Time to block Windows Automatic Update — with a new twist for Win10 Pro

With Patch Tuesday right around the corner, it’s time to make absolutely sure that you won’t get the latest offal pushed onto your machine before we’ve had a chance to take a look. For those of you with any Win10 Pro version, I have an extra cumulative-blocking flourish.

hand at keyboard with Windows logo
Thinkstock/Microsoft

Rumors swirling all over the blogosphere have Microsoft re-releasing the ill-fated Win10 version 1809 on Patch Tuesday this month. Personally, given the dearth of worthwhile features in 1809 and the painful first release last month, I’d rather that they just wait a week or a month or six, until it’s fully baked, but that probably won’t happen.

Better still, I wish they’d wait a year or two, roll in some new features worthy of a full reinstall, and then unleash something new and worthwhile. If wishes were horses ...

While we wait for Pennywise the September October November 2018 Update clown to appear again, now’s a very good time to make sure your machine won’t install it — or any other poorly tested patches — until the cannon fodder has weighed in.

If you leave Automatic Updates turned on in the aftermath of what we’ve seen in the past month, I salute you. Somebody has to walk around with a “Kick Me” sign stuck on their back.

The methods for blocking Windows Update are pretty straightforward.

If you’re using Windows 7 or 8.1, click Start > Control Panel > System and Security. Under Windows Update, click the "Turn automatic updating on or off" link. Click the "Change Settings" link on the left. Verify that you have Important Updates set to "Never check for updates (not recommended)" and click OK.

If you’re using Windows 10 Pro version 1703, the jig is up — Microsoft stops supplying security updates effective this Patch Tuesday. I’ve been testing ways to upgrade to 1709 or 1803 with minimal hassle, and should have a report for you shortly.

New approach for Windows 10 Pro

If you’re using Win10 Pro version 1709, 1803, or 1809 (yes, some folks got pushed onto 1809 during the four days Microsoft let it out of the Ninth Circle), I have some new advice. Ends up, this is the same technique Microsoft recommends for “Broad Release” in its obscure Build deployment rings for Windows 10 updates — which is intended for admins, but applies to you, too. (Thx, @zero2dash)

After watching Microsoft stumble over Win10 updates and upgrades for more than three years, this approach seems to hit the sweet spot: It holds your machine in limbo until Microsoft has a chance to yank or re-issue its worst mistakes, and (just as importantly) it lets you off the hook for clicking “Check for Updates.”

You may recall that clicking “Check for Updates” turns you into a “seeker,” which is the Microsoft version of a mortal sinner: When you’re a seeker, Microsoft feels it has permission to push anything and everything onto your machine.

Here’s how to get your Win10 Pro machine out of the direct line of fire:

Step 1. Using an administrative account, click Start > Settings > Update & Security.

Step 2. On the left, choose Windows Update. On the right, click the link for Advanced options. You see the settings in the screenshot.

1809 advanced updates Woody Leonhard

Step 3. To pull yourself out of beta testing (or, as Microsoft would say, to delay new versions until they’re ready for broad deployment), in the first box, choose Semi-Annual Channel.

Step 4. To further delay new versions until they’ve been minimally tested, set the “feature update” deferral setting to 120 days or more. That tells the Windows Updater (unless Microsoft makes another “mistake,” as it has numerous times in the past) that it should wait until 120 days after a new version is declared ready for broad deployment before upgrading and reinstalling Windows.

Step 5. To delay cumulative updates, set the “quality update” deferral to 15 days or so. In my experience, Microsoft usually yanks bad Win10 cumulative updates within a couple of weeks or so. By setting this to 10 or 15 or 20 days, Win10 will update itself after the major screams of pain have subsided and (with some luck) the bad cumulative updates have been pulled or reissued.

Step 6. Just “X” out of the settings pane. You don’t need to explicitly save anything.

Step 7. Don’t click Check for updates. Ever.

If there are any real howlers — months where the cumulative updates were irretrievably bad, and never got any better, as they were in July of this year — we’ll let you know, loud and clear.

Tired old approach for Windows 10 Home

Here’s the thing about Windows 10 Home. Microsoft considers Home customers fair game. It really should call it Win10 Guinea Pig edition. Microsoft has no qualms whatsoever in pushing its new, untested (perhaps I should say “less-than-thoroughly-tested”) updates and upgrades onto Windows 10 Home machines.

Gregg Keizer nailed it when he said:

One of the foundational characteristics of Windows 10 is Microsoft's two-tier classification of customers. The lower tier includes those who operate Windows 10 Home, the upper tier, all others. … Windows 10 Home users — predominantly consumers — are forced to accept every feature upgrade and are not meant to delay the installation of those upgrades, or the monthly waves of security and non-security updates.

This isn’t a mistake or an oversight. Win10 Home customers by design are Microsoft’s extended beta-plus testing force. Cannon fodder. It’s unconscionable, and it’s been that way since day one. As Susan Bradley says, “Every version of Windows should be able to defer and pause updates. … Microsoft, your customers deserve better than this.”

If upgrading to Win10 Pro isn’t an option — and I sympathize if you’d rather not hand over another $100 to Microsoft for something that should come standard — your only option is to set your internet connection to “metered.” Metered connections are an update-blocking kludge that seems to work to fend off cumulative updates, but as best I can tell still doesn’t have Microsoft’s official endorsement as a cumulative update prophylactic.

To set your Ethernet connection as metered: Click Start > Settings > Network & Internet. On the left, choose Ethernet. On the right, click on your Ethernet connection. Then move the slider for Metered connection to On.

To set your Wi-Fi connection as metered: Click Start > Settings > Network & Internet. On the left, choose Wi-Fi. On the right, click on your Wi-Fi connection. Move the slider for Metered connection to On.

If you set your internet connection to metered, you need to watch closely as the month unfolds, and judge when it’s safe to let the demons in the door. At that point, turn “metered” off, and just let your machine update itself. Don’t click "Check for Updates."

We’re at MS-DEFCON 2 on AskWoody.

Related:

Copyright © 2018 IDG Communications, Inc.

9 steps to lock down corporate browsers
  
Shop Tech Products at Amazon