December 5th, 2022

Take Control of Windows Updates on your Windows 11 DAW PC

Pete Brown
Principal Software Engineer

Take Control of Windows Updates on your Windows 11 DAW (Digital Audio Workstation) PC

Computers are subject to a lot of dangerous “stuff” ranging from questionable to inconvenient to dangerous. While the Internet is the most common vector for attacks, they can also come from home networks, other computers on your guest network, man-in-the-middle attacks at WiFi hotspots, malicious files on USB thumb drives or USB charging ports in public locations, the files your customer just dropped to you on that external SSD, Thunderbolt-based attacks, your never-updated-and-now-compromised router or internet TV, and more. There are many ways any computer, regardless of operating system, can be compromised.

Many claim to have air-gapped their computers, but outside of defense installations, that’s almost never the case because it’s incredibly inconvenient. There’s always a need to get files to or from the computer, connect to the internet to renew a license, or more. Truly air-gapped computers never have any way of communicating, either through manual insertion of media, or a network, with anything which has been on an unsecured network.

Before joining Microsoft, one of my jobs (for which I had a secret clearance) was on a Department of Defense contract. There were two PCs on my desk there. One PC, the one on the SIPRNet network, had all the connectors epoxied in place, including keyboard, mouse, monitor, network, etc. It had all other USB ports epoxied shut, and the desktop PC itself was bolted and locked to the steel plate desk with the monitor not visible from any window or door. The only way to log into the PC was through my security card which was required to be on my person at all times. The only way to get something new on to that PC was to fill out forms to have something specific pushed down to it (could take weeks, or if not approved, just rejected) or in the case of code, to just type it all in. It was … truly inconvenient.

You need to consider if this is the right thing for you

I’m not a security expert by any stretch. There are many others who know much more about this space than I do, including those who stay up at night, watching trends and reports, and thinking of the next possible exploit or bit of malware they need to protect our computers and our data from. These are the people who helped design the security features in Windows 11 to make it as secure as possible, while retaining the flexibility you’ve come to expect from a Windows PC.

When I talk about features like this, folks tend to want to debate them with me. Just know that my response will be to nod and smile, as this simply isn’t my area. As much as I seem to love a good argument, you’ll need to go elsewhere on this one. I like computers, software, music, and musicians. I don’t like malware and dealing with infected computers. And I really don’t like the idea of any creative person losing work because of a security exploit. But I also know what it’s like to have something interrupt a performance or impact productivity, and I know some folks in this industry are quite tech savvy, so I want to get this information out to you all.

I’m also including some reference links below but they are not exhaustive. There are lots of sources for this data, so I encourage you to seek out your own reliable and factual data sources when making decisions.

These points aren’t meant to scare, but rather to encourage an objective view. My biggest concern with showing how to manage updates here is that it shows up on some tweak app or similar, and uninformed folks check a box which enables it and makes the computer vulnerable, without helping inform first. It would be like having a “performance” button in your car which disabled ABS, air bags, the seatbelt, and the windshield wipers and defrost without any explanation at all of why you may not want to do that. There are lots of “tweak” scripts out there today which already do similar things without any objective explanation.

So before I explain ways to turn off updates, I want you to consider a few important things:

  1. Pausing or turning off updates is not something to do with your general-use PC. This is best reserved for a dedicated DAW PC, which isn’t being used to look at web pages, download files, or other potentially risky activities.
  2. Run Windows 11. There’s a lot more security and protection built in by default.
  3. Your data is more valuable than you think. Your computer is valuable to people building exploit networks. Never think that because you don’t consider yourself a high-value target that you will not be targeted. Individuals deal with ransomware just like corporations do, and $10,000 to get your data back may be far more difficult for you than $1M is to a big corporation.
  4. Turning off updates puts your computer at risk. You have to be extra vigilant, and also be prepared for owning the potential consequences of this decision. Turning off, or even pausing, updates is not something the vast majority of people should do. That’s why outright stopping them is not a simple switch in the settings app in Windows.
  5. Turning off updates should be a temporary action. Leave them off while heads-down in a project for some duration, and then when it’s done and delivered, go ahead and get yourself back up to date.
  6. Top Antivirus software will always help, but it is not going to catch everything itself. Staying up to date is part of a multi-layer strategy to keep your computer safe, including firewall, anti-malware, running as a non-admin lower-privilege account, and more. Antivirus/anti-malware software which isn’t kept up to date is useless for any recent threats.
  7. On a network (studio, office, home), the weakest computer can compromise all the others. Maybe you have really good safe computing practices, but your teenage gamer may not. This is a skill that is learned and built-up. Think about what it takes to locate the correct “download” button on one of those scamtastic download pages for common software. My own son ran into it years ago trying to download a Minecraft mod pack.
  8. Simply browsing an otherwise safe site can result in a drive-by infection. Ad networks have been a notorious vector for this in the past. It’s not about “I only stay on respectable sites”, because that’s not always enough.
  9. Your phone can be a vector into the rest of your computers and network. Phones get infected as well.

Some additional advice from Tom’s guide, across all operating systems.

Finally, I should address the myth that Windows PCs are unsafe and vulnerable, whereas macOS and Linux are not. Global data shows otherwise. There have been periods in previous years where other operating systems were more vulnerable than Windows. That’s not saying anything bad about those operating systems, just that this is a constant race between operating systems developers and malware/exploit developers. Every operating system has exploits, and every operating system needs to be kept up to date to be secure.

This is not something unique to Windows. All operating systems must be kept up to date, and best practices followed to stay up to date, and secure. Here’s some more information about malware on Linux, macOS, and Windows. Again, this is not to disparage any operating systems. I run several linux boxes here at home and have used them in embedded devices. I also use an iPhone and iPad Pro myself, in addition to Windows PCs. I also have friends at Apple and Google who are, like us, trying to do the right things for their customers, including musicians.

We’re talking about professional-level needs here. Windows 10/11 Home are meant for, well, home use. Some of the things I’m going to show are only available on Windows 10/11 Pro and not on Home. Although I think that professionals and advanced hobbyists should use Pro, that discussion, and the differences between Home/Pro, are both out of scope for this post and its comments.

Levels of control

| Goal | Consider |
| --- | --- |
| Minimize inconvenience during my normal usage hours | Set Active Hours |
| Defer updates until I’ve finished a short project or performance | Pause Automatic Updates |
| Only check for updates when I specifically want to | Turn off Automatic Updates |

How to set your active hours

Active hours are the times that Windows will stay away from restarts and updates, and any other potentially intrusive activities. One thing musicians and software developers have in common, is that they are not necessarily known for keeping typical working hours. Because of this, the default active hours in Windows may not be what works best for you.

Start > Settings > Windows Update > Advanced Options

You can let Windows work out your active hours based on your usage, or you can set them manually. Here, you see Windows picked 11am to 5am, which isn’t far off the mark. 🙂 You can override that to whatever hours you want, within the constraint that you have to leave time when Windows can update. Windows will let you know if you haven’t left an appropriate window.

Active Hours

This is the best way to stay up to date, but allow Windows to take care of that kind of housekeeping at times when you’re not normally at the PC.

How to pause updates and upgrades

Let’s say you’re traveling to a gig and have your PC all up to date, set up, and ready to go. You know that the performance is on our regular update Tuesday, and you don’t want any surprises because of updates while rehearsing or performing. The best way to manage this is to simply pause updates.

Start > Settings > Windows Update > Pause updates

Pause Updates

The setting isn’t available on the PC in the screenshot due to corporate policy for this PC, but it will be available to you on yours. At Microsoft, we have a lot of policies around updates to ensure only up-to-date PCs have access to our networks. We’re serious about how important it is to stay up to date, including with our own developers.

You can re-enable automatic updates after your performance, or let Windows automatically re-enable them when the time period expires.

How to completely turn off automatic updates and upgrades

This final option is a pretty big hammer. Through group policy, you can disable automatic updates completely. At that point, the only time updates will be downloaded and installed is when you go into the settings app and check for updates yourself by clicking “Check for updates”.

Although this is a supported option for disabling automatic updates on Pro SKUs (unlike hacky approaches like marking the connection as metered, or messing around with the services and accounts), staying safe is 100% your responsibility.

Open the group policy editor (gpedit.msc) as Administrator. The Group Policy Editor is an app available on Pro, Enterprise, and Education SKUs. It’s not a tool for a typical end user, so all the documentation you’ll find on it is geared towards enterprise system administrators.

Once in the editor, navigate to Computer Configuration > Administrative Templates > Windows Components > Windows Update > Manage end user experience

The setting you want is “Configure Automatic Updates”. If you read the help on the left, you’ll see there are a number of options. One of them is simply disabling automatic updates. That’s the one you’ll want.

Pause Updates

Double-click the setting and then change it from “not configured” to “disabled”. Hit ok, and then either reboot the PC, or type “gpupdate /force” from an administrative command prompt.

If there were any updates already downloaded and pending, you’ll still need to install those. After that, however, you’ll only get updates when you click the “check for updates” button. When you do that, Windows will behave like it does when updates are automatically downloaded.

There are two other related options of interest in the Group Policy Editor. The first is “Select when Quality Updates are received”. You’ll find that under “Manage updates offered from Windows Update”. This allows deferring updates for up to 30 days from the time specified. This is also where you’ll find the second option of interest: the “Do not include drivers with Windows Updates” setting. Drivers should remain current because of the type of access they have to your system, but if updated drivers are causing problems with your music production or performance, you can turn off driver updates here using this setting.

If you skipped my information in the beginning about why this setting shouldn’t be your first option, please go back and read it now.

Finally, note that the same GP settings are available in Windows 10, at least for disabling automatic updates. The path to get to them is slightly different, but in the same Windows Update bucket.
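To check which of the controls above are currently in effect on a machine, and how long it has gone without an update, here is a read-only PowerShell report. It is an added example, not part of the original post. The registry value names are the ones Windows uses to store these policies and settings (they do not appear in the post), and the 30-day staleness threshold is an assumption chosen for illustration.

```powershell
# Added example: read-only report of the update controls described in this post.
# Nothing here changes any setting. The 30-day threshold is an assumption.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$auKey     = Join-Path $policyKey 'AU'
$uxKey     = 'HKLM:\SOFTWARE\Microsoft\WindowsUpdate\UX\Settings'
$staleDays = 30

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or value is absent (policy not configured).
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name }
}

$noAutoUpdate = Get-RegValue $auKey     'NoAutoUpdate'                    # "Configure Automatic Updates" = Disabled
$deferOn      = Get-RegValue $policyKey 'DeferQualityUpdates'             # "Select when Quality Updates are received"
$deferDays    = Get-RegValue $policyKey 'DeferQualityUpdatesPeriodInDays'
$noDrivers    = Get-RegValue $policyKey 'ExcludeWUDriversInQualityUpdate' # "Do not include drivers..."
$pauseExpiry  = Get-RegValue $uxKey     'PauseUpdatesExpiryTime'          # Settings > Pause updates
$activeStart  = Get-RegValue $uxKey     'ActiveHoursStart'
$activeEnd    = Get-RegValue $uxKey     'ActiveHoursEnd'

# Most recent installed update that reports an install date.
$lastFix = Get-HotFix | Where-Object { $_.InstalledOn } |
    Sort-Object InstalledOn -Descending | Select-Object -First 1
$ageDays = if ($lastFix) { [int]((Get-Date) - $lastFix.InstalledOn).TotalDays } else { $null }

$report = [pscustomobject]@{
    AutomaticUpdatesDisabled = ($noAutoUpdate -eq 1)
    QualityDeferralDays      = if ($deferOn -eq 1) { $deferDays } else { 0 }
    DriverUpdatesExcluded    = ($noDrivers -eq 1)
    PausedUntil              = if ($pauseExpiry) { $pauseExpiry } else { 'not paused' }
    ActiveHours              = if ($null -ne $activeStart) { "${activeStart}:00-${activeEnd}:00" } else { 'not set' }
    LastUpdateInstalled      = if ($lastFix) { $lastFix.InstalledOn.ToString('yyyy-MM-dd') } else { 'unknown' }
    DaysSinceLastUpdate      = $ageDays
}
$report | Format-List

# Flag the risky combination: updates switched off and the machine falling behind.
if ($report.AutomaticUpdatesDisabled -and ($null -eq $ageDays -or $ageDays -gt $staleDays)) {
    Write-Warning "Automatic updates are disabled and no update was installed in the last $staleDays days. Run 'Check for updates'."
}
```

Running this at the end of a project is a quick way to confirm that a temporary setting has not quietly become permanent.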

What else?

Windows tries to be the best general-purpose operating system for everyone. I think it does a really good job at that while working well for power users as well. But we know that what is the most appropriate choice for most people is not necessarily the best choice for every person. That’s why we continue to optimize for best practices, but offer knobs to help informed users like you to adjust settings so you can be as productive as possible.

If you are interested in other tips for Windows DAWs, including my Windows 10/11 DAW tweak guide, I encourage you to check out my other posts here.

Author

Pete Brown
Principal Software Engineer

Pete is a Principal Software Engineer in the Windows Developer Platform team Windows at Microsoft. He focuses on client-side dev on Windows, apps and technology for musicians, music app developers, and music hardware developers, and the Windows developer community. Pete is also the current chair of the Executive Board of the MIDI Association. He first got into programming and electronic music by working with sprites and the SID chip using BASIC on the Commodore 64 in 6th and 7th grade, and ...
