Be of good cheer: The Windows/Office December patching minefield looks clear

There’s still a great deal of uncertainty about the way-out-of-band “emergency” Internet Explorer patch last week and its changing workaround instructions. Server 2016’s known bugs list runs more than a page. Still, now’s a reasonably safe time to install December Windows and Office patches.


The big remaining bugaboo — the Dec. 19 emergency release of Internet Explorer patches for all supported versions of Windows — remains shrouded in secrecy. That said, it looks like early reports of devastating bugs in the IE update are overstated; at this point, I’m not aware of any replicable problems.

That’s very good news, actually, given Microsoft’s exceedingly poor recent history with emergency patches.

Where we stand with Windows

That Internet Explorer patch — KB 4483235 (1809), KB 4483234 (1803), KB 4483232 (1709), KB 4483187 (Win7 and 8.1), or KB 4483187 (19H1 beta) — has had a series of workarounds posted, reworked, then reposted, over the past week. If you took Microsoft’s advice a few days ago and manually implemented the workaround (basically blocking access to jscript), you should check back and make sure that your old method is the same as the new method.
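To confirm which of the KBs listed above applies to a given machine and whether it is installed, a check along these lines works. It is an added example, not from this article or from Microsoft. The function names are hypothetical, the KB numbers are the ones listed above, and the 19H1 beta is left out.

```powershell
# Added example. KB numbers come from the article; function names are hypothetical.
$IePatchByRelease = @{
    '1809' = 'KB4483235'
    '1803' = 'KB4483234'
    '1709' = 'KB4483232'
}
$IePatchDownlevel = 'KB4483187'   # listed in the article for Win7 and 8.1

function Get-ExpectedIePatch {
    param([version]$OsVersion, [string]$ReleaseId)
    # NT 6.1 = Windows 7, NT 6.3 = Windows 8.1
    if ($OsVersion.Major -eq 6 -and (1, 3) -contains $OsVersion.Minor) {
        return $IePatchDownlevel
    }
    if ($OsVersion.Major -eq 10 -and $IePatchByRelease.ContainsKey($ReleaseId)) {
        return $IePatchByRelease[$ReleaseId]
    }
    return $null   # e.g. 1607 / Server 2016: no KB given in the article
}

function Test-IePatchInstalled {
    $os  = [version](Get-WmiObject Win32_OperatingSystem).Version
    $cv  = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $rel = [string]$cv.ReleaseId          # empty on Win7/8.1, which have no ReleaseId
    $kb  = Get-ExpectedIePatch -OsVersion $os -ReleaseId $rel

    $state = 'NotListedInArticle'
    if ($kb) {
        # Get-HotFix writes a non-terminating error when the ID is absent
        $hit = Get-HotFix -Id $kb -ErrorAction SilentlyContinue
        # A later cumulative update also carries the fix, so 'Missing'
        # means "this exact KB is not recorded", not "unpatched".
        $state = if ($hit) { 'Installed' } else { 'Missing' }
    }
    New-Object PSObject -Property @{
        Computer   = $env:COMPUTERNAME
        OsVersion  = $os.ToString()
        ReleaseId  = $rel
        ExpectedKb = $kb
        State      = $state
    }
}

Test-IePatchInstalled | Format-List
```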

The relatively small crop of December Patch Tuesday patches turned out just fine. There were no non-security patch “previews” this month, so we dodged the usual monthly second chance at screwing up systems.

The rest of the December patches seem good to go, with two exceptions:

  • The Outlook Manage Rules & Alerts “operation failed…” error is still out there. Microsoft says it has fixed the bug, introduced in November, for Outlook 2013. The other six versions of Outlook with acknowledged errors (two “perpetual” versions and four rented Office 365 versions) still bear the bug.
  • Windows Server 2016 (nee Windows 10 version 1607) has a list of acknowledged bugs that should give you Server savants pause. In many cases the bugs — an exception thrown for SqlConnection, SCVMM errors, “Outlook cannot perform the search,” NERR_PasswordTooShort, Lenovo startup failure — have been around for months, but the list isn’t getting any shorter.  

The ongoing question of 1809 and seekers

I’m seeing more and more reports that Microsoft is pushing Win10 version 1809 on Win10 machines that aren’t “seekers” — the machines get upgraded even if the user doesn’t click “Check for updates.”

Version guru @abbodi86 assures me that the old rules of engagement still hold true — that Microsoft is only installing Win10 1809 on “seeker” machines. But the situation’s muddied a bit by the possibility that another forced-upgrade bug has crept into the rollout sequence (as it has many times before) and/or that the KB 4023057 “Update for update reliability” may be turning on the Seeker flag.

Bottom line remains the same: Unless you want Win10 version 1809 on your machine, you need to proactively block it until you’re comfortable with moving on to the next, arguably better version of the last version of Windows.

Update

Here’s how to get your system updated the (relatively) safe way.

Step 1. Make a full system image backup before you install the December patches.

There’s a non-zero chance that the patches — even the latest, greatest patches of patches of patches — will hose your machine. Best to have a backup that you can reinstall even if your machine refuses to boot. This, in addition to the usual need for System Restore points.

There are plenty of full-image backup products, including at least two good free ones: Macrium Reflect Free and EaseUS Todo Backup. For Win 7 users, if you aren’t making backups regularly, take a look at this thread started by Cybertooth for details. You have good options, both free and not-so-free.

Step 2. For Win7 and 8.1

Microsoft is blocking updates to Windows 7 and 8.1 on recent computers. If you are running Windows 7 or 8.1 on a PC that’s 18 months old or less, follow the instructions in AKB 2000006 or @MrBrian’s summary of @radosuaf’s method to make sure you can use Windows Update to get updates applied.

If you’re very concerned about Microsoft’s snooping on you and want to install just security patches, realize that the privacy path’s getting more difficult. The old “Group B” — security patches only — isn’t dead, but it’s no longer within the grasp of typical Windows customers. If you insist on manually installing security patches only, follow the instructions in @PKCano’s AKB 2000003 and be aware of @MrBrian’s recommendations for hiding any unwanted patches.

For most Windows 7 and 8.1 users, I recommend following AKB 2000004: How to apply the Win7 and 8.1 Monthly Rollups. Realize that some or all of the expected patches for December may not show up or, if they do show up, may not be checked. DON'T CHECK any unchecked patches. Unless you're very sure of yourself, DON'T GO LOOKING for additional patches. In particular, if you install the December Monthly Rollups or Cumulative Updates, you won’t need (and probably won’t see) the concomitant patches for November. Don't mess with Mother Microsoft.

Watch out for driver updates — you’re far better off getting them from a manufacturer’s website.

After you’ve installed the latest Monthly Rollup, if you’re intent on minimizing Microsoft’s snooping, run through the steps in AKB 2000007: Turning off the worst Win7 and 8.1 snooping. If you want to thoroughly cut out the telemetry, see @abbodi86’s detailed instructions in AKB 2000012: How To Neutralize Telemetry and Sustain Windows 7 and 8.1 Monthly Rollup Model.

Realize that we don’t know what information Microsoft collects on Windows 7 and 8.1 machines. But I’m starting to believe that information pushed to Microsoft’s servers for Win7 owners is nearing equality to that pushed in Win10.

Step 3. For Windows 10

If you’re running Win10 version 1709, or version 1803 (my current preference), you definitely want to block the forced upgrade to Win10 1809. Don’t get caught flat-footed: Microsoft may decide to push 1809 again with little or no notice. Follow the advice in How to block the Windows 10 October 2018 Update, version 1809, from installing. Of course, all bets are off if Microsoft, uh, forgets to honor its own settings.

Those of you who run Win10 Pro/Education and followed my advice last month — to set the branch distribution ring to "Semi-Annual Channel" and set “quality update” (cumulative update) deferrals to 15 days — don’t need to do anything. Your machine will update itself on the 26th. Don’t touch a thing.

For the rest of you, including those of you stuck with Win10 Home, go through the steps in "8 steps to install Windows 10 patches like a pro." Make sure that you run Step 3, to hide any updates you don’t want (such as the Win10 1809 upgrade or any driver updates for non-Microsoft hardware) before proceeding.

If you really want to hide everything, including the gonzo KB 4023057 patch I mentioned earlier, you need to go through @PKCano’s steps to wring every last update out of your update queue. Microsoft hides some of them.

For those of you running Win10 Pro, I suggest you follow the instructions in Step 7, but leave your advanced setup settings like the ones shown in the screenshot.

[Screenshot: 1809 advanced updates. Credit: Woody Leonhard]

That’ll ensure Microsoft has 15 days to pull its bad initial patches.

May all the coals in your stocking be intentional.

Thanks to the dozens of volunteers on AskWoody who contribute mightily, especially @sb, @PKCano, @abbodi86, and many others.

We’ve moved to MS-DEFCON 4 on the AskWoody Lounge.

Copyright © 2018 IDG Communications, Inc.
