• MS-DEFCON 3: Time to get your update ducks lined up

    Time to get your September Windows and Office updates installed.


    I don’t know of any outstanding major problems with September’s Office patches. Follow the instructions below, but DON’T check any Office patches that aren’t already checked – if any Office patch doesn’t have a check mark, don’t go in and check it.

    Note that Office patches are, increasingly, on a two-tier system, with early patchers used as cannon fodder. It may look complicated, but the basic idea is to install patches that are checked, and ignore all the other Office patches.

    Windows 10

    There are still three major bugs in Windows 10 Anniversary Update, so those of you with the Win10 Fall Update (version 1511 – type winver in the Cortana search box) are better off sticking with it. I continue to recommend that you stick with Win10 Fall Update by blocking the upgrade to version 1607.

    I’ve found no new major bugs introduced in Windows 10, other than bugs introduced in Internet Explorer, and you aren’t using IE, right?

    If you’re on Win10 1511, go ahead and install KB 3185614, to bring yourself up to build 10586.589. Then use the block steps I recommend in InfoWorld to keep Win10 from automatically clobbering your machine.

    If you’re on Win10 1607, install KB3194496 to bring your PC up to 14393.222. Then apply one of those block steps to keep control over this month’s updates. There will likely be several. Microsoft still has a way to go before 1607 is relatively stable.

    Windows 7 and 8.1

    Last month I talked about Group A and Group B – my shorthand for two different kinds of Win7/8.1 users:

    • Group A are the ones willing to take all of Microsoft’s new snooping systems, along with potentially useful non-security updates. That may sound horrible, but realize that you’re being snooped upon all the time, with your search engine (except for duckduckgo and a handful of others), your email provider if you have a free account, your browser (opinions vary as to the extent of the snooping), your ISP, Hello Cortana, Siri, Alexa, the Google voice system, your car, and soon your thermostat and refrigerator.
    • Group B doesn’t want any more snooping than absolutely necessary, doesn’t care about improvements like daylight savings time zone changes, but still wants to keep applying security patches. This month it’s easy to apply security patches. Next month the instructions are scheduled to change quite a bit.

    I would be remiss if I didn’t mention the third group – I call them Group W, with all due respect to Arlo Guthrie – who don’t want anything from Microsoft. No patches. No security updates. Nada. I don’t recommend that you sit on the Group W bench, but I’m certainly sympathetic to your skepticism. Microsoft has shown in great detail just how well they can hack Win7 and 8.1 machines, without our permission.

    We have no idea, and no way of knowing, what information Win10 gathers about its users and, similarly, we have no idea, and no way of knowing, what kind of information Group A Win 7 and 8.1 machines will ultimately feed to the Microsoft marketing cloud. You have to go with your gut on this one.

    For Group A, patching is much easier. For Group B, the snooping should be less – but there’s no guarantee. You can move from Group B to Group A, but as far as I can tell there’s no way to move from Group A to Group B without completely re-installing Win7 or 8.1.

    I have no idea how updates to Vista will roll out. For now, I suggest you choose between Group A and Group B.

    If you encounter very slow Windows Update scan speeds on Windows 7 or Vista, I suggest that you use Canadian Tech’s speedup method, posted on the Microsoft Answers forum.

    For Group A – the ones who are willing to let Microsoft snoop

    Make sure you have Windows Update set to deliver recommended updates. In Win 8.1, hold down the Windows key, press X, choose Control Panel. In Win7, click Start > Control Panel. Click System and Security. Under Windows Update, click the Turn automatic updating on or off link. Check the box marked Give me recommended updates the same way I receive important updates. Click OK.

    That ensures Microsoft’s “recommended updates” appear checked and ready to install in Windows Update.

    Go into Windows Update (in Win7, Start > Control Panel > System and Security > under Windows Update, click Check for updates – in Win8.1, right-click Start). Click the link that says “XX important updates are available.” Make sure all of those patches are checked (they should be). Then on the left, click Optional, and uncheck Silverlight and Skype, uncheck any drivers – see below – and uncheck any language packs. Then make sure KB2952664, KB3150513 and KB3193414 are unchecked, although it’s unlikely they’ll appear. (The first two are all about snooping, and don’t do anything to improve your machine. The last one is a completely undocumented update for Microsoft Security Essentials that appears to be screwed up.) Click OK, then Install updates. Reboot.

    For Group B – the ones who don’t want to let Microsoft snoop

    Go into Windows Update (Start > Control Panel > System and Security > under Windows Update, click Check for updates – in Win 8.1, right-click Start). Click the link that says “XX important updates are available.” CHECK the boxes next to items that say “Security Update,” along with “Windows Defender” and “Malicious Software Removal Tool” if you see either or both. UNCHECK the boxes next to any items that aren’t specifically marked as “Security Update.”

    On the left, click the link that says Optional. Uncheck every box that you see, except “Windows Defender,” which should stay checked. Yes, I’m saying that if a box is checked, uncheck it. Click OK, then Install updates. Reboot.
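
    The Group A and Group B checklists above, as a read-only PowerShell report. This is an added example, not part of the original post: it lists pending updates through the Windows Update Agent COM API and says which ones each group's rules would install. The `-Group` parameter, the function name, the title matching, and treating `BrowseOnly` as the Optional list are assumptions of this sketch.

    ```powershell
    # Added example: read-only report. It does not install, hide or change any update.
    param([ValidateSet('A', 'B')][string]$Group = 'B')

    # KBs the post says to leave unchecked.
    $SkipKBs = '2952664', '3150513', '3193414'

    function Get-PatchDecision($Update, $Group) {
        $title    = $Update.Title
        $kbs      = @($Update.KBArticleIDs)
        $optional = [bool]$Update.BrowseOnly            # assumption: stands in for the Optional list
        $checked  = [bool]$Update.AutoSelectOnWebSites  # pre-checked in the Windows Update window
        $isDriver = ($Update.Type -eq 2)                # UpdateType: 1 = software, 2 = driver

        if ($isDriver) { return 'skip: driver' }
        if ($kbs | Where-Object { $SkipKBs -contains $_ }) { return 'skip: listed KB' }

        if ($Group -eq 'B') {
            # Group B: Defender always; otherwise only "Security Update" and MSRT
            # items from the important list, nothing else from Optional.
            if ($title -match 'Windows Defender') { return 'install' }
            if ($optional) { return 'skip: optional' }
            if ($title -match 'Security Update|Malicious Software Removal Tool') {
                return 'install'
            }
            return 'skip: not marked Security Update'
        }

        # Group A: take what is checked, minus the extras the post names.
        if ($title -match 'Silverlight|Skype|Language Pack') { return 'skip: optional extra' }
        if (-not $checked -and ($optional -or $title -match 'Office')) {
            return 'leave unchecked'
        }
        return 'install'
    }

    # Ask the Windows Update Agent for updates that are neither installed nor hidden.
    $session = New-Object -ComObject Microsoft.Update.Session
    $result  = $session.CreateUpdateSearcher().Search('IsInstalled=0 and IsHidden=0')

    $columns = @(
        @{ n = 'KB';       e = { (@($_.KBArticleIDs) | ForEach-Object { "KB$_" }) -join ',' } },
        @{ n = 'Decision'; e = { Get-PatchDecision $_ $Group } },
        'Title'
    )
    $result.Updates | Select-Object $columns | Format-Table -AutoSize -Wrap
    ```

    Save it under a name of your choosing and run it with `-Group A` or `-Group B`, then compare the Decision column with the boxes in the Windows Update window before you click Install updates.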

    I’m putting us at MS-DEFCON 3: Patch reliability is unclear, but widespread attacks make patching prudent. Go ahead and patch, but watch out for potential problems.

    My usual boilerplate advice:

    For those of you who are new to this game, keep in mind that… I never install drivers from Windows Update (in the rare case where I can actually see a problem with a driver, I go to the manufacturer’s web site and download it from the original source). I use Chrome and Firefox, and only pull out IE when I feel very inclined — but even if you don’t use IE, you need to keep up with its patches.