|
Patch reliability is unclear. Unless you have an immediate, pressing need to install a specific patch, don't do it. |
.Today Woody recommended that you wait on the February updates and pass on them until the March updates come out. I honestly wouldn’t wait that long.
[See the full post at: Patch Lady – not every side effect is widespread]
Susan Bradley Patch Lady/Prudent patcher
Susan Bradley wrote: “you need to be more scared of ransomware than of updating. As long as you have a backup, neither one will be a worry to you.”
I entirely agree that keeping ones files with data, software one has written, with all the usual attendant annoyances and effort, as well as valuable and even personal “electronic” documents is very important and neither updating, nor ransomware can cause their loss if one has a good backup policy and sticks consistently to it. However, with ransomware, I tend to suspect that the need to buy a new computer in a hurry would bother me somewhat.
Ex-Windows user (Win. 98, XP, 7); since mid-2017 using also macOS. Presently on Monterey 12.15 & sometimes running also Linux (Mint).
MacBook Pro circa mid-2015, 15" display, with 16GB 1600 GHz DDR3 RAM, 1 TB SSD, a Haswell architecture Intel CPU with 4 Cores and 8 Threads model i7-4870HQ @ 2.50GHz.
Intel Iris Pro GPU with Built-in Bus, VRAM 1.5 GB, Display 2880 x 1800 Retina, 24-Bit color.
macOS Monterey; browsers: Waterfox "Current", Vivaldi and (now and then) Chrome; security apps. Intego AV
However, with ransomware, I tend to suspect that the need to buy a new computer in a hurry would bother me somewhat.
You’re missing the point. With drive imaging, the entire, complete contents of your PC can be backed up. There’s no need to buy a new computer, not even new drives. Just be comprehensive in backing up your PC.
I have complete drive images all six drives in my PC on an air-gaped 3TB drive. If ransomware somehow managed to get past my defenses and encrypted everything on my PC, I would boot my restore USB, run a full format on all drives first, to completely remove the ransomware, then restore my drive images, which would in turn put all 21 of my various partitions back in place.
I would then use my latest individual partition images for OS, Programs and Users folders to get everything completely up to date, still on the same old PC, now completely clean. The point is to be prepared beforehand, not wring one’s hands after the fact.
I do not intend, in any way, to interfere with the disagreement, which I respect. However, and for the better understanding of those of us who are part of this community, I believe that the rule established for it, the DEFCON system, still applies. This being the case, it would be up to the person who manages to define when it is time to apply the patches.Am I right?
You’re right, but consider…
Susan’s audience is IT Pros.
My audience is Dummies. Of which I am one.
I am trying to maintain a balanced perspective these days. I have my updates on Pause until 9/3/20, as Woody recommends, but I know the I.T. guy for the charity which own the P.C.s I use (he tests these patches for M/S as part of his computer business!) will want me to update long before then – he wanted me to install the next feature update as soon as it came out, but I’m holding back on that for the time being. Probably I’ll install the updates a little before 9/3/20, as soon as I feel ready. After all, I’m the one who has to cope with any glitches!
TSP: Same situation here with my other, government issued, Mac: the IT guy in charge of such matters in our working group always wants things to be done by the book: if MS or Apple says patch! then patch it is! I simply ignore him, as do the rest of the group. My own understanding is that his advice is a reflex CYA act performed by someone who likes his job very much and wants to keep it for as long as possible and even improve things by getting promotions. I do not know if this, to some extent, might not also apply to your IT guy. So if you chose, and were able to abide by the DEFCON and other useful pointers available here and elsewhere on the Web, then follow your inclination, as I do myself, and good for you!
Ex-Windows user (Win. 98, XP, 7); since mid-2017 using also macOS. Presently on Monterey 12.15 & sometimes running also Linux (Mint).
MacBook Pro circa mid-2015, 15" display, with 16GB 1600 GHz DDR3 RAM, 1 TB SSD, a Haswell architecture Intel CPU with 4 Cores and 8 Threads model i7-4870HQ @ 2.50GHz.
Intel Iris Pro GPU with Built-in Bus, VRAM 1.5 GB, Display 2880 x 1800 Retina, 24-Bit color.
macOS Monterey; browsers: Waterfox "Current", Vivaldi and (now and then) Chrome; security apps. Intego AV
There’s lots that needs to be said on this issue. But my music program is going to end soon, and I’m not sure I want to stay awake long enough to finish writing this diatribe. But let’s begin and see how far we get.
BACKUPS
Yeah, great. With you and bbearren all the way on this one. Problem is… What you WANT to have is a backup that was made (and verified) within MINUTES of the time the update occurs, so you can be SURE you have captured EVERYTHING of value.
Under the current Win10 update regime you cannot do that because you typically do NOT have control over EXACTLY WHEN the update will occur. So the best you can do is an approximation… what the machine state looked like when the backup program was last run, NOT what the state of the machine was just prior to the update.
If you have to restore under a condition of approximation, then you have a rock and hard place choice to make: Abandon everything that didn’t make it onto the backup, or try to capture it from the failed system and merge it into the restored system. I’ve done both; NEITHER is acceptable to me. I want FULL CONTROL over updates. MY timeline, NOT someone else’s.
TELEMETRY
If I could be SURE that MS’s telemetry could actually do all the wonderful things you claim it can do for us, then yes, I would be in favor of it, too. But I do NOT believe it can. Or ever will.
In a former lifetime I did program development in a world-class scientific research lab. I once tried to write code that watched one of my programs run and gave me feedback on what went wrong. That’s a VERY HARD task. MUCH harder than writing the code itself. Perhaps impossible. As in NP Complete impossible. And I suspect Gödel himself might have a few words to say about the theoretical impossibility of doing it, too.
Why? Because the ONLY things your telemetry code can test for are things you already know to look for, and how to test for. But in order to do what you want MS’s telemetry to do that code has to watch for all the UNEXPECTED things that by definition cannot be predicted IN ADVANCE before you actually SEE them happen at least once.
Here’s another way to look at this. What MS is trying to do is analogous to trying to write a diagnostic program that runs within the OS. But writing diagnostic programs that REALLY and FULLY test hardware and/or software is well known to be a thankless and difficult task.
In that same former lifetime, my fellow engineers and I used to quip that our application programs were better at diagnosing failures of the DEC hardware we were running on than the diagnostic programs that DEC wrote and supplied to us.
We’d have a failure and call in a DEC FE. First thing he did was run the standard diag. Most of the time it would come up clean. But our app would crash consistently. And if we could get the FE to try a few board swaps, oftentimes the problem would vanish with one of them. And magically reappear if the original board was swapped back in. QED
But sometimes it wouldn’t, because the failure was intermittent. Then we would have to pare down our code until we found something that would repeatably provoke a failure. Once we knew EXACTLY what to look for, and how to tickle it, then AND ONLY THEN could we write a diagnostic that reliably demonstrated the fail.
How is that different than Win10 updates? If MS knew what was going to fail in a new patch, then they certainly could write telemetry code to test for that particular failure. But why would they do that, when they could more easily use that same insight to correct the problem in the patch BEFORE it shipped.
How does the telemetry code know to look for a particular profile failure mode when there are hundreds or thousands of ways that something can go wrong? Or identify a race condition that cannot even be defined let alone tested for? And again, if MS knew what to look for, a more straight-forward approach would be simply to FIX THE CODE, either in the OS or the patch, and be done with it. Writing yet more telemetry code gets you nowhere useful. It’s a REACTIVE strategy whereas what you really want is a PROACTIVE approach.
And don’t tell me “AI can do it”. Nope. Still have to train it. And if there’s a category missing from the training set, AI won’t help you find it. AI is good for finding exotic variants of things you already know something about, NOT for exploring the unknown. Which is what bad code is, because if you KNEW in advance it was bad, then you wouldn’t ship it until it was fixed. Or at least most competent programmers wouldn’t.
One final point. There are also fundamental limits on HOW MUCH telemetry you can gather before your telemetry becomes a drag on productivity. So even if you know what to look for, you may not be able to gather sufficient data to perform the needed analysis, because the computation required is so cpu- or disk-intensive that the user would immediately notice the slowdown.
Bottom line: NO, I do NOT believe telemetry BY ITSELF can now or ever will compensate for MS’s poor coding. Or make updating easier or safer for the average user or sysadmin.
And with that, I’m donning my flame-proof nightgown and heading off to bed…
— EstherD
rc primak, 
Bengalensis, 
Kranium, 
LH, 
OscarCP, 
Lars220, 
Charlie, 
DriftyDonN, 
woody, 
SueW, 
jburk07, 
wavy, 
Cybertooth, 
phaolo, 
zat_so, 
Kathy Stevens, 
Fred, 
David F, 
migongo 
In order to be able to make a backup immediately before a windows update, you could use some Registry tweaks to provide/restore a “Download” button to the Update section of the Settings App.
I have seen this sort of thing described in a few places, but I stumbled upon it towards the end of one of Federico Dossena’s “Windows 10 Privacy Guide”s – see https://fdossena.com/?p=w10debotnet/index_1903.frag for the latest and last W10 1903 guide – in the section titled NO MORE FORCED UPDATES. This involves adding/changing 4 policies – setting numerical values to the 4 DWORD sub-keys of a key. (You probably need to restart your PC after this?)
W10 still checks for updates and gives notifications (the bottom right corner thing), but does not download or install. When you open the Settings App, the Update section shows a “Download” button and above this the oustanding updates are marked as “ready to download” or some such wording (I’m writing this in W8.1 so cannot check). This does not give any granularity about which of these updates are downloaded and installed, but does give you the opportunity to make a backup before clicking the “Download” button. (There are 3rd party programs giving more granularity, but I have not looked at these.)
BTW: Federico has now given up these guides and switched to Linux (he wrote), but I found that this did still work with W10 1909 when I tried it on a spare disk a few weeks ago. I normally use W8.1, but out of curiosity I check out the new W10 version/”feature upgrade” every few months to see if W10 is improving (it isn’t!).
Your words about Telemetry are probably the best I have read about this subject on this site or elsewhere. 100% spot on!
HTH. Garbo.
BTW: Federico has now given up these guides and switched to Linux (he wrote), but I found that this did still work with W10 1909 when I tried it on a spare disk a few weeks ago.
Good post, Garbo–and thank you. It was interesting to read Federico Dossena’s explanation for abandoning Windows 10:
With the release of the 1903 update a few weeks ago, which broke a lot of things on my computer, I just couldn’t take it anymore; I’m sorry to let you down but Windows nowadays is as unstable as a c***** arch linux distro, I cannot be productive if the OS keeps breaking with every update.
Thanks for telling us about Federico’s site. You know what I’ll be reading this weekend! 
Backups have always been a point in time. Even if you do a backup immediately before applying an update it is still a point in time. Most people are not willing to endure the overhead it takes to do “real time” file backups. Most people don’t’ really need that either. A good backup regime is meant to get you to a known good state so you may recover from that point forward. If you are doing real time backups all you are doing is inviting problems to replicated when you restore the most recent backup which is what most would do. Trying to determine when a problem was injected into a system is very time consuming and difficult.
In a former lifetime, I’ve architected and written OS code (not Windows), device drivers, major modifications to packages, and applications used worldwide. Telemetry was expected to report events that occurred or capture error information in dedicated error reporting routines. It is up to the people interpreting the telemetry to determine further action. That action may be additional debugging code, further isolated testing, or identifying an issue and correcting it. If you do not have telemetry available you are shooting in the dark as distinct problems many times have the same external symptoms.
--Joe
Yes you can control when updates occur. Also I backup daily.
Susan Bradley Patch Lady/Prudent patcher
So the chance of your PC rendered useless with $thousands in damages is way greater that being hit by ransomware, virus, identity theft…
That statement is patently false, not born out in the least by data.
So the chance of your PC rendered useless with $thousands in damages is way greater that being hit by ransomware, virus, identity theft…
That statement is patently false, not born out in the least by data.
OH Yes it is. Just read the forum for posts here where tens/hundreds PC/servers were hit by a Microsoft update bug and administrators had to work days to bring them back to life. There are many such stories here. Each such incident = $ten-thousands in damages.
Just read the forum for posts here where tens/hundreds PC/servers were hit by a Microsoft update bug and administrators had to work days to bring them back to life. There are many such stories here. Each such incident = $ten-thousands in damages.
Please point me to just one post here where hundreds of computers were hit by a Microsoft update bug causing multiple administrators to work for multiple days to bring them back to life (or anything that may have cost damages amounting to tens of thousands of dollars).
With Microsoft, more than fear, it should be rage. A multibillion-dollar company doing the same thing for decades and still has problems that a relative new company like 0patch fixes with less drama.
By the way, a quick note regarding backups and fear: if the ransomware exfiltrates data, it won’t save you.
By the way, a quick note regarding backups and fear: if the ransomware exfiltrates data, it won’t save you.
Again, I’m talking about a comprehensive backup regimen. Until someone codes some ransomware that can jump an air gap, my data, my entire PC, is completely safe from ransomware.
>>Until someone codes some ransomware that can jump an air gap There are many ways to exfiltrate data in air-gap cases. It is a long topic, you can read https://hackaday.com/2017/02/02/hacking-the-aether/ as an introduction and then Google some more.
I didn’t find any method even remotely capable of reading data from afar off of a 3TB HDD unplugged and in storage. Maybe I should have specified “Dead Air Gap”. The storage drive to which I refer has no power, no connection, is not in a PC. It’s in a box, dead.
I’m not afraid of ransomware.
I automatically run a scheduled backup script on each and every computer, with the schedules set so that only one computer at-a-time is performing a backup, all starting after my customary quitting time for the day (I’ve got five Windows systems). I create a unique, local partition on each computer for a “cascade” of backups. The cascade is simply a pattern of subfolders: The script merely deletes the last folder (and contents) down the list, and then creates a new, empty folder for today’s backup at the top. The number of subfolders is up to you. (Do ya feel lucky?)
One of those computers also has an additional external drive, to which all backups are copied, automatically, every night, from the local backup drive, to that central drive…I change that drive every few weeks, and have a few (six) in rotation.
After each backup is added to the top of the cascade, then copied to the central cascade, the script then shuts down the computer. So, I could, theoretically, go back as far as 42 days to recover any system, if needs be.
I believe in the value of redundancy…and the cost of 1TB drives is significantly lower than the angst of having to rebuild a computer from scratch! (Admittedly, I started with one backup on one computer…but, like Topsy, it “…just growed…”)
It’s all automated, so I never forget to do it; it’s after hours, so I can relax with my family, and it has “saved my bacon” many times over the past decade.
I’m not sure this is the place for this…I invite the Leadership of these fora to move it where you think it would be most appropriate. –CAO
I had intended to keep my system on pause for updates, but this morning I updated my relatives computer without issue. They have a new Dell laptop Win10 1909 running Norton.
I have a new Dell XPS8930 desktop also running Norton with win10 1909 … decided to give the update a shot and everything seems to have updated fine!
So that’s 2 more data points for the 1909 update, and it appears at least for me that Norton isn’t causing update issues on newer Dell machines
I am not sure why my original post was deleted but let me try again.
First thank you Susan for a well thought out and written Post. There are many of us on this site who every month report that we download all updates as soon as they come out with no problems . We are ether ignored or shouted down. I think in many cases instead of screaming about Microsoft you should be taking a long hard look at your own computer and how its configured.
I have long believed but can offer no proof that the large majority of problems people have with patches are due to third party apps that try to force Windows into doing things it was never meant to do. In my many years of using win7 and now many years of using win10 i can count on one hand the number of problems i have had and they were all minor. i too do regular back ups but to be be honest i have been forced to use one.
Barry
Windows 11 v23H2
Some say if you have issues w/ windows(MICROSOFT) use linux,IOS or whatever. So, you folks say “let ’em eat cake?” Really.
Regarding Susan’s opine, I respectfully have to ask does msfts telemetry collection of EVERY machine running windows REALLY come under scrutiny to determine what needs patching/repairing? Not a chance. It’s a scatter gun approach and anything on MY computer is not taken into consideration to any real effect. If it were there would NEVER be any problems with the coding they force feed us(eventually.) There is no responsibility taken by them(and they say so up front, always have.) So damage hardware all over the world w/ no consequences and charge an exorbitant price. Nice for them.
What came first? Hardware or software?
BTW, this is not a personal attack- I admire Susan and woody very much. I’ve been playing w/ pc’s since keypunch days. Not to say I have an IT degree-just alot of self taught experience. Windows 10 is so different from ANY windows OS that its not truly even a cousin IMO. Having to relearn almost from ground up is proof positive to me. I suppose I have to say I skipped win8-which was a foretaste from what I heard- cancer has a way of taking time away from msfts shenanigans.
Tirade end.
Peace and love everyone!
DriftDonN
So damage hardware all over the world w/ no consequences and charge an exorbitant price.
When has any Windows or Office patch ever damaged PC hardware? Software breaks, the OS breaks, web browsers break. Occasionally, firmware gets messed with. But hardware?
All I have ever had to do to recover from a bad MS update was to restore the partition(s) using a free system imaging program. Never had to throw out the PC and start over, or replace any PC hardware. Maybe (rarely) restore a previous firmware version.
I’ve had to spend time and effort to recover from bad MS Updates, but never had to spend money on replacing hardware.
-- rc primak
While I agree with what Susan has said, there are also reasons why some people (including myself) should follow Woody’s advice and defer this month’s CU. Like Susan, none of my clients have reported borked systems – at least not yet.
At the top of the list is the lack of transparency on the part of Microsoft. Simply stating that they are “aware of the problem and investigating” with NO ongoing progress reports is simply unacceptable. More than likely, telemetry doesn’t provide much in the way of useful or actionable metrics in this situation. Apparently, for those who experienced the profile issue, the patch installed without error.
In my case, I have gone to extremes to prevent the CU from installing on one of my Win 10 machines. Why? Well for one, it is an AMD 3800x build with some cutting edge components (WiFi 6, PCIe v4 bus, multiple PCIe v4 M.2s, 2.5gb ethernet, etc.). Susan believes the problem is a race condition (or maybe timing related). If so, is a machine with 8 cores that boots to desktop in 3 seconds at a high queue depth (with fast boot, hibernate etc. disabled) more likely to fail? Is the problem related to recent drivers for this relatively new hardware?
By now, Microsoft has most likely identified the hardware (OEM, computer SKUs) that seem to be most impacted. They probably know the cause for many of the failures. It’s a certainty that OEMs and software vendors are aware and are in communication with Microsoft. Any information from Microsoft, even if incomplete or unverified, would help.
Because of Microsoft’s lack of transparency, however, I cannot make an informed decision. Yes, I have multiple off-line backups (image, differential), separate USB backups of critical files, and data is even synced to a Win 7 ESU fallback machine. Even so, if this AMD machine gets bricked, it’d take days to do a bare metal restore since it contains more than 4 million files (terabytes). This is time I cannot afford to lose.
I suspect that installing the CU would not cause issues on this computer. I know that the security risk of not installing the CU is probably greater. Still, the risk of patch failure is too high for me because of time constraints. I’m therefore following Woody’s advice. For people that only have one computer, or don’t have a disaster recovery plan or in-depth computer experience, they may also choose to follow Woody’s advice. None of us want to become “cannon fodder”.
Let’s be honest here, Microsoft’s track record hasn’t been great lately. I fell victim to the 1909 GUI search bug after installing a CU which initially rendered the computer not usable. Because of the unusual manner in which the computer was behaving, I thought bad actors had taken control of the computer and I wasted time barking up the wrong tree.
So, each to his own I guess …
More than likely, telemetry doesn’t provide much in the way of useful or actionable metrics in this situation. Apparently, for those who experienced the profile issue, the patch installed without error.
What telemetry most likely provides in these cases is an opportunity to know how big the issue will eventually be.
For example, if Patch A is a problem for some folks, and that problem can eventually be found to be caused by Configuration B, then knowing how many systems in your installed base have Configuration B would help you decide how many resources to assign to resolve the issue, as well as the urgency of the situation.
Conversely, if Patch A is found to affect everyone, you put all hands on deck, pull the nasty patch, and push Patch B as soon as possible.
Properly-configured and properly-analyzed telemetry would make that possible.
I don’t know if we can have that telemetry-collection and analysis process be completely transparent without also making it a completely-exploitable avenue of attack for the rotten folks out there.
You’re right, but consider…
Susan’s audience is IT Pros.
My audience is Dummies. Of which I am one.
I do agree with Woody. A really good pro ought to act in a humble and simple way, and prepare for infectiondamage; Instread of acting to know it all, like most admins tend to. (no offence ment). Patience is always a good advisor
* I don’t allow driver updates – if it ain’t broke, don’t fix it. If your devices are working just fine, you do not need a driver update. If you have a reason for a driver update, you can always do it manually; but you are asking for trouble if you let driver updates happen automatically.
In this day of “Rollup, everything in one huge pile” updates that MS foisted upon us back in 2016, I wasn’t aware that driver updates could be pulled out or otherwise gotten separately. This has been one of the main reasons that I’ve been a Group B updater – not knowing what on earth I might get that I don’t want! Can other things be separated? Does this apply only to Win 8.1 or 10? It’s news to me. Thanks.
Woody has good reason for his advice being different from yours. As I see it, you present advice for enterprise IT folks. Woody provides advice for the rest of us.
Updating for enterprise installations has very different requirements because the need for security is dramatically and substantially greater.
The threat profile has changed radically in the last 10 or 20 years. Threats are principally coming from criminal organizations seeking to profit from the damage they can do. In years gone by, the threat was the nerd in the basement out to have fun. The criminal organizations know that there is little if any profit to made from damaging joe/mary-ordinary.
CT
Like Susan I often “jump the gun” and do my own update testing (e.g., in virtual machines) because I have the skills to repair/restore from backups in a pinch. I haven’t, however, chosen to put in February’s updates yet on the systems I care most about.
I do want to say one thing, though: I dislike it when companies or people try to motivate other people into acting by holding the specter of Ransomware or other malware up as a sole reason to act. Don’t do things out of fear! Weigh your risks, take your time. And don’t hope that someone else will make decisions for you. If you don’t feel you have enough info, seek it out. Wait until things are more clear. Common sense stuff.
Sure, malware can be scary, but it’s not a given that you’ll fall victim to it if you just practice common sense while computing.
-Noel
The advice given in this thread is useful to those with the necessary skills to create disk images, use them to restore the system from serious malware attacks such as ransomware ones and, most particularly, know what to do when (as sometimes happens with anything we do) the restore fails and leaves a mess in the hard drive or SSD, instead of the desired outcome: a restored system plus personal data and applications that do not have to be reinstalled, exactly as if something bad had never happened.
That does not help much the majority of users, that consists of those who try to deal with their computers the way they do with their other home appliances. That computers are not like other home appliances — although, in an ideal world at least, they ought to be — obeys to many, many reasons. But the fact remains that those reasons are of no help from the particular point of view of the average home or small business user. Which makes for jobs for technical savvy people that set up shop to help those who can afford their services. (Some do it on a voluntary basis, of course, and that is a most excellent thing to do.)
As Woody has pointed out, here, now, as well as in several previous occasions, Susan Bradley writes for IT people, not common users, but, in my most humble opinion, it might be a good idea if this fact were to be made very clear in each and everyone of her posts, at the very top of her initial comment. Just a thought.
Ex-Windows user (Win. 98, XP, 7); since mid-2017 using also macOS. Presently on Monterey 12.15 & sometimes running also Linux (Mint).
MacBook Pro circa mid-2015, 15" display, with 16GB 1600 GHz DDR3 RAM, 1 TB SSD, a Haswell architecture Intel CPU with 4 Cores and 8 Threads model i7-4870HQ @ 2.50GHz.
Intel Iris Pro GPU with Built-in Bus, VRAM 1.5 GB, Display 2880 x 1800 Retina, 24-Bit color.
macOS Monterey; browsers: Waterfox "Current", Vivaldi and (now and then) Chrome; security apps. Intego AV
For the home user who does not want to get involved with detailed selective patching the best practices are fairly simple:
In other words, most folks would be happiest if they treated Windows PCs like Chromebooks, iPads or phones. The main difference is that PC software can be downloaded and installed from sources other than a Company Store.
We have to keep things simple for most folks. They just want to use a computer, not master its intricacies.
The advice offered at this site and in these forums is not always aimed at the typical home user. But all are welcome to come here and look around. Then decide if you are ready to get into some system details.
-- rc primak
Speaking of motivating other people to act, computer viruses do have some similarity to real viruses. If you don’t have good backups, or time to do a restore, as an individual it benefits you to avoid updates until someone else has told you they are good. But, if enough people avoid a security update, that lowers the herd immunity and makes criminals more likely to try to exploit the security flaw. If all users automatically got the security patches in a few days, there would be little reason to try to exploit those flaws. So, it is in Microsoft’s, and everyone’s, interest to try to make it hard for most other users (other than yourself) to avoid automatically getting the patches.
I wish I had data to back it up, but one or two decades ago, most computers I looked at for users were not up to date, had expired antivirus software, and a large portion maybe over a third had viruses. With Windows 10, most people do not know how to turn off updates and I rarely see a computer that is not updated or has expired antivirus, and I don’t see viruses anymore except for users who seek out the darkest corners of the web.
If users could learn to backup their system and data more often, that is the main thing I would want to tell them. Also many people only have a few files and data for a few programs that are really important to them, and if they would copy those to some backup it would make everything easier. Woody seems to be recommend Chromebook more often, and threads about how to make kiosks seem to recommend Chromebook more often. If you trust Google, I can see why people would enjoy not having to worry so much about backup.
I made similar points about folks who have very basic computer needs. Also about needing mostly a data backup solution, not so much a system backup. That is, if folks don’t mess with Windows default settings. See above:
https://www.askwoody.com/forums/topic/patch-lady-not-every-side-effect-is-widespread/#post-2170558
-- rc primak
Hence the need for incremental and image backups as well as storage media rotation (or possibly more than 1 cloud provider if that’s the strategy). The last small business I worked with that was hit by ransomware had to go back two sets (1 day lost).
Even on my home network, I use multiple external hard drives for backup. Also, separate ones for imaging purposes. No near-line backups. Also keep a dedicated computer that is synced every three days or so with it’s own separate set of backups.
I do realize this not feasible for most users here though.
I am not a fan of incremental backups. If even one link in the chain is corrupted or infected, this can affect the whole backup set. I use full backups. And three copies (original drive plus two archival drives.) But then, I only do one or two backups for my system each month, and I only support three PCs at most. (One archival drive would probably suffice — I haven’t had issues affecting two backup drives at once, as long as they are kept separate from each other.)
-- rc primak
Use the consolidate feature to create a single backup regularly.
cheers, Paul
I think we should let people choose, I prefer to wait until Mr.Woody gives the greenlight, since not everyone has backup software or archives.
but I think that if people think that updates dangerous, shouldn’t they skip it? (its the safer way for them I guess) , nothing gonna happen if you skip 1 month of updateds, (unless we are talking about 2 months or more..)
I would like to believe I know a bit more than most “dummy” users on PC issues, but I am not an IT Pro, nor do I want to be one. I do have the necessary expertise to create disk images and recover from problems, but that’s about it.
As Canadian Tech said, security requirements in the Enterprise is stricter than us users. As Susan’s audience is the Enterprise IT, I can understand her views, but I disagree with and won’t adopt her advice on this issue. I place my computers’ stability over their “security” every time.
Personally, I have no wish to act as a tester for Microsoft, nor do I want to become “cannon folder”. I will wait for as long as I want, until the time I am satisfied that installing these updates won’t cause any significant problems on my machines. For example, after Meltdown/Spectre broke out in January 2018, I decided that the updates Microsoft put out at the time had far too many problems, and I therefore waited several months (until early June) to patch my Windows 7 systems. During the time period from January to June 2018 ALL my Windows 7 machines were on December 2017 patch level, and I didn’t have a problem.
I have been wary of the quality of Microsoft updates ever since its CEO decided to fire its testing department and replaced those testers with “Insiders”. And I don’t think there has been any improvement on this more than 4 years after the release of Windows 10. I therefore require FULL CONTROL of ALL updates (including drivers and security updates) including the right to decide when to apply them. Windows 10 (at least in its default configuration) does not offer that, which is one big reason why I am still on Windows 8.1 and Windows 7.
I know I will eventually be forced to Windows 10 (well, at least some of my machines) so I have been experimenting with the LTSC version of Windows 10 1809. I use a group policy setting to completely disable Windows Update (meaning it will NOT search for, download or install updates on its own) and it seems to be working for me. It also has patch support for 10 years and will not be offered feature updates (to 1903 or whatever). So this is probably what I will be going to in the future, but NOT before the end of support of Windows 8.1.
If you are OK with installing updates (on any version of Windows, but in particular Windows 10) soon after they arrived and you don’t encounter significant problems every time you do that, good for you. I won’t adopt such a policy as I consider it too risky, but I am not going to persuade you to my view either. Let’s agree to disagree.
Hope for the best. Prepare for the worst.
007, you are so right!!
If you will recall, i am strictly on Win7. I look after 120 Win7 systems.
Update:
Not one of those 120 machines has had a MICROSOFT update since May, 2017. That is 33 months now. not a single instance of any kind of a problem. Those machines are so stable and reliable that my phone rarely rings. My support work has fallen of by 90%.
Again, not one of them are in an enterprise. Just ordinary folk.
I did this 33 months ago because I decided the risk of fouling up these systems from allowing Microsoft updates was far greater than the risk of not installing them. 3,960 computer operation months later, the proof is positive.
CT
“You’re right, but consider… Susan’s audience is IT Pros. My audience is Dummies. Of which I am one.”-Woody
I agree fully with Woody.
For the average non-techie doctor, lawyer or college student, following Woody’s Defcon ratings are warranted and cause less man-hours repairing computers. Microsoft has been hostile and not transparent towards a portion of their users. Further, not all MS customers can spend huge amounts of time and money on MS products or new equipment.
Susan runs some Domain controllers and domain attached clients. When Susan says “all of the machines” under her control… I wonder what if she is saying all domain members machines and domain controllers. This not very helpful to the average Microsoft user.
I don’t like the logic here. You do not ignore something simply because it may be rare, if you don’t know how frequent it actually is. The risk is not worth it–if you [messed] up all of those computers under your control because you decided to go ahead, you’ve just made a whole lot more work for yourself in having to fix them.
There is no reason for an arbitrary time limit for when things become insecure. You are not at significantly more risk waiting two months to patch instead of one. If you have sane policies, it shouldn’t be a huge deal.
As for Ransomware–you should already have that mitigated. Not only the backups everyone mentions (which do at least require some downtime to implement), but also blocking unauthorized software from running and having proper Ransomware detection that would stop any ransomware before it gets very far, because it can detect thta files are getting encrypted in some way.
I don’t even worry about ransomware on my home computer, which isn’t as locked down, because I have multiple mitigation strategies for Ransomware employed. It’s no more scary than any other malware.
Bottom line, I don’t fine any of the logic used in Patch Lady’s post compelling. I would not follow her advice on this issue. I would only deploy if I had some way of knowing with reasonable certainty that I would not face the profile problem. I wouldn’t just assume that a problem is not widespread because we lack data.
And, no, I would not expect any security-minded organization to turn telemetry on. I expect it to be turned off on all software, not just Windows. The good it provides can be adequately substituted with a good IT staff that voluntarily reports data for bug reports and such, without risking sending data they don’t want to give out. There’s no need to trust a black box.
Windows 10 Pro ( 1903 )
I did an image first and then installed the Feb. updates this morning and surprise!, no bugs or profile problems to report. All went well.
No one runs to a tech forum announcing that they survived the update.
Actually, plenty do, and there’s even some here. Definitely a minority, but they do tend to repeat themselves a lot.
Group B for WIN7 w/ ESU, plus trying out Linux builds in dual boot.
And also looks like finally M$ recognize there are difficulties:
And also looks like finally M$ recognize there are difficulties:
Perhaps there is a bit of movement by Micr0$0ft, I don’t see a real solution yet.yes, a lot of adds and messages how great all other things are.
As for a common soul, I read mrs.Susans letters very careful, and try to learn. For the rest is Woodys “Defcon index” is leading, and will follow his advise. It surely has proven to be a “quiet” way to follow, as being a not-knowing-it-all consumer. X
Donations from Plus members keep this site going. You can identify the people who support AskWoody by the Plus badge on their avatars.
AskWoody Plus members not only get access to all of the contents of this site -- including Susan Bradley's frequently updated Patch Watch listing -- they also receive weekly AskWoody Plus Newsletters (formerly Windows Secrets Newsletter) and AskWoody Plus Alerts, emails when there are important breaking developments.
Notifications
