![](\"https:\/\/images.idgesg.net\/images\/article\/2019\/06\/patch_and_update_options_pixelized_tools_and_refresh_symbol_with_branching_paths_by_pashaignatov_gettyimages-1152709304-100800559-large.3x2.jpg\"\/)
<\/p>\n
Credit to Author: Woody Leonhard| Date: Fri, 02 Aug 2019 10:09:00 -0700<\/strong><\/p>\n With one glaring exception, July was a <\/span>rather benign patching month<\/span><\/a>. The Win10 versions got their usual two cumulative updates (the second considered \u201coptional\u201d). Visual Studio <\/span>had some hiccups<\/span><\/a>, but they\u2019re fixed now. <\/span><\/p>\n Folks trying to upgrade from Windows 10 version 1803 or 1809 to 1903 <\/span>encounter various problems<\/span><\/a>, but for now there\u2019s very little reason to push your machine onto 1903. We\u2019ll be talking a lot more about that later this month.<\/span><\/p>\n The big pimple on the patching butt this month: The Win7\/Server 2008 R2 \u201cSecurity-only\u201d patch. Without any warning or explanation from Microsoft, the July \u201cSecurity-only\u201d patch installs a full telemetry kit and hooks things up so information gets sent to Microsoft \u2013 precisely what most people are trying to avoid by taking the \u201cSecurity-only\u201d route.<\/span><\/p>\n We have late-breaking confirmation <\/span>from Windows guru @abbodi86<\/span><\/a> that the July Security-only patch installs the same kind of telemetry found in the Monthly Rollups. Many (dare I say \u201call\u201d?) of the folks who go to the bother of downloading and manually installing the Security-only patches specifically do so to avoid<\/em> the snooping. But if you want the July security fixes, telemetry comes along for the ride.<\/span><\/p>\n Fortunately, there are ways to circumvent the telemetry, or at least minimize it. Details following.<\/span><\/p>\n Again this month there are questions about McAfee Endpoint Protection\u2019s interaction with Windows updates. Kevin Beaumont (@GossiTheDog) kicked off the latest round of suspicion and vituperations <\/span>by posting<\/span><\/a>:<\/span><\/p>\n McAfee Endpoint Protection has an interesting one, they’ve added a rule called RDP which I think is designed around BlueKeep (?), but it stops Windows Update applying July’s security patches.<\/span><\/p>\n G\u00fcnter Born has taken up the call with an article on his <\/span>Borncity blog<\/span><\/a>, but I\u2019ve been unable to replicate the problem or find calls for help on the McAfee site. Anyway, if you have trouble installing the July patches and you\u2019re using McAfee Endpoint Protection, you might try turning it off before retrying.<\/span><\/p>\n Here\u2019s how to get your system updated the (relatively) safe way.<\/span><\/p>\n Step 1.<\/strong> Make a full system image backup before you install the latest patches.<\/span><\/p>\n There\u2019s a non-zero chance that the patches \u2014 even the latest, greatest patches of patches of patches \u2014 will hose your machine. Best to have a backup that you can reinstall even if your machine refuses to boot. This comes in addition to the usual need for System Restore points.<\/span><\/p>\n There are plenty of full-image backup products, including at least two good free ones:<\/span> Macrium Reflect Free<\/span><\/a> and<\/span> EaseUS Todo Backup<\/span><\/a>. For Win7 users, If you aren\u2019t making backups regularly, take a look at this<\/span> thread started by Cybertooth<\/span><\/a> for details. You have good options, both free and not-so-free.<\/span><\/p>\n Step 2.<\/strong> For Win7 and 8.1<\/span><\/p>\n Microsoft is blocking updates to Windows 7 and 8.1 on recent computers. If you are running Windows 7 or 8.1 on a PC that\u2019s 24 months old or newer, follow the instructions in<\/span> AKB 2000006<\/span><\/a> or<\/span> @MrBrian\u2019s summary of @radosuaf\u2019s method<\/span><\/a> to make sure you can use Windows Update to get updates applied.<\/span><\/p>\n If you\u2019ve been relying on the Security-only \u201cGroup B\u201d patching approach to keep Microsoft\u2019s snooping software off your PC, you\u2019re faced with a tough decision:<\/span><\/p>\n If you\u2019ve been installing the Security-only patches and want to continue doing so, be sure to <\/span>follow @abbodi86\u2019s advice<\/span><\/a>, turn off the Customer Experience Improvement Program (gotta love the name) and, after the July patch is installed, disable the <\/span>new scheduled tasks<\/span><\/a>.<\/span><\/p>\n For most Windows 7 and 8.1 users, I recommend following<\/span> AKB 2000004: How to apply the Win7 and 8.1 Monthly Rollups<\/span><\/a>. Realize that some or all of the expected patches for July may not show up or, if they do show up, may not be checked. DON’T CHECK any unchecked patches. Unless you’re very sure of yourself, DON’T GO LOOKING for additional patches. In particular, if you install the July Monthly Rollup, you won\u2019t need (and probably won\u2019t see) the concomitant patches for June. Don’t mess with Mother Microsoft.<\/span><\/p>\n If you see<\/span> KB 4493132<\/span><\/a>, the \u201cGet Windows 10\u201d nag patch, make sure it\u2019s unchecked.<\/span><\/p>\n Watch out for driver updates \u2014 you\u2019re far better off getting them from a manufacturer\u2019s website.<\/span><\/p>\n After you\u2019ve installed the latest Monthly Rollup, if you\u2019re intent on minimizing Microsoft\u2019s snooping, run through the steps in<\/span> AKB 2000007: Turning off the worst Win7 and 8.1 snooping<\/span><\/a>. If you want to thoroughly cut out the telemetry, see @abbodi86\u2019s detailed instructions in<\/span> AKB 2000012: How To Neutralize Telemetry and Sustain Windows 7 and 8.1 Monthly Rollup Model<\/span><\/a>.<\/span><\/p>\n Realize that <\/span>we don\u2019t know <\/i><\/strong>what information Microsoft collects on Window 7 and 8.1 machines. But I\u2019d be willing to bet that fully-updated Win7 and 8.1 machines are leaking almost as much personal info as that pushed in Win10.<\/span><\/p>\n Step 3.<\/strong> For Windows 10 prior to version 1903<\/span><\/p>\n If you want to stick with your current version of Win10 Pro \u2014 a reasonable alternative \u2014 you can follow my<\/span> advice from February<\/span><\/a> and set \u201cquality update\u201d (cumulative update) deferrals to 15 days, per the screenshot below. If you have quality updates set to 15 days, your machine already updated itself on July 24, and will update again on August 21. Don\u2019t touch a thing and in particular don\u2019t click <\/span>Check for updates<\/span><\/i>.<\/span><\/p>\n For the rest of you, including those of you stuck with Win10 Home, go through the steps in “<\/span>8 steps to install Windows 10 patches like a pro<\/span><\/a>.” Make sure that you run Step 3 to hide any updates you don\u2019t want (such as the Win10 1903 upgrade or any driver updates for non-Microsoft hardware) before proceeding.<\/span><\/p>\n If you see a notice that, “You’re currently running a version of windows that’s nearing the end of support. We recommend you update to the most recent version of Windows 10 now to get the latest features and security improvements” you can safely chill. Win10 1803 is good through November. If you see a link to \u201cDownload and install now,\u201d ignore it \u2013 for the same reason.<\/span><\/p>\n Step 3A.<\/strong> For Windows 10 version 1903<\/span><\/p>\n If you\u2019ve already moved to Win10 Pro version 1903, and you set a 15-day deferral on quality updates, you\u2019ll no doubt discover that the settings shown in the screenshot are no longer available on your machine. Microsoft hasn\u2019t yet deigned to tell us what\u2019s going on, but you can rest assured that your 15-day deferral was obeyed \u2013 and you got the July patches on July 24. Don\u2019t worry about changing the deferral settings just yet. You\u2019re protected until Aug. 21.<\/span><\/p>\n We\u2019re still experimenting with all of the settings and seeing how they interact with one another, but at this point my best advice if you\u2019re on 1903 is to click the link on the Windows Update page that says \u201cPause updates for 7 days,\u201d then click on the newly revealed link, which says \u201cPause updates for 7 more days,\u201d then click it again.<\/span><\/p>\n By clicking that link three times, you\u2019ll defer cumulative updates for 21 days from the day you started clicking \u2013 if you do it today, you\u2019ll be protected until Aug. 23 \u2013 which compares favorably to my preferred 15-day deferral, mentioned earlier.<\/span><\/p>\n There are several group policies and a handful of registry settings working in the background when you make those changes. It still isn\u2019t clear to me how they interact (@PKCano has some details<\/a><\/span>\u00a0\u2013 and they\u2019re hairy). But if you\u2019re using Pro and set the quality update deferral to 15 days, <\/span>and <\/i><\/strong>punch the \u201cPause updates for 7 days\u201d button three times (on either Home or Pro), you should be in good shape.<\/span><\/p>\n Thanks to the dozens of volunteers on AskWoody who contribute mightily, especially @sb, @PKCano, @abbodi86 and many others.<\/span><\/i><\/p>\n We\u2019ve moved to MS-DEFCON 4 on the<\/span><\/i> AskWoody Lounge<\/span><\/i><\/a>.<\/span><\/i><\/p>\n http:\/\/www.computerworld.com\/category\/security\/index.rss<\/a><\/p>\n","protected":false},"excerpt":{"rendered":" Credit to Author: Woody Leonhard| Date: Fri, 02 Aug 2019 10:09:00 -0700<\/strong><\/p>\n With one glaring exception, July was a <\/span>rather benign patching month<\/span><\/a>. The Win10 versions got their usual two cumulative updates (the second considered \u201coptional\u201d). Visual Studio <\/span>had some hiccups<\/span><\/a>, but they\u2019re fixed now. <\/span><\/p>\n<\/p>\n