Windows Update Service - how to disable?

Buster Friendly

Well-Known Member
May 5, 2022
Hi everyone,

I have a serious problem to solve.

I work in the health sector, embedded software for LTSC machines.

And I try to kill the Windows Update Service completely.

I already wrote a script which deactivates various scripts and tasks.

But still, on some machines the UsoSvc comes back to life.

And I really don't know what or who triggers that service to come back to life for the whole Update thingi.

Is there anybody out there with experience of that ominous Windows Update Service? Because Microsoft itself isn't really helpful and is far away from being transparent.
 
Thanks...but:

we don't use tools.
I'm working on LTSC-machines, invitro-diagnostics, we can't just use any tools.
besides, I wrote a PS-script, disabling all those services and I even deleted the corresponding tasks.

But at a client, somehow the Orchestratorservice (UsoSvc) came back to life.
And I can't abstract from the logs HOW that happens.

Microsoft is NOT helpful and lightyears away from being transparent.
I read now in so many forums that Microsoft won't tell sh*t.
Concerning WinUpdates, Microsoft went rogue, telling nothing about it.

Sure, they want you to have an updated machine, but for LTSCs there should be a plan to deactivate that nonsense completely. Microsoft knows that some of those machines are used in sections like the invitro-diag.

that is so enormously frustrating...
 
UPDATE:

finally.....
I could reproduce the error.

The Service Control Manager brought the services all back to life.

Now it's to find out, how to stop the Service Control Manager from bringing back the selected services.

if anybody has any clue.... I would be enormously grateful.

And please .... don't propose to use any tools. That is not really helpful.
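
The post above asks what makes the Service Control Manager bring the services back. The System log's Service Control Manager events 7040 (start type changed) and 7036 (service entered a new state) can be lined up with the current service configuration to answer that. This is an added read-only example, not part of the original post; `wuauserv` and the UpdateOrchestrator task path are assumptions that go beyond the `UsoSvc` named in the thread.

```powershell
# Added diagnostic example (read-only). Run from an elevated PowerShell prompt.
# 'wuauserv' and the task path are assumptions; the thread itself only names UsoSvc.
$services   = 'UsoSvc', 'wuauserv'
$startNames = @{ 0 = 'Boot'; 1 = 'System'; 2 = 'Automatic'; 3 = 'Manual'; 4 = 'Disabled' }

# 1. Current configuration straight from the registry, including trigger-start data.
$config = foreach ($name in $services) {
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$name"
    $reg = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if (-not $reg) { continue }                       # service not present on this build
    $svc = Get-Service -Name $name
    [pscustomobject]@{
        Service     = $name
        DisplayName = $svc.DisplayName
        StartType   = $startNames[[int]$reg.Start]
        Status      = $svc.Status
        HasTriggers = Test-Path -Path "$key\TriggerInfo"
    }
}
$config | Format-Table -AutoSize

# 2. Triggers that let the Service Control Manager start a service on demand.
foreach ($c in $config) { sc.exe qtriggerinfo $c.Service }

# 3. SCM events: 7040 = start type changed, 7036 = service entered a new state.
#    Matching is done on the rendered message text via the service display name.
$filter = @{ LogName = 'System'; ProviderName = 'Service Control Manager'; Id = 7040, 7036 }
Get-WinEvent -FilterHashtable $filter -MaxEvents 5000 -ErrorAction SilentlyContinue |
    Where-Object { $msg = $_.Message; $config.DisplayName | Where-Object { $_ -and $msg -like "*$_*" } } |
    Sort-Object TimeCreated |
    ForEach-Object {
        $e = $_
        # 7040 records the account that made the change; 7036 usually has none.
        $who = try { $e.UserId.Translate([Security.Principal.NTAccount]).Value } catch { "$($e.UserId)" }
        [pscustomobject]@{ Time = $e.TimeCreated; Id = $e.Id; ChangedBy = $who; Message = $e.Message }
    } | Format-Table -Wrap

# 4. Update Orchestrator scheduled tasks that still exist (or were recreated) after cleanup.
Get-ScheduledTask -TaskPath '\Microsoft\Windows\UpdateOrchestrator\' -ErrorAction SilentlyContinue |
    Select-Object TaskName, State
```

A 7040 entry that flips the start type back from disabled, together with its `ChangedBy` account and timestamp, is the record to correlate with task runs and trigger definitions.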
 
Use my IFEO tool and block the executable from running on the target machine.
 
again: NO TOOLS!

please read my opening in this thread, tools are NOT HELPING!

And I really doubt, that your tool blocks the Service Control Manager. :rolleyes:
 
Hi, I'm sorry for my bad English!
I suggest you try to block it in the firewall by blocking the URLs below:

windowsupdate.microsoft.com
*.windowsupdate.microsoft.com
*.update.microsoft.com
*.windowsupdate.com
download.windowsupdate.com
download.microsoft.com
*.download.windowsupdate.com
wustat.windows.com
ntservicepack.microsoft.com
*.ws.microsoft.com
 
This won't stop it.
The Service Control Manager will re-initiate the services. I forwarded in the Reg to non-existent sites. Didn't help.
 
OK, I have a couple of questions. In the past I have had to deal with systems that fell under the US HIPAA laws.
So I take it that these systems all have Internet access and are stand alone (no one is a remote admin of these machines or those rights are shared and granted to the end user).
Given those two criteria, your group puts systems out in the field which may contain sensitive health care records of individuals? That being the case you should be locking down those systems and only have admin rights granted to members of your deployment group. In addition, it's irresponsible to send out systems that deal with sensitive data that do not receive security updates.
Might I suggest the possibility of deploying thin clients? That would give you the ultimate control of exactly what permissions are given to your end users, complete control of the update cycles and the added security of cloud-based records storage, including the redundancy offered by a colo server farm. All of the updates can be tested and vetted by your group before they are deployed.
To just "shut off" Windows updates is a rather child-like solution without the considerations of stability and security they offer.
 
As I wrote in the first comment, I work in the health sector on LTSC machines, better called in-vitro diagnostics. That has nothing to do with health care records.
So, those machines are in no network, nor "in the any field"; they are standalone machines for the laboratory.
And when the client wants Windows Update deactivated, I have to shut it down completely.
It's really annoying that there is no help at all from Microsoft, and Microsoft is lightyears away from being transparent concerning this case.
In the last 2-3 years, they have embedded different services in this Update machinery, and the Service Control Manager brings them back to life, no matter what you adjust on the computer. And that with an LTSC license; that's not helping and definitely not expedient.

you should think about that.

> To just "shut off" Windows updates is a rather child-like solution without the considerations of stability and security they offer.
That's not helping and lightyears away from a professional consult.
 
FINAL UPDATE:

There is no possibility in a LTSC-machine (embedded software) to deactivate the Windows Update process.
Not even for older builds like 1607 or 1809. Nothing.
Microsoft isn't really transparent and we have to deal with it for ourselves.

Now I have to find a way to write the appropriate script.
I'm not really amused, but this is the only thing to do.
 
IFEO Tool adds registry keys to Image File Execution Options and can disable any executable from running on the computer. If you intentionally block system exes from the system, you won't be able to use the computer. Use with caution.
 
Buster Friendly

You can add the list above to your hosts file...
 
Sorry about recommending another tool. Use my firewall blocker tool.

Firewall Blocker...
Block any exe from accessing the internet with the Windows Firewall.
 
again - I can't use dubious tools, that's forbidden.

besides, it's solved.
There is no possibility, even if it's illogical that this isn't supported for LTSC machines.
 
OK, no problem.

The reason for not using the tools is because they are executables? Not a problem, I can send the source, as they are batch code (.bat) that I convert to exes.
 
you can't use any obscure tools on machines which will go to a customer. that is forbidden.
besides the whole license-problem behind everything.
that is not possible, especially when I don't see what the tool really does.
I create my own scripts.
 
Ok, to finish: if you want the apps in batch (.bat), which reveal the source with Notepad, PM me. If not, never mind. Also the bat is open source so should have any issues with licensing.
 
..and how often and how long have you tested your script on a ltsc-machine, in which cycles? u also did a powercycle every day and you tested your script over what period? a week? 2 weeks? 1 month?

when you tell me that your script will kill the Windows Update Service totally, I don't believe you. ;)
why?
experience.
 
I'm constantly using these tools on my computer and didn't get any major issues. IFEO only adds a registry key that blocks exes...

IFEO Tool - Block Exe
Code:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options

Add the value example:
rundll32.exe

Add null example
Debugger
ntsd -d

Firewall Blocker for Windows V3 - ADD Rule
Code:
netsh.exe advfirewall firewall add rule name="rundll32" dir=out action=block protocol=any program="rundll32.exe"

Firewall Blocker for Windows V3 - Remove Rule
Code:
netsh advfirewall firewall delete rule name="rundll32"

With the tools it is easier to add/remove entries...

If you want to block Windows Update effectively, I advise installing K9 Web Protector and blocking MS URLs.
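
The two changes described in the post above, an IFEO `Debugger` value and a program-scoped outbound block rule, can be inspected on a machine with built-in cmdlets. This is an added read-only audit example, not the poster's tool or its source; it only lists what is present.

```powershell
# Added audit example (read-only): lists IFEO Debugger values and
# outbound block rules that are bound to a specific program.
$ifeoRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
)

# An IFEO subkey named after an image with a Debugger value makes Windows launch
# the debugger command instead of that image, which is how the "block" works.
$ifeoHits = foreach ($root in ($ifeoRoots | Where-Object { Test-Path -Path $_ })) {
    Get-ChildItem -Path $root -ErrorAction SilentlyContinue | ForEach-Object {
        $dbg = $_.GetValue('Debugger')
        if ($dbg) {
            [pscustomobject]@{
                Image    = $_.PSChildName
                Debugger = $dbg
                Wow64    = $root -like '*WOW6432Node*'
            }
        }
    }
}

# Outbound block rules tied to a program, such as those created with
# "netsh advfirewall firewall add rule ... dir=out action=block program=...".
$fwHits = Get-NetFirewallRule -Direction Outbound -Action Block -ErrorAction SilentlyContinue |
    ForEach-Object {
        $rule = $_
        $prog = ($rule | Get-NetFirewallApplicationFilter).Program
        if ($prog -and $prog -ne 'Any') {
            $expanded = [Environment]::ExpandEnvironmentVariables($prog)
            [pscustomobject]@{
                Rule     = $rule.DisplayName
                Enabled  = $rule.Enabled
                Program  = $prog
                # netsh's help describes program= as a program path; False marks
                # rules that hold only a bare file name.
                FullPath = [IO.Path]::IsPathRooted($expanded)
            }
        }
    }

'IFEO Debugger entries:'
$ifeoHits | Format-Table -AutoSize
'Outbound block rules bound to a program:'
$fwHits | Format-Table -AutoSize
```

Running it before and after applying a script or tool shows exactly which keys and rules were added.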
 