
Windows 10 patches – will you get them no matter what?

What does the wording about updates being "available automatically" in the Windows 10 Specifications really mean?

Ever since the Windows 10 Insider Preview came out, people have been speculating about how Windows Update will work in the new release.

We’ve known for a while that Microsoft is moving away from the “once a month, here’s a tranche of patches” approach that it famously introduced back in 2003.

Patch Tuesday, as it was known for years, quietly became Update Tuesday.

Microsoft’s “advance notification” bulletin, in which the number and nature of (but no detail about) forthcoming patches (ahem, updates) were announced the week before each Update Tuesday, quietly vanished.

And just last week, Sophos Security Chet Chat presenter Chester Wisniewski and I discussed these very developments [at time 6’39”]:

CW: This week was Update Tuesday, and I’m not going to talk about the fixes; I’m just going to say, “Go get them.” And for future Chet Chats, unless there’s something significant that has a reason to call out a particular patch – because of super-high risk, or a big change to the operating environment – I don’t know that there’s really much point in spending eight minutes talking about a SQL privilege escalation bug.

PD: I’ll second that. And, of course, Microsoft is, understandably, trying to soften us all up, ready for the Windows 10 “rolling update” model. […] Why wait a month when you can wait 24 hours?

CW: Exactly! Ask a given user what version of Chrome they have on their desktop, and you’ll be able to answer that question for yourself.


The blogosphere has been pondering these issues, too, with the consensus being that the entry-level version of Windows 10 (Home) won’t allow you to delay or defer updates at all.

If you want to be the master of your own destiny in respect of Windows patches, bloggers have been saying, you’ll need the Pro or Enterprise versions instead.

This inference seems mainly to have been based on wording quoted from the official Windows 10 Specifications page:

Windows 10 Home users will have updates from Windows Update automatically available. Windows 10 Pro and Windows 10 Enterprise users will have the ability to defer updates.

Intriguingly, the Specifications page doesn’t include those words any more, because it now says simply:

Windows 10 Home users will have updates from Windows Update automatically available.

That’s listed under Feature deprecation – wording that adds more confusion, because “deprecation” means “still there, but available for use only with disapproval.”

It certainly looks as though Windows 10 updates are automatic-only in the official Windows 10 Insider Preview, as you will see if you search for automatic updates in the Technical Preview (version 9926) and the Insider version (10074):

So!

If Home users will be getting updates no matter what, and if this is, at least in part, a way of shaking out problems for Pro and corporate users (who will, after all, be paying more), is that a bad thing?

To be honest, we’d prefer a world with choice, so our gut reaction is, “Yes, it’s bad.”

But we’d also prefer a world where the majority of computer systems are not days, weeks, months or even years behind fixing holes that crooks already know how to exploit.

So our hearts are saying, “No, it’s not a bad thing.”

As Chester observed in the podcast, when asked, “Why wait a month when you can wait 24 hours,” we already have complex products like Google’s Chrome browser that update without asking, and without even asking if you want to be asked, and the wheels haven’t come off.

Let’s just hope, as we hoped in the podcast, that Windows 10 Pro and corporate users will be willing to take updates sooner rather than later, too.

By all means stage your updates so that you don’t swamp your network or your helpdesk with requests.

But let’s make a collective pledge never to get stuck in the Windows XP situation ever again, where we’re so far behind that we’ve created for ourselves a brand new excuse not to move forward.

Why wait seven years – or, for that matter, a month – when you can wait 24 hours?


With my past experience with updates crippling systems, I do not like the automatic update idea. If the wheels come off Chrome, no big deal; if the wheels come off my OS, BIG DEAL.


I’ve had the same experience countless times. I like having the option to not install updates for a short time to see if it is something that causes issues with other people first – as has happened and when it does it is usually a HUGE deal. Updates should be done, yes. Forced and in a way where we are the beta testers, absolutely not!


Too much this. There’s a really big difference between a web browser getting crippled (oh well, I can use Firefox/MS Edge as a backup) and an entire OS getting crippled (which would likely leave the thing unbootable).


Windows updates are notoriously huge and cumbersome! On my Win 8.1 system, the C:\Windows folder is 41 gigabytes in size, of which C:\Windows\Installer takes up 21.3 gigabytes and C:\Windows\WinSxS is 6.1 gigabytes. That’s almost 33% of my C partition. An OS needs to be lean.

My Linux installation is way slimmer. So yes, I’d like to have the option to NOT install updates if I wanted to. Microsoft should respect the fact that quite a few home users are computer savvy and would want to have a say in what their computer does.

I wouldn’t mind Windows Update being set to ‘automatic’ by default but taking away our vote to change that is unacceptable.


I wonder how fast MS will change this policy after it blue screens a few million machines in one night and leaves unsuspecting users scrambling to call their nephew/grandson/son/neighbor kid who fixes their pc.

Yeah, I’m mixed on this too. Machines that never get updated are a problem, but, lately MS has had a habit of releasing patches that break stuff.


I am all for automatic updates, or I should say, continually rolling updates (not waiting until Tuesday, just because) but the time and place of updating needs to be user definable.

For instance I would not want my laptop to decide it’s going to update itself while I am on the train tethered to my mobile, just because it thinks there is internet available. I also hate being forced to reboot when a pc might be in the middle of something – automatic reboots were the worst idea, and I truly hope they are not now to be enforced.


I like the idea of having machines updated automatically as long as there is a simple and easy way of reverting those changes if something goes wrong. It also seems like ‘patch Tuesday’ is going away in preference to ‘patch at any time’, this should (at some level) alleviate the issue where a combination of patches causes major issues. There will always be the danger that something breaks, the question is whether this policy is better or worse than the previous policy. If it stops people from having machines that are completely out of date (read vulnerable) then this is a good thing. Time will tell if this works in Microsoft’s favour.


The last lot of patches that landed automatically on my Windows 7 machine resulted in my taskbar totally vanishing, never to be seen again; even after reinstalling Windows, the taskbar is missing most of the time (but currently here!). I have now banned Windows from downloading any updates at all, so I do not want automatic updates either.


Good idea. It’s likely that every patch is an attempt by Microsoft to make your taskbar disappear. So, instead of just hitting the windows key on your keyboard and dragging the taskbar back to its normal size (with the option of locking the taskbar under the taskbar properties), disabling Windows update is a much better idea. Never mind that your PC is now susceptible to remote code execution and denial of service attacks… It’s not like those kinds of attacks would ever happen to YOU anyway, amirite?


Whilst I want security updates quickly, I need to be able to choose when they download, due to my slow internet connection, which used to drop to 0.2 Mbps download and 0.02 upload on occasions before I got satellite. If I switch the computer on to meet a deadline a few minutes away, I would not want the bandwidth to be hijacked by an upgrade that could wait till I’ve finished doing my urgent task.


While I am in favour of automatic updates from a security standpoint, due to some patches that cause unbootable PCs I just hope that the testing of these updates is very thorough before they’re released.

I agree with Anonymous’ comment above that if you can’t access your OS, it’s a big deal. As Paul mentioned at least it will keep people current with patches and will mean that flaws that have been fixed for months or years will no longer affect people. It will be great that situations like Windows XP and Server 2003 (to be retired next month) still being used daily after their support deadline has passed will be a thing of the past.

My only advice is to keep a copy of your essential data in an offline state (i.e. backed up but not connected to your computer) should your computer no longer boot after a bad patch. You could choose to backup to cloud storage too.

Andy (above) makes a good point about those who have to fix relatives computers when unstable patches are installed. Microsoft’s new approach could cause a lot of issues for those unsung heroes who provide IT support outside of their day job.

Time will tell if this new approach works. Thank you.


Let’s not forget that every patch install is preceded by an automatic recovery point creation.

If the patch is a flaw, it’s always possible to go backward in time, prior to this particular patch-install.

Ben


Assuming the patch doesn’t create a boot-loop or some other major issue preventing the ability to uninstall/recover


I have a BIG issue with updates that run when they (Microsoft) want and don’t allow me any say in what or when.
I help teach computing to ‘silver surfers’ and the last thing we want in the middle of a session is some of the PCs updating automatically. When I worked in IT at Network Rail, again we did not want any updating happening during a session – it happened once and screwed up 2 days training!
If a PC is busy doing an important or critical task, then updating would be totally inappropriate and maybe counterproductive.
Let ALL versions have the option to choose what time of day (variable) to download updates and when to then install them, so it can be done at a less crucial time.


A computer not booting because of a change in software is not a new problem, and not a problem that is exclusive to Windows Update. What we really need are better tools for analyzing these problems and fixing them automatically. Or at least making sure I get back to a computer that works for me with minimal input from myself as a user.

That, and I also need some control over when/where updates download, when they install, and when my computer will be rebooted. Sometimes I’m turning my computer off because I need to take it somewhere; waiting an hour for updates to finish installing is not an option.


Having been running exclusively on the Insider Preview for the last six months or so at home, I do kind of hope they iron out a few more patch/update related details before release. Some of the patches have been quite lengthy to apply, and they almost always reset the default web browser (which earns a “Really!?” from me)…


I think they should have made it an opt out instead of not giving you the choice to have it on or off. That way less tech savvy people get the protection without having to mess with any settings while more advanced users still have the option to turn it off.


Microsoft’s update record over the last couple of years was very bad and getting worse. I’ve been bitten by every bug they’ve introduced recently: battery-killing Surface firmware, disk check on every reboot, an annoying Windows 10 advertisement. Microsoft hasn’t earned the trust to automatically apply updates yet.


Automatic updates wouldn’t work for people accessing the internet through the mobile phone system. I know 2 people who do this, and updates would chew through all their data in a very short time. They go to places where they can update from a landline (one comes to my house to do this). They both rely on being able to prevent downloading the updates until they can get to a landline connection.


I have no problem with automatic updates as long as they are relevant, but many of Microsoft’s updates relate to Internet Explorer, which I haven’t used for years, and the optional downloads – will they become automatic? I don’t want Microsoft updating my printer drivers; that is none of their business.


You might not use Internet Explorer yourself, but it is still used by Windows internally for things, and also can be used within 3rd party software, so whether you’re using it yourself or not, I wouldn’t recommend avoiding the updates.


This is no longer strictly speaking true. MS was forced to uncouple IE from Windows Explorer back in the anti-trust days. Today, with the new versions like IE11 as optional installs (I’m not exactly sure which version it started, post 8 I think), you can completely uninstall IE and have no problems.

There may be components of the original IE browser that are still part of windows, but they are exactly that – part of windows – therefore receive updates as windows system updates not the optional IE updates.


Being part of an MSP, I wait several weeks before pushing out updates, even if it’s critical. I can’t have my clients down. I do proper research before pushing patches. I usually wait 2 weeks to see if other people have issues via Google search; then, once I research each KB, I determine if the patch should be applied or not. Any rollups to servers I wait a month.


To be fair, most MS patches don’t cause problems at all, only very few cause serious problems, and very few of those problems escape notice for very long. Surely by waiting a whole month – always! – you are exposing your clients to a very real risk of being taken down by a crook in return for protecting them from a rather unlikely risk of having them taken down by an outage?

Not saying I’m right, just wondering if you’ve evaluated the economics of a hack versus an outage.

With a one-month lag against Microsoft’s current one-month update cycle, that means you _always_ have some known-but-unpatched holes, even immediately after you do update.

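The trade-off raised in the exchange above (a deferral lag equal to the release cycle leaves you permanently behind, while an immediate install leaves almost no exposure window) can be put in numbers. The following is an added example, not code from the article, from Sophos or from Microsoft: it models a constructed monthly release schedule and a fixed deferral policy in days, and counts, for each calendar day, how many released-but-not-yet-installed updates a machine is carrying. The release dates are constructed for illustration, not real Microsoft release dates.

```python
from datetime import date, timedelta

# Constructed schedule: one release on the 14th of each month of 2015.
# These are illustrative dates only, not real Microsoft release dates.
RELEASES = [date(2015, month, 14) for month in range(1, 13)]


def install_dates(releases, lag_days):
    """Date on which each release is actually installed under a fixed deferral."""
    return [r + timedelta(days=lag_days) for r in releases]


def unpatched_count(day, releases, lag_days):
    """Number of updates that are public but not yet installed on 'day'.

    An update is 'known but unpatched' from its release date up to, but not
    including, the day it is installed (release + lag).
    """
    lag = timedelta(days=lag_days)
    return sum(1 for r in releases if r <= day < r + lag)


def exposure_profile(releases, lag_days, start, end):
    """Daily count of known-but-unpatched updates over [start, end] inclusive."""
    days = (end - start).days + 1
    return [
        unpatched_count(start + timedelta(days=i), releases, lag_days)
        for i in range(days)
    ]


def exposure_summary(releases, lag_days, start, end):
    """Min/max outstanding updates and how many days had at least one outstanding."""
    profile = exposure_profile(releases, lag_days, start, end)
    return {
        "lag_days": lag_days,
        "min_outstanding": min(profile),
        "max_outstanding": max(profile),
        "days_exposed": sum(1 for c in profile if c > 0),
        "total_days": len(profile),
    }


if __name__ == "__main__":
    # Observe a window that excludes the first and last release so the
    # comparison is not skewed by the edges of the constructed schedule.
    window = (date(2015, 2, 1), date(2015, 12, 1))
    for lag in (0, 1, 14, 31):
        s = exposure_summary(RELEASES, lag, *window)
        print(
            f"lag {s['lag_days']:>2}d: outstanding min={s['min_outstanding']} "
            f"max={s['max_outstanding']}, exposed {s['days_exposed']}/{s['total_days']} days"
        )
```

With a 31-day lag against a monthly cycle the minimum never drops to zero: there is always at least one public update the machine has not taken, and in short months two overlap. A two-week lag halves the exposed days but still leaves the machine behind for roughly half of each month; a one-day lag reduces the exposure to the handful of days on which an update was published. The model says nothing about the outage risk of a bad patch, which is the other side of the economics being discussed.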

PC on dial up modem, W7, the only thing it ever does is download updates. It’s been 2 years since we got the PC, but we hope to be able to use it in the next 6 months when the updates finish. The phone bill is 5000x what we paid for the PC, but people keep telling us this Internet thing is worth the wait, I’m not sure.

