What you need to disable Windows updates?

[Nekonaro]

Good afternoon, can anyone tell me which services or tasks are related to Windows updates? I.e., what does it take to disable Windows updates?

In my search I came across this (Services):
Delivery Optimisation - \DoSvc
Microsoft Store Installtion Service - \InstallService
Update Orchestrator Service - \UsoSvc
Windows Update - \wuauserv
Windows Update Medic Service - \WaaSMedicSvc
Windows Insider Service - \wisvc
Background Intelligent Transfer Service - \BITS
Updateability from CSM - \upfc
Microsoft Update Health Service - \uhssvc
Orchestrator Service actualization - \ossrs

There is also a "MoUSO Core Worker Process" which cancels all changes related to "windows update" (if any)

But I also found a way to disable updates without resorting to all this:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate]
"DoNotConnectToWindowsUpdateInternetLocations"=dword:00000001
"DisableWindowsUpdateAccess»=dword:00000001
"WUServer"="localhost"
"WUStatusServer"="localhost"
"UpdateServiceUrlAlternate"="localhost"

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU]
"UseWUServer"=dword:00000001

This method consists of specifying a local non-existent WSUS update server to which the update service will fail to connect. (At least this works on w10 21h1)

 

[nuhi]

Thanks for the feedback.

As far as I know, the existing option in NTLite - load image - Settings - Windows Update, set to Disable should be it on Win11, might also work on Win10.

 

[Павел]

Thanks for the feedback.

As far as I know, the existing option in NTLite - load image - Settings - Windows Update, set to Disable should be it on Win11, might also work on Win10.

Tell me if there is a way to prevent the update service from starting itself, for example, delete the scheduler tasks.

 

[garlin]

Disabling auto-install of updates is not the same as disabling checks for new updates. Checks happen every 17-22 hours (least once per day).
Turning off WU service isn't enough, because other processes can trigger action. This article might help:

https://benignblog.com/disable-windows-10-updates-permanent-method

 

[crypticus]

I use sordum's tool to disable when i need to disable. You may monitor it to catch what reg edits its doing.


Another way is to disable WU by redirecting domain. that way you can also continue to use microsoft store.
METHOD 1 https://www.ntlite.com/community/index.php?threads/windows-11.2235/post-22108
METHOD 2 https://github.com/whatever127/dummywsus

 

[nuhi]

Tell me if there is a way to prevent the update service from starting itself, for example, delete the scheduler tasks.

That would block too many things if done before install and Windows activation.
You can try, make sure to disable/remove the Windows Update Medic service as well.
Potentially skip OOBE in Unattended settings for it to not trigger post-setup forced Windows Update.

Btw also can remove Windows Update component (separate from WU service) and use NTLite to install updates on C:\Windows.
Keep Servicing stack compatibility enabled, and Windows Update service not removed.
That way even if WU service gets enabled somehow, it should not go far without all of its underlying services.

 

[CodeBro]

Thanks for the feedback.

As far as I know, the existing option in NTLite - load image - Settings - Windows Update, set to Disable should be it on Win11, might also work on Win10.

You mean to disable the ENTIRE Section of windows updates? but what if you want just to let security updates install and only deactivate feature-updates, which should be the way , no??

 

[Necrosaro]

You mean to disable the ENTIRE Section of windows updates? but what if you want just to let security updates install, which should be the way , no??

You can actually install windows updates through Ntlite without needing windows updates working.

I removed windows update all together and only go through Ntlite for the installs. Allows me to control which ones I want.

 

[CodeBro]

And then just via "Update" section at the beginning, installing the online updates directly into the .iso?

 

[garlin]

What counts as a "security update"? Are talking about refreshing Defender's platform and definitions, or Security Update as an outdated reference to the Monthly Update cycle?

 

[CodeBro]

You can actually install windows updates through Ntlite without needing windows updates working.

I removed windows update all together and only go through Ntlite for the installs. Allows me to control which ones I want.

But u will still need to let the Windows Update section toggled on inside "Components -> Remoting and Privacy -> Windows Updates" since u wont get the security updates which is not so good i guess.

 

[CodeBro]

What counts as a "security update"? Are talking about refreshing Defender's platform and definitions, or Security Update as an outdated reference to the Monthly Update cycle?

I think both?

 

[CodeBro]

I mean windows defender defs are important (if u use defender, not sure tho if it counts when using custom anti-virus system) but also they release monthly security patches i think.

 

[garlin]

WU pushes Defender definitions at least once per day, and Platform updates every month. If you want to ignore Monthly Updates, but keep Defender refreshed, then pause WU.

Guide: Pause Windows Updates
If I pause Windows Update, does that mean that I cannot trigger a Windows Defender update?

 

[CodeBro]

WU pushes Defender definitions at least once per day, and Platform updates every month. If you want to ignore Monthly Updates, but keep Defender refreshed, then pause WU.

Guide: Pause Windows Updates
If I pause Windows Update, does that mean that I cannot trigger a Windows Defender update?

TBF I only want to pause monthly-FEATURE-updates, not monthly-SECURITY-updates, is that possible to do?

 

[garlin]

W10/11 no longer has defined Monthly Security Updates. The monthly CU is always a quality & security update, and the Monthly Preview doesn't include any security changes. This is a clean servicing model to avoid the Patch Hell of Windows 7, where users could carelessly mix & match quality and security-only updates.

Every month, the CU (or any Out-of-Band Update) is a complete replacement for the previous month's update.

The only exceptions are:
- Security-Only Updates which address Intel or AMD CPU vulnerabilities at a microcode level
- Feature Enhancement Updates, which don't really include new software but switch on hidden code that's been inserted into previous CU's.
- .NET Framework Updates (which are quality & security)
- Defender Platform updates

 

[CodeBro]

W10/11 no longer has defined Monthly Security Updates. The monthly CU is always a quality & security update, and the Monthly Preview doesn't include any security changes. This is a clean servicing model to avoid the Patch Hell of Windows 7, where users could carelessly mix & match quality and security-only updates.

Every month, the CU (or any Out-of-Band Update) is a complete replacement for the previous month's update.

The only exceptions are:
- Security-Only Updates which address Intel or AMD CPU vulnerabilities at a microcode level
- Feature Enhancement Updates, which don't really include new software but switch on hidden code that's been inserted into previous CU's.
- .NET Framework Updates (which are quality & security)
- Defender Platform updates

hmm, what kind of settings change I need to do in order to get ONLY these here:
- Security-Only Updates which address Intel or AMD CPU vulnerabilities at a microcode level
- .NET Framework Updates (which are quality & security)
- Defender Platform updates

 

[CodeBro]

sry If i ask stupid questions, its just this entire Update topic makes me crazy xd

my appologize

 

[Hellbovine]

The Windows Update pausing guide that is linked above will get you as close to your goal as possible. Pausing updates on W10/W11 doesn't disable it entirely, but turns off the primary automated features, and then it continues to run a limited number of components that check for and install things it deems critical, such as certificates and Defender patches.

Using all the tweaks in that guide will:
- Pause updates out of the box on a clean install
- Allow updates to pause forever, rather than the 35 day limit
- Prevent drivers from automatically downloading or installing
- Prevent Microsoft Store apps from automatically updating

Microcode updates aren't going to be affected by anything unless you're deleting the microcode files, and you will know if you are. I don't know how NET updates are handled for sure, since I don't use them, but I'll bet pausing Windows Update will stop those patches from downloading and installing, so if you want those updates they'll need to be done manually.

 

[CodeBro]

The Windows Update pausing guide that is linked above will get you as close to your goal as possible. Pausing updates on W10/W11 doesn't disable it entirely, but turns off the primary automated features, and then it continues to run a limited number of components that check for and install things it deems critical, such as certificates and Defender patches.

Using all the tweaks in that guide will:
- Pause updates out of the box on a clean install
- Allow updates to pause forever, rather than the 35 day limit
- Prevent drivers from automatically downloading or installing
- Prevent Microsoft Store apps from automatically updating

Microcode updates aren't going to be affected by anything unless you're deleting the microcode files, and you will know if you are. I don't know how NET updates are handled for sure, since I don't use them, but I'll bet pausing Windows Update will stop those patches from downloading and installing, so if you want those updates they'll need to be done manually.

Big thank you bro! thanks alot for ur work and effort and be blessed!