How to clean-install a Windows 10 upgrade

How to clean-install a Windows 10 upgrade

The current, free, Win10 upgrade is meant to convert an existing Win7 or Win8 setup to Win10, while retaining the user files and as much of the existing settings, software, and customizations as possible.

But if you know how, you also can use the upgrade to give your PC a totally fresh, from-scratch start; you’ll get a clean install that can’t carry over any potential problems from your current setup — no errors, no misconfigurations, and no junk.

A clean install ensures that your new Win10 setup is 100 percent pristine — and as lean and clean as possible.

One of the clean-install methods described below lets you place all Win10 setup files on a self-contained, bootable DVD or flash drive. You can then tuck this setup medium away for safekeeping to use in the future, should your Win10 system ever need major repair, recovery, or reinstallation.

Note that while a clean Win10 install isn’t hard, it must be done correctly in order to preserve your system’s qualification for permanent, ongoing, free use of Win10.

This article will show you several different ways to use the free Win10 upgrade to perform a safe, completely legitimate, clean install — including via bootable DVD or flash drive.

Two steps to a completely clean Win10 setup

There are numerous details to a clean Win10 install, but the process has only two major parts.

First, you must — at least temporarily — upgrade your current Win7/8 system to Win10, the standard way. During this initial upgrade, Microsoft’s activation servers create and store a unique and permanent machine ID that’s based on your old Windows key plus the system’s hardware.

During the upgrade, Microsoft will also automatically issue you a new, generic Win10 product key. But it works only after your PC has been successfully upgraded to Win10 and activated. (This is how Microsoft intends to prevent piracy of the free Win10 upgrade.)

After your system has successfully completed an initial upgrade to Win10 and it has been registered with Microsoft’s activation servers, you then can wipe out the Win10 upgrade setup and perform a thorough, from-scratch, clean install.

At the end of that process, your PC will again check in with Microsoft. But because your system was previously whitelisted on the MS activation servers, your new clean-install setup will pass muster — recognized as 100 percent legitimate.

Again, the essential first step in using the free Win10 upgrade for a clean-install is to perform a normal upgrade of your current Win7/8 PC to Win10. I’ll cover that in the next section.

If you’ve already successfully upgraded to Win10 and you’re now ready to begin your clean install, skip to the section below, “The two major types of clean-install.”

In brief: The essential, initial upgrade

Because this article is mainly about clean installs — not upgrades— I’ll go fast here.

If your intent is to do a clean install of Windows 10, you waste time making your current Win7/8 system lean and clean: it’s all going to go away later, during the clean install.

For now, just make sure your current system is fully upgraded and working at least well enough to survive the upgrade to Win10. For some maintenance suggestions, see the Jan. 16, 2014 Top Story, “Keep a healthy PC: A routine-maintenance guide.”

And, of course, make a full, complete backup (preferably an image backup) of your system, so you can roll back to Win7/8 if anything goes wrong with the initial upgrade.

The upgrade process itself is very easy: you can use the Windows Update method or the option described on Microsoft’s “Upgrade to Windows 10 for free” page). You can also download and run the free Windows Media Creation Tool (site), selecting the “Upgrade this PC now” option shown in Figure 1 (more on this, below).

Any of these Win10 upgrade methods will produce the same result.

When the upgrade’s done, check that Win10 is activated. Open the Win10 Start menu and select Settings/Update & security/Activation. If the window displays Windows is activated, you’re good to go — your system is ready for a clean installation.

If your Win10 upgrade isn’t activated, jump down to the “Last setup steps and activation troubleshooting” section for suggested remedies.

The two major types of clean-install

You have two main options for performing a Win10 clean install:

The Reset this PC option is built right in to Win10. (It’s also in Win8.) This method takes just a few clicks; it restores the operating system files to their original condition and removes all apps, files, and settings. This type of clean install is extremely reliable, in part because it takes place on a setup that’s already working and activated.

The Reset method’s major downside is that it’s not quite as thorough as the bare-metal reinstall method, below. Depending on how you do the Reset, some of the initial Win10 upgrade files may be reused, and you won’t have the option of reformatting drives or partitions.

The bare-metal reinstall method is 100 percent complete — nothing at all is carried over from the initial Win10 upgrade setup. You can even reformat your hard drive prior to installation if you want or need to; or use this method to set up Win10 on a brand-new, empty hard drive. Plus, you’ll end up with a complete Win10 setup DVD or flash drive you can later use, if you need to, for system repairs, recovery, or reinstalls.

The principal drawback to the bare-metal method is that it requires a bit more effort to accomplish. There also is a slightly higher risk of running into problems with system drivers or with activation.

You can use either clean-install method. In fact, you can even use them together. For example, you can use the easy, sure, Reset method to produce a clean install and then use the bare-metal method to generate a bootable DVD or flash drive. Use either method, or both; it’s your choice.

But in either case, before you do any sort of clean install, make a new, fresh backup or system image of your original Win10 upgrade setup, so you can roll back to this initial point in case something goes wrong with the clean install.

For your later convenience, you might also wish to make a separate copy of your user files (e.g. Documents, Music, etc.) in a safe location such as an external drive. This precaution will make it quick and easy to restore these files to your new setup after the clean install.

It’s also wise to ensure you have any required installation codes or keys you’ll need to restore the apps you intend to use after the clean install.

The fast, easy, Reset clean-install method

Both Windows 10 and Windows 8 have a built-in operating-system Reset option. The tool lets you keep your files but remove apps and settings — or remove everything for a completely fresh Windows installation. (Note: Neither option lets you reformat drives or partitions.) Here’s how to set up a clean install:

• From the Win10 desktop, open the Start menu and click Settings/Update & Security/Recovery. Next, click the Get started button under “Reset this PC.” In the next screen, select Remove everything (see Figure 2). Follow the on-screen prompts.
  

  Figure 2. As described, the Remove everything option removes everything but the base OS.

• Alternatively, you can use the Windows Media Creation Tool (WMCT; free; site). Download and run the version of the tool that matches the bittedness (32 or 64) of your Win10 system. When offered, select Upgrade this PC now (shown above in Figure 1) and then follow the on-screen prompts.

  When the Media Creation Tool shows the Ready to install window, click the Change what to keep option (Figure 3).

  

  Figure 3. For a clean install using WMCT, you must click the Change what to keep option.

  In the next window, select Nothing (Figure 4) to remove all previous files, apps, and settings.

  

  Figure 4. WMCT's choose nothing option

Whether you used Win10’s built-in Reset option or the Windows Media Creation Tool, run through the remaining on-screen prompts to reset Windows 10 to a clean, unmodified state.

For more information, skip down to the section labeled “Last steps: Activation and troubleshooting.”

A bare-metal install, Step 1: create setup media

This method ensures that nothing — absolutely nothing — gets carried over from any previous setup. It’s a full, fresh start that deletes your previous Windows installation in its entirety.

It’s not hard to do but is more complicated than the Reset method described above. It starts with creating Win10 installation media. Here are the steps:

• For safety’s sake, first make note of your Win10 product key. It’s easy to find using free tools such as NirSoft’s Produkey (site) or the hideously named Magical Jelly Bean Keyfinder (site).

  Warning: As with all “free” apps, select Custom Installation when the setup program offers it; then deselect any unrelated or tag-along software or toolbars that you don’t want installed.

• Next, download Windows Media Creation Tool (WMCT; free download), choosing either the 32- or 64-bit version that matches the bittedness of the system receiving the clean install.
• Run WMCT and select Create installation media for another PC when offered (Figure 5). Click Next.
  

  Figure 5. WMCT can make a bootable DVD or flash drive that contains all Win10 setup files.

• In the next window, select the language, edition, and architecture that match your original Win10 upgrade — for example, “English (United States),” “Windows 10 Pro,” and “64-bit (x64),” as shown in Figure 6. When you’re finished, click Next.
  

  Figure 6. Select the system settings that that match your original Win10 upgrade.

• Next, you’ll see the Choose what media to use window. You have two choices for creating bootable setup media — flash drive or DVD (Figure 7). I’ll start with the USB flash-drive option.
  

  Figure 7. WMCT lets you create self-booting, Win10-setup media on either a flash drive or a DVD.

  Creating flash-drive media: Plug a 3GB or larger flash drive into an available USB port. (Warning: All files on the drive will be erased.)

  In WMCT’s Select a USB flash drive prompt, select the drive letter for the flash drive you just plugged in (Figure 8). Click Next.

  

  Figure 8. Be sure to select the correct removable-media drive (H:, in this example).

  WMCT will download and verify the Win10 installation files, burn them to the flash drive, and then make the flash drive bootable. This process will take some time, but you can continue to use your PC in the meantime.

  At the end of the process, WMCT will display Your USB flash drive is ready (Figure 9). Click Finish.

  

  Figure 9: WMCT's flash drive-ready notification

  Creating DVD-based installation media: Assuming your PC has a DVD burner (not a given, anymore), select ISO file under WMCT’s “Choose what media to use” prompt (Figure 10) — then click Next.

  

  Figure 10. Select ISO file if you prefer to use a bootable installation DVD.

  You’ll be asked where to place the downloaded setup file and what to call it. By default, the file is called Windows.iso, and it’s stored in your Documents folder. But you can give it a clearer name (for example, Win10Pro64.iso) and place the file wherever you wish.

  WMCT will then download and verify the Win10 installation files and prepare them for burning to a blank DVD. This process will take a few minutes, but you can continue to use your PC in the meantime.

  When the file is ready, you’ll see the “Burn the ISO file to a DVD” window. Insert a blank disc into your DVD drive and then click Open DVD burner (Figure 11).

  

  Figure 11. The burn-an-ISO prompt

  When “Windows Disc Image Burner” opens, click Burn to begin creating the bootable DVD. (Recommended option: Tick the Verify disc after burning box shown in Figure 12 to ensure the integrity of the files after they’re burned to the disc.)

  

  Figure 12. Win10's built-in Disc Image Burner will convert the .iso setup file to a live, bootable DVD.

A bare-metal install, Step 2: Setting up Win10

Your new, bootable flash drive or DVD contains everything you need to set up a standard Windows 10 installation. To clean-install Win10, you simply boot from either medium and follow the normal Windows setup routines. (You’ll see the details in a moment.)

First, however, a potential stumbling block is the Unified Extensible Firmware Interface (UEFI) commonly used by newer PCs — especially PCs that came with Win8 preinstalled. UEFI might prevent easy booting from external devices such as flash drives or DVDs.

If you have trouble booting from your Win10 setup medium, the following articles should help:

• “How to solve UEFI boot and startup problems” – Dec. 11, 2014, Top Story
• “Emergency repair disks for Windows: Part 2” – April 17, 2014, Top Story

When you successfully boot to the Win10 flash drive or DVD, the setup program should automatically launch. The followings steps will complete the setup process.

• On the first screen, select your preferred language, time and currency format, and keyboard layout. On the second screen, select Install now.
• You’ll be asked to enter your Win10 product key, which you should have copied earlier. Either enter it now or click Skip to defer the activation check. (I recommend clicking Skip and deferring the check, especially on newer, UEFI PCs. In many cases, the Win10 setup program will extract the original hardware key from the UEFI firmware and self-Activate Win10 for you. This procedure can avoid problems with mistyping the 25-character key.)
• Next, you’ll be asked to accept the standard Windows License; do so.
• When you get to the prompt “Which type of installation do you want,” click Custom to begin the clean-install process (Figure 13).
  

  Figure 13. Select the Custom install option.

• In the Where do you want to install Windows dialog box, delete the partition(s) that contained your previous Windows installation — they’ll then be converted to “Unallocated Space” (Figure 14). Click Next to continue the setup process.
  

  Figure 14. Deleted Win10 partitions are returned to a drive's empty, unallocated space.

• Win10 setup will then automatically partition and format the unallocated space as needed. It will then begin copying and installing files from the flash drive or DVD to the newly formatted disk space.
• When the initial setup is done, if you didn’t previously enter the product key, you’ll see the nag screen It’s time to enter the product key. You can enter the key now or — as before — defer activation by clicking the offered Do this later link. (Again, I recommend deferral.)

Last setup steps and activation troubleshooting

The normal Win10 setup then continues — and the normal caveats apply.

For example, on the Get going fast prompt, I recommend you not elect to Use Express settings, but choose instead the Customize settings option, which lets you adjust Win10’s privacy-related features and functions to your liking. (For more information on controlling Win10’s privacy settings, see the LangaList Plus column in this issue.)

When the setup’s finally done, check that your new Win10 clean-install is properly activated. Open the start menu and select Settings/Update & security/Activation. If the window displays Windows is Activated, you’re all set. If not, click the Activate Windows button.

If Win10 won’t activate, don’t panic: there are a number of utterly mundane reasons why Win10 might not complete activation right away, as explained on Microsoft’s “Get help with Windows 10 activation errors” page. For example, one of the reasons for a failure is simply that “the activation servers were busy.”

But if you followed the steps outlined here — such as successfully upgrading your Win7/8 PC to Win10 before attempting a clean install — the activation should take place in short order.

If you don’t want to wait, some users report that they’ve successfully hastened automatic activation by rebooting several times — or by using SLMGR, the software-licensing management tool. To use SLMGR, open an admin-level command prompt (right-click the start flag and select Command Prompt (Admin)) and enter slmgr.vbs /ato at the command prompt; a dialog box will open, displaying the results of the activation attempt (more info via TechNet).

If you need additional help, see the Microsoft Answers page, “How to activate and resolve common product-key issues in Windows 10.”

If none of the above works, Microsoft lists still more options on the “Why can’t I Activate Windows 10?” page, including information on the extremely helpful Activate by phone service. Although I haven’t had to use it for Win10, I’ve used that service in other circumstances in which a legitimate copy of Windows simply would not activate correctly via the Internet. Activate by phone was easy to use and always worked when I needed it.

If you tried a bare-metal reinstall and ran into insurmountable activation problems — or if you ran into device-driver issues — restore the backup you made at the start of this process and then use the Reset this PC clean-install option described above. That method is more forgiving and usually avoids activation and driver issues.

When your from-bare-metal installation is finished, Win10 should be ready for business. You can now set up whatever apps you wish and copy your user files from whatever backup location you stored them.

Enjoy your brand-new, clean-as-a-whistle, Win10 setup!

Working through Win10's many privacy settings

Despite what you might’ve heard, Windows 10 lets you control numerous privacy settings, spread across 13 different categories. Here’s how find and adjust them.

Plus: File-permissions problems after an upgrade, Win7 PCs suddenly refuse to install new apps, and proof that an abused lithium-ion battery really can act like a little bomb.

Stories about Win10’s user privacy spark concern

After reading reports online, reader JC Warren is concerned about the kinds of data Microsoft collects from Win10 users.

• “I read an article regarding Windows 10 privacy settings. It states that Microsoft is logging users’ keystrokes and monitoring everything they do.

  “I haven’t installed Win10 yet — and I might not, if this is true. It seems pretty creepy.

  “I’d be interested in your thoughts.”

There’s a lot of misinformation out there about Win10 privacy.

Windows 10 Technical Preview — which was basically beta software — collected lots of system information so that Microsoft could see how people were using the OS and where things went wrong. After all, that’s the whole point of a beta test.

That said, the current shipping version of Win10 doesn’t contain secret keyloggers or other nefarious add-ins. Moreover, most of Win10’s privacy settings are accessible to users and adjustable — and most are a simple on/off option.

For example, my Win10 system has more than 60 user-selectable privacy settings. (The exact number of available settings varies from system to system, depending on which apps and hardware you have installed.)

I’ll tell you how to access and adjust these settings in a moment. But first you should know that Microsoft’s data-collection practices are generally in line with those of other major tech companies. Win10 collects the same types of data commonly collected by operating systems and apps from Apple, Google, Samsung, Yahoo, and others.

Take, for example, tasks such as search, typing, swiping, spell-checking, handwriting translation, and predictive text entry. The enabling apps from all the companies I just listed periodically communicate your actions back to their respective motherships. There, servers pool your data with everyone else’s to develop statistical profiles. The benefit for users is better applications.

All voice-control applications such as Cortana, Siri, OK Google, and Hey Galaxy must send your requests back to online servers to provide correct answers. To work efficiently, these apps continuously listen for their trigger phrases; they might send everything they hear back to their online servers to help improve natural-language parsing.

And, of course, the URLs and search terms you enter into a browser are sent to Apple, Google, Microsoft, Yahoo, or whomever for processing. They all use some of that information for analysis and/or targeted advertising. That’s how Web-based searches work.

So data collection has been common for years, primarily on mobile devices. What’s changed with Win10 is that all this Web-dependent technology is now showing up in force on a desktop system.

In my opinion, we’re seeing a double standard at play. When Apple, Google, and others collect your data, everyone pronounces it “magical.” When Microsoft does the same thing (with Bing and Cortana), it’s reported as evil and intrusive.

If you want to know what Microsoft says it collects, you can review the “Windows 10 and privacy” FAQ and the official Microsoft Privacy Statement page online.

If you’d like help parsing the legalese of the Privacy Statement, The Verge offers what seems to me to be a plain-English, hysteria-free, and reasonably accurate interpretation of the Microsoft Privacy Statement here.

Adjusting Win10’s privacy settings: With all that in mind, you can make your own decisions about what Win10 sends back to Microsoft. Here’s how.

If you’re installing Win10, the best, first step is to not accept “Express settings.” Instead, click “Customize settings” and step through the options for fine-tuning the types and quantities of information you’ll allow Microsoft to collect.

Even if you use “Express settings,” you can always access the full range of Win10 privacy settings. Simply open the Start menu and then select Settings/Privacy. You’ll see a list (see Figure 1) of 13 general privacy categories, each of which offers a panel of controls and options.

After you’ve read the aforementioned FAQ and Privacy Statement and you’ve reviewed the available privacy settings on your system, you’ll have the information you need to decide whether your privacy requirements can be accommodated by the new OS.

It’s fair to say we don’t know exactly what Microsoft actually collects and what it does with that data. But in my opinion, the company isn’t doing anything nefarious — or even unusual. In fact, Win10 gives you more control over privacy than any other OS I’ve seen.

File-permissions problems after Win10 upgrade

Windows’ file and folder attributes are incredibly complex. So it should be no surprise that they sometimes get mangled.

In addition to the seven basic attributes (Archive, Hidden, System, Read-only, Compressed, Encrypted, and Indexed) about which most experienced Windows users know, the OS also supports 18 or more additional security attributes, including “Read,” “Write,” “Read & Execute,” “List Folder Contents,” “Modify,” “Full Control,” and other variations.

I’ve run afoul of permissions problems myself: I once had trouble accessing my files on external USB drives because Windows decided I was no longer authorized to do so.

Reader Don Mau’s problem is more limited — but probably no less frustrating. I’ll cover his issue, but I’ll also point out solutions for other, more complex permissions problems.

• “I can’t use my files after updating. How do I get rid of the read-only attribute in my Documents and Download folders?”

Removing read-only attributes is usually a snap, and should take only a minute or two. Here’s how:

In an admin-level account, right-click the read-only files or folders and select Properties. Under the General tab, untick the box for Read-only and then click OK. After a few seconds (depending on number of affected files and folders) all the selected files/folders should no longer be read-only.

If that doesn’t work — or if you encounter other issues relating to access permissions — you’ll have to dig a little deeper.

For complete details, click the May 21 LangaList Plus, “Windows 8 upgrade error locks user’s files.” Skip down to the paragraph that begins, “Whether or not these workarounds let you copy your files, you’ll eventually want to permanently resolve the permissions problems.”

The instructions there walk you through how to regain control of all your files, no matter which attribute is screwed up.

Win7 PCs suddenly refuse to run new apps

Several of the PCs that C. R. Taliaferro maintains have suddenly balked at running new programs.

• “Hi Fred.

  “One PC I manage is running 64-bit Win 7 SP1. It’s generally well updated, and Windows Update works fine. Recently, however, we’ve been unable to download and install CCleaner, Adobe Flash, Skype, Chrome, and other apps. The apps download successfully, but when we click ‘run,’ we get a crash. It happens whether the app was downloaded with Mozilla, IE, or Chrome.

  “If I try to transfer the same programs to a different machine with a flash drive, they’ll not install there either. I feel this is probably a Windows problem. Also, I’m running WinPatrol, Avast, and other blockers.

  “What’s going on?”

If this were a general problem with Windows 7, message boards all over the world would be lit up, with millions of users screaming about suddenly being unable to install new software.

Since that’s not happening, I can only assume that the problem is with something in your specific setup.

A variety of issues could be at play — such as trying to install 64-bit software on a 32-bit PC.

In your case, the culprit is more likely the software you’ve installed — specifically, the blockers you mention. The freshly downloaded files are blocked, locked, or otherwise neutered (i.e., rendered not runnable).

Furthermore, I’ll bet you’re running the same blockers on all the systems you maintain. That’s likely why you can’t get the software installed on any of your machines.

I would start by disabling all blocker software. Then download and install the software you wish, using the Run as administrator option.

With nothing in the way, I bet your downloads — and the rest of Win7 — will resume normal operation.

Yes, a Li-ion battery really can be dangerous

In “How to make lithium-ion batteries last for years” (Aug. 13 Top Story), I described how I accidentally abused my smartphone’s lithium-ion battery, causing it to deform and swell due to internal gas pressure. Figure 2 shows an end-on view of the battery’s bulge.

Some of you might have thought I was exaggerating when I wrote: “The battery’s case had done its job — it had contained the gases — but the battery was now potentially a tiny, pressure-cooker bomb, just waiting for something to set it off.”

I wasn’t. Figure 3 — a screenshot of a video from a U.K. science blogger — shows dramatically what can happen to a damaged battery.

The still image doesn’t do justice to the full violence of the event. Check out the full 15-second Vine clip. Once you see it, you’ll know why I was so alarmed by my phone’s bulging battery — and why proper charging of Li-ion devices is so important.

Learning new-to-us facts by accident

Lounge member access-mdb accepted genial ribbing from fellow Loungers in the Third-Party Browsers forum, when he confessed he’d learned a Firefox tab-moving trick by accident.

In the ensuing discussion, he learned why he might want to use that feature in future — as did some other Loungers. You might want to see discovery in progress by checking in on that conversation.

The following links are this week’s most interesting Lounge threads, including several new questions for which you might have answers:

Office Applications
General Productivity	Use Office 365 Personal after clean-install of Win10?
Word Processing	Mac Word to Windows Word?
Spreadsheets	Possible to compare data in two sheets with VBA?
Databases	Use field value as query column heading?
Presentation Apps	Function failure, “Find whole words only” checkbox resets after each slide
Visual Basic for Apps	Excel 2010: Can’t update; database or object is read-only
Microsoft Outlook	Reverse DNS leads to blacklisting
Non-Outlook E-mail	Windows Live Mail hangs and must be forced to close
Other MS Apps	OneNote typing not smooth
Windows
General Windows	View who’s connected to my Wi-Fi?
Windows 10	Printer causing Office problems
Windows 8	Unsuccessful refresh
Windows 7	Suspicious of KB 2882822
Windows XP	Remove sign-in requirement
Windows Servers	Schedule task to move files to network drive
Internet/Connectivity
Internet Explorer and Edge	Change “Home” destination in Edge
Third-Party Browsers	New to Firefox feature
Networking	Need to extend Wi-Fi range
Software Development
Windows Programming	Might interest PowerShell programmers
Other Technologies
Non-Microsoft OSes	Need help with VirtualBox/Linux
Security & Scams	Win10 telemetry passed on to Win7 and Win8
Maintenance	Deal on Revo Uninstaller Pro
Hardware	Surface Pro 3 resolution/scaling

starred posts: particularly useful

If you’re not already a Lounge member, use the quick registration form to sign up for free. The ability to post comments and take advantage of other Lounge features is available only to registered members.

If you’re already registered, you can jump right into today’s discussions in the Lounge.

The fine art of carrying on at Burning Man

Burning Man, the annual arts festival in the Nevada desert, has a big reputation to go with its radical reality. Like all outsized ideas, Burning Man is subject to adjustment. This video illustrates a few interesting truths that have emerged from years of Black Rock City’s sudden end-of-summer appearances and vanishing acts. Click below or go to the original YouTube video.

Only one season for Windows and Office patching

September is the start of another school year for many children, but Windows patching is a never-ending lesson in new vulnerabilities.

This month is fairly typical for the number and variety of updates. But an Edge patch proves that no software is perfect.

As I write this article, I’m cruising at 33,000 feet, on my way to a technology conference. It’s a good thing that Patch Tuesday doesn’t apply to airplanes, or we’d all be staying out of the air for a few days each month.

Now if I can only convince my editor to reimburse me for the cost of the onboard Wi-Fi. The United 737 has free power in the seats (well, slightly under the seat — you have to be a bit of a contortionist to get to it) and Wi-Fi for a fee.

I must say, I was pleasantly surprised by the reasonable Internet speed (see Figure 1) — and that I could remote-access my office computer. (Even more pronounced on the plane than at home, Internet uploads are much slower than downloads.) Not surprisingly, I could use more elbow room while working on my laptop, but there’s sufficient space to type up this week’s Patch Watch and keep an eye out for patching issues.

MS15-097

Security fix for Windows graphics breaks games

If you’re fond of computer gaming, you’ll want to consider whether to install the patches in MS15-097, which fix several vulnerabilities in the Microsoft Graphics Component. The patch fixes three elevated-privilege exploits via font drivers and the Win32k driver. Another vulnerability could allow an attacker to bypass the Kernel Address Space Layout Randomization (KASLR) security system.

Unfortunately, these patches have a potentially nasty side effect: after installation, some games may no longer run — primarily those that require the Macrovision SafeDisk driver (secdrv.sys), used by many game developers to protect their systems from piracy.

The secdrv.sys driver is now vulnerable to attack, so Microsoft is using this update to turn the service off. According to the update’s description:

“After you install this security update, some programs may not run. (For example, some video games may not run.) To work around this issue, you can temporarily turn on the service for the secdrv.sys driver by running certain commands or by editing the registry.”

In truth, the process of enabling and disabling the service is not user friendly. But the aforementioned description does tell you how to do it.

Windows 7 and 8 users will see KB 3087039, which is rated important. Vista and Windows Server 2008 users will also see KB 3087135, rated critical. On Windows 10, the update is included in cumulative patch KB 3081455. You might also see related critical updates for Office 2007/2010 (KB 3085529 and 3085546) and Microsoft Lync 2013 (KB 3085500).

What to do: Vista users should install update MS15-097 (KBs 3087039 and 3087135) — and be ready to roll the update back if it causes problems with games. All other Windows users can wait a week or two before installing KB 3087039.

MS15-094 (3087038)

Time for the monthly browser security review

Rated critical, KB 3087038, September’s cumulative Internet Explorer update, patches 17 vulnerabilities. Without the fixes, merely viewing a malicious webpage could give an attacker access to your system.

As usual, now’s a good time to ensure that all your other browsers are fully up to date. That also goes for Adobe Flash Player and other browser helpers.

What to do: Install KB 3087038 (MS15-094) as soon as possible.

MS15-095 (3081455)

Windows 10 Edge is not bulletproof

It was hoped that Microsoft’s new Edge browser would be highly resistant to attack. But it’s already getting critical fixes for four memory-corruption vulnerabilities. Viewing malicious Web content or opening a bogus attachment could let an attacker take remote control of a Win10 system. (Doesn’t that sound all too familiar?)

Note that this patch is included in Win10 cumulative update — KB 3081455 — which includes both security and nonsecurity fixes.

Microsoft is also testing the next “branch” release of Win10, reportedly due out in October. Anyone participating in the Windows Insider Program (site) might see it a bit earlier.

What to do: KB 3081455 will show up in Windows 10 automatically. Your only choice is when you allow a system reboot.

MS15-098 (3069114)

Opening a journal file can be perilous

Possibly the least-used app in Windows is the Windows Journal (more info), designed for simple note taking. But five vulnerabilities in the software could lead to remote attacks or a denial of service, via malicious Journal files.

Rated critical, the patch applies to all supported versions of Windows.

What to do: I expect that hackers will try this exploit soon. Vista through Win8 users should install KB 3069114 (MS15-098) as soon as possible. Win10 users will get the patch in cumulative-update KB 3081455.

MS15-099 (3089664)

A passel of MS Office security patches

The Office security patches in MS15-099 fix several vulnerabilities that could allow attacks via malicious Office files. These days, any update to Office typically includes something for MS SharePoint as well. September is no exception. Along with various patches for all supported versions of Office, server admins should see several updates for SharePoint Server 2013.

Admins should remember that installing SharePoint updates is not enough — you typically need to also run psconfig to complete the patch installation.

For desktop systems, these security patches include:

• 3054932 – Office 2013 SP1
• 3054965 – Office 2010 SP2
• 3054987 – Office 2007
• 3054993 – Office Compatibility Pack SP3
• 3054995 – Excel Viewer
• 3085502 – Excel 2013
• 3085526 – Excel 2010
• 3085543 – Excel 2007
• 3088501 – Excel for Mac 2011

(During the flight, I’m sitting next to a gentleman with a MacBook Pro. I wonder whether I should point out that he’ll be patching his machine when he gets to his destination.

What to do: Some of these patches are rated critical; install any of the above when offered. For more information, see MS Security Bulletin MS15-099.

MS15-100 (3087918)

Keeping WMC safe from bogus link files

Windows Media Center was dumped from Windows 10, but it still represents a potential threat on all other Windows platforms. Rated important, KB 3087918 fixes a vulnerability that could allow remote attacks via malicious Media Center link (.mcl) files. (MCL files are used to link Media Center to third-party apps.)

As with many of the remote-execution vulnerabilities mentioned above, the level of threat from this WMC flaw depends on the user’s current rights. It’s a reminder that we should be doing most of our computing tasks in a non-admin account.

What to do: Install KB 3087918 (MS15-100) if you have Windows Media Center on your system.

MS15-101 (3089662)

Install .NET Framework all by itself

Given the number of September updates, it’s likely that one or two will fail to install. But fear not: typically, if a patch fails the first time, it’ll succeed when you try it again. .NET Framework updates have a long history of being problematic. So I recommend cutting to the chase and installing the .NET updates in MS15-101 separately. That should reduce the potential for failure.

Rated important, the patches fix yet another elevation-of-privileges threat. But exploits for the vulnerabilities are already in the wild, so you should install this update as soon as possible.

You might see the following updates offered:

• KB 3074229 – .NET 4.5/4.5.1/4.5.2
• KB 3074541 – .NET 2.0 SP2
• KB 3074543 – .NET 3.5.1
• KB 3074544 – .NET 3.5
• KB 3074545 – .NET 3.5
• KB 3074547 – .NET 4
• KB 3074548 – .NET 4.5.1/4.5.2
• KB 3074550 – .NET 4.5/4.5.1/4.5.2
• KB 3074552 – .NET 4.6
• KB 3074553 – .NET 4.6
• KB 3074554 – .NET 4.6

What to do: Install any of the .NET updates in MS15-101 when offered.

MS15-102 (3082089, 3084135)

Fixing flaws in Windows Task Management system

Most experienced Windows users are familiar with the Task Scheduler. It’s handy for starting and scheduling applications and events. But three recently revealed flaws in the Task Management system could allow elevation-of-privilege attacks. For a successful exploit, the hacker needs to trick a user into running a malicious application. So the patches are rated merely important.

What to do: Install KBs 3084135 and 3082089 (MS15-102) if offered.

MS15-096, MS15-103, MS15-104, MS15-105

Mail and network updates for server admins

KB 3072595 (MS15-096) fixes and Active Directory service flaw that could allow denial-of-service attacks. The update is rated just important because attacker must be signed in to a network in order to launch an attack.

KB 3087126 (MS15-103), rated important, affects MS Exchange Server 2013, Microsoft’s newest email platform. Two vulnerabilities might allow spoofing; a third could result in data disclosure if Outlook Web Access (OWA) fails to properly handle Web requests.

Apparently, good and bad things come in threes. Skype for Business 2015 and Lync 2013 servers will need KB 3061064 or KB 3080353 (MS15-104) respectively to fix a trio of elevation-of-privilege and data-disclosure vulnerabilities. Be sure that the latest cumulative updates for the servers are installed first.

Finally, KB 3087088 (MS15-105) patches a flaw in Hyper-V for Win8.1 and Win10 systems. Running a malicious application, a hacker could cause Hyper-V to incorrectly apply Access Control List configuration settings.

What to do: Install these updates after testing.

Septembers list of nonsecurity updates

This Patch Tuesday, Microsoft gave us a respite from new Windows nonsecurity updates. It released only a couple of hotfixes, such as one for slow sign-ins, caused by August’s security updates. However, you might also see updates from previous months; Microsoft has changed their status to prechecked in Windows Update.

Office, of course, had a long list of new fixes. As usual, I recommend leaving them for the end of the month.

Windows 8 and 8.1

• 3092627 – Fix for slow sign-ins

Windows 10

• 3081454 – Upgrading compatibility

Office 2007/2010

• 3085513 – PowerPoint 2010; IRM presentation errors, “Update Links” issues
• 3085518 – Word 2010; various fixes
• 3085525 – Outlook 2010 junk-mail filter
• 3055042 – Office 2010; English proofing, worksheet printing format errors
• 3055047 – Excel 2010; formatting issues when saving sheet as PDF
• 3085516 – Office 2010; various fixes
• 3085522 – Outlook 2010; permissions warning, “public group” errors
• 3085531 – Project 2010; “Units” value error in Resources tab
• 3085547 – Outlook 2007 junk-mail filter

Office 2013

• 3023050 – Publisher; enables SSO, active accounts can’t open files
• 3039739 – Excel; Power Query failures
• 3039766 – Word; crashes after using People Picker
• 3054923 – Office; additions to PowerPoint object model, formatting issues on save
• 3055010 – Office; Kazakh translations
• 3055011 – Office; English proofing
• 3085478 – PowerPoint; additions to object model, enables SSO, open-file issues
• 3085479 – Office; enables SSO, active accounts can’t open files
• 3085480 – Office; various fixes and enhancements
• 3085490 – Update for Microsoft Word 2013
• 3085491 – OneNote; enables SSO; Rich Text docs imported as images
• 3085493 – Office; enables SSO, active accounts can’t open files
• 3085495 – Outlook; numerous fixes and enhancements
• 3085499 – Office; junk-mail filter
• 3085503 – Access; enables SSO for ADAL, formatting issues with DBSC text
• 3085504 – Office; SSL 3.0, TLS 1.1, and TLS 1.2 support, OneDrive file-merge errors
• 3085506 – Excel; formatting issues when saving sheet as PDF

Other updates

• 3054870 – SharePoint Server 2013; spell-check stalls and error messages
• 3054967 – SharePoint Server 2010 Excel Web App; menus missing after IE 11 update
• 3054998 – SharePoint Server 2013; English proofing
• 3055032 – SharePoint Server 2010; English proofing
• 3055036 – SharePoint Server 2010; menu items missing after IE 11 update
• 3055043 – SharePoint Server 2010 Office Web Apps; English proofing
• 3085481 – SharePoint Server 2013; various fixes
• 3085484 – Visio 2013; enables SSO and other fixes
• 3085505 – Project Server 2013; various fixes
• 3085510 – Project Server 2013; various fixes
• 3085524 – SharePoint Server 2010; “User not found” errors
• 3085527 – Project Server 2010; status updating failure
• 3085530 – SharePoint Foundation 2010; menu items missing after IE 11 update

What to do: Put these nonsecurity updates on hold until after the next September Patch Watch column.

Regularly updated problem-patch chart

This table provides the status of recent Windows and Microsoft application security updates. Patches listed below as safe to install will typically be removed from the table about a month after they appear. Status changes are highlighted in bold.

For Microsoft’s list of recently released patches, go to the MS Security TechCenter page.

Patch	Released	Description	Status
3089656	09-08	MS Graphics Component; see MS15-097 for full list	Wait
3046017	08-11	Command-parameter passing; also KB 3079757, 3081436 (Win10)	Install
3060716	08-11	Windows Object Manager	Install
3071756	08-11	Windows Mount Manager; also KB 3081436 (Win10)	Install
3073893	08-11	Windows UDDI Services (Server 2008)	Install
3073921	08-11	Server Message Block (Vista and Win Server 2008)	Install
3075158	08-11	System Center Ops Mgr; KBs 3064919, 3071088, 3071089	Install
3075220	08-11	Remote Desktop Protocol; also KBs 3075221, 3075222, 3075226	Install
3076895	08-11	XML Core Services (Windows and Office)	Install
3076949	08-11	Windows/WebDAB servers	Install
3078071	08-11	Internet Explorer cumulative update	Install
3078662	08-11	MS Graphic Component; see MS15-080 for complete patch list	Install
3080790	08-11	MS Office; see MS15-081 for complete patch list	Install
3081436	08-11	Cumulative Windows 10 update	Install
3083184	08-11	.NET Framework; also KBs 3083185 & 3083186	Install
3061064	09-08	Skype for Business Server/Lync Server; also KB 3080353	Install
3069114	09-08	Windows Journal; KB 3081455 for Win10	Install
3072595	09-08	Active Directory Service (servers, only)	Install
3081455	09-08	Edge cumulative update	NA
3084135	09-08	Windows Task Management; also KB 3082089	Install
3087038	09-08	IE cumulative update; KB 3081455 for Win10	Install
3087088	09-08	Windows Hyper-V; KB 3081455 for Win10	Install
3087126	09-08	MS Exchange Server 2013	Install
3087918	09-08	Windows Media Center	Install
3089662	09-08	.NET Framework; see MS15-101 for ful list, install separately	Install
3089664	09-08	Office; see MS15-099 for complete list	Install

Status recommendations: Skip — patch not needed; Hold — do not install until its problems are resolved; Wait — hold off temporarily while the patch is tested; Optional — not critical, use if wanted; Install — OK to apply.