Get the February Microsoft patches applied, unless you’re using Win10 Fall Creators Update
Credit to Author: Woody Leonhard| Date: Mon, 05 Mar 2018 11:57:00 -0800
Granted, February’s patches from Microsoft weren’t as malevolent as January’s patches, but they still managed to knock out lots and lots of PCs. That said, if you can tiptoe around the problems, now is a good time to get the latest versions of the latest patches installed.
The worst problem I see at this point involves clobbered USB connections on Win10 Fall Creators Update (version 1709) machines after installing the latest cumulative update, KB 4074588. To its credit, Microsoft has acknowledged the problem. But the only offered fix, a complex manual workaround, would drive a hardened MS-DOS junkie to drink.
Microsoft currently acknowledges all of these problems with the February Win10 1709 cumulative update:
As well as a problem with Active Directory Federation Service.
It’s become a familiar refrain. Microsoft had problematic patches for Win10 1709 in December, in January (took three tries and they it didn’t get it right) and in February. I keep waiting for 1709 to stabilize before I recommend that folks move on from 1703, but that time hasn’t come yet.
Then there are those who bought new PCs with 1703 installed and don’t have enough storage to run the upgrade to 1709.
Even if most of the Win10 world has been pushed, pulled and prodded onto 1709 (AdDuplex reports that 85% of all Win10 users they see run Win10 1709), the avalanche of buggy patches proves to me that Fall Creators Update just ain’t ready for prime time.
Truth be told, the multiple patches for 1703 (two in January, two in February) leave me feeling queasy about the Win10 Creators Update as well. I guess that’s the price we pay for Windows as a Service and the mad dash to two new versions of the last version of Windows per year.
There have been problems galore with the .Net Preview patches, with several yanked after colliding with QuickBooks 2017 Enterprise. Fortunately, they’re just Previews — you only installed them if you specifically sought them out and you shot yourself in the foot.
Windows 7 users who install the latest patches (Monthly Rollup KB 4074598, or Security-Only KB 4077525) may have problems if they have a Smart Card two-factor authorization enabled on their machine. Microsoft also warns: “After installing this update, SMB servers may experience a memory leak.” No solution at this point.
If you’re using Flash on Internet Explorer (or Edge) and haven’t yet installed the fix for CVE-2018-4878, described in Microsoft’s Security Advisory ADV180004, you’re vulnerable to a Malspam campaign attack described by Morphisec Labs. Of course, if you avoid Flash and/or use a different browser, you have little to fear.
With those exceptions, Susan Bradley’s Monthly Patchlist gives an all-clear for the other 40 or so patches released this month.
For those of you following the trials and travails of the KB 4090007 microcode updates, which are only available by manual download and only apply to sixth-generation Skylake Intel chips running Win10 1709, there’s a reason why they’re so obscure: Microsoft doesn’t want “normal” people to install them.
Microcode, you may know (but I didn’t!), is different from firmware. Günter Born on his BornCity site explains:
There is also a small but subtle difference between firmware updates for the UEFI and a microcode update. A firmware update for the UEFI must be approved by the manufacturer of the motherboard. This update may also include microcode updates. These are loaded from the UEFI firmware into the CPU when the system is started. Pure microcode updates can be rolled out by Microsoft. These microcodes are loaded into the CPU when the operating system is started. The above update is therefore a microcode update, which is reloaded every time Windows starts.
For now, I figure you’d be crazy to install the microcode update — particularly because there are no Spectre v 2 exploits in the wild. Susan Bradley has a full explanation of the patch and a warning to admins who may be contemplating the leap of faith:
For those that plan to import these microcode updates into your Server 2016 WSUS, there’s a known issue whereby one can’t import updates into WSUS based on Server 2016 like one is used to in other platforms. As noted on the WSUS blog, you’ll need to edit a bit before you can import the patch.
In my humble opinion, it’s time to install the February patches — unless you’re using Win10 Fall Creators Update version 1709. (To see your version, in the Cortana search box, type about and press Enter.) If you’re on 1709, wait until Microsoft finally fixes the USB problems.
Step 1. Make sure your antivirus is copacetic with this month’s patches.
If you have a reasonably recent version of your antivirus software — updated in the past few weeks — you’ll be fine. If you’re running Windows Defender, you’re fine. But if you have a weird antivirus product, or you’ve stopped doling outantivirus payola, I figure it’s best to uninstall your currentantivirus and get Windows Defender or Microsoft Security Essentials working, just for as long as it takes to get Windows updated. Check with your antivirus vendor for details.
If you don’t want to trust your PC to Microsoft — who can blame ya? — check out Kevin Beaumont’s detailed list of antivirus vendors and their patch proclivities. If you want to check to see if your machine, specifically, is ready for the February patches, follow the steps posted by OscarCP on AskWoody.com.
Step 2. Make a full system image backup before you install the January patches.
There’s a non-zero chance that the patches — even the latest, greatest patches of patches of patches — will hose your machine. Best to have a backup that you can reinstall even if your machine refuses to boot. This, in addition to the usual need for System Restore points.
There are plenty of full image backup products including at least two good free ones: Macrium Reflect Free and EaseUS Todo Backup.
Step 3. For Win7 and 8.1
Microsoft is blocking updates to Windows 7 and 8.1 on recent computers. If you are running Windows 7 or 8.1 on a PC that’s a year old or newer, follow the instructions in AKB 2000006 or @MrBrian’s summary of @radosuaf’s method to make sure you can use Windows Update to get updates applied.
If you’re very concerned about Microsoft’s snooping on you and want to install just security patches, realize that the privacy path’s getting more difficult. The old “Group B” — security patches only — isn’t dead, but it’s no longer within the grasp of typical Windows customers. If you insist on manually installing security patches only, follow the instructions in @PKCano’s AKB 2000003 and be aware of @MrBrian’s recommendations for hiding any unwanted patches. Note that AKB 200003 has been modified to incorporate Microsoft’s fixes-of-fixes in January.
For most Windows 7 and 8.1 users, I recommend following AKB 2000004: How to apply the Win7 and 8.1 Monthly Rollups. If you want to minimize Microsoft’s snooping but still install all of the offered patches, turn off the Customer Experience Improvement Program (Step 1 of AKB 2000007: Turning off the worst Windows 7 and 8.1 snooping) before you install any patches. (Thx, @MrBrian.)
Watch out for driver updates — you’re far better off getting them from a manufacturer’s website. After you’ve installed the latest Monthly Rollup, if you’re intent on minimizing Microsoft’s snooping, run through the steps in AKB 2000007: Turning off the worst Win7 and 8.1 snooping. Realize that we don’t know what information Microsoft collects on Window 7 and 8.1 machines. But I’m starting to believe that information pushed to Microsoft’s servers for Win7 owners is nearing that pushed in Win10.
Step 4. For Windows 10
If you’re running Win10 Creators Update, version 1703 (my current preference), or version 1607, the Anniversary Update, and you want to stay on 1607 or 1703 while those on 1709 get to eat Microsoft’s dog food, follow the instructions here to ward off the upgrade. As you go through the steps, keep in mind that Microsoft, uh, forgot to honor the “Current Branch for Business” setting — so you need to run the “feature update” (read: version change) deferral setting, if you have one, all the way up to 365. And hope that Microsoft doesn’t forget how to count to 365.
If you’re running an earlier version of Win10, you’re basically on your own. Microsoft doesn’t support you anymore.
If you have trouble getting the latest cumulative update installed, make sure you’ve checked your antivirus settings (see ProTip #2 above) and, if all is well, run the newly refurbished Windows Update Troubleshooter before inventing new epithets.
To get Windows 10 patched, go through the steps in “8 steps to install Windows 10 patches like a pro.”
As is always the case, DON’T CHECK ANYTHING THAT’S UNCHECKED. In particular, don’t be tempted to install anything marked “Preview.”
It’s time to get patched. Even if you really, really don’t want to.
Thx, @MrBrian, @sb, @PKCano, @abbodi86, and many others
Join the chorus on the Titanic at the AskWoody Lounge.