MS-DEFCON 2: Get auto update turned off — and watch out for SMBv1 blocking complications this month

Topic

New Reply

Patch Tuesday’s tomorrow. You know what that means. I’m moving us to MS-DEFCON 2: Patch reliability is unclear. Unless you have an immediate, pressing
[See the full post at: MS-DEFCON 2: Get auto update turned off — and watch out for SMBv1 blocking complications this month]

1 user thanked author for this post.

walker

Reply | Quote

Replies

What is SMBv1 blocking and what are those complications?

 

Ex-Windows user (Win. 98, XP, 7); since mid-2017 using also macOS. Presently on Monterey 12.15 & sometimes running also Linux (Mint).

MacBook Pro circa mid-2015, 15" display, with 16GB 1600 GHz DDR3 RAM, 1 TB SSD, a Haswell architecture Intel CPU with 4 Cores and 8 Threads model i7-4870HQ @ 2.50GHz.
Intel Iris Pro GPU with Built-in Bus, VRAM 1.5 GB, Display 2880 x 1800 Retina, 24-Bit color.
macOS Monterey; browsers: Waterfox "Current", Vivaldi and (now and then) Chrome; security apps. Intego AV

Reply | Quote

Coming soon to a Computerworld article near you.
This topic reserves a place to put the link when a different team finishes their tasks.

Reply | Quote

Crash diving again…had just enough time to recharge the batteries and pull in some fresh air.

Ah, me.  Why does life with MS feel like a scene out of “Das Boot?”

5 users thanked author for this post.

HiFlyer, anita.yk, Fred, BobbyB, Bill C.

Reply | Quote

It reminds me also of the bunker scenes in the last part of the “Der Untergang” (Downfall).

 

Ex-Windows user (Win. 98, XP, 7); since mid-2017 using also macOS. Presently on Monterey 12.15 & sometimes running also Linux (Mint).

MacBook Pro circa mid-2015, 15" display, with 16GB 1600 GHz DDR3 RAM, 1 TB SSD, a Haswell architecture Intel CPU with 4 Cores and 8 Threads model i7-4870HQ @ 2.50GHz.
Intel Iris Pro GPU with Built-in Bus, VRAM 1.5 GB, Display 2880 x 1800 Retina, 24-Bit color.
macOS Monterey; browsers: Waterfox "Current", Vivaldi and (now and then) Chrome; security apps. Intego AV

2 users thanked author for this post.

HiFlyer, Fred

Reply | Quote

woody wrote:

For those running Win10 Pro, Microsoft kindly eviscerated the easy way to set it to defer cumulative updates, but you can still dig into the belly of the machine and turn them off. Unfortunately, you need to revert to the manual Group Policy method that worked in Win10 1607, which I describe here in Steps 3C, E and F.

Susan Bradley has some pithy observations about 1803 removing the easy-to-use GUI that’s available in 1703 and 1709. Yet another reason to avoid the 1803 version.

This is nonsense. Defer feature updates and defer quality updates exist in 1803 PRO Settings GUI just as before, as was pointed out by several users here six weeks ago.

Reply | Quote

OK, dear Woody,

I have read your article in Computerworld, and gone through the German gentleman’s article you provide a link to, in there, and it still is not clear to me whether: (1) This also applies to mine (or to anybody’s) Win 7 machine, and (2) What to do if my peripherals suddenly become unresponsive after installing this month’s patches, other than de-installing those patches — and then living with that? Or should one just join Group W, and be done with all this?

 

 

Ex-Windows user (Win. 98, XP, 7); since mid-2017 using also macOS. Presently on Monterey 12.15 & sometimes running also Linux (Mint).

MacBook Pro circa mid-2015, 15" display, with 16GB 1600 GHz DDR3 RAM, 1 TB SSD, a Haswell architecture Intel CPU with 4 Cores and 8 Threads model i7-4870HQ @ 2.50GHz.
Intel Iris Pro GPU with Built-in Bus, VRAM 1.5 GB, Display 2880 x 1800 Retina, 24-Bit color.
macOS Monterey; browsers: Waterfox "Current", Vivaldi and (now and then) Chrome; security apps. Intego AV

Reply | Quote

Not Woody, but making a prediction from recent observations. You are asking for an article that will not be written for 19 to 24 more days. Forecast reliability approximately that of the old Gypsy lady from Archer. Slightly more reliable is the prediction that we will witness actual fallout, if any, and developing coping methods over the first 11 days. Then opinion voicing and refinement over the following week. When my personal Magic 8-ball (a children’s toy answer generator) decides things are not so cloudy and the answer is YES, I might install on my own. Otherwise I will wait for Woody’s next Computerworld article for directions through the minefield. Administrators and users requiring more timely results have been well served by Patch Lady’s assessment of individual items available.

2 users thanked author for this post.

HiFlyer, anita.yk

Reply | Quote

Oh Anonymous! A mere “Thanks” just wouldn’t do here.

So:

My uncertain (but hopeful, looking at the possible future collapse of the Schrödinger’s function in its relevant configuration space, while eagerly entangled with greatly undefined hopes that some lives may still be left to his cat)  thanks, as befits such a cloudy, vaporous, ghostly and still indistinct — if vaguely scary — issue!

 

Ex-Windows user (Win. 98, XP, 7); since mid-2017 using also macOS. Presently on Monterey 12.15 & sometimes running also Linux (Mint).

MacBook Pro circa mid-2015, 15" display, with 16GB 1600 GHz DDR3 RAM, 1 TB SSD, a Haswell architecture Intel CPU with 4 Cores and 8 Threads model i7-4870HQ @ 2.50GHz.
Intel Iris Pro GPU with Built-in Bus, VRAM 1.5 GB, Display 2880 x 1800 Retina, 24-Bit color.
macOS Monterey; browsers: Waterfox "Current", Vivaldi and (now and then) Chrome; security apps. Intego AV

1 user thanked author for this post.

anita.yk

Reply | Quote

woody wrote:

Many of us are anticipating widespread axing of SMBv1 in this month’s round of Windows updates. (It’s long overdue, in my opinion. SMBv1 is a wide open security hole.) Günter Born has a detailed analysis of the current state of the problem, and the effects of its possible solution, on his Born City blog.

SMBv1 was axed eight months ago in 1709. How can it be axed again?

SMBv1 is not installed by default in Windows 10 Fall Creators Update and Windows Server, version 1709 and later versions

Reply | Quote

SMBv1 wasn’t installed in 1709, but the installation was kept if upgrading from a previous version of Windows 10.
So I think the axing refers to it soon to be forcibly removed from existing installations.

Reply | Quote

Hi all. This may not be the best place to post this, and I am sorry if it is, but:

I’m running a Win7 SP1 x64 Home Premium self-built PC as my main/only box.

Due to the great help from AskWoody’s site here, and Josh Mayfield’s most timely and
excellent GWX Control Panel, I avoided the GWX forced Win10 upgrade campaign/malware of
2016. This PC’s last reformat/reinstall of Win 7 was on 3/3/2015. I’m a Group A
(modified) updater; i.e. I typically wait until after Patch Tuesday for the Defcon 3 go-
ahead to install anything from WU, with the exception of Defender, which I keep updated.
I use Kaspersky as my AV and MBAM as my malware defenses. My WU setting is “Never Check
for Updates,” with Recommended Updates checked. I’m currently (safely?) updated through May 2018.

To my horror, a couple of days ago, I checked WU’s “Installed Updates” and found these:

KB2952664 4/8/2016
KB3150513 5/6/2016
KB3021917 3/3/2015
KB3068708 6/17/2015
KB3080149 8/19/2015
KB3022345 5/7/2015

Since it appears Microsoft *may* be renewing a GWX-style initiative, would it be best/safe to uninstall these updates?
I do fairly regular folder/file backups to optical media and it’s way past time for a reformat and fresh reinstall of Win 7.

Thanks much for any advice!
-Grond

Windows 10 Pro x64 v1909 Desktop PC

Reply | Quote

You can uninstall those patches, BUT you are going to have a problem with uninstalling KB 2952664. It has been reissued many times. When you uninstall it, the next earliest version shows up (it appears it didn’t uninstall, but it’s one earlier version you see). Bottom line, you have to remove all of them.

This has been discussed in length on this site. If you search for 2952664, you will find methods to remove it and even scripts for the purpose.

But GWX is over and Microsoft has said it will not repeat it again.

3 users thanked author for this post.

jburk07, walker, Grond

Reply | Quote

It is possible to see an attempted upgrade to Windows 10, even at this late date. I worked on a Windows 8.1 laptop about four months ago, and when I powered it on, the first thing it did was begin the upgrade process to Windows 10. I was able to stop the upgrade in time; I then installed GWX Control Panel and used it to erase all traces of Windows 10.

I don’t know how it happened that GWX got onto that laptop at that late date; but somehow it did. Moral of the story, there is no harm in installing GWX Control Panel and setting it to prevent an upgrade to Windows 10; and doing so might save you from having to reverse an unwanted upgrade to Windows 10.

Group "L" (Linux Mint)
with Windows 10 running in a remote session on my file server

1 user thanked author for this post.

jburk07

Reply | Quote

@Grond: You say: to your horror. Does that mean you did not install these updates yourself? It would be really bad if Microsoft has sneaked them onto your pc …

Reply | Quote

Issue you might have with 1803 : drive letter appearing and your computer complaining you don’t have enough space.

Ok, just to make me mad today, I got bitten by a 1803’s idiotic issue.

Some poor folks running home version got updated recently to 1803 and called me today (two unrelated parties) with the same issue. I am glad I don’t have too many Home versions to support.

What happened is a drive letter somehow got assigned to their 450mb recovery partition that should be hidden and is now showing nothing (when you click on it to see the content in File Explorer) and almost full at the same time (because, you know, it contains the recovery stuff and it takes up almost all space). So the computer complains that you run low on space. One person told me it was warning him every half hour, but maybe it was the installed but not paid cleaning premium Avast product that complained that often, I am not sure. I didn’t even bother to ask the other person if it was bothering him often and I did the same procedure right away.

Normally, I would have gone into disk management to quickly remove the drive letter. However, when right-clicking on this partition in disk management (and good luck finding it if you don’t do WIN-R diskmgmt.msc), it offers nothing in that regard now. Great. The storage screen in the control panel replacement for dummy doesn’t even show anything about managing disks, resizing partitions, or accessing the old but trusted disk management. Greater. That’s the best Windows ever.

So the best way is to go the way of the Linux folks with the command prompt. Glad to see we now have to start managing Windows the same way as some obscure half maintained distro of Linux, even with the weird things not working right out of the box.

Open a file explorer box just for the fun of seeing the drive letter disappear while performing the surgical operation that follows. Since you’re not on my PC which defaults to show my drives like before, you might have to click on the left “This computer” (not “My computer” anymore as some observant individual noted here). There you will see the drive that shouldn’t be.

So go into an admin command prompt : WIN-X-A

Then type diskpart

list volume

check which volume contains a drive letter, is 450Mb and should be your recovery partition. Don’t get the wrong drive or you could hide a good one. The letter will likely be E or F, but if you think it is C, take a deep breath and look again more carefully.

type select volume 2 if the drive number is 2, well you get the idea it might or might not be 2 and you need to type the right number, right?

then, after also having noted what letter was assigned to that drive, type the following:

remove letter F if the letter is F or change F for the right letter.

Look at the drive disappearing from File Explorer. Don’t worry, it will still be there for recovery, just not for Windows complaining you lack space.

type exit, then press enter, rinse and repeat.

Some more advanced folks might note this partition should be hidden (it is on my 1703) and obviously it is not anymore if you had this issue. The thing is, I tried hiding it using attributes volume set hidden on the selected volume but it says the object is not found, so I lost patience too quickly to continue and anyway removing the letter was enough.

Thanks, Microsoft, for another stupid issue none of your beta testers made you quickly fix before release, but 2 of the few I support did notice.

Reply | Quote

That was covered here six weeks ago:

2. After 1803 seeing several reports of recovery drive being assigned a drive letter. Not expected. Workaround: Use Diskpart to remove drive letter. Acknowledged by Microsoft.

https://www.askwoody.com/2018/patch-lady-early-trending-issues-with-1803/

How long ago did they update?

Reply | Quote

Thanks, i guess it didn’t leave a long lasting impression when I quickly read about it a few weeks ago and to be honest, I think I waste less time not running the latest build and waste time looking at issues that will be likely fixed by the time I do run the build. I quickly glance at the threads to have an idea what to expect if I get a call from poor Home versions folks, but this issue was minor for me and easy to fix.

They have been force updated recently, maybe a week or two ago.

But still, how come this simple issue hasn’t been fixed yet? How do Microsoft expect home folks to fix that themselves if they are not IT savvy? This is such a shame.

1 user thanked author for this post.

Elly

Reply | Quote

AlexEiffel wrote:

How come this simple issue hasn’t been fixed yet? How do Microsoft expect home folks to fix that themselves if they are not IT savvy? This is such a shame.

Alex:

Thanks for the detailed explanation of how to address this bug.

You’re absolutely right; a non-IT person wouldn’t have a clue where to begin fixing this one. And if they tried, they would likely mess things up even more.

Jim

Group "L" (Linux Mint)
with Windows 10 running in a remote session on my file server

1 user thanked author for this post.

AlexEiffel

Reply | Quote

Concerning SMB1, I have an old Buffalo Linkstation network drive which cannot run smb above v1. Buffalo claim to have firmware (unfortunately not for my drive though) to plug the vulnerability for SMB1 and still use it.

My question is, is there a way to plug the vulnerability in Windows (eg by a third-party method) so that I can continue to connect to my old drive (relatively) safely?

Reply | Quote

The vulnerability (EternalBlue/WannaCry) that was there months ago was already fixed, but since Microsoft knows best, they’re again taking it upon themselves to make your decision for you about whether SMB1 will be available.

The problems that exist in SMB1 now are not vulnerabilities in the sense that we usually use the word, which is to mean particular security bugs that can/should be fixed.  They’re simply a lack of security features that reflect the age of SMB1 and the simpler time we lived in when it was current.  The fix IS to use later versions… that’s what they are for.

Still, as CH100 pointed out all that time ago when the WannaCry vulnerability was patched, removing SMB1 can cause network browsing issues and other annoyances, and that the later SMB versions were not meant to replace SMB1 in the sense that SMB1 would be deleted, but to exist alongside of it so it can still do its thing (apologies to CH100 if I am paraphrasing incorrectly; it’s been a while) if needed.

In my case, and I’d guess in the case of many home networking users, none of the security features they added to SMB in later versions will mean anything to me.  My network shares are open, since no one but me has physical access to any bit of the network, from the router to the ethernet cables to the PCs themselves, and I want the convenience of an open pipeline between my various PCs.  None of the security features mean a thing in this case, so there’s no benefit to prohibiting SMB1 for me, with several potential downsides.

Of course, I’m not all users, but the point is (as I have said so many times since this “Windows as a Dictator Service” debacle began) that one size does not fit all.  Remove it as a default option if you wish (which they did), but leave it at that.  Average people who have no need for SMB1 (or understanding of what it is) are not going to inadvertently stumble into the “Turn Windows features on or off” dialog, then accidentally scroll down to SMB1, then errantly click the box to enable it, then unintentionally hit the Ok button.  If someone’s going to do that, it’s for a reason, and it’s not Microsoft’s or Ned Pyle’s job to tell me, or anyone else, NO.

Dell XPS 13/9310, i5-1135G7/16GB, KDE Neon 6.2
XPG Xenia 15, i7-9750H/32GB & GTX1660ti, Kubuntu 24.04
Acer Swift Go 14, i5-1335U/16GB, Kubuntu 24.04 (and Win 11)

8 users thanked author for this post.

Elly, SueW, columbia2011, JCCWsusser, johnf, AlexEiffel, anita.yk, Cybertooth

Reply | Quote

Many thanks for the reply. So are you saying that if I am a home user with only 2 pc’s and a NAS, I shouldn’t have to worry about the insecurities of SMB1?

Reply | Quote

I can’t make a recommendation without knowing more details than that, and even then, it’s just one opinion among many. I present it so people can make an informed decision, but please don’t just take it (or the words from any other person) as definitive on this or any matter!

Are you using password-protected shares?  If not, SMB1’s weak security features won’t harm you, since you’re not using them anyway.  If you are using protected shares, how concerned are you that someone might gain access to the network without authorization?  If that’s a concern for you at all, you might want to consider ditching SMB1, because its security features are not very robust.  MS is not making that up… my point is that it doesn’t matter to every one of their users, yet they’re making the feature unavailable to every one of their users (of 10) just the same.

For some people, keeping SMB1 is about keeping older network devices working.  A number of them don’t and will never support anything other than SMB1, so this edict from Microsoft essentially renders those pieces of hardware useless.  Home users don’t even get the opportunity to block the automatic upgrade to keep their network fully functional unless they use tricks like setting the connection to metered, and even then who knows if MS will decide that this is one of those things that is important enough to ignore the metered connection setting?

When you ditch SMB1, you also ditch NetBIOS and the Computer Browser functionality.  They’re old and dusty relics for sure, but they still work, and a lot of home networks still use them, since they are well suited to the simple, decentralized type of network that is often seen in the home.  With Homegroups gone, and now NetBIOS and Computer Browser going away, I don’t know what is meant to replace them in home networks.  I tried disabling SMB1 in my own home network back when WannaCry was in the news, and I immediately lost any ability to browse the network (that is, to see what shared items were available on the network, and from whom).  I was able to connect to my shares directly by IP address easily enough, and I can also very easily set the router up to act as a DNS server so that I can access any PC on the network without knowing the IP address.  That’s all I would need to build a working network, but the ability for each share to be discovered and automounted via NetBIOS is just so convenient, and the benefit of ditching SMB1 was for me so… well, nonexistent, that I never did so.

I still don’t know what’s supposed to replace CIFS/Browser (or “Bowser” as it is misspelled in the registry) and NetBIOS for home networking users who don’t know how to connect to a share other than clicking the icon associated with it, and who are used to the largely self-configuring nature of previous Windows machines when it comes to networking.  While I use myself as an example of someone who would not benefit from dropping SMB1 completely, I could do it without any real hardship… I just wonder what the regular home networking users are supposed to do without it.  Maybe there is something and I am just not aware of it.  Even if there is, it won’t bring back functionality to those NAS devices, printers, scanners, etc., that rely on SMB1 to work, and for users who aren’t using secured shares anyway, it’s all loss and no gain to lose SMB1.

Dell XPS 13/9310, i5-1135G7/16GB, KDE Neon 6.2
XPG Xenia 15, i7-9750H/32GB & GTX1660ti, Kubuntu 24.04
Acer Swift Go 14, i5-1335U/16GB, Kubuntu 24.04 (and Win 11)

2 users thanked author for this post.

Elly, Cybertooth

Reply | Quote

Many thanks again for replying, don’t worry I wasn’t planning on blaming you if I follow your advice and things go wrong! I’m just collecting information to help make a better decision and your opinion is valuable.

No-one but myself has access to any of my computers and I have enabled file+print sharing and client for MS networks on my ethernet connection only, both are diabled on my wifi connection which is the one connected to the internet. I read somewhere though that disabling these might not be honored.

Does this look like a safe-ish setup to keep SMBv1 with?

Reply | Quote

It looks like a relatively safe-ish setup to keep SMB1 on, yes.

It boils down to whether you consider the security features of SMB essential on your network or not.  If they are important, you should ditch SMB1, because its security features are so weak and easily compromised that they can pretty much be considered to be irrelevant.  By running SMB1, you’re pretty close to running an unsecured network… in my case, I actually am running an unsecured network, so it doesn’t matter at all that SMB1 is weak on security.

Again, Microsoft is not lying when they say SMB1 is insecure.  They’re not wrong to try to phase it out as long as people who still want to use it despite its weak security features can enable it.  Windows still allows open shares to be created, and a network full of those is less secure than a password protected SMB1 network, so it seems silly to draw such a hard line on SMB1 in context.

I probably shouldn’t go any further with that line of thought, lest I give them more ideas for features to rip out of Windows (for our own good, of course).  Never mind, MS, I didn’t say a word!

Dell XPS 13/9310, i5-1135G7/16GB, KDE Neon 6.2
XPG Xenia 15, i7-9750H/32GB & GTX1660ti, Kubuntu 24.04
Acer Swift Go 14, i5-1335U/16GB, Kubuntu 24.04 (and Win 11)

2 users thanked author for this post.

Elly, Cybertooth

Reply | Quote

The metered connection trick is successfully blocking Win 1803 on my W10 Home box.  The bad news is that this is also blocking my ability to install any other updates that I want, e.g. Flash, MSRT, and others that appear along with 1803 on Settings>Update Status list.  It also is blocking any 1709 updates from appearing as available.  I’ve used wushowhide to hide 1803 (presumably successfully), hoping that WU will refresh the pending list without 1803.  No joy…1803 still there.  The only option offered is “Download Now”.  I ran WU Troubleshooter which identified (insultingly!) the problem as being “Pending updates — Download now”.  Wushowhide is not hiding 1803 effectively.  Do I have to forego ALL future updates if I wish to NOT install 1803?  Suggestions sought and appreciated.

Reply | Quote

Consider using the  Windows Update MiniTool  Wrapper Script,  most commonly referenced as  WUMT  Wrapper Script.   Read about it before trying, and post back with results.

https://www.ghacks.net/2017/04/19/run-windows-update-on-windows-10-manually-only/
https://forums.mydigitallife.net/threads/wumt-wrapper-script-controls-windows-update-service.72203/page-23
http://www.majorgeeks.com/files/details/wumt_wrapper_script.html

Reply | Quote

Thanks much for your suggestion, but I’m not a techie and these steps are likely outside my comfort zone.  I was hoping that after hiding 1803 with wushowhide that a future update scan would recognize the hidden 1803 and release the blocked updates…as mentioned in one of Woody’s articles.  This didn’t happen for me so I’m faced with an all of nothing decision.

Reply | Quote

Are almost all windows updates rubbish anymore? I haven’t updated since like March and I feel like I should be updating by now but you always have it set on def com 2.  So am I right in not having updated since then?
Windows 7 btw.

Reply | Quote

anonymous wrote:

…but you always have it set on def com 2

Ah,no, it’s not always set at MS-Defcon 2! Ok, it’s not gone above MS-Defcon 3 this year, but 😉

4 users thanked author for this post.

SueW, walker, Elly, ch100

Reply | Quote

I remember when it was on MS-Defcon 5 about a year ago! What a momentous occasion!

Group "L" (Linux Mint)
with Windows 10 running in a remote session on my file server

1 user thanked author for this post.

SueW

Reply | Quote

Not often but definitely a rare Momentous occasion worth noting 🙂

4 users thanked author for this post.

SueW, Elly, walker, Cybertooth

Reply | Quote

I was just about to request proof of Mr. Jim Phelps’ outrageous claim! 😀

You were shocked and knew nobody would ever believe you, so took a screen shot? Smart!

Reply | Quote

Must be a photochop.  🙂

Red Ruffnsore

1 user thanked author for this post.

BobbyB

Reply | Quote

Never a dull day with Microsoft.
I cant recall a date where no buggy patches were introduced.
Therefore i always have my Windows of Pain Updating procedure set to Check for Updates and let me choose when to install them, (no idea what category I am in)?
I also leave the: Give me recommended updates the same way I receive important updates Un-checked.
All in all this gives me time to trawl through those updates to find out what they are and their implications to systems before installing.
I have just installed the previous month’s (May) complete roll-up and net on the 11/06/18 on my Win 7 Pro system when the Updates were flagged Defcon 3 and thankfully all worked ok without any bugs or issues to the computer or system, (Thanks to Woody and the Patch Lady with explanations and links).
(No doubt this also depends on hardware and software installed and configuration of said as no system is identical).
(as a side note I don`t think we will ever see a Defcon 5 anymore).
As I am in AU I have only seen the preview of this months and I am not to impressed to what I have read so again the long wait to the end of June before I even contemplate installing any of these which are yet to arrive.
I dread the day when I will have to switch to Win 10 which I have installed only on a spare test bed computer and what I see is not very impressive.
To be honest all I need is a good operating system much like XP or 7 has been in the past and not a computer what seems more and more Android like of which one is give little adjust-ability in relations to Security and MS continually spying on you.
Regards.
Frank n St31n.

EDITED for content – please respect the Lounge Rules

Reply | Quote

Anonymous #197348 : “I cant recall a date where no buggy patches were introduced.”

Well, I can. But I’m really old. So don’t feel too bad about it.

 

Ex-Windows user (Win. 98, XP, 7); since mid-2017 using also macOS. Presently on Monterey 12.15 & sometimes running also Linux (Mint).

MacBook Pro circa mid-2015, 15" display, with 16GB 1600 GHz DDR3 RAM, 1 TB SSD, a Haswell architecture Intel CPU with 4 Cores and 8 Threads model i7-4870HQ @ 2.50GHz.
Intel Iris Pro GPU with Built-in Bus, VRAM 1.5 GB, Display 2880 x 1800 Retina, 24-Bit color.
macOS Monterey; browsers: Waterfox "Current", Vivaldi and (now and then) Chrome; security apps. Intego AV

3 users thanked author for this post.

Elly, HiFlyer, anita.yk

Reply | Quote

anonymous wrote:

To be honest all I need is a good operating system much like XP or 7 has been in the past and not a computer what seems more and more Android like of which one is give little adjust-ability in relations to Security and MS continually spying on you.

Frank, have you considered Linux Mint? Or, for a less capable computer, Elementary OS.

Group "L" (Linux Mint)
with Windows 10 running in a remote session on my file server

1 user thanked author for this post.

Bill C.

Reply | Quote

@Woody : This thread is becoming “literature”, almost.
but, really, thank you all.    😀

* _ ... _ *

Reply | Quote

I have had an on-going parade of BSODs with 1803.  I have gone through and made sure that drivers are up-to-date.

SFC /SCANNOW is now unable to complete.  The same is true with DISM.  I Bluescreen before the Media Creation Tool can complete an ISO to a USB.

Does Microsoft have a support page for the 1803 issues?

Reply | Quote

The Media Creation Tool can be used to create a bootable install CD/USB from any PC without installing Win10 on that PC. If you have another computer available (even temporarily), you can make an install CD/USB.

You may also have another option. If you can boot into the Recovery environment (a Rescue CD/USB, or an F-key on bootup), you may be able to roll back to a previous version of Win10, access System Restore to an earlier restore point, or reinstall the OEM OS from the recovery partition.

There have been hardware incompatibilities with 1803 (like certain SSDs). It would help to know more about the specs of your computer.

Reply | Quote

I was actually using the instructions at:

https://www.windowscentral.com/how-use-dism-command-line-utility-repair-windows-10-image

Would you know where Microsoft has posted info on specific hardware that is incompatible with 1803?  This would be a useful resource.

Reply | Quote

I don’t think MS has a definitive list. We had reports here of problems with some Intel and Toshiba SSDs, and a smattering of other problems.

Reply | Quote

I don’t trust Microsoft especially after Woody saying several times that Microsoft sometimes bypasses the settings within Windows to defer updates and upgrades.

I still use the Group Policy editor to set these deferrals. Because of this the settings in Windows Update are grayed out. More important, there is a notice in yellow at the top: “*Some settings are managed by your organization.”

My reasoning is that Microsoft might want to bypass an individual, but an organization less so. They don’t want a big business complaining that their IT was flooded with issues of buggy quality updates and even buggier feature updates. Perhaps that notice says that my organization’s IT (me) is in charge of these matters and not to mess with them.

A while back, I read of a way to update group policy without a restart.
Launch an elevated Command Prompt and run the command “gpupdate/force”. This automatically causes any sort of change you made to the Group Policy to take effect.
For the most part, this works really well.

Edit to remove HTML. Please use the “Text” tab in the entry box when you copy/paste.

1 user thanked author for this post.

MrJimPhelps

Reply | Quote

I do that also on multiple computers and it worked well for me. I guess your hypothesis is still valid for now on the Pro version. Also, it is better to follow what Microsoft says, like don’t put telemetry to zero on a non Enterprise version, as it won’t work anyway and it might create other unexpected issues to punish you like disabling other group policies effects.

Reply | Quote

millerah wrote:

I still use the Group Policy editor to set these deferrals. Because of this the settings in Windows Update are grayed out. More important, there is a notice in yellow at the top: “*Some settings are managed by your organization.”

My reasoning is that Microsoft might want to bypass an individual, but an organization less so

Very clever. I’ll have to remember that trick.

Group "L" (Linux Mint)
with Windows 10 running in a remote session on my file server

Reply | Quote

I’ve observed this script attempting to run on our Windows 10 machines at various intervals for quite some time. I do let it run when I see it. It disables SMB1 if it detects that it has not been used for a specified period of time.

[*COMMAND*] & C:\Windows\system32\WindowsPowerShell\v1.0\Modules\SmbShare\DisableUnusedSmb1.ps1 -Scenario Client

Red Ruffnsore

1 user thanked author for this post.

AlexEiffel

Reply | Quote

You can turn this script off from the same place you can disable SMBv1.

In Control Panel under “Programs and Features” click on “Turn Windows features on or off” (you’re probably familiar with this tool already). Under “SMB 1.0/CIFS File Sharing Support” (click on the + to its left), untick “SMB 1.0/CIFS Automatic Removal”, click OK and Windows will delete the script and its trigger.

Doing this and ticking it again puts the script and trigger back. No reboot necessary either way.

4 users thanked author for this post.

Elly, Mr. Natural, MrJimPhelps, b

Reply | Quote

Avoid catastrophic computer failure.
Make your backups now.

On permanent hiatus {with backup and coffee}
offline▸ Win10Pro 2004.19041.572 x64 i3-3220 RAM8GB HDD Firefox83.0b3 WindowsDefender
offline▸ Acer TravelMate P215-52 RAM8GB Win11Pro 22H2.22621.1265 x64 i5-10210U SSD Firefox106.0 MicrosoftDefender
online▸ Win11Pro 22H2.22621.1992 x64 i5-9400 RAM16GB HDD Firefox116.0b3 MicrosoftDefender

1 user thanked author for this post.

amraybt

Reply | Quote

KWGuy wrote:

The metered connection trick is successfully blocking Win 1803 on my W10 Home box. The bad news is that this is also blocking my ability to install any other updates that I want, e.g. Flash, MSRT, and others that appear along with 1803 on Settings>Update Status list. It also is blocking any 1709 updates from appearing as available. I’ve used wushowhide to hide 1803 (presumably successfully), hoping that WU will refresh the pending list without 1803. No joy…1803 still there. The only option offered is “Download Now”. I ran WU Troubleshooter which identified (insultingly!) the problem as being “Pending updates — Download now”. Wushowhide is not hiding 1803 effectively. Do I have to forego ALL future updates if I wish to NOT install 1803? Suggestions sought and appreciated.

I’m in the same boat except that I have Pro instead of Home and I don’t have Wushowhide installed. I watch Susan’s patch list and go to the MS catalog site and D/L and install the relevant patches that are safe. So far so good.

Don't take yourself so seriously, no one else does 🙂
All W10 Pro at 22H2,(2 Desktops, 1 Laptop).

1 user thanked author for this post.

KWGuy

Reply | Quote

As far as I understand,  the  wushowhide  from Microsoft is a stand-alone diag.cab utility that does not  “install”.  I downloaded to my Downloads folder and then moved it to my Desktop. Double clicking it launchs it, remember to be connected to internet,  AND  more important, as per  Woody/Da Boss  instructions,  Click Advanced, and  Un-check the Box marked “Apply repairs automatically.  Woody says  that part is important.  Link to read follows:
https://www.computerworld.com/article/3232632/microsoft-windows/how-to-block-windows-10-april-2018-update-from-installing.html?page=2

Reply | Quote

Getting back to SNBv1 Blocking Complications . . . I’m wondering if this will affect my Win 7?  All of the discussion I’ve seen here so far centers around Win 10 1803 vs. 1709, etc.  It would be nice to know if all current Windows OS’s are affected by whatever is going to happen.

Being 20 something in the 70's was so much better than being 70 something in the insane 20's

Reply | Quote

I would like to know the following, as an explanation does not seem to be available in the previous postings, at least in terms both obvious and comprehensible enough for me:

Given that:

(1) I have an 11 years old PC with Windows 7 Pro, SP1, x 64, and an Intel I-7 “sandy bridge” CPU.

(2) I have access to the Internet via one router for wide-band radio and Ethernet connection to my PC and also to my Mac, one at the time, and to nothing else.

(3) I patch my PC the Group B Way.

Am I going to have a problem because of the issues discussed here?

Thanks for any clear answers someone might be kind enough to give.

 

Reply | Quote

If you’re referring to the SMB v1 issue, you’ll need to decide whether or not you want to disable SMB v1. SMB v1 is an old protocol for allowing your devices to communicate on your home network. If SMB v1 is enabled, you won’t have much security on your network. However, if it is disabled, you may have some old devices which need v1, and so they will no longer be able to communicate on your home network.

I suggest that you disable SMB v1 and see what effect it has. There probably won’t be any bad effect for you, and by disabling v1, you will make your home network more secure.

Read through the following thread:
https://www.askwoody.com/forums/topic/ms-defcon-2-get-auto-update-turned-off-and-watch-out-for-smbv1-blocking-complications-this-month/#post-197325

In the above thread, Ascaris gives an excellent explanation of the security concerns with SMB v1.

Here’s how to disable SMB v1:
https://www.askwoody.com/forums/topic/ms-defcon-2-get-auto-update-turned-off-and-watch-out-for-smbv1-blocking-complications-this-month/#post-197520

Group "L" (Linux Mint)
with Windows 10 running in a remote session on my file server

Reply | Quote

Okay I hid the updates-Although I got the monthly malware update and the antivirus thing for windows defender (which has a seem or same one each day)-I did see 1803 feature was among the updates-it must of got reupdated or so by microsoft. So I hid that too.

It’s almost like Microsoft is trying to force people to update to 1803, BUT I say no thank you-I am hiding it until you sort your issues out

Reply | Quote

Windows 8.1 x64.   I’ve had good luck with system restore if needed, so I just tossed in the updates.   No problems found.    I’m happy with that OS.  It doesn’t have the update problems of 7 or 10.

Reply | Quote

Peabody here.

June 12, 2018—KB4284826 (Monthly Rollup)
Windows 7 Service Pack 1
Windows Server 2008 R2 Service Pack 1

Installed without error and system reboots without error.

On permanent hiatus {with backup and coffee}
offline▸ Win10Pro 2004.19041.572 x64 i3-3220 RAM8GB HDD Firefox83.0b3 WindowsDefender
offline▸ Acer TravelMate P215-52 RAM8GB Win11Pro 22H2.22621.1265 x64 i5-10210U SSD Firefox106.0 MicrosoftDefender
online▸ Win11Pro 22H2.22621.1992 x64 i5-9400 RAM16GB HDD Firefox116.0b3 MicrosoftDefender

2 users thanked author for this post.

Chessie, columbia2011

Reply | Quote

So: Once More With Feeling:

Is this all about Windows 10? Am I, with Win 7 Pro, x64, I-7 “sandy bridge” in my old only for home use PC with a dedicated router for Internet connection, free from this kind of problem, whatever it is?

I’ll really appreciate an answer concise and to the point.

Ex-Windows user (Win. 98, XP, 7); since mid-2017 using also macOS. Presently on Monterey 12.15 & sometimes running also Linux (Mint).

MacBook Pro circa mid-2015, 15" display, with 16GB 1600 GHz DDR3 RAM, 1 TB SSD, a Haswell architecture Intel CPU with 4 Cores and 8 Threads model i7-4870HQ @ 2.50GHz.
Intel Iris Pro GPU with Built-in Bus, VRAM 1.5 GB, Display 2880 x 1800 Retina, 24-Bit color.
macOS Monterey; browsers: Waterfox "Current", Vivaldi and (now and then) Chrome; security apps. Intego AV

1 user thanked author for this post.

Charlie

Reply | Quote

From a home user perspective running Windows 10, your only concern may be your router. As mentioned Microsoft has already been running scripts behind the scenes to disable SMB1 on Windows 10. Only thing folks should be aware of including Windows 7 users is if Microsoft releases a patch on this they need to wait for the green light from Askwoody. There should be no concern about completely removing SMB1 because if it breaks something, then that is a security concern that needs addressing. Only concern is any patch released by Microsoft. 🙂

Red Ruffnsore

3 users thanked author for this post.

walker, jburk07, Charlie

Reply | Quote

Mr. Natural, thanks!

I hope I am not imposing too much already,  but I need to ask:

So, is it safe to assume that a “good” patch that removes SMB1 will not stop me from using all my peripherals? Or will I have to be ready to uninstall such a patch, even if green-lighted by Woody, if it does make some peripherals unresponsive, because it very well might?

Also, unless, of course, it is still too early to tell: is it known if this is going to come via the security only patch, or the IE security cumulative patch, or through a separate patch altogether (not counting security rollups, which I never install, being Group B)?

 

Ex-Windows user (Win. 98, XP, 7); since mid-2017 using also macOS. Presently on Monterey 12.15 & sometimes running also Linux (Mint).

MacBook Pro circa mid-2015, 15" display, with 16GB 1600 GHz DDR3 RAM, 1 TB SSD, a Haswell architecture Intel CPU with 4 Cores and 8 Threads model i7-4870HQ @ 2.50GHz.
Intel Iris Pro GPU with Built-in Bus, VRAM 1.5 GB, Display 2880 x 1800 Retina, 24-Bit color.
macOS Monterey; browsers: Waterfox "Current", Vivaldi and (now and then) Chrome; security apps. Intego AV

Reply | Quote

Oscar,

Right now, there is no patch that removes SMB1 from Windows 7 or 8.1 coming down the pike.  If you’re not using Windows 10, this alert about SMB1 isn’t going to affect you.  It’s just about Windows 10.

No one but MS knows what patches may be planned for the future, but given that MS is doing the bare minimum with 7 and 8.1, my guess would be that MS will not roll out such a patch for the older Windows versions.  If it should ever come to pass that they do, we will deal with it at that time, and as always, Woody’s MS-DEFCON will be there to assist you.

Dell XPS 13/9310, i5-1135G7/16GB, KDE Neon 6.2
XPG Xenia 15, i7-9750H/32GB & GTX1660ti, Kubuntu 24.04
Acer Swift Go 14, i5-1335U/16GB, Kubuntu 24.04 (and Win 11)

7 users thanked author for this post.

SueW, Elly, jburk07, Charlie, Cybertooth, Mr. Natural, columbia2011

Reply | Quote

Ascaris,

A million thanks for that!

By making that simple, forthright and clear statement, in plainest English, you just have made me, and possibly all those other umpteen Windows 7 and 8.1 users that throng this site — incredibly happy!!!

Oh joy! This has noting to do with us… at least as far as one can be sure of anything that might come out of MS these days.

Ex-Windows user (Win. 98, XP, 7); since mid-2017 using also macOS. Presently on Monterey 12.15 & sometimes running also Linux (Mint).

MacBook Pro circa mid-2015, 15" display, with 16GB 1600 GHz DDR3 RAM, 1 TB SSD, a Haswell architecture Intel CPU with 4 Cores and 8 Threads model i7-4870HQ @ 2.50GHz.
Intel Iris Pro GPU with Built-in Bus, VRAM 1.5 GB, Display 2880 x 1800 Retina, 24-Bit color.
macOS Monterey; browsers: Waterfox "Current", Vivaldi and (now and then) Chrome; security apps. Intego AV

1 user thanked author for this post.

Charlie

Reply | Quote

Perseverance pays off Oscar!

Being 20 something in the 70's was so much better than being 70 something in the insane 20's

Reply | Quote