  • MS-DEFCON 2: Get Windows automatic update locked down


    This topic contains 23 replies, has 12 voices, and was last updated by  anonymous 1 month ago.

    • #1944894 Reply

      woody
      Da Boss

      Tomorrow’s Patch Tuesday, and y’all know what that means. Take a few seconds right now to make sure Windows Automatic Update is turned off. If you’re
      [See the full post at: MS-DEFCON 2: Get Windows automatic update locked down]

      2 users thanked author for this post.
    • #1945002 Reply

      geekdom
      AskWoody Plus

      In the event that automatic update didn’t get turned off, make backups now.

      Group G{ot backup} TestBeta
      Win7Pro · x64 · SP1 · i3-3220 · RAM 8GB · Firefox: uBlock Origin - NoScript · HDD · Canon Printer · Microsoft Security Essentials · Windows: Backup - System Image - Rescue Disk - Firewall
      • This reply was modified 1 month ago by  geekdom.
    • #1945337 Reply

      b
      AskWoody Plus

      Details in Computerworld Woody on Windows.

      There’s a better way with Win10 version 1903

      Although Microsoft hasn’t officially documented the changes anywhere I can see,

      That’s a very strange comment in view of detailed instructions appearing at:

      Download and install now option
      Extended ability to pause updates

      New features that put customers more in control of updates

      We know that sometimes, updates can come at inconvenient times. So, now you’ll be able to pause both feature and monthly updates for up to 35 days (seven days at a time, up to five times).
      Windows 10 Tip: More choices for updates

      If you’re not ready to get recommended updates, you can choose to temporarily pause them from being downloaded and installed.
      Manage updates in Windows 10

      How can I stop updates from downloading and installing?
      Windows Update: FAQ

      Knuckle dragger Cannon fodder Chump Daft glutton Idiot Crazy/Ignorant Toxic drinker Blockhead Unwashed mass Seeker/Sucker "Ancient/Obsolete" (Group ASAP) Win10 v.1909

      1 user thanked author for this post.
      • #1946749 Reply

        woody
        Da Boss

        We can bat this one around a bit but, in general, until Ed posted his summary of the options and what they actually do, none of these official pages include the whole story. (And I believe that several important details changed in the past month.)

    • #1945431 Reply

      anonymous

      I have another option for blocking updates and use them “manually”. I don’t know if it doesn’t work anymore since it’s not listed as an option. What I do is disable the Windows Update service and only enable it when AskWoody.com is no longer in MS-DEFCON 1 or 2. So, you have (sort-of) again the functionality to decide WHEN to update like in Windows 7, and not when MS wants you to.

      • #1946107 Reply

        Tom-R
        AskWoody Plus

        Anonymous, you didn’t mention what o/s you have; but if it’s a recent version of Win 10 then just disabling the Windows Update service likely isn’t good enough.  MS tries to defeat those kinds of measures now by “fixing” Windows Update if they find that it’s “broken” (in their opinion).  So you may not be quite as protected against updates as you think.

        • #1950951 Reply

          anonymous

          Oh! That’s bad news! I didn’t know. I have Win10 in one PC and have been using this method without problems… Maybe it is because I have not updated to the last version of Win10?

          Anyway, thank you for the input!

    • #1946001 Reply

      georgea
      AskWoody Plus

      https://greatis.com/stopupdates10/ seems to work ok for Win10.  It says for 10-home too.  The only downside seems to be if you forget to turn it off at some point [when the coast is clear, once the month’s updates have had a few weeks to settle down] and let updates do their thing.

    • #1946127 Reply

      Tom-R
      AskWoody Plus

      A question for anyone out there who might know about this.  I just added a brand new system this week to my collection that came preloaded with Win 10 Home version 1903.  If I decide to pause updates on this system for the maximum of 35 days (to Oct. 14th), does that force me to wait until Oct. 14th before I can download and install any updates?  What if I change my mind and decide that I want to get updates say on Sep. 30th?  How would I go about doing that after I’ve paused the updates until Oct. 14th?

      Also, another question about 1903.  In the scenario above where I want to un-pause updates on Sep. 30th, does that mean I would get all the updates available on that date — including not just the Patch Tuesday updates, but also any additional ones issued after Patch Tuesday up to and including Sep. 30th?

      • #1946279 Reply

        Wayne
        AskWoody Plus

        After you click the pause updates button twice or three times, a “Resume updates” button appears to cancel the pausing.

        I think, though I’m not positive, that you can change your mind afterwards and use the pause button again.

        • This reply was modified 1 month ago by  Wayne.
        1 user thanked author for this post.
        • #1946751 Reply

          woody
          Da Boss

          Yep, you can Pause again — but only after installing the outstanding patches.

          There’s an exception for “optional” patches, but we haven’t seen it used enough times to tell for sure how it’ll eventually work — what is considered “optional” in this case, and what isn’t.

    • #1946108 Reply

      anonymous

      Ok, why would I want to stop updates from automatically installing if they protect my machine from being exploited by BlueKeep or other vulnerabilities?  Doesn’t make sense to me.

      • #1946165 Reply

        Kirsty
        Da Boss

        To quote Woody:

        Those of you who feel it’s important to install Windows and Office patches the moment they come out – I salute you. The Windows world needs more cannon fodder. When the bugs come out, as they inevitably will, I hope you’ll drop by AskWoody.com and tell us all about them.
        For those who feel that, given Microsoft’s track record of pernicious patches, a bit of reticence is in order, I have some good news. Microsoft’s Security Response Center says that only a tiny percentage of patched security holes get exploited within 30 days of the patch becoming available….

        1 user thanked author for this post.
      • #1946752 Reply

        woody
        Da Boss
    • #1946865 Reply

      EP
      AskWoody_MVP

      woody

      the newly released KB4515384 security update for v1903 claims to fix the high CPU usage w/ SearchUI.exe problem with KB4512941.

      also new Adobe Flash security updates (v32.0.0.255) came out from Adobe and MS:
      https://helpx.adobe.com/security/products/flash-player/apsb19-46.html
      https://support.microsoft.com/help/4516115

    • #1946964 Reply

      anonymous

      Just looking at the Sept. Windows 7 updates and noticed that KB 4474419 security update is offered again this month. I show that I installed it in the Aug. updates. What’s the difference if any?

      • #1946968 Reply

        PKCano
        Da Boss

        The MS pages for KB 4474419 say

        • This security update was released March 12, 2019 for Windows 7 SP1 and Windows Server 2008 R2 SP1.
        • This security update was updated May 14, 2019 to add support for Windows Server 2008 SP2.
        • This security update was updated June 11, 2019 for Windows Server 2008 SP2 to correct an issue with the SHA-2 support for MSI files.
        • This security update was updated August 13, 2019 to include the bootmgfw.efi file to avoid startup failures on IA64 versions Windows 7 SP1 and Windows Server 2008 R2 SP1.
        • This security update was updated September 10, 2019 to include boot manager files to avoid startup failures on versions Windows 7 SP1, Windows Server 2008 R2 SP1 and Windows Server 2008 SP2.
        1 user thanked author for this post.
        • #1946974 Reply

          anonymous

          This security update was updated September 10, 2019 to include boot manager files to avoid startup failures on versions Windows 7 SP1, Windows Server 2008 R2 SP1 and Windows Server 2008 SP2.

          Thanks for the clarification, let’s hope that those boot manager files don’t make things worse. We’ll find out when Woody gives the go ahead for Sept. later this month. ( Fingers Crossed )

    • #1946969 Reply

      geekdom
      AskWoody Plus

      September Beta Test Report Windows 7 x64 Updates

      Important
      – September 2019 Security and Quality Rollup for .NET Framework 3.5.1, 4.5.2, 4.6, 4.6.1, 4.6.2, 4.7, 4.7.1, 4.7.2, 4.8 for Windows 7 SP1 and Server 2008 R2 SP1 (KB4514602)
      – September 2019 Security Monthly Quality Rollup Windows7 for x64 (KB4516065)
      – September 2019 Security Update for Windows 7 for x64 (KB4474419)

      Updates installed without error and the system rebooted without error.

      Prompted/Checked for updates. (“Check for updates but let me choose whether to download and install them” is set. Normally, I have to click the button to check for updates, even with this setting, but this time I was prompted with an update. It was already at the gate.)

      Important
      – September 2019 Servicing Stack Update for Windows 7 for x64-based Systems (KB4516655)

      Update installed without error. Although reboot not required, I rebooted, and the system rebooted without error.

      Checked for updates and no further updates.

      Nice.

      Group G{ot backup} TestBeta
      Win7Pro · x64 · SP1 · i3-3220 · RAM 8GB · Firefox: uBlock Origin - NoScript · HDD · Canon Printer · Microsoft Security Essentials · Windows: Backup - System Image - Rescue Disk - Firewall
      1 user thanked author for this post.
    • #1947003 Reply

      anonymous

      ? says:

      thank you brave geekdom! looks like yet another round of servicing stack and sha-2 patches before applying the IE and rollup(s). i see them listed here under prerequisite:

      https://support.microsoft.com/en-us/help/4516033/windows-7-update-kb4516033

    • #1947617 Reply

      Jonathan Handler
      AskWoody Lounger

      Woody,

      I am running Windows 1809 with the August Quality Update.  This morning, I looked at Windows Update and saw that I was being teased with the names of one or two updates moving quickly across part of the screen.  I could not read them fast enough.

      Around lunchtime today, having read what you learned from Ed Bott and associated messages, I took the risk and clicked on “Updates are available.”  When I did so, the screen changed and I now could read the titles of the two updates which are available, which are the September Quality Update and a .NET update.  I cancelled out of Windows Update after I saw this.

      When I came back to Windows Update later today, the top of the Windows Update screen said “Restart required,”  which made me feel as though I had made a mistake by clicking on “Updates are available.”  I did not want to “Restart now” so I clicked on “Schedule the restart.”  Below “Schedule the restart” on the new page it says “Schedule the time” with an off-on toggle set to off. I relaxed quickly.  I am hoping that this will now stay this way until 20 days – which was my Quality Update Delay period that I had selected and has now disappeared.

      This is not exactly what I expected to see.  Maybe it will change again with Windows 1903.

      Hope this helps.

    • #1947633 Reply

      bbearren
      AskWoody MVP

      I was only offered 3. KB4516115 for Flash Player, KB4514359 for dot NET 3.5 and 4.8, and Cumulative Update KB4515384.

      Nothing to report; everything’s runnin’ just fine.  I got some on the B side of my dual-boot as well, but forgot to write those down.  That’s the side where I do my slicing and dicing, so I cause the problems there, not updates.

      Create a fresh drive image before making system changes, in case you need to start over!
      "The problem is not the problem. The problem is your attitude about the problem. Savvy?"—Captain Jack Sparrow
      "When you're troubleshooting, start with the simple and proceed to the complex."—M.O. Johns

      "Experience is what you get when you're looking for something else."—Sir Thomas Robert Deware
