With the introduction of Windows 10, Microsoft changed the way major updates are delivered. Security updates continue to be delivered on a regular basis on Tuesday every two weeks (on what has become known as Patch Tuesday), but new major versions of the operating system (i.e. upgrades) are no longer provided as a completely new version every three years on average (Windows 95, Windows 98, Windows XP, Windows Vista, Windows 7, Windows 8/8.1). Windows 10 updates are more subtle and essentially follow a Software as a Service (SaaS) updating scheme. Major (and minor) feature updates are delivered in the background and are more transparent to users.
As of October 2018, Windows 10 receives a major update twice a year, once in the Spring (April) and a second time in the Autumn (October), and unlike in previous versions, updates are mandatory.
There are benefits to this update scheme, namely the mandatory installation of security updates in an era when even individual home users are at great risk from security threats. Unfortunately, however, things don’t always go as smoothly as they should. By default Windows 10 treats security updates and feature upgrades the same way, and they both get installed as soon as they are released (give or take a couple of days). While this is generally a good approach from a security standpoint, the inclusion of major upgrades creates a concern as they have the potential of introducing instability in the early days and they often.
This is even more of a concern in a production environment, as any type of downtime or disruption of functionality could become a serious problem and not just an inconvenience, especially for micro and small businesses without a dedicated IT team.
Therefore, in a production environment I recommend running one version behind the cutting edge. For example: Windows 10 version 1809 was released in October 2018 (the time of this writing), which means that business users could now safely update to the previous version, Windows 10 version 1803 from April 2018. When the next version of Windows is released in April 2019, users could consider upgrading to version 1809 (October 2018).
This approach minimizes stability issues, while still keeping users current with newer features and hardware support.
To make things more complicated, outside of large organizations (i.e. Enterprise) Windows comes in two versions: Home and Pro. While the Pro version does offer some control over how updates are delivered, the Home version does not.
In this post I’ll list all the methods Windows Home (sort of) and Windows Pro users could use to keep the system up-to-date with security patches but defer the automatic installation of newer versions of the operating system.
Windows 10 Pro
Through the Settings app
Windows 10 Pro offers controls over how updates will be delivered.
To access the relevant settings, click Start > Settings > Update & Security > Windows Update (from the left pane) > Advanced Options.
There are three relevant settings here:
The branch readiness level
Determines which of the two release branches the system follows. The options are Semi-Annual Channel (Targeted) and Semi-Annual Channel. Set this to Semi-Annual Channel, which basically means the system will switch to the Stable/Business release branch.
A feature update includes new capabilities and improvements. It can be deferred for this many days
This setting allows delaying non-security updates for up to 365 days. I have it set to 200 days because this is roughly the time interval between two consecutive major updates, which is consistent with my recommendation to always run one version behind the most current one.
In fact, I typically schedule dedicated downtime to install major updates manually. I take a current disk image of my system drive and then proceed with the updates. This gives me time to respond better to any issue and ensures I won’t be surprised by an update at the most inconvenient time, but if I don’t get around to it, having automatic updates set up this way is the next best thing.
A quality update includes security improvements. It can be deferred for this many days
As the title suggests, this gives control over how security updates are installed. Deferring them for too long defeats their purpose, and while they pose a lesser stability risk, I believe it is still a good idea not to install them immediately after they are released. Deferring them for 2-7 days seems like a balanced approach to me.
Change activity hours
To minimize the risk of having a major update sneak up on one in the middle of the work day, it’s recommended to set the activity hours for the computer. Windows will not automatically restart the computer during those hours.
Go to Start > Settings > Update & Security > Windows Update (from the left pane) > Change activity hours and set your business hours.
Through the Group Policy Editor
While the above method is more straightforward, those settings could also be set through the Group Policy Editor.
Click Start, type ‘edit group policy’ and press the Enter key to launch the first search result. Alternatively, press Windows key + R, type ‘gpedit.msc’ into the Run box and press the Enter key.
In the Group Policy Editor, go to Computer Configuration > Administrative Templates > Windows Components > Windows Update > Windows Update for Business, where you’ll find the same settings as above.
The Group Policy Editor also offers an option that doesn’t exist in the Settings menu: the ability to get notified before any update is downloaded and installed.
In the Group Policy Editor, go to Computer Configuration > Administrative Templates > Windows Components > Windows Update and double-click on Configure automatic updates in the right pane.
Click on ‘Enable’ and then select option ‘2 – Auto download and notify for install’ from the Configure automatic updating drop-down list. With this setting the user is notified when new updates are available and will have to go to Windows Update to select which one to install. This might sound like a good idea because it provides close to full control over the updates, but it could result in updates not being installed at all. I therefore don’t find this the best approach for separating security from feature updates.
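One way to confirm that the Group Policy settings above took effect, as an added example that is not part of the original post: a read-only PowerShell audit of the registry values those policies write (nothing is modified). The function names, the 180-day and 7-day thresholds and the sample data are assumptions made for this example; it reads only the policy key, so choices made in the Settings app are not covered.

```powershell
# Added example (not from the article): read-only audit of update deferral policy.
# Value names are those written by the Windows Update for Business policies;
# the thresholds encode this article's recommendations and are assumptions.
$WuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'

function Get-UpdatePolicy {
    # Merge the WindowsUpdate policy key and its AU subkey into one hashtable.
    $values = @{}
    foreach ($path in $WuKey, "$WuKey\AU") {
        $item = Get-ItemProperty -Path $path -ErrorAction SilentlyContinue
        if ($item) {
            $item.PSObject.Properties |
                Where-Object { $_.Name -notlike 'PS*' } |
                ForEach-Object { $values[$_.Name] = $_.Value }
        }
    }
    return $values
}

function Test-UpdatePolicy {
    param([hashtable]$Policy, [int]$MinFeatureDays = 180, [int]$MaxQualityDays = 7)
    $findings = @()
    if ($Policy['DeferFeatureUpdates'] -ne 1) {
        $findings += 'Feature updates are not deferred by policy.'
    } elseif ($Policy['DeferFeatureUpdatesPeriodInDays'] -lt $MinFeatureDays) {
        $findings += "Feature deferral is under $MinFeatureDays days (one release cycle)."
    }
    if ($Policy['DeferQualityUpdates'] -eq 1 -and
        $Policy['DeferQualityUpdatesPeriodInDays'] -gt $MaxQualityDays) {
        $findings += "Security updates are deferred more than $MaxQualityDays days."
    }
    if ($Policy['BranchReadinessLevel'] -eq 16) {   # 16 = Targeted, 32 = Semi-Annual
        $findings += 'Branch is Semi-Annual Channel (Targeted), not Semi-Annual Channel.'
    }
    if ($Policy['NoAutoUpdate'] -eq 1) {
        $findings += 'Automatic updates are disabled; security patches will not install.'
    } elseif ($Policy['AUOptions'] -eq 2) {
        $findings += 'AUOptions is 2: updates wait for the user and may never install.'
    }
    if (-not $findings) { 'OK: policy matches the recommendations.' } else { $findings }
}

# Constructed sample: feature updates deferred 30 days, security updates 14 days.
$sample = @{ DeferFeatureUpdates = 1; DeferFeatureUpdatesPeriodInDays = 30
             DeferQualityUpdates = 1; DeferQualityUpdatesPeriodInDays = 14
             BranchReadinessLevel = 16; AUOptions = 2 }
Test-UpdatePolicy -Policy $sample                # evaluates the constructed sample
Test-UpdatePolicy -Policy (Get-UpdatePolicy)     # evaluates the local machine
```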
Using the Registry Editor
Please note: Editing the Registry is a little risky and is not recommended by me for anyone who is not familiar and comfortable with Registry editing. The above two methods are safer and easier, I think. For this reason I won’t give the instructions here but they could be found on this TenForums tutorial on deferring Windows updates.
Windows 10 Home
Windows 10 Home users have only one truly viable option and this is to turn off updates completely: Start > type Services > scroll down and double-click on Windows Update > Click on Stop and then change the Startup type to Disabled.
While this method is not recommended because it also disables security updates, given no other choice it might be the lesser of two evils when used strategically. One must be mindful of when a new major update is about to be released and consider disabling the updating service for a month or so starting on that date / manually starting the service once a month to check for and install updates.
That said, the better option for production machines running Windows Home is to upgrade to Windows Pro.