By Susan Bradley, Contributing Writer, Computerworld
Here’s a dirty little secret network administrators don’t want you to know: When you say “something happened” on your computer, there’s a good chance we don’t believe you. You’ll swear you didn’t click anything, didn’t press a button, or did just this one thing. As jaded admins, we will agree that computers are evil and often do things spontaneously.
But many times, we’re convinced you did click on something and whatever happened was self-inflicted. Sure, we might just blame the issue on something Microsoft did — while thinking to ourselves, “You really clicked on something.” (Often, it’s only when we can see what you are looking at on your computer system, or review log files, that we can really determine what happened.)
Then there are those times when enough people describe similar behaviors often enough that we really think something’s going on.
Case in point: Microsoft’s update behavior. Let’s start with Microsoft pushing KB5005463 — the PC Health Check Application — onto Windows 10 machines. It’s even being installed on PCs that don’t have the necessary processor to support Windows 11. To add insult to injury, the PC Health tool is not un-installable through the normal update history panel; you have to go through applications and features to find and remove it from your system. This isn’t an update being offered, it’s one that is very obviously being pushed. Given that most users are probably not running PCs that support Windows 11, the addition of the tool just rubs that fact in our face.
It just seems a bit, well, pushy.
Next are the interesting reports I’ve seen about Windows 11 getting installed on systems where a user didn’t approve the installation. (Yes, there have been cases where people signed up for the Microsoft insider program and Windows 11 was installed. It appears the user inadvertently approved the update.) But in other cases, the Windows 11 install trigger is much less obvious.
I wrote last week about how you can roll back to Windows 10 if you somehow received Windows 11 and don’t want to keep it. And I urged anyone who had inadvertently received Windows 11 to reach out to me. There have been a number of responses from readers; in one case, the poster said, “Windows 11 does start installing without user input.” Another user said he clicked on the “Check for Updates” button, which triggered the install of Windows 11.
And therein lies my recommendation for those who don’t want updates — and specifically, Windows 11 — disturbing your computing experience. I have a rule in patching: never, ever click on the “Check for Updates” option in Windows 10. Doing so actually means, “If there are any updates ready to be installed, go ahead and install them.” It can be confusing, especially for those used to Windows 7, where you could scan for updates and simply review patches. In Windows 10, unless you have set deferrals for features, anytime you click on “Check for Updates” you will receive updates Microsoft deems “preview updates” — non-security fixes Microsoft releases ahead of the next month for admins to test. Most times, these preview updates aren’t harmful. But they may not be as tested as you and I would like, which is why I do not recommend installing them.
For IT admins who want to make sure your users can’t bypass your settings and install Windows 11, know that if your machines are managed by Windows Software Update Services, SCCM, or other patch management tools, Windows 11 will not be offered to your managed systems. You need to make a concerted effort to deploy Windows 11 in those environments. But in this era of work-from-home, where some computers are not managed and are instead patched via Windows Update, you can make one more adjustment to your remote fleet.
You can push out a registry key that will remove access to the Check for Updates button so your end users can’t inadvertently click on it:
Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
Value Name: SetDisableUXWUAccess
Value Type: REG_DWORD
Enabled Value: 1
(Note, you will need to add this DWORD registry key or have it added using your registry deployment tools.)
The Check for Updates button will now be greyed out. Should you wish to re-enable it, merely remove the SetDisableUXWUAccess key and the button will again be accessible.
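One way to script the change described above, including the re-enable step, as an added example that is not part of the original article. The registry path and value name are the ones given above; the function names and the State parameter are hypothetical, and the script assumes it runs elevated on the target PC.

```powershell
#Requires -RunAsAdministrator
# Added example: manage the SetDisableUXWUAccess policy value.
# Function and parameter names are hypothetical; path and value name come from the article.

$PolicyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$ValueName  = 'SetDisableUXWUAccess'

function Get-CheckForUpdatesPolicy {
    # Returns 'Disabled' when the value exists and is 1, otherwise 'Accessible'.
    $item = Get-ItemProperty -Path $PolicyPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -ne $item -and $item.$ValueName -eq 1) { 'Disabled' } else { 'Accessible' }
}

function Set-CheckForUpdatesPolicy {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)]
        [ValidateSet('Disabled', 'Accessible')]
        [string]$State
    )

    if ($State -eq 'Disabled') {
        # The policy key may not exist yet on a PC that has never received update policies.
        if (-not (Test-Path -Path $PolicyPath)) {
            if ($PSCmdlet.ShouldProcess($PolicyPath, 'Create registry key')) {
                New-Item -Path $PolicyPath -Force | Out-Null
            }
        }
        if ($PSCmdlet.ShouldProcess("$PolicyPath\$ValueName", 'Set REG_DWORD to 1')) {
            # -Force overwrites an existing value, so repeated runs are safe.
            New-ItemProperty -Path $PolicyPath -Name $ValueName `
                -PropertyType DWord -Value 1 -Force | Out-Null
        }
    }
    else {
        # Re-enable: remove only this value and leave other Windows Update policies in place.
        if ($PSCmdlet.ShouldProcess("$PolicyPath\$ValueName", 'Remove value')) {
            Remove-ItemProperty -Path $PolicyPath -Name $ValueName -ErrorAction SilentlyContinue
        }
    }
}

# Apply the setting and report the resulting state.
Set-CheckForUpdatesPolicy -State Disabled
Get-CheckForUpdatesPolicy
```

Run it with -WhatIf on Set-CheckForUpdatesPolicy to preview the registry changes, and use -State Accessible to restore the button.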
For business users who do want to install Windows 11, I still strongly recommend you wait at least a few months to let any bugs get worked out. This is a time for testing Windows 11, not deploying it.
Microsoft is hosting its annual Ignite IT Professional conference this week, and many of the sessions focus on using, deploying, and managing Windows 11 systems. Many of the sessions are being recorded and will be on demand for viewing later. This will be a good time to start reviewing all of the sessions on Windows 11 from Ignite to learn more and start testing Windows 11.
If you’re a user who inadvertently received Windows 11 and didn’t click on anything, I again ask you to reach out to me at firstname.lastname@example.org; I’d really like to see what happened. Windows 11 is supposed to be offered — not pushed — to qualifying computers.
Copyright © 2021 IDG Communications, Inc.