Patch Lady – Business view of updates

Topic

New Reply

While Woody has yet to declare the all clear, I’m listing the updates and giving the “business report” for consultants, admins or anyone who has to ha
[See the full post at: Patch Lady – Business view of updates]

Susan Bradley Patch Lady

7 users thanked author for this post.

cesmart4125, AlphaCharlie, JDeC, Mr. Natural, woody, ch100, columbia2011

Reply | Quote

Replies

Susan, thanks for elucidation. But I’d like to correct myself: if I will install KB4093118 from WSUS (sync 12.04.18) does it bundle with KB4099950? Because of earlier posts wrote about downloading KB4093118 from Windows Catalogue! I’m in group A.

Reply | Quote

Not Susan here, replying to your enquiry.
The suggestions here were to download KB4099950 from the Catalog and install manually to avoid potential issues. No other update was suggested to be downloaded from the Catalog from the March/April batch of updates.

Reply | Quote

If you have resync since Thursday you will have the newly revised KB.

Susan Bradley Patch Lady

1 user thanked author for this post.

columbia2011

Reply | Quote

The Master Patch List for Apr 2018 indicates that KB 4018359 corresponds to Office 2010. More specifically, this KB security patch is for Word 2010.

From Susan Bradley’s post:
I’ve seen comments that more and more consultants are taking the drastic steps of turning off windows update and in fact scripting a task to turn off the update services each day.  I wince when I see these comments and urge consultants and those concerned about update quality to push off updates for a week but not to turn off the updating process completely.

I think the situation of remaining in or increasingly “converting” to Group W may not improve, unless Microsoft reverts to releasing individual patches, instead of (permanently problematic) rollups.

With individual patches, users & sys admins alike can, if necessary, choose to be temporarily in Group W for selective problematic patches, & install these patches later when/if the issues afflicting them are resolved.

4 users thanked author for this post.

JDeC, SueW, Elly, Cybertooth

Reply | Quote

I see what Ms. Bradley describes in that citation (consultants taking extreme measures to make sure Windows Update is, and remains, disabled) as a completely foreseeable consequence of Microsoft’s heavy-handedness.  I say that because I did foresee it, but I’m not claiming any great level of insight to have thought that way back when I first learned of all of this.  It was the first thing that popped into my mind when the argument was first made that “MS had to do this because people were stupid and they disabled updates,” which I’ve had someone claim as recently as yesterday over on Reddit.

Did MS really think that people who would completely disable updates, with all the risk that entails, at a time when MS had more credibility and trustworthiness than it has now or may ever have again, were simply going to throw up their hands and concede that MS is in control now?

The beginning user was probably never going to even realize the option to turn automatic updates off was present in earlier versions, but I saw someone argue that maybe a nephew or well-meaning but misguided friend would offer to “fix” the beginner’s computer, taking the liberty to disable updates on their behalf in the process.

While I’ve fixed many a beginner’s computer, I’ve certainly never done that; much of the fixing was about getting the updates to work again, not stopping them… but let’s say that some person is so convinced that updates are bad that they’d take the liberty with someone else’s computer (and while I am speaking in a consumer sense here, it could just as easily apply to a consultant doing the same with a business client’s computer as Ms. Bowman mentioned).

In the past, the well-meaning person would simply go to Windows Updates and set it to “Never check for updates (not recommended),” knowing that this would do just what it says on the tin.  In a business setting, it could easily be done via GPO.

Now that Windows no longer presents that option, the well-meaning person (according to what Ms. Bowman reports) creates a task in Task Scheduler to set the Windows updating services to Disabled (triggered by a login event, perhaps), so that if Windows decides to “self heal,” which is Microsoft-speak for “do what we want instead of what the customer wants,” the service will again get disabled at the next login.

Which one of these unfortunate changes is going to be easier for someone other than the well-meaning person to discover and fix? A setting that nearly everyone knows is there, or a hacky kind of thing that requires knowledge of the Task Scheduler, which not everyone knows even exists, let alone how to check it (or that one ought to check it, even if he knows how)?

Whatever possessed people to turn updates completely off before Windows 10 arrived was certainly less convincing than the situation we have at present, where being in group “W” is beginning to look like the sane choice.  People who didn’t trust updates when Microsoft still had a modicum of integrity and trust are certainly not going to be any more trusting now that Microsoft is behaving as it is.

In other words, while I don’t agree with the wisdom of completely disabling updates, Microsoft’s own actions are making the case better than anyone else ever could have.  You can’t make this stuff up…

 

Dell XPS 13/9310, i5-1135G7/16GB, KDE Neon
XPG Xenia 15, i7-9750H/16GB & GTX1660ti, KDE Neon

3 users thanked author for this post.

Bill C., Cybertooth, Elly

Reply | Quote

I just want to take this opportunity to say how glad I am that Susan Bradley has become such a prominent fixture here at AskWoody. Susan’s posts in Windows Secrets was one of the reasons I stayed with them for so long after being migrated from Gizmo’s TechSupportAlert. Thank you Susan Bradley!

11 users thanked author for this post.

johnf, Jan K., satrow, AlphaCharlie, CADesertRat, Geo, Laptop Boy, flackcatcher, mcbsys, woody, columbia2011

Reply | Quote

I don’t know if Sandboxie is used much in the business world (your target audience in this post), but the Windows 8.1 32 bit versions of the April 2018 Rollup KB4093114 and Security Only update KB4093115 break the latest Sandboxie 5.24 as I reported here:

https://www.askwoody.com/forums/topic/heres-what-you-need-to-know-about-this-months-patches/#post-184494

and this may be of interest to other, non-business IT support users who may read this.

The Windows 8.1 64 bit versions appear OK with respect to Sandboxie.

HTH. Garbo.

1 user thanked author for this post.

johnf

Reply | Quote

If my fellow Windows 8.1 32 bit Sandboxie users are keen to install the April 2018 updates, the Sandboxie developers have produced Beta 5.25.1 which includes a fix/work-around to the problem described above and which can be downloaded at:

https://forums.sandboxie.com/phpBB3/viewtopic.php?f=65&t=25684

I upgraded to this (without a PC reboot) before again installing the April 2018 security update KB4093115 and now Sandboxie appears to be working OK (the program starts without error and I’m typing this in W8.1 32 bit IE running in a Sandboxie sandbox).

I assume that this also works for the Rollup KB4093114 because that was the thing reported to the Sandboxie developers – most users will be Group A in the AskWoody jargon, not Group B like me.

Maybe this Sandboxie issue should be added to the list of known Windows 8.1 32 bit April 2018 update issues?

HTH. Garbo.

Reply | Quote

Running Windows Update manually on a ‘Group A’ system, it cought KB4100480 and KB4093118. Do I need install both of them or only KB4093118 will be enough?

Reply | Quote

According to the Microsoft pages, KB4093118 replaces KB4100480.

This update supercedes update 4100480, Windows kernel update for CVE-2018-1038.

1 user thanked author for this post.

columbia2011

Reply | Quote

I’ve installed both KB4100480 and KB4093118 on a couple of my semi-test systems, as they were presented by manually running Windows Update (Windows 7×64 Home Premium).

Both systems show they were installed and both systems are running normally.

Later this week, I’ll be turning my clients loose to run Windows Update and install those 2. I had one client report to me over the weekend those 2 had shown up in his Windows Update (set to Check, but let me decide to download and install…).

At one office, I’ll go by in person, as 5-6 of the systems there have a BIOS update from Dell available to ‘fix’ the hardware part of the Intel CPU flaws. I’ll test it on one spare system, see what it does and see that they all get the April updates installed as all systems there are in manual checking mode since the Feb. updates were installed.

Reply | Quote

@PKCano,now everything has become clear with April cumulative update.

Reply | Quote

Still having problems with KB4093118.  Using WSUS – WSUS has 4 entries for 14/12/18 for the same patch.  When we roll this out to test machines we find that 3 out of 6 are ok.  The failed 3 loose the network interface.  Rolling back on the individual PC gets it back.  Not sure if this is co incidence or not but the three machines that failed are all i3 processors – the other 3 are a mixture of i5 and older pentiums.

I have removed the approval for the 04 security quality monthly rollup in the meantime as I want to get the IE and office patches out as they all seem to be ok.  I will await more comment before wasting another morning on this debacle!

1 user thanked author for this post.

MrBrian

Reply | Quote

You should import 4099950 and apply it first before KB4093118 to fix the NIC problem. It is bundled in WU but I don’t believe it is bundled in WSUS.

Reply | Quote

PKCano

Thanks for the reply.  Susans note from 13th April suggests that the new wsus update doesnt need that patch.  Confused now.  I will wait a while and see what else transpires.

 

Reply | Quote

I found that when I installed KB4093114, it slowed my Windows 8.1 computer considerably.
When I uninstalled it, my computer worked as before, but the Windows Store would not work almost at all. I managed to get the Store to mostly work again. Reinstalling the update put things back the way they were at first, so I uninstalled the patch for good. I haven’t tried
KB4093115. Do you think that I should?

Reply | Quote

Group A, Windows 7 Home Premium. I installed the original April 10th version of KB4093118 from WU. No issues with installation. Susan says that the April 12th installation of KB4093118 is unnecessary. My question is whether the existence of the cache text file in the Logs folder is necessary to prove that the updates have fixed the NIC issue. If so, is the best strategy to install KB4099950 manually from the catalog prior to installing the May rollup to ensure the execution of the cache .exe and the generation of the Log text file? Or should I ignore the manual installation of KB4099950 if my computer is working normally?

 

Reply | Quote

@ashfan212

If the log file is present in C:\Windows\Logs, you can also check the date and version of PCI.SYS located in C:\Windows\System32\drivers.

I actually had one system that DID not have the C:\Windows\Logs\PCIClearStaleCache.txt created, but the PCI.SYS file was updated.

On the rest of the systems (lost count) I was testing, the above log file was created and the PCI.SYS file was updated.

After it’s updated, it should be like this:

Date: 2/10/2018
Size: 181KB (185,024 bytes on the disk)
Version: 6.1.7601.24056

The previous PCI.SYS was dated 11/20/2010

1 user thanked author for this post.

ashfan212

Reply | Quote

My pci.sys file was updated with the 2/10/2018 stamp during the March rollup using KB4088875. Are you saying that the update of the pci.sys file is sufficient to ensure the NIC fix or that it is a 2nd necessary condition in addition to the presence of the Logs text file?

Reply | Quote

If the log file isn’t present, I recommend:

1. Uninstall KB4099950.

2. Download KB4099950 from the Catalog.

3. Run the downloaded .msu file.

5 users thanked author for this post.

johnf, columbia2011, jburk07, ashfan212, ch100

Reply | Quote

MrBrian wrote:

If the log file isn’t present, I recommend:

1. Uninstall KB4099950.

2. Download KB4099950 from the Catalog.

3. Run the downloaded .msu file.

Totally agree.

Reply | Quote

@MrBrian, I checked that I do have the latest version of the pci.sys file; however, KB4099950 does not appear in the list of installed updates. It presumably never was executed since I had installed the April 10th version of KB4093118 from WU. It sounds as though you are saying that it is safe to run KB4099950 from the catalog as a one-off update and logging out rather than bundling KB4099950 with, say, the May rollup. I was under the impression that it could be unsafe to execute KB4099950 after installing the latest monthly rollup according to Microsoft’s documentation for KB4099950 from late March.

 

Reply | Quote

In order to be effective, the fix – whether it’s KB4099950 or the predecessor script – is supposed to be run before installing KB4088881, KB4088875, or KB4088878. If the fix wasn’t run before installing KB4088881, KB4088875, or KB4088878, there might be a benefit to running KB4099950 from the Catalog after installing KB4088881, KB4088875, or KB4088878 because it might make doing a manual fix for the networking issues easier. I don’t know if there is a risk in running KB4099950 from the Catalog after installing KB4088881, KB4088875, or KB4088878.

1 user thanked author for this post.

ashfan212

Reply | Quote

Group A ,  Win 7×64  home Premium  installed 118 from 10 Apr. from WU.  No problems so far.

Reply | Quote

Patch Lady wrote about 1709:

“If you manually install updates by going to the Windows catalog and download updates make sure you install 4099989 first.”

Funny thing though is while 4090914 (March SSU) specifically states the required order of installation when done via catalog, the same caution is missing from 4099989 (April SSU).

I have noticed though that if the SSU is skipped, it won’t be offered by WU after manual installation of the associated Cumulative Update.

I’m assuming one can get back on track by first installing a future SSU but have seen no ill effects from the prior SSU’s I’ve skipped.

Will be interesting to see what 1803 does with this.

1 user thanked author for this post.

MrBrian

Reply | Quote

From the Patch Lay’s Home Page posting: “Microsoft re-packaged and released the April 10 update of 4093118 to include the networking fix on Thursday April 12th. ”

Reading the Master Patch List I am left wondering if this is an issue taken care of also in the current release of KB4093108 (in my case, for win 7 x64), the security only update. Or if it is an issue at all for the likes of me.

Thanks.

Group B, Windows 7 Pro SP1 x64, I-7 “sandy bridge” CPU.

Ex-Windows user (Win. 98, XP, 7); since mid-2017 using also macOS. Presently on Monterey 12.15 & sometimes running also Linux (Mint).

MacBook Pro circa mid-2015, 15" display, with 16GB 1600 GHz DDR3 RAM, 1 TB SSD, a Haswell architecture Intel CPU with 4 Cores and 8 Threads model i7-4870HQ @ 2.50GHz.
Intel Iris Pro GPU with Built-in Bus, VRAM 1.5 GB, Display 2880 x 1800 Retina, 24-Bit color.
macOS Monterey; browsers: Waterfox "Current", Vivaldi and (now and then) Chrome; security apps. Intego AV

Reply | Quote

This is to further clarify my preceding entry.

MrBrian said this about the same issue, earlier on:

“No. KB4093108 apparently cannot cause the two recent networking issues because it doesn’t contain file pci.sys. KB4093108 apparently also doesn’t fix the two recent networking issues on computers that already have those issues.”

So, to refine my question: is “apparently” still the case, or is now “certainly” a better word for the present situation?

 

Ex-Windows user (Win. 98, XP, 7); since mid-2017 using also macOS. Presently on Monterey 12.15 & sometimes running also Linux (Mint).

MacBook Pro circa mid-2015, 15" display, with 16GB 1600 GHz DDR3 RAM, 1 TB SSD, a Haswell architecture Intel CPU with 4 Cores and 8 Threads model i7-4870HQ @ 2.50GHz.
Intel Iris Pro GPU with Built-in Bus, VRAM 1.5 GB, Display 2880 x 1800 Retina, 24-Bit color.
macOS Monterey; browsers: Waterfox "Current", Vivaldi and (now and then) Chrome; security apps. Intego AV

1 user thanked author for this post.

MrBrian

Reply | Quote

Me again: I just read, once more, the Patch Lady’s Master List and her Note (No. 2) on KB4093108.

And that is the answer, right there… Somehow, I must have missed it last time I looked.

So: same as KM4093118, both without networking issues solved, both still having memory leaks “under certain circumstances.”

Memory leaks are hard to notice unless one monitors performance looking for them, or  — if memory serves — there is an obvious gradual slowing down of the processing that goes away when restarting the machine, then starts to creep back again. Of course, eventually, one also might find out about leaks the hard way, when the computer finally runs out of working memory…

 

Ex-Windows user (Win. 98, XP, 7); since mid-2017 using also macOS. Presently on Monterey 12.15 & sometimes running also Linux (Mint).

MacBook Pro circa mid-2015, 15" display, with 16GB 1600 GHz DDR3 RAM, 1 TB SSD, a Haswell architecture Intel CPU with 4 Cores and 8 Threads model i7-4870HQ @ 2.50GHz.
Intel Iris Pro GPU with Built-in Bus, VRAM 1.5 GB, Display 2880 x 1800 Retina, 24-Bit color.
macOS Monterey; browsers: Waterfox "Current", Vivaldi and (now and then) Chrome; security apps. Intego AV

Reply | Quote

I cannot install monthly rollup security update KB4093118 on computers with 32bit windows 7. Installation always ends up with computers restarting right after boot. PC starts till ‘Wait Please’ message is displayed and then after few seconds it reboots. First I thought it’s and isolated incident, but this happens the same way on all computers with 32bit windows 7. I have 7 of them. So only reverted back before installing Rollup solve boot problem.
I’m on group A, all updates tried to install from WSUS and WU.

2 users thanked author for this post.

geekdom, MrBrian

Reply | Quote

At the bebinning of April, I updated Java and Flash Player.  I just noticed there are additional updates for my computer, which I downloaded and installed without problems.

Hope this helps my fellow readers of Ask Woody.

Charles

Win 7 SP1, Intel Core 2 Duo 1.80 GHz, 4 GB RAM, Mobile Intel 965 Express Chipset

 

Reply | Quote