• Patch Lady – some comments about the master listing

    So let me explain a bit about my patch chart this month and some of the optional items.

    First off let’s draw a line in the sand between Windows 10 and Windows 7, as they are two different patching beasts.

    Next let’s draw a line in the sand between Office 2010 and Office 2013, 2016 and the upcoming Office.

    Let’s take Windows 10 first.  You can control its updates and not have it control you as long as you understand one basic concept:  You must have the Pro version in order to give you the ability to easily hook into the Windows Update for Business patching policies to defer updates.  I am NOT a fan of deferring updates forever.  I do recommend that you try not to be part of the beta testing team of updates; unfortunately, and too often, if you install updates on the day they are released, you end up as part of the unofficial beta testing team.

    With the Pro version of Windows 10 you can put in place an option to defer updates for at least a week.  That is the normal time that we see issues shake out after Patch Tuesday. To do this on Pro, click on Start, Settings, Update and Security, Advanced and then put your settings as follows:

     

    Note:  You can also pause updates for up to 35 days if you hear of major issues.

    For Windows 7, the recommendation I give is to set updates to “download but do not install”.  This stages them ready to go but does not install them until you are ready to.

    I honestly would think carefully about why you want the security-only updates. Not every non-security update is a telemetry one.  Often there are fixes in the non-security updates that fix issues introduced by the security ones.  Not every optional patch is a bad thing.

    Now let’s talk about Office updating.  Office has “old way” and “new way”.  Old way means that you get offered up individual updates for Office if your version supports that.  This “old way” is default for Office 2010 and for those that purchase Office 2016 via volume license.  If you have purchased Office via Office 365 you are on the “new way” called click to run.  Click to run does its updating automatically and in the background.  It starts to trickle out during the second week of the month. 

    For those on the “old way”, you often decide to install only the security updates and not the non-security updates.  But doing so means that you got nailed this month by a dependency.  The security update for Word depended on the non-security update to properly let the application open up files.  If you failed to install the earlier non-security update from the week before, you saw the side effect.  If you installed it, you didn’t see the side effect.

    Because Click to Run installs both security and non-security updates at the same time, you get both at the same time, thus ensuring that you won’t see the issue that nailed all of us folks who want to only get the security updates. 

    For click to run installs I’ve noticed that many of the side effects come if you are on the “monthly” release and not the semi-annual channel.  As you can see in the master Office issue listing located here, there’s a known issue for the monthly click to run that’s been addressed:

    Outlook known issues in the March 2018 updates

    Meeting location updates are not reflected in recipient calendar [FIXED]

    Last updated: March 14, 2018

    ISSUE

    After updating to Version 1803 (Build 9126.2072), you may find that when you open an existing meeting in the calendar and send an update with updated location, the recipient still sees the old location. If you review the item in the Sent Items folder it shows the old location and was not updated.

    Note: This issue only affects Semi-Annual Channel (Targeted) and Monthly Channel (Targeted) versions using builds 9126.2072 and higher.

    STATUS: FIXED

    This issue is fixed by a change in the service. Restarting Outlook should fix the issue but you may have to restart Outlook up to three times to pick up the change.

    Information for this issue is also provided in this article: Meeting location updates are not reflected in recipient calendar in Outlook 2016.

     

     

    There is a way to opt out of the monthly channel and move to the semi-annual.  I’ll post on that tomorrow, just know that click to run has a monthly update cycle, a semi-annual targeted and then a semi-annual channel.  It’s a little bit confusing, I know, but all of this is about offering up feature releases.

    For my specific March master patch listing, I listed several Windows 10 updates as “optional” just because of the unusual release of updates in March.  We had several out of band fixes to Windows 10 1709 and 1703 due to various issues including fixes for inaccessible boot device and loss of USB devices.  If you didn’t happen to catch those extra updates that were released for 1709 there was no harm, no foul as they didn’t include any new security updates, and if you waited until the normal March second week releases, you’d get the same code plus the new security fixes for the month.

    One other thought to ponder: I know many here install updates manually from the catalog, but there is risk in manually patching and not letting Microsoft Update or Windows Update do its thing.   Take for example the Windows 10 servicing stack update of KB4090914 that has a warning that you should install it in a certain order:

    When installing both the servicing stack update and the latest cumulative update from the Microsoft Update Catalog, install the servicing stack update before you install the cumulative update.
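One way to enforce that ordering when installing catalog downloads by hand (an added example, not from the original post or from Microsoft): the script sorts the `.msu` files in a folder so that known servicing stack updates go first, then installs them one at a time with `wusa.exe`. The folder path is a placeholder, and the list of servicing stack KB numbers is something you maintain yourself from the KB articles; only KB4090914 comes from this post.

```powershell
# Added example: install downloaded .msu packages, servicing stack updates first.
param(
    [string]$MsuFolder = 'C:\Patches',             # hypothetical download folder
    [string[]]$ServicingStackKBs = @('KB4090914')  # SSU named in the post; extend from each KB article
)

# Extract the KB number from a catalog file name such as
# windows10.0-kb4090914-x64_<hash>.msu
function Get-KbId([string]$FileName) {
    if ($FileName -match '(?i)kb(\d{6,8})') { return "KB$($Matches[1])" }
    return $null
}

$packages = Get-ChildItem -Path $MsuFolder -Filter *.msu | ForEach-Object {
    $kb = Get-KbId $_.Name
    [pscustomobject]@{
        Path  = $_.FullName
        KB    = $kb
        IsSsu = $ServicingStackKBs -contains $kb
    }
}

# Servicing stack updates sort to the front; everything else follows by KB number.
$ordered = $packages |
    Sort-Object -Property @{ Expression = 'IsSsu'; Descending = $true }, KB

foreach ($pkg in $ordered) {
    Write-Host "Installing $($pkg.KB) (servicing stack: $($pkg.IsSsu))"
    $proc = Start-Process -FilePath wusa.exe `
        -ArgumentList "`"$($pkg.Path)`"", '/quiet', '/norestart' -Wait -PassThru
    $code = $proc.ExitCode
    if ($code -eq 0) {
        Write-Host '  installed'
    } elseif ($code -eq 3010) {
        Write-Host '  installed, reboot required'
    } elseif ($code -eq 2359302) {
        Write-Host '  already installed'
    } else {
        # Stop here so nothing later in the list goes on out of order.
        Write-Warning "  wusa.exe returned $code; stopping"
        break
    }
}
```

Run it from an elevated PowerShell prompt; it does not reboot the machine, so check the output for "reboot required" before moving on.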

    When you manually install updates you may end up with patches in an order that Microsoft didn’t intend.  So if you manually install updates make sure you read the KB articles for any patch dependencies and order directions in the information.  I’ll also recommend that anyone on the Windows 7 platform every now and then do a manual scan for updates just to see what is offered to you.  Remember that often you will get Office updates offered up for platforms you don’t think you have only because when you do in-place upgrades, there are often DLLs and files left over from the prior version.  Also if you install new business software, it often installs older C++ runtimes and .NET files that need updates.  So often you’ll think you are up to date… and you aren’t.  Stay tuned: there is even a way to do this manual scan in Windows 10 by using PowerShell.
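A manual scan of this kind can be done from PowerShell through the Windows Update Agent COM interface, which is present on both Windows 7 and Windows 10. This is an added example and not necessarily the method the author has in mind; it only lists what is offered and installs nothing.

```powershell
# Added example: read-only scan for updates that are offered but not installed.
# Uses the Windows Update Agent COM API and whatever update source the
# machine is already configured for (Windows Update, Microsoft Update or WSUS).
$session  = New-Object -ComObject Microsoft.Update.Session
$searcher = $session.CreateUpdateSearcher()
$result   = $searcher.Search('IsInstalled=0 and IsHidden=0')

$offered = foreach ($u in $result.Updates) {
    [pscustomobject]@{
        KB         = ($u.KBArticleIDs | ForEach-Object { "KB$_" }) -join ','
        Severity   = if ($u.MsrcSeverity) { $u.MsrcSeverity } else { 'n/a' }
        Categories = ($u.Categories | ForEach-Object { $_.Name }) -join '; '
        Downloaded = $u.IsDownloaded
        Title      = $u.Title
    }
}

if (-not $offered) {
    Write-Host 'No updates are currently offered to this machine.'
} else {
    # Full list, grouped visually by product category.
    $offered | Sort-Object Categories, KB |
        Format-Table KB, Severity, Downloaded, Categories, Title -AutoSize -Wrap

    # Count per category: leftover components from an older Office version or
    # old runtimes installed by other software show up as their own rows here.
    $offered | Group-Object Categories |
        Sort-Object Count -Descending |
        Format-Table Count, Name -AutoSize
}
```

Office and other non-Windows product updates appear in the results only if the machine is opted in to Microsoft Update rather than plain Windows Update.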