Can't hide NVIDIA driver update in Windows Update

On Windows 10 Pro, Version 1511, Build 10586, I've hidden troublesome Nvidia driver updates, using the wushowhide troubleshooter package for Windows 10.



Even with the updates hidden, the next time an update check/cycle is triggered, the Nvidia driver updates are detected and installed. Upon rebooting normally after the driver updates are installed, I see a Windows STOP error (blue screen of death) shortly after signing on Windows.



I can remove the driver updates by uninstalling the associated applications/packages through the Programs and Features control panel. I've also tried to first remove the display adapter in Device Manager, selecting the option to Delete the driver software for this device then removing the associated applications/packages in Programs and Features. As long as I do this before rebooting (after the driver updates are installed), I don't see STOP errors and I can then install an older Nvidia driver that works without STOP errors. If the driver update happens to slip in unnoticed, I can reboot in Safe Mode, sign on and proceed with driver application/package removal, then reboot normally.

The latest (but older) Nvidia driver published by Dell for this laptop apparently works fine (no STOP errors):



But the latest "compatible" Nvidia driver from Windows Update produces frustrating STOP errors, resulting in a largely unusable system:



I've also tried this method to blocking/hiding the Nvidia driver updates, but the result is the same: Windows Update detects/installs Nvidia driver updates upon the next Windows Update detection cycle.

I've also configured Device installation settings to not "automatically download manufacturers' apps and icons..."



The only semi-satisfactory solution I've found is to disable the Windows Update service and re-enable the service only/specifically when I want to check for Windows updates.

Any suggestions or better ideas?

I'm cautiously optimistic I found a reasonable workaround (requires the Pro edition of Windows), by using AppLocker to disallow executables signed by Nvidia to run. This way I can leave the Windows Update service enabled and don't need to constantly fight the Nvidia driver updates that I supposedly "hid" using the wushowhide troubleshooter. For anyone else in this or a similar predicament:

1. Right-click the Start button and click Run, or use the + R keyboard shortcut to open the Run command dialog.
   
   
   
2. In the Open text box, type gpedit and click OK.
   
   
   
3. Expand Computer Configuration > Windows Settings > Security Settings > Application Control Policies > AppLocker > Executable Rules. Right-click in the pane on the right and click Create New Rule... In my case, I created a Publisher rule with action Deny for Everyone, and used an Nvidia driver installer file as the reference file to capture the Publisher information.
   
   
   
4. Create exceptions as necessary. Since I want the older (already installed) Nvidia driver of my choice to function, I created a wildcard Path exception for the Nvidia Program Files folder.
   
   

Hope this is helpful...

Not sure how my workaround is working, but it does seem to be preventing Nvidia driver updates at the moment. A bit more research, and I found that AppLocker is supposed to be reserved for Windows Enterprise (in 8/8.1, at least; I'm assuming the same is true for 10). Sure enough, when I look in (Event Viewer) Applications and Services Logs > Microsoft > Windows > AppLocker > MSI and Script, I see a bunch of these events:

srpapi.dll: AppLocker component not available on this SKU.

So the AppLocker attempt didn't work. Shortly after rebooting, Nvidia driver updates were installed. I also tried Software Restriction Policies, but it didn't work satisfactorily. Group Policy - Device Installation Restrictions does seem to work as desired.

In device manager, access the properties for the device for which you don't want driver updates. On the Details tab, in the Property drop-down, choose Hardware Ids. Right-click a hardware ID and click Copy or simply use the Ctrl+C keyboard shortcut. Now open the Group Policy editor: right-click the Start button, click Run, in the Open text box, type 'gpedit' and click OK. Expand Computer Configuration > Administrative Templates > System > Device Installation > Device Installation Restrictions. In the right-hand pane, double-click Prevent installation of devices that match any of these device IDs. Select the Enabled radio button and click the Show button. Double-click in a line of the table and paste a hardware ID. Alt+Tab back to the device Properties dialog and copy each hardware ID and paste it into another row in the Group Policy - Device Installation Restriction editor. When finished, close the device Properties dialog and click OK twice to close open Group Policy dialog boxes, then close the Group Policy editor. Do not select the option to Also apply to matching devices that are already installed or it will remove already-installed drivers for devices with the specified IDs.





This is working well for me as evidenced in the Device Setup Manager event log (Applications and Services Logs > Microsoft > Windows > Device Setup Manager > Admin):