• MS-DEFCON 3: Get patched, but watch out

    It’s been almost a week since Microsoft re-issued the famed, feared “Get Windows 10” patch, KB 3035583. I still don’t see what’s different about it, but at least those of you with “Give me recommended updates the same way I receive important updates” turned off won’t see a check mark on the patch in Windows Update – so it won’t install.

    There have been problems with this month’s patches, but most of them are reasonably well understood. A bug in the Office 2010 patch MS16-039/KB 3158453, for example, triggered “The Windows installer service could not be accessed.” errors and a re-release of KB 3144432. Windows 10 got a new “Update Assistant” KB 3159635 to help Win10 users still on the RTM version to upgrade to build 1511.

    I found the new Windows 7 “SP2” to be frustrating and painfully slow, but it’s only intended for folks with Win7 systems that haven’t been updated in years, or for those who are building new Win7 systems from scratch. See the comments in this AskWoody post from Noel Carboni.

    With Office non-security patches just around the corner, it’s a good idea to get your system patched. I’m going to stick with my three-month-old advice: Skip all non-security patches; only install security patches. Here’s how to do that:

    Vista: If you haven’t yet followed the trick for speeding up Windows Update scans, use the method described in this InfoWorld article to first grease the skids. Start Internet Explorer and verify (Help > About) that you’re running Internet Explorer 9. Go into Windows Update (see the Windows Update tab on this page), make sure security patches are checked and non-security patches are unchecked, then run the update.

    Windows 7: If you haven’t yet followed the trick for speeding up Windows Update scans, use the method described in this InfoWorld article to first grease the skids. Yes, that means you should install KB 3153199 manually. [Information updated, thanks to owburp and EP.]

    Also, note that the Windows 7 “SP2” convenience update rollup, KB 3125574, is NOT intended for people who’ve been keeping their Win7 systems up to date. It’s only really useful for people who are building new systems, or those who haven’t applied updates for many, many months.

    Step 1. If you haven’t checked recently, crank up Internet Explorer. Don’t use it to go to any sites, but click the gear icon in the upper right corner, choose About Internet Explorer, and verify that you’re on IE 11. If you aren’t yet on IE 11, make sure the box marked “Install new versions automatically” is checked, then click Close. That’s the easiest way to upgrade to IE 11. There may be an IE 11 upgrade sitting in Windows Update (Start > Control Panel > System and Security > under Windows Update, click Check for updates). If so, keep it checked.

    I don’t recommend that you use IE. But you need to update it, and keep it patched, because Windows still uses bits and pieces of IE in various places.

    Step 2. Run GWX Control Panel and set it to block OS upgrades.

    Step 3. Go into Windows Update (Start > Control Panel > System and Security > under Windows Update, click Check for updates). Click the link that says “XX important updates are available.” Check the boxes next to items that say “Security Update.” Last month I warned about KB 3146706, but it’s been reissued and appears to be OK. UNCHECK the boxes next to any items that aren’t specifically marked as “Security Update.” All of them.

    Be aware of the fact that one of the security patches, KB 3154070, also includes non-security patches. Microsoft did the same thing in March. It’s an IE 11 patch, so you need it, even if Microsoft is sneaking in non-security stuff.

    As noted below, if you see Windows Defender listed or the Malicious Software Removal Tool, keep it checked, too. Those are security patches, whether they’re identified that way or not.

    Step 4. On the left, click the link that says Optional. Uncheck every box that you see. Yes, I’m saying that if a box is checked, uncheck it. If you uncheck the box next to “Upgrade to Windows 10 Pro, Version 1511, 10586,” Windows Update will check it again for you. Don’t be alarmed. GWX Control Panel will protect you.

    Step 5. Click OK, then Install updates.

    Step 6. Back in Windows Update, on the left, click the link to Change settings. Make sure “Important Updates” is set to “Check for updates but let me choose whether to download and install them,” and uncheck the box next to “Give me recommended updates the same way I receive important ones.”

    Step 7. Click OK and reboot.

    Step 8. Run GWX Control Panel again, just for good luck. (Note: GWX Control Panel has a “Monitor Mode” option. If you choose to use that option, you won’t need to run GWX Control Panel again – it’s already running. Personally, I don’t use Monitor Mode. I don’t like to leave anything running if I don’t have to. So I run GWX Control Panel manually, twice.)
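
    A read-only way to double-check Steps 3 and 6 from a PowerShell prompt, added here as an example (it is not part of the original post and not from GWX Control Panel). It uses the Windows Update Agent COM objects; the names `$watch` and `Get-UpdateAction` are made up for this sketch, and the KB numbers are the ones mentioned above.

```powershell
# Added example: read-only audit of Steps 3 and 6; installs and changes nothing.
# Written to run on the PowerShell 2.0 that ships with Windows 7.
$watch = 'KB3035583', 'KB3125574'   # "Get Windows 10" patch, Win7 "SP2" rollup

function Get-UpdateAction($Update) {
    $cats = @($Update.Categories   | ForEach-Object { $_.Name })
    $kbs  = @($Update.KBArticleIDs | ForEach-Object { "KB$_" })
    # Step 3 rule: keep Security Updates, plus Defender and MSRT by title.
    # Assumption: English category name; localized systems use another string.
    $keep = ($cats -contains 'Security Updates') -or
            ($Update.Title -match 'Windows Defender|Malicious Software Removal Tool')
    $action = 'Uncheck'
    if ($keep) { $action = 'Check' }
    New-Object PSObject -Property @{
        Action = $action
        KB     = ($kbs -join ',')
        Watch  = [bool]($kbs | Where-Object { $watch -contains $_ })
        Title  = $Update.Title
    }
}

# Step 6: level 2 = "Check for updates but let me choose whether to
# download and install them"; recommended updates should not ride along.
$au = (New-Object -ComObject Microsoft.Update.AutoUpdate).Settings
"Notification level is 2:      {0}" -f ($au.NotificationLevel -eq 2)
"Recommended-as-important off: {0}" -f (-not $au.IncludeRecommendedUpdates)

# Watched patches that are already installed (no output means none found)
Get-HotFix -Id $watch -ErrorAction SilentlyContinue |
    Format-Table HotFixID, InstalledOn -AutoSize

# Step 3: what Windows Update is offering right now (drivers excluded).
# The scan can take as long as a normal "Check for updates".
$searcher = (New-Object -ComObject Microsoft.Update.Session).CreateUpdateSearcher()
$offered  = $searcher.Search("IsInstalled=0 and IsHidden=0 and Type='Software'").Updates
$offered | ForEach-Object { Get-UpdateAction $_ } |
    Sort-Object Action, KB |
    Format-Table Action, Watch, KB, Title -AutoSize
```

    Rows marked Uncheck are the ones Step 3 says to leave out; a True in the Watch column means the offered item is one of the two KBs listed in `$watch`.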

    Windows 8.1: I haven’t heard of any appreciable Windows Update speed-up by using the KB3138612 and KB3145739 trick. Follow the instructions for Windows 7, but in Step 3 go into Windows Update by right-clicking on the Start icon and choosing Control Panel.

    Windows 10: If you’re using the metered connection trick to block updates, unblock the metered connection long enough to get caught up. If you hit a problem, be sure to drop John Wink a line. The twelfth Win10 cumulative update should bring your version of Windows up to build 1511 OS version 10586.318 – what I like to call Windows 10.1.12.

    You may get a couple of stragglers — little patches that aren’t cumulative updates — KB 3147062 and KB 3152599. Those are OK to install, too. I still wish Microsoft would release individual patches like these, instead of massive cumulative updates, but…

    Office Click-to-Run: Thanks to reader Eric for an update – there was a Windows Installer issue in the April 2016 update, MS16-039. I see references to May 10 and May 25 fixes, with the latest build at 15.0.4823.1004. If you have details, I’d sure like to hear about it!

    Everybody: Either watch here on AskWoody.com, or follow me on Twitter (@woodyleonhard) or Facebook to keep up on the latest. Microsoft’s releasing patches at a breathtaking rate. It’s a jungle out there. And if you catch something, shoot me email (click on the mail icon in the upper right corner of this page), or post a reply to this blog.

    I’m putting us at MS-DEFCON 3: Patch reliability is unclear, but widespread attacks make patching prudent. Go ahead and patch, but watch out for potential problems.

    My usual boilerplate advice:

    For those of you who are new to this game, keep in mind that… You should always use Windows Update to install patches; downloading and installing individual patches is a clear sign of impending insanity. I always install Windows Defender/Microsoft Security Essentials updates as soon as they’re available – same with spam filter updates. I never install drivers from Windows Update (in the rare case where I can actually see a problem with a driver, I go to the manufacturer’s web site and download it from the original source). If Windows Update has a patch but the box isn’t checked, DON’T CHECK THE BOX. It’s like spitting in the wind. I use Chrome and Firefox, and only pull out IE when I feel very inclined — but even if you don’t use IE, you need to keep up with its patches.

    Thanks, as always, to Susan Bradley and her in-depth work in Windows Secrets Newsletter.