It’s time to install the May Windows and Office patches

Credit to Author: Woody Leonhard | Date: Tue, 04 Jun 2019 05:08:00 -0700

May 2019 will go down in the annals of Patch-dom as the month we all ran for cover to fend off another WannaCry-caliber worm, but a convincing exploit never emerged.

Microsoft officially released Windows 10 version 1903 on May 21, but I haven’t yet heard from anyone who’s been pushed. All of the complaints I hear are from those “seekers” who went to the download site and installed 1903 with malice and forethought. A triumph of hope over experience.

This month, if you let Windows Update have its way on your machine, you may end up with a different build number than the person sitting next to you. Blame the gov.uk debacle for that: Folks with Windows set up for U.K. English get an extra cumulative update pushed onto their machines, whilst those who don’t fly the Union Jack will get the fix in due course next month.

Remember the “wormable” Remote Desktop security hole that was going to bring down all older Windows machines? As of this writing, early Tuesday morning, there are exactly no known exploits. Lots of people have tried. Plenty of people are selling snake oil. But nobody has yet figured out how to exploit BlueKeep in order to run a nasty program.

Before you feel too smug, realize that I continue to recommend that you install the latest Windows 7, XP, Vista, Server 2003, 2008 or 2008 R2 patches. I’m convinced a weapons-grade BlueKeep attack is on the way, and your only gold-standard defense is to fix the bug in Microsoft’s Remote Desktop Protocol.

Tell your friends. This is the real thing.

Once again this month, you should studiously avoid KB 4493132, a Windows 7 patch that does nothing but nag you to move to Windows 10.

Windows 10 version 1903 has one truly important new feature: The ability to push off updates. That may be the single most important new feature in Windows 10 since it was released almost four years ago. We still haven’t seen the feature in real-life action, and there’s some ambiguity between the descriptions and the settings, but I have great hope.

Don’t make the mistake of jumping in right now before Microsoft has a chance to iron out the inevitable problems. At the very least, you should wait until Microsoft declares that version 1903 is stable enough for broad deployment in large organizations.

There’s supposed to be a “Download and install now” link arriving soon in Win10 1803 and 1809 to give you some control over when the upgrade to 1903 gets pushed onto your machine. Unfortunately, there’s also a promise from Microsoft that it’ll start pushing 1903 onto 1803 machines this month. We still don’t know when the 1803-to-1903 forced upgrades will start, and we don’t know how hard Microsoft will push.

Stay tuned.

Here’s how to get your system updated the (relatively) safe way.

Step 1: Make a full system image backup before you install the latest patches.

There’s a non-zero chance that the patches — even the latest, greatest patches of patches of patches — will hose your machine. Best to have a backup that you can reinstall even if your machine refuses to boot. This, in addition to the usual need for System Restore points.

There are plenty of full-image backup products, including at least two good free ones: Macrium Reflect Free and EaseUS Todo Backup. For Windows 7 users, if you aren’t making backups regularly, take a look at this thread started by Cybertooth for details. You have good options, both free and not-so-free.

Step 2a: For Windows XP, Server 2003, and Embedded POSReady 2009

Manually download and install KB 4500331. In the Microsoft Update Catalog listing, find the version of Windows XP that concerns you and on the right, click Download. Choose the language that you’re using, and click on the link underneath that language. Click Save File. When the windowsxp-kb4500331-blah-blah.exe file has downloaded, double-click on it and stand back.

Step 2b: For Windows 7 and 8.1

If you have McAfee Endpoint Security, make sure it’s up to date. Microsoft says it’s still having problems with McAfee.

Microsoft is blocking updates to Windows 7 and 8.1 on recent computers. If you are running Windows 7 or 8.1 on a PC that’s 24 months old or newer, follow the instructions in AKB 2000006 or @MrBrian’s summary of @radosuaf’s method to make sure you can use Windows Update to get updates applied.

If you’re very concerned about Microsoft’s snooping on you and want to install just security patches, realize that the privacy path’s getting more difficult. The old “Group B” — security patches only — isn’t dead, but it’s no longer within the grasp of typical Windows customers. If you insist on manually installing security patches only, follow the instructions in @PKCano’s AKB 2000003 and be aware of @MrBrian’s recommendations for hiding any unwanted patches.

For most Windows 7 and 8.1 users, I recommend following AKB 2000004: How to apply the Win7 and 8.1 Monthly Rollups. Realize that some or all of the expected patches for May may not show up, or if they do show up, they may not be checked. DON’T CHECK any unchecked patches. Unless you’re very sure of yourself, DON’T GO LOOKING for additional patches. In particular, if you install the May Monthly Rollups or Cumulative Updates, you won’t need (and probably won’t see) the concomitant patches for April. Don’t mess with Mother Microsoft.

If you see KB 4493132, the “Get Windows 10” nag patch, make sure it’s unchecked.

Watch out for driver updates — you’re far better off getting them from a manufacturer’s website.

After you’ve installed the latest Monthly Rollup, if you’re intent on minimizing Microsoft’s snooping, run through the steps in AKB 2000007: Turning off the worst Win7 and 8.1 snooping. If you want to thoroughly cut out the telemetry, see @abbodi86’s detailed instructions in AKB 2000012: How To Neutralize Telemetry and Sustain Windows 7 and 8.1 Monthly Rollup Model.

Realize that we don’t know what information Microsoft collects on Windows 7 and 8.1 machines. But I’d be willing to bet that fully-updated Win7 and 8.1 machines are leaking almost as much personal info as that pushed in Windows 10.

Step 3: For Windows 10

If you want to stick with your current version of Windows 10 — a reasonable alternative — you can follow my advice from February and set “quality update” (cumulative update) deferrals to 15 days, per the screenshot below. If you have quality updates set to 15 days, your machine already updated itself on May 29. Don’t touch a thing and in particular don’t click Check for updates.

For the rest of you, including those of you stuck with Win10 Home, go through the steps in “8 steps to install Windows 10 patches like a pro.” Make sure that you run Step 3 to hide any updates you don’t want (such as the Windows 10 1809 upgrade or any driver updates for non-Microsoft hardware) before proceeding.

When we have more experience with the new settings in Windows 10 1903, I’ll update these steps specifically for 1903. Until then, we’re watching and waiting, to see how things really work — and in the interim, these steps should work just fine in 1903. Stay tuned for details.

Thanks to the dozens of volunteers on AskWoody who contribute mightily, especially @sb, @PKCano, @abbodi86 and many others.

We’ve moved to MS-DEFCON 4 on the AskWoody Lounge.
