Jan 25, 2018 10:00 AM PT

Microsoft Patch Alert: Lots of lingering problems in a very messy month

In spite of a whiplash patch/re-patch/re-re-patch cycle earlier this month, all is not doom and gloom. There've been a few actual fixes, too.

OpenClipArt-Vectors (CC0)

On the heels of a relatively benevolent December Patch Tuesday, the stream of patches pouring out of Microsoft (and Intel!) in January reached epic proportions. To be fair, it looks as if Microsoft got drawn into releasing its Meltdown/Spectre barrage early – on Jan. 3 – but they were so buggy they were withdrawn for AMD processors on Jan. 8, and gradually re-released in phases over the next two weeks.

If you had Automatic Update turned on, and you’re running an AMD machine that’s more than a couple of years old, chances are good that you woke up to a blue screen, and restoring your system took two magic incantations and an Act of Congress. Tens of thousands – possibly hundreds of thousands – of AMD machines may have been bricked by this month’s patches. But be of good cheer. Microsoft released  KB 4073578 (“Unbootable state for AMD devices in Windows 7 SP1 and Windows Server 2008 R2 SP1”) and KB 4073576 (same for Win8.1 and Server 2012 R2) to fix your problem. Of course, you have to be able to boot your computer to install the updates.

Never mind.

Then there’s .NET.

So far this month, we’ve seen patches roll out like this:

That is an enormous pile of patches; even the folks who are paid to watch patches full time are confused.

Intel BIOS/UEFI patch recalls

Not to be outdone by Microsoft, Intel created mayhem by releasing, then yanking, its Meltdown/Spectre BIOS and UEFI firmware patches for almost every Intel computer released in the past five years. Intel’s documentation rivals that of Microsoft for ambiguity, hyperbole, and obfuscation.

Here are the latest links to BIOS/UEFI Meltdown/Spectre recall advice from the major hardware manufacturers:

If you have new information about any of those vendors, please let me know on the AskWoody Lounge.

Windows patches

No matter which version of Windows you patch, you need to get your antivirus program to signal to Windows that it’s compatible with this month’s updates.

The Win10 Fall Creators Update patch on Jan. 18 seems to have shaken out the major problems with Win10 1709.

The Win10 Creators Update patch on Jan. 17, similarly, seems to fix the outstanding problems with this month’s changes to Win10 1703

The Win10 Anniversary Update patch on Jan. 17 – again, manual install only – fixes a bunch of bugs in Win10 1607, but it also clobbers Windows Defender Credential Guard (which you probably don’t use).

With the release of KB 4077561 on Jan. 24, Microsoft has fixed many of the acknowledged problems with this month’s Monthly Rollup and Security-Only (manual installation) patches for Win8.1. That said, there’s still a great deal of debate about the proper installation sequence of patches, re-patches and old patches. As usual, Microsoft hasn’t said anything.

.NET patches

This looks like a mess. You can get the details in my Jan. 19 column, but the basic idea is that the original .NET patches for .NET 4.6/4.6.1/4.6.2/4.7/4.7.1 were all bad, and have to be augmented by additional patches. The font problems in the original patches have been fixed in general, but only if you install these latest patches.

Then there’s the Fixit tool KB 4074906 that fixes “Windows Presentation Foundation (WPF) applications that request a fallback font or a character that is not included in the currently selected font.”

Office patches

It appears as if the Office 2016 patch KB 3178662 throws an installation error 0x8007006e. The Office folks, who are usually good about acknowledging problems, haven’t picked this one up yet. Solution? Uninstall "Microsoft Office Proofing Tools Kit Compilation 2016.”

There’s a laundry list of acknowledged problems with Outlook: To-Do Bar and Task List view not displaying events; Unable to "Save All Attachments" to a shared network drive; No Search results found when using All Mailboxes; Find Related option does not show results; Outlook 2010 will not start on WinXP after January updates. The bug that prevented Outlook 2016 from forwarding files attached to text messages was fixed on Jan. 24.

What to do now


If you have an irresistible urge to click “Enable Edits” on bogus Word documents, you can disable Equation Editor with a quick registry hack. Other than that, as long as you don’t use IE or Edge, there’s absolutely no reason to dive into the roiling mess of January updates.

In spite of the “Sky is falling” screams online, there’s no sign a single PC has been compromised by the Meltdown or Spectre vulnerabilities. Contrast that to the multitudes of machines that’ve been bricked by bad patches, and the untold users wondering why they have to unwind this month’s firmware updates.

The long and short of it: If you installed any of this month’s patches from Microsoft or your PC manufacturer, you joined the swelling ranks of unpaid beta testers. If your machine’s still working, thank your lucky stars.

There’s a reason why I recommend you turn off Automatic Update and wait for carnage to clear before installing the latest missives.

Group therapy for patchers continues on the AskWoody Lounge.

It’s hard to remember the last time we had a Patch Tuesday as inoffensive as this month’s. February 2017 comes to mind — but then again, we didn’t have a Patch Tuesday in February, as Microsoft called it off.

Part of the reason for the relatively easy going this month, I’m convinced, is the lack of attention showered on Windows 7 and earlier versions of Windows 10 (including the Creators Update, version 1703, which has become more-or-less fully baked and remains my version of choice). Aside from a few lackluster security patches, the December update for Win10 1607 fixed the “CDPUserSvc_XXXX has stopped working” bug introduced in a security patch two months ago, and the rest is largely routine.

The exception, of course, is Windows 10 Fall Security Update, version 1709. If you succumbed to the pressure (or the forced upgrade) and installed the latest version of Win10, you were rewarded for your trust by a series of unfortunate patching events worthy of Lemony Snicket. If you’re hell-bent on installing this month’s updates on a Win10 1709 machine, make sure you read the Computerworld synopsis of problems and sometime-solutions. Or, better, forget about it until next month.

The only major problem with the Office December patches that I’ve seen involves the blocking of Word {DDEAUTO} fields — an arcane topic that I covered yesterday. You’ll only notice the difficulty if you have a Word document that needs to update itself every time you open it. Thus, if you install this month’s Office patches, then open a Word doc, and it no longer responds correctly (by, say, pulling data from an Excel spreadsheet and putting the data in the doc), you need to slog through the manual workarounds, edit the registry, and put DDE right again.

As a long-time advocate of powerful documents, I’m sorry to see the “Auto” functions go. At the same time, I can understand why their days were numbered. I hate to admit it, but Microsoft made the right choice in cutting off “Auto” updating.

Bitten by a bug? Bite back. Drop by the AskWoody Lounge.

There are so many issues with this month’s security patches that it’s hard to decide where to begin. Let’s start with the problems that have been acknowledged, then move into the realm of what’s not yet fully defined.

Forced upgrades

Many users have remarked about how much the forced 1703-to-1709 Windows 10 upgrades feel like Microsoft’s detested forced upgrades from Win 7 and 8.1 to 10 – the “Get Windows X” campaign. Although the situation’s different on the surface, the net result is the same. Many people who were happily using Windows 10 Fall Update – version 1703 – were forcibly upgraded this month to the Fall Creators Update – version 1709 – even on systems that were not supposed to be upgraded.

At first, Microsoft ignored the uproar. But last week it quietly owned up to the move by putting this notification in the description for November’s Win 10 1703 Patch Tuesday cumulative update:

Known issues in this update:

Windows Pro devices on the Current Branch for Business (CBB) will upgrade unexpectedly.

Microsoft is working on a resolution and will provide an update in an upcoming release.

On the same day, Nov. 22, Microsoft released another cumulative update for 1703, KB 4055254, which doesn’t mention the problem. I’m going to guess it was fixed.

Those who were forcibly upgraded from 1703 to 1709 are now in limbo; if you allowed Win10 to automatically update itself, and the 1709 installer decided to take over, you’re stuck on 1709. Users had 10 days to roll back to the older version, and those days are gone.

That’s not good news if you hit problems with 1709, like the folder permissions problem or the autostart after boot problem. Those who got hit were upgraded without warning.

Broken Epson dot matrix printers

There are lots and lots of Epson dot matrix (and POS terminal) printers alive and well, thank you very much.

To recap, this month’s Patch Tuesday patches broke the Epson dot matrix driver for every supported version of Windows: Win10 1709, Win10 1703, Win10 1607/Server 2016, Win10 1511 Enterprise, Win10 1507 LTSC, Win 8.1/Server 2012 R2, Server 2012, and Win7/Server 2008 R2. (It’s quite remarkable: Microsoft is now actively supporting 11 versions of Windows – 14 if you count the Server versions separately.)

As noted yesterday, there are now fixes for six of those versions: Win 8.1/Server 2012 R2, Server 2012, and Win7/Server 2008 R2 and Win10 1703. There was a fleeting fix for Win10 1709, but it disappeared. As of this morning, there's a spot reserved for a Win10 1709 cumulative update, KB 4051963 for build 16299.96, but there's no KB article as yet and no reports of it rolling out. Presumeably, it'll include a fix for the Epson printing bug.

But there’s still no word on Epson printer fixes for Win10 1511 Enterprise or for Win10 1507 LTSC.

.NET patches appear, disappear, then reappear

Microsoft released four .NET Framework patches on Patch Tuesday:

  • 2017-11 Quality Rollup for .Net Framework 3.5.1 on Windows Embedded Standard 7, Windows 7, and Windows Server 2008 R2 (KB 4049016)
  • 2017-11 Quality Rollup for .Net Framework 3.5, 4.5.2, 4.6, 4.6.1, 4.6.2, 4.7 on Windows 8.1, Windows RT 8.1, and Windows Server 2012 R2 (KB 4049017)
  • 2017-11 Quality Rollup for .Net Framework 3.5, 4.5.2, 4.6, 4.6.1, 4.6.2, 4.7 on Windows Embedded 8 Standard and Windows Server 2012 (KB 4049018)
  • 2017-11 Quality Rollup for .Net Framework 2.0 on Windows Server 2008 (KB 4049019)

The company then pulled all of them down before Thanksgiving. There was no official notice, just a string of comments on the MSDN TechNet blog that said, in effect, Microsoft hadn’t handled the supercedence chain on the patches properly and would fix the problem sometime after the U.S. holiday.

Sure enough, they were re-released yesterday.

CDPUserSvc_XXXX has stopped working

This bug, introduced in the Win10 1607 October cumulative update and both of the November 1607 cumulative updates, was finally acknowledged a little over a week ago. The three cumulative updates now contain this notice:

After installing KB4041688, KB4052231, or KB4048953, the error "CDPUserSvc_XXXX has stopped working" appears. Additionally, Event ID 1000 is logged in the Application event log. It notes that svchost.exe_CDPUserSvc_XXXX has stopped working and the faulting module name is "cdp.dll".

Microsoft is working on a resolution and will provide an update in an upcoming release.

Until then, follow the steps in the Per-user services in Windows 10 and Windows Server article.

To be clear, the bug has not been fixed, although it’s been well documented for six weeks. It even appears in the Win10 1703 Cumulative Update, KB 4051033, which was released on Nov. 27. Expect a real fix in the December Patch Tuesday crop.

Win10 1709 group policy setting incorrectly blocking cumulative updates

In Win10 1709 Fall Creators Update, adjusting the setting “After a Preview Build or Feature Update is released, defer receiving it for this many days” may, in fact, defer cumulative updates (which Microsoft insists on calling “quality updates”).

Poster Klaasklever who first described the bug on the TechNet, pointed to “reports that this issue is also caused by setting to defer Feature Updates in the Windows Update Settings within the normal Windows Settings App.”

It’s clearly a bug in Win10 1709, though it’s not clear which versions are afflicted – and there’s a possibility that the not-yet-released Win10 1709 cumulative update, KB 4051963 for build 16299.96, may fix it. As noted, there's no KB article as yet, and no reports of it rolling out.

‘Unexpected error from external database driver’ bug resolved

This bug, introduced in Microsoft’s October security patch release, led to Microsoft pushing out five patches in early November:

  • KB 4052234 for Windows 7 SP1 and Server 2008 R2 SP1
  • KB 4052235 for Windows Server 2012
  • KB 4052233 for Windows 8.1 and Server 2012 R2
  • KB 4052232 for Windows 10 Fall (“November”) Update, version 1511
  • KB 4052231 for Windows 10 Anniversary Update, version 1607, and Server 2016

Users who installed those patches (they had to be manually downloaded and installed) soon discovered that they all brought back old Windows security patches which themselves had bugs. Those buggy patches were yanked a few days later, and all mention of them was scrubbed as if they never existed.

In their stead, the Patch Tuesday Win7 and 8.1 Monthly Rollups and Security-only Updates and the Patch Tuesday patches for Win10 1709, 1703, 1607, 1511 and 1507 all claim to solve the problem.

Equation Editor bug resolved

Two weeks ago, I talked about the Equation Editor bug, CVE-2017-11882. There are a few exploits out in the wild at this point. If you’re concerned about them, you can bypass Equation Editor and eliminate the security hole by changing two Registry entries described in the Embedi article on the subject.

Good news? The HP Spyware update doesn’t appear to be a Windows problem. It’s all on HP.

Special thanks to @MrBrian, @abbodi86 and @PKCano

Did I miss a bug? Need a scorecard? I sympathize! Drop by the AskWoody Lounge.

Microsoft’s foray into quantum computing sure sounds neat, but those of us stuck with real programs on real computers have been in something of a quandary. Once again this month, we’ve hit a bunch of stumbling blocks, many of which were pushed down the Automatic Update chute.

Before we dissect the creepy-crawlies this month, it’s important to remember that you have to get the .Net patches installed, unless you fastidiously refrain from clicking the “Enable Editing” button in Word.

Windows 10

After telling us that Windows 10 Creators Update, version 1703, is “the most performant and reliable version of Windows 10 ever!” you might expect some stability with version 1703 patches. This month, that didn’t happen. After releasing cumulative update KB 4038788 on Patch Tuesday, we got a new out-of-band fix for bugs introduced by that same update. The new cumulative update, KB 4040724, appeared in Windows Update on Monday, Sept. 25. It brings 1703 up to build 15063.632. So far, I haven’t heard of any problems with the new cumulative update — but it’s been less than a day.

The situation with Win10 Anniversary Update, version 1607, isn’t as straightforward. Apparently, there were a host of problems that appeared after this month’s Patch Tuesday cumulative update, KB 4038782. It isn’t clear if that update introduced bugs of its own, but the situation’s bad enough that we got a second cumulative update this month, again on Monday. KB 4038801 brings Win10 version 1607 to build 14393.1736. It’s a hotfix; it isn’t distributed via Automatic Update. You have to download KB 4038801 and install it manually. I haven’t seen a detailed analysis of the security holes fixed by this odd Monday patch – but to date I haven’t seen any complaints, either. The day is still young.

For reasons as yet unexplained, KB 4038801 is only for Win10 1607; it’s explicitly not released for Server 2016.

There’s a note on the 1607 patch site that says:

Windows Update Client Improvement

Microsoft will release an update directly to the Windows Update Client to improve Windows Update reliability. It will only be offered to devices that have not installed any recent cumulative updates and are not currently managed (e.g., domain joined).

As noted by @abbodi86 on AskWoody.com:

The note means [they] are going to release a separate “small” update for WUC, similar to this one for version 1507. They could also release the update directly as a SelfUpdate for WUC like they used to do with Windows prior [to] Windows 8 (for example, latest for Windows 7 is v7.6.7600.320 before they shifted to separate WUC updates starting with KB2990214).

Windows Server 2016

When you run the Get-PhysicalDisk cmdlet, some disks may display an operational status of "In Maintenance Mode." The Get-VirtualDisk cmdlet may also display the operational status of the virtual disk as "Degraded." There’s a manual workaround described in KB 4043361.

On Windows Server 2016, when you try to download updates by using Windows Update (stand-alone or WSUS), the process hangs at 0 percent completion. Microsoft has a description of the problem and two manual overrides in KB 4039473.

Windows 8.1

Everyone’s favorite whipping boy just took another lash. Many folks report that, after installing KB 4038792 — the September Monthly Rollup for Win 8.1 — they can no longer log on to their computers with a Microsoft account. I posted the details yesterday. Still no word from Microsoft – not even an acknowledgment of the problem on the KB article.

Windows 7

There’s a well-publicized problem with Internet Explorer 11 suddenly sprouting a search box on the address bar after installing KB 4038777 (the Windows 7 Monthly Rollup) or KB 4036586 (the September Internet Explorer Security-only patch). For a detailed look at what’s happening, with screenshots, see ElderN’s post on the Microsoft Answers forum. Turns out up the flim-flammery is a result of font sizes changed behind the scenes and a possible undocumented switcheroo in one of the IE settings. See @PKCano’s post.

Poster Richard has also identified a problem with starting IE 11 after this month’s Windows 7 updates — and he found a solution. Again, it’s related to undocumented changes in the Tab View settings and in font size. See post 8 on the AskWoody Lounge.


I’ve seen no change from the sorry state we were in a week ago: Microsoft pulled the September Outlook 2007 security patch KB 4011086 and replaced it with KB 4011110, but you have to manually uninstall the bad patch before you install the new one. Microsoft posted incorrect information about the uninstallation method. Both that patch and the Outlook 2010 patch, KB 4011089, have a nasty habit of changing languages in menus.


The .NET Security and Quality Rollups make certain custom images turn black. As Microsoft puts it: “After you install the September 12, 2017, .NET Security and Quality Rollups that apply to the .NET Framework 4.6, 4.6.1, 4.6.2, and 4.7, you experience rendering issues in Windows Presentation Foundation (WPF) applications that use WPF types in a Windows service.”

There’s a description of the problem on the Visual Studio forum and a workaround in KB 4043601. The workaround suggests that you uninstall the Security and Quality Rollup and install the Security-only patch.

In addition, Microsoft has released a preview of next month’s .Net Framework patches.


Assuming you don’t click “Enable Editing” in Word, there are no immediately pressing September patches. I say it’s wise to wait and see if any of the outstanding bugs get fixed — and wait to see if the patches-of-patches generate new problems of their own.

Remember when patching was easy?

Please join us for an ongoing Patch Festschrift on the AskWoody Lounge.

Patch issues: September 2017

September’s retinue of Microsoft patches includes one very important .NET fix that blocks a security hole brought to life when you open an RTF file in Word. So far, it's only been seen in the wild in a Russian-language RTF document, apparently generated by NEODYMIUM, allegedly used by a nation-state to snoop on a Russian-speaking target.

Several researchers have found ways to leverage the security hole, and it's only a matter of time before some enterprising folks come up with ways to turn it into a widespread infection vector. Bottom line: If you can't keep your finger off the "Enable Editing" button in Word, you better get this month's security patches installed.  

  • The Win10 Creators Update cumulative update, KB 4038788, brings Win10 1703 up to build 15063.608. It contains 25 security patches as well as dozens of plain old bug fixes. I’m seeing a number of complaints about Edge misbehaving after the update: behind-the-scenes crashes showing in Event Viewer and Reliability Monitor, and occasional stops with an application error event id of 1000. So far, there aren’t enough reports to confirm that there’s a bona fide problem with Edge, but it’s a concern.
  • The bug in Word and Outlook that I described earlier this week, Buggy Word 2016 non-security patch KB 4011039 can’t handle merged cells, is still around. That’s the same bug I wrote about a couple of weeks ago in Word, Outlook merged-cell problem arises after install of patch KB 3213656. Microsoft has (finally!) confirmed both of the bugs. The only solution offered:
  • "You can uninstall both KBs and your tables will return to normal," Microsoft said. "We anticipate releasing the fix for this issue in the next monthly update, tentatively scheduled for October 3, 2017."
  • Excel 2016’s security patch KB 4011050 can put spurious black borders around rows or cells. If you’re getting unexpected black borders, download and manually install KB 4011165. As best I can tell, that bug isn’t listed on the official Fixes or workarounds for recent issues in Excel for Windows site.
  • Multiple language problems with the Outlook 2007 security patch KB 4011086Reports of Hungarian switched to Swedish, Italian to Portuguese, Slovenian to Swedish, Italian to Spanish, Dutch to Swedish, and who-knows-what-else. The solution, offered by TechNet poster Sitz-AIR:
  • 1) uninstall KB4011086. If you have two of them listed, uninstall both of them.
    2) hide them
    3) restart Windows
    4) Outlook 2007 UI original correct language was restored.

[ To comment on this story, visit Computerworld's Facebook page. ]

A general reminder: If you have trouble installing Windows 10 updates, make sure you go through the list at Windows 10 install issues -- and what to do about them.

For up-to-the-second notices, see the Patch Alert update on AskWoody

Patch issues: August 2017

One week after Patch Tuesday, and would-be Windows Updaters are facing a handful of bugs. Some will find them minor annoyances. Others … not so much. Here are the known bugs, and where we stand in the struggle to resolve the problems.

Worthy of note: Microsoft is now acknowledging many bugs that in the past would’ve gone without comment. There’s hope.

Here are the known, significant buggy security patches:

  • Windows 10 Anniversary Update, version 1607 – Cumulative update KB 4034658 wipes out Update History, unhides hidden updates, and effectively disconnects some updated computers from WSUS. Microsoft has acknowledged all three of those bugs in the KB 4034658 article with the usual “Microsoft is investigating this issue and will provide an update as soon as possible.”
  • The first undocumented buggy driver this month for the Surface Pro 4, “Surface - System - 7/21/2017 12:00:00 AM -,” was released on August 1. It was replaced by a second driver “Surface – System – 7/31/2007 12:00:00 AM -” on August 4. The second one was documented. But then we saw four more undocumented Surface Pro 4 drivers — “Intel driver update for Intel(r) Dynamic Platform and Thermal Framework Generic Participant,” “Power Participant,” Processor Participant” and “Manager” — all released on Saturday, August 12. Sometime late on August 14, Microsoft posted information about two of the drivers.
  • Both the Windows 7 August Monthly rollup KB 4034664 and the manually installed security-only patch KB 4034679 are causing problems with two-screen systems: The second screen starts showing gibberish with many applications, including Office. The problem has been widely reported — even replicated with a Proof of Concept program — but Microsoft hasn’t yet acknowledged it.
  • The only bug reported by Microsoft in its August Windows 7 security patches is an old bug, continuing from July, in which a buggy LDAP plugs up TCP dynamic ports. That bug hasn’t been fixed.
  • The Windows 8.1 Monthly rollup listing mentions a known bug: NPS authentication may break, and wireless clients may fail to connect. The solution is to manually set a registry entry on the server.

Dozens of patches were made to Office earlier this month but, so far, I’m not aware of any bugs.

Depending on which version of Windows you’re using, and how you’re using it, those bugs may be important or they may be annoyances.

I continue to recommend that you hold off on applying this month’s patches. I haven’t seen any malware outbreaks that are blocked by the August patches, and we may get some surprises — good, bad or indifferent — later today.

Have a question or a bug report? Drop by the AskWoody Lounge.