Check for Updates?

kosmo

(Returning back to NTL after not using it for some time. My NTL-built Win 7 desktop still works perfectly but the dynamic duo of M$ & Google have convinced all of the Chrome-based browser builders that they better get in line and stop supporting Win 7 so my browser (Vivaldi) grows increasingly more crippled by the day. But I've forgotten so much since NTL ver 1.7 that I'm, once again, a complete newbie. Have mercy.)

Last week I tried out the current free ver of NTL & loaded my ISO. Looking at Updates I was able to get NTL to check M$ and see what new updates hadn't yet been applied to this ISO. Very cool. But now that NTL is paid for and registered I can't find any such button or menu. Is it me or is this just a "Free" feature? (Which makes no sense at all)
 
Thanks for your reply.

Ok, I found the problem. And (once again) it's a GUI issue. I was clicking on the "arrowhead" UNDERNEATH the ADD button. Clicking on the ADD button itself offers up a completely different menu - which I find unintuitive.
 
Followup question:

NTL has retrieved a list of 13 updates that M$ feels that this ISO should have. Of that list of 13 only 3 of those have a check in the box to the left of the update. Does that check mean that those are flagged by M$ as "required" or "crucial" updates or is this Nuhi's recommendation? Or?
 
Every release version's list is curated by nuhi (if you see a problem, please DM him). The default checked selections are always the most critical updates you should install.

- Preview CU is next month's CU, provided for early testing. You should only pick the normal CU or Preview, but not both.
- Defender updates are optional, since not everyone keeps Defender
- OOBE update is optional, mostly to fix random compatibility issues
- App Installer, UI.Xaml, VC++ UWP Runtime are provided in case you want winget to work for Post-Setup.
 
New Updates Issue:

I asked NTL to download 2 updates. It popped up an error message having to do with TLS 1.1 & 1.2. Unfortunately I didn't capture that error so I'm left with my vague memory of it. (note: I have the Win 7 update that enables TLS 1.1 / 1.2. see screenshots) I clicked "Whatever". Then it threw up this error:

retry.jpg

My 1st issue here is that this message is not helpful. It doesn't give us normal human beings useful info to be able to proceed with. I don't think NTL users should have to understand the state of their "handle" to be able to successfully use the program.

Secondly it would be cool if I could fix this and get NTL to actually D/L these non-KB updates - since I didn't have any luck finding a source to D/L them from manually.

Here's shots showing that TLS 1.1 & 1.2 are enabled on my machine:

int_options.jpg

and:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client
Enabled REG_DWORD 0x00000001 (1)
 
Confirm you have the latest NTLite v2024.5.9946.
  • Updates: Downloader mitigation for error 12175 under Win7 and 8.1 hosts due to non-default TLS 1.1/1.2

If you've done any code development, error messages are represented by two different types. One is a specific error message, because you know exactly what went wrong. The other is the raw return code from a function's API, because the error condition was unexpected.

I'm on W7 myself, and the real problem isn't whether TLS 1.2 is enabled or not. Different APIs don't necessarily use the highest TLS encryption level by default, and therefore fail when connecting to a remote server which enforces a minimum TLS level. I had this problem when writing my PS scripts, and you need to explicitly force a "[Net.SecurityProtocolType]::Tls12" call for older Windows.

So the problem is less with W7/8 itself, but not enforcing TLS 1.2 when using someone's API.
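
The point made above, that each API stack carries its own default protocol set, can be checked one stack at a time. The PowerShell below is an added example, not part of the original posts and not NTLite's code; it assumes PowerShell with .NET Framework 4.5 or later, and the WinHTTP and .NET registry values are Microsoft's documented settings that the thread itself does not mention. `$TestUrl` is a placeholder.

```powershell
# Added example. Read-only apart from the session-scoped change near the end.
# $TestUrl is a placeholder; point it at any HTTPS host that requires TLS 1.2.
$TestUrl = 'https://example.com/'

function Get-RegValue([string]$Path, [string]$Name) {
    # $null means the key or value is absent, so the OS default applies.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($item) { $item.$Name } else { $null }
}

$schannel = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client'
$winhttp  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp'
$dotnet   = 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319'

$report = New-Object PSObject -Property @{
    SchannelEnabled           = Get-RegValue $schannel 'Enabled'
    SchannelDisabledByDefault = Get-RegValue $schannel 'DisabledByDefault'
    WinHttpDefaultProtocols   = Get-RegValue $winhttp  'DefaultSecureProtocols'
    DotNetStrongCrypto        = Get-RegValue $dotnet   'SchUseStrongCrypto'
    SessionProtocols          = [Net.ServicePointManager]::SecurityProtocol
}
$report | Format-List

# Schannel: "Enabled = 1" permits TLS 1.2; "DisabledByDefault = 0" makes it a default.
if ($report.SchannelDisabledByDefault -ne 0) {
    Write-Warning 'Schannel: TLS 1.2 client is allowed at most, not offered by default.'
}
# WinHTTP bit flags: 0x80 = TLS 1.0, 0x200 = TLS 1.1, 0x800 = TLS 1.2.
$flags = $report.WinHttpDefaultProtocols
if ($null -eq $flags -or -not ($flags -band 0x800)) {
    Write-Warning 'WinHTTP: DefaultSecureProtocols does not include TLS 1.2.'
}

# .NET callers: add TLS 1.2 to this session only, then try one request.
[Net.ServicePointManager]::SecurityProtocol = [Net.ServicePointManager]::SecurityProtocol -bor [Net.SecurityProtocolType]::Tls12
try {
    $req = [Net.WebRequest]::Create($TestUrl)
    $req.Method = 'HEAD'
    $req.GetResponse().Close()
    Write-Output "TLS handshake and request to $TestUrl succeeded."
} catch {
    Write-Warning "Request to $TestUrl failed: $($_.Exception.Message)"
}
```

On 64-bit Windows, 32-bit applications read the same WinHTTP and .NET values under `HKLM:\SOFTWARE\Wow6432Node`, so a complete check repeats those two lookups there.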
 
"Confirm you have the latest NTLite v2024.5.9946."

Correct.


"you need to explicitly force a "[Net.SecurityProtocolType]::Tls12" call for older Windows."

OK, I took this as a suggestion to do my homework. I decided to run:
"[Net.SecurityProtocolType]::Tls12"
in Powershell. And since I've never actually used PS before I had to go and find it. Only to discover that it doesn't exist on my W7 machine! So I downloaded PS 7.4 and tried to install it but that install failed with an inscrutable error message. So I read a bit more and then downloaded PS 5.1 ( Win7AndW2K8R2-KB3191566-x64.msu ) and ran that. It actually installed the files and then ended with a failure message that offered no reason for the failure but left 360mb of new uninstallable crap on the machine.

So.......I can live with NTL not being able to D/L the 2 updates for me but what other problems am I likely to have while building this ISO because of this TLS 1.2 / API issue? What other functions of the program require NTL to fetch stuff from M$?
 
...what other problems am I likely to have while building this ISO because of this TLS 1.2 / API issue?...
TLS/SSL and related issues are also why I was forced to abandon XP. I made it work up until December of 2021, but you just can't force these older operating systems to support things that they literally don't have all the files and code necessary to. While there are little tweaks that act as workarounds, it's still a crippled experience that gets worse each year, depending on what software or websites a user needs.

Major developers are starting to completely drop Windows 7 and 8/8.1 support (link1, link2) in 2024, and it's only a matter of time until Microsoft pulls the 8/8.1 ISO from their download list too, as they already did for all the others below it last year. Microsoft could update old operating systems to have modern DX and TLS/SSL support, but that doesn't make money, so planned obsolescence kills them off.

Also, by the time Microsoft resolves the BlackLotus exploit (link3) in 2025, it will put the final nail in the coffin for everything under Windows 10. Essentially, anyone trying to use systems older than that in today's age is wasting their time unless they're a power user and it's for a specific pet project or other niche, and since that has a high failure rate for many scenarios, most people are better served making an optimized Windows 10 build instead.

This isn't meant to argue with anyone, because as I mentioned power users can work around some issues, but it will eventually reach an end for everyone, and that time is soon. For most people, especially gamers and those that want to use modern apps, you're in for a lot of frustration trying to use anything below the latest 2 versions of Windows 10. That struggle grows exponentially the older a build is in relation to newer hardware and software.
 
garlin
Perhaps you missed my reply to your suggestion (with browser TLS results) or perhaps we're at the end of the line... ?

@ Hellbovine:
Thanks! Yes, XP had the best UI of ANY M$ OS. It's been steadily downhill with each "advance" since then. I bought a laptop in '18 that came with W10. It was playing COMMERCIALS on my desktop!!! (replaced w/ an NTL W7 instantly)
 
Dear kosmo and garlin, Vivaldi is based on Chromium. Chromium implements BoringSSL and thus does NOT honour the TLS settings under "Internet Properties" (Schannel) and registry (also Schannel). Therefore, I think the TLS browser check may not be representative of TLS support from the OS.
 
So.......I can live with NTL not being able to D/L the 2 updates for me but what other problems am I likely to have while building this ISO because of this TLS 1.2 / API issue? What other functions of the program require NTL to fetch stuff from M$?

For TLS, you probably need certain cipher suites that may not be supported in Windows 7 (maybe RSA keys < 2048 bits?).

Anyways, I think people probably cannot guarantee you what problems will or will not appear. After all, the control is on MS side to remove support for old OSes.
 
Microsoft could update old operating systems to have modern DX and TLS/SSL support, but that doesn't make money, so planned obsolescence kills them off.

I am sorry but cannot agree here. Windows is very large code by itself, and "update old OS to have modern feature support" means MS needs to test new code on old OS under uncountable number of scenarios (such as different hardware and software combinations), which any programmer can tell you, this is VERY difficult.
 
I am sorry but cannot agree here. Windows is very large code by itself, and "update old OS to have modern feature support" means MS needs to test new code on old OS under uncountable number of scenarios (such as different hardware and software combinations), which any programmer can tell you, this is VERY difficult.
You're overthinking it, all I was doing is explaining to the masses why Microsoft abandons an OS and puts us into this predicament where people aren't ready to move on, but are forced to anyway. It wasn't meant to be a philosophical argument about programming, though I also know how much work goes into coding, as I was a developer, QC lead, and top playtester for several years on an MMO, so I understand refactoring.

What I said has already been proven true and isn't anything to contest, as DX is constantly updated in operating systems, so we know it's possible and this argument is moot. Look at XP for example, it launched with DX version 8.1 and was updated more than half a dozen times into version 9.0c (link1). Windows 7 also got backported support for DX12 (link2) to play games.

The United States military, as well as bank ATMs, cash registers, and other commercial devices (link3, link4) are using a contracted version of Windows XP or the embedded one, which continued to get updates for various security features, such as TLS/SSL (link5) and others, so what I said is true again there.

Even video games get updated to work on newer and older operating systems after launch, as well as getting newer DX support in patches too. If refactoring code was harder than making new software from the ground up, then why isn't NTLite releasing a standalone product for every new Windows like how it went from nLite to NTLite, and why is Minecraft releasing thousands of updates instead of a sequel, etcetera.

If the code is unoptimized and sloppy, then yeah it's going to be easier for someone that has good quality control to copy all the important bits into new files and rebuild everything again, but that's a whole different story...I'm not saying Microsoft needs to go back today and make all their old operating systems modern, but rather there was no necessity to make Vista and beyond in order to maintain, optimize, or innovate Windows.
 
First my thanks for all who have replied.

For TLS, you probably need certain cipher suites that may not be supported in Windows 7 (maybe RSA keys < 2048 bits?).

OK, I followed the link you kindly provided and in it M$ explains that KB3042058 (which is installed) enables about a gazillion "cipher suites" and changes the existing cipher suites priority order. It lists 4 new suites that it added to the new priority order but doesn't show either the new order list or the old one. (hold that thought)

The page also pointed out that I can build / enable a new cipher suites priority order by using the Group Policy Editor. I opened GPE to Local Computer > Administrative Templates > Network > SSL Configuration Setting and it opens a window explaining how to build a new priority order and listing every known cipher suite in the known universe. I understand the instructions on how to do this but which "suites" to choose and what sequence to apply is miles above my pay grade.

Here's my understanding of the problem at this point:
  1. Even though my W7 machine has TLS1.2 enabled NTL wasn't able to fetch files from M$ due to a TLS issue.
  2. I'm not obsessed with getting NTL to D/L the 2 updates I want but I am concerned about the possibility that this connection issue could cause problems at a later point in the build process.
  3. If this is a W7 issue that could, potentially, affect those of us who are still using W7 then it would seem to NTL's benefit to find a fix or a workaround for this issue if possible.
  4. I use multiple partitions on my computer. The only SW on my system partition is the OS and it's backed up. If I bork the OS I can pull out my Rescue USB, reboot and be back in business in less than 5 min. IE: I'm willing to use my computer as a guinea pig if it's a useful thing to do.

So, is this worth looking into or am I just thrashing around in the tall weeds?




 
Dear kosmo, I think you do not need to troubleshoot further. Please consider it a limitation of Windows 7, as it does not support all cipher suites required by TLS 1.2, and as a result, it may not be able to communicate with Microsoft servers anymore.

Instead, please let me introduce you to Microsoft Update Catalog, the web-based front-end that Microsoft hosts updates for users to download via web browsers. You can download your desired update for Windows 7 there, and add it to NTLite via "Updates", "Add" -> "Files".

Throughout the whole integration and customization process, I do not think NTLite needs to communicate further with Microsoft servers.
 
What I said has already been proven true and isn't anything to contest, as DX is constantly updated in operating systems, so we know it's possible and this argument is moot. Look at XP for example, it launched with DX version 8.1 and was updated more than half a dozen times into version 9.0c (link1). Windows 7 also got backported support for DX12 (link2) to play games.
From your link2:

How are DirectX 12 games different between Windows 10 and Windows 7? Windows 10 has critical OS improvements which make modern low-level graphics APIs (including DirectX 12) run more efficiently. If you enjoy your favorite games running with DirectX 12 on Windows 7, you should check how those games run even better on Windows 10!

I understand your level of knowledge when you compared DirectX with the security stack within Windows. It seems people here do not know TLS 1.2 is not just TLS 1.2, it involves a lot of different cipher suites for communications, and it is a fact that the world does not stay in TLS 1.2, as we are already using TLS 1.3 or QUIC.

Btw, Steam ended support for Windows 7 in Jan 2024 already, and new Windows users do not need to install DirectX anymore as it is an integrated part of Windows already. Oh yeah, I am on DirectX 12_2. Who knows which Windows supports DirectX at this level?
 