• MS-DEFCON 2: Get Windows automatic update locked down

    #1944894

    Tomorrow’s Patch Tuesday, and y’all know what that means. Take a few seconds right now to make sure Windows Automatic Update is turned off. If you’re
    [See the full post at: MS-DEFCON 2: Get Windows automatic update locked down]

    • #1945002

      In the event that automatic update didn’t get turned off, make backups now.

      On permanent hiatus {with backup and coffee}
      offline▸ Win10Pro 2004.19041.572 x64 i3-3220 RAM8GB HDD Firefox83.0b3 WindowsDefender
      offline▸ Acer TravelMate P215-52 RAM8GB Win11Pro 22H2.22621.1265 x64 i5-10210U SSD Firefox106.0 MicrosoftDefender
      online▸ Win11Pro 22H2.22621.1992 x64 i5-9400 RAM16GB HDD Firefox116.0b3 MicrosoftDefender
      • This reply was modified 5 years, 8 months ago by geekdom.
    • #1945337

      Details in Computerworld Woody on Windows.

      There’s a better way with Win10 version 1903

      Although Microsoft hasn’t officially documented the changes anywhere I can see,

      That’s a very strange comment in view of detailed instructions appearing at:

      Download and install now option
      Extended ability to pause updates

      New features that put customers more in control of updates

      We know that sometimes, updates can come at inconvenient times. So, now you’ll be able to pause both feature and monthly updates for up to 35 days (seven days at a time, up to five times).
      Windows 10 Tip: More choices for updates

      If you’re not ready to get recommended updates, you can choose to temporarily pause them from being downloaded and installed.
      Manage updates in Windows 10

      How can I stop updates from downloading and installing?
      Windows Update: FAQ

      • #1946749

        We can bat this one around a bit but, in general, until Ed posted his summary of the options and what they actually do, none of these official pages include the whole story. (And I believe that several important details changed in the past month.)

    • #1945431

      I have another option for blocking updates and use them “manually”. I don’t know if it doesn’t work anymore since it’s not listed as an option. What I do is disable the Windows Update service and only enable it when AskWoody.com is no longer in Ms-Defcon 1 or 2. So, you have (sort-of) again the functionality to decide WHEN to update like in Windows 7, and not when MS wants you to.

      • #1946107

        Anonymous, you didn’t mention what o/s you have; but if it’s a recent version of Win 10 then just disabling the Windows Update service likely isn’t good enough.  MS tries to defeat those kinds of measures now by “fixing” Windows Update if they find that it’s “broken” (in their opinion).  So you may not be quite as protected against updates as you think.

        • #1950951

          Oh! That’s bad news! I didn’t know. I have Win10 in one PC and have been using this method without problems… Maybe it is because I have not updated to the last version of Win10?

          Anyway, thank you for the input!

    • #1946001

      https://greatis.com/stopupdates10/ seems to work ok for Win10.  It says for 10-home too.  The only downside seems to be if you forget to turn it off at some point [when the coast is clear, once the month’s updates have had a few weeks to settle down] and let updates do their thing.

    • #1946127

      A question for anyone out there who might know about this.  I just added a brand new system this week to my collection that came preloaded with Win 10 Home version 1903.  If I decide to pause updates on this system for the maximum of 35 days (to Oct. 14th), does that force me to wait until Oct. 14th before I can download and install any updates?  What if I change my mind and decide that I want to get updates say on Sep. 30th?  How would I go about doing that after I’ve paused the updates until Oct. 14th?

      Also, another question about 1903.  In the scenario above where I want to un-pause updates on Sep. 30th, does that mean I would get all the updates available on that date — including not just the Patch Tuesday updates, but also any additional ones issued after Patch Tuesday up to and including Sep. 30th?

      • #1946279

        After you click the pause updates button twice or three times, a “Resume updates” button appears to cancel the pausing.

        I think, though I’m not positive, that you can change your mind afterwards and use the pause button again.

        • This reply was modified 5 years, 8 months ago by Wayne.
        • #1946751

          Yep, you can Pause again — but only after installing the outstanding patches.

          There’s an exception for “optional” patches, but we haven’t seen it used enough times to tell for sure how it’ll eventually work — what is considered “optional” in this case, and what isn’t.

    • #1946108

      Ok, why would I want to stop updates from automatically installing if they protect my machine from being exploited by BlueKeep or other vulnerabilities? Doesn’t make sense to me.

      • #1946165

        To quote Woody:

        Those of you who feel it’s important to install Windows and Office patches the moment they come out – I salute you. The Windows world needs more cannon fodder. When the bugs come out, as they inevitably will, I hope you’ll drop by AskWoody.com and tell us all about them.
        For those who feel that, given Microsoft’s track record of pernicious patches, a bit of reticence is in order, I have some good news. Microsoft’s Security Response Center says that only a tiny percentage of patched security holes get exploited within 30 days of the patch becoming available….

      • #1946752
    • #1946865

      woody

      the newly released KB4515384 security update for v1903 claims to fix the high CPU usage w/ SearchUI.exe problem with KB4512941.

      also new Adobe Flash security updates (v32.0.0.255) came out from Adobe and MS:
      https://helpx.adobe.com/security/products/flash-player/apsb19-46.html
      https://support.microsoft.com/help/4516115

    • #1946964

      Just looking at the Sept. Windows 7 updates and noticed that KB 4474419 security update is offered again this month. I show that I installed it in the Aug. updates. What’s the difference if any?

      • #1946968

        The MS pages for KB 4474419 say

        • This security update was released March 12, 2019 for Windows 7 SP1 and Windows Server 2008 R2 SP1.
        • This security update was updated May 14, 2019 to add support for Windows Server 2008 SP2.
        • This security update was updated June 11, 2019 for Windows Server 2008 SP2 to correct an issue with the SHA-2 support for MSI files.
        • This security update was updated August 13, 2019 to include the bootmgfw.efi file to avoid startup failures on IA64 versions Windows 7 SP1 and Windows Server 2008 R2 SP1.
        • This security update was updated September 10, 2019 to include boot manager files to avoid startup failures on versions Windows 7 SP1, Windows Server 2008 R2 SP1 and Windows Server 2008 SP2.
        • #1946974

          This security update was updated September 10, 2019 to include boot manager files to avoid startup failures on versions Windows 7 SP1, Windows Server 2008 R2 SP1 and Windows Server 2008 SP2.

          Thanks for the clarification, let’s hope that those boot manager files don’t make things worse. We’ll find out when Woody gives the go ahead for Sept. later this month. ( Fingers Crossed )

    • #1946969

      September Beta Test Report Windows 7 x64 Updates

      Important
      – September 2019 Security and Quality Rollup for .NET Framework 3.5.1, 4.5.2, 4.6, 4.6.1, 4.6.2, 4.7, 4.7.1, 4.7.2, 4.8 for Windows 7 SP1 and Server 2008 R2 SP1 (KB4514602)
      – September 2019 Security Monthly Quality Rollup Windows7 for x64 (KB4516065)
      – September 2019 Security Update for Windows 7 for x64 (KB4474419)

      Updates installed without error and the system rebooted without error.

      Prompted/Checked for updates. (“Check for updates but let me choose whether to download and install them” is set. Normally, I have to click the button to check for updates, even with this setting, but this time I was prompted with an update. It was already at the gate.)

      Important
      – September 2019 Servicing Stack Update for Windows 7 for x64-based Systems (KB4516655)

      Update installed without error. Although reboot not required, I rebooted, and the system rebooted without error.

      Checked for updates and no further updates.

      Nice.

      On permanent hiatus {with backup and coffee}
      offline▸ Win10Pro 2004.19041.572 x64 i3-3220 RAM8GB HDD Firefox83.0b3 WindowsDefender
      offline▸ Acer TravelMate P215-52 RAM8GB Win11Pro 22H2.22621.1265 x64 i5-10210U SSD Firefox106.0 MicrosoftDefender
      online▸ Win11Pro 22H2.22621.1992 x64 i5-9400 RAM16GB HDD Firefox116.0b3 MicrosoftDefender
    • #1947003

      ? says:

      thank you brave geekdom! looks like yet another round of servicing stack and sha-2 patches before applying the IE and rollup(s). i see them listed here under prerequisite:

      https://support.microsoft.com/en-us/help/4516033/windows-7-update-kb4516033

    • #1947617

      Woody,

      I am running Windows 1809 with the August Quality Update.  This morning, I looked at Windows Update and saw that I was being teased with the names of one or two updates moving quickly across part of the screen.  I could not read them fast enough.

      Around lunchtime today, having read what you learned from Ed Bott and associated messages, I took the risk and clicked on “Updates are available.”  When I did so, the screen changed and I now could read the titles of the two updates which are available, which are the September Quality Update and a .NET update.  I cancelled out of Windows Update after I saw this.

      When I came back to Windows Update later today, the top of the Windows Update screen said “Restart required,” which made me feel as though I had made a mistake by clicking on “Updates are available.” I did not want to “Restart now” so I clicked on “Schedule the restart.” Below “Schedule the restart” on the new page, it says “Schedule the time” with an off-on toggle set to off. I relaxed quickly. I am hoping that this will now stay this way until 20 days – which was my Quality Update Delay period that I had selected and has now disappeared.

      This is not exactly what I expected to see.  Maybe it will change again with Windows 1903.

      Hope this helps.

    • #1947633

      I was only offered 3. KB4516115 for Flash Player, KB4514359 for dot NET 3.5 and 4.8, and Cumulative Update KB4515384.

      Nothing to report; everything’s runnin’ just fine. I got some on the B side of my dual-boot as well, but forgot to write those down. That’s the side where I do my slicing and dicing, so I cause the problems there, not updates.

      Always create a fresh drive image before making system changes/Windows updates; you may need to start over!
      We all have our own reasons for doing the things that we do with our systems; we don't need anyone's approval, and we don't all have to do the same things.
      We were all once "Average Users".
