Disable Windows Update forever?

Last Modified: 2018-11-20
Is there a way to disable Windows Update on Windows 10? I have a mini-PC that has a 16G hard drive and only runs one PowerPoint slide, nothing else. Every so often, Windows Update runs and tries to install but fails because no storage is available. Whenever it fails, the Windows screen fills with prompts asking for troubleshooting. I googled and tried many different things, but all failed. Any idea?

Michelangelo, System Administrator / Postmaster
CERTIFIED EXPERT

Commented:
Disable the Windows Update service. Via Control Panel > Administrative Tools, you can access the Windows Services Manager. In the Services window, scroll down to Windows Update and turn off the service.
timgreen7077, Exchange Engineer
CERTIFIED EXPERT
Distinguished Expert 2018

Commented:
Agree with @Michelangelo, but also once you turn off the service, be sure to set startup to manual so that it doesn't start running again upon reboot of the computer.
CERTIFIED EXPERT
Distinguished Expert 2018

Commented:
There is no safe supported way to disable Windows 10 updates. Nor should you. Even a dedicated kiosk-type device needs to be maintained if it has any access to the internet, and NUC devices still need to have adequate resources to do their job.

Disabling services can have bad side effects. And is insecure as well. It's doubling down on a bad idea.

The fix here is more space, not bad security.

Author

Commented:
That is one of the first things I did and it keeps coming back.  I tried the following: https://www.easeus.com/todo-backup-resource/how-to-stop-windows-10-from-automatically-update.html. It is still trying to update Windows.
Owen Rubin, Consultant

Commented:
Even if you disable it, Microsoft has the ability to push security updates it feels are mandatory to your system. We had build servers that used to do full builds every night, and often we would come to work to find them sitting in a restart state not doing anything. They had received some "critical update" that MSFT pushed even though we had all updates off.  The only way we were able to stop this was to add firewall rules to block all Microsoft traffic from reaching the servers. We would manually update them when they were not busy doing full builds.
John, Business Consultant (Owner)
Most Valuable Expert 2012
Expert of the Year 2018

Commented:
Is there a way to disable it forever?   NO, not in a million years. Forget that and fix your application to work going forward. You cannot do what you want.
Seth Simmons, Lead Systems Administrator
CERTIFIED EXPERT

Commented:
"is there a way to disable Windows Update on Windows 10?"

Not with the current build.
If you change the service start to disabled, Windows will now change it back.

"I have mini-pc that has 16G hard drive, only serves run one slide of powerpoint, nothing else."

Switch to Linux.
Owen Rubin, Consultant

Commented:
Well, I guess switching the machine to Linux would stop the Windows updates, that much is sure!  :-)
Andrew Leniart, IT Professional | Freelance Journalist
CERTIFIED EXPERT
Author of the Year 2019
Distinguished Expert 2018

Commented:
is there a way to disable Windows Update on Windows 10?

Yes. Use a firewall rule to block the service from accessing the Internet so that when it tries to update, it will consider itself offline. This may or may not work with Microsoft's built-in firewall as Windows could reverse the rule, but worth a shot. If that fails, any third party firewall should do the trick.

You could block access to the service itself, and/or the entire Microsoft Update server.

Note: Almost anything is possible, but I'd highly recommend you resolve your issues and stay up to date instead.

I hope that's helpful.

Regards, Andrew
CERTIFIED EXPERT
Distinguished Expert 2019

Commented:
It is interesting to see how people insist on "if you change the service start to disabled, windows will now change it back" but never have any proof for that. I started a question lately:
"Does Windows reset the startup type of its internal services at will? I am seeking hard evidence." - no one could prove his claims although it would be so easy by monitoring the registry key of the services. See for yourself: https://www.experts-exchange.com/questions/29092480/Does-Windows-reset-the-startup-type-of-its-internal-services-at-will.html
Mike Sun, Senior Systems Engineer (IBM - retired)
CERTIFIED EXPERT

Commented:
Perhaps the simplest solution is to remove the internet connection if it's not required?
Michelangelo, System Administrator / Postmaster
CERTIFIED EXPERT

Commented:
@timgreen
"Agree with @Michelangelo, but also once you turn off the service be sure to set start up to manual so that it doesn't start running again upon reboot of the computer."
Nope, I stay with my solution: DISABLE the service means set startup to DISABLED. Setting it to MANUAL would allow it to be started again by whatever software is on the computer.
@McKnife
Ahah, you took it personally! I like it!
John, Business Consultant (Owner)
Most Valuable Expert 2012
Expert of the Year 2018

Commented:
I don't think blocking internet will help a lot of people. I just use software that adapts to new updates. That works better for me.
Mike Sun, Senior Systems Engineer (IBM - retired)
CERTIFIED EXPERT

Commented:
I was just thinking that if security updates are to be disabled, it is safer to keep the machine off the internet and guarantee no software changes in that manner.
John, Business Consultant (Owner)
Most Valuable Expert 2012
Expert of the Year 2018

Commented:
I understand what you are saying and don't disagree with the thinking. It just seems easier to use software that can adapt to updates.
Shaun Vermaak, Senior Consultant
CERTIFIED EXPERT
Awarded 2017
Distinguished Expert 2019

Commented:
@McKnife: I have also never seen a disabled Windows Update service enable itself again. The only time I would expect that is if the Windows Malicious Software Removal Tool (MSRT) is executed and it has instructions to enable the service based on malware in the fix list.

Disable the service. If that fails, change the permission in the registry to deny everyone write access, and add a dependency service.

Author

Commented:
Thanks for all of your comments! I checked Windows Update this morning and sure enough, the Windows Update service changed to MANUAL.
I guess this means that the update will run again. Many of this type of computer don't need Internet access, but I or staff need access to make changes. Changing it to Linux is an option, but I am not a Linux guy. It was 10 years ago that I installed my first Fedora on a PC and I haven't touched it since. Is it easy to install?  The installer has to be from USB.  Another option is to use my switch or firewall to block the PC from running Windows Update.

I just can't believe that I can't simply disable the update!!  Security: yes, I understand the risks of not updating and the danger to the PC when you don't have updates running.  I don't need to update many of the PCs that serve a kiosk-type purpose. Even if I want to update, I would like to do it manually.
Shaun Vermaak, Senior Consultant
CERTIFIED EXPERT
Awarded 2017
Distinguished Expert 2019

Commented:
If you change the permission after setting it to DISABLED/MANUAL, it won't be able to change it.
John, Business Consultant (Owner)
Most Valuable Expert 2012
Expert of the Year 2018

Commented:
I just can't believe that I can't simply disable the updates

Microsoft has finally told the non-updaters (who get their machines wrecked by malware and blame Microsoft) that updates are now going to happen. Yes, I have attended the Microsoft Global Summits.

So you must accept it and move on.
CERTIFIED EXPERT
Distinguished Expert 2019

Commented:
"sure enough, the Windows Update service changed to MANUAL". You need to share details. What was it set to before?
Two occasions modify this startup type:
A) you do an in-place upgrade of Windows manually
B) you have an SCCM agent running

By the way, what windows edition (home, pro,...) and build (output of the command winver) is this?
Mike Sun, Senior Systems Engineer (IBM - retired)
CERTIFIED EXPERT

Commented:
On the other hand, the simple act of disconnecting the machine from the Internet not only stops Microsoft's ability to update but also any other 3rd party software from making changes via the Internet connection. Staying off-line makes security less of an issue.

Author

Commented:
John, I understand that there are lots of blamers. I love Microsoft products! But I don't like to be "mandated" or have "no option."  It is like Apple products: they give you whatever they think is best and we have to stick with it. I hope MSFT is not leading that way. I am an adult and I fully understand my actions and would love to take care of it if an issue arises based on my action.  MSFT, please don't take away that privilege.  Maybe it is time to learn the Linux world again.  John, I will move on, but I can't accept it.

Author

Commented:
This is a stick PC that comes with Windows 10 Home Edition. It is installed on the back side of the TV. The service was disabled yesterday and it changed to manual this morning.

Author

Commented:
I am not sure if this is only me stressing out or not. I have a client who has a desktop PC with Windows 10 Pro that has a Windows Update issue too. This PC has a video card with two monitors. Every time Windows Update ran, it reset the driver.  As a result, the second monitor is not working.  I have to reload the driver that the manufacturer recommended; it works fine, but it has continued doing this for the last few weeks. I don't want to disable Windows Update on this computer, so how do I stop Windows Update from updating the driver? Any idea?
Shaun Vermaak, Senior Consultant
CERTIFIED EXPERT
Awarded 2017
Distinguished Expert 2019

Commented:
Just hide the update.
CERTIFIED EXPERT
Distinguished Expert 2018

Commented:
I hope MSFT is not leading that way. I am an adult and I fully understand my action and love to take care of it if there is an issue arisen based on my action.

1) Microsoft is definitely not the only one moving in this direction.  So I don't know if I'd call it "leading the way" but it is a trend.

2) The bigger issue and one I happen to agree with is that malware often no longer hurts the person who was irresponsible and didn't stay up to date.  In the era of Slammer, that was true.  You don't update, oh well, you pay the price.  But now we live in an era where your infected machine is part of a botnet that can be sent to attack Amazon or Akamai, and that impacts *EVERYONE* who isn't infected.  That whole "I am an adult" only goes so far.  It is the same reason the U.S. has speed-limits on the road and drinking-and-driving laws.  If the only people who died in car crashes were the drunk people, I'd say (callously) that they were adults and made their choice. But we live in a world where innocent bystanders are victimized by irresponsible actions.  That extends to malware.  So yes, companies have a *RESPONSIBILITY* to keep their products secure, and if they feel mandatory updates are the best way, so be it.


Specific thoughts:

1) Unplugging the network cable is an option. IF there is *zero* network access then security is mitigated.  I'd be comfortable with this solution.  Servicing is a pain though. Want to upload a new powerpoint?  Gotta do so at the device.  Plugging it back in, even temporarily, is not a good option if you choose to have it be unpatched.  Infections can happen in an instant. So you *have* to weigh the cost of servicing into the plan of running windows unpatched.  In most cases I think patching wins out.

2) Disabling Windows Update.  Yes there are multiple ways this can be re-enabled. I respect the other experts that make this suggestion, but I disagree. I've had this debate with them before, so I won't rehash it here.  Short version is, I've seen it get re-enabled.  Some of the maintenance tasks that can re-enable it run as system, so changing permissions doesn't fix it.  These are my observations, as has been with other experts and Microsoft MVPs I respect. And while I also respect the experts who have never seen this, I just fundamentally disagree with them on this point.  Unfortunately in a he said/she said (or he said/he said, or she said/she said), you have to decide for yourself which expert to believe.  Once you have to decide, I'd still say err on the side of caution.

3) Blocking updates at the network edge.  Tough to do with Windows 10.  You actually have to do several things.  You have to block access to Windows Update servers by IP, and as Microsoft builds new Azure datacenters, that IP list is a moving target.  Microsoft also partners with a couple of content-distribution-network (CDN) providers.  You'd have to block them.  You'd have to actively choose to disable the peer-to-peer updating/Delivery Optimization that Windows 10 updates support, or it'll happily update from another machine on the network. *And* you have to maintain all of that, or risk an update when you least expect it.


4) Upgrade the machine to have the resources to update properly on its own.  The cost is minimal for peace of mind.  This would be my recommended option.  In a world where labor has a cost as well, this is likely the best TCO/return on investment.

5) Linux. Probably the second-best option.  But Linux *also* needs to be kept up to date, or kept off the network. Or the same "I'm an adult" argument applies.  All you have to do is look at the Linux-based IoT devices that were used as a botnet to take down Krebs' security website to see the problem with running Linux unpatched.  So "Linux" isn't a silver bullet and most of the same concerns still apply.


YMMV.

-Cliff
CERTIFIED EXPERT
Distinguished Expert 2019

Commented:
"This is stick PC that comes with Windows 10 Home Edition." - that answers the first of my 2 questions. And what build = what's the output of the command
winver

That would be really interesting to know. If it is 1709 or 1803, there's an interesting link for you: https://www.deskmodder.de/wiki/index.php?title=Automatische_Updates_deaktivieren_oder_auf_manuell_setzen_Windows_10 It's in German, but browsers have translation features.
It says that Microsoft has changed the game for Win10 Home starting with 1709 and has shifted from the update service to usoclient.exe. Maybe an interesting read.

I would never recommend to disable updating unless you have good reasons for it. Having not enough space, is not really a good reason - a good reason would rather be "I don't need updates, since I don't need to be or remain in a supported state and since I don't need security updates anyway as I don't get in touch with dangers the way I use it". Just saying so others don't think "why on earth would he recommend to turn it off".

Share your version, please (I am looking for motivation to use and try with the home edition and see that usoclient magic for myself).

Author

Commented:
McKnife, it is 10.0.16299.371, and I will definitely try out what you suggested. Since this PC doesn't need Internet, I set the DNS address to a bogus number that won't resolve names. I can't pull out the network cable since it has to be on the network. I will see how it goes.

Cliff, very good comments.  Thanks

I will monitor and update this post once I figured out what will for this.
Mike Sun, Senior Systems Engineer (IBM - retired)
CERTIFIED EXPERT

Commented:
So just unplug it from the Internet and bypass all those complex issues and if-buts. As stated at the start, it is just a single-task PC not in want of any changes.
CERTIFIED EXPERT
Distinguished Expert 2019

Commented:
10.0.16299.x is v1709, so it would match.
CERTIFIED EXPERT
Distinguished Expert 2018

Commented:
Just to be clear, as long as the computer is on the network, it is a real risk.  Many many types of malware target vulnerabilities in the system stack itself.  An exploit that Microsoft patches, but that you don't install, can be an easy target from another machine that changing to a bogus DNS entry doesn't fix.

And once infected, there are a fair number of standard malware packages that *don't* use the system's DNS settings to connect to their command-and-control systems.  With services like OpenDNS, or many UTMs that filter DNS, it has increasingly become standard practice for malware to use their own embedded DNS query system to bypass any service-level filters.  So, again, a bogus DNS entry blocks legitimate access, but not malware access.

As long as a network cable is plugged into that device, not being up to date is a big risk.  Not just to you, but to *everyone.*  It is just not an act of good net-citizenship.
CERTIFIED EXPERT
Distinguished Expert 2018

Commented:
And to be clear, a wi-fi connection doesn't bypass my "network cable plugged in" caveat. That'd be a semantic difference at best.
Owen Rubin, Consultant

Commented:
I still stick with my original suggestion a long way back: Use your internet edge router to simply block Microsoft traffic.  Here is the list to block:

  • crl.microsoft.com
  • download.microsoft.com
  • download.windowsupdate.com
  • ntservicepack.microsoft.com
  • office.microsoft.com
  • officeupdate.microsoft.com
  • stats.microsoft.com
  • update.microsoft.com
  • v4.windowsupdate
  • windowsupdate.com
  • windowsupdate.microsoft.com
  • wustat.windows.com

(Anyone know if I missed any?)

I did read an article that also suggested you switch your networking on the device to "metered", which is supposed to stop Microsoft from downloading updates, because the PC assumes you pay a lot to use your network, so it stops downloading updates. I am not sure this will stop the critical updates though. I have not tried this.

Author

Commented:
Cliff, once again, you nailed it. I won't worry about this one being infected; I am 99.9% sure. For the sake of good net-citizenship, I will block this PC from the rest of our network except one VLAN for management access.  By the way, I like the word net-citizenship. It should be in the dictionary from now on.

Author

Commented:
Owen, I didn't know what "metered" meant. Good to know. This PC has metered on, so we will see in the next few days.  Thanks
John, Business Consultant (Owner)
Most Valuable Expert 2012
Expert of the Year 2018

Commented:
You can manage updates:  Metered, Active Hours, Defer. Easy to do this.

But permanently:  No.
Owen Rubin, Consultant

Commented:
Yep. I think that was added for cell networks so you wouldn't get large downloads on a paid network.
Owen Rubin, Consultant

Commented:
John. Does that mean it turns itself off after some time?
John, Business Consultant (Owner)
Most Valuable Expert 2012
Expert of the Year 2018

Commented:
You can hold off, but after some time (even if some months), Updates will turn back on.

Author

Commented:
Update: the DNS trick seems to have worked for this PC; however, the Windows Update service went back to Manual from Disabled. Thanks to all. I believe I will create a VLAN just for those PCs.
CERTIFIED EXPERT
Distinguished Expert 2019

Commented:
By the way: I am testing with 1809 Home. Update service disabled and it does not reset itself to manual no matter what I do. I rebooted and a script started all tasks that there are; no change. Will leave it running while auditing changes to the service config in the registry. Will share results in a month or so. Maybe someone else should do the same in a VM.
Shaun Vermaak, Senior Consultant
CERTIFIED EXPERT
Awarded 2017
Distinguished Expert 2019

Commented:
I can also test if you like
CERTIFIED EXPERT
Distinguished Expert 2019

Commented:
Of course that would be good. Thanks.

Author

Commented:
McKnife, my Windows 10 did change to manual from disabled.  Proof? Not sure how to prove it other than my word.
I changed it when I made the last comment here, and I checked this morning and it has changed back to manual (trigger start).
John, Business Consultant (Owner)
Most Valuable Expert 2012
Expert of the Year 2018

Commented:
You can shut updates off for a while (easy to do with time of day, deferrals, and scheduling). But forever is not doable.
CERTIFIED EXPERT
Distinguished Expert 2019

Commented:
:-)
I can tell you how to make out the culprit. Let me express how glad I am that you have a reproducible state!

1) Please open regedit and navigate to
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv
Right-click it (wuauserv) and select "Permissions", go to "Advanced" and there to "Auditing". Click on "Add", then click on "Select a principal" and type "everyone"; Everyone should now be the selected principal. Next click on "Show advanced permissions" and make it so that the only checked box is "Set Value", and close everything with OK.
2) Open secpol.msc and go to Advanced Audit Policy Configuration -> System Audit Policies -> Object Access -> Audit Registry and set it to "Configure the following audit events: Success".

Now whenever the startup type is changed, there will be an event log entry in the Security event log.
Be so kind as to test that (change the startup type manually after configuring 1) and 2)) and see if an entry gets created.

-> What is this good for? It is done to be able to identify which process makes that unwanted change back to "manual". The process gets recorded in the Security log entry as well.

Please share your findings.

PS: after doing so and finishing the identification, please undo 1) and 2), because those affect performance slightly.

Author

Commented:
McKnife, as I was testing your modification, I noticed that there were other event ID 7040 entries generated in Event Viewer. I started to look further down the event entries. I found 7040 for the Windows Update service without your modifications.  See the attachments.  I disabled it 10/6/18 3PM and it got enabled on 10/6/18 8PM. I wasn't working and nobody was working at the time.  What triggered this? I don't know.
wuservice1.PNG
wuservice2.PNG
CERTIFIED EXPERT
Distinguished Expert 2019

Commented:
Could you simply copy and paste the rest of the event details? You should see a process in there.
Do you use SCCM (i.e. is an SCCM agent installed on that machine)?

Author

Commented:
This is Windows 10 Home (version 1709) OS Build 16299.371. It is not even domain-joined. No, we don't have SCCM. We had one at one time, but I am not using it anymore. I attached the full System log here.
minipc-system-log.evtx
John, Business Consultant (Owner)
Most Valuable Expert 2012
Expert of the Year 2018

Commented:
Home forces you to update at some point.
CERTIFIED EXPERT
Distinguished Expert 2019

Commented:
John, leave that up to us who analyse.
MoonLive, could you follow the steps I gave you? Because what you uploaded is not the security event log and does not help here.
Let's wait for the next time it occurs, then you can upload the security event log.

Author

Commented:
Yes. that is in place. We will see in the next few days.  Thanks
CERTIFIED EXPERT
Distinguished Expert 2019

Commented:
This is already in place? And you did exactly as I described those two steps on windows 10 1709 home?

Author

Commented:
Yes.
CERTIFIED EXPERT
Distinguished Expert 2019

Commented:
Hm, this was a test question… secpol.msc is not available on Windows Home. So how did you fulfill 2)?

Author

Commented:
It is available. Simply type it in.  See picture. BTW, I am not making this up.
minipc-secpol.PNG
CERTIFIED EXPERT
Distinguished Expert 2019

Commented:
So how do you happen to have secpol.msc on your win10 home installation when the rest of the world doesn't have it? Is this some kind of modded installation? Are you sure it is win10 home? This is important.

Author

Commented:
Yes, it is Home edition. All of the mini-PCs that I know of don't come with Pro edition.  See the picture.
minipc-about.PNG
CERTIFIED EXPERT
Distinguished Expert 2019

Commented:
Look, it takes this code:
---
@echo off
pushd "%~dp0"

rem List the Group Policy client packages that ship in the local servicing store
dir /b %SystemRoot%\servicing\Packages\Microsoft-Windows-GroupPolicy-ClientExtensions-Package~3*.mum >List.txt
dir /b %SystemRoot%\servicing\Packages\Microsoft-Windows-GroupPolicy-ClientTools-Package~3*.mum >>List.txt

rem Install each listed package with DISM; this is what makes gpedit.msc/secpol.msc appear on Home
for /f %%i in ('findstr /i . List.txt 2^>nul') do dism /online /norestart /add-package:"%SystemRoot%\servicing\Packages\%%i"
pause
---
If you have used that, fine. But we need to know. Because out of the box, there is no secpol.msc on Windows 10 Home.

What I wanted to test is if we have a "normal" win10 home in front of us - and that test failed. Nothing against you :-)

Author

Commented:
You are right, I used that command once before to enable gpedit. Once I saw that command, I knew I had used it to install the package. It was back in April 2018.
CERTIFIED EXPERT
Distinguished Expert 2019

Commented:
Ah, ok. And now you did a test run to see if the (manual) change to the service's startup type gets logged?

Author

Commented:
System log, yes. Not in the Security log.
CERTIFIED EXPERT
Distinguished Expert 2019

Commented:
Correct! It does not work with a modded installation!
So please use the elevated command line to enable auditing, instead:
auditpol /set /subkey:Registry /success:enable

Afterwards, it will take note of changes. Please verify.

Author

Commented:
It gives an error: "Error 0x00000057 occurred: The parameter is incorrect."

Author

Commented:
auditpol /set /subcategory:Registery /Success:enable ?

above command seems worked. I see security audit show some event.
CERTIFIED EXPERT
Distinguished Expert 2019

Commented:
Fine. Yep, that was a typo. Couldn't copy and paste from that vm, sorry :-)

Author

Commented:
Sure enough, the Windows Update service is enabled back. The event log shows 8PM when the service changed to manual.  I am attaching the Security log. There is a special logon showing up at the same time.
An account was successfully logged on.

Subject:
      Security ID:            SYSTEM
      Account Name:            MINIPC8$
      Account Domain:            WORKGROUP
      Logon ID:            0x3E7

Logon Information:
      Logon Type:            5
      Restricted Admin Mode:      -
      Virtual Account:            No
      Elevated Token:            Yes

Impersonation Level:            Impersonation

New Logon:
      Security ID:            SYSTEM
      Account Name:            SYSTEM
      Account Domain:            NT AUTHORITY
      Logon ID:            0x3E7
      Linked Logon ID:            0x0
      Network Account Name:      -
      Network Account Domain:      -
      Logon GUID:            {00000000-0000-0000-0000-000000000000}

Process Information:
      Process ID:            0x2fc
      Process Name:            C:\Windows\System32\services.exe

Network Information:
      Workstation Name:      -
      Source Network Address:      -
      Source Port:            -

Detailed Authentication Information:
      Logon Process:            Advapi  
      Authentication Package:      Negotiate
      Transited Services:      -
      Package Name (NTLM only):      -
      Key Length:            0

This event is generated when a logon session is created. It is generated on the computer that was accessed.

The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.

The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).

The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.

The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.

The impersonation level field indicates the extent to which a process in the logon session can impersonate.

The authentication information fields provide detailed information about this specific logon request.
      - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
      - Transited services indicate which intermediate services have participated in this logon request.
      - Package name indicates which sub-protocol was used among the NTLM protocols.
      - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
minipc-security-log.evtx
Andrew Leniart, IT Professional | Freelance Journalist
CERTIFIED EXPERT
Author of the Year 2019
Distinguished Expert 2018

Commented:
Sure enough, the Windows Update service is enabled back.
Pardon my lack of surprise :) Blocking the update service (or Microsoft update servers) from being able to access the Internet with firewall rules is the way to go here. Then, regardless of what the update service is set to, it can't connect to the Internet or update servers, so it will assume it's offline.
CERTIFIED EXPERT
Distinguished Expert 2019

Commented:
Sorry, what should I do with that log?
You wrote "Event log shows 8PM when the service changed to manual." But what does the security event log say at 20:07:21 (8:07 PM)?
"The audit log was cleared."

Why did you clear it? Thanks for destroying the evidence... :-|

Author

Commented:
Andrew, that is not working for every PC. I would like to find the root cause so I can control the situation.  I am with McKnife on this.

Author

Commented:
McKnife, the event log was cleared before I made the change; it was around 2:07PM. Is your time set correctly? Mine shows 10/8/2018 8:00:44PM to 8:04:10PM.

Author

Commented:
Let me attach the image of what I see.
evenlog.PNG
CERTIFIED EXPERT
Distinguished Expert 2019

Commented:
So it was time zones, ok...
Well, your event log did not record that change. I asked you to test if the registry auditing works and you replied " I see security audit show some event." Well, the event it should be showing would look like this:
Capture1.PNG
Andrew Leniart, IT Professional | Freelance Journalist
CERTIFIED EXPERT
Author of the Year 2019
Distinguished Expert 2018

Commented:
I would like to find a root of the cause so I can control the situation.  I am with McKnife on this.
Ah ok. If that's the purpose of this exercise then I'm with you both 100% and will be highly interested to find out exactly what causes it to revert to manual from disabled myself. I suspect it will be another service that changes the setting, but have never gone through an exercise like this to confirm, always opting for denying online access to the wua service via firewall rules instead.

I recall participating in another similar question here on Experts Exchange some time back (sorry, can't find the link right now but will post again when I do if you want) and another idea I had at the time was to create a batch file that runs in the background every few minutes, that checks if the Windows Update service was enabled again and if so, disables it with the batch file. If not, just end the batch file until the next scheduled run. Not being a coder myself, I couldn't offer a working script example, but I'm almost certain it should be possible to do and shouldn't affect performance to any noticeable degree.

Will keep monitoring this question. Interesting exercise.

Author

Commented:
I didn't know what I was looking for. What went wrong? Is command possibly not the right one?
CERTIFIED EXPERT
Distinguished Expert 2019

Commented:
"Is command possibly not the right one?"
auditpol /set /subcategory:Registry /Success:enable

is the right command and I confirmed it to work on win10 home.
CERTIFIED EXPERT
Distinguished Expert 2019

Commented:
Another thing: could you please dump all scheduled tasks to a file for me?
On an elevated PowerShell prompt, launch
get-scheduledtask | Get-ScheduledTaskInfo | select taskname, lastRunTime | sort -property lastruntime | out-file c:\somefolder\tasks.txt

then upload c:\somefolder\tasks.txt

Author

Commented:
I was looking at the tasks as well, and there is one running at 3AM. I attached the file.
tasks.txt
CERTIFIED EXPERT
Distinguished Expert 2019

Commented:
Gotcha!
"PerformRemediation                                                             10/8/2018 8:00:00 PM"
And what is behind that task? See the description:
"Helps recover update-related services to the supported configuration."
Executor: system.

Funny thing is: if I disable Windows Update on my machine (Win10 Pro) and run that task manually, it does not reset the startup type. But it seems to do it for you on 10 Home. Will retry on a Home VM tonight.

Author

Commented:
You did such a good job, but I can't locate this schedule. Is there a hidden task? PerformRemediation can't be found.

Author

Commented:
I found it. It is under WaaSMedic. I also found an article about this.
http://binarytome.com/how-to-completely-disable-windows-update-fall-creators-update-1709/

I re-enabled my DNS setting so it can reach the Internet again, and will see if that resolves the issue of updating Windows. Thanks to all! Especially McKnife! I will keep updating this here.
CERTIFIED EXPERT
Distinguished Expert 2019

Commented:
Right. To locate a task next time, simply go
Get-ScheduledTask | sls taskname
get-scheduledtask | sls PerformRemediation
gives you the path:
MSFT_ScheduledTask (TaskName = "PerformRemediation", TaskPath = "\Microsoft\Windows\WaaSMedic\")

So to bring this to an end: on my 1809 Home system, that task was disabled. I didn't, no. It was disabled for whatever reason. So when I started all tasks by script, I did not pay attention to all error messages (why should I). The error was: this task could not run because it is disabled.
Only the system account may enable it. I did. Then I started it and *tada* the service wuauserv came back to life.

So go figure…
1 why would that task be disabled for 1809 home but not for you on 1709 home?
2 why would it be enabled but without effect on win10 1803 enterprise (my office machine)?

That's still open. I could install 1709, I think I'll do that now.

Fact is: if that task is disabled, wuauserv will not be re-enabled. Whoever doubts that should show and present "the guards guarding the guards of wuauserv".
Andrew LeniartIT Professional | Freelance Journalist
CERTIFIED EXPERT
Author of the Year 2019
Distinguished Expert 2018

Commented:
Fact is: if that task is disabled, wuauserv will not be re-enabled. Whoever doubts that should show and present "the guards guarding the guards of wuauserv".
Great find. For the sake of completeness, what's the command one would need to run in order to disable that (PerformRemediation) task?

This question has now earned a spot in my personal knowledge base!

An excellent process of elimination and so much for the notion that it's not possible to disable Windows 10 updates. Very well done McKnife.
CERTIFIED EXPERT
Distinguished Expert 2019

Commented:
psexec -i -d -s schtasks /change /tn "microsoft\windows\WaaSMedic\PerformRemediation" /disable
That's from the author's own link and it's correct. To be performed on an elevated command prompt with a downloaded psexec.

note: I am not recommending this :-)
CERTIFIED EXPERT
Distinguished Expert 2019

Commented:
This is so funny...
I installed 1709 Home clean to a VM.
Set the startup type of wuauserv to disabled and stopped the service.
Opened task scheduler as system account - the task "PerformRemediation" is enabled!
But: starting it (after setting it to allow demand-start), does exactly nothing to the state of the update service. It stays disabled.

Go figure :-)

Author

Commented:
Thanks, McKnife, I checked this morning and the Windows Update service is not changed to manual!
CERTIFIED EXPERT
Distinguished Expert 2018

Commented:
For months, there were people who insisted that disabling the service was good enough and worked and would never get re-enabled. And those of us who saw otherwise were openly criticized. I, for one, never felt motivated to find out WHY this happens. So props to the persevering few who found the task (and finally vindicated those of us who found this to be true.)

But I'd be cautious about proclaiming that THIS is now the final fix. The final fix WAS "disable the service" right up until it wasn't.

Short version is I found this information interesting and valuable from an academic standpoint, but I'd be cautious about proclaiming it as a real solution in production. Supported? No. Unintended consequences of disabling a recurring task? Possibly, probably. What other healthy maintenance routines does it do that now will not be done? Who knows. Undocumented.

Tread cautiously.
CERTIFIED EXPERT
Distinguished Expert 2019

Commented:
Hm.

As for "finally vindicate those of us that found this to be true" - that's the funny part: both parties were right. Disabling the service was good enough for me wherever I decided or was told to use it, from Windows 2000 until Win10 1809 (I used any and all versions in between regularly) - no matter where I did it and for how long. It never re-enabled. I had opened a thread here about services in general and no one was ever interested in presenting proof (done by auditing) that system services re-enable at will. User MASQ tested with several VMs for 30 days or so (he disabled the update service) - it never came back.

But after we had the author here who had this recurring, finally reproducible, it was not hard to find out.
Now for the part why in my opinion both were right (or wrong, as anyone may decide for himself): that maintenance task simply does not work under most conditions. As you could see, I analyzed this with clean VMs. To repeat it:

1709 Home: Task active but dysfunctional
1809 Pro: Task active, dysfunctional as well.
1803 Enterprise: Task enabled, dysfunctional
1809 Home: Task functional, but disabled by default…
Where's the logic? And for the author here, it seems the task on his machine worked differently:
1709 Home: active AND functional.

There is no logic to this. So I don't feel that having faith in "just disable the service, it will never come back" back then was a statement without reason behind it (no, I don't take your comment to imply that, don't worry).

But it feels good to finally find what's behind that claim that it reactivates and I feel relief.

I strongly agree with "What other healthy maintenance routines does it do that now will not be done? Who knows", because it's indeed a task with a custom action that we cannot look into. Export the task, have a look at the action and investigate. Let's see who finds out what's behind it. Whatever you find out, you have left the supported path way before, so that should be clear.

Also, I would be sure this task is what's behind reactivation and don't see why there should be another thing behind it, but we'll see, the author will keep us posted, I hope.
Andrew LeniartIT Professional | Freelance Journalist
CERTIFIED EXPERT
Author of the Year 2019
Distinguished Expert 2018

Commented:
@Cliff,
And those of us who saw otherwise were openly criticized
Totally agree with that sentiment.
The final fix WAS  "disable the service" right up until it wasn't.
Here I'd have to disagree.

If the question was "How could I temporarily disable Windows Updates" then your thinking makes sense.

To a question like "Disable Windows Update forever.." such as asked here, then simply disabling the Windows update service does not apply and is only half an answer. A more complete answer would be to block the WUA service from online access, or block Windows being able to access Microsoft Update servers at all and not even bother with disabling the service. In either case, problem solved :)

Supported? No
Neither is intentionally blocking an update service from doing what it's designed to do. No solution which could be offered will be "supported", so that doesn't really enter into the equation to my mind.

No. Unintended consequences of disabling a recurring task? Possibly, probably. What other healthy maintenance routines does it do that now will not be done? Who knows. Undocumented.
Yep, that's why such advice should always be given with a disclaimer, such as the one McKnife gave in a recent comment.
note: I am not recommending this
Any unsupported way to block Windows from updating is unlikely to ever be documented by Microsoft and can be fraught with dangers. Even using a third party tool to block updates can also be a dangerous thing to do for obvious reasons.

What I personally found so satisfying about following this thread though, is that as you yourself mentioned, it proves once and for all to all of the naysayers out there that a claim of "It can't be done!" is totally wrong. Seeing experts make comments like that ever since the release of Windows 10 has been a source of frustration for me for a long time now.

What has been proven here is that (at least with current Windows versions) it can so be done, without the need of any third party tools. For that reason alone, the revelations made in this question deserve a spot in some type of Hall of Fame imo ;)

An excellent example of a process of elimination detective type exercise that fully supports a statement that I recently made in an interview here:

"Just because you can't solve something doesn't mean it can't be solved."

Tread cautiously.
Indeed. Good advice.

Regards, Andrew

Author

Commented:
After all this, Windows Update Service came back to Manual from Disabled.  When I checked the PerformRemediation schedule, this schedule also showed "Ready". Moreover, I can't disable this schedule regardless of the command I ran yesterday.  It is asking for the System account password.
psexec -i -d -s schtasks /change /tn "microsoft\windows\WaaSMedic\PerformRemediation" /disable

I am sure the schedule was disabled at the time when I ran the first time.

So it becomes a question of how to get this PerformRemediation task disabled?
CERTIFIED EXPERT
Distinguished Expert 2019

Commented:
LOL! This is wonderful.
Will look at it, although I doubt I can reproduce it.

The fake WSUS idea seems better for you. Set a fake WSUS address and disallow internet updates at the same time. To do so, look up the corresponding registry values inside the GPO reference Excel sheet. I could help you if you need more help with it.

Author

Commented:
So I found an article regarding WaaSMedic.
https://answers.microsoft.com/en-us/windows/forum/windows_10-security/what-is-this-waasmedic-and-why-it-required-to/e5e55a95-d5bb-4bf4-a7ce-4783df371de4?page=2

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WaaSAssessment
DISABLEASSESSMENT set to 1 (0 was the default).

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WaasMedic
TaskDisableMaker set to 1 (0 was the default).

Those registry keys have many interesting values for updates. This may be the one that handles Windows Update.

I don't know what this will do, but I would like to see what happens tomorrow morning.
Shaun VermaakSenior Consultant
CERTIFIED EXPERT
Awarded 2017
Distinguished Expert 2019

Commented:
So it becomes a question of how to get this PerformRemediation task disabled?
If you remove rights as per my previous comment, it won't be able to change the status.
CERTIFIED EXPERT
Distinguished Expert 2019

Commented:
"Moreover, I can't disable this schedule regardless of the command I ran yesterday.  It is asking for the System account password." - where does it ask? Not reproducible here, can switch it from enabled to disabled back and forth (on an elevated command prompt).

Luckily, there is a log for task changes. Look at eventvwr - application and services logs - Microsoft-Windows-TaskScheduler_Operational. Was it really left in the disabled state? And what happened after that (according to the logs)?
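A read-only check that gathers the three things this thread has been comparing by hand (the wuauserv startup type, the PerformRemediation task located the way McKnife showed with Get-ScheduledTask, and the Task Scheduler operational log entries that mention it, alongside system-start events so a re-enable can be matched against a reboot or the 8 PM run). This is an added example, not code from any participant; it assumes an elevated PowerShell session on Windows 10, and the log name is the Get-WinEvent spelling of the "TaskScheduler - Operational" log referred to above.

```powershell
# Added example: audit the Windows Update pieces discussed in this thread.
# Run from an elevated PowerShell prompt. Read-only: it changes nothing.

$TaskName = 'PerformRemediation'
$TaskPath = '\Microsoft\Windows\WaaSMedic\'

# 1. Startup type and current state of the Windows Update service (wuauserv)
$svc = Get-Service -Name wuauserv
"wuauserv: Status={0} StartType={1}" -f $svc.Status, $svc.StartType

# 2. The WaaSMedic task that re-enables it; -ErrorAction keeps going if it was deleted
$task = Get-ScheduledTask -TaskName $TaskName -TaskPath $TaskPath -ErrorAction SilentlyContinue
if ($null -eq $task) {
    "Task $TaskPath$TaskName not found (deleted, or not present on this build)."
} else {
    $info = $task | Get-ScheduledTaskInfo
    "Task {0}{1}: State={2} LastRun={3} LastResult={4} NextRun={5}" -f `
        $task.TaskPath, $task.TaskName, $task.State, $info.LastRunTime,
        $info.LastTaskResult, $info.NextRunTime
    # The action is a custom handler rather than a command line, which is why
    # exporting the task shows a class id instead of an executable to inspect.
    $task.Actions | Format-List *
}

# 3. Task Scheduler operational log entries mentioning the task, last 14 days.
#    Event IDs are left unfiltered on purpose: the Message text carries the
#    "enabled"/"disabled"/"updated" wording used in this thread to spot a re-enable.
#    If nothing comes back at all, the log may be disabled in Event Viewer ("Enable Log").
$since = (Get-Date).AddDays(-14)
Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-TaskScheduler/Operational'
    StartTime = $since
} -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match $TaskName } |
    Select-Object TimeCreated, Id, @{n='Summary'; e={ ($_.Message -split "`r?`n")[0] }} |
    Format-Table -AutoSize

# 4. System starts in the same window (System log, ID 6005 = event log service started),
#    to correlate with the task timestamps above.
Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 6005; StartTime = $since } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, @{n='Event'; e={ 'System start (event log service started)' }} |
    Format-Table -AutoSize
```

Run it once before and once after the task's scheduled time and compare the two outputs; a change in StartType with no matching operational-log entry points at something other than this task.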

Author

Commented:
When I ran the command with elevated privilege, it didn't give me any error, and Task Scheduler showed that the status was disabled. At least, I remember that it showed "Disabled."  This morning I also ran the same command, which doesn't give me an error, but Task Scheduler doesn't change to Disabled.  The permission dialog pops up when I try to disable the PerformRemediation schedule from the GUI.  It seems it requires System authentication to disable.

The Task Scheduler log shows that PerformRemediation started at 8PM and completed at 8:00:05.  At that time the Windows Update Service was changed to manual.

Author

Commented:
Yes, it showed that it was disabled.  See the attachment.
PerformRemediation---Disabled.PNG
CERTIFIED EXPERT
Distinguished Expert 2019

Commented:
That was the 9th of October. And later?

Author

Commented:
Another one was shown for today at 9:22 AM, but 10/10/18 doesn't have an indication of disabled; it is updated, see the picture.
BTW, the schedule showed it is disabled now.
sched-disabled.PNG
PerformRemediation---updated.PNG
CERTIFIED EXPERT
Distinguished Expert 2019

Commented:
Ok, that log entry is expected when a task is enabled. So at 10:10:28 AM yesterday it was re-enabled. Not by you?

Author

Commented:
No, certainly not. But the funny thing is that the log shows that it was disabled on the 9th but enabled on the 10th. I didn't run the command on the 9th. Am I missing something?  As of now, the schedule is showing Disabled for sure, the registry key is changed as above and the WUS service is disabled.  We will see tomorrow.

Author

Commented:
Everything seems to stay as it was yesterday.  The PerformRemediation schedule is disabled and the Windows Update Service is disabled.  No log shows any enable or disable of the task.  I will keep an eye on it for the next few days.

Author

Commented:
I am happy to report that WUS and PerformRemediation are still disabled. This may be the way to disable WUS when I need to.  Thanks to all of you!
CERTIFIED EXPERT
Distinguished Expert 2019

Commented:
So you possibly enabled the task yourself during testing and left it that way. Is that what you think was happening?

Author

Commented:
I think so.  But I am wondering if the registry entries did something. I am going to test modifying the registry back to the way it was and see.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WaaSAssessment
DISABLEASSESSMENT set to 0 (0 was the default).

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WaasMedic
TaskDisableMaker set to 0 (0 was the default).

and leave WUS and PerformRemediation disabled.  I will let you know in the next few days.
CERTIFIED EXPERT
Distinguished Expert 2019

Commented:
Your registry editing - why do you even do it? You read it somewhere and now you mix it with suggestions here while giving feedback on those.
You need to share what you did and why.

Author

Commented:
So even with the command we ran to disable PerformRemediation, it is not working.  This morning, WUS was changed back to manual and it was running (see attachment). And PerformRemediation on the schedule changed to Ready.  Last time I changed the registry key and ran the command at the same time, but this time I only changed the registry key to 1 as in the previous comment.
wus-manual-running.PNG
PerformRemediation---Ready.PNG
Shaun VermaakSenior Consultant
CERTIFIED EXPERT
Awarded 2017
Distinguished Expert 2019

Commented:
Have you removed permissions on Registry as per my suggestion? Guess not. Anyway, good luck

Author

Commented:
Shaun, what registry was it? I was looking at your comment but I don't see the registry you mentioned.  Service permission? I wasn't able to change the permission. It won't let me.
CERTIFIED EXPERT
Distinguished Expert 2019

Commented:
And when did the status of the task change and re-enable itself? Is that the same time of day, or is it right after a restart, or...? Look it up in the logs, please.

Author

Commented:
No, PerformRemediation showed that it started at 8PM on 10/15 and didn't report anything else. This morning the status of WUS and the PerformRemediation task schedule remain disabled. As of now, I can conclude that the keys below make a difference.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WaaSAssessment
DISABLEASSESSMENT set to 1

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WaasMedic
TaskDisableMaker set to 1

I made the computer restart every time when I changed the key.

I am going to test out on another machine if I get a time today, and I will update on here.
CERTIFIED EXPERT
Distinguished Expert 2019

Commented:
Maybe it is hard to sort things, but what I asked for was the event log entries. Did the event log show that the task was re-enabled? If so, when did that happen and what else happened at that very time (system reboot, or maybe was it the same time as the last time it was re-enabled)?

Can you follow?

Author

Commented:
Sorry, it took a while to get this.  McKnife, it is not re-enabled by itself, at least it doesn't show it was re-enabled.  The computer does not seem to re-enable the WUS and PerformRemediation schedule.  It seems that WUS stays disabled.

Fix? The registry keys and the command "psexec -i -d -s schtasks /change /tn "Microsoft\Windows\WaaSMedic\PerformRemediation" /disable", then disable the WUS service and restart the computer.  That seems to have disabled the WUS service.

Tested PC is 1709 Home.

Author

Commented:
I just want to report here that WUS can be disabled. I tested Windows 10 Ent. Microsoft Windows [Version 10.0.16299.192].
With the same command and registry key, I can delete the PerformRemediation schedule.  So far, WUS is not changing back to manual. I also tested that I can run WUS manually once I change the WUS service to manual.  Now, I can create a simple batch file to run this job as an on/off switch. Now, I can control the update! Thanks to all of you who contributed here.
CERTIFIED EXPERT
Distinguished Expert 2019

Commented:
You should draw a conclusion and include in it whether your registry editing was even needed.

Author

Commented:
Yes, registry editing is needed. Without that line, the schedule comes back.