'Don't Tell People To Turn Off Windows Update, Just Don't'

Security researchers Troy Hunt, writing on his blog: Often, the updates these products deliver patch some pretty nasty security flaws. If you had any version of Windows since Vista running the default Windows Update, you would have had the critical Microsoft Security Bulletin known as "MS17-010" pushed down to your PC and automatically installed. Without doing a thing, when WannaCry came along almost 2 months later, the machine was protected because the exploit it targeted had already been patched. It's because of this essential protection provided by automatic updates that those advocating for disabling the process are being labelled the IT equivalents of anti-vaxxers and whilst I don't fully agree with real world analogies like this, you can certainly see where they're coming from. As with vaccinations, patches protect the host from nasty things that the vast majority of people simply don't understand. This is how consumer software these days should be: self-updating with zero input required from the user. As soon as they're required to do something, it'll be neglected which is why Windows Update is so critical.

Excluding the unfortunate exceptions

[JimToo]

Unless you have a production environment with a software product that breaks with Windows update turned on. In which case you have to take additional security and maintenance measures and have a team that is tasked with (and funded properly) to do testing and updates on a regular basis.

Re:Excluding the unfortunate exceptions

[xxxJonBoyxxx]

Or the Windows 10 update doesn't work and keeps downloading/restarting/bluescreening your computer. (Looking at you, "Anniversary" edition.)

Re:Excluding the unfortunate exceptions

[mikael]

For me, it takes around three manual restarts, because I have a dual-boot system and the default option is to boot into Linux. Even if Windows does download the update, it then sits around for so long with no indication of what it is doing that the screen blanks out. Then it just sits there pondering and reboots into Linux. Then I reboot back into Windows, which tells me that updates have to be installed. Then it sits around a bit more with a blank screen, then it reboots.

So an automatic update isn't going to be automatic, and it comes as a rather unpleasant surpise to boot into Windows, only to find that the updates weren't installed or need to be downloaded and installed before I can get any work done. If this update system were designed correctly, it should simply clone the existing Windows config, apply the updates, and only say a new version is available when everything is working correctly.

Re:Excluding the unfortunate exceptions

[mhollis]

Mod this up, folks!

I know at least five different business environments which have been, essentially, shut down by a Windows update. One of them was signing a new service contract as I was talking to him—he had been down all day, unable to see his customer files, his books, the jobs his company was supposed to be doing, unable to route his employees to where they were supposed to go. They went back to a paper only system they have not used since 2002 and they were guessing at that. They were taking credit cards over their website, but could not record the result in their books and had to just save all of the emails and spend an additional day or so just doing data entry into their bookkeeping system.

Of course, these are anecdotes (which is what the anti-vax community uses instead of Science). The problem is not the update, it is what Microsoft does to the computer upon emerging from the update. Elsewhere, people have written of resetting all of the browser preferences, BSODs and other issues. Microsoft needs to restore the previous state of the computer or server (as much as is practical) after the patch. They need to go in like a surgeon with the same motto: "First, do no harm." And if they figure out how to do that, their updates will be seen as innocuous as Apple's

Re:Excluding the unfortunate exceptions

[mysidia]

Makes sense, but not an excuse for turning off Updates.

How about your company's team (with the prod. servers) does their job, then? And tests and Rolls out the updates BEFORE Windows update automatically installs it.

Leave Windows Update Enabled, schedule all new updates to install on X Day; However, If Windows updates rolls out the patch its own, then YOUR TEAM failed to conduct its job appropriately, which was to perform a controlled rollout in a timely manner (BEFORE The update is a week old, And the failsafe triggers to protect your organization's security).

Re:Excluding the unfortunate exceptions

[Austerity+Empowers]

Unless you have a production environment with a software product that breaks with Windows update turned on

And this is the scenario that happens more often than a patch was ahead of the exploit. It still makes the most sense to keep update OFF.

Re:Excluding the unfortunate exceptions

[peragrin]

Yep. Whenever work preforms security updates we literally lose a days worth of business as everything has to get reset. Local printers vanish as thier connections are disabled, with office 365 and outlook down for so long those caches get flushed, etc.
    You wanna know fun? Get 30 people to download 3-5 gigs of emails in an hour on a 100 mbit connecting because that's the best the area has.. talk about a wasted day.

All because vendors reset settings that had no requirement of beingâ reset for siad Patch.

Re:Excluding the unfortunate exceptions

> And if they figure out how to do that, their updates will be seen as innocuous as Apple's

"Innocuous", like downloading multiple GBs worth of update files over my slow DSL connection, only to tell me *after* the fact that my MacBook Pro is too old for Sierra. Gotcha.

Re:Excluding the unfortunate exceptions

[xxxJonBoyxxx]

>> How about your company's team (with the prod. servers) does their job, then? And tests and Rolls out the updates BEFORE Windows update automatically installs it.

So...Windows shouldn't be used by small or medium-sized business without IT workstation teams then?

Microsoft, can you confirm?

Re:Excluding the unfortunate exceptions

[toonces33]

Or WU that literally runs for 24 hours with the CPU pegged at 100%. I haven't seen that in a while - maybe they finally have it fixed. Or if your C:\ drive is full - then you get all sorts of weird failures. You go and clean some space up, and within a day it has gone and downloaded more junk to fill it back up again. Or your WU databases have somehow gotten corrupted, and WU just runs and runs and never actually does anything. I have seen that one as well.

Re: Excluding the unfortunate exceptions

[Anonymous+Brave+Guy]

You need dedicated people or else shit breaks.

That's strange. I'm sure I've worked in several different organisations with 25-50 people and no dedicated IT staff, yet they all managed to keep their systems working just fine.

Oh, wait, that was before the modern updates-every-ten-minutes junk. Never mind.

Re:Excluding the unfortunate exceptions

[Anonymous+Brave+Guy]

You do understand that the majority of professional work is done by small businesses, and most of those don't have dedicated IT teams at all, right?

Enterprise IT is actually the exception, not the norm.

Re:Excluding the unfortunate exceptions

[Wolfrider]

--What I did for dual-boot is to set Grub to boot last selected entry, might work for you...

Re: Excluding the unfortunate exceptions

[mhollis]

Okay, you are an expert. And you patch systems and I want to thank you for the un-thanked-for work that you do all of the time. But we're talking about the Microsoft-pushed updates that destroy everything (you can see all the anecdotes, so I know you are aware.

I will offer you this: I know a company with $3M in sales that signed a contract with a (hopefully) good IT firm right in front of me that I would have loved to refer to you. Send me a private message with your location and I will refer you if you are local.

Re:Excluding the unfortunate exceptions

[bongey]

Windows update(10) all the way back to XP, is horribly slow is part of the problem and it has just gotten worse. Run into a problems with windows update and you can lose 1-3 days, just because it takes forever for it to eventually fail. I went to update the windows load on my dual boot machine and it took 3 freaking hours on 4.5Ghz machine, ssd and 32GB of RAM. Same machine with Ubuntu updates took all of 2-3 minutes even with multiple dkms modules being built. Microsoft there is no excuse for it being that slow, I can just have btrfs root, take a snapshot before updates and have the equivalent of your system restore and your horrible over engineered windows installer without the headaches.

Re:Excluding the unfortunate exceptions

[darkain]

1) There is one particular update that addressed and fixed the WU CPU issue (I don't remember the KB number right now, but it is easy to find)

2) Just slipstream a Windows WIM file. Take the ISO, download the cumulative updates, inject them into the WIM, and then install Windows from there. It'll be a smaller install over all (less SxS crud), and current as of which ever updates you slipstream into it. Additionally, you can add drivers this way too such as NVMe, USB3, and 10gbe if you use stuff like that.

Re:Excluding the unfortunate exceptions

[Drethon]

>> How about your company's team (with the prod. servers) does their job, then? And tests and Rolls out the updates BEFORE Windows update automatically installs it.

So...Windows shouldn't be used by small or medium-sized business without IT workstation teams then?

Microsoft, can you confirm?

Yep and they shouldn't use Apple or Linux because of the lack of document compatibility with customers and suppliers. So this leaves us with...

Re:Excluding the unfortunate exceptions

It also doesn't help that when I try to find details about updates there's no information in the Windows Update panel. "Install this update to resolve issues with Windows." Thanks you fuckers... what issues? "Click here for more information." I click and get taken to a page that says "Install this update to resolve issues with Windows." Oh for fucks sake...

Re:Excluding the unfortunate exceptions

[networkBoy]

no, they haven't. Just happened to me two days ago on my work lappy.

Re:Excluding the unfortunate exceptions

[CFTM]

So, if you read the article, you'd know that he's actually talking about home users and states before hand that enterprise environments have their own processes and procedures for dealing with these things (and if they got hacked, they screwed up because it's been three months).

The problem is that technical users, like those found on Slashdot, tell home users that they should turn this stuff off because it causes all these problems, when it really doesn't when you're running a system with known hardware and under typical operating conditions.

By typical, I mean you use Chrome and maybe a few other applications. You're not a developer, you're not a big time game player.

This is 95% of MS home users. These people should all have Windows Update on at all times and what's more, they could care less about the crap that Microsoft packages in along the way. We may consider it invasive but most people just shrug their shoulders and move on.

Re:Excluding the unfortunate exceptions

[networkBoy]

as I *abruptly* learned a year ago when I left Intel and started at a relatively tiny 40 person shop.
We have an IT guy (actually rather spectacular dude really) but there's no way he can get much past firefighter and core infrastructure maintenance mode... and there's no money for more people for something that simply doesn't make money.

Yes we all know that IT doesn't make money, it prevents you from losing it all... but my intro to the "real world" after two decades in multinational corp. environment has been eye opening.
I think of our 20 or so clients, only 2 have serious pro level IT, another 5 have functional IT. The rest? bwahahahahahaaaaaa

Re:Excluding the unfortunate exceptions

[sbjornda]

So...Windows shouldn't be used by small or medium-sized business without IT workstation teams then?

You contract that stuff out to a local computer company. Doesn't have to be in-house.

--
.nosig

Re:Excluding the unfortunate exceptions

[mysidia]

So...Windows shouldn't be used by small or medium-sized business without IT workstation teams then?

If you're a SMB, then it is vanishingly unlikely that an Update-induced outage will cause a critical interruption of business.
If it would, then either change your design, Develop a plan to mitigate Update-induced outage, OR else, it really is worth paying
for the team to do this right.

ON THE OTHER HAND, a Security-breach-induced-outage could very well put you out of business;
if Uptime of this application is as critical as you would like to suggest.

Re:Excluding the unfortunate exceptions

[StormReaver]

I love Windows 10. Because of it, I have people asking me to install Linux over Windows 10 that would never before have considered such an option. Thank you, Microsoft!

Re:Excluding the unfortunate exceptions

[nine-times]

Sure, but then... you really should have maintenance with the vendor, and the vendor should be keeping the software product up to date so that it works with the latest Windows patches.

I'll admit it's not that easy. Sometimes you're stuck with some weird application that nobody supports anymore, but you need to keep it going. However, there's a part of me that wants to point out that, to some extent, it's the fault of whoever purchased that application. What I mean is, I've seen companies that are still running on some product that was purchased 20 years ago, and they just haven't updated. I've seen companies that rely completely on some application that a company built in-house before firing their development staff, leaving nobody who knows how the code works. To some extent, if you base your business around some random janky application that nobody is supporting, it's kind of your own fault. Businesses should anticipate that, for any business-critical application, they should have a support contract with developers capable of patching/fixing/updating that application. If you can't find someone to do that, then find a different application. If you can't do that (or can't afford it), then your business just isn't sustainable. Sorry.

Re:Excluding the unfortunate exceptions

Seriously? LbreOffice runs fine across Linux, Windows, Mac stuff AND it has 'document compatibility' with Office. I presume you tell people not to use Google Docs because of 'document compatibility'. Here's an idea, tell MS to make their shit 'compatible' with other products NOT the other way around.

Re:Excluding the unfortunate exceptions

[h4ck7h3p14n37]

You could also just not connect any Windows computers with Internet access (used for email or browsing) to your internal, secure network. Yeah, you'll probably need multiple devices at your desk, but you won't have to worry about email viruses getting to the secure network.

Re:Excluding the unfortunate exceptions

[EndlessNameless]

It'll be a smaller install over all (less SxS crud)

For the sake of completeness, it should be mentioned that the SxS crud will only be removed if DISM is run with the /cleanup-image option.

On Windows 7, KB2852386 must be installed to run the cleanup from the GUI.

Windows 8 and newer include a scheduled task which does this automatically every 30 days.

Re:Excluding the unfortunate exceptions

[scdeimos]

Local printers vanish as thier connections are disabled, with office 365 and outlook down for so long those caches get flushed, etc.

We had a large percentage of Win10 computers stop working with one or more network printers after the Anniversary update. They could access the affected printers' web management pages, could telnet to the affected printers' IPP ports, but the printer icons had disappeared from the Printers control panel applet and could not be re-added via the Add Printers wizard. We've never solved it, but my suspicion is that GUI settings got trashed in the upgrade and there's still some evidence of the prior printer registrations in the Registry preventing them from appearing again in the Add Printers wizard.

Re:Excluding the unfortunate exceptions

All because you keep clinging to windows despite these troubles. There are alternatives. Linux if you want to save the most money, Mac if you enjoy paying for a polished product. Even the mac is cheaper than windows - because you don't get that sort of downtime & panic fixing.

Re: Excluding the unfortunate exceptions

[dougdonovan]

i just love the computer intelligence level of the global general public. i know they change oil every 3k in their vehicles but to maintain a computer. seriously. not gonna happen. computers are supposed to be self sufficient.

Re: Excluding the unfortunate exceptions

So you have never used Windows. Why didn't you mention that up front?

Re:Excluding the unfortunate exceptions

[mhkohne]

Unless you have a production environment with a software product that breaks with Windows update turned on. In which case you have to take additional security and maintenance measures and have a team that is tasked with (and funded properly) to do testing and updates on a regular basis.

That's a nice sentiment, but I for one have never been lucky enough to know beforehand that a Windows update was going to break shit. I just have to put them on and hope. So I can hardly blame any company that relies on software for taking a very critical approach to them.

Re:Excluding the unfortunate exceptions

[Trogre]

How about your company's team (with the prod. servers) does their job, then? And tests and Rolls out the updates BEFORE Windows update automatically installs it.

And... then what?

If the update causes unacceptable behaviour, which does in the GP's case, what exactly can you do about it?

Re:Excluding the unfortunate exceptions

[mhkohne]

Seriously? LbreOffice runs fine across Linux, Windows, Mac stuff AND it has 'document compatibility' with Office. I presume you tell people not to use Google Docs because of 'document compatibility'. Here's an idea, tell MS to make their shit 'compatible' with other products NOT the other way around.

Ahh, you naive child. LibreOffice for all that it does try VERY hard to be compatible with the M$ products regularly fails on relatively simple documents created by people who have no idea they are doing anything strange. It's not really LO's fault, but you can't run a mixed LO & M$ shop if you care about your documents looking the same all over - the M$ formats are just too arcane and goofy for that to ever work 100%.

If you can go all LO, you're set, but if you have to interact with other companies that want M$ documents, you're hosed.

Re:Excluding the unfortunate exceptions

[Gr8Apes]

How about your company's team (with the prod. servers) does their job, then? And tests and Rolls out the updates BEFORE Windows update automatically installs it.

How about MS actually doesn't screw its customers over and only sends security patches down the pike? New/changed features should be optional downloads selected by the users, never forced.

Re:Excluding the unfortunate exceptions

[tjanke]

Not even a production environment.

Awhile back, windows update nearly bricked my computer. The new driver for the Southbridge chip was corrupt, and suddenly the mouse stopped working. The keyboard and everything else still worked, so I was able to limp along. It took me nearly two weeks to diagnose the problem and then find and install the right driver. Two very long, very, very frustrating weeks.

Since then I've never let windows automatically install anything. I always review the updates, and choose which ones to install and which not. As you can imagine, the recent move to monolithic updates is really pissing me off.

Re:Excluding the unfortunate exceptions

[BarbaraHudson]

The people who blindly accept all updates are also the people who blindly click on every link in an email or on a web page. So it doesn't matter if they have updates turned on - they're going to fsck up anything more complicated than an Etch-a-Sketch.

Re:Excluding the unfortunate exceptions

[JohnFen]

If you can go all LO, you're set, but if you have to interact with other companies that want M$ documents, you're hosed.

I hear this quite a lot, and I could see it being true for very complex documents. But I use LO exclusively, and have for a very long time. I exchange documents with Office users daily. I don't remember ever having a serious problem. I have, on occasion, experienced an easily-corrected glitch.

My experience is hardly statistically sound, but it does not support the extreme incompatibility claims I see frequently.

Re:Excluding the unfortunate exceptions

[Excelcia]

Really, are you forgetting the turmoil that people with pre-Windows 10 versions were put through when Windows updates first started inviting them to upgrade to Windows 10? First it was hey do you wanna? Then it was hey, we're just going to go ahead and "upgrade" you unless you say no. Then it was we're just going to upgrade you. That's what automatic windows update buys you.

No one should give Microsoft unfettered access to their computer. With Windows update turned on, Microsoft deletes features, they take away options and control, they upgrade drivers you don't want to have upgraded, they break things. More problems have been caused by bad updates than by any malware I've ever had, which has been exactly none. A good firewall will protect you better than Windows update will.

I vet each and every update that goes into my computer. I look every one up, which is increasingly hard because all they want to tell you is "this is an update that addresses an issue in your computer." I avoided all the Windows 10 upgrade nag nonsense pain. When I finally had to buy a computer with Windows 10 on it, I immediately disabled Microsoft's automatic update mechanism and installed Windows Update Mini Tool, which lets me choose which updates to install again. As such, I have drivers that work, a computer that is stable, and a platform I can trust to be there when I want it.

Do you think the NSA needed that vulnerability to get into computers? They only needed that vulnerability to get into pre-Windows-10 computers, because after Windows 10's auto-update nonsense, any other computer they want to get into just gets pushed an auto-update the user can't stop.

The very last thing anyone should have is a computer that just blindly installs whatever Microsoft decides.

Re:Excluding the unfortunate exceptions

So it's not just me that loses printer access after so many updates. Having to reinstall the driver package so often is getting annoying. Nothing else seems to work.

Re:Excluding the unfortunate exceptions

[0111+1110]

The problem is that technical users, like those found on Slashdot, tell home users that they should turn this stuff off because it causes all these problems, when it really doesn't when you're running a system with known hardware and under typical operating conditions.

Probably they only get told to turn it off after it causes some kind of problem. If I get a call from a friend about a computer problem that was caused by a MS update what the fuck do you think I'm going to tell him to do after that.?

I keep it turned off on my own computer because it caused me similar problems and is a total nightmare in almost every way. Microsoft thought that randomly taking over someone's computer for a few hours at a time without any warning was a good idea, but actually it's not. Even on Windows 7 I keep it off. Can't even imagine what it would be like to run Windows 10 with auto update on. Jesus. That must be a nightmare. I don't ever want to know what that is like. There is enough suffering in this world without that.

Re:Excluding the unfortunate exceptions

[Tough+Love]

they shouldn't use Apple or Linux because of the lack of document compatibility with customers and suppliers. So this leaves us with...

This leaves us with Apple and Linux, which do not have document compatibility problems. Only Microsoft does. Honestly, just cut that turd loose and let it float away into oblivion.

Re: Excluding the unfortunate exceptions

[roc97007]

In fairness, the general public doesn't change the oil in their vehicles. If you're lucky they'll pull into a lube station and pay someone else to do it, if it's not too expensive. Mostly, I suspect, cars don't get serviced until something goes wrong. Kinda like computers.

Re:Excluding the unfortunate exceptions

[Tough+Love]

LibreOffice for all that it does try VERY hard to be compatible with the M$ products regularly fails on relatively simple documents...

That what you don't get, you aging Microsoft shill. Nobody needs Microsoft documents any more. Hey, hey, hey, goo-ood bye. There are better, cheap and faster ways of doing everything that the poor clueless Microsoft victims have been suffering with for so long.

And if should they choose voluntarily to go on suffering, then fuck em. It's their choice, it's not on me.

Re:Excluding the unfortunate exceptions

[mea_culpa]

No, but they can budget for and hire a reputable IT service provider that does, most of which can be done remotely. Problem is many of these small businesses don't see the need and pay as little as they can get away with or do it themselves.
They have no problem paying for proper preventive maintenance on their fleet of vehicles but heaven forbid they give IT similar focus.

Re:Excluding the unfortunate exceptions

[Anonymous+Brave+Guy]

You "need" a lot of things even in a small business. Plenty of problems can kill a young business before it becomes established at all. The reality is that you almost certainly won't be able to deal with some of the issues for a while, and you have to prioritise and do the best job you can in the meantime.

Re:Excluding the unfortunate exceptions

[Anonymous+Brave+Guy]

There are plenty of IT consultancy businesses that will stand in for an in-house IT group.

There are also plenty of small businesses who aren't tech experts and have no idea why they would need such a service or how to judge who can competently provide it. Most people have absolutely no idea how crazily bad most software is.

Re:Excluding the unfortunate exceptions

[LVSlushdat]

Yup.... Came here to say the same thing... I've had friends who bought new systems at a big-box store come to me when their new i7 system that came with Windows NSA Edition (my name for it) shit the bed, and want me to fix it.. ummm... no? I spent 20 years cleaning up after MS, and when I retired, I left that ecosystem for my favorite OS.. That being Linux.. I show the Windows "victim" a LiveUSB of Linux and tell them this is what they need to avoid the abuse that MS heaps upon people who *still* use Windows. Assuming their machine use-case allows it, everyone I've shown Linux to has opted to have me upgrade their systems to it.. FUCK YOU MS!

Re:Excluding the unfortunate exceptions

[arglebargle_xiv]

Exactly. At the moment I have several machines on which Windows Update causes them to go into a bluescreen-reboot loop. If I turn off updates, the machines keep working. There's a chance they may get pwned at some point, but probably they won't. So turning off updates is vastly less damaging than what Microsoft will do to them if updates are enabled.

Ergo, Updates are disabled, and will have to stay disabled in order for the machines to continue functioning. Thanks, Microsoft, you've created a "solution" that's a worse option than the malware.

Re:Excluding the unfortunate exceptions

[Pentium100]

Also, why does almost every update require a reboot? I mean on Linux you need to reboot only when updating the kernel (though there are ways to avoid even that) or a reboot may be more convenient if the update affected a lib that pretty much everything uses (glibc).

But with Windows, almost any update requires a reboot, sometimes more than once. Couldn't they just restart the affected services (in this case, the SMB service)? I remember somebody writing that Microsoft places special empty space in all its libs so that they can be patched while in memory. I guess this feature is not used...

Re:Excluding the unfortunate exceptions

[Pentium100]

Well, the different OSs serve a bit different purposes. Linux is great on a server and good on a desktop if it is managed by somebody competent. Linux on a desktop is kind of like an automatic system (say, a car with automatic transmission) - whne it works, it's great, but when there is a problem, there problem is usually difficult to solve.
For example - video card drivers. Usually Linux detects the video card automatically and works OK (disregarding games for now), but if it does not have the proper driver for my video card, then installing it is much more difficult than doing that on Windows.

Also, there are software that only works on Windows or even a specific version of Windows. I have a good navigation software (Garmin MobilePC), but it does not work on Windows 10 or Linux.

In addition, Linux can run some games, but not all games that Windows can.

So, In some cases, Linux is an incomplete solution (games for example), so I would need to dual boot (since VMs usually do not have good graphics performance), but since Windows can do pretty much everything that Linux can, I might as well run Windows and use a Linux VM or server (for things that Linux does better than Windwos).

Re:Excluding the unfortunate exceptions

[Slayer]

You do realize, that it was huge enterprise scale deployments which were hit by this worm. Nobody bats an eye if small mom&pop shops get wormed and ransomwared.

Re:Excluding the unfortunate exceptions

[Drethon]

they shouldn't use Apple or Linux because of the lack of document compatibility with customers and suppliers. So this leaves us with...

This leaves us with Apple and Linux, which do not have document compatibility problems. Only Microsoft does. Honestly, just cut that turd loose and let it float away into oblivion.

I tried open source office products (never tried Apple, I like the OS but not the price premium) when working on my Thesis in college. They mostly work but some weird format inconsistencies crept into word document and excel formulas kept getting mangled. I just couldn't use the open source programs if I wanted to send my paper to a professor.

Re:Excluding the unfortunate exceptions

[Drethon]

I have a number of professors I would love you to convince that I don't need to give them Microsoft documents. Best of luck.

Re: Excluding the unfortunate exceptions

[Marxist+Hacker+42]

Yep. STILL dealing with this on my laptop. Of course, I do not have idiots opening spam links in emails either, and SMB is blocked even for LAN on my network

Re:Excluding the unfortunate exceptions

[Ol+Olsoc]

Ergo, Updates are disabled, and will have to stay disabled in order for the machines to continue functioning.

Rinse and repeat, just like those eternal reboots or other update fun..

mustn't..........rant.........arrrrrghhhhh!

Jeebuz fucking kryste on a goddamned pigsticker, it's 2017 for fucking gawd's sake. And this piece of shit company and it's amalgamated pus from the unholy taint of Beelzabub operating systems are still wrecking updates, are still vulnerable to ridiculously simple malware attacks.

And the Stockholm syndrome mental patient assholes that browbeat people who can't update because of Microsoft's criminal incompetence need to accept that slavish BOHICA on updates isn't a fucking fix when you have acomputer that was working one day, then the next day it was all fucked up.

Security through malfunction.

Okay, I feel better now, sorry for the rant.

Re: Excluding the unfortunate exceptions

[Ol+Olsoc]

Yep. STILL dealing with this on my laptop. Of course, I do not have idiots opening spam links in emails either, and SMB is blocked even for LAN on my network

I just had my ass handed to me by a PC expert who insisted that SMB was safe and I was full of shit for calling it an insecure security attack surface. Went absolutely nuts on me.

While he was of course wrong, I think it illustrates why this sort of thing is continually happening to Windows. Deny, insult, and make certain to blame the victims. We've seen it over the years, and it shows no sign of abatement.

Re:Excluding the unfortunate exceptions

[Ol+Olsoc]

> And if they figure out how to do that, their updates will be seen as innocuous as Apple's

"Innocuous", like downloading multiple GBs worth of update files over my slow DSL connection, only to tell me *after* the fact that my MacBook Pro is too old for Sierra. Gotcha.

So tell us why Apple doesn't detect which hardware you are using? Calling bullshit.

Re: Excluding the unfortunate exceptions

[Marxist+Hacker+42]

He wanted to leave the 4xx ports open to the internet? I block them at Windows Firewall, or in Linux and Android, I refuse to even install SMB derived protocols (SFTP is good enough)

Re: Excluding the unfortunate exceptions

[radiumsoup]

One word: VirtualBox

Re:Excluding the unfortunate exceptions

[Tough+Love]

I just couldn't use the open source programs if I wanted to send my paper to a professor.

Sounds like 100% bullshit to me. Ever heard of TeX?

Re:Excluding the unfortunate exceptions

[Tough+Love]

I have a number of professors I would love you to convince that I don't need to give them Microsoft documents.

If your professor forces you to use Microsoft products then you went to the wrong school.

Re: Excluding the unfortunate exceptions

[pfg23]

Unless you're producing a virus, your program shouldn't break with Update turned on.

Re:Excluding the unfortunate exceptions

[Agent0013]

I would change that to say Windows should only be used for playing games. It is too much of a pain to use for work related stuff. And if the games ran the same on another OS, I wouldn't be using Windows still.

Re:Excluding the unfortunate exceptions

[Agent0013]

Microsoft Office regularly fail to open its own documents. I have had to use Open Office to open a document and save it again just so Microsoft Office would be able to open it again. No version changes or anything either. Office saved the document but could not open it again.

Re:Excluding the unfortunate exceptions

[unicornzvi]

It's not really LO's fault, but you can't run a mixed LO & M$ shop if you care about your documents looking the same all over - the M$ formats are just too arcane and goofy for that to ever work 100%.

If you can go all LO, you're set, but if you have to interact with other companies that want M$ documents, you're hosed.

While this is true, you also can't run a pure M$ shop if you want your documents to look the same all over. Even if you have all your machines running the same version of office you're going to get occasional differences, if try running different versions - disappearing graphs, margins jumping around header and footer font change at random, etc, In other words libre office does at least as good a job as M$.

Re:Excluding the unfortunate exceptions

[Cederic]

Yeah, my Windows 8.1 machine had Windows Update disabled in June 2015.

Comically I can't re-enable it. Just hangs there now, waiting for updates, hammering a CPU core.

Re:Excluding the unfortunate exceptions

[tendrousbeastie]

There's an outrageous amount of exaggeration going on in this thread. I have Windows 10 installed on a few machines at home, and the update process is almost invisible. There is no trouble or hassle involved in it at all.

Basically, once a month the computer asks to restart. That's all there is. I can choose to do it manually, or it claims it will do it automatically at a quiet time. There is nothing else that I have ever noticed, no intrusion, no taking over the computer, nothing. Just a restart request once a month. I have one gaming desktop with some good specs, I have an old laptop with some fairly low specs, and a couple in between, and this holds true for all of them.

I agree it would be nice, in an abstract sort of way, to have the option of whether to install non-security feature updates. But honestly, in a practical rather than abstract way, it has never bothered me in the slightest. The only time I have ever noticed any changes was the recent 'creators' update, when a few basic options and menus got a bit easier to use (e.g. connecting to a VPN now requires few clicks).

All the hysteria going on here on this thread does not correspond in the slightest with my experiences - talking about it being a 'nightmare' and adding the 'suffering in the world' suggests either people haven't actual any experience of it, or they have a system so unusual that it can't possibly be used as being representative of anything.

Re: Excluding the unfortunate exceptions

[tendrousbeastie]

If been thinking this while reading this whole page. What sort of software are people running or writing that is being broken so easily by a Windows Update process? And why are they purchasing or writing better software that isn't so fragile? Repeatedly it seems, since many people are claiming this is a constant problem for them.

Re:Excluding the unfortunate exceptions

[hierofalcon]

TeX and pals. For when you really care about how your document looks - and you don't have too many embeded pictures - cause they are still a pain in TeX. I keep hoping, and have some basic ways to do particular things - I want a picture on the left, right, or full column - I do these things. But getting the text to actually freely flow around it without a lot of effort is still tough.

Re: Excluding the unfortunate exceptions

[Ol+Olsoc]

He wanted to leave the 4xx ports open to the internet? I block them at Windows Firewall, or in Linux and Android, I refuse to even install SMB derived protocols (SFTP is good enough)

He's an idiot. "SMB is a cornerstone of industry and is constantly updated, and is not a security risk".

Except when it is, of course. Which is most of the time.

He really hated my citations. Whatever, he's an example of why this stuff happens. A supposed expert who makes things worse.

Re:Excluding the unfortunate exceptions

[david_thornley]

Sure I've heard of TeX. Everybody in the mathematics and computer science departments has. My default format for writing stuff was LaTeX. Get into the less technical departments, and people haven't heard about it, and don't know what to do with it. TeX is great if your professor wants a hard copy or a PDF. It isn't if your professor wants a Word file.

Re:Excluding the unfortunate exceptions

[Anonymous+Brave+Guy]

It was huge organisations that are widely reported as being hit. It's more obvious when a big organisation takes a hit. But small organisations have been hit as well, and in any case the advice about whether or not to install updates is being repeated all over the place without reference to organisation size.

Re:Excluding the unfortunate exceptions

[Anonymous+Brave+Guy]

The only things I have seen failing were custom software jobs

Then you have been very lucky. Unfortunately, not everyone is. I've had to reinstall entire machines because of things as stupid as bad updates to malware signatures for the security software that wound up quarantining/removing critical files so the system would no longer boot, for example.

Re:Excluding the unfortunate exceptions

[Slayer]

Small companies with few installations were only affected, if they opened and executed the malicious email (let's for a moment ignore imbeciles with XP servers and port 139/445 open to the internet, these are beyond redemption anyway). The exploit kit packaged with this piece of malware affected large companies mostly and most strongly, because one single mistake (opening email by any staff member) could corrupt so many computers at once.

As far as small outfits are concerned, this attack was no different from previous malware laden email mass attacks and could have struck any OS or version thereof.

Re: Excluding the unfortunate exceptions

[Dudds]

I worked as a desktop support consultant for several years supporting organizations like the ones you're describing: 20, 50, 100 staff and no dedicated IT. These places were a nightmare of "we had a problem and worked around it" solutions that took caused hours long appointments for just simple "the printer doesn't show up on one computer".

A lot of these places I had remote contracts with that I would go in and do maintenance on their "servers" (somebody's machine under the desk, usually the office secretary or boss) that staved off a lot of problems, but the point still stands: these places were in no way stable on their own.

Re:Excluding the unfortunate exceptions

[LienRag]

This is 95% of MS home users. These people should all have Windows Update on at all times and what's more, they could care less about the crap that Microsoft packages in along the way.

Or they should not have Windows at all...

Re:Excluding the unfortunate exceptions

[Tough+Love]

TeX is great if your professor wants a hard copy or a PDF. It isn't if your professor wants a Word file.

If your professor wants a Word file then your professor is a drivelling idiot and/or you don't have much taste in institutions.

Generally Sound Advice

[maz2331]

This is generally sound advice, although some IT shops prefer to manage the process to ensure that either (a) a particular update doesn't break some proprietary code, or (b) because of regulatory reasons particular machines may not be permitted to have the software changed without some sort of documentation being generated.

Re:Generally Sound Advice

[dc29A]

I would do that if (1) MS didn't cram W10 down my throat; (2) every major update doesn't reset browser preferences; (3) stop updating and breaking hardware drivers; and (4) I could disable telemetry. My Macbook and Ubuntu machines are auto-update enabled. Not my Windows gaming box. No thanks.

Re:Generally Sound Advice

[Kili]

This!

Re:Generally Sound Advice

[TWX]

I've worked in those kinds of environments, where we had propretary applications that were not compatible with the latest stuff. This is especially aggravating when you've got three web-delivered systems, all of which have mutually exclusive requirements. At one time users had to have Chrome, Firefox, and IE, and we had to block updates to IE so that the legacy system would work.

It's extremely labor-intensive and requires excellent recordkeeping if one wants to do updates in this kind of environment, which means that it becomes expensive. It's usually cheaper in the short-term to just turn off updates, and it's often very difficult to convince a nontechnical upper-level director of the need to spend the money before the problem hits.

Re:Generally Sound Advice

The blame for people not updating/patching computers lies squarely on Microsoft.

Automatic updates, with no user action required, is a really great thing, but ONLY when the updates are strictly for important security patches, and NOT all sorts of other crap that randomly changes or breaks things.

And then there's the whole "we're going to shove Windows 10 up your ass whether you want it or not" fiasco.

Microsoft has fucked so many people, so many times, that users have become averse to automatic updates.

Re:Generally Sound Advice

[Entropius]

Yep. I had a laptop that came with Windows 8 on it.

I booted it once into Windows to change UEFI settings and then put Lubuntu on it.

Well, a friend had a Windows question for me when I was away at a conference. No problem! I booted my laptop into Win8, looked up how to do the thing, and told her. I went to bed.

I woke up to find that my system had:

1) autoupdated to Windows 10
2) fucked the bootloader so I couldn't boot into Linux any more.

This is on top of the fact that Windows updates take about a year to complete and reenable a bunch of crap that I keep disabling ("Windows Media x").

Re:Generally Sound Advice

The blame for people not updating/patching computers lies squarely on Microsoft.

Automatic updates, with no user action required, is a really great thing, but ONLY when the updates are strictly for important security patches, and NOT all sorts of other crap that randomly changes or breaks things.

And then there's the whole "we're going to shove Windows 10 up your ass whether you want it or not" fiasco.

Microsoft has fucked so many people, so many times, that users have become averse to automatic updates.

Exactly correct. MS lost many people's trust with updating around the Win10 forced-upgrade fiasco. I've deleted wusa.exe from my win7 box and I've done the same for any number of family and friends on various win7/8.1 boxes. I just make sure backups are in place and re-image if infected.

If these devices get pwned and cause damage blame MS for destroying trust in their update platform.

Re:Generally Sound Advice

[phayes]

So how often should people re-evaluate when a company like Microsoft breaks their trust by forcing upgrades and other such nonsense? 6 months are sufficient according to you apparently.

News flash: When a company breaks it's users trust, the time it takes can be measured in years and is often never. Yeah it'd be great for security if people were applying upgrades ASAP but MS's new policy of only making rollup updates forcing the inclusion of all previous updates can only backfire making people even less apt to apply them. Hey, they've already broken our trust once, they're likely to do it again.

The problem is in large part MS's own creation.

Re: Generally Sound Advice

[Entropius]

I had to turn off "Fast Boot" anyway, and wanted to preserve the ability to boot off of other things as well. Boot-sector shenanigans are pretty uncommon these days, so on balance I wanted it off.

Re:Generally Sound Advice

Exactly. If Microsoft behaved decently and simply provided security patches that fix vulnerabilities ONLY, there would be no issue. However Microsoft does shit like changing user settings (making IE/Edge your default browser), breaking hardware drivers, installing spyware etc.

In my particular case I run a pirated Windows 7 gaming machine, with the "Genuine Microsoft" Windows activation disabled via a pirate-written patch. Both were downloaded via a Piratebay torrent. It turns out every time I update this machine, the Windows activation gets re-installed and I get this "Your computer is not running Genuine Microsoft, certain features have been disabled, you have 30 days to register Windows blah blah" message. And I have to dig out the pirate patch again and re-do the activation all over again.

So I stopped updating, and changed the Windows Update setting to "Never". This was back in 2014. My Windows has not been updated since then.

So did I get hit by shitload of viruses and malware and Wannacry? Nope. Not been infected with anything, not one single issue that I'm aware of. I'm typing this on the same pirated Win7 machine, connected to the internet full-time 24/7, and it's running like a champ.

This is possible because 1) I don't click on email links or open attachments. In fact I don't even bother reading any emails unless I know exactly who is sending it. Rest get mass-moved into Junk folder. And 2) I run Ublock Origin adblocker, so I don't even get to see most of the malicious web adverts. And if I do see a web advert, I'm smart enough to not click on them. And yes, I never click on or buy any shit advertised on interwebs sites and I'm not missing anything as far as I know. Anything I need, I just go straight to Amazon or ebay and buy it that way, not through any ads. And 3) my firewall blocks random people trying to port scan or connect to my machine.

Re:Generally Sound Advice

This. I was fine to leave auto-update on for security fixes but then microsoft started cramming their telemetry and other crap into them - making them bundled so you couldn't get your security fix without letting microsoft scoop up every piece of info on your computer that it wanted.

Re:Generally Sound Advice

[Tailhook]

This is hard to argue with. I personally prepared for this by preventing the Win 10 upgrade (even using third party software to stop the constant, malware like badgering complete with deliberately misleading prompts) until I was good and ready to deal with it, then I did a full clean install and manually migrated stuff over because I knew there was no way my complex, roughly used installation could possibly upgrade well automatically. One simply cannot, however, expect a planet full of Windows users to take this conservative approach; even if they were inclined to, which they aren't; most of them simply aren't competent to deal with this stuff and would do more damage than what the upgrade inflicted.

So they all got put through the upgrade ringer creating bad outcomes for millions and leading to widespread "anti-vaxxer" behavior. Since then the "anti-vaxxers" have had their behavior affirmed by disruptive updates doing unwelcome stuff. The glacial slowness of the Windows 10 update process alone is a huge failure in my mind; this has badly regressed from earlier releases; I have a laptop I boot maybe once a month and I've come to expect the Windows 10 updates to take a hour or more. Ridiculous.

After putting the whole world through all this shit one simply can't point a finger at millions of beleaguered users and blame them for their negligence. I'm sure they'd be happy to have they're system automatically updated, as long as it wasn't the computing equivalent of getting a SOA style beat down every few months.

Re:Generally Sound Advice

[Anonymous+Brave+Guy]

Windows 7 and 8 also include essentially the same telemetry now.

None of my systems do. Oh, wait, that's because with previous Windows versions I could just choose not to install that crap in the first place.

Re:Generally Sound Advice

[bongey]

You can trick windows from messing with it and bios that only look for a windows efi boot file. This will boot to grub and allow you to select windows if you want, and windows update doesn't mess with it.
open cmd.exe as Administrator and lunch the command vmount s: /s
go to s: and navigate the directories until you find where the grubx64.efi is located. Mine was under s:\EFI\debian\.
go to s:\EFI\Microsoft\boot and create a backup of the bootmgfw.efi file and then overwrite it with the grubx64.efi.
reboot. Now you should be able to reach the grub menu and boot to Linux but you'll be unable to boot to Windows. Boot to Linux then.

On linux you
open a shell and go to /boot/efi/EFI/Microsoft/Boot and restore the previously backed up bootmgfw.efi.
run grub-install (it may require root privilege - sudo)
run update-grub2 (it may require root privilege - sudo)

Re:Generally Sound Advice

[BronsCon]

Indeed they did. That, coupled with the fact that they would then never go manually apply updates, and the ensuing malware shitstorm, is why we have forced updates in Win 10.

Thanks, assholes. And I don't mean Microsoft.

Re:Generally Sound Advice

[Darinbob]

The problem with the sound advice is that Microsoft is actively undermining the update process by treating customers so badly. They don't test their updates well, they make them forced in later versions, they tie the updates to earlier updates, and worst of all their malware inspired forcing of Windows 10 on people has justifiably trained customers to distrust Microsoft.

It's time consuming to check out each and every update to make sure it's safe. But I have to do that because I cannot trust microsoft not to play games with my systems.

Applications too, I don't update iTunes because every time I do it screws up, changing the UI in drastic ways, and takes me a very long time to get it working properly again. But that's ok, I do not use the store in iTunes, it does not execute any strange attachments, and as a malware vector it's pretty low compared to the OS itself. If it played nice then I'd update it more regularly.

Re:Generally Sound Advice

[Darinbob]

I don't on macbook. Too many updates require reboots and that's very disruptive if it happens outside of my control.

Re:Generally Sound Advice

[Darinbob]

You do hear people defend Microsoft that way. As in "but that was in the past!" They forget that trust has to be earned.

Re:Generally Sound Advice

[Darinbob]

It's been 6 months but have they done even one thing to earn back trust? They have not even apologized! This reason is still valid.

Re:Generally Sound Advice

[h4ck7h3p14n37]

Why not just run Windows 8 inside a VM, or fire up an EC2 instance?

Re:Generally Sound Advice

[HiThere]

Even then... the thing that drove me from Apple to Linux was a security update. It worked without problem...but they used it to smuggle a license change in that I found unacceptable. So that machine was immediately disconnected from the internet, and everything that could touch the internet was migrated to Linux.

I'll grant that what Microsoft is doing is arguably worse. I don't know, I left MS for Apple when THEY forced a license change on me that I found unacceptable. I think these companies rely on people either not reading or not believing the EULAs.

Re:Generally Sound Advice

[HiThere]

It's not really impossible to regain, but it takes a lot more effort the second time, and MS hasn't yet started. PR doesn't count in my book.

OTOH, that's actually about trust that is lost due to inattentiveness. When trust is lost because of what appears to be malice, it actually *may* be impossible to regain...but if it is then it's a lot harder than it would be from mere inattentiveness.

Re:Generally Sound Advice

[DRJlaw]

None of my systems do. Oh, wait, that's because with previous Windows versions I could just choose not to install that crap in the first place.

So you haven't installed any security updates since they switched to monthly rollups where you cannot pick-and-choose?

Shame on you...

Re:Generally Sound Advice

[Gr8Apes]

Thanks, assholes. And I don't mean Microsoft.

You can still "thank" MS. They are the reason people turned off auto-update, all the way back when XP SP2 or whatever it was first came out. The standard practice for a MS OS install: Create install image, disable and remove wusa, install selected updates, use that image to install systems and manage "updates" as necessary for fixes. MS has this nasty habit of including all sorts of crap in their updates which coupled with their terrible non-modular architecture regularly resulted in overwriting non-MS drivers and support files and generally shitting on systems that might dare to run something non-MS. Managing that kind of infrastructure for more than 2 or 3 machine configurations requires a decent team, and most that have teams are not up to the job.

Re:Generally Sound Advice

[Gr8Apes]

I'm curious as to the license change.

Re:Generally Sound Advice

[Anonymous+Brave+Guy]

On unmanaged systems, we install the security-only rollups, not the all-in ones that you get through Windows Update. As far as we're aware, the security-only bundles don't include the telemetry malware. If you know better, please cite, because finding detailed information about exactly what each of the new monthlies includes is often a pain.

Re: Generally Sound Advice

[BronsCon]

Businesses with have IT staff who manage updates and ensure that security updates are installed regularly are not the problem. Though, with more than say 5 (the minimum enterprise license) workstations should have had their own WSUS servers in the first place.

Home user's were not doing all of that. They would just (stupidly) turn off WU and never install a single update. Those idiots are why we now cannot turn off automatic updates in Win 10.

Re:Generally Sound Advice

[Darinbob]

Ha I'm on Windows 8.1 so it doesn't do the forced updates. But does require the reboot for even the most innocuous changes. So I delay the reboot because I know it may take half an hour. Then when I'm done I shut down. However this doesn't count as a reboot! Because Windows essentially hibernates, those updates don't end up getting applied and I am not warned later on that I hadn't actually rebooted. So three or four weeks later if I reboot for some other update, then the Windows update finally takes effect and the quick reboot is suddenly a major effort.

Re:Generally Sound Advice

[LVSlushdat]

I'm betting I'm like most, such that once a company has lost my trust, it has lost it for good... I used/supported Windows for 20 years as a sysadmin. I retired in 2010, and decided I was tired of MS's insane licensing schemes, and since I'd been using and supporting Linux for about 1/2 of that 20 years, I made the decision to "yank the bandage off" and move 100% to Linux. Been MS-free now for nearly 7 years and couldn't be happier.. As for trust in MS.... hehe I trust them as far as I can throw them, and thats not ever gonna change...

Re:Generally Sound Advice

[cm5oom]

So you're bitching about windows update not working with your pirated copy of windows? Holy fuck are you retarded.

Re: Generally Sound Advice

[Gr8Apes]

WSUS servers weren't even available at one time. :) As for 5 licenses, no, most won't have a running WSUS. Maybe at 50 or 100, when they decide they actually need an IT service or person and that person goes "Hey, for a mere 5K (license and hardware) you can manage all this with minimal fuss" and then still have issues as stuff gets pushed. But, as for Win10, that doesn't make any difference either because everything will get pushed within 9 or 12 months, whatever the latest arbitrary deadline is.

Home user's were not doing all of that. They would just (stupidly) turn off WU and never install a single update. Those idiots are why we now cannot turn off automatic updates in Win 10.

Home users had just as many reasons to turn off WU as businesses did. In fact, they more likely would be affected by an update screwing up their system and would be less likely to be able to fix it. That they did not know enough to intelligently apply security fixes over time isn't really their fault. The fault still lies with MS for not breaking up "updates" into mandatory "security patches" and optional everything else and then not abusing that system with crap like the "Upgrade to Windows 10" program. MS is still the root of the problem, and always will be. Facts are facts.

For comparison, look at Apple's update program which also has a mandatory update process. It's only been used once or twice AFAIK to push actual fixes down. For the most part, their updates don't screw up their systems, although there's been upgrades that have caused some issues. Then again, they upgrade once a year, sometimes more, across multiple devices and OSes. And yet they have yet to have a single screw up as big as any of the reported ones by MS just in the last year. Linux I've always carefully managed, mainly because I like to know what my server configurations are.

Re:Generally Sound Advice

[HiThere]

I don't remember the exact language, but it essentially said "We have the right to add, modify, copy, or delete any file on your computer". MS used that first, and Apple followed a few years later.

P.S.: When I showed the license to the company lawyer his reaction was "I'd like to see them try to enforce that.". He didn't seem to realize that this was merely to cover them for actions that they took technically, and which required no legal enforcement.

Re:Generally Sound Advice

[Agent0013]

Most of the computers that were infected with the WannaCry crap were in China and Russia. Where most of the Windows installs are pirated. Pretending otherwise isn't going to solve anything. Who is the retarded one again?

Re: Generally Sound Advice

[BronsCon]

WSUS servers weren't even available at one time. :)

When were WSUS servers not available for Windows 10? It's been a standard offering wince Win2k3.

As for 5 licenses, no, most won't have a running WSUS.

Won't and can't are two different things. I was stating the 5 license minimum for Enterprise versions of Windows.

Maybe at 50 or 100, when they decide they actually need an IT service or person and that person goes "Hey, for a mere 5K (license and hardware) you can manage all this with minimal fuss" and then still have issues as stuff gets pushed.

No competent IT person would quote $5k, as you only the Windows Server 2012 or newer system that is already running your domain controller and AD; tick the box to enable WSUS and add it to your policies; done. As an added bonus, a competent IT person would thoroughly test each update before adding it to WSUS and avoid the "issues" you allude to. It shouldn't take more than a day for a mid-level ($75-100/hr) tech to get working; in fact, it should only take an hour or two. That's $75-200 for a competent tech, up to $800 if he's really really slow.

As for the ongoing cost of having someone review updates, if your team is big enough that bad or poorly-timed updates are actually incurring a measurable cost in lost productivity, paying someone to properly test updates and only apply those which don't break anything will surely be cheaper than the lost productivity. The peace of mind that comes with knowing what's running on your systems, on the other hand, is priceless.

This isn't even what I do for a living, but I could set it up with one hand tied behind my back.

But, as for Win10, that doesn't make any difference either because everything will get pushed within 9 or 12 months, whatever the latest arbitrary deadline is.

Not so with WSUS. No version of Windows that is configured to use a WSUS server looks anywhere other than the configured WSUS server for updates.

Home users had just as many reasons to turn off WU as businesses did.

And anyone who turns it off also has a responsibility to periodically install that shit themselves. Guess who didn't live up to that responsibility and lost the ability to decide for themselves!

In fact, they more likely would be affected by an update screwing up their system and would be less likely to be able to fix it.

Then they should have learned what they were doing before they did it.

That they did not know enough to intelligently apply security fixes over time isn't really their fault.

Will you say the same of Mac users who disable automatic updates because Apple has released a few bad video drivers (more than just that, but it's what I recall off the top of my head) for older Macs? What of Linux and BSD users?

The fault still lies with MS for not breaking up "updates" into mandatory "security patches" and optional everything else and then not abusing that system with crap like the "Upgrade to Windows 10" program.

So it's Microsoft's fault people disabled Windows Update during the time before Windows 10, back when Microsoft did allow you to install updates by category? Going back at least as far as XP SP2, I know you could opt to have just "Critical Updates" installed, and those were just security patches.

It wasn't until Windows 10 that they began abusing that, so you can't really cite that abuse as the reason Windows XP users disabled Windows Update on day one and never installed a single update.

MS is still the root of the problem, and always will be.

Interesting opinion; I prefer to believe that ignorant users are the problem, as they are on any system.

Facts are fac

Re:Generally Sound Advice

[Cederic]

Sorry but I fear you're missing his point: When did leaving a system running overnight justifiably ever need you to fix the bootloader the next morning?

Re:Generally Sound Advice

[Gr8Apes]

I fully expect that. It's why we keep offline backups. So far, no problem, even on a hack.

Re: Generally Sound Advice

[Gr8Apes]

WSUS servers weren't even available at one time. :)

When were WSUS servers not available for Windows 10? It's been a standard offering wince Win2k3.

I wasn't aware we were only discussing Win10, or even just post 2k3. Since most people in business are running flavors of XP through W7 that I've been aware of (yes, at least 3 Fortune 100 companies I personally know of were running XP as recently as 2 years ago) and only recently moved to W7. At least 2 have had issues with upgrades, in one case taking down 30% of the company's computers for about 2 days. This is with dedicated IT support teams in place, and they still can't get it right. At least they only rolled it out to portions of the company at a time.

As for 5 licenses, no, most won't have a running WSUS.

No competent IT person would quote $5k, as you only the Windows Server 2012 or newer system that is already running your domain controller and AD; tick the box to enable WSUS and add it to your policies; done. As an added bonus, a competent IT person would thoroughly test each update before adding it to WSUS and avoid the "issues" you allude to. It shouldn't take more than a day for a mid-level ($75-100/hr) tech to get working; in fact, it should only take an hour or two. That's $75-200 for a competent tech, up to $800 if he's really really slow.

You're living in MS fairytale land. I can assure you that small businesses don't as a rule run WSUS, nor have IT folks that deal with it. They generally contract with a low-bid support firm that sends some random clown over when called to "support" them. The going rate is under $60/hr for what the SMB considers no more than helpdesk support. And they complain about it. These are under 100 people shops. They they don't run their own internal mail, they don't even have servers actually, and they're running off the shelf systems they buy from Dell. So the $5K quote is actually realistic for them to upgrade to Windows Enterprise and get a domain server.

This isn't even what I do for a living, but I could set it up with one hand tied behind my back.

As could I, but I won't do it for $20 or $30 / hr.

But, as for Win10, that doesn't make any difference either because everything will get pushed within 9 or 12 months, whatever the latest arbitrary deadline is.

Not so with WSUS. No version of Windows that is configured to use a WSUS server looks anywhere other than the configured WSUS server for updates.

Right, and that WSUS server will push those updates after 'x' time, as determined by MS, unless you take steps to isolate your WSUS server and do some other non-standard things to it. There's a reason W10 uptake by business has been, well, let's say it's been "slow". There's also a reason IBM chose to go with Apple instead and invest the resources to generate a new business service model for Apple.

Will you say the same of Mac users who disable automatic updates because Apple has released a few bad video drivers (more than just that, but it's what I recall off the top of my head) for older Macs? What of Linux and BSD users?

You're shifting the blame conversation. :) As for bad video drivers, I don't recall those and was never subject to them. I was subject to the upgrade issues with 10.11 and 10.12, but that's a different issue and can be fixed. However, Apple doesn't automatically update (or doesn't on my systems, but will nag. I do apply updates on my schedule.

So it's Microsoft's fault people disabled Windows Update during the time before Windows 10, back when Microsoft did allow you to install updates by category? Going back at least as far as XP SP2, I know you could opt to have just "Critical Updates" installed, and those were just security patches.

"Critical

Re: Generally Sound Advice

[BronsCon]

I wasn't aware we were only discussing Win10, or even just post 2k3.

Prior to Windows 10 you could disable automatic updates entirely and manually select which updates to install. Absent WSUS, which we were only without for a year and a half, the procedure followed by competent IT staff was to disable automatic updates in the standard images applied to end user workstations and manually apply those updates (to the images, not to the workstations individually) after testing. Roll out the new images over the weekend and, since user profiles and documents are stored on the network (remember, competent IT staff), everyone comes in Monday to find working and updates computers.

Since most people in business are running flavors of XP through W7 that I've been aware of (yes, at least 3 Fortune 100 companies I personally know of were running XP as recently as 2 years ago) and only recently moved to W7.

So you're saying most companies don't upgrade to the newest OS right away? They typically wait two years or longer (that's been my experience, at least; and you're demonstrating that they often wait much longer) as the software they run on a daily basis doesn't support the new OS right away? So, you mean, by the time most businesses would have upgraded to XP, WSUS was out and this whole back-and-forth is largely pointless?

Got it.

At least 2 have had issues with upgrades, in one case taking down 30% of the company's computers for about 2 days. This is with dedicated IT support teams in place, and they still can't get it right. At least they only rolled it out to portions of the company at a time.

I stipulated competent IT teams, not just dedicated.

You're living in MS fairytale land. I can assure you that small businesses don't as a rule run WSUS, nor have IT folks that deal with it.

Does that mean they can't? I mean, if all of this is really a concern and there is a solution available, why can't they utilize that solution?

They generally contract with a low-bid support firm that sends some random clown over when called to "support" them. The going rate is under $60/hr for what the SMB considers no more than helpdesk support. And they complain about it.

Sounds like they need more than they're paying for. Poor management exhibiting incompetent decision making that ends up costing the company more than it saves in terms of downtime incurred by not having someone on staff. That's not Microsoft's fault; I've seen it happen in all Mac offices as well.

These are under 100 people shops.

Then they should have an AD to manage logins, at the very least. It costs less to pay someone to click a few buttons to add and remove accounts on a central server than it costs to have them walk across the building to do the same thing. Bonus if they install even a low-end SAN solution and store user profiles and documents on it; then they don't even have to reimage machines when someone leaves the company. These are things that should be considered once a company reaches about 20-25 workstation users and should certainly be in place by 50.

If they had that (and you can pay the $60/hr places to install and maintain it, by the way), they'd be set. Again, outsourcing IT doesn't eliminate the incompetence, it simply shifts it from the IT department to the manager or exec who decided to outsource to the low bidder and ignore IT infrastructure as a whole. An, again, this happens in all Mac shops as well, so no, it's not Microsoft's fault.

If anything, Microsoft makes it easier to get it right by offering the tools to do so as part of their server OS and actively trying to educate IT workers about those tools. Apple, on the other hand, killed off the server version of OS X and never bothered migrating the management tools; those are just gone

Re: Generally Sound Advice

[Gr8Apes]

Prior to Windows 10 you could disable automatic updates entirely

That's kind of the point regarding the Win10 you must update statement that started these discussions.

Absent WSUS, which we were only without for a year and a half,

Really? (W)SUS didn't come out until 2005. Last I recall, XP was released in 2001.

So, you mean, by the time most businesses would have upgraded to XP, WSUS was out and this whole back-and-forth is largely pointless?

Nice rewording there. I said companies remained on XP. Nothing about XP's own take up could be inferred from that statement.

I stipulated competent IT teams, not just dedicated.

So MS Services isn't competent? I'll be sure to note that next time.

You're living in MS fairytale land. I can assure you that small businesses don't as a rule run WSUS, nor have IT folks that deal with it.

Does that mean they can't? I mean, if all of this is really a concern and there is a solution available, why can't they utilize that solution?

Sure, they can, if they'd prefer to run in the red.

Then they should have an AD to manage logins, at the very least. It costs less to pay someone to click a few buttons to add and remove accounts on a central server than it costs to have them walk across the building to do the same thing. Bonus if they install even a low-end SAN solution and store user profiles and documents on it; then they don't even have to reimage machines when someone leaves the company. These are things that should be considered once a company reaches about 20-25 workstation users and should certainly be in place by 50.

It's a solid argument. Many won't pay for it. I've seen 5 year old Dell laptops with busted keys and cracked screens in daily use. If they won't spend $300 for a new base laptop, you really think you're going to get them to pay $50+/hr for IT support?

Apple, on the other hand, killed off the server version of OS X and never bothered migrating the management tools; those are just gone now. If I recall correctly, Microsoft has actually stepped up to fill that gap on the Mac platform.

It's IBM.

Most companies don't run local mail anymore; it's too much of a hassle to deal with RBL bullshit and spam. What's mail got to do with this, anyway?

Essentially, pointing out that while they use computers, they aren't IT shops in any sense of the word.

You can't, on one hand, say downtime costs tens of thousands of dollars (30% of a Fortune 100's workstation users being unable to work for 2 days), then turn around and say $5000 is too much to pay to fix it. If something is going to cost me $10k to ignore or $5k to fix, the reality is that it's actually going to save me $5k to fix it.

Who said anything like that? Honestly, those kind of remarks are bordering on Trumpian claims. A small shop that uses computers won't be idle for days if their systems are down. It'll be inconvenient, maybe, but not serious. A Fortune 100 has a dedicated IT staff. This portion of the discussion doesn't apply to them.

Re: Generally Sound Advice

[BronsCon]

Really? (W)SUS didn't come out until 2005. Last I recall, XP was released in 2001.

My mistake, I did misread. It came out in March 2005, which I read as March 2003. Either way, the same system of test, add-to-image, deploy-image that was used prior to XP should have been maintained until WSUS, and should have been kept in instances where WSUS wasn't used. As far as I know, it was kept anywhere that had competent IT.

I said companies remained on XP. Nothing about XP's own take up could be inferred from that statement.

You are not the only source for that information; I was in the industry back then and I remember how slow the move from NT4 and 2K was. It was a hair faster than the move from 98, which companies which didn't need a true multi-user environment were just getting around to installing over 95 around the time XP came out.

At any rate, good to see you finally cite a source.

Re: Generally Sound Advice

[Gr8Apes]

You are not the only source for that information; I was in the industry back then and I remember how slow the move from NT4 and 2K was. It was a hair faster than the move from 98, which companies which didn't need a true multi-user environment were just getting around to installing over 95 around the time XP came out.

At any rate, good to see you finally cite a source.

Honestly, if sources you want, I could have provided more, including for the (W)SUS stuff. I just figured that was so minor I didn't provide them. They're 1 google away, after all. :)

As for the image/deploy process you're talking about, that's great, if you run a 1 or 2 machine type shop. Try running with 100s of different sets of hardware and about half as many configurations as you have people. I wasn't in a regular shop with clone copies for everyone. Each one of our special snowflakes had their own needs, and were spending upwards of 20K per machine to get those needs fulfilled. IT's support requirements where more like "here's our configuration, you support it". Were I in a standard shop, sure, that would be awesome.

Finally, for XP uptake, it was far far faster than NT4 or 2K where I was. In fact, 2K wasn't even a blip on our radar when XP came out, which was a rather big blob. TBH, XP was just 2K with the fisher-price GUI. I was never really a fan of anything related to it other than the default background, which was nice green rolling hills. Win95 had tons of issues in our environment, so many never ran it, staying on WFW 3.11 instead. And post 95 it was pretty much a straight migration to NT as new machines came in for those on windows, 98/ME never had a chance.

Re: Generally Sound Advice

[BronsCon]

First they won't even replace a broken $300 laptop, so spending $5k to set up WSUS is a no-go... now they're using $20k workstations and $5k wouldn't even be a drop in the bucket...

Can you pick one side of your mouth to talk out of, please?

Re: Generally Sound Advice

[Gr8Apes]

Different shops, different needs. Shop A has special snowflakes with disparate machines. This was far prior to the age of WSUS. Was talking specifically about the pre WSUS statement regarding images and best practices. Doesn't always work.

The small money bound shops, call them B, most wouldn't spend a dime on IT unless they absolutely had to.

I have dealt with both extremes, and the "happy" middle.

Microsoft's fault

[sconeu]

If they hadn't done shit such as the forced Win10 update, or forced GWA, or done a lot of other crap that broke peoples systems (in the name of marketing), then maybe people wouldn't have said, "Turn it off".

Re:Microsoft's fault

[TWX]

Pretty much. I had to take some fairly convoluted measures to keep my wife's laptop on 8.1 or some of my various other systems on 7 without entirely disabling updates. It's not that I liked 8.1, but I did not like what I read about 10.

The easiest way to avoid having 10 forced on me would have been to just disable updates. Instead I had to read up on every individual update that would push 10, and ultimately resorted to third-party software to block or remove those specific nuggets from Microsoft so that my platforms would be left in the state I wanted them in.

Re: Microsoft's fault

[macsforme]

Agreed. A level of trust is required when you allow vendors to push automated updates to your system, and unfortunately there have been breaches of this trust when vendors saw this as an opportunity for more than enhancing user security.

Re:Microsoft's fault

Anniversary Update that broke a lot of people's computers.
Rebooting my computer when I don't want it rebooted.

Re:Microsoft's fault

Exactly. As I was reading the top post, I was thinking, I don't want Win10. I turn on automatic updates and one morning I wake up and there it is on my machine. Basically if I want to change the computer (OS version in this case) I change the computer.

Re:Microsoft's fault

Plus, if Anti-Vaxxers could actually point to widespread deaths, they might have a point.

People who advocate turning off Windows Update Can point to widespread windows deaths due to errant updates.

Re:Microsoft's fault

[war4peace]

It's a very complex ecosystem. Generally, the benefits of the many outweigh the "sacrifice" of the few.
For every machine negatively affected by a forced update, there's a million which benefited from it. Unfortunately, that million machines don't yell "fault!" like that one which messed up does.

Yes, Microsoft were too aggressive with pushing people towards updating to Windows 10, and they should have toned it down. But ultimately, it was not the "upgrade push" which pissed people off, but the whole telemetry debacle. People were turning updates off and messing with hidden Windows setting because of telemetry, not security updates. Problem is, Microsoft pushed back and started mixing security updates with telemetry, then people pushed back and turned updates off altogether, etc. It was, and still is, a general cat fight.

I was never worried about a few machines coughing up during an automating update. Serious businesses should have internal update QA and separate WSUS servers. genpop users usually don't have really expensive stuff on their machines, and if they do, they should at least afford paying someone knowledgeable to help them with their setup in such a way they won't lose but a couple hours if an update fails. What I (and pretty much everyone with a bit of IT knowledge) was worried about was the telemetry additions, which really should have been opt-in since day 1.

Re:Microsoft's fault

[G00F]

Because of other faults of Microsoft pushing updates that don't benefit the end user. Like void your installed windows, change your settings, or even broke your system.

MS can't be trusted. They use security updates to force what ever they want on end users.

Re:Microsoft's fault

[phayes]

but it does break some software and installs unwanted telemetry.

Re:Microsoft's fault

[war4peace]

/. is not representative for genpop.
My take is that if there were no telemetry components, the whole thing would have been a lot smoother than it was.

Re:Microsoft's fault

[Tailhook]

unwanted telemetry

Most of that telemetry has been backported; you're not protecting yourself by avoiding Windows 10. All of Microsoft's supported operating systems are spyware and what distinctions exist between versions are trivial; if you care about keeping clear of Microsoft's collection system you're not running any contemporary Microsoft operating system. If you're clinging to Win7/Vista/whatever because you think you're saving your privacy then you're an idiot.

Re:Microsoft's fault

[evolutionary]

Uh, typo: you mean WGA, right? :D

Re:Microsoft's fault

[doom]

Yeah, that's it: don't abuse the automatic update channel, and people maybe people won't shut them off. And abuse means pushing your fabulous new design changes because you're too lazy to figure out how to support multiple versions of the UI.

(I'm not a Windows user, but I've been tortured enough by Firefox UI changes to understand the dynamic.)

Re:Microsoft's fault

[sgage]

Does anyone know about the efficacy of Spybot Anti-Beacon? It purports to block all the telemetry, or whatever bits you specify.

Re:Microsoft's fault

[HiThere]

You think MSWind10 is the first time this happened? Read the older news. MS was just more aggressive this time, and made it more difficult to avoid without jumping ship. (I jumped ship around 1998.)

Re:Microsoft's fault

[sconeu]

Yes, I meant WGA. Thanks.

Re:Microsoft's fault

[phayes]

That would depend on which patchs you have applied to your pre win10 installation. If you haven't installed the patches that apply the back ported snooping...
It's a major reason why they removed individual patches in my opinion

Re:Microsoft's fault

[citylivin]

"Yes, Microsoft were too aggressive with pushing people towards updating to Windows 10, and they should have toned it down. But ultimately, it was not the "upgrade push" which pissed people off, but the whole telemetry debacle."

Revisionist history. Before we even knew the extent of windows spying we had the windows update advisor (GWX) show up in the system tray on everyones windows 7 machine in it seems june 2015 ( https://tech.slashdot.org/stor... ) and a year later, forced it on everyone ( https://tech.slashdot.org/stor... ). That is the day that microsoft lost my confidence that they had worked since windows 95 to build.

You can go read that slashdot article to see the day when everyone lost trust in microsoft, and people started recommending that people deactivate windows updates Very few people mention telemetry. What they do mention is that MS pushed a "security update" that was anything but.

I turned windows updates off that day, but being an industry person, i found a work around that allowed me to keep them on. There was a program quickly developed called GWX blocker or something like that which allowed the gwx framework to be stopped.

So yes, its bad to not run windows updates, but its also 100% microsofts own god damn fault.

Re:Microsoft's fault

[Darinbob]

Windows 10 does bite, and on Windows 8.1 I do remove the telemetry updates (because it's allowed to do so on 8.1). There's a distinct difference between basic opt-in telemetry and what Windows 10 does. Note especially that the enterprise edition allows disabling telemetry because they have more clout than home users. If it's a big enough issue for corporations to turn off then it should be a big enough issues to allow home users to disable. Microsoft didn't even disclose the types of data it is collecting until this year, they message was "trust us" which is a ridiculous rationale from one of the least trusted corporations out there. Most other applications or operating systems make the telemetry opt-in, and that's the way it should be because they're not so utterly arrogant as to demand it from everyone.

Re:Microsoft's fault

[Sir+Holo]

I'm about to install Windows 8.1 on a Boot Camp partition of my laptop's HD.

Please share any tips or web-links that you found most helpful. Or to the 3rd-party software.

Re:Microsoft's fault

[F.Ultra]

And the complex ecosystem is mostly Microsoft's fault as well so this is their old behaviour biting them in the ass finally. I.e look at how completely insane some of the ACPI tables are on many systems that break the specs but they still "work" in Windows due to Microsoft implementing workarounds instead of enforcing vendors to adhere to a defined standard.

Re:Microsoft's fault

[david_thornley]

Most people don't care about telemetry. It's widely publicized here because we're largely geeks, many of whom are interested in computer security and privacy. Any large-scale disabling of Windows Update was caused by other things.

But... but...

The telemetry spying though,,,

Telemetry and Windows 10

Windows Update also wanted to install telemetry on my Windows 7 system until I removed the patch. Then for 12 months Windows Update wanted to 'upgrade' me to Windows 10, the software employed all sorts of tricks to make me say yes and in the end I just disabled updates as it was less hassle.

My Windows 7 system was not affected by the events over the weekend as all it does is run some test equipment. It still has Windows Update disabled and it's going to stay that way.

Maybe if Windows Update behaved decently...

[ToTheStars]

The reason folks turn off Windows Update is that it behaves kind of like malware itself! I'm technologically savvy enough to set my registry and so on to disable the awful "Get Windows Ten" updates, but when so many users got shafted by Windows "self-updating with zero input required from the user" to a completely new operating system (a new operating system that actively thwarts end-user control over updates!), is it any wonder that so many of them switched it off?

The comparison to anti-vaxxers is interesting, and apt in more ways than Troy may have known. Much like Microsoft hijacked their Windows Update program to push Windows 10, the CIA used a Pakistani polio vaccination campaign to gather intelligence about Osama bin Laden (see here: https://en.wikipedia.org/wiki/...). This has resulted in the killing of other relief workers and general suspicion of medical aid programs in that region, and so polio persists.

Re:Maybe if Windows Update behaved decently...

[Gilgaron]

That is a shame about the polio.... so very close to being eradicated, too

Re:Maybe if Windows Update behaved decently...

Thank you. The polio vaccination ruse by the CIA and the telemetry comparison is exactly what I thought of as well.

On a separate note, WU used to specifically tell you what the update fixed, right in WU. Then they started making you click a link to go to the MS web site. After a while the web page stopped saying anything useful. Now you have to research each one manually, which is unacceptable. There is no reason MS would go to those lengths to obfuscate what a patch does, unless it's so they can foist more crapware on you. I can't think of a good vaccination analogy for that, but it pisses me off.

Re:Windows Users...

[Gilgaron]

It is pretty common to see people recommend setting it to only do the critical updates, so with somebody that doesn't understand what they're doing, playing a little telephone and purple monkey dishwasher disable all security features in Windows.

Re:Windows Users...

[DontBeAMoran]

Enjoy the Windows 10 telemetry yet?

I mean, I use Windows 10 too but only as the OS required to run games. As far as Microsoft knows, all I use is Battle.net, Steam and GoG.

What about the updates that hurt users?

[evolutionary]

The problem is that around 30% of MS Updates actually hurt the user, either by introducing "features" that (like Apple) inadvertently or deliberately adding things that are of no benefit to anyone but MS and in many case hurt he users. Windows 10 Basically is capable of hijiacking itself (as per it's design) so it's hard to know what is good and what is not especially MS gives VERY vague descriptions of it's updates as per the new windows 10+ policy to tell users, it's our update, just take it (up the rear end). The sooner we start admiting that we don't in fact NEED MS Windows at this point, the better. Linux anyone?

Re:What about the updates that hurt users?

[JohnFen]

Basically you kiss all mechanical engineering and PCB/schematic capture goodbye.

That's a BS argument. There is Linux software that is reasonable to use for such activities. It's not as good as the Windows stuff, true, but it is fully functional and usable.

And if Windows went away completely, all of the really great tools would be implemented on Linux very, very quickly.

Re:What about the updates that hurt users?

[HiThere]

And even if they remained MSWindows only, you could run it virtualized. Others have said that's the only way to run MSWindows. I would only disagree because I wouldn't agree to the EULA needed to do that.

Re:What about the updates that hurt users?

[Darinbob]

Most still run on XP as well, no need to upgrade :-)

Same problem with vaccines: trust

Vaccines worked in a society that had trust and a belief in a brighter future. Our society is no longer trustworthy. The wolves are running the hen house. Anti-vaxxers are a natural consequence of the loss of societal trust. I am not an anti-vaxxer, but, as a conspiracy theorist, I understand how anti-vaxxers came to be. We, as a people, no longer trust our government, pretty much at all. Any trust is blind trust placed at our political parties and idols. We are blind fools to give that trust at all, but it is just about the only thing left keeping this obviously corrupt system running.

And, guess what. We're seeing the same fucking thing from Microsoft. We can't trust them. The problem with the author (and as a security engineer by trade, everyone makes this mistake all the time) is that he does not understand the threat he's protecting against. People who advocate for disabling automatic updates have assessed the software vendor to be the bigger threat than hackers. They're not wrong, and the author has completely misunderstood the owner's threat model.

Don't Tell People To Use Windows, Just Don't

[Tough+Love]

Problem solved, permanently.

Re:Don't Tell People To Use Windows, Just Don't

[Tough+Love]

Linux as a desktop continues to be a joke.>

Indeed. I get that joke. The joke is a great one, the joke is on assholes like you. HA ha. (suffer, you idiot)

Turn off Windows Update

[Dunbal]

But don't be a retard. Keep reading this site and others. I manually installed MS17-010 a month ago even though Windows Update has been off for years. People get what they deserve. You need to actively pursue your own security, not ignore it or worse, pretend that Microsoft is going to do it for you. Windows Update is more trouble than it's worth. Especially since Windows 10.

I used to be one of those annoying people who said

[Presto+Vivace]

get a Mac. Now I am one of those annoying people who say switch to Linux.

Auto Update Virus

[Oswald+McWeany]

I am in favour of auto-updating Windows, don't get me wrong; however, it could be catastrophic if anyone ever manages to figure out a way to spread a virus via the auto update.

I'm not sure the technical route someone would have to take to do this; If, perhaps someone could somehow infect a DNS server to treat an infected server as a Microsoft update server.

Re:Pirated software.

[__aaclcg7560]

If you use pirated software, you get what you paid for.

Those fuckers at MSFT ruined security updates

Those fuckers at MSFT ruined security updates by force-feeding the user spyware, or even forcing an "upgrade" to Windows 10.

Now nobody trusts Microsoft, and would rather take their chances without the "essential updates".

The problem is spyware and telemetry

[WillAffleckUW]

the continual additions of resource-heavy snooping spyware and telemetry services for in-app advertising delivery hammer many institutions that would otherwise happily install security patches, if they were JUST security patches.

But many of the Important patches we have recieved from MSFT are just that. Ads, telemetry to try to sell us stuff that blows out the bandwidth in mission critical software and pops up things that get in the way of doing actual work.

There's your problem. That and the "patching" of things in a way that breaks apps that believe the public documentation instead of the actual way MSFT codes and tests its apps.

Re:The problem is spyware and telemetry

[WillAffleckUW]

In a corporate build network. Not when you don't use MSFT network servers.

Unlike you, I was/am paying attention. Not everyone works in your exact network space.

PDB symbols

[yuhong]

As a side note, the delay to release PDB symbols on MS's symbol server after a Patch Tuesday has been at least days and sometimes more than a week for the last two months (at least for the Win10 symbols I tried). I use them a lot with WinDbg.

Re:Windows Users...

[Khashishi]

Because of getwin10

Re:Poor advice.

nobody cares what you do on your PC

Then why did they implement telemetry in Windows?

Re:There should be a separate "Security Updates On

[green1]

There is, it's the "critical updates only" checkbox.
The problem isn't the lack of said checkbox, it's the fact that Microsoft doesn't respect that checkbox and considers all sorts of marketing fluff and malware to be "critical"

Microsoft could be a big help here

[JohnFen]

If Microsoft would just go back to the days when security patches were done separately from other sorts of updates, that would be a huge help. I know a lot of people who disable updates to avoid feature changes, but would accept automatic security updates.

Microsoft's position of not making a distinction between the two is a large disincentive to allowing automatic updates for a lot of people.

Re:Microsoft could be a big help here

[evolutionary]

That would be great, is MS didn't outright LIE about some of their updates. One of the "critical "updates turned out to be an ad server. That was a riot. Problem is, once the source proves untrustworthy, you can't rely on what they say. Question is, can you still rely on their OS? It think we all know the answer to that one.

Re:Microsoft could be a big help here

[JohnFen]

Microsoft is an extremely weaselly company. The instant they stopped using the descriptor "security" and replaced it with "critical" was the moment it became clear that the update mechanism was going to be used for deceptive purposes.

No, you tailor your message to the audience

[satsuke]

It's more accurate to tailor the message about automatic updates to the audience.

For computer savvy people that are likely to read the message about available updates and install them, than turning off automatic installation is appropriate, because many of us can't afford to have long running processes or tasks dumped from memory with a reboot.

For your average user or nontechnical person, absolutely, advise them to leave it at defaults (and to save often).

Consider the source.

[Gravis+Zero]

at troyhunt.com

Hi, I'm Troy Hunt, I write this blog, create courses for Pluralsight and am a Microsoft Regional Director and MVP who travels the world speaking at events and training technology professionals

It's obviously in his interest to make everyone Microsoft's puppets.

Re:Consider the source.

[mugnyte]

This isn't necessarily a problem. The problem arises from a cult-of-brand and groupthink that MS cannot do wrong. If Troy Hunt wrote honestly, he'd explore the customers that had turned off MS Update with some interviewing and surveys, then report the results, give a nod to their core cause, report MS's renewed efforts to address these *core* causes and then talk about why Updates should be left on. Instead he delivers these sugar-free platitudes:

It's not fun, it costs money and it can still break other dependencies, but the alternative is quite possibly ending up like the NHS or even worse. Bottom line is that it's an essential part of running a desktop environment in a modern business.

He's a fly-around shill just trying to look good in the eyes of Sales. His "workshops" are an insanely expensive way of selling low-calorie information that's already discussed online in much finer detail. His Ghost-powered blog site doesn't offer a search feature, but I'd bet it wouldn't return any meaningful results for two-factor authentication, separation-of-concerns, what certifications exist for software security, or the track record of non-MS products. Quick example: There's no mention of Google's recent publishing of security flaws in open-source projects. Instead we get a pass-the-buck, blame-the-victim blog post that ignores the annoyances of MS Update and tells everyone to "just deal with it".

Re:Consider the source.

[RespekMyAthorati]

Did anybody else read that in Troy McClure's voice?
"Hi, I'm Troy Hunt. You may remember me from such hits as "MicroSoft: You Must Obey" and "How the Grinch Stole Updates".

Microsoft only have themselves to blame

[Gadget_Guy]

Microsoft only have themselves to blame for people disabling Windows Updates because they made it untrustworthy:

• The Windows 10 upgrade fiasco
• The backporting of the telemetry to previous versions of Windows
• The updates that crash or cause problems
• The update mechanism that in older Windows peg the CPU usage at 99%
• The forced reboots at highly inconvenient times
• The massive Windows 10 updates that mean that I have to reinstall some of our legacy software because Windows keeps resetting some crucial registry entries
• The bundling of updates into a single entity so that we don't have control over what gets installed on our systems
• And the hiding of what is in those updates so that we don't ask questions.

Re:Microsoft only have themselves to blame

[Hartree]

"The bundling of updates into a single entity so that we don't have control over what gets installed on our systems"

This! Abso-fracking-lutely this!

Give me the info on what the update is, and I can decide whether it's worth the risk to install immediately or if I need to run it on a non-important machine first to vet it. Yes, theoretically I can drill down on MSDN and the knowledge base but with some much redirection and info hiding in the documentation, in truth it takes too much time. Exactly as Microsoft intended it.

Re:Microsoft only have themselves to blame

[Hartree]

" Telemetry.. the feature you are yelling to turn off. :/"

Odd. I don't think I mentioned that in my comment.

But what the hey, obviously in your view it would be impossible for them to issue unbundled patches the way they did for a couple of decades before this change.

It's sad that MS has fallen so far that they no longer have the ability to do that. I guess Nadella et al just aren't up to the standard of the Gates/Balmer years.

Re:Microsoft only have themselves to blame

[toddestan]

There are literally hundreds of Windows 7 patches, and hundreds more hotfixes. That's billions of possible combinations of pick-and-choose updates. How do you propose that Microsoft test these possible combinations?

I would propose that once they've got a large enough number of patches, they could roll them all into one large patch which could be used to both apply all those patches at once, and to "reset" the state of the OS so that everyone is once again running the same base version. They could call these large patches something like a "Service Pack".

Re:Pirated software.

[__aaclcg7560]

If you buy Microsoft software, you get what you paid for.

I haven't that problem since Windows XP. Then again, I'm not running on minimum spec hardware.

Patches are just like vaccines...

[Noishkel]

Except if vaccines failed as much as a Microsoft patch did there would be no doctors... because people would be shooting them in the street.

Yeah, yeah... I can already hear the autistic fast typing from some keyboard warrior looking to 'correct' me on this one. But sorry... Microsoft no longer has any credibility to tell people what to do with their machines. The entire roll out of Windows 10 has been nothing but train wreck after train wreck. And you know what? Even if we get the occasional virus it's still better than having to deal with the rest of the continuing train wreck that is Microsoft. People are just going to have go back to the old day when people had to actually learn how to protect themselves. Instead of waiting on the industry to sell you a next generation of device that 'might' be eventually patched.

Re:Patches are just like vaccines...

[mattventura]

Easy: if MS takes private information, I can't put that cat back in the bag. If ransomware effectively deletes all my files, worst case I can treat it like a failed drive and restore from a backup.

Problems Caused by Updates vs Caused by Attacks

The number of problems caused by installing Windows updates for our IT department: THOUSANDS
The number of problems caused by holes left in the Windows OS that an update or patch supposedly has fixed: 20

Easy decision.

A bit conflicted

[roc97007]

I don't think I've ever worked at a company that had "automatic updates" turned on. The reason being, company ecosystems tend to be predominantly all the same hardware, same Windows version and same patch level, and a bug in an update that affects that particular collection of hardware and software can take an astounding number of seats offline. (In much the same way a biological virus can take out an entire species if they're not sufficiently genetically diverse.) So yeah, no. Companies that want to stay in business don't do that. Of course, they *do* have a team that tests updates in a lab and sends out validated updates to the rest of the company, often a subset of what Microsoft spews out.

I do something similar at home. We have three Winders boxes, and none of them have auto update turned on. Every week or so, I look at what updates are available, and apply at minimum the security updates to the least used of those three boxes. If it survives a reboot and some reasonable amount of smoke testing, I install on the game machine, and if that works out ok, after a day or two I'll install it on my own workstation. I have to take care because my machine is (a) my only conduit to my "day job", and (b) my main workstation for my side-business. I can't afford to be down because Microsoft botched a patch any more than any large company can.

So yeah, security updates are important. Vital, even. But that doesn't mean you just install every update the moment it becomes available. An important part of "security" is "availability". And that's just as important as "confidentiality" and "integrity".

Another contributor had it right -- there should be a way to auto install security updates only. So if Microsoft botched a driver update and it renders unbootable a certain brand of PC running a certain brand of video card, it's less likely to take large numbers of users offline.

I know there are essential and optional updates (or whatever words they use) but most updates are considered by Microsoft to be essential.

And this doesn't even address compatibility of updates with installed applications. You know, the software you use to actually do work.

All that said, it does seem like Microsoft is doing a better job vetting their patches before release than they did the earlier part of this century. But being burned a few times breeds caution.

Consumers Yes, Business No

[sqorbit]

Making a blanket statement like this is not really valid. I think for the average consumer desktop that searches the web, maybe plays some games and does some basic office stuff it is probably a good idea not to turn off updates. Telling a corporation that they absolutely need to update every time Microsoft releases something is probably a bad idea. The better advice would be for companies would be to educate themselves, hire people that know what they are doing, or hire outside contractors that are reputable and educated to handle their security. Simply saying "Update Windows" does not define a good security policy.

Patch failure rate...

[oic0]

If you're managing hundreds or thousands of systems, you've always got a few with failed Windows updates. It's a never ending battle. It's nigh impossible to stay 100% up to date. THAT is Microsofts fault.

No way do I have updates on in production...

[bobbied]

No way! I will NOT allow windows to just install updates into my production environment... Yes, I know it is a risk to leave systems unpatched, but given the frequency of Microsoft breaking my systems with their patches, the risk of downtime from a security flaw is usually LESS than the risk of having some exploit that causes down time.

However.... This doesn't mean I don't pay attention to the released updates. Oh no, we have a test system where we DO let them load as soon as they are released and a functionality and performance test that we run as soon as we can. We update only after successfully passing the test suit (and fixing any issues we found), which sometimes can take more than a week. I choose when the updates go out, not Microsoft.

So, for mission critical applications and systems, I recommend you NOT enable updates.... But I also recommend that you have resources available to test the updates and try to stay reasonably current with Microsoft's patches....

But, that's business.... At home? I generally don't turn on updates either... But I'm aware of what's coming out, so I generally know when the really important stuff gets released so I will update accordingly... Of course, I'm in charge of the In-Laws computer maintenance needs and they live in another state. For them, I have automatic updates turned on, at least until things get hosed and I have to make a multi-state trip to get them going again.

Mr Hunt should talk to Microsoft...

[QuietLagoon]

... and tell them to stop using the security update distribution channel to trick me into doing an unwanted operating system update. Recently, Windows Update has looked a lot like malware in the way it operated to trick customers into upgrading to Windows 10.

100% Microsoft's fault for forcing Windows 10

[Thud457]

Don't use the channel for security updates to force advertising on your customers, just don't.

Re:100% Microsoft's fault for forcing Windows 10

[ITRambo]

I pictured managers at MS seeing the comment and laughing their asses off. They just don't care what anyone, other than their largest Enterprise customers, wants anymore.

Re:100% Microsoft's fault for forcing Windows 10

[NormalVisual]

They don't even care about the enterprise customers. My employer does about $8 billion in business every year, and we're still on Win7 because of all of the MS shenanigans.

Re:There should be a separate "Security Updates On

There is, it's the "critical updates only" checkbox.
The problem isn't the lack of said checkbox, it's the fact that Microsoft doesn't respect that checkbox and considers all sorts of marketing fluff and malware to be "critical"

But they are critical updates from Microsoft's point of view: critical to marketing.

also...

[Comboman]

also, doctors don't break into your house in the middle of the night to give you a vaccine (and snoop around your house while they're there).

Re:also...

[RespekMyAthorati]

(and snoop around your house while they're there).

And ever after.

Windows users have two options

[JoeyRox]

Option A) Turn automatic updates ON and risk Microsoft making your machine unusable due to a faulty update
Option B) Turn automatic updates OFF and risk Microsoft making your machine unusable due to the absence of a security update

Except

[ArhcAngel]

When I go to update it just spins for hours and when it finally does update my tablets keyboard no longer works.

MS thinks "update" means "upgrade"

[mugnyte]

If an MS Update actually updated just the software you have (taking into account anything you've disabled or removed) - then this feature would be useful. As-is, it seems to Upgrade, Re-enable, Reset the OS to a state that is disruptive. This is not what such a feature should be doing. We've seen this before when updates required clicking (no scripting mode) and when updates required accepting EULA's that didn't allow a "No" - you were left with the half-way install. Each time, MS had to learn that their platform would be far more secure if they kept it simple. When they fail doing this well, the feature is disabled. The platform silently becomes a haven for compromised equipment - and a continued poor reputation for service. Has nobody written down the requirements for this type of tool over there? Or more clearly: The requirements should include what NOT to do as well as what is required. I'm very surprised, given that MS wants to be the go-to OS for corporate use. Every OS has flaws and attacks, but making patches into sales gimmicks is what pushes people away.

Re:Windows Users...

[squiggleslash]

Because Windows Update reboots your computer without your permission or control over the process. We're essentially back to Windows 95 in terms of operating system stability because Microsoft cannot figure out how to update an operating system without resetting the computer in the process.

If Windows 10 (1) avoided reboots unless absolutely 100% necessary, and (2) prompted you to reboot (perhaps nagging you until you do) rather than running a timer you often don't even see before it expires do it, then, well, people would be a little happier about the tool.

Updating is good. Microsoft's implementation is shit. If you want people to install security updates, don't do implement it in a way that's indistinguishable from a kernel level bug that crashes your computer every few days.

Re:Windows Users...

[Hognoxious]

It goes further than that. Plenty of times my XP laptop would hang after an update, or the networking was disabled. The latter was great since it stopped you downloading the update that fixed the other update unless you had another machine.

Still, it made me learn about restore points.

Didn't MS just block updates on Win7/8 for Ryzen?

[future+assassin]

Yah blame the user for the virus exploits and not the vendor that created the software with huge holes and the vendor who is blocking updates when running new gen CPU's on older OS versions just to try and push people to W10.

Windows Updates

[StonyCreekBare]

The last time I left updates enabled, update started updating my machine and demanded a reboot in the middle of a major corporate presentation in front of a large audience. This is UNACCEPTABLE behavior!

Windows Updates (1) Constantly reset browser preferences, (2) Frequently break hardware drivers, and (3) Often interfere with critical, urgent work tasks. Don't tell me not to turn them off! Don't tell me not to tell others to turn them off! NOT GONNA HAPPEN!!!

Windows Updates should be TURNED OFF, during all business / production usage. Then updates should be enabled/installed manually during weekends, vacations or other non-critical times. I DECIDE when my machine can be down for maintenance. Not Microsoft. The Updates STAY OFF, until I purposely enable them when I am willing to allow time for reboots, and have the time to restore my machine to proper configuration and operation afterward.

umm NO!

I tell people to turn off the automatic downloading and installing of updates all the time. Instead of having updates shoved down their throats i TEACH people how to look up the updates that microsoft is putting out and how to decide whether or not those are updates that they need. I also teach people how to conduct regular backups in case they do miss something.

Because blindly accepting anything from anyone is a bad idea. period. full stop! It encourages ignorance and helplessness, teaching people how to use these tools we call computers is the only way to stop shit like this and in the cast that something does happen a full and proper backup is only a wipe and reinstall away.

also how are the words of a microsoft employee "news for nerds" we already have enough shills that post int he comments.

Windows 10 automatic install

[mgandalf]

Tell Microsoft to stop pushing patches which install Windows 10 without my agreeing upon it, and I'll let Windows update run. No, I suppose Microsoft stopped with the whole Windows 10 thing a few months back, but there's now a trust issue I personally have to get past. The fact of the matter is, I don't trust Microsoft anymore.

- Mark.

Re:Windows 10 automatic install

[cfalcon]

It is only Microsoft's fault that Windows Update is not trusted. It is a usability issue and a privacy nightmare. It is Microsoft's fault that there is no setting to get security fixes without also by default slurping down megabytes of spyware and telemetry downdates.

Microsoft is fully to blame. Disable Windows Update. Manually apply security patches. This is necessary because Microsoft is not willing to provide such a list universally to allow this correct and common use case. This omission is absolutely deliberate, as is their newly obfuscated KB notes.

Take the ransomware out of WU

[istartedi]

WU is ransomware. It's just a different kind of ransom.

WannaCry: "send us $300 in BTC or we'll kill your data if you don't have backups".

WU: "Send us personal data via telemetry, take un upgrade you don't want, let us chew your CPU and interfere with your games. If you don't, we'll force you to do a lot of busy work to separate the security wheat from the marketing chaff, and if you don't do it right you'll be vulnerable to things like WannaCry".

MS bears a lot of blame until they stop holding the familiar Windows experience hostage, and return it to us without forcing us to pay a ransom.

Broken drivers, AND broken updates break stuff

We personally have TWO laptops that got repeatedly broken by non-disableable driver updates (already told Windows to never update drivers, hid the offending update, etc) and it still managed to get through, multiple times, and do the blue-screen tango repeatedly until I gave up trying to fix, it went into safe mode and disabled the Windows Update service. I had to keep it that way for a couple months until I was able to load a "newer" driver from the video chip manufacturer that fixed it and/or MS stopped pushing the broken one. Then I was able to turn updates back on again.

All was fine, I THOUGHT, until several months later when the Anniversary updated got pushed to these systems. I bugged both my laptop manufacturer and Microsoft, repeatedly. Microsoft swore up and down that it would "only try to load the update once" and then stop trying if it failed. They also said the Anniversry update wasn't "certified" for this laptop model so I should just not install it, which would be fine except that _they forecully push it out, including to this laptop mode_! When I told them it had already attempted to update, failed and hung, at least twice they said it tries twice and then won't try again. Still incorrect. I tried basically everything including downloading the update to a USB and installing it manually, updating the drivers, downgrading the drivers, removing what I think was the suspect driver causing the hang during the update install, hiding the update with show/hide update tool, etc. Hiding disabled it for a while, but the dang thing is relentless, after a while it still comes back. The only 100% reliable way to make sure it will never try again, and hang the system (usually leaving it in a hung state with the fan blaring and screen showing 32% or something, all night long) is to completely disable the Windows Update service, or buy a new computer, or downgrade to an earlier version of Windows, or say to hell with and load Linux. The latter isn't an option because the laptops are used by family members who require Windows for specific applications.

Re:Broken drivers, AND broken updates break stuff

[hierofalcon]

Load Linux. Run the Windows in a virtual environment.

Re:Broken drivers, AND broken updates break stuff

[Shirley+Marquez]

One deterrent to doing that is that it will cost you extra. The Windows license that comes with your computer licenses one copy on that computer. A virtual Windows machine ON THE SAME COMPUTER does not qualify, so you would have to buy another license for that.

Re:Broken drivers, AND broken updates break stuff

[hierofalcon]

When you kill the installed on iron copy, you just have one copy. I haven't messed with Microsoft at home for a long time. I generally shrink or move the MS partition out of the way or nuke it completely and install Linux. But if you're having problems with device drivers and updates, running virtual with a simplified and generally older chipset emulated means fewer driver problems.

Are there issues? Of course. Getting sound to work may be problematic. You won't be able to game at the highest resolution or speed as on iron - just buy a console. But for most general work, running the few remaining "must have" applications that haven't gone over to Google or some other cloud provider or which have a Linux equivalent is generally good enough and not a performance hit that you notice.

If Microsoft can try to co-opt Linux into running on it, they really shouldn't bitch about people running their stuff virtualized on Linux especially when it is to try to prevent downtime and problems that they are causing themselves. It's really convenient to be able to just copy back a known working image of your system onto a broken image when some update breaks things. That is true whether the system is Linux or Microsoft.

Re:Broken drivers, AND broken updates break stuff

[Shirley+Marquez]

It's not the number of copies. It's that the OEM license only authorizes a bare iron install. The only Microsoft licenses that authorize virtual machine installations are full retail copies and certain forms of enterprise licensing, plus the exception of XP Mode in Windows 7 Professional which gave you a license for one copy of XP in a virtual machine on the system that was running W7. Upgrade licenses can be used for a virtual machine install IF they are used as an upgrade of a full retail license; they retain the same rights that the upgraded copy had.

Even then, the licensing terms are unreasonably restrictive in that they only authorize ONE virtual machine. Not one running at a time, one period. (The licensing terms for virtual machines under enterprise licensing are more reasonable and do allow multiple VMs.) The net effect is to eliminate nearly all reasonable uses of virtual machines for home and small office users. And if you want both Windows and Linux on your system simultaneously you're forced to run a Windows host and a Linux VM, because doing it the other way around will cost you a bunch of additional money.

I will grant that Microsoft has legitimate business reasons for some of the restrictions. A case they're trying to prevent is somebody running a hosting company or a remote terminal server on the cheap. If they allowed you to run unlimited VMs, somebody could buy a big honking piece of server-grade hardware with hundreds of gigabytes of RAM and run dozens of clients in virtual machines while only using one Windows license. I think a more reasonable restriction would be to stipulate that you can run as many VMs as you like with one license, so long as they are all used by the same human being at any given time. They could not be used to provide a UI to somebody else, nor to offer services to other people or computers.

Anti-Vaxxers

[StormReaver]

...are being labelled the IT equivalents of anti-vaxxers...

So, people who have done their research, and have decided that the cost/benefit ratio is too low. Sounds about right.

Re:Anti-Vaxxers

[StormReaver]

I meant that the cost/benefit ratio is too high, not low.

Re:Anti-Vaxxers

[RespekMyAthorati]

I don't think you know what the fuck you mean.

Repeat After Me

[John+Allsup]

If you value security, don't run the mission-critical parts of your infrastructure on a general purpose operating system like Windows, but rather run it on a minimalist, locked-down OS that has _only_ the facilities needed to do its job. The update carousel is a nightmare. If you want to ensure your Windows box doesn't sporadically reboot during a long unattended operation in order to update, what do you do? If you want to lock Windows down so it can only do the job to hand, and nothing else, you're screwed. If you run mission-critical stuff on a full-featured general purpose OS (and the same can be said for off-the-shelf Linux distros like Ubuntu and Fedora), you are kinda asking for it.

That this idea is older than me, but is ignored, is laughable.

Re:Repeat After Me

[Bearhouse]

Indeed - but who has the competence, and the budget, to do that these days?
Of course you will (correctly) reply that budget should not be an issue, since the investment should recoup itself in opportunity cost of not having to spend a fortune in ongoing security efforts, and or recovery.
But try explaining that to your average suit...

Damned if you do, damned if you don't.

[Opportunist]

Basically, you have the choice between being taken down by one of their fucked up updates or by the malware.

Pick your poison. No, survival is not a choice. Unless you dump that shit.

No, fuck Windows update.

[cfalcon]

I turn off Windows update on the boxes that I still have. I recommend everyone I know disable Windows update on all boxes that they have.

If you leave Windows update on, and just take the security updates by default, you will get owned by Microsoft. Constant telemetry will stream from your box.

I also recommend people look up how to stop this on Windows 7 and 8, where it is possible to stop it. It is not possible in 10, though some people have had some success at limiting it.

The article's advice is horseshit. WU should be disabled for personal computers if privacy is any manner of concern. Microsoft has revectored their security update mechanism to: try to upgrade you to Windows 10. Install sleeper services that only months after installation began transmitting telemetry. Remove useful names from KBs to prevent successful system administration. Transmit information about what programs you use, when you use them, how often you use them. Transmit information regarding crashes. Broadly expose envelope information about your non-Microsoft related activities to Microsoft and anyone they choose to share that information with.

Disable WU on 7 and 8. Tear out the bad patches. Only EVER manually apply patches that you actually require for security and functioinality.

Comparing being a sensible system administrator who doesn't want to transfer control over their personal activities to Microsoft to antivaxxers is disgusting. Anyone making this comparison is irresponsible.

https://superuser.com/question...

The list of KBs that you must manually remove (and prevent reinstallation of) to keep Windows without telemetry is provided on that su post. The list is:

KB3065988 Windows Update Client for Windows 8.1 and Windows Server 2012 R2: July 2015 more info
KB3083325 Windows Update Client for Windows 8.1 and Windows Server 2012 R2: September 2015 more info
KB3083324 Windows Update Client for Windows 7 and Windows Server 2008 R2: September 2015 more info
KB2976978 Compatibility update for Windows 8.1 and Windows 8 more info
KB3075853 Windows Update Client for Windows 8.1 and Windows Server 2012 R2: August 2015 more info
KB3065987 Windows Update Client for Windows 7 and Windows Server 2008 R2: July 2015 more info
KB3050265 Windows Update Client for Windows 7: June 2015 more info
KB3050267 Windows Update Client for Windows 8.1: June 2015 more info
KB3075851 Windows Update Client for Windows 7 and Windows Server 2008 R2: August 2015 more info
KB2902907 MS Security Essentials/Windows Defender related update [no description/information available]
KB3068708 Update for customer experience and diagnostic telemetry more info
KB3022345 Update for customer experience and diagnostic telemetry more info
KB2952664 Compatibility update for upgrading Windows 7 more info
KB2990214 Update that enables you to upgrade from Windows 7 to a later version of Windows more info
KB3035583 Update installs Get Windows 10 app in Windows 8.1 and Windows 7 SP1 more info
KB971033 Description of the update for Windows Activation Technologies more info
KB3021917 Update to Windows 7 SP1 for performance improvements more info
KB3044374 Update that enables you to upgrade from Windows 8.1 to a later version of Windows more info
KB3046480 Update helps to determine whether to migrate the .NET Framework 1.1 when you upgrade Windows 8.1 or Windows 7 more info
KB3075249 Update that adds telemetry points to consent.exe in Windows 8.1 and Windows 7 more info
KB3080149 Update for customer experience and diagnostic telemetry more info
KB3083324 Windows Update Client for Windows 7 and Windows Server 2008 R2: September 2015 more info
KB3083325 Windows Update Client for Windows 8.1 and Windows Server 2012 R2: September 2015 more info
KB3083710 Windows Update Client for Windows 7 and Windows Server 2008 R2: Octobe

Re:That assumes Windows update works at all

[Z00L00K]

One of the more common things that causes problems with the updates is if the clock on your computer isn't correctly set, and that includes timezone and daylight saving.

Re:Windows Users...

[prunus.avium]

... rather than running a timer you often don't even see before it expires do it...

HAH! That's exactly how I wound up running Windows 10. Left my Windows 7 machine running over the weekend and came back to Windows 10. Fuck!

Re:Windows Users...

[EnsilZah]

Because getting some kind of virus is a hypothetical, while seeing several people's presentations ruined, my own work stopped for half an hour on three occasions, bad drivers installed multiple times, all those are tangible experiences.

Tell Microsoft to fix it without funny business!

[Chas]

The problems here with people turning off Windows Updates can be laid right at the feet of Microsoft.

Sneaking in "Urgent" patchs that introduce unwanted functionality, start spying on the end user, etc?
Not to mention the older issues with newer patches breaking production software.
And the oldest issue of all, Windows updates breaking (and bricking) systems to the point of needing a complete reload.

If those jackasses up in Redmond would pay attention, and hire people to ride herd on all the Indian and Chinese programmers they're paying pennies a day for, they'd know this by now.

But nope! Gotta shovel this shit out as fast as humanly possible. QA is for pussies! Isn't that what our paying user base is paying for?

This situation has been going on for decades now. And it's only getting worse...

Re:A Profound, Reliable Solution...

[CAOgdin]

P.S.: I agree on the Windows Updates that delivery telemetry (above). I've removed all that junk, and my systems run smoother...and faster...without clogging up my system with "data for M$" and without using my Internet connection for something that appears to offer me absolute NO perceived benefit.

If M$ has competent quality control practices, this "telemetry" would have no value. I suspect much of it is used to justify their own internal practices ("See how many people never use XYZ feature? Let's not waste time patching that PoS.")

Re:Windows Users...

[fazig]

I disabled automatic updates on my Windows 7 machines when MS started to offer only cumulative updates for Windows 7 through the updater that combine security updates with non security updates. Before that I installed security updates automatically. But with rollup updates, this is something of the past. I don't want them to install whatever crapware they want on my machine. For that reason I already avoid Windows 10 whenever I can.
So I prefer to download security updates manually from http://www.catalog.update.micr... (yes, you can do it without using IE) and pay something like ~$30 a year for a proper proprietary anti-virus than putting up with Microsoft's shit. Hey, I'd even be willing to pay that money to MS every year if they offered a better service and didn't try to screw me over every chance they get.

Re:Poor advice.

Guess what, nobody cares what you do on your PC or what porn sites you visit.

There are MANY companies that want EXACTLY this data. The marketing/analytics business is pretty huge.

Only an idiot would worry about telemetry.

So have you stopped beating your wife yet?

The problem isn't the update

[JoePete]

The controversy over whether to run Windows update or not misses the larger point. If you choose to buy a car with a deplorable safety record, despite its expense, then sure, by all means follow the recall notices and bring the car to the dealer every week to get the latest problem fixed. But suggesting Windows update is the "smart" move is like suggesting the same car owners are brilliant for wearing their seatbelt while driving their risk laden vehicles. The smart thing is just don't use a product with an horrendous security record.

Re:Windows Users...

[JohnFen]

Why would anyone *disable* automatic updates on Windows?

To avoid all the nastiness that comes with Windows updates, perhaps?

Re:Windows Users...

[JohnFen]

And how would that stop the rebooting?

MS Office runs fine on Apple (nt)

[Brannon]

nt

Re:MS Office runs fine on Apple (nt)

[Chris+Mattern]

But how do you get NT to run on an Apple?

Re:MS Office runs fine on Apple (nt)

[Gr8Apes]

Parallels.

Re:MS Office runs fine on Apple (nt)

[Drethon]

Nice to know, I will definitely switch to an apple computer as soon as their price is the same as an ASUS or Lenovo laptop and I can change the hard drive or memory. (tangent rant I know, but these are the reasons I haven't switched to an Apple or upgraded from my galaxy s5 to a newer galaxy yet).

Re:MS Office runs fine on Apple (nt)

[Ol+Olsoc]

Nice to know, I will definitely switch to an apple computer as soon as their price is the same as an ASUS or Lenovo laptop and I can change the hard drive or memory. (tangent rant I know, but these are the reasons I haven't switched to an Apple or upgraded from my galaxy s5 to a newer galaxy yet).

If you have to have the cheapest shit, that's what you get.

Re:MS Office runs fine on Apple (nt)

[Drethon]

Nice to know, I will definitely switch to an apple computer as soon as their price is the same as an ASUS or Lenovo laptop and I can change the hard drive or memory. (tangent rant I know, but these are the reasons I haven't switched to an Apple or upgraded from my galaxy s5 to a newer galaxy yet).

If you have to have the cheapest shit, that's what you get.

Well when I have so much money I can blow it on paying more for a product that gets the job done as well as a cheaper product, I'll consider it. M$ is annoying but rarely impacts productivity, worked at a place with Linux and the bugs are much more frequent.

Re:MS Office runs fine on Apple (nt)

[Ol+Olsoc]

Nice to know, I will definitely switch to an apple computer as soon as their price is the same as an ASUS or Lenovo laptop and I can change the hard drive or memory. (tangent rant I know, but these are the reasons I haven't switched to an Apple or upgraded from my galaxy s5 to a newer galaxy yet).

If you have to have the cheapest shit, that's what you get.

Well when I have so much money I can blow it on paying more for a product that gets the job done as well as a cheaper product, I'll consider it. M$ is annoying but rarely impacts productivity, worked at a place with Linux and the bugs are much more frequent.

Great if yout time is worth nothing. Annoying You are willing to put up with an insecure product that gets disabled with many updates. Penny wise, dollar foolish. Enjoy that.

Microsoft made that pretty hard

[gweihir]

It used to be that you had the option to only install security patches, but with Win10, not anymore. MS routinely breaks things by adding functionality now. The push UI changes some people do not want and that can also break things.

If anybody needs to change something here, it is Microsoft. First, they should stop writing really bad software. And second, they should stop forcing people to accept functionality-changes bundled with security patches.

Or, don't use Windows?

[Brannon]

There are 7 billion people in the world, do you really think the right answer is for all of them to read /. and "hacker news" every day?

Do you think bridge designers sit around saying "you shouldn't be allowed to drive across my bridge unless you understand how retention walls work"?

Use an OS from a company that doesn't hate you and you won't have to disable auto-update.

Re:Or, don't use Windows?

[Dunbal]

This is not rocket science. It's like wearing a condom before having sex with a stranger.

More hype than substance

[WaffleMonster]

People get WannaCry by clicking on the wrong email not by SMB exploits. I get that repurposed NSA exploit angle makes for interesting and irresistible news stories but substantively it's way overhyped and using it to support blanket assertions is a nonstarter in my view.

There is compelling quantifiable evidence to support the position vaccines help more than they hurt. The case for updates is closer to the question of whether throwing billions into the intelligence industrial complex makes real people quantifiably safer from being terrorized given opportunity cost of not investing these funds to address significantly more statistically substantial problems such as pulling down US murder rate.

What we know for sure is social engineering accounts for 90% of general p0wnage worldwide. Even if all unintentional software bugs were patched with 100% coverage overnight absolutely nothing would change.

In 2017 given Microsoft's proven track record of both incompetence and sleaze when it comes to updates it's an open question as far as I'm concerned whether updates are still worth applying at all. Majority of end users are behind stealth mode firewalls and the only whackable thing they have sticking out is a web browser. If you keep firefox or chromium or whatever up to date and lock down some associated configuration are you really appreciably safer vs probability of computer failing to boot or introduction of some new Microsoft "telemetry" malware or Microsoft false choice prompt dismissal scam? I honestly don't know the answer. I do know it very much depends on context not only in terms of the users needs and environment but the value judgments of the end user.

If Microsoft would stop constantly peddling malware, firing QA staff, fix updates to not use insane amounts of resources while taking forever and requiring a reboot to sneeze... If only updates were properly labeled and people trusted Microsoft not to screw with them... my guess less will find value in disabling updates.

I personally believe coordinated automated updates of billions of systems globally in a matter of days is an extraordinarily perilous activity in and of itself no matter how careful you are. Sooner or later this is bound to end in a major disaster. While updates do fix problems quicker they also significantly lower the cost and tolerance for releasing defective software. It sends a signal to the market releasing defective software is a cost free activity.

Re:It needs to be less intrusive

[rudy_wayne]

Windows Update needs a few changes to be trusted:

1) An option that only installs critical security updates and not features
2) Needs to stop rebooting your machine when it is busy doing something. This includes intrusive nags that interrupt what you're doing
3) They need to stop breaking things like they did with third party boot loaders a year or so ago

You are right, of course, but you fail to understand the mentality that exists within Microsoft.

Windows 7 is by far still the most popular version. Microsoft could have left it alone and just made security and performance improvements "under the hood". But Microsoft suffers from "New Coke Syndrome", i.e., making pointless, needless changes that are driven by marketing, not by technical necessity.

Re:like just a little bit pregnant

[BronsCon]

Playing devil's advocate, here...

By disabling automatic updates in earlier versions, before Microsoft played these games, the end users put themselves in a position of trust, in control of the security, stability, and performance of not only their own computers, but every computer connected to the internet, regardless of OS or version. Those same users also put themselves in a position of trust regarding the perception of the security of Microsoft's OS.

Those users failed miserably to live up to the position they chose for themselves.

As a result, Microsoft have, and perhaps rightly so, removed the option that previously allowed those users to put themselves in that position.

It does have the side effect of screwing those of us who both disabled automatic updates and manually installed updates within a reasonable timeframe (or took sufficient security measures to mitigate the risk of not having installed updates). Now, we no longer have that choice and yes, that does suck.

It sucks a bit less, though, when you take a moment to realize that, over time, the mess that is older versions of Windows with Windows Update disabled and manual updates literally never applied will clean itself up as those systems naturally remove themselves from the environment, either through obsolescence or hardware failure. They'll be replaced with new systems on which the user can't disable updates irresponsibly (that is, turn it off and "forget" to ever manually install updates that are actually important) and we'll all be better off for it.

Yes, even those of us who are suffering with forced updates now.

MS fix ReFS CoW filesystem, kill windows installer

[bongey]

Windows system restore and windows installer basically implement a horrible copy on write file system on top of ntfs. Windows installer does enormous amount of time upfront calculating how to rollback back the install if it is fails. Run into problems and windows update gets in endless loops , spending most of the time re-calculating how to do a failed install again. Microsoft bite the bullet and fix ReFS to have proper CoW filesystem with snapshots and shocker the ability to boot from a ReFS volume.

Tell Microsoft to give me back some control then

[Solandri]

I *have* to disable the update service on my laptop. Win 10 insists on installing newer Intel graphics drivers, except they don't work with the Optimus setup on my laptop. With the newer Intel drivers, any 3D game I start crashes when it tries to use the Nvidia card. So I have to let Windows 10 update my laptop, disable the update service, then reinstall the Intel GPU drivers provided by my laptop vendor (and also the Nvidia drivers if Windows 10 has auto-updated those).

When Win 10 first came out, it gave you the option to disable updates to a specific device driver. But for some inexplicable reason, Microsoft removed this option in the Oct 2016 update. Because of Microsoft's brain-dead update policies, I literally cannot use my gaming laptop to play games if I have Windows Update enabled.

Re:I have always run auto update

[JohnFen]

Translation: "I've never had a problem myself, so other people claiming to have problems are clearly either being hyperbolic or lying."

some are just control freaks and don't want anything done without their say

Your use of the disparaging term "control freaks" betrays your disdain for people who actually dare to think that their computer belongs to them and want to treat it as if it were.

My computer should never do anything that I didn't approve of or ask it to do. If it does, then I call that "malfunctioning".

Microsoft nanny state

[MattiasAndersson]

The so called "security experts" are preaching about the immense dangers of disabling automatic updates. Never mind the time consumed involuntarily by consumers having to patch their systems every second week. Never mind the unsaved files, permanently lost, due to automatic reboots in the middle of the night. Never mind the havoc wrecked on production and development environments running multiple virtual machines. It's time the security people stepped down from their high horses and realized that automatic updates should never be enforced -- only strongly recommended. Developers and power users don't want to live in the Microsoft nanny state of supervised reboots -- not even if you're able to schedule them.

Re:Poor advice.

[BronsCon]

Because they do care about what crashes on your computer and why, so they can fix those issues. That's more to do with what other people (software developers) do on your computer than what you do on it.

It's all give and take and they just TAKE

[Rick+Schumann]

Companies like Microsoft have to be responsible to their customers and not push updates that violate their sovereign right to control their own bought-and-paid-for hardware, not install unwanted 'features' like things that shove ads in your face, not brick people's computers, and otherwise not subvert and annex peoples' bought-and-paid-for hardware into their surveillance network. Companies like Microsoft seem to think that THEY own people's computers, not the PEOPLE WHO PAID FOR THEM, and that is FLAT OUT WRONG, AND FURTHERMORE POSITIVELY OFFENSIVE. If companies like Microsoft had a respectful attitude and respectful business practices THEN PEOPLE WOULDN'T BE TURNING OFF AUTOMATIC UPDATES IN THE FIRST PLACE!

Re:Windows Users...

[BronsCon]

Because getting some kind of virus is a hypothetical

Until it happens to you or you see it happen to someone else. According to you, seeing it happen is enough; after all, you did say

seeing several people's presentations ruined [...] are tangible experiences.

All of the "ruined presentations" I've seen have been reported in the news media. The very same news media who reports on these viruses people are getting, mind you.

And yes, I've had updates interrupt my work before. Twice, on two different systems. I treat those incidents as bluescreens and, well, even with those, Windows 10 is still more stable and reliable than any previous version.

Don't make your software update so painful

[rahenri]

Don't push unwanted updates down people's throat. Don't make updates so annoying that you have to reboot your computer so often. People shouldn't be forced to stop everything they are doing to reboot their computer so often. If you want everyone to do them, these updates should be seamless.

MS, we're looking at you

[Altrag]

If MS really wants to make people do updates promptly, they need to get their heads back out of their asses. In the late WinXP and into the early Win7 era, there was a strong push for security and the updates were usually both relevant and easy to install.

Fast forward to now, and half the updates you get are MS pushing their latest piece of crapware (*coughskypecough*) that you don't want, and like 90% of them require a full computer reboot -- which they'll happily do with our without your input and hope to hell you saved your work that day.

If MS wants people to install critical updates then:
a) Stop calling every fucking sales pitch "critical," and
b) Go back to putting in the effort to avoid reboots. I know its easier to just reset and not worry about internal version conflicts and whatnot, but its a serious detriment to anyone who doesn't normally shut off their computer in the first place (and those people are the ones who least need to be force into an unwanted reboot!)

Unfortunately MS has decided to do the exact opposite of that and compensate by giving you no choice -- enjoy losing your work.. what're you gonna do about it? Switch to Mac? Oh you are? Well fuck.

Tell Microsoft to stop breaking stuff!

[duke_cheetah2003]

Automatic updates are great and all, until the update becomes a problem in itself, breaking something.

Microsoft really should have two update paths: CRITICAL (and take it seriously, no more stupid updates labeled as CRITICAL)
And: Non-CRITICAL (everything else goes here, especially driver updates!!!!)

Make one optional, make one mandatory. Problem solved, assuming M$ can adhere to a fairly strict no-nonsense policy to what gets flagged critical.

Yes, don't do it.

[eriks]

How about: Whether or not you have automatic updates enabled, don't ever put a windows box on a public-facing IP, unless it's super-dooper-hardened/firewalled and has a 24/7 NOC staff to monitor it.

Re:Windows Users...

[EnsilZah]

The ruined presentations are ones that I've actually attended and had to sit through Windows suddenly deciding to reboot and the presenter not knowing what to do, and the attendees having to sit through the installation process.
Or ones that I watched live streamed.

I do digital painting from live model, after a few times of having Windows install an update for 40 minutes or botching a driver update that took me a similar amount of time to figure out how to fix, that's the limited time I have with the model, and the money paid wasted, I'm not enabling updates on this device again.

Now on my main desktop I still have Windows 7 so I'm less apprehensive and do update manually every couple of months.

Microsoft is part of the problem

[iCEBaLM]

In Server 2016 you have two options: allow the server a full 8 hour window to reboot itself when updates need to be applied, or disable the whole thing via group policy. Nothing in between.

I've been hit by this numerous times. HyperV server running a bunch of VDIs? FUCK IT, I'm Windows Update, I get to take the whole fucking thing down! Exchange for an international corporation that relies on 24/7 email? SCREW YOU, I'm Windows Update, reboot that bitch!

Guess how many people have no choice but to disable them because they don't want their servers randomly rebooting?

Re:Excluding the unfortunate exceptions - Ya!

We had THREE Production servers that got Windows updates (Windows 2012 R2) and suddenly wouldn't boot! Our Windows admin spent the whole day on the phone with Microsoft and we had to rebuild ALL THREE servers!. Backups you say - yeah they wouldn't boot either. You see the servers didn't get rebooted until 5 days AFTER the updates got applied. So the backups were no good either. This latest Ransomware is just another death kneel for Windows now our IT executive management are looking at how soon we can start migrating anything we can to Linux servers even out Enterprise Architect is highly recommending it.

As an alternative suggestion...

[sigmabody]

... one could implore the software vendors to make the update process less arduous, cumbersome, error prone, and OBNOXIOUS AS ALL HOLY HELL.

As someone who has, on multiple occasions/systems, got frustrated enough with Windows Update to disable the service (hint: that's the ONLY way to prevent it from randomly rebooting your system when you are trying to use it, whether you like it or not), I can say with some certainty that I would have no issue with leaving updates enabled, if the process wasn't so GODDAMN TERRIBLE. Suggestion to vendors and prognosticators: the vendors are as much, if not more, to blame as the users who respond to the INFURIATING behavior of their devices. Instead of blaming the users, I'd suggest perhaps it might be more productive to blame the vendors for the poor quality software which drives the users to disable it.

Re:like just a little bit pregnant

[Gr8Apes]

Playing devil's advocate, here... By disabling automatic updates in earlier versions, before Microsoft played these games,

I believe they started playing those games with the second or third update. I can't tell you exactly which update it was, but it was way way early in the game and they fubarred lots of systems. Something about an internal MS driver updating and overriding third party drivers IIRC. They also have always pushed new features in "updates".

Where is the answer then?

[ShamblerBishop]

How in fuck do I safely update a Windows install, without risking telemetry and all of the shove-Win10-down-my-throat bullshit? Nobody has a fucking answer to this. I need to update my installs, ASAP - but I'm holding off because I don't know how to avoid all of the fucking MS-produced malware... Someone give me a fucking answer...don't link me to offline installers, that just install all of the problematic updates as well...

Re: like just a little bit pregnant

[BronsCon]

Second or third update to...???

Re:Poor advice.

[JohnFen]

I don't think that's the complete explanation. If that's all it was, then we'd have the ability to turn the telemetry off.

That telemetry is mandatory tells me that Microsoft has much more nefarious reasons afoot. Probably centered around monetization.

Re:Windows Users...

[Darinbob]

"Automatic" updates are routinely disabled. Most updates from Microsoft are crap. The updates take lots of wasted time (seriously, I've applied a service pack in the past that installed faster than some of these new Windows updates). Not every update is for security, even Microsoft still manages to make a distinction So you can be routinely applying security updates (manually or automatically) while still disabling other updates and remain secure.

And precisely because Windows is known for being insecure means you should never trust it for security. Many of it's holes came about from updates either to it or to its applications. The fact that Microsoft shoved out a marketing feature as a security update should say very clearly to never trust them. ALWAYS review each and every update manually to see if it's safe. Pro users are allowed to delay updates for some months, even security updates can be delayed, and Enterprise users can put off updates indefinitely. Only the Home users (known internally in Microsoft as "suckers) are forced to take updates immediately.

Re: Poor advice.

[BronsCon]

Crash reporting is literally the only telemetry you can't turn off...

Re:Microsoft/NSA, trust either of them?

[JohnFen]

No, end users made this mess and are hoping to blame Microsoft.

No, Microsoft made this mess and you are blaming end users. If security updates were implemented and deployed with care, and if Microsoft behaved in a trustworthy way, then very few people would object to their being automatically installed.

false dichotomy as business model

[epine]

Few sane individuals would turn off security updates at the critical security level concerning defects offering networked remote execution with escalation.

These little reason for this relatively small group of patches to disrupt normal operations, if Microsoft were to take a conservative stance.

But somehow Microsoft manages to bundle in weird instability bycatch, and you're either left with your pants down, or your pants on fire. For which the only viable solution is an OS-upgrade cycle with a new-and-improved EULA, which somehow never fails to be ever more Orwellian.

Pants or privacy. Choose one.

Nice business model, should your customers willingly board the train.

Windows update IS the nasty exploit

[Tyr07]

There are a lot of ways to protect your hardware, yes a bare system on the internet directly is vulnerable to a lot of exploits but IT professionals have been protecting these systems for decades from things before microsoft releases a patch and protects them.

Windows 10 single handedly caused far more problems and cost for users of production software that any viruses for one company I worked for.
We were flooded with calls from users who were FORCED into windows 10 and now ALL THEIR SHIT DON'T WORK.

Trusting microsoft completely is bullshit, review the updates, decide if they're relevant. We can't trust these companies to blindly accept all their software "updates", a lot of them these days aren't even things that affect you, but they want their software to gather more data or other garbage.

I don't think so

[sentiblue]

What you have is the opinion of a person having limited knowledged ... You only looked at one single threat and decided what you asked is good for everyone. Obviously you haven't done any risk assessment.

In environments where hundreds/thousands of comptuers run to put together a massive operation, we don't do "automatic" updates... which gives MS the decision of when and what. Instead we evaluate the credibility of the patches even if it comes from its authentic provide MS. Why? Because unlike the patch that you mentioned, there were other patches that crashed thousands of servers worldwide... or upgraded the OS from Windows server 2003/2008 to Windows10 and render all of its applications useless because those apps are not compatible with Windows 10.

Even if a patch is credible and verified... we run it through test, then QA, then Staging, then Production in that order. So you see... just because MS provides a patch, doesn't mean you have to install it. MS is not the only provider here. There are other providers that issued patches which consequentially created disasters and we were left with fixing their problems.

For personal use computers, yeah sure it would be OK to have an abrupt patch that causes problems or do an upgrade without consent. For some that's still unacceptable since they rely on their machines to make a living.

'nough said... what you said is wrong. Let the experienced speak and you'll learn from them.

Real world experience?

[kugeln]

I'm guessing as a security researcher, he's never had any real world experience.

Allowing a software vendor to automatically apply updates and patches might sound like a good idea "in theory" but it requires a level of trust--something which Microsoft has never achieved in my organization over the past 17 years.

As others stated, the *only* way for a business to manage updates properly requires building a test environment and funding knowledgeable staff to test updates against their system and software configurations. Turning on Windows Update without any oversight almost guarantees you eventually having a Really Bad Day at the office when you come in and MS has decided to update something having to do with the login authentication and none of your users can log in.

Fast forward to Windows 10 and you have the "installing, failing, rolling back, rebooting" cycle and if you think calling Microsoft is going to get you a 5-minute fix, you're probably going to find yourself needing a new job.

Re:Windows Users...

[Darinbob]

Most malware doesn't cause the kinds of damage that Windows does.

No thanks!

[sinij]

I would rather restore my mother PC from a backup than have to deal with Win10 on her machine. They turned it off for now, but it takes one under-perform quarter for them to get back at it.

Re:There should be a separate "Security Updates On

[Darinbob]

"Security update KB12345: This update changes the color of the mouse cursor. Be aware that this update is required for all future updates to Windows 7 and 8.1. For a list of incognito non-security changes, please visit ."

I promise to not say that

[rewardian]

But I'm not enabling automatic updates in any environment I manage.

Too many times have I been alerted of a new security issue by a client, though I was already aware, and was asked to install the patches that correct the issue. The environment's already designed to prevent many of these issues (ACLs, competent firewall rules) and I'm not worried, but want to qualm their fears with something real, like Microsoft patches. ...

So it's 3AM and I'm rebooting and I receive a real blue screen of death (i.e. 'we can't boot to shit, you want to recover?'), I scramble around and restore the last backup. The client isn't pleased, neither am I, and we forget about the ordeal because it's already solved.

What I'm saying is just like many others. I don't need your patches, they usually fuck things up, but some people do. So, it's a deal. Microsoft can deal with a swathe of angry customers who fail to boot or reboot loop to oblivion and I'll keep my mouth shut (other than blaming Troy Hunt, maybe).

Bad patches plus forced reboots

[dbIII]

Due to bad patches and forced reboots on some machines where losing time in working hours was a serious problem you just had to turn off updates. The sensible thing after that is disk imaging then manually applying the updates (and waiting through whatever patch rollbacks are needed) every few weeks.
The extent of the current problem is partly due to windows updates being very poorly managed and used as a vector for a new product that is in some ways inferior to the one it replaces. Some people did the necessary for them step of stopping automatic updates and then never took the time consuming steps of doing the manual updates.
Microsoft behaved badly and lost trust, leaving malware to exploit other areas where MS has behaved badly with bandaid fixes later.
Blaming the users doesn't get anyone anywhere. They had their reasons. They may not be entirely good reasons but MS should be working on regaining their trust instead of blaming them.

Well tell the carriers to stop metoring

[DarkOx]

For people on low capped 30 - 60gig cellular and satellite connection, Windows updates are often simply unworkable.

You can't demand I use a day's worth of internet activity to install a updates. Sorry does not work that way. If M$ won't make individual updates available so people on the meter can pick just the critical, that affect them, people will continue to disable updates.

 

Re:Poor advice.

[Voyager529]

Because they do care about what crashes on your computer and why, so they can fix those issues.

If Microsoft wants telemetry data to resolve issues with system crashes, they can earn it. Start by actually reading through the forum posts with thousands of people reporting the same issue, and work to address that issue, rather than having an offshored 'support rep' copy/paste a 'solution', mark the issue as solved, never following up on the thread, and then waiting until page 807 for some enterprising individual to figure out the registry hack + permissions change + third party utility that *actually* solves the problem. This is the norm in the Microsoft support forums. Microsoft cannot simultaneously argue that they need telemetry in order to address crashes, performance issues, and system instabilities, while also ignoring the green pastures of such information volunteered to them that goes unaddressed and unresolved unless another end user provides a workaround.

That's more to do with what other people (software developers) do on your computer than what you do on it.

So then why don't they provide an opt-out if I would prefer to deal with the crashes personally and not get their help? Why don't they provide the raw data that gets sent back? You are defending Microsoft taking data that my computer has generated and not showing it to me while appearing to be perplexed as to why "*.microsoft.com DENY ANY ANY" is becoming a progressively more common firewall rule. They want information about how well my computer runs, they can ask for it, and I will be more than happy to give it to them (fairly commonly in the forums, see point #1). MS wants to take it, not show it to me, write a EULA indicating that they can do whatever they want with that data, and expect me to trust them to do the right thing on my behalf? Sorry, no.

-Linux

[stooo]

>>'Don't Tell People To Turn Off Windows Update, Just Don't'

Yep. Better tell people to use Linux.

Re:Excluding the unfortunate exceptions - Ya!

[stooo]

>> Our Windows admin spent the whole day on the phone with Microsoft and we had to rebuild ALL THREE server
That'S normal when administrating MS machines

Re: like just a little bit pregnant

[Gr8Apes]

Second or third update served through WU. That was a long time ago, so I could be off by a couple of updates as I don't keep records of the number of times MS screwed me anymore.

Re:Poor advice.

[BronsCon]

If Microsoft wants telemetry data to resolve issues with system crashes, they can earn it. Start by actually reading through the forum posts with thousands of people reporting the same issue, and work to address that issue

How many of those thousands of people do you think can actually accurately describe the actual problem they're facing, let along provide the technical details that come from crash telemetry? It's honestly like Ford asking someone who was involved in a car accident due to a bug in their car's anti-lock braking system to help them fix it, rather than asking the car itself what went wrong; cars store post-crash and post-fault telemetry for a reason, and Windows does for the very same reason. Only the system knows why the system failed.

This is the norm in the Microsoft support forums. Microsoft cannot simultaneously argue that they need telemetry in order to address crashes, performance issues, and system instabilities, while also ignoring the green pastures of such information volunteered to them that goes unaddressed and unresolved unless another end user provides a workaround.

A feature or function not behaving as expected and a program crash are two different things. One (the program crash) will provide telemetry and the other will not. Microsoft does not need telemetry to learn that sometimes the Start menu does not open when you click it; and telemetry will not tell them that, either. Those types of issues do belong in forums, as they're not crashes but, rather, UI and UX bugs that telemetry can't possibly nail down; they're not failures of the system, they're failures of the design of the system.

A program crash, on the other hand, is much easier to track down and fix when you have the actual system that experienced it provide details about it that the end user who was sitting at that system can't possibly even be aware of. Sure, you can have a thousand people report the crash, each giving a slightly different account of the issue, and you can assume that all of those similar-sounding crashes follow the same root cause, spend countless hours attempting to reproduce an intermittent problem, finally get it to happen once so you can now confirm that a problem does exist, then spend countless more hours trying to reproduce it again and again with every proposed fix because, well, it's an intermittent problem, it doesn't happen every time you do the thing that triggers it...

Or, you can have the failing system tell you how and why it failed, immediately know what needs to be fixed and how to verify that it ha been fixed, and possibly learn that there are a handful of "whys" for a given "how". That's something a thousand forum posts can't give you.

Imagine a thousand people posting about Word crashing when they open files saved by a certain older version of Word. You read all thousand reports, they all say Word 2016 sometimes crashes when opening files saved by Word 2003. Do you know, from a thousand descriptions of the crash scenario, what caused those crashes? Do you know that there was just one cause? Might there be multiple causes? I mean, come on, we're talking about Microsoft, right? Even you should agree that a single issue in their software is likely to have multiple causes.

So, what, they see the forum posts, reproduce the issue on their end--they found a working test case, they're not gonna keep looking for more of them--and fix the issue they reproduced. Well... They fix one cause of that issue. Then they report back that it has been fixed.

And it has, for about 10% of the people who reported it.

Telemetry lets them see the actual problem, and not just the result of the problem, so they can fix it right the first time.

You can't honestly be sitting there with a straight face, comparing pre-XP Windows to post-XP Windows, and telling me it doesn't work. Every version of Windows released since XP has been more stab

Re:Pirated software.

[djinn6]

I don't think having tons of vulnerable machines out there is good, even from a justice or karma perspective.

Unlike IoT gadgets, which are exclusively bought by people with far too much money in their pockets, a regular computer is a necessity in the modern world, and not having one closes the door on many good careers.

Now consider that some people are very poor and uneducated. The machine might have already cost them a year's salary, and a license would've been another year's. They probably don't have know anyone who knows Linux. They might not know what an OS is, or even what pirating is. And many of the cheaper computers are simply sold with a pirated version.

Besides, the attacker could've just as easily made them a part of a botnet rather than asking for ransom.

Re: Poor advice.

[JohnFen]

This is almost, but not quite, true.

If we accept that Microsoft is being forthright and truthful about this, then the telemetry you can't turn off includes "basic device information, quality-related information, app compatibility, and Microsoft Store. When the level is set to Basic, it also includes the Security level information."

This is quite a bit more than only crash reports. Also, crash reports are not exactly innocuous. They can contain very sensitive information themselves.

Re:Poor advice.

[JohnFen]

It's honestly like Ford asking someone who was involved in a car accident due to a bug in their car's anti-lock braking system to help them fix it, rather than asking the car itself what went wrong; cars store post-crash and post-fault telemetry for a reason, and Windows does for the very same reason.

Except that, with the exception of more modern cars (which are just as unacceptable as Microsoft's mandatory telemetry), your car is not constantly phoning home with that telemetry. Someone has to physically retrieve it, which involves your active consent.

If, in the event of a crash, Windows asked if it could send the crash report to Microsoft (like it used to!), there'd be no issue.

Telemetry lets them see the actual problem, and not just the result of the problem, so they can fix it right the first time.

You're arguing in favor of telemetry, but I don't see anyone arguing against it. What people are arguing against is that it is mandatory.

Re: like just a little bit pregnant

[BronsCon]

Update to what? Not from where. Windows XP? Because that's what I was talking about... you know, when I said "disabling automatic updates in earlier versions" and "before Microsoft played these games".

If people hadn't done that, then not held up their responsibility (to the rest of the users, not to themselves or Microsoft) to install security patches to ensure their machines didn't become shit-spewing bot nests, perhaps Microsoft wouldn't have taken away the ability.

You seem to only be able to mentally go as far back as the release of Windows 10, but we're discussing things that happened long, long before then, which lead to many of Microsoft's (admittedly ill-thought) decisions regarding Windows 10. Logical fallacy: attributing decisions made prior to an event to occurrences which followed. Correct that, then we'll talk.

Re: Poor advice.

[BronsCon]

If we accept that Microsoft is being forthright and truthful about this, then the telemetry you can't turn off includes "basic device information, quality-related information, app compatibility, and Microsoft Store. When the level is set to Basic, it also includes the Security level information."

Basic device information (such as CPU type, RAM and storage sizes and utilization, and what hardware and drivers are installed) would seem to be somewhat required as part of a crash report. In fact, quality-related information would seem to be more user-friendly name for "why did it crash", coupled with "app compatibility" as a way of saying "what crashed". It really seems as though they've broken "crash report" into its component elements; likely in an attempt to be somewhat more transparent about what's in them. Looks like that backfired.

Also, I would certainly hope Microsoft, and not some other party, is getting information about how I use the Microsoft Store. How do you suspect the Windows Store works? Do you think every Windows install comes with a full copy of everything that has ever resided in, or will ever reside in, the Windows store (including the app I am currently writing), and just calculates the current state of the store based on the current date and time? Or do you think, more reasonably, that the current state of the store resides on Microsoft's servers and you have to send data back to those servers so they know what to serve you?

I don't think Microsoft has devised a way to see into the future and determine every single piece of software that will even be submitted to the Microsoft Store, nor have they invented a compression algorithm efficient enough to fit all of that onto a single DVD, so I'm leaning toward the server solution.

This is quite a bit more than only crash reports. Also, crash reports are not exactly innocuous. They can contain very sensitive information themselves.

There is actually a setting (set to disallow by default) to allow or disallow automatic sending of potentially sensitive contents (e.g. contents of RAM or files) along with crash reports. I don't recall where I saw it, but I do know it's there and defaults to asking the user prior to sending such data.

Re:Poor advice.

[BronsCon]

Someone has to physically retrieve it, which involves your active consent.

You gave that consent to Microsoft by installing a non-Enterprise version of Windows 10 and accepting the license agreement, or by installing an Enterprise version of Windows 10 and not disabling automatic error reporting.

If, in the event of a crash, Windows asked if it could send the crash report to Microsoft (like it used to!), there'd be no issue.

If Microsoft wasn't, then, forced to deal with idiots who insist they fix their crashing programs, yet refuse to provide crash reports when asked, there'd be no issue.

You're arguing in favor of telemetry, but I don't see anyone arguing against it. What people are arguing against is that it is mandatory.

Except that it's not. Either you work in an industry where Windows is mandatory, in which case you can afford the 5-license minimum for Enterprise and disable the telemetry, or you don't and you can use something else.

Re: Excluding the unfortunate exceptions - Ya!

[hierofalcon]

Well, one good reason is that most IT departments in the world can't afford to have exactly the same hardware on every production platform. It would be nice, and we'd like to have an exact duplicate of every hardware configuration / software configuration, but we just don't have unlimited cash to do that. So no matter how we test on the most prevalent hardware configuration, you can still get bitten by a particular hardware anomaly on a particular box. It's easy to blame the IT guys, but everybody has a budget they have to deal with and arguing for hardware to just test on is rarely going to be on higher management radar until there is a huge downtime that is public facing.

That's another reason that running Microsoft Windows only virtually on Linux is nice. You can have better control of the hardware it sees. But there are some PHBs out there that want it running on the bare metal for whatever good reasons, so you can never be completely free of the similar hardware issues.

Also, it is very rare for IT to use software in all the same ways that the actual end users do. It can appear to work fine, but fail when some engineer does "their" thing with the software that perhaps no other engineer does. Again, it's easy to blame the IT guys.

Sorry Troy Hunt...

[agrisea]

Sorry Troy Hunt... Out here in the real world, Windows Update bricks PCs without notice. Most of my clients are in business and rely on their PCs & Servers to work day in and out reliably, yet when Windows Update pushes something out that brings that client to the paper & pencil age, that is not exactly a way to inspire confidence. And removing descriptions of just what a patch does, we should not have to play Russian Roulette.

The Windows 10 upgrade was yet another example of a company not knowing when "No means No" and deserved to be blocked.

So instead of blaming organizations for not patching, why isn't anyone telling Microsoft that we have had enough of their hole-filled software and to fix it or get your wallet out.

Re:Poor advice.

[BronsCon]

Perhaps they should... What they're doing now seems to be working just as well, if not better, given that Win 10 is more stable than previous versions; but I imagine it would be even more so if they still had a QA team.

Re:Poor advice.

[BronsCon]

You say it was reading and writing your hard drive, but you don't at any point mention network activity. Considering that the only way, out of the box, to monitor disk access is Task Manager and you specifically mention that this was the first 5 minutes, that's what you must have been using. Did you see network activity in that time? And which process are you referring to as "diagtrack"? If you have a process that's actually called "diagtrack", that's not Windows and you should contact your OEM about it.

Re:Microsoft/NSA, trust either of them?

[Pentium100]

Microsoft is the cause why a lot of end users disable updates. There is/was a setting to only install security patches and not install the rest. Microsoft then made telemetry and Windows10 appear as security patches so they would get installed. The users disabled automatic updates and started installing security patches manually (those users who bothered to do it, anyway). After that, Microsoft stopped providing patches individually, so that if you wanted to install a security patch, you had to install telemetry and GWX as well. So the users stopped installing updates completely.

If Microsoft made it possible to only install security patches (and chose which ones, I may not need a patch that protects my computer from a local user) and preferable made it so that not every patch required a reboot, I think more people would update their OS. Of course, now that Microsoft has lost the trust of its users, it may be extremely difficult to earn in back.

I chose to uninstall the protocol from my Windows 10 computer (Microsoft published workaround) instead of installing the patch because I do not trust the patch to not re-enable telemetry on my PC.

Re: like just a little bit pregnant

[Gr8Apes]

I'm talking XP for this one. I thought that was obvious, as that's where WU on the client started? WU always had the ability to do exactly what MS has completed with Win10, so disabling it way back then was the intelligent move for systems admins that needed to keep things running and avoid fire drills. Had MS followed a sensible update process with mandatory critical patches that only fixed holes and with proper warning if it would fubar an API which, admittedly, can happen, then people would have trusted them. As it was, MS acted like they knew better what should run on your computer and treated the updates as en blanc permission to reconfigure whatever they deemed appropriate. So admins started disabling this WU process, word got out, and many others saw their problems go away when they disabled it, so it spread. If disabling WU hadn't fixed something, then people would have stopped disabling WU.... So who do you blame?

In truth, MS systems can be semi-secure at least from the bot-net spewing bits if MS had a sensible configuration and firewall in place on their OS. Ideally you'd have a separate firewall between you and the internet, but not having one on system caused massive issues. (I'm sure you recall the study that dropping a new XP system without an external firewall on the internet to update it via WU would infect it before it could even start downloading?) Also running all processes at System was another problem, directly with XP and still an issue with W10, although it's a touch more difficult to execute an overflow as System. (This is the root of most if not all of MS's exploit issues with their apps)

Re:Microsoft/NSA, trust either of them?

[BronsCon]

Microsoft is the cause why a lot of end users disable updates. There is/was a setting to only install security patches and not install the rest. Microsoft then made telemetry and Windows10 appear as security patches so they would get installed.

So you're saying that end users began disabling updates on Windows XP in 2001 because of something Microsoft did with Windows 10 in 2015?

Nah. Don't think so.

Before Windows 10 was released, end users spent 14 years making it clear they can not be trusted to keep their systems up to date with patches for critical vulnerabilities, so we've now all lost the ability to decide for ourselves. Even in the face of the option to only install critical (security) updates, people entirely disabled them, then never went back and manually applied patches which truly were critical, consistently enough over the course of a decade and a half that the end result was a mass of shit-spewing bot nests (which then formed shit-spewing botnets) and the general idea that Windows was inherently insecure, when the reality is that a patched Windows system is no more or less secure than any other fully patched system and, with those security patches regularly installed, the shit-spewing botnet problem would largely not exist.

We've been dealing with that particular problem for as long as we have precisely because users chose not to install updates, and have made that choice for far longer than Windows 10 had been out.

If Microsoft made it possible to only install security patches

I like where this is going; we might see eye-to-eye on this after all...

(and chose which ones,

Oh, so close. The problem, here, is that when you can choose which updates to install, you can choose to install no updates, which is what people have been doing since 2001 when they were first given the option, which is why we can no longer make that choice.

I may not need a patch that protects my computer from a local user)

Right, because nobody every breaks into buildings and messes with (or steals) computers. You may be the only intended user of a system, but that doesn't stop someone else from gaining access. There is also the possibility of a trusted software vendor getting hacked and their application ending up with some code that exploits that "local user" vulnerability you didn't patch. You use that software regularly, you install the bad update, you run the application... you are the local user and now you've been exploited. Guess you needed that patch, after all.

and preferable made it so that not every patch required a reboot,

So many patches don't, actually. It just seems like they all do because there's usually (but not always) one that does in every update set.

I think more people would update their OS.

History has shown us otherwise.

I chose to uninstall the protocol from my Windows 10 computer (Microsoft published workaround) instead of installing the patch because I do not trust the patch to not re-enable telemetry on my PC.

Link, please? Actually, nevermind, I'm calling bullshit either way. You don't trust Microsoft's patch to do the job, but you trust their manual procedures? And you trust that no part of the system will act to protect the services you've removed? You do realize that Windows has had system file protection (and automatic repair and restoration of said files) since Windows 7, right?

Re:Poor advice.

[JohnFen]

You gave that consent to Microsoft by installing a non-Enterprise version of Windows 10 and accepting the license agreement, or by installing an Enterprise version of Windows 10 and not disabling automatic error reporting.

Legally, yes. In the real world, though, no. Consent through EULAs cannot be considered "active consent" by any reasonable definition.

If Microsoft wasn't, then, forced to deal with idiots who insist they fix their crashing programs, yet refuse to provide crash reports when asked, there'd be no issue.

Fine. If Microsoft doesn't want to deal with people who think that clicking the "send crash report" button means that Microsoft will fix the crash, then do it in the background -- but let people disable the automatic reporting if they wish.

Except that it's not. Either you work in an industry where Windows is mandatory, in which case you can afford the 5-license minimum for Enterprise and disable the telemetry, or you don't and you can use something else.

Well, yes, in the big picture, nothing about Windows is mandatory. Even using a computer at all is optional. But that argument is a bit disingenuous. I was talking about telemetry being mandatory if you're using consumer level Windows.

Re: like just a little bit pregnant

[BronsCon]

I'm talking XP for this one.

I don't recall early issues with WU, actually. I do recall being surprised that such a new system seemed to work quite well out of the box.

I thought that was obvious, as that's where WU on the client started?

One would think, but you seemed to be fixed on more recent events so I wanted to be sure.

WU always had the ability to do exactly what MS has completed with Win10, so disabling it way back then was the intelligent move for systems admins that needed to keep things running and avoid fire drills.

We actually agree on this point. Where it falls apart is that, while sysadmins would go back and eventually install updates after testing them, end users were disabling the updates, then not installing them later.

WSUS or no WSUS, sysadmins can still disable automatic updates on Win 10 Enterprise, so nothing changes for a company that has at least 5 computers and buys the right version of Windows (which is no more expensive, mind you; it gets cheaper in a volume license). The same actually applies to someone with a single computer, if they're willing to pay the 5 license minimum.

I've always been one to disable updates, myself. I've also always been one to manually install them. That is not the problem! The problem is when people do the first step, but not the second!

Again, we're not talking about sysadmins, here. We're talking about end users who really have no business managing their own updates.

In truth, MS systems can be semi-secure at least from the bot-net spewing bits if MS had a sensible configuration and firewall in place on their OS. Ideally you'd have a separate firewall between you and the internet, but not having one on system caused massive issues.

Well, then, I guess it's a good thing one has been included since XP SP2. Mind you, it didn't really get good until Vista, but it was there. It's really a non-issue wince Vista, though, as one has been included, with a "deny by default" configuration, since Vista.

Ideally you'd have a separate firewall between you and the internet, but not having one on system caused massive issues.

Well, yeah, the same can be said of any OS, though, if no firewall is enabled. In fact, hardware firewalls should really be the norm (even cheap routers include basic firewall functions now), especially in the face of Intel's AMT exploits, which are OS-agnostic; even the best software firewall won't stop that from being exploited as the ME grabs the packets and the OS never even sees them.

I'm sure you recall the study that dropping a new XP system without an external firewall on the internet to update it via WU would infect it before it could even start downloading?

Actually, no, I didn't know any study was necessary. Blaster was so bad a friend of mine ended up having to reinstall 4 times to get the patch before infection occurred. I was there, watching and laughing the whole time.

Also running all processes at System was another problem, directly with XP and still an issue with W10, although it's a touch more difficult to execute an overflow as System.

Was, was, was, was, was. All I hear from you is a stream of "was". Really, only system services run as System anymore; it's something they started fixing with Vista and it's taken some time to get all the software vendors on board with running their applications as the user, but we're finally there. If it's still an issue on your Win 10 system, talk to the app vendor who hasn't been keeping up; Microsoft made it a pain in the ass to keep following the old and insecure model and that's really all they can do without everyone bitching about how they broke that one mission critical application.

Yes, the problem dates

Re:Poor advice.

[BronsCon]

Legally, yes. In the real world, though, no. Consent through EULAs cannot be considered "active consent" by any reasonable definition.

You actively clicked the "Agree" button. If you didn't actively read what you were agreeing to, that's your own fault. Perhaps, if people actively refused to agree to shit that was onerously long and difficult to read, that shit would be made a lot shorter and in plain English. Companies care about market share and they won't change as long as we keep giving it to them. Take responsibility, say "NO!" to things you don't agree to, rather than lying and saying "I AGREE!", then trying to make it someone else's fault when the thing you claimed to agree to happens to you and you don't like it.

Fine. If Microsoft doesn't want to deal with people who think that clicking the "send crash report" button means that Microsoft will fix the crash, then do it in the background -- but let people disable the automatic reporting if they wish.

You misunderstand. These aren't people who think clicking the button means MS will fix the crashes, these are people who REFUSE TO CLICK THE BUTTON and bitch that MS never fixes the crashes. Go back and read what I wrote again, because you clearly missed something.

Well, yes, in the big picture, nothing about Windows is mandatory. Even using a computer at all is optional. But that argument is a bit disingenuous. I was talking about telemetry being mandatory if you're using consumer level Windows.

And what we have here is an informed market. We all know telemetry is there. Don't like it? Don't use it. You really do have a choice.

Just don't believe that Apple collects any less telemetry, or that you can disable all of it. They don't and you can't. You might know this if you ever read that EULA we were just talking about.

Re:Microsoft/NSA, trust either of them?

[Pentium100]

Right, because nobody every breaks into buildings and messes with (or steals) computers.

If somebody broke into my home and stole my computer, I would be more unhappy because they stole my computer and not because now they can hack it (they can just pull the HDD out and connect it to another PC or boot my PC from a live CD if they want to access the data).

There is also the possibility of a trusted software vendor getting hacked and their application ending up with some code that exploits that "local user" vulnerability you didn't patch. You use that software regularly, you install the bad update, you run the application... you are the local user and now you've been exploited. Guess you needed that patch, after all.

And in Windows XP days my user was the admin - there was no need to exploit privilege escalation bug if the program was bad. Now my user is still the admin, but UAC sometimes pops up asking for my approval.

OTOH, if I opened a wrong email attachment, it could encrypt my data even if running as limited user (me) on a fully patched system (or Linux). So, on a single user computer it is kinda pointless ("The malware encrypted all my data, but at least the system files are unaffected, yay!").

History has shown us otherwise.

So, with today's forced updates, everybody updates more often? Even Windows 7 or 8? I used to update my Windows 7 PCs (not very often, but I did), until GWX and telemetry showed up. And now I cannot even pick and choose to not install telemetry, so Windows Update got disabled. Though I will install the specific patch on my Windows 7 and Windows XP laptops as those may be exposed to the internet without a router.

I would say that when telemetry and GWX came out, more people disabled updates if they wanted to avoid installing Windows 10.

Link, please?

https://technet.microsoft.com/...

You don't trust Microsoft's patch to do the job, but you trust their manual procedures? And you trust that no part of the system will act to protect the services you've removed? You do realize that Windows has had system file protection (and automatic repair and restoration of said files) since Windows 7, right?

Microsoft's patch means running their (new) code on my computer. It may just do what is promised, but it may also flip some registry or group policy setting that disables telemetry (enterprise edition). I do not know either way, so I would be back to sniffing packets on my router looking for any communication between that PC and Microsoft.
On the other hand, I expect the manual workaround to work as promised, because I really doubt that Microsoft had the foresight to make uninstalling SMBv1 support also mess up the other settings.

Re: like just a little bit pregnant

[Gr8Apes]

We actually agree on this point. Where it falls apart is that, while sysadmins would go back and eventually install updates after testing them, end users were disabling the updates, then not installing them later.

And my point is that the same forces driving sys admins to disable it drove regular users to disable it. I do agree with your conclusion about them not following through afterwards, however the fault remains with MS in the first place, for forcing more than necessary down users throats. By way of comparison, Apple AFAIK has only used the mandatory push once. In over 5 years.

WSUS or no WSUS, sysadmins can still disable automatic updates on Win 10 Enterprise, so nothing changes for a company that has at least 5 computers and buys the right version of Windows

And with Win10, Enterprise or not, you will be forced to accept all updates within a 9-12 month window. I'm too lazy to look it up again for precision. It is no longer your choice. You will upgrade, soon or sooner.

Well, then, I guess it's a good thing one has been included since XP SP2. Mind you, it didn't really get good until Vista, but it was there. It's really a non-issue wince Vista, though, as one has been included, with a "deny by default" configuration, since Vista.

I recall some vague thing around SP2+ that while things were better, it was still best to not connect directly without a router + firewall in place. You are correct that once Vista came out, that concern seemed to diminish significantly.

especially in the face of Intel's AMT exploits, which are OS-agnostic; even the best software firewall won't stop that from being exploited as the ME grabs the packets and the OS never even sees them.

Well, if you have hardware with AMT in it. :)

Also running all processes at System was another problem, directly with XP and still an issue with W10, although it's a touch more difficult to execute an overflow as System.

Was, was, was, was, was. All I hear from you is a stream of "was". Really, only system services run as System anymore; it's something they started fixing with Vista and it's taken some time to get all the software vendors on board with running their applications as the user, but we're finally there. If it's still an issue on your Win 10 system, talk to the app vendor who hasn't been keeping up; Microsoft made it a pain in the ass to keep following the old and insecure model and that's really all they can do without everyone bitching about how they broke that one mission critical application.

I can honestly tell you it's still a problem with Server 2012. It has little to do with the fact that the app process has a lower than system token. If any DLL used by the app, or, honestly, if the app can load a DLL, you can execute any arbitrary code with System privs. Like I mentioned, it used to be simple, it's harder now, but by no means impossible. The problem I'm highlighting is the core issue with Windows itself - it's insecure by design. That design has not changed since 2012 or, in fact, since NT4, in any meaningful way. Bandaids are starting to lean.

Yes, the problem dates back to early versions of Windows, but the problem persists due to recent versions of applications.

As mentioned above - it has little to do with the apps. It's actually an inherent "feature" if you will of the OS.

Microsoft could fix it in the next release, but all of those applications that rely on it (still, even though they should not) would break and users would blame Microsoft, rather than the application vendors. Like you're doing right now.

Hopefully I've laid clear why the blame is appropriately laid at MS's feet.

Re:Microsoft/NSA, trust either of them?

[BronsCon]

If somebody broke into my home and stole my computer, I would be more unhappy because they stole my computer and not because now they can hack it (they can just pull the HDD out and connect it to another PC or boot my PC from a live CD if they want to access the data).

Why, when full disk encryption is so easy?

And in Windows XP days my user was the admin - there was no need to exploit privilege escalation bug if the program was bad. Now my user is still the admin, but UAC sometimes pops up asking for my approval.

Ok, so you don't care about security.

OTOH, if I opened a wrong email attachment, it could encrypt my data even if running as limited user (me) on a fully patched system (or Linux). So, on a single user computer it is kinda pointless ("The malware encrypted all my data, but at least the system files are unaffected, yay!").

Unless you run backups as an admin user; then, at least, it couldn't encrypt your backups without privilege escalation.

I would say that when telemetry and GWX came out, more people disabled updates if they wanted to avoid installing Windows 10.

Why do all of you idiots act like telemetry is something that's brand new? Not being able to turn it off is brand new, but it's nothing new at all and most of you have probably had it enabled this whole damn time. The best part? Many of you probably still have it enabled! Hell, most of you probably wanted it enabled and are just now starting to even care because you're losing the ability to turn it off any everyone is talking about it.

Microsoft's patch means running their (new) code on my computer. It may just do what is promised, but it may also flip some registry or group policy setting that disables telemetry (enterprise edition). I do not know either way, so I would be back to sniffing packets on my router looking for any communication between that PC and Microsoft. On the other hand, I expect the manual workaround to work as promised, because I really doubt that Microsoft had the foresight to make uninstalling SMBv1 support also mess up the other settings.

Oh, you were talking about disabling SMB; you mentioned telemetry, so that's what I thought you were talking about. I was confused, as I was not aware that Microsoft ever released an official method (manual or via patch) to remove telemetry from Windows 10. Hell, it's still not clear until you read the last sentence of that paragraph, as you still talk about disabling telemetry.

You may be all over the place but, well hey, you're keeping the price of my Reynolds stock high. That is, unless you buy generic tinfoil.

Re: like just a little bit pregnant

[BronsCon]

And with Win10, Enterprise or not, you will be forced to accept all updates within a 9-12 month window. I'm too lazy to look it up again for precision. It is no longer your choice. You will upgrade, soon or sooner.

I can't find anything pointing to that so, really, if you could be so kind as to look it up and provide a link, that'd be great. Otherwise, well, I'm having a really hard time trusting your "facts" when I can't verify them; I have sources for what I say, and I provide them when I make my more unbelievable claims, but I see none from you. Without some indication that your "facts" are anything more than conjecture, there's not a whole lot of point continuing this conversation.

Re: like just a little bit pregnant

[Gr8Apes]

Sure, this has some discussion of when Business/Enterprise customers can expect to see updates, but doesn't relate the "forced" aspect. Note that there is no statement that they can be avoided. There's wishy-washy wording in there. This, while older, has the verbiage I remember being finalized last year. Another story implying there's no stopping the upgrades, but, like you, I cannot find the original smoking gun that made me walk away from Win10 as a viable OS. That was over 2 years ago, and digging through thousands of google stories on "forced enterprise windows 10 upgrades" isn't what I am doing today.