Get ready for Patch Tuesday: Block Windows Update and ignore KB 3008923

Tomorrow, Microsoft will likely issue another bunch of security and nonsecurity patches for all versions of Windows and Office. If May’s Patch Tuesday plays out like April’s did, we’re going to see a lot of problems.
Now’s a good time to check and make sure you aren’t installing Windows or Office updates automatically. Wait a week or two and see what ghosts appear.
Speaking of ghosts, many of you are seeing an old Internet Explorer patch, KB 3008923, MS 14-080, which was the cumulative update for IE on Dec. 9, 2014. Poster abbodi86 on the AskWoody Lounge says it’s a mistake and you shouldn’t install it:
It’s just an incomplete job in expiring old superseded updates, in order to further reduce Windows Update scanning load. They expired most of IE11 cumulative updates (around 14 updates); however, the supersedence chain for KB 3008923 is now broken: the update that superseded it has expired. Therefore by metadata rules, KB 3008923 is not superseded now.
They did this exact same incomplete job for Windows 8.1 about 2 or 3 months ago. The mistake did not last long, and they fixed it and completed the “expiring” job within a month.
Bottom line, just ignore KB3008923 for now until they fix the issue and expire it. Even if it gets installed by Windows Update, it will have no effect at all on IE or your system, because it’s completely superseded and won’t be active.
General consensus is that you should uncheck KB 3008923 if you see it and ignore the ancient patch until Microsoft gets its act together. Don’t bother hiding it because if you hide it, you may uncover even older, more obsolete patches. Microsoft screwed up.
If you followed my instructions for installing April’s patches, your system is already set to block updates. If you didn’t follow those directions, turning off automatic update will only take a minute.
Remember, you have to patch sooner or later. But you don’t have to patch the minute Microsoft drops the updates. Last month we had an unusual situation where a security hole that was patched in the monthly update was actively exploited on normal PCs. In those situations, you should patch relatively quickly. Most of the time, the world can wait for two weeks or three—long enough to see what bad stuff comes along with the patches.
In Windows 7 click Start > Control Panel. In Win 8.1, press Win-X and choose Control Panel. Click System and Security. Under Windows Update, click the link marked “Turn automatic updating on or off.” Make sure Windows Update is set to “Never check for updates (not recommended).”
In Windows 10 1507 (which gets its last patches this month), 1511, and 1607, the situation’s a bit more complex, but I have full details in the InfoWorld article “Woody’s Win10Tip: Block forced Windows updates.” Short version: With Win10 Pro, bring up gpedit, click Administrative Templates > Windows Components > Windows Update. On the right, double-click Configure Automatic Updates. At the top of the resulting settings box, choose Disabled, click OK, and close out of the Group Policy editor. Reboot and you’re done. With Win10 Home, if you’re on a Wi-Fi connection, set it to metered (see the article). If you’re on Win10 Home and you don’t have a Wi-Fi connection, your options are considerably more complex.
If you’re already using Win10 Pro Creators Update, version 1703, delaying cumulative updates is easier. In Win10 1703 Pro, click Start > Settings > Windows Update. Click the link for Advanced options. In the Advanced options pane (see the screenshot below), run the “quality updates” slider up to 30, which is the maximum.
With Win10 version 1703 Home, you’re stuck in the same rut as the earlier versions of Win10: Set your internet connection to Metered if it’s Wi-Fi. Otherwise, follow the steps outlined in the article to throttle the update service. And remember that “Windows 10 Home” is synonymous with “Windows 10 unpaid beta tester.”
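To confirm which of the settings above are actually in place on a machine, here is an added example (not part of the original article): a read-only PowerShell check that also reports whether KB 3008923 is installed. The registry paths and value names are assumptions, being the locations these settings are commonly documented to use, and the helper name Get-RegValue is made up for this example.

```powershell
# Added example: read-only audit of the update settings described in the article.
# Registry paths and value names are assumptions (commonly documented locations),
# not taken from the article. Nothing here changes the system.

function Get-RegValue([string]$Path, [string]$Name) {
    # Return $null instead of an error when the key or value is absent.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name } else { $null }
}

$auText = @{ 1 = 'Never check for updates'; 2 = 'Notify before download'
             3 = 'Download, notify before install'; 4 = 'Install automatically' }

# Windows 7 / 8.1: the Control Panel choice.
$cpl = Get-RegValue 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update' 'AUOptions'
# Windows 10 Pro: "Configure Automatic Updates" = Disabled is stored as NoAutoUpdate = 1.
$gpo = Get-RegValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU' 'NoAutoUpdate'
# Windows 10 1703 Pro: quality-update deferral set in Settings, or by policy.
$uxDays  = Get-RegValue 'HKLM:\SOFTWARE\Microsoft\WindowsUpdate\UX\Settings' 'DeferQualityUpdatesPeriodInDays'
$polDays = Get-RegValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate' 'DeferQualityUpdatesPeriodInDays'
# The stale IE cumulative update the article says to ignore.
$kb = Get-HotFix -Id 'KB3008923' -ErrorAction SilentlyContinue

$cplText = if ($null -eq $cpl) { 'not set' } elseif ($auText.ContainsKey([int]$cpl)) {
    $auText[[int]$cpl] } else { "unrecognized value $cpl" }
$gpoText = if ($null -eq $gpo) { 'policy not configured' } elseif ($gpo -eq 1) {
    'automatic updates disabled by policy' } else { 'policy leaves automatic updates on' }
$deferText = if ($null -ne $polDays) { "$polDays days (policy)" } elseif ($null -ne $uxDays) {
    "$uxDays days (Settings)" } else { 'not set' }
$kbText = if ($kb) { "installed on $($kb.InstalledOn)" } else { 'not installed' }

$report = @(
    @('Control Panel update setting', $cplText),
    @('Configure Automatic Updates policy', $gpoText),
    @('Quality update deferral', $deferText),
    @('KB3008923', $kbText)
)
foreach ($row in $report) { '{0,-38} {1}' -f $row[0], $row[1] }
```

A line reading "not set" only means that particular mechanism is not in use on this version of Windows; the metered-connection workaround for Win10 Home is not covered by this check.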
What’s new this month? I expect we’ll see some sort of resolution of the problem where Microsoft misidentified Carrizo DDR4 chips and AMD RX-480 graphic boards and summarily turned off Windows Update with the “Unsupported hardware” notice. Many of us are hoping that Microsoft will relent and restore the old Security Bulletin system—perhaps with a simple new column in the Security Update Guide listing Security Bulletin numbers, matched with entries in the monthly Security Updates Release Note.
Lock down Windows Update. The machine you save may be your own.
Stay up on the latest patching problems on the AskWoody Lounge.