Off topic: Seeking Advice on Installation Backup Strategies & Windows Update Management

Hi all,

I’ve been facing a familiar frustration lately - Windows updates breaking otherwise perfectly functional installations. I’m looking to gather some collective wisdom from the community on two related topics:

  1. Backup strategies for projects: What methods are you using to backup your installations? For my part, I’ve been committing source code to repositories and storing media assets in GDrive (sometimes including the .exe files too). While this has worked okay, I suspect there are more robust approaches I’m missing.
  2. Windows update management: How are you handling Windows updates in your installations? I’ve tried a few approaches over the years - using WuMan10, manually changing registry entries, and disabling the Windows Update service. Each has had varying degrees of success (and failure). Are you actively preventing updates, scheduling them, keeping machines offline, or just accepting them as inevitable? Has anyone managed to address this contractually with clients?

Would appreciate hearing about your experiences and solutions. I suspect many of us have faced similar challenges, and I’m hoping we can share some battle-tested approaches.

Thanks in advance!
H

Regarding Windows updates, I have experienced a few approaches.

  • Years ago, @catweasel suggested using https://winaerotweaker.com/ to disable Windows updates; I have been using that for some years now.
  • One museum I have some installations in isolates all machines very strictly and only opens up ports as needed. In order to access the machines remotely I use a VPN to log in to the network, and my credentials give me access to “my” machines. This works great but is only possible because they have a skilled and flexible IT department.
  • I guess the second approach could be replicated by making an exhibition network and blocking the Windows update servers, or just everything.

The cool IT department makes images of all machines in the exhibition and flashes those every morning. I don’t remember what the system they use is called; I can find out if you’d like that.
I guess you can make backups that way too, just make images of the machines.

This is also a good start for a discussion about having an exhibition server and what it should include… but I will make a new forum thread for that so I don’t pollute this thread.

Sune

1 Like

Windows updates are making Win10 installs very difficult: the full-screen Win11 update page loads before AnyDesk or other apps open, so you can only close it manually, and as far as I am aware you can’t turn it off (the Win Pro version may be better). Win 11 just updates itself regularly too; had an artist exhibit a VR piece last week that a Windows update totally broke. Windows seems to have managed to reach new depths of shitness…

1 Like

You might want to look into Windows IoT Enterprise LTSC.

3 Likes

@sebescudie I think it is the new name for embedded Windows, same trial constraints, and it is unobtainium for commercial use unless you throw lots of money after it.

@sunep Thanks! I’m considering an external USB drive with a backup script to activate the port and mirror ISOs when needed. Your point about network-level port blocking is valid - many IT teams do this by default. It can be finicky with our MQTT-based remote control system, but ultimately worth it. Hope to share more on this soon.

@catweasel Exactly - reliably stopping Windows 11 updates is challenging (impossible?). Network slowdowns occur when multiple machines download simultaneously, and there’s rarely good downtime as machines are in constant use. Updates sometimes cause BSODs from staff hard-restarting or just random failures.

@sebescudie I immediately searched for pricing (which they don’t share - typical enterprise approach), but it’s exactly what I need. We’ve had good experiences with RPis, replacing only 2 in 5 years. Linux exports for visual patches could work, depending on hardware driver compatibility.

I would not underestimate the power of a bat script for backing up. Just did a bat that copies videos depending on hostname from a network share, so you can switch videos on 15 clients with a single PDQ Deploy click… You can do the same the other way around.

About problems with Windows Update, the to-go solution is using the Windows Group Policy Editor.

Proper Windows administration is normally done via domains, Active Directory, and Windows CAL licenses that are purchased separately from Windows and cost a lot.

1 Like

I would say it depends a lot on your specific case and contractual obligations. Depending on the scenario (running long term vs. running short term, for example) I’d use different strategies. I prefer to have Windows Update off by default and do updates only when I’m there in person on service appointments. If the project consists of more machines, again depending on the specifics, we usually put in an extra machine that acts as exhibition server, as sunep mentioned. For example, if we run the same build on every machine we store it at a central place, and on restart a PowerShell script checks if there is a new version available.

But I guess as flexible and tailored as all our solutions made with vvvv are, exactly the same applies to the different deployment strategies people choose.

1 Like

I recently stumbled upon a bunch of debloating software (either to be run at install, or after a fresh install). Some of them claim to tweak Windows Update settings but I haven’t dug enough yet to see how much control they give; they might take care of the registry hacks for the non-savvy, though.

Posting my bookmarks here in case it might help!

2 Likes

+1 for Windows Enterprise IoT. It has a lot of cool options and we have it running for 16 hours every day for the last like 8 months or so without a single hitch.

The computer is hooked up to a huge LED screen and the LED screen is always on. We didn’t want any Windows UI to be shown on the screen. It was quite easy to set this up in Windows IoT: just use unbranded boot and custom logon. It means it never shows any login screens, shutdown screens, etc. The only thing you see is the BIOS screen and the next thing is the desktop, which is set to black and with icons hidden.

Windows IoT pretty much disables any Windows updates or any other of the “cool suggestions” that Microsoft thinks we might need.

No issues at all with it…

2 Likes

First of all I would always try to make the systems the responsibility of the client / their in-house IT :) Specify exactly how they are to be set up, or set up one test system for them that they can then replicate.

If they don’t have the expertise in-house they (or you) should probably hire some dedicated [Windows] admin. Some (hacky) debloating scripts or tools are definitely not the way to go imho; they always carry the risk of completely breaking Windows and may cause security issues.

In general disabling all updates including security patches is a bad idea if the machine is in some way connected to a network or even “the internet”.

That being said:

Windows IoT Enterprise LTSC

Like @sebescudie already proposed, use Windows IoT Enterprise LTSC, which doesn’t get any “feature” updates, just security patches. From what I’ve read, Win 11 even in this version is much more intrusive than Win 10. Win 10 IoT Enterprise LTSC (Version 2021) will be supported till 2032, so if your hardware is supported (there might for example be issues with newer processors and the scheduler) and you can still get your hands on it, maybe it’s worth considering using it instead of 11.

How to obtain

For personal experimentation you can get a 90 day trial from MS Evaluation Center. If you want to extend this trial (indefinitely 🏴‍☠️) check out MAS.

Certain smaller manufacturers like Shuttle offer their machines with IoT LTSC pre-installed.
Other than that, ask your hardware provider to get it for you.

If you really need to buy it yourself, the easier way is to buy through (CSP) volume licensing; these licenses are more expensive though.
Searching for “windows iot enterprise ltsc csp” should yield some distributors.

When going the way more involved OEM IoT route, licenses should be cheaper.
At least with the latter option, licenses are priced according to processor type; there are Entry, Value and High-Performance, Entry being the cheapest.


Preventing Driver Updates

There is still the issue of Windows updating third-party drivers; new GPU drivers might break things, for example. The updates can be disabled via group policy (this will only work with Windows Pro, Enterprise, and Education).

Blocking Updates for Specific Hardware

To block driver updates for specific hardware, such as a graphics card, follow these steps:

  1. Obtain the Hardware ID:

    • Press Win + R, type devmgmt.msc, and press Enter to open Device Manager.
    • Locate the hardware you want to block (e.g., graphics card), right-click it, and select “Properties.”
    • In the Properties window, go to the “Details” tab and select “Hardware ID” from the dropdown menu.
    • Copy the hardware ID of the device.
  2. Block the Device Driver via Group Policy:

    • Press Win + R, type gpedit.msc and press Enter to open the Group Policy Editor.

    • Navigate to:

      Computer Configuration > Administrative Templates > System > Device Installation > Device Installation Restrictions

    • Double-click the policy named “Block installation of devices matching the following device IDs.”

    • Click Apply and then OK to save the changes.

    • Restart your computer.

Moar Info

Disabling all Third-Party Driver Updates

  • Press Win + R, type gpedit.msc and press Enter to open the Group Policy Editor.

  • Navigate to:

    Computer Configuration > Administrative Templates > Windows Components > Windows Update

  • Sort the policies by name if needed.

  • Find and double-click the policy named “Do not include drivers with Windows Updates.”

  • In the policy settings window, select the Enabled option.

  • Click Apply and then OK to save the changes.

  • Restart your computer.

This will prevent Windows Update from installing drivers, including third-party ones, for your devices. However, you can still manually install drivers if needed. If you want to revert these changes, simply set the policy back to Not Configured and restart your computer.


Preventing any persistent changes

If you want to prevent any permanent changes to the system you can look into Windows’ Unified Write Filter, which intercepts and redirects any writes to the drive (app installations, settings changes, saved data) to a virtual overlay that is cleared during a reboot.
UWF

There are also third-party “reboot to restore” solutions like Deep Freeze.

9 Likes
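An added example (not from the thread or any poster) to check that the two Group Policy settings and the UWF state described in the post above actually took effect on a given PC: it reads back the registry values those policies write, lists the configured device ID block list, and compares it against the hardware IDs of the installed display adapters. Registry paths are the documented policy backing locations; the UWF WMI class only exists once the feature is installed, so that check is wrapped in try/catch.

```powershell
# Added audit script: verify driver-update policies and UWF state on an exhibition PC.
# Run from an elevated PowerShell prompt. Read-only; it changes nothing.

$wuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$diKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions'

function Get-PolicyValue($Path, $Name) {
    # Returns $null when the key or value is absent (policy "Not Configured")
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

# 1. "Do not include drivers with Windows Updates" writes ExcludeWUDriversInQualityUpdate = 1
$excludeDrivers = Get-PolicyValue $wuKey 'ExcludeWUDriversInQualityUpdate'
"Drivers excluded from Windows Update: " + $(if ($excludeDrivers -eq 1) { 'yes' } else { 'NO (policy not enabled)' })

# 2. "Block installation of devices matching the following device IDs" writes
#    DenyDeviceIDs = 1 plus a DenyDeviceIDs subkey whose values "1", "2", ... hold the IDs
$denyEnabled = Get-PolicyValue $diKey 'DenyDeviceIDs'
$denyList = @()
if (Test-Path "$diKey\DenyDeviceIDs") {
    $denyList = (Get-ItemProperty "$diKey\DenyDeviceIDs").PSObject.Properties |
        Where-Object { $_.Name -match '^\d+$' } | ForEach-Object { $_.Value }
}
"Device ID block list enabled: " + $(if ($denyEnabled -eq 1) { 'yes' } else { 'no' })
$denyList | ForEach-Object { "  blocked ID: $_" }

# 3. Is the GPU you meant to pin actually covered by the block list?
Get-PnpDevice -Class Display -Status OK | ForEach-Object {
    $covered = $false
    foreach ($id in $_.HardwareID) { if ($denyList -contains $id) { $covered = $true } }
    "  $($_.FriendlyName): " + $(if ($covered) { 'in block list' } else { 'NOT in block list' })
}

# 4. Unified Write Filter state (namespace is only present when UWF is installed)
try {
    $uwf = Get-CimInstance -Namespace 'root\standardcimv2\embedded' -ClassName UWF_Filter -ErrorAction Stop
    "UWF enabled now: $($uwf.CurrentEnabled); after next reboot: $($uwf.NextEnabled)"
} catch {
    "UWF not installed (Enable-WindowsOptionalFeature -Online -FeatureName Client-UnifiedWriteFilter)"
}
```

Running this after every service visit gives a quick written record that the protections are still in place, which is useful when the client's IT team also manages the machines.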

Good points by @bjoern. We also simply got the Windows IoT license through the company that built the PC for us (PC Shop: Buy Gaming PCs, Workstations & Gaming Chairs - Joule Performance Switzerland). Any good PC builder will do custom builds and let you choose the windows version.

Again, like Bjoern said, we outsourced the hardware/software responsibility (except of course for our own software exported from vvvv). You really don’t want to have to deal with that stuff, because if it arrives it is almost guaranteed to have unfortunate timing.

What you really want to make sure of is that you are logging what your own software is doing, monitoring your own software, and have some way to check what is happening.

We actually built a small Monitor application (based on a patch by @sebescudie iirc), which watches processes, restarts them if needed and logs everything. It also sends log messages and periodic screenshots to a Telegram channel. That way you can scroll through the screenshots every now and then and immediately spot if something is wrong.

As for backups: The company in charge of the PC actually has an identical PC as a backup in their storage. Maybe a bit of overkill, but again probably worth it if it ever comes to it.

For having a (bootable) backup of a Windows system I like using Casper (Future Systems Solutions). I tried a lot of others, but this was the only one that was easy enough to set up/use while having enough options if you need them. It was also the only one I tried which still worked on a partly corrupted SSD.

2 Likes

This should always be considered for long term installations.

@bjoern Was not aware of UWF at all, looks very interesting, thanks for the hint!

Also worth looking into:

3 Likes

Really productive convo, thanks everyone!

The IoT stuff is interesting because these systems are bespoke products. I’m queasy about the idea of using a tool like MAS for a production system.

To a large extent we aren’t responsible for the maintenance of the system, but Windows updates that were not prevented opened up the question of whether we should step in preemptively. Big customer, so it’s not like we can shrug and say ‘you’re on your own,’ even though the contract pretty much does.

I’ll have to take a deeper look at the group policy options suggested here; it’s a very good pointer.

On some projects the backup PC has been arranged as a fallback, which I really liked, and it is easier to swap in than an image of the hard drive.

In general, plenty of very handy nuggets here. I encourage folks to chuck in their two cents if anything comes to mind. I’ll do the same.

H

4 Likes