exe file simply runs and does not indicate "completed." Therefore, after double clicking clearcompressionflag.exe, wait 30 seconds, and then install the next file.
            • If prompted to restart the computer, restart the computer.
            1. The clearcompressionflag.exe file.
            2. The KB2919355 file.
            3. The KB2932046 file.
            4. The KB2959977 file.
            5. The KB2937592 file.
            6. The KB2938439 file.
            7. The KB2934018 file.
      • If Windows 8.1 With Update was installed:
        i
        There are two Windows 8.1 product DVDs known as Windows 8.1 With Update: one that includes Update Rollup November 2014 KB3000850, and one that does not include Update Rollup November 2014 KB3000850. Both, however, include Windows 8.1 Update April 2014 KB2919355, which is what the With Update in Windows 8.1 With Update means. Toward securing a clean installation of Windows 8.1 per this web page, Windows 8.1 With Update refers to the Windows 8.1 With Update product DVD that includes Update Rollup November 2014 KB3000850 and/or the Windows 8.1 With Update product DVD that does not include Update Rollup November 2014 KB3000850. For additional information on Windows 8.1 Update April 2014 KB2919355 and Windows 8.1 Update Rollup November 2014 KB3000850, see Windows 8.1 Update (above).
        • The installation of Windows 8.1 includes Windows 8.1 Update. Skip this step and go to the next step.
    3. From CD/DVD, install the latest Servicing Stack Update for Windows 8.1:
      • Install the Update For Windows 8.1 KB3173424 file.
    4. From CD/DVD, install the Security Updates for Windows 8.1 from May 2014 through September 2016, which is from MS14-020 through MS16-117, that resolve Windows 8.1 vulnerabilities that do not require user interaction to be exploited.
      i
      It is not necessary to restart the computer after installing each Security Update for Windows. Therefore, if prompted to restart the computer after installing a Security Update for Windows, do not restart the computer until after installing the last Security Update for Windows.
      1. Install the MS14-031 (2962478) Security Update KB2957189 file.
      2. Install the MS14-066 (2992611) Security Update KB2992611 file.
      3. Install the MS15-005 (3022777) Security Update KB3022777 file.
      4. Install the MS16-072 (3163622) Security Update KB3159398 file.
      5. Install the MS16-077 (3165191) Security Update KB3161949 file.
    5. From CD/DVD, install the latest Security Monthly Quality Rollup for Windows 8.1:
      • Install the 2019-05 Security Monthly Quality Rollup KB4499151 file.
    6. If not installed by Windows 8.1, from CD/DVD install the driver for your network connection device (i.e., dial-up modem, ethernet adapter, or Wi-Fi adapter).
  2. Do the following online, and before interacting with the computer in any way that could result in compromise:
    • Run Windows/Microsoft Update and install:
      • The Security Updates and any security fixes for Windows 8.1.
      • Any non-security updates and fixes for Windows 8.1. If a Preview Of Monthly Quality Rollup for Windows 8.1 is listed, and if it resolves an issue affecting your computer, install it. Otherwise, it is recommended that you do not install Preview Of Monthly Quality Rollups for Windows 8.1. Instead, it is recommended that you only install Security Monthly Quality Rollups for Windows 8.1.
  3. You have secured the clean installation of Windows 8.1. If you use imaging software to back up your system, this is an excellent time to use it. Otherwise, proceed to use the computer as normal.

3.3.  Secure A Clean Installation Of Windows 10

  1. Do the following offline, and before interacting with the computer in any way that could result in compromise:
    1. Perform a default installation of Windows 10 onto a new or fully erased hard drive:
      1. Boot the computer from the Windows 10 product DVD and proceed with the installation.
      2. Eventually the Windows Setup: Which type of installation do you want? dialog appears. Click Custom: Install Windows only (advanced).
      3. The Windows Setup: Where do you want to install Windows? dialog appears. Either accept the default and click Next, or click New, create one or more drives, select a drive for the installation of Windows 10, and click Next.
      4. Otherwise, select the default/typical/recommended option throughout the installation.
    2. From CD/DVD, install the latest Servicing Stack Update for Windows 10:
      • If Windows 10 Version 1803 was installed:
        • Install the 2019-05 Servicing Stack Update For Windows 10 Version 1803 KB4497398 file.
      • If Windows 10 Version 1809 was installed:
        • Install the 2019-05 Servicing Stack Update For Windows 10 Version 1809 KB4499728 file.
    3. From CD/DVD, install the latest Cumulative Update for Windows 10:
      • If Windows 10 Version 1803 was installed:
        • Install the 2019-05 Cumulative Update For Windows 10 Version 1803 KB4499167 file.
      • If Windows 10 Version 1809 was installed:
        • Install the 2019-05 Cumulative Update For Windows 10 Version 1809 KB4494441 file.
    4. If not installed by Windows 10, from CD/DVD install the driver for your network connection device (i.e., dial-up modem, ethernet adapter, or Wi-Fi adapter).
  2. Do the following online, and before interacting with the computer in any way that could result in compromise:
    • Run Windows/Microsoft Update and install:
      • Any Security Updates and any security fixes for Windows 10.
      • Any non-security updates and fixes for Windows 10.
  3. You have secured the clean installation of Windows 10. If you use imaging software to back up your system, this is an excellent time to use it. Otherwise, proceed to use the computer as normal.

4.  Resources And Additional Information