Prior to my career in information security, I was a stage lighting designer. I still own a small production company, and I’m fairly active in a few AV forums (as well as the AV team at my church). One common area where my two interests clash is updates. Almost anyone working in infosec will tell you that updates are important. The problem is that updates can be devastating in a production environment if not managed properly, and forced updates in Windows 10 in particular can cause problems. While in general the best practice would be to install the updates shortly after they become available, that may not be possible in some production environments. This led me to try to find a solution that would allow AV production users to reliably use their Windows 10 computers without worrying about updates during their events, yet still keep their computers secure by installing updates on a regular basis.
My solution was a program called “Production Ready”. This software prevents Windows Updates from running on specific days of the week (up to 3 in order to prevent abuse of the software). It also offers shortcuts to commonly used “Production Tweaks”. Note: this software is still in beta, so test it on a non-critical system before you install it on a production system.
A pre-compiled installer is available here: https://bscc.support/files/misc/ProductionReadySetup.exe
This software is distributed under the GNU 3.0 license. It contains two modules – the GUI, which adjusts the settings and performs the “Production Tweaks”, and the service, which does the legwork in running interference against Windows Updates during your scheduled production days.
Main GUI source code: https://github.com/thegeekkid/ProductionReady-main
Service source code: https://github.com/thegeekkid/ProductionReady-service
- Q: Why can’t I select more than 3 days?
- A: Windows updates are extremely important – you still need to be doing them even in a production environment. I will not help someone bypass them completely.
- Q: This is cool – should I trust my absolutely critical system with it without testing it?
- A: Probably not. It’s still fairly new and in beta, so test it out on a non-critical system first. Let me know if you find that you run into issues with it.
- Q: I’m not going to be doing productions for a while… can I temporarily disable this?
- A: Yep! Start up the GUI and click “Disable Production Mode”.
- Q: Is it really free?
- A: Yep… in more than one way. The software is free to use for personal and commercial use, and the source code is freely available (with the exception of the installer which was built with a proprietary install framework). That being said, if you like it and want to support the development, check out https://semsec.net/donations/.
- Q: What systems has this been tested on?
- A: Windows 10. It should work fine on Windows 7 or later though.
- Q: What about Macs?
- A: They suck.
- Q: Is there any time when this will not work?
- A: Yes. If updates are already in the process of being installed, Windows Update will not be disabled until the updates have completed installing. The Production Ready service evaluates the computer state every hour though, so as long as you have your production days set properly, by the time your production starts, updates should be disabled.
- Q: Do I need to keep the GUI running throughout my entire production?
- A: No. Just save your settings, enable production mode, and then close out.
- Q: My AntiVirus detects your application as malware… what’s up?
- A: Good… that probably means that you have an AntiVirus with a good heuristics engine/behavior blocker. This application interferes with critical system processes (updates) and modifies system settings (production tweaks per your selection on the GUI), so this should seem suspicious to an AntiVirus. The good news is that the source code is open source, so if in doubt, you can simply compile it yourself. Also, if it makes you feel any better, there are 3 main executables you would need to worry about – the main GUI, the service, and the installer. Click the link for each of those to see the VirusTotal score – as of this writing, no AntiVirus on VirusTotal detects these executables as malware.
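
The hourly evaluation described in the FAQ above, modelled as an added example (this is not the Production Ready source code). It shows when blocking actually takes effect if an install is already running as a production day begins. The function names, the three action names, evaluation exactly on the hour, and the sample dates are assumptions made for illustration.

```python
from datetime import datetime, timedelta

MAX_PRODUCTION_DAYS = 3  # limit stated on the page


def validate_days(days):
    """Return the selected weekdays (0=Monday .. 6=Sunday) or raise."""
    days = set(days)
    if not days <= set(range(7)):
        raise ValueError("weekdays must be 0 (Monday) through 6 (Sunday)")
    if len(days) > MAX_PRODUCTION_DAYS:
        raise ValueError("at most 3 production days may be selected")
    return days


def decide(now, production_days, enabled, installing):
    """One evaluation of the machine state: 'allow', 'defer' or 'block'."""
    if not enabled or now.weekday() not in production_days:
        return "allow"   # production mode off, or an ordinary day
    if installing:
        return "defer"   # an install already under way is left to finish
    return "block"


def simulate(start, hours, production_days, install_windows, enabled=True):
    """Evaluate once per hour; install_windows holds (begin, end) datetimes."""
    days = validate_days(production_days)
    timeline = []
    for h in range(hours):
        now = start + timedelta(hours=h)
        installing = any(b <= now < e for b, e in install_windows)
        timeline.append((now, decide(now, days, enabled, installing)))
    return timeline


def first_blocked(timeline):
    """Time of the first evaluation that blocks updates, or None."""
    return next((t for t, action in timeline if action == "block"), None)


# Constructed sample: Sunday is the production day, and an update install
# runs from Saturday 23:30 until Sunday 01:20.
SAMPLE_START = datetime(2024, 3, 2, 22, 0)            # a Saturday
SAMPLE_INSTALL = [(datetime(2024, 3, 2, 23, 30), datetime(2024, 3, 3, 1, 20))]
SAMPLE_TIMELINE = simulate(SAMPLE_START, 28, {6}, SAMPLE_INSTALL)

if __name__ == "__main__":
    for when, action in SAMPLE_TIMELINE:
        print(when.strftime("%a %H:%M"), action)
```

In this constructed run the first blocking evaluation is Sunday 02:00, so an event starting before then would begin with updates still allowed; on Monday 00:00 updates are allowed again.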