With Patch Tuesday imminent, get Windows Update locked down

Patch Tuesday’s poised for another turn on the karmic wheel. Now’s a good time to check and make sure you’ve told Windows to pause patching. Wait for the crowdsourced beta testing to kick in. Let other folks take one for the team.

Every month we see the same pattern: Microsoft releases its Patch Tuesday regimen; the blogosphere flies into a frenzy about security holes that have to be patched right now; some patches have bugs; Microsoft fixes many of them in a week or two, warns about others, and stays mum on far too many.

Normal Windows users are left in the lurch. On the one hand, you have the threat of imminent malware mayhem. On the other, you have the threat of poorly tested patches. Wash. Rinse. Repeat.

It’s been like that for years. Don’t believe it? Computerworld has month-by-month details for the past three years starting here.

Meanwhile, the raging zero-days -- vulnerabilities whose patches ship while exploits are already known to be in the wild -- make for great headlines. But they rarely, if ever, find their way into working exploits aimed at ordinary users right away. It takes months, or even years, for new exploits to appear in malware that affects you and me.

If you’re working with nuclear launch codes or top secret government communication, it’s another story of course. But for normal people, the threat from bad patches greatly exceeds the threat from freshly patched security holes.

To be sure, you have to get patched eventually. Some systems at high risk (for example, Windows DNS Servers two months ago) need to be patched right away. But for the vast majority of Windows users, waiting a couple of weeks to get the latest patches applied doesn’t hurt a bit -- and it gives Microsoft a chance to fix the bugs they invariably introduce.

If you don’t do anything, you get to beta test the patches as soon as they come out. But if you temporarily pause updating -- using a setting first introduced in Win10 version 1903 -- you can sit back and watch as the pioneers take one for the team.

Blocking automatic update on Win7 and 8.1

Those who paid for Win7 Extended Security Updates should be cautious about installing patches immediately. Those who didn’t will either ignore the patches (large majority there), or wait to see if free alternatives appear -- and 0patch has filled in several cracks. We’ll be covering both intently on AskWoody.com.

If you’re using Windows 7 or 8.1, click Start > Control Panel > System and Security. Under Windows Update, click the "Turn automatic updating on or off" link. Click the "Change Settings" link on the left. Verify that you have Important Updates set to "Never check for updates (not recommended)" and click OK.

Blocking automatic update on Windows 10

By now, almost all of you are on Win10 version 1903 or 1909. Not sure which version of Win10 you’re running? Down in the Search box, near the Start button, type winver, then click Run command. The version number appears on the second line.

If you’re using Win10 1803 or 1809, I strongly urge you to move on to Win10 version 1909. If you insist on sticking with Win10 1809 (hard to blame ya!), you can block updates by following the steps in December’s Patch Tuesday warning. Be acutely aware of the fact that MS won’t be handing out any more security patches for 1809 Home or Pro after November 10. The end is near.

If you’re tempted to move to version 2004, I say wait. There’s a huge bunch of bug fixes poised to be released this week, and I’m still seeing reports of odd bugs cropping up here and there, like RDP bugs (thx, MikeMc) or a conflict with QuickBooks (thx, PatchLady). While it’s laudable that Microsoft’s finally exterminating the latest bugs en masse -- some of which have been known for eight months -- we still have a way to go before 2004 is ready for prime time.

My general recommendation relies on the Pause updates feature introduced in version 1903. But if you’re willing to dig a little deeper, and you’re running Win10 Pro, Education, or Enterprise, you might want to rummage around in the Group Policy Editor, and set this policy:

Configure Automatic Updates = Enabled, value = 2 (Notify before downloading and installing any updates).

PKCano has an extensive, step-by-step discussion of the setting and its uses in AKB 2000016, Guide for Windows Update Settings for Windows 10.

If you’d rather take the easier Pause updates approach, using an administrator account, click Start > Settings > Update & Security. If your Updates paused timer is set to expire before October 4 (see screenshot), I urge you to click Resume Updates and let the automatic updater kick in -- and do it now, before noon in Redmond on Tuesday, when the Patch Tuesday patches get released.

(screenshot - 1909 Updates paused 2020-10)

If Pause is set to expire before the end of September, or if you don’t have a Pause in effect, you should set up a defense perimeter that keeps patches off your machine for the rest of this month. Using that administrator account, click the Pause updates for 7 days button, then click it again and again, if necessary, until you’re paused out into late September or early October. (Note that the next Patch Tuesday falls on October 13.)
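If you want to confirm the state of either setting without clicking through the UI, here is an added PowerShell audit script (my own example, not from the column or from Microsoft) that checks both the Group Policy setting above and the Pause updates timer. It assumes the policy value lives at the documented key HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU (AUOptions, where 2 means notify before download and install) and that the Settings-app pause is recorded as an ISO-style date string in PauseUpdatesExpiryTime under HKLM:\SOFTWARE\Microsoft\WindowsUpdate\UX\Settings; run it from an elevated prompt.

```powershell
# Added example: audit Windows Update against the column's recommendations.
# Assumed registry locations (documented policy key and the Settings-app pause value):
$auPath    = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
$pausePath = 'HKLM:\SOFTWARE\Microsoft\WindowsUpdate\UX\Settings'

# Next Patch Tuesday as stated in the column; adjust for later months.
$nextPatchTuesday = Get-Date '2020-10-13'

# 1. Group Policy route (Pro/Education/Enterprise):
#    "Configure Automatic Updates" = Enabled, value 2 = notify before downloading.
$au = Get-ItemProperty -Path $auPath -ErrorAction SilentlyContinue
if ($au -and $au.PSObject.Properties['AUOptions']) {
    if ($au.AUOptions -eq 2) {
        Write-Host "Policy OK: Configure Automatic Updates = Enabled, value 2 (notify only)."
    } else {
        Write-Host "Policy present but AUOptions=$($au.AUOptions); the column recommends 2."
    }
} else {
    Write-Host "No Configure Automatic Updates policy set (normal on Home; optional on Pro)."
}

# 2. Settings-app route (all editions): Pause updates must outlast the next Patch Tuesday.
$ux = Get-ItemProperty -Path $pausePath -ErrorAction SilentlyContinue
if ($ux -and $ux.PSObject.Properties['PauseUpdatesExpiryTime']) {
    # Assumption: the value is an ISO 8601 date/time string, e.g. 2020-10-04T07:00:00Z
    $expiry = [datetime]::Parse($ux.PauseUpdatesExpiryTime, [cultureinfo]::InvariantCulture)
    $day = $expiry.ToString('yyyy-MM-dd')
    if ($expiry -gt $nextPatchTuesday) {
        Write-Host "Pause OK: expires $day, after Patch Tuesday ($($nextPatchTuesday.ToString('yyyy-MM-dd')))."
    } else {
        Write-Host "Pause expires $day; click 'Pause updates for 7 days' again until it passes Patch Tuesday."
    }
} else {
    Write-Host "No pause in effect: this month's patches will install as soon as they are released."
}
```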

If you see an invitation to “Download and install” version 2004 (as shown in the screenshot), carefully consider that Win10 version 2004 is still exhibiting lots of strange little bugs -- and turn down the offer. Don’t click anything.

Don’t be spooked. Don’t be stampeded. Don’t click “Check for updates.” And don’t install any patches that require you to click “Download and install.” 

If this month’s Patch Tuesday turns out to protect against an immediate, widespread threat -- a rare occurrence, but it does happen -- we’ll let you know here, and at AskWoody.com, in very short order. Otherwise, sit back and watch while our usual monthly crowdsourced patch watch proceeds. Let’s see what problems arise.

We’re at MS-DEFCON 2 on AskWoody.

Copyright © 2020 IDG Communications, Inc.
