It’s time to install the September patches for Windows and Office

The September patches were problematic — a couple of them got pulled, a couple more replaced — but most of the bugs are now reasonably well known and understood.

It’s time to install the September patches for Windows and Office

If you’ve already installed some (or all) of the September patches, you’ve watched a parade of problems pass by. The first stab at September’s Windows 10 Creators Update, version 1703, patch brought all sorts of problems to Edge — crashes, stalls and worse. It also brought some unlucky HP computer owners five to 10 minutes of black screens every time Windows restarted. Those problems were fixed earlier this week.

The Windows 8.1 patch made it impossible to log on with a Microsoft account. (I know, some of you think that’s a feature.) The Windows 7 patch made Internet Explorer sprout a new search box. We had a report of the Windows 7 patch breaking activation on certain Dell machines, but it appears that’s an isolated problem. The .NET Security and Quality Rollup makes certain custom images turn black. None of those bugs have fixes, but at least you’ll be prepared before installing the patch — and you'll know where to look for problems.

[ Also on Computerworld: 8 steps to install Windows 10 patches like a pro ]

Office, oy! Depending on which version of Office you use, and which Registry settings you’ve flipped, the current round of Office security patches may have left you with Swedish menus in the wrong places, and/or with (intentionally) broken VBScript problems. Günter Born also reports a problem with Outlook syncing with iCloud. The August problem with merged cells in Word and Outlook is still around, although Microsoft says it will fix that bug on October 3. The problems with buggy Outlook patches are still there. (Recall that the bad August Outlook patch was released, in part, to fix a spell check problem caused by a buggy July Outlook patch. And so it goes.)

As always, I strongly recommend you avoid installing the Preview Rollups on offer, such as KB 4038803. That’s easy — you have to check the right box to install the Preview, and you shouldn’t be checking any boxes!

Here are my recommendations:

.NET patches

Most of you use .NET — some of you have many different versions installed — and this month there’s a particularly devilish problem with .NET Security and Quality Rollup patches. When you install this month’s .NET patches using Windows Update, if you start seeing black boxes where there should be text or a picture, you should uninstall the Security and Quality Rollup and install the Security-Only update.

Sound complicated? Yeah, it is. For starters, you have to figure out which version(s) of .NET are on your machine. The easiest way I’ve found is to use the Raymondcc .NET Detector. (Thx, @MrBrian!) Once you know which version(s) of .NET are on your machine, you can uninstall the Rollup and install the Quality-only patch by following these instructions on the Microsoft Support site.

Office patches

If you have Office 2016 installed and you use merged cells in tables in either Word or Outlook, don’t install KB 3213656 (the August non-security patch for Word 2016) or KB 4011039 (the September non-security patch). Microsoft still hasn’t fixed the problem. If you see an entry in Windows Update for KB 3213656 or KB 4011039, uncheck the box so it won’t be installed.

Outlook patches are an unmitigated disaster. I recommend you refrain from installing any of the Outlook patches, KB 4011110 (Outlook 2007), KB 4011089 (2010), KB 4011090 (2013) or KB 4011091 (Outlook 2017). Microsoft lists all of those as "Defense in Depth" patches, with no immediate threats.

Windows 7 and 8.1 patches

If you’re very concerned about Microsoft’s snooping on you and want to install just security patches, realize that the path’s getting more difficult. The old “Group B” — security patches only — isn’t dead, but it’s no longer within the grasp of typical Windows customers. If you insist on installing security patches only, follow the instructions in @PKCano’s AKB 2000003.

Microsoft is still blocking updates to Windows 7 and 8.1 on recent computers. If you are running Windows 7 or 8.1 on a PC that’s a year old or newer, follow the instructions in AKB 2000006 or @MrBrian’s summary of @radosuaf’s method to make sure you can use Windows Update to get updates applied.

If you want to minimize Microsoft’s snooping but still install all of the offered patches, turn off the Customer Experience Improvement Program (Step 1 of AKB 2000007: Turning off the worst Windows 7 and 8.1 snooping) before you install any patches. (Thx, @MrBrian).

If you have Windows 8.1, make sure you have a Local account (Microsoft now calls them “Offline accounts” but they’re the same thing) with full administrator privileges before you apply the September updates. That way if you get locked out of your Microsoft account, you have easy access to a Local account. Microsoft has instructions.

If you’re running volume licensed Windows 7 on Dell computers, there’s a tiny chance that the September Monthly Rollup and/or Security-only patch will change folder names, thus invalidating your license. If that’s a possible issue, see this AskWoody thread for instructions on backing up (i.e., copying) and possibly re-installing the c:\Windows\System32\oem folder.

Of course, backing up your machine before applying updates is always a good idea. Even (especially) Windows and Office updates.

For most Windows 7 and 8.1 users, I recommend following AKB 2000004: How to apply the Win7 and 8.1 Monthly Rollups. Uncheck the Office patches mentioned above. Watch out for driver updates — you’re far better off getting them from the manufacturer’s website.

After you’ve installed the latest Monthly Rollup:

  • If you’re intent on minimizing Microsoft’s snooping, run through the steps in AKB 2000007: Turning off the worst Win7 and 8.1 snooping. Realize that we don’t know what information Microsoft collects on Window 7 and 8.1 machines.
  • In Outlook, if you need to use custom form (VBScript) printing or connect to iCloud, follow Diane Poremsky’s instructions on the Slipstick Systems site to bring back VBScript.
  • If Internet Explorer suddenly sprouts a Search box, see these instructions on the AskWoody site for help. (Thx, @PKCano) While you’re at it, seriously consider why you’re using IE. Unless you’re hopelessly hooked into an obsolete website, go for better security , less buggy snooping, and fewer headaches with Chrome or Firefox.

Windows 10 patches

Last month, I recommended that Anniversary Update customers (version 1607) upgrade to the Creators Update (version 1703) simply because the patches for 1607 had turned very sour. Putrid. Now I’m regretting that recommendation. The patches for 1703 this month are just as bad as the patches last month for 1607. Not sure what to tell you. The only advantage I see to 1703 is that Pro and Enterprise users can easily block updates — and folks with Home who run on Ethernet (not Wi-Fi) can more readily switch to a metered connection.

If you run Windows Update in 1703 (you may have to turn the “Defer updates” setting to 0, see the instructions in "8 steps to install Windows 10 patches like a pro"), you’ll get the Sept. 25 patch KB 4034674, which has fewer bugs than the Sept. 12 patch. For those with 1607, you’ll get the Sept. 12 patch KB 4038782. While it’s possible to manually download and install the latest 1607 patch, KB 4038801, released Sept. 28, I don’t see any good reason to jump through those hoops.

Those of you still on 1511, the Fall Update (later renamed to “November Update”), need to move on to 1703 now. The last 1511 security patches will arrive Oct. 10. May as well swallow your medicine now.

To get Windows 10 patched, run the steps in "8 steps to install Windows 10 patches like a pro." If you have Office 2016 installed, and you use merged cells in tables in either Word or Outlook, use wushowhide as described in the article to “hide” KB 3213656 and/or KB 4011039 and follow a similar defense-in-depth strategy with the Outlook patches mentioned above.You may also want to use wushowhide to hide any driver updates.

All of the other updates should be OK, including Servicing stack updates, Office, MSRT, or .NET updates (go ahead and use the Monthly Rollup if it’s offered).

If you get little black boxes in custom forms after installing the latest patches, see my note above about the ongoing bugs in .NET.


Time to get patched. Tell your friends, but make sure they understand what’s happening. And for heaven’s sake, as soon as you’re patched, turn off automatic updating! Full instructions are in the referenced guides to patching.

I just changed the MS-DEFCON level on the AskWoody Lounge.

Copyright © 2017 IDG Communications, Inc.

7 inconvenient truths about the hybrid work trend
Shop Tech Products at Amazon