Is it time to install Microsoft’s January updates? (Yes.)
Some people can’t wait for a new version of Windows 10. They sign up for insider editions and eagerly watch for the next release.
I’m exactly the opposite of that.
I wait and make sure the version of Windows 10 that I’m using is fully compatible with my applications and I have time to deal with any side effects. My philosophy with security updates is the same; I don’t install them right away. (Though I do install them every month without fail.) If you haven’t yet installed the January updates, do so as soon as possible.
The major update that I warned about last month was KB4535680, which was offered up to Windows Server 2012 x64-bit; Windows Server 2012 R2 x64-bit; Windows 8.1 x64-bit; Windows Server 2016 x64-bit; Windows Server 2019 x64-bit; Windows 10, version 1607 x64-bit; Windows 10; version 1803 x64-bit; Windows 10, version 1809 x64-bit; and Windows 10, version 1909 x64-bit systems.
Specifically, for server admins that control patching on a HyperV server, I recommend you temporarily shut down the virtual machines hosted on that server before installing this update — or skip this one completely. Even if you are not a server administrator, you might see some issues with this update. In some cases, it may not be offered because it’s being blocked by your original equipment manufacturer. In those cases, the OEM firm likely detected that your machine does not have the proper BIOS or firmware needed to support this Secure Boot update, and thus worked with Microsoft to defer it.
In some instances, it was offered to systems that don’t support secure boot, as Gunther Born noted on his blog. In that case, I recommend skipping this update. On other Windows 8.1 systems, the update failed to install repeatedly, with an error message pointing to issues with the OEM partition. In an answers forum posting, several users indicated that they couldn’t install the update. If you are in the same boat on the older platform like Windows 8.1, I would strongly suggest using this Windows update technique to hide the update.
Some patchers were prompted for a Bitlocker recovery key — even though they didn’t remember enabling Bitlocker on their computer. In that case, they may find that the system automatically saved the Bitlocker key under their Microsoft account. If it’s not there, there’s no easy way to recover a system and they face a rebuild. While these issues are not widespread, the risk of an attack on home users is low enough that I’m OK recommending you hide this update on older platforms. On Windows 10, the only way to hide it is with third-party tools or by using the Microsoft driver-hiding tool such as wushowhide. This is one reason I always recommend you have a backup before installing updates. Not only does it protect you from ransomware, it ensures that you can recover from any issue.
In cases where I installed the January updates on hardware running Windows 10 20H2 and 2004, I found that several computers needed a second reboot to show the update was properly installed. So don’t worry if your systems need a second reboot. If you’ve already installed KB4535680, you don’t need to uninstall it; no side effects have shown up once the patch is installed.
Recently, an NTFS data corruption bug has been in the headlines. Microsoft plans to fix the bug, which makes Windows think it needs to fix drive corruption when you inadvertently click on a triggering file. Independent researchers have come up with a tool to protect systems from this bug. As noted on the site attackerkb.com, “The disk is not actually corrupted. If you try to access files on the disk, you can still interact with them and do things normally without any issues. Windows just somehow thinks that the disk is corrupted, even though it isn’t.”
I recommend you take no action for now or use the workaround tool. I haven’t seen the NTFS bug attack used in the wild; it’s safer to just be aware of the situation. (As a general rule, be careful when you click, download, or open attachments. Only open things you expect or can be sure aren’t malicious.)
One patch we haven’t seen, and apparently won’t see for a few weeks, is the one that removes Flash from systems. That update won’t be mandatory until later this year. In the meantime, if you want to remove Flash, you can manually download KB4577586 from the Microsoft catalog site and install it. I have a how-to video that you can view on Youtube. (Adobe did start blocking Flash content from running in Flash Player on Jan. 12.)
Often, silent patches have the most impact on Windows. Microsoft’s Edge and Google’s Chrome browsers recently received updates that enable checking your saved passwords to make sure they aren’t weak or have been included in password breaches. That said, I don’t recommend saving passwords in your browser at all; instead, I recommend using a third-party password manager tool to save and track your long and strong passphrases. Remember to always add two-factor authentication whenever you can.
Reminder: we are counting down the support window for Windows 10 1909. Windows 10 Home and Pro leave support on May 11. Included in the preview update for 1909 and in next month’s update will be a notification that tells you when your device is close to this date. After May 11, your device will stop receiving important quality and security updates. (Windows 10 Enterprise and Education editions have an extra year before 1909 drops out of support.) If you are still running Windows 10 Pro version 1909, it’s time to start planning to move to 2004 or 20H2.
Need help updating or getting to 2004 or 20H2? We have you covered at askwoody.com.