May had a hair-raising threat from a worm that still hasn’t emerged, but if you’re using Windows 7, 8.1, XP, Vista, or one of the Server variants and skipped the May patches, you need to drop everything and get the May or June patches installed. BlueKeep is coming. Those of you who blocked a specific port to keep BlueKeep at bay may be in for a nasty surprise.
Special shout-out for iSCSI and Event Viewer custom views
If you have problems connecting to your iSCSI array after installing this month’s patches, you need to click “Check for Updates” and allow Microsoft to install the fix for iSCSI bugs they introduced in earlier patches.
If you have custom views in Event Viewer (which is probably more widespread than you think) and after installing this month’s updates you get an “MMC has detected an error in a snap-in and will unload it” error, you didn’t do anything wrong. If it really, uh, bugs you, there’s a fix in the Monthly Rollup previews, KB 450327 for Windows 7 and KB 4503283 for Windows 8.1.
Unless you have those specific problems, I recommend (as always) that you avoid anything called “Preview” like the plague. Pass the Preview problems on to the gullible.
About Windows 10, version 1903
The latest version of Windows 10, version 1903, is still on my no-fly list. We’re seeing more odd problems emerge, and the Update advanced options vanishing trick remains unexplained. I’m sorely tempted to keep my production machines on 1809 until we see Win10 version 1903 Service Pack 1 – also known as version 1909. Waiting for the first Service Pack is traditionally good advice.
How to update your Windows system
Here’s how to get your Windows system updated the (relatively) safe way.
Step 1. Make a full system image backup before you install the latest patches.
There’s a non-zero chance that the patches — even the latest, greatest patches of patches of patches — will hose your machine. Best to have a backup that you can reinstall even if your machine refuses to boot. This, in addition to the usual need for System Restore points.
There are plenty of full-image backup products, including at least two good free ones: Macrium Reflect Free and EaseUS Todo Backup. For Windows 7 users, if you aren’t making backups regularly, take a look at this thread started by Cybertooth for details. You have good options, both free and not so free.
Step 2a. For Windows XP, Server 2003, and Embedded POSReady 2009
If you haven’t yet installed the May BlueKeep patch, manually download and install KB 4500331. In the Microsoft Update Catalog listing, find the version of Windows XP that concerns you, and on the right, click Download. Choose the language you’re using, and click the link underneath that language. Click Save File. When the windowsxp-kb4500331-blah-blah.exe file has downloaded, double-click on it and stand back.
Step 2b. For Windows 7 and 8.1
Microsoft is blocking updates to Windows 7 and 8.1 on recent computers. If you are running Windows 7 or 8.1 on a PC that’s 24 months old or newer, follow the instructions in AKB 2000006 or @MrBrian’s summary of @radosuaf’s method to make sure you can use Windows Update to get updates applied.
If you’re very concerned about Microsoft’s snooping on you and want to install just security patches, realize that the privacy path is getting more difficult. The old “Group B” — security patches only — isn’t dead, but it’s no longer within the grasp of typical Windows customers, and you absolutely must install the appropriate May security patch. If you insist on manually installing security patches only, follow the instructions in @PKCano’s AKB 2000003 and be aware of @MrBrian’s recommendations for hiding any unwanted patches.
For most Windows 7 and 8.1 users, I recommend following AKB 2000004: How to apply the Win7 and 8.1 Monthly Rollups. Realize that some or all of the expected patches for June may not show up. Or if they do show up, they may not be checked. DON’T CHECK any unchecked patches. Unless you’re very sure of yourself, DON’T GO LOOKING for additional patches. In particular, if you install the June Monthly Rollup, you won’t need (and probably won’t see) the concomitant patches for May. Don’t mess with Mother Microsoft.
If you see KB 4493132, the “Get Windows 10” nag patch, make sure it’s unchecked.
Watch out for driver updates — you’re far better off getting them from a manufacturer’s website.
After you’ve installed the latest Monthly Rollup, if you’re intent on minimizing Microsoft’s snooping, run through the steps in AKB 2000007: Turning off the worst Win7 and 8.1 snooping. If you want to thoroughly cut out the telemetry, see @abbodi86’s detailed instructions in AKB 2000012: How To Neutralize Telemetry and Sustain Windows 7 and 8.1 Monthly Rollup Model.
Realize that we don’t know what information Microsoft collects on Windows 7 and 8.1 machines. But I’d be willing to bet that fully-updated Win7 and 8.1 machines are leaking almost as much personal info as that pushed in Windows 10.
Step 3. For Windows 10 prior to version 1903
If you’re running Windows 10 1803 and want to upgrade to Windows 10 1809, just to put off the inevitable push to 1903, there’s good news. @PKCano has gone through the steps to navigate an upgrade from 1803 to 1809, without poking the 1903 dog.
If you want to stick with your current version of Win10 Pro, you can follow my advice from February and set “quality update” (cumulative update) deferrals to 15 days, per the screenshot below. If you have quality updates set to 15 days, your machine already updated itself on June 26. Don’t touch a thing; in particular, don’t click Check for updates.
For the rest of you, including those of you stuck with Windows 10 Home, go through the steps in “8 steps to install Windows 10 patches like a pro.” Make sure that you run Step 3 to hide any updates you don’t want (such as the Windows 10 1809 upgrade or any driver updates for non-Microsoft hardware) before proceeding.
Step 3a. For Windows 10 version 1903
If you’ve already moved to Windows 10 Pro, version 1903, and you set a 15-day deferral on quality updates, you’ll no doubt discover that the settings shown in the screenshot no longer appear on your machine. Microsoft hasn’t yet deigned to tell us what’s going on, but you can rest assured that your 15-day deferral was obeyed — and you got the June patches on June 26. Don’t worry about changing the deferral settings just yet.
Windows 10 version 1903 customers are starting to play with the “Pause updates for 7 days” button, but the results I’ve seen aren’t yet conclusive.
When we have more experience with the new settings in Windows 10 1903, I’ll update these steps specifically for 1903. Until then, we’re watching and waiting to see how things really work — and in the interim, these steps should work just fine in 1903. Stay tuned for details.
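Because the deferral setting can no longer be read off the Settings page in 1903, here is one way to check what the machine has stored and which patches actually installed. This is an added example, not part of the original column; the two registry locations and the 45-day window are assumptions of the example, not values given in the article.

```powershell
# Added example: report the stored quality-update deferral on Windows 10 Pro
# and list recently installed updates. The registry paths below are
# assumptions of this example; the article does not name them.
$sources = [ordered]@{
    'Group Policy' = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    'Settings app' = 'HKLM:\SOFTWARE\Microsoft\WindowsUpdate\UX\Settings'
}

function Get-QualityDeferral {
    param([System.Collections.IDictionary]$Sources)
    foreach ($name in $Sources.Keys) {
        # A missing key is normal (no policy set), so do not treat it as an error.
        $key = Get-ItemProperty -Path $Sources[$name] -ErrorAction SilentlyContinue
        if ($null -eq $key) { continue }
        $days = $key.DeferQualityUpdatesPeriodInDays
        if ($null -eq $days) { continue }
        # Under policy, the period only applies when DeferQualityUpdates is 1.
        if ($name -eq 'Group Policy' -and $key.DeferQualityUpdates -ne 1) { continue }
        [pscustomobject]@{ Source = $name; DeferDays = [int]$days }
    }
}

# Policy is listed first, so it wins when both locations hold a value.
$deferral = Get-QualityDeferral -Sources $sources | Select-Object -First 1
if ($deferral) {
    'Quality updates deferred {0} days (set via {1})' -f $deferral.DeferDays, $deferral.Source
} else {
    'No quality-update deferral is stored in either location.'
}

# Confirm what actually installed: updates from the last 45 days, newest first.
Get-HotFix |
    Where-Object { $_.InstalledOn -and $_.InstalledOn -gt (Get-Date).AddDays(-45) } |
    Sort-Object InstalledOn -Descending |
    Select-Object HotFixID, Description, InstalledOn
```

Run it from an elevated PowerShell prompt; it only reads settings and changes nothing.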
Thanks to the dozens of volunteers on AskWoody who contribute mightily, especially @sb, @PKCano, @abbodi86 and many others.
We’ve moved to MS-DEFCON 4 on the AskWoody Lounge.