• MS-DEFCON 2: With Patch Tuesday tomorrow, and a Win10 1909 upgrade waiting in the wings, now’s a good time to check that Automatic Update’s temporarily turned off

    • #2003431

      As usual, I have full step-by-step instructions coming in Computerworld.
      [See the full post at: MS-DEFCON 2: With Patch Tuesday tomorrow, and a Win10 1909 upgrade waiting in the wings, now’s a good time to check that Automatic Update’s temporarily turned off]

      If 1909 is a CU update, it will probably require 1903 installed. On older Win10 versions it will probably mean a full feature OS upgrade.

    • #2003430

      It’s that time again, and I still need to get the Oct 2019 W7 Security Only and IE patches installed on one more laptop, including that Servicing stack update from a few months back as well before installing the other updates.

      So on to Nov and waiting for DEFCON3 once again and I always have my Windows update in the OFF mode because that’s the update mode that’s the best for me.  I’ll always be checking Askwoody often around this time of the month and it’s probably a good idea to check daily what with all the issues that have appeared over the past 4+ months with Windows updates across all of MS’s OS versions.

       

      • #2003793

        I hear you regarding “Oct 2019 W7 Security Only and IE patches…” As for completely stopping any updates on W7 or W8.1 can Windows Defender allow updates to flow into the box – even if Never Check for updates is checked?

    • #2003500

      I have a 90 day delay set. I hope that is long enough.

      Byte me!

    • #2003732

      In version 1903 (either Home or Pro), using an administrator account, click Start > Settings > Update & Security. At the top, click the Pause updates for 7 days button. That button changes so it says Pause updates for seven more days. Click it two more times, for a total of 21 paused days. That defers all updates on your machines until 21 days after you click the button. You can’t extend the deferral any longer unless you install all the outstanding cumulative updates to that point. Historically, 21 days has sufficed to avoid the worst problems.

      That’s the problem I have with 1903.  You’re forced into guessing in advance just how long you’re going to need to pause those updates.  And, if you happen to guess wrong — and you find that you needed a longer pause — well, too bad for you.  Once that countdown clock expires, MS forces you into installing all the outstanding updates whether or not you want them, and whether or not they may be known to cause problems.

      Even though 1903 is a small step in the right direction for returning some small measure of control to the user, it’s just not enough.  I also don’t trust MS to continue respecting the Metered Connection trick for avoiding updates.  My solution is to disable all the tasks and services involved in the automatic updating process.  That includes stopping and disabling all the following services and/or scheduled tasks on my 1903 systems:

      • Windows Update service (wuauserv)
      • Update Orchestrator service (UsoSvc)
      • Windows Update Medic Service (WaaSMedicSvc)
      • All tasks in the Windows\UpdateOrchestrator folder
      • All tasks in the Windows\WindowsUpdate folder
      • All tasks in the Windows\WaaSMedic folder
      • All tasks in the Windows\InstallService folder

      For added safety, I also created and enabled outbound Firewall Rules that block the following services and programs:

      • Windows Update service
      • Windows Update Medic Service
      • Update Orchestrator Service
      • WaaSMedicAgent.exe program
      • SIHClient.exe program

      By stopping, disabling and/or blocking the above items I feel like I’ve been finally able to get back control over the updating process on my Win 10 systems.  I started using this method back with version 1709, and it worked to keep 1803 at bay until I (not MS) decided I was ready to upgrade.  And I used the same method to stay on 1803 until once again I decided to upgrade to 1903.

      The only time I unblock and re-enable these services and programs is when Woody sets the MS-DEFCON level to 4 or higher.  And I keep them enabled just long enough to run wushowhide and install whatever updates I decide I want or need.  Once I get the updates installed, I disable and re-block those services and programs until the following month, when I re-evaluate whether or not to allow the next set of updates onto my systems.

      Yes, it’s a little extra work to have to re-enable and un-block these components whenever I want to install the latest updates. But it’s worth it (to me) to take back control of the Windows 10 updating process — and to not be at the mercy of a 21-day countdown clock.
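      Added example, not part of the original post: a read-only PowerShell audit that reports the current state of the services, scheduled-task folders and outbound block rules listed above, so it is clear at a glance whether a machine is in the blocked state or the patching state. The `\Microsoft\Windows\` prefix on the task folders and the function name `Get-UpdateComponentState` are assumptions made for this sketch.

```powershell
# Added example (not from the thread): read-only audit of the components
# listed in the post above. Run from an elevated PowerShell prompt.

$services = 'wuauserv', 'UsoSvc', 'WaaSMedicSvc'

# Assumption: the post's "Windows\..." folders are the Task Scheduler
# library folders under \Microsoft\Windows\.
$taskPaths = @(
    '\Microsoft\Windows\UpdateOrchestrator\'
    '\Microsoft\Windows\WindowsUpdate\'
    '\Microsoft\Windows\WaaSMedic\'
    '\Microsoft\Windows\InstallService\'
)
$programs = 'WaaSMedicAgent.exe', 'SIHClient.exe'

function Get-UpdateComponentState {
    $rows = @()

    foreach ($name in $services) {
        $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
        $state = 'not found'
        if ($svc) { $state = "$($svc.Status), start type $($svc.StartType)" }
        $rows += [pscustomobject]@{ Kind = 'Service'; Name = $name; State = $state }
    }

    foreach ($path in $taskPaths) {
        $tasks = Get-ScheduledTask -TaskPath $path -ErrorAction SilentlyContinue
        foreach ($task in $tasks) {
            $rows += [pscustomobject]@{
                Kind  = 'Task'
                Name  = $task.TaskPath + $task.TaskName
                State = [string]$task.State
            }
        }
    }

    # Enabled outbound block rules scoped to one of the services or programs.
    $rules = Get-NetFirewallRule -Direction Outbound -Action Block -Enabled True -ErrorAction SilentlyContinue
    foreach ($rule in $rules) {
        $svcName = ($rule | Get-NetFirewallServiceFilter).Service
        $program = ($rule | Get-NetFirewallApplicationFilter).Program
        $target  = $null
        if ($services -contains $svcName) { $target = $svcName }
        foreach ($exe in $programs) {
            if ($program -like "*\$exe") { $target = $exe }
        }
        if ($target) {
            $rows += [pscustomobject]@{
                Kind  = 'Firewall rule'
                Name  = $rule.DisplayName
                State = "blocks outbound for $target"
            }
        }
    }
    $rows
}

$state = Get-UpdateComponentState
$state | Format-Table -AutoSize

# A stopped or disabled wuauserv means no security updates arrive at all,
# so record when the machine was last patched alongside this output.
$lastFix = Get-HotFix | Where-Object InstalledOn | Sort-Object InstalledOn | Select-Object -Last 1
"Most recent installed update: $($lastFix.HotFixID) on $($lastFix.InstalledOn)"
```

      Saving the output before and after each monthly patching window gives a record of how long the machine ran without updates.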

      • #2003770

        Ever try wushowhide?

        • #2003824

          Yes I do … every month.  But first you have to make sure MS doesn’t push all the updates out to you automatically without your consent.

          The only time I unblock and re-enable these services and programs is when Woody sets the MS-DEFCON level to 4 or higher. And I keep them enabled just long enough to run wushowhide and install whatever updates I decide I want or need.

          • #2004175

            I’d rather use 3rd party apps like WUMT (Windows Update MiniTool), WuMgr 1.0 or even Carifred’s WAU Manager 2.1 to manage & control updates. They even have options to disable automatic updates while safely checking for updates manually without having to automatically download them.

            • This reply was modified 5 years, 5 months ago by EP.
            1 user thanked author for this post.
            • #2004343

              EP, Thanks for the suggestions.  I’ve considered using WUMT in the past; but I decided against it due to comments from Woody not recommending it.  His main issues with it seemed to be that no one really knows who the developer is, or what the utility is actually doing to interact with the system.  However, you also suggested Carifred’s WAU Manager, which I hadn’t heard of previously.  Based on what I read on their web page that utility sounds promising, and I might give that a try.  So thanks for that tip.

      • #2003792

        G’day folks

        Just wondering why the “hit pause updates for 7 days three times” is still recommended over the advanced option of setting a specific day/date, as per my previous post #2001357?

        Is it the case that the recommended method holds for each month without having to be reset (which the advanced method requires)?

        If so, is that really an advantage? Is the timing automatically synchronised at each patch Tuesday, or from whenever the updates start to download (not really a safe option)?

        Cheers

        • #2004087

          Just wondering why the “hit pause updates for 7 days three times” is still recommended over the advanced option of setting a specific day/date, as per my previous post #2001357?

          I don’t think there’s any good reason for that. As you’ve found, one-click pausing up to 35 days works fine.

          Is it the case that the recommended method holds for each month without having to be reset (which the advanced method requires)?

          Pause doesn’t repeat.

          If so, is that really an advantage? Is the timing automatically synchronised at each patch Tuesday, or from whenever the updates start to download (not really a safe option)?

          Pause is not synchronized.

          1 user thanked author for this post.
        • #2004100

          why the “hit pause updates for 7 days three times” is still recommended over the advanced option of setting a specific day/date

          It simplifies the article – the Pause Updates option is available for both Home and Pro.

          For the other points, @b is right. Update deferral persists month-to-month. Pause doesn’t persist at all. We also have the weird situation where out-of-band cumulative updates may get tossed into the fray, as they were just last month.

          In addition, I think it’s important for people to check their Pause/Defer settings once a month, to avoid any unexpected surprises.

          1 user thanked author for this post.
          • #2004525

             

            This reply should be up under #2004100 but I can’t seem to get it there.  (Also, the site search function is not taking me to post numbers I enter into the search box; goes to other posts of mine in same thread.?!)

            Thanks b and Woody

            I agree that checking and confirming whatever settings used each month is wise, and no real bother.

            If I become aware of any worthwhile updates that are issued during the pause period, I presume I can take the pause off with the “Resume updates” button, and filter with wushowhide.   After that, resetting the pause to any specific day/date again (probably back to the weekend before Patch Tuesday) is quick and easy.

            It simplifies the article – the Pause Updates option is available for both Home and Pro.

            I only have Home, so can’t see, but does this mean the “Advanced options” possibility of setting a specific day/date to pause until is not available in Pro?  If so, that seems a bit unfair for Pro users who don’t want to get into the intricacies of policy settings.

            Cheers

            Moderator note: To “nest” a reply to a post, click on REPLY at the top of post you want to respond to.

            • This reply was modified 5 years, 5 months ago by frankus333.
            • #2004551

              Thanks Moderator; that was what I did, twice, but it failed both times.

              Cheers

              Edit; it worked this time, but the search is still misfiring.

              • This reply was modified 5 years, 5 months ago by frankus333.
            • #2004555

              If I become aware of any worthwhile updates that are issued during the pause period, I presume I can take the pause off with the “Resume updates” button, and filter with wushowhide.

              I’m curious as to whether or not this presumption is valid.  What will happen in the case where updates have been Paused; but then the user clicks the “Resume Updates” button?  Will it still be possible to run wushowhide to check for and review what updates are currently available in the queue — and to do so before Windows jumps in and starts automatically downloading and installing those updates?

              Does anyone have any first-hand experience with this scenario to say for sure what exactly will happen once you click on “Resume Updates”?  Will the user still have time to run wushowhide?  Or will all the queued updates just get installed immediately — before the user has any chance to intervene?

              • This reply was modified 5 years, 5 months ago by Tom-R.
              1 user thanked author for this post.
            • #2004565

              Thanks Tom-R

              I am planning to check this out later in the month when the updates become acceptable.  I’m hoping that the “Resume updates” button doesn’t include an immediate “Check for Updates” command, and there will be enough time to run wushowhide and deal with them.   I will leave my wifi set to Metered as well, in the hope of a little extra shielding.  Fingers crossed.

              • This reply was modified 5 years, 5 months ago by frankus333.
            • #2004646

              I only have Home, so can’t see, but does this mean the “Advanced options” possibility of setting a specific day/date to pause until is not available in Pro?  If so, that seems a bit unfair for Pro users who don’t want to get into the intricacies of policy settings.

              Pausing updates now works the same for Pro and Home, but Pro has had the capability for a couple of years since version 1703 whereas Home only acquired it this year with version 1903.

              1 user thanked author for this post.
            • #2005225

              Thanks b

              If Pro has the same Pause options as Home now does (plus the additional policy setting options that are recommended to be used), I still find it curious why these Pause options have never been mentioned in the recommendations as far as I have noticed.  If the Pause option is reliable, it seems an easier and more precise way to hold off updates, to a consistent predictable date (e.g.; weekend prior to Patch Tuesday, reset each month).  Hence my original question about their reliability.

              I must be missing something here, but that is fine; I will continue my experiments with the new pause options, which so far seem to be working great for me. Fingers crossed.

            • #2005521

              G’day folks

              I have had a closer look over the previous posts about setting up deferral of updates in Pro and Home, and it seems to me there is a difference in the dialogue boxes offered under the Advanced Options button on the Windows Update settings page.

              This may account for my sense of missing something in these exchanges.

              In Pro, there are apparently two dialogue boxes (plus the Semi Annual Channel box), which allow you to set the number of days (not a specific day/date) deferral of both quality updates and feature updates. In Home, there is only 1 dialogue box, but it allows you to set a specific Pause Updates day/date, which allows easier, more precise synchronisation around Patch Tuesday each month.

              If Pro doesn’t have the specific day/date selection that Home now has, that would seem to make prediction of exactly when updates will become available relative to the next Patch Tuesday less easy to calculate in Pro. I think I prefer the Home option over the more involved Pro option, as long as it is reliable (my original concern).

              • This reply was modified 5 years, 5 months ago by frankus333.
            • #2005525

              Home Edition only has Pause. Pro Edition has both Pause and pulldowns in the GUI that allow Deferral for both Feature and Quality updates.

              Screen-Shot-2019-11-14-at-5.52.54-PM

              Screen-Shot-2019-11-14-at-5.52.26-PM

              2 users thanked author for this post.
            • #2005534

              Thanks PKCano

              If that Select Date pulldown has both day and date showing, as in Home, then Pro has everything Home does, to make precise sync around Patch Tuesday easy.

              • This reply was modified 5 years, 5 months ago by frankus333.
      • #2004057

        The hoops one has to jump through with 10 are just amazing, and I guess that’s why folks are using some interesting hacks to get 7/8.1 installed on the newer Intel and AMD processor generations that are not officially whitelisted/supported on any OS but Windows 10.

        Sure, there are some Windows Kernel features that are only available with 10, but that forcing and constant game of update whack-a-mole is sure maddening. So most users will need the Pro version of Windows 10 to get sufficient permissions options offered or they will have to make use of regedit, and that requires a little more work.

        Well, that sure makes for a cottage industry for the third-party Windows update management software makers in order to try and retain a more 7-like update environment on Windows 10.

    • #2003873
      • #2004330

        Alex, I haven’t actually tried WPD; but based on what I read in the Freeware Spotlight article it doesn’t seem like it would help with stopping Windows updates getting pushed onto a system.  WPD appears to focus mainly on three areas: privacy settings, telemetry, and MS store apps.  I’m not seeing anything (at least not in the article) about what the utility can do to stop MS from downloading and installing updates.

        1 user thanked author for this post.
    • #2004073

      I sat on version 1803 for as long as I could as it was incredibly stable.  With the pending release of 1909 and the deprecation of 1803 I decided to take the chance on upgrading.  I have Windows 10 Pro set for a features delay of 365 days.  I changed it to 120 days and after some time Windows update prompted me to upgrade.  After an hour upgrade process and several automated reboots, I am on 1809.  So far stable and I intend to sit on this version for as long as possible.  The feature delay once again set to 365 days.

    • #2004117

      I have a question about deferred/paused updates and getting the October updates. I have Win 10 Pro v 1903, and I have deferred regular updates for 35 days through group policy, and feature updates for 365 days.

      For the Oct 8/9 updates, that means that they should start appearing today, Nov 12. Right now in wushowhide I see the following:

      KB4517389
      KB4524100
      KB890830
      KB2267602

      The servicing stack KB4521863 is not showing there.

      When I checked the Windows Update screen within Win 10 I see this :

      Capture-2

      I don’t think I’ve actually ever seen that screen saying to check for updates before. It generally will list whatever is in wushowhide when it is time to get them. I wonder now if I should go ahead and check for updates – since it seems that only the ones shown in wushowhide should then appear for downloading – or should I wait till those updates show up in the Windows Update screen on their own?

      I am looking for the October updates listed – not any newer ones. Those should be safe at this point, I believe, but don’t want to trigger something else by actually clicking on “check for updates” there.

      I’m also thinking that I should change that deferral time since I keep running into issues where the older ones defer till a date close to or after the newer ones and I am never sure which ones I may accidentally “stumble into.”

      Thanks for the help!

      • #2004131

        Here is some information on the settings I use in Win10 Pro and an explanation of why they are set that way. Perhaps it will help you.

        Your Quality deferral is too long, often expiring after the next Patch Tues. You may end up having to hide the Nov. updates to get those Oct updates unless you go ahead and search before the Nov updates are issued.

        1 user thanked author for this post.
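        Added example, not posted by any participant: a PowerShell sketch of the date arithmetic behind "expiring after the next Patch Tues", applied to the 35-day quality deferral and the 8 October 2019 release mentioned in this thread, followed by a read-only look at the Group Policy registry values. It assumes the deferral period is counted from the release date; the function names are made up for this sketch, and a deferral set only through the Settings GUI is not read.

```powershell
# Added example (not from the thread). Date arithmetic plus a read-only
# look at the Group Policy registry values; nothing is changed.

function Get-PatchTuesday {
    param([int]$Year, [int]$Month)
    $first  = [datetime]::new($Year, $Month, 1)
    # Days from the 1st to the first Tuesday, then one more week.
    $offset = (([int][DayOfWeek]::Tuesday - [int]$first.DayOfWeek) + 7) % 7
    $first.AddDays($offset + 7)
}

function Test-QualityDeferral {
    param([datetime]$Released, [int]$DeferDays)
    # Assumption: the deferral period is counted from the release date.
    $offered = $Released.Date.AddDays($DeferDays)

    # First Patch Tuesday strictly after the release date.
    $next = Get-PatchTuesday -Year $Released.Year -Month $Released.Month
    if ($next -le $Released.Date) {
        $m    = $Released.Date.AddMonths(1)
        $next = Get-PatchTuesday -Year $m.Year -Month $m.Month
    }

    [pscustomobject]@{
        Released         = $Released.ToString('yyyy-MM-dd')
        DeferDays        = $DeferDays
        OfferedOn        = $offered.ToString('yyyy-MM-dd')
        NextPatchTuesday = $next.ToString('yyyy-MM-dd')
        MarginDays       = ($next - $offered).Days
        # True when the deferred update only appears on or after the day
        # the following month's updates are released.
        Overlaps         = $offered -ge $next
    }
}

# Release dates: the October one is from the thread; 12 November 2019 is
# the Patch Tuesday that follows it. The gap between consecutive Patch
# Tuesdays is 35 days for the first and 28 days for the second.
$results = foreach ($released in '2019-10-08', '2019-11-12') {
    foreach ($days in 0, 21, 30, 35) {
        Test-QualityDeferral -Released $released -DeferDays $days
    }
}
$results | Format-Table -AutoSize

# What Group Policy has actually configured on this machine.
$key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$wu  = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
$au  = Get-ItemProperty -Path "$key\AU" -ErrorAction SilentlyContinue
"Policy DeferQualityUpdatesPeriodInDays (blank = not set): $($wu.DeferQualityUpdatesPeriodInDays)"
"Policy AUOptions (2 = notify before download, blank = not set): $($au.AUOptions)"
```

        For the 8 October release, 35 days lands exactly on 12 November with a margin of zero; for the 12 November release, the next Patch Tuesday is only 28 days away, so both 30 and 35 days overlap it.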
        • #2004144

          Thanks!!

          Your Quality deferral is too long, often expiring after the next Patch Tues. You may end up having to hide the Nov. updates to get those Oct updates unless you go ahead and search before the Nov updates are issued.

          Yes, that is what I was afraid of.

          Here is some information on the settings I use in Win10 Pro and an explanation of why they are set that way. Perhaps it will help you.

          Thanks! So I guess I am confused. Thought I had it all figured, but not!

          From your guidelines:

          Defer Quality Updates = 0 allows Monthly CUs to be seen immediately after release. I set this to zero, b/c I want to be able to see what’s out there. If you set this to a number, the updates do not show up in the queue for that many days.

          Group Policy
          Windows Update = Enabled, value = 2 (notify download/install)
          This prevents the updates from downloading to your PC until you click on download. If the updates are not on your computer, they can’t install. Quality updates deferral = 0 allows you to SEE the pending updates so you know what to hide if you don’t want it. But they do not download automatically.

          I do have Windows Update in Group policy set as you specified – value =2. So if I set the quality updates deferral to 0, then I should always be able to see them, and hide them, but none will download?

          So to address this current situation – is it “safe” to check for updates now since none of the Nov. updates are out yet? And then make the change in the deferral days?

          Thanks!

          • #2004146

            I do have Windows Update in Group policy set as you specified – value =2. So if I set the quality updates deferral to 0, then I should always be able to see them, and hide them, but none will download?

            That is correct. You have to click the download button.

            So to address this current situation – is it “safe” to check for updates now since none of the Nov. updates are out yet? And then make the change in the deferral days?

            You have 10 minutes from the time of my typing. Updates are released at 10:00am PDT.

            1 user thanked author for this post.
            • #2004166

              OK – seems I made it – LOL! Those installed and I’ll go ahead and change that quality update deferral to 0 and that should do it. Thanks so much – this ALWAYS gives me the biggest headache!! 😉

    • #2005017

      Having taken your advice about temporarily switching off the Windows automatic updates, as mentioned in your Windows 10 all-in-one for dummies book and on this website, I now get a pop up asking me whether I want to sync my One Drive every day I log on. Is this normal and is there any way to automatically answer this question or avoid it altogether? Or, is it just another idiosyncrasy of Windows that we have to endure?
