It's December patch prep time

Microsoft's Patch Tuesday is coming up. Time to get your hardware ready and delay updates until any issues are worked out.


It’s the final patching month for 2020 — and what a year it’s been. Two more Windows 10 feature releases, numerous servicing stack updates, the end of Office 2010, the pandemic — this has been a year when technology has driven us slightly crazy, and kept us sane. 

The first Tuesday of the month is the start of my patching month and serves as a reminder to make sure my machines have all of November's mandatory patches installed, and that I'm ready to pause updates for December. We will not see any optional updates at the end of the month; Microsoft has said it will not release the optional preview updates for Windows 10 that would normally arrive during the third week of December.

I'll be the first to admit that the first Tuesday of the month has become less important as I've moved to using Microsoft 365 at the office. Microsoft 365 deploys Office with click-to-run technology, so Office patches are no longer offered as individual updates. Instead, they "dribble down" in the background during the second week of the month. But even with my move to the "dribble" method of updating Office, I still check that I've installed all the updates I intended to install, that all my machines have been rebooted, and that my backup process is.

For Windows 7 machines covered by Extended Security Updates (ESU) contracts, this is your last chance to install November's updates before new security updates arrive next week. On this platform you can still use Windows Update manually to scan for updates and choose which ones to install. I'm not tracking any issues for workstations running Windows 7 at this time, though a zero-day local privilege escalation has been discussed for which a 0patch micropatch is available.

0patch is a third-party service that provides micropatches for Windows 7, even if you have not purchased ESU coverage. The vulnerability only affects Windows 7 and stems from the misconfiguration of two service registry keys; it lets a local attacker elevate privileges on any fully patched Windows 7 system. We don't yet know whether Microsoft will release an out-of-band patch for this issue; I'll let you know if it does. For now, just install the normal monthly rollup (KB4586827) or the security-only patch (KB4586805) plus the related Internet Explorer cumulative update (KB4586768). No servicing stack update was released for Windows 7 in November.
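The misconfiguration class behind that issue, a service registry key whose ACL lets ordinary users create subkeys or write values, can be audited locally without waiting for a patch. The script below is an added example, not code from the article or from 0patch: it walks every key under HKLM\SYSTEM\CurrentControlSet\Services and reports ACEs that grant modify-type rights to anyone outside a small trusted list. The article does not name the two affected keys, so the check is deliberately generic and the trusted-principal list is an assumption you should adjust for your environment. Run it from an elevated PowerShell on Windows 7, 8.1 or 10.

```powershell
# Added example, not code from the article or from 0patch: audit the ACLs on every
# service key under HKLM\SYSTEM\CurrentControlSet\Services and report any that grant
# a non-administrative principal rights to create subkeys, write values, delete the
# key, change its permissions or take ownership. Generic check for the misconfiguration
# class the article describes; it does not single out the two keys from the advisory,
# which the article does not identify. Run from an elevated PowerShell.

# Rights that let a principal alter a service's configuration or add subkeys under it.
# WriteKey/FullControl are not used as the mask because they also contain read bits.
$WriteMask = [System.Security.AccessControl.RegistryRights] 'CreateSubKey, SetValue, Delete, ChangePermissions, TakeOwnership'

# Principals expected to hold write rights on service keys (assumed baseline; extend it
# with, for example, a management agent's service account). Anything else is reported.
$Trusted = @(
    'NT AUTHORITY\SYSTEM',
    'BUILTIN\Administrators',
    'NT SERVICE\TrustedInstaller',
    'CREATOR OWNER'
)

function Test-WeakServiceKey {
    param([Parameter(Mandatory)][string]$KeyPath)   # provider path, e.g. HKLM:\SYSTEM\CurrentControlSet\Services\Spooler
    $acl = Get-Acl -Path $KeyPath -ErrorAction Stop
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne [System.Security.AccessControl.AccessControlType]::Allow) { continue }
        if ($Trusted -contains $ace.IdentityReference.Value) { continue }
        if (($ace.RegistryRights -band $WriteMask) -ne 0) {
            [pscustomobject]@{
                Key       = $KeyPath
                Principal = $ace.IdentityReference.Value
                Rights    = $ace.RegistryRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

function Find-WeakServiceKeys {
    param([string]$ServicesRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services')
    foreach ($key in Get-ChildItem -Path $ServicesRoot -ErrorAction SilentlyContinue) {
        $path = Join-Path -Path $ServicesRoot -ChildPath $key.PSChildName
        # Keys the current token cannot read are skipped rather than aborting the scan.
        try { Test-WeakServiceKey -KeyPath $path } catch { }
    }
}

Find-WeakServiceKeys | Format-Table -AutoSize
```

A hit is something to review, not proof of exploitability: compare it against a freshly installed machine of the same version before tightening the ACL, since some vendor services legitimately grant their own accounts write access. Inherited ACEs point at the parent key rather than the service itself, which is why the output shows the Inherited flag.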

There are no issues I'm tracking for workstations running Windows 8.1, so I recommend you install the normal monthly rollup (KB4586845) or the security-only patch (KB4586823) and the related Internet Explorer update (KB4586768). As with Windows 7, no servicing stack update was released for the 8.1 platform.

Remember, on these two platforms you can click Start > Control Panel > System and Security. Under Windows Update, click the "Turn automatic updating on or off" link (or open Windows Update and click "Change settings" in the left pane). Verify that Important Updates is set to "Never check for updates (not recommended)" and click OK.

Alternatively, if you don't feel comfortable turning automatic updates off, you can use the "Download updates but let me choose whether to install them" setting. I have always combined this with the registry key that ensures updates are not installed at shutdown. That key, which controls whether "Install Updates and Shut Down" is the default shutdown option, ensures that I get the option to shut down or restart my computer without having updates installed automatically.
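The same two settings can be applied from a script, which is handy when you look after several Windows 7 or 8.1 machines. The block below is an added example, not code from the article: it uses the Windows Update Agent's Microsoft.Update.AutoUpdate COM object to set the notification level to "download but do not install", refusing to change it when Group Policy already owns the setting, and writes the NoAUAsDefaultShutdownOption policy value that stops "Install Updates and Shut Down" from becoming the default choice in the Windows 7 Shut Down dialog. The value name and path are the documented Windows Update policy registry values; the default level of 3 is the choice this article recommends. Run it from an elevated PowerShell.

```powershell
# Added example, not code from the article: configure Automatic Updates on Windows 7 / 8.1
# to "download but do not install" via the Windows Update Agent COM API, and set the policy
# value that keeps "Install Updates and Shut Down" from being the default shutdown option.
# Run from an elevated PowerShell.

$AuPolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'

# AutomaticUpdatesNotificationLevel values used by Microsoft.Update.AutoUpdate:
#   1 = Disabled (never check)           2 = Notify before download
#   3 = Notify before installation       4 = Scheduled installation
#       (download, do not install)
function Get-AutoUpdateLevel {
    $settings = (New-Object -ComObject Microsoft.Update.AutoUpdate).Settings
    [pscustomobject]@{
        NotificationLevel = $settings.NotificationLevel
        ReadOnly          = $settings.ReadOnly   # $true when Group Policy controls the setting
    }
}

function Set-AutoUpdateLevel {
    param([ValidateRange(1,4)][int]$Level = 3)
    # Keep one settings object for both the change and the Save() call.
    $settings = (New-Object -ComObject Microsoft.Update.AutoUpdate).Settings
    if ($settings.ReadOnly) {
        throw 'Automatic Updates is managed by Group Policy; change the AU policy instead of the local setting.'
    }
    $settings.NotificationLevel = $Level
    $settings.Save()
}

function Disable-InstallUpdatesOnShutdown {
    if (-not (Test-Path -Path $AuPolicyKey)) { New-Item -Path $AuPolicyKey -Force | Out-Null }
    # 1 = do not make "Install Updates and Shut Down" the default option in the Shut Down dialog.
    New-ItemProperty -Path $AuPolicyKey -Name 'NoAUAsDefaultShutdownOption' -PropertyType DWord -Value 1 -Force | Out-Null
}

Set-AutoUpdateLevel -Level 3
Disable-InstallUpdatesOnShutdown
Get-AutoUpdateLevel
```

If Get-AutoUpdateLevel reports ReadOnly as true, the machine is domain-managed and the local change will be overwritten at the next policy refresh; set the level in the same AU policy key instead.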

For Windows 10, make sure you've installed the Nov. 10 security updates for your version. If you are on Windows 10 1903, I strongly recommend you review the Windows Update settings you've used to keep yourself off other feature releases. The setting I recommend is the TargetReleaseVersionInfo registry value, or the matching group policy setting ("Select the target Feature Update version"), set to the version you want to stay on, in this case 1909. If you instead set the feature update deferral to 365 days, you won't receive a given feature update until 365 days after its release. That sounds like a reasonable deferral unless you are already a version or two behind the most recent feature release: the deferral is counted from each release's own date, so when a newer release passes its one-year anniversary you will suddenly find that the deferral no longer holds you where you thought it would.
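To make the difference between the two approaches concrete, the block below is an added example, not code from the article: it writes the "Select the target Feature Update version" policy values (TargetReleaseVersion and TargetReleaseVersionInfo) and the deferral values (DeferFeatureUpdates and DeferFeatureUpdatesPeriodInDays), and then works through the deferral arithmetic for a machine that is one release behind. The value names are the documented Windows Update policy registry values; the release dates are the general-availability dates of each Windows 10 version, and the December 2020 check date is chosen to match the article. Run it from an elevated PowerShell.

```powershell
# Added example, not code from the article: pin a Windows 10 machine to a chosen feature
# release with the "Select the target Feature Update version" policy values, and show why
# a fixed feature-update deferral stops holding back a machine that is already a release
# or two behind. Run from an elevated PowerShell.

$WuPolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'

function Set-TargetFeatureRelease {
    param([Parameter(Mandatory)][string]$Version)   # e.g. '1909'
    if (-not (Test-Path -Path $WuPolicyKey)) { New-Item -Path $WuPolicyKey -Force | Out-Null }
    # TargetReleaseVersion = 1 enables the policy; TargetReleaseVersionInfo names the release to stay on.
    New-ItemProperty -Path $WuPolicyKey -Name 'TargetReleaseVersion'     -PropertyType DWord  -Value 1        -Force | Out-Null
    New-ItemProperty -Path $WuPolicyKey -Name 'TargetReleaseVersionInfo' -PropertyType String -Value $Version -Force | Out-Null
}

function Set-FeatureUpdateDeferral {
    param([ValidateRange(0,365)][int]$Days = 365)
    if (-not (Test-Path -Path $WuPolicyKey)) { New-Item -Path $WuPolicyKey -Force | Out-Null }
    New-ItemProperty -Path $WuPolicyKey -Name 'DeferFeatureUpdates'             -PropertyType DWord -Value 1     -Force | Out-Null
    New-ItemProperty -Path $WuPolicyKey -Name 'DeferFeatureUpdatesPeriodInDays' -PropertyType DWord -Value $Days -Force | Out-Null
}

# Windows 10 feature releases and their general-availability dates.
$Releases = @(
    [pscustomobject]@{ Version = '1903'; Released = [datetime]'2019-05-21' }
    [pscustomobject]@{ Version = '1909'; Released = [datetime]'2019-11-12' }
    [pscustomobject]@{ Version = '2004'; Released = [datetime]'2020-05-27' }
    [pscustomobject]@{ Version = '20H2'; Released = [datetime]'2020-10-20' }
)

# The deferral is counted from each release's own date, so the question is not "how long
# since my release" but "which newer releases are already older than the deferral window".
function Get-DeferralExposure {
    param(
        [Parameter(Mandatory)][string]$Current,
        [int]$DeferDays = 365,
        [datetime]$AsOf = (Get-Date)
    )
    $currentDate = ($Releases | Where-Object { $_.Version -eq $Current }).Released
    $cleared = @($Releases |
        Where-Object { $_.Released -gt $currentDate -and $_.Released.AddDays($DeferDays) -le $AsOf } |
        Sort-Object Released)
    $result = [ordered]@{ Current = $Current; DeferDays = $DeferDays; AsOf = $AsOf.ToString('yyyy-MM-dd') }
    if ($cleared) {
        $offered = $cleared[-1]                     # Windows Update offers the newest release past its window
        $result.Offered     = $offered.Version
        $result.WindowEnded = $offered.Released.AddDays($DeferDays).ToString('yyyy-MM-dd')
    } else {
        $result.Offered     = $null
        $result.WindowEnded = $null
    }
    [pscustomobject]$result
}

# A 1903 machine with a 365-day deferral is already past 1909's window in December 2020,
# while a 1909 machine with the same deferral is still inside 2004's window.
Get-DeferralExposure -Current '1903' -AsOf ([datetime]'2020-12-01')
Get-DeferralExposure -Current '1909' -AsOf ([datetime]'2020-12-01')

# Pinning to a version removes the dependence on that arithmetic entirely.
Set-TargetFeatureRelease -Version '1909'
```

Run the two Get-DeferralExposure calls first and compare the Offered column: that is the release a deferral-only configuration would hand you, which is why the article's advice for a 1903 machine is the target-version pin rather than a longer deferral.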

While I have personally not seen issues with 2004 on my office network, if you are still using 1903, I'd recommend not jumping to 2004 or 20H2 at this time, since Microsoft support personnel and engineers will be in "holiday mode," making it harder to get good support. And if you are thinking of rolling out 20H2, wait until the fix is released that allows you to do an in-place repair. To me, this is one of the key ways to fix a misbehaving Windows 10 machine that just does not want to update properly. The ability to install a new version of Windows 10 on top of your current version, keeping your files, is a fundamental need for anyone who doesn't have an IT department. Furthermore, there are two major blocking issues affecting 2004 and 20H2 that are triggered by audio drivers and certain SSD drives.

If you are still on 1903, the update to 1909 is very fast. Remember, the first feature release of the year takes much longer to install than the second one later in the year, because Microsoft now delivers the second release as an "enablement package" that switches on features already staged by the monthly updates. PKCano has an extensive, step-by-step discussion of the various Windows Update settings for Windows 10 in AKB 2000016, Guide for Windows Update Settings for Windows 10.

The easier way to defer or pause updates is to use an administrator account, click Start > Settings > Update & Security, and click Advanced options. Click Pause updates and choose a date on the calendar that is at least 15 days after the second Tuesday of the month. You can choose a later date, but waiting until then ensures that issues have been identified. Keep in mind that Windows 10 only lets you pause for up to 35 days; once that runs out, pending updates are installed before you can pause again.

[Screenshot: the Pause updates calendar under Windows Update > Advanced options in Windows 10]

As always, don't ever click "Check for updates." Check for updates isn't just a check; it triggers the installation of any update the system sees as applicable to your computer. Also, don't install any patches that require you to click "Download and install."

As always, we'll be tracking any issues, and we'll let you know what we see.

Copyright © 2020 IDG Communications, Inc.
