'Don't Tell People To Turn Off Windows Update, Just Don't' (troyhunt.com)
Security researcher Troy Hunt, writing on his blog: Often, the updates these products deliver patch some pretty nasty security flaws. If you had any version of Windows since Vista running the default Windows Update, you would have had the critical Microsoft Security Bulletin known as "MS17-010" pushed down to your PC and automatically installed. Without doing a thing, when WannaCry came along almost 2 months later, the machine was protected because the exploit it targeted had already been patched. It's because of this essential protection provided by automatic updates that those advocating for disabling the process are being labelled the IT equivalents of anti-vaxxers and whilst I don't fully agree with real world analogies like this, you can certainly see where they're coming from. As with vaccinations, patches protect the host from nasty things that the vast majority of people simply don't understand. This is how consumer software these days should be: self-updating with zero input required from the user. As soon as they're required to do something, it'll be neglected which is why Windows Update is so critical.
Unless you have a production environment with a software product that breaks with Windows update turned on. In which case you have to take additional security and maintenance measures and have a team that is tasked with (and funded properly) to do testing and updates on a regular basis.
This is generally sound advice, although some IT shops prefer to manage the process to ensure that either (a) a particular update doesn't break some proprietary code, or (b) because of regulatory reasons particular machines may not be permitted to have the software changed without some sort of documentation being generated.
Maybe. Except when it causes BSOD (google for Amazon Kindle).
If they hadn't done shit such as the forced Win10 update, or forced GWA, or done a lot of other crap that broke people's systems (in the name of marketing), then maybe people wouldn't have said, "Turn it off".
General Relativity: Space-time tells matter where to go; Matter tells space-time what shape to be.
The telemetry spying though...
What's worse, having guaranteed malicious software (windows telemetry), or possible malicious software?
I'll take my chances with other security measures until MS stops intentionally breaking security.
Windows Update also wanted to install telemetry on my Windows 7 system until I removed the patch. Then for 12 months Windows Update wanted to 'upgrade' me to Windows 10, the software employed all sorts of tricks to make me say yes and in the end I just disabled updates as it was less hassle.
My Windows 7 system was not affected by the events over the weekend as all it does is run some test equipment. It still has Windows Update disabled and it's going to stay that way.
Why would anyone *disable* automatic updates on Windows? With it being widely known as such an insecure OS, that just seems insane. I've never heard anyone give such advice, but if they did, they surely deserve a smack on the head.
I'll turn it on when they stop sending telemetry in the updates. Until then, no dice.
The reason folks turn off Windows Update is that it behaves kind of like malware itself! I'm technologically savvy enough to set my registry and so on to disable the awful "Get Windows Ten" updates, but when so many users got shafted by Windows "self-updating with zero input required from the user" to a completely new operating system (a new operating system that actively thwarts end-user control over updates!), is it any wonder that so many of them switched it off?
The comparison to anti-vaxxers is interesting, and apt in more ways than Troy may have known. Much like Microsoft hijacked their Windows Update program to push Windows 10, the CIA used a Pakistani polio vaccination campaign to gather intelligence about Osama bin Laden (see here: https://en.wikipedia.org/wiki/...). This has resulted in the killing of other relief workers and general suspicion of medical aid programs in that region, and so polio persists.
it's also why I run Linux.
The problem is that around 30% of MS Updates actually hurt the user, either by introducing "features" that (like Apple) inadvertently or deliberately adding things that are of no benefit to anyone but MS and in many cases hurt the users. Windows 10 basically is capable of hijacking itself (as per its design) so it's hard to know what is good and what is not, especially as MS gives VERY vague descriptions of its updates as per the new Windows 10+ policy to tell users, it's our update, just take it (up the rear end). The sooner we start admitting that we don't in fact NEED MS Windows at this point, the better. Linux anyone?
"Imagination is more important than knowledge" - Einstein
Vaccines worked in a society that had trust and a belief in a brighter future. Our society is no longer trustworthy. The wolves are running the hen house. Anti-vaxxers are a natural consequence of the loss of societal trust. I am not an anti-vaxxer, but, as a conspiracy theorist, I understand how anti-vaxxers came to be. We, as a people, no longer trust our government, pretty much at all. Any trust is blind trust placed at our political parties and idols. We are blind fools to give that trust at all, but it is just about the only thing left keeping this obviously corrupt system running.
And, guess what. We're seeing the same fucking thing from Microsoft. We can't trust them. The problem with the author (and as a security engineer by trade, everyone makes this mistake all the time) is that he does not understand the threat he's protecting against. People who advocate for disabling automatic updates have assessed the software vendor to be the bigger threat than hackers. They're not wrong, and the author has completely misunderstood the owner's threat model.
...checkbox. I don't need the marketing fluff or whatever other crap Microsoft wants to shove down my throat. Give me the option to only install security updates automatically, and leave the rest manual.
On the BBC news earlier, it was said that most of the Chinese machines that were infected had pirated Windows on them and because they were pirated, were not eligible for the upgrades. Those people got hit.
Problem solved, permanently.
When all you have is a hammer, every problem starts to look like a thumb.
If you find yourself, like many in the NHS or other regulated spaces, with no easy upgrade path. I understand the naive impression that 'the vendor is just trying to help, so let them'. I assure you that those of us in the regulated space where patches can cause life-threatening, and business-altering effects on critical systems are always titrating risk on both sides. It has never been easy to run a network and mitigate change. It is true that there were a few months to patch for this issue. But the onslaught of all critical patches is beyond the resources of most IT departments that would make a best effort at patching their infrastructure every few weeks under a watchful eye of the FDA or the SEC.
But don't be a retard. Keep reading this site and others. I manually installed MS17-010 a month ago even though Windows Update has been off for years. People get what they deserve. You need to actively pursue your own security, not ignore it or worse, pretend that Microsoft is going to do it for you. Windows Update is more trouble than it's worth. Especially since Windows 10.
Seven puppies were harmed during the making of this post.
get a Mac. Now I am one of those annoying people who say switch to Linux.
Windows Update needs a few changes to be trusted:
1) An option that only installs critical security updates and not features
2) Needs to stop rebooting your machine when it is busy doing something. This includes intrusive nags that interrupt what you're doing
3) They need to stop breaking things like they did with third party boot loaders a year or so ago
I am in favour of auto-updating Windows, don't get me wrong; however, it could be catastrophic if anyone ever manages to figure out a way to spread a virus via the auto update.
I'm not sure the technical route someone would have to take to do this; If, perhaps someone could somehow infect a DNS server to treat an infected server as a Microsoft update server.
"That's the way to do it" - Punch
Those fuckers at MSFT ruined security updates by force-feeding the user spyware, or even forcing an "upgrade" to Windows 10.
Now nobody trusts Microsoft, and would rather take their chances without the "essential updates".
the continual additions of resource-heavy snooping spyware and telemetry services for in-app advertising delivery hammer many institutions that would otherwise happily install security patches, if they were JUST security patches.
But many of the Important patches we have received from MSFT are just that. Ads, telemetry to try to sell us stuff that blows out the bandwidth in mission critical software and pops up things that get in the way of doing actual work.
There's your problem. That and the "patching" of things in a way that breaks apps that believe the public documentation instead of the actual way MSFT codes and tests its apps.
-- Tigger warning: This post may contain tiggers! --
I've started to "screen" updates after they again and again pulled crap like WGA, trying to smuggle in DiagTrack with every monthly update, or simply rolling out updates that blew up 90% of all PCs, 'cause they didn't think to test it properly. And their response was basically, "fuck you, now you're not turning off ANY updates, happy now??!"
As a side note, the delay to release PDB symbols on MS's symbol server after a Patch Tuesday has been at least days and sometimes more than a week for the last two months (at least for the Win10 symbols I tried). I use them a lot with WinDbg.
There is, it's the "critical updates only" checkbox.
The problem isn't the lack of said checkbox, it's the fact that Microsoft doesn't respect that checkbox and considers all sorts of marketing fluff and malware to be "critical"
If Microsoft would just go back to the days when security patches were done separately from other sorts of updates, that would be a huge help. I know a lot of people who disable updates to avoid feature changes, but would accept automatic security updates.
Microsoft's position of not making a distinction between the two is a large disincentive to allowing automatic updates for a lot of people.
It's more accurate to tailor the message about automatic updates to the audience.
For computer savvy people that are likely to read the message about available updates and install them, then turning off automatic installation is appropriate, because many of us can't afford to have long running processes or tasks dumped from memory with a reboot.
For your average user or nontechnical person, absolutely, advise them to leave it at defaults (and to save often).
at troyhunt.com
Hi, I'm Troy Hunt, I write this blog, create courses for Pluralsight and am a Microsoft Regional Director and MVP who travels the world speaking at events and training technology professionals
It's obviously in his interest to make everyone Microsoft's puppets.
Anons need not reply. Questions end with a question mark.
What would happen if there were stockholder lawsuit charging Corp. X was not exercising corporate "due diligence" to protect stockholder interests by failing to apply vendor-recommended security patches?
Microsoft only have themselves to blame for people disabling Windows Updates because they made it untrustworthy:
"self-updating with zero input required from the user"
If that's the default, great. If it's the ONLY way, like Windows 10, Google Chrome, and yes, Mozilla (try to permanently disable Auto-Update and keep the mostly just broken Mozilla-update-service away from Windows, I dare you), just go fuck yourself. It's one thing trying to patch as many of the dumb-users as possible, it's another thing to *force* it upon users...
Except if vaccines failed as much as a Microsoft patch did there would be no doctors... because people would be shooting them in the street.
Yeah, yeah... I can already hear the autistic fast typing from some keyboard warrior looking to 'correct' me on this one. But sorry... Microsoft no longer has any credibility to tell people what to do with their machines. The entire roll out of Windows 10 has been nothing but train wreck after train wreck. And you know what? Even if we get the occasional virus it's still better than having to deal with the rest of the continuing train wreck that is Microsoft. People are just going to have to go back to the old days when people had to actually learn how to protect themselves. Instead of waiting on the industry to sell you a next generation of device that 'might' be eventually patched.
I am in favour of auto-updating Windows, don't get me wrong; however, it could be catastrophic if anyone ever manages to figure out a way to spread a virus via the auto update.
I'm not sure the technical route someone would have to take to do this; If, perhaps someone could somehow infect a DNS server to treat an infected server as a Microsoft update server.
You walk around with a loaded gun pointed at your head and you hope that nobody pulls the trigger
The brainwashing has mellowed your perspective to the point where you barely even care
On none of our Vista systems, which we still have to run because Microsoft is just so horrific and backwards compatibility plus it's what our customers run that create the most support tickets, we are forced by Microsoft to use Vista. Updates hang at 0%. We've wasted hundreds of hours trying to get updates to run. I think the last time they worked was April 11, 2017. After the last Microsoft-created problem, we've had half a dozen people hammering on Vista machines trying to figure out a work-around for Microsoft's decision to break updates to their OS. It's great to say you shouldn't disable updates, but it is Microsoft that is disabling them.
The number of problems caused by installing Windows updates for our IT department: THOUSANDS
The number of problems caused by holes left in the Windows OS that an update or patch supposedly has fixed: 20
Easy decision.
I don't think I've ever worked at a company that had "automatic updates" turned on. The reason being, company ecosystems tend to be predominantly all the same hardware, same Windows version and same patch level, and a bug in an update that affects that particular collection of hardware and software can take an astounding number of seats offline. (In much the same way a biological virus can take out an entire species if they're not sufficiently genetically diverse.) So yeah, no. Companies that want to stay in business don't do that. Of course, they *do* have a team that tests updates in a lab and sends out validated updates to the rest of the company, often a subset of what Microsoft spews out.
I do something similar at home. We have three Winders boxes, and none of them have auto update turned on. Every week or so, I look at what updates are available, and apply at minimum the security updates to the least used of those three boxes. If it survives a reboot and some reasonable amount of smoke testing, I install on the game machine, and if that works out ok, after a day or two I'll install it on my own workstation. I have to take care because my machine is (a) my only conduit to my "day job", and (b) my main workstation for my side-business. I can't afford to be down because Microsoft botched a patch any more than any large company can.
So yeah, security updates are important. Vital, even. But that doesn't mean you just install every update the moment it becomes available. An important part of "security" is "availability". And that's just as important as "confidentiality" and "integrity".
Another contributor had it right -- there should be a way to auto install security updates only. So if Microsoft botched a driver update and it renders unbootable a certain brand of PC running a certain brand of video card, it's less likely to take large numbers of users offline.
I know there are essential and optional updates (or whatever words they use) but most updates are considered by Microsoft to be essential.
And this doesn't even address compatibility of updates with installed applications. You know, the software you use to actually do work.
All that said, it does seem like Microsoft is doing a better job vetting their patches before release than they did the earlier part of this century. But being burned a few times breeds caution.
Oliver's law of assumed responsibility: If you're seen fixing it, you will be blamed for breaking it.
Making a blanket statement like this is not really valid. I think for the average consumer desktop that searches the web, maybe plays some games and does some basic office stuff it is probably a good idea not to turn off updates. Telling a corporation that they absolutely need to update every time Microsoft releases something is probably a bad idea. The better advice would be for companies to educate themselves, hire people that know what they are doing, or hire outside contractors that are reputable and educated to handle their security. Simply saying "Update Windows" does not define a good security policy.
Sent from my TARDIS
If you're managing hundreds or thousands of systems, you've always got a few with failed Windows updates. It's a never ending battle. It's nigh impossible to stay 100% up to date. THAT is Microsoft's fault.
No way! I will NOT allow windows to just install updates into my production environment... Yes, I know it is a risk to leave systems unpatched, but given the frequency of Microsoft breaking my systems with their patches, the risk of downtime from a security flaw is usually LESS than the risk of having some exploit that causes down time.
However.... This doesn't mean I don't pay attention to the released updates. Oh no, we have a test system where we DO let them load as soon as they are released and a functionality and performance test that we run as soon as we can. We update only after successfully passing the test suite (and fixing any issues we found), which sometimes can take more than a week. I choose when the updates go out, not Microsoft.
So, for mission critical applications and systems, I recommend you NOT enable updates.... But I also recommend that you have resources available to test the updates and try to stay reasonably current with Microsoft's patches....
But, that's business.... At home? I generally don't turn on updates either... But I'm aware of what's coming out, so I generally know when the really important stuff gets released so I will update accordingly... Of course, I'm in charge of the In-Laws computer maintenance needs and they live in another state. For them, I have automatic updates turned on, at least until things get hosed and I have to make a multi-state trip to get them going again.
"File to fit, pound to insert, paint to match" - Aircraft Maintenance 101
> This is how consumer software these days should be: self-updating with zero input required from the user
I have no problem with making it "zero input from the user", *IF* it was also zero impact on the user. Meaning, no inconvenient reboots that'll shut down 50 opened windows that won't come back.
... and tell them to stop using the security update distribution channel to trick me into doing an unwanted operating system update. Recently, Windows Update has looked a lot like malware in the way it operated to trick customers into upgrading to Windows 10.
Don't use the channel for security updates to force advertising on your customers, just don't.
the preceding comment is my own and in no way reflects the opinion of the Joint Chiefs of Staff
There is, it's the "critical updates only" checkbox.
The problem isn't the lack of said checkbox, it's the fact that Microsoft doesn't respect that checkbox and considers all sorts of marketing fluff and malware to be "critical"
But they are critical updates from Microsoft's point of view: critical to marketing.
(Or rather 25% since this system could use four threads.)
I had to shut it down for while until I got around to figuring out what the heck was wrong with it.
It turns out I had to clear the files out from C:\Windows\SoftwareDistribution.
It took a while to find this out, since it isn't the first piece of advice I came across. Microsoft's own Windows Update diagnostic tool doesn't clear out these files and other solutions involved messing with tons of services via the command prompt.
also, doctors don't break into your house in the middle of the night to give you a vaccine (and snoop around your house while they're there).
Support Right To Repair Legislation.
See subject: Wana can't get to a setup w/ no SMB/port 445 access secured via CIS Tool (highly esteemed & took fixes from "yours truly" too) & does only SMB2 or better + I don't run Server or Workstation services, Client for Microsoft Networks (any AD stuff too), File or Printer Sharing OR NetBIOS over TCP/IP soliciting connections (wastes for me - no home LAN/network) saving CPU/RAM (& other I/O wasted along w/ longer networking packet train data) which automatically protects me right there 2 ways:
1.) Nothing to get a 'handle' on to connect to via a port 445 listener in the 1st place & EVEN IF it did?
2.) I am SMB2++ secured.
* FOR SINGLE SYSTEMS NOT ON A NETWORK @ HOME (no LAN)? It works.
It's ALL here how to do it FROM 11++ yrs. ago too no less "A look @ the future - & the FUTURE was THEN" + got me paid too, will wonders NEVER cease https://www.google.com/search?hl=en&source=hp&biw=&bih=&q=%22HOW+TO+SECURE+Windows+2000%2FXP%22&btnG=Google+Search&gbv=1/
APK
P.S.=> Yes - "I AM LEGEND" immune here - didn't need Windows Update to do so (not knocking update though) ... apk
Microsoft has no basis for bitching about people turning off Windows Updates when they were the reason it was turned off. Ever changing privacy settings, re-enabling adware/nagware/malware/updates after the user had disabled them? Everything or nothing updates where we can't see what you're doing?
NSA hiding exploits that got leaked. You want to ban encryption for consumer products because we're supposed to trust you're the good guys and will never leak the backdoor you want created to the bad guys?
No, both parties made this mess, each is hoping to blame the other.
I'm not buying what either of them is trying to sell.
I built a Windows 8.1 gaming desktop in Oct 2014. In Dec 2014, the keyboard and mouse would randomly stop working for about 10 seconds. This would happen a few times an hour. When you're online gaming, that generally means you die.
After three months of troubleshooting and frustration, the root cause was the Windows Nov 2014 cumulative patch. After rolling back that update and disabling automatic updates, I've had no issues. Every few months, I'd only take critical security patches.
Unfortunately, starting last year, Microsoft doesn't release security patches by themselves. You have to take the cumulative patches. 2.5 years have gone by, so I'd hope they fixed whatever bug I was experiencing, but I just can't risk taking the new cumulative patches! So my computer goes unpatched.
Option A) Turn automatic updates ON and risk Microsoft making your machine unusable due to a faulty update
Option B) Turn automatic updates OFF and risk Microsoft making your machine unusable due to the absence of a security update
When I go to update it just spins for hours and when it finally does update my tablet's keyboard no longer works.
"A person is smart. People are dumb, panicky dangerous animals and you know it." - K
If an MS Update actually updated just the software you have (taking into account anything you've disabled or removed) - then this feature would be useful. As-is, it seems to Upgrade, Re-enable, Reset the OS to a state that is disruptive. This is not what such a feature should be doing. We've seen this before when updates required clicking (no scripting mode) and when updates required accepting EULA's that didn't allow a "No" - you were left with the half-way install. Each time, MS had to learn that their platform would be far more secure if they kept it simple. When they fail doing this well, the feature is disabled. The platform silently becomes a haven for compromised equipment - and a continued poor reputation for service. Has nobody written down the requirements for this type of tool over there? Or more clearly: The requirements should include what NOT to do as well as what is required. I'm very surprised, given that MS wants to be the go-to OS for corporate use. Every OS has flaws and attacks, but making patches into sales gimmicks is what pushes people away.
Having been a victim of M$ updates over the years, I can understand why users want to be in complete control of the update process! Every update seems to break something, and requires multiple reboots. I have heard that with the Win10 Spy-Virus, updates can occur at any time, most often in the middle of the user doing something important. I have also heard that some updates change user's settings, and interrupted work is not saved when the update starts.
So now users have a choice of taking the chance of getting hit with ransomware, or taking the chance having M$ interrupt important work, change user settings, or make the users computer unusable (broken/wrong drivers). Some choice!
"disable as much of this as trivially possible" is another way to say "not disabled". And your comment that enabling auto updates in Win 7&8 will also infect you with MS spyware that cannot be disabled is precisely why this person said they have disabled auto update on even their older Windows installations.
MS *is* largely to blame for the severity of this because they were put in a position of trust and then abused the shit out of it.
The very last Windows 10 update bricked my work laptop. It took most of a day to recover. At least it only cost me time. Backup, backup backup!
Yah blame the user for the virus exploits and not the vendor that created the software with huge holes and the vendor who is blocking updates when running new gen CPU's on older OS versions just to try and push people to W10.
by TheSpoom (715771) Uncaring Linux user here. I have nothing to add to this but please continue. *munches popcorn*
The last time I left updates enabled, update started updating my machine and demanded a reboot in the middle of a major corporate presentation in front of a large audience. This is UNACCEPTABLE behavior!
Windows Updates (1) Constantly reset browser preferences, (2) Frequently break hardware drivers, and (3) Often interfere with critical, urgent work tasks. Don't tell me not to turn them off! Don't tell me not to tell others to turn them off! NOT GONNA HAPPEN!!!
Windows Updates should be TURNED OFF, during all business / production usage. Then updates should be enabled/installed manually during weekends, vacations or other non-critical times. I DECIDE when my machine can be down for maintenance. Not Microsoft. The Updates STAY OFF, until I purposely enable them when I am willing to allow time for reboots, and have the time to restore my machine to proper configuration and operation afterward.
I tell people to turn off the automatic downloading and installing of updates all the time. Instead of having updates shoved down their throats I TEACH people how to look up the updates that Microsoft is putting out and how to decide whether or not those are updates that they need. I also teach people how to conduct regular backups in case they do miss something.
Because blindly accepting anything from anyone is a bad idea. Period. Full stop! It encourages ignorance and helplessness, teaching people how to use these tools we call computers is the only way to stop shit like this and in the case that something does happen a full and proper backup is only a wipe and reinstall away.
Also how are the words of a Microsoft employee "news for nerds"? We already have enough shills that post in the comments.
Just don't.
I have a Windows 10 laptop. It's great, but I primarily use Linux on the desktop. So I turn it on once or twice a week. This usually involves an update of some sort, deferred until the battery drains and I have to plug it in. Every update seems to involve exercising the fan for two hours doing god knows what because process monitor is too vague and there's no notification of what's going on.
Tell Microsoft to stop pushing patches which install Windows 10 without my agreeing upon it, and I'll let Windows update run. No, I suppose Microsoft stopped with the whole Windows 10 thing a few months back, but there's now a trust issue I personally have to get past. The fact of the matter is, I don't trust Microsoft anymore.
- Mark.
WU is ransomware. It's just a different kind of ransom.
WannaCry: "send us $300 in BTC or we'll kill your data if you don't have backups".
WU: "Send us personal data via telemetry, take an upgrade you don't want, let us chew your CPU and interfere with your games. If you don't, we'll force you to do a lot of busy work to separate the security wheat from the marketing chaff, and if you don't do it right you'll be vulnerable to things like WannaCry".
MS bears a lot of blame until they stop holding the familiar Windows experience hostage, and return it to us without forcing us to pay a ransom.
For all intensive purposes, "whom" is no longer a word. That begs the question, "who cares"?
We personally have TWO laptops that got repeatedly broken by non-disableable driver updates (already told Windows to never update drivers, hid the offending update, etc) and it still managed to get through, multiple times, and do the blue-screen tango repeatedly until I gave up trying to fix, it went into safe mode and disabled the Windows Update service. I had to keep it that way for a couple months until I was able to load a "newer" driver from the video chip manufacturer that fixed it and/or MS stopped pushing the broken one. Then I was able to turn updates back on again.
All was fine, I THOUGHT, until several months later when the Anniversary update got pushed to these systems. I bugged both my laptop manufacturer and Microsoft, repeatedly. Microsoft swore up and down that it would "only try to load the update once" and then stop trying if it failed. They also said the Anniversary update wasn't "certified" for this laptop model so I should just not install it, which would be fine except that _they forcefully push it out, including to this laptop model_! When I told them it had already attempted to update, failed and hung, at least twice they said it tries twice and then won't try again. Still incorrect. I tried basically everything including downloading the update to a USB and installing it manually, updating the drivers, downgrading the drivers, removing what I think was the suspect driver causing the hang during the update install, hiding the update with show/hide update tool, etc. Hiding disabled it for a while, but the dang thing is relentless, after a while it still comes back. The only 100% reliable way to make sure it will never try again, and hang the system (usually leaving it in a hung state with the fan blaring and screen showing 32% or something, all night long) is to completely disable the Windows Update service, or buy a new computer, or downgrade to an earlier version of Windows, or say to hell with it and load Linux. The latter isn't an option because the laptops are used by family members who require Windows for specific applications.
But hey, I heard the total cost of ownership is much less than the alternatives! I'll even be able to buy a bridge with what I saved!
...are being labelled the IT equivalents of anti-vaxxers...
So, people who have done their research, and have decided that the cost/benefit ratio is too low. Sounds about right.
I tell them to install Linux.
Capcha: warfare
If you value security, don't run the mission-critical parts of your infrastructure on a general purpose operating system like Windows, but rather run it on a minimalist, locked-down OS that has _only_ the facilities needed to do its job. The update carousel is a nightmare. If you want to ensure your Windows box doesn't sporadically reboot during a long unattended operation in order to update, what do you do? If you want to lock Windows down so it can only do the job to hand, and nothing else, you're screwed. If you run mission-critical stuff on a full-featured general purpose OS (and the same can be said for off-the-shelf Linux distros like Ubuntu and Fedora), you are kinda asking for it.
That this idea is older than me, but is ignored, is laughable.
John_Chalisque
Or stop using Windows entirely, that will save time, money and Windows updates.
Basically, you have the choice between being taken down by one of their fucked up updates or by the malware.
Pick your poison. No, survival is not a choice. Unless you dump that shit.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
I turn off Windows update on the boxes that I still have. I recommend everyone I know disable Windows update on all boxes that they have.
If you leave Windows update on, and just take the security updates by default, you will get owned by Microsoft. Constant telemetry will stream from your box.
I also recommend people look up how to stop this on Windows 7 and 8, where it is possible to stop it. It is not possible in 10, though some people have had some success at limiting it.
The article's advice is horseshit. WU should be disabled for personal computers if privacy is any manner of concern. Microsoft has revectored their security update mechanism to: try to upgrade you to Windows 10. Install sleeper services that only months after installation began transmitting telemetry. Remove useful names from KBs to prevent successful system administration. Transmit information about what programs you use, when you use them, how often you use them. Transmit information regarding crashes. Broadly expose envelope information about your non-Microsoft related activities to Microsoft and anyone they choose to share that information with.
Disable WU on 7 and 8. Tear out the bad patches. Only EVER manually apply patches that you actually require for security and functionality.
Comparing being a sensible system administrator who doesn't want to transfer control over their personal activities to Microsoft to antivaxxers is disgusting. Anyone making this comparison is irresponsible.
https://superuser.com/question...
The list of KBs that you must manually remove (and prevent reinstallation of) to keep Windows without telemetry is provided on that su post. The list is:
KB3065988 Windows Update Client for Windows 8.1 and Windows Server 2012 R2: July 2015 more info .NET Framework 1.1 when you upgrade Windows 8.1 or Windows 7 more info
KB3083325 Windows Update Client for Windows 8.1 and Windows Server 2012 R2: September 2015
KB3083324 Windows Update Client for Windows 7 and Windows Server 2008 R2: September 2015
KB2976978 Compatibility update for Windows 8.1 and Windows 8
KB3075853 Windows Update Client for Windows 8.1 and Windows Server 2012 R2: August 2015
KB3065987 Windows Update Client for Windows 7 and Windows Server 2008 R2: July 2015
KB3050265 Windows Update Client for Windows 7: June 2015
KB3050267 Windows Update Client for Windows 8.1: June 2015
KB3075851 Windows Update Client for Windows 7 and Windows Server 2008 R2: August 2015
KB2902907 MS Security Essentials/Windows Defender related update [no description/information available]
KB3068708 Update for customer experience and diagnostic telemetry
KB3022345 Update for customer experience and diagnostic telemetry
KB2952664 Compatibility update for upgrading Windows 7
KB2990214 Update that enables you to upgrade from Windows 7 to a later version of Windows
KB3035583 Update installs Get Windows 10 app in Windows 8.1 and Windows 7 SP1
KB971033 Description of the update for Windows Activation Technologies
KB3021917 Update to Windows 7 SP1 for performance improvements
KB3044374 Update that enables you to upgrade from Windows 8.1 to a later version of Windows
KB3046480 Update helps to determine whether to migrate the
KB3075249 Update that adds telemetry points to consent.exe in Windows 8.1 and Windows 7
KB3080149 Update for customer experience and diagnostic telemetry
KB3083324 Windows Update Client for Windows 7 and Windows Server 2008 R2: September 2015
KB3083325 Windows Update Client for Windows 8.1 and Windows Server 2012 R2: September 2015
KB3083710 Windows Update Client for Windows 7 and Windows Server 2008 R2: Octobe
software. Now who's the fool for running mission critical software on Windows!?
Microsoft installed their own malware on my old Windows 7 computer to hold it ransom. The malware was called Windows 10.
I can only remember one time when I decided to delay updates and turned off the auto updates for Windows. Otherwise I let em roll and have not had any issues I can say really significantly affected any of my PCs. I think things are over hyped and exaggerated to a point where some are just control freaks and don't want anything done without their say. I can see some critical PCs not wanting to risk a bad update, but these days the risks of not updating are also pretty risky. It would be easier to work through a bad update than an infectious attack.
why this update forces all applications to close without saving the documents. Holy FUCK what a *STUPID* default behavior. Terabytes of cheap hard disk storage and you can't force a CTRL-S to every open application before closing??
Troy Hunt is a paid by Microsoft fanboy.
Move along.
The problems here with people turning off Windows Updates can be laid right at the feet of Microsoft.
Sneaking in "Urgent" patches that introduce unwanted functionality, start spying on the end user, etc?
Not to mention the older issues with newer patches breaking production software.
And the oldest issue of all, Windows updates breaking (and bricking) systems to the point of needing a complete reload.
If those jackasses up in Redmond would pay attention, and hire people to ride herd on all the Indian and Chinese programmers they're paying pennies a day for, they'd know this by now.
But nope! Gotta shovel this shit out as fast as humanly possible. QA is for pussies! Isn't that what our paying user base is paying for?
This situation has been going on for decades now. And it's only getting worse...
Chas - The one, the only.
THANK GOD!!!
I've had countless systems borked by bad patches from microsoft, or applications behaving badly after a patch has been released. For a lot of business it's a balance of risks.
But then.........
When some clowns have the hubris to think they are the only ones to find an exploit, and that they can keep such exploits secret, no amount of patching will keep you safe if a vendor isn't advised of it or heaven forbid they are 'Witting Industry Partners' of the C.I.A. and N.S.A. creating backdoors (Heartbleed anyone?) you're screwed until it's too late.
We need a POLICY change to stop governments from behaving like this. Secure our computing for all, not weaken security for surveillance.
...I was being plagued by the utter unreliability of Windows Update in Windows 7 SP1...with my own LAN, and with all clients' systems. It's been a nightmare over the past three years, with so many different variations of Windows Update components and configurations showing up and breaking perfectly running systems.
But, I have FINALLY found a solution: It's Tweaking.com's "Windows Repair." (http://www.tweaking.com/content/page/windows_repair_all_in_one.html). For a mere $20 bucks, it's a clean, robust "reinstaller" that has cleaned up and improved performance of every system I've run it on (your single copy for $20 can be used on an unlimited number of computers, innumerable times). It's regularly updated, and it has never failed me, ever!
The process is simple: Do some one-time steps to clear common problems (it guides you), then run the "Repair" tool: It changes all the files, registry entries and permissions to what they're SUPPOSED to be...and, that includes Windows Update! You run the program in "Safe Mode with Networking," and you run it twice! Most computers take about 30-40 minutes to run the program once; the second run is the same duration, but takes care of "early-stage" changes that might have been incorrect due to "later-stage" fixes. Worst-case, I have one Windows 7 SP1 system that takes 1.5 hours/cycle...and, after two cycles, it spends about another hour doing "post-repair" updates and consistency checks. It does not affect ANY applications programs. And, it all happens without requiring your constant attention while it does it!
At the first sign of a problem (e.g., system gets sluggish, or updates don't get installed, etc.), I make a backup (usually overnight), then update and run Windows Repair...TWICE...and it's ready to use. It'll be a bit sluggish for the first hour or so, as the final stage of lots of reconciliation of different components get resolved.
I emerge with another, repaired, Windows 7 SP1 system, up-to-date and reliable. It can be another three-to-six months before I find it necessary to do again. I keep a record of when each computer has been "Repaired," so I can confirm that Microsoft's lousy quality control has finally corrupted something again...and I find time to restore the system to "fresh-as-new" state.
If you don't have this tool in your arsenal, you're wasting needless time trying to sort out a reliable source of information on how to fix some "0x85078630" error. If it's broken...again...just fix it, and go on with your life. I usually run mine after business hours, while I'm enjoying time with my family. It runs for a long while...then you restart it, and it runs for another long while, but it only requires about 10 minutes to update the executable, and another 10 minutes to run it again. Then, leave it on overnight. You'll be a lot happier if you do!
NOW, I can safely leave my "Windows Update" enabled (although I always use "Download, but let me decide what to install"), because...after Windows Repair...I can trust my Windows system. Gone are the days of running "Windows Update" all night long just to discover that nothing got fixed the next morning!
Until Microsoft stops adding in telemetry and forced updates and forced migration to a
PHONE OPERATING SYSTEM
like fuck you and the story you're trying to cry on.
I HAVE A FUCKING DESKTOP NOT A FUCKING PHONE
fuck microsoft and the nsa two in one butyfuck
what a bunch a losers at the nsa and microsoft
LOSERS
you can't get people to buy something so you trick and force them, then wonder why an exploit goes nuts on everyone.
ITS YOUR FAULT MICROSOFT FOR THIS 100%
xp would still be a great os had you kept developing that..heck even 7 is very very worthy
8 onwards is garbage looks like shit it has to be shit
I won't only tell them to stop updating,
i will tell them to switch to MacOS, Linux, BSD, anything other than Windows.
Vaccines don't change my hair color, my underwear pattern choice, or which hand I use to scratch my arse
Strange when every fuct up patch was almost mentioned except the dhcp patch which had disconnected everyone who have enabled their Auto-update in Windows.
Except maybe Microsoft's PR people.
So clearly, most readers of our beloved Slashdot chose not to read the article. I'm shocked, shocked, I tell you!
The author isn't talking about enterprise environments. He's talking about home users, who listen to technical experts like those found on Slashdot, and proceed to turn off Windows Automatic Updates. For 99% of home users, they should just set it and forget it.
We are the ones who care about this other nonsense - most folks just want things to work and do not care about marketing fluff.
Maybe if Microsoft only used Windows update, or at least provided an option, for only installing critical upgrades more people would be likely to keep it running. How many stories have there been about the "Malicious Software Removal Tool" ripping out desired applications? Do I even have to mention the whole Windows 10 debacle?
The controversy over whether to run Windows update or not misses the larger point. If you choose to buy a car with a deplorable safety record, despite its expense, then sure, by all means follow the recall notices and bring the car to the dealer every week to get the latest problem fixed. But suggesting Windows update is the "smart" move is like suggesting the same car owners are brilliant for wearing their seatbelt while driving their risk laden vehicles. The smart thing is just don't use a product with a horrendous security record.
The problem I've been having is every time Windows updates starts...even on a fresh install; svchost begins a memory hole and is soon eating all the memory it can. No one has a solution; Microsoft blames everyone else, everyone else says they can't be a problem; Microsoft then said the only solution was Windows 10.
So I didn't disable update...it's so horribly broken I have to not run it or my computer will just...stall.
If MS just pushed bug fixes without cramming new features and worse, then perhaps folks would not feel the need to turn off updates.
Just say no is a great plan, but it needs to start at MS.
nt
It used to be that you had the option to only install security patches, but with Win10, not anymore. MS routinely breaks things by adding functionality now. They push UI changes some people do not want and that can also break things.
If anybody needs to change something here, it is Microsoft. First, they should stop writing really bad software. And second, they should stop forcing people to accept functionality-changes bundled with security patches.
Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
There are 7 billion people in the world, do you really think the right answer is for all of them to read /. and "hacker news" every day?
Do you think bridge designers sit around saying "you shouldn't be allowed to drive across my bridge unless you understand how retention walls work"?
Use an OS from a company that doesn't hate you and you won't have to disable auto-update.
let's just say in 1999 i got warning ahead of the beta 2 ( xp ) and it had enabled all the telemetry and more that windows 10 has back then that they could do.
THEY KNEW what they wanted and that was it....THEY also knew no way anyone would go for it all at once so little by little each new version got to have a bit more....
there are still back doors in xp up to windows 8.1 that none of you know of.
no worries trust in microsoft and the nsa right....lol
and how do i know
This and not turning off the UAC, no matter how annoying it is
People get WannaCry by clicking on the wrong email not by SMB exploits. I get that repurposed NSA exploit angle makes for interesting and irresistible news stories but substantively it's way overhyped and using it to support blanket assertions is a nonstarter in my view.
There is compelling quantifiable evidence to support the position vaccines help more than they hurt. The case for updates is closer to the question of whether throwing billions into the intelligence industrial complex makes real people quantifiably safer from being terrorized given opportunity cost of not investing these funds to address significantly more statistically substantial problems such as pulling down US murder rate.
What we know for sure is social engineering accounts for 90% of general p0wnage worldwide. Even if all unintentional software bugs were patched with 100% coverage overnight absolutely nothing would change.
In 2017 given Microsoft's proven track record of both incompetence and sleaze when it comes to updates it's an open question as far as I'm concerned whether updates are still worth applying at all. Majority of end users are behind stealth mode firewalls and the only whackable thing they have sticking out is a web browser. If you keep firefox or chromium or whatever up to date and lock down some associated configuration are you really appreciably safer vs probability of computer failing to boot or introduction of some new Microsoft "telemetry" malware or Microsoft false choice prompt dismissal scam? I honestly don't know the answer. I do know it very much depends on context not only in terms of the users needs and environment but the value judgments of the end user.
If Microsoft would stop constantly peddling malware, firing QA staff, fix updates to not use insane amounts of resources while taking forever and requiring a reboot to sneeze... If only updates were properly labeled and people trusted Microsoft not to screw with them... my guess less will find value in disabling updates.
I personally believe coordinated automated updates of billions of systems globally in a matter of days is an extraordinarily perilous activity in and of itself no matter how careful you are. Sooner or later this is bound to end in a major disaster. While updates do fix problems quicker they also significantly lower the cost and tolerance for releasing defective software. It sends a signal to the market releasing defective software is a cost free activity.
Forced telemetry made us turn updates off.
We considered the issues carefully.
Based on our use of Windows, NOT agreeing to MSFT spying on our systems was more important than their updates. We use Windows only for very specific reasons, less than 1 hr a week. We never use email or surf the internet with it.
So, for the last 14+ months, we haven't patched our Win7 systems.
We've locked access for all Windows systems down at the network layer. No Win8, Win8.1 or Win10 here. If I wanted a touch-game system, I'd buy one.
We need business operating systems.
And we are religious about daily, versioned, backups.
Windows system restore and windows installer basically implement a horrible copy on write file system on top of ntfs. Windows installer spends an enormous amount of time upfront calculating how to roll back the install if it fails. Run into problems and windows update gets in endless loops, spending most of the time re-calculating how to do a failed install again. Microsoft bite the bullet and fix ReFS to have proper CoW filesystem with snapshots and shocker the ability to boot from a ReFS volume.
.... wasn't harmed by this whole thing because it is behind a Linux firewall and virus scanner. Which gets security updates without breaking functionality all the time, the way Windows update does.
Everyone who is running Windows in production for something other than Sandboxes legacy desktop applications and/or games (where you can backup an image, and just restore when something happens) is lost anyway.
I *have* to disable the update service on my laptop. Win 10 insists on installing newer Intel graphics drivers, except they don't work with the Optimus setup on my laptop. With the newer Intel drivers, any 3D game I start crashes when it tries to use the Nvidia card. So I have to let Windows 10 update my laptop, disable the update service, then reinstall the Intel GPU drivers provided by my laptop vendor (and also the Nvidia drivers if Windows 10 has auto-updated those).
When Win 10 first came out, it gave you the option to disable updates to a specific device driver. But for some inexplicable reason, Microsoft removed this option in the Oct 2016 update. Because of Microsoft's brain-dead update policies, I literally cannot use my gaming laptop to play games if I have Windows Update enabled.
The so called "security experts" are preaching about the immense dangers of disabling automatic updates. Never mind the time consumed involuntarily by consumers having to patch their systems every second week. Never mind the unsaved files, permanently lost, due to automatic reboots in the middle of the night. Never mind the havoc wreaked on production and development environments running multiple virtual machines. It's time the security people stepped down from their high horses and realized that automatic updates should never be enforced -- only strongly recommended. Developers and power users don't want to live in the Microsoft nanny state of supervised reboots -- not even if you're able to schedule them.
If you have been using a modern OS, this is fairly common sense. Only experts should be delaying updates, right? (Because, for example, they know their machine can't get to the internet.)
Alas, my wife has to use Microsoft Windows at work, and lately she's been bringing home a laptop that runs Windows. It has been an eye-opening experience in misery. I suspect that most pro-update people haven't seen MS Windows in a decade or so. If you've lived a 21st century existence lately, then you have no idea how unutterably horrible Windows is. If you think it's just another OS, you are out-of-touch with how the industry punishes people in the modern day.
Basically, imagine if updates were as painful and annoying and disruptive as possible. Then pause and ask yourself: How could I make it worse? Think of a way to make it even more inconvenient. Ok, got your idea? Now..
..lay down on your belly in a supine plaintive gesture of inadequacy and submission, and crawl with humility, because your imagination is so pathetic and limited. Windows updates are far worse than the worst thing a Linux user can imagine. They interrupt people, and they even happen at shutdown, where you're literally not allowed to turn the computer off. Microsoft takes your computer away from you.
To get some idea of what Windows updates are like, just imagine if a flu vaccine caused 12 months of explosive unpredictable diarrhea. Get this shot, and you're immune from the flu, but for the next year, at least once per day at any time and any place, a liter of liquidishit is suddenly going to explode out your ass. Maybe you're driving, maybe you're sleeping, maybe you're in a meeting at work, maybe you're eating at a fine restaurant, or maybe you're at a bar chatting up a member of the opposite sex. And with 0 seconds notice, whatever you're doing is suddenly interrupted by a stinky, messy, embarrassing experience. Every day, for a year. Good thing you didn't catch the flu, huh?
Might you become an anti-vaxxer, if flu vaccines were like that? And so, you might avoid Windows Update, because it's hard to say whether malware can really be worse than Windows Update. What expertise in causing user misery do malware authors have, compared to the professionals in Redmond?
You are getting DOSed one way or another. You get to choose how it happens, but not if. That's what it's like for people who still have to run Windows.
And if you haven't seen Windows lately (e.g. since XP) I am dead serious: you don't know what it's like. You think you remember it as "bad." No. What you remember from before, is nothing like what it's like now.
Companies like Microsoft have to be responsible to their customers and not push updates that violate their sovereign right to control their own bought-and-paid-for hardware, not install unwanted 'features' like things that shove ads in your face, not brick people's computers, and otherwise not subvert and annex peoples' bought-and-paid-for hardware into their surveillance network. Companies like Microsoft seem to think that THEY own people's computers, not the PEOPLE WHO PAID FOR THEM, and that is FLAT OUT WRONG, AND FURTHERMORE POSITIVELY OFFENSIVE. If companies like Microsoft had a respectful attitude and respectful business practices THEN PEOPLE WOULDN'T BE TURNING OFF AUTOMATIC UPDATES IN THE FIRST PLACE!
It all starts with the shitty NSA infested OS called Microsoft Windows. Install Linux and forget about anti-virus protection and spying.
Windows updates can break a just repaired install. No one wants a non-billable re-service because someone went home and M$ flubbed a patch.
Just don't enable Windows Update - if you're in break/fix.
"As soon as they're required to do something, it'll be neglected which is why Windows Update is so critical."
If it's so important then MS should not abuse that criticality to push spying and adverts via that channel then.
Don't push unwanted updates down people's throat. Don't make updates so annoying that you have to reboot your computer so often. People shouldn't be forced to stop everything they are doing to reboot their computer so often. If you want everyone to do them, these updates should be seamless.
But I know what I'm doing. I haven't patched anything in almost two months. Haven't gotten WannaCry nor am I likely to. Even if malware/ransomware gets on my system, I have a simple solution: Scrub and reinstall everything. All of my data and apps are backed up to remote cloud hosts (and all of my backups are verified regularly) just in case the worst case scenario happens.
For the general user and IT department which manages multiple users, I agree that disabling Windows Update is a bad idea. But some users need total control over when they install updates.
I'm too lazy to google it right now but wasn't it the CIA who actually did mis-use vaccination NGO programs to steal DNA samples in order to find out where Osama Bin Laden was hiding (by detecting relatives' DNA)? That particular boneheaded move actually discredited real, life-saving vaccination programs in the developing world.
Microsoft's penchant for appropriating a *security update* mechanism for market-driven upgrades and advertising/telemetry feature installation has done the exact same thing: while there may be real security updates in their channel, nowadays we know it's proven there is actually harmful stuff being shoved through there as well. They've poisoned the well.
If MS really wants to make people do updates promptly, they need to get their heads back out of their asses. In the late WinXP and into the early Win7 era, there was a strong push for security and the updates were usually both relevant and easy to install.
Fast forward to now, and half the updates you get are MS pushing their latest piece of crapware (*coughskypecough*) that you don't want, and like 90% of them require a full computer reboot -- which they'll happily do with or without your input and hope to hell you saved your work that day.
If MS wants people to install critical updates then:
a) Stop calling every fucking sales pitch "critical," and
b) Go back to putting in the effort to avoid reboots. I know it's easier to just reset and not worry about internal version conflicts and whatnot, but it's a serious detriment to anyone who doesn't normally shut off their computer in the first place (and those people are the ones who least need to be forced into an unwanted reboot!)
Unfortunately MS has decided to do the exact opposite of that and compensate by giving you no choice -- enjoy losing your work.. what're you gonna do about it? Switch to Mac? Oh you are? Well fuck.
Automatic updates are great and all, until the update becomes a problem in itself, breaking something.
Microsoft really should have two update paths: CRITICAL (and take it seriously, no more stupid updates labeled as CRITICAL)
And: Non-CRITICAL (everything else goes here, especially driver updates!!!!)
Make one optional, make one mandatory. Problem solved, assuming M$ can adhere to a fairly strict no-nonsense policy to what gets flagged critical.
How about: Whether or not you have automatic updates enabled, don't ever put a windows box on a public-facing IP, unless it's super-dooper-hardened/firewalled and has a 24/7 NOC staff to monitor it.
unless your idea of vaccinations is a permanently installed vein tap that is always connected to a drip line coming out of the wall. But they will only ever push good stuff through it, so don't worry.
In Server 2016 you have two options: allow the server a full 8 hour window to reboot itself when updates need to be applied, or disable the whole thing via group policy. Nothing in between.
I've been hit by this numerous times. HyperV server running a bunch of VDIs? FUCK IT, I'm Windows Update, I get to take the whole fucking thing down! Exchange for an international corporation that relies on 24/7 email? SCREW YOU, I'm Windows Update, reboot that bitch!
Guess how many people have no choice but to disable them because they don't want their servers randomly rebooting?
We had THREE Production servers that got Windows updates (Windows 2012 R2) and suddenly wouldn't boot! Our Windows admin spent the whole day on the phone with Microsoft and we had to rebuild ALL THREE servers! Backups you say - yeah they wouldn't boot either. You see the servers didn't get rebooted until 5 days AFTER the updates got applied. So the backups were no good either. This latest Ransomware is just another death knell for Windows, now our IT executive management are looking at how soon we can start migrating anything we can to Linux servers, even our Enterprise Architect is highly recommending it.
... one could implore the software vendors to make the update process less arduous, cumbersome, error prone, and OBNOXIOUS AS ALL HOLY HELL.
As someone who has, on multiple occasions/systems, got frustrated enough with Windows Update to disable the service (hint: that's the ONLY way to prevent it from randomly rebooting your system when you are trying to use it, whether you like it or not), I can say with some certainty that I would have no issue with leaving updates enabled, if the process wasn't so GODDAMN TERRIBLE. Suggestion to vendors and prognosticators: the vendors are as much, if not more, to blame as the users who respond to the INFURIATING behavior of their devices. Instead of blaming the users, I'd suggest perhaps it might be more productive to blame the vendors for the poor quality software which drives the users to disable it.
How in fuck do I safely update a Windows install, without risking telemetry and all of the shove-Win10-down-my-throat bullshit? Nobody has a fucking answer to this. I need to update my installs, ASAP - but I'm holding off because I don't know how to avoid all of the fucking MS-produced malware... Someone give me a fucking answer...don't link me to offline installers, that just install all of the problematic updates as well...
It's worse than a virus because you can at least theoretically get redress to a virus writer you track down.
And I recall saying this in slashdot before, so this has got to be a dupe, or the submitted quote is from another MS wally writing to slashdot before.
Few sane individuals would turn off security updates at the critical security level concerning defects offering networked remote execution with escalation.
There's little reason for this relatively small group of patches to disrupt normal operations, if Microsoft were to take a conservative stance.
But somehow Microsoft manages to bundle in weird instability bycatch, and you're either left with your pants down, or your pants on fire. For which the only viable solution is an OS-upgrade cycle with a new-and-improved EULA, which somehow never fails to be ever more Orwellian.
Pants or privacy. Choose one.
Nice business model, should your customers willingly board the train.
have you considered that if many millions of people are turning down windows update maybe there's a reason for it?
i mean, to turn it off completely you actually have to google how to do it to do it fully, its not like people load up google and search random stuff
things ive avoided with windows update completely off:
windows 10 ninja install
diagtrack service making my computer hard drive unusable for the first 5 entire minutes after booting up
windows update corrupted sitting iddle wasting 25 per cent of all my cores on a 8 year old computer (imagine how that felt, if my computer had balls it probably felt like it was being kicked in its balls)
also, you can put the service up, download a patch from the microsoft update catalog, and put the service down again, in 2 months from a critical bug theres plenty of time
windows update was FINE before the arrival of windows 10, then it wasnt
theres no running, you shills CANNOT HIDE, microsoft did this indirectly because of windows 10, yet another reason windows 10 sucks, it manages to not only sucks itself, but make other versions of windows that were working perfectly fine for YEARS suddenly suck
so to be perfectly clear, you can keep your "advice"
There are a lot of ways to protect your hardware, yes a bare system on the internet directly is vulnerable to a lot of exploits but IT professionals have been protecting these systems for decades from things before microsoft releases a patch and protects them.
Windows 10 single-handedly caused far more problems and cost for users of production software than any viruses for one company I worked for.
We were flooded with calls from users who were FORCED into windows 10 and now ALL THEIR SHIT DON'T WORK.
Trusting microsoft completely is bullshit, review the updates, decide if they're relevant. We can't trust these companies to blindly accept all their software "updates", a lot of them these days aren't even things that affect you, but they want their software to gather more data or other garbage.
Why are you applying untested updates to all production machines at the same time? I do it for a small shop with six year old hardware (cheapskates) and I stage test everything in a vm before rolling it out sequentially to other servers.
Sounds like you have a shitty IT guy. Maybe you should pay more for him, like you should do for a GOOD secretary.
What you have is the opinion of a person having limited knowledge ... You only looked at one single threat and decided what you asked is good for everyone. Obviously you haven't done any risk assessment.
In environments where hundreds/thousands of computers run to put together a massive operation, we don't do "automatic" updates... which gives MS the decision of when and what. Instead we evaluate the credibility of the patches even if it comes from its authentic provider MS. Why? Because unlike the patch that you mentioned, there were other patches that crashed thousands of servers worldwide... or upgraded the OS from Windows server 2003/2008 to Windows10 and rendered all of its applications useless because those apps are not compatible with Windows 10.
Even if a patch is credible and verified... we run it through test, then QA, then Staging, then Production in that order. So you see... just because MS provides a patch, doesn't mean you have to install it. MS is not the only provider here. There are other providers that issued patches which consequentially created disasters and we were left with fixing their problems.
For personal use computers, yeah sure it would be OK to have an abrupt patch that causes problems or do an upgrade without consent. For some that's still unacceptable since they rely on their machines to make a living.
'nough said... what you said is wrong. Let the experienced speak and you'll learn from them.
"As soon as they're required to do something, it'll be neglected"
If it fits your agenda, then it must be true.
I'm guessing as a security researcher, he's never had any real world experience.
Allowing a software vendor to automatically apply updates and patches might sound like a good idea "in theory" but it requires a level of trust--something which Microsoft has never achieved in my organization over the past 17 years.
As others stated, the *only* way for a business to manage updates properly requires building a test environment and funding knowledgeable staff to test updates against their system and software configurations. Turning on Windows Update without any oversight almost guarantees you eventually having a Really Bad Day at the office when you come in and MS has decided to update something having to do with the login authentication and none of your users can log in.
Fast forward to Windows 10 and you have the "installing, failing, rolling back, rebooting" cycle and if you think calling Microsoft is going to get you a 5-minute fix, you're probably going to find yourself needing a new job.
I would rather restore my mother's PC from a backup than have to deal with Win10 on her machine. They turned it off for now, but it takes one under-performing quarter for them to get back at it.
"Security update KB12345: This update changes the color of the mouse cursor. Be aware that this update is required for all future updates to Windows 7 and 8.1. For a list of incognito non-security changes, please visit ."
But I'm not enabling automatic updates in any environment I manage.
Too many times have I been alerted of a new security issue by a client, though I was already aware, and was asked to install the patches that correct the issue. The environment's already designed to prevent many of these issues (ACLs, competent firewall rules) and I'm not worried, but want to qualm their fears with something real, like Microsoft patches. ...
So it's 3AM and I'm rebooting and I receive a real blue screen of death (i.e. 'we can't boot to shit, you want to recover?'), I scramble around and restore the last backup. The client isn't pleased, neither am I, and we forget about the ordeal because it's already solved.
What I'm saying is just like many others. I don't need your patches, they usually fuck things up, but some people do. So, it's a deal. Microsoft can deal with a swathe of angry customers who fail to boot or reboot loop to oblivion and I'll keep my mouth shut (other than blaming Troy Hunt, maybe).
Microsoft has criminally defiantly abused update to push technologies and other junk, and to force upgrades, etc. etc. with impunity. They can not be trusted.
Updates tend to mess things up, including non-windows updates.
Due to bad patches and forced reboots on some machines where losing time in working hours was a serious problem you just had to turn off updates. The sensible thing after that is disk imaging then manually applying the updates (and waiting through whatever patch rollbacks are needed) every few weeks.
The extent of the current problem is partly due to windows updates being very poorly managed and used as a vector for a new product that is in some ways inferior to the one it replaces. Some people did the necessary for them step of stopping automatic updates and then never took the time consuming steps of doing the manual updates.
Microsoft behaved badly and lost trust, leaving malware to exploit other areas where MS has behaved badly with bandaid fixes later.
Blaming the users doesn't get anyone anywhere. They had their reasons. They may not be entirely good reasons but MS should be working on regaining their trust instead of blaming them.
For people on low capped 30 - 60gig cellular and satellite connection, Windows updates are often simply unworkable.
You can't demand I use a day's worth of internet activity to install updates. Sorry does not work that way. If M$ won't make individual updates available so people on the meter can pick just the critical, that affect them, people will continue to disable updates.
Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html
The only thing worse than MS's OS is their Update scam.
1) Enable test-signing.
2) Generate your own key
3) Change driver version to maximum 32767.?.?.?
4) Install it
Problem gone.
Not for the faint of heart.
I just don't know what to do anymore. All I want is to play games on my custom built 4k gaming rig with the latest titles. I DO NOT WANT TO BE SPIED UPON by a machine I built. I would switch to linux in a snap if I knew the gaming houses would make a concerted effort to assist in the transition.
I am so lost.
Most of the ones complaining about Windows Update belong in the "shitty IT" category and should be required to surrender their Nerd Card. If all else fails MS does provide the utility necessary to uninstall any botched update and reset your system state. In a business environment you can turn off the automatic update and run the update any time you feel like. In the user space the overwhelming majority do want the automatic updates. If you can't take the time to review the update release notes BEFORE you allow the Windows Updater to install the update. And if you are going to complain about Windows Update you would be better off complaining to vendors providing their drivers to MS. A blue screen condition is almost always the result of a broken driver that was not developed by MS.
just don't.
Yes. Surrender your nerd card. You. And you. And you. You too. Surrender. Surrender.
(Why am I all alone?)
>>'Don't Tell People To Turn Off Windows Update, Just Don't'
Yep. Better tell people to use Linux.
>> Our Windows admin spent the whole day on the phone with Microsoft and we had to rebuild ALL THREE server
That's normal when administrating MS machines
Seconding (Sextillioning?) the counter-argument.
Microsoft has been increasingly abusing their Auto Update system with things they shouldn't be putting in there, lack of sufficient testing and general dickery.
Things like the telemetry are an abuse of the system, and windows 10 should *never* have been pushed as an update. That and the raft of faulty updates that actually broke computers causing them to enter reboot loops or pieces of hardware to stop working mean the 'cure' is almost as bad as the disease!
This inability to trust Microsoft is exactly why larger companies do their own regression testing before unleashing the updates on their users, and that takes a lot of time, leaving a window between patches that can be exploited. But frankly, this exploit apparently goes back to Windows 2000 and they only patched it in this March so who knows how many others there are.
This is the price of a monoculture.
If you want a secure system, you probably shouldn't be using an operating system designed for consumer users.
Like Windows 10. Or even if you go to the trouble of fetching and installing the "security-only" updates, the April 2017 one disables updates on Win8 for new processors.
The result is that I can't trust Microsoft. I don't want to choose between a remotely exploitable zero-day and being fucked by Microsoft, but the former happens less often than the latter.
Microsoft's invasion of my privacy, yeah.
BTW, like me on Facebook. /s
Latest update now forces a dirtbag popup every 3-5 min that I have "Unsupported Hardware" just because I want to continue running Win 7 on a newer processor which WORKS FINE. Have to disable the forced Information Theft in Win 7.
Can't go to Win 10 due to excessive forced Information Theft (Why is there not a lawsuit?). Was also going to buy a Roomba, but no longer for the same reason.
Seems you can't use any technology enjoyably without letting the companies steal your info.
However, I don't have automatic update enabled on my machines. First, one security patch was buggy and to this day if I enable automatic updates on one of my machines it will attempt to install it, fail, then roll back the changes. Once finished it will restart again trying to update this patch and fail. Instead I check monthly for updates and install the updates that are available. Another reason I don't automatically update is because one morning my laptop had a screen welcoming me to Windows 10 and that it is encountering problems with the update and is trying to fix it. I waited for it to finish but decided that my machine hung after 12 hours and tried to reboot. Sure enough, not only did I get upgraded to Windows 10 without my consent, I got the opportunity to reinstall my old windows from scratch. I'm not willing to take the gamble of waking up to an inoperable machine due to a botched Microsoft patch installation.
Since Windows 10 spam/Malware campaign I have had Windows updates disabled on my PC. I have not had any issues with this or any other exploit. Even if I get hit I don't care because I have backups. I have had issues with Windows update on multiple occasions. So what do you think I will be more likely to defend myself against hmmm?
Well, one good reason is that most IT departments in the world can't afford to have exactly the same hardware on every production platform. It would be nice, and we'd like to have an exact duplicate of every hardware configuration / software configuration, but we just don't have unlimited cash to do that. So no matter how we test on the most prevalent hardware configuration, you can still get bitten by a particular hardware anomaly on a particular box. It's easy to blame the IT guys, but everybody has a budget they have to deal with and arguing for hardware to just test on is rarely going to be on higher management radar until there is a huge downtime that is public facing.
That's another reason that running Microsoft Windows only virtually on Linux is nice. You can have better control of the hardware it sees. But there are some PHBs out there that want it running on the bare metal for whatever good reasons, so you can never be completely free of the similar hardware issues.
Also, it is very rare for IT to use software in all the same ways that the actual end users do. It can appear to work fine, but fail when some engineer does "their" thing with the software that perhaps no other engineer does. Again, it's easy to blame the IT guys.
I work in IT and like job security and an OS that always breaks.
Sorry Troy Hunt... Out here in the real world, Windows Update bricks PCs without notice. Most of my clients are in business and rely on their PCs & Servers to work day in and out reliably, yet when Windows Update pushes something out that brings that client to the paper & pencil age, that is not exactly a way to inspire confidence. And removing descriptions of just what a patch does, we should not have to play Russian Roulette.
The Windows 10 upgrade was yet another example of a company not knowing when "No means No" and deserved to be blocked.
So instead of blaming organizations for not patching, why isn't anyone telling Microsoft that we have had enough of their hole-filled software and to fix it or get your wallet out.
Agrisea Tsunami - Epyc Servers... https://agrisea.net/products
I turned off the auto update because almost every day Windows tried to take and overwrite the version I liked and needed, using their intrusive demand windows that were harder and harder to shut off or deflect. My wife accepted Windows 10 and hates it, and spends more time, some days, avoiding the ads than getting work done.
Here's how you fix that for your Intel Driver.
- Let Windows Update install the version of the driver it wants to, and do not uninstall it
- Go to device manager (devmgmt.msc) and find your device
- Right-click on it, and hit "Update driver software"
- Click "Browse my computer for driver software"
- Click "Let me pick from a list of device drivers on my computer"
- Select the version of the driver you want
Graphics drivers are responsible for a double-digit percentage of all BSODs. That's why MS is pushing these. Rolling back drivers is a huge irritant, but hopefully it will help a little to understand _why_.
Fuck you, I say turn it off. Then, immediately thereafter, install a REAL goddamned operating system, not a pile of dog shit, pathetic excuse for an operating system with a swiss-cheese-like security model, like for example just about ANY BSD variant, or GNU/Linux.
Even with Windows Update turned on, your computer can still easily be part of a bot-net, spam server, kiddie-porn server, ransom or other malware server, etc., or spreader of worms, trojans, viruses, root-kits, etc., etc., etc., and the VAST majority of this vulnerability is courtesy Microsoft DELIBERATELY and INTENTIONALLY shipping software that has deliberately added security flaws that COMPEL you, as a user, to USE Windows Update, which in turn requires you to REGISTER your copy of Windows, which in turn requires you to have a LEGITIMATE, recently purchased copy of Windows which you have NOT installed on TOO many machines, nor on the same one too many times, making it unable to be registered again. Making these be requirements means that you HAVE TO PAY for your copy, OR your data is subject to hacking, your computer subject to compromise, etc., and at the same time even if you do everything right, by the book, and legally, the holes could STILL risk your safety, all in an effort to prop-up Microsoft's failing, bullshit business model.
You read that right. Microsoft sacrifices the safety and security of your data and ignores your rights as a property owner, etc., jeopardizes your very life, potentially, for the sake of making the rich bastards who own their company even more obscenely wealthy at YOUR expense.
So yeah, I say FUCK Microsoft, and all who aid and abet their shenanigans, and if you're still one of those poor, unfortunate souls who has to use any kind of crippled crapware from Craposoft, PLEASE, for your own sake, upgrade to a REAL Operating System, and tell Microsoft that they can eat shit, die, and go straight to fucking hell where they belong to suffer for all eternity.
If you need help or advice to do this, I'm sure /. .org has about 1000 people reading it at any time who can help you learn.
Just... whatever you do, if someone tells you to open a terminal and change directories to root, and give it the command, "rm -rf *" or something like that... little bit of advice from me to you. DON'T.
Take care, good luck, and fuck Microsoft and all the evil those piles of horse shit puree they represent.
1) it's not a gaming laptop if you're using Intel graphics
2) where's the hate for Intel for supplying a broken driver update to Microsoft for publishing?
Removing a config option is MS's fault, but the bulk of the blame for your specific issue lies with Intel.
...until the latest MS patch takes down all of your accounting department and part of production. Cleaning up that mess this morning. Sigh.