Every month we see the same pattern: Microsoft releases its Patch Tuesday regimen; the blogosphere flies into a frenzy about security holes that have to be patched right this minute; some patches have bugs; Microsoft fixes many of them in a week or two, warns about others, and stays mum on far too many.
Normal Windows users are left in the lurch. On the one hand, you have the threat of imminent malware mayhem. On the other, you have the threat of poorly tested patches. Wash. Rinse. Repeat.
It’s been like that for years. Don’t believe it? Computerworld has month-by-month details for the past three years here.
Meanwhile, the raging zero-days – the patches that are released with known in-the-wild exploits – make for great headlines. But they rarely, if ever, find their way into working exploits right away. It takes months, or even years, for new exploits to appear in malware that affects you and me.
If you’re working with nuclear launch codes or top secret government communication, it’s another story of course. But for normal people, the threat from bad patches greatly exceeds the threat from freshly patched security holes.
To be sure, you have to get patched eventually. Some systems at high risk (for example, Windows DNS Servers two months ago) need to be patched pronto. But for the vast majority of Windows users, waiting a couple of weeks to get the latest patches applied doesn’t hurt a bit – and it gives Microsoft a chance to fix the bugs they invariably introduce.
If you don’t do anything, you get to beta test the patches as soon as they come out. But if you temporarily pause updating – using a setting first introduced in Win10 version 1903 – you can sit back and watch as the pioneers take one for the team.
Blocking automatic update on Win7 and 8.1
Those who paid for Win7 Extended Security Updates should be cautious about installing patches immediately. Those who didn’t will either ignore the patches (large majority there), or wait to see whether free alternatives appear – and 0patch has filled in several cracks. We’ll be covering both intently on AskWoody.com.
If you’re using Windows 7 or 8.1, click Start > Control Panel > System and Security. Under Windows Update, click the “Turn automatic updating on or off” link. Click the “Change Settings” link on the left. Verify that you have Important Updates set to “Never check for updates (not recommended)” and click OK.
Blocking automatic update on Windows 10
By now, almost all of you are on Win10 version 1903 or 1909. Not sure which version of Win10 you’re running? Down in the Search box, near the Start button, type winver, then click Run command. The version number appears on the second line.
If you’re using Win10 1803 or 1809, I strongly urge you to move on to Win10 version 1909. If you insist on sticking with Win10 1809 (can’t really blame ya!), you can block updates by following the steps in December’s Patch Tuesday warning. Be acutely aware of the fact that Microsoft won’t be handing out any more security patches for 1809 Home or Pro after November 10.
The end is near.
If you’re tempted to move to version 2004, I say wait. There’s a huge bunch of bug fixes poised to be released this week, and I’m still seeing reports of odd bugs cropping up here and there, like RDP bugs (thx, MikeMc) or a conflict with QuickBooks (thx, PatchLady). While it’s laudable that Microsoft’s finally exterminating the latest bugs en masse – some of which have been known for eight months – we still have a way to go before 2004 is ready for prime time.
My general recommendation relies on the Pause updates feature introduced in version 1903. But if you’re willing to dig a little deeper, and you’re running Win10 Pro, Education, or Enterprise, you might want to rummage around in the Group Policy Editor, and set this policy:
Configure Automatic Updates = Enabled, value = 2 (Notify before downloading and installing any updates).
PKCano has an extensive, step-by-step discussion of the setting and its uses in AKB 2000016, Guide for Windows Update Settings for Windows 10.
If you’d rather take the easier Pause updates approach, using an administrator account, click Start > Settings > Update & Security. If your Updates paused timer is set before Oct. 4 (see screenshot below), I urge you to click Resume Updates and let the automatic updater kick in – and do it before noon in Redmond on Tuesday, when the Patch Tuesday patches get released.
If Pause is set to expire before the end of September, or if you don’t have a Pause in effect, you should set up a defense perimeter that keeps patches off your machine for the rest of this month. Using that administrator account, click the Pause updates for 7 days button, then click it again and again, if necessary, until you’re paused out into late September or early October. (Note that the next Patch Tuesday falls on Oct. 13.)
If you see an invitation to “Download and install” version 2004 (as shown in the screenshot), carefully consider that Win10 version 2004 is still exhibiting lots of strange little bugs – and turn down the offer. Don’t click anything.
Don’t be spooked. Don’t be stampeded. Don’t click “Check for updates.” And don’t install any patches that require you to click “Download and install.”
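For readers who would rather verify all of the above from one elevated PowerShell prompt than click through Settings, here is an added script (not from the article or from Microsoft): it reports the Win10 version that winver shows, the current state of the Configure Automatic Updates policy, the Pause updates expiry, and the next Patch Tuesday, and it can set the policy to value 2. The policy registry location is the documented one; the PauseUpdatesExpiryTime value under the UX\Settings key is what the Settings app writes and is treated here as an assumption.

```powershell
# Added example, not part of the original article. Reads the same settings the
# article asks you to check; Set-WuNotifyBeforeDownload needs an elevated prompt
# and only takes effect on Pro/Education/Enterprise, since Home ignores the policy.
function Get-PatchTuesday([datetime]$Month) {
    # Patch Tuesday is the second Tuesday of the month.
    $first  = Get-Date -Year $Month.Year -Month $Month.Month -Day 1 -Hour 0 -Minute 0 -Second 0 -Millisecond 0
    $offset = ([int][DayOfWeek]::Tuesday - [int]$first.DayOfWeek + 7) % 7
    return $first.AddDays($offset + 7)
}

function Get-WuPosture {
    $cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $au = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU' -ErrorAction SilentlyContinue
    $ux = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\WindowsUpdate\UX\Settings' -ErrorAction SilentlyContinue

    # Meaning of the AUOptions values behind "Configure Automatic Updates".
    $auNames = @{ 2 = 'Notify before download and install'; 3 = 'Auto download, notify before install'
                  4 = 'Auto download and schedule install';  5 = 'Local admin chooses setting'
                  7 = 'Auto download, notify to install and restart' }
    $auValue = if ($au -and $au.PSObject.Properties['AUOptions']) { [int]$au.AUOptions } else { $null }

    # Assumption: PauseUpdatesExpiryTime is an ISO-8601 string written by the Settings app.
    $pause = $null
    if ($ux -and $ux.PSObject.Properties['PauseUpdatesExpiryTime']) {
        try { $pause = [datetime]$ux.PauseUpdatesExpiryTime } catch { $pause = $null }
    }
    $now = Get-Date
    $nextPT = Get-PatchTuesday $now
    if ($nextPT -le $now) { $nextPT = Get-PatchTuesday $now.AddMonths(1) }

    [pscustomobject]@{
        Version          = if ($cv.PSObject.Properties['DisplayVersion']) { $cv.DisplayVersion } else { $cv.ReleaseId }
        Build            = "$($cv.CurrentBuild).$($cv.UBR)"
        Edition          = $cv.EditionID            # 'Core' means Home: policy below will not apply
        PolicyAUOptions  = if ($auValue) { "$auValue ($($auNames[$auValue]))" } else { 'not configured' }
        PauseExpires     = $pause
        NextPatchTuesday = $nextPT
        PausedPastNextPT = ($pause -ne $null -and $pause -gt $nextPT)   # True means you would skip a cycle
    }
}

function Set-WuNotifyBeforeDownload {
    # Equivalent of Configure Automatic Updates = Enabled, value 2 in the Group Policy Editor.
    $path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
    if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
    Set-ItemProperty -Path $path -Name NoAutoUpdate -Value 0 -Type DWord
    Set-ItemProperty -Path $path -Name AUOptions    -Value 2 -Type DWord
}

Get-WuPosture | Format-List
```

Run Get-WuPosture first; if PausedPastNextPT comes back True, your pause runs beyond the next Patch Tuesday and you would miss the window in which the previous month's fixed patches arrive.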
If this month’s Patch Tuesday patches protect against any immediate, widespread threats – a rare occurrence, but it does happen – we’ll let you know here and at AskWoody.com in very short order. Otherwise, sit back and watch while our usual monthly crowdsourced patch watch proceeds. Let’s see what problems arise.
We’re at MS-DEFCON 2 on AskWoody.
Copyright © 2020 IDG Communications, Inc.