Windows 10 forced updates: Don't panic

Microsoft's plans to force updates on Windows 10 have users in an uproar, but there's more to the story

The blogosphere has erupted over Microsoft's newly acknowledged plans to force updates onto Windows 10 Home customers. Many say the move's long overdue. Some rail against the specter of forcibly bricked machines. Both sides have legitimate points, but three key factors need to be taken into account. Here's the untold story.

Ed Bott at ZDNet started the circus rolling on July 15 by reviewing the new EULA terms for Windows 10. "For consumers and small business," Bott says, "Windows 10 delivers automatic updates, with no option to selectively delay or reject individual updates." He goes on to quote an excerpt from the applicable piece of the EULA.

On July 16, Tim Anderson at The Register read the EULA anew and came to the conclusion, "The downside is that feature upgrades can potentially break applications, or drivers for peripherals such as printers and scanners. Those who value stability above having the latest features may prefer to install security updates only."

That evening, Peter Bright at Ars Technica weighed in, "If a future update breaks something essential, the user is going to be out of luck."

Ina Fried, at re/code, received an unambiguous response from Microsoft (finally!) when questioned: “The license terms for Windows 10 require Automatic Updates be enabled as a part of keeping our customers secure and delivering Windows as a service.” 

The EULA statement says:

6. Updates. The software periodically checks for system and app updates, and downloads and installs them for you. You may obtain updates only from Microsoft or authorized sources, and Microsoft may need to update your system to provide you with those updates. By accepting this agreement, you agree to receive these types of automatic updates without any additional notice.

This won't come as a surprise to those of you who have been reading my columns. I first wrote about the possible effects of forced updating in February, then followed up with a more detailed analysis in May.

Now that we know some (but not all!) of the details, three important points have to be kept in mind.

Historically, the big problems are security patches, not feature updates

In every discussion I've seen, security patches appear to be going out automatically to all branches (Consumer/Current Branch, Current Branch for Business, Long-Term Service Branch). It's not yet certain if Windows Server Update Services, Windows Update for Business, and/or other update distribution servers will allow admins to hold security patches. Microsoft's come up with an elaborate way of allowing admins to hold off on feature upgrades for varying lengths of time. But I haven't seen any discussion of blocking security patches. We only know for sure that those who are not connected to an update server will get security patches as soon as they're released.

To a first approximation, that means all Windows 10 Home users and Windows 10 Pro users who aren't attached to a server are going to get security patches as they're rolled out, all around the clock, all months long.

Historically, that's the problem. Major feature upgrades (usually in the form of Service Packs, but most recently in the form of Windows 8.1 Update 1) may not install properly on many machines, but it's unusual for them to trigger massive outages, blue screens, inexplicable behavior or hangs. Mostly, feature upgrades simply refuse to install, often for inscrutable reasons.

The problem's with security patches.

The new Insider program rings -- the fast and slow opt-in rings that Microsoft will use to test upgrades -- don't enter into the discussion. From everything I've seen, it doesn't look like Microsoft will release security patches to the Insiders first. 

I've been keeping a list of buggy KB articles released so far this year, and of the 40 or so problematic patches I've logged, the large majority are security patches.

Microsoft's changes don't mention security patches specifically. They're tossed out with the baby and bathwater. By removing the ability to block specific patches -- specific KB numbers -- it looks like those who aren't attached to update servers will get the full brunt of future security screw-ups.

As you know, Microsoft has a horrible record with machine-bricking Windows Automatic patches. They don't happen very often -- maybe once or twice a year -- but when they do, entire swaths of Windows users get hit. Perhaps we should forget the past and hope for the future. Notably, the past three months of Patch Tuesdays haven't been bad at all. Maybe Microsoft can continue to dish out fully tested patches.

I hope so.

In Windows 10, there's no way to block a specific patch

I'm seeing more and more complaints about lousy drivers sent out via Windows 10 updates. As best I can tell, the Win10 updater checks daily to see if you have the right drivers. If you delete a bad driver and manually replace it with a better one, the checker discovers that you don't have the "right" driver and reinstalls the bad one for you.

It's like a punchline from "The Jetsons."

You can use Device Manager to remove a bad driver. The old Control Panel has a place where you can remove individual patches (right-click Start, Control Panel, Programs, Programs and Features, Uninstall an Update). But even if you can uninstall the bad driver or patch, inside Windows 10, there's no way to keep Windows 10 from reinstalling it.

The solution right now is the "Show or hide updates" troubleshooter, available in KB 307930. Download the troubleshooter and run it; you're given the option of selectively turning off specific driver updates and preventing them from coming back again.

The troubleshooter appears to work for some KBs that are not related to drivers, but it isn't clear if it will pluck off all installed patches. It's a remedial reaper: You can only tell it to block (the troubleshooter calls it "hide") an update that's already been installed -- by which time it may be too late.

Windows 10 Pro has a new "Defer Upgrades" setting

Also overlooked in the discussion, Windows 10 Pro build 10240 has a new check box in the Settings, Update & security, Advanced Options dialog. My guess is it only appears on Win 10 Pro systems that aren't attached to update servers. The box says "Defer upgrades." There's a Learn More link that leads to a Microsoft page that states:

Some Windows 10 editions let you defer upgrades to your PC. When you defer upgrades, new Windows features won’t be downloaded or installed for several months. Deferring upgrades doesn’t affect security updates. Note that deferring upgrades will prevent you from getting the latest Windows features as soon as they’re available.

I haven't seen any additional information about that option, and the description here, as you can see, is quite vague. (It's also bizarre because you can choose that option while you're in the Insider fast track, but that's probably a bug.)

Moreover, the option doesn't allow you to temporarily turn off security patches -- the most problematic patches of all.

The fallout from forced updates

Some Windows customers will throw up their hands in disgust at these new revelations and claim that they're fleeing to the relative freedom of Ubuntu. Consumers (and enterprise customers who aren't connected to an update server) act as cannon fodder. Why should the penguin-inclined function as unpaid beta testers?

Others say, in effect, everybody else does it, so why shouldn't Microsoft? Chrome and Firefox run forced updates. Apple has a take-it-or-leave-it attitude to new versions, and if you lag too far behind you won't get security fixes. ChromeOS is updated all the time, whether you like it or not. I find those arguments specious because a broken Windows is nothing like a broken browser.

Many couldn't care less.

My advice: Wait. You don't need to install Windows 10 on July 29. Or even July 30. I know that's heresy in some circles.

Let's see if any really bad patches roll out the Windows 10 chute. When Microsoft releases a less-than-stellar patch (it will) and the cannon fodder starts screaming (they will), let's see how quickly, and how well, Microsoft reacts.

I won't say that Microsoft's patching history deserves our trust. It doesn't. I am saying that we'll know a whole lot more about forced updates three or six months from now.

Copyright © 2015 IDG Communications, Inc.
