Why not Disable Windows Update?

Topic

New Reply

I’ve just finished upgrading a Dell Latitude e5450 from Win 8.1 pro to Win 10 pro. It works fine except that it doesn’t seem to know whether or not it’s connected to the internet even though it definitely is, and Windows Update can’t check for or download updates.

I’ve easily overcome this by simply determining what updates/patches I need, going to the MS Catalog, downloading them and installing them manually one at a time.

So my question is why not go to Services, choose Windows Update, and Disable the service. Then I don’t have to worry about pausing, deferring, etc, or having a handful of updates all getting installed at the same time, effectively shutting my computer down for 20 to 30 minutes. Regardless of any messages to the effect that I can keep using my computer while the installation occurs, the installation does in fact bog down the system (and it does for all 3 of the Win 10 computers I maintain, all of which have SSDs and have 4GB, 8GB, and 32GB RAM). This was the least stressful updating experience I’ve had with Win 10.

So my question is why not Disable the Windows Update service and update as I’ve outlined above? Am I missing some significant drawback or pitfall or … whatever?

Reply | Quote

Replies

If you disable Windows Update Service can you still use Windows Update Service to install updates manually?

1 user thanked author for this post.

DrBonzo

Reply | Quote

PKCano wrote:

If you disable Windows Update Service can you still use Windows Update Service to install updates manually?

Well, not by using a disabled Windows Update service… but you can by using DISM in an elevated console (CMD or PowerShell).

To test this I clean installed Windows 10 Pro 21H2 (19044.1766) from a ‘Media Creation Tool’-created USB stick, disabled the Windows Update service then tried to manually install the CAB file for a Windows Update I knew was missing, i.e. 2022-03 Dynamic Update for Windows 10 Version 21H2 for x64-based Systems (KB5011577).

Worked perfectly.

Hope this helps…

3 users thanked author for this post.

Kirsty, DrBonzo, PKCano

Reply | Quote

DrBonzo wrote:

I’ve easily overcome this by simply determining what updates/patches I need, going to the MS Catalog, downloading them and installing them manually one at a time.

I asked that question because the OP was using this method to update manually. Point being that the methodology for updating must change in that case.
Thanks for providing the alternative.

1 user thanked author for this post.

DrBonzo

Reply | Quote

How is Microsoft Defender affected if Windows Updates are disabled?

On permanent hiatus {with backup and coffee}
offline▸ Win10Pro 2004.19041.572 x64 i3-3220 RAM8GB HDD Firefox83.0b3 WindowsDefender
offline▸ Acer TravelMate P215-52 RAM8GB Win11Pro 22H2.22621.1265 x64 i5-10210U SSD Firefox106.0 MicrosoftDefender
online▸ Win11Pro 22H2.22621.1992 x64 i5-9400 RAM16GB HDD Firefox116.0b3 MicrosoftDefender

1 user thanked author for this post.

DrBonzo

Reply | Quote

geekdom wrote:

How is Microsoft Defender affected if Windows Updates are disabled?

You would probably need to manually update the Defender service/engine but malware definitions should failback to downloading via BITS rather than Update Orchestrator (which requires the Windows Update service). (Works for me…)

Don’t forget that disabling the Windows Update service will invariably invoke the Windows Update Medic Service which will attempt (and keep on attempting) to reset Windows Update service settings back to their untampered defaults.

DrBonzo wrote:

So my question is why not Disable the Windows Update service and update as I’ve outlined above? Am I missing some significant drawback or pitfall or … whatever?

The significant drawback IMO is the time spent researching, manually downloading CAB files from the Microsoft Update Catalog and manually installing them.

The potentially huge pitfall IMO is that you’ll be losing the automation of Update Orchestrator‘s arbiter to manage the most effective order in which to install them (and whether to install them or pause them until a fix comes along).

Hope this helps…

1 user thanked author for this post.

DrBonzo

Reply | Quote

Rick Corbett wrote:

You would probably need to manually update the Defender service/engine but malware definitions should failback to downloading via BITS rather than Update Orchestrator (which requires the Windows Update service). (Works for me…)

I download Defender DEFINITIONS each day when I first get on my Windows 10 Pro computer. I don’t have this problem on my Windows 8.0 Pro machine which has the SAME setting for Windows Updates used in Sergei’s WinAero Tweaker on both machines. Microsoft has tried to thwart Tweaker for many years (I’ve had it since 2012 on two different versions of Windows – 8 Pro and 10 Pro) and partially succeeded a couple of years ago on the version of Windows 10 I had at the time. On Windows 8, disabling Windows Updates in WinAero Tweaker does NOT stop the daily auto updates but I think upgrading to 8.1 Pro does and was one reason I never upgraded that computer. (Of course, it may not be Microsoft still trying to mess with Tweaker on Windows 10 that has caused disabling Windows Updates in Tweaker to stop Defender new definitions from downloading and installing automatically as this started about two years ago immediately AFTER a Windows 10 big update and could be something did not go quite as intended on my computer which was about three years old at the time).

So, I have to bring up Tweaker from the taskbar each morning and scroll down to Disable Windows Updates and UNcheck the box to disable. Then I go to Virus Protection in Windows Security and manually have Windows Update check for new Defender definitions and install them. When I decide it is time to do other Windows updates on the Windows 10 Pro computer, I do the same action. After the updates are installed, I recheck the box in Tweaker to disable Windows Updates.

Reply | Quote

Thanks everyone for your input, especially @Rick Corbett whose test was way more than I had any right to hope for. As I suspected things are more complicated than I was aware of. I don’t mind tracking down updates and installing them from the MS Catalog using Powershell.

Just to be clear, I haven’t disabled WU Service on any Win 10 computer. The one I just upgraded to Win 10 from Win 8.1 has something wrong with WU – can’t connect is the message I get and I also get that when trying to update Defender definitions. But with WU broken in that way I am still able to install updates from the Catalog without using Powershell commands and I can also install virus definitions without Powershell.

Years ago I had a Vista laptop with a broken – not disabled – WU. It would search and never return a list of required updates. Rather than try to fix it, I just manually downloaded from the Catalog and installed. This was before the days of Rollups so there would sometimes be as many as 20 updates (including MS Office). It really wasn’t that bad.

Reply | Quote

PKCano wrote:

I asked that question because the OP was using this method to update manually. Point being that the methodology for updating must change in that case.

Sorry, I got the wrong end of the stick.

IMO the answer to your question is no… not so much because Windows Update is disabled but (from what I read and understand of the MS How Windows Update works doc – PDF here) more because Update Orchestrator is dependent on it being available.

Hence the need for an alternative method.

2 users thanked author for this post.

windbg, DrBonzo

Reply | Quote

DrBonzo wrote:

The one I just upgraded to Win 10 from Win 8.1 has something wrong with WU – can’t connect is the message I get and I also get that when trying to update Defender definitions.

Have a look at the Windows Update and Windows Update Medic Service log files (C:\Windows\Logs\WindowsUpdate and C:\Windows\Logs\waasmedic respectively).

The logs are in ETL format so you’ll need to convert them to text. Have a look at this MS Q&A – Convert .etl trace log file into readable txt file – for more info.

Hope this helps…

PS – This is one of the many reasons why I always clean install rather than upgrade… but I know many other people’s opinions differ.

5 users thanked author for this post.

Kirsty, geekdom, windbg, DrBonzo, Microfix

Reply | Quote

I forgot another significant drawback… Server Initiated Healing (SIH).

(History – The Windows Update Medic Service was apparently introduced in Windows 10 v1803. I seem to remember initially it was only installed if telemetry (i.e. the default-enabled Connected User Experiences and Telemetry service – DiagTrack) determined that the Windows Update service had been disabled. However, the Windows Update Medic Service now appears to be installed by default. There was also a Windows Remediation service – SedSvc – that did a similar job… but that seems to have disappeared since v1803.)

If you disable the Windows Update service but don’t *disable* the Windows Update Medic Service AND *disable* a scheduled SIH task (under WindowsUpdate) then every 20 hours Task Scheduler will fire the SIH client which, in turn, invokes the Windows Update Medic Service… which reverts Windows Update service/components to their default settings.

The SIH client also phones home.

“This daily task launches the SIH client (server-initiated healing) to detect and fix system components that are vital to automatic updating of Windows and Microsoft software installed on the machine. This task can go online, evaluate applicability of healing actions, download necessary payloads to execute the actions, and execute healing actions.”

(I have no idea whether the SIH client also reports the machine GUID of devices which have the Windows Update Medic Service disabled.)

This means that to *properly’ disable Windows Update you would also have to create/enable outbound Windows Firewall rules related to all Windows Update related components.

This has been discussed here on AskWoody many, many times and, IMO, the general consensus is that disabling Windows Update manually is too much like ‘whack-a-mole’… much more trouble than it’s worth.

If you *really* want to disable Windows Update (which is not advisable) then better to use a third-party tool that does the job for you then use the tool to re-enable Windows Update briefly at a time which is convenient for your own workflow or when Susan raises the MS-DEFCON level to 4 and/or 5.

Oh, and for a chuckle, always remember the first part of the first sentence of this 2018 statement from the MS Windows Platform Security Team:

“At Microsoft, we want users to be in control of their devices…”

That’s why we now have to use third-party tools… ROFL.

(Note: For those that use it, the original Windows 10 Decrapifier script does *not* disable the scheduled SIH task by default.)

Hope this helps…

3 users thanked author for this post.

Coldheart9020, windbg, DrBonzo

Reply | Quote

I’m convinced – it’s a crummy idea!

I wonder, though, if I disable Windows Update Service and then let the computer sit for about a day, whether the Medic Service would kick in and actually fix the error I get whenever I check for updates, namely that it can’t connect (doesn’t say what it can’t connect to)?

@Rick Corbett, thanks for your clear explanations. I’ve learned a lot.

Reply | Quote

DrBonzo wrote:

I wonder, though, if I disable Windows Update Service and then let the computer sit for about a day, whether the Medic Service would kick in and actually fix the error I get whenever I check for updates, namely that it can’t connect (doesn’t say what it can’t connect to)?

You don’t need to disable the Windows Update service. Just open an *elevated* console (CMD or PowerShell, copy/paste the following then press RETURN/ENTER:

schtasks /run /tn "Microsoft\Windows\waasmedic\performremediation"

This will run the Windows Update Medic Service manually. Hopefully it will report it completed successfully.

Next, copy/paste the following then press RETURN/ENTER:

DISM /Online /Cleanup-Image /RestoreHealth

This runs a scan for corruption and repairs problems that it finds with the operating system. It may take some time to run to completion.

If all goes well you should see the following 2 success notifications:

If you see them, try Windows Update again.

Note: That Windows Update issues are notorious for being many, frequent and difficult to troubleshoot.

Hope this helps…

(Note: I’ve made a mistake in my earlier post. The SIH task appears to have been deprecated in favour of a PerformRemediation task in the WaaSMedic folder. It’s been quite some time since I’ve used Task Scheduler manually so I don’t know when this was changed.)

[Note to Mods: I had to re-edit this post as the backslashes were stripped from:

Microsoft\Windows\waasmedic\performremediation

…despite me having an exception.]

1 user thanked author for this post.

DrBonzo

Reply | Quote

@Rick-Corbett
We have since found that the disappearance of the “\” are related to the insertation of a graphic in the post, i.e. if you do both before submitting, the “\” are removed.
Another quirk: if you use “\\” instead of “\”, it seems to stick as a single “\” (who knows!!!)

Susan is pursuing.

2 users thanked author for this post.

Rick Corbett, DrBonzo

Reply | Quote