Good things come to those who wait. If you resisted the drill sergeant scream of “GET THOSE PATCHES INSTALLED AS SOON AS THEY’RE OUT, MAGGOT!” you’re about to reap your just reward.
As is so often the case, the Patch Tuesday screams are something you should consider, but they’re hardly the final word. At this point, there’s a credible threat forming for Win7 and Server 2008 R2 machines – Total Meltdown is definitely coming – but the sky hasn’t fallen. There are no known Meltdown or Spectre exploits in the wild, and all of the hell unleashed by this month’s series of patches and re-patches and pre-appended re-re-patches primarily served as demonic theater to those of us who chose to wait.
I don’t know of any major exploits in the wild, as yet, that are blocked by the April patches. Yet you do need to patch sooner or later – and right now is as good a time as any.
Even if you waited, the way forward is clear. If you installed some (or all) of this month’s patches as they came out, and you’re using Win7 or Server 2008 R2, you could potentially be stuck in a very difficult spot.
The ongoing Win7/Server 2008 R2 nightmare
Microsoft’s Keystone Kops act returned with a vengeance this month, kicked off by a bug in last month’s 64-bit Win7 Monthly Rollup that knocked some Network Interface Cards and some machines with manually set IP addresses off their networks. Microsoft fixed, then re-fixed, then pulled apart and re-fixed the bug, but the re-fix still has problems, even when you uninstall the original fix. Got that? Naw, me neither.
Here’s the short version for 64-bit Win7 and Server 2008 R2 machines, for those who install the Monthly Rollups (“Group A”). Thx to @abbodi86, @MrBrian and @PKCano, all of whom contributed to this simplified solution:
Step 1. Check your update history to see if you have already installed this month’s Win7/Server 2008 R2 Monthly Rollup, KB 4093118. If you haven’t installed KB 4093118, you’re fine; proceed with the next section to install the April Monthly Rollup, KB 4093118.
Step 2. You have (a possibly old version of) this month’s Monthly Rollup, KB 4093118. Uninstall KB 4093118. Then …
Step 2a. Should you have the March Monthly Rollup, KB 4088875, uninstall it.
Step 2b. If you happen to have the Carnak patch, KB 4099950, uninstall it.
Step 3. Just for good luck, reboot.
That’s the simplest sequence I know to help make sure you ultimately get the latest version of a file called pci.sys, after you install this month’s Monthly Rollup. You can follow along with the discussion, but the simple fact is that Microsoft’s mucking with KB 4099950 metadata and re-re-releasing KB 4093118 can put you in a position where you have an outdated version of that key file.
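The check-and-uninstall sequence in Steps 1 through 3, as a PowerShell script added here (not from the article, its contributors or Microsoft). It assumes an elevated prompt on the Win7/Server 2008 R2 machine; the function name Get-RollupCleanupPlan and the -Apply switch are made up for this example.

```powershell
# Added example, not from the article. Dry run by default; pass -Apply to uninstall.
param([switch]$Apply)

# KB numbers and their order come from Steps 1-2b above.
$AprilRollup = 'KB4093118'
$Dependents  = @('KB4088875', 'KB4099950')   # March rollup, then KB 4099950

function Get-RollupCleanupPlan {
    param([string[]]$InstalledKb)
    # Step 1: without the April rollup there is nothing to remove.
    if ($InstalledKb -notcontains $AprilRollup) { return @() }
    # Step 2: remove the April rollup first, then 2a/2b if present.
    $plan = @($AprilRollup)
    foreach ($kb in $Dependents) {
        if ($InstalledKb -contains $kb) { $plan += $kb }
    }
    return $plan
}

# Get-HotFix reads Win32_QuickFixEngineering; HotFixID looks like "KB4093118".
$installed = @(Get-HotFix | ForEach-Object { $_.HotFixID })
$plan = @(Get-RollupCleanupPlan -InstalledKb $installed)

if ($plan.Count -eq 0) {
    Write-Output "$AprilRollup not installed: nothing to uninstall, go install the April rollup."
    return
}
foreach ($kb in $plan) {
    $number = $kb -replace '^KB', ''
    if ($Apply) {
        # wusa.exe is the built-in Windows Update Standalone Installer.
        Start-Process wusa.exe -ArgumentList "/uninstall /kb:$number /quiet /norestart" -Wait
        Write-Output "Uninstall requested for $kb"
    } else {
        Write-Output "Would uninstall $kb (wusa.exe /uninstall /kb:$number /norestart)"
    }
}
# Step 3: reboot before installing the April rollup.
Write-Output 'Reboot, then install the April Monthly Rollup.'
```

Run it once without -Apply to see the plan, and confirm in the update history afterwards that the listed KBs are gone before reinstalling KB 4093118.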
For those of you who are spitting on the patching god’s face and manually installing Security Only patches (the “Group B” approach), I wish you well and point you to @abbodi86’s instructions.
See how you’re way ahead of this game if you didn’t install any of this month’s patches?
Windows 10
Go ahead and install all outstanding Win10 patches. The first set of April cumulative updates had some bad bugs, but those were fixed in the versions released later in the month.
Office
We’re seeing a late-surfacing bug in KB 4018319 (Office 2016) and KB 4018288 (Office 2013) that causes problems when opening files with embedded charts. Microsoft has not yet officially acknowledged the bug.
Other than that, Susan Bradley’s Master Patch List says the April Office patches are OK.
Windows 7/Server 2008 R2
Before you install this month’s Win7/Server 2008 R2 patches, make sure you use the above steps to figure out whether you have to uninstall anything before you proceed.
The patching pattern should be familiar to some of you.
Step 1. Make a full system image backup before you install the April patches.
There’s a non-zero chance that the patches – even the latest, greatest patches of patches of patches – will hose your machine. Best to have a backup that you can reinstall even if your machine refuses to boot. This, in addition to the usual need for System Restore points.
There are plenty of full-image backup products, including at least two good free ones: Macrium Reflect Free and EaseUS Todo Backup.
Step 2. For Win7 and 8.1
Microsoft is blocking updates to Windows 7 and 8.1 on recent computers. If you are running Windows 7 or 8.1 on a PC that’s a year old or less, follow the instructions in AKB 2000006 or @MrBrian’s summary of @radosuaf’s method in order to make sure you can use Windows Update to get updates applied.
If you’re very concerned about Microsoft’s snooping on you and prefer to install just security patches, realize that the privacy path’s getting more difficult. The old “Group B” – security patches only – isn’t dead, but it’s no longer within the grasp of typical Windows customers. If you insist on manually installing security patches only, follow the instructions in @PKCano’s AKB 2000003 and think about @MrBrian’s recommendations for hiding any unwanted patches.
For most Windows 7 and 8.1 users, I recommend following AKB 2000004: How to apply the Win7 and 8.1 Monthly Rollups. Realize that some or all of the expected patches for April may not show up or, if they do show up, may not be checked. DON’T CHECK any unchecked patches. Unless you’re very sure of yourself, DON’T GO LOOKING for additional patches. That way thar be tygers. For everybody who is going to install the April patches, accept your lot in life, and don’t mess with Mother Microsoft.
If you would like to minimize Microsoft’s snooping but still install all of the offered patches, turn off the Customer Experience Improvement Program (Step 1 of AKB 2000007: Turning off the worst Windows 7 and 8.1 snooping) before you install any patches. (Thx, @MrBrian.) For those who see KB 2952664 (for Win7) or its Win8.1 cohort, KB 2976978 – the patches that so helpfully make it easier to upgrade to Win10 – uncheck them and spread your machine with garlic. Watch out for driver updates – you’re far better off getting them from a manufacturer’s website.
After you’ve installed the latest Monthly Rollup, if you’re intent on minimizing Microsoft’s snooping, run through the steps in AKB 2000007: Turning off the worst Win7 and 8.1 snooping. Realize that we don’t know what information Microsoft collects on Windows 7 and 8.1 machines. But I’m starting to believe that information pushed to Microsoft’s servers for Win7 owners is nearing that pushed in Win10.
Step 3. For Windows 10
If you’re running Win10 Creators Update, version 1703 (my current preference), or version 1607, the Anniversary Update, and you want to stay on 1607 or 1703 while those on 1709 get to eat Microsoft’s dog food, follow the instructions here to ward off the upgrade. As you go through the steps, keep in mind that Microsoft, uh, forgot to honor the “Current Branch for Business” setting – so you must run the “feature update” (read: version change) deferral setting, if you have one, all the way up to 365. And hope that Microsoft doesn’t forget how to count to 365.
If you’re running an earlier version of Win10, you’re basically on your own. Microsoft doesn’t support you anymore.
If you have trouble getting the latest cumulative update installed, be sure that you’ve checked your antivirus settings (see ProTip #2 above) and, if all is well, run the newly refurbished Windows Update Troubleshooter before inventing new epithets.
To get Windows 10 patched, go through the steps in “8 steps to install Windows 10 patches like a pro.”