Sep 20, 2018 8:40 AM PT

Microsoft Patch Alert: Despite weird timing, September’s Windows and Office patches look good

If you look beyond the inexplicable ‘Patch Monday’ dump and some forgettable vorpal blades aimed at the Meltdown/Spectre Jabberwocky, this month’s Windows and Office patches are the best-behaved in months.


As we near the end of patching’s “C Week” (which is to say, the week that contains the third Tuesday of the month), there are no show-stopping bugs in the Windows and Office patches and just a few gotchas. As long as you avoid Microsoft’s patches for Intel’s Meltdown/Spectre bugs, you should be in good shape.

Why a Patch Monday?

On Sept. 17, Microsoft released two very-out-of-band cumulative updates for Windows 10:

  • KB 4464218 brings Win10 1803 up to build 17134.286
  • KB 4464217 brings Win10 1709 up to build 16299.666

Both of the cumulative updates fix a bug that was introduced in the July 24 cumulative updates. The bug causes Microsoft’s Intune to stutter because it looks in the wrong place for user profiles. The second cumulative update also fixes an obscure VPN bug.

I have no idea why Microsoft released those patches on a Monday. They certainly could’ve waited until Tuesday – the “C Week” Tuesday traditionally being used to fix bugs introduced on Patch Tuesday. Somebody clearly jumped the gun, and folks who patch for a living aren’t really happy about having their chains jerked.

We never did get a cumulative update for Win10 1703. Maybe it wasn’t affected by the July 24 bug. Maybe it’s just too long in the tooth, with support for 1703 due to expire next month.

We also got a way-out-of-band cumulative update for Windows 7 Internet Explorer, KB 4463376, on a “B Week” Friday afternoon.

Second Win10 cumulative updates

If September follows the precedent set this year, we’ll probably see another set of Win10 cumulative updates during “D Week” – next Tuesday, Sept. 25. At the same time, we’ll likely see sets of Monthly Rollup Previews for Win7 and 8.1. Of course, you should ignore them.

More firmware updates

We’re getting more and more firmware updates for Microsoft Surface devices. In the past month, there’ve been firmware/driver patches for the Surface Pro 3, Surface Pro 4, Surface Pro 2017, Surface Book, and even the Surface Studio. It’s an across-the-board makeover (or massive fix) that hasn’t been extended to the Surface Laptop, Book 2, or Go. Yet.

Meanwhile, I’m still hearing complaints about the Surface Pro 4 update.

More Intel microcode fixes

While there has yet to be any credible Meltdown or Spectre threat (Spectre v 1, 1.1, 1.2, 1.3, 1.4, 1.5, 1.6, 1.7, 1.8, 2, 3, 3a, 4 or 5), Microsoft continues to release microcode updates for Intel processors on machines running Win10 version 1709 and 1803. Sometimes the installers try to install the Intel updates on AMD processors, but what the hay.

I go back to Helen Bradley’s statement last month:

Unless you are a nation state, have a key asset in a cloud server, or are running for a government office, I think we are spending way, way more time worrying about this than we should.  I still think that attackers will nail me with malware, attack me with phishing, ransomware, etc., etc. way more than someone will use these side channel attacks to gain information from me.  Remember that the attacker has to get on your system first and I still think they will use the umpteen other ways to attack me easier than this attack.  Also keep in mind that we won’t really have a full fix for this issue for several years.  Intel and AMD will need to redesign the chips to ultimately get fixed.

If you’re concerned about such things, do yourself a favor and go to Intel (probably via your PC’s manufacturer) and install the specific patches that you need. And remember that they won’t completely solve the problem.

If you insist on using the Microsoft approach to microcode, abandon all hope, and follow Bradley’s advice here.

The bottom line

July patching was an unmitigated disaster. August fared substantially better. Now, although the month isn’t yet over, September seems to be doing well – if you ignore the Patch Monday gaffe and throw up your hands over Meltdown and Spectre.

In spite of several Chicken Little warnings this month, there haven’t been any widespread attacks that warrant rushing out and installing any of the September patches just yet.

Susan Bradley’s Master PatchList looks relatively serene.

There’s something to look forward to. In October we get an “E Week” – there are five Tuesdays in October. It’ll be the first “E Week” since Microsoft adopted the “A Week” “B Week” bafflegab. What wonders await?

Thx to @sb and @PKCano

Patching problems? Join us on the AskWoody Lounge.

August 2018

So far this month we’ve only seen one cumulative update for each version of Windows 10, and one set of updates (Security only, Monthly Rollup) for Win7 and 8.1. With a few notable exceptions, those patches are going in rather nicely. What a difference a month makes.

We’ve also seen a massive influx of microcode updates for the latest versions of Windows 10, running on Intel processors. Those patches, released on Aug. 20 and 21, have tied many admins up in knots, with conflicting descriptions and iffy rollout sequences.

Big problems for small niches

At this point, I’m seeing complaints about a handful of patches:

  • The original SQL Server 2016 SP2 patch, KB 4293807, was so bad Microsoft yanked it — although the yanking took almost a week. It’s since been replaced by KB 4458621, which appears to solve the problem.
  • The Visual Studio 2015 Update 3 patch, KB 4456688, has gone through two versions — released Aug. 14, pulled, then re-released Aug. 18 — and the re-released version still has problems. There’s a hotfix available from the KB article, but you’d be well advised to avoid it.
  • Outlook guru Diane Poremsky notes on Slipstick that the version of Outlook in the July Office 365 Click-to-Run won’t allow you to start Outlook if it’s already running. “Only one version of Outlook can run at a time” — even if the “other version” is, in fact, the same version.
  • The bug in the Win10 1803 upgrade that resets TLS 1.2 settings persists, but there’s an out-of-the-blue patch KB 4458116 that fixes the problem for Intuit QuickBooks Desktop.
  • The Win10 1803 cumulative update has an acknowledged bug in the way the Edge browser interacts with Application Guard. Since about two of you folks use that combination, I don’t consider it a big deal. The solution, should you encounter the bug, is to uninstall the August cumulative update, manually install the July cumulative update, and then re-install the August cumulative update — thus adding a new dimension to the term “cumulative.”
  • The Win7 Monthly Rollup has an old acknowledged bug about “missing file (oem<number>.inf).” Although Microsoft hasn’t bothered to give us any details, it looks like that’s mostly a problem with VMware.

The rest of the slate looks remarkably clean. Haven’t seen that in a long while.

Second Win10 cumulative updates

If August follows the precedent set this year, we’ll probably see another set of Win10 cumulative updates next Tuesday, “dee” Tuesday, Aug. 28. At the same time we’ll likely see sets of Monthly Rollup Previews for Win7 and 8.1. Of course, you should ignore them.

More firmware updates

In the past couple of months, Microsoft has released massive firmware/driver updates for almost all of the latest Surface devices.

At this point, I’m still seeing problems with the July 26 set of fixes for the Surface Pro 4, which have been blamed for touchscreens that don’t touch, pens that don’t pen, batteries that go out to lunch, and all sorts of boorish behavior.

Of course, there have been no solutions.

More Intel microcode fixes

Microsoft released oodles and gobs (that’s a technical term) of microcode fixes for Win10 1803 and 1709, passing along Intel’s fixes for the Meltdown and Spectre V1, 2, 3, and 4 security holes. People have been pulling their hair out by the roots. Susan Bradley has a great birds-eye view:

Unless you are a nation state, have a key asset in a cloud server, or are running for a government office, I think we are spending way way more time worrying about this than we should.  I still think that attackers will nail me with malware, attack me with phishing, ransomware, etc etc, way more than someone will use these side channel attacks to gain information from me.  Remember that the attacker has to get on your system first and I still think they will use the umpteen other ways to attack me easier than this attack.  Also keep in mind that we won’t really have a full fix for this issue for several years.  Intel and AMD will need to redesign the chips to ultimately get fixed.

If you’re concerned about such things, do yourself a favor and go to Intel (probably via your PC’s manufacturer) and install the specific patches that you need. And remember that they won’t completely solve the problem.

If you insist on using the Microsoft approach to microcode, abandon all hope, and follow Bradley’s advice here. No matter which approach you take, make sure that you don’t publish any before-and-after performance data, which Intel has unilaterally declared verboten. See Bruce Perens’s article Intel Publishes Microcode Security Patches, No Benchmarking Or Comparison Allowed!

The bottom line

After all the problems last month, it’s a relief to have only a handful of glaring problems this month. I suggest you wait another day or two before installing the August patches.

The only significant breach of a recently patched security hole that I’ve found involves North Korea, Internet Explorer 11, VBScript, and China. That’s probably not a combination that’ll keep you up at night — and there’s little reason to rush into installing the August patches unless you’re in a Chinese organization that’s run afoul of the North Korean government.

I continue to recommend that you keep 1803 off your Win10 machines. No reason to go there until you’re forced. Susan Bradley’s Master PatchList has details for individual patches.

Thx to @sb, @abbodi86 and @PKCano

Patching problems? Join us on the AskWoody Lounge.

July 2018

If you ever wondered why people — and organizations — are taking longer and longer to willfully install patches, take a look at what happened this month. After a disastrous start, Windows 10 patches seem to be OK, but .NET and Server patches still stink.

For most of the year, we’ve seen two big cumulative updates every month for each of the supported Win10 versions. This month, so far, we’ve had three. Microsoft’s claim that it will install the Win7 and Win8.1 Monthly Rollups defies logic. The .NET patches are in such bad shape that the .NET devs have thrown in the towel. And here we sit not knowing exactly which way is up.

Three Win10 cumulative updates for each version in July

On Patch Tuesday, July 10, as usual, Microsoft rolled out cumulative updates for all of the supported versions of Windows 10. Almost immediately we heard screams of pain as four big bugs, later officially acknowledged, hit the fan. Six days later, Microsoft released a second set of cumulative updates, again for all versions of Win10. Those updates were specifically designed to fix the bugs introduced by the original updates. The build numbers in the Knowledge Base articles didn’t match the build numbers that people actually installed but, well, that’s Microsoft.

A week after that, on July 24, Microsoft released a third set of cumulative updates, again for all versions of Win10. At least, I think they were released on July 24. The dates in the Update Catalog and on the files themselves don’t line up. But we definitely have three cumulative updates for every version, so far this month. Beefy bug fixes.

It’s still too early to tell whether the third round of patches is viable. We’ve only had them for two days.

Win7 and Win8.1 get their fair share

As usual, Win7/Server 2008 R2 and Win8.1/Server 2012 R2 both received a single Monthly Rollup (along with a Security-only patch) on July 10. Both contained three of the four bugs introduced in the Win10 Patch Tuesday security patches, including the Stop 0xD1 bug. Microsoft released manual download-only fixes for the bugs for Win7 and 8.1 on July 16.

Then, on July 18, Microsoft released Monthly Rollup Previews for both Win7/Server 2008 R2 and Win8.1/Server 2012 R2, which apparently contain the manual download-only fixes. Like all good Monthly Rollup Previews, they’re released as Optional patches, so you have to specifically check them in order to get them — a procedure I never recommend.

Except, golly gee, on July 24, Microsoft announced:

The Windows Update classification for the following update packages has been changed from Optional to Recommended: KB 4338821 (Preview Monthly Rollup for Win7/Server 2008 R2), KB 4338816 (Preview Monthly Rollup for Server 2012), KB 4338831 (Preview Monthly Rollup for Win 8.1/Server 2012 R2). These packages will be installed automatically if the operating system is configured to receive automatic updates.

It’s a setting that, as best I know, is completely unprecedented in the history of Monthly Rollup Previews. Hard to imagine a Preview — by definition, a fix that isn’t ready for prime time — that’s pushed onto all machines. As of today, I haven’t seen those Previews pushed onto Win7 or 8.1 machines with automatic update enabled. It appears as if the announcement only applies to Servers — but that’s just conjecture at this point.

A poster named Francis says:

Since only the server preview rollups are updated in the catalog, I think Microsoft is not telling us the whole truth. Probably only the server preview rollups will be installed automatically if the operating system is configured to receive automatic updates AND the option to receive recommended updates is set in the Windows Update client settings

That corresponds to what I’ve seen. (If you aren’t confused, you haven’t been following along.)

.NET’s nuts

The .NET patches released on Patch Tuesday were bad. They were so bad that Microsoft itself has disavowed any knowledge of their actions. On July 20 — 10 days late and $10 short — ‘Softie Rich Lander posted on the official .NET blog:

The July 2018 Security and Quality Rollup updates for .NET Framework was released earlier this month. We have received multiple customer reports of applications that fail to start or don’t run correctly after installing the July 2018 update… We have stopped distributing the .NET Framework July 2018 updates on Windows Update and are actively working on fixing and re-shipping this month’s updates. If you installed the July 2018 update and have not yet seen any negative behavior, we recommend that you leave your systems as-is but closely monitor them and ensure that you apply upcoming .NET Framework updates.

Since that time, we’ve seen some fancy footwork to stop the disease from spreading. It now appears as if the patches are either not available or, if available through Windows Update, aren’t checked for automatic installation. The official apology hasn’t been updated with any word of a fix.


Microsoft pulled the bad Office 2016 non-security patch KB 4018385 on July 12, nine days after its release on the first Tuesday of the month. As I explained at the time:

What we’re seeing is a non-security patch for a bug in three-month-old security patch that crashed Office … and the new non-security patch also crashes Office. That's progress.

No word on a fix.

Massive firmware updates

If you have a Surface Pro 4 or a Surface Laptop, Microsoft has released dozens of firmware/driver fixes for your machine. Some of the “new” drivers are a year or more old. I hold out some hope that the fixes will cure some of the outstanding problems we’ve seen with the Surface Pro 4, especially with flakey keyboards and super slow write speeds.

More Intel microcode fixes

On July 24, we saw another bunch of Intel microcode fixes, specifically targeting the Spectre v2 vulnerability. There are separate patches for Win10 version 1803 and 1709— and no new updates, so far at least, for earlier versions. Microsoft’s summary post for the microcode KBs contains links.

The bottom line

Just about every aspect of patching this month revealed significant screw-ups. If your machine is set to automatically install new updates as soon as they’re released, you were likely stung at least once. Add to that the stunning lack of transparency and obvious documentation inconsistencies, and you have one of the worst patching months in recent memory. Let’s hope it doesn’t get worse.

I continue to recommend that you keep 1803 off your Win10 machines. The volume (and quality!) of patches doesn’t bode well. Of course, the other Win10 versions weren’t much better this month. Susan Bradley’s Master PatchList has details for individual patches.

Thx to @sb, @abbodi86 and @PKCano

Problems with patches? Yeah, join the club. Visit us on the AskWoody Lounge.

June 2018

Microsoft's patches in June took on some unexpected twists.

Windows 7 owners with older, 2002-era Pentium III machines got their patching privileges revoked without warning or explanation (and a documentation cover-up to boot), but there’s little sympathy in the blogosphere for elderly PCs.

Win10 1803 was declared fully fit for business, a pronouncement that was followed weeks later by fixes for a few glaring, acknowledged bugs — and stony silence for other known problems.

We’re continuing the two-big-cumulative-updates-a-month pace for all supported versions of Windows 10. The second cumulative update frequently fixes bugs introduced by the first cumulative update.

Win10 version 1803 still rough around the edges

Microsoft may think that Win10 (1803) is ready for widespread deployment, but there are a few folks who would take issue with that stance.

Yesterday, Microsoft finally released a fix for two big bugs that have dogged Win10 1803 since its inception. In theory, patch KB 4284848 fixes these acknowledged bugs:

  • Some users running Windows 10 version 1803 may receive the error "An invalid argument was supplied" when accessing files or running programs from a shared folder using the SMBv1 protocol.
  • Microsoft Edge may stop working when it initializes the download of a font from a malformed (not RFC compliant) URL.

In practice, life isn’t so simple. WSUS (the Windows Update Server software) isn’t “seeing” KB 4284848, as of late Wednesday afternoon –  which may be a good thing.

Along with the second cumulative update this month, there are additional releases to fix the Servicing Stack, and a new “Compatibility update” that, per the documentation, is designed to make it easier to upgrade Win10 1803 Enterprise to Win10 1803 Enterprise (not a typo).

Old problems remain in abundance. There are many reports of munged Intel NICs and VLAN problems after installing 1803. Josh Mayfield (whom you may recall from GWX days) reports that you’re forced to set up a PIN during fresh installs. The ancient problem with restore partitions getting assigned drive letters on install remains. Chrome continues its indigestion with 1803, although Microsoft claims the latest patch cures all ills. None of this is acknowledged anywhere I can see.

One problem that has been acknowledged – but only by a Microsoft Agent on an Answers Forum post – says that installing 1803 can clobber your peer-to-peer network. That certainly matches my experience. With earlier versions of Win10, I’d fire up the Homegroup Troubleshooter and that usually solved the problem. Unfortunately, Microsoft discontinued Homegroups in version 1803.

On the positive side, WindowsCentral’s Zac Bowden reports that yesterday’s 1803 patch fixes lagging/stuttering issues on his Surface Book 2 – a problem that’s neither acknowledged, nor described in the list of fixes.

If you think Win10 1803 is ready for prime time, you’re welcome to give it a try.

Multiple patches for supported versions of Win10

  • Version 1803 saw patches on June 5 (for a QuickBooks bug), June 12 (which introduced the Edge font bug) and June 26 (see the above);
  • Version 1709 was patched on June 12 and June 21. Now up to build 16299.522, it appears to be relatively stable. I haven’t upgraded to it, but will try to find time over the July 4 holiday;
  • Version 1703 was also patched on June 12 and June 21.

Win7 continues to draw attention

We still have an acknowledged bug, introduced by the Win7 patches in March:

There is an issue with Windows and a third-party software that is related to a missing file (oem<number>.inf). Because of this issue, after you apply this update, the network interface controller will stop working.

As noted by an anonymous poster last month:

It’s not only KB4103718 (May 8, 2018—KB4103718 (Monthly Rollup)) that has been updated with the missing oem<number>.inf issue. The problem seems to date back to the March 2018 Security-Only and Monthly Rollup updates.

All of the following knowledge base articles were updated with similar warnings on May 25, 2018:

  • KB4088875: March 13, 2018—KB4088875 (Monthly Rollup);
  • KB4088878: March 13, 2018—KB4088878 (Security-only update);
  • KB4088881: March 23, 2018—KB4088881 (Preview of Monthly Rollup);
  • KB4093118: April 10, 2018—KB4093118 (Monthly Rollup);
  • KB4093113: April 17, 2018—KB4093113 (Preview of Monthly Rollup);
  • KB4103718: May 8, 2018—KB4103718 (Monthly Rollup);
  • KB4103713: May 17, 2018—KB4103713 (Preview of Monthly Rollup).

Microsoft won’t say which vendor(s) and/or which network card(s) are getting cracked by the patch. There’s speculation that the bad card is from Intel, but we really don’t know. Your only real recourse is to create a full backup prior to applying this month’s patches, or to accept the possibility that you’ll have to manually re-install them. Susan Bradley has detailed instructions.

The bottom line

Windows 8.1 continues to hold the title as the most stable version of Windows. Hard to believe.

This month’s Office patches seem to be working, although there are many individual problems listed in the Office Fixes or Workarounds list.

Stay tuned.

Thx to @sb and @PKCano

Struggling with other problems? Join us on the AskWoody Lounge.

May 2018

Once more we have a monthly Windows/Office patch scorecard that needs a guidebook. Or two. And we just got a handful of buried warnings about problems in old patches, plus a brand new way to fry your network interface card.

Thus continues the tradition of two cumulative updates per month for all of the supported Windows 10 versions – that’s eight cumulative updates in total – in addition to bobs and weaves and a very long list of acknowledged bugs introduced by recent security patches in Windows 7.

Conflicts with Remote Desktop

The strange behavior of the CredSSP update – where the Patch Tuesday fixes for all versions of Windows seemed to break Remote Desktop Protocol with a strange error message: “This could be due to CredSSP encryption oracle remediation” has been resolved.

Patch Lady Susan Bradley notes (about all versions of Windows and Remote access):

Be aware — if you are seeing RDP issues post patch Tuesday, the underlying issue is that there is a mismatch between patch levels. The updates for the RDP/credssp came out in March and slowly Microsoft has been adjusting the mandate of the update. In May, the full “you must have a patch on both ends” kicked in. So if you haven’t updated your servers, but your workstations got patched you’ll see the CredSSP error message.

While there is a registry key to allow patched systems to connect to unpatched systems, it’s much wiser to patch your servers. Note that if you held off patching your servers because of the networking side effects/bugs, those were patched in the April.

That’s how you solve a CredSSP encryption oracle remediation problem. Obviously. Ahem.

Win10 version 1803 approaches 'usable' status

The unpaid beta testers for Windows 10 April 2018 Update (better known as version 1803) earned their salaries this month, with triple overtime. The embarrassing bug in the original 1803 (released April 30) bricked any computer with an Intel SSD6 drive– including some of Microsoft’s own Surface Pro 2017 computers.

A similar, but different, bug dogged PCs with Toshiba SSDs. The bug persisted in the first cumulative update for Win10 1803, but was finally put to sleep last week with the second cumulative update, which finally made 1803 installable on most common PCs.

Installable, mind you. Not stable. For example, there are many reports of 1803 driving batteries nuts. I’ve seen discussions of the Surface Studio mouse and keyboard lock-ups after installing 1803, but no solutions – and there may be a similar problem with earlier versions of Win10. The Reddit 1803 megathread is up to 1,800 comments– not all of which are glowing reports of happiness in 1803 land.

The greatest malfeasance, in my opinion, is Microsoft’s continuing push to install Win10 1803 on machines that are set to specifically avoid it. Win10 1709 Home users get hit the worst. AskWoody reader IG puts it this way:

I have found that (at least in my situation with my Lenovo and HP laptops) the best way to avoid the latest feature update for Windows 10 Home, is to not only set your connection to metered, but to also install the Windows update tool, (wushowhide). Despite being on a metered connection, the 1803 upgrade eventually showed up ‘available to download’ this week. Along with the 1803 update a 1709 update also showed up but required a ‘retry.’ Using the update tool I hid the 1803 upgrade, and the next time Windows automatically checked for updates, it was no longer available to download. I was also able to retry and install the current 1709 update without any issues.

I continue to strongly recommend that you not hobnob with the cannon fodder and wait for Microsoft to show some restraint. Or at least some fixes. My original recommendations for blocking 1803 still work, but you have to use all of them, altogether, all the time.

Multiple patches for all versions of Windows 10

If you’re using Windows 10, you saw big multiple patches in April:

  • Version 1709– the Fall Creators Update — the initial Patch Tuesday patch, KB 4103727, had the usual round of complaints about failure to install, random bluescreens and the like. The second cumulative update, KB 4103714, seems to be stable.
  • Version 1703— the Creators Update — got its first cumulative update, KB 4103731, on Patch Tuesday, and a second huge cumulative update, KB 4103722a week later.
  • Version 1607— the Anniversary Update (only for Win10 1607 Enterprise and Education) also got two cumulative updates.

Version 1703 remains stable (although there’s a whole lotta patchin’ goin’ on) and 1709 has finally found some maturity. About a month too late.

The ongoing Windows 7/Server 2008 R2 saga

Windows 7 continues to be singled out for back-breaking patch-induced bugs. Microsoft officially acknowledges both of these bugsin the latest Win7/Server 2008 R2 patch, KB 4103718:

  • A stop error occurs on computers that don't support Streaming Single Instructions Multiple Data (SIMD) Extensions 2 (SSE2). A long-standing problem, still with no solution.
  • There is an issue with Windows and a third-party software that is related to a missing file (oem<number>.inf). Because of this issue, after you apply this update, the network interface controller will stop working.That announcement appeared out of the blue on May 26. There’s no indication which “third-party software” is at fault – or who should avoid the patch – but such are the vagaries of Windows patching. There’s an in-depth discussion going on the AskWoody Lounge.

As it turns out, the missing oem<number>.inf issue dates back to the March patches. According to an anonymous poster:

It’s not only KB4103718 (May 8, 2018—KB4103718 (Monthly Rollup)) that has been updated last Friday with the missing oem<number>.inf issue. The problem seems to date back to the March 2018 Security-Only and Monthly Rollup updates.

All of the following knowledge base articles were updated with similar warnings on May 25:

  • KB4088875: March 13, 2018—KB4088875 (Monthly Rollup)
  • KB4088878: March 13, 2018—KB4088878 (Security-only update)
  • KB4088881: March 23, 2018—KB4088881 (Preview of Monthly Rollup)
  • KB4093118: April 10, 2018—KB4093118 (Monthly Rollup)
  • KB4093113: April 17, 2018—KB4093113 (Preview of Monthly Rollup)
  • KB4103718: May 8, 2018—KB4103718 (Monthly Rollup)
  • KB4103713: May 17, 2018—KB4103713 (Preview of Monthly Rollup)

We’re stuck between a rock and a hard place. Microsoft won’t say which vendor(s) and/or which network card(s) are getting cracked by the patch. There’s speculation that the bad card is from Intel, but we really don’t know. Your only real recourse is to create a full backup prior to applying this month’s patches, or to accept the possibility that you’ll have to manually re-install them. Susan Bradley has detailed instructions.

That same anonymous poster goes on to advise:

Also, there is a new, never heard before issue with the Win7 March 2018 Security-only update (KB4088878):

Symptom: A 32-bit (x86) computer won’t boot or keeps restarting after applying this security update.

Workaround: Before applying this security update and subsequent security updates, uninstall the following external drivers until they are fixed by the vendor that owns them:

  • HASP Kernel Device Driver (a.k.a. Haspnt.sys)
  • Hard Lock Key Drivers (a.k.a. hardlock.sys)

It’s not at all clear if that warning is only for 32-bit computers.

If you want to see something scary, take a look at the current version of the “Known issues” list for the Win7 Security-only patch, KB 4088878. I count nine acknowledged bugs introduced in that one Security-only patch.

Windows 8.1 / Server 2012 R2 continues to look good. By any objective measure, 8.1 is Microsoft’s most stable version of Windows. By a long shot.

Office patches keep rolling along

I don’t know of any pressing problems with this month’s Office patches. Susan Bradley’s Master Patchwatch List gives them a clean bill of health, and @PKCano’s list of non-security patches looks clean, too, although there are a number of acknowledged problems listed on the official Fixes pages.

Stay tuned.

Thx to @PKCano, @sb and the Mentats-in-Training.

Join us for the latest on the AskWoody Lounge

April 2018

People think I’m joking when I refer to bug fixing as Microsoft’s next billion-dollar business. I’m not. This month woefully demonstrated why patching Windows has become much bigger – and more critical – than developing new versions. Microsoft’s hell-bent move to bring out new versions of Windows twice a year “as a service” makes things worse, but quality control problems dog patches to every version of Windows. Except, arguably, Windows 8.1.

In April, we’ve seen a return to two massive cumulative updates per month for all supported versions of Windows 10. The second cumulative update, with luck, fixes the bugs in the first cumulative update. Windows 7 turned into a fiery pit when it was discovered in late March that every patch to Win7 (and Server 2008R2) pushed out this year enables the Total Meltdown bug. Fortunately, by April 23, we finally saw some stability return to the process.

Multiple patches for all versions of Windows 10

If you’re using Windows 10, you saw big multiple patches in April:

  • Version 1709 – the Fall Creators Update – the initial Patch Tuesday patch, KB 4093112, had the usual round of complaints about failure to install, random bluescreens and the like. It took a few days for info to surface about changes in pen behavior, which resulted in pen movements in major program (such as Adobe Photoshop) dragging the canvas. Turns out, beta testers in Win10 1803 liked the new feature so much that Microsoft decided to drop it into Win10 1709, without warning or (apparently) testing. The second cumulative update, KB 4093105, which went out on the night of April 23, fixed the aberrant pen behavior and promises to not re-install Candy Crush Soda Saga on version upgrades. We’ll see.
  • Version 1703– the Creators Update – got its first cumulative update, KB 4093107, on Patch Tuesday, and a second huge cumulative update, KB 4093117, a week later.
  • Version 1607– the Anniversary Update – received its first cumulative update, KB 4093119, on Patch Tuesday, April 10, the scheduled End of Life date for Win10 1607 Pro and Home. Version 1607 received a second monthly cumulative update a week later, KB 4093120 – but only for Win10 1607 Enterprise and Education.

There was yet another update for Win10 1709, 1703 and 1607 released on April 24. KB 4078407 is supposed to be the software side of the fix for Spectre variant 2. It has to be combined with microcode updates to work and it’s only available by download from the Microsoft Update Catalog. We’re following its progress closely on AskWoody.

Of course we’re all waiting for Win10 version 1803 to appear. There’s still no word on when that might happen, or what it’ll be called. (Inveterate leaker Faikee points to a Chinese-language letter to dealers saying it’ll be released May 9.)

The ongoing Windows 7/Server 2008 R2 saga

Two words: Total Meltdown. We now know that every 64-bit Windows 7 and Server 2008 R2 patch released this year, up to March 29, contained a bug that opens a security hole dubbed Total Meltdown. Microsoft spent most of April in Keystone Kops patching mode, where one patch after another introduced more and different bugs, and new patches replaced older patches at a truly mind-boggling rate.

As the month’s now winding down, there’s a bit of good news. As of Monday night, it appears as if the (re-re-re-released) April Monthly Rollup, KB 4093118, has lost its boorish tendency to re-re-re-install itself. That means, to a first approximation, Win7 and Server 2008 R2 users can install one patch and wipe out the Total Meltdown threat.

All of this is unfolding as a real, live working Total Meltdown exploit is in the works. Of course, Meltdown (as opposed to Total Meltdown) and Spectre have absolutely no known exploits. None.

Those who insist on installing Security-only patches, eschewing the Monthly Rollups, face an unanswered question: If you’ve installed the earlier, buggy version of the NIC and static-IP defending patch KB 4099950, do you need to uninstall it before proceeding? The official documents are mum. We’re also following that question on AskWoody.

There continue to be reports from people who installed this month’s updates and had to struggle with recovering their user profile. Microsoft acknowledged the problem, of and on, and even posted a Knowledge Base article with workaround steps.

Office patches keep rolling along

There don’t appear to be any pressing problems with this month’s Office patches. Susan Bradley’s Master Patchwatch List gives them a clean bill of health, although there are a number of acknowledged problems listed on the official Fixes pages.

In short, it looks like Microsoft has fixed the problems that it introduced earlier in the month. The fixes to security holes Microsoft installed with this year’s Win7 and Server 2008 R2 are almost ready. We just have a couple of niggling problems before it’s time to get the April patches installed.

Stay tuned.

Join us for the latest on the AskWoody Lounge.

March 2018

An enormous number of patches spewed out of Microsoft this month, with two ponderous cumulative updates for each version of Windows 10, a third “bonus” bug fix for Win10 Fall Creators Update (version 1709), and a just-described bug in Windows 7 that’ll leave you begging for a Win7 patch that works.

There’s also a bit of comic relief with a patch for Win10 1709, KB 4094276, that “makes improvements to ease the upgrade experience to Windows 10 Version 1709.” That’s a wonderful example of a self-referential fix.

Multiple patches for all versions of Win10

If you’re running Win10, you saw multiple big patches in March:

  • Version 1709 – the Fall Creators Update — saw an emergency fix, KB 4090913, on March 5, which fixed a bug introduced in the February round of patches (and rendered some machines unbootable); a “regular” Patch Tuesday patch, KB 4088776 on March 13; and a big out-of-out-of-band patch KB 4089848 on Thursday, March 22. The biggest complaints involve the usual chorus of patches that refuse to install, and driver problems. Reports of INACCESSIBLE_BOOT_DEVICE bluescreens are tapering off.
  • Version 1703 – the Creators Update — also got a bug fix, KB 4092077, on March 8, which fixed an earlier patch that crashed the user interface. 1703 also saw two big cumulative updates, KB 4088782 on Patch Tuesday and KB 4088891 on the really-out-of-band patch date: March 22.
  • Version 1607 and Server 2016 – the Anniversary Update — also got two big cumulative updates, KB 4088787 on Patch Tuesday and a big booster KB 4088889 on the way-out-of-band Thursday. Just a reminder that, unless you’re using 1607 Enterprise or Education, your version runs out of support (as it were) on April 10.

March also presented us with the third, uh, opportunity to get forcibly pushed from Win10 1703 to 1709 – even on systems specifically set to block the upgrade.

At various points in March, users also saw updates to the Servicing Stacks for all three Win10 versions. Apparently, they resolved the race condition-related bugs that left USB drivers, in particular, dead in the water. If you’re installing the Win10 cumulative updates manually, make sure you install the respective Servicing Stack Update before you install the cumulative update.

A little bit of Word poison

Microsoft released a buggy Office 2016 security patch, KB 4011730, which left Word 2016 in such a bad state that it couldn’t save – or sometimes even open – files. We discovered later that if you install the March non-security patch for Office 2016, KB 4018295, Word 2016 suddenly got its mojo back.

Microsoft is researching this problem and will post more information in this article when the information becomes available.

Of course.

Windows 7: To patch or not to patch

All of which serves as prelude to the massive cluster-cluck that engulfed Windows 7 in March.

Win7 and Server 2018 R2 received a relatively modest Monthly Rollup, KB 4088875, and the obligatory Security-only, manually installed patch, KB 4088878, on Patch Tuesday, March 13. Almost immediately, we started seeing reports of networking problems with the patches, and some bluescreens. Shortly afterward, two specific problems with broken manual IP addresses and disabled Network Interface Cards (vNICs) bubbled up.

At first, Microsoft didn’t acknowledge the bugs; instead it stopped the Monthly Rollup from installing automatically (for those of you naïve enough to have Automatic Update enabled). As days passed, Microsoft finally published a detailed list of “known issues in this update.”

At this point, some users report that KB 4088875 appears in Windows Update as an “important” update that isn’t checked, and which doesn’t install by default. But there’s more. Others say it’s off the Windows Update list, but apparently it’s still being pushed out via WSUS servers.

Microsoft released, then re-released, an ad-hoc VBScript program that was supposed to fix the problem. But the script has raised all sorts of questions. Poster MrBrian reports that the script was changed on March 27, with no notification. Poster abbodi86 has an improved version posted on Pastebin.

But there’s more to the story.

Yesterday, security researcher UlfFrisk posted a report about a new big security hole in Windows 7. Bucking the recent trend, UlfFrisk avoided a massive publicity campaign, replete with pre-defined exploit names and cute logos, but his “Total Meltdown” exploit almost defies imagination. As Günter Born says:

Microsoft’s Meltdown updates shipped in January 2018 and February for Windows 7 (and Server 2008 R2) intended to mitigate the Meltdown vulnerability rip open a huge security hole. This allows any process under Windows 7 to read and write to any memory area without exploits…

Unfortunately, an accident happened in the January 2018 [Win7] patch (and also in February 2018 patch) when… if a (user) process has read/write access to the page tables, it is [trivial] to access the entire physical memory.

This isn’t “Sky is Falling” time. But it means that if you’re running Win7 64-bit or 2008R2 64-bit on an Intel machine, and you installed either the January or February Win7 Monthly Rollups or Security-only patches, Microsoft flipped the wrong bit, and you now have a big hole in your machine that will let any running program look at and change everything in memory. Note that you have to be running a destructive program in the first place – Total Meltdown doesn’t make it easier to run bad programs – but the security hole appears to be massive, by any estimation.

The problem is solved by the March Win7 patches, but…, well, you can see what a mess those have become.

Thx to @PKCano, @sb, @MrBrian, @abbodi86.

Having problems with this month’s patches? Join us on the AskWoody Lounge.

February 2018

The January 2018 Microsoft patching cycle may have been the worst and most invasive set of Microsoft releases in recent memory. The February updates, by marked contrast, only clobber a limited number of machines. How many? We don’t know — and Microsoft isn’t saying.

Bad Win10 Fall Creators Update patch

What we do know for sure is that the buggy Win10 Fall Creators Update cumulative update KB 4074588 tossed many PCs into bluescreen hell and disabled USB devices of various stripes. That’s quite an accomplishment for version 1709 which, according to AdDuplex, is now said to run on 85% of all Windows 10 machines. To look at it a different way, Microsoft blew the cumulative update to the most-used version (1709) of the most-used Windows (Win10 now surpasses Win7).

It took Microsoft 10 days to admit to the bugs. Finally, on Feb. 23, it appended these items to the KB article. There’s no additional notification, of course – if you figured out what caused your problem, and figured the KB article would have some information, here’s what you eventually got:

After installing this update, some USB devices and onboard devices, such as a built-in laptop camera, keyboard or mouse, may stop working.  This may occur when the windows update servicing stack incorrectly skips installing the newer version of some critical drivers in the cumulative update and uninstalls the currently active drivers during maintenance.

Microsoft is working on a resolution and will provide an update in an upcoming release. Workaround steps are available in KB4091240.

After installing this update, some devices may fail to boot with INACCESSIBLE_BOOT_DEVICE.

This issue occurs when the windows update servicing stack incorrectly skips installing the newer version of some critical drivers in the cumulative update and uninstalls the currently active drivers during maintenance.

Microsoft is working on a resolution and will provide an update in an upcoming release. Workaround steps are available in KB4075150.

As you might imagine, both manual workarounds require an advanced degree in Microsoft Patch bugology.

More fixes for Win10

Late last week, on Feb. 22, we saw new cumulative updates for Win10 1703 (the Creators Update) and 1607 (the Anniversary Update). Both were the second cumulative updates this month for the respective versions. What we didn’t see was a second cumulative update for 1709. Although there’s been no official word, I think it’s likely that the 1709 second cumulative update was held because of problems with the patch – and I’d be willing to bet my eye teeth that the problems have to do with the bluescreen and USB issues.

We’ll reportedly see the second February cumulative update for Win10 1709 on  Tuesday.

In spite of its 85% lead, I’m still not moving from the Creators Update (1703) to the Fall Creators Update (1709), and suggest that you resist, too, until Microsoft has shown it can reliably keep 1709 alive and well.

Or, you can join the swelling ranks of the unpaid beta testers. Millions already have.

Win7 reboot to black

The other major problem this month is with the Windows 7 Monthly Rollups. Many users report that, after installing a Win7 Monthly Rollup, their systems no longer restart properly: Clicking through the Start / Restart sequence lands these PCs on a black screen, with the computer and fans still running. The only way to get their system working again involves a nearly-hard-restart, typically by punching the restart button on the front of a desktop or pushing and holding the power button on a laptop.

It’s not clear whether the problem affects Intel (Sandy Bridge? Ivy Bridge?) or AMD processors, or all of them – and maybe more.

It’s also not clear whether the problem started with January’s Monthly Rollup, or if it just emerged in February. I have a report that the problem didn’t occur after the January Monthly Rollup. But then again I have a report that it did.

Ben1907 on the Microsoft Answers forum has had some success, without uninstalling the patch:

I checked my C-State settings on my ASUS P8P67-M motherboard and they were set to the default settings in the ASUS manual.

  • C1E [enabled]
  • C3 Report [disabled]
  • C6 Report [enabled]

Playing around by setting different combinations, I found the C1E enabled/disabled did not matter, so left it enabled. However, by setting C6 Report to DISABLED, I have now been able to perform a normal restart/reboot from Windows 7. Tried at least half dozen times and all good so far.

Thanks for investigating this and putting me on the right path to correct this issue. Microsoft has caused me so many lost hours of troubleshooting problems they inject with updates you wonder if they have any quality control.

Two NET Previews bite the dust

On Thursday, Microsoft released a gaggle (or perhaps it’s a murder?) of Preview patches at the the same time it released a bunch of optional Windows patches (see Susan Bradley’s list). Two of those Previews were doomed from the get-go:

KB 4074805 – the February 2018 Preview of Quality Rollups for .NET Framework 3.5.1, 4.5.2, 4.6, 4.6.1, 4.6.2, 4.7, and 4.7.1 for Windows 7 SP1 and Server 2008 R2 SP1 – set Quickbooks Enterprise 2017 crashing at startup

KB 4073701 – the February 2018 Preview of Quality Rollup for .NET Framework 4.6, 4.6.1, 4.6.2, 4.7, and 4.7.1 for Windows 7 SP1 and Server 2008 R2 SP1 and for .NET Framework 4.6 on Server 2008 SP2 has also been implicated.

Intuit, the owner of Quickbooks, has some choice comments about the bug:

Consult your IT professional to remove patch KB4074805. If you are still experiencing the issue, you may have to uninstall patch KB 4073701 as well.

Microsoft apparently pulled the patches, although the KB articles fail to mention the bug – or the fact that KB 4074805 and KB 4073701 are no longer available.

There’s a reason why you should never install a Preview.

What are we fighting for?

Every month, I look back and try to figure out whether the damage caused by Microsoft’s patches outweighs the undeniable benefit of more-secure systems. This month’s Anubis weigh-in shows, once again, that lots of people are getting clobbered – and there’s very little benefit to the February patches at this point.

One important point for the patching-inclined: As I made clear shortly after this month’s Patch Tuesday, there’s a very real threat for folks with the installed (“MSI”) version of Office:

If you’re using Outlook 2007, 2010, 2013, or 2016 – the installed versions – you’ll be vulnerable to drive-by email attacks by previewing a bad email or just by downloading a rigged email. No, you don’t need to open the email. It just infects.

As best I can tell, there aren’t any known exploits. But anyone with installed versions of Outlook should seriously consider installing the patch for Outlook 2007 (KB 4011200, four months beyond its end-of-support date), Outlook 2010 (KB 4011711), Outlook 2013 (KB 4011697), and/or Outlook 2016 (KB 4011682).

If you use Office 2016 Click-to-Run, the patches will appear the next time CtR updates itself, with version 1708 build 8431.2215 in the Semi-Annual Channel and 1705 build 8201.2258 in the Deferred Channel.

I’m also seeing reports that last month’s Outlook 2010 patch, KB 4011273, is making Contacts View in Microsoft’s Dynamics CRM 2011 fail. This isn’t the first report of problems with KB 4011273.

Other than that, and a disclosed (but not particularly infectious) exploit in Edge (CVE-2018-0771), and ongoing, perennial threats through Flash (if you use Flash, you have nobody to blame but yourself), there are no immediate threats from the exploits fixed this month that I know about. In particular, there are no known attacks that use Meltdown or Spectre. None.

What to do now

If you’re motivated to sift through individual patches, patching guru Susan Bradley has watchlists for the February Patch Tuesday patches, the February Optional Updates, and last week’s Feb. 22 releases.

If you’d rather wait until the coast is clear, and prefer not to sweat the small stuff, make sure you have Outlook fixed if you need to then go get a cup of coffee. Check back again in a few days, to see whether Microsoft has finally given us a version of Win10 1709 that actually, you know, works – and if there are any further problems with the second cumulative updates for 1703 and 1611. Don’t expect a fix for the Win7 boot to black screen problem.

Have a problem? Don’t we all. Join us on the AskWoody Lounge.

January 2018

On the heels of a relatively benevolent December Patch Tuesday, the stream of patches pouring out of Microsoft (and Intel!) in January reached epic proportions. To be fair, it looks as if Microsoft got drawn into releasing its Meltdown/Spectre barrage early – on Jan. 3 – but they were so buggy they were withdrawn for AMD processors on Jan. 8, and gradually re-released in phases over the next two weeks.

If you had Automatic Update turned on, and you’re running an AMD machine that’s more than a couple of years old, chances are good that you woke up to a blue screen, and restoring your system took two magic incantations and an Act of Congress. Tens of thousands – possibly hundreds of thousands – of AMD machines may have been bricked by this month’s patches. But be of good cheer. Microsoft released  KB 4073578 (“Unbootable state for AMD devices in Windows 7 SP1 and Windows Server 2008 R2 SP1”) and KB 4073576 (same for Win8.1 and Server 2012 R2) to fix your problem. Of course, you have to be able to boot your computer to install the updates.

Never mind.

Then there’s .NET.

So far this month, we’ve seen patches roll out like this:

That is an enormous pile of patches; even the folks who are paid to watch patches full time are confused.

Intel BIOS/UEFI patch recalls

Not to be outdone by Microsoft, Intel created mayhem by releasing, then yanking, its Meltdown/Spectre BIOS and UEFI firmware patches for almost every Intel computer released in the past five years. Intel’s documentation rivals that of Microsoft for ambiguity, hyperbole, and obfuscation.

Here are the latest links to BIOS/UEFI Meltdown/Spectre recall advice from the major hardware manufacturers:

If you have new information about any of those vendors, please let me know on the AskWoody Lounge.

Windows patches

No matter which version of Windows you patch, you need to get your antivirus program to signal to Windows that it’s compatible with this month’s updates.

The Win10 Fall Creators Update patch on Jan. 18 seems to have shaken out the major problems with Win10 1709.

The Win10 Creators Update patch on Jan. 17, similarly, seems to fix the outstanding problems with this month’s changes to Win10 1703

The Win10 Anniversary Update patch on Jan. 17 – again, manual install only – fixes a bunch of bugs in Win10 1607, but it also clobbers Windows Defender Credential Guard (which you probably don’t use).

With the release of KB 4077561 on Jan. 24, Microsoft has fixed many of the acknowledged problems with this month’s Monthly Rollup and Security-Only (manual installation) patches for Win8.1. That said, there’s still a great deal of debate about the proper installation sequence of patches, re-patches and old patches. As usual, Microsoft hasn’t said anything.

.NET patches

This looks like a mess. You can get the details in my Jan. 19 column, but the basic idea is that the original .NET patches for .NET 4.6/4.6.1/4.6.2/4.7/4.7.1 were all bad, and have to be augmented by additional patches. The font problems in the original patches have been fixed in general, but only if you install these latest patches.

Then there’s the Fixit tool KB 4074906 that fixes “Windows Presentation Foundation (WPF) applications that request a fallback font or a character that is not included in the currently selected font.”

Office patches

It appears as if the Office 2016 patch KB 3178662 throws an installation error 0x8007006e. The Office folks, who are usually good about acknowledging problems, haven’t picked this one up yet. Solution? Uninstall "Microsoft Office Proofing Tools Kit Compilation 2016.”

There’s a laundry list of acknowledged problems with Outlook: To-Do Bar and Task List view not displaying events; Unable to "Save All Attachments" to a shared network drive; No Search results found when using All Mailboxes; Find Related option does not show results; Outlook 2010 will not start on WinXP after January updates. The bug that prevented Outlook 2016 from forwarding files attached to text messages was fixed on Jan. 24.

What to do now


If you have an irresistible urge to click “Enable Edits” on bogus Word documents, you can disable Equation Editor with a quick registry hack. Other than that, as long as you don’t use IE or Edge, there’s absolutely no reason to dive into the roiling mess of January updates.

In spite of the “Sky is falling” screams online, there’s no sign a single PC has been compromised by the Meltdown or Spectre vulnerabilities. Contrast that to the multitudes of machines that’ve been bricked by bad patches, and the untold users wondering why they have to unwind this month’s firmware updates.

The long and short of it: If you installed any of this month’s patches from Microsoft or your PC manufacturer, you joined the swelling ranks of unpaid beta testers. If your machine’s still working, thank your lucky stars.

There’s a reason why I recommend you turn off Automatic Update and wait for carnage to clear before installing the latest missives.

Group therapy for patchers continues on the AskWoody Lounge.

December 2017

It’s hard to remember the last time we had a Patch Tuesday as inoffensive as this month’s. February 2017 comes to mind — but then again, we didn’t have a Patch Tuesday in February, as Microsoft called it off.

Part of the reason for the relatively easy going this month, I’m convinced, is the lack of attention showered on Windows 7 and earlier versions of Windows 10 (including the Creators Update, version 1703, which has become more-or-less fully baked and remains my version of choice). Aside from a few lackluster security patches, the December update for Win10 1607 fixed the “CDPUserSvc_XXXX has stopped working” bug introduced in a security patch two months ago, and the rest is largely routine.

The exception, of course, is Windows 10 Fall Security Update, version 1709. If you succumbed to the pressure (or the forced upgrade) and installed the latest version of Win10, you were rewarded for your trust by a series of unfortunate patching events worthy of Lemony Snicket. If you’re hell-bent on installing this month’s updates on a Win10 1709 machine, make sure you read the Computerworld synopsis of problems and sometime-solutions. Or, better, forget about it until next month.

The only major problem with the Office December patches that I’ve seen involves the blocking of Word {DDEAUTO} fields — an arcane topic that I covered yesterday. You’ll only notice the difficulty if you have a Word document that needs to update itself every time you open it. Thus, if you install this month’s Office patches, then open a Word doc, and it no longer responds correctly (by, say, pulling data from an Excel spreadsheet and putting the data in the doc), you need to slog through the manual workarounds, edit the registry, and put DDE right again.

As a long-time advocate of powerful documents, I’m sorry to see the “Auto” functions go. At the same time, I can understand why their days were numbered. I hate to admit it, but Microsoft made the right choice in cutting off “Auto” updating.

Bitten by a bug? Bite back. Drop by the AskWoody Lounge.

November 2017

There are so many issues with this month’s security patches that it’s hard to decide where to begin. Let’s start with the problems that have been acknowledged, then move into the realm of what’s not yet fully defined.

Forced upgrades

Many users have remarked about how much the forced 1703-to-1709 Windows 10 upgrades feel like Microsoft’s detested forced upgrades from Win 7 and 8.1 to 10 – the “Get Windows X” campaign. Although the situation’s different on the surface, the net result is the same. Many people who were happily using Windows 10 Fall Update – version 1703 – were forcibly upgraded this month to the Fall Creators Update – version 1709 – even on systems that were not supposed to be upgraded.

At first, Microsoft ignored the uproar. But last week it quietly owned up to the move by putting this notification in the description for November’s Win 10 1703 Patch Tuesday cumulative update:

Known issues in this update:

Windows Pro devices on the Current Branch for Business (CBB) will upgrade unexpectedly.

Microsoft is working on a resolution and will provide an update in an upcoming release.

On the same day, Nov. 22, Microsoft released another cumulative update for 1703, KB 4055254, which doesn’t mention the problem. I’m going to guess it was fixed.

Those who were forcibly upgraded from 1703 to 1709 are now in limbo; if you allowed Win10 to automatically update itself, and the 1709 installer decided to take over, you’re stuck on 1709. Users had 10 days to roll back to the older version, and those days are gone.

That’s not good news if you hit problems with 1709, like the folder permissions problem or the autostart after boot problem. Those who got hit were upgraded without warning.

Broken Epson dot matrix printers

There are lots and lots of Epson dot matrix (and POS terminal) printers alive and well, thank you very much.

To recap, this month’s Patch Tuesday patches broke the Epson dot matrix driver for every supported version of Windows: Win10 1709, Win10 1703, Win10 1607/Server 2016, Win10 1511 Enterprise, Win10 1507 LTSC, Win 8.1/Server 2012 R2, Server 2012, and Win7/Server 2008 R2. (It’s quite remarkable: Microsoft is now actively supporting 11 versions of Windows – 14 if you count the Server versions separately.)

As noted yesterday, there are now fixes for six of those versions: Win 8.1/Server 2012 R2, Server 2012, and Win7/Server 2008 R2 and Win10 1703. There was a fleeting fix for Win10 1709, but it disappeared. As of this morning, there's a spot reserved for a Win10 1709 cumulative update, KB 4051963 for build 16299.96, but there's no KB article as yet and no reports of it rolling out. Presumeably, it'll include a fix for the Epson printing bug.

But there’s still no word on Epson printer fixes for Win10 1511 Enterprise or for Win10 1507 LTSC.

.NET patches appear, disappear, then reappear

Microsoft released four .NET Framework patches on Patch Tuesday:

  • 2017-11 Quality Rollup for .Net Framework 3.5.1 on Windows Embedded Standard 7, Windows 7, and Windows Server 2008 R2 (KB 4049016)
  • 2017-11 Quality Rollup for .Net Framework 3.5, 4.5.2, 4.6, 4.6.1, 4.6.2, 4.7 on Windows 8.1, Windows RT 8.1, and Windows Server 2012 R2 (KB 4049017)
  • 2017-11 Quality Rollup for .Net Framework 3.5, 4.5.2, 4.6, 4.6.1, 4.6.2, 4.7 on Windows Embedded 8 Standard and Windows Server 2012 (KB 4049018)
  • 2017-11 Quality Rollup for .Net Framework 2.0 on Windows Server 2008 (KB 4049019)

The company then pulled all of them down before Thanksgiving. There was no official notice, just a string of comments on the MSDN TechNet blog that said, in effect, Microsoft hadn’t handled the supercedence chain on the patches properly and would fix the problem sometime after the U.S. holiday.

Sure enough, they were re-released yesterday.

CDPUserSvc_XXXX has stopped working

This bug, introduced in the Win10 1607 October cumulative update and both of the November 1607 cumulative updates, was finally acknowledged a little over a week ago. The three cumulative updates now contain this notice:

After installing KB4041688, KB4052231, or KB4048953, the error "CDPUserSvc_XXXX has stopped working" appears. Additionally, Event ID 1000 is logged in the Application event log. It notes that svchost.exe_CDPUserSvc_XXXX has stopped working and the faulting module name is "cdp.dll".

Microsoft is working on a resolution and will provide an update in an upcoming release.

Until then, follow the steps in the Per-user services in Windows 10 and Windows Server article.

To be clear, the bug has not been fixed, although it’s been well documented for six weeks. It even appears in the Win10 1703 Cumulative Update, KB 4051033, which was released on Nov. 27. Expect a real fix in the December Patch Tuesday crop.

Win10 1709 group policy setting incorrectly blocking cumulative updates

In Win10 1709 Fall Creators Update, adjusting the setting “After a Preview Build or Feature Update is released, defer receiving it for this many days” may, in fact, defer cumulative updates (which Microsoft insists on calling “quality updates”).

Poster Klaasklever who first described the bug on the TechNet, pointed to “reports that this issue is also caused by setting to defer Feature Updates in the Windows Update Settings within the normal Windows Settings App.”

It’s clearly a bug in Win10 1709, though it’s not clear which versions are afflicted – and there’s a possibility that the not-yet-released Win10 1709 cumulative update, KB 4051963 for build 16299.96, may fix it. As noted, there's no KB article as yet, and no reports of it rolling out.

‘Unexpected error from external database driver’ bug resolved

This bug, introduced in Microsoft’s October security patch release, led to Microsoft pushing out five patches in early November:

  • KB 4052234 for Windows 7 SP1 and Server 2008 R2 SP1
  • KB 4052235 for Windows Server 2012
  • KB 4052233 for Windows 8.1 and Server 2012 R2
  • KB 4052232 for Windows 10 Fall (“November”) Update, version 1511
  • KB 4052231 for Windows 10 Anniversary Update, version 1607, and Server 2016

Users who installed those patches (they had to be manually downloaded and installed) soon discovered that they all brought back old Windows security patches which themselves had bugs. Those buggy patches were yanked a few days later, and all mention of them was scrubbed as if they never existed.

In their stead, the Patch Tuesday Win7 and 8.1 Monthly Rollups and Security-only Updates and the Patch Tuesday patches for Win10 1709, 1703, 1607, 1511 and 1507 all claim to solve the problem.

Equation Editor bug resolved

Two weeks ago, I talked about the Equation Editor bug, CVE-2017-11882. There are a few exploits out in the wild at this point. If you’re concerned about them, you can bypass Equation Editor and eliminate the security hole by changing two Registry entries described in the Embedi article on the subject.

Good news? The HP Spyware update doesn’t appear to be a Windows problem. It’s all on HP.

Special thanks to @MrBrian, @abbodi86 and @PKCano

Did I miss a bug? Need a scorecard? I sympathize! Drop by the AskWoody Lounge.

October 2017

Microsoft’s foray into quantum computing sure sounds neat, but those of us stuck with real programs on real computers have been in something of a quandary. Once again this month, we’ve hit a bunch of stumbling blocks, many of which were pushed down the Automatic Update chute.

Before we dissect the creepy-crawlies this month, it’s important to remember that you have to get the .Net patches installed, unless you fastidiously refrain from clicking the “Enable Editing” button in Word.

Windows 10

After telling us that Windows 10 Creators Update, version 1703, is “the most performant and reliable version of Windows 10 ever!” you might expect some stability with version 1703 patches. This month, that didn’t happen. After releasing cumulative update KB 4038788 on Patch Tuesday, we got a new out-of-band fix for bugs introduced by that same update. The new cumulative update, KB 4040724, appeared in Windows Update on Monday, Sept. 25. It brings 1703 up to build 15063.632. So far, I haven’t heard of any problems with the new cumulative update — but it’s been less than a day.

The situation with Win10 Anniversary Update, version 1607, isn’t as straightforward. Apparently, there were a host of problems that appeared after this month’s Patch Tuesday cumulative update, KB 4038782. It isn’t clear if that update introduced bugs of its own, but the situation’s bad enough that we got a second cumulative update this month, again on Monday. KB 4038801 brings Win10 version 1607 to build 14393.1736. It’s a hotfix; it isn’t distributed via Automatic Update. You have to download KB 4038801 and install it manually. I haven’t seen a detailed analysis of the security holes fixed by this odd Monday patch – but to date I haven’t seen any complaints, either. The day is still young.

For reasons as yet unexplained, KB 4038801 is only for Win10 1607; it’s explicitly not released for Server 2016.

There’s a note on the 1607 patch site that says:

Windows Update Client Improvement

Microsoft will release an update directly to the Windows Update Client to improve Windows Update reliability. It will only be offered to devices that have not installed any recent cumulative updates and are not currently managed (e.g., domain joined).

As noted by @abbodi86 on

The note means [they] are going to release a separate “small” update for WUC, similar to this one for version 1507. They could also release the update directly as a SelfUpdate for WUC like they used to do with Windows prior [to] Windows 8 (for example, latest for Windows 7 is v7.6.7600.320 before they shifted to separate WUC updates starting with KB2990214).

Windows Server 2016

When you run the Get-PhysicalDisk cmdlet, some disks may display an operational status of "In Maintenance Mode." The Get-VirtualDisk cmdlet may also display the operational status of the virtual disk as "Degraded." There’s a manual workaround described in KB 4043361.

On Windows Server 2016, when you try to download updates by using Windows Update (stand-alone or WSUS), the process hangs at 0 percent completion. Microsoft has a description of the problem and two manual overrides in KB 4039473.

Windows 8.1

Everyone’s favorite whipping boy just took another lash. Many folks report that, after installing KB 4038792 — the September Monthly Rollup for Win 8.1 — they can no longer log on to their computers with a Microsoft account. I posted the details yesterday. Still no word from Microsoft – not even an acknowledgment of the problem on the KB article.

Windows 7

There’s a well-publicized problem with Internet Explorer 11 suddenly sprouting a search box on the address bar after installing KB 4038777 (the Windows 7 Monthly Rollup) or KB 4036586 (the September Internet Explorer Security-only patch). For a detailed look at what’s happening, with screenshots, see ElderN’s post on the Microsoft Answers forum. Turns out up the flim-flammery is a result of font sizes changed behind the scenes and a possible undocumented switcheroo in one of the IE settings. See @PKCano’s post.

Poster Richard has also identified a problem with starting IE 11 after this month’s Windows 7 updates — and he found a solution. Again, it’s related to undocumented changes in the Tab View settings and in font size. See post 8 on the AskWoody Lounge.


I’ve seen no change from the sorry state we were in a week ago: Microsoft pulled the September Outlook 2007 security patch KB 4011086 and replaced it with KB 4011110, but you have to manually uninstall the bad patch before you install the new one. Microsoft posted incorrect information about the uninstallation method. Both that patch and the Outlook 2010 patch, KB 4011089, have a nasty habit of changing languages in menus.


The .NET Security and Quality Rollups make certain custom images turn black. As Microsoft puts it: “After you install the September 12, 2017, .NET Security and Quality Rollups that apply to the .NET Framework 4.6, 4.6.1, 4.6.2, and 4.7, you experience rendering issues in Windows Presentation Foundation (WPF) applications that use WPF types in a Windows service.”

There’s a description of the problem on the Visual Studio forum and a workaround in KB 4043601. The workaround suggests that you uninstall the Security and Quality Rollup and install the Security-only patch.

In addition, Microsoft has released a preview of next month’s .Net Framework patches.


Assuming you don’t click “Enable Editing” in Word, there are no immediately pressing September patches. I say it’s wise to wait and see if any of the outstanding bugs get fixed — and wait to see if the patches-of-patches generate new problems of their own.

Remember when patching was easy?

Please join us for an ongoing Patch Festschrift on the AskWoody Lounge.

September 2017

September’s retinue of Microsoft patches includes one very important .NET fix that blocks a security hole brought to life when you open an RTF file in Word. So far, it's only been seen in the wild in a Russian-language RTF document, apparently generated by NEODYMIUM, allegedly used by a nation-state to snoop on a Russian-speaking target.

Several researchers have found ways to leverage the security hole, and it's only a matter of time before some enterprising folks come up with ways to turn it into a widespread infection vector. Bottom line: If you can't keep your finger off the "Enable Editing" button in Word, you better get this month's security patches installed.  

  • The Win10 Creators Update cumulative update, KB 4038788, brings Win10 1703 up to build 15063.608. It contains 25 security patches as well as dozens of plain old bug fixes. I’m seeing a number of complaints about Edge misbehaving after the update: behind-the-scenes crashes showing in Event Viewer and Reliability Monitor, and occasional stops with an application error event id of 1000. So far, there aren’t enough reports to confirm that there’s a bona fide problem with Edge, but it’s a concern.
  • The bug in Word and Outlook that I described earlier this week, Buggy Word 2016 non-security patch KB 4011039 can’t handle merged cells, is still around. That’s the same bug I wrote about a couple of weeks ago in Word, Outlook merged-cell problem arises after install of patch KB 3213656. Microsoft has (finally!) confirmed both of the bugs. The only solution offered:
  • "You can uninstall both KBs and your tables will return to normal," Microsoft said. "We anticipate releasing the fix for this issue in the next monthly update, tentatively scheduled for October 3, 2017."
  • Excel 2016’s security patch KB 4011050 can put spurious black borders around rows or cells. If you’re getting unexpected black borders, download and manually install KB 4011165. As best I can tell, that bug isn’t listed on the official Fixes or workarounds for recent issues in Excel for Windows site.
  • Multiple language problems with the Outlook 2007 security patch KB 4011086Reports of Hungarian switched to Swedish, Italian to Portuguese, Slovenian to Swedish, Italian to Spanish, Dutch to Swedish, and who-knows-what-else. The solution, offered by TechNet poster Sitz-AIR:
  • 1) uninstall KB4011086. If you have two of them listed, uninstall both of them.
    2) hide them
    3) restart Windows
    4) Outlook 2007 UI original correct language was restored.

A general reminder: If you have trouble installing Windows 10 updates, make sure you go through the list at Windows 10 install issues -- and what to do about them.

For up-to-the-second notices, see the Patch Alert update on AskWoody

August 2017

One week after Patch Tuesday, and would-be Windows Updaters are facing a handful of bugs. Some will find them minor annoyances. Others … not so much. Here are the known bugs, and where we stand in the struggle to resolve the problems.

Worthy of note: Microsoft is now acknowledging many bugs that in the past would’ve gone without comment. There’s hope.

Here are the known, significant buggy security patches:

  • Windows 10 Anniversary Update, version 1607 – Cumulative update KB 4034658 wipes out Update History, unhides hidden updates, and effectively disconnects some updated computers from WSUS. Microsoft has acknowledged all three of those bugs in the KB 4034658 article with the usual “Microsoft is investigating this issue and will provide an update as soon as possible.”
  • The first undocumented buggy driver this month for the Surface Pro 4, “Surface - System - 7/21/2017 12:00:00 AM -,” was released on August 1. It was replaced by a second driver “Surface – System – 7/31/2007 12:00:00 AM -” on August 4. The second one was documented. But then we saw four more undocumented Surface Pro 4 drivers — “Intel driver update for Intel(r) Dynamic Platform and Thermal Framework Generic Participant,” “Power Participant,” Processor Participant” and “Manager” — all released on Saturday, August 12. Sometime late on August 14, Microsoft posted information about two of the drivers.
  • Both the Windows 7 August Monthly rollup KB 4034664 and the manually installed security-only patch KB 4034679 are causing problems with two-screen systems: The second screen starts showing gibberish with many applications, including Office. The problem has been widely reported — even replicated with a Proof of Concept program — but Microsoft hasn’t yet acknowledged it.
  • The only bug reported by Microsoft in its August Windows 7 security patches is an old bug, continuing from July, in which a buggy LDAP plugs up TCP dynamic ports. That bug hasn’t been fixed.
  • The Windows 8.1 Monthly rollup listing mentions a known bug: NPS authentication may break, and wireless clients may fail to connect. The solution is to manually set a registry entry on the server.

Dozens of patches were made to Office earlier this month but, so far, I’m not aware of any bugs.

Depending on which version of Windows you’re using, and how you’re using it, those bugs may be important or they may be annoyances.

I continue to recommend that you hold off on applying this month’s patches. I haven’t seen any malware outbreaks that are blocked by the August patches, and we may get some surprises — good, bad or indifferent — later today.

Have a question or a bug report? Drop by the AskWoody Lounge.