Can the mandatory update policy in windows 10 generate momentum/oportunity risk?

Question

Disclaimer: This is a followup question for Will the mandatory update policy in windows 10 bring security issues?; With the purpose to divide one broad question in two specific one, coincidentally originated due to the same policy. Thus, expecting quite different answers. Please, do read both questions before starting to scream "duplicate".

---

In order to analyse if I'll update all my computers working on windows I came across the the following setback.

I have the home versions of windows and by updating to windows 10, I'll receive the basic version. On which I'll loose total control of the updates that are installed.

The first problem that crosses my mind is "what if an update messes up a third party software program that I need for, i.e. an academic research project?" And "what if a bug is added to the system that messes up the startup and I need it for a meeting, presentation or worst, have an online interview?".

In previous versions of Windows, I removed auto-updates for a reason. To reduce my exposure to these risks. Thus, I currently do not update the PC whenever I know I might need it soon, only in weekends and holidays where I know I have time to fix any bug that might come up.

To sum it up, I fear of momentum/oportunity risk by not having the possibility to manage when it's the best moment to install any patches.

Will there be a way to control the updates anyway with the free basic version, thus reducing such risks? And secondly what is my exposure to these risks? Does Microsoft have strategies to avoid certain big bug releases as happened in the past?

Answer 1

As for strategies from Microsoft's side, they now have the Insider program which allows them to test some patches with a larger audience beforehand. In return, Insiders don't need to buy a Windows license.

Of course there are still many kinds of patches they can't test that way. For example they can't roll out patches of undiscovered critical vulnerabilities to Insiders first, because attackers could thus discover and use the vulnerability before the majority of the non-Insider systems are patched.

Microsoft has frequently broken Windows with updates in the past. Even the update process itself managed to put systems in a broken state. The changes they implemented reduce that risk, but they do not remove it. In short, it's almost guaranteed that some updates will screw up some people's computers, so the risk that you can't access your computer at a critical time due to Windows Update is small but real. Keep in mind in most cases you can just roll back an update, and you will lose no more than 10-30 minutes.

There are 2 ways to look at this:

First, you can put this in the same bucket of risks as a hardware failure (e.g. a HDD dies), in which case you need to adopt a workflow that accepts the temporary or permanent loss of any one device at any point in time. Use a version control server for software development, use shared browser bookmarks, use a cloud based note taking app like OneNote, etc.

Second, you can decide that the risk of a failure due to an update is large enough that it warrants protecting against more so than a hardware failure. In that case you usually want to have a controlled environment where updates install at regular intervals, usually once a week. You also want to be able to prevent the system from updating during some timeframes, e.g. if you do seasonal trading you wouldn't want to install any updates during the trading season. In these cases, the obvious solution is to not use Windows Home Edition. I'm not sure which Windows versions are currently included in MSDNAA, which is free for students, but I'd expect it to have at least the Pro and Server versions.

If you want to know how to prevent Windows Updates in Windows 10 Home Edition, there are a couple questions that attempt to address this question: Stopping all automatic updates windows 10 , How can I defer updates in Windows 10 Home? , Make Windows 10 stop installing driver software automatically Personally I'd just try to firewall wuauclt.exe, or stop the wuauserv service.