-
MS-DEFCON 3: Get patches installed, except for a couple
We have more than a hundred patches sitting on the back burner, since the last foray to MS-DEFCON 3, three weeks ago. For those of you staring at a bunch of patches, here’s my recommendation.
As has been the case for a couple of months, I’m generally recommending that Vista, Win 7 and 8.1 users install identified Security updates, and that you give all of the rest a wide berth. There are two Security updates, though, that are probably worth avoiding. If you’re running Win10 and have updates turned off (probably with the metered connection trick), it’s time to cross your fingers and get caught up.
The details are similar to last month’s:
Vista: Start Internet Explorer and verify (Help > About) that you’re running Internet Explorer 9. Apply all outstanding patches, but DON’T CHECK any update boxes that are unchecked. Also, see the description in the next paragraph about KB 3139398 and KB 3139852: If you see them, uncheck them.
Windows 7: There were two patches released earlier this month that still need some time to stew before they’re ready: KB 3139398, the Windows 7 and 8.1 USB driver fix; and KB 3139852, the kernel mode driver patch. Susan Bradley recommends holding off on both (paywalled). I haven’t seen any specific reports of problems with either, but given the headaches we’ve had in the past with kernel patches, it’s worthwhile to wait.
Step 1. If you haven’t checked recently, crank up Internet Explorer. Don’t use it to go to any sites, but click the gear icon in the upper right corner, choose About Internet Explorer, and verify that you’re on IE 11. If you aren’t yet on IE 11, make sure the box marked “Install new versions automatically” is checked, then click Close. That’s the easiest way to upgrade to IE 11. There may be an IE 11 upgrade sitting in Windows Update (Start > Control Panel > System and Security > under Windows Update, click Check for updates). If so, keep it checked.
I don’t recommend that you use IE. (Hey, Microsoft’s already put it out to pasture; that’s what Edge is all about.) But you need to update it, and keep it patched, because Windows still uses bits and pieces of IE in various places.
Step 2. Run GWX Control Panel and set it to block OS upgrades.
Step 3. Go into Windows Update (Start > Control Panel > System and Security > under Windows Update, click Check for updates). Click the link that says “XX important updates are available” and select only security updates. In other words, check the boxes next to items that say “Security Update” and UNCHECK the boxes next to items that only say “Update.”
Uncheck KB 3139398 and KB 3139852, if they appear.
Yes, you should check the KB 3139929 Internet Explorer cumulative update, even though it hides an ad generator in the guise of a security patch. We haven’t seen the ad appear yet and, when it does, you’ll just avoid it, OK?
For those of you who have asked, I don’t see any worthwhile updates in yesterday’s bountiful crop of patches. Apparently KB 3103709 is appearing on some Windows 8.1 machines. I don’t have a clue what that one does — there’s no KB article, and it isn’t included in the master Windows Update list. KB 3115224 doesn’t have a KB article either. Can’t think of any good reason to install either of them.
Step 4. On the left, click the link that says Optional. Uncheck every box that you see. Yes, I’m saying that if a box is checked, uncheck it. If you uncheck the box next to “Upgrade to Windows 10 Pro, Version 1511, 10586,” Windows Update will check it again for you. Don’t be alarmed. GWX Control Panel will protect you.
Step 5. Click OK, then Install updates.
Step 6. Back in Windows Update, on the left, click the link to Change settings. Make sure “Important Updates” is set to “Check for updates but let me choose whether to download and install them,” and uncheck the box next to “Give me recommended updates the same way I receive important ones.”
Step 7. Click OK and reboot.
Step 8. This one’s important. You need to run GWX Control Panel again. That’ll ensure Microsoft didn’t install anything untoward.
Windows 8.1: Follow the instructions for Windows 7, but in Step 3 go into Windows Update by right-clicking on the Start icon and choosing Control Panel.
Windows 10: If you’re using the metered connection trick to block updates, unblock the metered connection long enough to get caught up.
Everybody: Either watch here on AskWoody.com, or follow me on Twitter (@woodyleonhard) or Facebook to keep up on the latest. Microsoft’s releasing patches at the rate of more than a hundred – maybe 200 – a month. It’s a jungle out there. And if you catch something, shoot me email (click on the mail icon in the upper right corner of this page), or post a reply to this blog.
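The Step 3 selection rule for Windows 7 and 8.1, as an added example that is not part of the original post: a read-only PowerShell listing of pending updates through the Windows Update Agent COM API, marking each one the way the steps above would. It assumes English update titles and category names; the Advice labels and variable names are made up for this example.

```powershell
# Added example (not from the original post): read-only triage of pending updates
# using the Step 3 rule. Nothing is downloaded, installed or hidden.
# Works in Windows PowerShell 2.0 or later; the search can take several minutes on Windows 7.

$holdKBs = @('3139398', '3139852')   # the two updates the post says to leave unchecked

$session  = New-Object -ComObject Microsoft.Update.Session
$searcher = $session.CreateUpdateSearcher()
$result   = $searcher.Search('IsInstalled=0 and IsHidden=0')

$report = foreach ($u in $result.Updates) {
    $kbs  = @($u.KBArticleIDs | ForEach-Object { "$_" })
    $cats = @($u.Categories   | ForEach-Object { $_.Name })

    if (@($kbs | Where-Object { $holdKBs -contains $_ }).Count -gt 0) {
        # On hold even though it is labelled as a security update
        $advice = 'UNCHECK (on hold)'
    } elseif ($u.Title -match 'Security Update') {
        # Matches "Security Update for ..." and "Cumulative Security Update for ..."
        # (assumption: English titles)
        $advice = 'check'
    } elseif ($cats -contains 'Definition Updates') {
        # Defender / Security Essentials definitions, which the post installs right away
        $advice = 'check (definitions)'
    } else {
        # Items that only say "Update", drivers, and everything else
        $advice = 'UNCHECK'
    }

    New-Object PSObject -Property @{
        Advice     = $advice
        KB         = ($kbs -join ',')
        PreChecked = $u.AutoSelectOnWebSites   # whether Windows Update pre-selects the item
        Title      = $u.Title
    }
}

$report | Sort-Object Advice, KB |
    Format-Table Advice, KB, PreChecked, Title -AutoSize -Wrap
```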
I’m putting us at MS-DEFCON 3: Patch reliability is unclear, but widespread attacks make patching prudent. Go ahead and patch, but watch out for potential problems.
My usual boilerplate advice:
For those of you who are new to this game, keep in mind that…
You should always use Windows Update to install patches; downloading and installing individual patches is a clear sign of impending insanity.
I always install Windows Defender/Microsoft Security Essentials updates as soon as they’re available – same with spam filter updates.
I never install drivers from Windows Update (in the rare case where I can actually see a problem with a driver, I go to the manufacturer’s web site and download it from the original source).
If Windows Update has a patch but the box isn’t checked, DON’T CHECK THE BOX. It’s like spitting in the wind.
I use Chrome and Firefox, and only pull out IE when I feel very inclined — but even if you don’t use IE, you need to keep up with its patches.
P.S. Yes, you read that right. I now recommend that you Win7 and 8.1 users only install Security Updates. For many months, almost all of the non-security updates Win7 and 8.1 customers have received are specifically designed to push them to Windows 10, or to increase Microsoft’s ability to snoop on Win7 and 8.1 machines. No thanks.
Thanks, as always, to Susan Bradley and her in-depth work in Windows Secrets Newsletter.
P.S. Remember when patching was easy?
-
Another big batch of patches, with a mystery patch and 46 mildly interesting ones
If you’re an admin, though, there’s a lot to slog through.
InfoWorld Woody on Windows
-
Big batch of patches just dropped
I count seven patches for .NET on Windows Embedded, and 3940 separate non-security patches. But I might be off by one or two. No rest for the weary.
Here’s the list. I don’t see anything that’ll be of interest to most Windows users, but admins may want to take a look. (One KB hasn’t been posted yet.)
Update to enable WSUS support for Windows 10 feature upgrades https://support.microsoft.com/kb/3095113
DNS records get deleted when you delete the scope on a Windows Server 2012 R2-based DHCP server https://support.microsoft.com/en-us/kb/3100473
Update that supports Azerbaijani Manat and Georgian Lari currency symbols in Windows (for Windows Embedded 8 Standard) https://support.microsoft.com/en-us/kb/3102429 – original version released Jan. 19
Can’t connect to the desktop of Windows 8.1 or Windows Server 2012 R2 from a remote desktop at low screen resolution https://support.microsoft.com/en-us/kb/3105115
Licensing servers become deadlocked under high load in Windows Server 2012 R2 https://support.microsoft.com/en-us/kb/3108326
Texas Instruments xHCI USB controllers may encounter a hardware issue on large data transfers in Windows 8.1 https://support.microsoft.com/en-us/kb/3109976
KB 3115224 (No description yet, but the KB article should eventually appear at https://support.microsoft.com/en-us/kb/3115224)
Update improves port exhaustion identification in Windows Server 2012 R2 https://support.microsoft.com/en-us/kb/3123245
DPM filter driver can’t track changes on CSV or VM setting files can’t be online in Windows Server 2012 R2 https://support.microsoft.com/en-us/kb/3130944
Virtual machines don’t respond to your operation in SCVMM in Windows Server 2012 R2 https://support.microsoft.com/en-us/kb/3133681
Update to add Discrete Device Assignment support for Azure that runs on Windows Server 2012 R2-based guest VMs https://support.microsoft.com/en-us/kb/3133690
DNSSEC validation fails when incorrect response to DNSKEY query is sent on Windows Server 2012 R2-based DNS server https://support.microsoft.com/en-us/kb/3133954
BitLocker can’t encrypt drives and the service crashes in svchost.exe process in Windows 7 or Windows Server 2008 R2 (only applies to FIPS mode-enabled machines) https://support.microsoft.com/en-us/kb/3133977
Memory leak in RPCSS and DcomLaunch services in Windows 8.1 or Windows Server 2012 R2 https://support.microsoft.com/en-us/kb/3134785
Explorer.exe may crash when you play back an MPEG-4 file in Windows 8.1 or Windows RT 8.1 https://support.microsoft.com/en-us/kb/3136019
Windows Azure VMs don’t recover from a network outage and data corruption issues occur https://support.microsoft.com/en-us/kb/3137061
LBFO Dynamic Teaming mode may drop packets in Windows Server 2012 R2 https://support.microsoft.com/en-us/kb/3137691
Get-StorageReliabilityCounter doesn’t report correct values of temperature in Windows Server 2012 R2 https://support.microsoft.com/en-us/kb/3137725
“VSS_E_PROVIDER_VETO” error occurs when VSS restore fails in Windows Server 2012 https://support.microsoft.com/en-us/kb/3137726
VSS restore fails when you use ResyncLuns VSS API in Windows Server 2012 R2-based failover cluster https://support.microsoft.com/en-us/kb/3137728
“0x00000027” Stop error and unexpected restart in Windows Server 2012 https://support.microsoft.com/en-us/kb/3137916
Files are corrupted on deduplicated volumes that were created as NTFS-compressed in Windows Server 2012 R2 https://support.microsoft.com/en-us/kb/3137923
“File contents” option is always selectable, Start screen becomes blank, or computer freezes when startup in Windows 8.1 (could explain why Win 8.1 users aren’t getting good search results) https://support.microsoft.com/en-us/kb/3138602
Deduplication filter marks files as deleted incorrectly and data corruption occurs on Windows Server 2012 R2 file server https://support.microsoft.com/en-us/kb/3138865
Access to Internet is denied because proxy settings are overwritten in Windows 7 SP1 or Windows Server 2008 R2 SP1 https://support.microsoft.com/en-us/kb/3138901
DirectAccess client receives incorrect response to reverse lookup query from a Windows Server 2012 R2-based DNS64 server https://support.microsoft.com/en-us/kb/3139162
Tracert command doesn’t receive responses when you trace resources on Internet through Windows Server 2012 R2 HNV GW https://support.microsoft.com/en-us/kb/3139164
High CPU load on a Windows Server 2012 R2-based server because NAT keep-alive timer isn’t cleaned up https://support.microsoft.com/en-us/kb/3139165
0x1E Stop error when you restart or shut down a computer running Windows 8.1 or Windows Server 2012 R2 (RAID problem) https://support.microsoft.com/en-us/kb/3139219
Print job fails if Creator Owner is removed from Windows Server 2012 R2 or Windows Server 2012 https://support.microsoft.com/en-us/kb/3139649
Hyper-V guest may freeze when it is running failover cluster service together with shared VHDX in Windows Server 2012 R2 https://support.microsoft.com/en-us/kb/3139896
MSI repair doesn’t work when MSI source is installed on an HTTP share in Windows (“MSI repair no longer works after you install update 3000988 or update 3008627”) https://support.microsoft.com/en-us/kb/3139923
March 2016 WAU (Windows Anytime Upgrade) update for Windows 8.1 (“This update removes the commerce specific entry points for WAU since it’s no longer supported for Windows 8.1.”) https://support.microsoft.com/en-us/kb/3140185
“0x00000133” Stop error after you install hotfix 3061460 in Windows Server 2012 R2 https://support.microsoft.com/en-us/kb/3140219
Conflicting files on the desktop when Work Folders are installed in Windows 8.1 (“You see many unresolved file conflicts on your desktop. The conflicting files are shortcuts on the desktop folder redirected to Work Folders.”) https://support.microsoft.com/en-us/kb/3140222
“0x0000009F” Stop error when a Windows VPN client computer is shutdown with an active L2TP VPN connection https://support.microsoft.com/en-us/kb/3140234
MinDiffAreaFileSize doesn’t work on Windows Server 2012 R2 https://support.microsoft.com/en-us/kb/3140250
Windows Server backup fails despite sufficient free space on target volume in Windows Server 2012 R2 https://support.microsoft.com/en-us/kb/3140786
System becomes unresponsive because filter manager leaks nonpaged pool allocations in Windows Server 2012 https://support.microsoft.com/en-us/kb/3140990
“0x00000001” Stop error when a shared VHDX file is accessed in Windows Server 2012 R2-based Hyper-V guest https://support.microsoft.com/en-us/kb/3141074
-
Reducing the level of Windows 7 snooping
I’ve been avoiding this topic studiously. Recent reports have shown that there isn’t a whole lot of “phone home” activity between fully-updated Windows 7 and the Microsoft borg. At the same time, we don’t have any idea exactly what is being transmitted. All of this ties in to Windows 10 snooping, of course, because the sins of the child are being cast upon the father. And grandfather, as it were. Microsoft admits that some of the Win7 and Win8.1 updates are aimed at bringing Windows 10-style “telemetry” to Windows 7.
I’ll write an article about it for InfoWorld one of these days. Unfortunately, I’m still buried in other stuff. There’s a lot of history with the “Customer Experience Improvement Program” and Dr. Watson before it. I’ve been recommending that you turn off CEIP in all of my books since the XP days, if memory serves. But the picture’s become considerably more complex in the past year.
With that as prelude – and the understanding that I DON’T recommend you put on a tinfoil hat at the moment – I wanted to post a message sent to me by JY. I’d like to open the topic up for discussion.
Thanks for facilitating and keeping people on top of all this. I did some additional checking and found other issues (scheduled tasks) related to the Win CEIP (not Office). While I had indeed opted out of CEIP, that didn’t turn everything off. Below is what I found at VMware. Even though the setting is VM, this still pertains to non-VM.
“Disable the Windows Customer Experience Improvement Program
Disabling the Windows Customer Experience Improvement Program and the related Task Scheduler tasks that control this program can improve Windows 7 and Windows 8 system performance in large View desktop pools.
Procedure
1 In the Windows 7 or Windows 8 guest operating system, start the control panel and click Action Center > Change Action Center settings.
2 Click Customer Experience Improvement Program settings.
3 Select No, I don’t want to participate in the program and click Save changes.
4 Start the control panel and click Administrative Tools > Task Scheduler.
5 In the Task Scheduler (Local) pane of the Task Scheduler dialog box, expand the Task Scheduler Library > Microsoft > Windows nodes and open the Application Experience folder.
6 Disable the AITAgent and ProgramDataUpdater tasks.
7 In the Task Scheduler Library > Microsoft > Windows node, open the Customer Experience Improvement Program folder.
8 Disable the Consolidator, KernelCEIPTask, and Use CEIP tasks.” [last one should be “UsbCEIP”]
Opting out of CEIP did nothing to disable the 5 tasks above. On this particular computer, all 5 are currently enabled (for about the next 2 minutes) and have been running on their default schedules. All of them are clearly labeled as being part of the CEIP. Interestingly, the last two contain in the description, “If the user has not consented to participate in Windows CEIP, this task does nothing.” Yet, they are still active and show the last run results as having been completed successfully. What? Screenshot below.
I opted not to post this for fear of creating more fear. Obviously, we need a great deal of telemetry to keep our machines in top form. However, I decided that these tasks aren’t necessary, whether data transmission is going on or not. They have nothing to do with updates or security, at least not directly. If you think this info is valuable to others, feel free to share it.
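The five tasks from the quoted procedure, checked from the command line. This is an added example, not part of JY’s message or the VMware document it quotes. It assumes the two task folders sit under \Microsoft\Windows as the procedure describes and that schtasks.exe prints English column names; the function and variable names are made up for this example.

```powershell
# Added example (not part of JY's message or the VMware procedure it quotes).
# Reports the state of the five CEIP-related tasks and, if $Disable is $true, disables them.
# Run from an elevated prompt. Uses schtasks.exe so it works on Windows 7 (PowerShell 2.0).
$Disable = $false   # set to $true to disable the tasks instead of only reporting

$root  = '\Microsoft\Windows'
$tasks = @(
    "$root\Application Experience\AITAgent",
    "$root\Application Experience\ProgramDataUpdater",
    "$root\Customer Experience Improvement Program\Consolidator",
    "$root\Customer Experience Improvement Program\KernelCEIPTask",
    "$root\Customer Experience Improvement Program\UsbCEIP"
)

function Get-TaskRow([string]$Path) {
    # /V /FO CSV prints a header row plus one row per trigger; keep the first row.
    # Column names used below are the English ones (assumption: English-language Windows).
    $csv = & schtasks.exe /Query /TN $Path /V /FO CSV 2>$null
    if ($LASTEXITCODE -ne 0 -or -not $csv) { return $null }
    $csv | ConvertFrom-Csv | Select-Object -First 1
}

$report = foreach ($t in $tasks) {
    $row = Get-TaskRow $t
    if (-not $row) {
        # Task is absent on this machine (or the prompt is not elevated)
        New-Object PSObject -Property @{
            Task = $t; State = 'not found'; LastRun = ''; LastResult = ''
        }
        continue
    }

    if ($Disable -and $row.'Scheduled Task State' -ne 'Disabled') {
        & schtasks.exe /Change /TN $t /Disable | Out-Null
        $row = Get-TaskRow $t   # re-query so the report shows the state actually in effect
    }

    New-Object PSObject -Property @{
        Task       = $t
        State      = $row.'Scheduled Task State'   # Enabled or Disabled
        LastRun    = $row.'Last Run Time'
        LastResult = $row.'Last Result'            # 0 means the last run completed
    }
}

$report | Format-Table State, LastRun, LastResult, Task -AutoSize -Wrap
```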
-
Is 46 GB not enough free space to install Windows 10?
Interesting question from reader A:
It is not my intention to give you more work than you already have, but perhaps, you’d like to know this.
A friend of mine has Win7 on his desktop.
Used space: 53.9
Freed space: 46.0
He wanted to install Windows 10.
But he was unable to. According to Microsoft logic there was not enough free space.
I wrote back to A, asking for more details, but there’s obviously something wrong. Have any of you hit the problem? And solved it?
Best guess I have at the moment is to stick a blank USB drive in the computer and try again. The Win10 installer may use free USB space for the installation.
-
Are Win7 and Win8.1 Auto Update stuck?
Here’s the behavior I’ve seen since Saturday:
I’m running Win7 in a VM, with default settings (Auto Update is turned on), with all checked patches installed.
The “Upgrade to Windows 10 Pro, version 1511, 10586” item is in Optional updates, and Microsoft checked it for me. I can clear the check mark, but it reappears every time any component of Windows Update runs.
I let the machine run overnight (or however long it takes for Auto Update to kick in). All of the checked items except “Upgrade to Windows 10 Pro, version 1511, 10586” install with the Auto Update run.
It looks to me like MS changed the behavior on Saturday, possibly early Sunday morning.
If any of you are brave enough to run Win7 with Auto Update turned on (without running GWX Control Panel or making the registry changes that prevent the upgrade), could you give that a try and see what happens for/to you?
If you, or anyone you know, was upgraded to Win10 without permission – and they haven’t rolled back yet – please have them dig into the C:\windows.old folder (in Windows 10, mind you) and email me a copy of windowsupdate.log. Asking for a friend.
-
The debate rages on — oops, now it’s over
Astoundingly, there are some people on SevenForums who don’t believe the forced upgrade happened.
UPDATE: Aw, nevermind. The thread owner was insulting and completely unwilling to discuss facts. I’m over SevenForums.
-
Does Windows snooping break data privacy laws?
I received a very well-considered question from DB:
Mr. Leonhard,
I just read your article about the forced Windows 10 update on InfoWorld. I also see that you have published other work on Windows 10. I have a question that I have been unable to get answered, even after asking Microsoft directly. I’m hoping you can assist me.
I am a college instructor. As such, I am bound by college policy and federal law to maintain the privacy and security of my students’ personal and educational data. This includes obvious things like their home addresses and phone numbers, but it also includes their grades, communication about missed classes and even which classes they are currently taking.
I use my personal computers to log into my college email, my learning management system (where grades are recorded) and to create my own files for assignments, projects, and general record keeping that is the constant side-task of any teacher. My college runs Windows 7 on campus currently. I have multiple laptops running multiple OSs but I am reluctant to upgrade to Windows 10 because I have not yet been assured that Microsoft will not collect data from my daily usage that could compromise my adherence to FERPA (the HIPAA laws for education).
I’ve read plenty of articles that describe Microsoft’s data collection ranging from benign to outrageous, so I posted directly to their own forums asking if Windows 10 collects data that violates FERPA. I received a response, however the technician seemed to think I was asking about firewalls and malware. Even after restating my question, no response from Microsoft was forthcoming.
I do have access to the enterprise version of Windows 10 and I know some things can be disabled, but then I read something about data still being sent, despite disabling anything and everything to do with this process. Can you help me figure out if I can actually safely and securely use Windows 10 when I am dealing with student data?
Thank you for your time.
My response:
I’ve seen lots of evidence that Microsoft is snooping more in Win10 than it was in Win7 — and I’ve seen ancillary evidence that it’s snooping more in Win7 than it used to.
But the people who report on the traffic between Windows and Microsoft’s servers suffer from one manifest flaw: They have no idea what’s being sent. Microsoft encrypts the data, and nobody’s been able to decode it.
That’s good, mind you. Any harvested data flowing from your computer to the outside world should be encrypted.
Even though the data’s going out, I’ve seen no evidence that it’s being misused. And I certainly haven’t seen any evidence that it’s being used in a way that would violate HIPAA (or FERPA).
Can I guarantee that Microsoft’s methods don’t break the law? No. But it seems highly unlikely.