ISSUE 16.13.0 • 2019-04-08
The AskWoody Plus Newsletter
In this issue
Woody’s Windows Watch: Bombshell: Updating Win10 will be better — really!
LANGALIST: A reader’s laptop becomes a fire hazard!
ON SECURITY: Preparing for Microsoft’s patch-security changes
BEST UTILITIES: Freeware Spotlight — Hekasoft Backup & Restore
WOODY’S WINDOWS WATCH
Bombshell: Updating Win10 will be better — really!
By Woody Leonhard
On Windows 7 systems, controlling updates is easy: Simply turn Windows Update on or off, and pick the patches you want. From its very beginning, Win10 hasn’t been nearly so kind. Win10 Pro users might have a complex phalanx of controls, but they can be blown away simply by clicking “Check for updates.” Win10 Home users have no controls at all — they’re the designated cannon fodder.
That’s going to change with the next version of Windows 10, we’re now told — Win10 customers will gain more control over when updates are installed. No, we haven’t seen these new controls in any Version 1903 betas, but there is a (rather confusing) set of promises from official sources. If what’s described is implemented, the new updating options should go a long way toward getting us out of the Win10 muck we’re currently in.
The many names of the next Windows 10
Whenever Microsoft talks about something new, one of the first hurdles we must clear is the company’s infernal terminology. Put succinctly, the next release of Win10 will be Version 1903. That’s the only version of Win10 likely to ship before October. Microsoft currently calls it “Windows 10 May 2019 Update,” but that’s marketing drivel — on par with “Creators Update” (Version 1703). Inside Version 1903 itself, you can see references to Win10 Version 1903 (as you might expect), Windows 10 April 2019 Update, Win10 Version 19H1, and Redstone 6. They’re all different names for the same thing — Win10 Version 1903.
We now know that a more-or-less final build of Win10 1903 will be released to beta testers — Windows Insiders — sometime this week, with the final version rolling out in late May.
As mentioned earlier, Version 1903 will reportedly have significant changes to the Windows Update routine. But within the next few weeks, there will also be changes to Windows Update in Version 1803 (the version you’re likely using) and Version 1809 (the version du jour). And therein lies the story of how we’ll control updating in the near future.
What’s been promised about Windows Update in Win10 1903
It seems everyone and his brother has written an (often breathless) story about how Win10 1903 will finally allow everybody to take full control over updates. Most of what’s reported is stupendous oversimplification — more often than not based on people reading things into the official announcement that aren’t there. Here’s what we know. Last Thursday, Microsoft VP Mike Fortin posted a remarkable announcement on the official Windows Blog. The key points are these:
There’s also a repeated promise that — really! — MS is going to try harder to get the bugs out of patches before they’re released — in Version 1903’s case, by having the update spend more time in the Insider Preview Ring. I’ll just note in passing that increased time in the Insider Preview Ring didn’t catch a bluescreen bug in last week’s Win10 1809 cumulative update. But never mind.
Fortin’s announcement jumbles together a bunch of different Win10 patching strategies. Let’s sort them out and toss in a bit of hard reality.
Win10 version changes (or ‘feature updates’)
The key contributor to my graying hair isn’t going away — two new versions of Win10 every year. But everybody (by which I mean those using Pro and Home Versions 1803, 1809, and 1903, and who are not connected to an update server) will get more options to block forced version changes. At least, that’s what Fortin states. I haven’t seen those options yet, so I’m skeptical; but if true, it’s a serious improvement to the way Win10 works. Fortin’s announcement includes a screenshot (Figure 1) which helps shed some light.
The screen shot appears to be taken from a Win10 1809 Home machine that’s being offered the upgrade to Version 1903. Let’s hope that the final release looks like this. Assuming I’ve read Fortin’s announcement correctly, if you don’t click on the “Download and install now” link, Win10 won’t upgrade to the next version. That’s great — no stupid tricks; you stay on your current version of Windows until you click the link, or your current version hits End of Life. If it ends up working like that, my hat’s off to whoever made the decision. This is the right way to run an upgrade.
But of course, the details are probably more complicated. Fortin says that you’ll continue to get a “Download and install now” notice from the time a new Win10 version is made available to when your current version reaches its end of life, give or take a few days. Right now, for Pro and Home users, every new Win10 version has an official life span of 18 months. So if you decide to ignore the “Download and install now” notice for as long as you can, you’ll end up installing the most recently released (and likely much less tested) Win 10 version.
Say you’re running Win10 1803, and you decide to studiously ignore the “Download and install now” notifications. After 18 months, you can then expect that Microsoft will push you onto a new Win10 version. Microsoft hasn’t said exactly when it’ll start the push, but given the current timing, it’s possible that you’ll end up with Version 1909, which at that point will be only a few days or weeks old. The obvious solution is to pick your own time for moving to the next version — but don’t wait a full 18 months. Let’s see how that works out.
Win10 cumulative updates (‘quality updates’)
The preceding section covers new versions — “feature updates” in Microbafflegab. You only have to worry about those twice a year. But what about cumulative updates — aka quality updates — that arrive at least twice a month, and sometimes more frequently? That’s a different kettle of fish. Fortin describes the option this way: “We’re making it possible for all users to pause both feature and monthly updates for up to 35 days (seven days at a time, up to five times). Once the 35-day pause period is reached, users will need to update their device before pausing again.” Unfortunately, that description doesn’t match up with an animated screen capture recently posted by Leopeva64 on Reddit. Figure 2 is a snapshot of his Windows Update/Advanced options pane in Win10 Home 1903.
If Microsoft ships Win10 1903 with the option shown in the screenshot — and every indication so far says that they will — Fortin’s description isn’t accurate. This screenshot shows that Win10 1903 Home users will be able to pause updates for up to 35 days without jumping through a 7+7+7+7+7-day hoop. This setting isn’t automatic, and it certainly isn’t obvious. But if Win10 1903 ships as shown, it’ll be quite useful.
As soon as you know a cumulative update is coming (say, the day before Patch Tuesday), you can scurry over to the Windows Update/Advanced options pane and tell Windows Update to pause for 15 or 20 days — then sit back and relax. Why 15 or 20 days? Historically, Microsoft has identified and yanked (or modified) its worst cumulative update bugs within a week or two. If you wait for 15 or 20 days, you should get a fresh patch that’s pretty well tested.
As best I can tell, this is a one-way setting: You can reduce the number of paused days, but you can’t increase it. If you decide that your 15 or 20 days isn’t long enough, you’re out of luck — you must install all paused patches before you can use the deadline extension again.
What about other Win10 patches?
We don’t know. Win10 commonly gets patches other than version changes and cumulative updates — e.g., driver changes, servicing-stack updates, various “silver bullet” fixes, and oddball patches — and it isn’t at all clear how they’ll fall into the new brackets. We do know (thanks to Zac Bowden) that one sequence won’t work the way you might think. If you click “Download and install now” and then change your mind and click Pause updates, that only interrupts the version change for as long as the Pause lasts. You can’t take the “Download and install” selection back.
What to do?
Wait. If Microsoft makes good on its promise and delivers a version-upgrade canceling mechanism for installation in Win10 1803 — the version you’re likely running right now — or version 1809, it’ll be big news. I’ll be giving details on how it really works on the AskWoody main blog page, and in Computerworld, and in future Newsletters and Alerts. By the time Microsoft ships Win10 1903, theoretically in late May, we’re supposed to have the tools necessary to block it. At the very least, you should block it until Microsoft says it’s ready to be deployed on business machines (what used to be called “Current Branch for Business,” then the “Semi-Annual Channel” — and now it doesn’t have a name). Fortunately, if this all works as promised, you won’t have to do anything to block Win10 1903. You just have to avoid clicking “Download and install now.” I’m still not comfortable with the contradictory language we’ve seen for our old favorite, the “Check for updates” button. Avoid it. Studiously. Hang in there. It’s almost certain we’ll get worthwhile Windows Update changes for all current versions of Win10 — very soon. In the past, I’ve recommended that Win10 Home customers pay to upgrade to Win10 Pro just to keep the update/upgrade monkey off their backs. If these developments work out, that won’t be necessary. Let’s see what Microsoft does. If we get what’s been promised, there’ll likely be some new traps to avoid, but life will indeed be better. And if you run into someone who tells you that you need to install all Windows updates as soon as they’re available, you have my permission to give ’em a Bronx cheer.
Eponymous factotum Woody Leonhard writes lots of books about Windows and Office, creates the Woody on Windows columns for Computerworld, and raises copious red flags in sporadic AskWoody Plus Alerts.
LANGALIST
A reader’s laptop becomes a fire hazard!
By Fred Langa
It looked like a weird screen problem, but it was actually something much, much worse! Plus: How to control — or stop! — those ad-like notifications in Windows 10.
Laptop/tablet screen isn’t flat anymore
A reader (who requested anonymity) asks:
Yikes! It’s not your screen that’s bulging; it’s the battery behind the screen! And that’s really dangerous! Lithium-ion batteries produce gases when they’re stressed — such as when they’re overheated, overcharged, or too rapidly discharged — or, eventually, by the cumulative effects of simple aging. The shell of the battery is designed to contain the gases produced during normal operation and aging. But when the quantity of gas is beyond what the battery is designed to handle, the battery case swells and deforms. (See the article “Why Do Lithium-Ion Batteries Swell?” plus more info about this topic on Google.) A bulging battery is already past the end of its service life — and well on its way to becoming an honest-to-god fire and electrical hazard. Bulging Li-ion batteries will also suffer from dendrites (info; more info), which are internal spike-like growths that can pierce the battery’s insulating layers and cause a short circuit. The excess heat created by the short causes the already stressed shell to burst, venting a shockingly large quantity of toxic, flaming gases in the process. Think I’m exaggerating? Take a look at this brief YouTube video that shows what happens when a small, Li-ion smartphone battery is deliberately shorted. Would you want something like this to happen on your lap or in your home? Even if a battery doesn’t fail that destructively, a bulging battery can still damage adjacent components. Screens, for example, can flex and compress only so far before sustaining permanent damage. Bottom line: Any deformed Li-ion battery should be taken out of service and replaced ASAP! If your device is still under warranty, take it immediately to an official repair shop. If you’re on your own, it may be possible to replace the battery yourself. For example, there are many online guides (Google search) to replacing Surface Pro batteries. 
If you do try the self-repair route, use extreme caution when handling — or working on and around — any defective Li-ion battery. It’s not just an electrical device; think of it as a compromised container full of high-pressure, flammable gas — because that’s exactly what it is! Be careful! If you’d like some tips on stretching the life of Li-ion batteries — and how to avoid dangerous bulging in the first place — check out an old Windows Secrets column, “How to make lithium-ion batteries last for years.” It’s a free re-post on Langa.com.
Controlling ad-like notifications in Win10
Like many of us, reader Raylon Rogers doesn’t much care for all the ad-like notifications that Win10 normally tries to show you.
Usually, yes. Win10 itself offers three levels of control over notifications, ranging from the very broad to the very fine. Plus, your apps may separately offer their own notification controls. I recommend starting with the most general level; click the Win10 Start button and then select Settings/System/Notifications & actions (see Figure 1).
The top of the Notifications & actions page lets you choose the type and order of “quick-action” tiles you’ll see in the action center. That’s useful, but it has nothing to do with notifications, per se, so let’s keep moving. Scroll down to the section specifically labeled Notifications (see Figure 2) and make any adjustments you wish.
For finer app-by-app control of notifications, scroll down a bit more to the Get notifications from these senders section, where you can mute or allow notifications from the apps that use Win10-compliant notification methods. See Figure 3.
The third and finest level of notification control lets you select — also on an app-by-app basis — whether, where, when, and how notifications are displayed; what priority they should take; whether they make noise or are silent; how many notifications can be displayed at a time; and more. To access this third level of control, click any of the apps shown in Get notifications from these senders. For example, when I click Google Chrome in my list of senders, I see the settings shown in Figure 4.
As mentioned earlier, many apps also offer their own set of notification controls. (In fact, with some older apps that bypass Win10’s official notification system, those internal controls may be the only way to control their notifications.) So if Win10’s own controls don’t do what you want, try looking at the settings for whatever app is generating the unwanted notifications/ads. And a final note: You didn’t mention the Windows lock screen, but some ad-like matter can appear there, too. To control that, start by clicking Settings/Personalization/Lock screen. Next, scroll down to Get fun facts, tips, and more from Windows and Cortana and uncheck it. While you’re there, check out the quick status and detailed status options to gain more control over what’s displayed on the lock screen — and what’s not!
Fred Langa has been writing about tech — and, specifically, about personal computing — for as long as there have been PCs. And he is one of the founding members of the original Windows Secrets newsletter. Check out Langa.com for all Fred’s current projects.
On Security
Preparing for Microsoft’s patch-security changes
To ensure that patches maintain integrity, Microsoft is dropping all support for SHA-1 and mandating SHA-2. Here’s why everyone running Windows 7 and editions of Windows Server 2008 really needs to install some upcoming patches.
First, a bit of history
To understand the importance of the changes in Microsoft’s application of Secure Hash Algorithm (SHA), it’s helpful to know a bit of history. Secure Hash Algorithm 1 (SHA-1) has been for years a key technology used to ensure code integrity. Software is code. In the past, when we received software (typically as applications), we’d have to trust that none of the code has been tampered with — from the time it left the developer’s server to its installation on our machines. These days, it’s a given that malicious hackers will try to attack our systems with compromised software, if given the opportunity. Here’s an example: A recent Motherboard article reported that bogus ASUS firmware updates allowed the installation of malicious backdoors on about half a million Windows PCs. Unwitting users downloaded the bad code from ASUS servers, and the updates had official ASUS signatures — meaning they came from a “trusted” source (ASUS). Many years ago, when Microsoft built the Windows updating process, the company anticipated this threat. It created a system in which the bits and pieces of, say, a patch could be split apart and then reassembled into usable code on each PC. The system would thus ensure that all bits in the received patch were identical to those written in Redmond (or wherever Microsoft builds patches these days). It was a way of confirming that the patch had arrived without unwanted changes. To secure its patches and other transmitted code, Microsoft has used the SHA-1 cryptographic-hash system, developed by the U.S. National Security Agency. (Other software vendors such as Google, Apple, and Mozilla also used this code-security technology.) SHA-1 worked by mapping the original code into a cryptographic, 160-bit hash value or message digest — typically a 40-digit-long hexadecimal number. When the code is reassembled at its destination, its hash value is compared to that of the original. 
If the values match, it’s almost guaranteed that code has not been tampered with. “Almost” is the key word. Since 2005, SHA-1 has not been considered secure, as noted in a Wikipedia article. Security researchers showed that SHA-1 could be broken. (An earlier version of SHA — Version 0 — was shown to be vulnerable back in 1998.)
For years, Microsoft has continued to use SHA-1, assuming that the chances of a valid attack are small. Currently, Windows 10 supports both SHA-1 and the more secure SHA-2, but Win7 systems have supported only SHA-1. Later this year, however, things will change — Microsoft’s entire infrastructure and patching mechanisms will require SHA-2. And that’s the reason Windows 7 and several other platforms will need some important patches that are coming out soon. (Windows 10 systems will be updated automatically.)
As noted in KB 4472027, blocking SHA-1 and fully enabling SHA-2 will require several updates and actions over the next few months. Again, all current Windows platforms still support SHA-1 and may receive updates signed with both SHA-1 and SHA-2. Going forward, these systems will accept only code signed with SHA-2 hash algorithms.
Your action plan for at-risk platforms
WSUS 3.0 SP2
On Windows Server 2008 R2 systems with Windows Software Update Services (WSUS) 3.0 SP2 installed, admins need to add KB 4484071 — a patch only for WSUS 3.0 SP2 — to ensure that their servers will support future SHA-2–only Windows updates. The patch isn’t available via Windows Update — it must be manually downloaded and installed. On Small Business Server 2008 and SBS 2011, manually download KB 4484071 from the Microsoft Update Catalog. The patch is fully tested and compatible with these servers. (Note that KB 4484071 won’t change the limitations of WSUS 3.0 SP2 — that version of the update service will continue to install security updates on Windows 10 systems but still won’t install feature updates.)
Note: Before adding KB 4484071, admins need to install the March updates: KB 4489880 (or the April rollup) for Server 2008 SP2; KB 4489878 for Server 2008 R2 SP2. (WSUS 4.0 and later versions already support SHA-2.)
These updates must be completed by June 18, 2019, in order to support the SHA-2–only patches that’ll be required by Windows 10 systems. In other words, if you are still using WSUS 3.0 SP2 to patch Win10 machines on your network, you must have this WSUS update installed no later than June 18 — or your Win10 workstations will no longer receive updates.
Windows 7 and Server 2008 R2
Windows 7 and Server 2008 R2 systems need two key updates before the SHA-2 deadline. KB 4474419, released March 12, 2019, adds SHA-2 code-signing support. KB 4490628, released the same day, is a servicing-stack update that must be installed separately from all other patches. If you have any pending updates, KB 4490628 won’t show up. Win7 and Server 2008 R2 systems need to have these two updates installed no later than August 13, 2019, or you’ll no longer receive any new patches (which, again, will all require SHA-2).
Other deadlines
On Windows Server 2008 SP2 systems, the SHA-2 updates released on April 9 must be installed no later than July 16, 2019.
If you haven’t added the updates before then, your servers will no longer receive security updates.
On July 16, 2019, updates for Win10 Versions 1507, 1607, and 1703 will flip those OSes from dual-signed (SHA-1 and SHA-2) certificate support to SHA-2 only. No action is needed on the user’s part — this will all be done by Microsoft on its end.
On September 16, 2019, all legacy Windows platforms — Windows 7 SP1, Windows 8.1, Windows Server 2008 R2 SP1, Windows Server 2012, Windows Server 2012 R2 — will need to have been updated or they’ll not receive security updates.
On my systems, I’ve yet to see any side effects with these patches. But I’ll keep looking for issues that might crop up when the mandated SHA-2 updates appear in September.
A simple action plan
I recommend you not install any of these SHA-related updates on the regular Patch Tuesdays (the second week of each month). Rather, add them at the end of the month to ensure they’re installed by themselves and that there’s no interference from feature and security patches.
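As an added example (not from the newsletter or from Microsoft), the deadlines above can be turned into a fleet check: the script reads an inventory of hosts and lists which of the article's SHA-2 prerequisite KBs each one still lacks, soonest deadline first. The CSV layout, host names and function names are assumptions and the sample data is constructed; the KB numbers and dates are the ones given above.

```python
import csv
import io
import re
from datetime import date

# KB numbers and deadlines are the ones stated in the article above.
WIN7_2008R2_KBS = ("KB4474419", "KB4490628")  # SHA-2 support, servicing stack
WIN7_2008R2_DEADLINE = date(2019, 8, 13)
WSUS_KB = "KB4484071"                         # applies to WSUS 3.0 SP2 only
WSUS_DEADLINE = date(2019, 6, 18)
# March updates that must be in place before the WSUS patch. The article says
# the April rollup also satisfies the Server 2008 SP2 prerequisite but gives no
# KB number for it, so a host flagged for KB4489880 needs a manual look.
WSUS_PREREQ = {"server 2008 sp2": "KB4489880", "server 2008 r2": "KB4489878"}

# Constructed sample inventory: hypothetical hosts, assumed CSV layout.
SAMPLE_INVENTORY = """host,os,wsus_version,installed_kbs
PC-ACCT-01,Windows 7 SP1,,KB4474419;KB4490628
PC-ACCT-02,Windows 7 SP1,,kb 4474419
SRV-FILE,Windows Server 2008 R2 SP1,,KB4489878
SRV-WSUS,Windows Server 2008 R2 SP1,3.0 SP2,KB4474419;KB4490628
SRV-SBS,Windows Server 2008 SP2,3.0 SP2,4489880
PC-LAB-10,Windows 10 1809,,
"""


def normalize_kb(raw):
    """Map 'kb 4474419', '4474419' or 'KB4474419' to 'KB4474419'."""
    match = re.fullmatch(r"\s*(?:kb)?\s*(\d{6,7})\s*", raw, re.IGNORECASE)
    return "KB" + match.group(1) if match else None


def check_host(row, today):
    """Return one finding per missed requirement group for a single host."""
    os_name = row["os"].lower()
    installed = {normalize_kb(kb) for kb in row["installed_kbs"].split(";")}
    groups = []

    # Windows 7 and Server 2008 R2: both updates needed by August 13, 2019.
    if "windows 7" in os_name or "server 2008 r2" in os_name:
        missing = [kb for kb in WIN7_2008R2_KBS if kb not in installed]
        if missing:
            groups.append((WIN7_2008R2_DEADLINE, missing))

    # WSUS 3.0 SP2: prerequisite first, then the WSUS patch, by June 18, 2019.
    if row["wsus_version"].strip().upper() == "3.0 SP2" and WSUS_KB not in installed:
        missing = [kb for os_key, kb in WSUS_PREREQ.items()
                   if os_key in os_name and kb not in installed]
        missing.append(WSUS_KB)
        groups.append((WSUS_DEADLINE, missing))

    return [{"host": row["host"], "missing": missing, "deadline": deadline,
             "days_left": (deadline - today).days}
            for deadline, missing in groups]


def audit(inventory_csv, today):
    """Check every host in the CSV text; most urgent deadline first."""
    findings = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        findings.extend(check_host(row, today))
    return sorted(findings, key=lambda f: (f["deadline"], f["host"]))


if __name__ == "__main__":
    for f in audit(SAMPLE_INVENTORY, date(2019, 4, 8)):
        state = "OVERDUE" if f["days_left"] < 0 else f"{f['days_left']} days left"
        print(f"{f['host']:<11} {f['deadline']} ({state}): {', '.join(f['missing'])}")
```

Windows 10 hosts produce no findings because, per the article, those systems are updated automatically.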
In real life, Susan Bradley is a Microsoft Security MVP and IT wrangler at a California accounting firm, where she manages a fleet of servers, virtual machines, workstations, iPhones, and other digital devices. She also does forensic investigations of computer systems for the firm.
Best Utilities
Freeware Spotlight — Hekasoft Backup & Restore
We store a huge amount of personal information in application-based user profiles — especially for our browsers. That information can include passwords, favorites, custom settings, browsing history, and more. If those profiles become corrupted, restoring them can be a lot of work. Over the years, there’ve been various browser plugins that let you easily back up, restore, or move browser profiles. Most, however, have fallen by the wayside. Several for Firefox, for instance, just couldn’t keep up with the fast-changing browser — and further development simply stopped. So I was pretty excited when I found Hekasoft Backup & Restore (see Figure 1). It not only backs up a ton of different browsers, it also backs up other types of programs! (Yes, some apps have built-in tools for backing up and restoring/moving user profiles — Firefox, for example; more info — but the tools are limited to the app.)
This small, portable program supports most of the browsers you’ve heard of plus others that are relatively obscure or specialized. Here’s a list:
Gecko-based browsers
Chromium-based browsers
Other browsers
Other programs
Have another program whose user profile you want to back up? Just choose Add Software under the Options menu, as shown in Figure 2.
Next, choose the folder and/or file that contains the program’s user data and create your own backup module. How cool is that?!
For this exercise, we’re going to back up Firefox. We start with choosing the browser from the list of known apps. (Note: Before clicking on a specific app or browser, make sure it’s not running.)
After you’ve selected the target program, click Start, give the backup file a name, navigate to where you want it saved, and click Save.
Next, sit back and let the utility go to work.
Profile restoration
To restore a program’s user-profile data, simply choose Restore on the main screen and navigate to the saved backup file. Here’s something reeeeally cool: As long as both browsers use the same engine, you can restore a profile from one browser to another — for example, a Firefox backup to Waterfox or a Chrome backup to Slimjet! But there’s more! (Sorry, I watched too many infomercials when I was young.) Under Tools, you can migrate a profile directly from one browser to another (see Figure 7).
Hekasoft B & R also includes tools for optimizing your browsers. Optimization cleans out unneeded bloat from the browser, such as logs, thumbnails of pictures from websites, bookmark backups (some browsers do this automatically), cached content from websites, and crash logs (mini-dumps). It makes the browser run more smoothly and with less memory use.
It’ll also check for dead links stored in user profiles.
Another tool scans your browser plugins and lets you remove those you no longer want.
That’s a lot of bang for no bucks. This free utility is another must-have tool for system administrators, computer techs, and advanced Windows users. Again, it’s portable, so it can be added to a flash drive–based tool kit. To get Hekasoft Backup & Restore, head over to its download page on OlderGeeks.com
Deanna and Randy McElveen are celebrating 20 years in the computer business, seven years running OlderGeeks.com and 26 years of putting up with each other. Their computer store is in a small town in the Missouri Ozarks. Believing that happy customers are always the best advertisement, they hope to do it for another 20 years.
Publisher: AskWoody LLC (woody@askwoody.com); editor: Tracey Capen (editor@askwoody.com).
Copyright © 2019 AskWoody LLC, All rights reserved.