|
Patch reliability is unclear. Unless you have an immediate, pressing need to install a specific patch, don't do it. |
So over on Twitter Dave Kunkle is taking Woody (and I for that matter as I use the same wait to patch philosophy) to task for telling people to not pa
[See the full post at: Patch Lady – Does Woody tell you to not patch?]
Susan Bradley Patch Lady/Prudent patcher
Well put!
There’s a reason why MS put Pause Updates in Win10 1903 and 1909. Too many people complained, rightfully, about the horrendous problems with knee-jerk patching.
History has shown that better others be beta testers with updates than myself. It’s that old saying is the cure worse than the disease? We’re all adults we can decide for ourselves what to do or not do.
How do you know if there is an issue, it could take months before you realize
…or it could take a year, or five years…..
But the greatest possibility is that problems affecting many users will show up in the first days after the patch is released. Particularly if it is a wide-spread problem.
I have VMs with different versions of Windows running in them. I make a backup of the VMs prior to installing updates. If I patch in the first day or two after release, and it borks the VM, so what. Replacing it is simply restoring the backup. I can then report the issue and see if it’s widespread.
But if a user has ONE machine and does the same thing (the average user doesn’t backup even their data much less make an image), they are up a creek with loss of computer temporarily and loss of data probably permanently.
So those of us that can, test patches by installing early. And those that can’t test patches, wait for the DEFCON number to be 3 or greater.
My experience has been that 98% of the time, setting Featured updates to be delayed 90 days and Quality updates delayed to 30 days lines up well with giving MS enough time to resolve stuff. Is it consistent? Yea I’d say so. Is it safe to not pay attention and let MS push stuff down without looking? Never. But it’s a decent start, and I can monitor patching resources for a few weeks to wait for stability.
Who the heck is Dave Kunkle? If he’s happy being an early patch adopter (read: Microsoft’s guinea pig) then good for him. You, Woody, Amy and Ted haven’t steered me wrong or let me down yet, Susan. Thank you all for the hard work you put into keeping us safe and up to date on when it’s appropriate and necessary to patch.
i7-10700k - ASROCK Z590 Pro4 - 1TB 970 EVO Plus M.2 - DDR4 3200 x 32GB - GeForce RTX 3060 Ti FTW - Windows 10 Pro
Another member of the “you must take every patch offered the moment it is released” brigade. There are a lot of them out there, and it’s hard to have a serious conversation about when one should patch when they reflexively denounce anyone that advocates waiting until the dust settles before patching.
If the aforementioned individual thinks Woody is bad for suggesting people wait, perhaps he is also willing to direct his ire to, erm, Microsoft, which has long done the same thing with its CBB nomenclature initially, information that now comes in the form of an announcement that a given feature build is “ready for broad deployment.” The idea is to use consumers as cannon fodder, and to have the valued customers (the corporations) benefit from this second layer of “testing,” behind the first (and obviously inadequate) layer of “testing” by the untrained, unpaid Insiders.
All Woody suggests is to not volunteer to be cannon fodder, and to be one of the ones receiving the benefits of the additional testing, rather than one of the ones unwittingly performing that testing at their own risk. It’s obvious why Microsoft would not be happy with encouraging people to opt-out of beta testing Windows, but everyone else should realize that it’s merely acting in one’s own interest.
If enough people refused to beta test software they’ve paid for, perhaps MS would have to reconsider its strategy and actually return to a system where testing was done by paid professionals rather than the lowest, least valued caste of Windows users. The well-meaning but misguided people who reflexively demand everyone take every patch the moment it is offered are only enabling Microsoft’s cynical behavior.
Dell XPS 13/9310, i5-1135G7/16GB, KDE Neon 6.2
XPG Xenia 15, i7-9750H/32GB & GTX1660ti, Kubuntu 24.04
Acer Swift Go 14, i5-1335U/16GB, Kubuntu 24.04 (and Win 11)
If the aforementioned individual thinks Woody is bad for suggesting people wait, perhaps he is also willing to direct his ire to, erm, Microsoft, which has long done the same thing with its CBB nomenclature initially, information that now comes in the form of an announcement that a given feature build is “ready for broad deployment.” The idea is to use consumers as cannon fodder, and to have the valued customers (the corporations) benefit from this second layer of “testing,” behind the first (and obviously inadequate) layer of “testing” by the untrained, unpaid Insiders.
True, but …
Microsoft’s “ready for broad deployment” is only ever for feature updates, never quality (ha!) updates. So, nothing to do with security risk.
For monthly updates, Microsoft always says; “Take action: We recommend that you install these updates promptly.” [i.e. everyone, not just consumers]
If a feature update that is released to consumers needs to be vetted more before being trusted by customers MS actually cares about, it validates the idea that the first round of testing (insiders) is inadequate. Even if MS had the same QA they did in the past, though, it is still safer in terms of avoiding regressions to let other people take the risk first. The risk has to be balanced with the payoff, and that’s true whether the payoff is greater security or more features. There is no black and white, only shades of grey, when it comes to balancing costs with benefits.
There is a risk from malware, but there’s also a risk to installing an update before someone else absorbs the hits, if there are any hits to be absorbed. The malware threat can be largely mitigated by being smart about what you do with the computer, but the one where there might be new bugs can’t. You have to balance the risk of unknown bugs with the risk of the vulnerability being patched. It’s seldom the case that it’s a real emergency that must be patched right this second, and if it was, Woody would take that into account when giving his advice (which, of course, anyone is free to take or not take).
The reality of malware is that most people end up infecting themselves. It’s not that the malware has scaled or crumbled the castle walls, usually; the more common story is that it asked someone to lower the drawbridge and let them in, and someone did. Making the walls higher and stronger won’t do a thing if you’re gonna let the bad guy in voluntarily, and that’s by far the bigger threat. It’s kind of silly to suggest that waiting a week or two is going to make a huge difference with most threats without addressing that the majority of them are invited in by the victims-to-be. The people who are aware enough to keep up with a blog like Woody’s are less likely to be the “come on in” type, and the actual nature of the threats extant at any given moment is always a subject of discussion.
If I had a PC that I had to loan to someone for a year, and I could either put Windows 10 on it (with updates unblocked, so it’s always patched, at least in theory) if I hand it to a regular user who isn’t aware of anything technical, or I could have Windows 7 (such that it is now, just out of support) on it and give it to someone who is really aware of such things, I’d pick the latter if I had to bet on which one would be more likely to return the PC to me in a malware-free state. Patching is good and I certainly do not advise that people ignore it, but it’s only one of a bunch of factors, and certainly not the only one.
Dell XPS 13/9310, i5-1135G7/16GB, KDE Neon 6.2
XPG Xenia 15, i7-9750H/32GB & GTX1660ti, Kubuntu 24.04
Acer Swift Go 14, i5-1335U/16GB, Kubuntu 24.04 (and Win 11)
Please recognize that Dave Kunkle is offering bait and it’s best not to react.
One of the reasons I love this site its so that we can check the issues that are rising with Windows 10
I don’t get why people BLINDLY install any patch that Microsoft offer you
Ok, lets pretend Mr.Woody an Ms.Susan are trolling us, then explain to me, why people are always having issues with Windows 10
I partially agree with Miss Susan, some bad patches may not affect you for now, BUT one day, one bad patch will hit you, and then you will understand why people here are so careful around updates.
Please recognize that Dave Kunkle is offering bait and it’s best not to react.
Either baiting or posting out of sheer ignorance. Neither of which deserve a response other than to say, “hey, you’re being ignorant”. 🙂
I’d ask Dave Kunkle a simple question – when he says…
“there’s major security vulnerabilities out in the wild that could be fixed by said patches.”
… to what is he referring, and on what evidence?
But then Woody has already asked him that question, and we await an answer…
Furthermore, if you look at the articles that have been posted, none of us are recommending browsing from a Windows 7 computer if you don’t get updates for it. … We do not want you to use Windows 7 for online banking, tax preparation or ANY sensitive info. I’ve even urged folks to change the DNS settings and take it off the web and isolate it.
Nothing in Woody’s summary of a week ago about not browsing, not banking etc. or isolating:
No, running Win7 after Jan. 14 doesn’t “put [your] company and staff data at risk, as well as that of suppliers, partners, and customers, because security patches will no longer be available.”
Windows 7 end of support: Separating the bull from the horns
I’ve personally never touched internet banking, and have no intention of ever doing so. As for browsing, it rather depends on how one strikes the balance between the importance of browser updates and OS updates. Woody has long argued against using IE, and the other browsers continue to be supported/updated beyond 14th January, as do the anti-virus/malware programs that also form a critical part of the balance where security is concerned.
As I read Woody’s articles, they follow the same logic for upgrading from Windows 7 as they do for patching Windows Updates – it needs to be done when the time is right, but that doesn’t mean there’s a panic to get it done this instant.
On February 11, Windows 7 updates will come out for those with ESUs. If you don’t have ESUs, it’s highly likely that attackers (who, these days are not teenagers in their parents houses, but financed government IT geeks) will have access to those same ESUs and be able to reverse engineer the vulnerabilities. Thus each month that goes by there will be a potential for more and more risk to that operating system. Will it be insecure on January 15th? No. Will it be a smidge more insecure even with a patched Chrome browser on February 11th? I’d argue yes, and we will know more at that time. Anytime someone says “I’ve browsed with an XP for years and been fine” I cringe. One can never guarantee that you will be fine on an unpatched machine… forever. I would not do online banking or anything with sensitive data as that machine gets more and more unpatched as the months go by.
Susan Bradley Patch Lady/Prudent patcher
I thank Woody et all for all the advice here. Have been following this site since Win 10 was forcibly thrown down the update chute in 2015 and almost broke my Windows 7 PC. With valued guidance I was able to resurrect it and get rid of GWX and all it’s nastiness. Also, was able to get windows update service going several years back when the .CAB went outdated.
I don’t work in IT, however, understand about computers and value my equipment.
In following the recommendations for December, the updates went very smoothly and was able to identify and disable the nag screen commencing 1/15/20.
Right now, January patches are waiting and will be installed on Win 7 and also on Win 10.
I’d rather know what I’m dealing with rather than disabling valuable equipment.
What’s even more interesting, have been able to identify problems and concerns with the work PC, and help my team through minor issues.
Will continue to utilize Win 7 and patch for January and run a strong AV in the background. I am not a world wide web surfer and just need it for some creative work for my own self satisfaction and have banking protection built in from the strong AV.
Thanks, over and out. 🙂
Win 10 Home 22H2
Patching your systems should be an exercise in making sure you are ready for recovery of your system. If you can’t restore from a backup, you can’t not only deal with an update side effect, you can’t deal with the bigger problem of ransomware.
This cannot be emphasized enough. It’s the first line in my signature, in bold red. This is why I can be a seeker/cannon fodder, because my PC is safe in multiple drive images in two separate places (one of which is air-gapped) so that regardless of what might happen, I’m ~6 minutes away from just before the patch(es) downloaded.
That really fries my grits. This is another example of an all-too-common, internet-driven phenomenon: Someone who wants to gain attention by broadcasting a point of view begins by mischaracterizing and misquoting someone like Woody, then uses that mischaracterization and misquote as a launching pad for an attention-getting rant. No, AskWoody has never said “Don’t patch”; AskWoody has always said, “Don’t patch mindlessly.” Those of us who are computer professionals caring for tens, hundreds, or thousands of workstations have far-too-often been bitten by poorly tested MS patches as a result of which we’ve had to listen to the anquised cries of suddenly-non-productive clients–not to say having lost clients because of this; we badly want never to have that happen again. AskWoody has been invaluable not only by educating us about patches–something Microsoft never adequately took on to begin with and then abandonned any pretense of doing at all–but also by helping us quickly ameliorate the problems caused by culprit patches by identifying those culprit patches and suggesting fixes. We can’t be too grateful.
Edit: Please follow the –Lounge Rules– no personal attacks
GaryK
The proof is in the pudding…already we have some reports that having “wallpaper stretch” engaged will cause an issue with KB4534310 for Win 7: (https://www.bleepingcomputer.com/news/microsoft/final-windows-7-update-breaks-desktop-wallpaper-functionality/)
Another reason not to jump the gun, and (were it needed) another validation. for Woody’s methodology.
Win7 Pro SP1 64-bit, Dell Latitude E6330, Intel CORE i5 "Ivy Bridge", 12GB RAM, Group "0Patch", Multiple Air-Gapped backup drives in different locations. Linux Mint Greenhorn
--
"The more kinks you put in the plumbing, the easier it is to stop up the pipes." -Scotty
I’m maintaining a single Win7 PC that runs Windows Media Center on my TV with a cable card tuner. There’s no other option here other than to rent a cable box from Verizon at $20/month (with DVR capability). I don’t do any mission critical work on this PC and plan to use it until it no longer works. The only Internet stuff this does is streaming Netflix, Amazon Prime, and ESPN+. I’ve migrated to the new MSFT Edge browser which will continue to be patched as necessary for Win7 machines for at least the next 18 months.
As far as banking and bill paying are concerned, I do all of this on the Internet these days. As long as one is careful to make sure and look at the SSL certificate and URL so that you know you are at the right website, you should be OK. To date, I’ve never had and credit or bank information compromised. Skimmers at ATMs, gas pumps, and other locations are far more problematic in terms of stealing credit card information than the Internet as long as one is prudent.
I thank my lucky stars for you and woody. Like most people, I lack your skill set and really appreciate any help that I can get. I do believe that your insight has helped me many times over. As always, one can accept or reject your advice. I am not sure what this guy was complaining about? Maybe it’s just his 15 seconds in the Sun.
KEEP UP THE GREAT WORK
THANK YOU
I patch when deferrals are up, which are recommended by MS and seconded by Woody.
https://docs.microsoft.com/en-us/windows/deployment/update/waas-deployment-rings-windows-10-updates
This usually coincides with the DEFCON rating reduction, or happens within a few days of it happening.
120 days feature update, 14 days quality update has worked great for me. 0 problems going back all the way to 1703 which is when Win10 became something I recommended, instead of avoided.
In fact, Woody has regularly advised against joining (as he calls it) the Group W bench.
Thank you for your post.
To patch or not to patch, that is the question. And you have clearly answered the question, “hold back and wait for the dust to settle.”
Then there is your comment regarding CCcleaner.
Since at least 2014, my practice has been to run CCcleaner after each internet browsing session to remove cookies and other detritus that has accumulated on my C drive while online and cannot recall an instance where I had a problem with any of my computers afterwards.
After running CCcleaner I tend to find that it has removed 50 or more MD of stuff – the bulk of which coming from Microsoft Edge, Internet Explorer, and Firefox. I do not use Microsoft Edge or Internet Explorer but somehow they accumulate bits of data in their Internet caches, as cookies, and temporary internet files.
Am I better off letting the detritus accumulate?
I don’t like it when it removes registry entries. I have seen too many side effects from that detrimental action. Why not browse in inprivate mode or use the brave browser and the duckduckgo search engine?
Susan Bradley Patch Lady/Prudent patcher
Susan
Just to be clear, you do not like using CCleaner due to the risk of removing registry entries.
When I open CCleaner it opens to the Custom Clean – a tool that clears up detritus from Microsoft Edge; Internet Explorer; Windows Explore; System files; Firefox; Thunderbird; Windows Store; Applications; Multimedia; Utilities; and Windows including MS Management Console, RegEdit, and Remote Desktop.
In order to delete registry files you have to open the stand alone Registry window. Therefore, you can run Custom Clean without touching any registry files.
So, is okay to run CCleaner’s Custom Clean utility while avoiding the registry cleanup option?
Also, our computers are equipped with HP’s Performance Tune – a tool that can perform system tune-ups by deleting temporary files; deleting prefetch files; running a system file checker; emptying the recycle bin; and clearing history, cookies, and cache of installed web browsers including Internet Explorer V. 11, Google Chrome, and Firefox.
Any thoughts regarding a preference for CCleaner versus the HP Performance Tune-up?
May the Force be with you.
Other Registry Cleaners have caused me problems like those. But never CCleaner, and seldom if ever with Glary Utilities.
That said, the current Microsoft Windows Storage Sense cleanups do almost exactly the same job as CCleaner, except maybe for some third-party software temporary caches.
-- rc primak
The categories are basically the same as the old Disk Cleanup Tool.
I make sure the Downloads Folder is NOT checked, then clean everything else.
EXCEPT for the ten-days retention period for Windows.old after a Feature Update (upgrade) and about a week or two before cleaning up the Windows Update remnants.
-- rc primak
The old Disk Cleanup tool still works quite well. I did a running comparison between CCleaner and my extended Disk Cleanup batch file for over four years, keeping CCleaner updated all the while. I would first run CCleaner to scan for detritus, then close it and run my Disk Cleanup batch file.
After that ran, I would again open CCleaner and check for leftovers. The only thing left would be temporary internet files, and those I wanted to leave where they were, anyway. CCleaner was of no real use to me. I finally uninstalled it with Revo Uninstaller. Speaking of Revo Uninstaller, it also has a Junk Files Cleaner, and a Windows Cleaner.
CCleaner is a good tool to use, but not blindly.
My experience with it for registry cleaning is that the approach is *very* conservative, and using it will *probably* not cause problems. However, the effects of cleaning are entirely cosmetic, and doing a cleaning will not enhance either performance or system stability, and comes with a small risk of doing damage. There really is no reason to be using CCleaner (or any other tool) on your registry.
CCleaner is one tool (and technique) that arose in in the era before Vista, and really isn’t needed anymore. Even though Vista was reviled for its UI, it was still a major step forward, making significant improvements in system stability. I’m convinced that many of the issues that registry tools were written for were for the effects of registry corruption that happened too often in XP and earlier vintages of Windows. Since Vista, Windows has been *very* stable, and those kinds of tools aren’t really needed, anymore.
To that end, I strongly discourage anybody from using any kind of registry scanning tools, whether cleaners, defragmenters or compression tools. They’re not needed, and run real risks of causing more problems than they solve.
The benefits of CCleaner are with other tasks. Most prominently, that would be cleaning the contents of browser caches, temporary files and emptying trash. I also find the various tools in the Tools section to be useful, especially in being able to get to the list of installed programs quickly, and being able to export to a file that can be imported into a spreadsheet.
Use CCleaner for those functions, but don’t bother with registry cleaning. The registry cleaner is a solution set for a problem that no longer exists.
My first computer was XP in 2002. Have had Vista, 7 and now 10 1903. My experience with installing patches? Well in 18 years I can recall perhaps 4 times I had issues with patches. That’s 4 times after installing probably over 1,000 patches in 18 years. This also includes recommended and optional patches I installed on a computer just to see what would happen. 99% of the time nothing happened. People say to to install drivers from MS update. Well lately when I go to manufacturers site for drivers, I am directed to go to MS update, Western Digital for example.
I installed Windows 10 January patches the day they came out. No issues. Same on Windows 7. Now this is not just me. Through the years when talking to friends they also had no issue installing patches except for 4 or 5 through the years.
It’s a catch-22. Install patches to prevent exploits or wait 30 days to apply and risk being exploited. Which shall it be? System restore is your friend. If system restore won’t work, system image and up and running in no time.
I am talking about home computers here. Businesses have different needs and they have an IT department. Here at my house, I am my IT department.
Susan makes a great point in her article when she says “Also many times the act of rebooting will expose [an] issue that was hiding all along. Patching wasn’t the root cause, rebooting the machine finally exposed the issue.”
I wish that she would urge people to reboot a machine BEFORE installing patches. This is a critical, can’t-miss step in the patching process. If your machine has problems booting, then you will be really glad you didn’t install any patches. And if you had a hidden problem and failed to reboot before applying patches, now you will be troubleshooting two problems simultaneously, and you will be looking for a problem with the patch that was not caused by the patch. When rolling back the patch doesn’t fix the problem, you are still liable to blame the patch for causing it. Headaches galore….
It is an interesting question whether you should reboot before backing up (and if you have a hidden problem, you may not be able to make that backup) or backup before rebooting (in which case, you have a backup of a failing system, which may not be restore-able). Everyone can have their own preference, please share yours. But rebooting before patching is as important as backing up, plus it is faster and easier so you are more likely to do it.
So please, folks, reboot before backing up. And please, Susan, make that part of your standard advice.
-- Peter R --
Donations from Plus members keep this site going. You can identify the people who support AskWoody by the Plus badge on their avatars.
AskWoody Plus members not only get access to all of the contents of this site -- including Susan Bradley's frequently updated Patch Watch listing -- they also receive weekly AskWoody Plus Newsletters (formerly Windows Secrets Newsletter) and AskWoody Plus Alerts, emails when there are important breaking developments.
