By Woody Leonhard,
Some people believe that you need to get new Windows and Office patches installed the minute they roll out the Windows Update chute. Those who snooze get bit by malware, or so the theory goes.
In fact, we’ve seen very few instances in the past years where a newly patched security hole has turned into a widespread security threat in less than a few weeks. If you’re protecting uranium enrichment centrifuges from deep-pocket adversaries, all bets are off, of course. But for normal, everyday Windows users, the chance of getting bit by a bad patch far outweighs the immediate threat to your trusty ol’ PC.
Yes, you need to get patched eventually.
Those of you running Windows Server 2008 R2 through 2019, for example, had to install the August patches within five weeks of release to avoid the ZeroLogon threat. It’s an unusually gnarly security hole, and it took the bad guys five weeks to crack. But for the vast majority of Windows users, waiting a couple of weeks to get the latest patches applied doesn’t hurt a bit — and it gives Microsoft a chance to fix the bugs they invariably introduce.
If you don’t do anything, you get to beta test the patches as soon as they come out. I salute your allegiance to the politically correct cause — and urge you to report any problems on AskWoody.com. But if you temporarily pause updating, you can sit back and watch as we crowdsource patch quality control. Install the patches on your own schedule, not Microsoft’s.
Those who paid for Win7 Extended Security Updates should be cautious about installing patches immediately. Those who didn’t will either ignore the patches (large majority there), or wait to see whether any free alternatives appear. 0patch has filled in several cracks, including a ZeroLogon Server 2008 R2 micropatch that works even if you haven’t paid for Extended Security Updates.
If you’re using Windows 7 or 8.1, click Start > Control Panel > System and Security. Under Windows Update, click the “Turn automatic updating on or off” link. Click the “Change Settings” link on the left. Verify that you have Important Updates set to “Never check for updates (not recommended)” and click OK.
By now, almost all of you are on Windows 10 version 1903 or later. Not sure which version of Win10 you’re running? In the Search box near the Start button, type winver, then click Run command. The version number appears on the second line.
If you’re using Win10 1803 or 1809, I strongly urge you to move on to Win10 version 1909. If you insist on sticking with Win10 1809, you can block updates by following the steps in December’s Patch Tuesday warning. Be acutely aware of the fact that Microsoft won’t be handing out any more security patches for 1809 Home or Pro after Nov. 10. The Fat Lady sings next month.
If you’re tempted to move to version 2004, I say wait. There’s a huge bunch of bug fixes poised to be released this week — and the benefits of 2004 are tiny at best. If this month’s cumulative update for 2004 doesn’t introduce any spectacular problems, I’ll likely move on to 2004 next month. At that point, having a clean copy of Win10 version 2004 in your hip pocket will make life much simpler, especially if Microsoft has started pushing version 20H2 by then.
My general recommendation relies on the Pause updates feature introduced in version 1903. But if you’re willing to dig a little deeper, and you’re running Win10 Pro, Education, or Enterprise, you might want to rummage around in the Group Policy Editor, and set this policy:
Configure Automatic Updates = Enabled, value = 2 Notify before downloading and installing any updates.
PKCano has an extensive, step-by-step discussion of the setting and its uses in AKB 2000016, Guide for Windows Update Settings for Windows 10.
If you’d rather take the easier Pause updates approach, using an administrator account, click Start > Settings > Update & Security. If your Updates paused timer is set before early November (see screenshot below), click Resume Updates and let the automatic updater kick in — and do it before noon in Redmond on Oct. 13, when the Patch Tuesday patches get released.
Use an admin account to pause updates.
If Pause is set to expire before the end of October, or if you don’t have a Pause in effect, you should set up a patching defense perimeter that keeps patches off your machine for the rest of this month. Using that administrators account, click the Pause updates for 7 days button, then click it again and again, if necessary, until you’re paused out into early November. (Note that the next Patch Tuesday falls on November 10.)
If you see an invitation to “Download and install” version 2004 (as shown in the screenshot), my advice at this point is to turn down the offer. Don’t click anything.
Don’t be spooked. Don’t be stampeded. Don’t click “Check for updates.” And don’t install any patches that require you to click “Download and install.”
If there are any immediate widespread problems protected by this month’s Patch Tuesday — a rare occurrence, but it does happen — we’ll let you know here, and at AskWoody.com, in very short order. Otherwise, sit back and watch while our usual monthly crowdsourced patch watch proceeds. Let’s see what problems arise.
We’re at MS-DEFCON 2 on AskWoody.
Woody Leonhard is a columnist at Computerworld and author of dozens of Windows books, including “Windows 10 All-in-One for Dummies.”
Copyright © 2020 IDG Communications, Inc.
Copyright © 2020 IDG Communications, Inc.