Time to install your September Windows and Office patches

September patching started out looking sweeter and cleaner than we’ve seen in a long time. Then came four massive Win10 cumulative updates, which were quickly yanked. Now it seems the 'v2' crop is ready — and there's an explanation for those four big patches.

putting on a band-aid patch with binary code

Make it two months in a row. Back in August, Microsoft screwed up a bunch of patches, and finally fixed them on the last business day of August. In September, after a laudable start, we saw four huge cumulative updates later in the month, but they dried up shortly after release. We didn’t get fixes for those bad patches until late September.

Two months of cliffhangers.

What’s with the 'v2' Win10 patches?

To refresh your memory, Microsoft pushed four Win10 patches on Thursday, Sept. 20, nine days after Patch Tuesday:

  • KB 4458469 takes Win10 version 1803 to build 17134.319.
  • KB 4457136 turns Win10 1709 into build 16299.697.
  • KB 4457141 moves 1703 to build 15063.1358.
  • KB 4457127 twists Win10 1607 and Server 2016 to build 14393.2517.

All of those patches contain dozens of minor, individual fixes. The mechanism is still shrouded in mystery, but some Win10 users got the patches through “normal” Windows Update means, but many did not. By Friday, they weren’t coming out at all, although they were always available in the Microsoft Update Catalog.

If you’re wondering why Microsoft unleashed such huge bunches of patches, simultaneously, on all of those versions of Windows, I think I’ve found an explanation. If you watch the video of presentation THR2234 from last week’s Ignite conference, you’ll find that Microsoft has changed its patching policies again.

how long does it take to fix a windows bug Microsoft

Ignite session THR2234. (Click image to enlarge it.)

Around minute 12 in the presentation, Microsoft spokesman John Wilcox explains that Microsoft is now bundling low-impact bug fixes from earlier versions of Win10, testing them on the “next” version of Win10 — in this case 1809 — and, if they survive the beta-testing barrage, they’re backported to earlier versions of Windows. The screenshot shows an Ignite slide that explains part of the process.

Microsoft has never done that before, at least not on this scale. Nice of it to warn us, after the fact, buried at minute 12 in one of the 623 Ignite presentations.

Since the first big bunch of backported patches performed so poorly, Microsoft stopped distributing them and, on Sept. 26,  reissued “v2” versions of the cumulative updates for 1803 and 1709. Furthering the obfuscation, the v2 versions have the same KB numbers as the original, bad updates, and there’s no way for a normal person to tell if they have v1, v2, or both.

Oddly, Microsoft never did issue v2 versions of the 1703 patches (likely it has given up on 1703, which expires in October) or 1607/Server 2016.

At any rate, the Win10 cumulative updates — four of them for Win10 1803 — now seem ready for prime time. And they actually appear to be cumulative. Imagine.

Win7/Server 2008R2 Network Card bugs continue

Microsoft has a bug in its Win7 Monthly Rollup that’s been, uh, bugging us since March. If you installed any Win7/Server 2008R2 patches after March and your network connections didn’t go kablooey, you’re almost undoubtedly OK to proceed with this month’s patches.

On the other hand, if you’ve been waiting to install patches on your Win7 or Server 2008R2 machine, you need to be aware of a bug that Microsoft has acknowledged.

Symptom: There is an issue with Windows and third-party software that is related to a missing file (oem<number>.inf). Because of this issue, after you apply this update, the network interface controller will stop working.
Workaround: 1.To locate the network device, launch devmgmt.msc; it may appear under Other Devices.
2. To automatically rediscover the NIC and install drivers, select Scan for Hardware Changes from the Action menu.
a. Alternatively, install the drivers for the network device by right-clicking the device and selecting Update. Then select Search automatically for updated driver software or Browse my computer for driver software.

That’s a bizarre, convoluted series of steps. Microsoft still hasn’t confirmed which third-party software is at fault, but reports have it that it’s largely a VMware problem. Six months later, the bug’s still there, still acknowledged, still unfixed.

If you’re worried that installing this month’s updates will clobber your network interface card, make sure you take a full backup before installing the updates. You can also take @GoneToPlaid’s advice and edit certain registry entries in advance.

SSU before LCU except after C or when it sounds like an A

In yet another demonstration of Windows as a Tired Old Relic, the Win7 and Win10 installers aren’t smart enough to pull in requisite fixes before they run. As a result, you may see an error 0x8000FFFF when installing Win7 patches, or phantom patches for Win10.

Now that we know the source of the problem, it isn’t as mysterious as it once was. Just remember that if you hit an error 0x8000FFFF when installing the Win7 Monthly Rollup, it isn’t your fault. You simply have to install KB 3177467 before re-running the patch.

Microsoft promises it'll get better next month.


Susan Bradley’s Master Patch List for September shows no glaring bugs, other than the ones documented by Microsoft. The official Fixes or workarounds articles include a strange manual fix if Outlook stops receiving your AOL messages.


Ready to take a chance on messing up your NIC? Here’s how to proceed. The patching pattern should be familiar to many of you.

Step 1. Make a full system image backup before you install the June patches.

There’s a non-zero chance that the patches — even the latest, greatest patches of patches of patches — will hose your machine. Best to have a backup that you can reinstall even if your machine refuses to boot. This, in addition to the usual need for System Restore points.

There are plenty of full-image backup products, including at least two good free ones: Macrium Reflect Free and EaseUS Todo Backup. For Win 7 users, If you aren’t making backups regularly, take a look at this thread started by Cybertooth for details. You have good options, both free and not-so-free.

Step 2. For Win7 and 8.1

Microsoft is blocking updates to Windows 7 and 8.1 on recent computers. If you are running Windows 7 or 8.1 on a PC that’s a year old or less, follow the instructions in AKB 2000006 or @MrBrian’s summary of @radosuaf’s method to make sure you can use Windows Update to get updates applied.

If you’ve already installed any March or later updates, your Network Interface Card should be immune to the latest slings and arrows. But if you haven’t been keeping up on patches, see the discussion in the Network Cards section above to protect yourself.

If you’re very concerned about Microsoft’s snooping on you and want to install just security patches, realize that the privacy path’s getting more difficult. The old “Group B” — security patches only — isn’t dead, but it’s no longer within the grasp of typical Windows customers. If you insist on manually installing security patches only, follow the instructions in @PKCano’s AKB 2000003 and be aware of @MrBrian’s recommendations for hiding any unwanted patches.

For most Windows 7 and 8.1 users, I recommend following AKB 2000004: How to apply the Win7 and 8.1 Monthly Rollups. Realize that some or all of the expected patches for September may not show up or, if they do show up, may not be checked. DON'T CHECK any unchecked patches. Unless you're very sure of yourself, DON'T GO LOOKING for additional patches. In particular, if you install the September Monthly Rollups or Cumulative Updates, you won’t need (and probably won’t see) the concomitant patches for August. Don't mess with Mother Microsoft.

If you want to minimize Microsoft’s snooping but still install all of the offered patches, turn off the Customer Experience Improvement Program (Step 1 of AKB 2000007: Turning off the worst Windows 7 and 8.1 snooping) before you install any patches. (Thx, @MrBrian.) If you see KB 2952664 (for Win7) or its Win8.1 cohort, KB 2976978 — the patches that so helpfully make it easier to upgrade to Win10 — uncheck them and spread your machine with garlic or drive a wooden stake through its heart. Watch out for driver updates — you’re far better off getting them from a manufacturer’s website.

After you’ve installed the latest Monthly Rollup, if you’re intent on minimizing Microsoft’s snooping, run through the steps in AKB 2000007: Turning off the worst Win7 and 8.1 snooping. Realize that we don’t know what information Microsoft collects on Window 7 and 8.1 machines. But I’m starting to believe that information pushed to Microsoft’s servers for Win7 owners is nearly on par with that pushed in Win10.

Step 3. For Windows 10

If you’re running Win10 Creators Update, version 1703 (my current preference), or version 1709, and you want to stay on 1703 or 1709 and not get sucked into the 1803 vortex, follow the instructions here to ward off the upgrade. Of course, all bets are off if Microsoft, uh, forgets to honor its own settings.

Remember: If you want to avoid 1803, don’t click “Check for Updates” until you’ve gone through all the precautions listed in this article, including running wushowhide. If you forget, you may be tossed in the seeker heap and shuffled off to 1803 land.

Those of you running Win10 1703 will need to upgrade to 1709, 1803 or possibly 1809 at some point in October. (It isn’t clear if Microsoft will release Fourth Tuesday or C/D Week patches for 1703 in October.) I’m still sitting on a fence, and suggest you join me in mugwump land until we have a clearer view of the horizon. I'll have full instructions, of course.

If you have trouble getting the latest cumulative update installed, make sure you’ve checked your antivirus settings and, if all is well, run the newly refurbished Windows Update Troubleshooter before inventing new epithets.

To get Windows 10 patched, go through the steps in "8 steps to install Windows 10 patches like a pro."

Thanks to the dozens of volunteers on AskWoody who contribute mightily, especially @sb, @PKCano, @abbodi86, @gborn, @GoneToPlaid, @Cybertooth and @MrBrian.

We’ve moved to MS-DEFCON 3 on the AskWoody Lounge.

Copyright © 2018 IDG Communications, Inc.

Bing’s AI chatbot came to work for me. I had to fire it.
Shop Tech Products at Amazon