Now's the time to patch Windows and Office

With no new Tuesday surprises, here's your opportunity to catch up on the latest updates for Microsoft


If you've been sitting on the sidelines, waiting for the unpaid beta testers to finish their jobs running down the bad parts of the latest Windows patches, your wait's over. It's time to get everything brought up to snuff.

In the Windows 7 and 8.1 world, Microsoft didn't release any new nonsecurity patches in the past month and only one fairly innocuous security patch for Win7. There was absolutely nothing, zilch, for Win 8.1. For Win10 users, there's been a cumulative update with one well-documented bug. Office patches have been relatively benign.

Office patches

One of the December Office patches, the KB 3128008 Security patch for Excel 2013, broke the Send as PDF and Send as XPS functions in Excel. If you installed the patch at the end of December, you had to work around the problem. It was solved on Jan. 10, with KB 3141475, so if you install the latest bunch of Office patches, you'll be in good shape.

There's one odd patch: KB 3141490 is a last-ditch patch for Word Viewer 2003 before Microsoft abandons the Word Viewer in November. If it appears, you want it.

I'm not aware of any other problems with this month's Office patches. Note that the month's still young, though, and some skepticism and additional delay is certainly warranted. Notably, patching guru Susan Bradley has not yet given the go-ahead for this month's Office nonsecurity patches (Windows Secrets paywall).

Windows 10

If your system has multiple monitors and you run games with 3D rendering, be aware that this month's cumulative updates may mess up your second monitor. Microsoft announced that as a known issue with the following:

  • KB 3213986 for the Anniversary Update, version 1607, build 14393.693
  • KB 3210721 for the Fall (now "November") Update, version 1511, build 10586.753
  • KB 3210720 for the RTM version (now "1507"), build 10240.17236

However, I'm not at all sure the symptoms are caused by the patches. Be aware of the problem and if it happens to you, immediately uninstall the cumulative update.

We still haven't shaken the dicey driver updates. Based on comments on AskWoody from abbodi86 and ch100, it looks like the classic method for disabling driver updates in Group Policy doesn't work (see Shawn Brink's description on TenForums). The best advice I have at this point is to be aware of potential problems, make a full system backup before you run Windows Update, and if something goes kablooey -- you can't use a USB port, your audio stops working, your trackpad doesn't track -- use Device Manager (right-click Start > Device Manager) to roll back the bad patch. If you can't get the bad patch uninstalled, revert to the system backup and pray that better drivers come out next month.

I've also seen continuing complaints about the latest cumulative update refusing to install. If you hit that problem, you can help Microsoft fix it by posting a description of the refusal on the Reddit Windows 10 forum and working with Microsoft support staff to run diagnostics and submit a report.

With that warning, I say go ahead and take your medicine. Follow the steps in my Windows 10 Tip: Apply updates carefully. If you find KB 3199986, the "Servicing stack update for Windows 10 Version 1607: October 27, 2016," you want to install it. Likewise any Office, Flash, MSRT, or .Net updates.

Or you can say "meh" and run Windows Update. May the Cumulative Force be with you. Many people do run their patches unprotected. Some live to tell about it.

Windows 7 and 8.1

Windows 7 or 8.1 users need to decide if they're in Group A (those who will take all the changes Microsoft has to offer, telemetry-laden or not) or in Group B (those who only want security updates). It's not an easy choice. Details in my patchocalypse article.

For those in Group A:

Step A1: Get your settings right. In Win7, click Start > Control Panel. In Win 8.1, press Win-X and choose Control Panel. Click System and Security. Under Windows Update, click the link marked "Turn automatic updating on or off." Make sure Windows Update is set to "Never check for updates (not recommended)," then check the boxes marked "Give me recommended updates the same way I receive important updates" and "Give me updates for Microsoft products and check for new optional Microsoft software when I update Windows." Click OK.

Step A2: Check for updates. Back in the Control Panel, under Windows Update, click the link to Check for Updates. (You may have to click Check for Updates a second time.) The check takes many minutes. If it takes many hours, see the steps here. Microsoft claims it has solved the slow Win7 Update scan problem, but you may need to kick-start the process by following those steps. Don't check any unchecked boxes. (You may see a driver update distributed as "Recommended," thus with a check in the Optional category. That's OK. Leave it checked. But if any driver updates aren't checked, don't check them.)

This month, you should see a Monthly Rollup for Windows 7 ("January, 2017 Security Monthly Quality Rollup for Windows 7") although, oddly, at this moment, the associated KB 3212646 isn't available. Windows 8.1 does not have a Monthly Rollup this month, so you won't find a "January, 2017 Security Monthly Quality Rollup for Windows 8.1." Don't sweat it.

Step A3: Install the patches. Click the button marked Install Updates and follow the instructions. You'll end up with the Monthly Rollup, all of your Office patches, your .Net patches, possibly Adobe Flash fixes, the Microsoft Security Essentials, and the usual MSRT scanner. After the reboot, everything will be set to block automatic updates. You're all set. But be sure to watch this column next month, to see when the unpaid beta testers are done.

For those in Group B:

Step B1: Get the Security-only patch. If you want security patches only, you have to reach out and grab them. Assuming you've already installed the October, November, and December Security-only patches (which are not rollups, not cumulative), you can download the January 2017 patches here:

There are no Security-only updates for Windows 8.1 this month.

Step B2: Install the Security-only patch. The method depends on which browser you used to download the patch, but you need to run the MSU file and restart. At that point, you have the Security-only patches, but need to pick up other key patches, including the .Net update, Flash, Office patches, and others. This means you get to run Windows Update, like the Group A folks, but be more selective in what you install.

Step B3: Get your settings right. In Win7, click Start > Control Panel. In Win 8.1, press Win-X and choose Control Panel. Click System and Security. Under Windows Update, click the link marked "Turn automatic updating on or off." Make sure Windows Update is set to "Never check for updates (not recommended)," then check the box marked "Give me updates for Microsoft products and check for new optional Microsoft software when I update Windows." Uncheck the box marked "Give me recommended updates the same way I receive important updates" (yes, Group B is different from Group A), and click OK.

Step B4: Check for updates. Back in the Control Panel, under Windows Update, click the link to Check for Updates. (You may have to click Check for Updates a second time.) The check takes many minutes. If it takes many hours, see the steps here.

Step B5: Get rid of the Monthly Rollup. Click the links to look at the Important and Optional updates. Don't check any unchecked boxes. If you're running Win7, uncheck the box marked "January, 2017 Security Monthly Quality Rollup for Windows 7." If you're running Win 8.1, you shouldn't see a box for the January Security Monthly Quality Rollup. If you're in Group B, you don't want them. For heaven's sake don't ever check anything marked "Preview." If you see any "Security and Quality Rollup for .Net Framework" boxes checked, leave them checked.

Step B6: Get rid of the problematic driver updates. Look for driver updates, especially those marked "INTEL – System" followed by a date and if you see any that are checked, uncheck the box. There are better ways to get the latest drivers.

Step B7: Install the patches. Click the button marked Install Updates and follow the instructions. You'll end up with Office patches, .Net patches, possible Adobe Flash fixes, Security Essentials update, and the usual MSRT scanner. After the reboot, you're done. Pat yourself on the back. And watch this column next month for the all-clear.
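
The selection rules in Steps B5 and B6 can also be checked from PowerShell through the Windows Update Agent COM API. This is an added example, not part of the original column: the helper name Get-GroupBDecision is hypothetical, and treating the API's AutoSelectOnWebSites flag as "the box is checked" is an assumption. It only reports on the pending updates and installs nothing.

```powershell
# Added example (not from the original column): report how Steps B5 and B6
# would treat each pending update. Read-only: nothing is installed or hidden.

# Hypothetical helper: applies the Group B rules to one update.
function Get-GroupBDecision {
    param(
        [string]$Title,
        [int]$Type,          # WUA UpdateType: 1 = software, 2 = driver
        [bool]$PreChecked    # assumption: AutoSelectOnWebSites = box is checked
    )
    if ($Title -match 'Preview') { return 'Skip (Preview)' }
    if ($Title -match 'Security Monthly Quality Rollup for Windows') {
        return 'Uncheck (Monthly Rollup)'
    }
    if ($Type -eq 2) { return 'Uncheck (driver)' }
    if (-not $PreChecked) { return 'Leave unchecked' }
    return 'Install'         # checked .NET rollups, Office, Flash, MSRT
}

# Ask the Windows Update Agent for updates that are offered but not installed.
# The scan can take many minutes, as with the Control Panel check.
$session  = New-Object -ComObject Microsoft.Update.Session
$searcher = $session.CreateUpdateSearcher()
$result   = $searcher.Search('IsInstalled=0 and IsHidden=0')

$report = foreach ($u in $result.Updates) {
    $kbs      = @($u.KBArticleIDs | ForEach-Object { "KB$_" }) -join ', '
    $checked  = [bool]$u.AutoSelectOnWebSites
    $decision = Get-GroupBDecision -Title $u.Title -Type $u.Type -PreChecked $checked
    # New-Object PSObject keeps this usable on the PowerShell 2.0 that ships with Win7.
    New-Object PSObject -Property @{
        Decision = $decision
        Checked  = $checked
        KB       = $kbs
        Title    = $u.Title
    }
}

$report | Select-Object Decision, Checked, KB, Title |
    Sort-Object Decision | Format-Table -AutoSize -Wrap
```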

Remember back in the day when patching was merely frustrating and dangerous?

ADAC bugs

If you're using Active Directory Admin Center (ADAC), this month's patches are going to bring you loads of headaches. There's a long list of patches that clobber ADAC (see my Jan. 6 post) and an ongoing litany of complaints on AskWoody. The easiest solution: Don't use ADAC.

Don't install Adobe Reader patch

Last week, I warned you about the latest Acrobat Reader DC patch, which automatically installs a Google Chrome spyware extension. According to @SwiftOnSecurity, "Adobe pushed this to 30 million people through automatic updater without notice, without prompt, without mention in the changelog." Google security guy Tavis Ormandy says, "I took a quick look at the extension. There was an easy privileged JavaScript code execution bug. Sigh." Bottom line: Get rid of Acrobat Reader and, for heaven's sake, don't install a Reader patch if you find one. No, the Acrobat Reader patches don't go through Windows Update, but if you're in patching mode, you should triple-check it.

The discussion continues on AskWoody.com.
