Post by Gene Wirchenko
The forced "upgrades" of Windows 7 systems to Windows 10 have me
concerned. I have not installed Windows upgrades for months now.
I am still concerned that Microsoft is going to try another
forcing. What I read in trade articles is not clear.
There are products to thwart GWX, like GWX Control Panel (the one that I
use but there are others, like Never 10 but that one only performs one
of GWX Control Panel's options). Those monitor for updates that you
attempt to install that include GWX (Get Windows 10). Another method,
if you have a non-Home edition of Windows so you have the policy editor
(unless you're willing to directly edit the registry since all policies
are registry entries), is to define an SRP (Software Restriction Policy)
that bars the execution of gwx.exe. Find where it got deposited and
create a Path rule for it. Disallow it. Now Windows will prevent GWX
from loading. Alternatively, you can create a registry entry to block
gwx.exe from loading (but that means you are allowing its install but
then neutering it). Of course, you are asking the burglar to
not burgle your home; i.e., you rely on a policy in Microsoft's Windows
to effect control over Microsoft's GWX. The following blog touches on
some in-built methods to block GWX:
You are the one doing the updating so you should be reviewing each
update that isn't obvious what it does (which is a lot of them). Don't
just swallow what Microsoft shoves into your mouth. Take little bites.
Decide which updates to allow by looking at them. If you allocate the role
of admin to yourself then you get the joy of doing the admin's duties.
You can be sloppy or you can be tight in regulating what updates get
installed in Windows 7. Not so with Windows 10 where the best you get
is to delay all of them or not accept some which means not getting any
If the Microsoft KB article linked to an update is missing or too vague,
you can often search on the KBxxxxxx number to see what others have
found. There is also the http://www.askwoody.com/ site that reviews or
exposes what many updates will do. However, the guy isn't infallible.
Just now he is guessing why nothing showed up on Patch Tuesday. What
I've heard is that Microsoft is delaying the updates for some critical
ones they want to include (see http://preview.tinyurl.com/jjyuxjv), like
an in-the-wild vulnerability with SMB. May not affect you but it is
used (see http://preview.tinyurl.com/zemvdz3).
I turn off Windows Updates until I am prepared for them (have the time
to install and possibly have to reboot, have image backups, and simply
feel like I want to do them). No, I don't just disable auto updates in
the WU client because that has been shown to still allow updates. I
disable the BITS and WU services. Not until *I* am ready do I reenable
those services and then use the WU client to determine if new updates for
my Windows instance are available and then I review each one. Often I
end up hiding an update, like those regarding the Experience telemetrics
crap to give Microsoft info about your deployment of Windows.
You do save image backups and have them scheduled (not just manually
instigated) at periodic intervals, right? While I use GWX Control Panel
and review each update, something might slip by. The easy way to back out
of an unwanted change is to restore from a backup. No, I'm not talking
about System Restore but real backups.
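
The hold-and-release routine described in the reply above (disable the BITS and Windows Update services, re-enable them only when ready to review updates), as an added example that is not part of the original post. The script layout, the `-Action` parameter and the state file path are assumptions made for this example; `BITS` and `wuauserv` are the Windows service names.

```powershell
# Added example: hold and release Windows Update by toggling the BITS and
# Windows Update (wuauserv) services. Run from an elevated prompt.
# $StateFile is a hypothetical location chosen for this example.
param(
    [Parameter(Mandatory = $true)]
    [ValidateSet('Hold', 'Release', 'Status')]
    [string]$Action,
    [string]$StateFile = "$env:ProgramData\wu-hold-state.xml"
)

$Services = 'BITS', 'wuauserv'

function Get-StartMode([string]$Name) {
    # Win32_Service reports Auto / Manual / Disabled and works on PowerShell 2.0.
    # Limitation: a "delayed start" setting is reported as plain Auto.
    (Get-WmiObject Win32_Service -Filter "Name='$Name'").StartMode
}

switch ($Action) {
    'Hold' {
        # Save the original start modes once, so a second Hold does not
        # overwrite them with "Disabled".
        if (-not (Test-Path $StateFile)) {
            $saved = @{}
            foreach ($s in $Services) { $saved[$s] = Get-StartMode $s }
            $saved | Export-Clixml -Path $StateFile
        }
        foreach ($s in $Services) {
            Stop-Service -Name $s -Force -ErrorAction SilentlyContinue
            Set-Service -Name $s -StartupType Disabled
        }
    }
    'Release' {
        if (-not (Test-Path $StateFile)) {
            throw "No saved state at $StateFile; nothing to restore."
        }
        $saved = Import-Clixml -Path $StateFile
        foreach ($s in $Services) {
            $mode = $saved[$s]
            if ($mode -eq 'Auto') { $mode = 'Automatic' }  # Set-Service spelling
            Set-Service -Name $s -StartupType $mode
            if ($mode -ne 'Disabled') { Start-Service -Name $s }
        }
        Remove-Item $StateFile
    }
}

# Always finish by showing the current state of both services.
Get-WmiObject Win32_Service |
    Where-Object { $Services -contains $_.Name } |
    Select-Object Name, StartMode, State
```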