Woody Leonhard's no-bull news, tips and help for Windows, Office and more…
  • Friday night patch dump: KB 4088881, a flawed Win7 Monthly Rollup preview and KB 4089187, an IE fix

    Posted on March 24th, 2018 at 08:19 by woody

    Microsoft continues its any-day-of-the-month patching policy with a highly anticipated preview of the April Win7 Monthly Rollup and a rushed patch for IE on Win7 that resolves a bug introduced two weeks ago

    When Microsoft released its gang of patches last Thursday, one patch was remarkably absent: We didn’t get a preview of next month’s Win7 Monthly Rollup. Win8.1, Server 2012 and Server 2012R2 all got previews, but not Win7 (or Server 2008R2).

    I hypothesized at the time that Microsoft didn’t release a new Win7 April Monthly Rollup preview because they were still trying to fix the bugs they introduced in this month’s Monthly Rollup for Windows 7 and Server 2008 R2, KB 4088875, and the download-and-manually-install Security-only patch for March, KB 4088878.

    Microsoft now acknowledges all of these bugs in March’s Win7 Patch Tuesday release:

    • After you install this update, SMB servers may leak memory.
    • A Stop error occurs if this update is applied to a 32-Bit (x86) machine with the Physical Address Extension (PAE) mode disabled.
    • A Stop error occurs on computers that don’t support Streaming Single Instructions Multiple Data (SIMD) Extensions 2 (SSE2).
    • A new Ethernet virtual Network Interface Card (vNIC) that has default settings may replace the previously existing vNIC, causing network issues after you apply this update. Any custom settings on the previous vNIC persist in the registry but are unused.
    • IP address settings are lost after you apply this update.

    All of those bugs are new in March, except the memory leak, which first appeared in January.

    With the new, delayed preview of April’s Win7 Monthly Rollup, you might expect that at least some of those bugs would be fixed. Not so. They’re all still around, per the official write-up.

    Microsoft is working on a resolution and will provide an update in an upcoming release.

    Sooner or later.

    In addition to the Friday night Monthly Rollup preview that doesn’t fix the major bugs, Microsoft rolled out a patch for a bug introduced in IE by its Patch Tuesday patch. Another patch of a patch. The article for the original Patch Tuesday patch, KB 4089187, has been modified to state:

    After you install this update, security settings in some organizations that are running Windows 7 SP1 or Windows Server 2008 R2 may prevent Internet Explorer 11 from starting because of an invalid SHA1 certificate.

    To resolve this issue, use one of the following methods:

    If you’re a bit rusty on manually whitelisting an SHA1 certificate, you can run the patch released on Friday night, KB 4089187. Note that this is only for IE 11 running on Windows 7 (and Server 2008R2).

    I think of it as Mother Microsoft’s way of telling you that you really shouldn’t be using IE. Excuse my snark.

    Of course, you’ve been following along here and know that we’re still at MS-DEFCON 2, which means you didn’t install the original buggy patches, anyway. Right?

    By the by… for those of you who are manually installing the cumulative updates for Win10 1703 or 1607, there’s now an explicit warning in the associated KB article:

    Important When installing both the SSU (KB4088825) and the LCU updates from the Microsoft Update Catalog, install the SSU before installing the LCU.

    Which is an obtuse way of saying that, if you’re going to install the Cumulative Update manually, you better get the Servicing Stack Update installed first.

    MrBrian speculates that the root problem is the race condition on installation that Susan Bradley talked about last week.

    The Servicing Stack updates for 1703 and 1607 were part of the Thursday blast.

    Thx, @MrBrian, @gborn

  • More Windows patches — and warnings about the Win10 1709 update KB 4089848

    Posted on March 23rd, 2018 at 08:24 by woody

    In yet another out-of-out-of-band flurry, on Thursday Microsoft released new cumulative updates for all Win10 versions, a couple of Servicing Stack updates, two previews of Monthly rollups… and absolutely nothing that fixes the flaws in this month’s botched Win7 patch.

    And the Windows Update bypassing routine blamed for the forced push from Win10 1703 to 1709? It’s baaaaaaaaaack.

    Computerworld Woody on Windows.

    UPDATE: @PKCano found a patch for Win10 1709 that “This update makes improvements to ease the upgrade experience to Windows 10 Version 1709.”

    Go figger. KB 4094276. It’s listed on the KBNew page, but the link there (which was provided by Microsoft) doesn’t work.

  • Surprise! A new version of the Windows Update block-buster KB 4023057

    Posted on March 23rd, 2018 at 07:42 by woody

    While scanning through the KBNew list, I bumped into an old f(r)iend, KB 4023057. Looks like it was re-issued on March 22 — along with about half a gazillion patches for Windows.

    KB 4023057, if you don’t recall, is the patch that’s credited with busting through sites that have Windows Update blocked. There’s a discussion here, with this description from abbodi86:

    it evolved from just fixing registry to restore tasks and fix drivers DB, and compatibility for UAC management..

    the main purpose or function did not change: re-allow blocked or disabled WU

    Of course, Microsoft’s official description is the usual “Nothing to see here, folks” drivel:

    This update includes reliability improvements that affect the update service components in Windows 10 Versions 1507, 1511, 1607, and 1703.

    This update includes files and resources that address issues that affect the update processes in Windows 10. These improvements ensure that quality updates are installed seamlessly on your device and help to improve the reliability and security of devices running Windows 10.  When Windows update is available for your device, devices that do not have enough disk…

    Only certain builds of Windows 10 Versions 1507, 1511, 1607, and 1703 require this update. Devices that are running those builds will automatically get the update downloaded and installed through Windows Update.

    This update is also offered directly to Windows Update Client for some devices that have not installed the most recent updates. This update is not offered from the Microsoft Update Catalog.

    I just wish Microsoft could speak plainly. In this case, some Win10 users (not sure which ones) are getting a patch that (apparently?) breaks their wuauserv settings. I assume that its entire reason for existence is to push more people onto the next version of Win10.

    Does anybody out there have any better info?

  • Out-of-out-of-band patches for Win10 1709, 1703 and 1607

    Posted on March 22nd, 2018 at 15:18 by woody

    Just a heads-up. We’ll have more later.

    KB 4089848 brings 1709 up to Build 16299.334 – seems to have fixed the problem with the January Delta update

    KB 4088891 brings 1703 up to build 15063.994

    KB 4088889 brings 1607 up to build 14393.2155 – this one’s a bit surprising because 1607 is due to go off life support in a couple of weeks.

    Also, a Servicing Stack update for 1703, KB 4088825, and a Servicing Stack update for 1607, KB 4089510.

    Two previews of Monthly rollups, KB 4088882 for Win 8.1 and Server 2012 R2, and KB 4088883 for Server 2012.

    Martin Brinkmann has some notes on his ghacks.net site.

    I’ve updated the list of revised KB articles, KBNew.

  • Patch Lady – a reminder that 1607 drops out of support

    Posted on March 21st, 2018 at 14:49 by Susan Bradley

    For those that are still running Windows 10 (including one HP Envy tablet with a 32 gig flash drive that I’m still fighting to get up to anything beyond what it was shipped with[*]), be aware that in April the 1607 release of Windows 10 drops out of support unless you are running Education or Enterprise version.

    Thus if you are still on 1607 please be aware that you will not get security updates after that date.

    If you’ve not been able to install past 1607 you might try this trick of determining what the blocker is.  To do so you need to download the ISO, extract it, and then run setup as noted in this post to determine what the blocker is.

    Basically you run this script:  SETUP.EXE /Auto Upgrade /Quiet /NoReboot /DynamicUpdate Disable /Compat ScanOnly

    Or better yet do it like this:  SETUP.EXE /Auto Upgrade /Quiet /NoReboot  /Compat ScanOnly

    and leave in the bit about grabbing the latest dynamic update so we can see what the issue is.

    Post in the forums and let’s see if we can get everyone past 1607 and up to a serviced platform.

    [*]  I’m getting a USB-C adapter to hang off a Western Digital external hard drive as that did the trick for my Asus with the 32 gig flash drive.  An external flash drive didn’t cut it, nor did a Micro SD card.
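
    The compatibility scan above returns its verdict only as a process exit code, so this added PowerShell example (not from the original post) wraps the same switches and decodes the result. The function name and the setup.exe path in the usage comment are assumptions; the exit codes are the ones Microsoft documents for /Compat ScanOnly.

```powershell
# Added example: wraps the ScanOnly command from the post and decodes Setup's exit code.
# Run elevated. -SetupPath is wherever you extracted the ISO (caller-supplied).
function Invoke-CompatScan {
    param(
        [Parameter(Mandatory)][string]$SetupPath,
        [switch]$DisableDynamicUpdate   # adds "/DynamicUpdate Disable", the first variant in the post
    )
    if (-not (Test-Path -LiteralPath $SetupPath)) { throw "setup.exe not found: $SetupPath" }

    # Same switches as the post; dynamic update stays on unless explicitly disabled.
    $setupArgs = @('/Auto', 'Upgrade', '/Quiet', '/NoReboot')
    if ($DisableDynamicUpdate) { $setupArgs += '/DynamicUpdate', 'Disable' }
    $setupArgs += '/Compat', 'ScanOnly'

    $proc = Start-Process -FilePath $SetupPath -ArgumentList $setupArgs -Wait -PassThru

    # ExitCode is a signed Int32; format it as hex so it matches the documented values.
    $hex = '0x{0:X8}' -f $proc.ExitCode
    $meaning = switch ($hex) {
        '0xC1900210' { 'No compatibility issues found' }
        '0xC1900208' { 'Compatibility issue found (hard block); see the CompatData XML' }
        '0xC1900204' { 'Migration choice (auto upgrade) not available, e.g. wrong SKU or architecture' }
        '0xC1900200' { 'Machine does not meet the requirements for Windows 10' }
        '0xC190020E' { 'Not enough free disk space' }
        default      { 'Not a documented ScanOnly result; check setupact.log and setuperr.log' }
    }

    # Setup writes its scan reports and logs here (hidden folder on the system drive).
    $panther = Join-Path $env:SystemDrive '$WINDOWS.~BT\Sources\Panther'
    $reports = @()
    if (Test-Path -LiteralPath $panther) {
        $reports = Get-ChildItem -LiteralPath $panther -Filter 'CompatData*.xml' -Force |
            Sort-Object LastWriteTime -Descending |
            Select-Object -ExpandProperty FullName
    }

    [pscustomobject]@{
        ExitCode = $hex
        Meaning  = $meaning
        Reports  = $reports
    }
}

# Usage (path is an example only):
# Invoke-CompatScan -SetupPath 'D:\Win10_1709\setup.exe' | Format-List
```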

  • Windows 10 Enterprise: Does setting telemetry to zero disable cumulative updates?

    Posted on March 20th, 2018 at 06:17 by woody

    A very interesting post this morning from Günter Born. In a nutshell:

    • If you’re running Win10 Enterprise
    • And you aren’t connected to an update server
    • And you set the level of telemetry to “Security data only” (HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\DataCollection\AllowTelemetry set to 0)

    You don’t get any cumulative updates.

    Sounds like a bug to me. Can anyone out there confirm?

    UPDATE: @teroalhonen pointed me to the Microsoft documentation for the AllowTelemetry setting:

    Security level

    The Security level gathers only the diagnostic data info that is required to keep Windows devices, Windows Server, and guests protected with the latest security updates. This level is only available on Windows Server 2016, Windows 10 Enterprise, Windows 10 Education, Windows 10 Mobile Enterprise, and Windows IoT Core editions.


    If your organization relies on Windows Update for updates, you shouldn’t use the Security level. Because no Windows Update information is gathered at this level, important information about update failures is not sent. Microsoft uses this information to fix the causes of those failures and improve the quality of our updates.

    Windows Server Update Services (WSUS) and System Center Configuration Manager functionality is not affected at this level, nor is diagnostic data about Windows Server features or System Center gathered.

    Sure enough — it’s not a bug, it’s a feature!
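
    To find machines that match the three conditions in this post, here is an added PowerShell audit example (not from the original post or from Microsoft). The function name is hypothetical, and treating "connected to an update server" as "WSUS configured by policy" is this example's assumption.

```powershell
# Added example, not from the original post: checks the three conditions listed above.
function Get-TelemetryUpdateRisk {
    $cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'

    # Editions where the Security level (0) is available, per the documentation quoted above.
    $securityLevelEdition = $cv.EditionID -match '^(Enterprise|Education|Server)'

    # First key is the one quoted in the post; second is where Group Policy writes the value.
    $telemetryKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection',
        'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection'
    )
    $found = foreach ($key in $telemetryKeys) {
        $p = Get-ItemProperty -Path $key -Name AllowTelemetry -ErrorAction SilentlyContinue
        if ($null -ne $p) { [pscustomobject]@{ Key = $key; Level = [int]$p.AllowTelemetry } }
    }
    # Flag a 0 in either key; this does not resolve which key wins when they differ.
    $levelZero = [bool]($found | Where-Object { $_.Level -eq 0 })

    # Assumption: "connected to an update server" = WSUS URL set and UseWUServer = 1.
    $wu = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    $server  = (Get-ItemProperty -Path $wu -Name WUServer -ErrorAction SilentlyContinue).WUServer
    $useWsus = (Get-ItemProperty -Path "$wu\AU" -Name UseWUServer -ErrorAction SilentlyContinue).UseWUServer
    $onWsus  = [bool]$server -and ($useWsus -eq 1)

    [pscustomobject]@{
        Edition        = $cv.EditionID
        AllowTelemetry = $found
        UsesWsus       = $onWsus
        # True when the edition honors level 0, level 0 is set, and no WSUS is configured.
        MatchesPost    = $securityLevelEdition -and $levelZero -and (-not $onWsus)
    }
}

# Usage:
# Get-TelemetryUpdateRisk | Format-List
```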

  • We’re still at MS-DEFCON 2

    Posted on March 20th, 2018 at 06:03 by woody

    If you’re worried about all of the patches, manual installation sequences, and other mind-boggling things, don’t be.

    We’re still at MS-DEFCON 2 — don’t patch unless you have an overwhelming need to install a specific patch.

    The MS-DEFCON system is designed for folks who don’t want to sweat the details. If you aren’t particularly interested in sorting through the offal, wait for the MS-DEFCON number to change.

    Each time I raise the MS-DEFCON level, I have detailed instructions on what you need to do to keep your ship afloat. Unlike Susan (see below), I recommend that you defer “quality updates” (read “cumulative updates”) for the full 35 days, then set the spinner down to 0 when you’re ready to install a specific cumulative update. I also recommend that you set Win7 and 8.1 to “check but don’t download.” I include full instructions for both of those settings in every month’s Computerworld “go ahead” article.

    For now, unless you need to sort through the patching details, just hold tight.

  • Patch Lady – some comments about the master listing

    Posted on March 20th, 2018 at 01:23 by Susan Bradley

    So let me explain a bit about my patch chart this month and some of the optional items.

    First off let’s draw a line in the sand between Windows 10 and Windows 7, as they are two different patching beasts.

    Next let’s draw a line in the sand between Office 2010 and Office 2013, 2016 and the upcoming Office.

    Let’s take Windows 10 first.  You can control its updates and not have it control you as long as you understand one basic concept:  You must have Pro version in order to give you the ability to easily hook into the Windows update for business patching policies to defer updates.  I am NOT a fan of deferring updates forever.  I do recommend that you try not to be part of the beta testing team of updates and unfortunately, and too often, if you install updates on the day they are released, often you end up as part of the unofficial beta testing team.

    With the Pro version of Windows 10 you can put in place an option to defer updates for at least a week.  That is the normal time that we see issues shake out after Patch Tuesday. To do this on Pro, click on start, settings, update and security, advanced and then put your settings as follows:


    Note:  You can also pause updates for up to 35 days if you hear of major issues.

    For Windows 7, the recommendation I give is to set updates to “download but do not install”.  This stages them ready to go but does not install them until you are ready to.

    I honestly would think carefully about why you want the security only updates. Not every non security update is a telemetry one.  Often there are fixes in the non security updates that fix issues introduced by the security ones.  Not every optional patch is a bad thing.

    Now let’s talk about Office updating.  Office has “old way” and “new way”.  Old way means that you get offered up individual updates for Office if your version supports that.  This “old way” is default for Office 2010 and for those that purchase Office 2016 via volume license.  If you have purchased Office via Office 365 you are on the “new way” called click to run.  Click to run does its updating automatically and in the background.  It starts to trickle out during the second week of the month. 

    For those on the “old way”, you often decide to install only the security updates and not the non security updates.  But doing so means that you got nailed this month by a dependency.  The security update for Word depended on the non security update to properly let the application open up files.  If you failed to install the earlier non security update from the week before, you saw the side effect.  If you installed it, you didn’t see the side effect.

    Because Click to Run installs both security and non security updates at the same time, you get both at the same time, thus ensuring that you won’t see the issue that nailed all of us folks who want to only get the security updates. 

    For click to run installs I’ve noticed that many of the side effects come if you are on the “monthly” release and not the semi-annual channel.  As you can see in the master Office issue listing located here, there’s a known issue for the monthly click to run that’s been addressed:

    Outlook known issues in the March 2018 updates

    Meeting location updates are not reflected in recipient calendar [FIXED]

    Last updated: March 14, 2018


    After updating to Version 1803 (Build 9126.2072), you may find that when you open an existing meeting in the calendar and send an update with updated location, the recipient still sees the old location. If you review the item in the Sent Items folder it shows the old location and was not updated.

    Note: This issue only affects Semi-Annual Channel (Targeted) and Monthly Channel (Targeted) versions using builds 9126.2072 and higher.


    This issue is fixed by a change in the service. Restarting Outlook should fix the issue but you may have to restart Outlook up to three times to pick up the change.

    Information for this issue is also provided in this article: Meeting location updates are not reflected in recipient calendar in Outlook 2016.



    There is a way to opt out of the monthly channel and move to the semi-annual.  I’ll post on that tomorrow, just know that click to run has a monthly update cycle, a semi-annual targeted and then a semi-annual channel.  It’s a little bit confusing, I know, but all of this is about offering up feature releases.

    For my specific March master patch listing, I listed several Windows 10 updates as “optional” just because of the unusual release of updates in March.  We had several out of band fixes to Windows 10 1709 and 1703 due to various issues including fixes for inaccessible boot device and loss of usb devices.  If you didn’t happen to catch those extra updates that were released for 1709 there was no harm, no foul as they didn’t include any new security updates, and if you waited until the normal March second week releases, you’d get the same code plus the new security fixes for the month.

    One other thought to ponder, I know many here install updates manually from the catalog, but there is risk in manually patching and not letting Microsoft update or Windows update do its thing.  Take for example the Windows 10 servicing stack update of KB4090914 that has a warning that you should install it in a certain order:

    When installing both the servicing stack update and the latest cumulative update from the Microsoft Update Catalog, install the servicing stack update before you install the cumulative update.

    When you manually install updates you may end up with patches in an order that Microsoft didn’t intend.  So if you manually install updates make sure you read the KB articles for any patch dependencies and order directions in the information.  I’ll also recommend that anyone on the Windows 7 platform every now and then do a manual scan for updates just to see what is offered to you.  Remember that often you will get Office updates offered up for platforms you don’t think you have only because when you do in-place upgrades, there are often DLLs and files left over from the prior version.  Also if you install new business software, it often installs older C++ runtimes and .NET files that need updates.  So often you’ll think you are up to date… and you aren’t.  Stay tuned: there is even a way to do this manual scan in Windows 10 by using PowerShell.
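
    The servicing-stack-before-cumulative-update ordering described here, and in the Friday night patch dump post above, as an added PowerShell example (not Microsoft's or AskWoody's code). The function names and .msu paths are hypothetical; the KB pairs are the March 2018 numbers named on this page for 1703 and 1607.

```powershell
# Added example, not from the original posts. Run elevated.
# KB pairs are the March 2018 SSU/LCU numbers named on this page.
$KbPairs = @{
    '1703' = @{ SSU = 'KB4088825'; LCU = 'KB4088891' }
    '1607' = @{ SSU = 'KB4089510'; LCU = 'KB4088889' }
}

function Install-Msu {
    param([Parameter(Mandatory)][string]$Path)
    $p = Start-Process -FilePath wusa.exe -Wait -PassThru `
        -ArgumentList "`"$Path`"", '/quiet', '/norestart'
    # 0 = installed, 3010 = installed but reboot pending, 2359302 = already installed
    if ($p.ExitCode -notin 0, 3010, 2359302) {
        throw "wusa.exe failed on $Path (exit code $($p.ExitCode))"
    }
    $p.ExitCode
}

function Install-SsuThenLcu {
    param(
        [Parameter(Mandatory)][string]$SsuMsu,   # hypothetical path to the downloaded SSU .msu
        [Parameter(Mandatory)][string]$LcuMsu    # hypothetical path to the downloaded LCU .msu
    )
    $cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $pair = $KbPairs[[string]$cv.ReleaseId]
    if (-not $pair) { throw "No SSU/LCU pair listed here for Windows 10 $($cv.ReleaseId)" }

    # Catalog file names carry the KB number; reject swapped or mismatched arguments.
    if ((Split-Path $SsuMsu -Leaf) -notmatch $pair.SSU) { throw "Expected $($pair.SSU): $SsuMsu" }
    if ((Split-Path $LcuMsu -Leaf) -notmatch $pair.LCU) { throw "Expected $($pair.LCU): $LcuMsu" }

    # Step 1: servicing stack, unless it is already on the machine.
    if (-not (Get-HotFix -Id $pair.SSU -ErrorAction SilentlyContinue)) {
        if ((Install-Msu -Path $SsuMsu) -eq 3010) {
            Write-Warning "$($pair.SSU) wants a reboot; restart, then run this again for the LCU."
            return
        }
    }

    # Step 2: cumulative update, only after the SSU step has succeeded.
    $code = Install-Msu -Path $LcuMsu
    [pscustomobject]@{ SSU = $pair.SSU; LCU = $pair.LCU; LcuExitCode = $code }
}

# Usage (file names are examples only):
# Install-SsuThenLcu -SsuMsu 'C:\Patches\windows10.0-kb4088825-x64.msu' `
#                    -LcuMsu 'C:\Patches\windows10.0-kb4088891-x64.msu'
```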