Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!


Forgot your password?
Windows Privacy Security IT Technology

'Don't Tell People To Turn Off Windows Update, Just Don't' (troyhunt.com) 507

Security researchers Troy Hunt, writing on his blog: Often, the updates these products deliver patch some pretty nasty security flaws. If you had any version of Windows since Vista running the default Windows Update, you would have had the critical Microsoft Security Bulletin known as "MS17-010" pushed down to your PC and automatically installed. Without doing a thing, when WannaCry came along almost 2 months later, the machine was protected because the exploit it targeted had already been patched. It's because of this essential protection provided by automatic updates that those advocating for disabling the process are being labelled the IT equivalents of anti-vaxxers and whilst I don't fully agree with real world analogies like this, you can certainly see where they're coming from. As with vaccinations, patches protect the host from nasty things that the vast majority of people simply don't understand. This is how consumer software these days should be: self-updating with zero input required from the user. As soon as they're required to do something, it'll be neglected which is why Windows Update is so critical.
This discussion has been archived. No new comments can be posted.

'Don't Tell People To Turn Off Windows Update, Just Don't'

Comments Filter:
  • by JimToo ( 1304315 ) on Monday May 15, 2017 @02:03PM (#54420059)

    Unless you have a production environment with a software product that breaks with Windows update turned on. In which case you have to take additional security and maintenance measures and have a team that is tasked with (and funded properly) to do testing and updates on a regular basis.

    • by xxxJonBoyxxx ( 565205 ) on Monday May 15, 2017 @02:18PM (#54420201)
      Or the Windows 10 update doesn't work and keeps downloading/restarting/bluescreening your computer. (Looking at you, "Anniversary" edition.)
      • by mikael ( 484 ) on Monday May 15, 2017 @02:31PM (#54420331)

        For me, it takes around three manual restarts, because I have a dual-boot system and the default option is to boot into Linux. Even if Windows does download the update, it then sits around for so long with no indication of what it is doing that the screen blanks out. Then it just sits there pondering and reboots into Linux. Then I reboot back into Windows, which tells me that updates have to be installed. Then it sits around a bit more with a blank screen, then it reboots.

        So an automatic update isn't going to be automatic, and it comes as a rather unpleasant surpise to boot into Windows, only to find that the updates weren't installed or need to be downloaded and installed before I can get any work done. If this update system were designed correctly, it should simply clone the existing Windows config, apply the updates, and only say a new version is available when everything is working correctly.

        • by Wolfrider ( 856 )

          --What I did for dual-boot is to set Grub to boot last selected entry, might work for you...

        • Re: (Score:3, Informative)

          by bongey ( 974911 )

          Windows update(10) all the way back to XP, is horribly slow is part of the problem and it has just gotten worse. Run into a problems with windows update and you can lose 1-3 days, just because it takes forever for it to eventually fail. I went to update the windows load on my dual boot machine and it took 3 freaking hours on 4.5Ghz machine, ssd and 32GB of RAM. Same machine with Ubuntu updates took all of 2-3 minutes even with multiple dkms modules being built. Microsoft there is no excuse for it being that

      • by Anonymous Coward

        We personally have TWO laptops that got repeatedly broken by non-disableable driver updates (already told Windows to never update drivers, hid the offending update, etc) and it still managed to get through, multiple times, and do the blue-screen tango repeatedly until I gave up trying to fix, it went into safe mode and disabled the Windows Update service. I had to keep it that way for a couple months until I was able to load a "newer" driver from the video chip manufacturer that fixed it and/or MS stopped

      • I love Windows 10. Because of it, I have people asking me to install Linux over Windows 10 that would never before have considered such an option. Thank you, Microsoft!

    • by mhollis ( 727905 ) on Monday May 15, 2017 @02:42PM (#54420419) Journal

      Mod this up, folks!

      I know at least five different business environments which have been, essentially, shut down by a Windows update. One of them was signing a new service contract as I was talking to him—he had been down all day, unable to see his customer files, his books, the jobs his company was supposed to be doing, unable to route his employees to where they were supposed to go. They went back to a paper only system they have not used since 2002 and they were guessing at that. They were taking credit cards over their website, but could not record the result in their books and had to just save all of the emails and spend an additional day or so just doing data entry into their bookkeeping system.

      Of course, these are anecdotes (which is what the anti-vax community uses instead of Science). The problem is not the update, it is what Microsoft does to the computer upon emerging from the update. Elsewhere, people have written of resetting all of the browser preferences, BSODs and other issues. Microsoft needs to restore the previous state of the computer or server (as much as is practical) after the patch. They need to go in like a surgeon with the same motto: "First, do no harm." And if they figure out how to do that, their updates will be seen as innocuous as Apple's

      • Yep. Whenever work preforms security updates we literally lose a days worth of business as everything has to get reset. Local printers vanish as thier connections are disabled, with office 365 and outlook down for so long those caches get flushed, etc.
        You wanna know fun? Get 30 people to download 3-5 gigs of emails in an hour on a 100 mbit connecting because that's the best the area has.. talk about a wasted day.

        All because vendors reset settings that had no requirement of beingâ rese

    • Re: (Score:3, Insightful)

      by mysidia ( 191772 )

      Makes sense, but not an excuse for turning off Updates.

      How about your company's team (with the prod. servers) does their job, then? And tests and Rolls out the updates BEFORE Windows update automatically installs it.

      Leave Windows Update Enabled, schedule all new updates to install on X Day; However, If Windows updates rolls out the patch its own, then YOUR TEAM failed to conduct its job appropriately, which was to perform a controlled rollout in a timely manner (BEFORE The update is a week old, A

      • by xxxJonBoyxxx ( 565205 ) on Monday May 15, 2017 @03:03PM (#54420589)
        >> How about your company's team (with the prod. servers) does their job, then? And tests and Rolls out the updates BEFORE Windows update automatically installs it.

        So...Windows shouldn't be used by small or medium-sized business without IT workstation teams then?

        Microsoft, can you confirm?
      • by Anonymous Brave Guy ( 457657 ) on Monday May 15, 2017 @03:23PM (#54420763)

        You do understand that the majority of professional work is done by small businesses, and most of those don't have dedicated IT teams at all, right?

        Enterprise IT is actually the exception, not the norm.

        • as I *abruptly* learned a year ago when I left Intel and started at a relatively tiny 40 person shop.
          We have an IT guy (actually rather spectacular dude really) but there's no way he can get much past firefighter and core infrastructure maintenance mode... and there's no money for more people for something that simply doesn't make money.

          Yes we all know that IT doesn't make money, it prevents you from losing it all... but my intro to the "real world" after two decades in multinational corp. environment has b

      • by Trogre ( 513942 )

        How about your company's team (with the prod. servers) does their job, then? And tests and Rolls out the updates BEFORE Windows update automatically installs it.

        And... then what?

        If the update causes unacceptable behaviour, which does in the GP's case, what exactly can you do about it?

    • Unless you have a production environment with a software product that breaks with Windows update turned on

      And this is the scenario that happens more often than a patch was ahead of the exploit. It still makes the most sense to keep update OFF.

    • by CFTM ( 513264 ) on Monday May 15, 2017 @04:11PM (#54421253)

      So, if you read the article, you'd know that he's actually talking about home users and states before hand that enterprise environments have their own processes and procedures for dealing with these things (and if they got hacked, they screwed up because it's been three months).

      The problem is that technical users, like those found on Slashdot, tell home users that they should turn this stuff off because it causes all these problems, when it really doesn't when you're running a system with known hardware and under typical operating conditions.

      By typical, I mean you use Chrome and maybe a few other applications. You're not a developer, you're not a big time game player.

      This is 95% of MS home users. These people should all have Windows Update on at all times and what's more, they could care less about the crap that Microsoft packages in along the way. We may consider it invasive but most people just shrug their shoulders and move on.

    • by mhkohne ( 3854 )

      Unless you have a production environment with a software product that breaks with Windows update turned on. In which case you have to take additional security and maintenance measures and have a team that is tasked with (and funded properly) to do testing and updates on a regular basis.

      That's a nice sentiment, but I for one have never been lucky enough to know beforehand that a Windows update was going to break shit. I just have to put them on and hope. So I can hardly blame any company that relies on software for taking a very critical approach to them.

  • by maz2331 ( 1104901 ) on Monday May 15, 2017 @02:03PM (#54420063)

    This is generally sound advice, although some IT shops prefer to manage the process to ensure that either (a) a particular update doesn't break some proprietary code, or (b) because of regulatory reasons particular machines may not be permitted to have the software changed without some sort of documentation being generated.

    • by dc29A ( 636871 ) * on Monday May 15, 2017 @02:11PM (#54420121)

      I would do that if (1) MS didn't cram W10 down my throat; (2) every major update doesn't reset browser preferences; (3) stop updating and breaking hardware drivers; and (4) I could disable telemetry. My Macbook and Ubuntu machines are auto-update enabled. Not my Windows gaming box. No thanks.

      • by Anonymous Coward on Monday May 15, 2017 @02:22PM (#54420253)

        The blame for people not updating/patching computers lies squarely on Microsoft.

        Automatic updates, with no user action required, is a really great thing, but ONLY when the updates are strictly for important security patches, and NOT all sorts of other crap that randomly changes or breaks things.

        And then there's the whole "we're going to shove Windows 10 up your ass whether you want it or not" fiasco.

        Microsoft has fucked so many people, so many times, that users have become averse to automatic updates.

        • by Entropius ( 188861 ) on Monday May 15, 2017 @02:31PM (#54420337)

          Yep. I had a laptop that came with Windows 8 on it.

          I booted it once into Windows to change UEFI settings and then put Lubuntu on it.

          Well, a friend had a Windows question for me when I was away at a conference. No problem! I booted my laptop into Win8, looked up how to do the thing, and told her. I went to bed.

          I woke up to find that my system had:

          1) autoupdated to Windows 10
          2) fucked the bootloader so I couldn't boot into Linux any more.

          This is on top of the fact that Windows updates take about a year to complete and reenable a bunch of crap that I keep disabling ("Windows Media x").

          • by bongey ( 974911 ) on Monday May 15, 2017 @03:55PM (#54421087)

            You can trick windows from messing with it and bios that only look for a windows efi boot file. This will boot to grub and allow you to select windows if you want, and windows update doesn't mess with it.
            open cmd.exe as Administrator and lunch the command vmount s: /s
            go to s: and navigate the directories until you find where the grubx64.efi is located. Mine was under s:\EFI\debian\.
            go to s:\EFI\Microsoft\boot and create a backup of the bootmgfw.efi file and then overwrite it with the grubx64.efi.
            reboot. Now you should be able to reach the grub menu and boot to Linux but you'll be unable to boot to Windows. Boot to Linux then.

            On linux you
            open a shell and go to /boot/efi/EFI/Microsoft/Boot and restore the previously backed up bootmgfw.efi.
            run grub-install (it may require root privilege - sudo)
            run update-grub2 (it may require root privilege - sudo)

        • Re: (Score:3, Interesting)

          by Anonymous Coward

          The blame for people not updating/patching computers lies squarely on Microsoft.

          Automatic updates, with no user action required, is a really great thing, but ONLY when the updates are strictly for important security patches, and NOT all sorts of other crap that randomly changes or breaks things.

          And then there's the whole "we're going to shove Windows 10 up your ass whether you want it or not" fiasco.

          Microsoft has fucked so many people, so many times, that users have become averse to automatic updates.

          Exactly correct. MS lost many people's trust with updating around the Win10 forced-upgrade fiasco. I've deleted wusa.exe from my win7 box and I've done the same for any number of family and friends on various win7/8.1 boxes. I just make sure backups are in place and re-image if infected.

          If these devices get pwned and cause damage blame MS for destroying trust in their update platform.

          • by Tailhook ( 98486 ) on Monday May 15, 2017 @03:18PM (#54420725)

            This is hard to argue with. I personally prepared for this by preventing the Win 10 upgrade (even using third party software to stop the constant, malware like badgering complete with deliberately misleading prompts) until I was good and ready to deal with it, then I did a full clean install and manually migrated stuff over because I knew there was no way my complex, roughly used installation could possibly upgrade well automatically. One simply cannot, however, expect a planet full of Windows users to take this conservative approach; even if they were inclined to, which they aren't; most of them simply aren't competent to deal with this stuff and would do more damage than what the upgrade inflicted.

            So they all got put through the upgrade ringer creating bad outcomes for millions and leading to widespread "anti-vaxxer" behavior. Since then the "anti-vaxxers" have had their behavior affirmed by disruptive updates doing unwelcome stuff. The glacial slowness of the Windows 10 update process alone is a huge failure in my mind; this has badly regressed from earlier releases; I have a laptop I boot maybe once a month and I've come to expect the Windows 10 updates to take a hour or more. Ridiculous.

            After putting the whole world through all this shit one simply can't point a finger at millions of beleaguered users and blame them for their negligence. I'm sure they'd be happy to have they're system automatically updated, as long as it wasn't the computing equivalent of getting a SOA style beat down every few months.

        • Re: (Score:2, Insightful)

          by Anonymous Coward

          This. I was fine to leave auto-update on for security fixes but then microsoft started cramming their telemetry and other crap into them - making them bundled so you couldn't get your security fix without letting microsoft scoop up every piece of info on your computer that it wanted.

        • by HiThere ( 15173 )

          Even then... the thing that drove me from Apple to Linux was a security update. It worked without problem...but they used it to smuggle a license change in that I found unacceptable. So that machine was immediately disconnected from the internet, and everything that could touch the internet was migrated to Linux.

          I'll grant that what Microsoft is doing is arguably worse. I don't know, I left MS for Apple when THEY forced a license change on me that I found unacceptable. I think these companies rely on pe

      • Re: (Score:3, Insightful)

        by Anonymous Coward

        Exactly. If Microsoft behaved decently and simply provided security patches that fix vulnerabilities ONLY, there would be no issue. However Microsoft does shit like changing user settings (making IE/Edge your default browser), breaking hardware drivers, installing spyware etc.

        In my particular case I run a pirated Windows 7 gaming machine, with the "Genuine Microsoft" Windows activation disabled via a pirate-written patch. Both were downloaded via a Piratebay torrent. It turns out every time I update this ma

    • by TWX ( 665546 )

      I've worked in those kinds of environments, where we had propretary applications that were not compatible with the latest stuff. This is especially aggravating when you've got three web-delivered systems, all of which have mutually exclusive requirements. At one time users had to have Chrome, Firefox, and IE, and we had to block updates to IE so that the legacy system would work.

      It's extremely labor-intensive and requires excellent recordkeeping if one wants to do updates in this kind of environment, whic

    • by Thud457 ( 234763 ) on Monday May 15, 2017 @02:39PM (#54420385) Homepage Journal

      Don't use the channel for security updates to force advertising on your customers, just don't.

    • by Darinbob ( 1142669 ) on Monday May 15, 2017 @04:45PM (#54421629)

      The problem with the sound advice is that Microsoft is actively undermining the update process by treating customers so badly. They don't test their updates well, they make them forced in later versions, they tie the updates to earlier updates, and worst of all their malware inspired forcing of Windows 10 on people has justifiably trained customers to distrust Microsoft.

      It's time consuming to check out each and every update to make sure it's safe. But I have to do that because I cannot trust microsoft not to play games with my systems.

      Applications too, I don't update iTunes because every time I do it screws up, changing the UI in drastic ways, and takes me a very long time to get it working properly again. But that's ok, I do not use the store in iTunes, it does not execute any strange attachments, and as a malware vector it's pretty low compared to the OS itself. If it played nice then I'd update it more regularly.

  • Microsoft's fault (Score:5, Insightful)

    by sconeu ( 64226 ) on Monday May 15, 2017 @02:05PM (#54420077) Homepage Journal

    If they hadn't done shit such as the forced Win10 update, or forced GWA, or done a lot of other crap that broke peoples systems (in the name of marketing), then maybe people wouldn't have said, "Turn it off".

    • Re:Microsoft's fault (Score:5, Informative)

      by TWX ( 665546 ) on Monday May 15, 2017 @02:12PM (#54420139)

      Pretty much. I had to take some fairly convoluted measures to keep my wife's laptop on 8.1 or some of my various other systems on 7 without entirely disabling updates. It's not that I liked 8.1, but I did not like what I read about 10.

      The easiest way to avoid having 10 forced on me would have been to just disable updates. Instead I had to read up on every individual update that would push 10, and ultimately resorted to third-party software to block or remove those specific nuggets from Microsoft so that my platforms would be left in the state I wanted them in.

    • by macsforme ( 1735250 ) on Monday May 15, 2017 @02:14PM (#54420157)
      Agreed. A level of trust is required when you allow vendors to push automated updates to your system, and unfortunately there have been breaches of this trust when vendors saw this as an opportunity for more than enhancing user security.
    • by Anonymous Coward on Monday May 15, 2017 @02:21PM (#54420233)

      Plus, if Anti-Vaxxers could actually point to widespread deaths, they might have a point.

      People who advocate turning off Windows Update Can point to widespread windows deaths due to errant updates.

    • Re: (Score:3, Interesting)

      by war4peace ( 1628283 )

      It's a very complex ecosystem. Generally, the benefits of the many outweigh the "sacrifice" of the few.
      For every machine negatively affected by a forced update, there's a million which benefited from it. Unfortunately, that million machines don't yell "fault!" like that one which messed up does.

      Yes, Microsoft were too aggressive with pushing people towards updating to Windows 10, and they should have toned it down. But ultimately, it was not the "upgrade push" which pissed people off, but the whole telemetr

      • Re:Microsoft's fault (Score:4, Interesting)

        by citylivin ( 1250770 ) on Monday May 15, 2017 @07:10PM (#54422705)

        "Yes, Microsoft were too aggressive with pushing people towards updating to Windows 10, and they should have toned it down. But ultimately, it was not the "upgrade push" which pissed people off, but the whole telemetry debacle."

        Revisionist history. Before we even knew the extent of windows spying we had the windows update advisor (GWX) show up in the system tray on everyones windows 7 machine in it seems june 2015 ( https://tech.slashdot.org/stor... [slashdot.org] ) and a year later, forced it on everyone ( https://tech.slashdot.org/stor... [slashdot.org] ). That is the day that microsoft lost my confidence that they had worked since windows 95 to build.

        You can go read that slashdot article to see the day when everyone lost trust in microsoft, and people started recommending that people deactivate windows updates Very few people mention telemetry. What they do mention is that MS pushed a "security update" that was anything but.

        I turned windows updates off that day, but being an industry person, i found a work around that allowed me to keep them on. There was a program quickly developed called GWX blocker or something like that which allowed the gwx framework to be stopped.

        So yes, its bad to not run windows updates, but its also 100% microsofts own god damn fault.

  • But... but... (Score:2, Insightful)

    by Anonymous Coward

    The telemetry spying though,,,

  • by Anonymous Coward on Monday May 15, 2017 @02:07PM (#54420093)

    Windows Update also wanted to install telemetry on my Windows 7 system until I removed the patch. Then for 12 months Windows Update wanted to 'upgrade' me to Windows 10, the software employed all sorts of tricks to make me say yes and in the end I just disabled updates as it was less hassle.

    My Windows 7 system was not affected by the events over the weekend as all it does is run some test equipment. It still has Windows Update disabled and it's going to stay that way.

  • by ToTheStars ( 4807725 ) on Monday May 15, 2017 @02:10PM (#54420109)

    The reason folks turn off Windows Update is that it behaves kind of like malware itself! I'm technologically savvy enough to set my registry and so on to disable the awful "Get Windows Ten" updates, but when so many users got shafted by Windows "self-updating with zero input required from the user" to a completely new operating system (a new operating system that actively thwarts end-user control over updates!), is it any wonder that so many of them switched it off?

    The comparison to anti-vaxxers is interesting, and apt in more ways than Troy may have known. Much like Microsoft hijacked their Windows Update program to push Windows 10, the CIA used a Pakistani polio vaccination campaign to gather intelligence about Osama bin Laden (see here: https://en.wikipedia.org/wiki/... [wikipedia.org]). This has resulted in the killing of other relief workers and general suspicion of medical aid programs in that region, and so polio persists.

    • That is a shame about the polio.... so very close to being eradicated, too
    • Re: (Score:3, Insightful)

      by Anonymous Coward

      Thank you. The polio vaccination ruse by the CIA and the telemetry comparison is exactly what I thought of as well.

      On a separate note, WU used to specifically tell you what the update fixed, right in WU. Then they started making you click a link to go to the MS web site. After a while the web page stopped saying anything useful. Now you have to research each one manually, which is unacceptable. There is no reason MS would go to those lengths to obfuscate what a patch does, unless it's so they can foist more

  • by evolutionary ( 933064 ) on Monday May 15, 2017 @02:12PM (#54420127)
    The problem is that around 30% of MS Updates actually hurt the user, either by introducing "features" that (like Apple) inadvertently or deliberately adding things that are of no benefit to anyone but MS and in many case hurt he users. Windows 10 Basically is capable of hijiacking itself (as per it's design) so it's hard to know what is good and what is not especially MS gives VERY vague descriptions of it's updates as per the new windows 10+ policy to tell users, it's our update, just take it (up the rear end). The sooner we start admiting that we don't in fact NEED MS Windows at this point, the better. Linux anyone?
  • Problem solved, permanently.

  • But don't be a retard. Keep reading this site and others. I manually installed MS17-010 a month ago even though Windows Update has been off for years. People get what they deserve. You need to actively pursue your own security, not ignore it or worse, pretend that Microsoft is going to do it for you. Windows Update is more trouble than it's worth. Especially since Windows 10.
  • get a Mac. Now I am one of those annoying people who say switch to Linux.
  • I am in favour of auto-updating Windows, don't get me wrong; however, it could be catastrophic if anyone ever manages to figure out a way to spread a virus via the auto update.

    I'm not sure the technical route someone would have to take to do this; If, perhaps someone could somehow infect a DNS server to treat an infected server as a Microsoft update server.

  • by Anonymous Coward on Monday May 15, 2017 @02:16PM (#54420173)

    Those fuckers at MSFT ruined security updates by force-feeding the user spyware, or even forcing an "upgrade" to Windows 10.

    Now nobody trusts Microsoft, and would rather take their chances without the "essential updates".

  • by WillAffleckUW ( 858324 ) on Monday May 15, 2017 @02:17PM (#54420183) Homepage Journal

    the continual additions of resource-heavy snooping spyware and telemetry services for in-app advertising delivery hammer many institutions that would otherwise happily install security patches, if they were JUST security patches.

    But many of the Important patches we have recieved from MSFT are just that. Ads, telemetry to try to sell us stuff that blows out the bandwidth in mission critical software and pops up things that get in the way of doing actual work.

    There's your problem. That and the "patching" of things in a way that breaks apps that believe the public documentation instead of the actual way MSFT codes and tests its apps.

  • As a side note, the delay to release PDB symbols on MS's symbol server after a Patch Tuesday has been at least days and sometimes more than a week for the last two months (at least for the Win10 symbols I tried). I use them a lot with WinDbg.

  • by JohnFen ( 1641097 ) on Monday May 15, 2017 @02:19PM (#54420215)

    If Microsoft would just go back to the days when security patches were done separately from other sorts of updates, that would be a huge help. I know a lot of people who disable updates to avoid feature changes, but would accept automatic security updates.

    Microsoft's position of not making a distinction between the two is a large disincentive to allowing automatic updates for a lot of people.

    • That would be great, is MS didn't outright LIE about some of their updates. One of the "critical "updates turned out to be an ad server. That was a riot. Problem is, once the source proves untrustworthy, you can't rely on what they say. Question is, can you still rely on their OS? It think we all know the answer to that one.
      • Microsoft is an extremely weaselly company. The instant they stopped using the descriptor "security" and replaced it with "critical" was the moment it became clear that the update mechanism was going to be used for deceptive purposes.

  • It's more accurate to tailor the message about automatic updates to the audience.

    For computer savvy people that are likely to read the message about available updates and install them, than turning off automatic installation is appropriate, because many of us can't afford to have long running processes or tasks dumped from memory with a reboot.

    For your average user or nontechnical person, absolutely, advise them to leave it at defaults (and to save often).

  • Consider the source. (Score:5, Interesting)

    by Gravis Zero ( 934156 ) on Monday May 15, 2017 @02:21PM (#54420241)

    at troyhunt.com [troyhunt.com]

    Hi, I'm Troy Hunt, I write this blog, create courses for Pluralsight and am a Microsoft Regional Director and MVP who travels the world speaking at events and training technology professionals

    It's obviously in his interest to make everyone Microsoft's puppets.

    • by mugnyte ( 203225 ) on Monday May 15, 2017 @03:14PM (#54420689) Journal
      This isn't necessarily a problem. The problem arises from a cult-of-brand and groupthink that MS cannot do wrong. If Troy Hunt wrote honestly, he'd explore the customers that had turned off MS Update with some interviewing and surveys, then report the results, give a nod to their core cause, report MS's renewed efforts to address these *core* causes and then talk about why Updates should be left on. Instead he delivers these sugar-free platitudes:

      It's not fun, it costs money and it can still break other dependencies, but the alternative is quite possibly ending up like the NHS or even worse. Bottom line is that it's an essential part of running a desktop environment in a modern business.

      He's a fly-around shill just trying to look good in the eyes of Sales. His "workshops" are an insanely expensive way of selling low-calorie information that's already discussed online in much finer detail. His Ghost-powered blog site doesn't offer a search feature, but I'd bet it wouldn't return any meaningful results for two-factor authentication, separation-of-concerns, what certifications exist for software security, or the track record of non-MS products. Quick example: There's no mention of Google's recent publishing of security flaws in open-source projects. Instead we get a pass-the-buck, blame-the-victim blog post that ignores the annoyances of MS Update and tells everyone to "just deal with it".

  • by Gadget_Guy ( 627405 ) on Monday May 15, 2017 @02:22PM (#54420249)

    Microsoft only have themselves to blame for people disabling Windows Updates because they made it untrustworthy:

    • The Windows 10 upgrade fiasco
    • The backporting of the telemetry to previous versions of Windows
    • The updates that crash or cause problems
    • The update mechanism that in older Windows peg the CPU usage at 99%
    • The forced reboots at highly inconvenient times
    • The massive Windows 10 updates that mean that I have to reinstall some of our legacy software because Windows keeps resetting some crucial registry entries
    • The bundling of updates into a single entity so that we don't have control over what gets installed on our systems
    • And the hiding of what is in those updates so that we don't ask questions.
    • by Hartree ( 191324 ) on Monday May 15, 2017 @03:20PM (#54420743)

      "The bundling of updates into a single entity so that we don't have control over what gets installed on our systems"

      This! Abso-fracking-lutely this!

      Give me the info on what the update is, and I can decide whether it's worth the risk to install immediately or if I need to run it on a non-important machine first to vet it. Yes, theoretically I can drill down on MSDN and the knowledge base but with some much redirection and info hiding in the documentation, in truth it takes too much time. Exactly as Microsoft intended it.

  • by Noishkel ( 3464121 ) on Monday May 15, 2017 @02:24PM (#54420271)

    Except if vaccines failed as much as a Microsoft patch did there would be no doctors... because people would be shooting them in the street.

    Yeah, yeah... I can already hear the autistic fast typing from some keyboard warrior looking to 'correct' me on this one. But sorry... Microsoft no longer has any credibility to tell people what to do with their machines. The entire roll out of Windows 10 has been nothing but train wreck after train wreck. And you know what? Even if we get the occasional virus it's still better than having to deal with the rest of the continuing train wreck that is Microsoft. People are just going to have go back to the old day when people had to actually learn how to protect themselves. Instead of waiting on the industry to sell you a next generation of device that 'might' be eventually patched.

  • by Anonymous Coward on Monday May 15, 2017 @02:28PM (#54420315)

    The number of problems caused by installing Windows updates for our IT department: THOUSANDS
    The number of problems caused by holes left in the Windows OS that an update or patch supposedly has fixed: 20

    Easy decision.

  • A bit conflicted (Score:4, Interesting)

    by roc97007 ( 608802 ) on Monday May 15, 2017 @02:30PM (#54420327) Journal

    I don't think I've ever worked at a company that had "automatic updates" turned on. The reason being, company ecosystems tend to be predominantly all the same hardware, same Windows version and same patch level, and a bug in an update that affects that particular collection of hardware and software can take an astounding number of seats offline. (In much the same way a biological virus can take out an entire species if they're not sufficiently genetically diverse.) So yeah, no. Companies that want to stay in business don't do that. Of course, they *do* have a team that tests updates in a lab and sends out validated updates to the rest of the company, often a subset of what Microsoft spews out.

    I do something similar at home. We have three Winders boxes, and none of them have auto update turned on. Every week or so, I look at what updates are available, and apply at minimum the security updates to the least used of those three boxes. If it survives a reboot and some reasonable amount of smoke testing, I install on the game machine, and if that works out ok, after a day or two I'll install it on my own workstation. I have to take care because my machine is (a) my only conduit to my "day job", and (b) my main workstation for my side-business. I can't afford to be down because Microsoft botched a patch any more than any large company can.

    So yeah, security updates are important. Vital, even. But that doesn't mean you just install every update the moment it becomes available. An important part of "security" is "availability". And that's just as important as "confidentiality" and "integrity".

    Another contributor had it right -- there should be a way to auto install security updates only. So if Microsoft botched a driver update and it renders unbootable a certain brand of PC running a certain brand of video card, it's less likely to take large numbers of users offline.

    I know there are essential and optional updates (or whatever words they use) but most updates are considered by Microsoft to be essential.

    And this doesn't even address compatibility of updates with installed applications. You know, the software you use to actually do work.

    All that said, it does seem like Microsoft is doing a better job vetting their patches before release than they did the earlier part of this century. But being burned a few times breeds caution.

  • Making a blanket statement like this is not really valid. I think for the average consumer desktop that searches the web, maybe plays some games and does some basic office stuff it is probably a good idea not to turn off updates. Telling a corporation that they absolutely need to update every time Microsoft releases something is probably a bad idea. The better advice would be for companies would be to educate themselves, hire people that know what they are doing, or hire outside contractors that are reputa
  • If you're managing hundreds or thousands of systems, you've always got a few with failed Windows updates. It's a never ending battle. It's nigh impossible to stay 100% up to date. THAT is Microsofts fault.
  • No way! I will NOT allow windows to just install updates into my production environment... Yes, I know it is a risk to leave systems unpatched, but given the frequency of Microsoft breaking my systems with their patches, the risk of downtime from a security flaw is usually LESS than the risk of having some exploit that causes down time.

    However.... This doesn't mean I don't pay attention to the released updates. Oh no, we have a test system where we DO let them load as soon as they are released and a func

  • ... and tell them to stop using the security update distribution channel to trick me into doing an unwanted operating system update. Recently, Windows Update has looked a lot like malware in the way it operated to trick customers into upgrading to Windows 10.
  • by JoeyRox ( 2711699 ) on Monday May 15, 2017 @02:43PM (#54420433)
    Option A) Turn automatic updates ON and risk Microsoft making your machine unusable due to a faulty update
    Option B) Turn automatic updates OFF and risk Microsoft making your machine unusable due to the absence of a security update
  • When I go to update it just spins for hours and when it finally does update my tablets keyboard no longer works.
  • If an MS Update actually updated just the software you have (taking into account anything you've disabled or removed) - then this feature would be useful. As-is, it seems to Upgrade, Re-enable, Reset the OS to a state that is disruptive. This is not what such a feature should be doing. We've seen this before when updates required clicking (no scripting mode) and when updates required accepting EULA's that didn't allow a "No" - you were left with the half-way install. Each time, MS had to learn that the
  • by future assassin ( 639396 ) on Monday May 15, 2017 @02:54PM (#54420517) Homepage

    Yah blame the user for the virus exploits and not the vendor that created the software with huge holes and the vendor who is blocking updates when running new gen CPU's on older OS versions just to try and push people to W10.

  • by StonyCreekBare ( 540804 ) on Monday May 15, 2017 @02:55PM (#54420521) Homepage

    The last time I left updates enabled, update started updating my machine and demanded a reboot in the middle of a major corporate presentation in front of a large audience. This is UNACCEPTABLE behavior!

    Windows Updates (1) Constantly reset browser preferences, (2) Frequently break hardware drivers, and (3) Often interfere with critical, urgent work tasks. Don't tell me not to turn them off! Don't tell me not to tell others to turn them off! NOT GONNA HAPPEN!!!

    Windows Updates should be TURNED OFF, during all business / production usage. Then updates should be enabled/installed manually during weekends, vacations or other non-critical times. I DECIDE when my machine can be down for maintenance. Not Microsoft. The Updates STAY OFF, until I purposely enable them when I am willing to allow time for reboots, and have the time to restore my machine to proper configuration and operation afterward.

  • Tell Microsoft to stop pushing patches which install Windows 10 without my agreeing upon it, and I'll let Windows update run. No, I suppose Microsoft stopped with the whole Windows 10 thing a few months back, but there's now a trust issue I personally have to get past. The fact of the matter is, I don't trust Microsoft anymore.

    - Mark.

  • Repeat After Me (Score:5, Insightful)

    by John Allsup ( 987 ) <moo.went.the.cow@al l s u p.co> on Monday May 15, 2017 @03:12PM (#54420679) Homepage Journal

    If you value security, don't run the mission-critical parts of your infrastructure on a general purpose operating system like Windows, but rather run it on a minimalist, locked-down OS that has _only_ the facilities needed to do its job. The update carousel is a nightmare. If you want to ensure your Windows box doesn't sporadically reboot during a long unattended operation in order to update, what do you do? If you want to lock Windows down so it can only do the job to hand, and nothing else, you're screwed. If you run mission-critical stuff on a full-featured general purpose OS (and the same can be said for off-the-shelf Linux distros like Ubuntu and Fedora), you are kinda asking for it.

    That this idea is older than me, but is ignored, is laughable.

    • Indeed - but who has the competence, and the budget, to do that these days?
      Of course you will (correctly) reply that budget should not be an issue, since the investment should recoup itself in opportunity cost of not having to spend a fortune in ongoing security efforts, and or recovery.
      But try explaining that to your average suit...

  • by cfalcon ( 779563 ) on Monday May 15, 2017 @03:18PM (#54420721)

    I turn off Windows update on the boxes that I still have. I recommend everyone I know disable Windows update on all boxes that they have.

    If you leave Windows update on, and just take the security updates by default, you will get owned by Microsoft. Constant telemetry will stream from your box.

    I also recommend people look up how to stop this on Windows 7 and 8, where it is possible to stop it. It is not possible in 10, though some people have had some success at limiting it.

    The article's advice is horseshit. WU should be disabled for personal computers if privacy is any manner of concern. Microsoft has revectored their security update mechanism to: try to upgrade you to Windows 10. Install sleeper services that only months after installation began transmitting telemetry. Remove useful names from KBs to prevent successful system administration. Transmit information about what programs you use, when you use them, how often you use them. Transmit information regarding crashes. Broadly expose envelope information about your non-Microsoft related activities to Microsoft and anyone they choose to share that information with.

    Disable WU on 7 and 8. Tear out the bad patches. Only EVER manually apply patches that you actually require for security and functioinality.

    Comparing being a sensible system administrator who doesn't want to transfer control over their personal activities to Microsoft to antivaxxers is disgusting. Anyone making this comparison is irresponsible.

    https://superuser.com/question... [superuser.com]

    The list of KBs that you must manually remove (and prevent reinstallation of) to keep Windows without telemetry is provided on that su post. The list is:

    KB3065988 Windows Update Client for Windows 8.1 and Windows Server 2012 R2: July 2015 more info
    KB3083325 Windows Update Client for Windows 8.1 and Windows Server 2012 R2: September 2015 more info
    KB3083324 Windows Update Client for Windows 7 and Windows Server 2008 R2: September 2015 more info
    KB2976978 Compatibility update for Windows 8.1 and Windows 8 more info
    KB3075853 Windows Update Client for Windows 8.1 and Windows Server 2012 R2: August 2015 more info
    KB3065987 Windows Update Client for Windows 7 and Windows Server 2008 R2: July 2015 more info
    KB3050265 Windows Update Client for Windows 7: June 2015 more info
    KB3050267 Windows Update Client for Windows 8.1: June 2015 more info
    KB3075851 Windows Update Client for Windows 7 and Windows Server 2008 R2: August 2015 more info
    KB2902907 MS Security Essentials/Windows Defender related update [no description/information available]
    KB3068708 Update for customer experience and diagnostic telemetry more info
    KB3022345 Update for customer experience and diagnostic telemetry more info
    KB2952664 Compatibility update for upgrading Windows 7 more info
    KB2990214 Update that enables you to upgrade from Windows 7 to a later version of Windows more info
    KB3035583 Update installs Get Windows 10 app in Windows 8.1 and Windows 7 SP1 more info
    KB971033 Description of the update for Windows Activation Technologies more info
    KB3021917 Update to Windows 7 SP1 for performance improvements more info
    KB3044374 Update that enables you to upgrade from Windows 8.1 to a later version of Windows more info
    KB3046480 Update helps to determine whether to migrate the .NET Framework 1.1 when you upgrade Windows 8.1 or Windows 7 more info
    KB3075249 Update that adds telemetry points to consent.exe in Windows 8.1 and Windows 7 more info
    KB3080149 Update for customer experience and diagnostic telemetry more info
    KB3083324 Windows Update Client for Windows 7 and Windows Server 2008 R2: September 2015 more info
    KB3083325 Windows Update Client for Windows 8.1 and Windows Server 2012 R2: September 2015 more info
    KB3083710 Windows Update Client for Windows 7 and Windows Server 2008 R2: Octobe

  • by WaffleMonster ( 969671 ) on Monday May 15, 2017 @04:16PM (#54421331)

    People get WannaCry by clicking on the wrong email not by SMB exploits. I get that repurposed NSA exploit angle makes for interesting and irresistible news stories but substantively it's way overhyped and using it to support blanket assertions is a nonstarter in my view.

    There is compelling quantifiable evidence to support the position vaccines help more than they hurt. The case for updates is closer to the question of whether throwing billions into the intelligence industrial complex makes real people quantifiably safer from being terrorized given opportunity cost of not investing these funds to address significantly more statistically substantial problems such as pulling down US murder rate.

    What we know for sure is social engineering accounts for 90% of general p0wnage worldwide. Even if all unintentional software bugs were patched with 100% coverage overnight absolutely nothing would change.

    In 2017 given Microsoft's proven track record of both incompetence and sleaze when it comes to updates it's an open question as far as I'm concerned whether updates are still worth applying at all. Majority of end users are behind stealth mode firewalls and the only whackable thing they have sticking out is a web browser. If you keep firefox or chromium or whatever up to date and lock down some associated configuration are you really appreciably safer vs probability of computer failing to boot or introduction of some new Microsoft "telemetry" malware or Microsoft false choice prompt dismissal scam? I honestly don't know the answer. I do know it very much depends on context not only in terms of the users needs and environment but the value judgments of the end user.

    If Microsoft would stop constantly peddling malware, firing QA staff, fix updates to not use insane amounts of resources while taking forever and requiring a reboot to sneeze... If only updates were properly labeled and people trusted Microsoft not to screw with them... my guess less will find value in disabling updates.

    I personally believe coordinated automated updates of billions of systems globally in a matter of days is an extraordinarily perilous activity in and of itself no matter how careful you are. Sooner or later this is bound to end in a major disaster. While updates do fix problems quicker they also significantly lower the cost and tolerance for releasing defective software. It sends a signal to the market releasing defective software is a cost free activity.

  • by Solandri ( 704621 ) on Monday May 15, 2017 @04:26PM (#54421427)
    I *have* to disable the update service on my laptop. Win 10 insists on installing newer Intel graphics drivers, except they don't work with the Optimus setup on my laptop. With the newer Intel drivers, any 3D game I start crashes when it tries to use the Nvidia card. So I have to let Windows 10 update my laptop, disable the update service, then reinstall the Intel GPU drivers provided by my laptop vendor (and also the Nvidia drivers if Windows 10 has auto-updated those).

    When Win 10 first came out, it gave you the option to disable updates to a specific device driver. But for some inexplicable reason, Microsoft removed this option in the Oct 2016 update. Because of Microsoft's brain-dead update policies, I literally cannot use my gaming laptop to play games if I have Windows Update enabled.
  • by Altrag ( 195300 ) on Monday May 15, 2017 @05:46PM (#54422211)

    If MS really wants to make people do updates promptly, they need to get their heads back out of their asses. In the late WinXP and into the early Win7 era, there was a strong push for security and the updates were usually both relevant and easy to install.

    Fast forward to now, and half the updates you get are MS pushing their latest piece of crapware (*coughskypecough*) that you don't want, and like 90% of them require a full computer reboot -- which they'll happily do with our without your input and hope to hell you saved your work that day.

    If MS wants people to install critical updates then:
    a) Stop calling every fucking sales pitch "critical," and
    b) Go back to putting in the effort to avoid reboots. I know its easier to just reset and not worry about internal version conflicts and whatnot, but its a serious detriment to anyone who doesn't normally shut off their computer in the first place (and those people are the ones who least need to be force into an unwanted reboot!)

    Unfortunately MS has decided to do the exact opposite of that and compensate by giving you no choice -- enjoy losing your work.. what're you gonna do about it? Switch to Mac? Oh you are? Well fuck.

"No, no, I don't mind being called the smartest man in the world. I just wish it wasn't this one." -- Adrian Veidt/Ozymandias, WATCHMEN