Get the March patches for your Windows machines installed, but watch out for Win7

With Patch Tuesday right around the corner, it’s time to salvage the fixed parts of March’s patches and get them applied. Win7/Server 2008 R2 customers have to choose between a gaping security hole and even more bugs. Here's what you need to know.

patch on top of Windows logo
Thinkstock/Microsoft

The quality of March’s patches set new lows, even by Windows’ tarnished standards. The Win10 patches flew fast and furious, with new Microsoft-induced bugs introduced and swatted multiple times over the month. The Word 2016 security patch demands that you first install the Word 2016 non-security patch, or Word refuses to open files. That bug hasn’t been fixed. Windows 8.1/Server 2012R2 escaped relatively unscathed. Server 2008 got a fix for its buggy patch, KB 4090450, on April 3. But Windows 7… ah, that’s a dying horse of a completely different color.

The fur’s flying so fast and thick that it’s hard to pick an auspicious point in time to get patched up, but now seems as opportune a moment as any. Except for Win7. If you’re still using Win7 — and about half of the Windows world is — you have a difficult choice to make.

The Windows 7/Server 2008 R2 nightmare

You can read some of the historic details here, but the short version goes like this:

As of this moment, EVERY Windows 7 / Server 2008 R2 64-bit patch released this year opens a gaping security hole commonly called “Total Meltdown.” In addition, recent patches have a healthy collection of bugs that range from blue screens (STOP messages), to blocking Internet Explorer 11, to a particularly debilitating bug for folks running servers that leads to lockups due to SMB leaks.

Microsoft has released a fix for the Total Meltdown hole, but installing it brings along many of those creepy bugs.

The 32-bit version of Win7 doesn’t seem to have the same problems, but I’m seeing reports of blue screens after installing the 32-bit version of the Win7 Security-only update.

Realize this drama unfolded over weeks of bad patches, re-patches, re-re-patches, appended patches, surprise patch confessions, patched surprise patch confessions, and documentation that comes from a demonstrably unparallel dimension. Even now, on the Friday before Patch Tuesday, we have a warning of yet another patch in the offing that hasn’t been released as yet, and it isn’t completely clear how (or if) Microsoft will fix the ongoing NIC/static IP address bug.

The unsteady state of Windows patches

The Windows 7/Server 2008 R2 inanity has been surrounded by on-again, off-again patches, like evil sprites prancing around a Win7 bonfire. At any given moment, on any given machine, one or some or all of the March Win7 patches may be offered through Windows Update. A different set of patches may or may not be offered through enterprise update servers (WSUS or SCCM). And for those who defy the automatic update gods and install patches manually, unknown conflicts and hidden prerequisites abound.

Against that demonic backdrop, I offer the following recommendations…

Windows 10

Go ahead and install all outstanding Win10 patches. They were re-released and re-re-released in March, and the current versions appear to be working OK. Heaven only knows what’s going to happen on April Patch Tuesday, so get the patches squared away now.

What about upgrading to Win10 1709?

I’ve thought long and hard about whether to recommend that Win10 Creators Update (version 1703) customers upgrade to Win10 Fall Creators Update (version 1709). It looks like Microsoft has pushed about 90% of all Win10 1703 users on to 1709 — forcibly in some cases. And 1803 appears to be ready to launch next Tuesday. So if you’re so inclined, the time to move to 1709 is now, unless you want to quickly squirrel away a copy of 1709 to install at a later date — but you need to do that in the next few days.

Personally, I’m not going to bother with 1709. The new features aren’t worth a second glance for most (3D this 'n' that, keyboard emojis, Controlled Folder Access — which is so intrusive that I disabled it immediately). I’d consider moving to 1709 for the OneDrive Files on Demand feature, but I use Dropbox and Google Drive much more than OneDrive.

If you feel bold enough to move to 1709 on your own terms, not Microsoft’s, now’s the time to roll the Defer feature updates setting (Start > Settings > Update & security > Advanced Options) down to 0. Let the Fall Creators Update engulf you. As for me and  mine, meh, I’m sticking with 1703.

Office

That bug in the Word 2016 security patch, KB 4011730, hasn’t been fixed: If you install it, you need to get the non-security patch, KB 4018295, too. Otherwise, you won’t be able to open or save Word documents.

Other than that, Susan Bradley’s Master Patch List says the March Office patches are OK.

Windows 7/Server 2008 R2

“You gotta ask yourself one question: Do I feel lucky?”

There’s no clearcut right-or-wrong answer to the patching question of the month: Should you patch Win7 or just let sleeping dogs lie? I’ve struggled with scenarios and arguments both for and against installing the mammoth list of buggy March Win7 patches. No luck. Here’s the best I could come up with:

  • If you’re willing to wade through the hassles — blue screens, leaky memory, and a cornucopia of additional bugs — go ahead and install all of the CHECKED Windows updates. Realize that your machine may slow down, even if it’s still going strong after the January and February patches (see the next section).
  • If you don’t need the headache, and you’re reasonably sure nobody’s going to attack you with a Total Meltdown push*, don’t do anything. Don’t install any of the March patches.
  • Otherwise, take Susan Bradley’s advice and roll back your machine to its state before the patching insanity started in January. You’ll lose some worthwhile fixes, but at least you won’t be wide open to Total Meltdown.

*The Total Meltdown attacks, when they come, will rely on infected web pages and files you receive from the web. At least, that’ll be the first wave. Of course, we’ll be watching intently and screaming bloody murder should something untoward happen, both on AskWoody and Computerworld. With a little luck, you’ll have enough advance warning that you can get all of the March patches installed in time. Or maybe Microsoft will clean up its Win7 act for the April round of patches. Hope springs eternal.

Impact on performance

If your machine slows down noticeably after March’s patches (or any of the January or February patches), you can disable many of the fixes and see if your machine speeds back up. Microsoft has instructions. Steve Gibson’s InSpectre tool automates much of it.

Don’t forget: There are no known exploits for Meltdown or Spectre in the wild. None. Zero. Never have been.

How to patch with verve and alacrity

The patching pattern should be familiar to many of you.

Step 1. For Win7 and 8.1, make sure your antivirus is copacetic with this month’s patches.

If you’re running Win7 or 8.1, you still need to have a reasonably recent version of your antivirus software. If you’re running Windows Defender/Microsoft Security Essentials, you’re fine. If you want to check to see if your machine, specifically, is ready for the March patches, follow the steps posted by SueW on AskWoody.com

Starting next month, it looks as if this step will no longer be necessary for Win7 and 8.1. It’s already been waived for Win10.

Step 2. Make a full system image backup before you install the January patches.

There’s a non-zero chance that the patches — even the latest, greatest patches of patches of patches — will hose your machine. Best to have a backup that you can reinstall even if your machine refuses to boot. This, in addition to the usual need for System Restore points.

There are plenty of full-image backup products, including at least two good free ones: Macrium Reflect Free and EaseUS Todo Backup.

Step 3. For Win7 and 8.1

Microsoft is blocking updates to Windows 7 and 8.1 on recent computers. If you are running Windows 7 or 8.1 on a PC that’s a year old or less, follow the instructions in AKB 2000006 or @MrBrian’s summary of @radosuaf’s method to make sure you can use Windows Update to get updates applied.

If you’re very concerned about Microsoft’s snooping on you and want to install just security patches, realize that the privacy path’s getting more difficult. The old “Group B” — security patches only — isn’t dead, but it’s no longer within the grasp of typical Windows customers. If you insist on manually installing security patches only, follow the instructions in @PKCano’s AKB 2000003 and be aware of @MrBrian’s recommendations for hiding any unwanted patches.

For most Windows 7 and 8.1 users, I recommend following AKB 2000004: How to apply the Win7 and 8.1 Monthly Rollups. Realize that some or all of the expected patches for March may not show up or, if they do show up, may not be checked. DON'T CHECK any unchecked patches. Unless you're very sure of yourself, DON'T GO LOOKING for additional patches. That way thar be tygers. If you're going to install the March patches, accept your lot in life, and don't mess with Mother Microsoft.

If you want to minimize Microsoft’s snooping but still install all of the offered patches, turn off the Customer Experience Improvement Program (Step 1 of AKB 2000007: Turning off the worst Windows 7 and 8.1 snooping) before you install any patches. (Thx, @MrBrian.) If you see KB 2952664 (for Win7) or  its Win8.1 cohort, KB 2976978 — the patches that so helpfully make it easier to upgrade to Win10 — uncheck them and spread your machine with garlic. Watch out for driver updates — you’re far better off getting them from a manufacturer’s website.

After you’ve installed the latest Monthly Rollup, if you’re intent on minimizing Microsoft’s snooping, run through the steps in AKB 2000007: Turning off the worst Win7 and 8.1 snooping. Realize that we don’t know what information Microsoft collects on Window 7 and 8.1 machines. But I’m starting to believe that information pushed to Microsoft’s servers for Win7 owners is nearing that pushed in Win10.

Step 4. For Windows 10

If you’re running Win10 Creators Update, version 1703 (my current preference), or version 1607, the Anniversary Update, and you want to stay on 1607 or 1703 while those on 1709 get to eat Microsoft’s dog food, follow the instructions here to ward off the upgrade. As you go through the steps, keep in mind that Microsoft, uh, forgot to honor the “Current Branch for Business” setting — so you need to run the “feature update” (read: version change) deferral setting, if you have one, all the way up to 365. And hope that Microsoft doesn’t forget how to count to 365.

If you’re running an earlier version of Win10, you’re basically on your own. Microsoft doesn't support you anymore.

If you have trouble getting the latest cumulative update installed, make sure you’ve checked your antivirus settings (see ProTip #2 above) and, if all is well, run the newly refurbished Windows Update Troubleshooter before inventing new epithets.

To get Windows 10 patched, go through the steps in "8 steps to install Windows 10 patches like a pro."

What about Win10 version 1803?

Yes, that’s on the horizon. The next “feature update” for Win10 will likely arrive on April 10. As with all new versions of Windows, it would be a bit, uh, presumptuous to install it before the unpaid beta testers take a whack at it. Listen to ‘em whine, whine, whine. With apologies to Jan and Dean.

I’ll have full instructions for blocking the update to Win10 1803 coming early next week. But I’ll leave you with this little Protip: If you rely on Microsoft’s Win10 Pro Advanced Options to ward off the update, you’re setting yourself up for a big surprise. Don’t forget that Microsoft pushed Win10 1709 onto machines that had it blocked three times in the past six months — and that most Win10 machines now have an official backdoor for version updates.

Gotcha.

Thanks to the dozens of volunteers on AskWoody who contribute mightily.

We’ve moved to MS-DEFCON 3 on the AskWoody Lounge.

First look: Office 2019’s likeliest new features
  
Shop Tech Products at Amazon