If you haven’t patched your Windows machine since May, you’re in harm’s way and need to get your BlueKeep inoculation right away. BlueKeep (CVE-2019-0708) is a pre-authentication, wormable remote code execution hole in Remote Desktop Services, and it applies to PCs running Windows XP (!), Vista, Win7, Server 2003, Server 2008 or Server 2008 R2; Windows 8 and later aren’t affected. There’s a working-but-not-yet-fully-armed exploit for the BlueKeep hole making the rounds right now, and it’s only a matter of time before it’s fully weaponized. With 700,000+ machines unpatched and reachable directly from the internet, BlueKeep is a disaster waiting to happen. If you can’t patch this minute, at least turn on Network Level Authentication and stop exposing RDP (TCP port 3389) to the internet; neither is a substitute for the patch. Tell your friends.
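As an added example (not part of the original column), here is a PowerShell check for one machine: is it in the affected version family, is a known fix present, and is RDP reachable with or without NLA. It is read-only. The KB numbers are the May 2019 fixes as listed in Microsoft’s advisory for CVE-2019-0708 (verify them there); later monthly rollups supersede them, so “no fix KB found” means “look closer,” not “unpatched.” It is written to run on the PowerShell 2.0 that ships with Windows 7 as well as newer versions.

```powershell
# Added example, not from the column: BlueKeep (CVE-2019-0708) exposure check.
# Run from an elevated prompt. Reads registry/hotfix/netstat data only.
# Get-WmiObject is used for PowerShell 2.0 compatibility (Win7 default).

$os      = Get-WmiObject Win32_OperatingSystem
$ver     = [Version]$os.Version
# Affected family: NT 5.1 (XP), 5.2 (Server 2003), 6.0 (Vista/Server 2008), 6.1 (Win7/2008 R2)
$inScope = ($ver.Major -eq 5) -or ($ver.Major -eq 6 -and $ver.Minor -le 1)

# May 2019 fixes for CVE-2019-0708 (from Microsoft's advisory; verify against it).
$fixKBs = @(
    'KB4500331',              # XP SP3 / Server 2003 SP2 (out-of-band)
    'KB4499180', 'KB4499149', # Vista SP2 / Server 2008 SP2 (security-only / monthly rollup)
    'KB4499175', 'KB4499164'  # Win7 SP1 / Server 2008 R2 SP1 (security-only / monthly rollup)
)
$installed = @(Get-HotFix | Where-Object { $fixKBs -contains $_.HotFixID } |
               ForEach-Object { $_.HotFixID })

# RDP state: fDenyTSConnections=0 means RDP is enabled; UserAuthentication=1 means NLA required.
$ts         = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpEnabled = (Get-ItemProperty $ts).fDenyTSConnections -eq 0
$nla        = (Get-ItemProperty "$ts\WinStations\RDP-Tcp").UserAuthentication -eq 1

# Is anything actually listening on 3389? netstat exists on every version in scope.
$listening = [bool](netstat -an | Select-String ':3389\s+.*LISTENING')

if (-not $inScope) {
    $verdict = 'Not in the affected Windows version family.'
} elseif ($installed.Count -gt 0) {
    $verdict = "Fix present: $($installed -join ', ')."
} elseif (-not ($rdpEnabled -and $listening)) {
    $verdict = 'No fix KB found (may be superseded by a later rollup); RDP is not accepting connections. Confirm and patch anyway.'
} elseif ($nla) {
    $verdict = 'No fix KB found; RDP exposed with NLA on. NLA forces authentication before the vulnerable code is reached, which is a mitigation, not a fix. Patch now.'
} else {
    $verdict = 'No fix KB found; RDP exposed WITHOUT NLA. Patch immediately and block TCP 3389 at the firewall until then.'
}

New-Object PSObject -Property @{
    Caption       = $os.Caption
    Version       = $os.Version
    InScope       = $inScope
    RdpEnabled    = $rdpEnabled
    Listening3389 = $listening
    NlaRequired   = $nla
    FixKBsFound   = ($installed -join ', ')
    Verdict       = $verdict
} | Select-Object Caption, Version, InScope, RdpEnabled, Listening3389, NlaRequired, FixKBsFound, Verdict |
    Format-List
```

Run it on each old box you’re responsible for; the Verdict line is the one to act on. A “fix present” result still leaves you with an unsupported operating system in the XP and 2003 cases.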
With that very notable exception, now would be an excellent time to make sure Windows automatic update is reined in. Letting other people find the bugs in each month’s patches before you install them is what I call crowdsourced bug hunting, and I describe it in "The case against knee-jerk installation of Windows patches."
Blocking automatic update on Win7 and 8.1
If you’re using Windows 7 or 8.1, click Start > Control Panel > System and Security. Under Windows Update, click the "Turn automatic updating on or off" link (or open Windows Update and click the "Change settings" link on the left; both land on the same page). Make sure Important Updates is set to "Never check for updates (not recommended)" and click OK. "Never check" means exactly that: you have to come back and run the check yourself once the coast is clear each month.
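The same setting from an elevated PowerShell prompt, as an added example that is not from the column. It writes the AUOptions value the Control Panel dialog writes (1 = never check), restarts the Windows Update service so the agent reads it now rather than at its next detection cycle, and reads the value back. The registry location and value meanings are the long-standing Windows Update Agent ones; the one thing this can’t override is a group policy, so the script warns if the policy key exists.

```powershell
# Added example, not from the column: set Win7/8.1 automatic updates to
# "Never check for updates" and verify it stuck. Elevated prompt required.
$au = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update'
$meaning = @{
    1 = 'Never check for updates'
    2 = 'Check for updates but let me choose whether to download and install them'
    3 = 'Download updates but let me choose whether to install them'
    4 = 'Install updates automatically'
}

$before = (Get-ItemProperty $au).AUOptions
"Before: AUOptions=$before ($($meaning[[int]$before]))"

Set-ItemProperty -Path $au -Name AUOptions -Value 1 -Type DWord

# The agent caches its configuration; bouncing wuauserv makes the change current.
Restart-Service wuauserv

# A domain or local Group Policy under the Policies hive wins over this key.
$policy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
if (Test-Path $policy) {
    'WARNING: a Windows Update policy key exists; its NoAutoUpdate/AUOptions values override the local setting:'
    Get-ItemProperty $policy | Select-Object NoAutoUpdate, AUOptions
}

$after = (Get-ItemProperty $au).AUOptions
"After:  AUOptions=$after ($($meaning[[int]$after]))"
```

If the "After" line doesn’t read 1, something (almost always policy) is managing the setting, and the Control Panel dialog would have shown it greyed out for the same reason.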
Blocking automatic update on Win10 Pro 1803 or 1809
Not sure which version of Win10 you’re running? Down in the Search box, near the Start button, type "About," then click "About your PC." The version number appears on the right under Windows specifications.
If you’re on Win10 Pro version 1803, you have three options: Stick with version 1803 a while longer (the last scheduled patch for 1803 arrives on Nov. 12); upgrade to version 1809; or go for 1903, which has had teething problems lately. I have details on the options, what they entail, and how to pursue them in last month’s column, "Is Windows pushing you to upgrade? Don’t be bullied. There’s a middle path."
If you’re using Win10 Pro version 1809, or if you’re on 1803 and want to stay there a bit longer, I recommend an update blocking technique that Microsoft recommends for “Broad Release” in its obscure Build deployment rings for Windows 10 updates — which is intended for admins, but applies to you, too. (Thx, @zero2dash.)
Step 1. Using an administrative account, click Start > Settings > Update & Security.
Step 2. On the left, choose Windows Update. On the right, click the link for Advanced options. On Win10 version 1803 or 1809, that page holds the branch readiness, feature-update deferral and quality-update deferral settings covered in the next three steps.
Step 3. The first box offers the “Semi-Annual Channel (Targeted)” and “Semi-Annual Channel” branch readiness levels, terminology Microsoft no longer uses; it has changed the names over and over again. What the choice actually does is simple: in our newly redefined update world, choosing “Semi-Annual Channel” adds 60 days to the “feature update” deferral discussed in the next step. I recommend that you nod, wink and, in the first box, choose Semi-Annual Channel.
Step 4. To further delay new versions until they’ve been minimally tested, roll the “feature update” deferral setting all the way up to 365 days, the maximum. That tells Windows Update (unless Microsoft makes another “mistake,” as it has numerous times in the past) to wait until 425 days after a new version is released (60 days for Semi-Annual Channel + 365 days deferral) before upgrading and reinstalling Windows on your machine.
Of course, nobody expects Microsoft to keep its mitts off your 1803 machine until Jan. 12, 2020 ( = the version 1809 release date + 425 days) or refrain from upgrading your 1809 machine until July 19, 2020 ( = version 1903 release date + 425 days): Even though those settings appear here, Microsoft is sure to ignore them and blast you onto the next version, somehow, at some point. We just don’t know how or when quite yet.
If you’d like to block a forced upgrade to 1903 for the foreseeable future, follow the instructions in "How to block the Windows 10 May 2019 Update, version 1903, from installing."
Step 5. To delay cumulative updates, set the “quality update” deferral to 15 days or so. (“Quality update” = cumulative update = bug fix.) In my experience, Microsoft usually yanks bad Win10 cumulative updates within a couple of weeks of their initial release. By setting this to 10 or 15 or 20 days, Win10 will update itself after the major screams of pain have subsided and (with some luck) the bad cumulative updates have been pulled or reissued. Notably, in February 2019, it took Microsoft 18 days to fix its first-Tuesday bugs.
Step 6. Just “X” out of the settings pane. You don’t need to explicitly save anything.
Step 7. Don’t click Check for updates. Ever.
If there are any real howlers — months where the cumulative updates were irretrievably bad, and never got any better, as they were in July of last year — we’ll let you know, loud and clear.
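Steps 3 through 5 can also be applied as the Windows Update for Business policy values those Settings controls correspond to, which is what an admin pushing the “Broad Release” ring does by Group Policy. The following is an added example, not the column’s own procedure: it writes the documented WUfB policy values under the Policies hive, reads them back, and computes the resulting hold. Two caveats: once a policy value is set, the Settings pane shows the dropdowns as managed and greyed out, and Win10 Home ignores these policy values entirely (the metered-connection kludge below is the Home route). The claim that the Settings pane stores its own copies under the UX\Settings key is my understanding, included only so you can compare the two.

```powershell
# Added example, not from the column: apply the Step 3-5 deferrals as
# Windows Update for Business policy values and read them back.
# Elevated prompt required. Pro/Enterprise/Education only; Home ignores these.
$wu = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
if (-not (Test-Path $wu)) { New-Item -Path $wu -Force | Out-Null }

$settings = @{
    BranchReadinessLevel            = 32   # Step 3: 32 = Semi-Annual Channel (+60 days); 16 = Semi-Annual Channel (Targeted)
    DeferFeatureUpdates             = 1    # Step 4: enable feature-update deferral
    DeferFeatureUpdatesPeriodInDays = 365  #         maximum allowed
    DeferQualityUpdates             = 1    # Step 5: enable cumulative-update deferral
    DeferQualityUpdatesPeriodInDays = 15   #         10 to 20 days; 30 is the maximum
}
foreach ($name in $settings.Keys) {
    Set-ItemProperty -Path $wu -Name $name -Value $settings[$name] -Type DWord
}

# Read back what the policy hive now says and work out the effective hold.
$p = Get-ItemProperty $wu
$channelDays = 0
if ($p.BranchReadinessLevel -eq 32) { $channelDays = 60 }
$featureHold = $channelDays + $p.DeferFeatureUpdatesPeriodInDays
$qualityHold = $p.DeferQualityUpdatesPeriodInDays

"Feature updates held for $featureHold days after release ($channelDays channel + $($p.DeferFeatureUpdatesPeriodInDays) deferral)"
"Quality (cumulative) updates held for $qualityHold days after release"
"A feature update released today would be offered no earlier than $((Get-Date).AddDays($featureHold).ToShortDateString())"

# Assumption: the Settings pane keeps its own copies here; compare them to the policy values above.
$ux = 'HKLM:\SOFTWARE\Microsoft\WindowsUpdate\UX\Settings'
if (Test-Path $ux) {
    Get-ItemProperty $ux | Select-Object BranchReadinessLevel, DeferFeatureUpdatesPeriodInDays, DeferQualityUpdatesPeriodInDays
}
```

To go back to clicking through Settings, remove the five values (Remove-ItemProperty on the same path) and the pane unlocks again. The date printed is what the policy asks for; as the column says, whether Microsoft honors it is another matter.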
Tired old approach for Win10 Home 1803 and 1809
If you have Win10 Home, version 1803 or 1809, your only reasonable option (other than installing a third-party patch blocker) is to set your internet connection to “metered.” Metered connections are an update-blocking kludge that seems to work to fend off cumulative updates, but as best I can tell still doesn’t have Microsoft’s official endorsement as a cumulative update prophylactic. Worryingly, there are some reports that Microsoft is pushing for upgrades even if they go over metered connections.
To set your Ethernet connection as metered: Click Start > Settings > Network & Internet. On the left, choose Ethernet. On the right, click on your Ethernet connection. Then move the slider for Metered connection to On.
To set your Wi-Fi connection as metered: Click Start > Settings > Network & Internet. On the left, choose Wi-Fi. On the right, click on your Wi-Fi connection. Move the slider for Metered connection to On.
If you set your internet connection to metered, you need to watch closely as the month unfolds, and judge when it’s safe to let the demons in the door. At that point, turn “metered” off, and just let your machine update itself. Don’t click Check for updates.
There’s a better way with Win10 version 1903
I still don’t run 1903 on my production machines — it’s still causing undue anguish — but if you’ve taken the plunge, your patching life is considerably simpler. Although Microsoft hasn’t officially documented the changes anywhere I can see, it now appears as if the Win10 version 1903 patch blocking mechanism works.
In version 1903 (either Home or Pro), using an administrator account, click Start > Settings > Update & Security. At the top, click the "Pause updates for 7 days" button.
That button changes so it says, "Pause updates for 7 more days." Click it two more times, for a total of 21 paused days (Windows will let you go as high as 35). That defers all updates on your machine until 21 days after you first clicked the button. Once the pause runs out, you can’t pause again until you install all the cumulative updates that piled up in the meantime.
Historically, 21 days has sufficed to avoid the worst problems.
It looks like Win10 version 1909 will be distributed just like a cumulative update, later this month or early next month. We’ll have more details as the update/upgrade/version/service pack unfolds.
We’re at MS-DEFCON 2 on AskWoody.