News, tips, advice, support for Windows, Office, PCs & more. Tech help. No bull. We're community supported by donations from our Plus Members, and proud of it
Home icon Home icon Home icon Email icon RSS icon
  • MS-DEFCON 2: Get Windows automatic update locked down

    Home Forums AskWoody blog MS-DEFCON 2: Get Windows automatic update locked down

    • This topic has 23 replies, 12 voices, and was last updated 10 months ago by anonymous.
    Viewing 12 reply threads
    • Author
      Posts
      • #1944894 Reply
        woody
        Da Boss

        Tomorrow’s Patch Tuesday, and y’all know what that means. Take a few seconds right now to make sure Windows Automatic Update is turned off. If you’re
        [See the full post at: MS-DEFCON 2: Get Windows automatic update locked down]

        2 users thanked author for this post.
      • #1945002 Reply
        geekdom
        AskWoody Plus

        In the event that automatic update didn’t get turned off, make backups now.

        G{ot backup} TestBeta
        offline▸ Win7Pro SP1 x64 Storage
        online▸ Win10Pro 1909.18363.959 x64 i5-9400 RAM8GB HDD Firefox79.0b7 Windows{Image/Defender/Firewall}
        • This reply was modified 10 months, 1 week ago by geekdom.
      • #1945337 Reply
        b
        AskWoody Plus

        Details in Computerworld Woody on Windows.

        There’s a better way with Win10 version 1903

        Although Microsoft hasn’t officially documented the changes anywhere I can see,

        That’s a very strange comment in view of detailed instructions appearing at:

        Download and install now option
        Extended ability to pause updates

        New features that put customers more in control of updates

        We know that sometimes, updates can come at inconvenient times. So, now you’ll be able to pause both feature and monthly updates for up to 35 days (seven days at a time, up to five times).
        Windows 10 Tip: More choices for updates

        If you’re not ready to get recommended updates, you can choose to temporarily pause them from being downloaded and installed.
        Manage updates in Windows 10

        How can I stop updates from downloading and installing?
        Windows Update: FAQ

        1 user thanked author for this post.
        • #1946749 Reply
          woody
          Da Boss

          We can bat this one around a bit but, in general, until Ed posted his summary of the options and what they actually do, none of these official pages include the whole story. (And I believe that several important details changed in the past month.)

      • #1945431 Reply
        anonymous
        Guest

        I have another option for blocking updates and use them “manually”. I don’t know if it doesn’t work anymore since it’s not listed as an option. What I do is disable the Windows Update service and only enable it when AskWoody.com is no longer in Ms-Defcon 1 or 2. So, you have (sort-of) again the functionality to decide WHEN to update like in Windows 7, and not when MS wants you to.

        • #1946107 Reply
          Tom-R
          AskWoody Plus

          Anonymous, you didn’t mention what o/s you have; but if it’s a recent version of Win 10 then just disabling the Windows Update service likely isn’t good enough.  MS tries to defeat those kinds of measures now by “fixing” Windows Update if they find that it’s “broken” (in their opinion).  So you may not be quite as protected against updates as you think.

          • #1950951 Reply
            anonymous
            Guest

            Oh! That’s bad news! I didn’t know. I have Win10 in one PC and have been using this method without problems… Maybe is because I have not updated to the last version of Win10?

            Anyway, thank you for the input!

      • #1946001 Reply
        georgea
        AskWoody Lounger

        https://greatis.com/stopupdates10/ seems to work ok for Win10.  It says for 10-home too.  The only downside seems to be if you forget to turn it off at some point [when the coast is clear, once the month’s updates have had a few weeks to settle down] and let updates do their thing.

      • #1946127 Reply
        Tom-R
        AskWoody Plus

        A question for anyone out there who might know about this.  I just added a brand new system this week to my collection that came preloaded with Win 10 Home version 1903.  If I decide to pause updates on this system for the maximum of 35 days (to Oct. 14th), does that force me to wait until Oct. 14th before I can download and install any updates?  What if I change my mind and decide that I want to get updates say on Sep. 30th?  How would I go about doing that after I’ve paused the updates until Oct. 14th?

        Also, another question about 1903.  In the scenario above where I want to un-pause updates on Sep. 30th, does that mean I would get all the updates available on that date — including not just the Patch Tuesday updates, but also any additional ones issued after Patch Tuesday up to and including Sep. 30th?

        • #1946279 Reply
          Wayne
          AskWoody Plus

          After you click the pause updates button twice or three times, a “Resume updates” button appears to cancel the pausing.

          I think, though I’m not positive, that you can change your mind afterwards and use the pause button again.

          • This reply was modified 10 months, 1 week ago by Wayne.
          1 user thanked author for this post.
          • #1946751 Reply
            woody
            Da Boss

            Yep, you can Pause again — but only after installing the outstanding patches.

            There’s an exception for “optional” patches, but we haven’t seen it used enough times to tell for sure how it’ll eventually work — what is considered “optional” in this case, and what isn’t.

      • #1946108 Reply
        anonymous
        Guest

        Ok, why would I want to stop updates from automatically installing I’d they protect my machine from being exploited by bluekeep or other vulnerabilities.  Doesn’t make sense to me.

        • #1946165 Reply
          Kirsty
          Da Boss

          To quote Woody:

          Those of you who feel it’s important to install Windows and Office patches the moment they come out – I salute you. The Windows world needs more cannon fodder. When the bugs come out, as they inevitably will, I hope you’ll drop by AskWoody.com and tell us all about them.
          For those who feel that, given Microsoft’s track record of pernicious patches, a bit of reticence is in order, I have some good news. Microsoft’s Security Response Center says that only a tiny percentage of patched security holes get exploited within 30 days of the patch becoming available….

          1 user thanked author for this post.
        • #1946752 Reply
          woody
          Da Boss
      • #1946865 Reply
        EP
        AskWoody_MVP

        woody

        the newly released KB4515384 security update for v1903 claims to fix the high CPU usage w/ SearchUI.exe problem with KB4512941.

        also new Adobe Flash security updates (v32.0.0.255) came out from Adobe and MS:
        https://helpx.adobe.com/security/products/flash-player/apsb19-46.html
        https://support.microsoft.com/help/4516115

      • #1946964 Reply
        anonymous
        Guest

        Just looking at the Sept. Windows 7 updates and noticed that KB 4474419 security update is offered again this month. I show that I installed it in the Aug. updates. What’s the difference if any?

        • #1946968 Reply
          PKCano
          Da Boss

          The MS pages for KB 4474419 say

          • This security update was released March 12, 2019 for Windows 7 SP1 and Windows Server 2008 R2 SP1.
          • This security update was updated May 14, 2019 to add support for Windows Server 2008 SP2.
          • This security update was updated June 11, 2019 for Windows Server 2008 SP2 to correct an issue with the SHA-2 support for MSI files.
          • This security update was updated August 13, 2019 to include the bootmgfw.efi file to avoid startup failures on IA64 versions Windows 7 SP1 and Windows Server 2008 R2 SP1.
          • This security update was updated September 10, 2019 to include boot manager files to avoid startup failures on versions Windows 7 SP1, Windows Server 2008 R2 SP1 and Windows Server 2008 SP2.
          1 user thanked author for this post.
          • #1946974 Reply
            anonymous
            Guest

            This security update was updated September 10, 2019 to include boot manager files to avoid startup failures on versions Windows 7 SP1, Windows Server 2008 R2 SP1 and Windows Server 2008 SP2.

            Thanks for the clarification, lets hope that those boot manager files don’t make things worse. We’ll find out when Woody gives the go ahead for Sept. later this month. ( Fingers Crossed )

      • #1946969 Reply
        geekdom
        AskWoody Plus

        September Beta Test Report Windows 7 x64 Updates

        Important
        – September 2019 Security and Quality Rollup for .NET Framework 3.5.1, 4.5.2, 4.6, 4.6.1, 4.6.2, 4.7, 4.7.1, 4.7.2, 4.8 for Windows 7 SP1 and Server 2008 R2 SP1 (KB4514602)
        – September 2019 Security Monthly Quality Rollup Windows7 for x64 (KB4516065)
        – September 2019 Security Update for Windows 7 for x64 (KB4474419)

        Updates installed without error and the system rebooted without error.

        Prompted/Checked for updates. (“Check for updates but let me choose whether to download and install them” is set. Normally, I have to click the button to check for updates, even with this setting, but this time I was prompted with an update. It was already at the gate.)

        Important
        – September 2019 Servicing Stack Update for Windows 7 for x64-based Systems (KB4516655)

        Update installed without error. Although reboot not required, I rebooted, and the system rebooted without error.

        Checked for updates and no further updates.

        Nice.

        G{ot backup} TestBeta
        offline▸ Win7Pro SP1 x64 Storage
        online▸ Win10Pro 1909.18363.959 x64 i5-9400 RAM8GB HDD Firefox79.0b7 Windows{Image/Defender/Firewall}
        1 user thanked author for this post.
      • #1947003 Reply
        anonymous
        Guest

        ? says:

        thank you brave geekdom! looks like yet another round of servicing stack and sha-2 patches before applying the IE and rollup(s). i see them listed here under prerequisite:

        https://support.microsoft.com/en-us/help/4516033/windows-7-update-kb4516033

      • #1947617 Reply
        Jonathan Handler
        AskWoody Plus

        Woody,

        I am running Windows 1809 with the August Quality Update.  This morning, I looked at Windows Update and saw that I was being teased with the names of one or two updates moving quickly across part of the screen.  I could not read them fast enough.

        Around lunchtime today, having read what you learned from Ed Bott and associated messages, I took the risk and clicked on “Updates are available.”  When I did so, the screen changed and I now could read the titles of the two updates which are available, which are the September Quality Update and a .NET update.  I cancelled out of Windows Update after I saw this.

        When I came back to Windows Update later today, the top of the Windows Update screen said “Restart required,”  which made me feel as though I had made a mistake by clicking on “Updates are available.”  I did not want to “Restart now” so I clicked on “Schedule the restart.”  Below, “Schedule the restart” on the new page it says “Schedule the time” with an off-on toggle set to off. I relaxed quickly.”  I am hoping that this will now stay this way until 20 days – which was my Quality Update Delay period that I had selected and has now disappeared.

        This is not exactly what I expected to see.  Maybe it will change again with Windows 1903.

        Hope this helps.

      • #1947633 Reply
        bbearren
        AskWoody MVP

        I was only offered 3. KB4516115 for Flash Player, KB4514359 for dot NET 3.5 and 4.8, and Cumulative Update KB4515384.

        Nothing to report; everything’s runnin’ just fine.  I got some on the B side of m dual-boot as well, but forgot to write those down.  That’s the side where I do my slicing and dicing, so I cause the problems there, not updates.

        Create a fresh drive image before making system changes/Windows updates, in case you need to start over!
        "When you're troubleshooting, start with the simple and proceed to the complex."—M.O. Johns
        "Experience is what you get when you're looking for something else."—Sir Thomas Robert Deware

    Viewing 12 reply threads

    Please follow the -Lounge Rules- no personal attacks, no swearing, and politics/religion are relegated to the Rants forum.

    Reply To: MS-DEFCON 2: Get Windows automatic update locked down

    You can use BBCodes to format your content.
    Your account can't use Advanced BBCodes, they will be stripped before saving.

    Cancel