For Patch Tuesday, verify you have 'Pause Updates' enabled

Credit to Author: Woody Leonhard | Date: Mon, 10 Feb 2020 12:13:00 -0800

Remember the frenzy after last month’s Patch Tuesday? How everybody and his twice-removed cousin — even the N forkin’ SA — told you to get patched immediately because of this big, spooky Crypto API security hole that was supposed to bring down Windows As We Know It, like, right now?

Guess what. It never materialized.

To its credit, Microsoft never said the Chain of Fools/CurveBall CVE-2020-0601 fix was a “Critical” patch. That didn’t keep most of the increasingly echo-like Windows blogosphere from crying, “Fire!”

If you prefer to wait and see if the latest Windows patches turn to dreck, there are a few simple steps to take right now.

The last free, pushed Win7 patches arrived a month ago.

If you paid for Win7 Extended Security Updates — yes, even a business of one can get them — you’re due a patch tomorrow. One little problem: We haven’t seen the patch and don’t know absolutely, for sure, how it’ll arrive.

If you haven’t paid for Win7 Extended Security Updates, we also don’t know what the morrow will bring. Windows 7 already has one manually downloadable patch to fix the bad patch last month (which introduced the “Stretch” black wallpaper bug) and I expect we’ll see a patch at some point to fix the “You don’t have permission to shut down this computer” bug. For now, there’s nothing pressing. See Patch Lady Susan Bradley’s Feb. 9 podcast for more details. 

I suggest you keep your powder dry by following the usual steps: Click Start > Control Panel > System and Security. Under Windows Update, click the “Turn automatic updating on or off” link. Click the “Change Settings” link on the left. Verify that you have Important Updates set to “Never check for updates (not recommended)” and click OK.

We’ll watch for any goofiness and alert you, as usual.

If you’re using Windows 8.1 (believed by many to be the most stable version of Windows currently on offer), click Start > Control Panel > System and Security. Under Windows Update, click the “Turn automatic updating on or off” link. Click the “Change Settings” link on the left. Verify that you have Important Updates set to “Never check for updates (not recommended)” and click OK.

Not sure which version of Win10 you’re running? Down in the Search box, near the Start button, type About, then click About your PC. The version number appears on the right under Windows specifications.

If you’re using Win10 1803 or 1809, I strongly urge you to move on to Win10 version 1903. Microsoft released it (to some consternation) in May of last year. It had a shaky start before plunging into a four-patch debacle in September/October, but now appears to be relatively stable. There are detailed step-by-step instructions for moving to Win10 1903 in “Why — and how — I’m moving Win10 production machines to version 1903.”

If you insist on sticking with Win10 1809 (thrice bitten, thrice shy, eh?), you can block updates by following the steps in December’s Patch Tuesday warning. Be acutely aware of the fact that Microsoft won’t be handing out any more security patches for 1809 Home or Pro after the May Patch Tuesday.

In version 1903 or 1909 (either Home, Pro, Education or Enterprise, unless you’re attached to an update server), if you followed my instructions last month, you already have “Pause Updates” set so patching resumes near the end of February.

Not sure if you’re sufficiently paused? To check, using an administrator account, click Start > Settings > Update & Security. If you’re paused until the end of the month or so, you don’t need to do anything. That’ll give you three weeks after Patch Tuesday to see if there are any bad bugs.

On the other hand, if pause is set to expire before the end of February, or if you don’t have a pause in effect, you should set up a patching defense perimeter that keeps patches off your machine for the rest of this month. Using that administrator account, click the “Pause updates for 7 days” button, then click it again and again, if necessary, until you’re paused out into March. (If you have a partial pause already in effect, you may need to click “Resume updates,” then reboot.)
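If you'd rather check the pause from a prompt than click through Settings, here is a read-only PowerShell sketch of the same test. It is an added example, not part of the original column, and it assumes the Settings app on Win10 1903/1909 records the pause end date as an ISO 8601 string in the `PauseUpdatesExpiryTime` value under `HKLM:\SOFTWARE\Microsoft\WindowsUpdate\UX\Settings`; that is observed behavior, not a documented interface, and it says nothing about machines managed by an update server or policy.

```powershell
# Added example: does the Windows Update pause last past the end of this month?
# Assumption: the Settings app stores the pause expiry in the value below
# (observed on Win10 1903/1909, not a documented API). Read-only; changes nothing.
$PauseKey   = 'HKLM:\SOFTWARE\Microsoft\WindowsUpdate\UX\Settings'
$PauseValue = 'PauseUpdatesExpiryTime'

function Get-PauseExpiry {
    param([string]$Path = $PauseKey, [string]$Name = $PauseValue)
    # A missing key or value means no pause is recorded.
    $raw = (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
    if ([string]::IsNullOrWhiteSpace($raw)) { return $null }
    try {
        # Normalise to UTC so the comparison below is not skewed by time zone.
        return [datetime]::Parse($raw, [cultureinfo]::InvariantCulture,
            [System.Globalization.DateTimeStyles]::AdjustToUniversal)
    } catch {
        Write-Warning "Unreadable pause value: $raw"
        return $null
    }
}

function Test-PausedPastMonthEnd {
    param([datetime]$Now = (Get-Date).ToUniversalTime())
    # First instant of next month: a pause ending before this expires "this month".
    $firstOfNext = [datetime]::new($Now.Year, $Now.Month, 1, 0, 0, 0,
        [System.DateTimeKind]::Utc).AddMonths(1)
    $expiry = Get-PauseExpiry
    if (-not $expiry)               { return 'No pause in effect' }
    if ($expiry -le $Now)           { return "Pause expired on $($expiry.ToString('u'))" }
    if ($expiry -lt $firstOfNext)   { return "Pause ends $($expiry.ToString('u')), before month end" }
    return "Paused until $($expiry.ToString('u'))"
}

Test-PausedPastMonthEnd
```

Anything other than the last result means you're in the "On the other hand" case above.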

For those of you who have been wondering about the “optional, non-security, C/D Week” KB 4532695 patch for Win10 1903 and 1909, it’s there, but you shouldn’t install it. For weeks I’ve been wondering why I didn’t see KB 4532695 offered on my 1903 machines as an additional update to “Download and install now.” @abbodi86 on AskWoody.com finally figured it out: If you’re running Win10 1909, you’ll see KB 4532695 offered as an additional update, as one would expect. But if you’re running Win10 1903, you have to have a specific combination of hidden and blocked patches before the optional KB 4532695 is offered.

Don’t be spooked. Don’t be stampeded. And don’t install any patches that require you to click “Download and install now.” They’ll be minimally tested and available soon enough.

If this month’s Patch Tuesday patches protect against any immediate, widespread problems — a rare occurrence, but it does happen — we’ll let you know here, and at AskWoody.com, in very short order.

We’re at MS-DEFCON 2 on AskWoody.
