Page 5 of 7 FirstFirst ... 34567 LastLast
  1.    10 May 2017 #41
    Join Date : Aug 2015
    Posts : 7
    Windows 7

    No, I was thinking more of a script to enable or disable permissions to the \Windows\SoftwareDistribution directory.
      My ComputerSystem Spec
  2.    15 Oct 2017 #42
    Join Date : Jun 2015
    Phitsanulok, Thailand
    Posts : 5
    Windows 8.1 Enterprise x64

    I've used the registry to stop automatic updates for years, but this appears to no longer work in Windows 10 (Pro). My computer is on an Enterprise network which uses WU Servers, but I have changed the inherited permissions of the registry key for Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate that sets all users except my administrator account to Read. However, frequently I get the restart timer screen with a message that updates are installed and the system needs to be restarted. I can turn off this scheduler but in minutes to hours it pops back up turned on, and if I don't address it within the allotted time my computer WILL reboot and complete installing, quite often, unwanted updates.

    How is it possible that a locked registry key is changed when SYSTEM is set to Read and updates are downloaded and installed, or Restart Scheduler pops back on after I manually turn it off (Group and Registry)?

    Thanks for any help you can offer as this is driving me nuts.
    Cole
      My ComputerSystem Spec
  3.    15 Oct 2017 #43
    Join Date : Sep 2015
    Posts : 268
    Windows 10 Home

    Read post #5 in this thread. It is the only way I found to stop Windows Updates.

    How to prevent downloading updates?
      My ComputerSystem Spec
  4.    16 Oct 2017 #44
    Join Date : Oct 2014
    Trnava
    Posts : 2,863
    Windows 10.4 Home 1709 x64

    Windows Update Blocker v1.0 - run to enable/disable

    Windows 10 Update Disabler - it runs nonstop
      My ComputerSystem Spec
  5.    2 Weeks Ago #45
    Join Date : Jun 2015
    Phitsanulok, Thailand
    Posts : 5
    Windows 8.1 Enterprise x64

    Quote Originally Posted by TairikuOkami View Post
    Windows Update Blocker v1.0 - run to enable/disable

    Windows 10 Update Disabler - it runs nonstop
    Thanks for this information. I've downloaded, installed and started this service. My fingers are crossed this stops auto-updates. As stated in my post above, I have the permissions locked in the registery and yet even as of today when I powered off then restarted the PC to update a USB 3.0 driver, the registery restored default settings to include a WU Server address and set UseWUServer to 1. I'm still confounded how the registery is being modified even with the permissions set to READ Only.

    Anyway, if this doesn't work I'll inform this post thread.

    Regards.
      My ComputerSystem Spec
  6.    2 Weeks Ago #46
    Join Date : Jun 2015
    Phitsanulok, Thailand
    Posts : 5
    Windows 8.1 Enterprise x64

    Sadly, neither the UpdaterDisabler service nor my locked registery settings have stopped my computer from downloading and installing updates. There must be a registry setting somewhere else that is allowing the SYSTEM to rewrite the registry so as to change the READ only settings to FULL. Does anyone have an idea where this might be or how else to stop my computer from getting around my settings?

    Thanks in advance.
    Cole
      My ComputerSystem Spec
  7.    2 Weeks Ago #47
    Join Date : Oct 2014
    Trnava
    Posts : 2,863
    Windows 10.4 Home 1709 x64

    Windows has tasks to maintain WU, they can not be disabled/removed, if you do it, Windows will restore them.

    \Microsoft\Windows\UpdateOrchestrator - Scheduled Start
    This task performs a scheduled Windows Update scan.

    \Microsoft\Windows\WaaSMedic - PerformRemediation
    Helps recover update-related services to supported configuration.

    If you disable network services, on which WU is dependent on, WU will fail to check for updates. Like: Network List Service. I have disabled all services , so mine does not even try to check for updates ever.
    Attached Thumbnails Attached Thumbnails capture_11032017_013413.jpg  
      My ComputerSystem Spec
  8.    2 Weeks Ago #48
    Join Date : Nov 2017
    Posts : 44
    win10

    There are two options how to suppress Windows 10 forced updates; either disable privileged scheduled tasks which run at System account, or block their access to needed services by permissions. Both ways are not so easy:

    1. You can disable/modify privileged scheduled tasks if you act as System account too. To do this, you have to use freeware PsExec utility from Sysinternals (unzip PsUtils tools somewhere in your Path).

    1a) To run Scheduled Tasks snap-in as System account, type at the Elevated Command Prompt:
    psexec -i -d -s mmc taskschd.msc
    and then you can disable following three tasks interactively in GUI

    1b) To disable affected scheduled tasks directly from commandline, type:
    psexec -i -d -s schtasks /change /tn "microsoft\windows\updateorchestrator\schedule scan" /disable
    psexec -i -d -s schtasks /change /tn "microsoft\windows\windowsupdate\scheduled start" /disable
    psexec -i -d -s schtasks /change /tn "microsoft\windows\WaaSMedic\PerformRemediation" /disable


    To revert those scheduled tasks back, type:
    psexec -i -d -s schtasks /change /tn "microsoft\windows\updateorchestrator\schedule scan" /enable
    psexec -i -d -s schtasks /change /tn "microsoft\windows\windowsupdate\scheduled start" /enable
    psexec -i -d -s schtasks /change /tn "microsoft\windows\WaaSMedic\PerformRemediation" /enable


    These commands may be also run from CMD batch file. Kiitos to TairikuOkami for identifying the 3rd service.

    2. Different approach is to block access of System account to underlying services; so the mentioned tasks cannot neither start nor modify them. You may use freeware utilities from Helge Klein.

    2a) To block System account access to services interactively:
    - install SetACL Studio, run it, enter product key from download page, from menu View select Detailed
    - expand Services node, select Windows Update entry
    - to change ownership, in right pane click Select, click Advanced, click Find now, select Administrators, click OK
    - click on Save button
    - in right pane click to Add (it creates new Access Control Entry for service)
    - click Advanced, click Find now, select System, click OK
    - at newly added line, click on Allow symbol in Type column to change type of Access Control Entry from Allow to Deny
    - at the same line, click in Permissions column
    - select the following permissions: Change configuration, Start, Stop, Delete, Change permissions, Take ownership
    - click on Save button again; System account now cannot manipulate this service
    - repeat the same steps as above for Windows Modules Installer service
    - using regular Services snap-in in MMC console, set both mentioned services to Disabled.

    You need to modify two services this way: wuauserv (Windows Update) and TrustedInstaller (Windows Modules Installer, the name depends on language). All three steps are necessary: setting Administrators as service owner, setting six Deny permissions for System, and disabling the service.

    To revert to normal state, in SetACL Studio simply click Deny symbol (it changes to Allow) and Save, then set service start type to Manual in Services snap-in. Do these steps for both services.

    2b) To block System account access to services from elevated command line or from CMD batch file:
    - download SetACL utility from Helge Klein website, place it on your Path
    - test it using commands:
    setacl -on "wuauserv" -ot srv -actn list
    setacl -on "trustedinstaller" -ot srv -actn list


    - change owner using commands:
    setacl -on "wuauserv" -ot srv -actn setowner -ownr "n:Administrators"
    setacl -on "trustedinstaller" -ot srv -actn setowner -ownr "n:Administrators"


    - set blocking ACE entries:
    setacl -on "wuauserv" -ot srv -actn trustee -trst "n1:system;ta:remtrst;w:dacl"
    setacl -on "wuauserv" -ot srv -actn ace -ace "n:system;p:full;m:grant;w:dacl"
    setacl -on "wuauserv" -ot srv -actn ace -ace "n:system;p:SERVICE_CHANGE_CONFIG,SERVICE_START,SERVICE_STOP,WRITE_OWNER,WRITE_DAC,DELETE;m:deny;w:d acl"
    sc config wuauserv start=disabled
    setacl -on "trustedinstaller" -ot srv -actn trustee -trst "n1:system;ta:remtrst;w:dacl"
    setacl -on "trustedinstaller" -ot srv -actn ace -ace "n:system;p:full;m:grant;w:dacl"
    setacl -on "trustedinstaller" -ot srv -actn ace -ace "n:system;p:SERVICE_CHANGE_CONFIG,SERVICE_START,SERVICE_STOP,WRITE_OWNER,WRITE_DAC,DELETE;m:deny;w:d acl"
    sc config trustedinstaller start=disabled

    ...please treat two strings "d acl" as "dacl", forum formats long lines erratically

    - delete blocking ACE entries for allowing Windows Update temporarily:
    setacl -on "wuauserv" -ot srv -actn trustee -trst "n1:system;ta:remtrst;w:dacl"
    setacl -on "wuauserv" -ot srv -actn ace -ace "n:system;p:full;m:grant;w:dacl"
    sc config wuauserv start=demand
    setacl -on "trustedinstaller" -ot srv -actn trustee -trst "n1:system;ta:remtrst;w:dacl"
    setacl -on "trustedinstaller" -ot srv -actn ace -ace "n:system;p:full;m:grant;w:dacl"
    sc config trustedinstaller start=demand


    3. Recommended workflow, i.e. How to survive periodic patch parties:
    Once a month (probably after Black Tuesday) it is proper to patch Windows systems in a controlled way. It is relatively simple but time consuming activity:
    - image system partition(s) using Macrium Reflect Free, or at least create Restore Point
    - unblock Windows Update mechanism according to blocking method used (enable scheduled tasks, or clear Deny permissions and set services to Manual start)
    - run wushowhide.diagcab immediately to block unwanted patches and drivers
    - run Windows Update
    - revert Windows Update back to blocked state
    - image system partition(s) again.

    That's all, for now. And, of course, many thanks sent to Redmond with love.
    Last edited by muchomurka; 2 Weeks Ago at 02:37.
      My ComputerSystem Spec
  9.    2 Weeks Ago #49
    Join Date : Nov 2017
    Posts : 44
    win10

    Update: first solution from previous post unfortunately no longer works for me (in FCU build), needs more investigations.
      My ComputerSystem Spec
  10.    2 Weeks Ago #50
    Join Date : Nov 2017
    Posts : 44
    win10

    Correction to post #48:

    While the second method how to block updates is safe and universal, the first method works only on computer with special setup, it does not work on "vanilla" (just installed) systems. So I would rather recommend to set Deny permissions on services. But if someone wants to try disabling scheduled tasks, the way to make it functional exists.

    First method will work if - and only if - two Windows Defender services are disabled. User can install other antivirus software (for example Avira Free + BGP Killer), then both Defender engine and its irritating icon are unnecessary; furthermore, Defender cannot resurrect disabled scheduled tasks related to Windows Update.

    The following steps are needed before using the first method:
    - install some antivirus software instead of Windows Defender
    - reboot into Safe Mode
    - create .reg file with following content

    Windows Registry Editor Version 5.00
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SecurityHealthService]
    "Start"=dword:00000004
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinDefend]
    "Start"=dword:00000004
    ; original values were 0x2

    - import the .reg file into registry
    - reboot into normal mode
    - set both wuauserv and trustedinstaller services to Disabled.

    Then you may continue by making steps described in Method 1.

    My apologies, I made first testing on my own highly customized system, but problem exhibited itself later on just installed virtual machine with Defender active. Just another Windows annoyance, nothing more.
      My ComputerSystem Spec

 
Page 5 of 7 FirstFirst ... 34567 LastLast


Similar Threads
Thread Forum
How to Prevent automatic restart in Windows 10 Anniversary Update?
Now that microsoft has removed the ability to force windows 10 to ask to be scheduled and given that "active hours" is a broken concept that doesn't solve any problem, how can I prevent windows from automatically restarting again? Is the only...
Windows Updates and Activation
Solved Does disabling automatic Win Updates include automatic Device Driver?
Hi, all: 1) Does setting Windows Updates to "notify for download and notify for install" via GP edit also disable Device Driver automatic installation? 2) Or does disabling automatic device driver installation need to be configured separately?...
Windows Updates and Activation
Prevent Automatic Upgrade to Windows 10
I support a large community of seniors. Typically I have them running Automatic Updates, because they don't want to do their own maintenance. The most common complaint they come in with is there computers are really slow. It usually turns out...
Windows Updates and Activation
Solved How do I prevent automatic window resizing?
In Windows 7, I knew how to turn off the annoying (to me) feature that windows were automatically maximized when moved to the edge of the screen. This option no longer seems to be present in the 'ease of access' settings. Any idea if it can still be...
General Support
Prevent the automatic downloading of its updates
Hi In Windows 10 build 10130, how do I prevent the automatic downloading of its updates? Thanks Bye
Installation and Upgrade
Our Sites
Site Links
About Us
Windows 10 Forums is an independent web site and has not been authorized, sponsored, or otherwise approved by Microsoft Corporation. "Windows 10" and related materials are trademarks of Microsoft Corp.

Designer Media Ltd
All times are GMT -5. The time now is 05:11.
Find Us
Twitter Facebook Google+ Ten Forums iOS App Ten Forums Android App



Windows 10 Forums