• A quick overview of January patching recommendations for Windows

    This web site is getting hammered. Sorry about that, but there’s a reason why the main discussion thread for installing January 2018 takes a long time to load – lots of comments, lots of people. We’re redlining the server again, folks, and it’s the beefiest one currently available from our host.

    For those of you looking for the bottom line on patching Win7 and 8.1, I’d like to repeat the posts from @PKCano and @MrBrian.

    Starting with @MrBrian:

    For any manually-installed Windows update from January 2018 and later: If you use antivirus, you must ensure that the antivirus-related registry item was set by your antivirus before proceeding with manual installation. If you don’t use antivirus, set the antivirus-related registry item, so that Windows Update won’t blacklist relevant updates.

    Windows 7 Monthly Rollup (“Group A”) – recommended:

    If Windows Update offers KB4056894 then install it. If Windows Update doesn’t offer KB4056894, then if Windows Update offers KB4057400 then install it. If neither update is offered, then wait for the February 2018 Windows updates.

    Windows 7 Security-only patch (“Group B”) – for those who only want the security update, and none of the additional patches:

    Manually install KB4073578. Manually install KB4056568.

    Windows 8.1 Monthly Rollup (“Group A”) – recommended:

    If Windows Update offers KB4056895 then install it. If Windows Update doesn’t offer KB4056895, then if Windows Update offers KB4057401 then install it. If neither update is offered, then wait for the February 2018 Windows updates.

    Windows 8.1 Security-only patch (“Group B”) – for those who only want the security update, and none of the additional patches:

    Manually install KB4077561. Manually install KB4056568.

    @PKCano has a slightly different approach – with observations for Windows 10.

    As a prelim:
    1. Update your Anti-virus to the latest version of the PROGRAM. Check to be sure the ALLOW Regkey is set.
    2. Verify whether your CPU is Intel or AMD.
    3. Back up your computer!!!!!
    4. Rule: DO NOT CHECK ANYTHING THAT IS NOT CHECKED BY DEFAULT

    The following are only my choices. Make the choices that apply to your case.

    Windows 7 Monthly Rollup (“Group A”):
    I installed KB4056894 Monthly Rollup. If you have AMD and you feel unsure, download KB4073578 and install it manually first, then the Rollup. See AKB2000003. EDIT: See @abbodi86’s comment at #165285. Normally it is not recommended to install unchecked Preview patches, but in this case KB4057400 Preview probably contains the AMD fixes found in KB4073578.
    I installed MSRT
    I installed all the Office 2010 updates
    I have .NET 4.7 on all machines. I did not install .NET 4.7.1 (unchecked).
    My choice for .NET has always been the Rollups offered by WU.

    Windows 8.1 Monthly Rollup (“Group A”):
    I installed KB4056895 Monthly Rollup. If you have AMD and you feel unsure, download KB4073576 and install it manually first, then the Rollup. I suspect the PIC/APIC problem will be fixed in the Feb Rollup. See AKB2000003. EDIT: See @abbodi86’s comment at #165285. Normally it is not recommended to install unchecked Preview patches, but in this case KB4057401 Preview probably contains the fixes found in KB4073576 and KB4077561.
    I installed the IE Flash update
    I installed MSRT
    I installed all the Office 2010 updates
    I have .NET 4.7 on all machines. I did not install .NET 4.7.1 (unchecked).
    My choice for .NET has always been the Rollups offered by WU.

    Win10 1703
    Using wushowhide I hid KB4023057, KB4073543, and KB4056254
    I installed CU KB4057144 Build 15063.877
    I installed all the other non-driver patches.

    Win10 1709
    I have KB4056892 Build 16299.192 installed.
    I was not offered KB4058258 Build 16299.214 through WU and I did not try to manually install it. It seems to have an installation problem as noted here.

    @PKCano’s approach to Win7 and 8.1 patching is slightly more aggressive than @MrBrian’s. Both ways are valid (and better than the directions I gave in the Computerworld article). You should choose @MrBrian’s approach if you aren’t overly concerned about a looming Meltdown/Spectre attack. But if you’re worried about an imminent attack (which is to say, one that happens before the February patches have time to stew), go with @PKCano’s approach.
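
The pre-checks both posters describe (antivirus registry item, CPU vendor, which of the listed updates are already installed) can be scripted. The PowerShell below is an added example, not part of either poster's instructions; the registry key and value name are the ones Microsoft documents for the January 2018 antivirus compatibility check and do not appear in the post, and the function names are made up for this sketch. It only reads state and changes nothing.

```powershell
# Added example: read-only pre-check; KB numbers are the ones listed in this post.
$compatKey  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat'
$compatName = 'cadca5fe-87d3-4b96-b7fb-a231484277cc'  # not from the post; Microsoft-documented value name

$kbByOs = @{
    '6.1' = @{ Name = 'Windows 7';   Rollup = 'KB4056894'; Preview = 'KB4057400'
               SecurityOnly = @('KB4073578', 'KB4056568') }
    '6.3' = @{ Name = 'Windows 8.1'; Rollup = 'KB4056895'; Preview = 'KB4057401'
               SecurityOnly = @('KB4077561', 'KB4056568') }
}

function Test-AvCompatKey {
    # True only when the value exists and its data is 0.
    $p = Get-ItemProperty -Path $compatKey -Name $compatName -ErrorAction SilentlyContinue
    return ($null -ne $p) -and ($p.$compatName -eq 0)
}

function Get-KbState([string[]]$Ids, [string[]]$Installed) {
    # One row per KB, flagged by whether it is in the installed-hotfix list.
    foreach ($id in $Ids) {
        New-Object PSObject -Property @{ KB = $id; Installed = ($Installed -contains $id) }
    }
}

$v     = [Environment]::OSVersion.Version
$osKey = '{0}.{1}' -f $v.Major, $v.Minor
$cpu   = (Get-WmiObject Win32_Processor | Select-Object -First 1).Manufacturer

"Antivirus registry item set : $(Test-AvCompatKey)"
"CPU vendor                  : $cpu"   # GenuineIntel or AuthenticAMD

if ($kbByOs.ContainsKey($osKey)) {
    $t = $kbByOs[$osKey]
    $installed = @(Get-HotFix | ForEach-Object { $_.HotFixID })
    "$($t.Name): Group A (Rollup, then Preview)"
    Get-KbState @($t.Rollup, $t.Preview) $installed | Format-Table KB, Installed -AutoSize
    "$($t.Name): Group B (Security-only)"
    Get-KbState $t.SecurityOnly $installed | Format-Table KB, Installed -AutoSize
} else {
    "OS version $osKey is not Windows 7 or 8.1; the Group A/B lists above do not apply."
}
```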