It's time to block Windows Automatic Updating

Credit to Author: Woody Leonhard | Date: Mon, 11 Feb 2019 05:15:00 -0800

Those of you who feel it’s important to install Windows and Office patches the moment they come out – I salute you. The Windows world needs more cannon fodder. When the bugs come out, as they inevitably will, I hope you’ll drop by AskWoody.com and tell us all about them.

For those who feel that, given Microsoft’s track record of pernicious patches, a bit of reticence is in order, I have some good news. Microsoft’s Security Response Center says that only a tiny percentage of patched security holes get exploited within 30 days of the patch becoming available.

Yes, it’s possible that you’ll be among the unlucky few. But in my experience, if you steer clear of Internet Explorer and Edge, and avoid hideously buggy packages like Adobe Flash and Reader, you’re much better off waiting a couple of weeks before applying the latest patches.

Of course, you have to patch sooner or later. In some rare cases, you need to install specific patches shortly after they’re released. We’ll warn you about the stinkers. But in almost all cases, you can afford to wait a couple of weeks to get patches installed – and that’s usually enough time for the bad bugs to show themselves.

It’s true. Windows 7 originally shipped with an automatic update feature that was turned off by default. How times change, eh?

If you’re using Windows 7 or 8.1, click Start > Control Panel > System and Security. Under Windows Update, click the “Turn automatic updating on or off” link. Click the “Change Settings” link on the left. Verify that you have Important Updates set to “Never check for updates (not recommended)” and click OK.

If you’re using Windows 10 Pro version 1709, 1803, or 1809, I recommend an update blocking technique that Microsoft lists for “Broad Release” in its obscure Build deployment rings for Windows 10 updates — which is intended for admins, but applies to you, too. (Thx, @zero2dash)

Step 1. Using an administrative account, click Start > Settings > Update & Security.

Step 2. On the left, choose Windows Update. On the right, click the link for Advanced options. You see the settings in the screenshot.

Step 3. To pull yourself out of beta testing, in the first box, choose Semi-Annual Channel. (“Semi-Annual Channel” is this month’s bafflegab version of the old “Current Branch for Business,” which was a euphemism for “ready for paying customers.”)

Step 4. To further delay new versions until they’ve been minimally tested, set the “feature update” deferral setting to 120 days or more. That tells the Windows Updater (unless Microsoft makes another “mistake,” as it has numerous times in the past) that it should wait until 120 days after a new version is declared ready for broad deployment before upgrading and re-installing Windows on your machine.

That has the added benefit of blocking Microsoft’s forced upgrade to Win10 version 1809, if you’re on 1703 or 1709. You should choose when you want to upgrade. Don’t leave it up to Microsoft’s “next generation advanced learning” algorithm which, presumably, is more advanced than the current-generation advanced learning algorithm.

Step 5. To delay cumulative updates, set the “quality update” deferral to 15 days or so. (“Quality update” = bug fix.) In my experience, Microsoft usually yanks bad Win10 cumulative updates within a couple of weeks of their initial release. By setting this to 10 or 15 or 20 days, Win10 will update itself after the major screams of pain have subsided and (with some luck) the bad cumulative updates have been pulled or re-issued.

Step 6. Just “X” out of the settings pane. You don’t need to explicitly save anything.

Step 7. Don’t click Check for updates. Ever.
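
A read-only way to confirm that Steps 3 to 5 took effect, as an added example that is not part of the original article. It assumes that on Win10 Pro 1709 to 1809 the Advanced options page stores its values under `HKLM\SOFTWARE\Microsoft\WindowsUpdate\UX\Settings` and that a `BranchReadinessLevel` of 32 means Semi-Annual Channel; verify both on your build.

```powershell
# Read-only check of the deferral settings chosen in Steps 3-5. Changes nothing.
# Assumption: the Settings app (Win10 Pro 1709-1809) writes its choices to this key.
$uxKey = 'HKLM:\SOFTWARE\Microsoft\WindowsUpdate\UX\Settings'

# Assumption: 32 = Semi-Annual Channel, 16 = Semi-Annual Channel (Targeted).
$channelNames = @{ 16 = 'Semi-Annual Channel (Targeted)'; 32 = 'Semi-Annual Channel' }

function Get-UpdateSetting {
    param([Parameter(Mandatory)][string]$Name)
    # Returns $null when the value was never written (setting still at its default).
    $item = Get-ItemProperty -Path $uxKey -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$Name
}

function Format-Value {
    param($Value, [string]$Suffix = '')
    if ($null -eq $Value) { return 'not set' }
    return "$Value$Suffix"
}

$channel = Get-UpdateSetting -Name 'BranchReadinessLevel'
$feature = Get-UpdateSetting -Name 'DeferFeatureUpdatesPeriodInDays'
$quality = Get-UpdateSetting -Name 'DeferQualityUpdatesPeriodInDays'

# Translate the channel number to a name; guard against a missing or unknown value.
$channelText = Format-Value $channel
if ($null -ne $channel -and $channelNames.ContainsKey($channel)) {
    $channelText = $channelNames[$channel]
}

# Compare each value with what the article recommends.
$report = @(
    [pscustomobject]@{ Step = 3; Setting = 'Channel'
        Current = $channelText; Wanted = 'Semi-Annual Channel'
        Ok = ($channel -eq 32) }
    [pscustomobject]@{ Step = 4; Setting = 'Feature update deferral'
        Current = (Format-Value $feature ' days'); Wanted = '120 days or more'
        Ok = ($null -ne $feature -and $feature -ge 120) }
    [pscustomobject]@{ Step = 5; Setting = 'Quality update deferral'
        Current = (Format-Value $quality ' days'); Wanted = '10 days or more'
        Ok = ($null -ne $quality -and $quality -ge 10) }
)

$report | Format-Table -AutoSize
```

Run it from a PowerShell prompt after closing the settings pane in Step 6; any row with `Ok` showing `False` means that setting did not stick.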

If there are any real howlers – months where the cumulative updates were irretrievably bad, and never got any better, as they were in July of last year – we’ll let you know, loud and clear.

Here’s the thing about Windows 10 Home. Microsoft considers Home customers fair game. They really should call it Win10 Guinea Pig edition. Microsoft has no qualms whatsoever in pushing its new, untested (perhaps I should say “less-than-thoroughly-tested”) updates and upgrades onto Windows 10 Home machines.

This isn’t a mistake or an oversight. Win10 Home customers by design are Microsoft’s extended beta-plus testing force. Cannon fodder. It’s been that way since day one. As Susan Bradley says, “Every version of Windows should be able to defer and pause updates…. Microsoft, your customers deserve better than this.”

If upgrading to Win10 Pro isn’t an option – and I sympathize if you’d rather not hand over another $100 to Microsoft for something that should come standard – your only other reasonable option is to set your internet connection to “metered.” Metered connections are an update-blocking kludge that seems to work to fend off cumulative updates, but as best I can tell still doesn’t have Microsoft’s official endorsement as a cumulative update prophylactic.

To set your Ethernet connection as metered: Click Start > Settings > Network & Internet. On the left, choose Ethernet. On the right, click on your Ethernet connection. Then move the slider for Metered connection to On.

To set your Wi-Fi connection as metered: Click Start > Settings > Network & Internet. On the left, choose Wi-Fi. On the right, click on your Wi-Fi connection. Move the slider for Metered connection to On.

If you set your internet connection to metered, you need to watch closely as the month unfolds, and judge when it’s safe to let the demons in the door. At that point, turn “metered” off, and just let your machine update itself. Don’t click Check for updates.

The current beta test version of the next (“19H1” or “1903”) version of Win10 Home includes the ability to Pause updates for seven days. While that’s certainly a step in the right direction, it doesn’t help much in the real world:

All of which makes Win10 Home “Pause updates” a really nifty marketing setting (“Look! You can pause updates in Win10 Home!”) that’s basically useless. Unless you’re Carnac the Magnificent.

We’re at MS-DEFCON 2 on AskWoody.
