How to block automatic updates in the next version of Windows 10

Pro and Enterprise versions of Windows 10 Creators Update will finally get built-in tools to stall forced updates

Forced updating has rated as the No. 1 complaint about Windows 10 for almost two years. Now we’re going to see some significant improvements. Windows 10 Creators Update, due next month, will include the ability to temporarily block forced updates—but only for a subset of Win10 customers.

We don’t know exactly what the interface will look like, but answers released yesterday by Microsoft show in broad strokes what update blocking options will be available and how they’ll work. The functions will be coming next month, in version 1703 of Windows 10.

Let’s start with the basics.

Windows 10 computers attached to a managed network get their updates through the network. If your Win10 PC is on a network that runs WSUS, SCCM, or another update server, the network admin gets to decide which updates get applied and when.

Windows 10 Home computers, by design, will not be able to control updates using these new settings. That’s intentional–Microsoft uses the Win10 Home installed base to test new versions before they’re deemed ready for businesses.

The settings discussed here apply only to Windows 10 Pro, Enterprise, and Education systems that aren’t attached to managed networks.

Microsoft releases three different kinds of Windows 10 updates:

1. Version changes. Microsoft is turning out new updates roughly every eight months. To date, we’ve seen three versions of Win10: 1507, the original RTM version; 1511, the Fall Update; and 1607, the Anniversary Update. It looks like we’ll be getting a fourth version—1703, the Creators Update—late this month or early next month. 

2. Cumulative updates. Each version gets its own cumulative updates. The pace slows down as the version gets older, starting with about one cumulative update every week and gradually slowing to once a month. Some months, like last month, don’t get any cumulative updates at all.

3. Miscellaneous patches. It’s hard to predict when these will appear and what they’ll cover. For example, in January, we had two hotfix patches, 14393.577 and 14393.729, that were issued and documented but not rolled out automatically. Various Win10 customers get driver updates automatically, particularly firmware and driver updates for Surface Books and Surface Pros. Last month we saw an ad-hoc patch for IE11 and Edge. There are .Net patches almost every month, and the obligatory monthly version of the Malicious Software Removal Tool (MSRT). Windows Defender (antivirus signature) updates appear once or twice a day. It’s a very mixed bag.

Your mission, should you choose to accept it, is to apply those updates to your system(s) at your own pace, instead of in lockstep with Microsoft’s agenda.

Starting with version 1703, the Creators Update, Win10 Pro, Enterprise, and Education users will have two new group policies.

The Feature Update policy that appears in the latest beta test version of 1703, build 15046 (screenshot), can be found by typing gpedit in the Cortana Search box, pressing Enter, navigating to Computer Configuration > Administrative Templates > Windows Components > Windows Update > Defer Windows Updates, and clicking on the entry Select when Feature Updates are received.

feature update policy InfoWorld

Similarly, the Quality Updates policy available in the latest beta build 15046 (screenshot) can be found by typing gpedit in the Cortana Search box, pressing Enter, navigating to Computer Configuration > Administrative Templates > Windows Components > Windows Update > Defer Windows Updates, and clicking on the entry Select when Quality Updates are received.

quality update policy InfoWorld

If you’re confused by the “Feature” vs “Quality” terminology, and can’t make heads or tails of the descriptions, hold your horses: I’ll get to those.

There’s another interface (which I talked about earlier this week) that appears if you monkey around with the build 15046 Settings app. We don’t know if this hidden Settings panel will appear in the final, shipping version of version 1703 Creators Update, but if it does, the group policy mumbo-jumbo will be much more accessible.

windows update delay expanded InfoWorld

Even if that hidden Settings panel doesn’t show up in the final version of Win10 Creators Update, Win10 Pro and Enterprise users will be able to make more or less the same choices, albeit in a much less friendly way, using the group policies.

Here’s what you need to know about the terminology in the group policies and in the hidden Settings panel:

  • A feature update is Microsoft’s way of saying a version change.
  • Quality Updates aren’t so straightforward. They certainly include cumulative updates, driver updates, “bug fixes, etc.” (per Microsoft’s statement), but may or may not include hotfixes, Flash updates (like we just saw with IE and Edge), .Net patches, new versions of MSRT, and heaven-only-knows what may appear in the future. My guess is that Microsoft’s being intentionally vague; at this point, we don’t know exactly what will fall into the Quality Update bucket.

With that understanding, here’s what we know about the roles of the various settings:

  • Pause updates takes precedence over all other settings. If you have Pause turned on (either for Feature updates or Quality updates, in the policies, or overall in the hidden Settings panel), Windows stops all updates but Windows Defender updates.

When you set the slider in the hidden Settings panel to “On,” Windows Update adds 35 days to the current date and pauses all updates (Feature and Quality) until that date is reached. The individual group policy entries behave differently, with Feature updates limited in the group policy box to 60 days and Quality updates limited to 35 days.

Microsoft is very careful to mention that you can’t reset the Pause Update setting. If you try to turn it off and turn it back on again, “this device will need to get the latest updates before it can be paused again.” There’s no analogous warning in the group policy boxes, but it’s safe to assume the same rules apply as in the hidden Settings panel.

  • When a new Win10 version is released every eight months or so, Windows Update looks at the branch-readiness box to see if you’re set for Current Branch. If Current Branch is selected, and updates haven’t been paused, Windows Update looks at the deferral countdown box (which goes up to 365), and waits the specified number of days before installing the new version.
  • When a Win10 version is declared as the “Current Branch for Business” (typically four or so months after it’s initial release), Windows Update looks at the branch-readiness box to see if Current Branch for Business is selected. If so, and updates haven’t been paused, Windows Update looks at the deferral countdown box and waits the specified number of days before installing the new version.
  • When a cumulative update appears, Windows Update looks to see if updates have been paused. If so, the cumulative update isn’t applied until the expiration date (up to 35 days) has been passed. If updates haven’t been paused, Windows Update looks at the deferral countdown box, which maxes out at 30. When the deferral countdown hits zero, the cumulative update is applied.
  • When other patches appear, it’s hard to predict what will happen. Microsoft says that “security updates, driver updates, bug fixes, etc” will be treated the same way as cumulative updates—check whether updates have been paused, then look at the deferral countdown box. Windows Defender updates always go straight through, but as for the others—hotfixes, unexpected Flash updates, maybe Servicing stack updates—I guess we’ll have to wait and see.

Microsoft has added an additional safety net to the update routines, to make it easier to say “Now wait just a gosh durn minute” before updates take over your system for a few minutes—or a few hours. With the Creators Update, Microsoft says it will implement a new dialog that’ll kick in just before an update is applied (screenshot).

weve got an update for you InfoWorld

If you click Snooze, the “update process is paused completely for three days.” As best I can tell, this safety net operates independently of the other update delays mentioned in this article.

That’s how things work—or at least how they’re supposed to work—in version 1703, the Creators Update. Of course, version 1703 is still in beta, so the final product may include any or all of these settings. Most importantly, Microsoft hasn’t told us if it’ll unfurl the hidden Settings panel.

There are lots of niggling questions that likely won’t get answered until we have the shipping product. For example:

  • If you have Pause Update checked, is the deferral countdown box decremented while the pause is in effect?
  • Which patches are “Quality updates”?
  • Why the 35-day limit on Pause Quality updates? In general, cumulative updates appear every month on Patch Tuesday. If you Pause Quality updates, and a second cumulative update drops before the Pause expires, will you get the previous month’s Quality updates or the current month’s?
  • What happens if you change one of the settings mid-stream, e.g., if you switch off Pause Updates, but still have the Quality update deferral countdown going?

But the basic method now seems to be in place.

Many Windows 10 users don’t want to bother with all of this stuff. It’s easy to ignore, and fortunately, we haven’t yet seen widespread damage from a bad Win10 cumulative update. (You can judge for yourself if version changes are disruptive or not.) If Microsoft continues to distribute high quality cumulative updates, we’ll all be able to breathe easier. But the cynics in the crowd – I’ll raise my hand here – should feel good that they’re going to get some Microsoft-supplied ammo to fend off bad updates.

Meanwhile, if you’re running Win10 Home, you’re still out of luck.

I want to thank the folks at Microsoft and their PR agency, WE (formerly Wag-Ed) for detailed answers to some pretty pointed questions. I’ve been dealing with Wag-Ed for almost 30 years, and the response for this issue has been among the best.

Discussion continues on the AskWoody Lounge.

Copyright © 2017 IDG Communications, Inc.

8 highly useful Slack bots for teams
  
Shop Tech Products at Amazon