Patches are coming Tuesday. Make sure Windows Update gets locked down.

With Patch Tuesday arriving, this is the time to make sure that you have your patching mechanism thoroughly clogged. You’ll have to apply the May patches sooner or later but, as has been amply demonstrated many times recently, you’re better off letting the unwashed masses test them first.


This month should bring some interesting new developments on the Windows Update front. Microsoft is committed to shipping the new version of Win10, officially called the Windows 10 March Delayed to May 2019 Update, but better known to its friends as version 1903, later this month. It’s still in beta testing at this point.

As prelude to that momentous occasion, we’ve been promised a simple mechanism to block the rollout, known as “Download and install.” We’ve only seen “Download and install” once, and in a confusing way. Microsoft has to push the means to block 1903 at some point, if it hasn’t already. I expect that we’ll learn more tomorrow for Patch Tuesday.

I also expect Patch Tuesday to have yet another round of bug fixes for the Japanese date change bug that’s been hounding Windows for half a year.

In short, I don’t expect to see any patches tomorrow that you have to install, like, right now. Far more likely is a motley assortment of fixes, and another round of random bugs, some of them painful, introduced by the patches. Just like every other month in the past year or two.

Get Windows Update locked down on your machines, to avoid very unpleasant surprises.

Blocking automatic update on Win7 and 8.1

If you’re using Windows 7 or 8.1, click Start > Control Panel > System and Security. Under Windows Update, click the "Turn automatic updating on or off" link. Click the "Change Settings" link on the left. Verify that you have Important Updates set to "Never check for updates (not recommended)" and click OK.

Blocking automatic update on Win10 Pro

If you’re using Win10 Pro version 1803 or 1809, I recommend an update-blocking technique that Microsoft recommends for “Broad Release” in its obscure Build deployment rings for Windows 10 updates — which is intended for admins, but applies to you, too. (Thx, @zero2dash.)

Step 1. Using an administrative account, click Start > Settings > Update & Security.

Step 2. On the left, choose Windows Update. On the right, click the link for Advanced options. If you’re using Win10 version 1803 or 1809, you see the settings in the screenshot.

[Screenshot: Win10 version 1809 advanced update options. Credit: Woody Leonhard]

Step 3. To pull yourself out of beta testing (or, as Microsoft would say, to delay new versions until they’re “for broad deployment”), in the first box, choose Semi-Annual Channel.

Microsoft once declared that its old terminology is no longer in effect, then later declared that Win10 version 1809 is Semi-Annual Channel, using the old terminology, and thus ready for widespread deployment. Right now, you can find different terminology in different places, but Microsoft says Win10 version 1809 is certified fresh. You don’t have to agree — you get to choose whether to stay with 1803 or move to 1809. Even though I’ve upgraded my production machines to 1809, I can certainly understand if you don’t want to.

Step 4. To further delay new versions until they’ve been minimally tested, set the “feature update” deferral setting to 180 days or more. That tells the Windows Updater (unless Microsoft makes another “mistake,” as it has numerous times in the past) that it should wait until 240 days after a new version is released (60 days for Semi-Annual Channel + 180 days deferral) before upgrading and re-installing Windows on your machine.

Win10 version 1809 was nominally released on Nov. 11, 2018. Add 240 days and you get July 11, 2019. So if you’re running Win10 1803 and set it to update on Semi-Annual Channel, and you set the “feature update” deferral to 180 days, you won’t be forcibly upgraded to 1809 until July 11, at the earliest.

I have a feeling the terminology will change again in the next month or two. Don’t sweat it.

Step 5. To delay cumulative updates, set the “quality update” deferral to 15 days or so. (“Quality update” = cumulative update = bug fix.) In my experience, Microsoft usually yanks bad Win10 cumulative updates within a couple of weeks of their initial release. By setting this to 10 or 15 or 20 days, Win10 will update itself after the major screams of pain have subsided and (with some luck) the bad cumulative updates have been pulled or re-issued. Notably, in February 2019, it took Microsoft 18 days to fix its first-Tuesday bugs.

Step 6. Just “X” out of the settings pane. You don’t need to explicitly save anything.

Step 7. Don’t click Check for updates. Ever.

If there are any real howlers — months where the cumulative updates were irretrievably bad, and never got any better, as they were in July of last year — we’ll let you know, loud and clear.
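To confirm that the choices from Steps 3 through 5 actually stuck, here is a read-only PowerShell check, added as an example and not part of the original article. It assumes the Settings app on 1803/1809 stores these values under the `UX\Settings` registry key and that Group Policy equivalents, if any, sit under the `Policies` key; the thresholds mirror the article's recommendations.

```powershell
# Added example: read-only audit of the Win10 Pro deferral settings (Steps 3-5).
# Assumption: the Settings app (1803/1809) writes to UX\Settings, and Group
# Policy equivalents live under Policies\Microsoft\Windows\WindowsUpdate.
$ux     = 'HKLM:\SOFTWARE\Microsoft\WindowsUpdate\UX\Settings'
$policy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'

function Get-WuValue {
    param([string]$Name)
    # A policy value takes precedence over the Settings-app value.
    foreach ($path in $policy, $ux) {
        $item = Get-ItemProperty -Path $path -Name $Name -ErrorAction SilentlyContinue
        if ($null -ne $item) {
            return [pscustomobject]@{ Value = [int]$item.$Name; Source = $path }
        }
    }
    return [pscustomobject]@{ Value = $null; Source = 'not set' }
}

# Thresholds from the article: Semi-Annual Channel, 180+ days, 10+ days.
# BranchReadinessLevel 32 = Semi-Annual Channel, 16 = Semi-Annual Channel (Targeted).
$checks = @(
    @{ Name = 'BranchReadinessLevel';            Want = 'Semi-Annual Channel (32)'; Test = { param($v) $v -eq 32 } },
    @{ Name = 'DeferFeatureUpdatesPeriodInDays'; Want = '180 days or more';         Test = { param($v) $v -ge 180 } },
    @{ Name = 'DeferQualityUpdatesPeriodInDays'; Want = '10 days or more';          Test = { param($v) $v -ge 10 } }
)

$report = foreach ($c in $checks) {
    $found = Get-WuValue -Name $c.Name
    # An unset value means Windows Update runs with no deferral: flag it.
    $ok = ($null -ne $found.Value) -and (& $c.Test $found.Value)
    [pscustomobject]@{
        Setting  = $c.Name
        Current  = if ($null -eq $found.Value) { '(not set)' } else { $found.Value }
        Expected = $c.Want
        Source   = $found.Source
        Status   = if ($ok) { 'OK' } else { 'REVIEW' }
    }
}
$report | Format-Table -AutoSize
```

Any row marked REVIEW means the machine is not deferring as described above; run the check again after each feature update, since an upgrade can reset these settings.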

Tired old approach for Windows 10 Home

We’re hearing a lot of promises about the ability to delay cumulative updates in Win10 Home version 1903. I’ll believe it when I see it.

If you have Win10 Home, your only reasonable option is to set your internet connection to “metered.” Metered connections are an update-blocking kludge that seems to work to fend off cumulative updates, but as best I can tell still doesn’t have Microsoft’s official endorsement as a cumulative update prophylactic.

To set your Ethernet connection as metered: Click Start > Settings > Network & Internet. On the left, choose Ethernet. On the right, click on your Ethernet connection. Then move the slider for Metered connection to On.

To set your Wi-Fi connection as metered: Click Start > Settings > Network & Internet. On the left, choose Wi-Fi. On the right, click on your Wi-Fi connection. Move the slider for Metered connection to On.

If you set your internet connection to metered, you need to watch closely as the month unfolds, and judge when it’s safe to let the demons in the door. At that point, turn “metered” off, and just let your machine update itself. Don’t click Check for updates.

While you’re thinking about patching Windows, now’s a good time to download and squirrel away an official, free copy of Win10 version 1809.

We’re at MS-DEFCON 2 on AskWoody.

Copyright © 2019 IDG Communications, Inc.
