Virtuoso

Disable Windows 10 upgrade

Hey guys,

I hope you can help us with an issue with W10 and the inevitable update to 1709 they are trying to force down our throats.

We are using the W10 1703 version CB in our VDI environment but don't want to upgrade to version 1709. We did a few things to stop the update from happening.

We disabled the Windows Update and Windows Modules Installer services and removed all tasks related to update (which basically means everything in UpdateOrchestrator and Windows Update), but apparently Windows still wants to bypass that option. The Task Scheduler service has a self-healing mechanism in which it recreates all the tasks and starts the Windows Update service again. With writables and VDI this is not really what we are aiming for.

So we went on our way to get around this virus called Windows Update and created a batch file that instantly removed the tasks and disabled the above services when an event is written that the update service has started. This seemed to work quite well.

Now Microsoft ended up with yet another feature to shove 1709 down our throats. They designed the Update Assistant. This tool is being installed by tasks that are created (my guess is the Task Scheduler itself does this) and it completely bypasses Windows Update; better yet, the Windows Update service is disabled and of course the update fails. But we do have users with Windows Update Assistant installed on their machines.

I saw some suggestions on the internet to just rename the installer, but my guess is that I could use UEM (you see, I was getting somewhere) to just block this heavily annoying application.

Has anyone else had the same issue with updates, and do you happen to know if this indeed does the trick?

If so, what exactly do we need to set it up like?

10 Replies
VMware Employee

Hi Ray,

I haven't tried it, but the Windows 10 Version 1703 ADMX templates contain a "Select when Feature Updates are received" policy setting in the Windows Update section, where "[Y]ou can defer receiving feature updates for up to 365 days."

Maybe worth a try?

Virtuoso

Hey UEMDev,

Thank you for the reply.

Yes, we did try this in the policy of the local machine (gpedit.msc), but my guess is that it is more than 365 days ago that 1703 was released and thus it can't be deferred anymore.

The way Microsoft is pushing updates has a lot of similarities with how spyware and adware work. It just bypasses all policies and services and just installs itself.

I found out that it also creates 2 folders in c:\Windows called UpdateAssistent (and UpdateAssistentV2) which hold the XML files for the task and the actual executable that is being executed.

We have now removed both folders and hopefully they won't come back again, but to be honest my gut feeling says they will return.

Because we do have UEM running and I have heard about whitelisting and blacklisting, I thought this might just be an option.

Maybe something to implement as a default option? If you look at the internet about the aggressive way Microsoft is updating, this might well be a definitive solution to stop it.

The worst thing is that when you look at the page (https://support.microsoft.com/nl-nl/help/3159635/windows-10-update-assistant ) it actually states (I know you are Dutch) "Note: This tool does not support Enterprise editions." And yes, we do run Enterprise edition.

We can't be the only ones struggling with this, right? We also have quite some physical machines that have the exact same issue.

And just upgrading to 1709 isn't an option for us with over 1500 VDI machines.

I really appreciate the help, as this is not a UEM issue but we are seriously looking at just blocking it using UEM!

VMware Employee

Hi Ray,

Sorry to hear that did not work.

If you can identify the executable that's responsible for this, and if that executable runs as the logged-on user, you might give UEM's application blocking a try. However, depending on how that executable is launched, that might result in some error dialogs ("This program is blocked by group policy. For more information, contact your system administrator.", or something along those lines) that might be confusing to your users.

I know you are Dutch

Shhhhh, don't tell anybody! 🙂

Enthusiast

If you are Dutch then you must be from the old Immidio team, I guess. Cool!

VMware Employee

Thanks, Ray_handels, you've blown my cover 🙂

Indeed, Dominik, I'm from the original Immidio team.

Virtuoso

Whoops, sorry.

Looking at the guys responding here, we could start our own Dutch forum.

If you can identify the executable that's responsible for this, and if that executable runs as the logged-on user, you might give UEM's application blocking a try. However, depending on how that executable is launched, that might result in some error dialogs ("This program is blocked by group policy. For more information, contact your system administrator.", or something along those lines) that might be confusing to your users.

The executable runs as SYSTEM. I would be able to explain the dialogs to the user, but I didn't know that UEM could only block executables executed by the user (or at least under the user's access token). We were eventually able to remove the entire folder, but my guess is that it will eventually pop up again because Microsoft really, really, really wants you to upgrade to 1709 (or whatever version is coming next). I do hope they will change this behaviour. Looking at VDI in combination with W10, it is becoming more and more complicated to get this working.

VMware Employee

Hi Ray,

Basically everything UEM does, it does in the user context.

Looks like version 1803 will be out any day now, so I wonder what that will do to those upgrade attempts...

Contributor

I use a tool from MS to block the 1709 upgrade. It was originally meant to block drivers, but it can also be used as a way to block 1709 upgrades from happening.

https://support.microsoft.com/en-gb/help/3073930/how-to-temporarily-prevent-a-driver-update-from-rei...

Don't know how long this tool keeps functioning, but for us it's functioning just fine for the moment...

Virtuoso

Thanks for the info, but I did use that tool already. The thing is that the wushowhide tool only blocks the update from being installed through Windows Update. We already disable and block that service, but apparently, according to Microsoft, this isn't even enough to block the Windows Update Assistant.

I removed the application, the tasks and the folders in Windows, and as far as I can see now it has at least stopped forcing me to upgrade to 1709, but to be honest I have no idea if we can block it from still coming in.

Hence the idea to just block it with UEM. My guess is that using Windows GPOs won't do the trick in blocking this application.

Even though it seems to be "fixed" for now, I am still very interested in tips and tricks on how others try to block these updates. Linux is more and more becoming a viable solution.

Hot Shot

FYI, to those dealing with the "self-healing" Windows Update service and the Windows Update scheduled tasks: you need to uninstall the patch KB4023057.

https://support.microsoft.com/en-us/help/4023057/update-to-windows-10-versions-1507-1511-1607-and-17...

This update, which was reportedly pushed out even to machines with the Windows Update service disabled and even to Windows 10 builds (i.e. LTSB) that weren't supposed to receive it, regularly checks for an "error" state that prevents Windows Update from working and "fixes" it by re-enabling all Windows Update related services (e.g. Windows Module Installer, Windows Update, BITS).

The update is not listed normally under Programs & Features -> View installed updates, but as part of the regular installed app list within Programs & Features. It should be labeled as "Updates for Windows 10 (KB4023057)".

Once you uninstall KB4023057, open the Scheduled Tasks MMC, browse to Microsoft/Windows/Update Orchestrator and Microsoft/Windows/WindowsUpdate and disable all the tasks listed there. Then you can use the wushowhide tool to block the KB4023057 patch and the feature upgrade for Windows 10 build 1709.

BTW, if for whatever reason you can't uninstall the patch, Microsoft has a workaround to prevent the tool from firing altogether:

https://support.microsoft.com/en-us/help/4098563/usb-device-drivers-are-removed-unexpectedly-after-w...

Basically, it modifies the ACL of the directory C:\Program Files\rempl to yank out permissions for the SYSTEM account, which is what the tool uses to fire the "fix" tool.

Trust Microsoft for their infinite wisdom, eh?

Fun fact: the patch gets regularly updated too, without warning, so it's possible that once an updated revision of the patch gets pushed out, you'll need to use the wushowhide tool again to block it from installing. Get used to keeping that wushowhide diagnostic tool on your image.

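An added PowerShell audit script (not from this thread or from VMware/Microsoft) that checks the three items the post above walks through on a machine: whether KB4023057 shows up in the installed-programs list, the state of every task under the two scheduler folders, and whether SYSTEM still has an Allow entry on the rempl folder. It assumes the folder and task paths named in the post and that the registry display name contains the KB number; run it from an elevated PowerShell.

```powershell
# Added example, not part of the original thread. Run elevated.
# Assumptions: task folders and the rempl folder are as named in the post above;
# the installed-program entry for KB4023057 carries the KB number in its DisplayName.

$TaskPaths = @('\Microsoft\Windows\UpdateOrchestrator\', '\Microsoft\Windows\WindowsUpdate\')
$RemplDir  = 'C:\Program Files\rempl'

function Get-Kb4023057Entry {
    # The post notes the package is listed under installed programs, not under
    # installed updates, so read the Uninstall keys instead of Get-HotFix.
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
            'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like '*KB4023057*' } |
        Select-Object DisplayName, DisplayVersion, UninstallString
}

function Get-UpdateTaskState {
    # Enumerate every task under both folders with its state (Ready/Running/Disabled).
    foreach ($p in $TaskPaths) {
        Get-ScheduledTask -TaskPath $p -ErrorAction SilentlyContinue |
            Select-Object TaskPath, TaskName, State
    }
}

function Disable-UpdateTasks {
    # Scripted form of the manual step "disable all the tasks listed there".
    Get-UpdateTaskState | Where-Object { $_.State -ne 'Disabled' } | ForEach-Object {
        Disable-ScheduledTask -TaskPath $_.TaskPath -TaskName $_.TaskName | Out-Null
        "Disabled $($_.TaskPath)$($_.TaskName)"
    }
}

function Test-RemplSystemAccess {
    # Reports whether SYSTEM still holds an Allow ACE on the rempl folder,
    # i.e. whether Microsoft's ACL workaround from the post has been applied.
    if (-not (Test-Path $RemplDir)) { return "rempl folder not present" }
    $sysAllow = (Get-Acl $RemplDir).Access | Where-Object {
        $_.IdentityReference -eq 'NT AUTHORITY\SYSTEM' -and $_.AccessControlType -eq 'Allow'
    }
    if ($sysAllow) { "SYSTEM still has: $($sysAllow.FileSystemRights -join ', ')" }
    else           { "SYSTEM has no Allow entries on $RemplDir" }
}

# Audit only; call Disable-UpdateTasks separately once you have reviewed the list.
Get-Kb4023057Entry
Get-UpdateTaskState | Format-Table -AutoSize
Test-RemplSystemAccess
```

The task list will be empty if the scheduler folders have already been cleared, which is itself useful to know before KB4023057's self-healing recreates them.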