VMware Horizon Community
Hoodsie2018
Enthusiast

Can't disable Windows Updates anymore on floating instant clones. KB can't be removed?

We can't disable windows updates anymore?

Recently we updated our win10 image and it pushed down Servicing Stack 10.0.18362.1790. This contains multiple KBs including KB4023057. When it was outside the servicing stack you could uninstall a KB. But Servicing Stacks cannot be uninstalled from what I've read and tried. 

The problem with KB4023057 is that this enables Windows to re-enable windows updates when desired among other things. So now every VDI VM we have is re-enabling the wuauserv service despite the GPO and then downloading and installing patches every rebuild of the VDI VM which is atrocious. We want to update the base image per our schedule and prevent all VDI vms from auto-patching over and over all day as users log off and it rebuilds the VMs. 

Any ideas how to accomplish this now? Thoughts are figuring out which firewall ports to disable to block updates, or DNS entries to zero out with a hosts file to deny updates, or changing permissions somewhere. The problem is that it needs to not be undone by this KB, and it needs to be easily undone when we manually want to update the base image.

Thanks!

0 Kudos
7 Replies
jmacdaddy
Enthusiast

Just curious, what happens if you apply a GPO to the virtual desktops' OU that points Windows Update to a non-existent WSUS server?

0 Kudos
LukaszDziwisz
Hot Shot

Hello,

We are running into exactly the same problem and just wanted to see if you might have found a workaround. We are making sure that Module Installer and Windows Update services are disabled on the Master Image before shutting down the image and snapping it. On top of that we push GPO to all instant clones disabling automatic updates and also using services policies to keep those services disabled (Module Installer, Update Medic and Windows Update) but unfortunately they keep getting turned on and set to Manual and then running. Users are getting them downloaded and installed in their session.

Is there any way to prevent that from happening? 

0 Kudos
Hoodsie2018
Enthusiast

@LukaszDziwisz  - This is what has worked for us on the base image:

1. Set Windows Updates service to disabled. 

2. Run this regex to disable updates plus some other settings and trick it to use a non-existent local WSUS if it gets enabled:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate]
"WUServer"="https://donotinstallupdates.notHere"
"WUStatusServer"="https://donotinstallupdates.notHere"
"UpdateServiceUrlAlternate"=""
"SetProxyBehaviorForUpdateDetection"=dword:00000000
"DoNotConnectToWindowsUpdateInternetLocations"=dword:00000001
"SetComplianceDeadline"=dword:00000001
"ConfigureDeadlineForQualityUpdates"=dword:0000001e
"ConfigureDeadlineGracePeriod"=dword:00000007
"ConfigureDeadlineForFeatureUpdates"=dword:0000001e
"ConfigureDeadlineGracePeriodForFeatureUpdates"=dword:00000007
"SetActiveHours"=dword:00000001
"ActiveHoursStart"=dword:00000007
"ActiveHoursEnd"=dword:00000013
"SetAutoRestartNotificationDisable"=dword:00000001
"SetUpdateNotificationLevel"=dword:00000001
"UpdateNotificationLevel"=dword:00000002
"ElevateNonAdmins"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc]
"Start"=dword:00000004

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UsoSvc]
"Start"=dword:00000004

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU]
"NoAutoUpdate"=dword:00000000
"UseWUServer"=dword:00000001
"AUOptions"=dword:00000005
"ScheduledInstallDay"=dword:00000007
"ScheduledInstallTime"=dword:00000003
"ScheduledInstallFourthWeek"=dword:00000001
"NoAutoRebootWithLoggedOnUsers"=dword:00000001
"RescheduleWaitTimeEnabled"=dword:00000000
"RebootRelaunchTimeoutEnabled"=dword:00000000

3. Use this reg file when wanting to re-enable it:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate]
"DoNotConnectToWindowsUpdateInternetLocations"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU]
"NoAutoUpdate"=dword:00000001
"UseWUServer"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc]
"Start"=dword:00000003

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UsoSvc]
"Start"=dword:00000004

4. Reboot after each one potentially. 

0 Kudos
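
A drift check for the state the post above sets up, as an added example that is not part of the original post or of any VMware or Microsoft tooling: it compares the service Start values and policy values from the first reg file, plus wuauserv from step 1, against the live registry on a clone. The `$expected` table, the choice of which values to check, and the function name `Test-UpdateLockdown` are assumptions of this example.

```powershell
# Added example: report drift from the "updates disabled" baseline in the post.
# Expected values are copied from the first reg file; wuauserv = 4 is step 1
# ("Set Windows Updates service to disabled").
# Service Start values: 2 = Automatic, 3 = Manual, 4 = Disabled.
$svc = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$pol = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$fakeWsus = 'https://donotinstallupdates.notHere'

$expected = @(
    @{ Path = "$svc\wuauserv";     Name = 'Start';          Value = 4 }
    @{ Path = "$svc\WaaSMedicSvc"; Name = 'Start';          Value = 4 }
    @{ Path = "$svc\UsoSvc";       Name = 'Start';          Value = 4 }
    @{ Path = $pol;                Name = 'WUServer';       Value = $fakeWsus }
    @{ Path = $pol;                Name = 'WUStatusServer'; Value = $fakeWsus }
    @{ Path = $pol; Name = 'DoNotConnectToWindowsUpdateInternetLocations'; Value = 1 }
    @{ Path = "$pol\AU";           Name = 'UseWUServer';    Value = 1 }
)

function Test-UpdateLockdown {
    foreach ($e in $expected) {
        # A missing key or value yields $null, which is reported as drift.
        $item = Get-ItemProperty -Path $e.Path -Name $e.Name -ErrorAction SilentlyContinue
        $actual = if ($null -ne $item) { $item.($e.Name) } else { $null }
        [pscustomobject]@{
            Key      = $e.Path
            Name     = $e.Name
            Expected = $e.Value
            Actual   = $actual
            Drifted  = ($actual -ne $e.Value)
        }
    }
}

$report = Test-UpdateLockdown
$report | Format-Table -AutoSize

# Running state shows whether a service was started despite its Start value.
# TrustedInstaller is the service name of Windows Modules Installer.
Get-Service -Name wuauserv, UsoSvc, WaaSMedicSvc, TrustedInstaller -ErrorAction SilentlyContinue |
    Select-Object Name, Status, StartType | Format-Table -AutoSize

# Non-zero exit code lets a scheduled task or monitoring agent flag the clone.
if ($report.Drifted -contains $true) { exit 1 }
```

Run on a clone after logon, a `Start` value of 3 where 4 is expected is the "set to Manual and then running" behaviour that other replies in this thread report.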
Jubish-Jose
Hot Shot

We use VMware OS Optimization tool to disable Windows updates and also make sure that the service is disabled and this has worked so far. 


-- If you find this reply helpful, please consider accepting it as a solution.
0 Kudos
LukaszDziwisz
Hot Shot

Thank you, we will look into trying that as nothing else seemed to help. I'm also thinking of maybe just using an actual WSUS for Master images and then doing a dummy OU in it for clones and not allowing any updates.

0 Kudos
LukaszDziwisz
Hot Shot

We tried that, and it appears that eventually the Windows Update service is running along with Module Installer, and updates are getting applied on user sessions.

0 Kudos
FredericLOUKA
Contributor

Hello,

Same problem for us with Windows 10 22H2. The Windows Service Updates start under the users' sessions...

Has anyone found something that really works?

Thank you,

Fred

0 Kudos