LICOMPGUY

Disable automatic updates Windows 10, third party tools?

Hi all

After Microsoft's reoccurring problems with their automatic updates, I was wondering if anyone has stumbled across any means to disable automatic updates, whether it be a third party tool - free would be nice.  Microsoft has not done a great job and we need to do what we can UNLESS there are zero-day exploits to delay updates for a set period of time, in a controlled manner not how it is currently being done.

Anyone?  Business owners have had enough, and I just haven't come across anything solid.
I think it is time to look at WSUS if I can delay UNTIL systems are tested, i.e. a key system that represents a build of each department.  Do we have that kind of control with WSUS?

What about the small companies - 3-8 Win10, P2P no server OS.

Thanks so much guys!
Be well.
Bembi

WSUS is the common choice to control all Microsoft updates. In combination with a few group policies, you can also limit the way they are provided and whether the user is able to work around them.
If you do not have a central server for WSUS and/or a domain controller for the connected policies, the only option is to set the settings on each single machine. The policy does exactly the same, but centralized for all connected computers.

A first protection is to advise Windows not to install them automatically. This gives at least some time to inform a few users not to install them. Switching off is also not the best solution because you even have to enable it back manually.
But even this mechanism doesn't really work for Click and Run applications (i.e. Office 2019), as they don't use WSUS / Windows Update. This additionally has to be set for the Office applications.
LICOMPGUY

ASKER

Hey Bembi
How are you? Do you know what specific policy settings would work to prevent them, when WSUS is not an option?
I imagine home edition such as MS Surfaces - you have no control.

Does WSUS allow you to delay UNTIL you decide when to deploy?  I def will get reacquainted with it.

Thanks for your help

WSUS is more or less only something like a proxy. So the clients do not fetch the updates from Windows Update but from WSUS, and inside WSUS you can approve the updates, and no client sees a non-approved update.

The settings for the clients, even the fact that the clients should use WSUS, are all applied by group policies. You will find them under Computer - Administrative Template - Windows Components - Windows updates.

You can also set the settings on each local machine, using the mmc you can add the snap in "Group Policy Object Editor" and if you open it, you can select the local policy.
The local policy you can edit and set the same settings you would usually set via GPO.

As most of the policies are just registry keys, you can use one computer as a template, set the settings as you like and export the relevant part of the registry to a file. This reg file you can apply directly on all other machines.
At least this way, you can limit them down.

A.) Policies are usually written to
HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate

B.) The Microsoft default settings you find under
HKLM\Software\Microsoft\Windows\CurrentVersion\WindowsUpdate

If policies are present, the default machine settings are overwritten.
Policies are easier to handle as you have a GUI to set them. The default settings are partly encoded, and there are a lot of additional settings. Also, Windows has hard-coded defaults, so they do not necessarily need to be written to the registry.

One example.
You find in the path B.) the value AUOptions there, which is set to 4 and means automatic install.
To overwrite it, you can place under
HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\AU
AUOptions Reg_DWORD = 3
This overwrites the default with "offer, but do not install"


ASKER CERTIFIED SOLUTION
Andrew Leniart
Also found this tool that claims it provides you with total control.

https://www.winupdatestop.com/ 


Disable Windows 10 Updates
This application allows you to manually disable or enable automatic Windows Updates.
Sometimes you may want to stop Windows Updates so you can choose when to download and install new Windows Updates. As you know, Windows Updates are very important but they are also known to occasionally create some incompatibilities or problems with the Operating System and the applications installed. Use this utility to block Windows Updates and re-enable them when you desire.

Stop Windows Updates

Gain control of automatic Windows Updates and decide when your Operating System should be updated. With this program you can permanently stop Windows Updates with ease. Our tool keeps Windows Updates disabled until you re-enable them.

Hope that's helpful.

Regards, Andrew
@Andrew
As the question came up several times in the past days, maybe you just take your comment and create an EE-article out of this.

@LICOMPGUY 
Andrew took the time and collected it together.
I guess the way is to use one computer as a template, set it up manually as needed and then export the parts from the registry (policy hive) to apply it on several machines in the same way.
I would assume, that the OS GUI writes the values directly while the policy editor writes into the policy hive.
For other clients I would take the policy hive (as you can take it as it is, and you even can delete it later) and leave the original values as they are.
Only values, which you cannot catch via the policy editor you may write directly. 
@Bembi

As the question came up several times in the past days, maybe you just take your comment and create an EE-article out of this.

It's been on my list for a while actually. I just need to personally verify the suggested solutions are as reliable as they claim before writing an article about it myself. I won't put my name to any article unless I've personally tested any solution or suggestion I'm writing about. Not enough hours in the days lol.  Thanks for the suggestion though.

Regards, Andrew
Bembi

Are you saying under windowsupdate/auto update - do I create a key or?
"One example.
You find in the path B.) the value AUOptions there, which is set to 4 and means automatic install.
To overwrite it, you can place under
HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\AU
AUOptions Reg_DWORD = 3
This overwrites the default with "offer, but do not install"

Andrew - going through what you sent me step by step to see if I missed anything. I have tried this in the past from that article and it did not work so I am thinking it was me!  Just didn't have a chance to breathe to test it, BUT IT IS TOOOO important not to.

Thank you for the info




Here is a list with all Windows Update related values.
https://docs.microsoft.com/de-de/security-updates/WindowsUpdateServices/18127499

AUOptions controls how the client handles Windows updates.
NoAutoUpdate switches Windows Update on or off.
So if NoAutoUpdate = 0 then AUOptions doesn't play a role.

Hey Bembi!

I went through the manual process of

Option I
I didn't do this - is this better?
"HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\AU
AUOptions Reg_DWORD = 3
This overwrites the default with "offer, but do not install"

Option II
I went with this - but my question is, why would some computers already have this entry - because of the GPO settings?
HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\AU\NoAutoUpdate dword set to 1?

So have you found this to work every time? What's the diff pros/cons of Option 1 vs 2?  Are they both pretty solid - then it allows the admin to gain control again and do manual or WSUS (where they have a server).

Thanks SOOO VERY MUCH

Licompguy

Hey Bembi

What would be the easiest/safest way to export this and then import it to all other win10 machines.
I could be wrong but some may or may not have the windowsupdate/au keys already.
Secondly - on some computers I see under AU I see several Reg_DWORD entries and I wouldn't want to touch them.

Does it work like  this - if you export AU - and WindowsUpdate does not exist it will create it?
Secondly - if AU does in fact exist and there are other DWORDS/values, would it only add the one specific "NoAutoUpdate"=dword:00000001?

Thanks again!!!!
NoAutoUpdate = 0 is the Windows default.
If you do not see it, you can add it....
Setting it to 1 means Windows Update is switched off.
You do not get any info, message or whatever.

AUOptions
works if NoAutoUpdate = 0
This is the control for how Windows acts...
2 = inform, 3 = download + inform, 4 = download + install

A.) If you leave it enabled and AUOptions = 3, the user is informed, but updates are installed if the user decides to install them. With a little bit of explanation that users should not install on the first day, but possibly 3-4 days later, it is fine, as long as they follow your advice.
B.) If the users do not follow your advice, then the safer option is to switch it off, and when you want to install updates, you have to switch it on again. AUOptions can stay at 3. If you are ready you switch it off.

Option A is the zero administration solution. But it needs the patience of the users.
Option B is the absolutely safe option for users, but much more work for the administrator, as you have to enable, sync, download, install, disable, and you have to stay beside the devices to trigger all actions. So you need about an hour for each computer.

If you have set up a template PC with the settings you need, you can export the folder to a reg file. The reg file is just a text file with all options of the exported folder. To limit it to your settings, delete everything that is not needed and save the file. On another machine just double-click...
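
For the export/import question discussed above, an added PowerShell example (not part of the thread and not written by any of the posters): it writes one value under the AU policy key, creating the key only when it is missing and leaving any other values there alone, then reports the resulting state using the value meanings given in the thread. The function names `Set-AuPolicyValue` and `Get-AuPolicyState` are hypothetical.

```powershell
# Added example; Set-AuPolicyValue and Get-AuPolicyState are hypothetical helper names.
# Run in an elevated session: writing under HKLM\Software\Policies needs admin rights.
$AuKey = 'HKLM:\Software\Policies\Microsoft\Windows\WindowsUpdate\AU'

function Set-AuPolicyValue {
    param(
        [Parameter(Mandatory)][ValidateSet('AUOptions', 'NoAutoUpdate')][string]$Name,
        [Parameter(Mandatory)][int]$Value
    )
    # Create the key (and missing parents) only when absent, so an existing
    # AU key and the other values under it are never re-created.
    if (-not (Test-Path -Path $AuKey)) {
        New-Item -Path $AuKey -Force | Out-Null
    }
    # -Force overwrites this one value if present; sibling values stay untouched.
    New-ItemProperty -Path $AuKey -Name $Name -Value $Value -PropertyType DWord -Force | Out-Null
}

function Get-AuPolicyState {
    # Meanings as given in the thread.
    $meaning = @{ 2 = 'inform'; 3 = 'download + inform'; 4 = 'download + install' }
    $p = Get-ItemProperty -Path $AuKey -ErrorAction SilentlyContinue

    if ($null -eq $p) {
        $state = 'no AU policy values set: Windows defaults apply'
    }
    elseif ($p.NoAutoUpdate -eq 1) {
        $state = 'Windows Update switched off (NoAutoUpdate = 1)'
    }
    elseif ($null -ne $p.AUOptions -and $meaning.ContainsKey([int]$p.AUOptions)) {
        $state = $meaning[[int]$p.AUOptions]
    }
    else {
        $state = 'AU key present, AUOptions not set to 2, 3 or 4'
    }

    [pscustomobject]@{
        Computer     = $env:COMPUTERNAME
        NoAutoUpdate = $p.NoAutoUpdate
        AUOptions    = $p.AUOptions
        State        = $state
    }
}

# Option A from the thread: keep updates enabled, download and inform only.
Set-AuPolicyValue -Name AUOptions -Value 3
# Option B from the thread would be: Set-AuPolicyValue -Name NoAutoUpdate -Value 1
Get-AuPolicyState
```

A .reg file trimmed to the same single value merges in the same way on import: missing keys are created and values not named in the file are left as they are.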