Confirming the Wushowhide technique for blocking forced Win10 updates

I have a comment from ch100 that I wanted to elevate to its own post. He says:

Woody is right! I did the test in a ‘controlled’ environment using the WSUS approval mechanism and before Windows 10 had a chance to search for updates, I ran wushowhide. When launching the utility, in the background it launches svchost.exe which I am certain is the same svchost.exe process under which Windows Update runs. So this means that Windows Update is launched by wushowhide to scan for potential updates without installing them. This looks more and more like the old (Windows 7) Windows Update in which you could hide or select updates to be installed, although it is likely that it uses a different mechanism in the background.

Now I am questioning the practicality of this finding. It appears that if the Windows 10 OS is shut down, at short time after boot will run Windows Update. There is a built in Scheduled Task for this purpose. If any updates are available at that time, they get automatically installed without any chance to intercept them.

The only working scenario for our purpose is to block the updates during the likely period in which they are released which is the Patch Tuesday and sometimes another round of patches 2 weeks after, run wushowhide and wait for few days until there is enough proof that they are reliable and only after that unhide them and allow Windows Update to complete. The only way this would work is to set the Group Policy or Registry to Never Check for Updates or maybe Notify Only while hiding the updates which are not yet desired to be installed. Disabling the Windows Update service would not work as this would not allow wushowhide to run the update process.

Fascinating finding for understanding how this works, however it is a bit complicated to be put in practice as a regular routine.

I am waiting for other posters here to confirm the same findings maybe using a different method, not via WSUS but Windows Update online site and allow Woody to correlate the findings from all of us to draw the conclusions.

Yep, I’m working on an article for InfoWorld – and welcome any input. (Let me know if I can quote you and, if so, whether I can use your name.)

It looks like Wushowhide does block updates, as long as it is applied before Windows Update gets its jaws on the patch. That’s a revelation to me, but everything I’ve seen points to a resounding success.

The next step in the approach — I’m going to call it the Carboni Technique — involves blocking Windows Update. I’m very, very concerned about stopping Windows Update for a host of reasons, but blocking Windows Update (and running it manually when you need new patches) seems to be doable, and non-destructive.

I’m looking at various ways to block Win10’s Update, and am trying to settle on a way that works for everybody (Win10 Home and Pro alike), without interfering with truly important updates, including Windows Defender, MSRT, and anything else that relies on WU. Noel Carboni recommends using gpedit (which is only available in Win10 Pro) to set the Configure Automatic Updates task to Disabled. There are other ways to turn off Windows Update, and I’m considering them, too.

If you have any specific experience with blocking WU in Windows 10, I’d sure like to hear about it.