Don't Tell People to Turn off Windows Update, Just Don't

[Megalith]

Are you an idiot for turning off Windows Update? Yeah, you are, according to this author, who (after all of the WannaCry stuff) has decided to point out some of the bad advice that is out there: particularly, one CNET article that teaches users how to stop Windows 10 from automatically updating their PCs. While Windows Update could still see some improvement, isn’t this guy right? Naysayers suggest that it is not so simple, since Microsoft is mixing in potentially unwanted updates with security updates, aside from other supposed inconveniences.

When you position this article from a year ago next to the hundreds of thousands of machines that have just had their files encrypted, it's hard to conclude that it in any way constitutes good advice. I had the author of this post ping me and suggest that people should just manually update their things if they disabled Windows Update. That's fine in, say, a managed desktop environment such as many organizations run and let's be clear - disabling Windows Update isn't the issue in that situation because there are professionals managing the rollout of patches (with the obvious exception of the organizations that just got hit by WannaCry). But your average person is simply not going to keep on top of these things which is why auto-updaters are built into so many software products these days.

 

[Ididar]

If you're clever enough to protect yourself then by all means turn off Windows Update. That said, if you are clever enough to protect yourself then you rarely end up reading an article about how to turn off updates in Windows. You already know because you figured it out yourself. If you have to read an article about it then 9 chances out of 10 you shouldn't be doing it.

 

[B00nie]

I haven't had to do windows updates for years. The protection they offer is worthless as they're constantly playing catchup.

 

[MavericK]

I haven't had to do windows updates for years. The protection they offer is worthless as they're constantly playing catchup.

Enjoy your Chinese botnet zombie machine.

 

[grtitan]

Instead, help them install Linux!

 

[Brian_B]

I'm definitely not against updates.

I am against an update agent that sucks all my bandwidth, interferes in my using of the computer (both via being bandwidth vampire and by intrusive restarts) and won't allow me to delay, or even throttle, a download while I'm trying to do other stuff.

 

[Croak]

Enjoy your Chinese botnet zombie machine.

It's Russian botnet zombie machines. Because, Russia, right? Know your meme.

 

[otherweeb]

I haven't had to do windows updates for years. The protection they offer is worthless as they're constantly playing catchup.

So your angry MS isn't making better use of their Time Travelling Exploit Squad?

 

[Dead Parrot]

For the average end user without weird hardware or software installed, auto update for Security updates should be turned on. Unfortunately, Microsoft doesn't have that option. Allow MS Update, and you risk getting new poorly tested hardware drivers, unadvertised features, MS approved spyware, and maybe an entirely new OS.

 

[Armenius]

So your angry MS isn't making better use of their Time Travelling Exploit Squad?

Gamergate still has the keys to the time machine, last I checked. Or maybe they lent them to the Kekistanis.

 

[Simmonz]

Forcing people to update won't stop bad things from happening. People aren't losing their data because of ransomware. They're losing it because they were stupid and clicked on dumb shit and even worse for not backing their oh so precious data properly. If you play russian roulette every day by clicking on dumb shit and not backing up your stuff eventually you're going to get cornholed. Relying on Microsoft, av companies and God won't save you as much as common sense.

 

[SuperSubZero]

I haven't had to do windows updates for years. The protection they offer is worthless as they're constantly playing catchup.

This makes me want to cry.

 

[Simmonz]

This makes me want to cry.

He's not entirely wrong. I get people in evey week with Windows 10 that have viruses that are up to date. Updates aren't some magic defense against stupidity.

 

[Quartz-1]

One of the problems with Windows Update is that you get so little information about the update. Sure you get a link you can click, but it would help immensely to have a brief description.

 

[Dan_D]

The problem is that too many people are ignorant about the dangers of not updating your OS regularly. Conversely, they are ignorant of the issues that updating too quickly can cause. People who tell you to blindly update all the time haven't ever had a Windows update fuck their OS install up beyond repair. Likewise, people who tell you not to update Windows probably had a bad experience once and assume every patch is going to make their PC shit sparks and die. Disabling or deferring updates can be a good thing, but only if you look at the updates and ensure that you do them at some point when you are reasonably certain of success.

Windows updates aren't as problematic as they used to be. Do what you want with your own PC, but for those friends and family who are PC illiterate, its best to leave automatic updates enabled. Of course Windows 10 Home users don't get any choice anyway.

 

[Clovis559]

I only update when I want to like when CU came out. The windows update service is stopped.
My computer consists of games and games, Chrome Browser, Photoshop. Everything else is backed up. If you steal my computer oh well. If you encrypt my computer oh well.
There isn't anything there I cannot replace.

 

[DeathFromBelow]

Frustration with slow and broken updates was part of what drove me to Linux Mint. It's so much better.

 

[ir0nw0lf]

Only update issue I had was a Windows 10 driver for our color Laserjet printer, it kept trying to install and would fail everytime. I hid the update with a "wushowhide.diagcab" file I found from Microsoft. Did the trick in hiding that update.

 

[InorganicMatter]

Sure thing.

I'll stop turning Windows Update off when Microsoft stops releasing updates that "accidentally" revert all my privacy settings and install Candy Crush. Again.

 

[bigdogchris]

I don't turn off updates but I'm really considering switching to CBB before the update comes out this fall.

 

[Sovereign]

I'm definitely not against updates.

I am against an update agent that sucks all my bandwidth, interferes in my using of the computer (both via being bandwidth vampire and by intrusive restarts) and won't allow me to delay, or even throttle, a download while I'm trying to do other stuff.

I'm against updates that...
1. Restart my PC whenever the hell they feel like it, causing me to lose work (only being able to disable this "feature" by creating a dummy folder in the Scheduled Tasks store).
2. Power on my PC whenever the hell they feel like it, wasting electricity and possibly also restarting my computer (risk of work loss again).
3. Use my bandwidth without permission to seed updates to other users (have to dig into settings to toggle this only to local network).
4. Use updates as an excuse to change personalized settings (like previously mentioned privacy options).

 

[TrailRunner]

1year+ ago I was running Insider Previews leading up to the Anniversary Update, and MS started pushing a bad Radeon driver that wouldn't render my screen correctly. No mouse cursor, UI controls not being rendered in all applications (including Explorer), and within 2 minutes a refusal to do any screen updating. Every fsking time it would push the same shit driver, which I'd have to roll back blind using keyboard controls, and then it would push the same thing again. You bet I disabled updates.

But with the officially released stuff, I haven't had any problems.

 

[Zarathustra[H]]

If you're clever enough to protect yourself then by all means turn off Windows Update. That said, if you are clever enough to protect yourself then you rarely end up reading an article about how to turn off updates in Windows. You already know because you figured it out yourself. If you have to read an article about it then 9 chances out of 10 you shouldn't be doing it.

Security depends on layers.

NO ONE is clever enough to run an unpatched system. You cannot rely on firewalls, security software and behavior to make up for unpatched vulnerabilities. All of them are required in conjunction.

Anyone who thinks they are smart enough or capable enough to disregard patches is just suffering from hubris and even more likely to become a victim.

It reminds me of the idiots who used to disable UAC because they found it annoying. It's facepalm worthy.

I agree that Microsoft have been assholes for using security updates to shove unwanted features down people's throats. It is awful, and it needs to change, but if there is ever a choice between getting an unwanted feature or running unpatched, always, always, always choose the unwanted feature, no matter what.

Having a fully patched system out to be a basic requirement to be allowed on the internet.

I don't care who you are, or how smart or knowledgeable you think you are, always, always, always patch everything, and if your OS/Software is old enough that it is no longer receiving security patches, IMMEDIATELY discontinue its use.

There are a lot of really smart knowledgeable IT professionals trying to explain to their businesses this week why all their data is encrypted.

Just like how only an absolute idiot gets into a car without immediately buckling up, only an absolute idiot delays a security patch.

Yes, any time there is a patch, there is a risk something will break, but that's a small price to pay for having a secured system. I do that care who you are, or what you do, we have to alter the mentality such that EVERYONE is on board with that it is better to go offline than be online and be exposed.

 

[nutzo]

For the average end user without weird hardware or software installed, auto update for Security updates should be turned on. Unfortunately, Microsoft doesn't have that option. Allow MS Update, and you risk getting new poorly tested hardware drivers, unadvertised features, MS approved spyware, and maybe an entirely new OS.

And that is the problem.

The current updates in Windows 10 home would be fine, if it was just the default setting.
There should at least be options to turn off or delay updates, and the settings should be by category, such as security, drivers, features or major revisions.


For example, let me wait for 2 week on security updates, and 60 days on the other stuff (unless I manually run updates).

 

[ChoGGi]

"I'm Troy Hunt, an Australian Microsoft Regional Director and also a Microsoft Most Valuable Professional for Developer Security"

Not that I don't keep my systems updated, but he doesn't seem like the best person to be giving advice about Windows...

 

[Ur_Mom]

So you guys skipped over the link with the Saudi prince offering a few million dollars?? Your LOSS!!

I think this is the reason why you get or don't get a virus. They need to pound it in peoples head about this.

That's not a virus. That's a very useful application that monitors my PC for my safety. Every so often, the people will call to clean up my PC remotely. They seem to do a good job and it's only $50 each time and they find a lot of stuff.

Of course, they haven't called and I think I have a problem now... What is Bitcoin? I only have 2 days left....

 

[nutzo]

He's not entirely wrong. I get people in evey week with Windows 10 that have viruses that are up to date. Updates aren't some magic defense against stupidity.

Have an older relative like this. He says he never clicks on links or installs anything.

He accidently installed Windows 10.

Every month he complains about the computer starting to run slow.
When you check the computer, there are multiple new adware/malware installed including new junk AV software, etc.

Really hate those gremlins that mess up his computer at night.

 

[lcpiper]

I haven't had to do windows updates for years. The protection they offer is worthless as they're constantly playing catchup.

Really? This entire conversation, the related articles, and the effects of Wannacry are ALL because of malware written to take advantage of a vulnerability that was patched over a month ago ...........

You should rethink your reasoning on this one.

EDITED: I changed year to month, if someone corrected me, then I stand corrected.

 

[Jovian]

Security depends on layers.

NO ONE is clever enough to run an unpatched system. You cannot rely on firewalls, security software and behavior to make up for unpatched vulnerabilities. All of them are required in conjunction.

Anyone who thinks they are smart enough or capable enough to disregard patches is just suffering from hubris and even more likely to become a victim.

It reminds me of the idiots who used to disable UAC because they found it annoying. It's facepalm worthy.

I agree that Microsoft have been assholes for using security updates to shove unwanted features down people's throats. It is awful, and it needs to change, but if there is ever a choice between getting an unwanted feature or running unpatched, always, always, always choose the unwanted feature, no matter what.

Having a fully patched system out to be a basic requirement to be allowed on the internet.

I don't care who you are, or how smart or knowledgeable you think you are, always, always, always patch everything, and if your OS/Software is old enough that it is no longer receiving security patches, IMMEDIATELY discontinue its use.

There are a lot of really smart knowledgeable IT professionals trying to explain to their businesses this week why all their data is encrypted.

Just like how only an absolute idiot gets into a car without immediately buckling up, only an absolute idiot delays a security patch.

Yes, any time there is a patch, there is a risk something will break, but that's a small price to pay for having a secured system. I do that care who you are, or what you do, we have to alter the mentality such that EVERYONE is on board with that it is better to go offline than be online and be exposed.

Well said and I agree with all of it. If you are responsible and do your updates as your should, there should be no surprise restarts or lost work. And for businesses you have WSUS servers so there really is no excuses.

Having a check for recent updates to connect to the Internet could be something I could stand behind if implemented correctly.

 

[M76]

It reminds me of the idiots who used to disable UAC because they found it annoying. It's facepalm worthy.

UAC is annoying. The only thing more annoying than UAC is windows not allowing me access to the program files folder, only "trusted installer" If the only way you can protect my computer is if you lock me out as well, then you're doing something wrong.
Imagine your security company telling you OK we'll protect you, but you're not allowed to use the swimming pool, and you can't access the garage during off hours, and from time to time you'll have to evacuate to the street even if you're in the middle of a shower because "you need some updates".

 

[lcpiper]

Forcing people to update won't stop bad things from happening. People aren't losing their data because of ransomware. They're losing it because they were stupid and clicked on dumb shit and even worse for not backing their oh so precious data properly. If you play russian roulette every day by clicking on dumb shit and not backing up your stuff eventually you're going to get cornholed. Relying on Microsoft, av companies and God won't save you as much as common sense.

While you are not wrong at all this is two entirely different issues. It's one thing to be an idiot on the internet and it's a different thing entirely to do it with an un-patched machine. Either one can fuck you over.

Being smart about where you go and what you click on is great, but it won't save you if you are doing it from a vulnerable platform. At the same time, you can be fully patched and when you do a search for "AVG Free Anti-Virus" and click on the first search linked without noting that Avast.com is not part of the url, and when the site loads you are greeted with a warning about the 1000+ infected files on your computer and how if you "click here" you can download a majic bullet ......... yes, even the best patching won't save this person from digital doom.

You need good computing practices and those practices include good patching, automatic or otherwise.

 

[lcpiper]

Sure thing.

I'll stop turning Windows Update off when Microsoft stops releasing updates that "accidentally" revert all my privacy settings and install Candy Crush. Again.

Write a script that sets your privacy settings and have it run by Windows Task at a time determined by you ....... and have it uninstall Candy Crush "if exists"

BTW: You might already know all about writing scripts, I'm an armature myself, but for those that are completely unfamiliar with writing scripts, some can be pretty simple. A batch or command script is about as easy as they get and all you really have to do is create a new empty .txt file and add lines of commands like you would do from command line, (cmd.exe). Once you put these commands into your text file and save it, you change the file extension from .txt to .bat for a batch file or .com for a command file. Most of the time it won't matter which you use but sometimes you have to pick the right type.

Then just go into the task scheduler and set up a new task that will run your script at a convenient time. At work I have one that runs every day and backs up my storage system's configuration files, every day. That way if I ever make a change to the files, I have the originals from earlier in the day I can reference or restore from if I blow something up or need to see what is what. If the entire system died I could put together a new one and configure it simply by using these files, then I could restore the data from backup tapes. Yes tapes are old, but they still work.
.

 

[ymer]

How about Windows allowed you to select to install Security Updates ONLY without all their other crap?

That's the only reason why people turn OFF that chit. Bunch of smarty pants ITT.

 

[Delicieuxz]

Trying to get people to update their systems through intimidation and insults? If the person had convincing consideration of why it was important to use WU, then they would have provided it, rather than ad hominem.

Windows Update borked my PC following the AU, and I had to fully reinstall Windows 10. WU semi-borked my PC again following the CU, and so far I'm just dealing with the issues (such as graphical flicking after Windows startup [I've reinstalled GPU drivers], and sleep-mode no longer waking properly, instead hanging and then rebooting my system). Truth is, I've had more system problems due to accepting updates from Microsoft the last couple of years, than I've ever had before from anything.

My system that has been running without updates for a couple of years is still going without issue - meanwhile, the system which I've kept updated in that same timeframe has had more problems than I ever had before, including requiring at least 3 full reinstallations of Windows 10 to deal with problems that updates brought, and which Microsoft support was unable to fix despite spending many hours working on via remote system control.

Security depends on layers.

NO ONE is clever enough to run an unpatched system. You cannot rely on firewalls, security software and behavior to make up for unpatched vulnerabilities. All of them are required in conjunction.

Anyone who thinks they are smart enough or capable enough to disregard patches is just suffering from hubris and even more likely to become a victim.

It reminds me of the idiots who used to disable UAC because they found it annoying. It's facepalm worthy.

Who actually leaves UAC on? I've had it fully disabled since 2007, and having it disabled hasn't caused a single issue, and I look forward to the next forever of not running UAC and yet having no issue caused by not running it. Also, by this time, the time it would take to reinstall Windows following a worst-case scenario of something happening due to not running UAC, would be less than the amount of time I would have lost by leaving UAC running and just dealing with its prompts. So, disabling UAC has already paid for itself, probably a couple of times over - and that's just in regards to time. There's still something to be said about the annoyance and inconvenience of it.

 

[SparkedFire]

I have a few boxes that run Windows 10, with updates disabled. I can't have them randomly restart due to Windows Update. I manually update them periodically. All other machines update automatically.

 

[lcpiper]

Trying to get people to update their systems through intimidation and insults? If the person had convincing consideration of why it was important to use WU, then they would have provided it, rather than ad hominem.

Windows Update borked my PC following the AU, and I had to fully reinstall Windows 10. WU semi-borked my PC again following the CU, and so far I'm just dealing with the issues (such as graphical flicking after Windows startup [I've reinstalled GPU drivers], and sleep-mode no longer waking properly, instead hanging and then rebooting my system). Truth is, I've had more system problems due to accepting updates from Microsoft the last couple of years, than I've ever had before from anything.

My system that has been running without updates for a couple of years is still going without issue - meanwhile, the system which I've kept updated in that same timeframe has had more problems than I ever had before, including requiring at least 3 full reinstallations of Windows 10 to deal with problems that updates brought, and which Microsoft support was unable to fix despite spending many hours working on via remote system control.



Who actually leaves UAC on? I've had it fully disabled since 2007, and having it disabled hasn't caused a single issue, and I look forward to the next forever of not running UAC and yet having no issue caused by not running it. Also, by this time, the time it would take to reinstall Windows following a worst-case scenario of something happening due to not running UAC, would be less than the amount of time I would have lost by leaving UAC running and just dealing with its prompts. So, disabling UAC has already paid for itself, probably a couple of times over - and that's just in regards to time. There's still something to be said about the annoyance and inconvenience of it.

Well it's all very simple isn't it?

It's only a question of how much you have to loose. Be it time, data, identity, work product, whatever it is that your computer holds or provides, it's only ever about what you have to loose, vs what it takes to get back to where you were before the "event".

 

[EODetroit]

I choose when and which updates are applied, not Microsoft. I'll take whatever steps are necessary to make that the case on any OS I install on every PC I control, or else the OS won't get installed at all.

 

[lcpiper]

I choose when and which updates are applied, not Microsoft. I'll take whatever steps are necessary to make that the case on any OS I install on every PC I control, or else the OS won't get installed at all.

Yes, there is an option that notifies you of the available updates and allows you to choose to install them. But you knew that and you are just stating your stance on the issue

 

[lilbabycat]

I kinda feel like a fool just this week learning that there are standalone "security only" updates available for windows, allowing me to keep my system up-to-date without the cryptic "rollup" patches. Why did no one tell me about this?

 

[lcpiper]

OK, so I just finished reading the article and truth is, for the most part, I agree with the author.

Keep in mind, the author isn't the Troy Hunt dude that tweeted the bit about turning off Windows Update is Stupid. In fact, the author doesn't really even support this statement although he does seem to be supportive of Windows Update.

But along with his support he does acknowledge that there are problems with Windows Update, and he has supplied recommendations on how to avoid some of the pains people complain about with Windows Update.

At least when this guy makes recommendations, he backs them up with a "How to" that helps with some common annoyances some people experience and may not realize their is a fix for them. I didn't say there is a fix for all of them. The article is worth the read even if it's just to familiarize yourself with features you may not be aware of, like you can frame out a time range that you don't want Windows Update to interrupt you during.