Should I turn on Windows Updates in W7?


Post#1 » Sat May 13, 2017 12:38 pm

So my W7 HTPC has been running rock stable for at least three years. It is mainly used as the HTPC but I also have several home PCs using it as network storage so everyone has access to it on my network. We don't surf with it, but it is connected to the internet for EPG and virus updates. BUT, I have had Windows Update turned off for years since I got it stable to keep it from being messed up by Microsoft. With this new ransomware thing, I think I should turn it back on. Do you think this will kill my setup?
soccerdad

Post#2 » Sat May 13, 2017 3:06 pm

There are two different schools of thought here.

#1 No updates - Leave it alone, if it ain't broke don't fix it, I don't trust Microsoft, etc.

#2 Updates are necessary for security and stability, even if the device is an appliance (HTPC). Apply all updates as released, roll back if something breaks.

I subscribed to #2. I install all Windows Updates and never had a problem.
Scallica

Post#3 » Sat May 13, 2017 4:29 pm

I subscribe to #1.

The fact is, I can think of at least two instances where a Windows update completely borked the system and required futzing with it over a couple of days after MS realized what they had done.

Note that the updates in question didn't simply break WMC; they broke other things, and WMC was caught in the crossfire. That was fortunate, because MS was forced to back off and fix things, and WMC users benefited as a result.

But imagine they put out an update that borked ONLY the WMC component; they would NEVER fix it. Instead, they would say that it wasn't broken in the first place--because they've abandoned WMC completely.

I subscribe to #1.
adam1991

Post#4 » Sat May 13, 2017 4:32 pm

adam1991

Post#5 » Sun May 14, 2017 6:11 am

Updates are risky, especially now that MS has officially dropped WMC. Seemingly harmless updates for Win7 may knock out WMC. The only way I know of to prevent WU is to disable the service in Services. If you just turn off updates, you will get Critical Updates, check yours... you have been getting updates you don't even know about. Check Programs and Features/Installed Updates.

Windows Update does do a System Restore Backup prior to many updates; the problem with this is the amount of disk reserved for System Restore... Next thing you know, your Restore Points are all from Updates. The restore point you want is wiped out. Increase the amount of disk reserved for Restore.

Another thing is to set your main backup to run a few days before the monthly cumulative.
Crash2009

Post#6 » Sun May 14, 2017 7:46 pm

I have also subscribed to #1. But these new threats have me worried. No user interaction is needed for them to screw you. What is your recommendation for protecting against something like this if not taking the updates?
thorhtpc

Post#7 » Mon May 15, 2017 4:15 am

If you have a proper firewall in place then by all means, go with #1.

I ran 6 servers on Windows 2000 with no anti-virus installed from implementation to decommission. No issue. I ran XP with no anti-virus for its entire lifespan - no issue. I'm currently running Windows 7 on my workstation - no anti-virus.

I have 14 virtual machines running Windows 2008 R2 Enterprise - no anti-virus on a Windows 2008 R2 Datacenter machine - no anti-virus.

If you take the proper precautions, and the machine is limited in its operation, there is no reason why you can't run without Windows Updates or anti-virus installed.

Having said that, our mail server VM has more than 4 million spam/virus signatures loaded into memory and our firewall actively scans for virus/malware. It's all in how you approach the problem but if your Media Center machine is only a Media Center machine, then I see no reason to have Windows Updates or anti-virus on it - provided you use a NAT-based firewall with no openings forwarded to it.
marvin-miller

Post#8 » Mon May 15, 2017 12:09 pm

marvin-miller wrote: If you take the proper precautions, and the machine is limited in its operation, there is no reason why you can't run without Windows Updates or anti-virus installed.

I can think of one reason, worms. Although less of a threat on a residential network, you could potentially have a guest with an infected laptop join your home wifi network. The best approach is to set up a guest wifi network with its own subnet.
Scallica

Post#9 » Mon May 15, 2017 3:29 pm

Scallica wrote:
marvin-miller wrote: If you take the proper precautions, and the machine is limited in its operation, there is no reason why you can't run without Windows Updates or anti-virus installed.

I can think of one reason, worms. Although less of a threat on a residential network, you could potentially have a guest with an infected laptop join your home wifi network. The best approach is to set up a guest wifi network with its own subnet.


Good point. In the network I mentioned above no one can get onto the internal network. There is an open access point for guests that anyone can get on. However, it's routed through the same firewall but on an isolated network. The only place a user that is connected to the open AP can go is external, to the WAN. That's it. They can't access the internal network at all.

Interestingly enough, if they are connected to the open AP and surfing the net, and then try to access our public web site - they can't reach it. Literally, they are not able to go from the AP to the internal network, even if the internal network is publishing on the WAN.
marvin-miller

Post#10 » Mon May 15, 2017 3:34 pm

marvin-miller wrote: even if the internal network is publishing on the WAN.

That sounds like the AP is using the same DNS server as the LAN. Do a DNS lookup on the site from the AP and see if you return the local IP vs WAN IP. You can make a hardcoded entry to fix it or tell the AP to use Google's DNS servers or someone else besides your local one. That is if it is a problem for you.
IownFIVEechos

Post#11 » Mon May 15, 2017 4:41 pm

IownFIVEechos wrote:
marvin-miller wrote: even if the internal network is publishing on the WAN.

That sounds like the AP is using the same DNS server as the LAN. Do a DNS lookup on the site from the AP and see if you return the local IP vs WAN IP. You can make a hardcoded entry to fix it or tell the AP to use Google's DNS servers or someone else besides your local one. That is if it is a problem for you.


It's by design. No traffic originating from the AP's network is allowed into the internal network. The firewall sees the origin of the traffic as the AP's network and will only allow traffic from the AP to go to the WAN.
marvin-miller

Post#12 » Wed May 17, 2017 9:57 pm

I also subscribe now to number one, having been borked a few times already with Windows updates in Media Center and Emby. Additionally, you can't roll back any longer with the new rollups. It's an all-or-nothing thing now. Not like when you could back out the individual updates that caused a problem. I am done with Microsoft updates.

cvguy

Post#13 » Fri May 26, 2017 2:00 pm

I've been one who always subscribed to #1, disabling updates completely. When it AIN'T broke, don't fix it. When I rebuilt my W7 WMC machine (every few years if I find an issue that is bothering me), I normally find a slipstreamed Win7 ISO with all current updates and build my system with that. Then I do a 3 day test (after setting up the basics), to make sure it's going good.

I also have gone the route to install a NON-slipstreamed Windows 7 (RTM version, no updates) and tried to plug in just the WMC updates, but that would fail as a lot of them REQUIRE SP1. Even with this route, you do get some good performance, but other "Windows bugs" show up that cause problems.

With the new malware/ransomware people are scared, I can see why this subject comes up. I could see this, I have 450 movies each ripped with their HD-Audio tracks, if I got the ransomware, chances are I would lose all this, I did put some thought into it.

I even found the "Patch" for Windows 7 and manually installed it. Truth be told MOST viruses and malware need to be activated in some way, meaning someone NEEDS to click on something that kicks it off or clicks on an AD on a webpage. MOST viruses won't even hit your machine if you're behind a decent firewall.

Any way about it, Microsoft does not care about WMC any more, so when new patches come out, very limited testing is done with WMC. So when it's out in the wild and an issue does come up, it will take a while to fix, even if Microsoft will. So they can BREAK things.

SO, if you're looking for a ROCK solid WMC machine, disabling updates is on the list. Do weekly backups (I do a 4 backup rotation, OS drive only) and don't do web browsing/checking email on that machine and you should not have any issues.
DavidinCT