Blocking Windows Update

Saaglem

Active Member
After all that I have done, this morning on switch-on I got the store access icon on my desktop.....meaning crap is still coming in. I have reached the end of my knowledge regarding blocking Windows Update and have reached out for a corruption trick. It's an old trick but it works. Even the Anti-Virus packages have hidden features to allow Windows background updates. Soooo. I have corrupted the wuaueng.dll file with its proxy stub file to not accept updates. Added a schedule to replace the dll at intervals in case it gets replaced, and blocked the crap out of Windows and almost all of the ports; in the firewall I now have only ports 80 and 8080. Nearly broke my foot off in Windows' ass. Now it is starting to purr like the V12 I know and remember. Will see what new curveball I'm gonna get after I throw this box of spanners at it. After that.....I'm using the cutting torch to loosen it up.
 
Last edited:
A couple of years ago you had a HOSTS file that you could edit to point the host domain in a certain DNS direction. Well, MS has changed the gameplay by adding the editable HOSTS file into a non-editable DLL file, for security reasons.
 
I've included the firewall file and the security file in the Group Policy, and it loads on startup and shutdown. I have already converted them to PowerShell, so if you want to use them, feel free to do so.

PLEASE NOTE that they run automatically on startup and shutdown, so any changes you want to make need to be done and saved in PowerShell. They are located at c:\windows\system32\GroupPolicy. Look in User and Machine; in each is a script folder with startup, logon, logoff, etc.

Now you don't have to set up a scheduler for them. The NIC or network takes a little bit longer, maybe 5 seconds, to validate, but it works really good.

IF YOU DO NOT GET NET AND THERE IS A YELLOW FLAG OVER THE NETWORK AT THE BOTTOM, GO TO WINDOWS FIREWALL IN THE CONTROL PANEL AND LOAD DEFAULT FIREWALL SETTINGS, THEN RESTART. IT WILL LOAD IT AGAIN ON SHUTDOWN. I have found it locks up on first use. After restart you should be OK.

This supersedes all other files I have already posted. I have removed the other ones.

The following rules are active; you can block ALL inbound. You can remove the Homegroups as well. If you remove more in outbound, it gives a TCP-IP timeout and disconnects the NIC. If you continuously ping a site then it stays enabled.

Outbound Allow
Core Networking - DNS (UDP-Out) - NOT Needed for IPv6, But needed for IPv4 if you do not put IP in nic
Core Networking - IPHTTPS (TCP-Out) - Needed for browsing
Core Networking - Ipv6 (IPv6-Out) - Needed if you use IPv6
Homegroup Out - Not needed
Homegroup Out (PNRP) - Not needed
mDNS (UDP-Out) - Needed for IPv4 and Browsing, if using IPv6 then it is not needed

Inbound Allow
Homegroup Out - Needed for sharing
Homegroup Out (PNRP) - Needed for sharing

Everything not listed above gets blocked.

THIS IS INTENDED FOR A FRESH INSTALL, but can be used on others as well. Everything installed after this will automatically create a rule in the Firewall. On used systems you have to manually add what you use in the Firewall.

This Group Policy has been tested with:
Windows 10 Home x64 (Yes you can enable GPE in Home) - (Windows update CANNOT be forced to stop)
Windows 10 Pro x64 - (Windows update CANNOT be forced to stop)
Windows 10 EDU x64 - (Windows update CANNOT be forced to stop)
Windows Enterprise x64 - (Windows update CANNOT be forced to stop)
Windows Enterprise LTSB x64 2016 (1607) - (Windows update can be forced to stop)
Windows Enterprise LTSC x64 2019 (1809) - (Windows update can be forced to stop)

NOTE: It is NOT necessary to enable file and print sharing. Set your network to private and ONLY ALLOW private options, don't do Domain and Public.

One snag I picked up so far is that you have to use a predefined IP to connect to your router, i.e. 192.168.1.20, etc. If not, some internet functions are not going to work. It will use the DNS of the router to connect to the net. DNS is still needed to pass through the Firewall.

I didn't say it is perfect. Will change stuff as I go along.

UPDATE AREA: 07-03-2019
Updated the Group Policy file with new firewall reg file.
DNS is NOT needed if you use IPv4 and add an IP address predefined for the router into your NIC; the router will do the DNS requests and your firewall blocks it.
Fixed the linked shared issue.

The added pic shows the only Firewall rules needed.
 

Attachments

  • GroupPolicy.rar (41.9 KB)
  • Needed Firewall settings.jpg (167.9 KB)
Last edited:
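A way to check that a machine still matches the rule list in the post above, given its remark that software installed later creates its own firewall rules. This is an added example, not part of the thread or of the posted GroupPolicy.rar; the rule names are taken from the post, while the function names and the sample objects are hypothetical and constructed for illustration.

```powershell
# Added example, not from the thread. Rule display names are copied from the post;
# function names and sample objects below are hypothetical/constructed.
$AllowedOutbound = @(
    'Core Networking - DNS (UDP-Out)',
    'Core Networking - IPHTTPS (TCP-Out)',
    'Core Networking - IPv6 (IPv6-Out)',
    'mDNS (UDP-Out)'
)

function Get-UnexpectedAllowRule {
    # Returns enabled outbound Allow rules whose DisplayName is not on the allowlist.
    param(
        [Parameter(Mandatory)] [object[]] $Rules,
        [Parameter(Mandatory)] [string[]] $AllowList
    )
    $Rules | Where-Object {
        "$($_.Enabled)"   -eq 'True'     -and
        "$($_.Direction)" -eq 'Outbound' -and
        "$($_.Action)"    -eq 'Allow'    -and
        $AllowList -notcontains $_.DisplayName   # -notcontains ignores case
    }
}

function Get-OpenOutboundProfile {
    # "Everything not listed gets blocked" only holds if the profile default is Block.
    param([Parameter(Mandatory)] [object[]] $Profiles)
    $Profiles | Where-Object { "$($_.DefaultOutboundAction)" -ne 'Block' }
}

# Constructed sample data so both checks can be tried offline.
$sampleRules = @(
    [pscustomobject]@{ DisplayName = 'Core Networking - DNS (UDP-Out)'; Direction = 'Outbound'; Action = 'Allow'; Enabled = 'True' }
    [pscustomobject]@{ DisplayName = 'Example Updater (TCP-Out)';       Direction = 'Outbound'; Action = 'Allow'; Enabled = 'True' }
    [pscustomobject]@{ DisplayName = 'Example Disabled Rule';           Direction = 'Outbound'; Action = 'Allow'; Enabled = 'False' }
)
$sampleProfiles = @(
    [pscustomobject]@{ Name = 'Private'; DefaultOutboundAction = 'Block' }
    [pscustomobject]@{ Name = 'Public';  DefaultOutboundAction = 'Allow' }
)
Get-UnexpectedAllowRule -Rules $sampleRules -AllowList $AllowedOutbound | Select-Object DisplayName
Get-OpenOutboundProfile -Profiles $sampleProfiles | Select-Object Name, DefaultOutboundAction

# On a live system, from an elevated prompt (ActiveStore includes Group Policy rules):
# Get-UnexpectedAllowRule -Rules (Get-NetFirewallRule -PolicyStore ActiveStore) -AllowList $AllowedOutbound
# Get-OpenOutboundProfile -Profiles (Get-NetFirewallProfile -PolicyStore ActiveStore)
```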
Good....but I was referring to a loaded machine. But thank you very much, I would have never thought of that. You're a star, Clanger.
 
So far so good....firewall is holding. Anti-Virus is also helping.....not so much activity on it anymore.
 

Attachments

  • Services on the net.jpg (105.2 KB)
$OEM$ is a great way to do things, I'm trying to use it a lot more.
Unless I buy a new laptop I won't be using W10 for online work for the foreseeable.
Shame your work isn't in batch/cmd files for people who remove power smell, I don't use it as it's too effin complicated.
 
Last edited:
Hi Clanger....I included this for you. But the Group Policy I have not done yet.....still trying to figure out how to put the whole GP in batch. You can use these in the GP and just replace the PowerShell files with them.
 
Aww thanks bub :). I still have 1607, though I don't use it; it's there if I have to. :) And I would need it if I go Ryzen 3000 using Ryzen Master.
 
Last edited: