articles/
31-12-2024 / How to Disable Updates on Windows 10/11
Today, we'll be having a look at how to effectively disable system updates on Windows 10 and 11.
Introduction
Ah yes, Windows Updates.
If you've been a long-time Windows user, You must know that Microsoft FORCES system updates onto its users, and makes it very difficult to stop them; Short of not connecting Windows machines to the internet at all.
Some people dislike Windows updates due to extremely inopportune timing. Others dislike them because they'd rather stay on one particular version of the software. Not to forget, sometimes a bad update will break a perfectly functional system, Like what happened on the 19th of July, 2024. Those poor airport staffers...
(Okay, TECHNICALLY it wasn't a Windows update, but a bad update to software that ran as a driver in Windows' Kernel ring. A big chunk of public that didn't know exactly what happened blamed it on Windows updates and became a bit skeptical about frequent/automatic software updates, BUT I digress...)
I won't get too deep into the reasons of WHY you would want to disable updates. It's a very controversial topic, sparking lots of heated debates and from what I've seen, annoying many Windows fanboys and power users.
I figure if you've actively SEARCHED for this article, you probably have your reasons for doing so already. Let's get into it.
What works and what doesn't work
I've been looking for a way to properly disable updates on Windows for quite some time. I'll review some of the most popular "fixes" I've found.
Pausing/Deferring updates from Settings - It allows you to temporarily pause updates for a certain period, A maximum of around 35 days. It'll WORK but then you are forced to update once the period ends, and you can't pause again for another few weeks. Most people just settle for this. Also, It only works for normal "Recommended Updates"; It will NOT pause security updates.
Disabling the Windows Update service through services.msc - You go into services.msc and manually stop and disable wuauserv, the Windows Update Service. This is however, NOT a permanent fix. No matter what you do here, It's scheduled to automatically relaunch itself after a system restart. EVEN if you set it to manually start.
Set your internet connection as metered - In this case, you set your internet connection as a metered one, So Windows does not download updates over one of these. Problem is this does NOT work for Ethernet/cable-based connections, Only wireless. Another issue, (Anecdotal/Personal experience) Windows just ignored it completely at one point. It took an update despite the connection being set as metered. Then again, this happened a few years ago, I do not remember the specifics. It might have been a security update.
Using the Group Policy Editor - In this case you open gpedit.msc, Head on over to Computer Configuration\Administrative Templates\Windows Components\Windows Update\ and set "Configure Automatic Updates" to Disabled. This is a more reliable fix; However, The Group Policy Editor is NOT available on Windows Home edition, only Pro and above. (Anecdotal/Personal experience) I found this ineffective on Windows 11.
Using a custom hosts file to block out Microsoft domains - This is a somewhat desperate move, as shown in the above screenshot. Basically you go to C:\Windows\System32\drivers\etc\, You edit the hosts file (It's a file used to map hostnames to IP addresses.) and you redirect a bunch of Microsoft URLs to 0.0.0.0 (Nowhere.) by using a list like this one. In THEORY, This should work. However, It does not stop updates because many Windows services can just bypass the hosts file. In addition to this, Windows can also download updates from nearby computers on a network, Also, blocking some of these domains triggers a HostsFileHijack threat, making Windows Defender go crazy, so it's not very useful. It is, however, good for blocking a lot of TELEMETRY though. Especially for third-party apps/services from Adobe, Autodesk, Facebook/Meta etc.
Eventually, I came to the conclusion that the most effective way to disable updates, short of actually DELETING the update service (Like Ameliorated/AME 10 does, More on that later.), would be to make some Registry edits. So I did a little more research...
Disabling Windows Updates through the Registry
WARNING/DISCLAIMER: MESSING WITH THE REGISTRY CAN POTENTIALLY RESULT IN AN UNUSABLE SYSTEM.
PROCEED AT YOUR OWN RISK.
The Windows Registry is a massive database of configuration options used by the operating system. It can be accessed by running regedit.msc
Now there's a bunch of ways to disable the update service through registry edits, Like setting the pause updates period for 10 years or so. Though I'll be demonstrating a somewhat different approach. This is taken from InControl by Gibson Research Corporation. It's a small software tool that does a few registry edits that trick Windows into thinking it's at the maximum possible version it can update to, and it can't go further.
Sure, you can download the tool, It's freeware. Though I'd recommend making edits manually instead of relying on external software, That way you'll know what you're doing. (This specific tool seems perfectly safe, but there's a lot of malware out there that's disguised as "PC-fixing" software, so it's best to make fixes without using external apps.) So here's what you'll have to do...
1. Open the registry editor. Just execute regedit.msc from the Run dialog box.
2. Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\ and make the Key "WindowsUpdate". Just navigate to that directory and right click in the tree, Create a new key (If it doesn't already exist.).
3. Under WindowsUpdate, add the following entries... (Add the entries, right click and supply values via the Modify button)
TargetReleaseVersionInfo = "21H1" (Or any other feature release. 21H2, 22H2, so on. This sets the "Target" i.e. Desired Version to stick to. Any older version works. IN QUOTES.)
TargetReleaseVersion = 1 (This instructs Windows to ignore any updates newer than the "Target" version.)
ProductVersion = "10" (This basically tells the updater to stick to this "Major Version" of Windows. i.e. Windows 10 or 11. IN QUOTES.)
DisableOSUpgrade = 1 (This instructs Windows not to update "Major Versions", like 10 to 11.)
4. Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsStore (Create this key if it doesn't exist.)
5. Under WindowsStore, add the following entry... Just one entry under this key.
DisableOSUpgrade = 1 (Same as the DisableOSUpgrade entry in WindowsUpdate. I suppose this one is for redundancy purposes or updates delivered through Windows Store (?).)
6. Navigate to HKEY_LOCAL_MACHINE\SYSTEM\Setup\UpgradeNotification (Create this key if it doesn't exist.)
7. Under UpgradeNotification, add the following entry... Again, just one entry.
UpgradeAvailable = 0 (This disables the Update Notification.)
And that's pretty much it.
As far as I've tested, this method works. At the time of writing, It effectively disables ALL system updates. If you want to re-enable updates, just delete these six registry entries, and updates should work again as before.
Conclusion
So, we've seen a fairly reliable and effective method to disable Windows updates. But what if you wanted to go further and fully DELETE the Windows Update Service? (Because who knows, Microsoft MIGHT just bypass this "fix" in a future version of Windows.)
And while you're at it, why not get rid of a bunch of bloatware and telemetry/monitoring services aswell? That's where The Open-Source tool, Ameliorated comes in. We'll be taking a deeper dive into this another time; What it does, How it works, and so on.
I certainly hope you found this article useful. Credit where it's due. Be sure to check out Gibson Research Corporation, they seem to have a plethora of privacy and security-oriented tools and services.
I wish you all the best, and a Happy New Year!