Manual-ising Windows Update

[linkprogrami]

I found a tons of instructions on how to disable windows automatic updates, but not a lot on how to make them work similar to how XP and Windows 7 "Manual update" option.

Ideally no service or function would be disabled (as Store apps and Driver installation depend on Windows Update services), but Windows would not check for updates unless the "check for updates" was not pressed.

The parts I use so far in my preset look like this:

<Tweak name="WindowsUpdate\AllowTemporaryEnterpriseFeatureControl">1</Tweak>
            <TweakGroup name="WindowsUpdateTasks">
                <Tweak name="DevHomeUpdate\DevHomeUpdate">0</Tweak>
                <Tweak name="EdgeUpdate\EdgeUpdate">0</Tweak>
                <Tweak name="IA\IA">0</Tweak>
                <Tweak name="LXP\LXP">0</Tweak>
                <Tweak name="MACUpdate\MACUpdate">0</Tweak>
                <Tweak name="OutlookUpdate\OutlookUpdate">0</Tweak>
                <Tweak name="TFLUpdate\TFLUpdate">0</Tweak>
            </TweakGroup>

            <TweakGroup name="WindowsUpdate">
                <Tweak name="DriverSearching\SearchOrderConfig">2</Tweak>
                <Tweak name="Preferences\ModelDownloadAllowed">0</Tweak>
                <Tweak name="DeliveryOptimization\DODownloadMode">100</Tweak>
                <Tweak name="Settings\IsContinuousInnovationOptedIn">0</Tweak>
                <Tweak name="7971f918-a847-4430-9279-4a52d1efe18d\RegisterWithAU">1</Tweak>
                <Tweak name="MRT\DontOfferThroughWUAU">1</Tweak>
                <Tweak name="Settings\HideMCTLink">1</Tweak>
                <Tweak name="Settings\IsExpedited">0</Tweak>
                <Tweak name="Settings\RestartNotificationsAllowed2">0</Tweak>
                <Tweak name="WindowsUpdate\TargetReleaseVersionInfo">23H2</Tweak>
                <Tweak name="AU\AUOptions">2</Tweak>
            </TweakGroup>

            <TweakGroup name="services">
                <Tweak name="tzautoupdate\tzautoupdate">3</Tweak>
                <Tweak name="edgeupdate\edgeupdate">3</Tweak>
                <Tweak name="UsoSvc\UsoSvc">3</Tweak>
                <Tweak name="webthreatdefusersvc\webthreatdefusersvc">3</Tweak>
           </TweakGroup>

            <TweakGroup name="Tree\Microsoft\Windows\UNP">
                <Tweak name="RunUpdateNotificationMgr\RunUpdateNotificationMgr">remove</Tweak>
            </TweakGroup>

            <TweakGroup name="Tree\Microsoft\Windows\UpdateOrchestrator">
                <Tweak name="Schedule Scan Static Task\Schedule Scan Static Task">remove</Tweak>
                <Tweak name="Start Oobe Expedite Work\Start Oobe Expedite Work">remove</Tweak>
                <Tweak name="StartOobeAppsScanAfterUpdate\StartOobeAppsScanAfterUpdate">remove</Tweak>
                <Tweak name="UpdateModelTask\UpdateModelTask">remove</Tweak>
            </TweakGroup>

            <TweakGroup name="Tree\Microsoft\Windows\WindowsUpdate">
                <Tweak name="Automatic App Update\Automatic App Update">remove</Tweak>
                <Tweak name="Scheduled Start\Scheduled Start">remove</Tweak>
            </TweakGroup>

Additionally, I load a few registry entries just for good mesure:

Windows Registry Editor Version 5.00


[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate]
"NoAutoRebootWithLoggedOnUsers"=dword:00000001
"TargetReleaseVersion"=dword:00000001
"DisableOSUpgrade"=dword:00000001


[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU]
"NoAutoRebootWithLoggedOnUsers"=dword:00000001
"TargetReleaseVersion"=dword:00000001
"DisableOSUpgrade"=dword:00000001


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\OSUpgrade]
"AllowOSUpgrade"=dword:00000000


[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsStore]
"DisableOSUpgrade"=dword:00000001


[HKEY_LOCAL_MACHINE\SYSTEM\Setup\UpgradeNotification]
"UpgradeAvailable"=dword:00000000

For now this confuguration seems not to be updating anything automatically, unles there is a driver missing (it updates it automatically) or if additional feature is installed. I find this to work both on Win10 and Win11 (as NTLite just ommits the incompatible strings).


If anyone has additonal suggestions or have use of the one above, they are more than welcome.

 

[garlin]

This is an interesting proposal, you want to disable all WU scans for updates, but allow the USO services to keep running in case you want to install driver and Store app updates. The part that confuses me: How do you know when a driver or Store app needs updating?

I don't know how you only scan for certain update types, but skip others, using the default WU infrastructure.

Most users need a 3rd-party like WUMT, which can query and then block specific updates. You can't block a specific update, unless you know its name. So you could block all updates, or scan & block updates as they become available. If this can be possible without outside tools, it would require a lot of careful testing on how WU actually behaves.

 

[linkprogrami]

This is an interesting proposal, you want to disable all WU scans for updates, but allow the USO services to keep running in case you want to install driver and Store app updates. The part that confuses me: How do you know when a driver or Store app needs updating?

I don't know how you only scan for certain update types, but skip others, using the default WU infrastructure.

Most users need a 3rd-party like WUMT, which can query and then block specific updates. You can't block a specific update, unless you know its name. So you could block all updates, or scan & block updates as they become available. If this can be possible without outside tools, it would require a lot of careful testing on how WU actually behaves.

Thats the neat part: You dont xD

You use driver update when the driver is missing (which is basically initial installation, or like when a new office printer gets connected), and apps you update when it will not work unless you update it. And NTLite offers you to set driver update "Only if driver is missing".

Reason for my dislike of autoupdates is they sometimes break something and it becomes a real issue troubleshotting, especially if you work with computers that have (older) industrial machines connected.

Sometimes some app needs to be installed from store and that requires USO service, but I just do not want Windows to update automatically. Its easy with store apps (You just turn off automatic app update in settings), but Windows Updates is a bit more tricky. In my testing on virtual machines even best settings fail after some time, and something just triggers autoupdate to download latest service stack and break something.

When I have to install one of business-critical computers I usually completely kill the Windows update, but was wondering if this can be just set to manual and not having to worry about it.

 

[Hellbovine]

I'm not trying to be critical, but this thread is reinventing the wheel in a way that's not as streamlined as this guide (link), which stops auto-update of Microsoft Store apps, Windows Updates, and drivers, by pausing it forever (or until any date), but still allowing the user to unpause at will and also allowing critical parts of the update features to continue working properly for stability.

The other guide achieves that with the minimum tweaks possible too, so it's much cleaner and safer. If you do want drivers to automatically update, you would remove that specific tweak from the guide or otherwise modify the tweaks as needed. If there's a tweak you know about that is good and the other guide doesn't have it, please let me know and I'll update things accordingly.

 

[linkprogrami]

I'm not trying to be critical, but this thread is reinventing the wheel in a way that's not as streamlined as this guide (link), which stops auto-update of Microsoft Store apps, Windows Updates, and drivers, by pausing it forever (or until any date), but still allowing the user to unpause at will and also allowing critical parts of the update features to continue working properly for stability.

The other guide achieves that with the minimum tweaks possible too, so it's much cleaner and safer. If you do want drivers to automatically update, you would remove that specific tweak from the guide or otherwise modify the tweaks as needed. If there's a tweak you know about that is good and the other guide doesn't have it, please let me know and I'll update things accordingly.

Always feel free to be critical

I saw your original post but did not understand it initially (as I just quickly glanced it). But you are right, your thread contains everything I need. Thank you for sharing.

 

[garlin]

I wanted to see if it was possible to Pause Updates, but continue to separately download driver and Appx updates.

Well, you have to cheat. When Updates are paused, there's no UI to manually kick off driver scans and you don't want to keep opening the Store App to force new versions. I managed to find two unrelated scripts to manually force Windows into updating itself:

1. Roger Zander's Script to install or update drivers directly from Microsoft Catalog

This script is straightforward, it searches for any newer 3rd-party drivers. But I would use this cleaner version, which has better error handling: PowerShell script to update drivers on Windows devices

2. I wrote a short script to force background App updates, but it doesn't work if you have already disabled Store apps with:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsStore\WindowsUpdate]
"AutoDownload"=dword:00000002

If you paused WU, Windows has about 40 different default Apps it needs to update (on first install). What I did notice is broken behavior with most of the pending downloads timing out, and you needed to run the script multiple times to get all updates to finish. I re-ran the script about 4 times in a row.

Unfortunately there is no status provided while downloading, since it's a background update. What you can do is open the Store app, and watch the progress of marked updates.

My impression to make life easier by just opening the Store App right after installing Windows, and ask it to update everything in one pass to catch up, before switching to the update script.

3. None of this supported, don't ask me to fix anything. I'm just providing some suggested workarounds.

 

[linkprogrami]

IDK, I used Hellbovine reg thing and it seems to be working well for now.

Since Windows changed the way drivers are searched in Win11, no way to do it in a way like in Win10 anyway, but changing "SearchOrderConfig" to 1 seems to be automatically dowloading drivers online even if update is paused (IF the driver is missing),

Lastly, windows store is a separate entity from Windows Update (despite using same service), so I do not use scripts or registry key, and just change it in app settings.

 

[linkprogrami]

If you paused WU, Windows has about 40 different default Apps it needs to update (on first install). What I did notice is broken behavior with most of the pending downloads timing out, and you needed to run the script multiple times to get all updates to finish. I re-ran the script about 4 times in a row.

Are you sure this is related to WU reg pause thingy, and not something else? NLite is really finicky with some changes, like disabling UAC that causes a lot of the similar failiures for some reason. Also it can be because Store app needs to be updated first (Cos automatic update order in Store apps does not put it on top, for some silly Microsoft reason).

After figuring the Hellbovine reg thingy, I restored some settings of NLite to default (UAC, and most things related to Windows Update). and had no issue so far.

 

[Hellbovine]

Maybe there are differences between W10 and W11 or perhaps this is being made more complicated than it needs to be, like the Defender topics. I'll explain what I see on my machine, and if anyone is experiencing something different we can hopefully find the problem easier this way.

Spoiler: click here to reveal text

1) On a non-VM, Windows 10 Home 21H2, using only my tweaks, Windows Update will be paused out of the box on a clean install. It can be manually resumed at will, similar to how Windows XP and 7 work, but without the ability to deselect individual updates (not innately possible anymore). My guide also makes it so that users can pause for any amount of time, rather than the 35 days that Microsoft limits us to.

2) As soon as a new install detects internet connection for the first time at the desktop, it will automatically download any drivers it thinks it needs. That is, if a user deleted the "SearchOrderConfig" key from my tweaks before integrating the file into the image, because then Windows will use the default setting of automatically downloading drivers without consent.

3) If "SearchOrderConfig" is not disabled, a user can manually force Windows to download drivers by running task scheduler. I'm sure a simple method that only causes the task responsible for this to run exists, but the easiest way I know to force this and all other pending tasks is with the following command: rundll32.exe advapi32.dll,ProcessIdleTasks & pause (remove " & pause" if you want it to be unattended).

4) Pausing Windows Update doesn't stop apps from updating, as that is handled by the Microsoft Store's "AutoDownload" setting. If a user launches the store and navigates through the menu on the top right, they will find a page that allows them to manually update apps one at a time, as well as a button that can update all apps at once. By disabling "AutoDownload" it still allows manual app updating, it only disables the automated updating that happens without consent. The command mentioned in #3 will also cause the Store apps to update, unless "AutoDownload" is disabled.

I think I've answered all the main points from this thread, and if it doesn't work this way for someone then it may mean something has changed in Windows, or the problem is operator error while a user installs them. I could be making a mistake in my guide, but I'll need to see some pretty great evidence, as it has been thoroughly vetted by many users over a long time now, and I use it on all my installs. It took weeks of researching and testing to settle on that approach, and it does everything that this thread wants, but with minimal tweaks, no hacky methods, and no post-install.