October will certainly go down in the Annals of Windows Offal as one of the worst patching months ever. Click “Check for updates” and get your Documents and Photos wiped out. Try to install the Win7 Monthly Rollup — if you can find it — and trigger an Error 0x8000FFFF because the updater doesn’t have the smarts to update itself. Play a little Driver Roulette and trigger a blue screen. Then there were mountains of bug fixes for various versions of Windows 10, dribbled out over several days, likely backported from the ill-fated Win10 1809 effort.
Now that we’re in the October “E week” (or the November “A-1 Week” depending on how you look at it), the stars have aligned and it’s time to get caught up with your Windows and Office patches.
Win7 Monthly Rollup makes a sudden reappearance
Yesterday, with absolutely no fanfare, Microsoft suddenly started pushing the Win7 Monthly Rollup, KB 4462923, out the Windows Update chute again. Although the timeline’s murky, it looks as if Microsoft made it deucedly difficult to get the patch shortly after it was released on Patch Tuesday. No, the patch was never pulled from the Microsoft Update Catalog. But it was re-released on Nov. 1.
Perhaps it took Microsoft all the way until the October “E Week” to get bugs ironed out in the way the patch interacts with the installer — the so-called Servicing Stack Update KB 3177467, re-released earlier this month as a version 2.
@PKCano has been chasing this one by the tail. Yesterday the Gordian knot untied itself:
KB4462923 2018-10 Security Monthly Quality Rollup showed up CHECKED in the “important updates” on my Win7 today 11/1/18.
On a test machine, I installed it along with the 2018-10 .NET Rollup and MSRT without an error (Note: the SSU KB3177467 v1 was installed on my machine in 2016)
AFTER the reboot, KB3177467 v2, the Servicing Stack released 10/9/2018 appeared and installed without requiring a reboot. The hash is the same and the file size is the same. Must be a metadata change to let it install without an error before KB3177467 v2 (the SSU).
Through all of this sturm und drang, it looks like neither KB 3177467 version 2, nor KB 4462923 actually changed.
Lots and lots of little Win10 bug fixes
Starting on Oct. 18, and again on Oct. 24, Microsoft released massive troves of little bug fixes, covering Win10 versions 1607, 1703, 1709 and 1803. They seem to be backports of little patches made during the development of Win10 version 1809, released en masse to the earlier versions. I talked about Microsoft’s change to itty bitty bug backports last month.
The way Windows Update’s rigged right now, you probably won’t get these little fixes unless you click “Check for updates” or you download and install them manually. It looks like Microsoft’s trying to implement Win7/8.1-style Rollup Previews in Win10 as lesser, secondary cumulative updates, which you won’t get unless you’re a sucker. Er, seeker (i.e., if you click on “Check for updates”).
You have to wonder why Microsoft invented the Release Preview Ring in the Windows Insider program, and never uses it.
Win7/Server 2008R2 Network Card bugs continue
Microsoft has a bug in its Win7 Monthly Rollup that’s been, uh, bugging us since March. If you installed any Win7/Server 2008R2 patches after March and your network connections didn’t go kablooey, you’re almost undoubtedly OK to proceed with this month’s patches.
On the other hand, if you’ve been waiting to install patches on your Win7 or Server 2008R2 machine, you need to be aware of a bug that Microsoft has acknowledged.
Symptom: There is an issue with Windows and third-party software that is related to a missing file (oem<number>.inf). Because of this issue, after you apply this update, the network interface controller will stop working.
Workaround: 1.To locate the network device, launch devmgmt.msc; it may appear under Other Devices.
- To automatically rediscover the NIC and install drivers, select Scan for Hardware Changes from the Action menu.
- Alternatively, install the drivers for the network device by right-clicking the device and selecting Update. Then select Search automatically for updated driver software or Browse my computer for driver software.
That’s a bizarre, convoluted series of steps. Microsoft still hasn’t confirmed which third-party software is at fault, but reports have it that it’s largely a VMWare problem. Five months later, the bug’s still there, still acknowledged, still unfixed.
If you’re worried that installing this month’s updates will clobber your network interface card, make sure you take a full backup before installing the updates. You can also take @GoneToPlaid’s advice and edit certain registry entries in advance.
A new tactic for Win10 Pro patches
We’ve been watching Win10 patching for three years, and a pattern has emerged. I’ll flesh out the details in a future article, but the gist of it goes like this…
Historically, Win10 Pro users would avoid the big patch screw-ups if they set Windows Update Advanced Options to:
- When updates are installed: “Semi-Annual Channel”
- Defer “feature updates” (what you and I and Microsoft would call new version upgrades) for 60 or 90 or more days, and
- Defer “quality updates” (what you and I and Microsoft call cumulative updates) for 10 or 12 or more days.
If a major problem with a patch arises, crank the deferral up to 30 days.
Then don’t click “Check for updates.” Ever.
This seems to be the sweet spot for Win10 Pro patching: It avoids the major problems we’ve seen over the past three years (e.g., when patches get pulled because they break things, or when patches get re-released for odd and sundry reasons, or when new patches replace bad old ones), but it leaves the update process sufficiently automated so you can set it and forget it. More or less.
I’m looking for guinea pigs. If you decide to go this route, please keep me posted on the AskWoody Lounge.
Ready to take a chance on messing up your NIC? Here’s how to proceed. The patching pattern should be familiar to many of you.
Step 1. Make a full system image backup before you install the October patches.
There’s a non-zero chance that the patches — even the latest, greatest patches of patches of patches — will hose your machine. Best to have a backup that you can reinstall even if your machine refuses to boot. This, in addition to the usual need for System Restore points.
There are plenty of full-image backup products, including at least two good free ones: Macrium Reflect Free and EaseUS Todo Backup. For Win 7 users, If you aren’t making backups regularly, take a look at this thread started by Cybertooth for details. You have good options, both free and not-so-free.
Step 2. For Win7 and 8.1
Microsoft is blocking updates to Windows 7 and 8.1 on recent computers. If you are running Windows 7 or 8.1 on a PC that’s 18 months old or less, follow the instructions in AKB 2000006 or @MrBrian’s summary of @radosuaf’s method to make sure you can use Windows Update to get updates applied.
If you’ve already installed any March or later updates, your Network Interface Card should be immune to the latest slings and arrows. But if you haven’t been keeping up on patches, see the discussion in the Network Cards section above to protect yourself.
If you’re very concerned about Microsoft’s snooping on you and want to install just security patches, realize that the privacy path’s getting more difficult. The old “Group B” — security patches only — isn’t dead, but it’s no longer within the grasp of typical Windows customers. If you insist on manually installing security patches only, follow the instructions in @PKCano’s AKB 2000003 and be aware of @MrBrian’s recommendations for hiding any unwanted patches.
For most Windows 7 and 8.1 users, I recommend following AKB 2000004: How to apply the Win7 and 8.1 Monthly Rollups. Realize that some or all of the expected patches for October may not show up or, if they do show up, may not be checked. DON’T CHECK any unchecked patches. Unless you’re very sure of yourself, DON’T GO LOOKING for additional patches. In particular, if you install the October Monthly Rollups or Cumulative Updates, you won’t need (and probably won’t see) the concomitant patches for September. Don’t mess with Mother Microsoft.
If you want to minimize Microsoft’s snooping but still install all of the offered patches, turn off the Customer Experience Improvement Program (Step 1 of AKB 2000007: Turning off the worst Windows 7 and 8.1 snooping) before you install any patches. (Thx, @MrBrian.) If you see KB 2952664 (for Win7) or its Win8.1 cohort, KB 2976978 — the patches that so helpfully make it easier to upgrade to Win10 — uncheck them and spread your machine with garlic or drive a wooden stake through its heart. Watch out for driver updates — you’re far better off getting them from a manufacturer’s website.
After you’ve installed the latest Monthly Rollup, if you’re intent on minimizing Microsoft’s snooping, run through the steps in AKB 2000007: Turning off the worst Win7 and 8.1 snooping. If you want to thoroughly cut out the telemetry, see @abbodi86’s detailed instructions in AKB 2000012: How To Neutralize Telemetry and Sustain Windows 7 and 8.1 Monthly Rollup Model.
Realize that we don’t know what information Microsoft collects on Window 7 and 8.1 machines. But I’m starting to believe that information pushed to Microsoft’s servers for Win7 owners is nearing equality to that pushed in Win10.
Step 3. For Windows 10
If you’re running Win10 Creators Update, version 1703 (my current preference), version 1709, or version 1803, you definitely want to block the forced upgrade to Win10 1809. Don’t get caught flat-footed: Microsoft may decide to push 1809 again with little or no notice. Follow the advice in How to block the Windows 10 October 2018 Update, version 1809, from installing. Of course, all bets are off if Microsoft, uh, forgets to honor its own settings.
If you’re using wushowhide to hide specific patches, there’s a gotcha: The Win10 installer may choose to install hidden updates. It’s not clear to me if that’s a byproduct of clicking Check for updates, but better safe than sorry — use @PKCano’s technique to make good ‘n sure that hidden updates stay hidden.
Those of you running Win10 1703 will need to upgrade to 1709, 1803 or possibly 1809 before the November patches arrive. I’m still sitting on a fence, and suggest you join me in mugwump land until we have a clearer view of the horizon.
If you have trouble getting the latest cumulative update installed, make sure you’ve checked your antivirus settings and, if all is well, run the newly refurbished Windows Update Troubleshooter before inventing new epithets.
To get Windows 10 patched, go through the steps in “8 steps to install Windows 10 patches like a pro.” If you feel lucky (well, do ya?), and you’re running a Pro or Education edition of Win10, you might try experimenting with the deferral settings I mentioned earlier in “A new tactic for Win10 Pro patches.”
Thanks to the dozens of volunteers on AskWoody who contribute mightily, especially @sb, @PKCano, @abbodi86, @gborn, @GoneToPlaid, @Cybertooth and @MrBrian.
We’ve moved to MS-DEFCON 4 on the AskWoody Lounge.