Concerns about Windows 10

How is this likely to affect offline users? As I recall at the time of Win10 introduction I did a lot of reading about it and tried it briefly and concluded that Microsoft had such zeal for driving everyone to the cloud that it was practically impossible or at least annoyingly impractical to configure and use an offline Win10 computer. Especially with regard to mandatory updates. Has that changed?

Are there any current offline Win10 users who could share their views and experiences?

I’d suggest posting this tangent to its own Topic in the Hardware Category.

Those of us Rhino users still on Win7 are doing so for reasons that make sense to us. If we want to keep up with Rhino improvements it appears we will be forced to upgrade. So I think to that extent it is appropriate here.

It does make sense that discussion of Win10 offline should be a separate thread.
Could you move it? It would save me figuring out how.

Moved

Hi, I came across this thread in random research for something else. I do not work with Rhino but I have done hundreds (not exaggerating) of deployments of Windows 10 in non-internet-connected environments (interpret that as very high security isolation environments) all over the world with different company demographics. I have experienced no issues with running Windows 10 in these kinds of environments.

With regard to updates - there are techniques that can be used to deploy these without Windows 10 being internet connected. We normally use a dedicated server that connects to Windows Update and pulls the updates down to the server. The server distributes the updates to the machines - and gives you a dashboard on compliance of those updates. This service is called Windows Server Update Services (WSUS) and is a server feature of Windows Server 2012 R2/2016 or 2019.

You can also download the monthly cumulative update for the OS that is released on the second Tuesday of each month. Go to the Microsoft Update Catalog https://www.catalog.update.microsoft.com/Home.aspx, which is a daunting site when you do your searches and it comes back with so much data. If you search for “Windows 10 1909 cumulative update x64” in it, then in the results click on the “Last updated” column so the latest date is displayed, this will give you the latest update to be deployed on an x64 OS (Msft also includes ARM and x86, which is why I specified x64 in the search) based on Windows 10 version 1909 - if you are using earlier versions of Windows 10 (1809 or 1903) then you can search on those versions as well. The other search you need to do is “windows 10 1909 servicing stack x64” and install the latest version of that as well, as sometimes the cumulative update may not install without it. The latest Windows 10 Defender definition updates are here: https://www.microsoft.com/en-us/wdsi/defenderupdates. If you use WSUS it handles all of these updates automatically.

Sorry this is a long reply but I hope it helps in some way. Thanks, Jon

Thanks very much for taking the time to reply. I read it as essentially saying that I can run 10 with the same operational expectations as 7, in other words no annoying update reminders or refusal to run if updates are not installed? With W7 I usually updated once a year or two. Is that fair? In an offline environment with tight control over what gets onto the computer it’s quite reasonable to take an “if it ain’t broke, don’t fix it” approach and I’ve found that actual OS performance and feature improvements don’t come along often enough to update any more frequently.

I assume you are an IT person who does these offline installations often enough that you can remember the ins and outs from one time to the next. :grinning: Do you have any suggestions or links to them for a person who does them every decade or so and the only thing he remembers is how long it took and how easy it is to make mistakes? Given that M/S regards offline installs and operation as far out of the mainstream it seems easy to give the wrong answer to installer questions and find oneself in an undesired configuration nightmare. I realize that once a successful installation is operating OK that subsequent updates would probably go the same way and about as smoothly as W7. I would be using the manual download approach so I appreciate the links and remarks about how it goes for W10.

Again, thanks very much for the reply; it was both helpful and reassuring.

You can deactivate the update service of Win 10 and activate it when you want to run an update.
You can google how to do this.

Thanks, Micha. I’m still operating with the controversial knowledge that surrounded W10 when it was released. I decided at the time it wasn’t worth the trouble of upgrading and haven’t paid much attention to it since. One of the supposed issues at that time was that there was no way to turn off the update demands and that W10 would “stop working” in some way if it wasn’t updated.

I also went through the agonizing experience a year or so ago of trying to install Visual Studio Pro for offline use. Microsoft makes it nearly impossible to discover how to do it and it’s complicated when you do figure it out. Kind of soured my expectations for W10 offline.

That’s the reason for this thread: I wanted to be brought into the real world by people who have actually used W10 offline. All hints and tips for using it that way are very welcome.

Yes, I am in IT - CyberSecurity. These days the Windows 10 update process is far more stable than in the Windows 7 days. My advice is keep your system as up to date as possible. The bad guys out there are really sophisticated. Windows 7 technologies can be hacked in seconds; with a fully up to date patched Windows 10 it’s really really difficult. Msft does not regard offline installs as non mainstream - most Enterprise customers do not allow Updates from the internet and control their deployment using offline mechanisms (WSUS that I described in my first post).

If you’re doing updates infrequently, then before you take the updates I would do a backup of your data and maybe take an image of the workstation. I would then connect to Windows Update, do all the updates presented, then apply any application updates, then test that your application works. As stated earlier - my advice is keep your systems as up to date as possible - being up to date mitigates a lot of attack vectors. But yes, if you are stringent with tight control on what’s going on to and out of the computer then yes, you can do updates less, but my advice would be to still do updates. The following articles are very very old but still hold true: https://docs.microsoft.com/en-us/previous-versions/cc722487(v=technet.10) and https://docs.microsoft.com/en-us/previous-versions/cc722488(v=technet.10). Thanks, Jon.

Yup! My approach to security is based on administrator Law #2: It’s the easiest form of security for me as the administrator and me as the user. Administration takes practically no time at all and it provides me with complete immunity from network attacks and as long as I’m not inadvertently stupid or sloppy, also from any other attack. The administrative tasks that I do perform are few and far between and can be done when I have the time or inclination. I’ve been using it since the days of Win NT and results from the weeks I spent learning how and then recovering from a virus that wiped my hard drive. I decided there were better ways I wanted to spend my time. (I know, as a CyberSecurityPro, you are probably saying to yourself “isn’t that cute! One attack!”). But as a one-man operation I really don’t have a lot of time to devote to security issues and even if I did they wouldn’t occur often enough to keep me proficient without a lot of ongoing study, and I’m not in a position to find a trustworthy pro and pay him/her to stay on top of a network connected system. Therefore: Offline it is!

As you seem very experienced perhaps you would help me with a question that I’ve wondered about ever since MS started doing online updates (a little off topic, but perhaps you will indulge me if you can): Does MS update service take exclusive control of the network connection so that it is not possible for an attack to take place while the update is downloading?

Thanks for all your help. Now I just need to find the time to update to W10. And learn the differences from W7.

No, it doesn’t. But with Windows 10 - the firewall is automatically on and I normally set it as block all inbound connections which means no externally initiated connections are allowed. Since the Windows Update Service on Windows is initiated from the client and not Windows Update - the downloads are initiated from the client. The client download is across 443 (I think) as well. Also the updates are signed using a digital signature from the Microsoft Update site - if the signature does not match - the update is not installed - it is redownloaded. Therefore a man-in-the-middle attack is very difficult to do. Over the years I’ve come to really trust this process as even if doing updates across a really old bad corporate proxy service - the updates are still validated in exactly the same way. Bad signature - update rejected and redownloaded. I hope this helps. Thanks, Jon.
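For the manual route described earlier in the thread (catalog download on one machine, install on the offline one), the same signature check can be done by hand before anything is installed. The script below is an added example, not part of the original posts and not Microsoft's own tooling; the folder `D:\Updates` and the servicing stack number `KB0000000` are placeholders to replace with your own values.

```powershell
# Added example: verify, then install, manually downloaded .msu packages on an offline PC.
# Run from an elevated PowerShell prompt. Both parameter defaults are placeholders.
param(
    [string]$UpdateDir        = 'D:\Updates',   # hypothetical folder the .msu files were copied to
    [string]$ServicingStackKb = 'KB0000000'     # placeholder: KB number of the servicing stack update
)

$packages = @(Get-ChildItem -Path $UpdateDir -Filter '*.msu')
if ($packages.Count -eq 0) { throw "No .msu packages found in $UpdateDir" }

# 1. Reject any package whose Authenticode signature does not validate.
#    'Valid' means the file is unmodified and the certificate chains to a trusted root;
#    the subject match is an extra sanity check that the signer is Microsoft.
$verified = @(foreach ($pkg in $packages) {
    $sig    = Get-AuthenticodeSignature -FilePath $pkg.FullName
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }
    if ($sig.Status -ne 'Valid' -or $signer -notmatch 'O=Microsoft Corporation') {
        Write-Warning "REJECTED $($pkg.Name): status=$($sig.Status) signer=$signer"
        continue
    }
    [pscustomobject]@{
        Name   = $pkg.Name
        Path   = $pkg.FullName
        SHA256 = (Get-FileHash -Path $pkg.FullName -Algorithm SHA256).Hash  # keep for your records
        IsSsu  = $pkg.Name -match $ServicingStackKb
    }
})
if ($verified.Count -ne $packages.Count) {
    throw 'At least one package failed verification; nothing was installed.'
}

# 2. Install the servicing stack update first, then the cumulative update.
foreach ($item in ($verified | Sort-Object -Property IsSsu -Descending)) {
    Write-Host "Installing $($item.Name) (SHA256 $($item.SHA256))"
    $wusaArgs = @("`"$($item.Path)`"", '/quiet', '/norestart')
    $proc = Start-Process -FilePath "$env:SystemRoot\System32\wusa.exe" `
                          -ArgumentList $wusaArgs -Wait -PassThru
    # 0 = installed, 3010 = installed but restart required, 2359302 = already installed
    if ($proc.ExitCode -notin 0, 3010, 2359302) {
        throw "wusa.exe failed for $($item.Name) with exit code $($proc.ExitCode)"
    }
}

# 3. List the most recently installed updates to confirm the result.
Get-HotFix | Sort-Object -Property InstalledOn -Descending |
    Select-Object -First 5 -Property HotFixID, Description, InstalledOn
```

Restart the machine after the script finishes if any package reported that a restart is required.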

Now that’s a valuable tip I never would have discovered on my own. It sounds like it might be pretty safe to put the offline machine online long enough for the update to take place instead of downloading the installer on a separate online machine that’s a more potentially “sacrificial” configuration.

Thanks again for all your help.