Get the March Windows and Office patches installed, but watch out for known bugs
It’s been another Keystone Kops month, with a reasonably stable Patch Tuesday, followed by a hasty Patch Thursday to cover a security hole Microsoft accidentally blabbed, then the usual buggy “optional, non-security, C/D Week” patch, finishing with a fix for yet another bug introduced by earlier patches.
Plus ça change …
Along the way we got a quiet fix for a bug in Windows Defender. And a warning about yet another bad-font-takes-over-your-PC security hole. Microsoft has toned down its original warning about that Type 1 Font Parsing security hole, and now says it’s mostly a less-severe problem with Windows 7 and related servers.
All the while, in spite of loud sirens from many corners, there have been exactly zero emergencies, where a Microsoft patch fixed a hole that’s being widely exploited.
Which means it’s a good time to make sure you have the March patches installed, in preparation for what awaits in WFH April. Here’s how to do it.
Make a full backup
Make a full system image backup before you install the latest patches.
There’s a non-zero chance that the patches — even the latest, greatest patches of patches of patches — will hose your machine. Best to have a backup that you can reinstall even if your machine refuses to boot. This, in addition to the usual need for System Restore points.
Install the latest Win10 March Cumulative Update
If you haven’t yet moved to Win10 version 1909 (in the Windows search box type winver and hit Enter), I recommend that you do so. The bugs in version 1903 are largely replicated in 1909 and vice versa, so there’s very little reason to hold off on making the switch — although, admittedly, there’s almost nothing worthwhile that’s new in version 1909. I have detailed instructions for moving to 1909 here.
To get the latest March Cumulative Update installed, click Start > Settings > Update & Security. If you see a Resume updates box (screenshot), click on it.
That’s all you need to do. Windows, in its infinite wisdom, will install the March Cumulative Update at its own pace. If you don’t see a Resume updates box, you already have the March Cumulative update and you’re good to go.
If you see a come-on for the “optional, non-security, C/D Week” patch KB 4541335 (screenshot), simply ignore it. There’s absolutely nothing in that patch that you need or want, and it’s causing all sorts of problems.
There’s a reason why Microsoft is discontinuing these step-in-the-mess “optional” patches.
When your machine comes back up for air, don’t panic if your desktop doesn’t look right, or you can’t log in to your usual account. You got bit by the “temporary profile” bug, which we’ve known about — and complained about — for more than a month. We have three separate threads on AskWoody about solving the problem (1, 2, 3) and if you need additional help, you can always post a question. (Thx @PKCano.)
Also, don’t be overly surprised if you discover that, after installing the March patches, your internet connection disappears when you connect to a virtual private network. Yep, that’s another bug introduced by this month’s patches. For a change, Microsoft has actually documented the bug — and released a fix. You should only install the manual-download-only patch of a patch KB 4554364 if you’re getting knocked offline when connecting to a VPN. If your internet stays connected, simply ignore this warning. You’ll get updated in April. At least, theoretically.
While you’re mucking about with Windows Update, it wouldn’t hurt to pause updates, to take you out of the direct line of fire the next time Microsoft releases a buggy bunch of patches. Click Start > Settings > Update & Security. Click “Pause updates for 7 days.” Next, click on the newly revealed link, which says “Pause updates for 7 more days,” four more times. That pauses all updates for 35 days, until early May. With a little luck that’ll be long enough for Microsoft to fix any bugs it introduces in April. And the March stragglers, for that matter.
Patch Win7, Win8.1, or associated servers
If you’ve paid for Win7 Extended Security Updates and you’re having trouble getting them installed, Microsoft has a new article called Troubleshoot issues in Extended Security Updates that may be of help. We’re also fielding questions on AskWoody.
0patch continues to provide patches for Win7, going so far as to fix the announced new font parsing bug, which Microsoft itself hasn’t even fixed as yet.
If you’re running Win7 and haven’t been able to get Extended Security Updates working (there are lots of reported problems!), @abbodi86 offers a script that’ll let you install the latest Win7 security patches, bypassing the ESU restrictions.
Several high-profile security guri, including Patch Lady Susan Bradley, have called on Microsoft to open up its March 2020 Win7 patches to everybody, particularly considering the number of people who are working from home, on older machines, through no fault of their own.
Windows 8.1 continues to be the most stable version of Windows around. To get this month’s puny Monthly Rollup installed, follow AKB 2000004: How to apply the Win7 and 8.1 Monthly Rollups. You should have one Windows patch, dated March 10 (the Patch Tuesday patch). No, you don’t want the Preview of Monthly Rollup.
After you’ve installed the latest Monthly Rollup, if you’re intent on minimizing Microsoft’s snooping, run through the steps in AKB 2000007: Turning off the worst Win7 and 8.1 snooping. If you want to thoroughly cut out the telemetry, see @abbodi86’s detailed instructions in AKB 2000012: How To Neutralize Telemetry and Sustain Windows 7 and 8.1 Monthly Rollup Model.
Thanks to the dozens of volunteers on AskWoody who contribute mightily, especially @sb, @PKCano, @abbodi86 and many others.
We’ve moved to MS-DEFCON 3 on the AskWoody Lounge.
Copyright © 2020 IDG Communications, Inc.