#41
I've used the registry to stop automatic updates for years, but this appears to no longer work in Windows 10 (Pro). My computer is on an Enterprise network which uses WU Servers, but I have changed the inherited permissions of the registry key for Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate that sets all users except my administrator account to Read. However, frequently I get the restart timer screen with a message that updates are installed and the system needs to be restarted. I can turn off this scheduler but in minutes to hours it pops back up turned on, and if I don't address it within the allotted time my computer WILL reboot and complete installing, quite often, unwanted updates.
How is it possible that a locked registry key is changed when SYSTEM is set to Read and updates are downloaded and installed, or Restart Scheduler pops back on after I manually turn it off (Group and Registry)?
Thanks for any help you can offer as this is driving me nuts.
Cole
Read post #5 in this thread. It is the only way I found to stop Windows Updates.
How to prevent downloading updates?
Windows Update Blocker v1.0 - run to enable/disable
Windows 10 Update Disabler - it runs nonstop
Thanks for this information. I've downloaded, installed and started this service. My fingers are crossed this stops auto-updates. As stated in my post above, I have the permissions locked in the registry, and yet even as of today, when I powered off and then restarted the PC to update a USB 3.0 driver, the registry restored default settings to include a WU Server address and set UseWUServer to 1. I'm still confounded how the registry is being modified even with the permissions set to READ only.
Anyway, if this doesn't work I'll inform this post thread.
Regards.
Sadly, neither the UpdaterDisabler service nor my locked registry settings have stopped my computer from downloading and installing updates. There must be a registry setting somewhere else that is allowing the SYSTEM to rewrite the registry so as to change the READ only settings to FULL. Does anyone have an idea where this might be or how else to stop my computer from getting around my settings?
Thanks in advance.
Cole
Windows has tasks to maintain WU; they cannot be disabled/removed. If you do it, Windows will restore them.
\Microsoft\Windows\UpdateOrchestrator - Scheduled Start
This task performs a scheduled Windows Update scan.
\Microsoft\Windows\WaaSMedic - PerformRemediation
Helps recover update-related services to supported configuration.
If you disable the network services on which WU depends, WU will fail to check for updates. For example: Network List Service. I have disabled all such services, so mine does not even try to check for updates ever. :)
There are two options for suppressing Windows 10 forced updates: either disable the privileged scheduled tasks which run under the System account, or block their access to the needed services by permissions. Neither way is so easy:
1. You can disable/modify privileged scheduled tasks if you act as the System account too. To do this, you have to use the freeware PsExec utility from Sysinternals (unzip the PsUtils tools somewhere in your Path).
1a) To run Scheduled Tasks snap-in as System account, type at the Elevated Command Prompt:
psexec -i -d -s mmc taskschd.msc
and then you can disable the following three tasks interactively in the GUI
1b) To disable affected scheduled tasks directly from commandline, type:
psexec -i -d -s schtasks /change /tn "microsoft\windows\updateorchestrator\schedule scan" /disable
psexec -i -d -s schtasks /change /tn "microsoft\windows\windowsupdate\scheduled start" /disable
psexec -i -d -s schtasks /change /tn "microsoft\windows\WaaSMedic\PerformRemediation" /disable
To revert those scheduled tasks back, type:
psexec -i -d -s schtasks /change /tn "microsoft\windows\updateorchestrator\schedule scan" /enable
psexec -i -d -s schtasks /change /tn "microsoft\windows\windowsupdate\scheduled start" /enable
psexec -i -d -s schtasks /change /tn "microsoft\windows\WaaSMedic\PerformRemediation" /enable
These commands may also be run from a CMD batch file. Thanks to TairikuOkami for identifying the 3rd service.
2. A different approach is to block the System account's access to the underlying services, so that the mentioned tasks can neither start nor modify them. You may use the freeware utilities from Helge Klein.
2a) To block System account access to the services interactively:
- install SetACL Studio, run it, enter the product key from the download page, and from the View menu select Detailed
- expand Services node, select Windows Update entry
- to change ownership, in right pane click Select, click Advanced, click Find now, select Administrators, click OK
- click on Save button
- in right pane click to Add (it creates new Access Control Entry for service)
- click Advanced, click Find now, select System, click OK
- at newly added line, click on Allow symbol in Type column to change type of Access Control Entry from Allow to Deny
- at the same line, click in Permissions column
- select the following permissions: Change configuration, Start, Stop, Delete, Change permissions, Take ownership
- click on Save button again; System account now cannot manipulate this service
- repeat the same steps as above for Windows Modules Installer service
- using the regular Services snap-in in the MMC console, set both mentioned services to Disabled.
You need to modify two services this way: wuauserv (Windows Update) and TrustedInstaller (Windows Modules Installer, the name depends on language). All three steps are necessary: setting Administrators as service owner, setting six Deny permissions for System, and disabling the service.
To revert to normal state, in SetACL Studio simply click Deny symbol (it changes to Allow) and Save, then set service start type to Manual in Services snap-in. Do these steps for both services.
2b) To block System account access to services from elevated command line or from CMD batch file:
- download the SetACL utility from the Helge Klein website and place it on your Path
- test it using commands:
setacl -on "wuauserv" -ot srv -actn list
setacl -on "trustedinstaller" -ot srv -actn list
- change owner using commands:
setacl -on "wuauserv" -ot srv -actn setowner -ownr "n:Administrators"
setacl -on "trustedinstaller" -ot srv -actn setowner -ownr "n:Administrators"
- set blocking ACE entries:
setacl -on "wuauserv" -ot srv -actn trustee -trst "n1:system;ta:remtrst;w:dacl"
setacl -on "wuauserv" -ot srv -actn ace -ace "n:system;p:full;m:grant;w:dacl"
setacl -on "wuauserv" -ot srv -actn ace -ace "n:system;p:SERVICE_CHANGE_CONFIG,SERVICE_START,SERVICE_STOP,WRITE_OWNER,WRITE_DAC,DELETE;m:deny;w:dacl"
sc config wuauserv start= disabled
setacl -on "trustedinstaller" -ot srv -actn trustee -trst "n1:system;ta:remtrst;w:dacl"
setacl -on "trustedinstaller" -ot srv -actn ace -ace "n:system;p:full;m:grant;w:dacl"
setacl -on "trustedinstaller" -ot srv -actn ace -ace "n:system;p:SERVICE_CHANGE_CONFIG,SERVICE_START,SERVICE_STOP,WRITE_OWNER,WRITE_DAC,DELETE;m:deny;w:dacl"
sc config trustedinstaller start= disabled
- delete blocking ACE entries for allowing Windows Update temporarily:
setacl -on "wuauserv" -ot srv -actn trustee -trst "n1:system;ta:remtrst;w:dacl"
setacl -on "wuauserv" -ot srv -actn ace -ace "n:system;p:full;m:grant;w:dacl"
sc config wuauserv start= demand
setacl -on "trustedinstaller" -ot srv -actn trustee -trst "n1:system;ta:remtrst;w:dacl"
setacl -on "trustedinstaller" -ot srv -actn ace -ace "n:system;p:full;m:grant;w:dacl"
sc config trustedinstaller start= demand
3. Recommended workflow, i.e. How to survive periodic patch parties:
Once a month (probably after Black Tuesday) it is proper to patch Windows systems in a controlled way. It is a relatively simple but time-consuming activity:
- image system partition(s) using Macrium Reflect Free, or at least create Restore Point
- unblock Windows Update mechanism according to blocking method used (enable scheduled tasks, or clear Deny permissions and set services to Manual start)
- run wushowhide.diagcab immediately to block unwanted patches and drivers
- run Windows Update
- revert Windows Update back to blocked state
- image system partition(s) again.
That's all, for now. And, of course, many thanks sent to Redmond with love.
Last edited by muchomurka; 03 Nov 2017 at 02:37.
Update: the first solution from the previous post unfortunately no longer works for me (in the FCU build); it needs more investigation.
Correction to post #48:
While the second method of blocking updates is safe and universal, the first method works only on a computer with a special setup; it does not work on "vanilla" (just installed) systems. So I would rather recommend setting Deny permissions on the services. But if someone wants to try disabling the scheduled tasks, there is a way to make it functional.
The first method will work if, and only if, two Windows Defender services are disabled. The user can install other antivirus software (for example Avira Free + BGP Killer); then both the Defender engine and its irritating icon are unnecessary, and furthermore Defender cannot resurrect the disabled scheduled tasks related to Windows Update.
The following steps are needed before using the first method:
- install some antivirus software instead of Windows Defender
- reboot into Safe Mode
- create .reg file with following content
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SecurityHealthService]
"Start"=dword:00000004
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinDefend]
"Start"=dword:00000004
; original values were 0x2
- import the .reg file into registry
- reboot into normal mode
- set both wuauserv and trustedinstaller services to Disabled.
Then you may continue by making steps described in Method 1.
My apologies, I did my first testing on my own highly customized system, but the problem showed up later on a freshly installed virtual machine with Defender active. Just another Windows annoyance, nothing more.
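The thread names three control points that keep being reverted (the UpdateOrchestrator, WindowsUpdate and WaaSMedic tasks, the wuauserv and TrustedInstaller service DACLs, and the WSUS policy values). The following audit script, written for this reply as an added example and not taken from the thread or from any tool it mentions, reports the current state of each so you can see what was restored after a reboot; it assumes Windows 10 with the built-in ScheduledTasks module and an elevated PowerShell session.

```powershell
# Added example (not from the thread): report the state of the update-related
# scheduled tasks, service start types/DACLs and WSUS policy values.
# Assumes an elevated PowerShell 5.x session on Windows 10.

# 1. Scheduled tasks named in the thread (State is Ready/Disabled/Running or "not present")
$tasks = @(
    @{ Path = '\Microsoft\Windows\UpdateOrchestrator\'; Name = 'Schedule Scan' },
    @{ Path = '\Microsoft\Windows\WindowsUpdate\';      Name = 'Scheduled Start' },
    @{ Path = '\Microsoft\Windows\WaaSMedic\';          Name = 'PerformRemediation' }
)
foreach ($t in $tasks) {
    $task = Get-ScheduledTask -TaskPath $t.Path -TaskName $t.Name -ErrorAction SilentlyContinue
    $state = if ($null -eq $task) { 'not present' } else { $task.State }
    Write-Output ("Task {0}{1}: {2}" -f $t.Path, $t.Name, $state)
}

# 2. Services: start type plus whether the DACL (SDDL from sc.exe sdshow) carries a
#    Deny ACE for SYSTEM (abbreviated SY, or the raw SID S-1-5-18). The Defender
#    services from the follow-up post are listed for their start type only.
foreach ($svc in 'wuauserv', 'TrustedInstaller', 'WinDefend', 'SecurityHealthService') {
    $service = Get-Service -Name $svc -ErrorAction SilentlyContinue
    if ($null -eq $service) { Write-Output ("Service {0}: not present" -f $svc); continue }
    $sddl = (sc.exe sdshow $svc | Where-Object { $_ -match '^D:' }) -join ''
    $denySystem = [bool]($sddl -match '\(D;[^)]*;;;(SY|S-1-5-18)\)')
    Write-Output ("Service {0}: StartType={1} DenyACEforSYSTEM={2}" -f $svc, $service.StartType, $denySystem)
}

# 3. WSUS policy values the original poster saw being re-created
$key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
foreach ($pair in @(@($key, 'WUServer'), @((Join-Path $key 'AU'), 'UseWUServer'))) {
    $item = Get-ItemProperty -Path $pair[0] -Name $pair[1] -ErrorAction SilentlyContinue
    $value = if ($null -eq $item) { '<not set>' } else { $item.($pair[1]) }
    Write-Output ("Registry {0}\{1} = {2}" -f $pair[0], $pair[1], $value)
}
```

Run it once after applying either method and again after the next reboot; any line that changed between the two runs is the mechanism (task, service ACL or policy key) that Windows restored.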