(Guide) With a few exceptions, all’s clear to install Microsoft’s October patches

[Karlston]

With a few exceptions, all’s clear to install Microsoft’s October patches

October started in the cellar, with a third-time attempt at patching the CVE-2019-1367 IE zero-day that nobody needed, but the situation has gradually improved. Get the October patches installed, but watch out for a handful of known cowpies.

Thinkstock/Microsoft

 

If you had automatic update turned on at the beginning of October, you got clobbered with a bug-infested, out-of-band update for an IE-related zero-day that never appeared in real life. Later in the month, those with automatic update turned on were treated to a wide assortment of bugs (Start and Search fails, RDP redlines, older Visual Basic program blasts) – only some of which were solved with the month’s final, optional, non-security patches.

 

It’s now time to install the October patches. Here’s a guide to what might go bump in the night, and what you can do about it.

 

For users manually installing Windows 7 and 8.1 (and related Server) Security-only patches to avoid Microsoft’s pernicious snooping/telemetry, I have good news. For October, we haven’t detected the full-monty telemetry packages that were lurking in the July and September “Security-only” updates. 

A safe update

Here’s how to get your system updated the (relatively) safe way.

 

Step 1. Make a full system image backup before you install the latest patches.

 

There’s a non-zero chance that the patches — even the latest, greatest patches of patches of patches — will hose your machine. Best to have a backup that you can reinstall, even if your machine refuses to boot. This is in addition to the usual need for System Restore points.

 

There are plenty of full-image backup products, including at least two good free ones: Macrium Reflect Free and EaseUS Todo Backup. For Win7 users, If you aren’t making backups regularly, take a look at this thread started by Cybertooth for details. You have good options, both free and not-so-free.

 

Step 2. For Win7 and 8.1

 

Microsoft is blocking updates to Windows 7 and 8.1 on recent computers. If you're running Windows 7 or 8.1 on a PC that’s less than two years old, follow the instructions in AKB 2000006 or @MrBrian’s summary of @radosuaf’s method to make sure you can use Windows Update to get updates applied.

 

If you’ve been relying on the Security-only “Group B” patching approach to keep Microsoft’s snooping software off your PC, this month you’re in luck – we haven’t detected a repeat of the full telemetry packages hidden in the July and September patches. That means you can install the June, August and October patches without covering Microsoft’s messy tracks.

 

For most Windows 7 and 8.1 users, I recommend following AKB 2000004: How to apply the Win7 and 8.1 Monthly Rollups. You should have one Windows patch, dated Oct. 8 (the Patch Tuesday patch).  

 

If you have problems with an error 0x8009030f in Transport Layer Security (TLS), see this post for the cause and a solution.

 

Realize that some or all of the expected patches for October may not show up or, if they do show up, may not be checked. DON'T CHECK any unchecked patches. Unless you're very sure of yourself, DON'T GO LOOKING for additional patches. In particular, if you install the October Monthly Rollup, you won’t need (and probably won’t see) the concomitant patches for September. Don't mess with Mother Microsoft.

 

If you see KB 4493132, the “Get Windows 10” nag patch, make sure it’s unchecked.

 

Watch out for driver updates — you’re far better off getting them from a manufacturer’s website.

 

After you’ve installed the latest Monthly Rollup, if you’re intent on minimizing Microsoft’s snooping, run through the steps in AKB 2000007: Turning off the worst Win7 and 8.1 snooping. If you want to thoroughly cut out the telemetry, see @abbodi86’s detailed instructions in AKB 2000012: How To Neutralize Telemetry and Sustain Windows 7 and 8.1 Monthly Rollup Model.

 

Realize that we don’t know what information Microsoft collects on Window 7 and 8.1 machines. But I’d be willing to bet that fully-updated Win7 and 8.1 machines are leaking almost as much personal info as that pushed in Win10.

 

Step 3. For Windows 10 prior to version 1903

 

If you’re running Win10 version 1803, don’t feel bashful about sticking with it. Microsoft’s last security patch for 1803 is scheduled to arrive on Nov. 12, but you have another month after that before the disappearing patches may start to hurt.

 

If you’re running Win10 version 1809 – my production machines are still on 1809 – you should start thinking about moving to 1903. Microsoft has issued rivers of patches for 1903 in recent months, and 1903 may be approaching some semblance of stability. That’ll be an ongoing theme this month; stay tuned.

 

I have step-by-step instructions for dealing with the 1803-1809-1903 conundrum in How to block the Windows 10 November 2019 Update, version 1909, from installing.

 

Once you’re running the version of Win10 you want – there’s no reason to install patches until you’re running the right version – and you have Win10 Pro (or Education or Enterprise), you can follow my advice from February and set “quality update” (cumulative update) deferrals to 15 days, per the screenshot below. If you have quality updates set to 15 days, your machine already updated itself on Oct. 23 and will update again on Nov. 27. Don’t touch a thing and in particular don’t click Check for updates.

Microsoft

Woody Leonhard/IDG

 

If you’re stuck with Win10 Home, and you don’t want to upgrade to Win10 version 1909 (specifically to take advantage of its vastly improved patch blocking features), go through the steps in "8 steps to install Windows 10 patches like a pro." Make sure that you run Step 3, to hide any updates you don’t want (such as the Win10 1903 upgrade or any driver updates for non-Microsoft hardware) before proceeding.

 

If you see a notice that "You're currently running a version of windows that's nearing the end of support. We recommend you update to the most recent version of Windows 10 now to get the latest features and security improvements" you can safely chill. Win10 1803 will get patched through November and doesn't really turn belly-side up until December. If you see a link to “Download and install now,” ignore it for the same reason.

 

Step 4. For Windows 10 version 1903

 

Most users running Win10 version 1903 will want to install the first (but not the second) October cumulative update. We still have a couple of unresolved errors in Win10 1903, though, that may prove to be showstoppers:

• There’s a problem with certain RealTek LAN adapters throwing Error 10 after installing either the September or October cumulative update. 
• If you’re running any older Visual Basic programs on a 32-bit installation of Win10 1903, you can kiss ‘em goodbye with an “unexpected error; quitting” message. Best for you VBRUN300.DLL users to avoid this update.

Should either of those bugs, uh, bug you, uninstall the October update as soon as you hit the problem. There’s nothing in the October updates that you absolutely have to have right now. Let’s see if Microsoft irons out those bugs at some point in the future.

 

Windows Update in Win10 version 1903 went through a major makeover in September – the documentation didn’t change, but the behavior did. The result is a major step forward in Windows 10 patching.

 

There’s a legacy fly in the ointment, though. If you’ve moved to Win10 Pro version 1903, and you set 15-day deferral on quality updates (as shown in the screenshot below), you’ll no doubt discover that the settings shown are no longer available on your machine. I have details about the change, and its implications, in The difference between Defer updates, Pause updates and Delay updates — and what happens with Win10 1909.

 

Long story short, the setting shown in the screenshot may not be visible on your machine. Not to worry. You have a belt-and-suspenders kind of second choice. If you’re on Win10 version 1903 (either Home or Pro), click the link on the Windows Update page that says “Pause updates for 7 days,” then click on the newly revealed link, which says “Pause updates for 7 more days,” then click it again.

 

Microsoft

By clicking that link three times, you’ll defer cumulative updates for 21 days from the day you started clicking -- if you do it today, you’ll be protected until Nov. 22 – which is typically long enough for Microsoft to work out the worst bugs in their patches.

 

There are several group policies and a handful of registry settings working in the background when you make those changes. But if you’re using Pro and set the quality update deferral to 15 days, and punch the “Pause updates for 7 days” button three times (on either Home or Pro), you should be in good shape.

 

If you see an offer of an Optional update (see screenshot), don’t click Download and install now. Even more bugs await.

Microsoft

There’s one exception: If you hit any of the documented problems with Win10 version 1903 – the Start menu triggers a Critical error; Search doesn’t work; your machine redlines after disconnecting from a remote session – you might (operative term: might) have some luck installing the Optional update. Numerous posters have said that the second cumulative update still doesn’t work (see Laurence Abrams’ article in BleepingComputer), but Microsoft says the latest “optional” patch should help in some cases. Probably wouldn’t hurt to give it a try.

 

Happy trails. Or are those contrails?

 

Thanks to the dozens of volunteers on AskWoody who contribute mightily, especially @sb, @PKCano, @abbodi86 and many others.

 

We’ve moved to MS-DEFCON 4 on the AskWoody Lounge.

 

 

Source: With a few exceptions, all’s clear to install Microsoft’s October patches (Computerworld - Woody Leonhard)

[funkyy]

It really has gone past the humorous stage now. Seriously, we are under attack from trojans, viruses, spyware, ransomware, hackers , criminals, governments and the company whose product hundreds of millions of people use is the most likely source of  a disaster befalling our computers every time they issue "patches". It's easy to say "make a full backup" etc, which is good advice and is done by people with some knowledge and skill. But what of the untold millions who have very basic knowledge of what's happening when their machine takes a fit?

On one hand we're bombarded with reasons why patches are vital...but at the same time the patches can bring disaster. Yes, buy our Ferrari sir and we'll maintain it for you...but don't bother us if the mechanic doesn't tighten the bolts and the wheels come off!!

"Patches?...we don't need no steenking patches!!!" (Copyright "The Treasure Of The Sierra Madre")

[frankl1n]

10 hours ago, funkyy said:

"Patches?...we don't need no steenking patches!!!"

I love that!

[frankl1n]

Sorry kinda off topic but want to say this, it may help others! According to Woody I am in group B.

I have put off installing the Sept security only update until last night, subsequently then also the OCT security update as they are not cumulative.

Quote

“Group B” Security-Only patches are not cumulative. In order to be protected, you must install all of them. Every. Single. One. By hand. More than that, you have to install them in chronological order — the October patch, followed by the November patch, followed by the December patch, and so on.

The reason I put off installing the Sept security only update is because it contains the telemetry crap as was included in the July security only update. I read on Askwoody that if you had already installed the July patch AND then also took measures afterward to disable the telemetry crap : (which I did do)

Spoiler

Now comes word that the July security-only patch, KB 4507456, includes an unexpected bonus. Snooping, er, telemetry.
Windows guru @abbodi86 has looked at the internals of the patch and concludes:

Disabling (or deleting) these schedule tasks after installation (before reboot) should be enough to turn off the appraiser

\Microsoft\Windows\Application Experience\ProgramDataUpdater
\Microsoft\Windows\Application Experience\Microsoft Compatibility Appraiser
\Microsoft\Windows\Application Experience\AitAgent

(I got rid of these 3 scheduled startups via Ccleaner advanced mode)

but it’s best to wait until next month to see if the Security-only update comes clean

ALSO

Disable the Windows Customer Experience Improvement Program
Disabling the Windows Customer Experience Improvement Program and the related Task Scheduler tasks that control this program can improve Windows 7, Windows 8/8.1, and Windows 10 system performance in large desktop pools.

The following steps apply to Windows 7 and Windows 8. The steps might vary on different Windows operating systems.
Procedure

    In the Windows 7 or Windows 8 guest operating system, start the control panel and click Action Center > Change Action Center settings.
    Click Customer Experience Improvement Program settings.
    Select No, I don't want to participate in the program and click Save changes.
    Start the control panel and click Administrative Tools > Task Scheduler.
    In the Task Scheduler (open Run, and then type taskschd.msc) (Local) pane of the Task Scheduler dialog box, expand the Task Scheduler Library > Microsoft > Windows nodes and open the Application Experience folder.
    Disable the AITAgent, ProgramDataUpdater, and if available, Microsoft Compatibility Appraiser tasks.
    In the Task Scheduler Library > Microsoft > Windows node, open the Customer Experience Improvement Program folder.
    Disable the Consolidator, KernelCEIPTask, and UsbCEIP tasks.
    In the Task Scheduler Library > Microsoft > Windows node, open the Autochk folder.
    Disable the Proxy task.

 

then when installing the Sept Security Only patch that the telemetry crap would stay disabled, it did stay disabled for me! so I finally installed the Sept patch and then the Oct patch...I love Woody! Hope this helps other Group B people when deciding to install these patches