• Help me test a method for blocking Windows 10 forced updates

    #46540

    Check InfoWorld Woody on Windows for details. If you’d like to join in, here’s what to do: Step 1: Go to KB 3073930 and download Microsoft’s Wushowhid
    [See the full post at: Help me test a method for blocking Windows 10 forced updates]

    • #46541

      Woody
      Is there something wrong with that update ?
      P.S. I’m a reader of yours from the Windows Secrets Newsletter, too.
      I also follow your Ask Woody feed in Feed Demon (even though it’s a dead program, it still works in Windows 10).

    • #46542

      Nope. Nothing wrong at all (as far as I know) with the Cumulative Update that I expect to land today.

      The last Cumulative Update had problems – I’ll be working on a more detailed post shortly.

    • #46543

      Very true that the last CU had problems. This was the first time I got a delayed and non-notified failure to install since upgrading to Windows 10. I am not interested in seeing anything like that happen again this month, so I’ll take a pass on your experiment, Woody.

    • #46544

      Ah, but if today’s CU has the same problems as the last CU, KB 3140743, by following this trick you could wait for Microsoft to fix it.

      FWIW, I expect that today MS will fix the many problems in KB 3140743. There are many more problems with it than just the lousy Xbox One Controller driver problem I talked about.

    • #46545

      Will attempt to try (redundancy) it next build on Tech Preview – at least put it off a couple of days. I have Pro, so I really have a way to delay already.

    • #46546

      OK, I’m happy using the metered connection trick, so it’s not that I don’t want to help, it’s just that, at my age, a sure thing is better than a gamble. 😀

    • #46547

      Got it set up, turned off metered connection. Let u know tomorrow. Fingers crossed

    • #46548

      I hid KB 3140768 but later when I needed to restart, it installed. No longer showing as hidden

    • #46549

      @woody, I will do the test in a few days on Pro. Like other users here, I can delay indefinitely via Group Policy, so no patch will get applied unless I will allow it. While at first thought I assumed that only the Home Edition users will be assisted by this method if it works, in fact all users can be assisted by selectively approving or better said blocking updates. The Group Policy by itself, unless it works with something like WSUS, cannot selectively apply patches, only blocking either all or none.

    • #46550

      Precisely.

    • #46551

      I may not know how to use wsusonhide correctly. Here is what I get. With the Win 10 Pro computer pointing to WSUS and no March 2016 update approved, when running wsusonhide it shows that there is nothing to block. I think the intended use is to first install the undesired patch, uninstall and block or block and uninstall. Can someone clarify please?

    • #46552

      Sorry, I got the name of the utility wrong, it is obviously about wushowhide.diagcab.

    • #46553

      That’s what I originally saw – I could only block an update in this order:

      1. The update gets installed
      2. I manually uninstalled the update
      3. Before rebooting, I used wushowhide to hide the update

      It’s looking more and more like wushowhide will work without Steps 1 and 2 above – as long as you get the timing right.

      You say “no March 2016 update approved” – and I’m curious how you’d approve a Win10 update…

    • #46554

      I have mode “2” set via Group Policy on Pro, notify-only. This at least works sometimes: I get a list of available updates and a button to download and install. Sometimes it appears not to work. I currently believe it works when Windows Update checks automatically, but if I check for updates manually and any are found, WU will proceed to download and install them. It will take some trial and error to nail that behavior down, though.

      By the time I got home, WU was already listing the “Patch Tuesday” updates. I used wushowhide to hide the cumulative update and that seemed to operate as expected, showing the CU on the hidden list. However, this did not remove it from WU’s list of waiting updates, and when I clicked the button to download and install, the CU install still happened. It seems that once WU has checked for and seen an update, it’s past the point of checking the hidden list.

      Automatic Forced Updates are my #1 Windows 10 dissatisfier by a wide margin. I don’t particularly mind automatic notification but actually have a slight bias toward checking manually. Then I want to be able to manually select what to download and start the downloading manually. I additionally want to be able to start the subsequent installation manually as a separate step. (WU has always mashed the download/install steps together.) The reason is that I’m a fairly-active manager of the computer and know when is a good time to have things downloading and when is a good time to have things installing to minimize possible disruptions to those times.

    • #46555

      @woody Thank you for confirming the procedure. I will try to approve the March 2016 Windows 10 CU and either beat it on timings or uninstall and use the standard procedure for hiding. The advantage to using the WSUS approval process is that I can accurately predict when the patch will be pushed to my test computer.
      To answer the other part of your reply.
      In WSUS, which is a kind of Microsoft Update offline, only the WSUS administrator approved updates are presented to Windows Update applet/app either while scanning manually or when installed automatically. The updates can be in one of those states: Not approved which is default, Approved for Install or Declined. Declined is something that is happening for example for pulled updates, but it is possible, not advisable to decline updates manually. Otherwise updates get declined by a WSUS built-in cleanup process which needs to be run manually and more recently can be scheduled through PowerShell, although this is not widely known or publicised.
      There is no difference in WSUS between Windows 7, other Operating Systems or Windows 10. I don’t really know if Home Editions can be managed by WSUS as it is not intended, but by configuring the relevant Registry keys I assume that is possible.
      Generally speaking WSUS comes as part of one of the Server Operating Systems and the configuration to point to the WSUS server instead of Microsoft/Windows Update is done in Group Policy, either in a domain or can be done for standalone small test environments without a domain in Local Group Policy. There are evaluation versions of the current server operating systems for download from the Microsoft web sites.

    • #46556

      @dwh ‘but if I check for updates manually and any are found, WU will proceed to download and install them’

      Unfortunately the behaviour just described is correct in Windows 10. Not much can be done at this stage unfortunately, other than either hiding updates with wushowhide or using a fully managed server which is overkill for most end users. Or using the same Group Policy and entirely disable Windows Update which has as side effect disabling the Defender updates which is not recommended for obvious reasons, unless for a very limited period.

    • #46557

      Woody is right! I did the test in a ‘controlled’ environment using the WSUS approval mechanism and before Windows 10 had a chance to search for updates, I ran wushowhide. When launching the utility, in the background it launches svchost.exe which I am certain is the same svchost.exe process under which Windows Update runs. So this means that Windows Update is launched by wushowhide to scan for potential updates without installing them. This looks more and more like the old (Windows 7) Windows Update in which you could hide or select updates to be installed, although it is likely that it uses a different mechanism in the background.
      Now I am questioning the practicality of this finding. It appears that if the Windows 10 OS is shut down, a short time after boot it will run Windows Update. There is a built in Scheduled Task for this purpose. If any updates are available at that time, they get automatically installed without any chance to intercept them.
      The only working scenario for our purpose is to block the updates during the likely period in which they are released which is the Patch Tuesday and sometimes another round of patches 2 weeks after, run wushowhide and wait for a few days until there is enough proof that they are reliable and only after that unhide them and allow Windows Update to complete. The only way this would work is to set the Group Policy or Registry to Never Check for Updates or maybe Notify Only while hiding the updates which are not yet desired to be installed. Disabling the Windows Update service would not work as this would not allow wushowhide to run the update process.
      Fascinating finding for understanding how this works, however it is a bit complicated to be put in practice as a regular routine.
      I am waiting for other posters here to confirm the same findings maybe using a different method, not via WSUS but Windows Update online site and allow Woody to correlate the findings from all of us to draw the conclusions.
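
Added example, not part of any post in this thread: a PowerShell sketch of the scan-then-hide sequence discussed above, using the documented Windows Update Agent COM API (whether wushowhide uses the same mechanism is not stated in the thread). The function names and the placeholder KB number are hypothetical, and it assumes an elevated session.

```powershell
# Added example (not from the thread). Run in an elevated PowerShell session.
# Uses the Windows Update Agent COM API; the function names are hypothetical.

function Get-AUPolicy {
    # AUOptions = 2 is the notify-only mode mentioned in the thread (Group Policy on Pro).
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
    $p = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    [pscustomobject]@{
        PolicyPresent = [bool]$p
        AUOptions     = $p.AUOptions
        NoAutoUpdate  = $p.NoAutoUpdate
    }
}

function Find-Update {
    param([bool]$Hidden = $false)
    $session  = New-Object -ComObject Microsoft.Update.Session
    $searcher = $session.CreateUpdateSearcher()
    # Search() only scans and returns metadata; it does not download or install.
    $flag = [int]$Hidden
    $searcher.Search("IsInstalled=0 and IsHidden=$flag").Updates
}

function Set-UpdateHidden {
    param(
        [Parameter(Mandatory)][string]$KB,   # KB number taken from the scan output
        [bool]$Hidden = $true
    )
    $id = $KB -replace '^KB', ''
    # To hide, look among visible updates; to unhide, look among hidden ones.
    foreach ($u in (Find-Update -Hidden (-not $Hidden))) {
        if (@($u.KBArticleIDs) -contains $id) {
            try {
                $u.IsHidden = $Hidden
                Write-Output ('{0}: IsHidden={1}' -f $u.Title, $u.IsHidden)
            } catch {
                # Some updates (for example mandatory ones) refuse the change.
                Write-Warning ('Could not change {0}: {1}' -f $u.Title, $_.Exception.Message)
            }
        }
    }
}

# Sequence: confirm the policy, list what a scan finds, then hide one KB.
Get-AUPolicy
Find-Update | ForEach-Object {
    '{0,-12} {1}' -f ((@($_.KBArticleIDs) | ForEach-Object { "KB$_" }) -join ','), $_.Title
}
# Set-UpdateHidden -KB 'KB0000000'   # placeholder; replace with a KB from the list
```

To reverse the hide later, call `Set-UpdateHidden` with `-Hidden $false` for the same KB.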

    • #46558

      All that means is that I can’t check for available updates which WU’s scheduled scanning hasn’t noticed yet. On reflection, wushowhide might be another way to check (run its hide-updates function far enough to get its list of candidates then cancel), rather than by clicking WU’s check-for-updates button.

      Ah, but I have Defender disabled via Group Policy because I run a different AV and don’t think it’s a great idea to have multiples running. In fact, it’s my hypothesis that the “real” reason for W10’s forced updates came from MS’s decision to force Defender and realizing Defender’s dependence on WU to deliver its updates meant allowing customers a way to delay them was to allow customers to let Defender’s virus data to get correspondingly stale, making for a compromise of security. (BTW, I think forcing Defender is going to kill off the perfectly viable third-party AV business, directly analogously to the way bundling IE into Windows so damaged the Netscape browser business. With things like the W10 Store, I think customer choice could be preserved instead these days.)

    • #46559

      Wow, that’s pretty low. KB3139929 wrapping Win10 ads into IE. If Microsoft does this what else are they doing? At what point is trust completely eroded? Where do you draw the line? I may consider just not applying updates any longer and no longer letting my machine access the internet except for services I may require on the last windows box I have.

    • #46560

      You don’t have to cancel as wushowhide does not install anything, just does scanning and allows you to hide according to preference.
      WU instead starts installing immediately after scanning if any updates are found.
      In regards to Defender, it is a bit weird that it does not have its own mechanism to update decoupled from updating of the OS. There may be a case for forced updates only for Defender but nothing else.

    • #46561

      Actually, the February CUs were at least two in number. One never installed in either of my devices. It looks like that one was replaced with a different KB Number late in February, and this was the Feb 2016 CU version which finally installed — after a Platform Stability Update — in my pre-March-Patch Tuesday updating exercises on both devices.

      I can email exact details from the Updates Histories of both devices as to just what happened and when. I think you have my email address on file.

      This was positively weird, as you say.

      But with a Flash Player update for Edge and IE 11 on the way, I want that without the March Win 10 CU patch.

      I may try wushowhide pre-emptively and see if that works, if there is further confirmation that this method (along with Metered Connection) actually works to selectively download and install just one desired patch without downloading and installing a big, untested CU along with it.

    • #46562

      That’s the problem. There is no “one desired patch.” With rare exception, Win10 patches come in huge gobs. Many moons ago, Win10 had a few small patches (primarily drivers). In recent history, it’s all been jumbled together – security, non-security, bug fixes.

      http://www.infoworld.com/article/3032186/microsoft-windows/why-windows-10-users-should-care-about-the-azerbaijani-manat.html
