"Prior to Satya Nadella’s tenure as Microsoft’s CEO, the firm employed extensive QA testers and used them for all of its Windows patch testing. Not long after Nadella came aboard, he reorganized the company, fired a large number of employees in the testing group, and began requiring OS developers to do their own QA. Windows 10 builds are now rolled out to external testers as part of the Windows Insider program, and those beta testers are specifically advised not to deploy new OS builds on their daily driver systems, due to the risk that an update will break something.
We can’t speak to how Microsoft feels about these changes internally, but they haven’t been positive from where we sit. In theory, pivoting to a six-month cadence allows for rapid feature updates and quicker problem resolution. In practice, it means an entire class of hardware issues no longer gets picked up or resolved due to changes in testing procedure. And some of Microsoft’s issues these past few years don’t even map well to that explanation, like the repeated bugs and errors the company pushed out into Office last month. Windows users still on v. 1607 got hit with patches on up to 14 days of August 2017, when MS used to consolidate these pushes into 1-2 “Patch Tuesdays” per month.
The sheer volume of patches, and the frequent need to roll back those patches when they turned out to be buggy, has so frustrated Woody Leonhard at CNET, he’s now suggesting Windows power users (that’s an important distinction) turn off Windows Update altogether, to avoid the constant headaches that Microsoft has been dishing out. Given how bad things have gotten lately, he’s got a point.
Let me be clear: It is generally a bad idea to turn off security updates. For all the problems I had with Windows 10’s update model, automatic security updates weren’t one of them. The benefits of rapidly deploying security fixes vastly outweigh the risks in most cases. But Microsoft doesn’t just push security fixes, it pushes other changes through the same model. This has always been problematic, and it’s only gotten worse over time. In late August, MS pushed a Word 2016 patch that broke merged cell functionality, KB 3213656. Two weeks later, it pushed a new Word 2016 patch that contained the same bug, KB 4011039. If you use Office, your only option is to manually uninstall these KBs, at least if you also use documents with merged cells."
"The biggest risk to turning Windows Update off is forgetting that you’ve done so and missing a genuinely important patch because you thought it had automatically been applied. But if you update on a semi-regular basis already and can trust yourself to keep to such a schedule, you’re engaging in a bit of practical risk-shifting, under the assumption that you can spare yourself some headaches now and that doing so is worth the potential risk of being more exposed to infection."
I hate how Microsoft makes all non-Pro users essentially beta testers. Pro users can at least defer updates for 30 days, usually long enough for Microsoft to pull their garbage which causes issues, but Home users don't get that option, and they are the people who need to not experience problems the most (unless you're Geek Squad, in which case you love it when Microsoft pushes out garbage that borks machines). Honestly I've been tempted to block it at the router level... but I'm lazy.
These days vulnerabilities outside of the OS are the most dangerous. Flash (thankfully soon to be dead), Java, "Subtitles Open You Up to Hackers When Using Popular Media Players", "BlueBorne Attack Impacts Billions Of Bluetooth Devices", or even cryptoviruses or ransomware, which can attack even a fully patched system. These days the first real line of defense is to use a restricted user account instead of an administrator account (you can always use your administrator credentials if you need to install or change things on demand). Secondly, using NoScript or another browser extension which blocks everything you don't need, including all those Flash and Java ads and insets, takes care of drive-by downloads and other dirty tricks. Thirdly is EMET. Fourthly is your antimalware systems of choice.