Good things come to those who wait. If you resisted the drill sergeant scream of “GET THOSE PATCHES INSTALLED AS SOON AS THEY’RE OUT, MAGGOT!” you’re about to reap your just reward.
As is so often the case, the Patch Tuesday screams are something you should consider, but they’re hardly the final word. At this point, there’s a credible threat forming for Win7 and Server 2008 R2 machines — Total Meltdown is definitely coming — but the sky hasn’t fallen. There are no known Meltdown or Spectre exploits in the wild, and all of the hell unleashed by this month’s series of patches and re-patches and pre-appended re-re-patches primarily served as demonic theater to those of us who chose to wait.
I don’t know of any major exploits in the wild, as yet, that are blocked by the April patches. But you do need to patch sooner or later — and right now is as good a time as any.
If you waited, the way forward is clear. If you installed some (or all) of this month’s patches as they came out, and you’re using Win7 or Server 2008 R2, you may be stuck in a very difficult spot.
The ongoing Win7/Server 2008 R2 nightmare
Microsoft’s Keystone Kops act returned with a vengeance this month, kicked off by a bug in last month’s 64-bit Win7 Monthly Rollup that knocked some Network Interface Cards and some machines with manually set IP addresses off their networks. Microsoft fixed, then re-fixed, then pulled apart and re-fixed the bug, but the re-fix still has problems, even if you uninstall the original fix. Got that? Naw, me neither.
Here’s the short version for 64-bit Win7 and Server 2008 R2 machines, for those who install the Monthly Rollups (“Group A”). Thx to @abbodi86, @MrBrian and @PKCano, all of whom contributed to this simplified solution:
Step 1. Check your update history to see if you have already installed this month’s Win7/Server 2008 R2 Monthly Rollup, KB 4093118. If you haven’t installed KB 4093118, you’re fine; proceed with the next section to install the April Monthly Rollup, KB 4093118.
Step 2. You have (a possibly old version of) this month’s Monthly Rollup, KB 4093118. Uninstall KB 4093118. Then …
Step 2a. If you have the March Monthly Rollup, KB 4088875, uninstall it.
Step 2b. If you have the Carnak patch, KB 4099950, uninstall it.
Step 3. Just for good luck, reboot.
That’s the simplest sequence I know to make sure you ultimately get the latest version of a file called pci.sys, after you install this month’s Monthly Rollup. You can follow along with the discussion, but the simple fact is that Microsoft’s mucking with KB 4099950 metadata and re-re-releasing KB 4093118 can put you in a position where you have an outdated version of that key file.
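The check in Steps 1 to 3 above, as an added PowerShell example (not part of the original article and not a Microsoft tool): it reports which of the three KBs named in the steps are installed, prints the uninstall commands in the article's order, and shows the pci.sys version currently on disk. The function names and the pci.sys location under System32\drivers are assumptions of this example.

```powershell
# Added example: decision logic from Steps 1-3 for 64-bit Win7 / Server 2008 R2 (Group A).
# Written for PowerShell 2.0, which ships with Windows 7.

# KB numbers come from the article; the order is the article's uninstall order.
$aprilRollup = 'KB4093118'
$followUps   = @('KB4088875', 'KB4099950')   # Step 2a (March rollup), then Step 2b

function Test-Installed([string]$kb) {
    # Get-HotFix reads Win32_QuickFixEngineering; cross-check against
    # Control Panel > Installed Updates if a result looks wrong.
    $hit = Get-HotFix -Id $kb -ErrorAction SilentlyContinue
    return ($hit -ne $null)
}

function Get-UninstallPlan {
    # Step 1: without the April rollup there is nothing to uninstall.
    if (-not (Test-Installed $aprilRollup)) { return @() }
    # Step 2: April rollup first, then 2a and 2b if they are present.
    $plan = @($aprilRollup)
    foreach ($kb in $followUps) {
        if (Test-Installed $kb) { $plan += $kb }
    }
    return $plan
}

$plan = @(Get-UninstallPlan)
if ($plan.Count -eq 0) {
    Write-Output "$aprilRollup not found: nothing to uninstall, go on to install the April rollup."
} else {
    Write-Output 'Uninstall in this order, then reboot (Step 3):'
    foreach ($kb in $plan) {
        # Print the command instead of running it, so it can be reviewed first.
        $num = $kb -replace '^KB', ''
        Write-Output "  wusa.exe /uninstall /kb:$num /norestart"
    }
}

# pci.sys version on disk now, to compare after the rollup is reinstalled.
$pci = Join-Path $env:SystemRoot 'System32\drivers\pci.sys'
if (Test-Path $pci) {
    Write-Output ('pci.sys file version: ' + (Get-Item $pci).VersionInfo.FileVersion)
}
```

Run it from an elevated prompt before and after reinstalling the rollup; the article gives no target pci.sys version, so the script only reports the value for comparison.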
For those of you who are spitting in the patching god’s face and manually installing Security Only patches (the “Group B” approach), I wish you well and point you to @abbodi86’s instructions.
See how you’re way ahead of the game if you didn’t install any of this month’s patches?
Go ahead and install all outstanding Win10 patches. The first set of April cumulative updates had some bad bugs, but those were fixed in the versions released later in the month.
We’re seeing a late-surfacing bug in KB 4018319 (Office 2016) and KB 4018288 (Office 2013) that causes problems when opening files with embedded charts. Microsoft has not yet officially acknowledged the bug.
Other than that, Susan Bradley’s Master Patch List says the April Office patches are OK.
Windows 7/Server 2008 R2
Before you install this month’s Win7/Server 2008 R2 patches, make sure you use the above steps to figure out if you have to uninstall anything before you proceed.
The patching pattern should be familiar to many of you.
Step 1. Make a full system image backup before you install the April patches.
There’s a non-zero chance that the patches — even the latest, greatest patches of patches of patches — will hose your machine. Best to have a backup that you can reinstall even if your machine refuses to boot. This, in addition to the usual need for System Restore points.
Step 2. For Win7 and 8.1
Microsoft is blocking updates to Windows 7 and 8.1 on recent computers. If you are running Windows 7 or 8.1 on a PC that’s a year old or less, follow the instructions in AKB 2000006 or @MrBrian’s summary of @radosuaf’s method to make sure you can use Windows Update to get updates applied.
If you’re very concerned about Microsoft’s snooping on you and want to install just security patches, realize that the privacy path’s getting more difficult. The old “Group B” — security patches only — isn’t dead, but it’s no longer within the grasp of typical Windows customers. If you insist on manually installing security patches only, follow the instructions in @PKCano’s AKB 2000003 and be aware of @MrBrian’s recommendations for hiding any unwanted patches.
For most Windows 7 and 8.1 users, I recommend following AKB 2000004: How to apply the Win7 and 8.1 Monthly Rollups. Realize that some or all of the expected patches for April may not show up or, if they do show up, may not be checked. DON’T CHECK any unchecked patches. Unless you’re very sure of yourself, DON’T GO LOOKING for additional patches. That way thar be tygers. If you’re going to install the April patches, accept your lot in life, and don’t mess with Mother Microsoft.
If you want to minimize Microsoft’s snooping but still install all of the offered patches, turn off the Customer Experience Improvement Program (Step 1 of AKB 2000007: Turning off the worst Windows 7 and 8.1 snooping) before you install any patches. (Thx, @MrBrian.) If you see KB 2952664 (for Win7) or its Win8.1 cohort, KB 2976978 — the patches that so helpfully make it easier to upgrade to Win10 — uncheck them and spread your machine with garlic. Watch out for driver updates — you’re far better off getting them from a manufacturer’s website.
After you’ve installed the latest Monthly Rollup, if you’re intent on minimizing Microsoft’s snooping, run through the steps in AKB 2000007: Turning off the worst Win7 and 8.1 snooping. Realize that we don’t know what information Microsoft collects on Windows 7 and 8.1 machines. But I’m starting to believe that information pushed to Microsoft’s servers for Win7 owners is nearing that pushed in Win10.
Step 3. For Windows 10
If you’re running Win10 Creators Update, version 1703 (my current preference), or version 1607, the Anniversary Update, and you want to stay on 1607 or 1703 while those on 1709 get to eat Microsoft’s dog food, follow the instructions here to ward off the upgrade. As you go through the steps, keep in mind that Microsoft, uh, forgot to honor the “Current Branch for Business” setting — so you need to run the “feature update” (read: version change) deferral setting, if you have one, all the way up to 365. And hope that Microsoft doesn’t forget how to count to 365.
If you’re running an earlier version of Win10, you’re basically on your own. Microsoft doesn’t support you anymore.
If you have trouble getting the latest cumulative update installed, make sure you’ve checked your antivirus settings (see ProTip #2 above) and, if all is well, run the newly refurbished Windows Update Troubleshooter before inventing new epithets.
To get Windows 10 patched, go through the steps in “8 steps to install Windows 10 patches like a pro.”
Thanks to the dozens of volunteers on AskWoody who contribute mightily.
We’ve moved to MS-DEFCON 3 on the AskWoody Lounge.