'Don't Tell People To Turn Off Windows Update, Just Don't' (troyhunt.com)
Security researcher Troy Hunt, writing on his blog: Often, the updates these products deliver patch some pretty nasty security flaws. If you had any version of Windows since Vista running the default Windows Update, you would have had the critical Microsoft Security Bulletin known as "MS17-010" pushed down to your PC and automatically installed. Without doing a thing, when WannaCry came along almost 2 months later, the machine was protected because the exploit it targeted had already been patched. It's because of this essential protection provided by automatic updates that those advocating for disabling the process are being labelled the IT equivalents of anti-vaxxers and whilst I don't fully agree with real world analogies like this, you can certainly see where they're coming from. As with vaccinations, patches protect the host from nasty things that the vast majority of people simply don't understand. This is how consumer software these days should be: self-updating with zero input required from the user. As soon as they're required to do something, it'll be neglected which is why Windows Update is so critical.
Excluding the unfortunate exceptions (Score:5, Insightful)
Unless you have a production environment with a software product that breaks with Windows update turned on. In which case you have to take additional security and maintenance measures and have a team that is tasked with (and funded properly) to do testing and updates on a regular basis.
Re:Excluding the unfortunate exceptions (Score:5, Interesting)
For me, it takes around three manual restarts, because I have a dual-boot system and the default option is to boot into Linux. Even if Windows does download the update, it then sits around for so long with no indication of what it is doing that the screen blanks out. Then it just sits there pondering and reboots into Linux. Then I reboot back into Windows, which tells me that updates have to be installed. Then it sits around a bit more with a blank screen, then it reboots.
So an automatic update isn't going to be automatic, and it comes as a rather unpleasant surprise to boot into Windows, only to find that the updates weren't installed or need to be downloaded and installed before I can get any work done. If this update system were designed correctly, it should simply clone the existing Windows config, apply the updates, and only say a new version is available when everything is working correctly.
Re: (Score:3)
--What I did for dual-boot is to set Grub to boot last selected entry, might work for you...
Re: (Score:3, Informative)
Windows update(10) all the way back to XP, is horribly slow is part of the problem and it has just gotten worse. Run into a problem with windows update and you can lose 1-3 days, just because it takes forever for it to eventually fail. I went to update the windows load on my dual boot machine and it took 3 freaking hours on a 4.5GHz machine, ssd and 32GB of RAM. Same machine with Ubuntu updates took all of 2-3 minutes even with multiple dkms modules being built. Microsoft there is no excuse for it being that
Re: Excluding the unfortunate exceptions (Score:3)
One word: VirtualBox
Broken drivers, AND broken updates break stuff (Score:3, Interesting)
We personally have TWO laptops that got repeatedly broken by non-disableable driver updates (already told Windows to never update drivers, hid the offending update, etc) and it still managed to get through, multiple times, and do the blue-screen tango repeatedly until I gave up trying to fix it, went into safe mode and disabled the Windows Update service. I had to keep it that way for a couple months until I was able to load a "newer" driver from the video chip manufacturer that fixed it and/or MS stopped
Re: (Score:3)
I love Windows 10. Because of it, I have people asking me to install Linux over Windows 10 that would never before have considered such an option. Thank you, Microsoft!
Re:Excluding the unfortunate exceptions (Score:4, Interesting)
1) There is one particular update that addressed and fixed the WU CPU issue (I don't remember the KB number right now, but it is easy to find)
2) Just slipstream a Windows WIM file. Take the ISO, download the cumulative updates, inject them into the WIM, and then install Windows from there. It'll be a smaller install overall (less SxS crud), and current as of whichever updates you slipstream into it. Additionally, you can add drivers this way too such as NVMe, USB3, and 10GbE if you use stuff like that.
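The slipstream procedure described in the comment above, sketched with the DISM PowerShell cmdlets as an added example (not part of the original comment). All paths, the folder layout and the image index are assumptions, and the signature check before injection is an addition the comment does not mention.

```powershell
#Requires -RunAsAdministrator
# Added example: offline-service (slipstream) an install.wim with the DISM cmdlets.
# Every path and the image index below are assumptions; adjust them to your layout.
param(
    [string]$WimPath    = 'C:\slipstream\install.wim',  # writable copy of sources\install.wim from the ISO
    [string]$MountDir   = 'C:\slipstream\mount',        # empty folder used as the mount point
    [string]$UpdateDir  = 'C:\slipstream\updates',      # downloaded .msu / .cab update packages
    [string]$DriverDir  = 'C:\slipstream\drivers',      # optional: extracted .inf driver packages
    [int]   $ImageIndex = 1                             # edition to service; list them with Get-WindowsImage
)

$ErrorActionPreference = 'Stop'

# Accept a package only if its Authenticode signature is valid and the signer is Microsoft.
function Test-MicrosoftSigned {
    param([Parameter(Mandatory)][string]$Path)
    $sig = Get-AuthenticodeSignature -FilePath $Path
    return ($sig.Status -eq 'Valid' -and
            $sig.SignerCertificate.Subject -match 'O=Microsoft Corporation')
}

# Show the editions contained in the WIM so the chosen index can be confirmed.
Get-WindowsImage -ImagePath $WimPath | Format-Table ImageIndex, ImageName

New-Item -ItemType Directory -Path $MountDir -Force | Out-Null
Mount-WindowsImage -ImagePath $WimPath -Index $ImageIndex -Path $MountDir | Out-Null

try {
    # Inject each update. If a servicing stack update is required, name the files
    # so that it sorts first; it has to be applied before the cumulative update.
    $packages = Get-ChildItem -Path $UpdateDir -Include *.msu, *.cab -File -Recurse |
                Sort-Object Name
    foreach ($pkg in $packages) {
        if (-not (Test-MicrosoftSigned -Path $pkg.FullName)) {
            throw "Refusing unsigned or non-Microsoft package: $($pkg.FullName)"
        }
        Write-Host "Adding $($pkg.Name)"
        Add-WindowsPackage -Path $MountDir -PackagePath $pkg.FullName | Out-Null
    }

    # Optional drivers (storage, USB, network) so the installer can see the hardware.
    if (Test-Path $DriverDir) {
        Add-WindowsDriver -Path $MountDir -Driver $DriverDir -Recurse | Out-Null
    }

    # Record what the image now contains before committing the changes.
    Get-WindowsPackage -Path $MountDir |
        Sort-Object InstallTime -Descending |
        Select-Object -First 10 PackageName, PackageState |
        Format-Table -AutoSize

    Dismount-WindowsImage -Path $MountDir -Save | Out-Null
}
catch {
    # Any failure leaves the original WIM untouched.
    Dismount-WindowsImage -Path $MountDir -Discard | Out-Null
    throw
}
```

The serviced install.wim then replaces sources\install.wim on the installation media.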
Re:Excluding the unfortunate exceptions (Score:5, Insightful)
Mod this up, folks!
I know at least five different business environments which have been, essentially, shut down by a Windows update. One of them was signing a new service contract as I was talking to him—he had been down all day, unable to see his customer files, his books, the jobs his company was supposed to be doing, unable to route his employees to where they were supposed to go. They went back to a paper only system they have not used since 2002 and they were guessing at that. They were taking credit cards over their website, but could not record the result in their books and had to just save all of the emails and spend an additional day or so just doing data entry into their bookkeeping system.
Of course, these are anecdotes (which is what the anti-vax community uses instead of Science). The problem is not the update, it is what Microsoft does to the computer upon emerging from the update. Elsewhere, people have written of resetting all of the browser preferences, BSODs and other issues. Microsoft needs to restore the previous state of the computer or server (as much as is practical) after the patch. They need to go in like a surgeon with the same motto: "First, do no harm." And if they figure out how to do that, their updates will be seen as innocuous as Apple's
Re: (Score:3)
Yep. Whenever work performs security updates we literally lose a day's worth of business as everything has to get reset. Local printers vanish as their connections are disabled, with office 365 and outlook down for so long those caches get flushed, etc.
You wanna know fun? Get 30 people to download 3-5 gigs of emails in an hour on a 100 Mbit connection because that's the best the area has.. talk about a wasted day.
All because vendors reset settings that had no requirement of being rese
Re: (Score:3, Insightful)
Makes sense, but not an excuse for turning off Updates.
How about your company's team (with the prod. servers) does their job, then? And tests and Rolls out the updates BEFORE Windows update automatically installs it.
Leave Windows Update Enabled, schedule all new updates to install on X Day; However, If Windows updates rolls out the patch on its own, then YOUR TEAM failed to conduct its job appropriately, which was to perform a controlled rollout in a timely manner (BEFORE The update is a week old, A
Re:Excluding the unfortunate exceptions (Score:5, Insightful)
So...Windows shouldn't be used by small or medium-sized business without IT workstation teams then?
Microsoft, can you confirm?
Re: (Score:3)
But how do you get NT to run on an Apple?
Re: (Score:3)
If you can go all LO, you're set, but if you have to interact with other companies that want M$ documents, you're hosed.
I hear this quite a lot, and I could see it being true for very complex documents. But I use LO exclusively, and have for a very long time. I exchange documents with Office users daily. I don't remember ever having a serious problem. I have, on occasion, experienced an easily-corrected glitch.
My experience is hardly statistically sound, but it does not support the extreme incompatibility claims I see frequently.
Re:Excluding the unfortunate exceptions (Score:4, Informative)
You do understand that the majority of professional work is done by small businesses, and most of those don't have dedicated IT teams at all, right?
Enterprise IT is actually the exception, not the norm.
Re: (Score:3)
as I *abruptly* learned a year ago when I left Intel and started at a relatively tiny 40 person shop.
We have an IT guy (actually rather spectacular dude really) but there's no way he can get much past firefighter and core infrastructure maintenance mode... and there's no money for more people for something that simply doesn't make money.
Yes we all know that IT doesn't make money, it prevents you from losing it all... but my intro to the "real world" after two decades in multinational corp. environment has b
Re: (Score:3)
How about your company's team (with the prod. servers) does their job, then? And tests and Rolls out the updates BEFORE Windows update automatically installs it.
And... then what?
If the update causes unacceptable behaviour, which does in the GP's case, what exactly can you do about it?
Re: (Score:2)
Unless you have a production environment with a software product that breaks with Windows update turned on
And this is the scenario that happens more often than a patch was ahead of the exploit. It still makes the most sense to keep update OFF.
Re:Excluding the unfortunate exceptions (Score:4, Insightful)
So, if you read the article, you'd know that he's actually talking about home users and states beforehand that enterprise environments have their own processes and procedures for dealing with these things (and if they got hacked, they screwed up because it's been three months).
The problem is that technical users, like those found on Slashdot, tell home users that they should turn this stuff off because it causes all these problems, when it really doesn't when you're running a system with known hardware and under typical operating conditions.
By typical, I mean you use Chrome and maybe a few other applications. You're not a developer, you're not a big time game player.
This is 95% of MS home users. These people should all have Windows Update on at all times and what's more, they could care less about the crap that Microsoft packages in along the way. We may consider it invasive but most people just shrug their shoulders and move on.
Re: (Score:3)
Unless you have a production environment with a software product that breaks with Windows update turned on. In which case you have to take additional security and maintenance measures and have a team that is tasked with (and funded properly) to do testing and updates on a regular basis.
That's a nice sentiment, but I for one have never been lucky enough to know beforehand that a Windows update was going to break shit. I just have to put them on and hope. So I can hardly blame any company that relies on software for taking a very critical approach to them.
Generally Sound Advice (Score:3)
This is generally sound advice, although some IT shops prefer to manage the process to ensure that either (a) a particular update doesn't break some proprietary code, or (b) because of regulatory reasons particular machines may not be permitted to have the software changed without some sort of documentation being generated.
Re:Generally Sound Advice (Score:5, Insightful)
I would do that if (1) MS didn't cram W10 down my throat; (2) every major update doesn't reset browser preferences; (3) stop updating and breaking hardware drivers; and (4) I could disable telemetry. My Macbook and Ubuntu machines are auto-update enabled. Not my Windows gaming box. No thanks.
Re:Generally Sound Advice (Score:5, Insightful)
The blame for people not updating/patching computers lies squarely on Microsoft.
Automatic updates, with no user action required, is a really great thing, but ONLY when the updates are strictly for important security patches, and NOT all sorts of other crap that randomly changes or breaks things.
And then there's the whole "we're going to shove Windows 10 up your ass whether you want it or not" fiasco.
Microsoft has fucked so many people, so many times, that users have become averse to automatic updates.
Re:Generally Sound Advice (Score:5, Interesting)
Yep. I had a laptop that came with Windows 8 on it.
I booted it once into Windows to change UEFI settings and then put Lubuntu on it.
Well, a friend had a Windows question for me when I was away at a conference. No problem! I booted my laptop into Win8, looked up how to do the thing, and told her. I went to bed.
I woke up to find that my system had:
1) autoupdated to Windows 10
2) fucked the bootloader so I couldn't boot into Linux any more.
This is on top of the fact that Windows updates take about a year to complete and reenable a bunch of crap that I keep disabling ("Windows Media x").
Re:Generally Sound Advice (Score:4, Informative)
You can trick windows from messing with it and bios that only look for a windows efi boot file. This will boot to grub and allow you to select windows if you want, and windows update doesn't mess with it. /s
open cmd.exe as Administrator and launch the command vmount s:
go to s: and navigate the directories until you find where the grubx64.efi is located. Mine was under s:\EFI\debian\.
go to s:\EFI\Microsoft\boot and create a backup of the bootmgfw.efi file and then overwrite it with the grubx64.efi.
reboot. Now you should be able to reach the grub menu and boot to Linux but you'll be unable to boot to Windows. Boot to Linux then.
On Linux, open a shell and go to /boot/efi/EFI/Microsoft/Boot and restore the previously backed up bootmgfw.efi.
run grub-install (it may require root privilege - sudo)
run update-grub2 (it may require root privilege - sudo)
Re: (Score:3)
I had to turn off "Fast Boot" anyway, and wanted to preserve the ability to boot off of other things as well. Boot-sector shenanigans are pretty uncommon these days, so on balance I wanted it off.
Re: (Score:3, Interesting)
The blame for people not updating/patching computers lies squarely on Microsoft.
Automatic updates, with no user action required, is a really great thing, but ONLY when the updates are strictly for important security patches, and NOT all sorts of other crap that randomly changes or breaks things.
And then there's the whole "we're going to shove Windows 10 up your ass whether you want it or not" fiasco.
Microsoft has fucked so many people, so many times, that users have become averse to automatic updates.
Exactly correct. MS lost many people's trust with updating around the Win10 forced-upgrade fiasco. I've deleted wusa.exe from my win7 box and I've done the same for any number of family and friends on various win7/8.1 boxes. I just make sure backups are in place and re-image if infected.
If these devices get pwned and cause damage blame MS for destroying trust in their update platform.
Re:Generally Sound Advice (Score:5, Insightful)
This is hard to argue with. I personally prepared for this by preventing the Win 10 upgrade (even using third party software to stop the constant, malware-like badgering complete with deliberately misleading prompts) until I was good and ready to deal with it, then I did a full clean install and manually migrated stuff over because I knew there was no way my complex, roughly used installation could possibly upgrade well automatically. One simply cannot, however, expect a planet full of Windows users to take this conservative approach; even if they were inclined to, which they aren't; most of them simply aren't competent to deal with this stuff and would do more damage than what the upgrade inflicted.
So they all got put through the upgrade wringer creating bad outcomes for millions and leading to widespread "anti-vaxxer" behavior. Since then the "anti-vaxxers" have had their behavior affirmed by disruptive updates doing unwelcome stuff. The glacial slowness of the Windows 10 update process alone is a huge failure in my mind; this has badly regressed from earlier releases; I have a laptop I boot maybe once a month and I've come to expect the Windows 10 updates to take an hour or more. Ridiculous.
After putting the whole world through all this shit one simply can't point a finger at millions of beleaguered users and blame them for their negligence. I'm sure they'd be happy to have their system automatically updated, as long as it wasn't the computing equivalent of getting a SOA style beat down every few months.
Re: (Score:2, Insightful)
This. I was fine to leave auto-update on for security fixes but then microsoft started cramming their telemetry and other crap into them - making them bundled so you couldn't get your security fix without letting microsoft scoop up every piece of info on your computer that it wanted.
Re: (Score:3)
Even then... the thing that drove me from Apple to Linux was a security update. It worked without problem...but they used it to smuggle a license change in that I found unacceptable. So that machine was immediately disconnected from the internet, and everything that could touch the internet was migrated to Linux.
I'll grant that what Microsoft is doing is arguably worse. I don't know, I left MS for Apple when THEY forced a license change on me that I found unacceptable. I think these companies rely on pe
Re: (Score:3, Insightful)
Exactly. If Microsoft behaved decently and simply provided security patches that fix vulnerabilities ONLY, there would be no issue. However Microsoft does shit like changing user settings (making IE/Edge your default browser), breaking hardware drivers, installing spyware etc.
In my particular case I run a pirated Windows 7 gaming machine, with the "Genuine Microsoft" Windows activation disabled via a pirate-written patch. Both were downloaded via a Piratebay torrent. It turns out every time I update this ma
Re:Generally Sound Advice (Score:5, Insightful)
So how often should people re-evaluate when a company like Microsoft breaks their trust by forcing upgrades and other such nonsense? 6 months are sufficient according to you apparently.
News flash: When a company breaks its users' trust, the time it takes can be measured in years and is often never. Yeah it'd be great for security if people were applying upgrades ASAP but MS's new policy of only making rollup updates forcing the inclusion of all previous updates can only backfire making people even less apt to apply them. Hey, they've already broken our trust once, they're likely to do it again.
The problem is in large part MS's own creation.
Re: (Score:3)
It's been 6 months but have they done even one thing to earn back trust? They have not even apologized! This reason is still valid.
Re: (Score:3)
I've worked in those kinds of environments, where we had proprietary applications that were not compatible with the latest stuff. This is especially aggravating when you've got three web-delivered systems, all of which have mutually exclusive requirements. At one time users had to have Chrome, Firefox, and IE, and we had to block updates to IE so that the legacy system would work.
It's extremely labor-intensive and requires excellent recordkeeping if one wants to do updates in this kind of environment, whic
100% Microsoft's fault for forcing Windows 10 (Score:5, Insightful)
Don't use the channel for security updates to force advertising on your customers, just don't.
Re:Generally Sound Advice (Score:4, Insightful)
The problem with the sound advice is that Microsoft is actively undermining the update process by treating customers so badly. They don't test their updates well, they make them forced in later versions, they tie the updates to earlier updates, and worst of all their malware inspired forcing of Windows 10 on people has justifiably trained customers to distrust Microsoft.
It's time consuming to check out each and every update to make sure it's safe. But I have to do that because I cannot trust microsoft not to play games with my systems.
Applications too, I don't update iTunes because every time I do it screws up, changing the UI in drastic ways, and takes me a very long time to get it working properly again. But that's ok, I do not use the store in iTunes, it does not execute any strange attachments, and as a malware vector it's pretty low compared to the OS itself. If it played nice then I'd update it more regularly.
Microsoft's fault (Score:5, Insightful)
If they hadn't done shit such as the forced Win10 update, or forced GWA, or done a lot of other crap that broke people's systems (in the name of marketing), then maybe people wouldn't have said, "Turn it off".
Re:Microsoft's fault (Score:5, Informative)
Pretty much. I had to take some fairly convoluted measures to keep my wife's laptop on 8.1 or some of my various other systems on 7 without entirely disabling updates. It's not that I liked 8.1, but I did not like what I read about 10.
The easiest way to avoid having 10 forced on me would have been to just disable updates. Instead I had to read up on every individual update that would push 10, and ultimately resorted to third-party software to block or remove those specific nuggets from Microsoft so that my platforms would be left in the state I wanted them in.
Re: (Score:3)
but it does break some software and installs unwanted telemetry.
Re:Microsoft's fault (Score:5, Insightful)
Plus, if Anti-Vaxxers could actually point to widespread deaths, they might have a point.
People who advocate turning off Windows Update can point to widespread windows deaths due to errant updates.
Re: (Score:3, Interesting)
It's a very complex ecosystem. Generally, the benefits of the many outweigh the "sacrifice" of the few.
For every machine negatively affected by a forced update, there's a million which benefited from it. Unfortunately, that million machines don't yell "fault!" like that one which messed up does.
Yes, Microsoft were too aggressive with pushing people towards updating to Windows 10, and they should have toned it down. But ultimately, it was not the "upgrade push" which pissed people off, but the whole telemetr
Re:Microsoft's fault (Score:4, Interesting)
Revisionist history. Before we even knew the extent of windows spying we had the windows update advisor (GWX) show up in the system tray on everyone's windows 7 machine in it seems june 2015 ( https://tech.slashdot.org/stor... [slashdot.org] ) and a year later, forced it on everyone ( https://tech.slashdot.org/stor... [slashdot.org] ). That is the day that microsoft lost my confidence that they had worked since windows 95 to build.
You can go read that slashdot article to see the day when everyone lost trust in microsoft, and people started recommending that people deactivate windows updates. Very few people mention telemetry. What they do mention is that MS pushed a "security update" that was anything but.
I turned windows updates off that day, but being an industry person, I found a workaround that allowed me to keep them on. There was a program quickly developed called GWX blocker or something like that which allowed the gwx framework to be stopped.
So yes, it's bad to not run windows updates, but it's also 100% microsoft's own god damn fault.
Re: (Score:3, Informative)
Because of other faults of Microsoft pushing updates that don't benefit the end user. Like void your installed windows, change your settings, or even break your system.
MS can't be trusted. They use security updates to force whatever they want on end users.
But... but... (Score:2, Insightful)
The telemetry spying though...
Telemetry and Windows 10 (Score:5, Insightful)
Windows Update also wanted to install telemetry on my Windows 7 system until I removed the patch. Then for 12 months Windows Update wanted to 'upgrade' me to Windows 10, the software employed all sorts of tricks to make me say yes and in the end I just disabled updates as it was less hassle.
My Windows 7 system was not affected by the events over the weekend as all it does is run some test equipment. It still has Windows Update disabled and it's going to stay that way.
Maybe if Windows Update behaved decently... (Score:5, Insightful)
The reason folks turn off Windows Update is that it behaves kind of like malware itself! I'm technologically savvy enough to set my registry and so on to disable the awful "Get Windows Ten" updates, but when so many users got shafted by Windows "self-updating with zero input required from the user" to a completely new operating system (a new operating system that actively thwarts end-user control over updates!), is it any wonder that so many of them switched it off?
The comparison to anti-vaxxers is interesting, and apt in more ways than Troy may have known. Much like Microsoft hijacked their Windows Update program to push Windows 10, the CIA used a Pakistani polio vaccination campaign to gather intelligence about Osama bin Laden (see here: https://en.wikipedia.org/wiki/... [wikipedia.org]). This has resulted in the killing of other relief workers and general suspicion of medical aid programs in that region, and so polio persists.
Re: (Score:3, Insightful)
Thank you. The polio vaccination ruse by the CIA and the telemetry comparison is exactly what I thought of as well.
On a separate note, WU used to specifically tell you what the update fixed, right in WU. Then they started making you click a link to go to the MS web site. After a while the web page stopped saying anything useful. Now you have to research each one manually, which is unacceptable. There is no reason MS would go to those lengths to obfuscate what a patch does, unless it's so they can foist more
What about the updates that hurt users? (Score:5, Insightful)
Don't Tell People To Use Windows, Just Don't (Score:3)
Problem solved, permanently.
Turn off Windows Update (Score:2, Insightful)
I used to be one of those annoying people who said (Score:2)
Auto Update Virus (Score:2)
I am in favour of auto-updating Windows, don't get me wrong; however, it could be catastrophic if anyone ever manages to figure out a way to spread a virus via the auto update.
I'm not sure the technical route someone would have to take to do this; If, perhaps someone could somehow infect a DNS server to treat an infected server as a Microsoft update server.
Those fuckers at MSFT ruined security updates (Score:5, Interesting)
Those fuckers at MSFT ruined security updates by force-feeding the user spyware, or even forcing an "upgrade" to Windows 10.
Now nobody trusts Microsoft, and would rather take their chances without the "essential updates".
The problem is spyware and telemetry (Score:4, Informative)
the continual additions of resource-heavy snooping spyware and telemetry services for in-app advertising delivery hammer many institutions that would otherwise happily install security patches, if they were JUST security patches.
But many of the Important patches we have received from MSFT are just that. Ads, telemetry to try to sell us stuff that blows out the bandwidth in mission critical software and pops up things that get in the way of doing actual work.
There's your problem. That and the "patching" of things in a way that breaks apps that believe the public documentation instead of the actual way MSFT codes and tests its apps.
PDB symbols (Score:2)
As a side note, the delay to release PDB symbols on MS's symbol server after a Patch Tuesday has been at least days and sometimes more than a week for the last two months (at least for the Win10 symbols I tried). I use them a lot with WinDbg.
Microsoft could be a big help here (Score:5, Insightful)
If Microsoft would just go back to the days when security patches were done separately from other sorts of updates, that would be a huge help. I know a lot of people who disable updates to avoid feature changes, but would accept automatic security updates.
Microsoft's position of not making a distinction between the two is a large disincentive to allowing automatic updates for a lot of people.
Re: (Score:3)
Microsoft is an extremely weaselly company. The instant they stopped using the descriptor "security" and replaced it with "critical" was the moment it became clear that the update mechanism was going to be used for deceptive purposes.
No, you tailor your message to the audience (Score:2)
It's more accurate to tailor the message about automatic updates to the audience.
For computer savvy people that are likely to read the message about available updates and install them, then turning off automatic installation is appropriate, because many of us can't afford to have long running processes or tasks dumped from memory with a reboot.
For your average user or nontechnical person, absolutely, advise them to leave it at defaults (and to save often).
Consider the source. (Score:5, Interesting)
at troyhunt.com [troyhunt.com]
Hi, I'm Troy Hunt, I write this blog, create courses for Pluralsight and am a Microsoft Regional Director and MVP who travels the world speaking at events and training technology professionals
It's obviously in his interest to make everyone Microsoft's puppets.
Re:Consider the source. (Score:5, Informative)
It's not fun, it costs money and it can still break other dependencies, but the alternative is quite possibly ending up like the NHS or even worse. Bottom line is that it's an essential part of running a desktop environment in a modern business.
He's a fly-around shill just trying to look good in the eyes of Sales. His "workshops" are an insanely expensive way of selling low-calorie information that's already discussed online in much finer detail. His Ghost-powered blog site doesn't offer a search feature, but I'd bet it wouldn't return any meaningful results for two-factor authentication, separation-of-concerns, what certifications exist for software security, or the track record of non-MS products. Quick example: There's no mention of Google's recent publishing of security flaws in open-source projects. Instead we get a pass-the-buck, blame-the-victim blog post that ignores the annoyances of MS Update and tells everyone to "just deal with it".
Microsoft only have themselves to blame (Score:5, Informative)
Microsoft only have themselves to blame for people disabling Windows Updates because they made it untrustworthy:
Re:Microsoft only have themselves to blame (Score:4, Insightful)
"The bundling of updates into a single entity so that we don't have control over what gets installed on our systems"
This! Abso-fracking-lutely this!
Give me the info on what the update is, and I can decide whether it's worth the risk to install immediately or if I need to run it on a non-important machine first to vet it. Yes, theoretically I can drill down on MSDN and the knowledge base but with so much redirection and info hiding in the documentation, in truth it takes too much time. Exactly as Microsoft intended it.
Patches are just like vaccines... (Score:5, Insightful)
Except if vaccines failed as much as a Microsoft patch did there would be no doctors... because people would be shooting them in the street.
Yeah, yeah... I can already hear the autistic fast typing from some keyboard warrior looking to 'correct' me on this one. But sorry... Microsoft no longer has any credibility to tell people what to do with their machines. The entire roll out of Windows 10 has been nothing but train wreck after train wreck. And you know what? Even if we get the occasional virus it's still better than having to deal with the rest of the continuing train wreck that is Microsoft. People are just going to have to go back to the old days when people had to actually learn how to protect themselves. Instead of waiting on the industry to sell you a next generation of device that 'might' be eventually patched.
also... (Score:5, Insightful)
Problems Caused by Updates vs Caused by Attacks (Score:5, Interesting)
The number of problems caused by installing Windows updates for our IT department: THOUSANDS
The number of problems caused by holes left in the Windows OS that an update or patch supposedly has fixed: 20
Easy decision.
A bit conflicted (Score:4, Interesting)
I don't think I've ever worked at a company that had "automatic updates" turned on. The reason being, company ecosystems tend to be predominantly all the same hardware, same Windows version and same patch level, and a bug in an update that affects that particular collection of hardware and software can take an astounding number of seats offline. (In much the same way a biological virus can take out an entire species if they're not sufficiently genetically diverse.) So yeah, no. Companies that want to stay in business don't do that. Of course, they *do* have a team that tests updates in a lab and sends out validated updates to the rest of the company, often a subset of what Microsoft spews out.
I do something similar at home. We have three Winders boxes, and none of them have auto update turned on. Every week or so, I look at what updates are available, and apply at minimum the security updates to the least used of those three boxes. If it survives a reboot and some reasonable amount of smoke testing, I install on the game machine, and if that works out ok, after a day or two I'll install it on my own workstation. I have to take care because my machine is (a) my only conduit to my "day job", and (b) my main workstation for my side-business. I can't afford to be down because Microsoft botched a patch any more than any large company can.
So yeah, security updates are important. Vital, even. But that doesn't mean you just install every update the moment it becomes available. An important part of "security" is "availability". And that's just as important as "confidentiality" and "integrity".
Another contributor had it right -- there should be a way to auto install security updates only. So if Microsoft botched a driver update and it renders unbootable a certain brand of PC running a certain brand of video card, it's less likely to take large numbers of users offline.
I know there are essential and optional updates (or whatever words they use) but most updates are considered by Microsoft to be essential.
And this doesn't even address compatibility of updates with installed applications. You know, the software you use to actually do work.
All that said, it does seem like Microsoft is doing a better job vetting their patches before release than they did in the earlier part of this century. But being burned a few times breeds caution.
Consumers Yes, Business No (Score:2)
Patch failure rate... (Score:2)
No way do I have updates on in production... (Score:2)
No way! I will NOT allow windows to just install updates into my production environment... Yes, I know it is a risk to leave systems unpatched, but given the frequency of Microsoft breaking my systems with their patches, the risk of downtime from a security flaw is usually LESS than the risk of having some exploit that causes down time.
However.... This doesn't mean I don't pay attention to the released updates. Oh no, we have a test system where we DO let them load as soon as they are released and a func
Mr Hunt should talk to Microsoft... (Score:2)
Windows users have two options (Score:5, Insightful)
Option B) Turn automatic updates OFF and risk Microsoft making your machine unusable due to the absence of a security update
Except (Score:2)
MS thinks "update" means "upgrade" (Score:2)
Didn't MS just block updates on Win7/8 for Ryzen? (Score:4, Informative)
Yah blame the user for the virus exploits and not the vendor that created the software with huge holes and the vendor who is blocking updates when running new gen CPU's on older OS versions just to try and push people to W10.
Windows Updates (Score:3)
The last time I left updates enabled, update started updating my machine and demanded a reboot in the middle of a major corporate presentation in front of a large audience. This is UNACCEPTABLE behavior!
Windows Updates (1) Constantly reset browser preferences, (2) Frequently break hardware drivers, and (3) Often interfere with critical, urgent work tasks. Don't tell me not to turn them off! Don't tell me not to tell others to turn them off! NOT GONNA HAPPEN!!!
Windows Updates should be TURNED OFF, during all business / production usage. Then updates should be enabled/installed manually during weekends, vacations or other non-critical times. I DECIDE when my machine can be down for maintenance. Not Microsoft. The Updates STAY OFF, until I purposely enable them when I am willing to allow time for reboots, and have the time to restore my machine to proper configuration and operation afterward.
Windows 10 automatic install (Score:2)
Tell Microsoft to stop pushing patches which install Windows 10 without my agreeing upon it, and I'll let Windows update run. No, I suppose Microsoft stopped with the whole Windows 10 thing a few months back, but there's now a trust issue I personally have to get past. The fact of the matter is, I don't trust Microsoft anymore.
- Mark.
Repeat After Me (Score:5, Insightful)
If you value security, don't run the mission-critical parts of your infrastructure on a general purpose operating system like Windows, but rather run it on a minimalist, locked-down OS that has _only_ the facilities needed to do its job. The update carousel is a nightmare. If you want to ensure your Windows box doesn't sporadically reboot during a long unattended operation in order to update, what do you do? If you want to lock Windows down so it can only do the job to hand, and nothing else, you're screwed. If you run mission-critical stuff on a full-featured general purpose OS (and the same can be said for off-the-shelf Linux distros like Ubuntu and Fedora), you are kinda asking for it.
That this idea is older than me, but is ignored, is laughable.
Re: (Score:3)
Indeed - but who has the competence, and the budget, to do that these days?
Of course you will (correctly) reply that budget should not be an issue, since the investment should recoup itself in opportunity cost of not having to spend a fortune in ongoing security efforts, and/or recovery.
But try explaining that to your average suit...
No, fuck Windows update. (Score:5, Informative)
I turn off Windows update on the boxes that I still have. I recommend everyone I know disable Windows update on all boxes that they have.
If you leave Windows update on, and just take the security updates by default, you will get owned by Microsoft. Constant telemetry will stream from your box.
I also recommend people look up how to stop this on Windows 7 and 8, where it is possible to stop it. It is not possible in 10, though some people have had some success at limiting it.
The article's advice is horseshit. WU should be disabled for personal computers if privacy is any manner of concern. Microsoft has revectored their security update mechanism to: try to upgrade you to Windows 10. Install sleeper services that only months after installation began transmitting telemetry. Remove useful names from KBs to prevent successful system administration. Transmit information about what programs you use, when you use them, how often you use them. Transmit information regarding crashes. Broadly expose envelope information about your non-Microsoft related activities to Microsoft and anyone they choose to share that information with.
Disable WU on 7 and 8. Tear out the bad patches. Only EVER manually apply patches that you actually require for security and functionality.
Comparing being a sensible system administrator who doesn't want to transfer control over their personal activities to Microsoft to antivaxxers is disgusting. Anyone making this comparison is irresponsible.
https://superuser.com/question... [superuser.com]
The list of KBs that you must manually remove (and prevent reinstallation of) to keep Windows without telemetry is provided on that su post. The list is:
KB3065988 Windows Update Client for Windows 8.1 and Windows Server 2012 R2: July 2015
.NET Framework 1.1 when you upgrade Windows 8.1 or Windows 7
KB3083325 Windows Update Client for Windows 8.1 and Windows Server 2012 R2: September 2015
KB3083324 Windows Update Client for Windows 7 and Windows Server 2008 R2: September 2015
KB2976978 Compatibility update for Windows 8.1 and Windows 8
KB3075853 Windows Update Client for Windows 8.1 and Windows Server 2012 R2: August 2015
KB3065987 Windows Update Client for Windows 7 and Windows Server 2008 R2: July 2015
KB3050265 Windows Update Client for Windows 7: June 2015
KB3050267 Windows Update Client for Windows 8.1: June 2015
KB3075851 Windows Update Client for Windows 7 and Windows Server 2008 R2: August 2015
KB2902907 MS Security Essentials/Windows Defender related update [no description/information available]
KB3068708 Update for customer experience and diagnostic telemetry
KB3022345 Update for customer experience and diagnostic telemetry
KB2952664 Compatibility update for upgrading Windows 7
KB2990214 Update that enables you to upgrade from Windows 7 to a later version of Windows
KB3035583 Update installs Get Windows 10 app in Windows 8.1 and Windows 7 SP1
KB971033 Description of the update for Windows Activation Technologies
KB3021917 Update to Windows 7 SP1 for performance improvements
KB3044374 Update that enables you to upgrade from Windows 8.1 to a later version of Windows
KB3046480 Update helps to determine whether to migrate the
KB3075249 Update that adds telemetry points to consent.exe in Windows 8.1 and Windows 7
KB3080149 Update for customer experience and diagnostic telemetry
KB3083324 Windows Update Client for Windows 7 and Windows Server 2008 R2: September 2015
KB3083325 Windows Update Client for Windows 8.1 and Windows Server 2012 R2: September 2015
KB3083710 Windows Update Client for Windows 7 and Windows Server 2008 R2: Octobe
More hype than substance (Score:5, Interesting)
People get WannaCry by clicking on the wrong email not by SMB exploits. I get that repurposed NSA exploit angle makes for interesting and irresistible news stories but substantively it's way overhyped and using it to support blanket assertions is a nonstarter in my view.
There is compelling quantifiable evidence to support the position vaccines help more than they hurt. The case for updates is closer to the question of whether throwing billions into the intelligence industrial complex makes real people quantifiably safer from being terrorized given opportunity cost of not investing these funds to address significantly more statistically substantial problems such as pulling down US murder rate.
What we know for sure is social engineering accounts for 90% of general p0wnage worldwide. Even if all unintentional software bugs were patched with 100% coverage overnight absolutely nothing would change.
In 2017 given Microsoft's proven track record of both incompetence and sleaze when it comes to updates it's an open question as far as I'm concerned whether updates are still worth applying at all. Majority of end users are behind stealth mode firewalls and the only whackable thing they have sticking out is a web browser. If you keep firefox or chromium or whatever up to date and lock down some associated configuration are you really appreciably safer vs probability of computer failing to boot or introduction of some new Microsoft "telemetry" malware or Microsoft false choice prompt dismissal scam? I honestly don't know the answer. I do know it very much depends on context not only in terms of the users needs and environment but the value judgments of the end user.
If Microsoft would stop constantly peddling malware, firing QA staff, fix updates to not use insane amounts of resources while taking forever and requiring a reboot to sneeze... If only updates were properly labeled and people trusted Microsoft not to screw with them... my guess less will find value in disabling updates.
I personally believe coordinated automated updates of billions of systems globally in a matter of days is an extraordinarily perilous activity in and of itself no matter how careful you are. Sooner or later this is bound to end in a major disaster. While updates do fix problems quicker they also significantly lower the cost and tolerance for releasing defective software. It sends a signal to the market releasing defective software is a cost free activity.
Tell Microsoft to give me back some control then (Score:4, Informative)
When Win 10 first came out, it gave you the option to disable updates to a specific device driver. But for some inexplicable reason, Microsoft removed this option in the Oct 2016 update. Because of Microsoft's brain-dead update policies, I literally cannot use my gaming laptop to play games if I have Windows Update enabled.
MS, we're looking at you (Score:3)
If MS really wants to make people do updates promptly, they need to get their heads back out of their asses. In the late WinXP and into the early Win7 era, there was a strong push for security and the updates were usually both relevant and easy to install.
Fast forward to now, and half the updates you get are MS pushing their latest piece of crapware (*coughskypecough*) that you don't want, and like 90% of them require a full computer reboot -- which they'll happily do with or without your input and hope to hell you saved your work that day.
If MS wants people to install critical updates then:
a) Stop calling every fucking sales pitch "critical," and
b) Go back to putting in the effort to avoid reboots. I know it's easier to just reset and not worry about internal version conflicts and whatnot, but it's a serious detriment to anyone who doesn't normally shut off their computer in the first place (and those people are the ones who least need to be forced into an unwanted reboot!)
Unfortunately MS has decided to do the exact opposite of that and compensate by giving you no choice -- enjoy losing your work.. what're you gonna do about it? Switch to Mac? Oh you are? Well fuck.
Re: (Score:2)
Re: (Score:3)
Enjoy the Windows 10 telemetry yet?
I mean, I use Windows 10 too but only as the OS required to run games. As far as Microsoft knows, all I use is Battle.net, Steam and GoG.
Re: (Score:2)
Because of getwin10
Re: (Score:2)
It goes further than that. Plenty of times my XP laptop would hang after an update, or the networking was disabled. The latter was great since it stopped you downloading the update that fixed the other update unless you had another machine.
Still, it made me learn about restore points.
Comment removed (Score:4, Interesting)
Re: (Score:3)
Why would anyone *disable* automatic updates on Windows?
To avoid all the nastiness that comes with Windows updates, perhaps?
Re: (Score:3)
The ruined presentations are ones that I've actually attended and had to sit through Windows suddenly deciding to reboot and the presenter not knowing what to do, and the attendees having to sit through the installation process.
Or ones that I watched live streamed.
I do digital painting from live model, after a few times of having Windows install an update for 40 minutes or botching a driver update that took me a similar amount of time to figure out how to fix, that's the limited time I have with the model,
Re: (Score:2)
Re: (Score:3)
If you buy Microsoft software, you get what you paid for.
I haven't had that problem since Windows XP. Then again, I'm not running on minimum spec hardware.
Re:Poor advice. (Score:5, Insightful)
nobody cares what you do on your PC
Then why did they implement telemetry in Windows?
Re: (Score:3, Insightful)
Re:There should be a separate "Security Updates On (Score:5, Insightful)
There is, it's the "critical updates only" checkbox.
The problem isn't the lack of said checkbox, it's the fact that Microsoft doesn't respect that checkbox and considers all sorts of marketing fluff and malware to be "critical"
Re: (Score:3)
No, end users made this mess and are hoping to blame Microsoft.
No, Microsoft made this mess and you are blaming end users. If security updates were implemented and deployed with care, and if Microsoft behaved in a trustworthy way, then very few people would object to their being automatically installed.