Windows 10: How can I prevent automatic updates?

Discussion in 'Windows 10 Updates and Activation' started by stonefly, Dec 12, 2016.

  1. How can I prevent automatic updates?

    TairikuOkami, Oct 15, 2017
    #46
  2. cmcole101 Win User

    Thanks for this information. I've downloaded, installed and started this service. My fingers are crossed this stops auto-updates. As stated in my post above, I have the permissions locked in the registry and yet even as of today when I powered off then restarted the PC to update a USB 3.0 driver, the registry restored default settings to include a WU Server address and set UseWUServer to 1. I'm still confounded how the registry is being modified even with the permissions set to READ Only.

    Anyway, if this doesn't work I'll inform this post thread.

    Regards.
     
    cmcole101, Nov 1, 2017
    #47
  3. cmcole101 Win User
    Sadly, neither the UpdaterDisabler service nor my locked registry settings have stopped my computer from downloading and installing updates. There must be a registry setting somewhere else that is allowing the SYSTEM to rewrite the registry so as to change the READ only settings to FULL. Does anyone have an idea where this might be or how else to stop my computer from getting around my settings?

    Thanks in advance.
    Cole
     
    cmcole101, Nov 2, 2017
    #48
  4. How can I prevent automatic updates?

    Windows has tasks to maintain WU; they cannot be disabled/removed. If you do it, Windows will restore them.

    \Microsoft\Windows\UpdateOrchestrator - Scheduled Start
    This task performs a scheduled Windows Update scan.

    \Microsoft\Windows\WaaSMedic - PerformRemediation
    Helps recover update-related services to supported configuration.

    If you disable network services on which WU is dependent, WU will fail to check for updates. Like: Network List Service. I have disabled all services, so mine does not even try to check for updates ever.
     
    TairikuOkami, Nov 2, 2017
    #49
  5. There are two options to suppress Windows 10 forced updates: either disable the privileged scheduled tasks which run as the System account, or block their access to the needed services by permissions. Neither way is so easy:

    1. You can disable/modify privileged scheduled tasks if you act as System account too. To do this, you have to use freeware PsExec utility from Sysinternals (unzip PsUtils tools somewhere in your Path).

    1a) To run Scheduled Tasks snap-in as System account, type at the Elevated Command Prompt:
    psexec -i -d -s mmc taskschd.msc
    and then you can disable following three tasks interactively in GUI

    1b) To disable affected scheduled tasks directly from commandline, type:
    psexec -i -d -s schtasks /change /tn "microsoft\windows\updateorchestrator\schedule scan" /disable
    psexec -i -d -s schtasks /change /tn "microsoft\windows\windowsupdate\scheduled start" /disable
    psexec -i -d -s schtasks /change /tn "microsoft\windows\WaaSMedic\PerformRemediation" /disable


    To revert those scheduled tasks back, type:
    psexec -i -d -s schtasks /change /tn "microsoft\windows\updateorchestrator\schedule scan" /enable
    psexec -i -d -s schtasks /change /tn "microsoft\windows\windowsupdate\scheduled start" /enable
    psexec -i -d -s schtasks /change /tn "microsoft\windows\WaaSMedic\PerformRemediation" /enable


    These commands may be also run from CMD batch file. Kiitos to TairikuOkami for identifying the 3rd service.

    2. A different approach is to block access of the System account to the underlying services, so the mentioned tasks can neither start nor modify them. You may use freeware utilities from Helge Klein.

    2a) To block System account access to services interactively:
    - install SetACL Studio, run it, enter product key from download page, from menu View select Detailed
    - expand Services node, select Windows Update entry
    - to change ownership, in right pane click Select, click Advanced, click Find now, select Administrators, click OK
    - click on Save button
    - in right pane click to Add (it creates new Access Control Entry for service)
    - click Advanced, click Find now, select System, click OK
    - at newly added line, click on Allow symbol in Type column to change type of Access Control Entry from Allow to Deny
    - at the same line, click in Permissions column
    - select the following permissions: Change configuration, Start, Stop, Delete, Change permissions, Take ownership
    - click on Save button again; System account now cannot manipulate this service
    - repeat the same steps as above for Windows Modules Installer service
    - using regular Services snap-in in MMC console, set both mentioned services to Disabled.

    You need to modify two services this way: wuauserv (Windows Update) and TrustedInstaller (Windows Modules Installer, the name depends on language). All three steps are necessary: setting Administrators as service owner, setting six Deny permissions for System, and disabling the service.

    To revert to normal state, in SetACL Studio simply click Deny symbol (it changes to Allow) and Save, then set service start type to Manual in Services snap-in. Do these steps for both services.

    2b) To block System account access to services from elevated command line or from CMD batch file:
    - download SetACL utility from Helge Klein website, place it on your Path
    - test it using commands:
    setacl -on "wuauserv" -ot srv -actn list
    setacl -on "trustedinstaller" -ot srv -actn list


    - change owner using commands:
    setacl -on "wuauserv" -ot srv -actn setowner -ownr "n:Administrators"
    setacl -on "trustedinstaller" -ot srv -actn setowner -ownr "n:Administrators"


    - set blocking ACE entries:
    setacl -on "wuauserv" -ot srv -actn trustee -trst "n1:system;ta:remtrst;w:dacl"
    setacl -on "wuauserv" -ot srv -actn ace -ace "n:system;p:full;m:grant;w:dacl"
    setacl -on "wuauserv" -ot srv -actn ace -ace "n:system;p:SERVICE_CHANGE_CONFIG,SERVICE_START,SERVICE_STOP,WRITE_OWNER,WRITE_DAC,DELETE;m:deny;w:dacl"
    sc config wuauserv start= disabled
    setacl -on "trustedinstaller" -ot srv -actn trustee -trst "n1:system;ta:remtrst;w:dacl"
    setacl -on "trustedinstaller" -ot srv -actn ace -ace "n:system;p:full;m:grant;w:dacl"
    setacl -on "trustedinstaller" -ot srv -actn ace -ace "n:system;p:SERVICE_CHANGE_CONFIG,SERVICE_START,SERVICE_STOP,WRITE_OWNER,WRITE_DAC,DELETE;m:deny;w:dacl"
    sc config trustedinstaller start= disabled

    - delete blocking ACE entries for allowing Windows Update temporarily:
    setacl -on "wuauserv" -ot srv -actn trustee -trst "n1:system;ta:remtrst;w:dacl"
    setacl -on "wuauserv" -ot srv -actn ace -ace "n:system;p:full;m:grant;w:dacl"
    sc config wuauserv start= demand
    setacl -on "trustedinstaller" -ot srv -actn trustee -trst "n1:system;ta:remtrst;w:dacl"
    setacl -on "trustedinstaller" -ot srv -actn ace -ace "n:system;p:full;m:grant;w:dacl"
    sc config trustedinstaller start= demand


    3. Recommended workflow, i.e. How to survive periodic patch parties:
    Once a month (probably after Black Tuesday) it is proper to patch Windows systems in a controlled way. It is relatively simple but time consuming activity:
    - image system partition(s) using Macrium Reflect Free, or at least create Restore Point
    - unblock Windows Update mechanism according to blocking method used (enable scheduled tasks, or clear Deny permissions and set services to Manual start)
    - run wushowhide.diagcab immediately to block unwanted patches and drivers
    - run Windows Update
    - revert Windows Update back to blocked state
    - image system partition(s) again.

    That's all, for now. And, of course, many thanks sent to Redmond with love.
     
    muchomurka, Nov 2, 2017
    #50
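A read-only check of the state that method 2 in the post above produces, useful for confirming the block or the revert took effect, or for spotting a machine that has stopped patching for this reason. This is an added example, not code from the thread; the function name `Get-SystemDenyRights` is hypothetical and the sample SDDL string is constructed.

```powershell
# Added example (not from the thread): report start type and any Deny ACE for
# SYSTEM on the two services named in the post. Read-only; run elevated.

# SDDL right codes as they apply to service objects (the six rights denied above).
$ServiceRights = [ordered]@{
    DC = 'SERVICE_CHANGE_CONFIG'; RP = 'SERVICE_START'; WP = 'SERVICE_STOP'
    SD = 'DELETE';                WD = 'WRITE_DAC';     WO = 'WRITE_OWNER'
}

function Get-SystemDenyRights {
    param([Parameter(Mandatory)][string]$Sddl)
    # ACE layout: (type;flags;rights;object;inherit_object;trustee).
    # Type "D" is access-denied; SYSTEM appears as the alias SY or as S-1-5-18.
    $pattern = '\(D;[^;]*;(?<rights>[^;)]*);[^;]*;[^;]*;(SY|S-1-5-18)\)'
    foreach ($ace in [regex]::Matches($Sddl, $pattern)) {
        $rights = $ace.Groups['rights'].Value
        if ($rights -like '0x*') { $rights; continue }   # hex mask: report as-is
        foreach ($code in [regex]::Matches($rights, '..')) {
            if ($ServiceRights.Contains($code.Value)) { $ServiceRights[$code.Value] }
            else { $code.Value }                          # right not in the table
        }
    }
}

# Constructed sample SDDL (not captured from a real machine) to show the parser offline.
$sample = 'D:(D;;DCRPWPSDWDWO;;;SY)(A;;CCLCSWRPWPDTLOCRRC;;;BA)'
"sample -> $((Get-SystemDenyRights $sample) -join ', ')"

foreach ($name in 'wuauserv', 'TrustedInstaller') {
    $svc  = Get-CimInstance Win32_Service -Filter "Name='$name'"
    $sddl = (& sc.exe sdshow $name | Out-String).Trim()
    if ($LASTEXITCODE -ne 0) { Write-Warning "${name}: cannot read DACL"; continue }
    [pscustomobject]@{
        Service          = $name
        StartMode        = $svc.StartMode     # Disabled / Manual / Auto
        State            = $svc.State
        SystemDenyRights = (Get-SystemDenyRights $sddl) -join ', '
    }
}
```

An empty `SystemDenyRights` column together with `StartMode` Manual corresponds to the reverted state the post describes.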
  6. Update: first solution from previous post unfortunately no longer works for me (in FCU build), needs more investigations.
     
    muchomurka, Nov 2, 2017
    #51
  7. Correction to post #48:

    While the second method how to block updates is safe and universal, the first method works only on computer with special setup, it does not work on "vanilla" (just installed) systems. So I would rather recommend to set Deny permissions on services. But if someone wants to try disabling scheduled tasks, the way to make it functional exists.

    First method will work if - and only if - two Windows Defender services are disabled. User can install other antivirus software (for example Avira Free + BGP Killer), then both Defender engine and its irritating icon are unnecessary; furthermore, Defender cannot resurrect disabled scheduled tasks related to Windows Update.

    The following steps are needed before using the first method:
    - install some antivirus software instead of Windows Defender
    - reboot into Safe Mode
    - create .reg file with following content
    Windows Registry Editor Version 5.00
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SecurityHealthService]
    "Start"=dword:00000004
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinDefend]
    "Start"=dword:00000004
    ; original values were 0x2

    - import the .reg file into registry
    - reboot into normal mode
    - set both wuauserv and trustedinstaller services to Disabled.
    Then you may continue by making steps described in Method 1.

    My apologies, I made first testing on my own highly customized system, but problem exhibited itself later on just installed virtual machine with Defender active. Just another Windows annoyance, nothing more.
     
    muchomurka, Nov 2, 2017
    #52
  8. Ex_Brit Win User

    Remember 2 factors:
    1. Every major update (such as the recent Fall Creators one) will most likely undo any steps taken.
    2. Microsoft forces updates vital to system security even with WU disabled.
     
    Ex_Brit, Nov 2, 2017
    #53
  9. Barman58 Win User
    Warning usage of the deny access permissions option either on the file system or registry incorrectly can result in an inoperative system and require a total fresh install to cure

    Disabling of the trusted installer or other system user related services will significantly reduce the security of the system

    Make sure you have backups of all OS and Personal data BEFORE contemplating this type of action


    this CMA info brought to you by Tenforums.com
     
    Barman58, Nov 2, 2017
    #54
  10. 1. Sure, that is why I recommend workflow Allow Updates - WuShowHide - Update System - Block Updates again.
    2. Can you be more specific, e.g. how Microsoft can force updates when wuauserv and trustedinstaller services are blocked? It never happened to me.
     
    muchomurka, Nov 2, 2017
    #55
  11. Ex_Brit Win User
    OK. to the second one, yes you're right I'm sure, but doing that, in my opinion, is perhaps not the wisest thing to do surely?
     
    Ex_Brit, Nov 2, 2017
    #56
  12. Ex_Brit Win User
    Wouldn't it be wiser to point the OP to the Tutorials, when one can return WU to ask always before downloading/installing anything? There is even one to hide updates.
    Most people aren't familiar with the registry plus they often very unwisely use registry cleaners, so the above suggestion coupled with that habit could completely wreck a system IMHO.
     
    Ex_Brit, Nov 2, 2017
    #57
  13. How can I prevent automatic updates?

    this CMA info brought to you by Tenforums.com
    1. In my post, Deny permissions are set correctly to achieve desired result - blocking forced updates. Furthermore, I always write how to revert blocking action back. And btw, in referenced post I never and nowhere recommend usage of the deny access permissions option either on the file system or registry... but only to services.
    2. Too vague claim, you completely ignore goal (see above) and context (best practices).
    3. I agree and add supplement: and always BEFORE installing updates!
     
    muchomurka, Nov 2, 2017
    #58
  14. Ex_Brit: whether is it the wisest thing - I do not know. No clear answer. It is part of regular maintenance of my home systems. And I only try to answer question in subject of this thread: "How can I prevent automatic updates?"

    I think the procedure is difficult for regular users. But not too dangerous: all steps are easily reversible which is documented. None of the commands given can "brick" system. And afaik this is the only way how to re-gain control over update process in Windows 10. For many people, it is essential.
     
    muchomurka, Nov 2, 2017
    #59
  15. Ex_Brit Win User
    Agreed, good luck to all.
     
    Ex_Brit, Nov 2, 2017
    #60