December was a difficult month for Windows patches, full of all sorts of shenanigans.

Microsoft rang out 2016 with the following:

In the emperor-has-no-clothes department, Abbodi reported on the that the .Net 4.6.2 security-only patch is a sham: “Both .Net 4.6.2 updates [Security-only and Rollup] are identical. It seems Microsoft created the security-only update just to comfort the non-security haters. Apparently it didn’t feel the same or have the time to do that with other .Net versions.”

By my count, there were  in December, for Office 2003 (!), 2007, 2010, 2013 and 2016.

article.

For those in Group A:

Step A1. Get your settings right. In Win7, click Start > Control Panel. In Win 8.1, press Win+X and choose Control Panel. Click System and Security. Under Windows Update, click the link marked “Turn automatic updating on or off.” Make sure Windows Update is set to “Never check for updates (not recommended),” then check the boxes marked “Give me recommended updates the same way I receive important updates” and “Give me updates for Microsoft products and check for new optional Microsoft software when I update Windows.” Click OK.

. DON’T check any unchecked boxes. (You may see a driver update distributed as “Recommended,” and it thus has a check in the Optional category. That’s OK. Leave it checked. But if any driver updates aren’t checked, DON’T check them.)

Step A3. Install the patches. Click the button marked Install Updates and follow the instructions. You’ll end up with the monthly rollup, all of your Office patches, your .Net patches, possibly Adobe Flash fixes, the MS Security Essentials, and the usual MSRT scanner. After rebooting, everything will be set to block automatic updates. You’re all set – just be sure to watch this column later this month, to see when the unpaid beta testers are done.

For those in Group B:

Step B1. Get the security-only patch. If you want security patches only, you have to reach out and grab them. Assuming you’ve already installed the and security-only patches (which are not rollups, not cumulative), you can download the December patches using the following links:

Step B2. Install the security-only patch. With the method varying, depending on which browser you used to download the patch, you need to run the MSU file and restart. At that point, you have the security-only patches, but you need to pick up other key patches, including the .Net update, Flash, and Office patches, and others. Which means you get to run Windows Update, just like the Group A folks, but be more selective in what you install.

Step B3. Get your settings right. In Win7, click Start > Control Panel. In Win 8.1, press Win+X and choose Control Panel. Click System and Security. Under Windows Update, click the link marked “Turn automatic updating on or off.” Make sure Windows Update is set to “Never check for updates (not recommended),” then check the box marked “Give me updates for Microsoft products and check for new optional Microsoft software when I update Windows.” UNcheck the box marked “Give me recommended updates the same way I receive important updates” (yes, Group B is different from Group A), and click OK.

Step B4. Check for updates. Back in the Control Panel, under Windows Update, click the link to Check for Updates. (You may have to click Check for Updates a second time.) The check takes many minutes. If it takes many hours, see .

Step B5. Get rid of the monthly rollup. Click the links to look at the Important and Optional updates. DON’T check any unchecked boxes.

  • If you’re running Win7, UNcheck the box marked “December, 2016 Security Monthly Quality Rollup for Windows 7 (KB3207752).”
  • If you’re running Win 8.1, UNcheck the box marked “December, 2016 Security Monthly Quality Rollup for Windows 8.1 (KB3205401).”

Those are the monthly rollups, which include all of the non-security patches Microsoft is rolling out the chute. If you’re in Group B, you don’t want them.

Leave the “Security and Quality Rollup for .Net Framework” box checked – as noted by Abbodi (see above), it’s the same as the security-only .Net patch this month.

For heaven’s sake don’t ever check anything marked Preview. You shouldn’t have seen any preview rollups in December – Microsoft was on vacation, it seems – but if you do see one, don’t check it.

Step B6. Get rid of the problematic driver updates. Look for driver updates, especially those marked “INTEL – System” followed by a date, and if you see any that are checked, UNcheck the box. There are to get the latest drivers.

Step B7. Install the patches. Click the button marked Install Updates and follow the instructions. You’ll end up with Office patches, .Net patches, possible Adobe Flash fixes, Security Essentials update, and the usual MSRT scanner. After the reboot, you’re done. Pat yourself on the back, and watch this column later this month for the all-clear.

Windows 10

December was an odd month for Windows 10. The latest patch for the Anniversary Update (version 1607) pushed through Windows Update is , build 14393.576. But there’s that only applies in weird situations (conflict with virtualization-based security) that’s available for download as . The hotfix brings the build number up to 14393.577.

Also, a setting that’s supposed to block driver updates for Windows 10 – the “Do not include drivers with Windows Updates” group policy and ExcludeWUDriversInQualityUpdate registry key that Shawn Brink – doesn’t .

Windows 10 also seems to be subject to , particularly the “INTEL – System – 8/19/2016 12:00:00 AM – 10.1.2.80” patch.

With that in mind, it’s time to update Windows 10 version 1607. Follow the steps in my , paying particular attention to any driver updates you may see. If you find , the “Servicing stack update for Windows 10 Version 1607: October 27, 2016,” you want to install it. Likewise any Office, Flash, MSRT or .Net updates.

Many people find that the cumulative update for 1607, KB 3206632, hangs at 45 percent. If that should happen to you, recommends that you manually download and install the hotfix version, .

I haven’t heard of any problems with the latest patches to earlier versions of Windows 10.

Having any problems or contrarian experiences? Give me a shout on .