Woody Leonhard's no-bull news, tips and help for Windows, Office and more… Please disable your ad blocker – our (polite!) ads help keep AskWoody going!
Home icon Home icon Home icon Email icon RSS icon
  • MS-DEFCON 2: Get auto update turned off — and watch out for SMBv1 blocking complications this month

    Posted on June 11th, 2018 at 14:58 woody Comment on the AskWoody Lounge

    Patch Tuesday’s tomorrow. You know what that means.

    I’m moving us to MS-DEFCON 2: Patch reliability is unclear. Unless you have an immediate, pressing need to install a specific patch, don’t do it.

    Computerworld Woody on Windows

    If that helped, take a second to support AskWoody on Patreon

    Home Forums MS-DEFCON 2: Get auto update turned off — and watch out for SMBv1 blocking complications this month

    This topic contains 61 replies, has 19 voices, and was last updated by  anonymous 1 month, 1 week ago.

    • Author
      Posts
    • #197264 Reply

      woody
      Da Boss

      Patch Tuesday’s tomorrow. You know what that means. I’m moving us to MS-DEFCON 2: Patch reliability is unclear. Unless you have an immediate, pressing
      [See the full post at: MS-DEFCON 2: Get auto update turned off — and watch out for SMBv1 blocking complications this month]

      1 user thanked author for this post.
    • #197285 Reply

      OscarCP
      AskWoody Lounger

      What is SMBv1 blocking and what are those complications?

       

      • #197293 Reply

        anonymous

        Coming soon to a Computerworld article near you.
        This topic reserves a place to put the link when a different team finishes their tasks.

    • #197295 Reply

      anonymous

      Crash diving again…had just enough time to recharge the batteries and pull in some fresh air.

      Ah, me.  Why does life with MS feel like a scene out of “Das Boot?”

      5 users thanked author for this post.
      • #197304 Reply

        OscarCP
        AskWoody Lounger

        It reminds me also of the bunker scenes in the last part of the “Der Untergang” (Downfall).

         

        2 users thanked author for this post.
    • #197303 Reply

      b
      AskWoody Lounger

      For those running Win10 Pro, Microsoft kindly eviscerated the easy way to set it to defer cumulative updates, but you can still dig into the belly of the machine and turn them off. Unfortunately, you need to revert to the manual Group Policy method that worked in Win10 1607, which I describe here in Steps 3C, E and F.

      Susan Bradley has some pithy observations about 1803 removing the easy-to-use GUI that’s available in 1703 and 1709. Yet another reason to avoid the 1803 version.

      This is nonsense. Defer feature updates and defer quality updates exist in 1803 PRO Settings GUI just as before, as was pointed out by several users here six weeks ago.

    • #197309 Reply

      OscarCP
      AskWoody Lounger

      OK, dear Woody,

      I have read your article in Computerworld, and gone through the German gentleman’s article you provide a link to, in there, and it still is not clear to me whether: (1) This also applies to mine (or to anybody’s) Win 7 machine, and (2) What to do if my peripherals suddenly become unresponsive after installing this month’s patches, other than de-installing those patches — and then living with that? Or should one just join Group W, and be done with all this?

       

       

      • #197321 Reply

        anonymous

        Not Woody, but making a prediction from recent observations. You are asking for an article that will not be written for 19 to 24 more days. Forecast reliability approximately that of the old Gypsy lady from Archer. Slightly more reliable is the prediction that we will witness actual fallout, if any, and developing coping methods over the first 11 days. Then opinion voicing and refinement over the following week. When my personal Magic 8-ball (a children’s toy answer generator) decides things are not so cloudy and the answer is YES, I might install on my own. Otherwise I will wait for Woody’s next Computerworld article for directions through the minefield. Administrators and users requiring more timely results have been well served by Patch Lady’s assessment of individual items available.

        2 users thanked author for this post.
        • #197342 Reply

          OscarCP
          AskWoody Lounger

          Oh Anonymous! A mere “Thanks” just wouldn’t do here.

          So:

          My uncertain (but hopeful, looking at the possible future collapse of the Schrödinger’s function in its relevant configuration space, while eagerly entangled with greatly undefined hopes that some lives may still be left to his cat)  thanks, as befits such a cloudy, vaporous, ghostly and still indistinct — if vaguely scary — issue!

           

          1 user thanked author for this post.
    • #197316 Reply

      b
      AskWoody Lounger

      Many of us are anticipating widespread axing of SMBv1 in this month’s round of Windows updates. (It’s long overdue, in my opinion. SMBv1 is a wide open security hole.) Günter Born has a detailed analysis of the current state of the problem, and the effects of its possible solution, on his Born City blog.

      SMBv1 was axed eight months ago in 1709. How can it be axed again?

      SMBv1 is not installed by default in Windows 10 Fall Creators Update and Windows Server, version 1709 and later versions

      • #197326 Reply

        anonymous

        SMBv1 wasn’t installed in 1709, but the installation was kept if upgrading from a previous version of Windows 10.
        So I think the axing refers to it soon to be forcibly removed from existing installations.

    • #197320 Reply

      Grond
      AskWoody Lounger

      Hi all. This may not be the best place to post this, and I am sorry if it is, but:

      I’m running a Win7 SP1 x64 Home Premium self-built PC as my main/only box.

      Due to the great help from AskWoody’s site here, and Josh Mayfield’s most timely and
      excellent GWX Control Panel, I avoided the GWX forced Win10 upgrade campaign/malware of
      2016. This PC’s last reformat/reinstall of Win 7 was on 3/3/2015. I’m a Group A
      (modified) updater; i.e. I typically wait until after Patch Tuesday for the Defcon 3 go-
      ahead to install anything from WU, with the exception of Defender, which I keep updated.
      I use Kaspersky as my AV and MBAM as my malware defenses. My WU setting is “Never Check
      for Updates,” with Recommended Updates checked. I’m currently (safely?) updated through May 2018.

      To my horror, a couple of days ago, I checked WU’s “Installed Updates” and found these:

      KB2952664 4/8/2016
      KB3150513 5/6/2016
      KB3021917 3/3/2015
      KB3068708 6/17/2015
      KB3080149 8/19/2015
      KB3022345 5/7/2015

      Since it appears Microsoft *may* be renewing a GWX-style initiative, would it be best/safe to uninstall these updates?
      I do fairly regular folder/file backups to optical media and it’s way past time for a reformat and fresh reinstall of Win 7.

      Thanks much for any advice!
      -Grond

      • #197322 Reply

        PKCano
        AskWoody MVP

        You can uninstall those patches, BUT you are going to have a problem with uninstalling KB 2952664. It has been reissued many times. When you uninstall it, the next earliest version shows up (it appears it didn’t uninstall, but it’s one earlier version you see). Bottom line, you have to remove all of them.

        This has been discussed in length on this site. If you search for 2952664, you will find methods to remove it and even scripts for the purpose.

        But GWX is over and Microsoft has said it will not repeat it again.

        3 users thanked author for this post.
        • #197610 Reply

          MrJimPhelps
          AskWoody MVP

          It is possible to see an attempted upgrade to Windows 10, even at this late date. I worked on a Windows 8.1 laptop about four months ago, and when I powered it on, the first thing it did was begin the upgrade process to Windows 10. I was able to stop the upgrade in time; I then installed GWX Control Panel and used it to erase all traces of Windows 10.

          I don’t know how it happened that GWX got onto that laptop at that late date; but somehow it did. Moral of the story, there is no harm in installing GWX Control Panel and setting it to prevent an upgrade to Windows 10; and doing so might save you from having to reverse an unwanted upgrade to Windows 10.

          Group "L" (Linux Mint)
          with Windows 8.1 running in a VM
          1 user thanked author for this post.
      • #202554 Reply

        anonymous

        @grond: You say: to your horror. Does that mean you did not install these updates yourself? It would be really bad if Microsoft has sneaked them onto your pc …

    • #197324 Reply

      AlexEiffel
      AskWoody MVP

      Issue you might have with 1803 : drive letter appearing and your computer complaining you don’t have enough space.

      Ok, just to make me mad today, I got bitten by a 1803’s idiotic issue.

      Some poor folks running home version got updated recently to 1803 and called me today (two unrelated parties) with the same issue. I am glad I don’t have too many Home versions to support.

      What happened is a drive letter somehow got assigned to their 450mb recovery partition that should be hidden and is now showing nothing (when you click on it to see the content in File Explorer) and almost full at the same time (because, you know, it contains the recovery stuff and it takes up almost all space). So the computer complains that you run low on space. One person told me it was warning him every half hour, but maybe it was the installed but not paid cleaning premium Avast product that complained that often, I am not sure. I didn’t even bother to ask the other person if it was bothering him often and I did the same procedure right away.

      Normally, I would have gone into disk management to quickly remove the drive letter. However, when right-clicking on this partition in disk management (and good luck finding it if you don’t do WIN-R diskmgmt.msc), it offers nothing in that regard now. Great. The storage screen in the control panel replacement for dummy doesn’t even show anything about managing disks, resizing partitions, or accessing the old but trusted disk management. Greater. That’s the best Windows ever.

      So the best way is to go the way of the Linux folks with the command prompt. Glad to see we now have to start managing Windows the same way as some obscure half maintained distro of Linux, even with the weird things not working right out of the box.

      Open a file explorer box just for the fun of seeing the drive letter disappear while performing the surgical operation that follows. Since you’re not on my PC which defaults to show my drives like before, you might have to click on the left “This computer” (not “My computer” anymore as some observant individual noted here). There you will see the drive that shouldn’t be.

      So go into an admin command prompt : WIN-X-A

      Then type diskpart

      list volume

      check which volume contains a drive letter, is 450Mb and should be your recovery partition. Don’t get the wrong drive or you could hide a good one. The letter will likely be E or F, but if you think it is C, take a deep breath and look again more carefully.

      type select volume 2 if the drive number is 2, well you get the idea it might or might not be 2 and you need to type the right number, right?

      then, after also having noted what letter was assigned to that drive, type the following:

      remove letter F if the letter is F or change F for the right letter.

      Look at the drive disappearing from File Explorer. Don’t worry, it will still be there for recovery, just not for Windows complaining you lack space.

      type exit, then press enter, rinse and repeat.

      Some more advanced folks might note this partition should be hidden (it is on my 1703) and obviously it is not anymore if you had this issue. The thing is, I tried hiding it using attributes volume set hidden on the selected volume but it says the object is not found, so I lost patience too quickly to continue and anyway removing the letter was enough.

      Thanks, Microsoft, for another stupid issue none of your beta testers made you quickly fix before release, but 2 of the few I support did notice.

      • #197328 Reply

        b
        AskWoody Lounger

        That was covered here six weeks ago:

        2. After 1803 seeing several reports of recovery drive being assigned a drive letter. Not expected. Workaround: Use Diskpart to remove drive letter. Acknowledged by Microsoft.

        https://www.askwoody.com/2018/patch-lady-early-trending-issues-with-1803/

        How long ago did they update?

        • #197371 Reply

          AlexEiffel
          AskWoody MVP

          Thanks, i guess it didn’t leave a long lasting impression when I quickly read about it a few weeks ago and to be honest, I think I waste less time not running the latest build and waste time looking at issues that will be likely fixed by the time I do run the build. I quickly glance at the threads to have an idea what to expect if I get a call from poor Home versions folks, but this issue was minor for me and easy to fix.

          They have been force updated recently, maybe a week or two ago.

          But still, how come this simple issue hasn’t been fixed yet? How do Microsoft expect home folks to fix that themselves if they are not IT savvy? This is such a shame.

          1 user thanked author for this post.
          • #197614 Reply

            MrJimPhelps
            AskWoody MVP

            How come this simple issue hasn’t been fixed yet? How do Microsoft expect home folks to fix that themselves if they are not IT savvy? This is such a shame.

            Alex:

            Thanks for the detailed explanation of how to address this bug.

            You’re absolutely right; a non-IT person wouldn’t have a clue where to begin fixing this one. And if they tried, they would likely mess things up even more.

            Jim

            Group "L" (Linux Mint)
            with Windows 8.1 running in a VM
            1 user thanked author for this post.
    • #197325 Reply

      anonymous

      Concerning SMB1, I have an old Buffalo Linkstation network drive which cannot run smb above v1. Buffalo claim to have firmware (unfortunately not for my drive though) to plug the vulnerability for SMB1 and still use it.

      My question is, is there a way to plug the vulnerability in Windows (eg by a third-party method) so that I can continue to connect to my old drive (relatively) safely?

      • #197354 Reply

        Ascaris
        AskWoody MVP

        The vulnerability (EternalBlue/WannaCry) that was there months ago was already fixed, but since Microsoft knows best, they’re again taking it upon themselves to make your decision for you about whether SMB1 will be available.

        The problems that exist in SMB1 now are not vulnerabilities in the sense that we usually use the word, which is to mean particular security bugs that can/should be fixed.  They’re simply a lack of security features that reflect the age of SMB1 and the simpler time we lived in when it was current.  The fix IS to use later versions… that’s what they are for.

        Still, as CH100 pointed out all that time ago when the WannaCry vulnerability was patched, removing SMB1 can cause network browsing issues and other annoyances, and that the later SMB versions were not meant to replace SMB1 in the sense that SMB1 would be deleted, but to exist alongside of it so it can still do its thing (apologies to CH100 if I am paraphrasing incorrectly; it’s been a while) if needed.

        In my case, and I’d guess in the case of many home networking users, none of the security features they added to SMB in later versions will mean anything to me.  My network shares are open, since no one but me has physical access to any bit of the network, from the router to the ethernet cables to the PCs themselves, and I want the convenience of an open pipeline between my various PCs.  None of the security features mean a thing in this case, so there’s no benefit to prohibiting SMB1 for me, with several potential downsides.

        Of course, I’m not all users, but the point is (as I have said so many times since this “Windows as a Dictator Service” debacle began) that one size does not fit all.  Remove it as a default option if you wish (which they did), but leave it at that.  Average people who have no need for SMB1 (or understanding of what it is) are not going to inadvertently stumble into the “Turn Windows features on or off” dialog, then accidentally scroll down to SMB1, then errantly click the box to enable it, then unintentionally hit the Ok button.  If someone’s going to do that, it’s for a reason, and it’s not Microsoft’s or Ned Pyle’s job to tell me, or anyone else, NO.

        8 users thanked author for this post.
        • #197370 Reply

          anonymous

          Many thanks for the reply. So are you saying that if I am a home user with only 2 pc’s and a NAS, I shouldn’t have to worry about the insecurities of SMB1?

          • #197399 Reply

            Ascaris
            AskWoody MVP

            I can’t make a recommendation without knowing more details than that, and even then, it’s just one opinion among many. I present it so people can make an informed decision, but please don’t just take it (or the words from any other person) as definitive on this or any matter!

            Are you using password-protected shares?  If not, SMB1’s weak security features won’t harm you, since you’re not using them anyway.  If you are using protected shares, how concerned are you that someone might gain access to the network without authorization?  If that’s a concern for you at all, you might want to consider ditching SMB1, because its security features are not very robust.  MS is not making that up… my point is that it doesn’t matter to every one of their users, yet they’re making the feature unavailable to every one of their users (of 10) just the same.

            For some people, keeping SMB1 is about keeping older network devices working.  A number of them don’t and will never support anything other than SMB1, so this edict from Microsoft essentially renders those pieces of hardware useless.  Home users don’t even get the opportunity to block the automatic upgrade to keep their network fully functional unless they use tricks like setting the connection to metered, and even then who knows if MS will decide that this is one of those things that is important enough to ignore the metered connection setting?

            When you ditch SMB1, you also ditch NetBIOS and the Computer Browser functionality.  They’re old and dusty relics for sure, but they still work, and a lot of home networks still use them, since they are well suited to the simple, decentralized type of network that is often seen in the home.  With Homegroups gone, and now NetBIOS and Computer Browser going away, I don’t know what is meant to replace them in home networks.  I tried disabling SMB1 in my own home network back when WannaCry was in the news, and I immediately lost any ability to browse the network (that is, to see what shared items were available on the network, and from whom).  I was able to connect to my shares directly by IP address easily enough, and I can also very easily set the router up to act as a DNS server so that I can access any PC on the network without knowing the IP address.  That’s all I would need to build a working network, but the ability for each share to be discovered and automounted via NetBIOS is just so convenient, and the benefit of ditching SMB1 was for me so… well, nonexistent, that I never did so.

            I still don’t know what’s supposed to replace CIFS/Browser (or “Bowser” as it is misspelled in the registry) and NetBIOS for home networking users who don’t know how to connect to a share other than clicking the icon associated with it, and who are used to the largely self-configuring nature of previous Windows machines when it comes to networking.  While I use myself as an example of someone who would not benefit from dropping SMB1 completely, I could do it without any real hardship… I just wonder what the regular home networking users are supposed to do without it.  Maybe there is something and I am just not aware of it.  Even if there is, it won’t bring back functionality to those NAS devices, printers, scanners, etc., that rely on SMB1 to work, and for users who aren’t using secured shares anyway, it’s all loss and no gain to lose SMB1.

            • This reply was modified 2 months ago by  Ascaris.
            2 users thanked author for this post.
            • #197489 Reply

              anonymous

              Many thanks again for replying, don’t worry I wasn’t planning on blaming you if I follow your advice and things go wrong! I’m just collecting information to help make a better decision and your opinion is valuable.

              No-one but myself has access to any of my computers and I have enabled file+print sharing and client for MS networks on my ethernet connection only, both are diabled on my wifi connection which is the one connected to the internet. I read somewhere though that disabling these might not be honored.

              Does this look like a safe-ish setup to keep SMBv1 with?

            • #197528 Reply

              Ascaris
              AskWoody MVP

              It looks like a relatively safe-ish setup to keep SMB1 on, yes.

              It boils down to whether you consider the security features of SMB essential on your network or not.  If they are important, you should ditch SMB1, because its security features are so weak and easily compromised that they can pretty much be considered to be irrelevant.  By running SMB1, you’re pretty close to running an unsecured network… in my case, I actually am running an unsecured network, so it doesn’t matter at all that SMB1 is weak on security.

              Again, Microsoft is not lying when they say SMB1 is insecure.  They’re not wrong to try to phase it out as long as people who still want to use it despite its weak security features can enable it.  Windows still allows open shares to be created, and a network full of those is less secure than a password protected SMB1 network, so it seems silly to draw such a hard line on SMB1 in context.

              I probably shouldn’t go any further with that line of thought, lest I give them more ideas for features to rip out of Windows (for our own good, of course).  Never mind, MS, I didn’t say a word!

              2 users thanked author for this post.
    • #197331 Reply

      KWGuy
      AskWoody Lounger

      The metered connection trick is successfully blocking Win 1803 on my W10 Home box.  The bad news is that this is also blocking my ability to install any other updates that I want, e.g. Flash, MSRT, and others that appear along with 1803 on Settings>Update Status list.  It also is blocking any 1709 updates from appearing as available.  I’ve used wushowhide to hide 1803 (presumably successfully), hoping that WU will refresh the pending list without 1803.  No joy…1803 still there.  The only option offered is “Download Now”.  I ran WU Troubleshooter which identified (insultingly!) the problem as being “Pending updates — Download now”.  Wushowhide is not hiding 1803 effectively.  Do I have to forego ALL future updates if I wish to NOT install 1803?  Suggestions sought and appreciated.

    • #197339 Reply

      anonymous

      Are almost all windows updates rubbish anymore? I haven’t updated since like March and I feel like I should be updating by now but you always have it set on def com 2.  So am I right in not having updated since then?
      Windows 7 btw.

      • #197345 Reply

        Kirsty
        AskWoody MVP

        …but you always have it set on def com 2

        Ah,no, it’s not always set at MS-Defcon 2! Ok, it’s not gone above MS-Defcon 3 this year, but 😉

        4 users thanked author for this post.
        • #197615 Reply

          MrJimPhelps
          AskWoody MVP

          I remember when it was on MS-Defcon 5 about a year ago! What a momentous occasion!

          Group "L" (Linux Mint)
          with Windows 8.1 running in a VM
          1 user thanked author for this post.
          • #197618 Reply

            BobbyB
            AskWoody Lounger

            Not often but definitely a rare Momentous occasion worth noting 🙂

            woody-defcon-5

            Attachments:
            You must be logged in to view attached files.
            4 users thanked author for this post.
            • #197662 Reply

              Jan K.
              AskWoody Lounger

              I was just about to request proof of Mr. Jim Phelps’ outrageous claim! 😀

              You were shocked and knew nobody would ever believe you, so took a screen shot? Smart!

            • #197665 Reply

              Mr. Natural
              AskWoody Lounger

              Must be a photochop.  🙂

              1 user thanked author for this post.
    • #197348 Reply

      anonymous

      Never a dull day with Microsoft.
      I cant recall a date where no buggy patches were introduced.
      Therefore i always have my Windows of Pain Updating procedure set to Check for Updates and let me choose when to install them, (no idea what category I am in)?
      I also leave the: Give me recommended updates the same way I receive important updates Un-checked.
      All in all this gives me time to trawl through those updates to find out what they are and their implications to systems before installing.
      I have just installed the previous month’s (May) complete roll-up and net on the 11/06/18 on my Win 7 Pro system when the Updates were flagged Defcon 3 and thankfully all worked ok without any bugs or issues to the computer or system, (Thanks to Woody and the Patch Lady with explanations and links).
      (No doubt this also depends on hardware and software installed and configuration of said as no system is identical).
      (as a side note I don`t think we will ever see a Defcon 5 anymore).
      As I am in AU I have only seen the preview of this months and I am not to impressed to what I have read so again the long wait to the end of June before I even contemplate installing any of these which are yet to arrive.
      I dread the day when I will have to switch to Win 10 which I have installed only on a spare test bed computer and what I see is not very impressive.
      To be honest all I need is a good operating system much like XP or 7 has been in the past and not a computer what seems more and more Android like of which one is give little adjust-ability in relations to Security and MS continually spying on you.
      Regards.
      Frank n St31n.

      EDITED for content – please respect the Lounge Rules

      • #197352 Reply

        OscarCP
        AskWoody Lounger

        Anonymous #197348 : “I cant recall a date where no buggy patches were introduced.

        Well, I can. But I’m really old. So don’t feel too bad about it.

         

        3 users thanked author for this post.
      • #197616 Reply

        MrJimPhelps
        AskWoody MVP

        To be honest all I need is a good operating system much like XP or 7 has been in the past and not a computer what seems more and more Android like of which one is give little adjust-ability in relations to Security and MS continually spying on you.

        Frank, have you considered Linux Mint? Or, for a less capable computer, Elementary OS.

        Group "L" (Linux Mint)
        with Windows 8.1 running in a VM
        1 user thanked author for this post.
    • #197356 Reply

      fred
      AskWoody Lounger

      @woody : This thread is becoming “literature”, almost.
      but, really, thank you all.    😀

    • #197359 Reply

      anonymous

      I have had an on-going parade of BSODs with 1803.  I have gone through and made sure that drivers are up-to-date.

      SFC /SCANNOW is now unable to complete.  The same is true with DISM.  I Bluescreen before the Media Creation Tool can complete an ISO to a USB.

      Does Microsoft have a support page for the 1803 issues?

      • #197361 Reply

        PKCano
        AskWoody MVP

        The Media Creation Tool can be used to create a bootable install CD/USB from any PC without installing Win10 on that PC. If you have another computer available (even temporarily), you can make an install CD/USB.

        You may also have another option. If you can boot into the Recovery environment (a Rescue CD/USB, or an F-key on bootup), you may be able to roll back to a previous version of Win10, access System Restore to an earlier restore point, or reinstall the OEM OS from the recovery partition.

        There have been hardware incompatibilities with 1803 (like certain SSDs). It would help to know more about the specs of your computer.

    • #197367 Reply

      millerah
      AskWoody Lounger

      I don’t trust Microsoft especially after Woody saying several times that Microsoft sometimes bypasses the settings within Windows to defer updates and upgrades.

      I still use the Group Policy editor to set these deferrals. Because of this the settings in Windows Update are grayed out. More important, there is a notice in yellow at the top: “*Some settings are managed by your organization.”

      My reasoning is that Microsoft might want to bypass an individual, but an organization less so. They don’t want a big business complaining that their IT was flooded with issues of buggy quality updates and even buggier feature updates. Perhaps that notice says that my organization’s IT (me) is in charge of these matters and not to mess with them.

      A while back, I read of a way to update group policy without a restart.
      Launch an elevated Command Prompt and run the command “gpupdate/force”. This automatically causes any sort of change you made to the Group Policy to take effect.
      For the most part, this works really well.

      Edit to remove HTML. Please use the “Text” tab in the entry box when you copy/paste.

      1 user thanked author for this post.
      • #197374 Reply

        AlexEiffel
        AskWoody MVP

        I do that also on multiple computers and it worked well for me. I guess your hypothesis is still valid for now on the Pro version. Also, it is better to follow what Microsoft says, like don’t put telemetry to zero on a non Enterprise version, as it won’t work anyway and it might create other unexpected issues to punish you like disabling other group policies effects.

      • #197617 Reply

        MrJimPhelps
        AskWoody MVP

        I still use the Group Policy editor to set these deferrals. Because of this the settings in Windows Update are grayed out. More important, there is a notice in yellow at the top: “*Some settings are managed by your organization.”

        My reasoning is that Microsoft might want to bypass an individual, but an organization less so

        Very clever. I’ll have to remember that trick.

        Group "L" (Linux Mint)
        with Windows 8.1 running in a VM
    • #197377 Reply

      Mr. Natural
      AskWoody Lounger

      I’ve observed this script attempting to run on our Windows 10 machines at various intervals for quite some time. I do let it run when I see it. It disables SMB1 if it detects that it has not been used for a specified period of time.

      [*COMMAND*] & C:\Windows\system32\WindowsPowerShell\v1.0\Modules\SmbShare\DisableUnusedSmb1.ps1 -Scenario Client

      1 user thanked author for this post.
      • #197520 Reply

        anonymous

        You can turn this script off from the same place you can disable SMBv1.

        In Control Panel under “Programs and Features” click on “Turn Windows features on or off” (you’re probably familiar with this tool already). Under “SMB 1.0/CIFS File Sharing Support” (click on the + to its left), untick “SMB 1.0/CIFS Automatic Removal”, click OK and Windows will delete the script and its trigger.

        Doing this and ticking it again puts the script and trigger back. No reboot necessary either way.

        4 users thanked author for this post.
    • #197378 Reply

      geekdom
      AskWoody Lounger

      Avoid catastrophic computer failure.
      Make your backups now.

      Group G{ot backup} Win7|64-bit|SP1|TestBeta

      1 user thanked author for this post.
    • #197387 Reply

      CADesertRat
      AskWoody Lounger

      The metered connection trick is successfully blocking Win 1803 on my W10 Home box. The bad news is that this is also blocking my ability to install any other updates that I want, e.g. Flash, MSRT, and others that appear along with 1803 on Settings>Update Status list. It also is blocking any 1709 updates from appearing as available. I’ve used wushowhide to hide 1803 (presumably successfully), hoping that WU will refresh the pending list without 1803. No joy…1803 still there. The only option offered is “Download Now”. I ran WU Troubleshooter which identified (insultingly!) the problem as being “Pending updates — Download now”. Wushowhide is not hiding 1803 effectively. Do I have to forego ALL future updates if I wish to NOT install 1803? Suggestions sought and appreciated.

      I’m in the same boat except that I have Pro instead of Home and I don’t have Wushowhide installed. I watch Susan’s patch list and go to the MS catalog site and D/L and install the relevant patches that are safe. So far so good.

      1 user thanked author for this post.
    • #197401 Reply

      Charlie
      AskWoody Lounger

      Getting back to SNBv1 Blocking Complications . . . I’m wondering if this will affect my Win 7?  All of the discussion I’ve seen here so far centers around Win 10 1803 vs. 1709, etc.  It would be nice to know if all current Windows OS’s are affected by whatever is going to happen.

      Win 7 Home Premium, x64, Intel i3-2120 3.3GHz, Group B

    • #197403 Reply

      anonymous

      I would like to know the following, as an explanation does not seem to be available in the previous postings, at least in terms both obvious and comprehensible enough for me:

      Given that:

      (1) I have an 11 years old PC with Windows 7 Pro, SP1, x 64, and an Intel I-7 “sandy bridge” CPU.

      (2) I have access to the Internet via one router for wide-band radio and Ethernet connection to my PC and also to my Mac, one at the time, and to nothing else.

      (3) I patch my PC the Group B Way.

      Am I going to have a problem because of the issues discussed here?

      Thanks for any clear answers someone might be kind enough to give.

       

    • #197404 Reply

      anonymous

      Okay I hid the updates-Although I got the monthly malware update and the antivirus thing for windows defender (which has a seem or same one each day)-I did see 1803 feature was among the updates-it must of got reupdated or so by microsoft. So I hid that too.

      It’s almost like Microsoft is trying to force people to update to 1803, BUT I say no thank you-I am hiding it until you sort your issues out

    • #197410 Reply

      anonymous

      Windows 8.1 x64.   I’ve had good luck with system restore if needed, so I just tossed in the updates.   No problems found.    I’m happy with that OS.  It doesn’t have the update problems of 7 or 10.

    • #197420 Reply

      geekdom
      AskWoody Lounger

      Peabody here.

      June 12, 2018—KB4284826 (Monthly Rollup)
      Windows 7 Service Pack 1
      Windows Server 2008 R2 Service Pack 1

      Installed without error and system reboots without error.

      Group G{ot backup} Win7|64-bit|SP1|TestBeta

      2 users thanked author for this post.
    • #197423 Reply

      OscarCP
      AskWoody Lounger

      So: Once More With Feeling:

      Is this all about Windows 10? Am I, with Win 7 Pro, x64, I-7 “sandy bridge” in my old only for home use PC with a dedicated router for Internet connection, free from this kind of problem, whatever it is?

      I’ll really appreciate an answer concise and to the point.

      • This reply was modified 2 months ago by  OscarCP.
      1 user thanked author for this post.
      • #197473 Reply

        Mr. Natural
        AskWoody Lounger

        From a home user perspective running Windows 10, your only concern may be your router. As mentioned Microsoft has already been running scripts behind the scenes to disable SMB1 on Windows 10. Only thing folks should be aware of including Windows 7 users is if Microsoft releases a patch on this they need to wait for the green light from Askwoody. There should be no concern about completely removing SMB1 because if it breaks something, then that is a security concern that needs addressing. Only concern is any patch released by Microsoft. 🙂

        • This reply was modified 2 months ago by  Mr. Natural.
        3 users thanked author for this post.
        • #197496 Reply

          OscarCP
          AskWoody Lounger

          Mr. Natural, thanks!

          I hope I am not imposing too much already,  but I need to ask:

          So, is it safe to assume that a “good” patch that removes SMB1 will not stop me from using all my peripherals? Or will I have to be ready to uninstall such a patch, even if green-lighted by Woody, if it does make some peripherals unresponsive, because it very well might?

          Also, unless, of course, it is still too early to tell: is it known if this is going to come via the security only patch, or the IE security cumulative patch, or through a separate patch altogether (not counting security rollups, which I never install, being Group B)?

           

          • #197526 Reply

            Ascaris
            AskWoody MVP

            Oscar,

            Right now, there is no patch that removes SMB1 from Windows 7 or 8.1 coming down the pike.  If you’re not using Windows 10, this alert about SMB1 isn’t going to affect you.  It’s just about Windows 10.

            No one but MS knows what patches may be planned for the future, but given that MS is doing the bare minimum with 7 and 8.1, my guess would be that MS will not roll out such a patch for the older Windows versions.  If it should ever come to pass that they do, we will deal with it at that time, and as always, Woody’s MS-DEFCON will be there to assist you.

            7 users thanked author for this post.
            • #197533 Reply

              OscarCP
              AskWoody Lounger

              Ascaris,

              A million thanks for that!

              By making that simple, forthright and clear statement, in plainest English, you just have made me, and possibly all those other umpteen Windows 7 and 8.1 users that throng this site — incredibly happy!!!

              Oh joy! This has noting to do with us… at least as far as one can be sure of anything that might come out of MS these days.

              1 user thanked author for this post.
            • #197648 Reply

              Charlie
              AskWoody Lounger

              Perseverance pays off Oscar!

              Win 7 Home Premium, x64, Intel i3-2120 3.3GHz, Group B

    Please follow the -Lounge Rules- no personal attacks, no swearing, and politics/religion are relegated to the Rants forum.

    Reply To: MS-DEFCON 2: Get auto update turned off — and watch out for SMBv1 blocking complications this month

    You can use BBCodes to format your content.
    Your account can't use Advanced BBCodes, they will be stripped before saving.

    Your information: