Using Legacy Software Safely

[Rich-M]

[Moderator note: discussion split off from: [SOLVED] - MS Office 2007)]

Great end folks. Somehow I wish we could get across the point that the primary reason for updates is security and I think if we could get that point across
to the general user public, the silly automatic reaction to the word update would sooner or later go away.

 

[Digerati]

Somehow I wish we could get across the point that the primary reason for updates is security

I think most people understand that. The problem is, they don't think it will happen to them. Same with keeping current backups. Everyone knows they should have (and use!) a robust backup plan. But many don't - until its too late.

Look at how many disable Windows Update because they heard somebody's cousin's brother-in-law said they heard there is a remote chance it might break Windows! Yes, it might, but the odds are, if people leave the defaults alone, all will be fine. And sadly, many of those people who disable Windows Update don't wait a week or two to listen for fall-out, then install. No, they wait weeks and month or even longer. Then their system gets so far behind, when they finally do install, it really does jam up Windows.

 

[Rich-M]

Well I think you give the average user more credit that I would. And at the moment there really is no way to shut off WU in Windows 10 Home anyway.
I also just checked Pro and it seems you can only pause WU for 35 days now so again that does not seem to really be a problem any more BIll.

 

[Digerati]

Not sure what credit you think I'm giving. Are you suggesting most people don't even know their 10, 15, 20 year old programs and operating systems are outdated? Or that outdated programs should be updated to ensure the most current security? I say the vast majority of user are fully aware of those things - they just don't heed the warnings because it is human nature to resist change. And for some, it is simply because they don't like Microsoft shoving change down our throats.

As far as disabling WU, I was using that to illustrate a point but sure you can disable it. It is just takes a bit more effort - and frankly, I am glad it is harder. I fully understand many want total control over their systems. I certainly was that hands-on back in the day. But W10 is not XP and does not need to be treated like it is. W10 really does work best if users would just leave the defaults alone - or at least do their homework to understand what they are really doing before making any changes.

 

[britechguy]

And one has to look at what sort of updates are being discussed.

I am seeing far less resistance to Windows Updates overall than was seen in the pre- and early Windows 10 era. There are still idiots (and, yes, that is what I think and that won't change) who seem to be under the delusion that they or that "cousin's brother-in-law [who] said they heard there is a remote chance it might break Windows!," know more than Microsoft, the entity that created and maintains the operating system, does. You don't see this sort of inanity in the Apple, Linux, and other OS communities. It's a hold over from the early days of Microsoft Windows that should have died a natural death long ago.

But updates to things like Office are generally resisted by home users because of the expense, which is quite substantial, involved in doing so, particularly for the editions of Office aimed at professionals, but that home users often have. And I can't blame them. I put off updating from Office 2010 for quite a while for just that very reason. If it hadn't been for the fact that Office 2010 was starting to "get creaky" in multiple ways I'd probably still have it since I did not use Outlook and have not had an infected Office file from any source for ages now and am careful to open any office file only if it comes from a source I have every reason to trust.

 

[Rich-M]

Well Bill you said that you think most users know that primary purpose of updates is security and that sure does not describe most
of my clients and as far as I am concerned I am not convinced WU does a very good job as I find way too many pcs not doing feature updates and the majority more than 3-4 versions back. And that includes my emphasizing to them the importance of making sure those are done and providing a Bookmark for them to initiate it if WU fails to do so.

I think the majority of users don't bother upgrading versions is expense coupled with little or no perceived change in the Ms Office programs. And of course if reasons for upgrading were thoroughly explained, more might choose to do the upgrade if they saw a reason. Most of the changes I see just cause inconvenience as steps are added to functions for no apparent reason or things are moved also for no obvious reason.

 

[britechguy]

. . . I am not convinced WU does a very good job as I find way too many pcs not doing feature updates and the majority more than 3-4 versions back. And that includes my emphasizing to them the importance of making sure those are done and providing a Bookmark for them to initiate it if WU fails to do so.

And while I cannot claim that I have never seen a single system on which Windows Update has indeed broken, those are very few and far between relatively speaking. Most where it's not working like it should show signs of someone "trying to turn WU off" by, shall we say, non-standard ways.

It's becoming more and more common to see systems, and particularly Windows 10 Home systems, that are now several Feature Updates behind, but still running version still under support. That is a direct result of Microsoft having responded to a very loud and vocal part of the Windows 10 user community that absolutely did not want full automatic updates, so they turned them off as of Version 1909, and where the end user must go to the Windows Update Pane of settings and activate the Download and install link for a Feature Update when it is presented. You also get no direct notice that this has occurred.

I wish that full automatic updates could have been turned off in favor of this option by opt-in, allowing the many end users (and I was one of them) who preferred the full automatic updating outside of active hours to continue as it always had.

Now, the only time a full automatic update occurs, and we're seeing that with machines that had been on 1809, and some 1903 machines as well, being automatically updated because 1809 is going out of support very shortly and 1903 is not all that far behind. But that still allows users to be multiple Windows 10 versions behind, but at least those versions are under active support while they still have them, getting security patches as well.

Compared to the early years of Windows up through the Windows 7 era, I have had far fewer issues with Windows Update and far, far fewer service calls from clients secondary to a Windows Update having "gone/been bad." Since every type of Windows Update except critical security patches now rolls out in waves/cohorts, with heavy automated monitoring of telemetry as each wave/cohort is updated and where speed of roll out is adjusted based on what's actually detected as happening "in the wild," actual bad updates very seldom occur, and make huge news (see the debut of 1809, as the biggest example) when they do.

 

[Rich-M]

I was not aware of that change in version 1909 but I admit I was puzzled that units behind more than 2 versions seemed to still be doing updates.
That said I have found numerous 1809 versions that did not feature update so WU was already broken obviously. I am also still puzzled why some systems show option of newest feature
update while others do not.

 

[britechguy]

I am also still puzzled why some systems show option of newest feature update while others do not.

Because that's how Feature Updates have worked, automatic or not, since day one. I've posted this, and it's sticky, in a number of places, but here's one: A "Public Service Announcement" Regarding Windows 10 Feature Updates & How They Work

The algorithm that Microsoft uses to determine when a given hardware configuration (AKA machine with that configuration) is ready for the next Feature Update is insanely complex and has clearly been integrating AI components over time. The days of "this gets sent out to everyone over the next few days to weeks" are long, long gone. I know of several machines that entirely skipped 1909 and went from 1903 to 2004 and now a bunch more that skipped 2004 and went straight from 1909 to 20H2. Skipping a given Feature Update entirely is not even close to unheard of.

 

[Rich-M]

Thanks for the above but unfortunately it sort of "muddies" the water for me rather than clearing it up as it sounds then again like the feature update will be offerred
when Windows feels the system is ready which then does not explain why so many of my user systems are multiple versions behind. If the systems I encountered "that were not ready" then how did I manage to update them?
I would love to know what any of us here in the business explains to their clients how to handle feature updates as I am now completely clueless other than to ignore all this and just give them the link to "update now" and tell them it is their responsibility in April or May or October or November. How frightfully unprofessional this answer sounds!

 

[britechguy]

Rich,

Because the number of possible ways anything can go wrong on any system it is impossible to accurate explain, for any given system, why Windows Update has not chosen to do a Feature Update. Sometimes, this is the result of a bug.

Microsoft always "declares" when a given Feature Update is considered to be available for ALL systems and can be safely installed on any that may have not updated, for whatever reason, after that. See the Windows Update Release Dashboard. The last Feature update declared to be "ready for broad deployment," the code phrase for, "ready for anyone and everyone," is Version 1909. See the Known issues and notifications section for any given version.

Any version where that is stated can be safely applied, whether or not Windows Update did it by itself, and when that status is reached if Windows Update hasn't applied it already then there is likely something wrong with Windows Update on the machine in question. If it's not noted as "ready for broad deployment" that means that the roll out is not, as yet, complete. There are plenty of machines still on 1909 that will likely never get 2004, as it's not "ready for broad deployment," and its far more likely to be skipped in favor of 20H2 when the time comes for that 1909 machine to update, as 20H2 is a trivial update on top of 2004.

I don't quite understand why Windows Update answers that cannot be precisely answered strike you as "frightfully unprofessional" when scads of answers in this business are equally or even more vague. "Did you power cycle it?," along with the attendant, "That often fixes it," is a truism of our business.

After being in this business for decades now I care a lot less about having any precise answer about the root cause of any issue, because very often it's impossible to know, period. It's frightfully unprofessional if I cannot come up with a fix, and while I won't say that never happens (for any of us), it seldom happens for me as I try to assess "fixability" before even agreeing to take on a given job.

 

[Rich-M]

I just meant it would be nice not to have multiple answers is all. I mean we don't want our clients ignoring updates, especially feature updates
and since I seem to have no issue updating any system using the media creator update site, I don't get why anyone can't go there and update their system themselves. I guess what I am saying is I want to be able to have every client do the same thing so that we can have one attitude towards the version updates and I have never had any issue updating my own desktops and laptops as well as units for sale so the thing I don't want to have to do answering client questions is "well it depends" so I intend to just tell them to go to the link and do the feature updates themselves rather than wait for WU as a policy. Anything else sounds unprofessional to me so its a personal thing I suppose.

 

[Digerati]

Well Bill you said that you think most users know that primary purpose of updates is security and that sure does not describe most of my clients

I think you are getting a bit too focused on the minutia in the wording.

I am saying, and have for decades, that keeping our computers current is "a" primary step in keeping our computers secure. Perhaps most of your clients don't understand that but "all" of my clients do! And my family and friends who consider me their go-to computer guy fully understand that as well. And why? Because I have been pounding that into their heads for decades too. "Practicing safe computing" is a buzz-term I have used ever since I started supporting computers and networks, and helping users on sites - with keeping systems patched and updated as the first steps. I consider educating those who use the computers and networks I am responsible for is part of my job. In fact, it was in my job description when I was the network manager of a major military network.

While that advice may apply mostly to the operating systems and hardware, it applies to applications too.

 

[britechguy]

. . . so I intend to just tell them to go to the link and do the feature updates themselves rather than wait for WU as a policy. Anything else sounds unprofessional to me so its a personal thing I suppose.

Your choice, and I mean that, but I've encountered several really ugly episodes when updates have been manually forced on hardware where the Windows Update Pane is not presenting the Download and install link for a feature update, and even more so when that pane is presenting the "not quite ready" message.

My advice is the diametrical opposite of what you intend to say. It's always to wait until presented.

It is a very rare occurrence for WU not to eventually present the option to Download and install a feature update on a machine when it's deemed ready by Microsoft, and sometimes that means skipping a Feature Update on certain hardware. If end users are advised to check the Windows Update once per month after the release of any Feature Update and to wait until it's offered, the vast majority will receive that offer at some point during the roll out period. Roll outs always have taken months, and for good reason.

Windows As A Service is an entirely different update delivery paradigm. And since it does involve AI elements and the possibility, in the event of a "late breaking and previously unknown issue," of changing its mind, I'm even more of the wait until presented mind. The mind-changing is rare, but it has been known to occur, but I have no problem with anyone applying an update when their hardware is initially deemed ready. Theirs could be one of the machines that provides telemetry that causes decisions about how WU should proceed to change. That's just the way it works.

 

[Rich-M]

I think you are getting a bit too focused on the minutia in the wording.

I am saying, and have for decades, that keeping our computers current is "a" primary step in keeping our computers secure. Perhaps most of your clients don't understand that but "all" of my clients do! And my family and friends who consider me their go-to computer guy fully understand that as well. And why? Because I have been pounding that into their heads for decades too. "Practicing safe computing" is a buzz-term I have used ever since I started supporting computers and networks, and helping users on sites - with keeping systems patched and updated as the first steps. I consider educating those who use the computers and networks I am responsible for is part of my job. In fact, it was in my job description when I was the network manager of a major military network.

While that advice may apply mostly to the operating systems and hardware, it applies to applications too.

Of course I completely agree which is why I raised the question in the first place is I have always told them to keep current, my problem is how to do that now based on the fact Microsoft may or may not be helping with doing that because all of what you both are saying makes me not sure what accomplished that in this case.

 

[Rich-M]

Your choice, and I mean that, but I've encountered several really ugly episodes when updates have been manually forced on hardware where the Windows Update Pane is not presenting the Download and install link for a feature update, and even more so when that pane is presenting the "not quite ready" message.

My advice is the diametrical opposite of what you intend to say. It's always to wait until presented.

It is a very rare occurrence for WU not to eventually present the option to Download and install a feature update on a machine when it's deemed ready by Microsoft, and sometimes that means skipping a Feature Update on certain hardware. If end users are advised to check the Windows Update once per month after the release of any Feature Update and to wait until it's offered, the vast majority will receive that offer at some point during the roll out period. Roll outs always have taken months, and for good reason.

Windows As A Service is an entirely different update delivery paradigm. And since it does involve AI elements and the possibility, in the event of a "late breaking and previously unknown issue," of changing its mind, I'm even more of the wait until presented mind. The mind-changing is rare, but it has been known to occur, but I have no problem with anyone applying an update when their hardware is initially deemed ready. Theirs could be one of the machines that provides telemetry that causes decisions about how WU should proceed to change. That's just the way it works.

I agree with you as well but my problem is I am now finding the norm is no action taken or offered by Windows in the majority of computers I have revisited in the past year and that is my issue. I have about 450 clients but quite obviously I see a small fraction of those each year but the majority of the units have either never done a feature update or are quite a few
versions behind and offering no new version to clients.

 

[Corday]

I set up a business to have the business package (AR,AP, Payroll, Crystal Reports etc) on a computer not capable of internet or any on-line communication. Things like MS Office 2007 with all the updates are perfectly safe and usable. I would recommend this setup to any small business. Banking info is communicated via flash drive from online computer. Access to the accounting computer only by owner although in a larger organization, probably the comptroller pr in house accountant. I know this wouldn't work for all businesses.

 

[britechguy]

I am not criticizing anyone's setup that "works for them," but the setup you describe, @Corday, would not be workable in a way that's acceptable to a very great many.

The amount of additional time spent in an arrangement such as this involves money, and lots of it. There are costs for modern conveniences, and costs for actively avoiding them.

In the context of most businesses, the costs of additional time, particularly if multiple staff are involved (and they are, even in most small businesses), very quickly outstrips the cost of keeping both hardware and software entirely up to date.

 

[Rich-M]

I would not react so quickly to that Brian, there is a lot of merit in a small business from the standpoint of control
by the owner if you think about it. Not saying I would do it just I need more time to think about it.

 

[Digerati]

I set up a business to have the business package (AR,AP, Payroll, Crystal Reports etc) on a computer not capable of internet or any on-line communication.

I am not criticizing anyone's setup that "works for them," but the setup you describe, @Corday, would not be workable in a way that's acceptable to a very great many.

I'm with Brian on this one. Also not criticizing anyone. If a stand-alone computer works for a company, then great. But every business I support requires LAN and Internet access, not just for their employees, but their customers too. The employees require email and access to shared documents. They fill out their timesheets on line, process customer orders, etc. Customers contact the company and employees via email and via messaging through their websites. This is true for the business accounts where the owner is the only employee too.

As for accounting computer access, none of my clients do their own accounting. They don't have the time to do that and run their business at the same time. They outsource it so again, Internet access would be a requirement.

If employees could only fill out timesheets etc. via a stand-alone computer, then they could not do that remotely - something essential during these trying times. I don't really know how a company today can exist without Internet access - except perhaps with cell phones only and that introduces a whole different bucket of worms.

And, at least IMO, flash drives on company computers are evil - unless access is very tightly controlled. In fact, they are strictly prohibited on many government and corporate networks. It is just too easy to introduce malware on to the host computer or into the local network with a flash drive. So I discourage their use. Not to mention, flash drives are fragile and easily grow legs.