Block Windows 10 forced updates without breaking your machine, part 2

If you’re using Windows 10, you’re well aware that your PC gets security and nonsecurity updates pushed by Microsoft. (Systems sitting behind Update servers such as WSUS and SCCM aren’t as exposed.) While there haven’t been any major problems with Windows 10 cumulative updates breaking large numbers of PCs, I believe we’re living on borrowed time. PC Armageddon will come, and I’m convinced it’ll have “Win10 Cumulative Update” written all over it.

A month ago, I asked for volunteers to test whether Microsoft’s Wushowhide utility works to block specific updates. The experiment was a resounding success. It led to my recommendation last month that Windows 10 customers employ a combination of the metered connection trick and Microsoft’s Wushowhide utility to control precisely which Windows 10 updates are applied and when. I also showed how metered connections can stall the updates temporarily, while Wushowhide lets you then take full control.

Now I’d like to invite you to participate in part 2 of this experiment. 

This time the objective is to come up with a simple procedure that any Windows 10 customer can use to block updates until the owner’s darn good ‘n ready to let ’em rip. So far, knock on wood, Microsoft hasn’t had any horrible Windows 10 cumulative updates. But if the history of Window, and Microsoft’s increasing problems with Office Click-to-Run are any indication, it’s only a matter of time before really bad things happen.

There are tricks for making Win10 think your Ethernet connection is Wi-Fi and to using metered connection throttling on PCs hardwired to the Internet. There also are ways to turn off Windows Update completely. But I’m not comfortable recommending either approach. There’s a better way.

Noel Carboni, a frequent contributor on AskWoody.com and longtime Windows guru, has put together a method that very specifically blocks automatic installations of updates by flipping a couple of entries in the registry or, equivalently, making one change in group policy. With “Configure Automatic Updates” disabled, Win10 will continue to see updates as they’re made available, but it won’t install them automatically. You’ll have to install them manually.

I’m guessing that Microsoft will release another cumulative update for Windows 10 next Tuesday. In preparation for that event, I’d like you to join me in this experiment:

Step 1: Go to KB 3073930 and download Microsoft’s Wushowhide tool. (Click the link marked “Download the ‘Show or hide updates’ troubleshooter package now.”) Drag the downloaded file, Wushowhide.diagcab, to any convenient location. If you participated in the earlier crowdsourced experiment, you’ve already done that.

Step 2A: If you’re running Win10 Pro, run the Group Policy editor. In the Cortana search box type

gpedit.msc

Then press Enter. If you get bogus warnings about duplicate Namespaces, click OK. On the left, under Computer Configuration, click Administrative Templates > Windows Components > Windows Update. On the right, double-click Configure Automatic Updates. At the top, choose Disabled, click OK, and close out of the Group Policy editor. Reboot to make sure the new setting took.

Step 2B: If you’re running Win10 Home, you don’t have gpedit.msc. Not to worry — you can accomplish the same thing by editing the Registry or, much easier, by downloading and running Noel Carboni’s ConfigureAutomaticUpdates tool. You may get a warning that the tool “is not commonly downloaded” (it’s a brand-new tool). If so, choose to Keep it. Run the tool and switch Configure Automatic Updates to disabled.

In either case, your computer should now have these two registry settings:

[HKEY_LOCAL_MACHINESOFTWAREPoliciesMicrosoftWindowsWindowsUpdateAU] “NoAutoUpdate”=dword:00000001

 [HKEY_LOCAL_MACHINESOFTWAREWOW6432NodePoliciesMicrosoftWindowsWindowsUpdateAU] “NoAutoUpdate”=dword:00000001

If you’d rather fiddle with the registry yourself, go right ahead — both Gpedit and ConfigureAutomaticUpdates only exist to make the change easier for you.

Step 3: When the cumulative update comes out (presumably on Tuesday afternoon or evening), double-click on Wushowhide.diagcab to run it. Click the link marked Advanced. Uncheck the box marked “Apply repairs automatically.” Click Next.

Step 4: Wait for Wushowhide to look for all of the pending updates on your system. When it comes up for air, click Hide Updates. There should be a box marked “Cumulative Update for Windows 10 Version 1511 for x64-based Systems (KB xxxxxxx)” or something similar. Check that box, click Next, and close out of Wushowhide.

At this point, the cumulative update should not be visible to Windows Update: If you click Start > Settings > Update & security, then Check for Updates, that cumulative update should not appear on the updates list and should not be installed on your system.

More than that, Windows Update should continue to do its thing with Windows Defender patches (which don’t require your manual approval). I’m not aware of any side effects to disabling “Configure Automatic Updates,” other than blocking updates that deserve further scrutiny.

Step 5: Please post your results here in the comments, or on AskWoody.com.

If at any point you want to apply the cumulative update, here’s how.

Step 1: Run Wushowhide. Click the link marked Advanced. Uncheck the box marked “Apply repairs automatically.” Click Next. Win10 goes out and looks for available patches, as well as hidden patches.

Step 2: Click Show Hidden Updates. You should see the April 12 cumulative update in the list.

Step 3: Check the box marked “Cumulative Update for Windows 10 Version 1511 for x64-based Systems (KB3140768)” and click Next. Wushowhide will tell you that it “Fixed” the “Problems found” — which means the KB has been unhidden. Click Close.

Step 4: Go back into Windows Update (Start > Settings > Update & security, then Check for Updates). Windows will find the Cumulative Update and install it for you.

If you want to turn Automatic Update back on, that’s easy too.

Step 1A: If you’re running Win10 Pro, run the Group Policy editor. In the Cortana search box type

gpedit.msc

Then press Enter. If you get bogus warnings about duplicate Namespaces, click OK. On the left, under Computer Configuration, click Administrative Templates > Windows Components > Windows Update. On the right, double-click Configure Automatic Updates. At the top, choose Not Configured, click OK and close out of the Group Policy editor.

Step 1B: If you’re running Win10 Home, run Noel Carboni’s ConfigureAutomaticUpdates tool. You may get a warning that the tool “is not commonly downloaded” — it’s a brand-new tool. If so, choose to Keep it. Run the tool and switch Configure Automatic Updates to Not Configured, click OK.

Step 1C: If you want to tackle it by hand, you can delete the NoAutoUpdate Registry settings:

[HKEY_LOCAL_MACHINESOFTWAREPoliciesMicrosoftWindowsWindowsUpdateAU] “NoAutoUpdate”

 [HKEY_LOCAL_MACHINESOFTWAREWOW6432NodePoliciesMicrosoftWindowsWindowsUpdateAU] “NoAutoUpdate”

In either case, reboot and Win10 should go back to its forced-updating ways.

I’ve been running this combination for several weeks — through the release of build 10586.164 last month — and it works. I haven’t seen any side effects, and the rollback steps work without a hitch.

It’s time to take it up a notch. Let’s see if we can safely throttle Windows 10’s updating ways on a large scale using Microsoft’s own tools.