Ask Slashdot: Make Windows Update Install Only Security Updates Automatically?

An anonymous reader writes: After the news earlier this month about Microsoft forcing the Windows 10 upgrade on people who don't want it, my sizeable extended family has been coming to me for a solution. They don't want to be guinea pigs this early in the Windows 10 release cycle, but it looks like Microsoft may not be giving them a choice. My reading of Woody Leonhard's advice is that the only way to ensure the upgrade doesn't happen is to disable Windows Update, but that seems extreme. I want my family to install security updates, but I don't relish the idea of explaining to them how to install just those and hide the less-desireable updates.

The ideal solution would be to have only security updates install automatically, but it looks like it's easier said than done. I've looked at third-party tools like Autopatcher and Portable Update, but a security-only option doesn't seem to be very standard. From what I've read, Microsoft doesn't even package security updates separately, sometimes mixing merely Important and Recommended updates in the downloaded CAB file. I wish I could get them off Windows, but it's not an option. They use Windows at work or school, and don't want to go through the process of learning another OS. Maybe the current situation with Windows 10 will convince them eventually, but they need something now. I would really like to come up with a solution before the next Patch Tuesday on October 13. Do any of the more knowledgeable Slashdotters out there have any advice?

Fail idea

[drinkypoo]

If any number of people did this, then Microsoft would just push a "security" update that offered you Windows 10 or installed spying on the basis that they could somehow offer you more security. "KB6666666 - improve security by making windows phone home at every opportunity"

Re: Fail idea

Now, of course, I read the descriptions.

Don't worry, Microsoft has a solution for that: with Windows 10, they simply don't offer descriptions. They've also started bundling feature updates and security updates into single patches. Probably. From what people have been able to determine that existing patches do.

There's no reason they can't decide to start doing that for all updates. Will KB414140 force you to install Windows 10? Include telemetry? Fix a zero-day exploit that's being actively exploited? All of the above? Who knows!

Re:Fail idea

[Z00L00K]

It's time to start asking the question about "security" updates - is it for you or for Microsoft they improve the security?

Re: Fail idea

[FeriteCore]

They already do this by offering totally meaningless descriptions. Reading descriptions does no good when they contain no actual information.

Sorry, but you're screwed

[Irate+Engineer]

You'll get what Microsoft wants and like it, or not - they don't care about your preferences anymore.

If you want to send them a message, stop buying their software. This is a less painful option than it used to be, believe it or not.

Re:Sorry, but you're screwed

[LVSlushdat]

You'll get what Microsoft wants and like it, or not - they don't care about your preferences anymore.

If you want to send them a message, stop buying their software. This is a less painful option than it used to be, believe it or not.
--

Not only stop buying, but STOP USING their software.. The reason Windows 10 is free is because YOU ARE THE PRODUCT that MS is *selling* to
anybody with the right # of $, plus I have to imagine they're in tight with the NSA, since the NSA needs to fill that giant datacenter in Utah, and what better
data than EVERYTHING you type, say and see on the computer that *used* to be YOURS and now belongs to MS.. Its a proven fact that 10 keylogs and captures large quantities of video/audio from any microphones/cameras on said system.. I used/admin'ed Windows for over 25 years (1991-2010) and when I retired I swore I'd quit using MS products and stay on Linux. It pains me to see how Americans have become nothing but lemmings running full-tilt off the cliff when it comes to computers... I have no fear either, that *if* enough of us non-lemmings skip sucking on MS's tit, and instead use of the many Linux/BSD distros, it won't be long before we're branded terrorists by this "government".... Hope I'm dead and buried by then (65 now..)

run and hide

[denbesten]

Unless you wish to become the IT department for your sizeable extended family, don't touch this. The moment you take over patch management is the moment that others (Microsoft, Geek Squad, MS Fixit, etc.) cease being able to fix minor problems when their PCs go goofy.

If you do want to become the IT department, look into Microsoft's Enterprise solutions. They continue to allow personalized patch management there.

Re:I was going to suggest Debian GNU/Linux.

[drinkypoo]

Knowing how frustrating it can be when an operating system provider ends up trashing an existing installation through what should be routine updates, I realized that I could not possibly recommend Debian. Perhaps the submitter could do what I did: switch to FreeBSD.

Well, there's also switching to Linux Mint, which is what I suggest at this time. I'll probably keep advocating that at least up until they decide what to do about systemd in the long term. Hopefully, longer.

FreeBSD has shown itself to be the future.

It's not even the present if you want a decent nVidia driver or if you want to run vmware, which I still use to handle some cases that make KVM shit itself. Other than that, I have nothing against it, but that's enough to make it a show-stopper for me. Linux also runs on more hardware, and I prefer to have more or less one OS on everything for my convenience. My router runs Linux, my NAS runs Linux, my desktop (not the gaming one, but anyway) runs Linux, my handhelds even run Linux, albeit a kind of wacky version thereof. Oh yeah, got a fire stick coming, that runs Linux. All my game consoles with ethernet ports run Linux when I want them to, except for the 360... which I am probably about to donate to someone who lost all their shit in the recent fires. Guess I should put the screws back in it just in case they ever drop it.

Downloading != Installing

[sanf780]

Let us assume Windows is downloading Windows 10 automatically, even if you did not reserve it. Do you get Windows 10 installed by doing the typical "You need to restart your computer in order to get security updates"? If that is not what happens, then the only thing wrong is downloading 3.5GB worth of unwanted data. It is still wrong, though. I do not think people are installing Windows 10 without ever clicking on YES somewhere. I am sure it is the user's fault if they click. It is always the user's fault if they install unwanted/malware software that was bundled with other software by clicking a YES button.
So, do not spread wrong rumours, pretty please. I have not heard of anybody installing Windows 10 without his/her consent.

Re:Downloading != Installing

[ITRambo]

You are incorrect. I have a couple of customers that had Windows 10 install automatically while they were away. They claim to never have authorized this. One of my own workstations kept trying to install Windows 10 as an update for Windows 7 Pro, until I turned off Automatic Updates. A second identical workstation hasn't done this. It may be random. You have too much faith in Microsoft software being infallible. All software is buggy. You don't need to click YES this time around. PC's having Windows 7 replaced with Windows 10 with no user input is real. On the other hand, I've had a couple of customers that had broken Windows 7 installations. After making drive images, I got their okay to upgrade to Windows 10. In each case the PC ran much better and the problems. broken IE11 for one, were fixed. So, Windows 10 is a mixed bag. I like it when it's not being force fed.

Install Linux

[Greyfox]

The slashdot knee-jerk response is "Install Linux". But it might actually be time to have that conversation. You don't feel your OS vendor has your best interests in mind and is trying to jam some crap you don't want down your throat. Do you stick with them because they're familiar or do you switch vendors? The answer is going to be different for everyone. My parents use their computer as a dumb terminal to the internet, use OpenOffice.org for the few documents they do write and they aren't gamers. I could switch them to Linux and they'd never notice the difference. People with a lot of games, photography professionals who have to run Photoshop and people who do video editing might have a different answer.

Of course, you don't have to install Linux. Maybe some people would be happier with Apple. You run into a lot of the same problems with them -- Apple looks out for Apple. I got tired of beating my head against my computer to make it work in the mid 2000s and ran Apple hardware for nearly a decade. You plug their shit in, it just works. It's tempting. But even more than Microsoft, their software thinks it knows how you should be working and it's difficult or impossible to do anything differently. You start banging your head against your computer again, and at least with Linux when you do that, you damn well can make the system do what you want it to. Apple's gaming scene when I was using them was only marginally better than Linux's -- you could make a couple of big MMOs and some decade-old games work with their systems.

You could also go with FreeBSD. I don't know a lot about them, but with the whole systemd debacle, a lot of people are moving in that direction now. I'd have to set it up and run it for a while before I could recommend it to relatives.

So that pretty much leaves me with Linux. If you're moving away from Microsoft because you don't like their agenda, you probably don't want a commercial distribution of Linux, either. Find one with an active community that has politics you like and go with them. Or just decide that maybe you can put up with Microsoft's bullshit after all. That's your choice, right there, and you should be able to talk intelligently with your relatives about it.

You don't have to stay there once you make that move, either. I've just about eliminated all the Apple stuff I had going on -- my old Core 2 Duo Macbook is running Linux and my destop dual boots windows and Linux. I'm still booting back to Windows for the games collection and because getting files off my Android phone is easier with Windows. I prefer Kdenlive in Linux for editing my GoPro videos, but I mostly just clip a bit off the front and back of the video and tweak the contrast and sharpening.

The point is that for all these things you always have that choice. Live with your current vendor's bullshit or find some vendor whose bullshit you can tolerate.

Re:Windows 7 EOL is coming soon

[Kjella]

That Win7 EOL is "coming soon" is a pretty good exaggeration. Very soon now Ubuntu 15.10 is being released, you'll have 16.04 LTS, 16.10, 17.04, 17.10, 18.04 LTS, 18.10, 19.04, 19.10 and 20.04 LTS before Win7 expires. Ten distro versions and three long time support releases later, a lot could change between now and then. I switched to Linux back in early 2007 because Vista was terrible but returned to Win7 in late 2010 mainly because of gaming. And I do have a laptop upgraded to Win10, unlike Vista it's not a bad OS except it comes with too many bundled privacy invasions. The OS is stable, the drivers work, IO handling seems faster, technically I haven't found any reason not to upgrade.except the anti-features.

Zorin OS for Windows users

[nickweller]

"Zorin OS is a multi-functional operating system designed specifically for Windows users who want to have easy and smooth access to Linux."

Re:DisableGWX

[drinkypoo]

First off, If there's no reason not to upgrade other than FUD,

Look, shill, Microsoft actively spying on users isn't FUD. It's not a fear, because they're doing it. It's not uncertainty, because they're doing it. And it's not doubt, because they're doing it.

Easiest method to disable windows 10 from updating is to use the DisableGWX Policy setting

That is not the question, which the summary makes obvious, since the poster mentioned Windows 10 attempting to install itself. Clearly they want to avoid Windows 10.

If you just want security patches from that point forward go to windows update settings and uncheck "give me Recommended updates the same way I receive important updates"

The problem, as I pointed out in the top comment in this thread, is that you cannot trust Microsoft not to put other things into "Security Updates". This is especially true on Windows 10 where they are providing less information about what is actually in patches than literally ever before, as pointed out by a comment in that part of this thread. So no, that doesn't work.

How to disable GWX and Telemetry

[Yer+Mum]

The three registry keys to disable GWX and the GWX advert in Windows Update are these...

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\GWX]

"DisableGwx"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate]

"DisableOSUpgrade"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\OSUpgrade]

"ReservationsAllowed"=dword:00000000

Then open an elevated command prompt (search for cmd in the start menu, right click and Run as Administrator) and uninstall the following telemetry KBs...

wusa /uninstall /kb:3068708 /norestart
wusa /uninstall /kb:3022345 /norestart
wusa /uninstall /kb:3075249 /norestart
wusa /uninstall /kb:3080149 /norestart

In Control Panel > Windows Update > Change Settings, untick "Give me recommended updates the same way as I receive important updates" as some optional updates have been used to send down unwanted GWX/Telemetry updates.

Also in Control Panel > Windows Update, search for updates, then view the optional ones, then hide three of those KBs above (3022345 shouldn't appear as it's superseded) by right-clicking on them and choosing the hide option.

Now reboot the computer, search for CEIP in the start menu, run it, and change the setting to disable telemetry to MS.

If the C:\$WINDOWS.~BT then your computer is downloading Windows 10 in the background. Search for CleanMgr in the start menu and run it to remove the "Windows Update temporary files" category. Although that may unhide those three KBs above and you many need to rehide them.

Telemetry info from http://www.ghacks.net/2015/08/28/microsoft-intensifies-data-collection-on-windows-7-and-8-systems/

Unless MS send a recommended update which adds more GWX or Telemetry stuff to Windows 7/8, your extended family's computers will look after themselves from now on.