With Windows 10 version 1903 imminent, it’s more important than ever to lock down Windows updates

This month's Patch Tuesday will likely include the usual swamp of buggy patches – we’ve seen it over and over again for most of the past year. Now, though, you should be extra careful to block the new Win10 version 1903 in case it appears.

Every month’s a circus in the Windows patching realm. It’s hard to remember a single month in the past year where the initial monthly cumulative updates/monthly rollups didn’t include a real dog. (Which is not to disparage dogs, but never mind.)

The simple fact is that almost every version of Windows, almost every month, gets a bug that’s bad enough to warrant an official acknowledgment at some point later in the month. You don’t need to take my word for it. Just look at the official patching lists for Windows 10, Windows 8.1, or Windows 7.

When we’re lucky, the second monthly cumulative update fixes bugs introduced in the first cumulative update. When we aren’t so lucky, the bugs persist.

Granted, the bugs frequently afflict only small subsets of all Windows users. On any given Tuesday your chances of getting zapped are small. But you have to ask yourself if the risk is worth the protection.

Yes, you have to patch sooner or later. But why not let the cannon fodder send back their reports before you offer up your machine to Microsoft’s latest missives?

Blocking automatic update on Win7 and 8.1

I recently installed Windows 7 on a new (refurbished) machine, all the better to witness its ultimate demise in January. After several hundred such installs, I’m still tickled by the fact that automatic updating was only a recommendation back in the day. With Win10, it's a straitjacket.

Here’s how to take control back.

If you’re using Windows 7 or 8.1, click Start > Control Panel > System and Security. Under Windows Update, click the "Turn automatic updating on or off" link. Click the "Change Settings" link on the left. Verify that you have Important Updates set to "Never check for updates (not recommended)" and click OK.

Blocking automatic update on Win10 Pro

If you’re using Win10 Pro version 1709, 1803, or 1809, I recommend an update blocking technique that Microsoft recommends for “Broad Release” in its obscure Build deployment rings for Windows 10 updates – which is intended for admins, but applies to you, too. (Thx, @zero2dash)

Step 1. Using an administrative account, click Start > Settings > Update & Security.

Step 2. On the left, choose Windows Update. On the right, click the link for Advanced options. If you’re using Win10 version 1803 or 1809, you see the settings in the screenshot. Microsoft has changed its terminology – there’s no longer a Semi-Annual Channel, and we don’t know when/if Win10 1809 will be declared “ready for widespread use in organizations” – but the tenets remain the same.

Windows 10 update advanced options.

Step 3. To pull yourself out of beta testing (or, as Microsoft would say, to delay new versions until they’re ready for broad deployment), in the first box, choose Semi-Annual Channel.

Step 4. To further delay new versions until they’ve been minimally tested, set the “feature update” deferral setting to 120 days or more. That tells the Windows Updater (unless Microsoft makes another “mistake,” as it has numerous times in the past) that it should wait until 120 days after a new version is declared ready for broad business deployment before upgrading and re-installing Windows on your machine.

If you’re using Win10 version 1803, that has the added beneficial effect of blocking Microsoft’s forced upgrade to Win10 version 1809. If you’re using Win10 1809, it’ll keep Win10 1903 from being pushed on your machine, whenever it’s sent out the automatic update chute. You should choose when you want to upgrade. Don’t leave it up to Microsoft’s “next generation advanced learning” algorithm which, presumably, is more advanced than the current generation advanced learning algorithm.

Step 5. To delay cumulative updates, set the “quality update” deferral to 15 days or so. (“Quality update” = cumulative update = bug fix.) In my experience, Microsoft usually yanks bad Win10 cumulative updates within a couple of weeks of their initial release. By setting this to 10 or 15 or 20 days, Win10 will update itself after the major screams of pain have subsided and (with some luck) the bad cumulative updates have been pulled or re-issued. Notably, in February 2019, it took Microsoft 18 days to fix its first-Tuesday bugs.

Step 6. Just “X” out of the settings pane. You don’t need to explicitly save anything.

Step 7. Don’t click Check for updates. Ever.
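
To confirm that the choices from Steps 3 through 5 actually stuck, here is a read-only PowerShell check, added as an example and not part of the original article. It assumes the Advanced options page on Win10 Pro 1709, 1803 and 1809 saves its choices under the `UX\Settings` registry key shown, with 32 meaning Semi-Annual Channel and 16 meaning Semi-Annual Channel (Targeted); the Policy column shows any Group Policy value of the same name, which overrides the Settings page when present.

```powershell
# Added example, not from the article. Read-only; changes nothing.
# Assumption: Settings > Windows Update > Advanced options saves its choices here.
$uxKey     = 'HKLM:\SOFTWARE\Microsoft\WindowsUpdate\UX\Settings'
# Group Policy equivalents; when set, they override the Settings page.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'

# Expected values, taken from Steps 3-5 above.
$checks = @(
    @{ Name = 'BranchReadinessLevel';            Want = 'Semi-Annual Channel (32)'; Test = { param($v) $v -eq 32 } }
    @{ Name = 'DeferFeatureUpdatesPeriodInDays'; Want = '120 days or more';         Test = { param($v) $v -ge 120 } }
    @{ Name = 'DeferQualityUpdatesPeriodInDays'; Want = '10 to 20 days';            Test = { param($v) $v -ge 10 -and $v -le 20 } }
)

function Get-DeferralValue {
    param([string]$Key, [string]$Name)
    $item = Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }   # key or value absent: never configured
    return [int]$item.$Name
}

$report = foreach ($check in $checks) {
    $value = Get-DeferralValue -Key $uxKey -Name $check.Name

    # A missing value means the machine is still on the default, undeferred behavior.
    if ($null -eq $value)             { $status = 'NOT SET' }
    elseif (& $check.Test $value)     { $status = 'OK' }
    else                              { $status = 'REVIEW' }

    [pscustomobject]@{
        Setting  = $check.Name
        Current  = $value
        Expected = $check.Want
        Status   = $status
        Policy   = Get-DeferralValue -Key $policyKey -Name $check.Name
    }
}

$report | Format-Table -AutoSize
```

Any row marked NOT SET or REVIEW means the machine is not deferring updates the way the steps above describe; re-running the check after each Patch Tuesday catches settings that were silently reset.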

If there are any real howlers – months where the cumulative updates were irretrievably bad, and never got any better, as they were in July 2018 – we’ll let you know, loud and clear.

Tired old approach for Windows 10 Home

Here’s the thing about Windows 10 Home. Microsoft considers Home customers fair game. They really should call it Win10 Guinea Pig edition. Microsoft has no qualms whatsoever in pushing its new, untested (perhaps I should say “less-than-thoroughly-tested”) updates and upgrades onto Windows 10 Home machines.

This isn’t a mistake or an oversight. Win10 Home customers by design are Microsoft’s extended beta-plus testing force. Cannon fodder. It’s unconscionable, and it’s been that way since day one. As Susan Bradley says, “Every version of Windows should be able to defer and pause updates… Microsoft, your customers deserve better than this.”

If upgrading to Win10 Pro isn’t an option – and I sympathize if you’d rather not hand over another $100 to Microsoft for something that should come standard – your only other reasonable option is to set your internet connection to “metered.” Metered connections are an update-blocking kludge that seems to work to fend off cumulative updates. But as best I can tell, it still doesn’t have Microsoft’s official endorsement as a cumulative update prophylactic.

To set your Ethernet connection as metered: Click Start > Settings > Network & Internet. On the left, choose Ethernet. On the right, click on your Ethernet connection. Then move the slider for Metered connection to On.

To set your Wi-Fi connection as metered: Click Start > Settings > Network & Internet. On the left, choose Wi-Fi. On the right, click on your Wi-Fi connection. Move the slider for Metered connection to On.

If you set your internet connection to metered, you need to watch closely as the month unfolds, and judge when it’s safe to let the demons in the door. At that point, turn “metered” off, and just let your machine update itself. Don’t click Check for updates.

We’re at MS-DEFCON 2 on AskWoody.
