Windows 10 Opinion: The first Patch Tuesday of '21; time to delay updates

Gandalf_The_Grey

Level 42
Verified
Trusted
Content Creator
Apr 24, 2016
3,090
It’s Patch Tuesday time — that exciting second Tuesday of each month when we turn towards Redmond, WA, hoping for quality updates — and my advice is to not install updates tomorrow. To be fair, the vast majority of Microsoft users should be fine with whatever patches and fixes arrive. But, personally, I push off updates and delay installations on the systems I care about; you should do the same.

With that piece of advice out of the way, I have some suggestions for 2021 for a healthy patching year.

Susan’s first recommendation of ‘21: Use Windows 10 Pro, not Home.
I recommend several things when dealing with updates: First and foremost, make sure you are on Windows 10 Professional, not Windows 10 Home.

By design, Windows 10 Home doesn’t expose as many settings to defer and push off updates. If you are running either Windows 10 Home or Windows 10 Home S, I recommend upgrading to Pro. To do this, click on Start>Settings, then on System and scroll down to About. If it says Home under “Edition,” whip out your credit card and click on “change product key or upgrade your edition of Windows.” The upgrade process to purchase Windows 10 Professional takes a few minutes. You will be prompted to reboot and your machine will then be running the Pro version.

If you purchase a machine with Windows 10 S mode, this specific platform only allows installations of software from the Microsoft store. I have had the fun job of having to upgrade a Windows 10 Home S mode Surface device to Windows 10 Pro. I was surprised to find it’s a two-step process. First, I followed the same process outlined above: You go into the About screen and purchase a product key online to move the machine to Pro. I thought that would be enough to flip the machine out of S mode. It was not. I had to enter the Microsoft Store and search for a link to do so. Once I did, the Surface was finally on Windows 10 Professional.

In truth, I think S mode is ultimately where enterprises might end up: It’s a locked-down version of Windows 10 that only allows Microsoft store apps to be installed. Similar to an iPhone, where you can only install updates from the Apple store, it keeps the system better protected from ransomware and other malware. But if you are an everyday Windows user like me, you need to be able to download and install software from sources other than the Microsoft store.

While you are in the About section, see what feature release version you’re running. For consumers and small businesses (anyone without an Enterprise or Education license) you need to at LEAST be on version 1909, 2004 or 20H2. If you are not on any of these versions, you’ll not get security updates this month.

Susan’s second recommendation of ‘21: Set updates to install later in the month (and set targetedreleaseversion to 2004 or 20H2).
On Windows 10 Pro, there are a couple of settings I always check. First, I always go into Start>Settings, Update & Security, Windows Update; click on Advanced options, scroll down and choose “Pause until …” and select a date later in the month. I prefer setting a specific date as I feel this process works better than using pause. Then I set the targetedreleaseversion for the feature release version I’m comfortable with. (I don’t install feature releases right away; this setting lets me push it off and only install the release I want.) I’m now comfortable recommending the 2004 feature release if you haven’t already moved to it. Microsoft finally fixed one of the lagging bugs in 2004 and 20H2, a crash issue that was triggering reboots on Jan. 7 among users renaming the Administrator account.

For business users, I’m comfortable with (and personally run) 2004 in my business. Don’t worry if you are already on 20H2; I’m running that version at home and have not seen major issues. I prefer to stay one version behind and recommend that you set the targetedreleaseversion at 20H2; doing so means that once the NEXT feature release comes out, you won’t be first in line.

If you are unlucky enough to have a computer with a Conexant audio driver, you may still be blocked from upgrading to 2004 or 20H2. Many users report that they’ve worked around the issue by manually uninstalling the Conexant driver in the driver settings to revert to a generic Microsoft audio driver. They then trigger the installation of 2004. Once it’s installed, the driver will automatically get updated to the Conexant driver. You can scroll down to “DaleHuhtala’s” Dec. 2 post in the answers forum for details on the process. I’m still hoping Microsoft will provide a better update process for these machines.

Prepare to say goodbye to Flash
Last but not least, we can start saying goodbye to Adobe Flash. Microsoft will be releasing a Windows update, KB4577586, to remove Flash, but you can take action now. You can check whether Flash is installed by going to the Adobe Flash web page and clicking on check now. You will need to check each browser you have on your computer to test whether it’s still enabled. You can manually download KB4577586 from the catalog site, by matching up the version you have. Remember X86 means a 32-bit operating system, and X64 means 64-bit operating system. I’ve provided a step-by-step video on the AskWoody YouTube page for more details.

As always, if you have any questions please let us know on Askwoody.com.
 
Last edited by a moderator:
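The edition, version and target-release checks described in the post above, as an added PowerShell example that is not part of the original post or the quoted article. It assumes the setting is stored as the registry values TargetReleaseVersion and TargetReleaseVersionInfo under the Windows Update policy key; the function names are hypothetical.

```powershell
# Added example: audit the update-deferral settings the post walks through in the GUI.
# Supported-version list is the one the article gives for January 2021.
$SupportedVersions = '1909', '2004', '20H2'
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'

function Get-UpdateDeferralStatus {
    $cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'

    # DisplayVersion exists from 20H2 on; 1909 and 2004 only carry ReleaseId.
    $version = if ($cv.DisplayVersion) { $cv.DisplayVersion } else { $cv.ReleaseId }

    # The policy key is absent on machines where nothing was configured.
    $pol = Get-ItemProperty -Path $PolicyKey -ErrorAction SilentlyContinue

    [pscustomobject]@{
        Edition          = $cv.EditionID                 # 'Core*' = Home, 'Professional' = Pro
        IsHome           = $cv.EditionID -like 'Core*'
        Version          = $version
        VersionSupported = $SupportedVersions -contains $version
        TargetEnabled    = ($pol.TargetReleaseVersion -eq 1)
        TargetVersion    = $pol.TargetReleaseVersionInfo
    }
}

function Set-TargetRelease {
    # Pins feature updates to one release, e.g. '2004' or '20H2'. Needs an elevated shell.
    param(
        [Parameter(Mandatory)]
        [ValidatePattern('^\d{2}(H\d|\d{2})$')]
        [string]$Version
    )
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    Set-ItemProperty -Path $PolicyKey -Name TargetReleaseVersion -Value 1 -Type DWord
    Set-ItemProperty -Path $PolicyKey -Name TargetReleaseVersionInfo -Value $Version -Type String
}

# Read-only report; review it before changing anything.
Get-UpdateDeferralStatus | Format-List

# Uncomment to pin the machine to a release:
# Set-TargetRelease -Version '20H2'
```

On Windows 10 Home the report shows IsHome as True, which matches the article's point that Home exposes fewer deferral settings.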

Gandalf_The_Grey

Can we expect issues?
You never know beforehand.
I install the patches when they arrive and never had serious issues.
My work laptop normally gets the January patches at the end of January like it should be for a work-related machine.
They have been tested and most bugs have been noticed and hopefully resolved by then.
In the past it took months before a consumer Windows 10 release was declared ready for business by Microsoft.
 

amirr

Level 10
Jan 26, 2020
454
You never know beforehand.
I install the patches when they arrive and never had serious issues.
My work laptop normally gets the January patches at the end of January like it should be for a work-related machine.
They have been tested and most bugs have been noticed and hopefully resolved by then.
In the past it took months before a consumer Windows 10 release was declared ready for business by Microsoft.
I agree with you.
I remember my friend telling me this:
Regarding the optional, or even recommended updates in general: It’s not because I don’t have problems that you won’t, or vice versa. It depends on what hardware, drivers, and software you have on your machine, so it’s really not predictable.

If you do use standard and recent components, recent windows install, and up-to-date drivers, most probably you’ll be OK, but it’s not a given.
 

Gandalf_The_Grey

The updates are live:
 

Gandalf_The_Grey

Interesting blogpost from Zero Day Initiative:
| CVE | Title | Severity | Public | Exploited | Type |
|---|---|---|---|---|---|
| CVE-2021-1647 | Microsoft Defender Remote Code Execution Vulnerability | Critical | No | Yes | RCE |
| CVE-2021-1648 | Microsoft splwow64 Elevation of Privilege Vulnerability | Important | Yes | No | EoP |
 

Cortex

Level 25
Verified
Aug 4, 2016
1,409
I laugh in the face of MS Update issues, maybe a small problem but nothing of significance?


Gandalf_The_Grey

The first Patch Tuesday security bulletin for 2021 from Microsoft includes fixes for one bug under active attack, possibly linked to the massive SolarWinds hacks.
Microsoft addressed 10 critical bugs, one under active exploit and another publicly known, in its January Patch Tuesday roundup of fixes. In total it patched 83 vulnerabilities.
The most serious bug is a flaw in Microsoft’s Defender anti-malware software that allows remote attackers to infect targeted systems with executable code. Security experts are warning that Windows users who have not connected to the internet recently and received an auto-update should patch now.
“This bug in the Microsoft Malware Protection Engine may already be patched on your system as the engine auto-updates as needed. However, if your systems are not connected to the internet, you’ll need to manually apply the patch,” wrote Dustin Childs, Trend Micro’s Zero Day Initiative (ZDI) security manager.
 