![](\"https:\/\/images.idgesg.net\/images\/article\/2017\/09\/windows_patch_security2-100734733-large.3x2.jpg\"\/)
<\/p>\n<\/p>\n
Credit to Author: Woody Leonhard| Date: Fri, 03 May 2019 07:04:00 -0700<\/strong><\/p>\n April was a <\/span>tough month<\/span><\/a> for Win 7, 8.1, Server 2008 R2, 2012 and 2012 R2 customers who ran specific antivirus products. Blue screens, freezes, slow-as-sludge drippings all bedeviled a large number of Sophos, Avira, Avast, AVG and even McAfee users. <\/span><\/p>\n Looks like we\u2019re over that hump, with the AV manufacturers scurrying to fix their wares.<\/span><\/p>\n Microsoft claims that <\/span>it has \u201cmitigated\u201d<\/span><\/a> (interesting choice of terminology) the blue screens and freezes with certain Sophos, McAfee and Avast (including AVG) products. In fact, if you check with the individual manufacturers’ websites, they all claim to have shipped and installed fixes of various types that will allow Monthly Rollups and Security-only patches to proceed without gumming up the works.<\/span><\/p>\n The one holdout? Avira. It\u2019s a particularly interesting exception because Avira has claimed from the start that the April Win10 version 1809 cumulative update also clogged up the works with its antivirus product. I\u2019ve seen rumors \u2014 but no definitive confirmation \u2014 that other AV products have had the same problem.<\/span><\/p>\n At any rate, Avira at this point says <\/span>it\u2019s fixed everything<\/span><\/a>:<\/span><\/p>\n We have looked into the issue\u2026 and have found a way to fix it. We have recently released an update that should fix this issue. Your Avira Product will be automatically updated, and you don\u2019t have to do anything else in the product.<\/span><\/p>\n In a private communication, an Avira spokesperson says that Microsoft is no longer blocking the problematic patches on machines running Avira.<\/span><\/p>\n Microsoft has a contrary opinion<\/a>: <\/span><\/p>\n Microsoft has temporarily blocked devices from receiving this update if Avira antivirus software is installed. \u2026 We are presently investigating this issue with Avira and will provide an update when available.<\/span><\/p>\n There\u2019s no mention on the Microsoft sites about slowdowns with the Win10 1809 patch.<\/span><\/p>\n At this point, your best bet is to get Avira updated \u2014 manually if need be \u2014 and move on. I’d be willing to bet that the patches will install on updated Avira machines. (If you discover something contrary, hit me on AskWoody.com<\/a>!)<\/span><\/p>\n This whole incident left a bad taste in my mouth. As I mentioned before, whoever made the decision to release the six (now nine) problematic Windows patches either:<\/span><\/p>\n You can choose which one\u2019s worse.<\/span><\/p>\n More than that, the incident(s) exposed a bizarre behavior with Avast\/AVG products: In order to update the software, you\u2019re supposed to turn on your machine and do nothing for 15 minutes, while the AV package updates itself. As an <\/span>anonymous poster on AskWoody<\/span><\/a> put it:<\/span><\/p>\n I have AVG and I have many items blocked in the firewall. Avast \/ AVG needs to have a way to manually download the patch from the AVG support download site and they need a warning to the person that an AVG update is about to commence, unblock or allow the files and registry keys to be modified. Updating in the background when the operator is away is not a good idea. Avast \/ AVG should be more transparent.<\/span><\/p>\n Once again this month, you should studiously avoid\u00a0<\/span>KB 4493132<\/span><\/a>, a Win7 patch that does nothing but nag you to move to Windows 10. Looks like the nag <\/span>hasn\u2019t had much effect<\/span><\/a>, but why install it in the first place?<\/span><\/p>\n Although there are acknowledged problems with Win10 version 1809, they\u2019re relatively minor. Given that Win10 version 1903 is nipping on our heels, I\u2019m upgrading my Win10 machines to 1809. Better the devil ye ken.<\/span><\/p>\n If you want to stay with 1803, it\u2019s hard to blame you \u2014 the list of <\/span>new features in 1809<\/span><\/a> reads like the ingredients list for a bottle of water. Mostly, if you move to 1809, you\u2019re buying yourself six more months before you have to upgrade. Again.<\/span><\/p>\n The safest way to move to 1809 is to run the \u201cfeature update\u201d deferral down to zero and wait for Microsoft to take over. (See general instructions <\/span>here<\/span><\/a>.) That way the monkey\u2019s on Microsoft\u2019s back to make sure your machine is ready for 1809. Put the branch readiness level at \u201cSemi-Annual Channel,\u201d turn the feature update deferral to 0, and wait. If Microsoft figures your machine can take it, you\u2019ll get 1809 sooner or later. But you won\u2019t get 1903. <\/span><\/p>\n Why? Even though Microsoft has changed the terminology, we\u2019re assured \u201cSemi-Annual Channel\u201d will keep new versions off your machine until at least 60 days after release \u2014 and we\u2019re told that 1903 won\u2019t be released until the end of May.<\/span><\/p>\n We’ve also been promised that Win10 1803 will sprout a new<\/a> “Download and install” link \u2014 likely for both Home and Pro \u2014 by late May. We still haven’t seen it in action, but if it works as promised, that’ll be an enormous improvement over the blind-men-and-elephant approach we have right now.<\/span><\/p>\n Here\u2019s how to get your system updated the (relatively) safe way.<\/span><\/p>\n Step 1. Make a full system image backup before you install the latest patches.<\/span><\/p>\n There\u2019s a non-zero chance that the patches \u2014 even the latest, greatest patches of patches of patches \u2014 will hose your machine. Best to have a backup that you can reinstall even if your machine refuses to boot. This, in addition to the usual need for System Restore points.<\/span><\/p>\n There are plenty of full-image backup products, including at least two good free ones:<\/span> Macrium Reflect Free<\/span><\/a> and<\/span> EaseUS Todo Backup<\/span><\/a>. For Win 7 users, If you aren\u2019t making backups regularly, take a look at this <\/span>thread started by Cybertooth<\/span><\/a> for details. You have good options, both free and not-so-free.<\/span><\/p>\n Step 2. For Win7 and 8.1<\/span><\/p>\n If you have an antivirus product from <\/span>Sophos<\/span><\/a>, <\/span>Avira<\/span><\/a>, <\/span>Avast<\/span><\/a>, <\/span>AVG\u00a0<\/span><\/a>or <\/span>McAfee<\/span><\/a>, make sure it\u2019s up-to-date. Each product\u2019s different. Yes, I know that many products from those vendors don\u2019t have any problems \u2014 but it\u2019s better to get buckled up anyway.<\/span><\/p>\n Microsoft is blocking updates to Windows 7 and 8.1 on recent computers. If you are running Windows 7 or 8.1 on a PC that\u2019s 18 months old or newer, follow the instructions in<\/span> AKB 2000006<\/span><\/a> or<\/span> @MrBrian\u2019s summary of @radosuaf\u2019s method<\/span><\/a> to make sure you can use Windows Update to get updates applied.<\/span><\/p>\n If you\u2019re very concerned about Microsoft\u2019s snooping on you and want to install just security patches, realize that the privacy path\u2019s getting more difficult. The old \u201cGroup B\u201d \u2014 security patches only \u2014 isn\u2019t dead, but it\u2019s no longer within the grasp of typical Windows customers. If you insist on manually installing security patches only, follow the instructions in @PKCano\u2019s<\/span> AKB 2000003<\/span><\/a> and be aware of<\/span> @MrBrian\u2019s recommendations<\/span><\/a> for hiding any unwanted patches. <\/span><\/p>\n For most Windows 7 and 8.1 users, I recommend following<\/span> AKB 2000004: How to apply the Win7 and 8.1 Monthly Rollups<\/span><\/a>. Realize that some or all of the expected patches for April may not show up or, if they do show up, may not be checked. DON’T CHECK any unchecked patches. Unless you’re very sure of yourself, DON’T GO LOOKING for additional patches. In particular, if you install the April Monthly Rollups or Cumulative Updates, you won\u2019t need (and probably won\u2019t see) the concomitant patches for March. Don’t mess with Mother Microsoft.<\/span><\/p>\n If you see <\/span>KB 4493132<\/span><\/a>, the \u201cGet Windows 10\u201d nag patch, make sure it\u2019s unchecked.<\/span><\/p>\n Watch out for driver updates \u2014 you\u2019re far better off getting them from a manufacturer\u2019s website. <\/span><\/p>\n After you\u2019ve installed the latest Monthly Rollup, if you\u2019re intent on minimizing Microsoft\u2019s snooping, run through the steps in<\/span> AKB 2000007: Turning off the worst Win7 and 8.1 snooping<\/span><\/a>. If you want to thoroughly cut out the telemetry, see @abbodi86\u2019s detailed instructions in <\/span>AKB 2000012: How To Neutralize Telemetry and Sustain Windows 7 and 8.1 Monthly Rollup Model<\/span><\/a>.<\/span><\/p>\n Realize that <\/span>we don\u2019t know <\/i><\/strong>what information Microsoft collects on Window 7 and 8.1 machines. But I\u2019d be willing to bet that fully-updated Win7 and 8.1 machines are leaking almost as much personal info as that pushed in Win10.<\/span><\/p>\n Step 3. For Windows 10<\/span><\/p>\n You can follow the steps at the beginning of this article to leave your machine open for updating to Win10 version 1809 (my new current preference). When Win10 version 1903 appears we\u2019ll have full instructions for blocking it. Of course, all bets are off if Microsoft, uh, <\/span>forgets to honor<\/span><\/a> its own settings. <\/span><\/p>\n If you want to stick with your current version of Win10 \u2014 a reasonable alternative \u2014 you can follow my <\/span>advice from February<\/span><\/a> and set \u201cquality update\u201d (cumulative update) deferrals to 15 days, per the screenshot. If you have quality updates set to 15 days, your machine already updated itself on April 24. Don\u2019t touch a thing and in particular don\u2019t click <\/span>Check for updates<\/span><\/i>.<\/span><\/p>\n For the rest of you, including those of you stuck with Win10 Home, go through the steps in “<\/span>8 steps to install Windows 10 patches like a pro<\/span><\/a>.” Make sure that you run Step 3, to hide any updates you don\u2019t want (such the Win10 1809 upgrade or any driver updates for non-Microsoft hardware) before proceeding. <\/span><\/p>\n These steps will change drastically when Win10 1903 starts rolling out, particularly if Microsoft keeps its promise<\/a> about “Download and install now.” Stay tuned for details.<\/span><\/p>\n Thanks to the dozens of volunteers on AskWoody who contribute mightily, especially @sb, @PKCano, @abbodi86 and many others.<\/span><\/i><\/p>\n We\u2019ve moved to MS-DEFCON 4 on the<\/span><\/i> AskWoody Lounge<\/span><\/i><\/a>.<\/span><\/i><\/p>\n http:\/\/www.computerworld.com\/category\/security\/index.rss<\/a><\/p>\n","protected":false},"excerpt":{"rendered":" Credit to Author: Woody Leonhard| Date: Fri, 03 May 2019 07:04:00 -0700<\/strong><\/p>\n<\/p>\n