MS-DEFCON 3: Get Windows patched, gingerly

It’s time to get caught up on your patching. We have a few outstanding major problems with the latest round of Windows patches. The worst is an ongoing bug in double printing, introduced by security patch MS 16-098, which has only been fixed in one version of Windows 10. I don’t know of any significant problems with outstanding Office patches – although, with dozens of non-security patches, you can expect some odd bug to crop up eventually.

Microsoft’s gradually changing to a cumulative update approach for fixing Windows 7 and 8.1. I don’t like it, you don’t like it, but there we are. Supposedly security and non-security updates will come out in different blobs, but Microsoft’s already playing fast and loose with the distinction: For example KB 3179573, the Aug. non-security update rollup for Win7, contains at least one fix for a June security patch; KB 3179574, the analogous non-security rollup for Win 8.1, contains at least one fix for a July security patch. Microsoft’s been playing whack-a-mole with the fix for the MS16-098 bug.

We’re at something of a crossroads with Windows 7, 8.1, and to a lesser extent Vista. In October, the whole patching applecart is in for a major upending. At this point, I don’t know exactly how it’s going to shake out.

With that as prolog, this is what I recommend:

Windows 10

Check to see which version you’re running: type winver in the Cortana search box and look for the version number.

On all Win10 machines, once you’ve installed whatever you want to install, turn automatic updating off.

Windows 10 Anniversary Update, version 1607, Win 10.2

If you’re blocking patches to the Anniversary Update (possibly using the metered connection trick, possibly by disabling the update service), I suggest you go ahead and let KB 3176938 bring your machine up to build 143393.105.

Realize that you’ll have trouble using many cameras with Skype, and that plugging your Kindle into the machine will result in a blue screen. You may also experience intermittent problems with copy and paste. If any of those bother you, stick with the build you have. In addition, there are lots of reported problems installing KB 3176938. If it won’t install, don’t sweat it – a new cumulative update is just around the corner, likely on Sep. 13.

Windows 10 Fall Update, version 1511, Win 10.1

This is the version I’m using on my production machines.

If you haven’t yet installed cumulative update KB 3176493, do it. You may see problems with printing in certain situations – the double-print bug triggered by MS16-098/KB 3176493, which is part of this cumulative update. If you hit the bug (you’ll know because your printer will stop working), run over to KB 3186988 to install the short-term fix.

For heaven’s sake, don’t intentionally install the Anniversary Update. It isn’t ready yet. You can proactively block the update if you know the tricks. If you upgraded to Win10 Anniversary Update less than ten days ago, you can roll back: Start > Settings > Update & security. On the left choose Recovery. On the right, under “Go back to an earlier build” click the box marked Get Started.

Windows 7, 8.1 and Vista

Time for you to make a decision. While the details are up in the air (and no doubt subject to much change), it looks like Win7 and 8.1 customers will have two separate paths, starting in October. Those of you who want all of the patches Microsoft has on offer will, ultimately, be able to install a monthly cumulative update that’ll bring everything up to date. Those of you who want security patches only will be able to install just the security patches – in one big blob. The old KB system is getting retired. We don’t know exactly how just yet, but you won’t have the ability to remove or block individual “KB style” patches.

I figure there are two different groups of Win7 and 8.1 users. I call them “Group A” – the ones who are willing to take all of Microsoft’s “improvements” to its data gathering and reporting efforts – and “Group B” who don’t want more snooping. I know it’ll give many of you heartburn, but I tend to be in Group A. I don’t really care what Microsoft learns about me. I’ve been using Google products for many years and it’s been tracking everything I do. I can accept that – and in the same vein, Microsoft can snoop on me, too. You may or may not agree, for good reason.

So, starting this month, I’m proposing that you choose to join Group A or Group B. For Group A, patching is much easier. For Group B, the snooping should be less – but there’s no guarantee. You can move from Group B to Group A, but as far as I can tell there’s no way to move from Group A to Group B without completely re-installing Win7 or 8.1.

For those of you who want all the new features in Win7 and 8.1, but don’t want the snooping… I hate to break it to you, kid, but Microsoft hasn’t given us any new features in years. As best I can tell, all of the patches these days are either security fixes, advertisements for Windows 10 (which should be going away), snoop enablers, or fixes for problems created by one of those.

I have no idea how updates to Vista will roll out. For now, I suggest you choose between Group A or Group B.

If you encounter very slow Windows Update scan speeds on Windows 7 or Vista, I suggest that you use Canadian Tech’s speedup method, posted on the Microsoft Answers forum.

For Group A – the ones who are willing to let Microsoft snoop

Go into Windows Update (in Win7, Start > Control Panel > System and Security > under Windows Update, click Check for updates – in Win8.1, right-click Start). Click the link that says “XX important updates are available.” Make sure all of those patches are checked (they should be). Then on the left, click Optional, and make sure all of those patches are checked. (WARNING: Don’t check Silverlight and Skype, don’t check any drivers – see below – and don’t check any language packs). Click OK, then Install updates. Reboot.

For Group B – the ones who don’t want to let Microsoft snoop

Go into Windows Update (Start > Control Panel > System and Security > under Windows Update, click Check for updates – in Win 8.1, right-click Start). Click the link that says “XX important updates are available.” CHECK the boxes next to items that say “Security Update,” “Windows Defender” and “Malicious Software Removal Tool.” UNCHECK the boxes next to any items that aren’t specifically marked as “Security Update.”

On the left, click the link that says Optional. Uncheck every box that you see, except “Windows Defender,” which should stay checked. Yes, I’m saying that if a box is checked, uncheck it. Click OK, then Install updates. Reboot.

I’m putting us at MS-DEFCON 3: Patch reliability is unclear, but widespread attacks make patching prudent. Go ahead and patch, but watch out for potential problems.

My usual boilerplate advice:

For those of you who are new to this game, keep in mind that… I never install drivers from Windows Update (in the rare case where I can actually see a problem with a driver, I go to the manufacturer’s web site and download it from the original source). I use Chrome and Firefox, and only pull out IE when I feel very inclined — but even if you don’t use IE, you need to keep up with its patches.

Thanks to PKCano for the corrections!