It’s patch protection time again.
Sometimes when Windows patches arrive, they need to be installed immediately. We saw that happen in May with the BlueKeep patches. But in most cases, you stand a greater chance of getting hurt by a bad patch (which are legion) than by getting zapped by a just-patched security hole.
That’s an unpopular opinion, but one that’s served me well for more than a decade. There’s a detailed manifesto in The case against knee-jerk installation of Windows patches.
If you want to get the latest patches as soon as they’re out, you needn’t do a thing. Microsoft has undoubtedly rigged your machine already so it’ll install the patches the minute they come rolling out the Automatic Update chute. All I ask is that you tell us of any problems you encounter on AskWoody.com.
If you’d rather minimize the drama — and don’t mind keeping an eye out for problems like the one we had in May — temporarily turning off Automatic Update can protect you from the slings and arrows of outrageous bad patches.
Blocking Automatic Update on Win7 and 8.1
If you haven’t recently patched Windows XP, Vista, Win7, Server 2003, 2008 or 2008 R2 systems, drop everything and get patched now. Once you’ve installed the BlueKeep patches, come back here and turn Automatic Update off. (No need to bother with XP and Vista; they aren’t getting automatically updated anyway.)
If you’re using Windows 7 or 8.1, click Start > Control Panel > System and Security. Under Windows Update, click the “Turn automatic updating on or off” link. Click the “Change Settings” link on the left. Verify that you have Important Updates set to “Never check for updates (not recommended)” and click OK.
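The same "Never check for updates" setting can be read and applied from an elevated PowerShell prompt, which is handy when you look after several Win7/8.1 machines. This is an added example, not code from the original post; it uses the Windows Update Agent's `Microsoft.Update.AutoUpdate` COM object (level 1 is the "Never check" option the steps above select), and the function names are my own.

```powershell
# Added example (not from the original post): read and change the Automatic Update
# notification level on Windows 7 / 8.1 through the Windows Update Agent COM API.
# Run from an elevated PowerShell prompt. Function names are my own.

$levels = @{
    0 = 'Not configured'
    1 = 'Never check for updates (not recommended)'   # the setting the post tells you to pick
    2 = 'Check for updates but let me choose whether to download and install them'
    3 = 'Download updates but let me choose whether to install them'
    4 = 'Install updates automatically'
}

function Get-AutoUpdateLevel {
    $au = New-Object -ComObject 'Microsoft.Update.AutoUpdate'
    $s  = $au.Settings
    # AUOptions under this key mirrors the same choice (1 = never check)
    $reg = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update' -ErrorAction SilentlyContinue
    [pscustomobject]@{
        NotificationLevel = $s.NotificationLevel
        Meaning           = $levels[[int]$s.NotificationLevel]
        ReadOnly          = $s.ReadOnly        # True when Group Policy owns the setting
        AUOptions         = $reg.AUOptions
    }
}

function Set-AutoUpdateNever {
    $au = New-Object -ComObject 'Microsoft.Update.AutoUpdate'
    $s  = $au.Settings
    if ($s.ReadOnly) {
        throw 'Automatic Update is controlled by Group Policy; change it in the policy (HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU) instead.'
    }
    $s.NotificationLevel = 1    # aunlDisabled = "Never check for updates"
    $s.Save()
}

'Before:'; Get-AutoUpdateLevel
Set-AutoUpdateNever
'After:';  Get-AutoUpdateLevel
```

If `ReadOnly` comes back True the Settings dialog will be greyed out too, because a domain or local policy is pinning the value; the script refuses rather than silently failing.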
Blocking Automatic Update on Win10 Pro 1803 or 1809
If you’re using Win10 Pro version 1803 or 1809 I recommend an update blocking technique that Microsoft recommends for “Broad Release” in its obscure Build deployment rings for Windows 10 updates — which is intended for admins, but applies to you, too. (Thx, @zero2dash.)
Step 1. Using an administrative account, click Start > Settings > Update & Security.
Step 2. On the left, choose Windows Update. On the right, click the link for Advanced options. If you’re using Win10 version 1803 or 1809, you see the settings in the screenshot.
Step 3. The first box — “Semi-Annual Channel” — is no longer recognized by Microsoft. Microsoft has changed the terminology but hasn’t changed Windows to match its latest diktat. In our newly redefined update world, choosing “Semi-Annual Channel” adds 60 days to the “feature update” setting discussed in the next step. I recommend that you nod, wink and, in the first box, choose Semi-Annual Channel.
Step 4. To further delay new versions until they’ve been minimally tested, set the “feature update” deferral setting to 240 days or more. That tells the Windows Updater (unless Microsoft makes another “mistake,” as it has numerous times in the past) that it should wait until 300 days after a new version is released (60 days for Semi-Annual Channel + 240 days deferral) before upgrading and reinstalling Windows on your machine.
Win10 version 1809 was nominally released on Nov. 11, 2018. Add 300 days and you get Sept. 7, 2019. So if you’re running 1803 with Advanced options set to Semi-Annual Channel, and you set the “feature update” deferral to 240 days, you won’t be forcibly upgraded to 1809 until Sept. 7, 2019, at the earliest.
At least, that’s the theory. In practice, Microsoft is actively pushing Win10 1803 machines onto 1903. Many of us would like to give 1903 more time to age before making the leap. We still don’t know how hard Microsoft is going to push — if it’s going to offer the 1903 upgrade sweetly with a “Download and install now” option, or if it’s just going to shove 1803 customers under the 1903 bus. If you’d like to block 1903 for the foreseeable future, follow the instructions in How to block the Windows 10 May 2019 Update, version 1903, from installing.
Step 5. To delay cumulative updates, set the “quality update” deferral to 15 days or so. (“Quality update” = cumulative update = bug fix.) In my experience, Microsoft usually yanks bad Win10 cumulative updates within a couple of weeks of their initial release. By setting this to 10 or 15 or 20 days, Win10 will update itself after the major screams of pain have subsided and (with some luck) the bad cumulative updates have been pulled or re-issued. Notably, in February 2019, it took Microsoft 18 days to fix its first-Tuesday bugs.
Step 6. Just “X” out of the settings pane. You don’t need to explicitly save anything.
Step 7. Don’t click Check for updates. Ever.
If there are any real howlers — months where the cumulative updates were irretrievably bad, and never got any better, as they were in July of last year — we’ll let you know, loud and clear.
Tired old approach for Win10 Home 1803 and 1809
If you have Win10 Home, version 1803 or 1809, your only reasonable option (other than installing a third-party patch blocker) is to set your internet connection to “metered.” Metered connections are an update-blocking kludge that seems to work to fend off cumulative updates, but as best I can tell still doesn’t have Microsoft’s official endorsement as a cumulative update prophylactic.
To set your Ethernet connection as metered: Click Start > Settings > Network & Internet. On the left, choose Ethernet. On the right, click on your Ethernet connection. Then move the slider for Metered connection to On.
To set your Wi-Fi connection as metered: Click Start > Settings > Network & Internet. On the left, choose Wi-Fi. On the right, click on your Wi-Fi connection. Move the slider for Metered connection to On.
If you set your internet connection to metered, you need to watch closely as the month unfolds, and judge when it’s safe to let the demons in the door. At that point, turn “metered” off, and just let your machine update itself. Don’t click Check for updates.
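Because the metered switch is the only knob Win10 Home gives you, it is worth being able to check what Windows actually believes about the connection and to flip it without the Settings app. The block below is an added example, not code from the original post: the `netsh wlan` cost parameter is the same switch the Wi-Fi slider uses, the `DefaultMediaCost` registry key is what the Ethernet slider writes (1 = unrestricted, 2 = metered), and the WinRT `NetworkCostType` read-back shows whether Windows Update will see the link as metered. Function names are my own; run it in an elevated Windows PowerShell 5.1 prompt.

```powershell
# Added example (not from the original post): mark the active connection as metered and
# verify what Windows reports as the connection cost. Run elevated in Windows PowerShell 5.1
# (the WinRT projection below is not available in PowerShell 7 without extra modules).
# Function names are my own; key names and netsh syntax are the ones Windows uses.

function Get-ConnectionCost {
    # NetworkCostType is Unknown / Unrestricted / Fixed / Variable.
    # Fixed or Variable is what "metered" means to Windows Update.
    [void][Windows.Networking.Connectivity.NetworkInformation, Windows.Networking.Connectivity, ContentType = WindowsRuntime]
    $profile = [Windows.Networking.Connectivity.NetworkInformation]::GetInternetConnectionProfile()
    if (-not $profile) { return 'No internet connection profile found' }
    [pscustomobject]@{
        Profile  = $profile.ProfileName
        CostType = $profile.GetConnectionCost().NetworkCostType.ToString()
        IsWlan   = $profile.IsWlanConnectionProfile
    }
}

function Set-WiFiProfileMetered {
    param(
        [Parameter(Mandatory)][string]$ProfileName,   # the saved Wi-Fi network name (SSID)
        [switch]$Off                                   # -Off restores the default (unmetered) cost
    )
    $cost = if ($Off) { 'Default' } else { 'Fixed' }
    # Same switch as the Settings slider for a Wi-Fi network; cost=Fixed means metered.
    netsh wlan set profileparameter name="$ProfileName" cost=$cost | Out-Null
}

function Set-EthernetMetered {
    param([switch]$Off)
    # Ethernet has no per-profile switch; the slider changes the default media cost.
    # 1 = unrestricted, 2 = metered. The key is owned by TrustedInstaller, so Administrators
    # must be granted write access (take ownership in regedit) before this will succeed.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\DefaultMediaCost'
    $value = if ($Off) { 1 } else { 2 }
    Set-ItemProperty -Path $key -Name Ethernet -Value $value -Type DWord
}

# Usage: check, set, check again
'Before:'; Get-ConnectionCost
$p = Get-ConnectionCost
if ($p.IsWlan) { Set-WiFiProfileMetered -ProfileName $p.Profile } else { Set-EthernetMetered }
'After:';  Get-ConnectionCost
```

The `Get-ConnectionCost` read-back is the part worth keeping: if it still says `Unrestricted` after you move the slider (or run the setter), Windows Update will not treat the link as metered and nothing is being blocked.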
And then there’s Win10 version 1903
If you’re running Win10 version 1903, you’re entering uncharted waters. We’ve heard lots of promises about the new updating regimen, but haven’t been through enough update cycles to know exactly what’s going to happen. The recent announcement that Win10 1909 will act like a cumulative update, but rate as a version change/Service Pack in some undefined sense, just adds to the confusion.
If you’re using Win10 1903 Home, we still don’t have enough experience — or reliable documentation — to say for sure, but it seems to be a good idea to both set your connection to metered (as discussed in the preceding section) and to click Pause updates twice on the Windows Update page — for a total of 14 paused days. Historically, that’s been sufficient to avoid the worst problems.
If you’re using Win10 1903 Pro, and you haven’t yet set feature update or cumulative update deferrals, the instructions for setting them are the same as those for setting Win10 1803 or 1809 deferrals, as explained earlier. On the other hand, if you have set deferrals for either, the “Choose when updates are installed” deferral piece of the Advanced Options pane disappears.
If you can see “Choose when updates are installed,” I suggest you defer feature updates by 365 days, although with Win10 “19H2” still a great unknown, it’s hard to guess how this setting will come into play. I also suggest you defer quality updates (cumulative updates) by 15 days. You won’t be able to see those settings once they’ve been changed unless you dive into the registry, but it looks like they “stick” even if you can’t see them.
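The deferral values that the Advanced options pane writes (Steps 1 through 7 in the 1803/1809 section above, and the 365/15-day suggestion for 1903 Pro here) live in the registry, which is also the only place you can confirm they “stuck” once 1903 hides the pane. The block below is an added example, not code from the original post: it reads those values back, reports whether a Group Policy deferral is overriding them, sets them, and works out the earliest forced-upgrade date the way the post does (60 days for Semi-Annual Channel plus the feature deferral). Function names and the date arithmetic are my own; the key and value names are the ones the Settings app and the Windows Update policies use. Run it elevated.

```powershell
# Added example (not from the original post): audit and set the Windows Update deferral
# values behind Settings > Update & Security > Advanced options on Win10 Pro (1803/1809/1903).
# Key and value names are the ones the Settings app and Group Policy use; run elevated.
# Function names and the 'earliest upgrade' arithmetic are my own.

$ux     = 'HKLM:\SOFTWARE\Microsoft\WindowsUpdate\UX\Settings'          # what the Settings pane writes
$policy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'     # Group Policy, wins if present

function Get-UpdateDeferrals {
    $p  = Get-ItemProperty -Path $ux     -ErrorAction Stop
    $gp = Get-ItemProperty -Path $policy -ErrorAction SilentlyContinue
    $branch = switch ([int]$p.BranchReadinessLevel) {
        16      { 'Semi-Annual Channel (Targeted)' }
        32      { 'Semi-Annual Channel' }
        default { "unknown ($($p.BranchReadinessLevel))" }
    }
    # The post's rule of thumb: Semi-Annual Channel adds 60 days on top of the feature deferral.
    $extra = if ([int]$p.BranchReadinessLevel -eq 32) { 60 } else { 0 }
    [pscustomobject]@{
        Branch               = $branch
        FeatureDeferralDays  = $p.DeferFeatureUpdatesPeriodInDays
        QualityDeferralDays  = $p.DeferQualityUpdatesPeriodInDays
        TotalFeatureDelay    = $extra + [int]$p.DeferFeatureUpdatesPeriodInDays
        PolicyOverridesThis  = [bool]($gp -and ($gp.DeferFeatureUpdatesPeriodInDays -ne $null -or $gp.DeferQualityUpdatesPeriodInDays -ne $null))
    }
}

function Set-UpdateDeferrals {
    param(
        [ValidateRange(0,365)][int]$FeatureDays = 240,   # post suggests 240 for 1803/1809, 365 for 1903
        [ValidateRange(0,30)] [int]$QualityDays = 15     # post suggests 15 or so
    )
    New-Item -Path $ux -Force | Out-Null
    Set-ItemProperty -Path $ux -Name BranchReadinessLevel            -Value 32           -Type DWord
    Set-ItemProperty -Path $ux -Name DeferFeatureUpdatesPeriodInDays -Value $FeatureDays -Type DWord
    Set-ItemProperty -Path $ux -Name DeferQualityUpdatesPeriodInDays -Value $QualityDays -Type DWord
}

function Get-EarliestUpgradeDate {
    param([Parameter(Mandatory)][datetime]$ReleaseDate)
    # Release date + (60 days for Semi-Annual Channel) + feature deferral, as in the post
    $d = Get-UpdateDeferrals
    $ReleaseDate.AddDays($d.TotalFeatureDelay).ToString('yyyy-MM-dd')
}

'Before:'; Get-UpdateDeferrals
Set-UpdateDeferrals -FeatureDays 240 -QualityDays 15
'After:';  Get-UpdateDeferrals
# Using the post's nominal 1809 release date, 60 + 240 days lands on 2019-09-07
Get-EarliestUpgradeDate -ReleaseDate ([datetime]'2018-11-11')
```

On 1903, where the pane disappears after you change anything, `Get-UpdateDeferrals` is the way to see what is actually in force; if `PolicyOverridesThis` is True, the values under the policy key are what Windows Update obeys, not the ones the pane wrote.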
Maybe Microsoft will get its patching act together before 1909 becomes a reality. Or maybe not. I think it’s great that we’re finally getting some relief from the insane two-versions-a-year pace. But has anybody thought through how this is, you know, actually going to work?