• MS-DEFCON 2: Get Windows Update locked down

    #48452

    While Microsoft’s timing for patches has wobbled quite a bit in recent times, we’re still getting a substantial number of patches on the second Tuesda
    [See the full post at: MS-DEFCON 2: Get Windows Update locked down]

    • #48453

      Being involved a lot with Windows 10 and Windows 7 for many years now, I entirely agree with Woody that Win 10 is only for enthusiasts or professionals testing at this stage.
      I am all in favour of Windows 10 as a replacement for Windows 7 and 8 flavours, only that most users need a bit more patience still.
      The metered network setting recommendation keeps coming back every few posts and it is extremely useful for a lot of people. What about those not using Wi-Fi but Ethernet? As far as I know, there is still no easy way to avoid forced updating, although easy is something relative.

    • #48454

      Now here’s a strange thing…

      I’ve got a laptop and desktop, both Windows 7 64 bit. Same settings for everything pretty much, including ‘Never check for updates’ (I do it manually). A week or two back, a new patch arrived on both offering the addition of another language or characters – something like that – it was 15 or more MB and optional, so I left it. Last week KB3112343 arrived, I checked here first and read your article, ‘Windows Update patches KB3112336 and 3112343 are all about Win10’. So I left that one as well.

      Here’s the mystery: I checked for updates last night and this morning and ‘poof’ both had vanished, from both machines. Is it just me I wonder?

    • #48455

      That’s correct. Without completely disabling Windows Update services, I know of no way to block the forced Win10 updates.

      Changing from an Ethernet connection to a WiFi connection is cheap and easy for many people – but it’ll also take a toll on your internet speed.

    • #48456

      MS has been staging the Updates for Windows through the “optional” updates. Sometime yesterday KB3112343 and KB 3112336 disappeared from the optionals. They will show up sometime today in the “important” updates when MS releases this month’s patches.

    • #48457

      I have been hiding the “Improvements to Windows Update Client” patches since June (KB3050265, 3065987, 3075851, 3083324, 3083710, 3102810 for Win7 and KB3050267, 3065988, 3075853, 3083325, 3083711, 3102812 for Win8/8.1), the GWX app KB3035583 on several occasions, and those patches related to telemetry.

      That said, none of my computers have lost the Windows Update notification in the notification area. And none of my computers (so far) have been assaulted with the Win10 preparations (GWX or the Win10 installation bits).

      I have read that the GWX_Control_Panel v1.6 is now reporting that the changes it monitors are being reset, sometimes multiple times a day. Perhaps the changes MS has been making to the Update Client over the past six months have been greasing the skids for this.

      So, no matter the DEFCON rating, I will be denying KB3112343 (Win7) and KB3112336 (Win8/8.1) this month. And anything else that relates to Win10. Better safe than sorry!!

    • #48458

      I’ve found that when I disable the windows firewall service on my laptop with a hardwired connection that is running win10, the updates check fails and will not complete until it is re-enabled. I run a separate firewall on it and I don’t recommend running any machine without a firewall completely (even if it is the built in one) but this may be a workaround to stop the automatic updates with a hard wired connection and a 3rd party firewall. If someone else can verify that it does work that would be good as I only have one pc that is running win10 at the present.

    • #48459

      Certainly a reasonable approach. Gregg Keizer had a good article yesterday about the new reports of switched privacy settings. I’m holding off on writing it up until I can figure out what in the tarnation is causing the switches…

    • #48460

      Not just you. My W7 x64 work PC had the 3112343 disappear as well.
      But I wouldn’t worry about it, because I expect MS is still prepping its “patch-Tuesday” roll-out, and that particular patch might either reappear or another new patch supersedes it.
      FYI, there have been plenty of Windows Update Client, and Telemetry related patches that eventually stopped being pushed to WU as other patches replaced them.

    • #48461

      I bought a W8 Sony Vaio laptop in August 2013. I upgraded to W8.1, and then in early August this year, to W10. All was OK, but not a single Cumulative Update would install. Windows Defender updates were fine. I started hibernating rather than switching off, to save the tedious and invariably failed attempts to install the CUs whenever I switched on. Then W10 stopped seeing the USB 3.0 ports on the LHS of the laptop: the USB 2.0 ports on the RHS were fine. I did a system restore and all ports can now be seen. Then I disabled ALL Microsoft updates, using the Services menu (and installed Panda antivirus to replace Defender). I use Ninite to update all my programs when necessary, and DriverBoost for drivers.

      This is working fine for me now. All ports are seen, my programs update, and I don’t waste time trying to install CUs, new builds, nor do I risk the other problems that these can create. I make full image backups, and am ready to return to W8 by a factory reset if necessary. I don’t use any specifically W10 features. I do wonder whether this is viable for the long term. It’s difficult to find out whether Sony or Microsoft has brought the drivers etc for my laptop (model SVF1521C5E) up to date for W10.

    • #48462

      Phew! It’s a comfort to know I’m not the only one afflicted by these Houdini style patches.

    • #48463

      @Woody,
      W7 x64 IE9

      Got 10 new patches “manually” downloaded this afternoon.

      I’m still having an issue when checking for updates. I’m receiving error code 80244019.
      I could not successfully check for updates until I disabled “monitor Mode” on the GWX Control Panel [V1.6.0.1].

      MSFT’s more info indicates that error is virus related but a scan produced nothing. After googling 80244019 others have had the issue, scanned and found nothing also.
      Also wondering if this is related to forcing me to move to IE11.

      Anyone else finding an error after enabling “monitor mode” in GWX Control panel? I left Ultimate Outsider a comment and am waiting for a reply.

      Thanks Woody

    • #48464

      See the Ultimate Outsider post under the MS-DEFCON 4 blog….

    • #48465

      Also using W7 x64 IE9

      And also using GWX Control Panel 1.6.0.1 with Monitor Mode enabled.

      WU found 10 patches for me at 19.24 GMT.

      It was slow to find them, but no grief from GWX Control Panel.

      Anyone know what KB3112148 is for ?
      The KB article ‘does not exist’.

    • #48466

      It’s a cumulative time zone update. The article should be there now, I had the same problem earlier today.

    • #48467

      Woody mentions people struggling with Win 8 / 8.1.

      Before you move to Win 10, you should at least try installing a shell (free Classic Shell is great!) and setting the PC to boot to desktop.

      I did that long ago, and have been very happy with my setup since then. For most desktop users, Win 10 offers no must-have benefits, a few niceties, and huge headaches on privacy and system updating.

      If MS gave us some control over the timing of updates, even just the ability to delay them for up to 3 weeks, I’d consider moving to Win 10. But until then I’m fine with Win 8.1

    • #48468

      @ Woody

      I ran across this article by Gregg Keizer at Computer World:

      *Anyone can use ‘Windows Update for Business’ controls to delay changes and patches to Windows 10 Pro*

      http://www.computerworld.com/article/3005569/microsoft-windows/how-to-defer-upgrades-and-updates-in-windows-10-pro.html

      I guess you have to have Win10 Pro in order to use this *feature*–but according to the article anyone with the Pro version of Win10 can use it!

      I thought this might be of interest.

    • #48469

      I’d be interested in hearing from people who have used this method to successfully defer updates. Like today’s, for example. I’m not convinced that it works in all cases.

    • #48470

      @ Randall

      “If MS gave us some control over the timing of updates, even just the ability to delay them for up to 3 weeks…..”

      This might interest you–if you get Win 10 Pro, you can delay updates for up to 4 weeks, and upgrades for up to 12 months:

      I ran across this article by Gregg Keizer at Computer World:

      *Anyone can use ‘Windows Update for Business’ controls to delay changes and patches to Windows 10 Pro*

      http://www.computerworld.com/article/3005569/microsoft-windows/how-to-defer-upgrades-and-updates-in-windows-10-pro.html

      I guess you have to have Win10 Pro in order to use this *feature*–but according to the article anyone with the Pro version of Win10 can use it!

    • #48471

      I posted something more descriptive in the MS-DEFCON 4 thread, but to answer your question specifically, I am running IE10 on three Win7-64 PCs and IE11 on a fourth Win7-64 PC. All four had Monitor Mode enabled but one of the PCs with IE10 and the one with IE11 got hit with the 80244019 error. I hadn’t tried it on the IE10 machine (in fact, I went with your own procedure to change Win Update settings that you posted in that same thread), but on the IE11 PC I was able to get Win Update running after disabling Monitor Mode and restarting the PC.

      However, if you do as Woody suggested and read Ultimate Outsider’s post, you will find what I now believe is the probable cause of that error.

    • #48472

      @Bruce,

      Did you do a manual check for updates or was it an auto check?

      I lost the auto check after Nov.’s IE 9 CU… let me know.

      Thanks.

    • #48473

      There’s the Windows Update MiniTool, which I’m testing on a non-critical HP Pavilion PC that I recently put Win10 v1511 build 10586 on.

      Though I’m also fine with using Win8.1 w/ Update 3 on my father’s Toshiba C55Dt touchscreen laptop; no need to upgrade the Toshiba laptop to Win10 yet.

    • #48474

      To Louis and anybody else still running IE-9 on a Windows 7 system…

      Note the advice at the bottom of this post and try the “tip” shown at the very top for enabling automatic upgrades within IE. If that doesn’t work for you there are also links in the search results to download & install IE-11 manually.

      IMHO you’re going to continually experience issues going forward until you upgrade IE from 9 to 11. Within the next 30 days or so IE-9 on a Windows 7 system will not be supported according to MS, so I’d have to say the sooner you upgrade to IE-11 the better. Even if you don’t use IE you have to consider that it IS rooted to the OS!

      Copy the words between the quotes below into a Google search box…

      “how do I upgrade from internet explorer 9 to 11”

    • #48475

      I would really love to hear from people who are trying this approach in the wild. I’m not sure I understand precisely how and what is delayed, how it interacts with the check box in the Windows Update Advanced Settings pane, and whether it can be turned off at will.

    • #48476

      I did a manual check on this PC yesterday. (I’m in the UK).

      Today I let No3 PC do an automatic check, and then did a manual check on No2 PC.

      In both cases there were no problems.
      The manual check took much longer to find and list updates.

      Both No 2 & 3 PCs are Win 7 x64, but they have been upgraded to IE11 recently.

      All 3 PCs have GWX Control Panel, with the Monitor Mode enabled.

      This whole business has become weirdly inconsistent. I try to remember that I have no idea what I’m doing.

    • #48477

      Ha! Join the club.

    • #48478

      Today I experienced 2 real interesting things with Windows 10.

      First, on a good friend’s Windows 7 Alienware, the GWX app was running without KB3035583 (Check for updates was turned off since I do this manually). That update was the first one I blocked and, upon double checking, it was not re-issued on hers.

      Luckily, with GWX Control Panel, a crisis has been averted and I’m ready to start a war against the GWX takeover.

      Then, later today I was using the family’s XPS 18 (a testing computer) and, it has Windows 10. Today, it showed the processor (a 4th gen core i7) maxing out at 100% CPU Usage. Strangely, the internet was all haywire (1MB per second) so, my hypothesis is that it’s receiving Threshold 2?

    • #48479

      Here’s a strange one! On Patch Tuesday, I received KB 3112148 (3.2 MB). Showing Recommended.

      Then “out of band”, here it comes again TODAY. Showing “optional” (680 KB). I had it on a different page, so didn’t notice that it has the same KB number. Long story short, I hid the optional update. When I check, the first KB 3112148 has disappeared from the updates.

      Also TODAY, KB 3112343 appeared out of the blue. It must have shown “optional” because I hid it. In the “hidden” it shows “important”.

      What in tarnation is occurring here?

    • #48480

      It looks like MS re-issued KB 3112343 as an “important” update. Whether that describes your symptoms or not… it could be a matter of timing.

    • #48481

      Possible. But not definitive!

    • #48482

      I wish that I read this sooner. I just had to uninstall KB3112336 from my Windows 8.1 laptop after it wouldn’t connect to the internet. I was one of those people that let any updates download and install automatically. Never again! The wifi connection completely stopped working after this said update, but only on the laptop. Every other wireless device worked fine. I’m not really tech savvy so I don’t know why this happened, but just in case anyone else experiences the same problem in the near future, KB3112336 was the culprit, and the solution is to uninstall it. This should have never been considered “Important” since I have no intention of upgrading to Windows 10 right now. This issue confirmed my suspicions.

    • #48483

      Glad I read the comments here as Luis saved me a lot of headaches, as my sister’s Win 7 PC that I maintain didn’t receive any updates Tues. I told her to run the “Check for Updates”. All that did was keep running and running. After a half hour I told her to close it and disable the Monitor setting in her GWX Control Panel and then Check for Updates again, and guess what? The Updates came. Hmmmm. Thanks Luis.
      Pat

    • #48484

      I have no intention of upgrading to Windows 10. I seriously can’t because I have a monthly usage allowance on my Internet. If I would upgrade I would go way over it.

      I did 11 updates today. Well running GWX control Panel.

      I do agree it’s best not to upgrade to Windows 10 with all the bugs.
