News, tips, advice, support for Windows, Office, PCs & more. Tech help. No bull. We're community supported by donations from our Plus Members, and proud of it
Home icon Home icon Home icon Email icon RSS icon
  • MS-DEFCON 2: Patch Tuesday’s tomorrow – make sure you have Automatic Update paused

    Home Forums AskWoody blog MS-DEFCON 2: Patch Tuesday’s tomorrow – make sure you have Automatic Update paused

    • This topic has 13 replies, 9 voices, and was last updated 4 weeks ago.
    Viewing 7 reply threads
    • Author
      Posts
      • #2279797 Reply
        woody
        Da Boss

        Once more around the ol’ Windows karmic wheel…. Tomorrow’s Patch Tuesday. Today’s the day you should double-check and make sure you have Windows Upd
        [See the full post at: MS-DEFCON 2: Patch Tuesday’s tomorrow – make sure you have Automatic Update paused]

        11 users thanked author for this post.
      • #2279989 Reply
        Elly
        AskWoody MVP

        I’d like to remind people using W10 Pro Group Policy setting #2 not to use the Pause setting.

        If GP is set to #2, when resume updating is clicked, all updates will start downloading, without notification, completely disregarding the #2 setting of ‘notify for download and install’.

        Pausing updates is important for W10 Home users, and as Woody says in the Computer World article, should be reset now, to avoid unwanted updating.

        Non-techy Win 10 Pro and Linux Mint experimenter

        3 users thanked author for this post.
      • #2280116 Reply
        geekdom
        AskWoody Plus

        Make backups before the big day because an unplanned update is possible.

        G{ot backup} TestBeta
        offline▸ Win10Pro 1909.18363.959 x64 i3-3220 RAM8GB HDD Firefox79.0 Windows{Image/Defender/Firewall}
        online▸ Win10Pro 1909.18363.1016 x64 i5-9400 RAM16GB HDD Firefox80.0b8 Windows{Image/Defender/Firewall}
        2 users thanked author for this post.
      • #2280323 Reply
        anonymous
        Guest

        Just so I understand. MS issues security updates for vulnerabilities, but the advice is not to patch those vulnerabilities for 3 more weeks, leaving your computer vulnerable to exploits that the patch is supposed to prevent.

        • #2280331 Reply
          PKCano
          Da Boss

          Obviously, you don’t understand.
          MS issues security updates with BUGS, and the advice is to wait until those bugs are identified (unless there is an active exploit that makes immediate patching necessary, which there rarely is)  so you don’t end up with computer problems. We keep an eye out for active exploits always, but we also collect information about patch problems. When the time is right and the problems are known, Woody gives the go-ahead and publishes instructions for safe patching.

          But for those who want to be Guinea pigs on the front line, feel free to test things for us.

          6 users thanked author for this post.
          • #2280355 Reply
            anonymous
            Guest

            Obviously I do understand that my computers over the past 20 years have never exploded by installing a patch the same day it’s available.

             

            And the sun still came up the next day too, as it did for millions of other computers.

            • #2280372 Reply
              anonymous
              Guest

              True. But just because a lot of people don’t have problems doesn’t mean that some people didn’t have any—and received no shortage of headache from it.

              A healthy dose of skepticism and caution doesn’t hurt. It’s usually impulse that burns.

            • #2280382 Reply
              The Surfing Pensioner
              AskWoody Plus

              Mine never exploded either, but I stopped installing patches the same day they were issued donkeys years ago, when I discovered that not infrequently following installation various programs/software packages failed to function properly and I was left chasing websites for fixes. More hassle than it’s worth. And I’ve never landed a virus through waiting for Defcon 3:)

              1 user thanked author for this post.
            • #2280417 Reply
              Alex5723
              AskWoody Plus

              I have a Windows 7 laptop is use at home, which never exploded too, with blocked Microsoft updates since day 1 of Windows 10 ( 5 years !!). No viruses as well.

        • #2280384 Reply
          woody
          Da Boss

          Every month I get this question, and every month I post a challenge:

          Tell me one — just one — zero-day patch that was widely exploited within a few weeks of the patch being delivered.

          Here’s the list that I came up with a couple of months ago:

          • WannaCry/EternalBlue – patched April 11, 2017. Exploited May 12, 2017. More than a  month from patch to exploit – and it was a bad exploit! UPDATE: Andy Greenberg at Wired just published an excellent story about Marcus Hutchins, the guy who corralled WannaCry.
          • Blaster – patched May 28, 2003. Exploited August 11, 2003. Almost three months.
          • Sasser – patched April 13, 2004. Exploited April 30, 2004. Two weeks to exploit, and that’s scary. But it was 16 years ago.

          So it’s true that, 16 years ago, a patched zero-day was widely exploited within a couple of weeks. Other than Sasser, all of the major exploits I know about took many weeks or months. You have to patch sooner or later, but there’s no reason to patch right away.

          Do you know of any others?

          (By contrast, every month we get bugs, some major some simply annoying. I have a running month-by-month three year history of the bugs in Computerworld.)

          1 user thanked author for this post.
      • #2280434 Reply
        bbearren
        AskWoody MVP

        KB4565503 Cumulative Update for Windows 10 Version 2004 for x64 based Systems
        KB4565627 Cumulative Update for .NET Framework 3.5 and 4.8 for Windows 10 Version 2004 for x64

        Successfully installed on both sides of my dual boot; no hiccups.

        Create a fresh drive image before making system changes/Windows updates, in case you need to start over!
        "When you're troubleshooting, start with the simple and proceed to the complex."—M.O. Johns
        "Experience is what you get when you're looking for something else."—Sir Thomas Robert Deware

      • #2280650 Reply
        Speed Racer
        AskWoody Plus

        So I have a few items to review please…

        1.  Article: “Reports of Win10 1909 users getting pushed onto version 2004.”

        • Kudos and Thank You to @Paul T, @PKCano, and @Alex5723 regarding my 6/15 post.  All went smoothly and v2004 did not install on either of my Win10 Pro PC’s.  Strange thing is on one of them I was able to pause updates all the way to November…who’d a thunk?

        2.  Regarding “MS-DEFCON 2: Patch Tuesday’s tomorrow – make sure you have Automatic Update paused”

        • @PKCano…Monday night I ran data & system image backups then followed AKB2000016 .  Per the KB article I followed your setup in Step 4 (GP: 2; Feature updates: 365; Quality updates: 0; Metered connection: off).  On Tuesday morning I ran and installed the June CU’s (hopefully this was the right action as I don’t recall seeing an “all clear notice” from Woody).  I also ran wush and hid the Silverlight update since its dead anyways.  I immediately paused updates until 8/17.  After reading the post, “Win10 May Uninstalled – Wait for June “Approval”​ from @WSTerryGH and replies from @Elly, I saw I should not have set up the pause updates.  I have a couple questions for clarification please:

         

        • PC #1 has the following message, “The windows 10 May 2020 update is on the way once it’s ready for your device you’ll see the update available on this page” and PC #2 does not.  It appears PC #1 will not get the v2004 update any time soon, therefore I should probably remove the pause, let this PC automatically check for updates, and immediately run wush to prevent the July updates from installing, until Woody gives the ok, then keep pause updates cleared to allow GP2 to work properly.  Am I understanding this & how the Step 4 setup is supposed to work?  Then on PC #2, which may be offered the v2004 update, I should follow the same steps as I did for PC #1, using wush to hopefully prevent v2004 from installing, then leave pause alone.  Again, am I understanding correctly?

         

        • PC #2: Using regedit to verify the GP and WU settings, I saw this PC was missing the semi-annual channel setting “BranchReadinessLevel” value of (32).  Why would PC #1 show this correctly and PC #2 not?  Should I be concerned, and if so, how do I go about correcting this?
        Other miscellaneous questions:
        • In using EaseUS Todo Backup (free version) for my System Image, I noticed in the app/program there is a restore function.  Since the free version allows for backup & restore to the same drive, would I be in a bind if I had a catastrophic failure where I had a boot drive failure (which I’ve had before)?  Also, if I had to recover (without a drive failure) using my System Image backup, would I simply be able to reimage using my backup, or would I need to use the restore function from EaseUS Todo?

         

        • Regarding backups.  I’m currently using 2 Seagate Backup Plus (2TB) drives with their included Toolkit backup software for my data backups, one for each PC, keeping them separate.  I’m also using 2 128GB USB sticks for my system image backup, 1 for each PC, again keeping them separate.  In keeping with the principle of using a separate 2TB drive for each PC, should I go ahead and save PC #1 Data backup & System Image to one drive, and PC #2 to the other, eliminating the USB sticks altogether?  Is there any good reason to keep the System Image backups separated from the Data backup?

        Sorry for being a bit long winded.  Looking forward to hearing back. Thanks again!!!

         

        ASUS TUF SABERTOOTH Z170s Motherboard, Intel i7-6700k CPU, Corsair 32GB DDR4-3200 RAM, ASUS ROG STRIX GeForce GTX-1070 Video Card, 1x BPX M.2 240GB NVMe SSD, 1x Samsung 850 EVO 1TB SSD, 2x WD Black 6TB HDD, Windows 10 Pro 64bit v1909

        • #2280654 Reply
          PKCano
          Da Boss

          Read carefully the caveats in Sections 3 & 4. If you are using GP “2” (notify download/install) you don’t need Pause or Metered connections in v1903/1909. Pause will keep you from seeing what is coming. And both are an invitation to installs when you remove them.

          I think if you disconnect from the Internet, remove Pause and let the search fail, that it will clear the WU queue. Then with your settings of Quality deferral = 0 and GP = “2” you should see the July updates but they won’t download. Feature deferral = 365 should keep you from getting v2004 until you lower the deferral. In fact, with that setting you won’t get the optional section “Download and install now” either.

          The Semi-Annuul Channel setting comes from a Windows Update for Business setting in GP. All of the Windows Update for Business settings should be “not configured” for v1903/1909, but will be needed for v2004 (Section 5) when the pulldowns in the GUI disappear. See the second screenshot in #2275043.

          3 users thanked author for this post.
      • #2280819 Reply
        anonymous
        Guest

        OK, so what do you do if you weren’t aware Micrsoft was about to update Microsoft Office and it started automatically when I turned my laptop on.
        I then encountered an error message when I tried to open Microsoft Outlook.
        What do I do now?  I don’t want to uninstall and reinstall Office, or Outlook, because I have a large .pst file which has been brought forward critical records from three successive laptops.

      • #2281483 Reply
        mulletback
        AskWoody Plus

        Oh joy. Two of five W10Pro 1909 boxes automatically installed the July updates in spite of  W10 Pro Group Policy setting #2. GP setting is still in place, reflecting the config after 1909 install. No, I did NOT push the button. Sigh.

        • #2281484 Reply
          PKCano
          Da Boss

          Did you set any Pause? If you did, when the Pause ends it ignores the “2” setting and installs anyway. If you use Group Policy “2” and the deferrals in v1909, do not use Pause or Metered connections. See the caveats in AKB2000016 in Sections 3 and 4.

          • #2281494 Reply
            mulletback
            AskWoody Plus

            No pause set, no metered connection, on either offending box.

    Viewing 7 reply threads

    Please follow the -Lounge Rules- no personal attacks, no swearing, and politics/religion are relegated to the Rants forum.

    Reply To: MS-DEFCON 2: Patch Tuesday’s tomorrow – make sure you have Automatic Update paused

    You can use BBCodes to format your content.
    Your account can't use Advanced BBCodes, they will be stripped before saving.