I haven’t run windows since 2019. However I need to boot my old drive to grab some data. I really need to make sure this system doesn’t update any windows components, but I’ll need it to have internet access for a portion of the time.
On a different system, I used to have two reg keys that I would run to disable or enable updates when I found that disabling the services only worked until the watchdog would re enable them. Those resulted in updates saying something was wrong, which is perfect by me.
Now that web searches for stuff like this are all AI-gen’d SEO BS, can anyone tell me or point me to a reliable resource for truly disabling updates on Win 10?
PS - Bonus points if Anyone can link me to the page I used a few years back that had all sorts of privacy enhancing and telemetry disabling option on the left side and would create a reg file for applying those changes on the right. It might have been a purple theme, I forget.
Edit: it may also have been a “services” command that fully disabled services from CLI where the GUI says access denied. I forget.
Edit 2: I got the updates services disabled via registry. Thanks to those who refreshed my old Windows admin memory. I dumped Windows on my personal systems years ago, and haven’t had to think about this for a while. It’s a shame when the operating system changes to this model of SaaS where they call all the shots. I want security updates, but not bleeding edge drivers, candy crush, “feature enhancements”, random unexpected reboots, etc. I miss when the update feature didn’t assume nobody in the world could handle manual updates. You know, like sudo apt-get update
.
Just disable the windows update services.
You could also use a allowlist firewall rule to restrict access to what you need.
Also why the paranoia? What do you have against windows updates?
What do you have against windows updates?
Forced windows 11 upgrades, breaking VPNs, breaking recovery partitions, intentionally targeting and breaking the win10 start menu for win11, installing unwanted software, enabling ads, adding additional telemetry, adding half baked AI nonsense that nobody asked for, restarting without a prompt and losing progress or canceling a running program… Should I keep going?
Win11 isnt forced.
Breaking vpns was a result of security fixes and was addressed. This is normal for all OS’s that get patched.
There’s no restarting without prompting.
Copilot is optional.
I don’t need to go on.
Win11 was forcibly installed on my coworker’s computers. This happened more than once. https://learn.microsoft.com/en-us/answers/questions/1607264/why-is-my-windows-10-pro-system-automatically-forc
What if you needed to use a VPN between May 1 and May 14? https://www.pcworld.com/article/2320535/microsofts-newest-windows-update-breaks-vpns-and-theres-no-fix.html
I guess I hallucinated my computer restarting by itself on multiple occasions due to Microsoft updates, even after I disabled the services, before I nuked every sign of it from the registry and the reboots suddenly stopped. Crazy. https://superuser.com/questions/1277757/windows-updates-forcibly-rebooting-my-pc-at-night
Copilot appeared with regular updates on my sister’s computer, unprompted. https://answers.microsoft.com/en-us/windows/forum/all/why-is-it-that-you-install-software-i-never-asked/a4fce101-b9e8-4d10-9c15-1f8350004e09
There were easy to find examples of everything that I said, some of them happened to myself, my family, or my coworkers. If you’re going to be blatantly wrong and easily disproved then maybe you shouldn’t go on after all.
It was pretty simple to stop windows 11.
Updates will eventually restart but not unprompted. There is a combination of settings you can set that will install updates right away and restart soon after, but it’s not default.
The vpn issue didn’t affect all vpn software and a workaround was available.
MS adds features to their products and are pretty forceful about getting you to use them.
After 30 years of running windows boxes, I’ve never been hacked.
But I’ve lost thousands of hours to update fucking my shit up.
Deleting documents from insider branch users a few years back, forced installation of HP SMART printer utility, constantly switching users’ default browser back to Edge, even bypassing my employer’s GPO to do so at one point in a Teams update
Not to mention their habit of making practically everything opt-in by default. And what is up with the new Aptos “cloud” font that only works if you have an active Office 365 subscription?
I don’t know tbh, Windows just doesn’t cut it for me anymore personally, mainly because of Microsoft. Stuck with it on my desktop though because of sim hardware.
I still have XP on an airgapped old PC for nostalgia ☺️
Is moving the drive to another computer as a secondary drive an option? Or put it in a separate USB enclosure? That way you don’t need to boot it at all, unless it’s encrypted or something.
Would plugging a drive with an OS on it into a running computer just show a list of files like normal?
Yes, unless it is encrypted, in which case you need a way to decode that. You can even boot an OS from a USB thumb drive to recover files from a hard drive.
Disable through gpedit.msc
https://monovm.com/blog/disable-windows-update-from-group-policy/
I’m not sure what the purple app was.
But disabling the relevant services should be enough or modifying your host file to block all the Microsoft domains for it.
I am curious why you need it to go online at all.
If you’re looking to copy files just use your phone or USB drive?
I’m not sure what the purple app was.
It was a website, and after a Lemmy user reminded me of privacy.sexy, I realized it is decidedly un-purple.
Download and install sysinternals suite: https://learn.microsoft.com/en-us/sysinternals/downloads/sysinternals-suite
then run:
psexec -i -s services.msc
and disable Windows Update, Update Orchestrator, and WaaSmedic if it’s there.
Alternatively, do the same psexec but regedit instead of services, navigate to HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services, find those same services I listed above, change the Start value to 4 to disable. I went to the next step and neutered all the registry entries for each of those services to make sure they stayed dead.
WaaSmedic must be that watchdog that kept re-enabling update services after I disabled them years ago. I just remember my OS would start a multi hour encode or compile, and I’d come back hours later to a login screen and update history telling me it rebooted when I didn’t have automatic updates enabled.
Thx for the reply.
Eeyup, same exact situation here. I leave my work computer overnight reencoding video pretty frequently, and would lose so much productivity due to restarts I didn’t ask for.
Its all coming back to me now. Must’ve been repressed memories…
For the record, the service names are: UsoSvc WaaSMedicSvc wuauserv
Why would you need psexec to run services.msc? You can just open the services by running it directly or even from the start menu.
To run as System and prevent permission issues from wagging its finger at you and saying “nuh uh”. Yes obviously you can open Services the normal way if it wasn’t windows update BS
One thing that has worked for over a year on ky backup laptop at least, is to use the only setting Microsoft seems to not be able to take away without being in trouble: Windows Update Setting: Don’t download over metered connections. Then, any network you connect to go into the networks settings and set as a metered network. The only thing that has made it through from updater was a tiny security update that it was able to download cause I was a bit forgetful once, pretty easy if u ask me
There are programs like net limiter that you can use to just block access entirely for windows updates, every time one pops up to use data you can just block it, i think there’s like 6 processes windows will try to use to update various things. It’s not exactly what you are looking for, but it should solve your problem anyway.
Use something like NextDNS and block the update-domains.
O & O Shutup on a thumbdrive
InControl by Steve Gibson allows you to set a specific Windows release version and prevent further feature updates, but does allow security updates:
InControl controls Windows automatic updating/upgrading system by targeting it to a specific major version and feature update release. By default, the current release will be used. So if you “Take Control” with the major version and feature release shown in the boxes in the lower left, Windows will remain right where it is – only installing monthly security updates – until you “Release control”.
Also:
Like all of GRC’s ultra lightweight freeware utilities, no setup or installation is required. Just run the utility with administrative rights. InControl’s operation can be scripted from the command line, and full technical details about the Registry keys it changes is provided.
I was thinking boot from a different media and access the file system. But the moment I saw Steve Gibson had a different way I felt like my option was stupid. That is the power of Steve Gibson.
Steve is one of those guys that has done so much with computers that if you have a problem it’s highly likely that he’s already dealt with that problem too and has a solution or workaround, or knows where to find one.
God bless Steve Gibson! Security Now! I used Spinrite back in 92. I’ve used his other utilities (when they were relevant), and ShieldsUP too. That man is a treasure. Thanks for the link. I know he gets it.
On second thought, while this is great, I need to block all updates in this PC.
Yeah, I started listening to the podcast a couple years ago, and based on that I’d trust Steve’s opinion on basically everything related to computers & networking - largely because I know he’d be able to explain in detail why he has that opinion.
Put it behind a PiHole that drops all traffic to Microsoft servers?
Windows comes with a secret option to turn off updates with group policies, so you don’t need to modify anything or use a script. It works just fine for me. No updates (unless I manually click update).
The option for automatic updates is several layers deep in a nested menu tree, and I don’t fully recall what the path to get there is. But you should be able to find it online.
Chris Titus? https://christitus.com/windows-tool/
That is similar to the web page I was thinking of. Thx. I’ll check it out.
Everyone here is dramatically overcomplicating the solution. Simply:
- Turn on the PC without an Internet connection
- From an elevated cmd, run net stop wuauserv
- Connect the network and copy your files
This stops the update service and will absolutely prevent windows updates from running. BUT it reverts at the next boot, so be careful.
If you want a more permanent solution, you can edit a regkey to trick the system into looking for a local wsus server, which will prevent it from reaching out to the web. Read this for a rundown: https://learn.microsoft.com/de-de/security-updates/windowsupdateservices/21669493
Source: More than a decade as a sysad with a focus on endpoint patching
Hate to be “that guy”, and maybe OP’s no updates since 2019 exempt them from this, but modern 10/11 both immediately auto-restart the Windows update service when it’s manually stopped.
This is not my experience on Windows 10 Pro
Good, it’s been my experience, at least on fully updated 10.
Which flavor? Pro?
Yeah was standard pro I saw it on.
No, you’re absolutely right. That’s what happens when you have the WaaSMedic service running, which cannot be easily disabled in services.msc. I would think I had finally gone the “full-nuclear” option and broken al updates by disabling and stopping the update services (that I knew about), but they would re-enable themselves without fail.
This comment explains where you need to disable it (if you want to go that route).
Very helpful thank you.
I just install DoNotSpy after a fresh install of Windows and have never had an issue with Windows Update ignoring me and doing whatever it wanted.
Obviously the system has to be offline until it is installed and probably restarted, but after that you can plug in a cable and be fine, to my experience. Mind you I am still using an old, old, copy of 10 Pro as the installer, so I am uncertain how newer, fresh installs or home edition will handle it.