Last time, I griped about Windows Update on Windows 7. Turns out, I left some gripes on the table.
While installing the most recent round of bug fixes, released May 10th, many experienced continued performance problems.
Despite installing the four recommended patches I wrote about previously, Windows Update still ran for a long time for me.
On one Windows 7 machine, after it had detected the missing patches, I clicked the button to install them, and waited. And waited. For what seemed like an eternity, the download process sat at zero percent complete (see above), while Process Explorer showed the CPU was busy running Windows Update.
As before, Woody Leonhard had a suggestion: install a single patch manually, before running Windows Update. The patch, KB3153199, was released this month. It comes in both 64-bit and 32-bit editions. I took Woody's advice and Windows Update ran much faster on subsequent machines. Thanks again, Woody.
But this illustrates an important issue with Windows Update - don't trust it.
The Defensive Computing approach is not to install patches the day they are released. Too many Windows patches have caused too much grief over the years. Let others find the problems Microsoft did not.
Waiting a few days gives Microsoft time to pull back or fix any bad patches. It also gives experts, such as Woody Leonhard, time to come up with workarounds to whatever issues crop up.
This approach translates to the settings shown above - Windows Update never runs automatically and recommended updates are not accepted.
Just last week, this would have saved Windows 7 users with Asus motherboards. As Woody Leonhard reported, Microsoft changed KB3133977 from an optional to a recommended patch. It's a long story, but the end result was that installing KB3133977 caused a Secure Boot Violation and Windows would not run.
Brian Krebs has his own defensive strategy for Windows updates. Writing a few days ago, about the last batch of bug fixes, he said:
"Anytime there’s a .NET Framework update available, I always uncheck those updates to install and then reboot and install the .NET updates; I’ve had too many .NET update failures muddy the process of figuring out which update borked a Windows machine after a batch of patches to do otherwise, but your mileage may vary."
Lessons learned the hard way.
Trusting Windows Update is part of a larger trust issue that Microsoft faces. For more on that, see an article I linked to previously by Trevor Pott in The Register, "The 'new' Microsoft? I still wouldn't touch them with a barge pole."