Post by Noel on Dec 4, 2015 9:01:42 GMT -6
With Windows 10 Microsoft has decreed, "thou shalt keep up with all updates we choose to push on you, when we want to push them", and "some of our updates are entire operating system reinstallations". That's just stupid.
- Many folks just won't even put Windows 10 on real, critical computers because not controlling what gets put on your system, and when, simply isn't acceptable. Going further, an in-place upgrade every 4 months? Ridiculous.
- If you DO choose to run Windows 10 - even on a non-critical virtual machine just for testing - and you are a more or less normal human, you STILL want to control what updates are installed, and when they are installed.
If you find yourself in the latter category, this thread is for you.
Take heart: There ARE ways to control when you get Windows Updates, and even whether to not install them. Even better, it IS possible to set up a Win 10 system that's totally muzzled - i.e. is blocked from spilling your beans online with all the servers it wants except when you allow communications.
This is a pretty big subject, so I'm going to provide an overview, then the discussion can wind down into various specifics.
An Overview for Muzzling Windows 10
If your IQ is above 60, chances are you are concerned about privacy, because you know that in the information age what someone else knows about you CAN hurt you.
Windows provides a base filtering platform and firewall implementation on top of it, and these really work. There are a number of "privacy" settings, both overt and in the registry, and there is simply a LOT of software running that you may not need nor want running.
What works to really quiet Win 10 down are these things:
- Switch to a deny-by-default outgoing connection strategy. I use Sphinx Windows 10 Firewall Control for this.
- Get to know Microsoft's stance on privacy and review your privacy settings. Start by reading: this
- Once you've tweaked settings, download and run a privacy tool, e.g., O&O ShutUp10 (the one I use)
- Since Win 10 is "cloud-integrated", various components want to talk online. Uninstall the ones you don't need/want.
An Overview for Controlling Windows Updates in Windows 10
Microsoft would like you to believe that Windows Updates are inevitable. In fact that's false; they're just trying to change the culture. They don't WANT you in control of your system. Why? Because their being in control of it is better for them. To be thorough I must note that they have done some things that inevitably lower the level of our control, such as rolling all updates into "cumulative" blobs (recall my note at the start of this post about rejecting Windows 10 for real work).
But we can still choose WHEN to consider installing updates, WHETHER to install particular updates (such as hardware driver updates), and certainly IF you want your computer hosting updates for your neighbors.
What works, in light of the above, to restore some control over updates are these things:
- There is a configuration setting to choose whether to participate in the peer-to-peer updating process.
- There's a Group Policy setting for informing Windows to await your input before checking for updates.
- The Windows Update service can be Disabled, then temporarily re-enabled and started when checking for updates.
- For some reason the Windows Firewall service must be running to successfully update.
- Your firewall setup can of course be configured/reconfigured to block or allow updates.
Working the System
Recalling that the goals in all this are to have a system that respects your privacy, but which allows you to request a list of available updates on demand, lets you review them to determine whether any may be troublesome, and finally allows you to request their installation - all without excessive ongoing effort, here's an overview of how it actually works in practice.
When I hear of updates from others online, or find time to think about updates and want to check to see what's available, what I do is this:
- Start the Windows Firewall service (I keep it on Manual, but it's required to complete an update).
- Change the Windows Update service from Disabled to Manual. Normally it cannot run.
- Start the Windows Update service.
- Set the Windows Update service back to Disabled (so it won't start on next bootup).
- Initiate an update check via Microsoft's "WUShowHide" tool (KB3073930).
- Review the list of what's available.
- If an update worth having shows up, initiate the Windows Update via the Settings panel.
- Upon successful update installation and prompt for reboot, do so.
I have experimented with keeping my firewall set to not allow any communications by the various system processes/services, which then requires a firewall reconfiguration for every update attempt, but it actually looks like it is possible to keep it set to where update servers are always whitelisted. Selectively blocking / running the Windows Update service keeps updates from happening when not wanted.
I'll expand on all the above items as I find time, ideally to the point where you can follow in my footsteps as you like.
-Noel
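
The first five steps of the routine in the post above, written as a PowerShell script for an elevated prompt. This is an added example, not part of Noel's post: `MpsSvc` and `wuauserv` are the standard Windows service names for the Windows Firewall and Windows Update services, and the `wushowhide.diagcab` path is an assumed download location for the KB3073930 tool.

```powershell
#Requires -RunAsAdministrator
# Added example (not the poster's code): on-demand update check.
# MpsSvc   = Windows Firewall service, wuauserv = Windows Update service.
# $WuShowHide is an ASSUMED location for the KB3073930 "WUShowHide" tool.
param(
    [string]$WuShowHide = "$env:USERPROFILE\Downloads\wushowhide.diagcab"
)
$ErrorActionPreference = 'Stop'

# Startup type as the Service Control Manager records it (Auto/Manual/Disabled).
function Get-StartMode([string]$Name) {
    (Get-CimInstance Win32_Service -Filter "Name='$Name'").StartMode
}

# Step 1: the firewall service must be running for an update to complete.
if ((Get-Service -Name MpsSvc).Status -ne 'Running') {
    Start-Service -Name MpsSvc
}

try {
    # Steps 2-3: a Disabled service cannot be started, so switch to Manual first.
    Set-Service -Name wuauserv -StartupType Manual
    Start-Service -Name wuauserv
}
finally {
    # Step 4: always put the startup type back, even if the start failed.
    # A running instance keeps running until it stops or the machine reboots;
    # Disabled only prevents the next start.
    Set-Service -Name wuauserv -StartupType Disabled
}

# Confirm the state before going further: running now, but not at next boot.
$status = (Get-Service -Name wuauserv).Status
$mode   = Get-StartMode 'wuauserv'
Write-Host "wuauserv: status=$status, startup=$mode"
if ($mode -ne 'Disabled') {
    throw "wuauserv startup type is '$mode'; expected Disabled."
}

# Step 5: open the WUShowHide troubleshooter to list what is on offer.
if (Test-Path -LiteralPath $WuShowHide) {
    Start-Process -FilePath $WuShowHide
} else {
    Write-Warning "WUShowHide not found at $WuShowHide; pass -WuShowHide <path>."
}

# Steps 6-8 stay manual: review the list, then install from the Settings panel,
# which can be opened with: Start-Process 'ms-settings:windowsupdate'
```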