Now’s the time to install the April Windows and Office patches

With one final April patch delivered in May, the time looks ripe to install last month’s patches. One antivirus manufacturer has a significant disagreement with Microsoft about the April patches, but you can easily bypass the problem — if you know the trick.

Windows logo overlaying hand with band-aid patch
Thinkstock/Microsoft

April was a tough month for Win 7, 8.1, Server 2008 R2, 2012 and 2012 R2 customers who ran specific antivirus products. Blue screens, freezes, slow-as-sludge drippings all bedeviled a large number of Sophos, Avira, Avast, AVG and even McAfee users.

Looks like we’re over that hump, with the AV manufacturers scurrying to fix their wares.

Current state of AV

Microsoft claims that it has “mitigated” (interesting choice of terminology) the blue screens and freezes with certain Sophos, McAfee and Avast (including AVG) products. In fact, if you check with the individual manufacturers' websites, they all claim to have shipped and installed fixes of various types that will allow Monthly Rollups and Security-only patches to proceed without gumming up the works.

The one holdout? Avira. It’s a particularly interesting exception because Avira has claimed from the start that the April Win10 version 1809 cumulative update also clogged up the works with its antivirus product. I’ve seen rumors — but no definitive confirmation — that other AV products have had the same problem.

At any rate, Avira at this point says it’s fixed everything:

We have looked into the issue… and have found a way to fix it. We have recently released an update that should fix this issue. Your Avira Product will be automatically updated, and you don’t have to do anything else in the product.

In a private communication, an Avira spokesperson says that Microsoft is no longer blocking the problematic patches on machines running Avira.

Microsoft has a contrary opinion:

Microsoft has temporarily blocked devices from receiving this update if Avira antivirus software is installed. … We are presently investigating this issue with Avira and will provide an update when available.

There’s no mention on the Microsoft sites about slowdowns with the Win10 1809 patch.

At this point, your best bet is to get Avira updated — manually if need be — and move on. I'd be willing to bet that the patches will install on updated Avira machines. (If you discover something contrary, hit me on AskWoody.com!)

This whole incident left a bad taste in my mouth. As I mentioned before, whoever made the decision to release the six (now nine) problematic Windows patches either:

  1. Didn’t know they’d wreak havoc on millions of computers, or
  2. Didn’t care

You can choose which one’s worse.

More than that, the incident(s) exposed a bizarre behavior with Avast/AVG products: In order to update the software, you’re supposed to turn on your machine and do nothing for 15 minutes, while the AV package updates itself. As an anonymous poster on AskWoody put it:

I have AVG and I have many items blocked in the firewall. Avast / AVG needs to have a way to manually download the patch from the AVG support download site and they need a warning to the person that an AVG update is about to commence, unblock or allow the files and registry keys to be modified. Updating in the background when the operator is away is not a good idea. Avast / AVG should be more transparent.

The one Win7 patch to avoid

Once again this month, you should studiously avoid KB 4493132, a Win7 patch that does nothing but nag you to move to Windows 10. Looks like the nag hasn’t had much effect, but why install it in the first place?

It may be time for 1809

Although there are acknowledged problems with Win10 version 1809, they’re relatively minor. Given that Win10 version 1903 is nipping on our heels, I’m upgrading my Win10 machines to 1809. Better the devil ye ken.

If you want to stay with 1803, it’s hard to blame you — the list of new features in 1809 reads like the ingredients list for a bottle of water. Mostly, if you move to 1809, you’re buying yourself six more months before you have to upgrade. Again.

1803 feature deferral at zero Woody Leonhard/IDG

The safest way to move to 1809 is to run the “feature update” deferral down to zero and wait for Microsoft to take over. (See general instructions here.) That way the monkey’s on Microsoft’s back to make sure your machine is ready for 1809. Put the branch readiness level at “Semi-Annual Channel,” turn the feature update deferral to 0, and wait. If Microsoft figures your machine can take it, you’ll get 1809 sooner or later. But you won’t get 1903.

Why? Even though Microsoft has changed the terminology, we’re assured “Semi-Annual Channel” will keep new versions off your machine until at least 60 days after release — and we’re told that 1903 won’t be released until the end of May.

We've also been promised that Win10 1803 will sprout a new "Download and install" link — likely for both Home and Pro — by late May. We still haven't seen it in action, but if it works as promised, that'll be an enormous improvement over the blind-men-and-elephant approach we have right now.

Update

Here’s how to get your system updated the (relatively) safe way.

Step 1. Make a full system image backup before you install the latest patches.

There’s a non-zero chance that the patches — even the latest, greatest patches of patches of patches — will hose your machine. Best to have a backup that you can reinstall even if your machine refuses to boot. This, in addition to the usual need for System Restore points.

There are plenty of full-image backup products, including at least two good free ones: Macrium Reflect Free and EaseUS Todo Backup. For Win 7 users, If you aren’t making backups regularly, take a look at this thread started by Cybertooth for details. You have good options, both free and not-so-free.

Step 2. For Win7 and 8.1

If you have an antivirus product from Sophos, Avira, Avast, AVG or McAfee, make sure it’s up-to-date. Each product’s different. Yes, I know that many products from those vendors don’t have any problems — but it’s better to get buckled up anyway.

Microsoft is blocking updates to Windows 7 and 8.1 on recent computers. If you are running Windows 7 or 8.1 on a PC that’s 18 months old or newer, follow the instructions in AKB 2000006 or @MrBrian’s summary of @radosuaf’s method to make sure you can use Windows Update to get updates applied.

If you’re very concerned about Microsoft’s snooping on you and want to install just security patches, realize that the privacy path’s getting more difficult. The old “Group B” — security patches only — isn’t dead, but it’s no longer within the grasp of typical Windows customers. If you insist on manually installing security patches only, follow the instructions in @PKCano’s AKB 2000003 and be aware of @MrBrian’s recommendations for hiding any unwanted patches.

For most Windows 7 and 8.1 users, I recommend following AKB 2000004: How to apply the Win7 and 8.1 Monthly Rollups. Realize that some or all of the expected patches for April may not show up or, if they do show up, may not be checked. DON'T CHECK any unchecked patches. Unless you're very sure of yourself, DON'T GO LOOKING for additional patches. In particular, if you install the April Monthly Rollups or Cumulative Updates, you won’t need (and probably won’t see) the concomitant patches for March. Don't mess with Mother Microsoft.

If you see KB 4493132, the “Get Windows 10” nag patch, make sure it’s unchecked.

Watch out for driver updates — you’re far better off getting them from a manufacturer’s website.

After you’ve installed the latest Monthly Rollup, if you’re intent on minimizing Microsoft’s snooping, run through the steps in AKB 2000007: Turning off the worst Win7 and 8.1 snooping. If you want to thoroughly cut out the telemetry, see @abbodi86’s detailed instructions in AKB 2000012: How To Neutralize Telemetry and Sustain Windows 7 and 8.1 Monthly Rollup Model.

Realize that we don’t know what information Microsoft collects on Window 7 and 8.1 machines. But I’d be willing to bet that fully-updated Win7 and 8.1 machines are leaking almost as much personal info as that pushed in Win10.

Step 3. For Windows 10

You can follow the steps at the beginning of this article to leave your machine open for updating to Win10 version 1809 (my new current preference). When Win10 version 1903 appears we’ll have full instructions for blocking it. Of course, all bets are off if Microsoft, uh, forgets to honor its own settings.

If you want to stick with your current version of Win10 — a reasonable alternative — you can follow my advice from February and set “quality update” (cumulative update) deferrals to 15 days, per the screenshot. If you have quality updates set to 15 days, your machine already updated itself on April 24. Don’t touch a thing and in particular don’t click Check for updates.

1809 feature update 180 days Woody Leonhard/IDG

For the rest of you, including those of you stuck with Win10 Home, go through the steps in "8 steps to install Windows 10 patches like a pro." Make sure that you run Step 3, to hide any updates you don’t want (such the Win10 1809 upgrade or any driver updates for non-Microsoft hardware) before proceeding.

These steps will change drastically when Win10 1903 starts rolling out, particularly if Microsoft keeps its promise about "Download and install now." Stay tuned for details.

Thanks to the dozens of volunteers on AskWoody who contribute mightily, especially @sb, @PKCano, @abbodi86 and many others.

We’ve moved to MS-DEFCON 4 on the AskWoody Lounge.

Copyright © 2019 IDG Communications, Inc.

Where does this document go — OneDrive for Business or SharePoint?
  
Shop Tech Products at Amazon