Microsoft can not conceive of a valid reason for a Windows 10 user not to want the latest bug fixes. Bug fixes good, is their corporate mantra. They are, however, wrong. Not only are there many instances where stability trumps patches, they have shown over and over again that their patches are not to be trusted. Just this week, Windows 10 bug fixes caused the Surface Book 2 to crash.

My recent blog Defending against Windows 10 bug fixes discussed many options for postponing bug fixes but none, other than keeping the computer off-line, are foolproof. The most interesting section of that very long blog is A full frontal attack on Windows Update. This is a simplified, cheat sheet, version of that section.

Back on Windows 7, it was so much easier to disable Windows Update, there was just one service to worry about. Those were the good old days. With Windows 10, there are three aspects to disabling Windows Update: shutting down multiple Services, disabling many Scheduled Tasks and preventing the parts of Windows Update that can not be easily shut down from phoning home. Microsoft has limited the first two options, some services and started tasks can not be disabled, even by Administrative users. And, like the Walking Dead, some services and tasks that we can disable, get re-enabled over time by the ones that can not be disabled. That leaves the Windows Firewall as our biggest hammer.

Every Windows Service and Scheduled Task referred to below is not installed on every Windows 10 machine. This is because Windows Update keeps changing, in large part, to prevent people from doing just this.

Note that this is not well worn territory, and I do not claim to be an expert on Windows Update.

SERVICES

Try to disable all the services involved with Windows Update.

You should be able to disable the legacy Windows Update Service (wuauserv) and the Windows Remediation Service (sedsvc).

My experience with the other two services (Update Orchestrator Service (UsoSvc) and Windows Update Medic Service (WaaSMedicSvc) has been inconsistent.

SCHEDULED TASKS

As with Services, try to disable all the Scheduled Tasks you can. Note that whatever software you use to deal with scheduled tasks, it must run as an Admin user. There are some tasks that restricted/standard users can not even see. (Updated Dec 8, 2018)

1. AC Power Download   can not be disabled
2. Maintenance Install   can be disabled
3. MusUx_UpdateInterval   On one PC I could disable it, on another I could not
4. MusUx_LogonUpdateResults   can not be disabled normally
5. PerformRemediation   can not be disabled
6. Reboot   can not be disabled
7. Scheduled Start   can be disabled
8. Schedule Scan  can not be disabled
9. shell   can be disabled
10. sih   can be disabled
11. sihboot   can be disabled
12. UpdateAssistant   can be disabled
13. UpdateAssistantCalendarRun   not sure
14. UpdateAssistantWakeupRun   not sure
15. USO_Broker_Display   can not be disabled

I have not seen, but have read about other Windows Update related scheduled tasks: USO_UxBroker_Display, USO_UxBroker_ReadyToReboot, Policy Install and Resume On Boot.

For dealing with the Windows Task Scheduler, I suggest TaskSchedulerView by Nir Sofer. It is free, portable and from a trustworthy source.

BLOCK SERVICES WITH THE FIREWALL

While some Services and Started Tasks are off-limits, everything can be blocked in the Windows firewall.

Perhaps my big contribution here is the idea of blocking a Windows service from phoning home. Firewalls traditionally block ports, IP addresses and programs but the Windows firewall can also block a Windows Service. We need this since many services run under the svchost.exe program.

To block a Service

1. Control Panel ->
2. Windows Defender Firewall ->
3. Advanced Settings ->
4. Outbound rules (left side column) ->
5. sort the rules by Group to make the ones you create display at the top
6. New Rule .... (right side column) ->
7. Click the Customize... button near Services ->
8. Apply to this service ->
9. Scroll to the service and click on it to highlight it in blue ->
10. OK -> Next ->
11. Take the default values for protocols or ports, so just click the Next button ->
12. Take the default values for IP addresses so just click the Next button ->
13. Blocking the connection is the default, that is what we want, so just click Next button ->
14. Domain, Private and Public are defaulted on which we want, so just click Next ->
15. Give the rule a name like Block Svc xxxx and Finish

Do this for every Windows Update service on the PC: Windows Update, Windows Update Medic, Windows Remediation, Update Orchestrator and Windows 10 Update Facilitation.

BLOCK PROGRAMS WITH THE FIREWALL

These Windows Update related programs definitely phone home to Microsoft, so they should be blocked too.

• C:\Windows\System32\sihclient.exe
• C:\Windows\System32\WaaSMedic.exe
• C:\Program Files\rempl\sedlauncher.exe

The click stream for blocking a program is a bit different from blocking a service. It is:

1. Control Panel ->
2. Windows Defender Firewall ->
3. Advanced Settings ->
4. Outbound rules (left side column) ->
5. Sort the rules by Group to make the ones you create display at the top
6. New Rule .... (right side column) ->
7. Program is the default so just click Next ->
8. Enter the program path and click Next ->
9. Block the connection is the default so just click Next ->
10. By default, Domain, Public and Private are all checked, so just click Next ->
11. Give the new rule a name like Block Prog xxxx then click Finish

These Windows Update related programs may or may not phone home to Microsoft, I don't know. To be fully protected, they should be blocked with an outbound firewall rule too.

• C:\Windows\system32\sc.exe
• C:\Windows\System32\sihclient.exe
• C:\Windows\system32\usoclient.exe
• C:\Windows\system32\MusNotification.exe
• C:\Windows\UpdateAssistant\UpdateAssistant.exe

In the end, your firewall rules will look something like those below.

Outbound Firewall Rules in Windows 10

The Windows Remediation Service (sedsvc) is C:\Program Files\rempl\sedsvc.exe. Blocking the Service may be sufficient, but to be thorough, you can block it as a program too. According to this article, these other programs are also involved in Windows Update: eosnotify.exe, windows10upgraderapp.exe, remsh.exe (pretty sure this has been retired), dismHost.exe, InstallAgent.exe and Windows10Upgrade.exe. I have not seen them. A user comment to this article also mentions the Windows10UpgraderApp.exe but adds that it is in the C:\Window10Upgrade folder. (Updated Dec 6, 2018)

Outbound firewall rules can also be used to prevent Windows 10 telemetry from phoning home to Microsoft, but that's another whole topic. In the image above, compatTelRunner.exe is telemetry and SearchUI.exe is Cortana.

FINAL THOUGHTS

It would be nice to know the fewest changes needed to block Windows Update on Windows 10 but that is likely to change over time, so it doesn't pay to invest a lot of effort into answering the question.

As thorough as all this may seem, there may well be registry zaps that let you disable the Services and Started Tasks that are normally off-limits. I have not looked into this. If Windows Update can not phone home, then it is not critical to prevent every part of it from executing.

Which begs the question, is Windows Update still phoning home? A great program that helps answer this question is TcpLogView by Nir Softer. It shows every IP address your computer makes an outbound connection to and the process or program that made the connection. Often, it also shows the name of the contacted computer. (Added Dec 7, 2018)

Of course, if you succeed in blocking patches, at some point you will want or need them. To maintain the most control, see the section on Manual Updating in my earlier blog. (Added Dec 5, 2018)

Finally, there are still other ways to attack Windows Update. Reddit user WelshWorker explained his procedure in PERMANENTLY Disabling Windows 10 Upgrade Assistant to stay on one build. His additional steps include blocking 15 domains used by Windows Update, removing all permissions from three Windows Update folders, creating firewall rules to block network communication for the .EXE files in those folders and deleting the contents of the SoftwareDistribution folder. He also has a script to automate some of it.

Makes the stuff above seem not so paranoid.