Slashdot Mirror


'Don't Tell People To Turn Off Windows Update, Just Don't' (troyhunt.com)

Security researcher Troy Hunt, writing on his blog: Often, the updates these products deliver patch some pretty nasty security flaws. If you had any version of Windows since Vista running the default Windows Update, you would have had the critical Microsoft Security Bulletin known as "MS17-010" pushed down to your PC and automatically installed. Without doing a thing, when WannaCry came along almost 2 months later, the machine was protected because the exploit it targeted had already been patched. It's because of this essential protection provided by automatic updates that those advocating for disabling the process are being labelled the IT equivalents of anti-vaxxers and whilst I don't fully agree with real world analogies like this, you can certainly see where they're coming from. As with vaccinations, patches protect the host from nasty things that the vast majority of people simply don't understand. This is how consumer software these days should be: self-updating with zero input required from the user. As soon as they're required to do something, it'll be neglected which is why Windows Update is so critical.

34 of 507 comments

  1. Excluding the unfortunate exceptions by JimToo · · Score: 5, Insightful

    Unless you have a production environment with a software product that breaks with Windows Update turned on. In which case you have to take additional security and maintenance measures and have a team that is tasked with (and properly funded for) doing testing and updates on a regular basis.

    1. Re:Excluding the unfortunate exceptions by xxxJonBoyxxx · · Score: 5, Insightful

      Or the Windows 10 update doesn't work and keeps downloading/restarting/bluescreening your computer. (Looking at you, "Anniversary" edition.)

    2. Re:Excluding the unfortunate exceptions by mikael · · Score: 4, Interesting

      For me, it takes around three manual restarts, because I have a dual-boot system and the default option is to boot into Linux. Even if Windows does download the update, it then sits around for so long with no indication of what it is doing that the screen blanks out. Then it just sits there pondering and reboots into Linux. Then I reboot back into Windows, which tells me that updates have to be installed. Then it sits around a bit more with a blank screen, then it reboots.

      So an automatic update isn't going to be automatic, and it comes as a rather unpleasant surprise to boot into Windows, only to find that the updates weren't installed or need to be downloaded and installed before I can get any work done. If this update system were designed correctly, it should simply clone the existing Windows config, apply the updates, and only say a new version is available when everything is working correctly.

      --
      Vintage computer adverts: http://www.vintageadbrowser.com/computers-and-software-ads
    3. Re:Excluding the unfortunate exceptions by mhollis · · Score: 5, Insightful

      Mod this up, folks!

      I know at least five different business environments which have been, essentially, shut down by a Windows update. One of them was signing a new service contract as I was talking to him—he had been down all day, unable to see his customer files, his books, the jobs his company was supposed to be doing, unable to route his employees to where they were supposed to go. They went back to a paper only system they have not used since 2002 and they were guessing at that. They were taking credit cards over their website, but could not record the result in their books and had to just save all of the emails and spend an additional day or so just doing data entry into their bookkeeping system.

      Of course, these are anecdotes (which is what the anti-vax community uses instead of Science). The problem is not the update, it is what Microsoft does to the computer upon emerging from the update. Elsewhere, people have written of resetting all of the browser preferences, BSODs and other issues. Microsoft needs to restore the previous state of the computer or server (as much as is practical) after the patch. They need to go in like a surgeon with the same motto: "First, do no harm." And if they figure out how to do that, their updates will be seen as innocuous as Apple's.

      --
      Gods don't kill people, people with gods kill people.
    4. Re:Excluding the unfortunate exceptions by xxxJonBoyxxx · · Score: 5, Insightful

      >> How about your company's team (with the prod. servers) does their job, then? And tests and rolls out the updates BEFORE Windows Update automatically installs it.

      So...Windows shouldn't be used by small or medium-sized business without IT workstation teams then?

      Microsoft, can you confirm?

  2. Microsoft's fault by sconeu · · Score: 5, Insightful

    If they hadn't done shit such as the forced Win10 update, or forced GWX, or done a lot of other crap that broke people's systems (in the name of marketing), then maybe people wouldn't have said, "Turn it off".

    --
    General Relativity: Space-time tells matter where to go; Matter tells space-time what shape to be.
    1. Re:Microsoft's fault by TWX · · Score: 5, Informative

      Pretty much. I had to take some fairly convoluted measures to keep my wife's laptop on 8.1 or some of my various other systems on 7 without entirely disabling updates. It's not that I liked 8.1, but I did not like what I read about 10.

      The easiest way to avoid having 10 forced on me would have been to just disable updates. Instead I had to read up on every individual update that would push 10, and ultimately resorted to third-party software to block or remove those specific nuggets from Microsoft so that my platforms would be left in the state I wanted them in.

      --
      Do not look into laser with remaining eye.
    2. Re: Microsoft's fault by macsforme · · Score: 5, Insightful

      Agreed. A level of trust is required when you allow vendors to push automated updates to your system, and unfortunately there have been breaches of this trust when vendors saw this as an opportunity for more than enhancing user security.

    3. Re:Microsoft's fault by Anonymous Coward · · Score: 5, Insightful

      Plus, if Anti-Vaxxers could actually point to widespread deaths, they might have a point.

      People who advocate turning off Windows Update can point to widespread Windows deaths due to errant updates.

  3. Telemetry and Windows 10 by Anonymous Coward · · Score: 5, Insightful

    Windows Update also wanted to install telemetry on my Windows 7 system until I removed the patch. Then for 12 months Windows Update wanted to 'upgrade' me to Windows 10, the software employed all sorts of tricks to make me say yes and in the end I just disabled updates as it was less hassle.

    My Windows 7 system was not affected by the events over the weekend as all it does is run some test equipment. It still has Windows Update disabled and it's going to stay that way.

  4. Maybe if Windows Update behaved decently... by ToTheStars · · Score: 5, Insightful

    The reason folks turn off Windows Update is that it behaves kind of like malware itself! I'm technologically savvy enough to set my registry and so on to disable the awful "Get Windows Ten" updates, but when so many users got shafted by Windows "self-updating with zero input required from the user" to a completely new operating system (a new operating system that actively thwarts end-user control over updates!), is it any wonder that so many of them switched it off?

    The comparison to anti-vaxxers is interesting, and apt in more ways than Troy may have known. Much like Microsoft hijacked their Windows Update program to push Windows 10, the CIA used a Pakistani polio vaccination campaign to gather intelligence about Osama bin Laden (see here: https://en.wikipedia.org/wiki/...). This has resulted in the killing of other relief workers and general suspicion of medical aid programs in that region, and so polio persists.

  5. Re:Generally Sound Advice by dc29A · · Score: 5, Insightful

    I would do that if (1) MS didn't cram W10 down my throat; (2) every major update didn't reset browser preferences; (3) they stopped updating and breaking hardware drivers; and (4) I could disable telemetry. My Macbook and Ubuntu machines are auto-update enabled. Not my Windows gaming box. No thanks.

  6. What about the updates that hurt users? by evolutionary · · Score: 4, Insightful

    The problem is that around 30% of MS Updates actually hurt the user, either by introducing "features" or (like Apple) inadvertently or deliberately adding things that are of no benefit to anyone but MS and in many cases hurt the users. Windows 10 basically is capable of hijacking itself (as per its design) so it's hard to know what is good and what is not, especially as MS gives VERY vague descriptions of its updates as per the new Windows 10+ policy to tell users, it's our update, just take it (up the rear end). The sooner we start admitting that we don't in fact NEED MS Windows at this point, the better. Linux anyone?

    --
    "Imagination is more important than knowledge" - Einstein
  7. Those fuckers at MSFT ruined security updates by Anonymous Coward · · Score: 5, Interesting

    Those fuckers at MSFT ruined security updates by force-feeding the user spyware, or even forcing an "upgrade" to Windows 10.

    Now nobody trusts Microsoft, and would rather take their chances without the "essential updates".

  8. The problem is spyware and telemetry by WillAffleckUW · · Score: 4, Informative

    the continual additions of resource-heavy snooping spyware and telemetry services for in-app advertising delivery hammer many institutions that would otherwise happily install security patches, if they were JUST security patches.

    But many of the Important patches we have received from MSFT are just that. Ads, telemetry to try to sell us stuff that blows out the bandwidth in mission critical software and pops up things that get in the way of doing actual work.

    There's your problem. That and the "patching" of things in a way that breaks apps that believe the public documentation instead of the actual way MSFT codes and tests its apps.

    --
    -- Tigger warning: This post may contain tiggers! --
  9. Re:Poor advice. by Anonymous Coward · · Score: 5, Insightful

    nobody cares what you do on your PC

    Then why did they implement telemetry in Windows?

  10. Re:There should be a separate "Security Updates On by green1 · · Score: 5, Insightful

    There is, it's the "critical updates only" checkbox.
    The problem isn't the lack of said checkbox, it's the fact that Microsoft doesn't respect that checkbox and considers all sorts of marketing fluff and malware to be "critical"

  11. Microsoft could be a big help here by JohnFen · · Score: 5, Insightful

    If Microsoft would just go back to the days when security patches were done separately from other sorts of updates, that would be a huge help. I know a lot of people who disable updates to avoid feature changes, but would accept automatic security updates.

    Microsoft's position of not making a distinction between the two is a large disincentive to allowing automatic updates for a lot of people.
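The separation JohnFen asks for (security fixes apart from feature changes) can be approximated on the client side, because the Windows Update Agent's own COM API tags every offered update with Microsoft's category names ("Security Updates", "Critical Updates", "Feature Packs", "Upgrades" and so on). The script below is an added example, not code from this thread, from Troy Hunt's post or from Microsoft; it assumes an elevated PowerShell session on Windows 7 or later with the Microsoft.Update.Session COM object available. The function names are the example's own, the category names are Microsoft's. With -WhatIf it only lists what it would install and why; without it, it downloads and installs just the selected set and reports whether a reboot is pending instead of forcing one.

```powershell
# Added example: not code from the thread, Troy Hunt's post, or Microsoft.
# Assumes an elevated PowerShell session on Windows 7 or later with the
# Windows Update Agent COM API (Microsoft.Update.Session) available.
# Function names are the example's own; category names are Microsoft's.

function Get-SecurityOnlyUpdates {
    param(
        [string[]]$AllowedCategories = @('Security Updates', 'Critical Updates')
    )
    $session  = New-Object -ComObject Microsoft.Update.Session
    $searcher = $session.CreateUpdateSearcher()
    # Pending software updates the user has not hidden; Type='Software' leaves drivers out.
    $result   = $searcher.Search("IsInstalled=0 and IsHidden=0 and Type='Software'")

    $chosen = @()
    foreach ($update in $result.Updates) {
        $categories = @($update.Categories | ForEach-Object { $_.Name })
        $kbs        = (@($update.KBArticleIDs | ForEach-Object { "KB$_" }) -join ',')
        # Keep the update only if at least one of its categories is on the allow-list.
        $wanted     = @($categories | Where-Object { $AllowedCategories -contains $_ }).Count -gt 0
        $verb       = if ($wanted) { 'INSTALL' } else { 'SKIP   ' }
        Write-Host ("{0} {1,-12} {2}  [{3}]" -f $verb, $kbs, $update.Title, ($categories -join '; '))
        if ($wanted) { $chosen += $update }
    }
    return $chosen
}

function Install-SecurityOnlyUpdates {
    param([switch]$WhatIf)
    $chosen = @(Get-SecurityOnlyUpdates)
    if ($chosen.Count -eq 0) { Write-Host 'Nothing pending in the allowed categories.'; return }
    if ($WhatIf) { Write-Host ("{0} update(s) would be installed." -f $chosen.Count); return }

    # The agent wants an UpdateColl, not a PowerShell array, for download and install.
    $coll = New-Object -ComObject Microsoft.Update.UpdateColl
    foreach ($u in $chosen) {
        if (-not $u.EulaAccepted) { $u.AcceptEula() }
        $null = $coll.Add($u)
    }
    $session    = New-Object -ComObject Microsoft.Update.Session
    $downloader = $session.CreateUpdateDownloader()
    $downloader.Updates = $coll
    $null = $downloader.Download()

    $installer = $session.CreateUpdateInstaller()
    $installer.Updates = $coll
    $r = $installer.Install()
    # Report rather than reboot: the operator picks the restart time.
    Write-Host ("Install result code {0}; reboot required: {1}" -f $r.ResultCode, $r.RebootRequired)
}

Install-SecurityOnlyUpdates -WhatIf
```

One limit worth knowing before relying on this: the filter chooses packages, it cannot split one. Once Microsoft moved Windows 7 and 8.1 to monthly rollups (the policy phayes objects to further down in this thread), a single package in the "Security Updates" category can carry non-security changes as well, and this script will take it whole.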

  12. Consider the source. by Gravis+Zero · · Score: 5, Interesting

    at troyhunt.com

    Hi, I'm Troy Hunt, I write this blog, create courses for Pluralsight and am a Microsoft Regional Director and MVP who travels the world speaking at events and training technology professionals

    It's obviously in his interest to make everyone Microsoft's puppets.

    --
    Anons need not reply. Questions end with a question mark.
    1. Re:Consider the source. by mugnyte · · Score: 5, Informative
      This isn't necessarily a problem. The problem arises from a cult-of-brand and groupthink that MS cannot do wrong. If Troy Hunt wrote honestly, he'd explore the customers that had turned off MS Update with some interviewing and surveys, then report the results, give a nod to their core cause, report MS's renewed efforts to address these *core* causes and then talk about why Updates should be left on. Instead he delivers these sugar-free platitudes:

      It's not fun, it costs money and it can still break other dependencies, but the alternative is quite possibly ending up like the NHS or even worse. Bottom line is that it's an essential part of running a desktop environment in a modern business.

      He's a fly-around shill just trying to look good in the eyes of Sales. His "workshops" are an insanely expensive way of selling low-calorie information that's already discussed online in much finer detail. His Ghost-powered blog site doesn't offer a search feature, but I'd bet it wouldn't return any meaningful results for two-factor authentication, separation-of-concerns, what certifications exist for software security, or the track record of non-MS products. Quick example: There's no mention of Google's recent publishing of security flaws in open-source projects. Instead we get a pass-the-buck, blame-the-victim blog post that ignores the annoyances of MS Update and tells everyone to "just deal with it".

  13. Microsoft only have themselves to blame by Gadget_Guy · · Score: 5, Informative

    Microsoft only have themselves to blame for people disabling Windows Updates because they made it untrustworthy:

    • The Windows 10 upgrade fiasco
    • The backporting of the telemetry to previous versions of Windows
    • The updates that crash or cause problems
    • The update mechanism that in older Windows pegs the CPU usage at 99%
    • The forced reboots at highly inconvenient times
    • The massive Windows 10 updates that mean that I have to reinstall some of our legacy software because Windows keeps resetting some crucial registry entries
    • The bundling of updates into a single entity so that we don't have control over what gets installed on our systems
    • And the hiding of what is in those updates so that we don't ask questions.
  14. Re:Generally Sound Advice by Anonymous Coward · · Score: 5, Insightful

    The blame for people not updating/patching computers lies squarely on Microsoft.

    Automatic updates, with no user action required, is a really great thing, but ONLY when the updates are strictly for important security patches, and NOT all sorts of other crap that randomly changes or breaks things.

    And then there's the whole "we're going to shove Windows 10 up your ass whether you want it or not" fiasco.

    Microsoft has fucked so many people, so many times, that users have become averse to automatic updates.

  15. Patches are just like vaccines... by Noishkel · · Score: 4, Insightful

    Except if vaccines failed as much as a Microsoft patch did there would be no doctors... because people would be shooting them in the street.

    Yeah, yeah... I can already hear the autistic fast typing from some keyboard warrior looking to 'correct' me on this one. But sorry... Microsoft no longer has any credibility to tell people what to do with their machines. The entire roll out of Windows 10 has been nothing but train wreck after train wreck. And you know what? Even if we get the occasional virus it's still better than having to deal with the rest of the continuing train wreck that is Microsoft. People are just going to have to go back to the old days when people had to actually learn how to protect themselves. Instead of waiting on the industry to sell you a next generation of device that 'might' be eventually patched.

  16. Problems Caused by Updates vs Caused by Attacks by Anonymous Coward · · Score: 5, Interesting

    The number of problems caused by installing Windows updates for our IT department: THOUSANDS
    The number of problems caused by holes left in the Windows OS that an update or patch supposedly has fixed: 20

    Easy decision.

  17. Re:Generally Sound Advice by Entropius · · Score: 5, Interesting

    Yep. I had a laptop that came with Windows 8 on it.

    I booted it once into Windows to change UEFI settings and then put Lubuntu on it.

    Well, a friend had a Windows question for me when I was away at a conference. No problem! I booted my laptop into Win8, looked up how to do the thing, and told her. I went to bed.

    I woke up to find that my system had:

    1) autoupdated to Windows 10
    2) fucked the bootloader so I couldn't boot into Linux any more.

    This is on top of the fact that Windows updates take about a year to complete and reenable a bunch of crap that I keep disabling ("Windows Media x").

  18. 100% Microsoft's fault for forcing Windows 10 by Thud457 · · Score: 5, Insightful

    Don't use the channel for security updates to force advertising on your customers, just don't.

    --

    the preceding comment is my own and in no way reflects the opinion of the Joint Chiefs of Staff

  19. also... by Comboman · · Score: 5, Insightful

    also, doctors don't break into your house in the middle of the night to give you a vaccine (and snoop around your house while they're there).

    --
    Support Right To Repair Legislation.
  20. Windows users have two options by JoeyRox · · Score: 4, Insightful

    Option A) Turn automatic updates ON and risk Microsoft making your machine unusable due to a faulty update
    Option B) Turn automatic updates OFF and risk Microsoft making your machine unusable due to the absence of a security update

  21. Re:Generally Sound Advice by phayes · · Score: 5, Insightful

    So how often should people re-evaluate when a company like Microsoft breaks their trust by forcing upgrades and other such nonsense? 6 months are sufficient according to you apparently.

    News flash: When a company breaks its users' trust, the time it takes can be measured in years and is often never. Yeah it'd be great for security if people were applying upgrades ASAP but MS's new policy of only making rollup updates forcing the inclusion of all previous updates can only backfire making people even less apt to apply them. Hey, they've already broken our trust once, they're likely to do it again.

    The problem is in large part MS's own creation.

    --
    Democracy is a sheep and two wolves deciding what to have for lunch. Freedom is a well armed sheep contesting the issue
  22. Repeat After Me by John+Allsup · · Score: 4, Insightful

    If you value security, don't run the mission-critical parts of your infrastructure on a general purpose operating system like Windows, but rather run it on a minimalist, locked-down OS that has _only_ the facilities needed to do its job. The update carousel is a nightmare. If you want to ensure your Windows box doesn't sporadically reboot during a long unattended operation in order to update, what do you do? If you want to lock Windows down so it can only do the job to hand, and nothing else, you're screwed. If you run mission-critical stuff on a full-featured general purpose OS (and the same can be said for off-the-shelf Linux distros like Ubuntu and Fedora), you are kinda asking for it.

    That this idea is older than me, but is ignored, is laughable.

    --
    John_Chalisque
  23. No, fuck Windows update. by cfalcon · · Score: 4, Informative

    I turn off Windows update on the boxes that I still have. I recommend everyone I know disable Windows update on all boxes that they have.

    If you leave Windows update on, and just take the security updates by default, you will get owned by Microsoft. Constant telemetry will stream from your box.

    I also recommend people look up how to stop this on Windows 7 and 8, where it is possible to stop it. It is not possible in 10, though some people have had some success at limiting it.

    The article's advice is horseshit. WU should be disabled for personal computers if privacy is any manner of concern. Microsoft has revectored their security update mechanism to: try to upgrade you to Windows 10. Install sleeper services that only months after installation began transmitting telemetry. Remove useful names from KBs to prevent successful system administration. Transmit information about what programs you use, when you use them, how often you use them. Transmit information regarding crashes. Broadly expose envelope information about your non-Microsoft related activities to Microsoft and anyone they choose to share that information with.

    Disable WU on 7 and 8. Tear out the bad patches. Only EVER manually apply patches that you actually require for security and functionality.

    Comparing being a sensible system administrator who doesn't want to transfer control over their personal activities to Microsoft to antivaxxers is disgusting. Anyone making this comparison is irresponsible.

    https://superuser.com/question...

    The list of KBs that you must manually remove (and prevent reinstallation of) to keep Windows without telemetry is provided on that su post. The list is:

    KB3065988 Windows Update Client for Windows 8.1 and Windows Server 2012 R2: July 2015
    KB3083325 Windows Update Client for Windows 8.1 and Windows Server 2012 R2: September 2015
    KB3083324 Windows Update Client for Windows 7 and Windows Server 2008 R2: September 2015
    KB2976978 Compatibility update for Windows 8.1 and Windows 8
    KB3075853 Windows Update Client for Windows 8.1 and Windows Server 2012 R2: August 2015
    KB3065987 Windows Update Client for Windows 7 and Windows Server 2008 R2: July 2015
    KB3050265 Windows Update Client for Windows 7: June 2015
    KB3050267 Windows Update Client for Windows 8.1: June 2015
    KB3075851 Windows Update Client for Windows 7 and Windows Server 2008 R2: August 2015
    KB2902907 MS Security Essentials/Windows Defender related update [no description/information available]
    KB3068708 Update for customer experience and diagnostic telemetry
    KB3022345 Update for customer experience and diagnostic telemetry
    KB2952664 Compatibility update for upgrading Windows 7
    KB2990214 Update that enables you to upgrade from Windows 7 to a later version of Windows
    KB3035583 Update installs Get Windows 10 app in Windows 8.1 and Windows 7 SP1
    KB971033 Description of the update for Windows Activation Technologies
    KB3021917 Update to Windows 7 SP1 for performance improvements
    KB3044374 Update that enables you to upgrade from Windows 8.1 to a later version of Windows
    KB3046480 Update helps to determine whether to migrate the .NET Framework 1.1 when you upgrade Windows 8.1 or Windows 7
    KB3075249 Update that adds telemetry points to consent.exe in Windows 8.1 and Windows 7
    KB3080149 Update for customer experience and diagnostic telemetry
    KB3083324 Windows Update Client for Windows 7 and Windows Server 2008 R2: September 2015
    KB3083325 Windows Update Client for Windows 8.1 and Windows Server 2012 R2: September 2015
    KB3083710 Windows Update Client for Windows 7 and Windows Server 2008 R2: Octobe
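For the "tear out and prevent reinstallation" step cfalcon describes, the following is an added PowerShell example, not code from the post, from the linked superuser answer, or from Microsoft. It takes a list of KB numbers, uninstalls whichever of them Get-HotFix reports as present (through wusa.exe, the Windows Update Standalone Installer), and then marks the same KBs hidden through the Windows Update Agent COM API so the agent stops offering them on later scans. It assumes an elevated PowerShell session on Windows 7 or 8.1. The list at the top is a constructed subset of the numbers in the comment above, picked for illustration; which KBs belong on it is the operator's decision, so review each entry before adding it. The function name is the example's own. With -WhatIf nothing is changed, it only reports what it would do.

```powershell
# Added example: not from cfalcon's post, the superuser answer, or Microsoft.
# Assumes an elevated PowerShell session on Windows 7 or 8.1 with the
# Windows Update Agent COM API available. The KB list is a constructed
# subset of the numbers quoted in the post above; edit it to your own needs.

$KbsToBlock = @('3035583', '2952664', '2976978', '2990214', '3044374',
                '3068708', '3022345', '3080149', '3075249')

function Remove-AndHideKB {
    param(
        [Parameter(Mandatory=$true)][string[]]$Kb,
        [switch]$WhatIf
    )
    # 1. Uninstall those already present. Get-HotFix reads the installed-package
    #    list (Win32_QuickFixEngineering) and reports ids as "KBnnnnnnn".
    $installed = @(Get-HotFix | ForEach-Object { $_.HotFixID -replace '^KB', '' })
    $removed = @()
    foreach ($id in $Kb) {
        if ($installed -contains $id) {
            Write-Host "Uninstalling KB$id"
            if (-not $WhatIf) {
                # /quiet suppresses the UI; /norestart leaves the reboot to the operator.
                Start-Process -FilePath 'wusa.exe' -ArgumentList "/uninstall /kb:$id /quiet /norestart" -Wait
            }
            $removed += "KB$id"
        }
    }

    # 2. Mark the same KBs hidden so the agent stops offering them. This is the
    #    "prevent reinstallation" half; a hidden update stays hidden across scans.
    $session  = New-Object -ComObject Microsoft.Update.Session
    $searcher = $session.CreateUpdateSearcher()
    $pending  = $searcher.Search("IsInstalled=0 and Type='Software'").Updates
    $hidden = @()
    foreach ($update in $pending) {
        foreach ($id in @($update.KBArticleIDs)) {
            if (($Kb -contains $id) -and (-not $update.IsHidden)) {
                Write-Host ("Hiding KB{0}: {1}" -f $id, $update.Title)
                if (-not $WhatIf) { $update.IsHidden = $true }
                $hidden += "KB$id"
            }
        }
    }
    return @{ Removed = $removed; Hidden = $hidden }
}

Remove-AndHideKB -Kb $KbsToBlock -WhatIf
```

Two practical notes. Get-HotFix only knows about packages registered as hotfixes, so an update that was installed some other way may not show up in step 1 even though step 2 will still hide it. And hiding is a per-machine flag kept by the Windows Update Agent: it does not survive a reset of the agent's datastore, so re-run the script after any repair that rebuilds the SoftwareDistribution folder.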

  24. Re:Broken drivers, AND broken updates break stuff by hierofalcon · · Score: 4, Interesting

    Load Linux. Run the Windows in a virtual environment.

  25. Re:Generally Sound Advice by Tailhook · · Score: 4, Insightful

    This is hard to argue with. I personally prepared for this by preventing the Win 10 upgrade (even using third party software to stop the constant, malware like badgering complete with deliberately misleading prompts) until I was good and ready to deal with it, then I did a full clean install and manually migrated stuff over because I knew there was no way my complex, roughly used installation could possibly upgrade well automatically. One simply cannot, however, expect a planet full of Windows users to take this conservative approach; even if they were inclined to, which they aren't; most of them simply aren't competent to deal with this stuff and would do more damage than what the upgrade inflicted.

    So they all got put through the upgrade wringer creating bad outcomes for millions and leading to widespread "anti-vaxxer" behavior. Since then the "anti-vaxxers" have had their behavior affirmed by disruptive updates doing unwelcome stuff. The glacial slowness of the Windows 10 update process alone is a huge failure in my mind; this has badly regressed from earlier releases; I have a laptop I boot maybe once a month and I've come to expect the Windows 10 updates to take an hour or more. Ridiculous.

    After putting the whole world through all this shit one simply can't point a finger at millions of beleaguered users and blame them for their negligence. I'm sure they'd be happy to have their system automatically updated, as long as it wasn't the computing equivalent of getting a SOA style beat down every few months.

    --
    Maw! Fire up the karma burner!
  26. More hype than substance by WaffleMonster · · Score: 5, Interesting

    People get WannaCry by clicking on the wrong email not by SMB exploits. I get that repurposed NSA exploit angle makes for interesting and irresistible news stories but substantively it's way overhyped and using it to support blanket assertions is a nonstarter in my view.

    There is compelling quantifiable evidence to support the position vaccines help more than they hurt. The case for updates is closer to the question of whether throwing billions into the intelligence industrial complex makes real people quantifiably safer from being terrorized given opportunity cost of not investing these funds to address significantly more statistically substantial problems such as pulling down US murder rate.

    What we know for sure is social engineering accounts for 90% of general p0wnage worldwide. Even if all unintentional software bugs were patched with 100% coverage overnight absolutely nothing would change.

    In 2017 given Microsoft's proven track record of both incompetence and sleaze when it comes to updates it's an open question as far as I'm concerned whether updates are still worth applying at all. The majority of end users are behind stealth mode firewalls and the only whackable thing they have sticking out is a web browser. If you keep firefox or chromium or whatever up to date and lock down some associated configuration are you really appreciably safer vs probability of computer failing to boot or introduction of some new Microsoft "telemetry" malware or Microsoft false choice prompt dismissal scam? I honestly don't know the answer. I do know it very much depends on context not only in terms of the users needs and environment but the value judgments of the end user.

    If Microsoft would stop constantly peddling malware, firing QA staff, fix updates to not use insane amounts of resources while taking forever and requiring a reboot to sneeze... If only updates were properly labeled and people trusted Microsoft not to screw with them... my guess is fewer will find value in disabling updates.

    I personally believe coordinated automated updates of billions of systems globally in a matter of days is an extraordinarily perilous activity in and of itself no matter how careful you are. Sooner or later this is bound to end in a major disaster. While updates do fix problems quicker they also significantly lower the cost and tolerance for releasing defective software. It sends a signal to the market releasing defective software is a cost free activity.