
How do I Make Sure Windows is Up to Date?

How do I make sure Windows is up-to-date? And … should I?

The last question is easy to answer: yes. Yes, you absolutely should keep Windows as up-to-date as possible.

The good news is that in most recent versions of Windows, you need do nothing. Windows will update itself regularly.

The not-so-good-news? In Windows 10, it’ll do so whether you want it to, or not.

Let’s look at how we got here, what “here” really looks like, what control you do or do not have, and what I believe you should do.


Vulnerabilities & updates

The issue is common to all software: no one is perfect. All software has bugs, period, no exceptions.[1]

While many bugs are minor and inconsequential, some make the software vulnerable to exploitation by people trying to do something bad – like hack into your system, steal your data, use your computer to send spam or worse. These bugs are often referred to as “vulnerabilities”, and the software that takes advantage of them is termed “malicious software”, or simply “malware”.

When vulnerabilities are found, manufacturers release updates to their software that fix (or “patch”) the bug.

It’s important, then, that the users of affected software actually take the steps to install those updates when they’re made available.

Unfortunately, particularly early in Windows history, individuals often did not install updates, for a variety of reasons. This left their computers vulnerable to more and more malware, even though those bugs had been fixed in subsequent updates.

Automating updates

Windows Update is Microsoft’s solution to the update distribution and installation problem.

It’s a service that runs in the background, periodically checking for updates to Windows[2] that apply to your machine’s particular configuration. When available updates are found, Windows Update can do several different things, depending on how it’s configured.

Updating

  • It can simply notify you that updates are available. You are still responsible for taking the next step: downloading and installing them.
  • It can download the updates that apply to your computer and notify you they’re ready to be installed. You are still responsible for taking the next step: actually installing them.
  • It can download the updates that apply to your computer and install them automatically, according to a schedule that you specify.

The reason that schedule is important is that it’s not at all uncommon for updates to require your machine be rebooted. Software cannot be updated if it’s actually in use. That means in order to update core components of Windows itself, Windows needs to shut down briefly for the update to be possible. That’s a reboot.
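Where an administrator has set the update behaviour by policy, the choices listed above are stored as documented registry values (AUOptions, NoAutoUpdate, ScheduledInstallDay and ScheduledInstallTime). The PowerShell below is an added example, not part of the original article: it reads those values, if a policy is present, and reports which behaviour is in force. The function name Get-UpdatePolicySummary is made up for this illustration.

```powershell
# Added example: summarise the Automatic Updates policy on this machine.
# Reads only; changes nothing. Get-UpdatePolicySummary is an illustrative name.

$AuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'

# Documented AUOptions values, matching the behaviours listed above.
$AuModes = @{
    2 = 'Notify only: you download and install'
    3 = 'Download automatically, notify before installing'
    4 = 'Download and install automatically on a schedule'
    5 = 'Local administrators choose the behaviour'
}

function Get-UpdatePolicySummary {
    [CmdletBinding()]
    param([string]$Path = $AuKey)

    # No key means no policy: Windows follows its built-in behaviour.
    if (-not (Test-Path -LiteralPath $Path)) {
        return [pscustomobject]@{
            PolicyPresent = $false
            Mode          = 'Not set by policy (Windows default applies)'
            Schedule      = $null
            Concern       = $null
        }
    }

    $au       = Get-ItemProperty -LiteralPath $Path
    $opt      = $null
    $schedule = $null
    $concern  = $null

    if ($au.NoAutoUpdate -eq 1) {
        # Worst case: nothing is checked for or installed automatically.
        $mode    = 'Automatic updating is switched off'
        $concern = 'Fixes are installed only when someone does it by hand'
    }
    elseif ($null -eq $au.AUOptions) {
        $mode = 'Policy key exists but does not choose a behaviour'
    }
    else {
        $opt  = [int]$au.AUOptions
        $mode = if ($AuModes.ContainsKey($opt)) { $AuModes[$opt] } else { "Unrecognised AUOptions value $opt" }
        if ((2, 3) -contains $opt) {
            $concern = 'Updates wait for a person to act on the notification'
        }
    }

    if ($opt -eq 4 -and $null -ne $au.ScheduledInstallDay) {
        # Day 0 means every day; 1 to 7 mean Sunday to Saturday. Time is the hour, 0 to 23.
        $days     = 'Every day', 'Sunday', 'Monday', 'Tuesday', 'Wednesday', 'Thursday', 'Friday', 'Saturday'
        $schedule = '{0} at {1:00}:00' -f $days[[int]$au.ScheduledInstallDay], [int]$au.ScheduledInstallTime
    }

    [pscustomobject]@{
        PolicyPresent = $true
        Mode          = $mode
        Schedule      = $schedule
        Concern       = $concern
    }
}

Get-UpdatePolicySummary | Format-List
```

On a home machine with no policy configured, the key is normally absent and the script says so; the behaviour is then whatever the Windows Update settings screen shows.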

Updates & failures

Earlier, I said: “The issue is common to all software: no one is perfect. All software has bugs, period, no exceptions.”

Updates themselves are software, and in turn could have bugs. The update process itself could have bugs.

The net result is that for a time, Windows Updates themselves were considered “risky”. There was a perception that with any given update, your machine could become less stable. In the worst cases, there were Windows updates that actually completely crashed the machine on which they’d been installed. That bad reputation – whether warranted or not – has had some serious and long-term consequences.

Failures to update

Because of that bad reputation, some computer users would delay their updates to what they considered to be a safe time – after some period of time had passed that allowed them to feel confident that the update would not harm their machine.

Others stopped taking updates altogether.

Needless to say, the authors of malware approve. To them, delaying or skipping updates means that once a vulnerability is discovered, they can continue to write and circulate malware to exploit it, because they know that not everyone will take the update that fixes it.

Applying updates regularly remains the best approach to keeping your system secure and up-to-date. I continue to recommend that you let Windows update itself automatically, so you don’t have to take any action at all. As we’ll see in a moment, Microsoft agrees – strongly.

Perhaps a bit too strongly.

Windows 10 and forced automated updates

When Windows 10 was released, the options to delay updates were removed from the consumer editions of the operating system. Updates are downloaded automatically and installed automatically.

In a perfect world, this would be a perfect solution.

Unfortunately, all software has bugs, and the result is there have been two major issues:

  • While the stability of Windows updates had been improving over time – fewer and fewer updates actually cause any significant problem – some Windows 10 updates, at least initially, seemed a step backwards. Reports of people having problems after an update seemed to increase.
  • Updates that required a reboot would indeed reboot, often at an inconvenient time.

The stability of updates appears to be improving once again, but Microsoft has also made additional options available.

Windows 10 Windows Update Settings

In Settings, Windows Update, Advanced Options, you’ll find the following:

  • An option to “Notify to schedule restart”. While the alternative “Automatic” remains Microsoft’s recommended setting, “Notify…” allows you to control when your machine will reboot, and thus allows you to save your work and make sure that nothing will be negatively impacted by the reboot.
  • An option to “Defer upgrades”. Note that an upgrade is not the same as an update. Deferring upgrades will delay the arrival of new features and functionality in Windows, but it will not delay the download and installation of bug fixes and security updates.

But the bottom line is that Microsoft really, really, REALLY wants you to keep your machine as up-to-date as possible.

And I agree.

Recommendation: managing risk

Honestly, it’s all about risk management, trading off the risk of a misbehaving update compared to the risk of having an unpatched vulnerability exploited by malware.

The good news is, we know how to manage risk.

For all versions of Windows, my recommendation remains:

  1. Back up regularly. Ideally, perform system image backups as I’ve outlined in several articles. Then, no matter what, you’re protected from any kind of failure, be it hardware failure, a crashed disk, malware, or even a troublesome Windows update.
  2. If it’s an option, configure Windows to automatically download all updates, both for Windows and other Microsoft products.
  3. If it’s an option, configure Windows to notify you when updates are ready to install. If it’s not an option, then at least configure Windows to notify you to schedule any restart required after automatically installing updates.
  4. Regardless of what notification you get, act on it as soon as is convenient. Install the updates and reboot as needed.

In my opinion, this is the safest approach to managing a wide variety of risks related to using your computer – not just the risks of a failed update.
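To confirm that the steps above actually left the machine up to date, you can ask the Windows Update Agent directly. The PowerShell below is an added example, not part of the original article: it uses the agent's COM interface to list updates that apply but are not installed, recent failed installs, and whether a restart is still owed. The function name Get-UpdateStatus and the default history depth of 50 are choices made for this illustration.

```powershell
# Added example: ask the Windows Update Agent what is missing, what failed
# recently, and whether a restart is still owed. Reads only; installs nothing.
# Get-UpdateStatus is an illustrative name, not a built-in cmdlet.

function Get-UpdateStatus {
    [CmdletBinding()]
    param([int]$HistoryDepth = 50)   # how many recent history entries to inspect

    $session  = New-Object -ComObject Microsoft.Update.Session
    $searcher = $session.CreateUpdateSearcher()

    # 1. Updates that apply to this machine but are not installed.
    #    The search contacts the update service, so it fails when offline.
    $missing     = @()
    $searchError = $null
    try {
        $found = $searcher.Search('IsInstalled=0 and IsHidden=0')
        foreach ($u in $found.Updates) {
            $missing += [pscustomobject]@{
                Title      = $u.Title
                KB         = (@($u.KBArticleIDs | ForEach-Object { "KB$_" }) -join ', ')
                Severity   = $u.MsrcSeverity
                Downloaded = $u.IsDownloaded
            }
        }
    }
    catch {
        $searchError = $_.Exception.Message
    }

    # 2. Recent install attempts from the local update history.
    #    Operation 1 = installation; ResultCode 2 = succeeded, 4 = failed.
    $history = @()
    $total   = $searcher.GetTotalHistoryCount()
    if ($total -gt 0) {
        $history = @($searcher.QueryHistory(0, [Math]::Min($total, $HistoryDepth)))
    }
    $installs = @($history | Where-Object { $_.Operation -eq 1 })
    $lastOk   = $installs | Where-Object { $_.ResultCode -eq 2 } |
                Sort-Object Date -Descending | Select-Object -First 1
    $failed   = @($installs | Where-Object { $_.ResultCode -eq 4 } |
                Select-Object Date, Title)

    # 3. Installed updates that are waiting for a restart to take effect.
    $restart = (New-Object -ComObject Microsoft.Update.SystemInfo).RebootRequired

    [pscustomobject]@{
        SearchError    = $searchError
        MissingCount   = if ($searchError) { $null } else { $missing.Count }
        Missing        = $missing
        LastInstallUtc = if ($lastOk) { $lastOk.Date } else { $null }
        RecentFailures = $failed
        RestartPending = $restart
        # Up to date only if the search worked, found nothing, and no restart is owed.
        UpToDate       = (-not $searchError) -and ($missing.Count -eq 0) -and (-not $restart)
    }
}

$status = Get-UpdateStatus
$status | Format-List SearchError, UpToDate, MissingCount, RestartPending, LastInstallUtc
$status.Missing        | Format-Table -AutoSize
$status.RecentFailures | Format-Table -AutoSize
```

The history also records antivirus definition updates, so a recent LastInstallUtc on its own does not prove that Windows fixes were installed; MissingCount and RestartPending are the values to act on.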


Footnotes & references

1: If someone claims that a particular bit of software has no bugs, then either they simply haven’t yet found the bugs that actually are there anyway, or they’ve dismissed some erroneous or unexpected behavior (aka a bug) as not rising to the level of being called a bug. It’s still a bug.

2: And optionally, other Microsoft software.

50 comments on “How do I Make Sure Windows is Up to Date?”

  1. Hello Leo Nootenboom,

    I have clicked the Windows Update notification in Lockergnome’s NewsLetter.
    A fast running menu showed up and a bar was filled up.
    Should this program be downloaded and used instead of WINDOWS UPDATE?
    Have things been changed in my WIN98SE after
    I ran the program from Lockergnome ?
    I have seen the word SETTING passing by, however
    within the second another menu appeared.

    Where can I find more details about what to do ?

    Best regards,
    Adriaan Ruiter
    NL

    Reply
  2. That video requires Macromedia Flash in order to be viewed, and it sounds like you have things set to automatically install without prompting. It simply means you should now be able to view the video.

    Reply
  3. My question is simply this. When I scan Windows XP (home edition) with Spybot SSD, I get a report indicating that a threat “Windows Security Center.AntiVirusDisableNotify” has been detected and fixed. Would this problem prevent me from getting the most recent Windows updates?
    When trying to get updates I always get zero found.
    Thank you,
    Ted …

    Reply
  4. I’ve been reading through the INTERNET trying to find a solution to this problem – “Could not start the Automatic Updates service on Local Computer. Error 1058: The service cannot be started, either because it is disabled or has no enabled devices associated with it.” I’m running Windows XP Professional with SP2 – I had SP3 when this started and removed it. I’ve been all over the web and tried all the re-start solutions I could find. I am at my wits’ end. Please help.

    Steve

    smajero@msn.com

    Reply
  5. My driver update service I noticed that drivers were also compatible for Vista and I am using XP Pro. I updated all drivers except a few w/o problems and am wondering why Microsoft didn’t include this in their automatic update process. I use Driver Agent with no problems.

    Reply
  6. > Microsoft on occasion automatically downloads AND installs updates even with this setting

    IIRC, this is true, but limited to security problems *with Windows Update itself*, in which case a lot of normal mechanisms are bypassed.

    IMO this is understandable, and in context, perfectly acceptable.

    Why? Well, if you have a problem with an OS vendor doing things to your computer that you don’t explicitly know about, then to be honest you have way bigger problems than an occasional mandatory update — you’re using a proprietary OS, it’s doing things you don’t know about all the time. If you consider that unacceptable, then Windows is not the OS for you; use an open source one. On the other hand if you do consider it acceptable, mandatory updates don’t really change anything.

    But choosing to run a proprietary OS and then being paranoid about the OS vendor updating it is just silly.

    Reply
  7. On my XP I have Windows Update turned off.
    I understand that Microsoft releases updates on Tuesday.
    By Friday Microsoft has fixed all the bugs in the updates that third party testers have reported.
    On Friday afternoon I go to Windows Update and only download the high priority updates.

    Reply
  8. Windows update is only the appetizer. Avoiding updates to other popular applications is just as dangerous as not having anti-virus software.

    Secunia’s PSI is very complete, but it’s also complex and wants to run constantly in the background.

    They also offer a simpler online product, one that doesn’t have to be installed at all – the OSI or Online Software Inspector. For an intro to that service see

    Free, Comprehensive Windows Patch Notification: Secunia

    It requires Java and it doesn’t check as many applications as PSI. But, with the 80/20 rule, it’s probably good enough. My experience has been that it’s hard enough to get a clean bill of health from OSI.

    The Windows 7 option about allowing all users to install bug fixes (excuse me, “changes”) means that a standard/restricted Windows 7 user can install patches without any UAC interruption. If this is off, then a standard user needs to supply an admin password to install patches.

    Reply
  9. Windows Update, in Automatic Mode, does not always load all of the critical updates.

    It seems that some of the Updates require a more recent Windows Genuine Authorization check before they will download & install. Also, Service Packs will not install automatically.

    A recent laptop with Vista did not have any SPs installed. It took about four hours to download and install these over a wireless cable-based ISP connection.

    Personally, I turn Windows (Microsoft) Update off, and run it manually. Otherwise, it runs automatically at bootup – and hogs resources – and I’d rather have a working PC faster. I don’t mind being out of date for a week or two if I get lazy with these updates.

    Now my antivirus – that is the only program I allow for automatic updates.

    Great website Leo – thanks as always!

    Reply
  10. Automatic updates reserve 10% of internet bandwidth.

    My college teacher informed me Microsoft reserves 10% of your bandwidth and it is better to use the Windows update from all programs once a week on Thursday. Windows releases proper updates weekly and you do not get hot fixes. The weekly updates are full updates and not hot fixes. A PC with hotfixes is not all that good, the fixes are often not correct and you are sent another hot fix to any errors. We were advised to turn off automatic updates and to ensure you manually install all updates either from Windows Update link or search Microsoft and download and install manually from the downloads.

    Hope I was informed correctly and this helps to clear the pros and cons of automatic updates

    Automatic updates does not reserve 10% of your bandwidth.

    Leo
    17-Dec-2009
    Reply
  11. There is an argument to update vulnerable software QUICKLY which Leo didn’t stress particularly but which is very important. I want to give it here, because for years, I did fall myself in the trap because I didn’t know it.

    Indeed, an argument *not* to be in a hurry to update, is the following (and it is a fallacy but it is not evident): “given that I have been running this piece of vulnerable software/system now for 2 years without any problems, what’s the hurry now to do it right away? If I do an update every 6 months or so, that will be good enough, right? I’m not more vulnerable today than I was 6 months ago, right?”

    In fact, you soon will be. The argument above sounds good but is flawed, for the following reason. Once a vulnerability is known, it is made public 45 days after it has been reported, usually with “demonstration software” that shows how to abuse the vulnerability to hack the computer that is vulnerable. So from the moment that someone (honest) found the vulnerability (and in order to demonstrate that it IS a vulnerability, one has to use it to demonstrate the problem of course) and informs the software distributor of it, the counter is set in: 45 days and ALL BAD GUYS will learn about it, and most often, exactly how to use it. One can be surprised by such a ‘criminal policy’ but in fact, there are strong arguments that this is indeed the safest way to report vulnerabilities, no matter how strange it may sound that one sets free code of how to attack systems.

    But this means that a vulnerability that has been dormant in code, eventually for years, is hopefully not, and in the worst case, known only to a handful of hackers; however, from the moment that it is “officially discovered and reported”, a counter starts, and 45 days later, ALL HACKERS IN THE WORLD are informed how to abuse it. So the software distributor should fix it within 45 days, and you should install it within 45 days, to be safe.

    Reply
    • Vulnerabilities aren’t necessarily disclosed after 45 days, or even at all. Each company has its own disclosure policy. Additionally CERT will extend – or sometimes shorten – the 45-day window in the case of vulnerabilities that are serious or being actively exploited.

      Reply
      • I was talking of course about “officially announced” vulnerabilities (mainly by security researchers) to instances like CERT. The disclosure policy is meant to find a compromise between leaving some time to patch it, and “putting the cards on the table”, so that 1) yes, hackers know about it, but 2) also all people that might be exposed to the vulnerability know exactly what risk they are exposed to (and can eventually decide to stop running the vulnerable software until patched), and 3) put software writers under pressure to *really* patch it.
        History has shown that “secretly informing the software provider” – especially if it is proprietary software – has often led to no action at all, pretending there’s no problem (preserving “good name”) or giving out an ineffective patch. Now that’s of course worse.

        Reply
      • Next, a funny comment to wrap your mind around:
        as zero-day vulnerabilities (they are called zero-day because the 45-day counter has not been set in: in other words, “not yet officially announced vulnerabilities”), which are the juice of hacking:
        1) cost a lot of effort and work to find
        2) are very valuable to people wanting to hack into systems (mostly state-sponsored intelligence agencies and law enforcement, next to organised hacker crime)

        it is somewhat silly to put out for free those vulnerabilities, while rich entities are willing to pay you a lot of money to get them exclusively so that they can exploit them without people knowing or the software provider patching it. There is already a market for vulnerabilities. Now, in order to protect the economic activity of vulnerability searchers, one could do something similar as what one does to protect the economic activity of software writers.

        In the same spirit as the laws that protect intellectual property, in fact, there should be a kind of Digital Millennium Vulnerability Act that grants the right to knowledge of vulnerabilities to those finding and/or buying them, and nobody should have the right to tell it to others, or to spread the word, or to install patches that are not licensed for good money to the hacker that bought the intellectual rights to them. Only the owner of the vulnerability right has the right to inform people about the patch. Anybody getting a licence of a “vulnerability information” agrees on a VEULA (Vulnerability End User License Agreement) not to disclose this information to anyone (not even to his family members).

        In other words, in order to obtain the right to install a patch against a proprietary vulnerability bought by a hacker, you should first buy a license from that hacker 🙂 But even to *learn* about their existence in some detail from any other person but the license holder would be “vulnerability piracy”. It should then be totally illegal to *inform* people of vulnerabilities, as this knowledge is intellectual property. There should be institutions who analyse internet traffic and try to find out who is guilty of the act of piracy of informing others about a vulnerability that is licensed.

        This is nothing else but applying the logic of intellectual property rights consistently into the domain of vulnerabilities, and illustrates the sickness of the principle in my eyes.

        Reply
        • That’s a stretch. It’s akin to suggesting that an author needs to pay the person who discovered a typo in their book in order to be able to correct it.

          Reply
  12. “Honestly, it’s all about risk management, trading off the risk of a misbehaving update compared to the risk of having an unpatched vulnerability exploited by malware.” – Agreed. The bottom line is that the changes Microsoft has made to WU will result in more PCs being more secure – and that’s good news for everybody.

    Reply
    • Let us say that this is a nice side effect of Microsoft using most free (beer) users of Win-10 as guinea pigs / beta testers for the paying customers with enterprise licenses 🙂
      Otherwise there would be no reason to allow enterprise licenses to be more “insecure” than free (beer) licenses.

      Reply
      • That’s a very cynical viewpoint 😛 The simple fact is that Microsoft either forces updates on people, or we have bigger and bigger botnets – consisting of unpatched consumer systems – pushing out spam and other unpleasant stuff in bigger and bigger quantities. And, of course, there are very good practical reasons why the update process needs to be handled in the enterprise space – and having us act as beta testers for them isn’t one of those reasons!

        Reply
  13. Updates can be delayed in win 10 by selecting “metered connection”. Updates will be automatically downloaded and installed next time an unmetered connection is available.

    Reply
  14. I guess I’m an exception, but automatic updates became a nightmare on Windows 7, and I just do not do them any more. I’m not unaware of security; I have a paid subscription to ESET NOD32 antivirus and frequently run Malwarebytes and Spybot S&D. Microsoft has to show me that they are not doing more harm than good.

    Reply
  15. Back again Leo, with an update observation/ question regarding Windows 10 updates. I have a group of seven seniors using new Windows 10 laptops (out of the box with W10). Three have been stymied by an update removing their task bar, including the menu icon. For your average user this is dead end. Using shortcut keys I’ve been able to get to system restore and start the process. None has run to completion, but upon subsequent power off/on cycle, they came back in some form of usability, from which we could recover. This has occurred over a three week window, yet I’m not finding much online help. Were these folks not in this group, this would be a $100 repair action at the local merchant providing service. So the question part is: How do you keep these folks running when Microsoft keeps breaking their machines? Sure back-ups are nice, but most users are not gurus, but rather ordinary people trying to use a tool. Roger

    Reply
    • “Sure back-ups are nice, but most users are not gurus, but rather ordinary people trying to use a tool.” – Many seniors are, of course, able to deal with backups perfectly well – Leo, for example 😛 Like anybody else, the seniors may need some help with the initial setup, but managing things on an ongoing basis likely isn’t beyond their capabilities.

      That said, in a situation such as this, I’d have probably opted for Chromebooks (unless there was a specific need for Windows-based systems, of course). Chromebooks are just as easy to use as Windows PCs, considerably cheaper, less susceptible to user-caused or update-related problems and, because they’re designed to be used with Google’s cloud services, you don’t need to worry about backing ’em up.

      Reply
      • Wait … did I just get called a “senior”? 🙂 Not that I mind, it’s just that I suspect most people’s definition of “senior” changes as they get … um … older. I’m 58, fwiw.

        That being said, I know a ton of seniors (let’s say 80’s and above) who are quite adept with their technology and backing up. I bristle (to steal someone else’s term) when people try to use age as an excuse.

        Reply
        • OK…I am eligible to respond to these remarks :-)….I will be 81 on Saturday…fit and well, play Pickleball 3 x’s a week for about 4 hours and never get tired. Healthy diet most of my life, and don’t know what I would do without the internet.

          I also want to add how grateful I am to you and this site, because one does not have to be computer savvy to understand your writings, which really helps those of us who are self taught. When I think I need to contact the Geeks…I check here first. I love the challenge of trying by myself first though till I get frustrated, and then things change.

          Blessing to you all
          Gloria

          Reply
  16. The big snag with Windows 10 forced updates is that even if you can identify an update that causes a problem, yes, you can uninstall it but … whilst the problem may go away short-term, with the next update check, Windows discovers that you don’t have that update and puts it back again.

    Reply
  17. I will stick with Woody’s MS-DEFCON system.

    Microsoft has gone rogue lately, trying to force Windows 10 down the throat of reluctant Windows 7 users, therefore many of their “updates” are more like malware, as is their general behaviour.

    They are not alone in this, mind you. Antivirus publishers have begun to act like malware peddlers themselves. I had to restore an older image of my system in order to undo an “upgrade” of Avast Free Antivirus, which sticks a perfectly unwanted anti-spam toolbar in my Outlook. They don’t ask you about it, there’s no built-in way to undo the change, and a previously published register hack does not work anymore.

    Now Avast regularly howls at me: you’re at risk!, to which I answer: get lost.

    Reply
    • I’ve seen mention of Woody’s so-called MS-DEFCON system before and consider it completely idiotic – and I suspect that anybody who, unlike Woody, actually has real-world security industry experience would feel the exact same way. He seems to be under the impression that it’s okay not to install updates so long as your antivirus program is up-to-date and your firewall is switched on. But that’s not the case at all. Unpatched vulnerabilities can be exploited in ways that an antivirus program or firewall would do nothing – absolutely nothing – to prevent. It simply doesn’t make sense to delay applying security updates. Ever.

      At the end of the day, it comes down to this: 1) you install updates and accept the risk that they may cause problems (which are usually very easy to fix); or 2) you don’t install updates and accept the risk that your computer may be compromised, your passwords and logins stolen, your personal and financial information stolen, your keystrokes logged, etc., etc., etc. I know which option I prefer – and it ain’t #2!

      Reply
  18. You are right about Microsoft Updates. With Windows 7 winding down its extended support from Microsoft, there is no incentive for Microsoft to distinguish between Windows 10, 8.1, 8, 7 updates when they download updates. Your machine might not have any reason to apply the updates they suggest, thus making your machine run more sluggishly. I click the “more information” link and review the update they suggest, then decide if I want to download it. It saves a lot of aggravation. For example, “kb/3035583-Update installs Get Windows 10 app in Windows 8.1 and Windows 7 SP1” and who needs that if they’re happy with Windows 7? I do try to keep Windows Defender up to date even though I run stronger Security programs. Thank you for your articles.

    Reply
  19. W10 shut down my computer as part of an update.

    It was not a good time as I was fighting for my life in Dying Light.

    Zombies attacking me and more coming as I fought, ran, climbed for my life.

    I was NOT happy.

    Got W8 and W7 set to update normally on a shut down and they are no bother.

    Reply
  20. I never get any updates applied because, I guess, I am on a metered connection with Hughes Net satellite internet. So I can run my Windows 10 computer with all vulnerabilities just waiting for a hacker to use. I never use more than 10-20 % of my allocated service so I would like to tell MS that I am metered but install the updates anyway. Any way to do this???? Because of this I never bring my W10 machine up. What a waste. On my Vista machine, which I use for everything, every time I bring it up I update my AV, and if MS updates are flagged I install them. All done over my metered connection with never a problem. It’s a screwed up mess. Any suggestions will be appreciated.

    Reply
  21. I recently fixed my old Samsung laptop and I have been trying to update Windows 7, however it continuously says to shutdown in order to install updates. I do this, but when I log back on it states the same thing with no update. I would really love to get this old laptop running again. Any info would be a great help.

    Reply
  22. Although I always keep Windows Update active, from time to time I still find Updates that haven’t installed or failed to install on my three machines and find the same on some of my friends’ PCs that I give help from time to time. Therefore, I do a manual Update from time to time just to be sure.

    Reply
  23. {email removed}@gmail.com I have tried to keep this email to stay on but I keep having to change password so I am completely at a loss to do this any more if there is no way to keep my stuff in order I would just like to remove {email removed}@gmail.com and the e-mail {email removed}@hotmail.com is good and my outlook live is good so I would like to just these emails if this can be fixed I would like help to do this.

    Reply
    • 1) Don’t post email addresses in public places — it’s like asking the world to send you more spam.

      2) Not sure what you’re trying to accomplish. If you want to start using your hotmail address everywhere, then … just start using your hotmail address everywhere. What SPECIFICALLY are you having trouble with?

      Reply
  24. Two Windows updates have blocked access to all my Word and Excel files: KB4462223 and KB2553332. Luckily I kept a record of the numbers of all the files that were to be downloaded and installed so that I could identify the culprit among the group in “Add/Remove Programs” and delete it. I now download each update file individually and test the results to ensure that it is not malevolent. Of course, “update” keeps trying to download the malefactors. If I allow the computer to download and install the entire group at once and there is one malefactor, I have no way of knowing which one it is. I am still running XP; could this be the problem?

    Reply
  25. I just ask how can I know if the notification (at the bottom right hand corner of Windows 10) is genuinely from Microsoft? Reading through this page, just waste my time! Microsoft is really getting idiotic these days!

    Reply
