The peculiarity of March’s rags set new lows, even by Windows’ tarnished standards. The Win10 rags flew quick and furious, with new Microsoft-induced bugs introduced and swatted mixed times over a month. The Word 2016 confidence patch final that we initial implement a Word 2016 non-security patch, or Word refuses to open files. That bug hasn’t been fixed. Windows 8.1/Server 2012R2 transient comparatively unscathed. Server 2008 got a repair for a cart patch, KB 4090450, on Apr 3. But Windows 7… ah, that’s a failing equine of a totally opposite color.
The fur’s drifting so quick and thick that it’s tough to collect an portentous indicate in time to get patched up, though now seems as well-suited a impulse as any. Except for Win7. If you’re still regulating Win7 — and about half of a Windows universe is — we have a formidable choice to make.
The Windows 7/Server 2008 R2 nightmare
You can review some of a historic sum here, though a brief chronicle goes like this:
As of this moment, EVERY Windows 7 / Server 2008 R2 64-bit patch expelled this year opens a gaping confidence hole ordinarily called “Total Meltdown.” In addition, new rags have a healthy collection of bugs that operation from blue screens (STOP messages), to restraint Internet Explorer 11, to a quite debilitating bug for folks using servers that leads to lockups due to SMB leaks.
Microsoft has expelled a repair for a Total Meltdown hole, though installing it brings along many of those creepy bugs.
The 32-bit chronicle of Win7 doesn’t seem to have a same problems, though I’m saying reports of blue screens after installing a 32-bit chronicle of a Win7 Security-only update.
Realize this play unfolded over weeks of bad patches, re-patches, re-re-patches, appended patches, warn patch confessions, patched warn patch confessions, and support that comes from a demonstrably unparallel dimension. Even now, on a Friday before Patch Tuesday, we have a warning of yet another patch in a offing that hasn’t been expelled as yet, and it isn’t totally transparent how (or if) Microsoft will fix a ongoing NIC/static IP residence bug.
The fluid state of Windows patches
The Windows 7/Server 2008 R2 inanity has been surrounded by on-again, off-again patches, like immorality sprites prancing around a Win7 bonfire. At any given moment, on any given machine, one or some or all of a Mar Win7 rags might be offering by Windows Update. A opposite set of rags might or might not be offering by craving refurbish servers (WSUS or SCCM). And for those who challenge a involuntary refurbish gods and implement rags manually, different conflicts and dark prerequisites abound.
Against that wicked backdrop, we offer a following recommendations…
Go forward and implement all superb Win10 patches. They were re-released and re-re-released in March, and a stream versions seem to be operative OK. Heaven usually knows what’s going to occur on Apr Patch Tuesday, so get a rags squared divided now.
What about upgrading to Win10 1709?
I’ve suspicion prolonged and tough about either to suggest that Win10 Creators Update (version 1703) business ascent to Win10 Fall Creators Update (version 1709). It looks like Microsoft has pushed about 90% of all Win10 1703 users on to 1709 — forcibly in some cases. And 1803 appears to be prepared to launch subsequent Tuesday. So if you’re so inclined, a time to pierce to 1709 is now, unless we wish to fast squirrel divided a copy of 1709 to implement during a after date — though we need to do that in a subsequent few days.
Personally, I’m not going to worry with 1709. The new features aren’t value a second peek for many (3D this ‘n’ that, keyboard emojis, Controlled Folder Access — that is so forward that we infirm it immediately). I’d cruise relocating to 1709 for a OneDrive Files on Demand feature, though we use Dropbox and Google Drive many some-more than OneDrive.
If we feel confidant adequate to pierce to 1709 on your possess terms, not Microsoft’s, now’s a time to hurl a Defer underline updates environment (Start Settings Update confidence Advanced Options) down to 0. Let a Fall Creators Update overflow you. As for me and mine, meh, I’m adhering with 1703.
That bug in a Word 2016 confidence patch, KB 4011730, hasn’t been fixed: If we implement it, we need to get the non-security patch, KB 4018295, too. Otherwise, we won’t be means to open or save Word documents.
Other than that, Susan Bradley’s Master Patch List says a Mar Office rags are OK.
Windows 7/Server 2008 R2
“You gotta ask yourself one question: Do we feel lucky?”
There’s no clearcut right-or-wrong answer to a patching doubt of a month: Should we patch Win7 or usually let sleeping dogs lie? I’ve struggled with scenarios and arguments both for and opposite installing a huge list of cart Mar Win7 patches. No luck. Here’s a best we could come adult with:
- If you’re peaceful to wade by a hassles — blue screens, leaky memory, and a cornucopia of additional bugs — go forward and implement all of a CHECKED Windows updates. Realize that your appurtenance might delayed down, even if it’s still going clever after a Jan and Feb rags (see a subsequent section).
- If we don’t need a headache, and you’re pretty certain nobody’s going to conflict we with a Total Meltdown push*, don’t do anything. Don’t implement any of a Mar patches.
- Otherwise, take Susan Bradley’s recommendation and roll behind your machine to a state before a patching stupidity started in January. You’ll remove some inestimable fixes, though during slightest we won’t be far-reaching open to Total Meltdown.
*The Total Meltdown attacks, when they come, will rest on putrescent web pages and files we accept from a web. At least, that’ll be a initial wave. Of course, we’ll be examination earnestly and screaming bloody murder should something unfavourable happen, both on AskWoody and Computerworld. With a small luck, you’ll have adequate allege warning that we can get all of a Mar rags commissioned in time. Or maybe Microsoft will purify adult a Win7 act for a Apr spin of patches. Hope springs eternal.
Impact on performance
If your appurtenance slows down noticeably after March’s rags (or any of a Jan or Feb patches), we can invalidate many of a fixes and see if your appurtenance speeds behind up. Microsoft has instructions. Steve Gibson’s InSpectre apparatus automates many of it.
Don’t forget: There are no famous exploits for Meltdown or Spectre in a wild. None. Zero. Never have been.
How to patch with animation and alacrity
The patching settlement should be informed to many of you.
Step 1. For Win7 and 8.1, make certain your antivirus is copacetic with this month’s patches.
If you’re using Win7 or 8.1, we still need to have a pretty new chronicle of your antivirus software. If you’re using Windows Defender/Microsoft Security Essentials, you’re fine. If we wish to check to see if your machine, specifically, is prepared for a Mar patches, follow a steps posted by SueW on AskWoody.com
Starting subsequent month, it looks as if this step will no longer be required for Win7 and 8.1. It’s already been waived for Win10.
Step 2. Make a full complement picture backup before we implement a Jan patches.
There’s a non-zero possibility that a rags — even a latest, biggest rags of rags of rags — will hose your machine. Best to have a backup that we can reinstall even if your appurtenance refuses to boot. This, in further to a common need for System Restore points.
Step 3. For Win7 and 8.1
Microsoft is restraint updates to Windows 7 and 8.1 on new computers. If we are using Windows 7 or 8.1 on a PC that’s a year aged or less, follow a instructions in AKB 2000006 or @MrBrian’s outline of @radosuaf’s method to make certain we can use Windows Update to get updates applied.
If you’re really endangered about Microsoft’s snooping on we and wish to implement usually confidence patches, comprehend that a remoteness path’s removing some-more difficult. The aged “Group B” — confidence rags usually — isn’t dead, though it’s no longer within a grasp of standard Windows customers. If we insist on manually installing confidence rags only, follow a instructions in @PKCano’s AKB 2000003 and be wakeful of @MrBrian’s recommendations for stealing any neglected patches.
For many Windows 7 and 8.1 users, we suggest following AKB 2000004: How to request a Win7 and 8.1 Monthly Rollups. Realize that some or all of a approaching rags for Mar might not uncover adult or, if they do uncover up, might not be checked. DON’T CHECK any violent patches. Unless you’re really certain of yourself, DON’T GO LOOKING for additional patches. That approach thar be tygers. If you’re going to implement a Mar patches, accept your lot in life, and don’t disaster with Mother Microsoft.
If we wish to minimize Microsoft’s snooping though still implement all of a offering patches, spin off a Customer Experience Improvement Program (Step 1 of AKB 2000007: Turning off a misfortune Windows 7 and 8.1 snooping) before we implement any patches. (Thx, @MrBrian.) If we see KB 2952664 (for Win7) or its Win8.1 cohort, KB 2976978 — a rags that so willingly make it easier to ascent to Win10 — uncheck them and widespread your appurtenance with garlic. Watch out for motorist updates — you’re distant improved off removing them from a manufacturer’s website.
After you’ve commissioned a latest Monthly Rollup, if you’re vigilant on minimizing Microsoft’s snooping, run by a stairs in AKB 2000007: Turning off a misfortune Win7 and 8.1 snooping. Realize that we don’t know what information Microsoft collects on Window 7 and 8.1 machines. But I’m starting to trust that information pushed to Microsoft’s servers for Win7 owners is impending that pushed in Win10.
Step 4. For Windows 10
If you’re using Win10 Creators Update, version 1703 (my stream preference), or version 1607, a Anniversary Update, and we wish to stay on 1607 or 1703 while those on 1709 get to eat Microsoft’s dog food, follow the instructions here to sentinel off a upgrade. As we go by a steps, keep in mind that Microsoft, uh, forgot to honor a “Current Branch for Business” environment — so we need to run a “feature update” (read: chronicle change) deferral setting, if we have one, all a approach adult to 365. And wish that Microsoft doesn’t forget how to count to 365.
If you’re using an progressing chronicle of Win10, you’re fundamentally on your own. Microsoft doesn’t support we anymore.
If we have difficulty removing a latest accumulative refurbish installed, make certain you’ve checked your antivirus settings (see ProTip #2 above) and, if all is well, run the newly refurbished Windows Update Troubleshooter before inventing new epithets.
To get Windows 10 patched, go by a stairs in “8 stairs to implement Windows 10 rags like a pro.”
What about Win10 chronicle 1803?
Yes, that’s on a horizon. The subsequent “feature update” for Win10 will expected arrive on Apr 10. As with all new versions of Windows, it would be a bit, uh, haughty to implement it before a delinquent beta testers take a strike during it. Listen to ‘em whine, whine, whine. With apologies to Jan and Dean.
I’ll have full instructions for restraint a refurbish to Win10 1803 entrance early subsequent week. But I’ll leave we with this small Protip: If we rest on Microsoft’s Win10 Pro Advanced Options to sentinel off a update, you’re environment yourself adult for a large surprise. Don’t forget that Microsoft pushed Win10 1709 onto machines that had it blocked three times in a past 6 months — and that many Win10 machines now have an central backdoor for chronicle updates.
Thanks to a dozens of volunteers on AskWoody who minister mightily.
We’ve changed to MS-DEFCON 3 on a AskWoody Lounge.