December has brought a few surprises in Windows PatchLand, but by and large, the coast is clear. “Clear,” that is, unless you made the mistake of installing the Win10 Fall Creators Update, version 1709 (or got pushed into it), before the nominal four-month testing period lapsed.
In broad terms, it’s safe to install this month’s Windows and Office patches, unless you’re using Win10 1709, although there are a few obscure gotchas that may bite you if you’re using Win7 with encrypted fileshares, or Active Directory app login. For those who installed Win10 1709 before letting the unpaid beta testers skate out on Crait, there’s very little reason to install this month’s security patches, as long as you don’t use Internet Explorer or Edge. Which, if the statistics are to be believed, you probably don’t.
Microsoft has a catch-all web page for known (which is to say, officially acknowledged) bugs in Office patches. In it, you’ll find entries for known Outlook problems (“After updating to Win10 1709, the Outlook People Pane no longer shows any results”), Excel problems (“You may experience problems loading the Excel Solver add-in if you have WPS Office installed on your machine”), and OneNote (“Can’t rename sections in OneNote for Windows”). There’s also a general warning that if you’re having crashes upon opening files located in OneDrive, you need to install the latest version of OneDrive.
I don’t know why, but there’s no mention on that page of the major change in the way Word blocks DDEAUTO fields after installing this month’s Word security patches. I talked about that earlier this week. Bottom line: You should install this month’s Word security patch — KB 4011575, 4011590, 4011608, 4011612, and/or 4011614 — but be aware of the potential problem. If you subsequently open a Word doc, and it no longer responds correctly (by, say, pulling data from an Excel spreadsheet and putting the data in the doc), you need to slog through the manual workarounds, edit the registry, and put DDE right again.
Windows 7 and 8.1 patches
The coast is clear unless you’re using Active Directory to log into apps, or you’re opening Office documents from an encrypted fileshare. If you don’t understand the gibberish, don’t worry, you’re fine. If you do understand the gibberish, get hooked into the Patch Management mailing list.
Microsoft is blocking updates to Windows 7 and 8.1 on recent computers. If you are running Windows 7 or 8.1 on a PC that’s a year old or newer, follow the instructions in AKB 2000006 or @MrBrian’s summary of @radosuaf’s method to make sure you can use Windows Update to get updates applied.
If you’re very concerned about Microsoft’s snooping on you and want to install just security patches, realize that the privacy path’s getting more difficult. The old “Group B” — security patches only — isn’t dead, but it’s no longer within the grasp of typical Windows customers. If you insist on manually installing security patches only, follow the instructions in @PKCano’s AKB 2000003 and be aware of @MrBrian’s recommendations for hiding any unwanted patches.
For most Windows 7 and 8.1 users, I recommend following AKB 2000004: How to apply the Win7 and 8.1 Monthly Rollups. If you want to minimize Microsoft’s snooping but still install all of the offered patches, turn off the Customer Experience Improvement Program (Step 1 of AKB 2000007: Turning off the worst Windows 7 and 8.1 snooping) before you install any patches. (Thx, @MrBrian).
Watch out for driver updates — you’re far better off getting them from a manufacturer’s website. After you’ve installed the latest Monthly Rollup, if you’re intent on minimizing Microsoft’s snooping, run through the steps in AKB 2000007: Turning off the worst Win7 and 8.1 snooping. Realize that we don’t know what information Microsoft collects on Windows 7 and 8.1 machines.
If you’re stuck on Windows 10 Fall Creators Update, version 1709, I strongly recommend that you stop using Internet Explorer and Edge, and wait until Microsoft fixes the many bugs in this month’s Win10 1709 cumulative update, KB 4054517. If you absolutely must use IE or Edge, hold your breath, turn off your antivirus, and if you hit any problems, follow the references in yesterday’s article.
If you’re running Win10 Creators Update, version 1703 (my current preference), or version 1607, the Anniversary Update, and you want to stay on 1607 or 1703 while those on 1709 get to eat Microsoft’s dog food, follow the instructions here to ward off the upgrade. As you go through the steps, keep in mind that Microsoft, uh, forgot to honor the “Current Branch for Business” setting — so you need to run the “feature update” (read: version change) deferral setting, if you have one, all the way up to 365. And hope that Microsoft doesn’t forget how to count to 365.
If you’re running an earlier version of Win10, you’re basically on your own. Microsoft doesn't support you any more.
To get Windows 10 patched, go through the steps in "8 steps to install Windows 10 patches like a pro."
As is always the case, DON’T CHECK ANYTHING THAT’S UNCHECKED. In particular, don’t be tempted to install anything marked “Preview.”
Time to get patched. Time to get your friends patched. As you get suckered into providing tech support for all of your family and friends, it's time to get them patched, too. Full instructions are in the referenced guides to patching.
I just switched to MS-DEFCON 4 on the AskWoody Lounge.