Once more unto the breach, dear friends, once more. In preparation for tomorrow’s Patch Tuesday, we’re at MS-DEFCON 2: Patch reliability is unclear. U
[See the full post at: MS-DEFCON 2: March Patch Tuesday is right around the corner — turn off Auto Update]
MS-DEFCON 2: March Patch Tuesday is right around the corner — turn off Auto Update
- This topic has 34 replies, 14 voices, and was last updated 5 years, 2 months ago by
anonymous.
woody
Manager
Now this should give you pause. I got a message from an experienced Windows guy (which is to say, a victim, like many of us), who described his method for installing Win10 on a new computer. Here’s his checklist.
My procedure to get a working windows 10 (assuming they don’t want to (/can’t) return the computer and get a good computer (refurbished Windows 7/8.1, a Mac, convert to Linux))
Install 10_1709 (I didn’t have any unexpected problems with 1709 — only the normal massive windows 10 problems)
Start disconnected from the internet and stay that way until prelim settings are set.
bcdedit /set {default} bootmenupolicy legacy (re-enables F8)
display delete confirm dialog (recycle bin) — when I try to delete a file, please ask if I am sure rather than silently succeeding!
“hide merge conflicts” — If I combine two folders don’t overwrite the files with the same name without confirmation.
“underline keyboard shortcuts” — always good (unless most of windows 10 doesn’t have shortcut and/or don’t do “underlines”)
“always show menus” — don’t hide the menus!
“don’t hide extensions” — “something.exe” (with a notepad icon) is NOT the same as “something.txt”!
taskbar: never combine icons on task bar (just adds to confusion)
“Allow troubleshooting to begin immediately” — off, don’t try to solve the “problem” you have “detected” before you’ve told me what it is!
UAC — max (UAC is not perfect, but don’t make it have big obvious flaws by turning it down)
Enable 64-bit and appcontainer modes in IE (for those who use IE)
Hide “edge” because its icon looks too much like IE, and someone might try to use it.
Disable the “dnscache” service (historically caused glitchy DNS behavior, plus we don’t need ANOTHER layer of DNS caching: ISP->router->OS->dnscache windows service->browser) — bonus you never need “ipconfig /flushdns” again.
Disable the “WMPNetworkSvc” service (glitchy, useless)
Disable WinHttpAutoProxySvc and iphlpsvc (windows 10 might fight you). — found my own post when I searched about this WPAD (forgot I even posted it — I was recomposing the same way I posted the first time).
set (in the hosts file):
255.255.255.255 WPAD
Set computer not to auto reboot on BSoD. — if an unattended BSoD happens (and recurs on boot) it could allow win10 to start “fixing” the problem before you even see it (aka causing second and third problems)
Set system restore to reasonable size (windows 10 deletes system restore points crazy often, this may not be super helpful anymore, also deletes ALL restore points on “massive upgrade” every 6 months)
Disable hybrid shutdown / fast startup. May / will re-enable every 6 months. (Maybe I should write a script to disable it)
Disable ANY drivers from windows updates (I will install drivers from the OEM thank you — if there are none then windows 10 isn’t supported on this hardware — drivers are installed before connecting to the internet)
DriverSearching: “DontSearchWindowsUpdate:1”, “DriverUpdateWizardWuSearchEnabled:0”, “SearchOrderConfig:0” and “ExcludeWUDriversInQualityUpdate:1” (last one barely does anything)
Device Metadata – PreventDeviceMetadataFromNetwork: 1
–WindowsUpdate Settings:
Enable “microsoft update” — why is this separate and off by default!?
ActiveHours: 7AM-1AM (why can’t I set 24 hours..)
BranchReadinessLevel: 0x20 (for whatever good it will do)
DeferFeatureUpdatesPeriodInDays: 125 (one could hope)
RestartNotificationsAllowed: 1 — “please tell me right away if windows updates are partially installed and I should drop everything and reboot — I would have rather STARTED the install at my leisure, but at least I won’t be doing a clean install of my antivirus only to find I am half way through a windows update”
–DeliveryOptimization:
DODownloadMode: 100 (0x64) bypass, which means don’t use “DO”, instead use BITS, download from microsoft not P2P (if you don’t set this even if you have disabled UPLOAD to P2P you may still be DOWNLOADING from there)
Config DODownloadMode: 100 (0x64)
Settings DODownloadMode: 100 (0x64)
–WindowsStore:
AutoDownload: 2 (prompt to update store apps)
Disable windows defender, including services and drivers if a good antivirus will be replacing it (prevents limited periodic scanning from activating) — I had reports that LPS also triggers your normal antivirus to do a full system scan several times a day (to make it look bad?).
–DataCollection:
AllowTelemetry: 0
DoNotShowFeedbackNotifications: 1
–“Siuf Rules” aka feedback and diag (a bug in the first release of 1709 prevents this from saving from the GUI, which always set it to “full” and “always”):
NumberOfSIUFInPeriod: 0
PeriodInNanoSeconds: 0
AdvertisingInfo: 0
–Privacy:
TailoredExperiencesWithDiagnosticDataEnabled: 0
–Windows Search:
AllowCortana: 0
AllowSearchToUseLocation: 0
DisableWebSearch: 1
ConnectedSearchUseWeb: 0
AllowCloudSearch: 0
–disable,stop (don’t delete it…):
DiagTrack
dmwappushservice
WMI Autologger AutoLogger-Diagtrack-Listener – Start: 0 (collects ETL for DiagTrack)
–Bluetooth:
AllowAdvertising: 0
AllowExperimentation: 0
NoLockScreenCamera: 1
–Per user:
Search:
CortanaConsent: 0
BingSearchEnabled: 0
DeviceHistoryEnabled: 0
CortanaInAmbientMode: 0
SearchboxTaskbarMode: 0
AnyAboveLockAppsActive: 0
IsWindowsHelloActive: 0
IsAssignedAccess: 0
IsMicrophoneAvailable: 0
Explorer Advanced:
ShowSyncProviderNotifications: 0 (ads in explorer)
Start_TrackProgs: 0
ContentDeliveryManager:
RotatingLockScreenEnabled: 0
RotatingLockScreenOverlayEnabled: 0
SilentInstalledAppsEnabled: 0
SoftLandingEnabled: 0
SystemPaneSuggestionsEnabled: 0
And all the obvious settings in the privacy control panel. (there are more than what I listed above, this was just the easy to explain list)
Turn on Exploit Protection (emet) for hand selected and tested set of processes, including office. Office 2016 (2013 too probably) DELETES all the Exploit Protection settings for office after any repair and/or update so make a Scheduled Task to re-apply them.
Keeping in mind that “Don’t Use High Entropy” (on) means “Do Use High Entropy”. So the setting is backwards!
https://msdnshared.blob.core.windows.net/media/2017/11/WDEGConfig.png
Also set to bits to make this system default.
Turn all the “System setting” to on (since windows 10 is a little more lax in applying force rand ASLR it doesn’t break things)
Also this is a clean install so a broken system is a system restore away from fixed (also ENABLE system restore!).
Repeat after every massive update (every 6 months), always make a full system backup. — You never know when your settings/preferences will be lost
Comments?
-
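The checklist above asks for its settings to be repeated after every feature update, so a drift check is the natural companion. The following read-only PowerShell audit is an added example, not part of the original post or the poster's own script; the registry key paths are the standard Group Policy locations and are an assumption (the post gives value names only), and `Get-ChecklistDrift` is a hypothetical function name.

```powershell
# Added example: read-only audit of part of the checklist; it changes nothing.
# Assumption: values sit in the standard Group Policy registry locations
# (the post names the values, not their keys).
$pol = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows'
$registryChecks = @(
    @{ Key = "$pol\DataCollection";       Name = 'AllowTelemetry';                   Want = 0 }
    @{ Key = "$pol\DataCollection";       Name = 'DoNotShowFeedbackNotifications';   Want = 1 }
    @{ Key = "$pol\DeliveryOptimization"; Name = 'DODownloadMode';                   Want = 100 }
    @{ Key = "$pol\WindowsUpdate";        Name = 'ExcludeWUDriversInQualityUpdate';  Want = 1 }
    @{ Key = "$pol\WindowsUpdate";        Name = 'DeferFeatureUpdatesPeriodInDays';  Want = 125 }
    @{ Key = "$pol\Device Metadata";      Name = 'PreventDeviceMetadataFromNetwork'; Want = 1 }
    @{ Key = "$pol\Windows Search";       Name = 'AllowCortana';                     Want = 0 }
    @{ Key = "$pol\Windows Search";       Name = 'DisableWebSearch';                 Want = 1 }
    @{ Key = "$pol\Windows Search";       Name = 'ConnectedSearchUseWeb';            Want = 0 }
    @{ Key = "$pol\Windows Search";       Name = 'AllowCloudSearch';                 Want = 0 }
)
# Services the checklist disables and stops.
$serviceChecks = 'DiagTrack', 'dmwappushservice', 'WMPNetworkSvc'

function Get-ChecklistDrift {   # hypothetical name
    foreach ($c in $registryChecks) {
        # Missing key or value means the OS default applies: report as drift.
        $item = Get-ItemProperty -Path $c.Key -Name $c.Name -ErrorAction SilentlyContinue
        $have = if ($null -ne $item) { $item.($c.Name) } else { $null }
        [pscustomobject]@{
            Kind = 'Registry'; Item = "$($c.Key)\$($c.Name)"; Want = $c.Want
            Have = $have;      OK   = ($null -ne $have -and $have -eq $c.Want)
        }
    }
    foreach ($name in $serviceChecks) {
        # A service that is not installed cannot run, so it passes.
        $svc  = Get-CimInstance -ClassName Win32_Service -Filter "Name='$name'"
        $mode = if ($svc) { $svc.StartMode } else { 'NotInstalled' }
        [pscustomobject]@{
            Kind = 'Service'; Item = $name; Want = 'Disabled'
            Have = $mode;     OK   = ($mode -in 'Disabled', 'NotInstalled')
        }
    }
    # The hosts-file entry "255.255.255.255 WPAD" from the checklist.
    $hostsFile = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
    $hasWpad = [bool](Select-String -Path $hostsFile -Pattern '^\s*255\.255\.255\.255\s+wpad\b' -Quiet)
    [pscustomobject]@{
        Kind = 'Hosts'; Item = '255.255.255.255 WPAD'; Want = $true
        Have = $hasWpad; OK = $hasWpad
    }
}

# Show only what has drifted, e.g. after a feature update.
Get-ChecklistDrift | Where-Object { -not $_.OK } | Format-Table -AutoSize -Wrap
```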
bobcat5536
AskWoody Lounger -
geekdom
AskWoody_MVP
Ouch! That reads like “Gone With The Wind”
Naaahhh, more like War and Peace meets Iliad.
Carpe Diem {with backup and coffee}
offline▸ Win10Pro 2004.19041.572 x64 i3-3220 RAM8GB HDD Firefox83.0b3 WindowsDefender
offline▸ Acer TravelMate P215-52 RAM8GB Win11Pro 22H2.22621.1265 x64 i5-10210U SSD Firefox106.0 MicrosoftDefender
online▸ Win11Pro 22H2.22621.1778 x64 i5-9400 RAM16GB HDD Firefox114.0b8 MicrosoftDefender
1 user thanked author for this post.
-
AJNorth
AskWoody Plus
-
-
-
Jan K.
AskWoody Lounger -
zero2dash
AskWoody Lounger
Good Lord that’s a lot of stuff.
I have a PowerShell script I run on all my Win10 machines, seems to do the trick. As time went on, I’ve commented out a lot of it (with #) because I’ve adjusted things elsewhere, but, it works. Quick and easy. https://pastebin.com/JdyJqhjf
It’s a shame “this is what we have to resort to” in order to make Win10 tolerable.
-
MrJimPhelps
AskWoody MVP
Now this should give you pause. I got a message from an experienced Windows guy (which is to say, a victim, like many of us), who described his method for installing Win10 on a new computer. Here’s his checklist….
When I perused through that list, I was immediately reminded of the “I’m a PC / I’m a MAC” commercials. Everything about Windows was such a hassle, while the MAC was simplicity.
I continually wonder when all of the IT folks will get fed up with the whole song and dance that Microsoft makes them do continually just for the privilege of being an unpaid Windows “10” beta tester.
Group "L" (Linux Mint)
with Windows 8.1 running in a VM -
woody
Manager
A follow-up from the anonymous poster:
the format I presented was more of a “if you already know about these settings” rather than actual instructions (exact registry key locations were not included, etc..).
Some highlights include:
re-enable F8
enable system restore (disabled by default? cleared after massive upgrades[1803 if the pattern holds]. limited number of restore points on win10 — to marginally improve performance just when that’s NOT what we need)
Disable hybrid shutdown / fast startup (why would I want my shutdown button to turn into a “log off, then hibernate button” when I already have a hibernate button?)
Disable auto driver update (which isn’t easy, most instructions are faulty)
the privacy settings (half the list)
Interesting:
With hybrid shutdown / fast startup “revision 1.0” (you know at microsoft where marketing invents an idea, announces it to the public, then tells the developers to make it happen)
In the first mention of this idea (pre Windows 8.0 release) it would “log off(exiting processes running under your[all?] users, exit all or most windows services leaving pretty much only system/kernel running (possibly unmount the filesystem), then hibernate”. Either they couldn’t actually accomplish this from a technical standpoint or it didn’t work well (buggy or no benefit), so instead we are left with hybrid shutdown / fast startup v2.0 (log off, hibernate) which doesn’t do anything worthwhile.
“Don’t Use High Entropy” (sliderbox-on) means “Do Use High Entropy”.
https://msdnshared.blob.core.windows.net/media/2017/11/WDEGConfig.png
I don’t see this discussed anywhere. Either I’m the only one to notice or I can’t find the right phrasing to find the others (google used to work so much better a long time ago — now, sometimes your number 1,2,&3 search results contained none of your search terms)
Another gotcha for 1709’s version of emet (WDEP – Windows Defender Exploit Protection) is “Audit”. If this box is checked that exploit mitigation is DISABLED. (the protection may as well be off, a few will log but not block an exploit with audit set)
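One way to set up the Scheduled Task the checklist calls for, so that Exploit Protection settings come back after an Office repair or update. This is an added example, not the poster's own code: it exports the current, already tested configuration once and re-applies it at startup and daily. The folder, file and task names are hypothetical.

```powershell
#Requires -RunAsAdministrator
# Added example. $dir and $taskName are hypothetical names.
$dir      = Join-Path $env:ProgramData 'ExploitProtectionBaseline'
$baseline = Join-Path $dir 'baseline.xml'
$taskName = 'Reapply-ExploitProtection'

# The task runs as SYSTEM and trusts this file, so only SYSTEM and
# Administrators may write to the folder (SIDs avoid localized names).
New-Item -ItemType Directory -Path $dir -Force | Out-Null
icacls $dir /inheritance:r /grant:r '*S-1-5-18:(OI)(CI)F' '*S-1-5-32-544:(OI)(CI)F' | Out-Null

# Export the known-good configuration once; later runs keep the existing file
# so a wiped configuration is never captured as the new baseline.
if (-not (Test-Path $baseline)) {
    Get-ProcessMitigation -RegistryConfigFilePath $baseline
}

# Re-apply the baseline at every boot and once a day.
$cmd      = "Set-ProcessMitigation -PolicyFilePath '$baseline'"
$action   = New-ScheduledTaskAction -Execute 'powershell.exe' `
              -Argument "-NoProfile -NonInteractive -Command `"$cmd`""
$triggers = @(
    New-ScheduledTaskTrigger -AtStartup
    New-ScheduledTaskTrigger -Daily -At '12:00'
)
$principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -LogonType ServiceAccount -RunLevel Highest
Register-ScheduledTask -TaskName $taskName -Action $action -Trigger $triggers `
    -Principal $principal -Force | Out-Null
```

Review the exported XML before relying on it: any mitigation recorded there in audit mode will be re-applied in audit mode.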
Rick59
AskWoody Lounger
dononline
AskWoody Lounger
Jan K.
AskWoody Lounger
anonymous
Guest
Ridiculous.
That list, documenting how to “defang” Windows 10, shows how far beyond the mark Windows has fallen. Windows used to be a reliable operating system, one that people trusted to help them work and play. Now? Well, I don’t even think Microsoft knows what a good operating system is anymore.
Microsoft will do the bare minimum needed to appease the enterprise. For everyone else, welcome to the Wild West.
anonymous
Guest
I can’t wait for another force-feeding from “Father Knows Best” Microsoft. Plus, 1803 is right around the corner, so…you know…put your head back and say “ahhhhh.”
A fitting quote from Ian Fleming: “Once is happenstance. Twice is coincidence. Three times is enemy action.”
What are we up to now, three times for 1709? And that’s not even including GWX, “clicking X means give it to me, baby,” the mandatory telemetry vaccinations included in the rollups, or the other bone-headed decisions from On High.
I didn’t used to be this jaded. Really.
1 user thanked author for this post.
anonymous
Guest
anonymous
Guest
I have a question about “turn off Auto Update” said every month: who has still turned on auto update? 😀
On my windows 7/8.1 machines auto update is deactivated since 2015, it will never ever be turned on again. So in my case there’s no need for turning something off which already is turned off for three years… 😀
-
Cascadian
AskWoody Lounger
There are newcomers arriving to this sanctuary every day. Somewhere Woody must have tucked away a little memo to himself to always write this first step caution so that all newcomers can see the wisdom. Hopefully it causes them to delve in and read more. Every new convert may eventually find the confidence to contribute. Or at least tell their friends where to find good advice.
-
anonymous
Guest
-
geekdom
AskWoody_MVP
Patches are designed to provide security, performance, and enhancements.
Instead, users must choose between:
- patching for known vulnerabilities
- potential crashes after installing patches
Procedures for picking, choosing, debating, removing, and deferring patches are required and avoidance of patches has become normal.
Carpe Diem {with backup and coffee}
offline▸ Win10Pro 2004.19041.572 x64 i3-3220 RAM8GB HDD Firefox83.0b3 WindowsDefender
offline▸ Acer TravelMate P215-52 RAM8GB Win11Pro 22H2.22621.1265 x64 i5-10210U SSD Firefox106.0 MicrosoftDefender
online▸ Win11Pro 22H2.22621.1778 x64 i5-9400 RAM16GB HDD Firefox114.0b8 MicrosoftDefender
1 user thanked author for this post.
Pepsiboy
AskWoody Lounger
A fitting quote from Ian Fleming: “Once is happenstance. Twice is coincidence. Three times is enemy action.”
And to quote Gibbs (NCIS), “There is no such thing as coincidence.”
This is just another case of MS force feeding stuff that VERY FEW people, if any, REALLY want ! !
Dave
anonymous
Guest
anonymous
Guest
When is the world / Corporations going to decide ENOUGH of this forced Windows garbage. Take almost any flavor of Linux. It’s capable of doing 95% of business and personal use stuff yesterday. Also a whole lot easier to manage.
I use an older CentOS 6.x. I install a new box, issue ONE ‘yum update’ and I get a completely patched system in the FIRST Round. No constant reboots. NO forced games, applications, etc. Privacy concerns generally NOT an issue in Linux.
Why does the world continue to insist on the M$ bull___t train of privacy violations. WHY does M$ feel Windows 10 PRO users NEED Candy Crush, etc.
5 users thanked author for this post.
anonymous
Guest
anonymous
Guest
anonymous
Guest
Microfix
AskWoody MVP
EP
AskWoody_MVP
Uh-oh. New CU for Win7 (KB4088875) has known potential BSOD (blue screen) problems documented by MS-
stop error or BSOD on non-SSE2 machines and 32bit/x86 computers with Physical Address Extension (PAE) mode disabled
https://support.microsoft.com/en-us/help/4088875/windows-7-update-kb4088875
definitely avoid installing this new Win7 update on older systems using non-SSE2 CPUs and those with PAE disabled
-
anonymous
Guest -
anonymous
Guest -
Cascadian
AskWoody Lounger
anonymous, you have had a very good run with your system. And if you have had no problems so far, it is also likely that with your current use patterns you may continue with uninterrupted use until Microsoft decides that your hardware has aged out of their plans. Many millions of users are having the same experience you describe. I am glad you find humor in a few other people’s misfortunes.
A recent new voice seems intelligent and strongly displeased. I take McLachT at their word in #post-175673, a well written expression of frustration.
Also Woody has displayed his usual high level of composure in #post-175524 where he points out the ratio of success or failure does not help the person struggling with an interruption caused by Microsoft.
I have interpreted your ‘XD’ to mean raucous laughter at the expense of someone who may actually have learned a difficult lesson in trust. If instead your name is Xavier Daniels, I have misunderstood and offer my apologies.
-
anonymous
Guest -
anonymous
Guest
Oh no no no I wasn’t laughing at the expense of anyone, I would never do that.
I’m genuinely afraid with windows updates since I discovered this website, the “XD” was just here to say that I find it funny because like I said, before I wasn’t even thinking about it and I could have “killed” my PC.
Now I’m waiting to know if I can install KB4088875 🙂
-
-
anonymous
Guest
anonymous
Guest
JohnW
AskWoody Plus