
Windows Update service re-enabling itself?

Hello,

At work we typically go about disabling Windows Update via disabling the service so our WAN bandwidth doesn't get nuked (we don't have a ton of bandwidth, and we prefer to push updates to devices with a Dell KACE appliance). We aren't sure why... but it mysteriously re-enables itself eventually on some of our users' devices.

Our network is pretty simple... no Active Directory or anything, so in general we set up devices manually.

Is there a way we can ensure Windows Update stays disabled on these machines? Is there something we can block at the network level to resolve this? I found this: https://superuser.com/questions/363120/block-access-to-windows-update

But I'm not 100% sure that will work; the post is a little old anyway.

"If a Lobster is a fish because it moves by jumping, then a kangaroo is a bird" - Admiral Paulo de Castro Moreira da Silva

"There is nothing more difficult than fixing something that isn't all the way broken yet." - Author Unknown

Spoiler

Intel Core i7-3960X @ 4.6 GHz - Asus P9X79WS/IPMI - 12GB DDR3-1600 quad-channel - EVGA GTX 1080ti SC - Fractal Design Define R5 - 500GB Crucial MX200 - NH-D15 - Logitech G710+ - Mionix Naos 7000 - Sennheiser PC350 w/Topping VX-1

Link to comment
https://linustechtips.com/topic/873204-windows-update-service-re-enabling-itself/

If I recall correctly (something to look into is what I am saying, as it has been a very long time since I worked in IT), you need to have your system on a domain, and then Windows Server will handle the updates (download once and deploy to all systems). You can delay/validate updates.

Alternatively, you can set up your enterprise firewall to block the IPs of Windows Update and Microsoft servers. But you'll need to re-enable them to allow updates to pass.

I don't think there is any other way. You can try to set up software that loops, checking the Windows Update service, and kills it the moment it starts up, but now you are starting to affect your system performance, and you have to go to each system to disable it to allow updates.

Link to post

1 hour ago, GoodBytes said:

If I recall correctly (something to look into is what I am saying, as it has been a very long time since I worked in IT), you need to have your system on a domain, and then Windows Server will handle the updates (download once and deploy to all systems). You can delay/validate updates.

Alternatively, you can set up your enterprise firewall to block the IPs of Windows Update and Microsoft servers. But you'll need to re-enable them to allow updates to pass.

I don't think there is any other way. You can try to set up software that loops, checking the Windows Update service, and kills it the moment it starts up, but now you are starting to affect your system performance, and you have to go to each system to disable it to allow updates.

Hmmm... if we point all the PCs to use a "WSUS" server that ISN'T there with local group policies... would that effectively prevent the PCs from checking for/downloading updates through Microsoft? I mean, it would of course fail to connect to the WSUS server, but would it just keep trying there instead of connecting to Microsoft in the case of the service being re-enabled somehow?

I'm still confused as to why it's re-enabling itself in the first place... from what I read online, that shouldn't happen if it is appropriately stopped and marked as "disabled" from the services menu within Windows.

Kind of not the best workaround, but we don't have a WSUS server at the moment (we will eventually)... just an idea.

Edit: apparently you can just delete the .dll that Windows Update runs on? Seems a little sketchy... but if it works lol? https://superuser.com/questions/1058487/permanantly-delete-bits-annd-windows-update-services-in-windows-10

Link to post
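
An added example, not posted by anyone in this thread: a read-only PowerShell audit that reports the Windows Update service's start mode, the WSUS-related policy values the post above asks about, and the System-log events that record when the service's start type was changed and under which account. The function names are illustrative, and the match on the English service display name is an assumption.

```powershell
# Added example: read-only audit, run from an elevated PowerShell prompt.
# Nothing here changes service or policy state.

function Get-WuServiceState {
    # Configured start mode and current state of the Windows Update service.
    Get-CimInstance -ClassName Win32_Service -Filter "Name='wuauserv'" |
        Select-Object Name, StartMode, State
}

function Get-WuPolicy {
    # Registry values written by the "Specify intranet Microsoft update
    # service location" and "Configure Automatic Updates" policies.
    # A missing key or value is reported as empty.
    $base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    $wu = Get-ItemProperty -Path $base -ErrorAction SilentlyContinue
    $au = Get-ItemProperty -Path "$base\AU" -ErrorAction SilentlyContinue
    [pscustomobject]@{
        WUServer       = $wu.WUServer
        WUStatusServer = $wu.WUStatusServer
        UseWUServer    = $au.UseWUServer
        NoAutoUpdate   = $au.NoAutoUpdate
    }
}

function Get-WuStartTypeChanges {
    param([int]$Days = 30)
    # Service Control Manager event 7040 records each start-type change.
    # Assumption: the message carries the English display name
    # "Windows Update"; adjust the match on localized systems.
    $filter = @{
        LogName      = 'System'
        ProviderName = 'Service Control Manager'
        Id           = 7040
        StartTime    = (Get-Date).AddDays(-$Days)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -like '*Windows Update service*' } |
        Select-Object TimeCreated, @{ n = 'User'; e = { $_.UserId } }, Message
}

Get-WuServiceState | Format-List
Get-WuPolicy | Format-List
Get-WuStartTypeChanges -Days 30 | Format-List
```

The `User` column is the SID the change was made under, which separates a change made by the system from one made by a signed-in administrator.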

This happened to me today! I had everything off for months; now I log in to my PC today and it says I have updates waiting to install? I had to manually re-disable everything from event logs to regedit... fucking pathetic, nice going Microsoft.

Link to post

1 minute ago, MxZeal said:

This happened to me today! I had everything off for months; now I log in to my PC today and it says I have updates waiting to install? I had to manually re-disable everything from event logs to regedit... fucking pathetic, nice going Microsoft.

Well, it is because people block updates when they should not. So, now, they are forced. A safer web experience for everyone is welcome.

Link to post

2 minutes ago, GoodBytes said:

Well, it is because people block updates when they should not. So, now, they are forced. A safer web experience for everyone is welcome.

Guess this means they are basically forcing businesses to buy Windows Server and use WSUS, huh?

 


Link to post

31 minutes ago, bcredeur97 said:

Guess this means they are basically forcing businesses to buy Windows Server and use WSUS, huh?

Beside if you are a small company (startup - type of size), where you have a few computers, you should have a Windows Server, domain-joined systems, and a server that backs up all company servers, and maybe, depending on the number of systems, look into Volume Licensing. This is really because, well, besides controlling updates including certifying them, you can run enterprise A/V solutions, which tend to be better than consumer ones and provide full reports (if you care), manage backups, as mentioned, and also allow employees to take any system, log in, and resume their work. This is great if a system is down or the employee goes into a board room where there is a central/podium PC (which is a possible setup if the company doesn't work with laptops but instead desktops), etc.

All I am saying is that you should start looking into all this, even if the Windows Update service would have remained disabled. I mean, it is not realistic (in my opinion) that you need to go to all your computers and start enabling Windows Update, update them, restart, check for more updates, and then, when all is done, disable it again. I think you can put your resources (basically, your time) to better use (training, support, etc.).

Link to post

What you can do is, in Windows 10, set a bandwidth limit for Windows Update, reducing the load on your network.

Go to Settings > Update & Security > Windows Update > Advanced Options > Delivery Optimizations > Advanced Options.

Don't forget also to set up the Active Hours (Settings > Update & Security > Windows Update > Change active hours), so that updates don't trigger at the worst time possible.

You can also turn on an option to show a warning before the system restarts, giving the user the option to delay the installation of an update or restart now, so that they do it when their day is over, or at lunch, or whenever they want, and not while they work (see "Advanced options").

Link to post