
Introducing Unified Update Platform - nikbackm
https://blogs.windows.com/windowsexperience/2016/11/03/introducing-unified-update-platform-uup/
======
gwbas1c
This is what I want to read:

"Microsoft finally realized that the point of a computer is to run the user's
applications without interruption or long boot times. Therefore, we are
rolling out an update system that is transparent to the user and has no forced
reboots and long wait times."

~~~
Nition
What I was _really_ hoping to read with a title like "Introducing Unified
Update Platform" is that Microsoft had provided some sort of API for _any_
program to use the same unified update system to check for and install
updates, instead of having a million random updaters checking things in Task
Scheduler.

They already do it for graphics drivers and so on. Linux does it of course.

But then I guess the problem is Microsoft would need to check everything in
case users started blaming Microsoft for "sending them a virus through Windows
Update" when RandomDodgyApp got a bad update.

~~~
Kipters
They already did, it's the Windows Store

~~~
flukus
And what about all the real apps and not the toy phone apps?

~~~
Kipters
You can distribute bog-standard desktop software through the store:
[https://msdn.microsoft.com/en-us/windows/uwp/porting/desktop...](https://msdn.microsoft.com/en-us/windows/uwp/porting/desktop-to-uwp-run-desktop-app-converter)

~~~
flukus
Last time I looked into it you had to do some porting too, it didn't really
work with "bog-standard" as claimed.

~~~
Kipters
No, they work as-is most of the time. You just have to make sure you're not
writing to your install folder or try to install services or something like
that. The use of UWP APIs instead of/along classic desktop APIs is completely
optional (and most of them are supported out of the box even without the
bridge, the exception being the APIs that require app identity, like Tiles or
supporting a Share Target contract, at least not in an easy way)

------
mtgx
I recommend using a traffic analysis tool for Windows 10 (GlassWire is a nice
and easy to use one). I think I must've blocked like 15 different connections
to Microsoft.

Beyond all the new "expected" (yet still annoying) Windows 10 telemetry,
feedback, etc server connections, you get to see stuff that will piss you off
- like Windows Explorer connecting to Microsoft's servers, or Web Search and
Cortana connecting to its servers, even though I disabled both of them (first
thing I do when installing Windows 10).

Oh, and all of that with all the options in the Privacy settings being
disabled. I like Windows 10 as an OS, but it's ridiculous how much tracking
and data sharing Microsoft does behind the scenes. It also makes using your
phone as mobile data hotspot useless, because it's going to use a ton of your
data quickly.

If I couldn't block most of this stuff I wouldn't touch Windows 10.

[https://www.glasswire.com/](https://www.glasswire.com/)

~~~
vezycash
I use Glasswire as well but it's not enough because of Svchost. Whenever I
block it, I'm unable to browse the internet. So, I use Netlimiter to throttle
the process to 2KB/s.

~~~
voltagex_
You may want to use Process Explorer to check what's actually running under
svchost - that's a catch-all for services, I think

------
freehunter
Literally the only thing I want from Windows Updates is the option "do not
reboot without asking me first" back. That's it.

~~~
gecko
I also would like that back, but I'd also pose to you this question:

Windows historically has been heavily used in botnets, in part because people
do not apply updates to known (and fixed) vulnerabilities. Microsoft removing
the "fuck off" button was a response to that, and I'd assert it's made the
Internet in general safer. Yet it's also unquestionably had the side-effect of
making Windows dramatically less pleasant to use.

What's the best solution here? iOS just reboots in the middle of the night,
which would likely work well for Windows tablets, but might have issues with
traditional desktops, since Windows doesn't have the freedom iOS does to just
shut down apps. Linux leaves you to fend for yourself, which I think has
mostly worked okay thus far because Linux users tend to be more technically
sophisticated. macOS is a bit in-between, attempting to do the midnight reboot
dance, but aborting if docs are open.

~~~
dantiberian
iOS doesn't install updates without you giving it permission. It pops up a
dialog and lets you choose to install it now, overnight while plugged in, or
to cancel, but it doesn't do it without your permission. macOS has an
automatically install updates option which you can uncheck if you don't want
them.

~~~
gruez
iOS: everything's sandboxed

macOS: not the most popular consumer operating system

~~~
dom0
your post: no point

------
overgard
The bullshit corporate speak is astounding: "In the Windows 10 Anniversary
Update, we added active hours and improved the control capabilities for our
customers"

So you relinquished partial control of our computers. GOOD JOB. Maybe you
shouldn't have assigned that right to yourself in the first place. Maybe just
fuck off and let us decide when and if we're going to install these things.
Like, how it used to work.

I would be running linux right now if I could get it to boot.

~~~
blahi
Ah the good old days when you were complaining about not patched security
issues and machines who haven't been updated since... ever.

------
gwbas1c
Can you make it so that updates run fast? On every other device that I own, an
update is a download and then a very fast reboot.

On Windows, an update is a long download, then lots of reboots where the
computer is busy doing who knows what.

What's even worse is that "update and shut down" can lead to a 10-20 minute
wait the next time I turn on my computer.

~~~
wvenable
My wife was working from home last month for the first time in forever and
that's when Windows 10 Home decided to upgrade to the Anniversary update. Try
as I might, I could not seem to find a way to stop this. It took well over an
hour, in the middle of the day, to install Windows and kept her from working.

That's one of the most user hostile things I've ever seen in a software
product.

Ironically, after the Anniversary update we could at least set the working
hours but it's still limited to a 12 hour block. Is it really too much to ask
to only allow updates/reboots from 1:00am to 6:00am?!?

I'd like to think if any of this happened to the CEO of Microsoft, this crap
would get fixed right away.

~~~
existencebox
Here's some irony for you: I'm a Microsoft Employee and the update was force-
installed midday during a WFH day, just before a critical demo, necessitating
that I work over the weekend because my wife had taken the car + busses I
needed didn't run midday. (there had been popup warnings for ~week but they...
lied? Kept saying it would happen, it didn't, kept moving back, then all of a
sudden happened with no warnings at the most inopportune time)

Another peer of mine lost his networking stack functionality when his update
pushed through.

The update/telemetry/user friendliness situation has not been fantastic, even
for some of us internal engs.

------
daveloyall
Did they just advertise features that were present in update.microsoft.com 16
years ago as new?

(Pardon me if I got the hostname or start of service date wrong! It's been a
while...)

------
mdip
From the perspective of a long-time Windows user who at one point managed the
services my former employer used to keep hosts up to date, this is an
excellent development.

Execution will be important here and, IMHO, it has been done pretty poorly
with the past versions of Windows Update/WSUS -- there's a lot of room for
improvement. A lot of the benefit will center around how Differential Update
is performed. Is this purely at the file level or are they actually delivering
the differences in the files (similar to how I read Chrome updates were
delivered). The latter would likely involve a lot more processing on the
MS/WSUS side, but could dramatically lower bandwidth requirements.

The next piece centers around the WSUS component itself. I found it
interesting that they've specifically used the word "Unified". Could there be
a future where I, as an ISV, can publish an update/update repository for my
application and have patches to my software delivered via update services? It
always puzzled me that while I can create an MSI/MSP file for deployment, I
could not similarly produce an MSU file for updating. Third-party software has
eclipsed the core OS software as far as vulnerability threats and patching it
in an enterprise is a _nightmare_. Most large Windows enterprises use System
Center Configuration Manager which is best described as a swiss-army knife for
software delivery and at its worst, described as a bunch of unrelated tools
that are used to deploy software with different rules depending on what the
software is. Standardizing patch delivery, or even simply _allowing_ a third-
party to install a patch via WSUS would have made patching browser plug-ins,
Adobe Reader and other common software (some of which provide more attack
vectors than features) a lot less painful. We maintained a 99.5% patch target
with varying range requirements and while we nearly always hit those targets
with OS patches, we almost never hit them with these third-party applications.
They didn't mention this as a specific feature, and the naming could simply be
the marketing department picking a new buzz-word, but I'm hoping this is a
future path they're planning on taking.

Personally, I'd like to see updating that's as easy on Windows as it is on my
openSUSE or Ubuntu hosts. Repositories are used to manage the various vendors,
updates are packaged the same, standardized and "It Just Works" for the most
part.

~~~
JBiserkov
I completely agree. I just want to point out that Windows Update _can_ deliver
application updates and has done so for Office, Silverlight, Defender, Bing
something and possibly others. So the capability is there, they "just" need to
enable it for 3rd parties. Oops, I used a 4-letter word. I'm sure it's more
complicated than that.

They sorta did it for Store/UWP apps, but Win32 applications aren't going
anywhere anytime soon (I hope!).

~~~
mdip
I forgot about the Store apps and I remember when that came out, I thought
"They got that mostly right". "Mostly Right" from the perspective that there
is a standardized software install/repository for applications that also
updates them. "Wrong" in that it's following the iOS App Store model rather
than the Linux model, has no (real) ability to add third-party software that
hasn't undergone the "Microsoft Stamp of Approval"[0]. And I'll admit that my
first thought was that it was the end of any dream that MSUs would be opened
up to third-parties.

And the Office/Silverlight mix always drove me crazy - it's something you have
to separately turn on (and depending on the OS version/kind, you have to click
through an additional EULA to activate), so they _already had the plumbing in
place to accept non-OS update_ complete with an EULA page and "activation" of
that feature. I know there are a _lot_ of issues that have to be addressed to
successfully implement this. There are those legal ones -- like the ones they
encountered that caused them to differentiate "Windows Update" and "Microsoft
Update", as well as adding another attack vector (now the drive-by installs
only need to install a new repository and they can _deploy malware through
updates_ )[1], as well as probably tens or so that I am not clever enough to
think of.

[0] Though a quick search for just about anything in the WinStore indicates
that Microsoft's standards are _really_ low -- the spam disguised as software
in the is a _big_ problem.

[1] There's ways around this, though, with existing features already built
into Windows. Using a model similar to Intellicode with an internet connection
required to verify trust and CRL (you need it to download the update, anyway,
after all), backed up by a bit more hands-on verification on Microsoft's side
(along with a higher fee to pay for that) would cover third-party repositories
and for "Internal Enterprise" MSUs -- built by IT staff and deployed via SCCM
-- the requirements could be "accept only if it originates from the enterprise
CA that the domain trusts" (not other, external, CAs).

------
arkitaip
Maybe one day we will get a truly unified update platform thru which we can
update all our software, not just Windows. It's crazy that every single app
has its own update mechanism in 2016.

~~~
cyphar
That world exists in free software OSes like *BSD, GNU/Linux, illumos, etc.

------
jpeg_hero
I don't have great internet at home and a couple of times a week it crawls to
a stop. It's kind of funny there is some app on my home network that is auto
updating.. windows10, steam, Apple TV, iPhone, iPad it could literally be
anything, and I don't know which one it is.

------
ocdtrekkie
Honestly, I don't need a faster update, I don't need a lower bandwidth update.
I don't even care that much that it's automatic. All I want is the updates to
be more stable/reliable going forward than the last couple months have been.

