  • Patch Lady – Business view of updates

    Posted on Susan Bradley Comment on the AskWoody Lounge


    This topic contains 30 replies, has 14 voices, and was last updated by  cesmart4125 6 months ago.

    • Author
      Posts
    • #184957 Reply

      Susan Bradley
      AskWoody MVP

      While Woody has yet to declare the all clear, I’m listing the updates and giving the “business report” for consultants, admins or anyone who has to ha
      [See the full post at: Patch Lady – Business view of updates]

      Susan Bradley Patch Lady

      7 users thanked author for this post.
    • #184966 Reply

      columbia2011
      AskWoody Lounger

      Susan, thanks for the elucidation. But I’d like to correct myself: if I install KB4093118 from WSUS (sync 12.04.18), does it come bundled with KB4099950? Because earlier posts wrote about downloading KB4093118 from the Windows Catalogue! I’m in group A.

      • #184984 Reply

        ch100
        AskWoody MVP

        Not Susan here, replying to your enquiry.
        The suggestions here were to download KB4099950 from the Catalog and install manually to avoid potential issues. No other update was suggested to be downloaded from the Catalog from the March/April batch of updates.

      • #185060 Reply

        Susan Bradley
        AskWoody MVP

        If you have resynced since Thursday you will have the newly revised KB.

        Susan Bradley Patch Lady

        1 user thanked author for this post.
    • #184974 Reply

      anonymous

      The Master Patch List for Apr 2018 indicates that KB 4018359 corresponds to Office 2010. More specifically, this KB security patch is for Word 2010.

      From Susan Bradley’s post:
      I’ve seen comments that more and more consultants are taking the drastic steps of turning off windows update and in fact scripting a task to turn off the update services each day.  I wince when I see these comments and urge consultants and those concerned about update quality to push off updates for a week but not to turn off the updating process completely.

      I think the situation of remaining in or increasingly “converting” to Group W may not improve, unless Microsoft reverts to releasing individual patches, instead of (permanently problematic) rollups.

      With individual patches, users & sys admins alike can, if necessary, choose to be temporarily in Group W for selective problematic patches, & install these patches later when/if the issues afflicting them are resolved.

      4 users thanked author for this post.
      • #185201 Reply

        Ascaris
        AskWoody MVP

        I see what Ms. Bradley describes in that citation (consultants taking extreme measures to make sure Windows Update is, and remains, disabled) as a completely foreseeable consequence of Microsoft’s heavy-handedness.  I say that because I did foresee it, but I’m not claiming any great level of insight to have thought that way back when I first learned of all of this.  It was the first thing that popped into my mind when the argument was first made that “MS had to do this because people were stupid and they disabled updates,” which I’ve had someone claim as recently as yesterday over on Reddit.

        Did MS really think that people who would completely disable updates, with all the risk that entails, at a time when MS had more credibility and trustworthiness than it has now or may ever have again, were simply going to throw up their hands and concede that MS is in control now?

        The beginning user was probably never going to even realize the option to turn automatic updates off was present in earlier versions, but I saw someone argue that maybe a nephew or well-meaning but misguided friend would offer to “fix” the beginner’s computer, taking the liberty to disable updates on their behalf in the process.

        While I’ve fixed many a beginner’s computer, I’ve certainly never done that; much of the fixing was about getting the updates to work again, not stopping them… but let’s say that some person is so convinced that updates are bad that they’d take the liberty with someone else’s computer (and while I am speaking in a consumer sense here, it could just as easily apply to a consultant doing the same with a business client’s computer as Ms. Bowman mentioned).

        In the past, the well-meaning person would simply go to Windows Updates and set it to “Never check for updates (not recommended),” knowing that this would do just what it says on the tin.  In a business setting, it could easily be done via GPO.

        Now that Windows no longer presents that option, the well-meaning person (according to what Ms. Bowman reports) creates a task in Task Scheduler to set the Windows updating services to Disabled (triggered by a login event, perhaps), so that if Windows decides to “self heal,” which is Microsoft-speak for “do what we want instead of what the customer wants,” the service will again get disabled at the next login.

        Which one of these unfortunate changes is going to be easier for someone other than the well-meaning person to discover and fix? A setting that nearly everyone knows is there, or a hacky kind of thing that requires knowledge of the Task Scheduler, which not everyone knows even exists, let alone how to check it (or that one ought to check it, even if he knows how)?

        Whatever possessed people to turn updates completely off before Windows 10 arrived was certainly less convincing than the situation we have at present, where being in group “W” is beginning to look like the sane choice.  People who didn’t trust updates when Microsoft still had a modicum of integrity and trust are certainly not going to be any more trusting now that Microsoft is behaving as it is.

        In other words, while I don’t agree with the wisdom of completely disabling updates, Microsoft’s own actions are making the case better than anyone else ever could have.  You can’t make this stuff up…

         

        Group L (Linux): KDE Neon User Edition 5.14.1 (based on Ubuntu 18.04) + Windows 7 in Virtualbox VM

        3 users thanked author for this post.
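The workaround described in the post above (a scheduled task that re-disables the update services) is hard to spot by hand, so here is one way to audit for it, as an added example that is not part of the original thread. It assumes the ScheduledTasks module (Windows 8 / Server 2012 and later) and that the services meant are the ones listed; the thread names no specific services.

```powershell
# Added example, not from the thread. Lists scheduled tasks whose command line
# names a Windows Update related service together with a stop/disable verb.
# Assumption: the service names below; the thread names no specific services.
$UpdateServices = 'wuauserv', 'UsoSvc', 'WaaSMedicSvc', 'BITS'

function Find-UpdateDisablingTask {
    param([string[]] $Services = $UpdateServices)

    $svcPattern  = ($Services | ForEach-Object { [regex]::Escape($_) }) -join '|'
    # Verbs used by sc.exe, net.exe and the PowerShell service cmdlets.
    # Requiring one of them keeps Microsoft's own "sc.exe start ..." tasks out.
    $verbPattern = 'disabled|\bstop\b|Set-Service'

    foreach ($task in Get-ScheduledTask) {
        foreach ($action in $task.Actions) {
            # Only exec actions have Execute/Arguments; others give empty text.
            # A task that launches a script file hides the service name inside
            # that script, so this scan only sees inline command lines.
            $cmd = ('{0} {1}' -f $action.Execute, $action.Arguments).Trim()
            if ($cmd -match $svcPattern -and $cmd -match $verbPattern) {
                [pscustomobject]@{
                    TaskPath = $task.TaskPath
                    TaskName = $task.TaskName
                    State    = $task.State
                    RunAs    = $task.Principal.UserId
                    Triggers = ($task.Triggers |
                        ForEach-Object { $_.CimClass.CimClassName }) -join ', '
                    Command  = $cmd
                }
            }
        }
    }
}

function Get-UpdateServiceStartMode {
    param([string[]] $Services = $UpdateServices)
    # Win32_Service.StartMode reads Auto, Manual or Disabled.
    Get-CimInstance -ClassName Win32_Service |
        Where-Object { $Services -contains $_.Name } |
        Select-Object Name, State, StartMode
}

Get-UpdateServiceStartMode | Format-Table -AutoSize
Find-UpdateDisablingTask   | Format-List
```

A service shown as Disabled with no matching task can still have been set by Group Policy or by a script the task calls, so treat an empty task list as inconclusive.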
    • #184989 Reply

      SusanA
      AskWoody Lounger

      I just want to take this opportunity to say how glad I am that Susan Bradley has become such a prominent fixture here at AskWoody. Susan’s posts in Windows Secrets were one of the reasons I stayed with them for so long after being migrated from Gizmo’s TechSupportAlert. Thank you Susan Bradley!

      11 users thanked author for this post.
    • #184988 Reply

      anonymous

      I don’t know if Sandboxie is used much in the business world (your target audience in this post), but the Windows 8.1 32 bit versions of the April 2018 Rollup KB4093114 and Security Only update KB4093115 break the latest Sandboxie 5.24 as I reported here:

      https://www.askwoody.com/forums/topic/heres-what-you-need-to-know-about-this-months-patches/#post-184494

      and this may be of interest to other, non-business IT support users who may read this.

      The Windows 8.1 64 bit versions appear OK with respect to Sandboxie.

      HTH. Garbo.

      1 user thanked author for this post.
      • #185800 Reply

        anonymous

        If my fellow Windows 8.1 32 bit Sandboxie users are keen to install the April 2018 updates, the Sandboxie developers have produced Beta 5.25.1 which includes a fix/work-around to the problem described above and which can be downloaded at:

        https://forums.sandboxie.com/phpBB3/viewtopic.php?f=65&t=25684

        I upgraded to this (without a PC reboot) before again installing the April 2018 security update KB4093115 and now Sandboxie appears to be working OK (the program starts without error and I’m typing this in W8.1 32 bit IE running in a Sandboxie sandbox).

        I assume that this also works for the Rollup KB4093114 because that was the thing reported to the Sandboxie developers – most users will be Group A in the AskWoody jargon, not Group B like me.

        Maybe this Sandboxie issue should be added to the list of known Windows 8.1 32 bit April 2018 update issues?

        HTH. Garbo.

    • #184994 Reply

      columbia2011
      AskWoody Lounger

      Running Windows Update manually on a ‘Group A’ system, it caught KB4100480 and KB4093118. Do I need to install both of them, or will only KB4093118 be enough?

      • #184995 Reply

        PKCano
        AskWoody MVP

        According to the Microsoft pages, KB4093118 replaces KB4100480.

        This update supersedes update 4100480, Windows kernel update for CVE-2018-1038.

        1 user thanked author for this post.
      • #185168 Reply

        SkipH
        AskWoody Lounger

        I’ve installed both KB4100480 and KB4093118 on a couple of my semi-test systems, as they were presented by manually running Windows Update (Windows 7 x64 Home Premium).

        Both systems show they were installed and both systems are running normally.

        Later this week, I’ll be turning my clients loose to run Windows Update and install those 2. I had one client report to me over the weekend those 2 had shown up in his Windows Update (set to Check, but let me decide to download and install…).

        At one office, I’ll go by in person, as 5-6 of the systems there have a BIOS update from Dell available to ‘fix’ the hardware part of the Intel CPU flaws. I’ll test it on one spare system, see what it does and see that they all get the April updates installed as all systems there are in manual checking mode since the Feb. updates were installed.

    • #184996 Reply

      columbia2011
      AskWoody Lounger

      @pkcano, now everything has become clear with the April cumulative update.

    • #185008 Reply

      everest100
      AskWoody Lounger

      Still having problems with KB4093118.  Using WSUS – WSUS has 4 entries for 14/12/18 for the same patch.  When we roll this out to test machines we find that 3 out of 6 are ok.  The failed 3 lose the network interface.  Rolling back on the individual PC gets it back.  Not sure if this is coincidence or not but the three machines that failed are all i3 processors – the other 3 are a mixture of i5 and older Pentiums.

      I have removed the approval for the 04 security quality monthly rollup in the meantime as I want to get the IE and office patches out as they all seem to be ok.  I will await more comment before wasting another morning on this debacle!

      1 user thanked author for this post.
      • #185013 Reply

        PKCano
        AskWoody MVP

        You should import 4099950 and apply it first before KB4093118 to fix the NIC problem. It is bundled in WU but I don’t believe it is bundled in WSUS.

    • #185029 Reply

      everest100
      AskWoody Lounger

      PKCano

      Thanks for the reply.  Susan’s note from 13th April suggests that the new WSUS update doesn’t need that patch.  Confused now.  I will wait a while and see what else transpires.

       

    • #185047 Reply

      anonymous

      I found that when I installed KB4093114, it slowed my Windows 8.1 computer considerably.
      When I uninstalled it, my computer worked as before, but the Windows Store would not work almost at all. I managed to get the Store to mostly work again. Reinstalling the update put things back the way they were at first, so I uninstalled the patch for good. I haven’t tried KB4093115. Do you think that I should?

    • #185059 Reply

      ashfan212
      AskWoody Lounger

      Group A, Windows 7 Home Premium. I installed the original April 10th version of KB4093118 from WU. No issues with installation. Susan says that the April 12th installation of KB4093118 is unnecessary. My question is whether the existence of the cache text file in the Logs folder is necessary to prove that the updates have fixed the NIC issue. If so, is the best strategy to install KB4099950 manually from the catalog prior to installing the May rollup to ensure the execution of the cache .exe and the generation of the Log text file? Or should I ignore the manual installation of KB4099950 if my computer is working normally?

       

      • #185172 Reply

        SkipH
        AskWoody Lounger

        @ashfan212

        If the log file is present in C:\Windows\Logs, you can also check the date and version of PCI.SYS located in C:\Windows\System32\drivers.

        I actually had one system that DID not have the C:\Windows\Logs\PCIClearStaleCache.txt created, but the PCI.SYS file was updated.

        On the rest of the systems (lost count) I was testing, the above log file was created and the PCI.SYS file was updated.

        After it’s updated, it should be like this:

        Date: 2/10/2018
        Size: 181KB (185,024 bytes on the disk)
        Version: 6.1.7601.24056

        The previous PCI.SYS was dated 11/20/2010

        1 user thanked author for this post.
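The manual checks from the post above (log file, pci.sys version, and whether KB4099950 shows as installed), collected into one script as an added example that is not part of the original thread. The paths, KB number and version are the ones quoted in the thread; treating any pci.sys at or above that version as updated is an assumption.

```powershell
# Added example, not from the thread's authors. Reports the three things the
# posts check by hand. Paths, KB number and version come from the thread.
# Written to run on the PowerShell 2.0 that ships with Windows 7.
function Get-PciFixState {
    param(
        [string]  $LogPath       = (Join-Path $env:windir 'Logs\PCIClearStaleCache.txt'),
        [string]  $PciPath       = (Join-Path $env:windir 'System32\drivers\pci.sys'),
        [version] $WantedVersion = '6.1.7601.24056',
        [string]  $Kb            = 'KB4099950'
    )

    $logPresent = Test-Path -LiteralPath $LogPath

    $pciVersion = $null
    $pciDate    = $null
    if (Test-Path -LiteralPath $PciPath) {
        $file = Get-Item -LiteralPath $PciPath
        $vi   = $file.VersionInfo
        # Build the version from its numeric parts; the FileVersion string
        # usually carries a build-lab suffix that [version] cannot parse.
        $pciVersion = [version]('{0}.{1}.{2}.{3}' -f $vi.FileMajorPart,
            $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart)
        $pciDate = $file.LastWriteTime
    }

    # Get-HotFix writes an error when the id is absent, so silence it.
    $kbInstalled = [bool](Get-HotFix -Id $Kb -ErrorAction SilentlyContinue)

    # Assumption: any pci.sys at or above the quoted version counts as updated.
    $pciUpdated = ($pciVersion -ne $null) -and ($pciVersion -ge $WantedVersion)

    if (-not $logPresent) {
        $note = 'Log file missing: the case for which the thread suggests ' +
                'reinstalling the KB from the Catalog.'
    } elseif (-not $pciUpdated) {
        $note = 'Log file present but pci.sys is older than the quoted version.'
    } else {
        $note = 'Log file present and pci.sys at or above the quoted version.'
    }

    New-Object PSObject -Property @{
        Computer    = $env:COMPUTERNAME
        LogPresent  = $logPresent
        PciVersion  = $pciVersion
        PciDate     = $pciDate
        PciUpdated  = $pciUpdated
        KbInstalled = $kbInstalled
        Note        = $note
    }
}

Get-PciFixState |
    Format-List Computer, LogPresent, PciVersion, PciDate, PciUpdated, KbInstalled, Note
```

The script only reports state; whether an updated pci.sys without the log file is sufficient is the open question in this thread, and the output does not settle it.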
        • #185256 Reply

          ashfan212
          AskWoody Lounger

          My pci.sys file was updated with the 2/10/2018 stamp during the March rollup using KB4088875. Are you saying that the update of the pci.sys file is sufficient to ensure the NIC fix or that it is a 2nd necessary condition in addition to the presence of the Logs text file?

      • #185190 Reply

        MrBrian
        AskWoody MVP

        If the log file isn’t present, I recommend:

        1. Uninstall KB4099950.

        2. Download KB4099950 from the Catalog.

        3. Run the downloaded .msu file.

        5 users thanked author for this post.
        • #185200 Reply

          ch100
          AskWoody MVP

          If the log file isn’t present, I recommend:

          1. Uninstall KB4099950.

          2. Download KB4099950 from the Catalog.

          3. Run the downloaded .msu file.

          Totally agree.

        • #185295 Reply

          ashfan212
          AskWoody Lounger

          @mrbrian, I checked that I do have the latest version of the pci.sys file; however, KB4099950 does not appear in the list of installed updates. It presumably never was executed since I had installed the April 10th version of KB4093118 from WU. It sounds as though you are saying that it is safe to run KB4099950 from the catalog as a one-off update and logging out rather than bundling KB4099950 with, say, the May rollup. I was under the impression that it could be unsafe to execute KB4099950 after installing the latest monthly rollup according to Microsoft’s documentation for KB4099950 from late March.

           

          • #185305 Reply

            MrBrian
            AskWoody MVP

            In order to be effective, the fix – whether it’s KB4099950 or the predecessor script – is supposed to be run before installing KB4088881, KB4088875, or KB4088878. If the fix wasn’t run before installing KB4088881, KB4088875, or KB4088878, there might be a benefit to running KB4099950 from the Catalog after installing KB4088881, KB4088875, or KB4088878 because it might make doing a manual fix for the networking issues easier. I don’t know if there is a risk in running KB4099950 from the Catalog after installing KB4088881, KB4088875, or KB4088878.

            1 user thanked author for this post.
    • #185096 Reply

      Geo
      AskWoody Lounger

      Group A, Win 7 x64 Home Premium, installed 118 from 10 Apr. from WU.  No problems so far.

    • #185120 Reply

      anonymous

      Patch Lady wrote about 1709:

      “If you manually install updates by going to the Windows catalog and download updates make sure you install 4099989 first.”

      Funny thing though is while 4090914 (March SSU) specifically states the required order of installation when done via catalog, the same caution is missing from 4099989 (April SSU).

      I have noticed though that if the SSU is skipped, it won’t be offered by WU after manual installation of the associated Cumulative Update.

      I’m assuming one can get back on track by first installing a future SSU but have seen no ill effects from the prior SSU’s I’ve skipped.

      Will be interesting to see what 1803 does with this.

      1 user thanked author for this post.
    • #185140 Reply

      OscarCP
      AskWoody Lounger

      From the Patch Lady’s Home Page posting: “Microsoft re-packaged and released the April 10 update of 4093118 to include the networking fix on Thursday April 12th. ”

      Reading the Master Patch List I am left wondering if this is an issue taken care of also in the current release of KB4093108 (in my case, for win 7 x64), the security only update. Or if it is an issue at all for the likes of me.

      Thanks.

      Group B, Windows 7 Pro SP1 x64, I-7 “sandy bridge” CPU.

      • #185144 Reply

        OscarCP
        AskWoody Lounger

        This is to further clarify my preceding entry.

        MrBrian said this about the same issue, earlier on:

        No. KB4093108 apparently cannot cause the two recent networking issues because it doesn’t contain file pci.sys. KB4093108 apparently also doesn’t fix the two recent networking issues on computers that already have those issues.

        So, to refine my question: is “apparently” still the case, or is now “certainly” a better word for the present situation?

         

        1 user thanked author for this post.
        • #185359 Reply

          OscarCP
          AskWoody Lounger

          Me again: I just read, once more, the Patch Lady’s Master List and her Note (No. 2) on KB4093108.

          And that is the answer, right there… Somehow, I must have missed it last time I looked.

          So: same as KB4093118, both without networking issues solved, both still having memory leaks “under certain circumstances.”

          Memory leaks are hard to notice unless one monitors performance looking for them, or  — if memory serves — there is an obvious gradual slowing down of the processing that goes away when restarting the machine, then starts to creep back again. Of course, eventually, one also might find out about leaks the hard way, when the computer finally runs out of working memory…

           

    • #185222 Reply

      columbia2011
      AskWoody Lounger

      I cannot install monthly rollup security update KB4093118 on computers with 32-bit Windows 7. Installation always ends up with computers restarting right after boot. The PC starts until the ‘Wait Please’ message is displayed and then after a few seconds it reboots. First I thought it’s an isolated incident, but this happens the same way on all computers with 32-bit Windows 7. I have 7 of them. So only reverting back to before installing the Rollup solves the boot problem.
      I’m on group A, all updates tried to install from WSUS and WU.

      2 users thanked author for this post.
    • #186362 Reply

      cesmart4125
      AskWoody Lounger

      At the beginning of April, I updated Java and Flash Player.  I just noticed there are additional updates for my computer, which I downloaded and installed without problems.

      Hope this helps my fellow readers of Ask Woody.

      Charles

      Win 7 SP1, Intel Core 2 Duo 1.80 GHz, 4 GB RAM, Mobile Intel 965 Express Chipset

       
