![](\"https:\/\/images.idgesg.net\/images\/article\/2017\/09\/windows_patch_security14-100734743-large.3x2.jpg\"\/)
<\/p>\n
Credit to Author: Woody Leonhard| Date: Mon, 10 Jun 2019 04:22:00 -0700<\/strong><\/p>\n Much has changed in the past month. We\u2019ve seen an <\/span>emergency cry<\/span><\/a> for all Windows XP, Vista, Win7, Server 2003, 2008 and 2008 R2 systems to get patched in order to fend off widely anticipated BlueKeep attacks. We\u2019ve also seen Microsoft <\/span>officially release<\/span><\/a> Windows 10 version 1903, with unsuspecting \u201cseekers\u201d now the prime targets.<\/span><\/p>\n If you want to avoid the mayhem that seems to accompany every month\u2019s dump of partially-tested patches, it would behoove you to turn off Windows automatic update and wait to see what squishy stuff gets stuck in others\u2019 shoes.<\/span><\/p>\n You\u2019ll have to install the June 2019 patches at some point. But for now, discretion\u2019s demonstrably the better part of valor.<\/span><\/p>\n If you haven\u2019t recently patched Windows XP, Vista, Win7, Server 2003, 2008, or 2008 R2 systems, drop everything and <\/span>get patched now<\/span><\/a>. Once you\u2019ve installed the BlueKeep patches, come back here and turn automatic update off. (No need to bother with XP and Vista; they aren\u2019t getting automatically updated anyway.)<\/span><\/p>\n If you\u2019re using <\/span>Windows 7 or 8.1<\/strong>, click Start > Control Panel > System and Security. Under Windows Update, click the “Turn automatic updating on or off” link. Click the “Change Settings” link on the left. Verify that you have Important Updates set to “Never check for updates (not recommended)” and click OK.<\/span><\/p>\n If you\u2019re using <\/span>Win10 Pro<\/strong> version <\/span>1709<\/strong>, <\/span>1803<\/strong>, or <\/span>1809 <\/strong>I suggest an update blocking \u00a0technique that Microsoft recommends for \u201cBroad Release\u201d in its obscure<\/span> –<\/span>Build deployment rings for Windows 10 updates<\/a>\u00a0\u2013\u00a0which is intended for admins, but applies to you, too. (Thx, @zero2dash)<\/p>\n Step 1.<\/strong> Using an administrative account, click Start > Settings > Update & Security. <\/span><\/p>\n Step 2.<\/strong> On the left, choose Windows Update. On the right, click the link for Advanced options. If you\u2019re using Win10 version 1803 or 1809, you see the settings in the screenshot.<\/span><\/p>\n Step 3. <\/strong>To pull yourself out of beta testing (or, as Microsoft would say, to delay new versions until they\u2019re \u201cfor broad deployment\u201d), in the first box, choose Semi-Annual Channel.<\/span><\/p>\n Microsoft has declared that its old terminology is no longer in effect, then later declared that Win10 version 1809 is Semi-Annual Channel, using the old terminology, and thus ready for widespread deployment. You don\u2019t have to agree \u2013 you get to choose whether to stay with 1803 or move to 1809. Even though I\u2019ve upgraded my production machines to 1809, I can certainly understand if you don\u2019t want to. <\/span><\/p>\n Step 4.<\/strong> To further delay new versions until they\u2019ve been minimally tested, set the \u201cfeature update\u201d deferral setting to 180 days or more. That tells the Windows Updater (unless Microsoft makes another \u201cmistake,\u201d <\/span>as it has numerous times in the past<\/span><\/a>) that it should wait until 240 days <\/span>after <\/i><\/strong>a new version is released (60 days for Semi-Annual Channel + 180 days deferral) before upgrading and re-installing Windows on your machine.<\/span><\/p>\n Win10 version 1809 was nominally released on Nov. 11, 2018. Add 240 days and you get July 11, 2019. So if you\u2019re running 1803 update on Semi-Annual Channel, and you set the \u201cfeature update\u201d deferral to 180 days, you won\u2019t be forcibly upgraded to 1809 until July 11, at the earliest.<\/span><\/p>\n Step 5.<\/strong> To delay cumulative updates, set the \u201cquality update\u201d deferral to 15 days or so. (\u201cQuality update\u201d = cumulative update = bug fix.) In my experience, Microsoft usually yanks bad Win10 cumulative updates within a couple of weeks of their initial release. By setting this to 10 or 15 or 20 days, Win10 will update itself after the major screams of pain have subsided and (with some luck) the bad cumulative updates have been pulled or re-issued. Notably, in February 2019, it took Microsoft 18 days to fix its first-Tuesday bugs.<\/span><\/p>\n Step 6.<\/strong> Just \u201cX\u201d out of the settings pane. You don\u2019t need to explicitly save anything.<\/span><\/p>\n Step 7. <\/strong>Don\u2019t click Check for updates<\/i><\/strong>. Ever.<\/span><\/p>\n If there are any real howlers \u2013 months where the cumulative updates were irretrievably bad, and never got any better, as <\/span>they were in July 2018<\/a><\/span>\u00a0\u2013 we\u2019ll let you know, loud and clear. <\/span><\/p>\n If you have Win10 Home, version 1803 or 1809, your only reasonable option is to set your internet connection to \u201cmetered.\u201d Metered connections are an update-blocking kludge that seems to work to fend off cumulative updates, but as best I can tell still doesn\u2019t have Microsoft\u2019s official endorsement as a cumulative update prophylactic.<\/span><\/p>\n To set your Ethernet connection as metered: Click Start > Settings > Network & Internet. On the left, choose Ethernet. On the right, click on your Ethernet connection. Then move the slider for Metered connection to On.<\/span><\/p>\n To set your Wi-Fi connection as metered: Click Start > Settings > Network & Internet. On the left, choose Wi-Fi. On the right, click on your Wi-Fi connection. Move the slider for Metered connection to On.<\/span><\/p>\n If you set your internet connection to metered, you need to watch closely as the month unfolds, and judge when it\u2019s safe to let the demons in the door. At that point, turn \u201cmetered\u201d off, and just let your machine update itself. Don\u2019t click Check for updates.<\/span><\/p>\n Couldn\u2019t resist the temptation, eh?<\/span><\/p>\n If you\u2019ve already jumped ahead to Win10 version 1903, you\u2019re entering uncharted territory. We\u2019ve heard lots of promises about the new updating regimen, but haven\u2019t been through enough update cycles to know exactly what\u2019s going to happen.<\/span><\/p>\n If you\u2019re running Win10 1903 Pro, my advice is that you NOT click Pause updates on the main Windows Update page. Instead, click on Advanced Options and (as shown in the screenshot) choose to defer feature updates by 365 days and defer quality updates for 15 days.<\/span><\/p>\n If you\u2019re using Win10 1903 Home, we still don\u2019t have enough experience \u2013 or reliable documentation \u2013 to say for sure what\u2019ll happen. But it seems to be a good idea to both set your connection to metered, as discussed in the preceding section, and to click Pause updates twice \u2013 for a total of 14 paused days. Historically, that\u2019s been sufficient to avoid the worst problems.<\/span><\/p>\n We\u2019re at MS-DEFCON 2 <\/span><\/i>on AskWoody<\/span><\/i><\/a><\/p>\n http:\/\/www.computerworld.com\/category\/security\/index.rss<\/a><\/p>\n","protected":false},"excerpt":{"rendered":" Credit to Author: Woody Leonhard| Date: Mon, 10 Jun 2019 04:22:00 -0700<\/strong><\/p>\n Much has changed in the past month. We\u2019ve seen an <\/span>emergency cry<\/span><\/a> for all Windows XP, Vista, Win7, Server 2003, 2008 and 2008 R2 systems to get patched in order to fend off widely anticipated BlueKeep attacks. We\u2019ve also seen Microsoft <\/span>officially release<\/span><\/a> Windows 10 version 1903, with unsuspecting \u201cseekers\u201d now the prime targets.<\/span><\/p>\n<\/p>\n