Windows 10 version 1709 blocking security updates?

Martin Brinkmann
Nov 26, 2017

Windows 10 users and administrators who set a policy to delay the deployment of feature updates on machines running Windows 10 may notice that cumulative security updates are not installed on systems with this configuration either.

Microsoft moved policies around a bit in the Fall Creators Update for Windows 10. Administrators and users have two options when it comes to delaying the installation of updates. One delays the installation of quality updates (the cumulative updates that Microsoft releases at least once a month), the other delays the installation of feature updates.

Feature updates are major updates for the operating system that are released twice a year by Microsoft.

When you delay the installation of feature updates in Windows 10 version 1709, Windows 10 may not install quality updates that include security updates as well.

delay feature updates

Windows 10 admins can set the policy under Local Computer Policy > Computer Configuration > Administrative Templates > Windows Components > Windows Update > Windows Update for Business > Select when Preview Builds and Feature Updates are received.

The setting "After a Preview Build or Feature Update is released, defer receiving it for this many days" can be set to a value between 0 and 365 (days). If the value is set to any positive number, Windows 10 no longer picks up cumulative updates, according to the report.

Switching the value back to 0, or disabling the policy altogether (which has the same effect), has Windows 10 pick up the missing cumulative updates immediately according to the user who reported the issue on Microsoft's Technet forum.

A manual check for updates in the Settings application will find any update but cumulative updates. Updates for the Malicious Software Removal Tool or Flash Player are found for instance.

In a follow-up message, the thread starter suggests that setting the deferral time in the Settings application causes the issue as well. This is found under Settings > Update & Security > Windows Update > Advanced Options > Choose when Updates are installed.

Several other users confirmed the issue in the thread. Microsoft has yet to confirm the issue however.

Administrators may install the missing updates manually by downloading the updates from the Microsoft Update Catalog website.
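An administrator can check whether a machine matches the reported condition by reading the deferral values and comparing them with the install date of the newest update. The script is an added example and not part of the original article. The registry locations, the function names and the 35-day threshold are assumptions that the article does not give.

```powershell
# Added example: report update-deferral settings next to the age of the newest
# installed update, so machines matching the article's description stand out.
# Registry locations and the 35-day threshold are assumptions, not from the article.

$PolicyKey   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'  # Group Policy
$SettingsKey = 'HKLM:\SOFTWARE\Microsoft\WindowsUpdate\UX\Settings'       # Settings app
$MaxPatchAge = 35   # days; quality updates ship at least monthly

function Get-RegistryNumber {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or value is absent (setting not configured).
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$Name
}

function Get-UpdateDeferralReport {
    $release = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').ReleaseId

    # Read both places a deferral can be set: the policy and the Settings application.
    $deferrals = foreach ($source in @(
            @{ Origin = 'Group Policy'; Path = $PolicyKey },
            @{ Origin = 'Settings app'; Path = $SettingsKey })) {
        [pscustomobject]@{
            Origin      = $source.Origin
            FeatureDays = Get-RegistryNumber $source.Path 'DeferFeatureUpdatesPeriodInDays'
            QualityDays = Get-RegistryNumber $source.Path 'DeferQualityUpdatesPeriodInDays'
        }
    }

    # Newest installed update; entries without an install date are skipped.
    $latest = Get-HotFix |
        Where-Object { $_.InstalledOn } |
        Sort-Object InstalledOn -Descending |
        Select-Object -First 1
    $ageDays = if ($latest) { [int]((Get-Date) - $latest.InstalledOn).TotalDays } else { $null }

    # $null -gt 0 is False, so unset values do not count as a deferral.
    $featureDeferred = [bool]($deferrals | Where-Object { $_.FeatureDays -gt 0 })
    $stale = ($null -eq $ageDays) -or ($ageDays -gt $MaxPatchAge)

    [pscustomobject]@{
        ReleaseId        = $release
        Deferrals        = $deferrals
        LatestUpdate     = if ($latest) { $latest.HotFixID } else { 'none found' }
        LatestUpdateAge  = $ageDays
        FeatureDeferred  = $featureDeferred
        # Flag only the combination the article describes: 1709, a positive
        # feature-update deferral, and no update installed within the threshold.
        NeedsReview      = ($release -eq '1709') -and $featureDeferred -and $stale
    }
}

$report = Get-UpdateDeferralReport
$report.Deferrals | Format-Table -AutoSize
$report | Select-Object ReleaseId, LatestUpdate, LatestUpdateAge, FeatureDeferred, NeedsReview |
    Format-List
```

A machine reported with NeedsReview set to True is a candidate for the two remedies the article names: setting the deferral back to 0, or installing the missing update from the Microsoft Update Catalog.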

Publisher
Ghacks Technology News

Comments

  1. Stefan said on November 28, 2017 at 2:06 am
    Reply

    Windows 10 LTSB 2015 is a good version of Windows 10. By good, I mean that feature updates aren’t installed unless you do it manually! No Cortana, no store, no apps and so on. “Basic telemetry” will still be sent to Microsoft and their “partners” (NSA?). I did run it virtually for a while. Less buggy than any other Windows 10 version, but buggy!

    Don’t worry about the bugs in Windows 10, they are new “features by design”!

    I have stayed on Windows XP x64 and 7 x64 + some Linux distros. I trust Linux more than I trust Microsoft!

    1. cheaterslick said on November 30, 2017 at 3:35 am
      Reply

      “Windows 10 LTSB 2015 is a good version of Windows 10”

      You’re talking about a version most people don’t have access to. If people did, we wouldn’t be having this conversation.

      It’s unrealistic and unhelpful.

  2. dark said on November 28, 2017 at 12:04 am
    Reply

    Instead of VirtualBox or VMware Player, you should install QEMU if you want near native performance 95-98%.

    To install on Linux Mint/Ubuntu:

    sudo apt install virt-manager qemu qemu-kvm qemu-system qemu-utils libvirt-bin virt-viewer virtinst gir1.2-spice-client-gtk-3.0

    Once it’s done installing, restart PC.

    Then open Virtual Machine Manager from Menu to install Windows on it.

  3. jasray said on November 26, 2017 at 5:34 pm
    Reply

    Old news:

    https://www.ghacks.net/2015/10/10/windows-update-minitool-is-a-third-party-client-for-updating-windows/

    Old tools may work fine, but the issue is much different–“When you delay the installation of feature updates in Windows 10 version 1709, Windows 10 may not install quality updates that include security updates as well.”

    Anyway, thanks for the notes, Martin.

  4. Agent Smith said on November 26, 2017 at 2:20 pm
    Reply

    I agree with InGSoC 1000 times. It is an amazing tool. I use it 99% of the time.

    WARNING!
    This tool is made by Russians, so if somebody has Russophobia, don’t use it. (just kidding).

  5. InGSoC said on November 26, 2017 at 2:09 pm
    Reply

    Hello all.

    There is a Tool for that, called Windows Mini Update Tool, no install needed, for x86 and x64 Bit Systems.

    Within that Tool, u take back Control over Windows Updates and which u wanna install or hide and so on, like Windows 7 did.

    U also can set Windows Updates to disabled and check manually etc. Google it, check with Security Program, then unzip, choose x86 or x64, set Settings, done… and the Problem is gone.

    Using it since 1607 and I am on 1709 now.

    Greets, InGSoC.

    1. powe said on November 26, 2017 at 5:44 pm
      Reply

      Hi, I only read the description a bit but no one seems to mention the Home version. Is it working on the Home version too? Because the Home version cannot disable updates.

      1. Sophie said on November 27, 2017 at 4:26 pm
        Reply

        @powe – not true……..Home version CAN disable update. Just go to services.msc and disable BITS and Windows update. But also have to check certain schedules, as it can sometimes turn itself back on again.

      2. Agent Smith said on November 26, 2017 at 6:46 pm
        Reply

        Yes. I have Lenovo Flex laptop with Windows 10 1709 and I just used Mini Update Tool. Works without problem.

  6. AnorKnee Merce said on November 26, 2017 at 11:37 am
    Reply

    If this is true, it’s no surprise.

    Since the launch of Win 10 on 29 July 2015 with forced auto-cumulative-updates/upgrades and forced Telemetry & Data collection, Windows Update has become like a malware, even for Win 7/8.1. Remember M$’s aggressive GWX KB3035583 campaign against Win 7/8.1 users?

    Windows Update for Win 7/8.1 users who had rejected GWX KB3035583 and Telemetry KB2952664, was ‘somehow’ borked from April 2016 to Jan 2017. The affected users had to manually install security updates, one-by-one, via M$ Update Catalog. Such users who had to clean reinstall Win 7/8.1 were in deep sheet, ie about 200 pending important updates. In Oct 2016, M$ imposed Patch Rollups for Win 7/8.1 = to be like Win 10.

    In April 2017, M$ used Windows Update to install processor-blocking updates(in the monthly Patch Rollups) on Win 7/8.1 computers, ie to block Win 7/8.1 computers running Intel Kabylake and AMD Ryzen processors from receiving any Patch Rollups.

    In the Win 10 EULA, M$ can stop sending cumulative updates if the OEMs have stopped supporting their peripheral devices in Win 10 computers or the Win 10 Version has reached EOL, eg Version 1507/RTM and 1511. It may be illegal for M$ to stop cumulative updates for Win 10 Version 1709 users who have deferred feature updates or Version-upgrades. Maybe M$ has recently changed the EULA.

    So, in Aug 2016, I was able to learn to move to Linux as I am just an ordinary home-user and kept my Win 7 SP1 as a spare computer. Most business-users and professionals are stuck with Windows which has an effective market-monopoly.

    1. AnorKnee Merce said on November 26, 2017 at 7:46 pm
      Reply


      Just recently, M$ have acknowledged that they have been auto-upgrading Win 10 Pro Version 1703 computers to Version 1709 even if they have been set to defer until CBB or SAC.

      If the above news article about the change-in-policy by M$ is true, it means that M$ are in desperate need of non-paid(= slaves) Win 10 Pro Beta-testers, in order to service their VIP Win 10 Ent existing and prospective users.

      Windows Ent is M$’s cash cows. Shortage of Win 10 Pro Beta-testers will result in Win 10 Ent OS instability and constant buggy updates = many Win 7/8.1 Ent users refusing to upgrade to Win 10 Ent right up to EOL in 2020/2023 = M$ may be forced to extend the EOL for Win 7/8.1 = M$ lose profit$.
      … Some Win 7/8.1 Ent users may even tell M$ that they will move to MacOS or Linux = M$ lose profit$.

  7. Sophie said on November 26, 2017 at 11:07 am
    Reply

    Not everyone may agree with me, but my solution to Windows 10 and forced updates was to totally “freeze” at 1607 back around March 2017, totally disabling updates via services, fully disabling Cortana, locking down on every privacy setting possible, numerous registry changes, disabling of Defender, many other tweaks and hacks, extensive use of Hosts, large amounts of filters and controls in UblockO, many Task Schedules removed, some other services disabled…..and then to run almost everything in a Virtual Machine, and cloning both the main PC and VM at very regular intervals…..and using a very well set up hardware and software firewall and running with VPN almost 100% of the time, which offers its own integral firewall.

    As a result, my installation is truly truly under my control. I don’t need to fear that the bulk 3 intricate months it took to set up everything just as I want it can be ruined or undone at a stroke, by some daft untested change that Microsoft spring on me. “Completely effectively reinstalling” the whole OS twice a year is completely unacceptable to me. You are totally at the mercy of Microsoft’s dreadfully poor testing regime. And for what? Most of what they are doing now is utterly of no interest to me. I put stability way way more important than some pointless new facility that could (and likely would) ruin the many hours spent setting things up just right.

    In my view, the worry of hacking etc is very overblown, and the threat of Microsoft stuffing up my system is BY FAR a greater risk than any virus, ransomware….etc.

    And even if that did happen, I have three external HDDs which are rotated with up to 30 clones on each HDD. That’s up to 90 separate clone-“restore-points”, at any given time. And spending most time in the Virtual Machine, leaves the core machine strong and robust, with numerous “saved states” within the VM, should something occur there.

    In the end, Microsoft lost my trust a long long time ago. It’s been a protracted process of loss of trust. The end result is a rock solid Windows 10 system that now stands at around 9 months worth of work and development, that Microsoft cannot touch or harm. I live without the worry that they will damage it, or put things on there out of my control. It’s [my] install and not theirs. I honestly could not care less about what Microsoft are doing now with their Windows-as-a-Service. I just want stability and control, and to know that each day I come to my PC, it’s going to be just as I left it. Truly locked down, and truly mine.

    1. ilev said on November 27, 2017 at 8:52 am
      Reply

      “..that Microsoft cannot touch or harm…” Wrong !

      Microsoft can format your PC, lock your PC… remotely.
      You don’t own the copy of Windows you are running, you have just a license to use the OS and it is Microsoft’s property to do whatever Microsoft pleases, it’s all in the EULA you have signed.

      I stopped all updates for my Windows 7 SP1 3 years ago.

      1. Sophie said on November 27, 2017 at 10:17 am
        Reply

        @ilev – that’s theoretically true, but highly unlikely. I have a hardware firewall well set up, but also a software firewall with a great visual dashboard that tells me just what is going on on my network at any given moment. Very little goes un-noticed!

        So while what you say could happen, I seriously don’t think it will.

        I get you though…..Microsoft have really damaged themselves, and the mere fact that you write what you have written, demonstrates the mis-trust….and to some extent, the fear.

        I myself stopped updates on older Win7 boxes quite a bit longer than three years ago. I was very selective at first, and when I saw those “Compatibility updates” before Win10 came along (the pre-cursor to the Update to Win10 nag popups), I was highly on guard, and drifted further and further away from almost any update at all…at that time. Trust was ebbing away.

        So absolutely, I understand why you take this position.

    2. Tom Hawack said on November 26, 2017 at 4:43 pm
      Reply

      Main point is that you are comfortable with the result.

      1- Intensive tweaking is the only way to get things as we want them, but requires knowledge and includes personal preferences that could make it difficult to be applied on all systems should the “tweaker” share his work. It seems you’ve eyed up and down god himself :) I have as well but certainly far less since the OS is Win7.

      2- Blocking Win10 updates is understandable considering the tsunami some (most?) of them provoke. But what about “pure” security patches? I proceed as you but on Win7 and stopped updating starting October 2016, but Win7 is mature when Win10 is still animated by a youth’s eccentricities …

      Anyway, nice work! “Do it to them before they do it to you” suffers no debate when it comes to Microsoft and at least a handful of other biiig, huuuge companies!

      1. Sophie said on November 27, 2017 at 9:08 am
        Reply

        @Tom, I too, am a privacy nut, and hope and believe that I have this area fairly well considered and mitigated against. So consider then, the possibility that ‘any’ future Win10 update could bring along with it any number of privacy-breaking issues, that are not switchable by radio buttons, and that we’d never know about. Thinking of 3-letter Agencies here of course, and collaborations. Microsoft already bypass the Hosts file, in several places, and being closed source, none of us…really none of us, truly know what is calling the mothership. At least with a fully locked down install (as I first described), one can allow oneself to believe that they have covered all that they can, and that at least the privacy situation is “static”, ie: that updates can’t move the goal posts all over again.

        With Linux, I tried it, but like you….Windows since year-Dot…. it just feels “uninviting”. After an old Win7 install started inexplicably blue-screening in August this year, I did install Linux Mint on that SSD – and I felt what I had felt the last time I tried Mint, that I just didn’t feel compelled to keep using it. It seemed odd, and idiosyncratic, but that’s really just me and the old learning curve conundrum.

        People often say that when EOL is reached, that they’ll shuffle on to something else. But with wise usage, and proper care and attention to your install, why should anything run out of steam or change? That install will continue working just as it did before…patched or unpatched. Personally, I think people often ‘overthink’ this whole area, and attacks or vulnerabilities….while they certainly exist, are likely rare if you have your bases covered as I hope I do.

        You refer to moving to XP from ’95. But that really was a significant and big evolutionary step. The trouble is now, that “maturity” is reached, and what Microsoft are adding to their OS is no longer of any interest to me whatsoever.

        And that makes the decision about the “risk” of their updates being far greater than any risk of security vulnerabilities, a much easier decision, in terms of how to proceed for the future.

      2. Tom Hawack said on November 26, 2017 at 8:42 pm
        Reply

        @Sophie, I must admit that in the ‘possible security enhancement’ versus the “likely destructive patch” I follow the same reasoning as you, I’ve been taking the chance for a year now, that is for what is concerned by ‘Windows Update’ only, remaining attentive as you must be to all advisories which may be followed independently of the MS patches.

        Windows 10 here at home? Because I don’t obey to Windows Updates for Win7 I won’t even have the OS’s EOL (2020) as a limit for my indecision and things could carry on quietly for years or at least until the home pc is either on its last legs or outdated in terms of power required to embrace the Web’s latest technologies. I certainly should anticipate the laws of nature and start moving before I fall.

        I admit I have some hope in a Windows 10 gracefully rendering the issues of youth in order to become in the short term (subjective, I’ll consider 2 years as short) an OS closer to my expectations in terms of privacy. One never knows :) I have in mind an escape, that of Linux, not really an oasis in my perspective given I’ve been fed by Windows ever since I touched a PC together with a more valuable reason which is that Linux seems to be problematic and not issue-free (security included).

        Then I recall the big step XP seemed to be when I had lived with and loved ’95 for years. I guess we remain adaptable to far more than we’d expect. But I wouldn’t want this adaptability to understate that I’d forget my privacy concerns, even if I consider that as a possibility should a new era embrace me regarding my very conception of privacy… hard to tell what values are linked to changing references in time and what would be universal and eternal. I’d fear that respect, friendship become outdated references. Life is often odd and never predictable, at least on the long term.

        We’ll see. The ‘dolce vita’ combined with another Latin root, ‘carpe diem’ are temptations which may lead to a “later” :) What a sinner I am!

      3. Sophie said on November 26, 2017 at 7:12 pm
        Reply

        Thanks Tom, I appreciate your observations on my take on it.

        With regard to “pure” security patches, I have considered trying to access these in isolation, but you know what…. I largely don’t care, in as much as “I just can’t take the risk”. I know there are bad actors out there, but over the years, I’ve come (sadly) to see Microsoft as a much greater threat than all others, and if that means sacrificing a decent, worthwhile security patch in exchange for peace of mind….. so be it. A lot of security boils down to good common sense. We seem to be taught to update at all costs, but sometimes, if our investment of time [that can never be replaced], can be undone at a stroke, I feel that it’s not worth the risk.

        Perhaps you may try Windows 10 some time, with that kind of approach? Despite what many may write, it’s a very decent operating system. It’s just that Microsoft’s current update model can break it too easily, and they really don’t seem to much care.

  8. TelV said on November 26, 2017 at 9:42 am
    Reply

    Being forced to accept automatic updates on Windows 10 was one of the aspects which deterred me from upgrading to it in the first place. Placing your trust in Microsoft to get it right has already led to a number of instances whereby users’ machines have been bricked by an update and this latest example is yet another manifestation of the flawed concept of Windows as a service which Microsoft has switched to.

    Windows 8.1 which I have installed will be supported until January 1, 2023 but I’ll switch to a Linux distro after that unless there’s a change of heart at Microsoft.

    1. Jody Thornton said on November 26, 2017 at 5:13 pm
      Reply

      I’m running the original Windows 8 RTM with updates from Server 2012, and it makes for a nice, stable and predictable environment. But for Windows 10 users, I feel for the problems they face.

      I could see Windows as a Service working, since everything would be up to date – all the time. Everyone should be at the same feature, performance and security levels, so there is less for support teams to diagnose or guess at fixing. And moreover, it seems to work with the Mac environment. Mac OSX has been in existence as a product line since March 2000, yet it’s a VERY DIFFERENT animal today, than it was then. How successful has its evolution been with users?

      And why would Microsoft want to make its own situation difficult by bricking PCs with updates, or sending bad patches? Is it that they are updating too often, or is it that they are sending along too many big features at once? I just can’t tell.

      @TelV, as for your Linux comment, I am looking at Q4OS with great interest. I’m hoping Wine improves enough over the next while so I can run a couple of applications with it, and then I could switch. But I really do like Windows 8.

      1. dark said on November 28, 2017 at 2:13 am
        Reply

        Instead of VirtualBox or VMware Player, you should install QEMU if you want near native performance 95-98%.

        To install on Linux Mint/Ubuntu:

        sudo apt install virt-manager qemu qemu-kvm qemu-system qemu-utils libvirt-bin virt-viewer virtinst gir1.2-spice-client-gtk-3.0

        Once it’s done installing, restart PC.

        Then open Virtual Machine Manager from Menu to install Windows on it.

      2. Jody Thornton said on November 27, 2017 at 5:03 pm
        Reply

        @Jim:

        Well I’ll be getting updates for Windows 8 for the next six years (basically as long as Windows Server 2012 has support), so I have awhile to decide. But the VM idea could be a good one.
        :)

      3. Jim said on November 27, 2017 at 3:41 pm
        Reply

        Jody Thornton, have you considered installing Linux as your host OS, and VMWare Workstation Player with Windows 8 RTM as your VM guest OS? In this way, you could bypass Wine altogether, instead having the real thing (Windows) rather than the “patch” (Wine).

        This has the added benefit of allowing you to begin your switch to Linux immediately rather than when W8 RTM goes out of support.

      4. Jody Thornton said on November 27, 2017 at 5:55 am
        Reply

        @Martin, I made a response to TelV here. Was there an issue with my post? Thanks
        :)

      5. Jody Thornton said on November 26, 2017 at 11:06 pm
        Reply

        @Telv:

        This all started because my two Xeon chips have a slight incompatibility with Windows 8.1 x64 (it can only run the x86 versions of Windows 8.1 or 10), so I went with Windows 8 instead (so I could run the x64 build). Besides – consider the following:

        * those patches you mention, I get them from Windows Server 2012, so I apply those updates manually on Windows 8. That appears to be continuing until October 2023 by the way, extended from January.

        * Just checking, and I think you need to already be running Windows 8.1 to install KB2919355.
        * You’re right, Windows 8.1 has the same UI, and most of the improvements to Windows 8.1 and Update 1 have to do with the Metro portion of the product, not the regular Explorer UI.
        * As for me missing patches (see my first point), but I also miss out on these goodies: blocked CPUs, telemetry collection, GWX, and the like. Windows 8 is old enough for Microsoft to leave me alone, but new enough to run up to date software.

        Here’s the thread on all of this from MSFN:
        http://www.msfn.org/board/topic/175105-server-2012-updates-on-windows-8/

      6. AnorKnee Merce said on November 26, 2017 at 7:53 pm
        Reply

        @ Jody T

        When Nadella took over M$ in 2014, he soon laid off the QC and Testing Dept, thinking that he will always have more than enough unpaid Windows Insiders and Win 10 Beta-testers to fine-tune each new Version of Win 10. He thought wrong.
        … I think 1 to 2 years after the launch of Win 10, the novelty of being Windows Insiders had mostly worn-off for the hipsters = OS upgrade instability and buggy updates.

        Free Wine has been developed, maintained and sponsored by Codeweavers Inc who also sells the Wine-based Crossover program for Linux and MacOS. Seems, the free Wine for Linux program is not very usable and could not run most modern Windows programs.

      7. TelV said on November 26, 2017 at 5:53 pm
        Reply

        @ Jody,

        Why don’t you just install KB2919355 which is the 8.1 update? That way, your support package which has already expired on Windows 8 will be extended to January 1, 2023.

        You’ll have some work to do of course since you’ll be missing a multitude of patches which have been released since then, but if you like Windows 8, then 8.1 has the same UI. https://support.microsoft.com/en-gb/help/2919355/windows-rt-8-1--windows-8-1--and-windows-server-2012-r2-update-april-2
