Good things come to those who wait. If we resisted a cavalcade sergeant roar of “GET THOSE PATCHES INSTALLED AS SOON AS THEY’RE OUT, MAGGOT!” you’re about to reap your usually reward.
As is so mostly a case, a Patch Tuesday screams are something we should consider, though they’re frequency a final word. At this point, there’s a convincing hazard combining for Win7 and Server 2008 R2 machines — Total Meltdown is really coming — though a sky hasn’t fallen. There are no famous Meltdown or Spectre exploits in a wild, and all of a hell unleashed by this month’s array of rags and re-patches and pre-appended re-re-patches essentially served as wicked museum to those of us who chose to wait.
I don’t know of any vital exploits in a wild, as yet, that are blocked by a Apr patches. But we do need to patch progressing or after — and right now is as good a time as any.
If we waited, a ensue brazen is clear. If we commissioned some (or all) of this month’s rags as they came out, and you’re regulating Win7 or Server 2008 R2, we might be stranded in a really formidable spot.
The ongoing Win7/Server 2008 R2 nightmare
Microsoft’s Keystone Kops act returned with a reprisal this month, kicked off by a bug in last month’s 64-bit Win7 Monthly Rollup that knocked some Network Interface Cards and some machines with manually set IP addresses off their networks. Microsoft fixed, afterwards re-fixed, afterwards pulled detached and re-fixed a bug, though a re-fix still has problems, even if we uninstall a strange fix. Got that? Naw, me neither.
Here’s a brief chronicle for 64-bit Win7 and Server 2008 R2 machines, for those who implement a Monthly Rollups (“Group A”). Thx to @abbodi86, @MrBrian and @PKCano, all of whom contributed to this simplified solution:
Step 1. Check your refurbish story to see if we have already commissioned this month’s Win7/Server 2008 R2 Monthly Rollup, KB 4093118. If we haven’t installed KB 4093118, you’re fine; ensue with a subsequent territory to implement a Apr Monthly Rollup, KB 4093118.
Step 2. You have (a presumably aged chronicle of) this month’s Monthly Rollup, KB 4093118. Uninstall KB 4093118. Then …
Step 2a. If we have a Mar Monthly Rollup, KB 4088875, uninstall it.
Step 2b. If we have a Carnak patch, KB 4099950, uninstall it.
Step 3. Just for good luck, reboot.
That’s a simplest method we know to make certain we eventually get a latest chronicle of a record called pci.sys, after we implement this month’s Monthly Rollup. You can follow along with a discussion, though a elementary fact is that Microsoft’s mucking with KB 4099950 metadata and re-re-releasing KB 4093118 can put we in a position where we have an old-fashioned chronicle of that pivotal file.
For those of we who are spitting in a patching god’s face and manually installing Security Only rags (the “Group B” approach), we wish we good and indicate we to @abbodi86’s instructions.
See how you’re ensue forward of a diversion if we didn’t implement any of this month’s patches?
Go forward and implement all superb Win10 patches. The initial set of Apr accumulative updates had some bad bugs, though those were bound in a versions expelled after in a month.
We’re saying a late-surfacing bug in KB 4018319 (Office 2016) and KB 4018288 (Office 2013) that means problems when opening files with embedded charts. Microsoft has not nonetheless officially concurred a bug.
Other than that, Susan Bradley’s Master Patch List says a Apr Office rags are OK.
Windows 7/Server 2008 R2
Before we implement this month’s Win7/Server 2008 R2 patches, make certain we use a above stairs to figure out if we have to uninstall anything before we proceed.
The patching settlement should be informed to many of you.
Step 1. Make a full complement picture backup before we implement a Apr patches.
There’s a non-zero possibility that a rags — even a latest, biggest rags of rags of rags — will hose your machine. Best to have a backup that we can reinstall even if your appurtenance refuses to boot. This, in further to a common need for System Restore points.
Step 2. For Win7 and 8.1
Microsoft is restraint updates to Windows 7 and 8.1 on new computers. If we are using Windows 7 or 8.1 on a PC that’s a year aged or less, follow a instructions in AKB 2000006 or @MrBrian’s outline of @radosuaf’s method to make certain we can use Windows Update to get updates applied.
If you’re really endangered about Microsoft’s snooping on we and wish to implement usually confidence patches, comprehend that a remoteness path’s removing some-more difficult. The aged “Group B” — confidence rags usually — isn’t dead, though it’s no longer within a grasp of standard Windows customers. If we insist on manually installing confidence rags only, follow a instructions in @PKCano’s AKB 2000003 and be wakeful of @MrBrian’s recommendations for stealing any neglected patches.
For many Windows 7 and 8.1 users, we suggest following AKB 2000004: How to request a Win7 and 8.1 Monthly Rollups. Realize that some or all of a approaching rags for Apr might not uncover adult or, if they do uncover up, might not be checked. DON’T CHECK any violent patches. Unless you’re really certain of yourself, DON’T GO LOOKING for additional patches. That ensue thar be tygers. If you’re going to implement a Apr patches, accept your lot in life, and don’t disaster with Mother Microsoft.
If we wish to minimize Microsoft’s snooping though still implement all of a offering patches, spin off a Customer Experience Improvement Program (Step 1 of AKB 2000007: Turning off a misfortune Windows 7 and 8.1 snooping) before we implement any patches. (Thx, @MrBrian.) If we see KB 2952664 (for Win7) or its Win8.1 cohort, KB 2976978 — a rags that so willingly make it easier to ascent to Win10 — uncheck them and widespread your appurtenance with garlic. Watch out for motorist updates — you’re distant improved off removing them from a manufacturer’s website.
After you’ve commissioned a latest Monthly Rollup, if you’re vigilant on minimizing Microsoft’s snooping, run by a stairs in AKB 2000007: Turning off a misfortune Win7 and 8.1 snooping. Realize that we don’t know what information Microsoft collects on Window 7 and 8.1 machines. But I’m starting to trust that information pushed to Microsoft’s servers for Win7 owners is impending that pushed in Win10.
Step 3. For Windows 10
If you’re using Win10 Creators Update, version 1703 (my stream preference), or version 1607, a Anniversary Update, and we wish to stay on 1607 or 1703 while those on 1709 get to eat Microsoft’s dog food, follow the instructions here to sentinel off a upgrade. As we go by a steps, keep in mind that Microsoft, uh, forgot to honor a “Current Branch for Business” environment — so we need to run a “feature update” (read: chronicle change) deferral setting, if we have one, all a ensue adult to 365. And wish that Microsoft doesn’t forget how to count to 365.
If you’re using an progressing chronicle of Win10, you’re fundamentally on your own. Microsoft doesn’t support we anymore.
If we have difficulty removing a latest accumulative refurbish installed, make certain you’ve checked your antivirus settings (see ProTip #2 above) and, if all is well, run the newly refurbished Windows Update Troubleshooter before inventing new epithets.
To get Windows 10 patched, go by a stairs in “8 stairs to implement Windows 10 rags like a pro.”
Thanks to a dozens of volunteers on AskWoody who minister mightily.
We’ve changed to MS-DEFCON 3 on the AskWoody Lounge.