Windows 10: How can I prevent automatic updates?

Page 5 of 9 FirstFirst ... 34567 ... LastLast

  1. Posts : 7
    Windows 7
       10 May 2017 #41

    No, I was thinking more of a script to enable or disable permissions to the \Windows\SoftwareDistribution directory.
      My ComputerSystem Spec


  2. Posts : 6
    Windows 10 Pro x64 v1703
       15 Oct 2017 #42

    I've used the registry to stop automatic updates for years, but this appears to no longer work in Windows 10 (Pro). My computer is on an Enterprise network which uses WU Servers, but I have changed the inherited permissions of the registry key for Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate that sets all users except my administrator account to Read. However, frequently I get the restart timer screen with a message that updates are installed and the system needs to be restarted. I can turn off this scheduler but in minutes to hours it pops back up turned on, and if I don't address it within the allotted time my computer WILL reboot and complete installing, quite often, unwanted updates.

    How is it possible that a locked registry key is changed when SYSTEM is set to Read and updates are downloaded and installed, or Restart Scheduler pops back on after I manually turn it off (Group and Registry)?

    Thanks for any help you can offer as this is driving me nuts.
    Cole
      My ComputerSystem Spec

  3.    15 Oct 2017 #43

    Read post #5 in this thread. It is the only way I found to stop Windows Updates.

    How to prevent downloading updates?
      My ComputerSystem Spec


  4. Posts : 3,090
    10.4 Home 1709 x64
       16 Oct 2017 #44

    Windows Update Blocker v1.0 - run to enable/disable

    Windows 10 Update Disabler - it runs nonstop
      My ComputerSystem Spec


  5. Posts : 6
    Windows 10 Pro x64 v1703
       01 Nov 2017 #45

    TairikuOkami said: View Post
    Windows Update Blocker v1.0 - run to enable/disable

    Windows 10 Update Disabler - it runs nonstop
    Thanks for this information. I've downloaded, installed and started this service. My fingers are crossed this stops auto-updates. As stated in my post above, I have the permissions locked in the registery and yet even as of today when I powered off then restarted the PC to update a USB 3.0 driver, the registery restored default settings to include a WU Server address and set UseWUServer to 1. I'm still confounded how the registery is being modified even with the permissions set to READ Only.

    Anyway, if this doesn't work I'll inform this post thread.

    Regards.
      My ComputerSystem Spec


  6. Posts : 6
    Windows 10 Pro x64 v1703
       02 Nov 2017 #46

    Sadly, neither the UpdaterDisabler service nor my locked registery settings have stopped my computer from downloading and installing updates. There must be a registry setting somewhere else that is allowing the SYSTEM to rewrite the registry so as to change the READ only settings to FULL. Does anyone have an idea where this might be or how else to stop my computer from getting around my settings?

    Thanks in advance.
    Cole
      My ComputerSystem Spec


  7. Posts : 3,090
    10.4 Home 1709 x64
       02 Nov 2017 #47

    Windows has tasks to maintain WU, they can not be disabled/removed, if you do it, Windows will restore them.

    \Microsoft\Windows\UpdateOrchestrator - Scheduled Start
    This task performs a scheduled Windows Update scan.

    \Microsoft\Windows\WaaSMedic - PerformRemediation
    Helps recover update-related services to supported configuration.

    If you disable network services, on which WU is dependent on, WU will fail to check for updates. Like: Network List Service. I have disabled all services , so mine does not even try to check for updates ever.
    Attached Thumbnails Attached Thumbnails capture_11032017_013413.jpg  
      My ComputerSystem Spec

  8.    03 Nov 2017 #48

    There are two options how to suppress Windows 10 forced updates; either disable privileged scheduled tasks which run at System account, or block their access to needed services by permissions. Both ways are not so easy:

    1. You can disable/modify privileged scheduled tasks if you act as System account too. To do this, you have to use freeware PsExec utility from Sysinternals (unzip PsUtils tools somewhere in your Path).

    1a) To run Scheduled Tasks snap-in as System account, type at the Elevated Command Prompt:
    psexec -i -d -s mmc taskschd.msc
    and then you can disable following three tasks interactively in GUI

    1b) To disable affected scheduled tasks directly from commandline, type:
    psexec -i -d -s schtasks /change /tn "microsoft\windows\updateorchestrator\schedule scan" /disable
    psexec -i -d -s schtasks /change /tn "microsoft\windows\windowsupdate\scheduled start" /disable
    psexec -i -d -s schtasks /change /tn "microsoft\windows\WaaSMedic\PerformRemediation" /disable


    To revert those scheduled tasks back, type:
    psexec -i -d -s schtasks /change /tn "microsoft\windows\updateorchestrator\schedule scan" /enable
    psexec -i -d -s schtasks /change /tn "microsoft\windows\windowsupdate\scheduled start" /enable
    psexec -i -d -s schtasks /change /tn "microsoft\windows\WaaSMedic\PerformRemediation" /enable


    These commands may be also run from CMD batch file. Kiitos to TairikuOkami for identifying the 3rd service.

    2. Different approach is to block access of System account to underlying services; so the mentioned tasks cannot neither start nor modify them. You may use freeware utilities from Helge Klein.

    2a) To block System account access to services interactively:
    - install SetACL Studio, run it, enter product key from download page, from menu View select Detailed
    - expand Services node, select Windows Update entry
    - to change ownership, in right pane click Select, click Advanced, click Find now, select Administrators, click OK
    - click on Save button
    - in right pane click to Add (it creates new Access Control Entry for service)
    - click Advanced, click Find now, select System, click OK
    - at newly added line, click on Allow symbol in Type column to change type of Access Control Entry from Allow to Deny
    - at the same line, click in Permissions column
    - select the following permissions: Change configuration, Start, Stop, Delete, Change permissions, Take ownership
    - click on Save button again; System account now cannot manipulate this service
    - repeat the same steps as above for Windows Modules Installer service
    - using regular Services snap-in in MMC console, set both mentioned services to Disabled.

    You need to modify two services this way: wuauserv (Windows Update) and TrustedInstaller (Windows Modules Installer, the name depends on language). All three steps are necessary: setting Administrators as service owner, setting six Deny permissions for System, and disabling the service.

    To revert to normal state, in SetACL Studio simply click Deny symbol (it changes to Allow) and Save, then set service start type to Manual in Services snap-in. Do these steps for both services.

    2b) To block System account access to services from elevated command line or from CMD batch file:
    - download SetACL utility from Helge Klein website, place it on your Path
    - test it using commands:
    setacl -on "wuauserv" -ot srv -actn list
    setacl -on "trustedinstaller" -ot srv -actn list


    - change owner using commands:
    setacl -on "wuauserv" -ot srv -actn setowner -ownr "n:Administrators"
    setacl -on "trustedinstaller" -ot srv -actn setowner -ownr "n:Administrators"


    - set blocking ACE entries:
    setacl -on "wuauserv" -ot srv -actn trustee -trst "n1:system;ta:remtrst;w:dacl"
    setacl -on "wuauserv" -ot srv -actn ace -ace "n:system;p:full;m:grant;w:dacl"
    setacl -on "wuauserv" -ot srv -actn ace -ace "n:system;p:SERVICE_CHANGE_CONFIG,SERVICE_START,SERVICE_STOP,WRITE_OWNER,WRITE_DAC,DELETE;m:deny;w:d acl"
    sc config wuauserv start=disabled
    setacl -on "trustedinstaller" -ot srv -actn trustee -trst "n1:system;ta:remtrst;w:dacl"
    setacl -on "trustedinstaller" -ot srv -actn ace -ace "n:system;p:full;m:grant;w:dacl"
    setacl -on "trustedinstaller" -ot srv -actn ace -ace "n:system;p:SERVICE_CHANGE_CONFIG,SERVICE_START,SERVICE_STOP,WRITE_OWNER,WRITE_DAC,DELETE;m:deny;w:d acl"
    sc config trustedinstaller start=disabled

    ...please treat two strings "d acl" as "dacl", forum formats long lines erratically

    - delete blocking ACE entries for allowing Windows Update temporarily:
    setacl -on "wuauserv" -ot srv -actn trustee -trst "n1:system;ta:remtrst;w:dacl"
    setacl -on "wuauserv" -ot srv -actn ace -ace "n:system;p:full;m:grant;w:dacl"
    sc config wuauserv start=demand
    setacl -on "trustedinstaller" -ot srv -actn trustee -trst "n1:system;ta:remtrst;w:dacl"
    setacl -on "trustedinstaller" -ot srv -actn ace -ace "n:system;p:full;m:grant;w:dacl"
    sc config trustedinstaller start=demand


    3. Recommended workflow, i.e. How to survive periodic patch parties:
    Once a month (probably after Black Tuesday) it is proper to patch Windows systems in a controlled way. It is relatively simple but time consuming activity:
    - image system partition(s) using Macrium Reflect Free, or at least create Restore Point
    - unblock Windows Update mechanism according to blocking method used (enable scheduled tasks, or clear Deny permissions and set services to Manual start)
    - run wushowhide.diagcab immediately to block unwanted patches and drivers
    - run Windows Update
    - revert Windows Update back to blocked state
    - image system partition(s) again.

    That's all, for now. And, of course, many thanks sent to Redmond with love.
    Last edited by muchomurka; 03 Nov 2017 at 02:37.
      My ComputerSystem Spec

  9.    03 Nov 2017 #49

    Update: first solution from previous post unfortunately no longer works for me (in FCU build), needs more investigations.
      My ComputerSystem Spec

  10.    03 Nov 2017 #50

    Correction to post #48:

    While the second method how to block updates is safe and universal, the first method works only on computer with special setup, it does not work on "vanilla" (just installed) systems. So I would rather recommend to set Deny permissions on services. But if someone wants to try disabling scheduled tasks, the way to make it functional exists.

    First method will work if - and only if - two Windows Defender services are disabled. User can install other antivirus software (for example Avira Free + BGP Killer), then both Defender engine and its irritating icon are unnecessary; furthermore, Defender cannot resurrect disabled scheduled tasks related to Windows Update.

    The following steps are needed before using the first method:
    - install some antivirus software instead of Windows Defender
    - reboot into Safe Mode
    - create .reg file with following content

    Windows Registry Editor Version 5.00
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SecurityHealthService]
    "Start"=dword:00000004
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinDefend]
    "Start"=dword:00000004
    ; original values were 0x2

    - import the .reg file into registry
    - reboot into normal mode
    - set both wuauserv and trustedinstaller services to Disabled.

    Then you may continue by making steps described in Method 1.

    My apologies, I made first testing on my own highly customized system, but problem exhibited itself later on just installed virtual machine with Defender active. Just another Windows annoyance, nothing more.
      My ComputerSystem Spec


 
Page 5 of 9 FirstFirst ... 34567 ... LastLast

Related Threads
Now that microsoft has removed the ability to force windows 10 to ask to be scheduled and given that "active hours" is a broken concept that doesn't solve any problem, how can I prevent windows from automatically restarting again? Is the only...
Hi, all: 1) Does setting Windows Updates to "notify for download and notify for install" via GP edit also disable Device Driver automatic installation? 2) Or does disabling automatic device driver installation need to be configured separately?...
Prevent Automatic Upgrade to Windows 10 in Windows Updates and Activation
I support a large community of seniors. Typically I have them running Automatic Updates, because they don't want to do their own maintenance. The most common complaint they come in with is there computers are really slow. It usually turns out...
In Windows 7, I knew how to turn off the annoying (to me) feature that windows were automatically maximized when moved to the edge of the screen. This option no longer seems to be present in the 'ease of access' settings. Any idea if it can still be...
Hi In Windows 10 build 10130, how do I prevent the automatic downloading of its updates? Thanks Bye
Our Sites
Site Links
About Us
Windows 10 Forums is an independent web site and has not been authorized, sponsored, or otherwise approved by Microsoft Corporation. "Windows 10" and related materials are trademarks of Microsoft Corp.

Designer Media Ltd
All times are GMT -5. The time now is 14:57.
Find Us