How to fully disable automatic windows updates
Posted by ITStril@reddit | sysadmin | 12 comments
Hi!
I want to fully disable any kind of automatic updates. What are your thoughts about which option is 100% safe:
- Disable Wuauserv service
- install a "dummy WSUS" without any approved updates
I also found a script that does a lot more:
https://github.com/tsgrgo/windows-update-disabler
What do you think?
Best wishes ITStril
Valdaraak@reddit
Neither option is safe, nor recommended in a professional environment. You need to use update management software to control updates.
ITStril@reddit (OP)
I do not want to stop installing updates - I want to stop Windows trying to decide on how to update
fieroloki@reddit
Get a patch management system. Check action1
GeneMoody-Action1@reddit
Thank you for the shout-out there u/fieroloki, we are indeed a patch management and vulnerability management solution, and the key I suggested above is exactly how we do it. It's not magic, it is just a registry key Microsoft put there to be honored for just such purposes.
We are free for the first 100 endpoints, fully featured, and not time limited; Action1 also allows assessment of an unlimited number of endpoints for software vulnerabilities by simply adding these endpoints to Action1. As soon as an Action1 agent is installed, it performs a full analysis, sends all vulnerability data to Action1, and then becomes inactive. This enables you to perform an initial assessment of your endpoint security posture without paying anything.
OP (or anyone else) if you would like to know anything about Action1 just let me know.
Valdaraak@reddit
ITStril@reddit (OP)
That’s clear, but how does the patch management software prevent anything from getting updates “directly”?
SilentSamurai@reddit
You've described the purpose of patch management software, congratulations. Please see the top comment again.
lilhotdog@reddit
This is not the way to do it.
GeneMoody-Action1@reddit
You are looking for the NoAutoUpdate registry key...
https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsUpdate::AutoUpdateCfg
Although I wholeheartedly advise proceeding with caution: if you are setting this value without a governing system such as patch management or RMM, you are setting up a potential oversight that could be disastrous. I can conceive of reasons to do this without such a system, on specific systems, just make sure you document and audit!
BlackV@reddit
/r/shittysysadmin
agressiv@reddit
Just use Windows Update group policy to "Automatically download and notify for install".
We have some servers set this way and they'll manually kick them off as well as doing a bit of other administrative tasks that they don't want to automate.
If they don't take any action, the security team starts to nag them.
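To see what the NoAutoUpdate key and the "Automatically download and notify for install" setting mentioned in the two comments above actually leave on a machine, here is an added PowerShell example (my own, not from any commenter in this thread) that audits those policy values and the wuauserv start type, with an optional function that applies the download-and-notify setting. The registry path and the meaning of the AUOptions values are those of the Configure Automatic Updates policy; the function names are my own.

```powershell
# Added example, not from the thread: audit the policy keys behind the
# "Configure Automatic Updates" GPO (NoAutoUpdate / AUOptions) on this host.
$AuPolicyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
# AUOptions values as defined by the policy.
$AuOptionMeaning = @{
    2 = 'Notify before download'
    3 = 'Automatically download and notify for install'
    4 = 'Automatically download and schedule the install'
    5 = 'Allow local admin to choose setting'
}
function Get-AutoUpdatePolicy {
    # Absent values mean "not configured": Windows then applies its own defaults.
    $props  = Get-ItemProperty -Path $AuPolicyPath -ErrorAction SilentlyContinue
    $noAuto = if ($null -ne $props.NoAutoUpdate) { [int]$props.NoAutoUpdate } else { $null }
    $auOpt  = if ($null -ne $props.AUOptions)    { [int]$props.AUOptions }    else { $null }
    $state = if ($noAuto -eq 1) {
        'Automatic Updates disabled by policy (NoAutoUpdate=1): nothing installs unless another tool drives it'
    } elseif ($null -ne $auOpt -and $AuOptionMeaning.ContainsKey($auOpt)) {
        $AuOptionMeaning[$auOpt]
    } elseif ($null -eq $noAuto -and $null -eq $auOpt) {
        'Not configured by policy (Windows defaults apply)'
    } else {
        "Unexpected combination (NoAutoUpdate=$noAuto, AUOptions=$auOpt)"
    }
    [pscustomobject]@{
        ComputerName  = $env:COMPUTERNAME
        NoAutoUpdate  = $noAuto
        AUOptions     = $auOpt
        WuauservStart = (Get-Service -Name wuauserv -ErrorAction SilentlyContinue).StartType
        Policy        = $state
    }
}
function Set-AutoUpdateDownloadAndNotify {
    # Applies the "download and notify for install" setting (AUOptions=3) while
    # keeping Automatic Updates enabled. Needs an elevated shell; use -WhatIf first.
    [CmdletBinding(SupportsShouldProcess)]
    param()
    if ($PSCmdlet.ShouldProcess($AuPolicyPath, 'Set NoAutoUpdate=0, AUOptions=3')) {
        New-Item -Path $AuPolicyPath -Force | Out-Null
        Set-ItemProperty -Path $AuPolicyPath -Name NoAutoUpdate -Value 0 -Type DWord
        Set-ItemProperty -Path $AuPolicyPath -Name AUOptions    -Value 3 -Type DWord
    }
}
Get-AutoUpdatePolicy | Format-List
# Set-AutoUpdateDownloadAndNotify -WhatIf   # preview the change before applying it
```

Running the audit across a fleet (for example via Invoke-Command) gives the documented record of who has NoAutoUpdate set that the comment above asks for.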
Capable_Tea_001@reddit
Depends on your environment. Test? Production?
If it's production, you need some solution to allow you to patch machines as you want... Be that a WSUS server or something else.
You can set all this via a GPO or in the registry.