December was a difficult month for Windows patches, full of all sorts of shenanigans.
Microsoft rang out 2016 with the following:
- Odd Windows driver updates have been distributed through Windows Update, including a Realtek Windows 10 driver pushed onto Windows 7 PCs.
- Undocumented rollbacks of “INTEL – System” drivers, with a specific recommendation to avoid the “INTEL – System – 8/19/2016 12:00:00 AM 10.1.2.80” patch. The driver updates released in the past couple of weeks are aimed at easing in-place upgrades to Win10 – which, presumably, you don’t want. There have been a lot of problems with the new drivers.
- An Active Directory Admin Center console conflict with the Win7 December security-only patch. I’ve seen reports of the same bug with Win10/KB3206632 and with 2012R2 and SCCM.
- A hotfix for Windows 10, build 14393.577, that isn’t available through Windows Update – or even acknowledge on the Win10 update page.
- Conflicts between the .Net Security/Quality rollups and SQL Server and Veritas.
- An enormous amount of misinformation (not Microsoft’s fault) about the way the Win10 1607 cumulative update solved the “dropped internet connection” bug.
In the emperor-has-no-clothes department, Abbodi reported on the AskWoody forum that the .Net 4.6.2 security-only patch is a sham: “Both .Net 4.6.2 updates [Security-only and Rollup] are identical. It seems Microsoft created the security-only update just to comfort the non-security haters. Apparently it didn’t feel the same or have the time to do that with other .Net versions.”
By my count, there were nearly 100 Office patches in December, for Office 2003 (!), 2007, 2010, 2013, and 2016.
Enough time has elapsed that I think we know about the major problems with the December patches, and you should get Windows and Office patched. Here are instructions for the various versions of Windows.
Windows 7 and 8.1
Windows 7 or 8.1 users need to decide if they’re in Group A (those who will take all the changes Microsoft has to offer, telemetry-laden or not) or in Group B (those who only want security updates). It’s not an easy choice. Details are in my patchocalypse article.
For those in Group A:
Step A1. Get your settings right. In Win7, click Start > Control Panel. In Win 8.1, press Win-X and choose Control Panel. Click System and Security. Under Windows Update, click the link marked “Turn automatic updating on or off.” Make sure Windows Update is set to “Never check for updates (not recommended),” then check the boxes marked “Give me recommended updates the same way I receive important updates” and “Give me updates for Microsoft products and check for new optional Microsoft software when I update Windows.” Click OK.
Step A2. Check for updates. Back in the Control Panel, under Windows Update, click the link to Check for Updates. (You may have to click Check for Updates a second time.) The check takes many minutes. If it takes many hours, see the steps suggested here. Don't check any unchecked boxes. (You may see a driver update distributed as “Recommended,” and it thus has a check in the Optional category. That’s OK. Leave it checked. But if any driver updates aren’t checked, don't check them.)
Step A3. Install the patches. Click the button marked Install Updates and follow the instructions. You’ll end up with the monthly rollup, all of your Office patches, your .Net patches, possibly Adobe Flash fixes, the Microsoft Security Essentials, and the usual MSRT scanner. After rebooting, everything will be set to block automatic updates. You’re all set – but be sure to watch this column later this month, to see when the unpaid beta testers are done.
For those in Group B:
Step B1. Get the security-only patch. If you want security patches only, you have to reach out and grab them. Assuming you’ve already installed the October and November security-only patches (which are not rollups, not cumulative), you can download the December patches using the following links:
Step B2. Install the security-only patch. With the method varying, depending on which browser you used to download the patch, you need to run the MSU file and restart. At that point, you have the security-only patches, but you need to pick up other key patches, including the .Net update, Flash, and Office patches, and others ... which means you get to run Windows Update, exactly like the Group A folks, but be more selective in what you install.
Step B3. Get your settings right. In Win7, click Start > Control Panel. In Win 8.1, press Win-X and choose Control Panel. Click System and Security. Under Windows Update, click the link marked “Turn automatic updating on or off.” Make sure Windows Update is set to “Never check for updates (not recommended),” then check the box marked “Give me updates for Microsoft products and check for new optional Microsoft software when I update Windows.” Uncheck the box marked “Give me recommended updates the same way I receive important updates” (yes, Group B is different from Group A), and click OK.
Step B4. Check for updates. Back in the Control Panel, under Windows Update, click the link to Check for Updates. (You may have to click Check for Updates a second time.) The check takes many minutes. If it takes many hours, see the steps suggested here.
Step B5. Get rid of the monthly rollup. Click the links to look at the Important and Optional updates. Don't check any unchecked boxes.
- If you’re running Win7, uncheck the box marked “December, 2016 Security Monthly Quality Rollup for Windows 7 (KB3207752).”
- If you’re running Win 8.1, uncheck the box marked “December, 2016 Security Monthly Quality Rollup for Windows 8.1 (KB3205401).”
Those are the monthly rollups, which include all of the nonsecurity patches Microsoft is rolling out the chute. If you’re in Group B, you don’t want them.
Leave the “Security and Quality Rollup for .Net Framework” box checked – as noted by Abbodi (see above), it’s the same as the security-only .Net patch this month.
For heaven’s sake don’t ever check anything marked Preview. You shouldn’t have seen any preview rollups in December – Microsoft was on vacation, it seems – but if you see one, don’t check it.
Step B6. Get rid of the problematic driver updates. Look for driver updates, especially those marked “INTEL – System” followed by a date, and if you see any that are checked, uncheck the box. There are better ways to get the latest drivers.
Step B7. Install the patches. Click the button marked Install Updates and follow the instructions. You’ll end up with Office patches, .Net patches, possible Adobe Flash fixes, Security Essentials update, and the usual MSRT scanner. After the reboot, you’re done. Pat yourself on the back, and watch this column later this month for the all-clear.
December was an odd month for Windows 10. The latest patch for the Anniversary Update (version 1607) pushed through Windows Update is KB 3206632, build 14393.576. But there’s a hotfix that only applies in weird situations (conflict with virtualization-based security) that’s available for download as KB 3213522. The hotfix brings the build number up to 14393.577.
Also, a setting that’s supposed to block driver updates for Windows 10 – the “Do not include drivers with Windows Updates” group policy and ExcludeWUDriversInQualityUpdate registry key that Shawn Brink describes in detail on TenForums – doesn’t seem to be working.
Windows 10 also seems to be subject to dicey driver updates, particularly the “INTEL – System – 8/19/2016 12:00:00 AM – 10.1.2.80” patch.
With that in mind, it’s time to update Windows 10 version 1607. Follow the steps in my Windows 10 Tip: Apply updates carefully, paying particular attention to any driver updates you may see. If you find KB 3199986, the “Servicing stack update for Windows 10 Version 1607: October 27, 2016,” you want to install it. Likewise any Office, Flash, MSRT or .Net updates.
Many people find that the cumulative update for 1607, KB 3206632, hangs at 45 percent. If that should happen to you, ch100 on the AskWoody forum recommends that you manually download and install the hotfix version, KB 3213522.
I haven’t heard of any problems with the latest patches to earlier versions of Windows 10.
Having any problems or contrarian experiences? Give me a shout on AskWoody.com.