'Don't Tell People To Turn Off Windows Update, Just Don't'

Security researchers Troy Hunt, writing on his blog: Often, the updates these products deliver patch some pretty nasty security flaws. If you had any version of Windows since Vista running the default Windows Update, you would have had the critical Microsoft Security Bulletin known as "MS17-010" pushed down to your PC and automatically installed. Without doing a thing, when WannaCry came along almost 2 months later, the machine was protected because the exploit it targeted had already been patched. It's because of this essential protection provided by automatic updates that those advocating for disabling the process are being labelled the IT equivalents of anti-vaxxers and whilst I don't fully agree with real world analogies like this, you can certainly see where they're coming from. As with vaccinations, patches protect the host from nasty things that the vast majority of people simply don't understand. This is how consumer software these days should be: self-updating with zero input required from the user. As soon as they're required to do something, it'll be neglected which is why Windows Update is so critical.

Excluding the unfortunate exceptions

[JimToo]

Unless you have a production environment with a software product that breaks with Windows update turned on. In which case you have to take additional security and maintenance measures and have a team that is tasked with (and funded properly) to do testing and updates on a regular basis.

Re:Excluding the unfortunate exceptions

[xxxJonBoyxxx]

Or the Windows 10 update doesn't work and keeps downloading/restarting/bluescreening your computer. (Looking at you, "Anniversary" edition.)

Re:Excluding the unfortunate exceptions

[mikael]

For me, it takes around three manual restarts, because I have a dual-boot system and the default option is to boot into Linux. Even if Windows does download the update, it then sits around for so long with no indication of what it is doing that the screen blanks out. Then it just sits there pondering and reboots into Linux. Then I reboot back into Windows, which tells me that updates have to be installed. Then it sits around a bit more with a blank screen, then it reboots.

So an automatic update isn't going to be automatic, and it comes as a rather unpleasant surpise to boot into Windows, only to find that the updates weren't installed or need to be downloaded and installed before I can get any work done. If this update system were designed correctly, it should simply clone the existing Windows config, apply the updates, and only say a new version is available when everything is working correctly.

Re:Excluding the unfortunate exceptions

[mhollis]

Mod this up, folks!

I know at least five different business environments which have been, essentially, shut down by a Windows update. One of them was signing a new service contract as I was talking to him—he had been down all day, unable to see his customer files, his books, the jobs his company was supposed to be doing, unable to route his employees to where they were supposed to go. They went back to a paper only system they have not used since 2002 and they were guessing at that. They were taking credit cards over their website, but could not record the result in their books and had to just save all of the emails and spend an additional day or so just doing data entry into their bookkeeping system.

Of course, these are anecdotes (which is what the anti-vax community uses instead of Science). The problem is not the update, it is what Microsoft does to the computer upon emerging from the update. Elsewhere, people have written of resetting all of the browser preferences, BSODs and other issues. Microsoft needs to restore the previous state of the computer or server (as much as is practical) after the patch. They need to go in like a surgeon with the same motto: "First, do no harm." And if they figure out how to do that, their updates will be seen as innocuous as Apple's

Re:Excluding the unfortunate exceptions

[mysidia]

Makes sense, but not an excuse for turning off Updates.

How about your company's team (with the prod. servers) does their job, then? And tests and Rolls out the updates BEFORE Windows update automatically installs it.

Leave Windows Update Enabled, schedule all new updates to install on X Day; However, If Windows updates rolls out the patch its own, then YOUR TEAM failed to conduct its job appropriately, which was to perform a controlled rollout in a timely manner (BEFORE The update is a week old, And the failsafe triggers to protect your organization's security).

Re:Excluding the unfortunate exceptions

[peragrin]

Yep. Whenever work preforms security updates we literally lose a days worth of business as everything has to get reset. Local printers vanish as thier connections are disabled, with office 365 and outlook down for so long those caches get flushed, etc.
    You wanna know fun? Get 30 people to download 3-5 gigs of emails in an hour on a 100 mbit connecting because that's the best the area has.. talk about a wasted day.

All because vendors reset settings that had no requirement of beingâ reset for siad Patch.

Re:Excluding the unfortunate exceptions

[xxxJonBoyxxx]

>> How about your company's team (with the prod. servers) does their job, then? And tests and Rolls out the updates BEFORE Windows update automatically installs it.

So...Windows shouldn't be used by small or medium-sized business without IT workstation teams then?

Microsoft, can you confirm?

Re:Excluding the unfortunate exceptions

[Anonymous+Brave+Guy]

You do understand that the majority of professional work is done by small businesses, and most of those don't have dedicated IT teams at all, right?

Enterprise IT is actually the exception, not the norm.

Re:Excluding the unfortunate exceptions

[Wolfrider]

--What I did for dual-boot is to set Grub to boot last selected entry, might work for you...

Re:Excluding the unfortunate exceptions

[bongey]

Windows update(10) all the way back to XP, is horribly slow is part of the problem and it has just gotten worse. Run into a problems with windows update and you can lose 1-3 days, just because it takes forever for it to eventually fail. I went to update the windows load on my dual boot machine and it took 3 freaking hours on 4.5Ghz machine, ssd and 32GB of RAM. Same machine with Ubuntu updates took all of 2-3 minutes even with multiple dkms modules being built. Microsoft there is no excuse for it being that slow, I can just have btrfs root, take a snapshot before updates and have the equivalent of your system restore and your horrible over engineered windows installer without the headaches.

Re:Excluding the unfortunate exceptions

[darkain]

1) There is one particular update that addressed and fixed the WU CPU issue (I don't remember the KB number right now, but it is easy to find)

2) Just slipstream a Windows WIM file. Take the ISO, download the cumulative updates, inject them into the WIM, and then install Windows from there. It'll be a smaller install over all (less SxS crud), and current as of which ever updates you slipstream into it. Additionally, you can add drivers this way too such as NVMe, USB3, and 10gbe if you use stuff like that.

Re:Excluding the unfortunate exceptions

It also doesn't help that when I try to find details about updates there's no information in the Windows Update panel. "Install this update to resolve issues with Windows." Thanks you fuckers... what issues? "Click here for more information." I click and get taken to a page that says "Install this update to resolve issues with Windows." Oh for fucks sake...

Re:Excluding the unfortunate exceptions

[CFTM]

So, if you read the article, you'd know that he's actually talking about home users and states before hand that enterprise environments have their own processes and procedures for dealing with these things (and if they got hacked, they screwed up because it's been three months).

The problem is that technical users, like those found on Slashdot, tell home users that they should turn this stuff off because it causes all these problems, when it really doesn't when you're running a system with known hardware and under typical operating conditions.

By typical, I mean you use Chrome and maybe a few other applications. You're not a developer, you're not a big time game player.

This is 95% of MS home users. These people should all have Windows Update on at all times and what's more, they could care less about the crap that Microsoft packages in along the way. We may consider it invasive but most people just shrug their shoulders and move on.

Re:Excluding the unfortunate exceptions

[networkBoy]

as I *abruptly* learned a year ago when I left Intel and started at a relatively tiny 40 person shop.
We have an IT guy (actually rather spectacular dude really) but there's no way he can get much past firefighter and core infrastructure maintenance mode... and there's no money for more people for something that simply doesn't make money.

Yes we all know that IT doesn't make money, it prevents you from losing it all... but my intro to the "real world" after two decades in multinational corp. environment has been eye opening.
I think of our 20 or so clients, only 2 have serious pro level IT, another 5 have functional IT. The rest? bwahahahahahaaaaaa

Re:Excluding the unfortunate exceptions

[StormReaver]

I love Windows 10. Because of it, I have people asking me to install Linux over Windows 10 that would never before have considered such an option. Thank you, Microsoft!

Re:Excluding the unfortunate exceptions

[mhkohne]

Unless you have a production environment with a software product that breaks with Windows update turned on. In which case you have to take additional security and maintenance measures and have a team that is tasked with (and funded properly) to do testing and updates on a regular basis.

That's a nice sentiment, but I for one have never been lucky enough to know beforehand that a Windows update was going to break shit. I just have to put them on and hope. So I can hardly blame any company that relies on software for taking a very critical approach to them.

Re:Excluding the unfortunate exceptions

[Trogre]

How about your company's team (with the prod. servers) does their job, then? And tests and Rolls out the updates BEFORE Windows update automatically installs it.

And... then what?

If the update causes unacceptable behaviour, which does in the GP's case, what exactly can you do about it?

Re:Excluding the unfortunate exceptions

[JohnFen]

If you can go all LO, you're set, but if you have to interact with other companies that want M$ documents, you're hosed.

I hear this quite a lot, and I could see it being true for very complex documents. But I use LO exclusively, and have for a very long time. I exchange documents with Office users daily. I don't remember ever having a serious problem. I have, on occasion, experienced an easily-corrected glitch.

My experience is hardly statistically sound, but it does not support the extreme incompatibility claims I see frequently.

Re:Excluding the unfortunate exceptions

[Excelcia]

Really, are you forgetting the turmoil that people with pre-Windows 10 versions were put through when Windows updates first started inviting them to upgrade to Windows 10? First it was hey do you wanna? Then it was hey, we're just going to go ahead and "upgrade" you unless you say no. Then it was we're just going to upgrade you. That's what automatic windows update buys you.

No one should give Microsoft unfettered access to their computer. With Windows update turned on, Microsoft deletes features, they take away options and control, they upgrade drivers you don't want to have upgraded, they break things. More problems have been caused by bad updates than by any malware I've ever had, which has been exactly none. A good firewall will protect you better than Windows update will.

I vet each and every update that goes into my computer. I look every one up, which is increasingly hard because all they want to tell you is "this is an update that addresses an issue in your computer." I avoided all the Windows 10 upgrade nag nonsense pain. When I finally had to buy a computer with Windows 10 on it, I immediately disabled Microsoft's automatic update mechanism and installed Windows Update Mini Tool, which lets me choose which updates to install again. As such, I have drivers that work, a computer that is stable, and a platform I can trust to be there when I want it.

Do you think the NSA needed that vulnerability to get into computers? They only needed that vulnerability to get into pre-Windows-10 computers, because after Windows 10's auto-update nonsense, any other computer they want to get into just gets pushed an auto-update the user can't stop.

The very last thing anyone should have is a computer that just blindly installs whatever Microsoft decides.

Re: Excluding the unfortunate exceptions

[radiumsoup]

One word: VirtualBox

Generally Sound Advice

[maz2331]

This is generally sound advice, although some IT shops prefer to manage the process to ensure that either (a) a particular update doesn't break some proprietary code, or (b) because of regulatory reasons particular machines may not be permitted to have the software changed without some sort of documentation being generated.

Re:Generally Sound Advice

[dc29A]

I would do that if (1) MS didn't cram W10 down my throat; (2) every major update doesn't reset browser preferences; (3) stop updating and breaking hardware drivers; and (4) I could disable telemetry. My Macbook and Ubuntu machines are auto-update enabled. Not my Windows gaming box. No thanks.

Re:Generally Sound Advice

[TWX]

I've worked in those kinds of environments, where we had propretary applications that were not compatible with the latest stuff. This is especially aggravating when you've got three web-delivered systems, all of which have mutually exclusive requirements. At one time users had to have Chrome, Firefox, and IE, and we had to block updates to IE so that the legacy system would work.

It's extremely labor-intensive and requires excellent recordkeeping if one wants to do updates in this kind of environment, which means that it becomes expensive. It's usually cheaper in the short-term to just turn off updates, and it's often very difficult to convince a nontechnical upper-level director of the need to spend the money before the problem hits.

Re:Generally Sound Advice

The blame for people not updating/patching computers lies squarely on Microsoft.

Automatic updates, with no user action required, is a really great thing, but ONLY when the updates are strictly for important security patches, and NOT all sorts of other crap that randomly changes or breaks things.

And then there's the whole "we're going to shove Windows 10 up your ass whether you want it or not" fiasco.

Microsoft has fucked so many people, so many times, that users have become averse to automatic updates.

Re:Generally Sound Advice

[Entropius]

Yep. I had a laptop that came with Windows 8 on it.

I booted it once into Windows to change UEFI settings and then put Lubuntu on it.

Well, a friend had a Windows question for me when I was away at a conference. No problem! I booted my laptop into Win8, looked up how to do the thing, and told her. I went to bed.

I woke up to find that my system had:

1) autoupdated to Windows 10
2) fucked the bootloader so I couldn't boot into Linux any more.

This is on top of the fact that Windows updates take about a year to complete and reenable a bunch of crap that I keep disabling ("Windows Media x").

Re:Generally Sound Advice

The blame for people not updating/patching computers lies squarely on Microsoft.

Automatic updates, with no user action required, is a really great thing, but ONLY when the updates are strictly for important security patches, and NOT all sorts of other crap that randomly changes or breaks things.

And then there's the whole "we're going to shove Windows 10 up your ass whether you want it or not" fiasco.

Microsoft has fucked so many people, so many times, that users have become averse to automatic updates.

Exactly correct. MS lost many people's trust with updating around the Win10 forced-upgrade fiasco. I've deleted wusa.exe from my win7 box and I've done the same for any number of family and friends on various win7/8.1 boxes. I just make sure backups are in place and re-image if infected.

If these devices get pwned and cause damage blame MS for destroying trust in their update platform.

Re:Generally Sound Advice

[phayes]

So how often should people re-evaluate when a company like Microsoft breaks their trust by forcing upgrades and other such nonsense? 6 months are sufficient according to you apparently.

News flash: When a company breaks it's users trust, the time it takes can be measured in years and is often never. Yeah it'd be great for security if people were applying upgrades ASAP but MS's new policy of only making rollup updates forcing the inclusion of all previous updates can only backfire making people even less apt to apply them. Hey, they've already broken our trust once, they're likely to do it again.

The problem is in large part MS's own creation.

Re: Generally Sound Advice

[Entropius]

I had to turn off "Fast Boot" anyway, and wanted to preserve the ability to boot off of other things as well. Boot-sector shenanigans are pretty uncommon these days, so on balance I wanted it off.

Re:Generally Sound Advice

Exactly. If Microsoft behaved decently and simply provided security patches that fix vulnerabilities ONLY, there would be no issue. However Microsoft does shit like changing user settings (making IE/Edge your default browser), breaking hardware drivers, installing spyware etc.

In my particular case I run a pirated Windows 7 gaming machine, with the "Genuine Microsoft" Windows activation disabled via a pirate-written patch. Both were downloaded via a Piratebay torrent. It turns out every time I update this machine, the Windows activation gets re-installed and I get this "Your computer is not running Genuine Microsoft, certain features have been disabled, you have 30 days to register Windows blah blah" message. And I have to dig out the pirate patch again and re-do the activation all over again.

So I stopped updating, and changed the Windows Update setting to "Never". This was back in 2014. My Windows has not been updated since then.

So did I get hit by shitload of viruses and malware and Wannacry? Nope. Not been infected with anything, not one single issue that I'm aware of. I'm typing this on the same pirated Win7 machine, connected to the internet full-time 24/7, and it's running like a champ.

This is possible because 1) I don't click on email links or open attachments. In fact I don't even bother reading any emails unless I know exactly who is sending it. Rest get mass-moved into Junk folder. And 2) I run Ublock Origin adblocker, so I don't even get to see most of the malicious web adverts. And if I do see a web advert, I'm smart enough to not click on them. And yes, I never click on or buy any shit advertised on interwebs sites and I'm not missing anything as far as I know. Anything I need, I just go straight to Amazon or ebay and buy it that way, not through any ads. And 3) my firewall blocks random people trying to port scan or connect to my machine.

Re:Generally Sound Advice

This. I was fine to leave auto-update on for security fixes but then microsoft started cramming their telemetry and other crap into them - making them bundled so you couldn't get your security fix without letting microsoft scoop up every piece of info on your computer that it wanted.

Re:Generally Sound Advice

[Tailhook]

This is hard to argue with. I personally prepared for this by preventing the Win 10 upgrade (even using third party software to stop the constant, malware like badgering complete with deliberately misleading prompts) until I was good and ready to deal with it, then I did a full clean install and manually migrated stuff over because I knew there was no way my complex, roughly used installation could possibly upgrade well automatically. One simply cannot, however, expect a planet full of Windows users to take this conservative approach; even if they were inclined to, which they aren't; most of them simply aren't competent to deal with this stuff and would do more damage than what the upgrade inflicted.

So they all got put through the upgrade ringer creating bad outcomes for millions and leading to widespread "anti-vaxxer" behavior. Since then the "anti-vaxxers" have had their behavior affirmed by disruptive updates doing unwelcome stuff. The glacial slowness of the Windows 10 update process alone is a huge failure in my mind; this has badly regressed from earlier releases; I have a laptop I boot maybe once a month and I've come to expect the Windows 10 updates to take a hour or more. Ridiculous.

After putting the whole world through all this shit one simply can't point a finger at millions of beleaguered users and blame them for their negligence. I'm sure they'd be happy to have they're system automatically updated, as long as it wasn't the computing equivalent of getting a SOA style beat down every few months.

Re:Generally Sound Advice

[bongey]

You can trick windows from messing with it and bios that only look for a windows efi boot file. This will boot to grub and allow you to select windows if you want, and windows update doesn't mess with it.
open cmd.exe as Administrator and lunch the command vmount s: /s
go to s: and navigate the directories until you find where the grubx64.efi is located. Mine was under s:\EFI\debian\.
go to s:\EFI\Microsoft\boot and create a backup of the bootmgfw.efi file and then overwrite it with the grubx64.efi.
reboot. Now you should be able to reach the grub menu and boot to Linux but you'll be unable to boot to Windows. Boot to Linux then.

On linux you
open a shell and go to /boot/efi/EFI/Microsoft/Boot and restore the previously backed up bootmgfw.efi.
run grub-install (it may require root privilege - sudo)
run update-grub2 (it may require root privilege - sudo)

Re:Generally Sound Advice

[Darinbob]

The problem with the sound advice is that Microsoft is actively undermining the update process by treating customers so badly. They don't test their updates well, they make them forced in later versions, they tie the updates to earlier updates, and worst of all their malware inspired forcing of Windows 10 on people has justifiably trained customers to distrust Microsoft.

It's time consuming to check out each and every update to make sure it's safe. But I have to do that because I cannot trust microsoft not to play games with my systems.

Applications too, I don't update iTunes because every time I do it screws up, changing the UI in drastic ways, and takes me a very long time to get it working properly again. But that's ok, I do not use the store in iTunes, it does not execute any strange attachments, and as a malware vector it's pretty low compared to the OS itself. If it played nice then I'd update it more regularly.

Re:Generally Sound Advice

[Darinbob]

It's been 6 months but have they done even one thing to earn back trust? They have not even apologized! This reason is still valid.

Re:Generally Sound Advice

[HiThere]

Even then... the thing that drove me from Apple to Linux was a security update. It worked without problem...but they used it to smuggle a license change in that I found unacceptable. So that machine was immediately disconnected from the internet, and everything that could touch the internet was migrated to Linux.

I'll grant that what Microsoft is doing is arguably worse. I don't know, I left MS for Apple when THEY forced a license change on me that I found unacceptable. I think these companies rely on people either not reading or not believing the EULAs.

Re:Generally Sound Advice

[Gr8Apes]

I'm curious as to the license change.

Microsoft's fault

[sconeu]

If they hadn't done shit such as the forced Win10 update, or forced GWA, or done a lot of other crap that broke peoples systems (in the name of marketing), then maybe people wouldn't have said, "Turn it off".

Re:Microsoft's fault

[TWX]

Pretty much. I had to take some fairly convoluted measures to keep my wife's laptop on 8.1 or some of my various other systems on 7 without entirely disabling updates. It's not that I liked 8.1, but I did not like what I read about 10.

The easiest way to avoid having 10 forced on me would have been to just disable updates. Instead I had to read up on every individual update that would push 10, and ultimately resorted to third-party software to block or remove those specific nuggets from Microsoft so that my platforms would be left in the state I wanted them in.

Re: Microsoft's fault

[macsforme]

Agreed. A level of trust is required when you allow vendors to push automated updates to your system, and unfortunately there have been breaches of this trust when vendors saw this as an opportunity for more than enhancing user security.

Re:Microsoft's fault

Plus, if Anti-Vaxxers could actually point to widespread deaths, they might have a point.

People who advocate turning off Windows Update Can point to widespread windows deaths due to errant updates.

Re:Microsoft's fault

[war4peace]

It's a very complex ecosystem. Generally, the benefits of the many outweigh the "sacrifice" of the few.
For every machine negatively affected by a forced update, there's a million which benefited from it. Unfortunately, that million machines don't yell "fault!" like that one which messed up does.

Yes, Microsoft were too aggressive with pushing people towards updating to Windows 10, and they should have toned it down. But ultimately, it was not the "upgrade push" which pissed people off, but the whole telemetry debacle. People were turning updates off and messing with hidden Windows setting because of telemetry, not security updates. Problem is, Microsoft pushed back and started mixing security updates with telemetry, then people pushed back and turned updates off altogether, etc. It was, and still is, a general cat fight.

I was never worried about a few machines coughing up during an automating update. Serious businesses should have internal update QA and separate WSUS servers. genpop users usually don't have really expensive stuff on their machines, and if they do, they should at least afford paying someone knowledgeable to help them with their setup in such a way they won't lose but a couple hours if an update fails. What I (and pretty much everyone with a bit of IT knowledge) was worried about was the telemetry additions, which really should have been opt-in since day 1.

Re:Microsoft's fault

[G00F]

Because of other faults of Microsoft pushing updates that don't benefit the end user. Like void your installed windows, change your settings, or even broke your system.

MS can't be trusted. They use security updates to force what ever they want on end users.

Re:Microsoft's fault

[phayes]

but it does break some software and installs unwanted telemetry.

Re:Microsoft's fault

[citylivin]

"Yes, Microsoft were too aggressive with pushing people towards updating to Windows 10, and they should have toned it down. But ultimately, it was not the "upgrade push" which pissed people off, but the whole telemetry debacle."

Revisionist history. Before we even knew the extent of windows spying we had the windows update advisor (GWX) show up in the system tray on everyones windows 7 machine in it seems june 2015 ( https://tech.slashdot.org/stor... ) and a year later, forced it on everyone ( https://tech.slashdot.org/stor... ). That is the day that microsoft lost my confidence that they had worked since windows 95 to build.

You can go read that slashdot article to see the day when everyone lost trust in microsoft, and people started recommending that people deactivate windows updates Very few people mention telemetry. What they do mention is that MS pushed a "security update" that was anything but.

I turned windows updates off that day, but being an industry person, i found a work around that allowed me to keep them on. There was a program quickly developed called GWX blocker or something like that which allowed the gwx framework to be stopped.

So yes, its bad to not run windows updates, but its also 100% microsofts own god damn fault.

But... but...

The telemetry spying though,,,

Telemetry and Windows 10

Windows Update also wanted to install telemetry on my Windows 7 system until I removed the patch. Then for 12 months Windows Update wanted to 'upgrade' me to Windows 10, the software employed all sorts of tricks to make me say yes and in the end I just disabled updates as it was less hassle.

My Windows 7 system was not affected by the events over the weekend as all it does is run some test equipment. It still has Windows Update disabled and it's going to stay that way.

Maybe if Windows Update behaved decently...

[ToTheStars]

The reason folks turn off Windows Update is that it behaves kind of like malware itself! I'm technologically savvy enough to set my registry and so on to disable the awful "Get Windows Ten" updates, but when so many users got shafted by Windows "self-updating with zero input required from the user" to a completely new operating system (a new operating system that actively thwarts end-user control over updates!), is it any wonder that so many of them switched it off?

The comparison to anti-vaxxers is interesting, and apt in more ways than Troy may have known. Much like Microsoft hijacked their Windows Update program to push Windows 10, the CIA used a Pakistani polio vaccination campaign to gather intelligence about Osama bin Laden (see here: https://en.wikipedia.org/wiki/...). This has resulted in the killing of other relief workers and general suspicion of medical aid programs in that region, and so polio persists.

Re:Maybe if Windows Update behaved decently...

[Gilgaron]

That is a shame about the polio.... so very close to being eradicated, too

Re:Maybe if Windows Update behaved decently...

Thank you. The polio vaccination ruse by the CIA and the telemetry comparison is exactly what I thought of as well.

On a separate note, WU used to specifically tell you what the update fixed, right in WU. Then they started making you click a link to go to the MS web site. After a while the web page stopped saying anything useful. Now you have to research each one manually, which is unacceptable. There is no reason MS would go to those lengths to obfuscate what a patch does, unless it's so they can foist more crapware on you. I can't think of a good vaccination analogy for that, but it pisses me off.

Re:Windows Users...

[DontBeAMoran]

Enjoy the Windows 10 telemetry yet?

I mean, I use Windows 10 too but only as the OS required to run games. As far as Microsoft knows, all I use is Battle.net, Steam and GoG.

What about the updates that hurt users?

[evolutionary]

The problem is that around 30% of MS Updates actually hurt the user, either by introducing "features" that (like Apple) inadvertently or deliberately adding things that are of no benefit to anyone but MS and in many case hurt he users. Windows 10 Basically is capable of hijiacking itself (as per it's design) so it's hard to know what is good and what is not especially MS gives VERY vague descriptions of it's updates as per the new windows 10+ policy to tell users, it's our update, just take it (up the rear end). The sooner we start admiting that we don't in fact NEED MS Windows at this point, the better. Linux anyone?

Don't Tell People To Use Windows, Just Don't

[Tough+Love]

Problem solved, permanently.

Those fuckers at MSFT ruined security updates

Those fuckers at MSFT ruined security updates by force-feeding the user spyware, or even forcing an "upgrade" to Windows 10.

Now nobody trusts Microsoft, and would rather take their chances without the "essential updates".

The problem is spyware and telemetry

[WillAffleckUW]

the continual additions of resource-heavy snooping spyware and telemetry services for in-app advertising delivery hammer many institutions that would otherwise happily install security patches, if they were JUST security patches.

But many of the Important patches we have recieved from MSFT are just that. Ads, telemetry to try to sell us stuff that blows out the bandwidth in mission critical software and pops up things that get in the way of doing actual work.

There's your problem. That and the "patching" of things in a way that breaks apps that believe the public documentation instead of the actual way MSFT codes and tests its apps.

Re:Poor advice.

nobody cares what you do on your PC

Then why did they implement telemetry in Windows?

Re:There should be a separate "Security Updates On

[green1]

There is, it's the "critical updates only" checkbox.
The problem isn't the lack of said checkbox, it's the fact that Microsoft doesn't respect that checkbox and considers all sorts of marketing fluff and malware to be "critical"

Microsoft could be a big help here

[JohnFen]

If Microsoft would just go back to the days when security patches were done separately from other sorts of updates, that would be a huge help. I know a lot of people who disable updates to avoid feature changes, but would accept automatic security updates.

Microsoft's position of not making a distinction between the two is a large disincentive to allowing automatic updates for a lot of people.

Re:Microsoft could be a big help here

[evolutionary]

That would be great, is MS didn't outright LIE about some of their updates. One of the "critical "updates turned out to be an ad server. That was a riot. Problem is, once the source proves untrustworthy, you can't rely on what they say. Question is, can you still rely on their OS? It think we all know the answer to that one.

Re:Microsoft could be a big help here

[JohnFen]

Microsoft is an extremely weaselly company. The instant they stopped using the descriptor "security" and replaced it with "critical" was the moment it became clear that the update mechanism was going to be used for deceptive purposes.

Consider the source.

[Gravis+Zero]

at troyhunt.com

Hi, I'm Troy Hunt, I write this blog, create courses for Pluralsight and am a Microsoft Regional Director and MVP who travels the world speaking at events and training technology professionals

It's obviously in his interest to make everyone Microsoft's puppets.

Re:Consider the source.

[mugnyte]

This isn't necessarily a problem. The problem arises from a cult-of-brand and groupthink that MS cannot do wrong. If Troy Hunt wrote honestly, he'd explore the customers that had turned off MS Update with some interviewing and surveys, then report the results, give a nod to their core cause, report MS's renewed efforts to address these *core* causes and then talk about why Updates should be left on. Instead he delivers these sugar-free platitudes:

It's not fun, it costs money and it can still break other dependencies, but the alternative is quite possibly ending up like the NHS or even worse. Bottom line is that it's an essential part of running a desktop environment in a modern business.

He's a fly-around shill just trying to look good in the eyes of Sales. His "workshops" are an insanely expensive way of selling low-calorie information that's already discussed online in much finer detail. His Ghost-powered blog site doesn't offer a search feature, but I'd bet it wouldn't return any meaningful results for two-factor authentication, separation-of-concerns, what certifications exist for software security, or the track record of non-MS products. Quick example: There's no mention of Google's recent publishing of security flaws in open-source projects. Instead we get a pass-the-buck, blame-the-victim blog post that ignores the annoyances of MS Update and tells everyone to "just deal with it".

Microsoft only have themselves to blame

[Gadget_Guy]

Microsoft only have themselves to blame for people disabling Windows Updates because they made it untrustworthy:

• The Windows 10 upgrade fiasco
• The backporting of the telemetry to previous versions of Windows
• The updates that crash or cause problems
• The update mechanism that in older Windows peg the CPU usage at 99%
• The forced reboots at highly inconvenient times
• The massive Windows 10 updates that mean that I have to reinstall some of our legacy software because Windows keeps resetting some crucial registry entries
• The bundling of updates into a single entity so that we don't have control over what gets installed on our systems
• And the hiding of what is in those updates so that we don't ask questions.

Re:Microsoft only have themselves to blame

[Hartree]

"The bundling of updates into a single entity so that we don't have control over what gets installed on our systems"

This! Abso-fracking-lutely this!

Give me the info on what the update is, and I can decide whether it's worth the risk to install immediately or if I need to run it on a non-important machine first to vet it. Yes, theoretically I can drill down on MSDN and the knowledge base but with some much redirection and info hiding in the documentation, in truth it takes too much time. Exactly as Microsoft intended it.

Re:Pirated software.

[__aaclcg7560]

If you buy Microsoft software, you get what you paid for.

I haven't that problem since Windows XP. Then again, I'm not running on minimum spec hardware.

Patches are just like vaccines...

[Noishkel]

Except if vaccines failed as much as a Microsoft patch did there would be no doctors... because people would be shooting them in the street.

Yeah, yeah... I can already hear the autistic fast typing from some keyboard warrior looking to 'correct' me on this one. But sorry... Microsoft no longer has any credibility to tell people what to do with their machines. The entire roll out of Windows 10 has been nothing but train wreck after train wreck. And you know what? Even if we get the occasional virus it's still better than having to deal with the rest of the continuing train wreck that is Microsoft. People are just going to have go back to the old day when people had to actually learn how to protect themselves. Instead of waiting on the industry to sell you a next generation of device that 'might' be eventually patched.

Problems Caused by Updates vs Caused by Attacks

The number of problems caused by installing Windows updates for our IT department: THOUSANDS
The number of problems caused by holes left in the Windows OS that an update or patch supposedly has fixed: 20

Easy decision.

A bit conflicted

[roc97007]

I don't think I've ever worked at a company that had "automatic updates" turned on. The reason being, company ecosystems tend to be predominantly all the same hardware, same Windows version and same patch level, and a bug in an update that affects that particular collection of hardware and software can take an astounding number of seats offline. (In much the same way a biological virus can take out an entire species if they're not sufficiently genetically diverse.) So yeah, no. Companies that want to stay in business don't do that. Of course, they *do* have a team that tests updates in a lab and sends out validated updates to the rest of the company, often a subset of what Microsoft spews out.

I do something similar at home. We have three Winders boxes, and none of them have auto update turned on. Every week or so, I look at what updates are available, and apply at minimum the security updates to the least used of those three boxes. If it survives a reboot and some reasonable amount of smoke testing, I install on the game machine, and if that works out ok, after a day or two I'll install it on my own workstation. I have to take care because my machine is (a) my only conduit to my "day job", and (b) my main workstation for my side-business. I can't afford to be down because Microsoft botched a patch any more than any large company can.

So yeah, security updates are important. Vital, even. But that doesn't mean you just install every update the moment it becomes available. An important part of "security" is "availability". And that's just as important as "confidentiality" and "integrity".

Another contributor had it right -- there should be a way to auto install security updates only. So if Microsoft botched a driver update and it renders unbootable a certain brand of PC running a certain brand of video card, it's less likely to take large numbers of users offline.

I know there are essential and optional updates (or whatever words they use) but most updates are considered by Microsoft to be essential.

And this doesn't even address compatibility of updates with installed applications. You know, the software you use to actually do work.

All that said, it does seem like Microsoft is doing a better job vetting their patches before release than they did the earlier part of this century. But being burned a few times breeds caution.

100% Microsoft's fault for forcing Windows 10

[Thud457]

Don't use the channel for security updates to force advertising on your customers, just don't.

also...

[Comboman]

also, doctors don't break into your house in the middle of the night to give you a vaccine (and snoop around your house while they're there).

Windows users have two options

[JoeyRox]

Option A) Turn automatic updates ON and risk Microsoft making your machine unusable due to a faulty update
Option B) Turn automatic updates OFF and risk Microsoft making your machine unusable due to the absence of a security update

Re:Windows Users...

[squiggleslash]

Because Windows Update reboots your computer without your permission or control over the process. We're essentially back to Windows 95 in terms of operating system stability because Microsoft cannot figure out how to update an operating system without resetting the computer in the process.

If Windows 10 (1) avoided reboots unless absolutely 100% necessary, and (2) prompted you to reboot (perhaps nagging you until you do) rather than running a timer you often don't even see before it expires do it, then, well, people would be a little happier about the tool.

Updating is good. Microsoft's implementation is shit. If you want people to install security updates, don't do implement it in a way that's indistinguishable from a kernel level bug that crashes your computer every few days.

Didn't MS just block updates on Win7/8 for Ryzen?

[future+assassin]

Yah blame the user for the virus exploits and not the vendor that created the software with huge holes and the vendor who is blocking updates when running new gen CPU's on older OS versions just to try and push people to W10.

Windows Updates

[StonyCreekBare]

The last time I left updates enabled, update started updating my machine and demanded a reboot in the middle of a major corporate presentation in front of a large audience. This is UNACCEPTABLE behavior!

Windows Updates (1) Constantly reset browser preferences, (2) Frequently break hardware drivers, and (3) Often interfere with critical, urgent work tasks. Don't tell me not to turn them off! Don't tell me not to tell others to turn them off! NOT GONNA HAPPEN!!!

Windows Updates should be TURNED OFF, during all business / production usage. Then updates should be enabled/installed manually during weekends, vacations or other non-critical times. I DECIDE when my machine can be down for maintenance. Not Microsoft. The Updates STAY OFF, until I purposely enable them when I am willing to allow time for reboots, and have the time to restore my machine to proper configuration and operation afterward.

Windows 10 automatic install

[mgandalf]

Tell Microsoft to stop pushing patches which install Windows 10 without my agreeing upon it, and I'll let Windows update run. No, I suppose Microsoft stopped with the whole Windows 10 thing a few months back, but there's now a trust issue I personally have to get past. The fact of the matter is, I don't trust Microsoft anymore.

- Mark.

Broken drivers, AND broken updates break stuff

We personally have TWO laptops that got repeatedly broken by non-disableable driver updates (already told Windows to never update drivers, hid the offending update, etc) and it still managed to get through, multiple times, and do the blue-screen tango repeatedly until I gave up trying to fix, it went into safe mode and disabled the Windows Update service. I had to keep it that way for a couple months until I was able to load a "newer" driver from the video chip manufacturer that fixed it and/or MS stopped pushing the broken one. Then I was able to turn updates back on again.

All was fine, I THOUGHT, until several months later when the Anniversary updated got pushed to these systems. I bugged both my laptop manufacturer and Microsoft, repeatedly. Microsoft swore up and down that it would "only try to load the update once" and then stop trying if it failed. They also said the Anniversry update wasn't "certified" for this laptop model so I should just not install it, which would be fine except that _they forecully push it out, including to this laptop mode_! When I told them it had already attempted to update, failed and hung, at least twice they said it tries twice and then won't try again. Still incorrect. I tried basically everything including downloading the update to a USB and installing it manually, updating the drivers, downgrading the drivers, removing what I think was the suspect driver causing the hang during the update install, hiding the update with show/hide update tool, etc. Hiding disabled it for a while, but the dang thing is relentless, after a while it still comes back. The only 100% reliable way to make sure it will never try again, and hang the system (usually leaving it in a hung state with the fan blaring and screen showing 32% or something, all night long) is to completely disable the Windows Update service, or buy a new computer, or downgrade to an earlier version of Windows, or say to hell with and load Linux. The latter isn't an option because the laptops are used by family members who require Windows for specific applications.

Re:Broken drivers, AND broken updates break stuff

[hierofalcon]

Load Linux. Run the Windows in a virtual environment.

Repeat After Me

[John+Allsup]

If you value security, don't run the mission-critical parts of your infrastructure on a general purpose operating system like Windows, but rather run it on a minimalist, locked-down OS that has _only_ the facilities needed to do its job. The update carousel is a nightmare. If you want to ensure your Windows box doesn't sporadically reboot during a long unattended operation in order to update, what do you do? If you want to lock Windows down so it can only do the job to hand, and nothing else, you're screwed. If you run mission-critical stuff on a full-featured general purpose OS (and the same can be said for off-the-shelf Linux distros like Ubuntu and Fedora), you are kinda asking for it.

That this idea is older than me, but is ignored, is laughable.

Re:Repeat After Me

[Bearhouse]

Indeed - but who has the competence, and the budget, to do that these days?
Of course you will (correctly) reply that budget should not be an issue, since the investment should recoup itself in opportunity cost of not having to spend a fortune in ongoing security efforts, and or recovery.
But try explaining that to your average suit...

No, fuck Windows update.

[cfalcon]

I turn off Windows update on the boxes that I still have. I recommend everyone I know disable Windows update on all boxes that they have.

If you leave Windows update on, and just take the security updates by default, you will get owned by Microsoft. Constant telemetry will stream from your box.

I also recommend people look up how to stop this on Windows 7 and 8, where it is possible to stop it. It is not possible in 10, though some people have had some success at limiting it.

The article's advice is horseshit. WU should be disabled for personal computers if privacy is any manner of concern. Microsoft has revectored their security update mechanism to: try to upgrade you to Windows 10. Install sleeper services that only months after installation began transmitting telemetry. Remove useful names from KBs to prevent successful system administration. Transmit information about what programs you use, when you use them, how often you use them. Transmit information regarding crashes. Broadly expose envelope information about your non-Microsoft related activities to Microsoft and anyone they choose to share that information with.

Disable WU on 7 and 8. Tear out the bad patches. Only EVER manually apply patches that you actually require for security and functioinality.

Comparing being a sensible system administrator who doesn't want to transfer control over their personal activities to Microsoft to antivaxxers is disgusting. Anyone making this comparison is irresponsible.

https://superuser.com/question...

The list of KBs that you must manually remove (and prevent reinstallation of) to keep Windows without telemetry is provided on that su post. The list is:

KB3065988 Windows Update Client for Windows 8.1 and Windows Server 2012 R2: July 2015 more info
KB3083325 Windows Update Client for Windows 8.1 and Windows Server 2012 R2: September 2015 more info
KB3083324 Windows Update Client for Windows 7 and Windows Server 2008 R2: September 2015 more info
KB2976978 Compatibility update for Windows 8.1 and Windows 8 more info
KB3075853 Windows Update Client for Windows 8.1 and Windows Server 2012 R2: August 2015 more info
KB3065987 Windows Update Client for Windows 7 and Windows Server 2008 R2: July 2015 more info
KB3050265 Windows Update Client for Windows 7: June 2015 more info
KB3050267 Windows Update Client for Windows 8.1: June 2015 more info
KB3075851 Windows Update Client for Windows 7 and Windows Server 2008 R2: August 2015 more info
KB2902907 MS Security Essentials/Windows Defender related update [no description/information available]
KB3068708 Update for customer experience and diagnostic telemetry more info
KB3022345 Update for customer experience and diagnostic telemetry more info
KB2952664 Compatibility update for upgrading Windows 7 more info
KB2990214 Update that enables you to upgrade from Windows 7 to a later version of Windows more info
KB3035583 Update installs Get Windows 10 app in Windows 8.1 and Windows 7 SP1 more info
KB971033 Description of the update for Windows Activation Technologies more info
KB3021917 Update to Windows 7 SP1 for performance improvements more info
KB3044374 Update that enables you to upgrade from Windows 8.1 to a later version of Windows more info
KB3046480 Update helps to determine whether to migrate the .NET Framework 1.1 when you upgrade Windows 8.1 or Windows 7 more info
KB3075249 Update that adds telemetry points to consent.exe in Windows 8.1 and Windows 7 more info
KB3080149 Update for customer experience and diagnostic telemetry more info
KB3083324 Windows Update Client for Windows 7 and Windows Server 2008 R2: September 2015 more info
KB3083325 Windows Update Client for Windows 8.1 and Windows Server 2012 R2: September 2015 more info
KB3083710 Windows Update Client for Windows 7 and Windows Server 2008 R2: Octobe

Re:Windows Users...

[JohnFen]

Why would anyone *disable* automatic updates on Windows?

To avoid all the nastiness that comes with Windows updates, perhaps?

More hype than substance

[WaffleMonster]

People get WannaCry by clicking on the wrong email not by SMB exploits. I get that repurposed NSA exploit angle makes for interesting and irresistible news stories but substantively it's way overhyped and using it to support blanket assertions is a nonstarter in my view.

There is compelling quantifiable evidence to support the position vaccines help more than they hurt. The case for updates is closer to the question of whether throwing billions into the intelligence industrial complex makes real people quantifiably safer from being terrorized given opportunity cost of not investing these funds to address significantly more statistically substantial problems such as pulling down US murder rate.

What we know for sure is social engineering accounts for 90% of general p0wnage worldwide. Even if all unintentional software bugs were patched with 100% coverage overnight absolutely nothing would change.

In 2017 given Microsoft's proven track record of both incompetence and sleaze when it comes to updates it's an open question as far as I'm concerned whether updates are still worth applying at all. Majority of end users are behind stealth mode firewalls and the only whackable thing they have sticking out is a web browser. If you keep firefox or chromium or whatever up to date and lock down some associated configuration are you really appreciably safer vs probability of computer failing to boot or introduction of some new Microsoft "telemetry" malware or Microsoft false choice prompt dismissal scam? I honestly don't know the answer. I do know it very much depends on context not only in terms of the users needs and environment but the value judgments of the end user.

If Microsoft would stop constantly peddling malware, firing QA staff, fix updates to not use insane amounts of resources while taking forever and requiring a reboot to sneeze... If only updates were properly labeled and people trusted Microsoft not to screw with them... my guess less will find value in disabling updates.

I personally believe coordinated automated updates of billions of systems globally in a matter of days is an extraordinarily perilous activity in and of itself no matter how careful you are. Sooner or later this is bound to end in a major disaster. While updates do fix problems quicker they also significantly lower the cost and tolerance for releasing defective software. It sends a signal to the market releasing defective software is a cost free activity.

Tell Microsoft to give me back some control then

[Solandri]

I *have* to disable the update service on my laptop. Win 10 insists on installing newer Intel graphics drivers, except they don't work with the Optimus setup on my laptop. With the newer Intel drivers, any 3D game I start crashes when it tries to use the Nvidia card. So I have to let Windows 10 update my laptop, disable the update service, then reinstall the Intel GPU drivers provided by my laptop vendor (and also the Nvidia drivers if Windows 10 has auto-updated those).

When Win 10 first came out, it gave you the option to disable updates to a specific device driver. But for some inexplicable reason, Microsoft removed this option in the Oct 2016 update. Because of Microsoft's brain-dead update policies, I literally cannot use my gaming laptop to play games if I have Windows Update enabled.

Re:Poor advice.

[BronsCon]

Because they do care about what crashes on your computer and why, so they can fix those issues. That's more to do with what other people (software developers) do on your computer than what you do on it.

Re:MS Office runs fine on Apple (nt)

[Chris+Mattern]

But how do you get NT to run on an Apple?

MS, we're looking at you

[Altrag]

If MS really wants to make people do updates promptly, they need to get their heads back out of their asses. In the late WinXP and into the early Win7 era, there was a strong push for security and the updates were usually both relevant and easy to install.

Fast forward to now, and half the updates you get are MS pushing their latest piece of crapware (*coughskypecough*) that you don't want, and like 90% of them require a full computer reboot -- which they'll happily do with our without your input and hope to hell you saved your work that day.

If MS wants people to install critical updates then:
a) Stop calling every fucking sales pitch "critical," and
b) Go back to putting in the effort to avoid reboots. I know its easier to just reset and not worry about internal version conflicts and whatnot, but its a serious detriment to anyone who doesn't normally shut off their computer in the first place (and those people are the ones who least need to be force into an unwanted reboot!)

Unfortunately MS has decided to do the exact opposite of that and compensate by giving you no choice -- enjoy losing your work.. what're you gonna do about it? Switch to Mac? Oh you are? Well fuck.

Re:Windows Users...

[EnsilZah]

The ruined presentations are ones that I've actually attended and had to sit through Windows suddenly deciding to reboot and the presenter not knowing what to do, and the attendees having to sit through the installation process.
Or ones that I watched live streamed.

I do digital painting from live model, after a few times of having Windows install an update for 40 minutes or botching a driver update that took me a similar amount of time to figure out how to fix, that's the limited time I have with the model, and the money paid wasted, I'm not enabling updates on this device again.

Now on my main desktop I still have Windows 7 so I'm less apprehensive and do update manually every couple of months.

Re:Microsoft/NSA, trust either of them?

[JohnFen]

No, end users made this mess and are hoping to blame Microsoft.

No, Microsoft made this mess and you are blaming end users. If security updates were implemented and deployed with care, and if Microsoft behaved in a trustworthy way, then very few people would object to their being automatically installed.