Managing Windows updates… for regular people

Topic

New Reply

Just got a great question from a new Plus member: I’ve just read a bunch of your articles providing detailed steps on how to manage the Windows Update
[See the full post at: Managing Windows updates… for regular people]

4 users thanked author for this post.

abbodi86, Cayennejim, Microfix, Pepsiboy

Reply | Quote

Replies

Most likely it is the same old story, “Darned if we do, darned if we don’t”. (Substituted for original word) I will probably update our 2 machines Saturday.

Many thanks, again, Woody for all the help you and the team have provided.

Dave

1 user thanked author for this post.

woody

Reply | Quote

Hi woody, which is the version that you currently recommend? 1809 or 1903?
I’m thinking of bringing my long out of support machines to the latest recommended version soon… and I guess I should be doing that around the time of the month with we move to MSDEFCON-3 or above to avoid getting buggy cumulative update(s) automatically patched in the upgrade process?

Reply | Quote

I don’t speak for Woody.
But my choice at this point would be to move to v1809. You have 6 more months before v1809 is EOL. It has been stable for me lately.

v1903 still has some problems. It hasn’t stabelized yet. But one thing you should do NOW is download the v1903 ISO or use the Media Creation Tool to create the ISO on your computer. Once v1909 is released, you will have a hard time getting a copy of the v1903 installer for use when you want to upgrade to it.

4 users thanked author for this post.

abbodi86, Alex5723, Cayennejim, Microfix

Reply | Quote

I’m with PKCano on this one. All of my production machines run 1809.

For once – perhaps the first time ever, actually – the latest version of Win10 has a truly compelling feature, delaying updates. I just hope 1903 settles down a bit.

Reply | Quote

You have 6 more months before v1809 is EOL

On a Gregorian calendar, EOL works out at just over seven months but nevertheless, still a good option 😉

If debian is good enough for NASA...

Reply | Quote

Also, I didn’t know that with 1903 Home I could delay til 10/28 by repeated clks. I initially delayed 7d from KB 4522016 Breaking my HP Printer and uninstalling it. KB 4517211 (that breaks Print, too) didn’t show til 9/30 so THAT was the Delay reason initially.

BUT, you mention in the latest article that too long of delays bumps you against the Next regular updates, so …. WHAT do you recommend for Delay Time starting from 10/3 ref KB 4517211 Print issue, etc. Thanks as always!

W10 Pro 22H2 / Hm-Stdnt Ofce '16 C2R / Macrium Pd vX / GP=2 + FtrU=Semi-Annual + Feature Defer = 1 + QU = 0

Reply | Quote

One thing you have to realize about Pausing updates is, when the Pause period is up, you cannot Pause again until you have installed the available updates.

If you Pause for 35 days, and you wait all 35 days, that puts you into the next month’s updates right after they come out. BUT, if you don’t wait the full 35 days, you can undo the Pause and install what is available at any time. Which means you can wait till the DEFCON number is 3 or above, undo the Pause, and install the updates according to DEFCON.

3 users thanked author for this post.

G, CraigS26, woody

Reply | Quote

With WSUS, the system we work with is:

1. Patch Tuesday + 24 hours – keep an eye on AskWoody and Internet Storm Centre for Patch nows (if there is a patch now then assess the impact in our environment, apply if needed or wait if not)
2. Patch Tuesday + 1 week –  again check for any alerts if the patches have been causing more problems than fixing them, if all seems relatively calm then we push updates to the IT team and low level servers that wont break anything of much importance if something were to happen. Leaves patches for a week being aware of any knock on affects of them
3. Patch Tuesday + 2 weeks – again checking for any problems other have had we push to a larger group that we can easily support but allows us to get a good idea of any issues cause among the organisation
4. Patch Tuesday + 3 weeks – if all has been fine then we pushout to the rest of our organisation of about 300 pcs and 100 servers, which is roughly the same time that MS-Defcon goes to level 3.

By following this we allow the updates in our environment to see that they work while also not fully pushing out to all devices

Reply | Quote

That seems to me like a workable approach.

Reply | Quote

Sticking to an older version can have its drawbacks. Bugs that are corrected in newer versions will continue to exist. New features which may be of value are not available. And, changes in technology could make some third party software packages not updatable.

You can continue to live in a cave and heat by fire. But, it really is nice to have a home with gas heat and electric lights.

I have 3 PCs. They are all up yo v1903. I have no issues … which I am aware of.

Byte me!

Reply | Quote

Martin Brinkmann at Ghack.net has posted regarding a new portable Windows Automatic Updates Manager (WAU Manager) tool.

The developer designed WAU Manager to replace automatic updating in Windows….

You may run the program from any location without installation. The main interface separates settings into three main groups:

The option to disable the built-in automatic Windows Update to manage updates exclusively in WAU Manager.
Update mode and behavior.
Shortcut and schedule options.
The program runs in normal mode by default which means that it will search for updates automatically when you run it but will not download or install any unless you give your okay to do so. It will search for driver and software updates by default.

You can switch that to passive or quiet modes instead. Passive mode searches for, downloads, and installs updates automatically and shows the progress while quiet mode does the same but shows notifications only.

https://www.ghacks.net/2019/10/03/windows-automatic-updates-manager-review/

3 users thanked author for this post.

columbia2011, TonyS, SkipH

Reply | Quote

Where exactly are you in the 1809 patching universe?  You’ve not installed any security updates?

Security updates should be installed, yes they can be delayed but the idea that one can’t install *any* updates because they will blow up your machine is dead wrong.  A healthy computer installs updates all the time with zero issues.  Ignore the optional updates, push out the install at least a week and that is a normal updating process.  Every day devices update all over the world with zero issues.

Susan Bradley Patch Lady/Prudent patcher

1 user thanked author for this post.

AlexEiffel

Reply | Quote

A healthy computer installs updates all the time with zero issues.

Well, except for maybe the update process causing SFC integrity violations.

Fortunately, as you can see, the situation is correctable by someone willing to brave the CMD prompt.

-Noel

1 user thanked author for this post.

AlexEiffel

Reply | Quote

[SonicMojo]

WSUS is the only true way to apply “nothing” if that’s your thing.

I could literally install Windows ENT 1903 today and never approve any updates and nothing would ever reach the machine.

Now – could I? Sure. Would I? No. I agree with the WSUS schedules posted here and with Susan – you need to get your security patches on for certain and stay up to date on all the rest of the action here as it breaks (or does not break).

Sonic

• This reply was modified 5 years, 5 months ago by SonicMojo.

Reply | Quote

I personally choose to maintain user control over when updates are applied via gpedit.msc:

I’ve been moving up to each of the latest Win 10 builds at about 5 months after their original release, so haven’t had to deal with holding back from a prior release.

So far, I’ve found it pain- and trouble-free to follow Woody’s advice generally. For example, I just put in Windows 10 v1903’s September patches. I put in v1903 in August.

My advice: Make and maintain full system image backups!

You never know when you might be surprised after a major version install that your particular hardware has suddenly dropped out of support or something. I’ve had folks (for example) report to me that they’ve updated to the latest Win 10 on their laptop and lo and behold they just don’t have any OpenGL support any more – because Intel doesn’t support any newer version of Windows for their hardware.

If you choose to continue to use a given system, you may find it “ages out”. Laptops tend to “age out” sooner than desktops. Be prepared to drop back to the prior major version of Windows and avoid the major version “upgrades” thereafter. You could even get to the point (e.g., with old hardware running an older major version of Windows) that you’ll want to stop updates entirely. I’m not saying this is the right strategy – or even a good strategy for everyone – but it’s actually doable.

-Noel

1 user thanked author for this post.

Microfix

Reply | Quote