Newsletter Archives

  • MS-DEFCON 3: Get patches installed, but tread lightly, and roll back Office 2013 Click-to-Run

    With almost a hundred patches arriving since the last time I moved to MS-DEFCON 3 (March 16), the Windows and Office patching scene looks as daunting as ever. Microsoft didn’t release any patches on Tuesday of this week (the fourth Tuesday of the month is a traditional fur flying fest), so I’m feeling more confident that y’all have time to get things caught up. I suggest you do get caught up before the next round arrives – Office patches are due out on May 3, and heaven only knows if we’ll get a Windows 10 cumulative update before the next Patch Tuesday, May 10.

    This month, if you have Vista or Windows 7, you can spend hours and hours and hours waiting for Windows Update to run its course – or you can run out ahead of the insanity, by using the KB3138612 and KB3145739 scan speedup proposed here on AskWoody.com, and codified by poster EP.

    Here’s where we stand.

    Vista: If you haven’t yet followed the trick for speeding up Windows Update scans, use the method described in this InfoWorld article to first grease the skids. Start Internet Explorer and verify (Help > About) that you’re running Internet Explorer 9. Apply all outstanding patches, but DON’T CHECK any update boxes that are unchecked.

    Last month, I warned Vista users about KB 3139398 and KB 3139852, but the first appears to be good to go, and the second has already been superseded by KB 3145739 – so if you followed my directions earlier and installed KB 3145739 already, in order to speed up your scans, the old KB 3139852 won’t even appear.

    Windows 7: If you haven’t yet followed the trick for speeding up Windows Update scans, use the method described in this InfoWorld article to first grease the skids. Yes, that means you should install KB 3145739 manually.

    Step 1. If you haven’t checked recently, crank up Internet Explorer. Don’t use it to go to any sites, but click the gear icon in the upper right corner, choose About Internet Explorer, and verify that you’re on IE 11. If you aren’t yet on IE 11, make sure the box marked “Install new versions automatically” is checked, then click Close. That’s the easiest way to upgrade to IE 11. There may be an IE 11 upgrade sitting in Windows Update (Start > Control Panel > System and Security > under Windows Update, click Check for updates). If so, keep it checked.

    I don’t recommend that you use IE. (Hey, Microsoft’s already put it out to pasture; that’s what Edge is all about.) But you need to update it, and keep it patched, because Windows still uses bits and pieces of IE in various places.

    Step 2. Run GWX Control Panel and set it to block OS upgrades.

    Step 3. Go into Windows Update (Start > Control Panel > System and Security > under Windows Update, click Check for updates). Click the link that says “XX important updates are available.” Check the boxes next to items that say “Security Update,” but do NOT check the box for KB 3146706 – it’s probably unchecked anyway. (Yes, KB 3139398 is OK.) If you need to keep up with time zone changes in Oblast, Altai Republic or Zabaykalsky Krai, check the box for KB 3148851 and/or 971033. UNCHECK the boxes next to Important items that only say “Update.”

    Step 4. On the left, click the link that says Optional. Uncheck every box that you see. Yes, I’m saying that if a box is checked, uncheck it. If you uncheck the box next to “Upgrade to Windows 10 Pro, Version 1511, 10586,” Windows Update will check it again for you. Don’t be alarmed. GWX Control Panel will protect you.

    There’s a lot of debate about the advisability of installing the April Office patches, and it appears as if a couple of them have been pulled. Susan Bradley in her nearly-biblical Patch Watch column in Windows Secrets Newsletter (paywall) recommends that you install KB 3114566, KB 3114888, KB 3114993 and non-security patch KB 3114996, if any of those should appear. Personally, I’d skip the non-security patch, but I’m just ornery that way.

    Those of you attached to corporate networks need to be aware of some problems. The 3114996 KB article has a warning about the patch and Exchange Server. KB 3114941 is showing problems on some Lync 2013 (Skype for Business) and Outlook 2013 installations. For those of you who aren’t attached to a corporate network, you should be fine.

    Step 5. Click OK, then Install updates.

    Step 6. Back in Windows Update, on the left, click the link to Change settings. Make sure “Important Updates” is set to “Check for updates but let me choose whether to download and install them,” and uncheck the box next to “Give me recommended updates the same way I receive important ones.”

    Step 7. Click OK and reboot.

    Step 8. This one’s important. Unless you want to look like Metinka Slater, the weather forecaster on Des Moines station KCCI, you need to run GWX Control Panel again. That’ll ensure Microsoft didn’t install anything untoward. (Note: GWX Control Panel has a “Monitor Mode” option. If you choose to use that option, you won’t need to run GWX Control Panel again – it’s already running. Personally, I don’t use Monitor Mode. I don’t like to leave anything running if I don’t have to. So I run GWX Control Panel manually, twice.)
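
    To confirm a Windows 7 machine ended up where Steps 1 through 8 intend, the added PowerShell example below (not part of the original post) checks the installed-hotfix list and the two Windows Update settings from Step 6. The KB numbers come from the post; the function name, its parameters, and the registry location in the commented live call are assumptions of this example.

    ```powershell
    # Added example: audit a machine against this post's April 2016 advice.
    # Works on PowerShell 2.0, the version that ships with Windows 7.
    $Required = @('KB3138612', 'KB3145739')  # scan speed-up pair named in the post
    $Avoid    = @('KB3146706')               # the post says to leave this one unchecked

    function Test-PatchAdvice {              # hypothetical helper name
        param(
            [string[]]$InstalledKb,          # hotfix ids, e.g. from Get-HotFix
            [int]$AUOptions,                 # 2 = check, but let me choose what to download
            [int]$IncludeRecommended         # 0 = recommended not treated as important
        )
        $findings = @()
        foreach ($kb in $Required) {
            if ($InstalledKb -notcontains $kb) {
                $findings += "MISSING  $kb (Windows Update scan speed-up)"
            }
        }
        foreach ($kb in $Avoid) {
            if ($InstalledKb -contains $kb) {
                $findings += "PRESENT  $kb (post advises leaving it unchecked)"
            }
        }
        if ($AUOptions -ne 2) {
            $findings += "SETTING  AUOptions is $AUOptions, Step 6 expects 2"
        }
        if ($IncludeRecommended -ne 0) {
            $findings += "SETTING  recommended updates are delivered as important"
        }
        if ($findings.Count -eq 0) { 'OK: matches the advice in this post' }
        else { $findings }
    }

    # Constructed sample input: one speed-up patch missing, the blocked patch
    # installed, and Windows Update left on fully automatic.
    Test-PatchAdvice -InstalledKb 'KB3138612', 'KB3146706' -AUOptions 4 -IncludeRecommended 1

    # Live check. The key below is an assumption about where Windows 7 stores
    # the Step 6 settings; Get-HotFix does not list Office patches.
    # $key  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update'
    # $au   = Get-ItemProperty $key
    # $kbs  = Get-HotFix | ForEach-Object { $_.HotFixID }
    # Test-PatchAdvice -InstalledKb $kbs -AUOptions $au.AUOptions `
    #     -IncludeRecommended $au.IncludeRecommendedUpdates
    ```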

    Windows 8.1: I haven’t heard of any appreciable Windows Update speed-up by using the KB3138612 and KB3145739 trick. Follow the instructions for Windows 7, but in Step 3 go into Windows Update by right-clicking on the Start icon and choosing Control Panel.

    Windows 10: If you’re using the metered connection trick to block updates, unblock the metered connection long enough to get caught up. There have been lots and lots of reports of problems with the cumulative update KB 3147458, but they don’t appear to be any worse than usual. If you hit a problem, be sure to drop John Wink a line. This eleventh Win10 cumulative update should bring your version of Windows up to build 1511 OS version 10586.218 – what I like to call Windows 10.1.11.

    If you blocked KB 3140741, dated March 22, you should install it, too. 3140741 is a different kettle of fish. It “updates the servicing stack” in Windows 10, which means it makes changes to Windows Update. Since it’s a Win10 patch, it’s forced just like all the other patches. Originally there were several reported problems with 3140741, but I haven’t heard many screams lately. Yes, you should install 3140741 if you’ve blocked it. If it doesn’t install properly, don’t sweat it – hide it again and forget it. Servicing stack updates come and go, and there will be another one some day.

    Office Click-to-Run: For the first time, I’m going to start including Office Click-to-Run in my MS-DEFCON ratings. There have been problems reported with Office 2013 Click-to-Run version 15.0.4815.1001. Microsoft recommends that you roll back to Office 2013 build 15.0.4805.1003. It’s not easy.

    For those of you using Click-to-Run, I would appreciate hearing about any problems you’ve found – and your help filling out this part of the MS-DEFCON advisory!

    Everybody: Either watch here on AskWoody.com, or follow me on Twitter (@woodyleonhard) or Facebook to keep up on the latest. Microsoft’s releasing patches at a breathtaking rate. It’s a jungle out there. And if you catch something, shoot me email (click on the mail icon in the upper right corner of this page), or post a reply to this blog.

    I’m putting us at MS-DEFCON 3: Patch reliability is unclear, but widespread attacks make patching prudent. Go ahead and patch, but watch out for potential problems.

    My usual boilerplate advice:

    For those of you who are new to this game, keep in mind that… You should always use Windows Update to install patches; downloading and installing individual patches is a clear sign of impending insanity. I always install Windows Defender/Microsoft Security Essentials updates as soon as they’re available – same with spam filter updates. I never install drivers from Windows Update (in the rare case where I can actually see a problem with a driver, I go to the manufacturer’s web site and download it from the original source). If Windows Update has a patch but the box isn’t checked, DON’T CHECK THE BOX. It’s like spitting in the wind. I use Chrome and Firefox, and only pull out IE when I feel very inclined — but even if you don’t use IE, you need to keep up with its patches.

    P.S. Yes, you read that right. I now recommend that you Win7 and 8.1 users only install Security Updates. For many months, almost all of the non-security updates Win7 and 8.1 customers have received are specifically designed to push them to Windows 10, or to increase Microsoft’s ability to snoop on Win7 and 8.1 machines. No thanks.

    Thanks, as always, to Susan Bradley and her in-depth work in Windows Secrets Newsletter.

  • First glance at this month’s Windows patches: Badlock dud, one active exploit, and a whole lot of Win10

    What concerns me the most: The way Win10 is getting patched so hard.

    InfoWorld Woody on Windows

  • MS-DEFCON 2: Make sure auto updates is locked down

    Microsoft has released its first-Tuesday set of non-security Office patches. Several of you have written to me, to ask if you should install them. Short answer: No. Let them stew.

    It’s probably best if I move us to MS-DEFCON 2, to avoid any confusion.

    Make sure you have your Vista, Win7 and 8.1 Windows Update set to “Notify but don’t download.” If your Windows 10 machine is set up with a Wi-Fi connection, set it to a metered connection. To do all of that, see the Automatic Update tab above.

    I’m going to recruit as many Windows 10 users as I can find to try Noel Carboni’s trick to block forced Win10 updates on machines that don’t have Wi-Fi connections. Details coming shortly.

    On to MS-DEFCON 2: Patch reliability is unclear. Unless you have an immediate, pressing need to install a specific patch, don’t do it.