It’s time to install the March Windows and Office patches

With one important exception and a few niggling details, the March patches for Windows and Office are ready to go. Here’s how to get them installed safely.

putting on a band-aid patch with binary code
Thinkstock

Microsoft’s March patches are in reasonably good shape, as I explained earlier this week. Since that relatively clean bill of health, we’ve had some clarification about the missing second March cumulative update for Win10 version 1809: Yesterday, Microsoft tested another iteration of the long-anticipated update in the Windows Insider Release Preview ring. It’s identified as KB4490481 and it raises the Win10 1809 build number up to 17763.404.

Mere muggles can’t get 17763.404 yet — although that may change later today — but the fact that Microsoft’s taking its time to get it right counts for a lot. Remember that Win10 version 1809 is the first of the magic extended support versions, where Microsoft pledges Enterprise customers support for a full 30 months (see Gregg Keizer’s explanation).

For those of you rushing to join the beta ring, there’s also a new Servicing Stack Update for 1809 on the Release Preview Ring, KB 4493510. Look for it to arrive “for real” next week.

The one Win7 patch to avoid

The only patch this month that you should studiously avoid is KB 4493132, a Win7 patch that does nothing but nag you to move to Windows 10.

It may be time for 1809

Although there are acknowledged problems with Win10 version 1809, they’re relatively minor. Given that Win10 version 1903 is nipping on our heels, I’m upgrading my Win10 machines to 1809. Better the devil ye ken.

If you want to stay with 1803, it’s hard to blame you — the list of new features in 1809 reads like the ingredients list for a bottle of water. Mostly, if you move to 1809, you’re buying yourself six more months before you have to upgrade. Again.

1803 feature deferral at zero Woody Leonhard/IDG

The safest way to move to 1809 is to run the “feature update” deferral down to zero and wait for Microsoft to take over. (See general instructions here.) That way the monkey’s on Microsoft’s back to make sure your machine is ready for 1809. Put the branch readiness level at “Semi-Annual Channel,” turn the feature update deferral to 0, and wait. If Microsoft figures your machine can take it, you’ll get 1809 sooner or later. But you won’t get 1903.

Why? Even though Microsoft has changed the terminology, we’re assured “Semi-Annual Channel” will keep new versions off your machine until at least 60 days after release — which is plenty long enough to dodge 1903.

Yes, you do need a secret decoder ring these days to understand the bafflegab.

Update

Here’s how to get your system updated the (relatively) safe way.

Step 1. Make a full system image backup before you install the March patches.

There’s a non-zero chance that the patches — even the latest, greatest patches of patches of patches — will hose your machine. Best to have a backup that you can reinstall even if your machine refuses to boot. This, in addition to the usual need for System Restore points.

There are plenty of full-image backup products, including at least two good free ones: Macrium Reflect Free and EaseUS Todo Backup. For Win 7 users, If you aren’t making backups regularly, take a look at this thread started by Cybertooth for details. You have good options, both free and not-so-free.

Step 2. For Win7 and 8.1

Microsoft is blocking updates to Windows 7 and 8.1 on recent computers. If you are running Windows 7 or 8.1 on a PC that’s 18 months old or newer, follow the instructions in AKB 2000006 or @MrBrian’s summary of @radosuaf’s method to make sure you can use Windows Update to get updates applied.

If you’re very concerned about Microsoft’s snooping on you and want to install just security patches, realize that the privacy path’s getting more difficult. The old “Group B” — security patches only — isn’t dead, but it’s no longer within the grasp of typical Windows customers. If you insist on manually installing security patches only, follow the instructions in @PKCano’s AKB 2000003 and be aware of @MrBrian’s recommendations for hiding any unwanted patches.

For most Windows 7 and 8.1 users, I recommend following AKB 2000004: How to apply the Win7 and 8.1 Monthly Rollups. Realize that some or all of the expected patches for March may not show up or, if they do show up, may not be checked. DON'T CHECK any unchecked patches. Unless you're very sure of yourself, DON'T GO LOOKING for additional patches. In particular, if you install the March Monthly Rollups or Cumulative Updates, you won’t need (and probably won’t see) the concomitant patches for January or February. Don't mess with Mother Microsoft.

If you see KB 4493132, the “Get Windows 10” nag patch, make sure it’s unchecked. Yes, it'll keep trying to install itself. No, you don't want it.

Watch out for driver updates — you’re far better off getting them from a manufacturer’s website.

After you’ve installed the latest Monthly Rollup, if you’re intent on minimizing Microsoft’s snooping, run through the steps in AKB 2000007: Turning off the worst Win7 and 8.1 snooping. If you want to thoroughly cut out the telemetry, see @abbodi86’s detailed instructions in AKB 2000012: How To Neutralize Telemetry and Sustain Windows 7 and 8.1 Monthly Rollup Model.

Realize that we don’t know what information Microsoft collects on Window 7 and 8.1 machines. But I’m starting to believe that information pushed to Microsoft’s servers for Win7 owners is almost as extensive as that pushed in Win10.

Step 3. For Windows 10

You can follow the steps at the beginning of this article to leave your machine open for updating to Win10 version 1809 (my new current preference), if you like. When Win10 version 1903 appears we’ll have full instructions for blocking it. Of course, all bets are off if Microsoft, uh, forgets to honor its own settings.

If you want to stick with your current version of Win10 — a reasonable alternative — you can follow my advice from February and set "feature update" deferrals to 120 days or so and “quality update” (cumulative update) deferrals to 15 days, per the screenshot. If you have quality updates set to 15 days, your machine already updated itself on March 27th. Don’t touch a thing and in particular don’t click Check for updates.

1809 advanced updates Woody Leonhard

For the rest of you, including those of you stuck with Win10 Home, go through the steps in "8 steps to install Windows 10 patches like a pro." Make sure that you run Step 3, to hide any updates you don’t want (such as any driver updates for non-Microsoft hardware) before proceeding.

Thanks to the dozens of volunteers on AskWoody who contribute mightily, especially @sb, @PKCano, @abbodi86 and many others.

We’ve moved to MS-DEFCON 4 on the AskWoody Lounge.

8 highly useful Slack bots for teams
  
Shop Tech Products at Amazon