Disabling Windows Updates: All or just video drivers?

SteveN1

Young grasshopper
Joined
Jun 16, 2019
Messages
39
Reaction score
5
Location
Singapore
The general recommendation when installing Blue Iris seems to be to disable both Windows 10 and Blue Iris automatic updates, and only update when you need a feature. Generally, good advice.

The wiki recommends disabling driver updates, not all updates. Is this still the recommended configuration? I can see how you would not want video drivers to be updated, and I have also found programs that stopped working, like VMWare, when Windows tried its last mega-update, so a case could be made for disabling all of them, especially for a machine that has no Internet access except through a VPN.

Thoughts here? What are most people disabling, all updates or just the video drivers?
 

tahoebigah

n3wb
Joined
Apr 27, 2017
Messages
12
Reaction score
1
I let Windows 10 update automatically and I have never had an issue. If it's connected to the network it stays up to date.
 

IAmATeaf

Known around here
Joined
Jan 13, 2019
Messages
3,287
Reaction score
3,252
Location
United Kingdom
I also have mine set to install updates but not automatically restart.

Isn’t disabling Windows updates in W10 something that’s quite difficult to do?
 

SteveN1

It used to be difficult, but with one of the recent updates it is easier to disable. I've heard from more than one source that disabling updates is good practice for a Blue Iris machine, and I've had updates break other software over the years too.
 

IAmATeaf

Don’t have access to my BI box at the mo but when I looked all I saw were options to delay updates?
 

looney2ns

IPCT Contributor
Joined
Sep 25, 2016
Messages
15,521
Reaction score
22,657
Location
Evansville, In. USA
With all the crap updates Microsoft has been releasing (breaking things) I delay as long as possible.
 

Zanthexter

Getting the hang of it
Joined
Aug 5, 2016
Messages
96
Reaction score
39
> Thoughts here? What are most people disabling, all updates or just the video drivers?

I wouldn't be comfortable disabling Windows updates on any system connected to the internet. Most are security related.

Blue Iris and video card drivers are a finicky mix. I erase and install Windows from scratch, update BIOS, etc., then manually update drivers as needed after that. I do not install the manufacturer update software. I disable Windows automatic driver updates: How to Disable Automatic Driver Downloads on Windows 10

Best advice for a reliable Blue Iris system is to dedicate the computer to only running Blue Iris. Don't use it for web browsing, or as your QuickBooks server. Just Blue Iris.

I've seen faaaar more problems caused by 3rd party stuff like printer drivers, antivirus software, and "utilities" than Windows Updates. Of course it does happen, but most of the time it's either a minor problem or only happens with a rare mix of equipment and/or software. The #1 source of problems with Windows is the users.
 

TL1096r

IPCT Contributor
Joined
Jan 28, 2017
Messages
1,223
Reaction score
465
> especially for a machine that has no Internet access except through a VPN.

I am just curious how do you set it up to have no internet access except through a VPN? Right now dual NIC I have the second NIC hooked up to internet to connect through app (through VPN in router) but still has general internet access.
 

Mikk36

Getting the hang of it
Joined
Aug 21, 2018
Messages
105
Reaction score
42
Location
Estonia
You can block all requests from the BI IP address in your router firewall.

For example, this is what's allowed for my IP cameras on my network (no rule -> no access, default is to block).
[Attached image: upload_2019-9-16_11-7-11.png]
 

TL1096r

> If I block BI computer from Internet how do push messages get sent? I do use a VPN on our phones.

Yes, this was my question. It would be great to block all internet connections and only have BI allow for push notifications.

Port 123 NTP - is that for nettime @Mikk36 - I am not really sure what your pfsense firewall setting means?
 

Mikk36

> Port 123 NTP - is that for nettime @Mikk36 - I am not really sure what your pfsense firewall setting means?

Network Time Protocol
My router hosts that service so that my cameras will always have the correct timestamp and they're synced.
[Attached image: upload_2019-9-18_8-56-24.png]
If yours can't do NTP, you can always set the cameras to use an NTP service from the internet and only allow access to that specific service, for example. One option is to pick a server (specific IP) from ntppool.org. Or set up an NTP service on the Blue Iris machine.
 

Mikk36

> I have an NTP server that’s local.
>
> My question still is if I block BI computer from Internet will push messages work?

From the manual:

> As the notification is sent via contact with either an Apple or Google web server, you must ensure that the BlueIris.exe file has access through any firewall or other security software.
 

TL1096r

> Network Time Protocol
> My router hosts that service so that my cameras will always have the correct timestamp and they're synced.
> [View attachment 47476]
> If yours can't do NTP, you can always set the cameras to use an NTP service from the internet and only allow access to that specific service, for example. One option is to pick a server (specific IP) from ntppool.org. Or set up an NTP service on the Blue Iris machine.

I did this:
Setting up NetTime Time Sync Tool on Windows 10

but had to enable this on Windows Firewall and wanted to see if it was safe?
Go to Inbound -> New Rule -> Port -> Select UDP -> Port 123 -> Allow the connection -> for Rule applies you can check Domain, Private and Public
 

Mikk36

Yes, NTP uses UDP port 123 for listening to connections and there's no way around it (well, yes, you can usually make it listen on another port instead of 123, but you still need to open that port up in the firewall inbound rule).
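
Editor's added example, not part of any post in this thread: the inbound UDP 123 rule described above, scoped so that only the camera network can reach the NTP service instead of any host on the Domain, Private and Public profiles. The subnet and the rule name are assumed placeholders.

```powershell
# Added example. Run from an elevated PowerShell prompt.
# $CameraSubnet and $RuleName are constructed placeholders; substitute your own.
$CameraSubnet = '192.168.50.0/24'
$RuleName     = 'NTP server (cameras only)'

# Remove an earlier copy so the script can be re-run safely.
Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue |
    Remove-NetFirewallRule

# Allow inbound NTP only from the camera subnet. The profile is left at Any
# because a camera-only NIC with no gateway may be classified as an
# unidentified (Public) network; the RemoteAddress scope does the restricting.
New-NetFirewallRule -DisplayName $RuleName `
    -Direction Inbound -Protocol UDP -LocalPort 123 `
    -RemoteAddress $CameraSubnet -Profile Any -Action Allow | Out-Null

# Audit: list every enabled inbound allow rule that covers UDP 123, with the
# profiles and remote addresses it applies to. A rule showing RemoteAddress
# 'Any' (such as one created through the wizard steps quoted above) accepts
# NTP requests from every network the machine joins.
Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
    ForEach-Object {
        $port = $_ | Get-NetFirewallPortFilter
        if ($port.Protocol -eq 'UDP' -and $port.LocalPort -contains '123') {
            $addr = $_ | Get-NetFirewallAddressFilter
            [pscustomobject]@{
                Rule          = $_.DisplayName
                Profile       = $_.Profile
                RemoteAddress = $addr.RemoteAddress -join ','
            }
        }
    } | Format-Table -AutoSize
```

If the audit shows an older wide-open NTP rule alongside the scoped one, disable or delete the older rule; allow rules are additive, so the broader one still wins.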
 

gawainxx

n3wb
Joined
Mar 7, 2018
Messages
28
Reaction score
2
I use a combination of policies and settings.
GUI Settings
- Receive updates for other products when you receive updates for Windows. (mainly so Defender gets updates).
- Delivery Optimization off

Policies
- Auto download and Install updates every Saturday at 9 PM
- Do not include drivers with Windows updates. (Driver updates usually create more issues for me than they solve)
- Do not adjust option to Install updates and shut down in start menu
- Semi Annual Channel, Defer Upgrade for 128 days. (Gives plenty of time for the bugs to be worked out in feature updates)
- Defer quality updates for 4 days (4 days is about the general time window it takes for MS to yank a problematic update).
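
Editor's added example, not the poster's own configuration: the registry values behind the policies listed above, which keep security (quality) updates flowing on a schedule while holding drivers and feature updates back. The servicing channel selection is not set here, and the deferral values assume a Windows 10 edition that honours Windows Update for Business policy.

```powershell
# Added example: registry equivalents of the Group Policy items in the post above.
# Run from an elevated PowerShell prompt.
# Assumption: Windows 10 Pro or higher, where the deferral policies are honoured.
$wu = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$au = "$wu\AU"

$policy = @(
    # Do not include drivers with Windows Updates
    @{ Path = $wu; Name = 'ExcludeWUDriversInQualityUpdate'; Value = 1 }
    # Defer feature updates for 128 days
    @{ Path = $wu; Name = 'DeferFeatureUpdates';             Value = 1 }
    @{ Path = $wu; Name = 'DeferFeatureUpdatesPeriodInDays'; Value = 128 }
    # Defer quality updates for 4 days
    @{ Path = $wu; Name = 'DeferQualityUpdates';             Value = 1 }
    @{ Path = $wu; Name = 'DeferQualityUpdatesPeriodInDays'; Value = 4 }
    # Auto download and schedule the install: Saturday (7) at 21:00
    @{ Path = $au; Name = 'NoAutoUpdate';         Value = 0 }
    @{ Path = $au; Name = 'AUOptions';            Value = 4 }
    @{ Path = $au; Name = 'ScheduledInstallDay';  Value = 7 }
    @{ Path = $au; Name = 'ScheduledInstallTime'; Value = 21 }
    # Do not adjust the default option to 'Install Updates and Shut Down'
    @{ Path = $au; Name = 'NoAUAsDefaultShutdownOption'; Value = 1 }
)

foreach ($p in $policy) {
    # Create the policy key on first use, then write the DWORD value.
    if (-not (Test-Path $p.Path)) { New-Item -Path $p.Path -Force | Out-Null }
    New-ItemProperty -Path $p.Path -Name $p.Name -Value $p.Value `
        -PropertyType DWord -Force | Out-Null
}

# Read back what is now configured so the result can be checked.
foreach ($key in $wu, $au) {
    Get-ItemProperty -Path $key |
        Select-Object * -ExcludeProperty PS* |
        Format-List
}
```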
 