Something has changed in 1803 and disabling the windows update service in the master image doesn't stick when logging into the linked clone. I've seen the service turn back to Manual (Triggered) and that kind of makes me think eventually Windows Updates will scan. I've gone ahead and added some registry hacks, but has something changed in this version that I am unaware of? Anyone know how to turn it off completely? I only want to enable it when I patch.
One thing you can try is setting the following Services to Disabled aswell
Windows Modules Installer
Background Intelligent Transfer Service
We found with these services set to manual windows would re-enable the Windows Update service just like you are experiencing.
are you windows 10 pro? it seems MS has made it so those settings are worthless now in pro. Been fighting this for months. Working on using sccm to control this now
I am running 1607 LTSB and after one of the security rollup packages was installed I started experiencing this issue as well. I fought it for weeks and the way I finally got it to stick was by creating a group policy that disables the service.
The windows module installer is a big one, set that to disabled, I see the same thing in a versions of windows. If you didable it doesn't mater if the windows update service starts. I did find this tibit the other day
Reduce App Volumes Login Time on Windows 10
It suggests disabling the window module service to improve logon times.
I've used this in the past to ensure Windows updates are disabled on gold images.
sc config wuauserv start= disabled
net stop wuauserv
sc config bits start= disabled
net stop bits
sc config dosvc start= disabled
net stop dosvc
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update" /v AUOptions /t REG_DWORD /d 1 /f
Welcome to Windows 10 - where updates are now forced! I believe Microsoft enabled this “feature“ around end of 2017. Easiest way to stop this is set the service to disabled and set the account to .\guest (use a fake/random password). When it tries to flip it back to manual and start, it fails. An error will get triggered in the event logs, but this is an easy method I found to stop this.
Disable the Windows Update Medic Service like this (run as administrator):
PowerShell
Set-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc -Name Start -Type DWord -Value 4
Command line
reg ADD HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /v Start /t REG_DWORD /d 4 /f
You can't disable it normally through services.msc, but that registry entry works.
Fully disable Windows Update with PowerShell:
Set-Service wuauserv -StartupType Disabled
Stop-Service wuauserv -Force
Set-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc -Name Start -Value 4
Get-ScheduledTask -TaskPath "\Microsoft\Windows\UpdateOrchestrator\" | Disable-ScheduledTask
Get-ScheduledTask -TaskPath "\Microsoft\Windows\WindowsUpdate\" | Disable-ScheduledTask