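# Check for admin rights at the start.
# Everything below changes service configuration, scheduled tasks and HKLM registry
# values, so the script stops here unless the current token is in the built-in
# Administrators role.
$currentIdentity = [Security.Principal.WindowsIdentity]::GetCurrent()
$currentPrincipal = [Security.Principal.WindowsPrincipal] $currentIdentity
$isAdmin = $currentPrincipal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
if (-not $isAdmin) {
    Write-Host "This script requires administrative privileges. Please run as Administrator." -ForegroundColor Red
    # Exit non-zero so a calling script or scheduler can tell that nothing was applied
    # (a bare "exit" reports success).
    exit 1
}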
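# Logging
# Relative path: the log file is created in the directory the script is started from.
$logFile = "BlockWindowsUpdate.log"

# Appends a timestamped line to $logFile and echoes the same line to the console.
#   Message - text to record.
#   Color   - console colour of the echoed line (default "White").
# The call sites in this script pass the colour as -ForegroundColor. That name was not
# a parameter of this function, so the alias below lets both -Color and
# -ForegroundColor bind to $Color.
function Write-Log {
    param(
        $Message,
        [Alias("ForegroundColor")]
        $Color = "White"
    )
    $timestamp = Get-Date -Format "yyyy-MM-dd HH:mm:ss"
    $line = "$timestamp - $Message"
    $line | Out-File -FilePath $logFile -Append
    Write-Host $line -ForegroundColor $Color
}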
# 1. Switch wuauserv (Windows Update) to on-demand start and stop it.
# The start type is set to Manual rather than Disabled, to try to prevent Windows from
# re-enabling it to automatic. A failure to change the start type is suppressed
# (SilentlyContinue); a failure to stop the service is still reported.
$windowsUpdateService = "wuauserv"
Set-Service -Name $windowsUpdateService -StartupType Manual -ErrorAction SilentlyContinue
Stop-Service -Name $windowsUpdateService -Force
# 2. Additional update-related services, switched to Manual start and then stopped.
# Both passes suppress errors (SilentlyContinue), so the script gives no indication of
# which services were actually changed; check the result with Get-Service afterwards.
# NOTE(review): BITS is also used by software other than Windows Update - confirm that
# stopping it is acceptable on the target machine.
$updateServices = @(
    "WaasMedicSvc",   # WaaS Medic Service
    "UsoSvc",         # Update Session Orchestrator
    "PushToInstall",  # Push to Install
    "BITS",           # Background Intelligent Transfer Service
    "DoSvc"           # Delivery Optimization
)

# Pass 1: change the start type of every service in the list.
$updateServices | ForEach-Object {
    Set-Service -Name $_ -StartupType Manual -ErrorAction SilentlyContinue
}

# Pass 2: stop whichever of them are currently running.
$updateServices | ForEach-Object {
    Stop-Service -Name $_ -Force -ErrorAction SilentlyContinue
}
# 3. Disable update related scheduled tasks A. (specific ones here)
# Each entry is a full task path under \Microsoft\Windows\InstallService.
# schtasks is a native executable: a failure shows up in its console output and in
# $LASTEXITCODE, not as a PowerShell error, and nothing here records the outcome.
$installServiceTasks = @(
    "\Microsoft\Windows\InstallService\RestoreDevice",
    "\Microsoft\Windows\InstallService\ScanForUpdates",
    "\Microsoft\Windows\InstallService\ScanForUpdatesAsUser",
    "\Microsoft\Windows\InstallService\SmartRetry",
    "\Microsoft\Windows\InstallService\WakeUpAndContinueUpdates",
    "\Microsoft\Windows\InstallService\WakeUpAndScanForUpdates"
)
$installServiceTasks | ForEach-Object {
    schtasks /Change /TN $_ /Disable
}
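# 4. Disable update related scheduled tasks B. (wildcards)
# Every task whose folder matches one of these patterns is disabled and the outcome
# is written to the log.
$taskPatterns = @(
    "Microsoft\Windows\WindowsUpdate\*",
    "Microsoft\Windows\UpdateOrchestrator\*",
    "Microsoft\Windows\WaaSMedic\*"
)
foreach ($pattern in $taskPatterns) {
    # TaskPath values start with a backslash, so the pattern is anchored with one.
    $matchingTasks = Get-ScheduledTask | Where-Object { $_.TaskPath -like "\$pattern" }
    foreach ($task in $matchingTasks) {
        $taskFullPath = "$($task.TaskPath.TrimStart('\'))$($task.TaskName)"
        try {
            schtasks /Change /TN "$taskFullPath" /Disable
            # schtasks is a native executable and does not throw on failure (for
            # example "access denied" on a protected task); its exit code is the only
            # reliable signal, so success is logged only when it is 0.
            if ($LASTEXITCODE -eq 0) {
                Write-Log "Disabled scheduled task: $taskFullPath" -Color Green
            } else {
                Write-Log "Failed to disable task: $taskFullPath" -Color Red
            }
        } catch {
            # Reached only if schtasks itself cannot be started.
            Write-Log "Failed to disable task: $taskFullPath" -Color Red
        }
    }
}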
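# 5. Registry key changes

# Creates a registry key only when it is absent.
# New-Item -Force on a key that already exists recreates it and discards the values
# stored in it. This section sets values under WindowsUpdate and then ensures the
# WindowsUpdate key again, so an unconditional -Force would erase earlier settings.
function New-RegistryKeyIfMissing {
    param($Path)
    if (-not (Test-Path -Path $Path)) {
        New-Item -Path $Path -Force | Out-Null
    }
}

$wuPolicyKey = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate"
$auPolicyKey = "$wuPolicyKey\AU"
$storePolicyKey = "HKLM:\SOFTWARE\Policies\Microsoft\WindowsStore"
$deviceMetadataKey = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Device Metadata"
$driverSearchingKey = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\DriverSearching"

# Check managed environments (group policy may override these registry settings).
# NoAutoUpdate is a value of the AU subkey (this script writes it there below), so the
# check reads AU rather than its parent key.
$gpoSettings = Get-ItemProperty -Path $auPolicyKey -ErrorAction SilentlyContinue
if ($gpoSettings -and $gpoSettings.NoAutoUpdate -eq 0) {
    Write-Host "Group Policy may override Windows Update settings. Check with your administrator." -ForegroundColor Yellow
}

New-RegistryKeyIfMissing -Path $auPolicyKey
# Disable automatic updates
Set-ItemProperty -Path $auPolicyKey -Name "NoAutoUpdate" -Value 1 -Type DWord
# Disable automatic installation of Windows updates without user consent
Set-ItemProperty -Path $auPolicyKey -Name "AUOptions" -Value 2 -Type DWord
# Prevent Windows Update from restarting the PC
Set-ItemProperty -Path $auPolicyKey -Name "NoAutoRebootWithLoggedOnUsers" -Value 1 -Type DWord
# Remove the ScheduledInstallDay and ScheduledInstallTime registry values
Remove-ItemProperty -Path $auPolicyKey -Name "ScheduledInstallDay" -ErrorAction SilentlyContinue
Remove-ItemProperty -Path $auPolicyKey -Name "ScheduledInstallTime" -ErrorAction SilentlyContinue

# Allow Windows Defender updates (0 = policy does not turn Defender off).
# This call reports an error if the "Windows Defender" policy key does not exist.
Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender" -Name "DisableAntiSpyware" -Value 0 -Type DWord

# Allow Microsoft Store App updates
New-RegistryKeyIfMissing -Path $wuPolicyKey
Set-ItemProperty -Path $wuPolicyKey -Name "DoNotConnectToWindowsUpdateInternetLocations" -Value 0 -Type DWord

# Disable automatic driver updates in Windows Update
New-RegistryKeyIfMissing -Path $deviceMetadataKey
Set-ItemProperty -Path $deviceMetadataKey -Name "PreventDeviceMetadataFromNetwork" -Value 1 -Type DWord

# Stop Windows from continually searching Windows Update for drivers
New-RegistryKeyIfMissing -Path $driverSearchingKey
Set-ItemProperty -Path $driverSearchingKey -Name "SearchOrderConfig" -Value 0 -Type DWord
Set-ItemProperty -Path $driverSearchingKey -Name "DontSearchWindowsUpdate" -Value 1 -Type DWord

# Turn off automatic Microsoft Store updates
New-RegistryKeyIfMissing -Path $storePolicyKey
Set-ItemProperty -Path $storePolicyKey -Name "AutoDownload" -Value 2 -Type DWord

# Disable Windows Insider program
#New-Item -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows" -Name "PreviewBuilds" -Force
#Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\PreviewBuilds" -Name "AllowBuildPreview" -Value 0 -Type DWord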
# 6. Block processes in registry
# Writes a "Debugger" value of "*" under each executable's Image File Execution
# Options (IFEO) subkey.
# Note: Verify this process list for new Windows versions/updates
#
# Set-ItemProperty does not create a missing key and the error is suppressed, so an
# executable with no existing IFEO subkey is skipped without any message.
# IFEO "Debugger" values are a monitored registry location (MITRE ATT&CK T1546.012),
# so expect endpoint security tooling to alert on these writes and record the change
# for whoever reviews those alerts.
$ifeoRoot = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"
$blockedExecutables = @(
    "EOSnotify.exe",
    "SipNotify.exe",
    "GWX.exe",
    "GWXUX.exe",
    "UsoClient.exe",
    "MusNotifyIcon.exe",
    "MusNotification.exe",
    "MusNotificationUx.exe",
    "Windows10UpgraderApp.exe",
    "Windows10Upgrade.exe",
    "UpdateAssistant.exe",
    "remsh.exe",
    #"dismHost.exe",
    "SIHClient.exe",
    "InstallAgent.exe",
    "WaaSMedic.exe",
    "WaasMedicAgent.exe",
    "upfc.exe"
)
$blockedExecutables | ForEach-Object {
    $ifeoKey = "$ifeoRoot\$_"
    Set-ItemProperty -Path $ifeoKey -Name "Debugger" -Value "*" -ErrorAction SilentlyContinue
}
# 7. Prevent Windows Defender from undoing these changes
# Adds Defender scan exclusions for the locations this script modifies.
# An exclusion only stops Defender from scanning the listed path. The four
# System32\Tasks folders hold scheduled-task definition files, so task files placed
# there are no longer scanned; review these entries with Get-MpPreference and drop
# the ones that are not needed.
# NOTE(review): the first entry is a registry-provider path, while -ExclusionPath
# takes file and folder paths - presumably it has no effect; confirm.
$defenderExclusions = @(
    "HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate",
    "C:\Windows\System32\Tasks\Microsoft\Windows\InstallService",
    "C:\Windows\System32\Tasks\Microsoft\Windows\WindowsUpdate",
    "C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator",
    "C:\Windows\System32\Tasks\Microsoft\Windows\WaaSMedic"
)
foreach ($excludedPath in $defenderExclusions) {
    Add-MpPreference -ExclusionPath $excludedPath
}
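# 8. Limit Windows 10 from Windows 11 upgrade by forcing it to stay on the current version/edition
# The OS is identified from the Win32_OperatingSystem caption; the pinning values are
# written only when that caption contains "Windows 10".
$osCaption = (Get-CimInstance -ClassName Win32_OperatingSystem).Caption
if ($osCaption -like "*Windows 10*") {
    $releaseVer = (Get-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion" -Name DisplayVersion -ErrorAction SilentlyContinue).DisplayVersion
    if (-not $releaseVer) {
        $releaseVer = "22H2" # Fallback version if DisplayVersion is missing
    }

    $wuPolicyKey = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate"
    $storePolicyKey = "HKLM:\SOFTWARE\Policies\Microsoft\WindowsStore"
    $osUpgradeKey = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\OSUpgrade"
    $upgradeNoticeKey = "HKLM:\SYSTEM\Setup\UpgradeNotification"

    # Create each key only when it is missing. New-Item -Force on an existing key
    # recreates it and discards its values, which would erase the target-release
    # values written to WindowsUpdate below and the values already stored in
    # WindowsStore.
    foreach ($keyPath in @($wuPolicyKey, $storePolicyKey, $osUpgradeKey, $upgradeNoticeKey)) {
        if (-not (Test-Path -Path $keyPath)) {
            New-Item -Path $keyPath -Force | Out-Null
        }
    }

    # Pin feature updates to the installed Windows 10 release.
    Set-ItemProperty -Path $wuPolicyKey -Name "ProductVersion" -Value "Windows 10" -Force
    Set-ItemProperty -Path $wuPolicyKey -Name "TargetReleaseVersion" -Value 1 -Force
    Set-ItemProperty -Path $wuPolicyKey -Name "TargetReleaseVersionInfo" -Value $releaseVer -Force

    # Disable Windows 11 upgrade in the Microsoft Store
    Set-ItemProperty -Path $storePolicyKey -Name "DisableOSUpgrade" -Value 1 -Force

    # Disable OS update to Windows 11 with other methods
    Set-ItemProperty -Path $wuPolicyKey -Name "DisableOSUpgrade" -Value 1 -Force
    Set-ItemProperty -Path $osUpgradeKey -Name "AllowOSUpgrade" -Value 0 -Force
    Set-ItemProperty -Path $upgradeNoticeKey -Name "UpgradeAvailable" -Value 0 -Force

    # -Color is the parameter Write-Log declares; -ForegroundColor is not one of them.
    Write-Log "Windows 10 detected. Applied settings to prevent Windows 11 upgrade." -Color Green
} elseif ($osCaption -like "*Windows 11*") {
    Write-Log "Windows 11 detected. Skipping Windows 10-specific upgrade prevention." -Color Yellow
} else {
    Write-Log "Unable to determine OS version. Skipping Windows 11 upgrade prevention." -Color Red
}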
# 9. Block Windows Update via firewall (if needed)
#New-NetFirewallRule -DisplayName "Block Windows Update" -Direction Outbound -Action Block -Program "%SystemRoot%\System32\svchost.exe" -Service "wuauserv"
#Remove the block:
#Remove-NetFirewallRule -DisplayName "Block Windows Update"