MS-DEFCON 3: Cautiously update Windows and Office

It’s been a difficult month for Windows patches. If you’ve been following along here you know about:

• Odd Windows driver updates, distributed through Windows Update, that include a Realtek Win10 driver being pushed onto Win7 machines
• Undocumented rollbacks of “INTEL – System” drivers, with a specific recommendation to bypass the “Intel System 8/19/2016 12:00:00 AM 10.1.2.80” patch
• An Active Directory Admin Center console conflict with the Win7 December Security-only patch
• A hotfix for Windows 10, build 14393.577, that isn’t available through Windows Update – or even acknowledge on the Win10 update page
• Conflicts between the .NET Security/Quality rollups and SQL Server and Veritas (which I incorrectly reported as Microsoft pulling KB 3210137 and 3210138). The confusion over the patch numbers was resolved by Abbodi, “Both .NET 4.6.2 updates are identical it seems they created the security-only update just to comfort the non-security haters. Apparently they didn’t feel the same or have the time to do that with other .NET versions.”
• A conflict between the Win10 version 1607 cumulative update KB 3206632 and IP addressing
• An enormous amount of misinformation (not Microsoft’s fault) about the way the Win10 1607 cumulative update solved the “dropped internet connection” bug

And those are just the highlights.

I count nearly a hundred Office patches this month, for Office 2003 (!), 2007, 2010, 2013 and 2016. Microsoft lists just one known bug in Word –

Customers have reported that automatic saving of files doesn’t always function, resulting in loss of data and other work… We’re aware of this issue and are investigating it. When we have more information, we’ll provide it here.

There are fixes or workaround for other acknowledged bugs in Outlook, Excel, PowerPoint and OneNote.

Anyway, enough time has elapsed that I think we know about the major problems, and it’s time to get Windows and Office patched.

I’ll post these instructions in InfoWorld on Monday, but for now, here’s the gist of it.

If you have Win7 or 8.1 Automatic Update set to “Never” or “Check but don’t download,” it’s time to get your system patched. If you have Win10 and you followed one of the many paths to blocking forced updates, now would be a good time to release the blocks and let Windows Update do its thing.

Those of you who haven’t updated Windows 7 or 8.1 since the patchocalypse in October need to decide if you’re in Group A (those who will take all the changes Microsoft has to offer, telemetry-laden or not) or in Group B (you only want security updates).

Once you’ve made that decision, follow the steps outlined in “How to cautiously update Windows 7 and 8.1 machines.” (Be aware that article is more than a little controversial. You can see much of the debate on AskWoody.com.)

For those in Group B, the update you want from the Microsoft Catalog is as follows:

• Win7 64-bit
• Win7 32-bit 
• Win 8.1 64-bit 
• Win 8.1 32-bit 

One important caveat: Do NOT install any optional drivers. As ch100 noted earlier today:

I can say with a degree of certainty that the Chipset drivers being pushed are related to improving chances of a successful Windows 7/8.1 upgrade in place to Windows 10. They are Windows 10 compatible and there is no other reason to install Windows 10 drivers on a lower version of Windows, when the current drivers are functional.

On the other hand, if you hit a Recommended driver, you should probably install it.

The instructions for Group A and Group B take you through the process of checking for updates (including driver updates), for Office patches and for .NET security patches. Although there’s a problem with one of the pieces of one of the .NET patches, it appears to be limited to Windows 8.1 machines running SQL Server. I’d guess that very few of you fall into that category.

If you’re on the Windows 10 side of the fence, follow the steps in “Woody’s Win10Tip: Apply updates carefully.”

If you hit any problems, hit me in the comments!

Next month’s going to be interesting. We bid a (fond??) farewell to the Security Bulletin system, and ring in a new ring of hand wringing. Oh boy.