Now's the time to get caught up on Windows and Office patches

Microsoft released a minimal set of patches in February, so those of you who have been waiting should now get fully caught up

There were almost no patches from Microsoft in February, and the ones that were released haven’t caused any problems. It makes a lot of sense to apply those few patches now, since … who knows what could happen next.

A tiny Windows 7 security patch was released in January, and there were no Windows 7 patches at all in February. Meanwhile, the list of problems is growing; two zero-day exploits in IE and Edge were confirmed in February—the gdi32.dll heap boundary error and the CSS token sequence/JavaScript table header bug. The vulnerability that caused SMBv3 protocol crashes hasn’t been fixed, either. A lot of stuff is likely ready to hit the fan.

Perhaps Microsoft is catching up on its vowed attempt to improve the Win7 monthly rollups by including patches going back before October 2016. Abbodi86 speculates on AskWoody that the dearth of patches in February may be due to Microsoft renumbering all of its patch downloads. “Since SHA-1 is now totally deprecated and disclosed, they are switching to SHA-256 as the default verification, which requires them to recheck and rename all files at their back end,” Abbodi86 writes.

While we may never know why the patch well dried up, now’s a good time to take advantage of the break.

Windows 8.1 had no security patches at all in January and February. Other than the IE and Flash updates for Win 8.1 and Win10, released a week late, there have been no security patches for Vista and Win10 1507, 1511, or 1607 since December—although there were two optional hotfixes issued for Win10 1607, namely 14393.726 and 14393.729.

Microsoft released 26 nonsecurity Office 2013 and 2016 patches in early February.

Here are my recommendations for getting caught up:

Windows 10

If you haven’t already installed the January cumulative update for Win10 Anniversary Update, KB 3213986, you should be aware of the fact that doing so may clobber System Restore. If you use Restore Points, it’s more important than ever that you back up everything first.

Follow my tip on installing Win10 updates. You may want to use wushowhide to hide any driver updates, but all of the other updates should be OK, including Servicing stack updates, Office, MSRT, or .Net updates (there won’t be many, and you may not see any at all). Be sure to note the recommendation for reporting any problems you might encounter.

Windows 7 and 8.1

You need to choose whether you want to install the security-only updates or to get all that Microsoft has to offer, including “telemetry” patches, by using the monthly rollup. If you’re in “Group A” (the monthly rollup group), updating’s easy. If you’re in “Group B” (those who don’t want Microsoft snooping), your life’s considerably more complex. I provide details in my patchocalypse article.

For those in Group A:

Step A1: Get your settings right. In Win7, click Start > Control Panel. In Win 8.1, press Win-X and choose Control Panel. Click System and Security. Under Windows Update, click the link marked “Turn automatic updating on or off.” Make sure Windows Update is set to “Never check for updates (not recommended),” then check the boxes marked “Give me recommended updates the same way I receive important updates” and “Give me updates for Microsoft products and check for new optional Microsoft software when I update Windows.” Click OK.

Step A2: Check for updates. Back in the Control Panel, under Windows Update, click the link to Check for Updates. (You may have to click Check for Updates a second time.) The check takes many minutes. If it takes many hours, follow these steps. (Microsoft claims it has solved the slow Win7 Update scan problem, but you still may need to kick-start the process by following those steps.) Don’t check any unchecked boxes. (You may see a driver update distributed as “Recommended,” with a check in the Optional category. That’s OK; leave it checked. But if any driver updates aren’t checked, don’t check them.)

If you see a monthly rollup, leave it checked. If you don’t, whistle a merry tune and continue.

Step A3: Install the patches. Click the button marked Install Updates and follow the instructions. You’ll end up with the monthly rollup, if one appears; all of your Office patches; maybe some .Net patches; Adobe Flash fixes; the Microsoft Security Essentials update; and the usual MSRT scanner. After the reboot, everything will be set to block automatic updates. You’re all set, but be sure to watch this column next month to see when the unpaid beta testers are done.

For those in Group B:

There are no security-only patches this month. Since security-only patches are not cumulative, you have to download and install each month’s patches separately. There’s a full list of security-only patches with download links in the AskWoody Knowledge Base article AKB 2000002.

Once you’ve installed all of the outstanding security-only patches, you need to get the rest of the patches put together.

Step B1: Get your settings right. In Win7, click Start > Control Panel. In Win 8.1, press Win-X and choose Control Panel. Click System and Security. Under Windows Update, click the link marked “Turn automatic updating on or off.” Make sure Windows Update is set to “Never check for updates (not recommended),” then check the box marked “Give me updates for Microsoft products and check for new optional Microsoft software when I update Windows.” Uncheck the box marked “Give me recommended updates the same way I receive important updates” (yes, Group B is different from Group A), and click OK.

Step B2: Check for updates. Back in the Control Panel, under Windows Update, click the link to Check for Updates. (You may have to click Check for Updates a second time.) The check takes many minutes. If it takes many hours, follow these steps.

Step B3: Get rid of the monthly rollup. Click the links to look at the Important and Optional updates. Don’t check any unchecked boxes. You shouldn’t see any entries marked “Monthly Quality Rollup,” but if you do, uncheck the boxes. If you’re in Group B, you don’t want them. For heaven’s sake don’t ever check anything marked “Preview.” If you see any “Security and Quality Rollup for .Net Framework” boxes checked, leave them checked.

Step B4: Get rid of the problematic driver updates. Look for driver updates, especially those marked “INTEL – System” followed by a date. If you see any that are checked, uncheck the box; there are better ways to get the latest drivers.

Step B5: Install the patches. Click the button marked Install Updates and follow the instructions. You’ll end up with Office patches, .Net patches, possible Adobe Flash fixes, Security Essentials update, and the usual MSRT scanner. After the reboot, you’re done. Pat yourself on the back, and watch this column next month for the all-clear.
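The checks in steps B3 and B4 can also be run as a read-only report before you click Install Updates. The PowerShell below is an added example, not part of the original column: it lists pending updates through the Windows Update Agent COM API and labels each one by the Group B rules above. The function names, verdict strings and sample titles are assumptions made for illustration.

```powershell
# Added example (not from the column). Read-only: it reports, and never
# installs, hides or changes any update. Written to run on PowerShell 2.0.
# Get-GroupBVerdict / Get-GroupBReport are hypothetical names for this sketch.
function Get-GroupBVerdict {
    param(
        [Parameter(Mandatory = $true)] [string] $Title,
        [bool] $IsDriver = $false
    )
    # "Preview" is tested first so a preview rollup is never treated as a regular one.
    if ($Title -match 'Preview') { return 'Never check (Preview)' }
    # Step B3: .Net rollups that arrive checked stay checked.
    if ($Title -match 'Security and Quality Rollup for \.Net') { return 'Leave as offered (.Net rollup)' }
    if ($Title -match 'Monthly Quality Rollup') { return 'Uncheck (monthly rollup)' }
    # Step B4: \u2013 is the en dash that appears in titles such as "INTEL - System".
    if ($IsDriver -or $Title -match '^INTEL\s*[-\u2013]\s*System') { return 'Uncheck if checked (driver)' }
    return 'Leave as offered'
}

function Get-GroupBReport {
    # Live query through the Windows Update Agent; this performs an update scan.
    $session  = New-Object -ComObject Microsoft.Update.Session
    $searcher = $session.CreateUpdateSearcher()
    $result   = $searcher.Search('IsInstalled=0 and IsHidden=0')
    foreach ($u in $result.Updates) {
        New-Object PSObject -Property @{
            Verdict = Get-GroupBVerdict -Title $u.Title -IsDriver ($u.Type -eq 2)  # 2 = driver update
            Title   = $u.Title
        }
    }
}

# Constructed titles (KB0000000 is a placeholder) that exercise every rule offline.
$sample = @(
    '2017-01 Preview of Monthly Quality Rollup for Windows 7 (KB0000000)',
    '2017-01 Security Monthly Quality Rollup for Windows 7 (KB0000000)',
    'Security and Quality Rollup for .NET Framework 3.5.1 (KB0000000)',
    'INTEL - System - 1/1/2017 12:00:00 AM',
    'Update for Microsoft Office 2013 (KB0000000)'
)
$sample | ForEach-Object { '{0,-32} {1}' -f (Get-GroupBVerdict -Title $_), $_ }

# On the machine being patched, after step B2:
# Get-GroupBReport | Sort-Object Verdict | Format-Table Verdict, Title -AutoSize -Wrap
```

The report only tells you what to look for; the boxes are still unchecked by hand in the Windows Update window as described in steps B3 and B4.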

Discussion continues on the AskWoody Lounge.

Copyright © 2017 IDG Communications, Inc.
