We can't disable Windows updates anymore?
Recently we updated our win10 image and it pushed down Servicing Stack 10.0.18362.1790. This contains multiple KBs including KB4023057. When it was outside the servicing stack you could uninstall a KB. But Servicing Stacks cannot be uninstalled from what I've read and tried.
The problem with KB4023057 is that this enables Windows to re-enable Windows updates when desired, among other things. So now every VDI VM we have is re-enabling the wuauserv service despite the GPO and then downloading and installing patches every rebuild of the VDI VM, which is atrocious. We want to update the base image per our schedule and prevent all VDI VMs from auto-patching over and over all day as users log off and it rebuilds the VMs.
Any ideas how to accomplish this now? Thoughts are figuring out which firewall ports to disable to block updates, or DNS entries to zero out with a hosts file to deny updates, or changing permissions somewhere. The problem is that it needs to not be undone by this KB, and it needs to be easily undone when we manually want to update the base image.
Thanks!
Just curious, what happens if you apply a GPO to the virtual desktops' OU that points Windows Update to a non-existent WSUS server?
Hello,
We are running into exactly the same problem and just wanted to see if you might have found a workaround. We are making sure that the Module Installer and Windows Update services are disabled on the Master Image before shutting down the image and snapping it. On top of that, we push a GPO to all instant clones disabling automatic updates and are also using services policies to keep those services disabled (Module Installer, Update Medic and Windows Update), but unfortunately they keep getting turned on, set to Manual and then running. Users are getting updates downloaded and installed in their session.
Is there any way to prevent that from happening?
@LukaszDziwisz - This is what has worked for us on the base image:
1. Set Windows Updates service to disabled.
2. Run this regex to disable updates plus some other settings and trick it to use a non-existent local WSUS if it gets enabled:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate]
"WUServer"="https://donotinstallupdates.notHere"
"WUStatusServer"="https://donotinstallupdates.notHere"
"UpdateServiceUrlAlternate"=""
"SetProxyBehaviorForUpdateDetection"=dword:00000000
"DoNotConnectToWindowsUpdateInternetLocations"=dword:00000001
"SetComplianceDeadline"=dword:00000001
"ConfigureDeadlineForQualityUpdates"=dword:0000001e
"ConfigureDeadlineGracePeriod"=dword:00000007
"ConfigureDeadlineForFeatureUpdates"=dword:0000001e
"ConfigureDeadlineGracePeriodForFeatureUpdates"=dword:00000007
"SetActiveHours"=dword:00000001
"ActiveHoursStart"=dword:00000007
"ActiveHoursEnd"=dword:00000013
"SetAutoRestartNotificationDisable"=dword:00000001
"SetUpdateNotificationLevel"=dword:00000001
"UpdateNotificationLevel"=dword:00000002
"ElevateNonAdmins"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc]
"Start"=dword:00000004

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UsoSvc]
"Start"=dword:00000004

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU]
"NoAutoUpdate"=dword:00000000
"UseWUServer"=dword:00000001
"AUOptions"=dword:00000005
"ScheduledInstallDay"=dword:00000007
"ScheduledInstallTime"=dword:00000003
"ScheduledInstallFourthWeek"=dword:00000001
"UseWUServer"=dword:00000001
"NoAutoRebootWithLoggedOnUsers"=dword:00000001
"RescheduleWaitTimeEnabled"=dword:00000000
"RebootRelaunchTimeoutEnabled"=dword:00000000

3. Use this reg file when wanting to re-enable it:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate]
"DoNotConnectToWindowsUpdateInternetLocations"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU]
"NoAutoUpdate"=dword:00000001
"UseWUServer"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc]
"Start"=dword:00000003

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UsoSvc]
"Start"=dword:00000004

4. Reboot after each one potentially.
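
Added example, not part of the original posts: a PowerShell check to run on a clone that reports drift from the reg file in the post above, which helps show when a service has been switched back on. The function name Test-UpdateLockdown is hypothetical; registry paths and expected values are copied from that post, and Start=4 for wuauserv is assumed from step 1.

```powershell
# Added example: expected values come from the "disable" reg file in the post above.
# Start = 4 means the service is disabled; 3 means Manual.
$wuPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$services = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$expected = @(
    @{ Path = $wuPolicy;               Name = 'WUServer';       Value = 'https://donotinstallupdates.notHere' }
    @{ Path = $wuPolicy;               Name = 'WUStatusServer'; Value = 'https://donotinstallupdates.notHere' }
    @{ Path = $wuPolicy;               Name = 'DoNotConnectToWindowsUpdateInternetLocations'; Value = 1 }
    @{ Path = "$wuPolicy\AU";          Name = 'UseWUServer';    Value = 1 }
    @{ Path = "$services\wuauserv";    Name = 'Start';          Value = 4 }  # assumed from step 1
    @{ Path = "$services\WaaSMedicSvc"; Name = 'Start';         Value = 4 }
    @{ Path = "$services\UsoSvc";      Name = 'Start';          Value = 4 }
)

function Test-UpdateLockdown {
    param([Parameter(Mandatory)][array]$Expected)
    foreach ($item in $Expected) {
        try {
            $actual = Get-ItemPropertyValue -Path $item.Path -Name $item.Name -ErrorAction Stop
        } catch {
            # Key or value is absent, which also counts as drift.
            $actual = '<missing>'
        }
        [pscustomobject]@{
            Key      = $item.Path
            Name     = $item.Name
            Expected = $item.Value
            Actual   = $actual
            Drifted  = ($actual -ne $item.Value)
        }
    }
}

$report = Test-UpdateLockdown -Expected $expected
$report | Format-Table -AutoSize | Out-String | Write-Output

# Registry start type and live state can disagree (a disabled service may still
# be running until reboot), so show the running state as well.
Get-Service -Name wuauserv, WaaSMedicSvc, UsoSvc |
    Select-Object Name, Status, StartType |
    Format-Table -AutoSize | Out-String | Write-Output

# Non-zero exit code lets a logon script or monitoring agent flag the clone.
if ($report.Drifted -contains $true) { exit 1 }
```

Run it from an elevated session; comparing its output right after a rebuild and again after a user session shows which value was changed back and when.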
We use VMware OS Optimization tool to disable Windows updates and also make sure that the service is disabled and this has worked so far.
Thank you, we will look into trying that as nothing else seemed to help. I'm also thinking of maybe just using an actual WSUS for Master images and then doing a dummy OU in it for clones and not allowing any updates.
We tried that and it appears that eventually the Windows Update service is running along with Module Installer, and updates are getting applied on user sessions.
Hello,
Same problem for us with Windows 10 22H2. The Windows Update services start under the users' sessions.
Has anyone found something that really works?
Thank you,
Fred