We now know for sure that Windows 10 build 10240 -- and presumably the final version of Windows 10 -- will force updates on Windows 10 Home and Windows 10 Pro PCs that aren't connected to a patching server. That said, Microsoft has provided certain tricks you can use to block specific patches after-the-fact. In my experience, some of the tricks work, others don't.
In the past, Microsoft has drawn a very firm distinction between security patches and other updates of various kinds. For example, the Software Update Services list at KB 894199 puts "security content" and "non-security content" in completely separate sections.
In the final stretches of the build 10240 beta, though, that distinction has been thrown to the wind; the five "Security Updates for Microsoft Windows" all include patches to build 10240 itself. I can't find details about any of the patches in KB 3074663, 3074661, 3074665, 3074667, or 3074674 -- we just have to take Microsoft's word for it.
Whether the melding of security and non-security patches is a permanent fixture or merely a marriage of beta convenience remains to be seen. But the lack of distinction is troubling.
I set out to see how Microsoft's patch blocking program, wushowhide.diagcab, works. You can get your own copy at KB 307930. The description says:
In rare cases, a specific driver or update might temporarily cause issues with your device, and in this case you will need a way to prevent the problematic driver or update from reinstalling automatically the next time Windows Updates are installed… If a driver or update you are being offered is causing system crashes or instability and Windows was operating correctly prior to that update, you can follow these instructions to prevent the unwanted driver or update from being installed.
Using wushowhide is a two-step process. First you have to remove the driver (right-click Start, choose Device Manager, right-click the bad driver, and choose Uninstall) or uninstall the patch (Start > Settings > Update & security > Advanced options > View your update history > Uninstall updates > pick the bad patch and click Uninstall). Second -- before you reboot -- you need to run wushowhide.diagcab and follow the old-fashioned Troubleshooter (Windows 7 veterans will remember it well) to find and check the box next to the driver or patch you just uninstalled, in order to "hide" it.
Once you've removed and hidden the patch or driver, reboot your system, and it shouldn't darken your doorstep again in the future -- at least, that's the theory. The practice is a little different.
I started by removing the oldest security patch on my system, KB 3074663. Before running wushowhide, I rebooted. When Windows 10 came back up for air, KB 3074663 was nowhere to be found -- it didn't appear after clicking on Check for updates, and when I went into Uninstall updates, it wasn't there either. I'm still looking, and can't find KB 3074663 anywhere, except at the bottom of the "View your update history" list.
There's no way I can find to manually install KB 3074663, either. The KB article says:
This update is available through Windows Update. When you turn on automatic updating, this update will be downloaded and installed automatically. For more information about how to turn on automatic updating, see Get security updates automatically.
Which is wrong in so many different ways that it's hard to list them all.
Goodbye, KB 3074663. We hardly knew ye.
Undaunted, I tried removing the most recent patch, KB 3074674, which came out in the wee hours of this morning. This time, it worked as expected: Uninstall the patch, don't reboot, run wushowhide, hide the patch, and it stays hidden through various attempts to check for updates. Run wushowhide again, uncheck the hidden patch, reboot, and it appears when you click "Check for updates".
This morning I also received a Synaptics driver update for the Synaptics SMBus driver. I went to Device Manager, uninstalled the driver… and never found it again. Running wushowhide doesn't list the driver. Rebooting and clicking "Check for updates" doesn't find it either. Windows 10 isn't like Windows 8 or 7 (or Vista or XP or 98): There's no list of patches to choose from. Like Charlie on the MTA, the Synaptics driver's no doubt riding forever ‘neath the streets of Boston.
Again, there's no way I can find to manually install it.
Moral of the story: Uninstall drivers and patches at your own risk.
Also note that wushowhide only works after the fact: You can't pre-emptively tell wushowhide to block certain patches or certain groups of patches. You have to get stung first, then block a specific patch that has been manually uninstalled.
I'm told there's a way to roll back patches in the Windows 10 boot sequence, but I can't get it to work for specific patches. If any of you has a pointer to the method, hit me in the comments. (t/h YB)
It's unclear how/if wushowhide interacts with Microsoft's old Windows Server Update Services or the new Windows Update for Business (WUB), which nobody I know has seen as yet. Rod Trent at Windows ITPro posted an article about Windows 10 now appearing in the WSUS lists, but there seems to be very little information (as opposed to fancy presentations and contorted descriptions) about Windows 10 patching for the enterprise.
Also worth noting, the five patches to Windows 10 build 10240 are all marked as security patches and thus are supposed to bypass the Fast ring/Slow ring/Home cannon fodder vetting process. It looks like we're going to get security patches immediately, although there's no firm description about how WUB will handle them. Presumably WSUS admins will be able to delay them, as always.
One week to go.