Patch Tuesday: Here's what's new for Windows 7 and 8.1

Today is Patch Tuesday, the second Tuesday of the month when Microsoft releases updates for all supported versions of Windows. Along with cumulative updates for most versions of Windows 10, older versions get updated as well.

If you're on Windows 8.1 or Windows Server 2012 R2, you'll get the KB4284815 monthly rollup. This can be manually downloaded here, and contains the following fixes:

Addresses an issue where firmware updates cause devices to go into BitLocker recovery mode when BitLocker is enabled, but Secure Boot is disabled or not present. This update prevents firmware installation on devices in this state. Administrators can install firmware updates by:

Temporarily suspending BitLocker.

Immediately installing firmware updates before the next OS startup.

Immediately restarting the device so that BitLocker doesn’t remain in the suspended state.

Permits a band-capable disk that has only one partition, and it is an MSR partition, to convert to a dynamic disk.

Increases the Internet Explorer cookie limit from 50 to better align with industry standards.

Improves the reliability of Internet Explorer when using geolocation.

Security updates to Internet Explorer, Windows apps, remote code execution, Windows Server, Windows storage and filesystems, and Windows wireless networking.

As usual, there's also a security-only update, KB4284878, which you can manually download here.

For Windows 7 SP1 and Windows Server 2008 R2 SP1, you'll see KB4284826, which you can manually download here. It contains the following fixes:

Provides support to control use of Indirect Branch Prediction Barrier (IBPB) on some AMD processors (CPUs) for mitigating CVE-2017-5715, Spectre Variant 2 when switching from user context to kernel context. (See AMD Architecture Guidelines for Indirect Branch Control and AMD Security Updates for more details). For Windows client (IT pro) guidance, follow the instructions in KB4073119. For Windows Server guidance, follow the instructions in KB4072698. Use these guidance documents to enable use of IBPB on some AMD processors (CPUs) for mitigating Spectre Variant 2 when switching from user context to kernel context.

Provides protections from an additional subclass of speculative execution side channel vulnerability known as Speculative Store Bypass (CVE-2018-3639). These protections aren't enabled by default. For Windows client (IT pro) guidance, follow the instructions in KB4073119. For Windows Server guidance, follow the instructions in KB4072698. Use this guidance document to enable mitigations for Speculative Store Bypass (CVE-2018-3639) in addition to the mitigations that have already been released for Spectre Variant 2 (CVE-2017-5715) and Meltdown (CVE-2017-5754).

Increased the Internet Explorer cookie limit from 50 to better align with industry standards.

Improves the reliability of Internet Explorer when using geolocation.

Security updates to Internet Explorer, Windows apps, Windows Server, Windows storage and filesystems, Windows wireless networking, and Windows virtualization and kernel.

The security-only update, KB4284867, can be downloaded here.

All of the previously mentioned updates also have some known issues to be aware of:

Symptom	Workaround
A stop error occurs on computers that don't support Streaming Single Instructions Multiple Data (SIMD) Extensions 2 (SSE2).	Microsoft is working on a resolution and will provide an update in an upcoming release.
There is an issue with Windows and third-party software that is related to a missing file (oem<number>.inf). Because of this issue, after you apply this update, the network interface controller will stop working.	To locate the network device, launch devmgmt.msc; it may appear under Other Devices. To automatically rediscover the NIC and install drivers, select Scan for Hardware Changes from the Action menu. a. Alternatively, install the drivers for the network device by right-clicking the device and selecting Update. Then select Search automatically for updated driver software or Browse my computer for driver software.

Symptom

Workaround

A stop error occurs on computers that don't support Streaming Single Instructions Multiple Data (SIMD) Extensions 2 (SSE2).

Microsoft is working on a resolution and will provide an update in an upcoming release.

There is an issue with Windows and third-party software that is related to a missing file (oem<number>.inf). Because of this issue, after you apply this update, the network interface controller will stop working.

To locate the network device, launch devmgmt.msc; it may appear under Other Devices.
To automatically rediscover the NIC and install drivers, select Scan for Hardware Changes from the Action menu.

a. Alternatively, install the drivers for the network device by right-clicking the device and selecting Update. Then select Search automatically for updated driver software or Browse my computer for driver software.

Finally, users on Windows Server 2012 will get KB4284855, which can be manually downloaded here, and contains the following fixes:

Addresses an issue where firmware updates cause devices to go into BitLocker recovery mode when BitLocker is enabled, but Secure Boot is disabled not present. This update prevents firmware installation on devices in this state. Administrators can install firmware updates by:

Temporarily suspending BitLocker.

Immediately installing firmware updates before the next OS startup.

Immediately restarting the device so that BitLocker doesn’t remain in the suspended state.

Security updates to Internet Explorer, Windows apps, Windows storage and filesystems, Windows Server, and Windows wireless networking.