'Don't Tell People To Turn Off Windows Update, Just Don't' (troyhunt.com)
Date: 2017-05-15
Security researcher Troy Hunt, writing on his blog: Often, the updates these products deliver patch some pretty nasty security flaws. If you had any version of Windows since Vista running the default Windows Update, you would have had the critical Microsoft Security Bulletin known as "MS17-010" pushed down to your PC and automatically installed. Without doing a thing, when WannaCry came along almost 2 months later, the machine was protected because the exploit it targeted had already been patched. It's because of this essential protection provided by automatic updates that those advocating for disabling the process are being labelled the IT equivalents of anti-vaxxers and whilst I don't fully agree with real world analogies like this, you can certainly see where they're coming from. As with vaccinations, patches protect the host from nasty things that the vast majority of people simply don't understand. This is how consumer software these days should be: self-updating with zero input required from the user. As soon as they're required to do something, it'll be neglected which is why Windows Update is so critical.
Unless you have a production environment with a software product that breaks with Windows Update turned on. In which case you have to take additional security and maintenance measures and have a team that is tasked with (and properly funded for) doing testing and updates on a regular basis.
For me, it takes around three manual restarts, because I have a dual-boot system and the default option is to boot into Linux. Even if Windows does download the update, it then sits around for so long with no indication of what it is doing that the screen blanks out. Then it just sits there pondering and reboots into Linux. Then I reboot back into Windows, which tells me that updates have to be installed. Then it sits around a bit more with a blank screen, then it reboots.
This is generally sound advice, although some IT shops prefer to manage the process to ensure that either (a) a particular update doesn't break some proprietary code, or (b) because of regulatory reasons particular machines may not be permitted to have the software changed without some sort of documentation being generated.
I would do that if (1) MS didn't cram W10 down my throat; (2) every major update doesn't reset browser preferences; (3) stop updating and breaking hardware drivers; and (4) I could disable telemetry. My Macbook and Ubuntu machines are auto-update enabled. Not my Windows gaming box. No thanks.
Yep. I had a laptop that came with Windows 8 on it.
I booted it once into Windows to change UEFI settings and then put Lubuntu on it.
Well, a friend had a Windows question for me when I was away at a conference. No problem! I booted my laptop into Win8, looked up how to do the thing, and told her. I went to bed.
I woke up to find that my system had:
1) autoupdated to Windows 10
2) fucked the bootloader so I couldn't boot into Linux any more.
(1) It was ultra-scammy when they were doing that, but it's been more than 6 months since they've stopped, so it's time to throw out this reason.
I've worked in those kinds of environments, where we had proprietary applications that were not compatible with the latest stuff. This is especially aggravating when you've got three web-delivered systems, all of which have mutually exclusive requirements. At one time users had to have Chrome, Firefox, and IE, and we had to block updates to IE so that the legacy system would work.
Microsoft's fault (Score:5, Insightful)
If they hadn't done shit such as the forced Win10 update, or forced GWA, or done a lot of other crap that broke people's systems (in the name of marketing), then maybe people wouldn't have said, "Turn it off".
Pretty much. I had to take some fairly convoluted measures to keep my wife's laptop on 8.1 or some of my various other systems on 7 without entirely disabling updates. It's not that I liked 8.1, but I did not like what I read about 10.
Plus, if Anti-Vaxxers could actually point to widespread deaths, they might have a point.
People who advocate turning off Windows Update can point to widespread Windows deaths due to errant updates.
It's a very complex ecosystem. Generally, the benefits of the many outweigh the "sacrifice" of the few.
For every machine negatively affected by a forced update, there's a million which benefited from it. Unfortunately, that million machines don't yell "fault!" like that one which messed up does.
The telemetry spying though...
Windows Update also wanted to install telemetry on my Windows 7 system until I removed the patch. Then for 12 months Windows Update wanted to 'upgrade' me to Windows 10, the software employed all sorts of tricks to make me say yes and in the end I just disabled updates as it was less hassle.
My Windows 7 system was not affected by the events over the weekend as all it does is run some test equipment. It still has Windows Update disabled and it's going to stay that way.
Why would anyone *disable* automatic updates on Windows? With it being widely known as such an insecure OS, that just seems insane. I've never heard anyone give such advice, but if they did, they surely deserve a smack on the head.
Enjoy the Windows 10 telemetry yet?
I mean, I use Windows 10 too but only as the OS required to run games. As far as Microsoft knows, all I use is Battle.net, Steam and GoG.
Because of getwin10
Maybe if Windows Update behaved decently... (Score:4, Insightful)
The reason folks turn off Windows Update is that it behaves kind of like malware itself! I'm technologically savvy enough to set my registry and so on to disable the awful "Get Windows Ten" updates, but when so many users got shafted by Windows "self-updating with zero input required from the user" to a completely new operating system (a new operating system that actively thwarts end-user control over updates!), is it any wonder that so many of them switched it off?
The comparison to anti-vaxxers is interesting, and apt in more ways than Troy may have known. Much like Microsoft hijacked their Windows Update program to push Windows 10, the CIA used a Pakistani polio vaccination campaign to gather intelligence about Osama bin Laden (see here: https://en.wikipedia.org/wiki/... [wikipedia.org]). This has resulted in the killing of other relief workers and general suspicion of medical aid programs in that region, and so polio persists.
What about the updates that hurt users? (Score:3)
There is, it's the "critical updates only" checkbox.
The problem isn't the lack of said checkbox, it's the fact that Microsoft doesn't respect that checkbox and considers all sorts of marketing fluff and malware to be "critical"
If you buy Microsoft software, you get what you paid for.
I haven't had that problem since Windows XP. Then again, I'm not running on minimum spec hardware.
Problem solved, permanently.
I used to be one of those annoying people who said (Score:2)
I am in favour of auto-updating Windows, don't get me wrong; however, it could be catastrophic if anyone ever manages to figure out a way to spread a virus via the auto update.
I'm not sure of the technical route someone would have to take to do this; perhaps if someone could somehow infect a DNS server to treat an infected server as a Microsoft update server.
Those fuckers at MSFT ruined security updates by force-feeding the user spyware, or even forcing an "upgrade" to Windows 10.
Now nobody trusts Microsoft, and would rather take their chances without the "essential updates".
The continual additions of resource-heavy snooping spyware and telemetry services for in-app advertising delivery hammer many institutions that would otherwise happily install security patches, if they were JUST security patches.
But many of the Important patches we have received from MSFT are just that. Ads, telemetry to try to sell us stuff that blows out the bandwidth in mission critical software and pops up things that get in the way of doing actual work.
As a side note, the delay to release PDB symbols on MS's symbol server after a Patch Tuesday has been at least days and sometimes more than a week for the last two months (at least for the Win10 symbols I tried). I use them a lot with WinDbg.
If Microsoft would just go back to the days when security patches were done separately from other sorts of updates, that would be a huge help. I know a lot of people who disable updates to avoid feature changes, but would accept automatic security updates.
Microsoft's position of not making a distinction between the two is a large disincentive to allowing automatic updates for a lot of people.
It's more accurate to tailor the message about automatic updates to the audience.
For computer-savvy people that are likely to read the message about available updates and install them, then turning off automatic installation is appropriate, because many of us can't afford to have long running processes or tasks dumped from memory with a reboot.
For your average user or nontechnical person, absolutely, advise them to leave it at defaults (and to save often).
at troyhunt.com [troyhunt.com]
Hi, I'm Troy Hunt, I write this blog, create courses for Pluralsight and am a Microsoft Regional Director and MVP who travels the world speaking at events and training technology professionals
It's obviously in his interest to make everyone Microsoft's puppets.
Microsoft only have themselves to blame for people disabling Windows Updates because they made it untrustworthy:
Except if vaccines failed as much as a Microsoft patch did there would be no doctors... because people would be shooting them in the street.
Yeah, yeah... I can already hear the autistic fast typing from some keyboard warrior looking to 'correct' me on this one. But sorry... Microsoft no longer has any credibility to tell people what to do with their machines. The entire roll out of Windows 10 has been nothing but train wreck after train wreck. And you know what? Even if we get the occasional virus it's still better than having to deal with the rest of the continuing train wreck that is Microsoft. People are just going to have to go back to the old days when people had to actually learn how to protect themselves. Instead of waiting on the industry to sell you a next generation of device that 'might' be eventually patched.
I don't think I've ever worked at a company that had "automatic updates" turned on. The reason being, company ecosystems tend to be predominantly all the same hardware, same Windows version and same patch level, and a bug in an update that affects that particular collection of hardware and software can take an astounding number of seats offline. (In much the same way a biological virus can take out an entire species if they're not sufficiently genetically diverse.) So yeah, no. Companies that want to st
