Woody Leonhard's no-bull news, tips and help for Windows, Office and more…
  • MS-DEFCON 2: March Patch Tuesday is right around the corner — turn off Auto Update

    Posted on March 12th, 2018 at 17:01 by woody

    Once more unto the breach, dear friends, once more.

    In preparation for tomorrow’s Patch Tuesday, we’re at MS-DEFCON 2: Patch reliability is unclear. Unless you have an immediate, pressing need to install a specific patch, don’t do it.

    Computerworld Woody on Windows.


    This topic contains 34 replies, has 15 voices, and was last updated by  anonymous 6 months, 2 weeks ago.

    • #175033 Reply

      woody
      Da Boss

      Once more unto the breach, dear friends, once more. In preparation for tomorrow’s Patch Tuesday, we’re at MS-DEFCON 2: Patch reliability is unclear. U
      [See the full post at: MS-DEFCON 2: March Patch Tuesday is right around the corner — turn off Auto Update]

      6 users thanked author for this post.
    • #175036 Reply

      woody
      Da Boss

      Now this should give you pause. I got a message from an experienced Windows guy (which is to say, a victim, like many of us), who described his method for installing Win10 on a new computer. Here’s his checklist.

      My procedure to get a working Windows 10 (assuming they don’t want to (/can’t) return the computer and get a good computer (refurbished Windows 7/8.1, a Mac, convert to Linux)):

      Install 10_1709 (I didn’t have any unexpected problems with 1709 — only the normal massive windows 10 problems)

      Start disconnected from the internet and stay that way until prelim settings are set.

      bcdedit /set {default} bootmenupolicy legacy (re-enables F8)

      display delete confirm dialog (recycle bin) — when I try to delete a file, please ask if I am sure rather than silently succeeding!

      “hide merge conflicts” — If I combine two folders don’t overwrite the files with the same name without confirmation.

      “underline keyboard shortcuts” — always good (unless most of windows 10 doesn’t have shortcut and/or don’t do “underlines”)

      “always show menus” — don’t hide the menus!

      “don’t hide extensions” — “something.exe” (with a notepad icon) is NOT the same as “something.txt”!

      taskbar: never combine icons on task bar (just adds to confusion)

      “Allow troubleshooting to begin immediately” — off, don’t try to solve the “problem” you have “detected” before you’ve told me what it is!

      UAC — max (UAC is not perfect, but don’t make it have big obvious flaws by turning it down)

      Enable 64-bit and appcontainer modes in IE (for those who use IE)

      Hide “edge” because its icon looks too much like IE, and someone might try to use it.

      Disable the “dnscache” service (historically caused glitchy DNS behavior, plus we don’t need ANOTHER layer of DNS caching: ISP->router->OS->dnscache windows service->browser) — bonus you never need “ipconfig /flushdns” again.

      Disable the “WMPNetworkSvc” service (glitchy, useless)

      Disable WinHttpAutoProxySvc and iphlpsvc (windows 10 might fight you). — found my own post when I searched about this WPAD (forgot I even posted it — I was recomposing the same way I posted the first time).
      set (in the hosts file):
      255.255.255.255 WPAD

      Set computer not to auto reboot on BSoD. — if an unattended BSoD happens (and recurs on boot) it could allow win10 to start “fixing” the problem before you even see it (aka causing second and third problems)

      Set system restore to reasonable size (windows 10 deletes system restore points crazy often, this may not be super helpful anymore, also deletes ALL restore points on “massive upgrade” every 6 months)

      Disable hybrid shutdown / fast startup. May / will re-enable  every 6 months. (Maybe I should write a script to disable it)

      Disable ANY drivers from windows updates (I will install drivers from the OEM thank you — if there are none then windows 10 isn’t supported on this hardware — drivers are installed before connecting to the internet)
      DriverSearching: “DontSearchWindowsUpdate:1”, “DriverUpdateWizardWuSearchEnabled:0”, “SearchOrderConfig:0” and “ExcludeWUDriversInQualityUpdate:1” (last one barely does anything)
      Device Metadata – PreventDeviceMetadataFromNetwork: 1

      –WindowsUpdate Settings:
      Enable “microsoft update” — why is this separate and off by default!?
      ActiveHours: 7AM-1AM (why can’t I set 24 hours..)
      BranchReadinessLevel: 0x20 (for whatever good it will do)
      DeferFeatureUpdatesPeriodInDays: 125 (one could hope)
      RestartNotificationsAllowed: 1 — “please tell me right away if windows updates are partially installed and I should drop everything and reboot — I would have rather STARTED the installed at my leisure, but at least I won’t be doing a clean install of my antivirus only to find I am half way through a windows update”

      –DeliveryOptimization:
      DODownloadMode: 100 (0x64) bypass, which means don’t use “DO”, instead use BITS, download from microsoft not P2P (if you don’t set this even if you have disabled UPLOAD to P2P you may still be DOWNLOADING from there)
      Config DODownloadMode: 100 (0x64)
      Settings DODownloadMode: 100 (0x64)

      –WindowsStore:
      AutoDownload: 2 (prompt to update store apps)

      Disable windows defender, including services and drivers if a good antivirus will be replacing it (prevents limited periodic scanning from activating) — I had reports that LPS also triggers your normal antivirus to do a full system scan several times a day (to make it look bad?).

      –DataCollection:
      AllowTelemetry: 0
      DoNotShowFeedbackNotifications: 1

      –“Siuf Rules” aka feedback and diag (a bug in the first release of 1709 prevents this from saving from the GUI, which always set it to “full” and “always”):
      NumberOfSIUFInPeriod: 0
      PeriodInNanoSeconds: 0

      AdvertisingInfo: 0

      –Privacy:
      TailoredExperiencesWithDiagnosticDataEnabled: 0

      –Windows Search:
      AllowCortana: 0
      AllowSearchToUseLocation: 0
      DisableWebSearch: 1
      ConnectedSearchUseWeb: 0
      AllowCloudSearch: 0

      –disable,stop (don’t delete it…):
      DiagTrack
      dmwappushservice

      WMI Autologger AutoLogger-Diagtrack-Listener – Start: 0 (collects ETL for DiagTrack)

      –Bluetooth:
      AllowAdvertising: 0

      AllowExperimentation: 0

      NoLockScreenCamera: 1

      –Per user:
      Search:
      CortanaConsent: 0
      BingSearchEnabled: 0
      DeviceHistoryEnabled: 0
      CortanaInAmbientMode: 0
      SearchboxTaskbarMode: 0
      AnyAboveLockAppsActive: 0
      IsWindowsHelloActive: 0
      IsAssignedAccess: 0
      IsMicrophoneAvailable: 0

      Explorer Advanced:
      ShowSyncProviderNotifications: 0 (ads in explorer)
      Start_TrackProgs: 0

      ContentDeliveryManager:
      RotatingLockScreenEnabled: 0
      RotatingLockScreenOverlayEnabled: 0
      SilentInstalledAppsEnabled: 0
      SoftLandingEnabled: 0
      SystemPaneSuggestionsEnabled: 0

      And all the obvious settings in the privacy control panel. (there are more than what I listed above, this was just the easy to explain list)

      Turn on Exploit Protection (emet) for hand selected and tested set of processes, including office. Office 2016 (2013 too probably) DELETES all the Exploit Protection settings for office after any repair and/or update so make a Scheduled Task to re-apply them.

      Keeping in mind that “Don’t Use High Entropy” (on) means “Do Use High Entropy”. So the setting is backwards!
      https://msdnshared.blob.core.windows.net/media/2017/11/WDEGConfig.png

      Also set to bits to make this system default.
      Turn all the “System setting” to on (since windows 10 is a little more lax in applying force rand ASLR it doesn’t break things)
      Also this is a clean install so a broken system is a system restore away from fixed (also ENABLE system restore!).

      Repeat after every massive update (every 6 months), always make a full system backup. — You never know when your settings/preferences will be lost

      Comments?

       

      3 users thanked author for this post.
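
      A read-only way to check, after each feature update, whether some of the values listed in the checklist above are still in place. This is an added example, not part of the original post or of any poster's script; the post gives no registry locations, so the registry paths, the `HiberbootEnabled` value name and the function names below are assumptions.

```powershell
# Added example: read-only drift audit for settings named in the checklist.
# Expected values come from the post. The registry paths are NOT in the post;
# they are the commonly documented policy locations (assumption: verify them
# on your build before relying on the result).
$pol = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows'
$expectedRegistry = @(
    # On Pro and Home editions Windows treats AllowTelemetry 0 as 1 (Basic).
    @{ Path = "$pol\DataCollection";       Name = 'AllowTelemetry';                  Value = 0 }
    @{ Path = "$pol\DataCollection";       Name = 'DoNotShowFeedbackNotifications';  Value = 1 }
    @{ Path = "$pol\DeliveryOptimization"; Name = 'DODownloadMode';                  Value = 100 }
    @{ Path = "$pol\WindowsUpdate";        Name = 'ExcludeWUDriversInQualityUpdate'; Value = 1 }
    @{ Path = "$pol\Windows Search";       Name = 'AllowCortana';                    Value = 0 }
    @{ Path = "$pol\Windows Search";       Name = 'DisableWebSearch';                Value = 1 }
    @{ Path = "$pol\Windows Search";       Name = 'ConnectedSearchUseWeb';           Value = 0 }
    @{ Path = "$pol\Windows Search";       Name = 'AllowCloudSearch';                Value = 0 }
    # Hybrid shutdown / fast startup: 0 = disabled (value name assumed, not in the post).
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Power'
       Name = 'HiberbootEnabled'; Value = 0 }
)
$expectedDisabledServices = 'DiagTrack', 'dmwappushservice', 'WMPNetworkSvc'

function Test-RegistryValue {
    param([string]$Path, [string]$Name, [int]$Value)
    $actual = $null
    if (Test-Path -LiteralPath $Path) {
        $item = Get-ItemProperty -LiteralPath $Path -Name $Name -ErrorAction SilentlyContinue
        if ($null -ne $item) { $actual = $item.$Name }
    }
    [pscustomobject]@{
        Check    = $Name
        Expected = $Value
        Actual   = if ($null -eq $actual) { '<not set>' } else { $actual }
        Drift    = ($null -eq $actual) -or ($actual -ne $Value)   # unset counts as drift
    }
}

function Test-ServiceDisabled {
    param([string]$Name)
    $svc = Get-Service -Name $Name -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Check    = "service $Name"
        Expected = 'Disabled'
        Actual   = if ($null -eq $svc) { '<not installed>' } else { "$($svc.StartType)" }
        Drift    = ($null -ne $svc) -and ($svc.StartType -ne 'Disabled')
    }
}

function Test-HostsWpadEntry {
    # The post sets "255.255.255.255 WPAD" in the hosts file; look for that line.
    $hosts = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
    $found = $false
    if (Test-Path -LiteralPath $hosts) {
        $found = [bool](Get-Content -LiteralPath $hosts |
            Where-Object { $_ -match '^\s*255\.255\.255\.255\s+wpad(\s|#|$)' })
    }
    [pscustomobject]@{
        Check    = 'hosts: WPAD'
        Expected = '255.255.255.255 WPAD'
        Actual   = if ($found) { 'present' } else { '<missing>' }
        Drift    = -not $found
    }
}

$report  = @($expectedRegistry | ForEach-Object {
    Test-RegistryValue -Path $_.Path -Name $_.Name -Value $_.Value })
$report += $expectedDisabledServices | ForEach-Object { Test-ServiceDisabled -Name $_ }
$report += Test-HostsWpadEntry
$report | Format-Table -AutoSize
$drifted = @($report | Where-Object Drift)
if ($drifted.Count) { Write-Warning "$($drifted.Count) setting(s) differ from the checklist" }
```

      The script only reads state and changes nothing, so it can run as a Scheduled Task after updates and flag which entries need to be re-applied by hand.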
      • #175045 Reply

        bobcat5536
        AskWoody Lounger

        Ouch!  That reads like “Gone With The Wind”  🙂

        2 users thanked author for this post.
        • #175047 Reply

          geekdom
          AskWoody Lounger

          Ouch! That reads like “Gone With The Wind” 

          Naaahhh, more like War and Peace meets Iliad.

          Group G{ot backup} Win7 · x64 · SP1 · i3-3220 · TestBeta
          • This reply was modified 6 months, 2 weeks ago by  geekdom.
          1 user thanked author for this post.
        • #175066 Reply

          AJNorth
          AskWoody Lounger

          But we’ll always have Paris.

          1 user thanked author for this post.
      • #175078 Reply

        Jan K.
        AskWoody Lounger

        Comments?

        Sounds like fun!
        And you only have to keep up twice a year!

        Plus of course you probably have to check after updates/patches… wheeee!

        1 user thanked author for this post.
      • #175182 Reply

        zero2dash
        AskWoody Lounger

        Good Lord that’s a lot of stuff.
        I have a PowerShell script I run on all my Win10 machines, seems to do the trick. As time went on, I’ve commented out a lot of it (with #) because I’ve adjusted things elsewhere, but, it works. Quick and easy. https://pastebin.com/JdyJqhjf

        It’s a shame “this is what we have to resort to” in order to make Win10 tolerable.

        2 users thanked author for this post.
      • #175263 Reply

        MrJimPhelps
        AskWoody MVP

        Now this should give you pause. I got a message from an experienced Windows guy (which is to say, a victim, like many of us), who described his method for installing Win10 on a new computer. Here’s his checklist….

        When I perused through that list, I was immediately reminded of the “I’m a PC / I’m a MAC” commercials. Everything about Windows was such a hassle, while the MAC was simplicity.

        I continually wonder when all of the IT folks will get fed up with the whole song and dance that Microsoft makes them do continually just for the privilege of being an unpaid Windows “10” beta tester.

        Group "L" (Linux Mint)
        with Windows 8.1 running in a VM
      • #175546 Reply

        woody
        Da Boss

        A follow-up from the anonymous poster:

        the format I presented was more of a “if you already know about these settings” rather than actual instructions (exact registry key locations were not included, etc..).

        Some highlights include:

        re-enable F8
        enable system restore (disabled by default? cleared after massive upgrades[1803 if the pattern holds]. limited number of restore points on win10 — to marginally improve performance just when that’s NOT what we need)
        Disable hybrid shutdown / fast startup (why would I want my shutdown button to turn into a “log off, then hibernate button” when I already have a hibernate button?)
        Disable auto driver update (which isn’t easy, most instructions are faulty)
        the privacy settings (half the list)

        Interesting:
        With hybrid shutdown / fast startup “revision 1.0” (you know at microsoft where marketing invents an idea, announces it to the public, then tells the developers to make it happen)
        In the first mention of this idea (pre Windows 8.0 release) it would “log off(exiting processes running under your[all?] users, exit all or most windows services leaving pretty much only system/kernel running (possibly unmount the filesystem), then hibernate”. Either they couldn’t actually accomplish this from a technical standpoint or it didn’t work well (buggy or no benefit), so instead we are left with hybrid shutdown / fast startup v2.0 (log off, hibernate) which doesn’t do anything worthwhile.

        “Don’t Use High Entropy” (sliderbox-on) means “Do Use High Entropy”.
        https://msdnshared.blob.core.windows.net/media/2017/11/WDEGConfig.png
        I don’t see this discussed anywhere. Either I’m the only one to notice or I can’t find the right phrasing to find the others (google used to work so much better a long time ago — now, sometimes your number 1,2,&3 search results contained none of your search terms)

        Another gotcha for 1709’s version of emet (WDEP – Windows Defender Exploit Protection) is “Audit”. If this box is checked that exploit mitigation is DISABLED. (the protection may as well be off, a few will log but not block an exploit with audit set)

        2 users thanked author for this post.
    • #175051 Reply

      Rick59
      AskWoody Lounger

      How to install Windows 10 ?

      Don’t!

      Install something else and save your time and mental health.

      2 users thanked author for this post.
    • #175074 Reply

      dononline
      AskWoody Lounger

      I think I’m having an anxiety attack!

      1 user thanked author for this post.
    • #175079 Reply

      Jan K.
      AskWoody Lounger

      Bummer!

      I missed January and February updates… and March too!

      Oh well, my loss.

      At least my machine is happily chugging along with no issues whatsoever, so… meh.

      3 users thanked author for this post.
    • #175080 Reply

      anonymous

      Ridiculous.

      That list, documenting how to “defang” Windows 10, shows how far beyond the mark Windows has fallen. Windows used to be a reliable operating system, one that people trusted to help them work and play. Now? Well, I don’t even think Microsoft knows what a good operating system is anymore.

      Microsoft will do the bare minimum needed to appease the enterprise. For everyone else, welcome to the Wild West.

      2 users thanked author for this post.
    • #175081 Reply

      anonymous

      I can’t wait for another force-feeding from “Father Knows Best” Microsoft. Plus, 1803 is right around the corner, so…you know…put your head back and say “ahhhhh.”

      A fitting quote from Ian Fleming: “Once is happenstance. Twice is coincidence. Three times is enemy action.”

      What are we up to now, three times for 1709? And that’s not even including GWX, “clicking X means give it to me, baby,” the mandatory telemetry vaccinations included in the rollups, or the other bone-headed decisions from On High.

      I didn’t used to be this jaded. Really.

      1 user thanked author for this post.
    • #175084 Reply

      anonymous

      Does someone know what kinds of updates will accompany the March patch? (Adobe Flash updates, Windows Defender update, etc.)

    • #175131 Reply

      anonymous

      I have a question about “turn off Auto Update” said every month: who has still turned on auto update? 😀

      On my windows 7/8.1 machines auto update is deactivated since 2015, it will never ever be turned on again. So in my case there’s no need for turning something off which already is turned off for three years… 😀

      2 users thanked author for this post.
      • #175345 Reply

        Cascadian
        AskWoody Lounger

        There are newcomers arriving to this sanctuary every day. Somewhere Woody must have tucked away a little memo to himself to always write this first step caution so that all newcomers can see the wisdom. Hopefully it causes them to delve in and read more. Every new convert may eventually find the confidence to contribute. Or at least tell their friends where to find good advice.

        • #175458 Reply

          anonymous

          Ah, thanks! I didn’t think about newcomers! 😀

    • #175144 Reply

      geekdom
      AskWoody Lounger

      Patches are designed to provide security, performance, and enhancements.

      Instead, users must choose between:

      • patching for known vulnerabilities
      • potential crashes after installing patches

      Procedures for picking, choosing, debating, removing, and deferring patches are required and avoidance of patches has become normal.

      Group G{ot backup} Win7 · x64 · SP1 · i3-3220 · TestBeta
      1 user thanked author for this post.
    • #175152 Reply

      Pepsiboy
      AskWoody Lounger

      A fitting quote from Ian Fleming: “Once is happenstance. Twice is coincidence. Three times is enemy action.” 

      And to quote Gibbs (NCIS), “There is no such thing as coincidence.”

      This is just another case of MS force feeding stuff that VERY FEW people, if any, REALLY want ! !

      Dave

    • #175153 Reply

      anonymous

      Here we go again.  Strap in and get ready for a wild ride.

    • #175179 Reply

      anonymous

      When is the world / Corporations going to decide ENOUGH of this forced Windows garbage. Take almost any flavor of Linux. It’s capable of doing 95% of business and personal use stuff yesterday. Also a whole lot easier to manage.

      I use an older CentOS 6.x. I install a new box, issue ONE ‘yum update’ and I get a completely patched system in the FIRST Round. No constant reboots. NO forced games, applications, etc. Privacy concerns generally NOT an issue in Linux.

      Why does the world continue to insist on the M$ bull___t train of privacy violations. WHY does M$ feel Windows 10 PRO users NEED Candy Crush, etc.

      5 users thanked author for this post.
    • #175191 Reply

      anonymous

      Try this little tool!

      Windows Update Blocker v1.0 (See @mrbrian ‘s information here)

    • #175214 Reply

      anonymous

      The updates caused serious problems for me. After I transfer all of my data to a USB, I’m switching to Linux. I’m done with Microsoft and Windows 10!

      1 user thanked author for this post.
    • #175219 Reply

      anonymous

      Windows 10; Oh what a tangled web we weave when at first we set out to deceive! I suppose the hits will just keep on keepin on.

    • #175227 Reply

      Microfix
      AskWoody MVP

      WU patch releases are earlier than usual today, just received:

      Kb4088876 Security monthly Quality rollup for W8.1 (parked for installation at MS-DEFCON 3)

      Installed: Kb4088785 Security Update for Adobe Flash Player.

      | W8.1 x64 | Linux x64 Hybrid | W7 Pro x64 | XP Pro/ Home Offline
        No problem can be solved from the same level of consciousness that created IT - AE
    • #175229 Reply

      EP
      AskWoody Lounger

      Uh-oh. New CU for Win7 (KB4088875) has known potential BSOD (blue screen) problems documented by MS-

      stop error or BSOD on non-SSE2 machines and 32bit/x86 computers with Physical Address Extension (PAE) mode disabled

      https://support.microsoft.com/en-us/help/4088875/windows-7-update-kb4088875

      definitely avoid installing this new Win7 update on older systems using non-SSE2 CPUs and those with PAE disabled

      • This reply was modified 6 months, 2 weeks ago by  EP.
      5 users thanked author for this post.
      • #175355 Reply

        anonymous

        ARGH!!!  Will this nonsense ever end?!

        Thanks for the heads-up.

      • #175476 Reply

        anonymous

        Until a month ago I was doing my Windows Update without even thinking but now that I discovered this website, I’m trembling with fear every time there is a Windows update
        XD

        1 user thanked author for this post.
        • #175713 Reply

          Cascadian
          AskWoody Lounger

          anonymous, you have had a very good run with your system. And if you have had no problems so far, it is also likely that with your current use patterns you may continue with uninterrupted use until Microsoft decides that your hardware has aged out of their plans. Many millions of users are having the same experience you describe. I am glad you find humor in a few other people’s misfortunes.

          A recent new voice seems intelligent and strongly displeased. I take McLachT at their word in #post-175673, a well written expression of frustration.

          Also Woody has displayed his usual high level of composure in #post-175524 where he points out the ratio of success or failure does not help the person struggling with an interruption caused by Microsoft.

          I have interpreted your ‘XD’ to mean raucous laughter at the expense of someone who may actually have learned a difficult lesson in trust. If instead your name is Xavier Daniels, I have misunderstood and offer my apologies.

          • This reply was modified 6 months, 2 weeks ago by  Cascadian. Reason: fixed format
        • #175725 Reply

          anonymous

          As long as you follow to heart the MSDEFCON system you shouldn’t worry about anything, have in mind that MSDEFCON-3 doesn’t guarantee that your computer won’t have issues, that is why the best MSDEFCONs are level 4 and 5.

          • #175817 Reply

            anonymous

            Oh no no no I wasn’t laughing at the expense of anyone, I would never do that.

            I’m genuinely afraid of Windows updates since I discovered this website, the “XD” was just here to say that I find it funny because like I said, before I wasn’t even thinking about it and I could have “killed” my PC.

            Now I’m waiting to know if I can install KB4088875 🙂

    • #175240 Reply

      anonymous

      I got kb2976978 telemetry, kb4088876 security  updates, kb890830 [removal tool], kb4088875 adobe flash,  kb4011234 Access, kb4018291 Excel, kb4011695 for word, Office is 2013, Windows 8.1 Update

    • #175352 Reply

      anonymous

      This seems rather valuable. Isn’t there / shouldn’t there / shouldn’t this be on its own post or tutorial?

    • #175717 Reply

      JohnW
      AskWoody Lounger

      Windows 10 Pro is fine.  I like it.  But it does help if you are as geeky as a typical Linux user, and don’t mind getting your hands dirty.

      Signed,

      ‘Windows 10 Wrangler’
