Windows Update: Control and Isolation
Information
*There are two caveats to this procedure; make sure they apply to you before going further. First, this workaround has so far only been used on Windows 10 Enterprise v1607 and later. Second, it is only viable if you have a patching solution (for example a patch disk) that is independent of a WSUS server, or you simply do not want Windows Update reaching out to the Microsoft Windows Update servers, while still keeping the Windows Update service running. Treat it as a template: you may or may not need everything in here.*

*This issue came up while developing a solution for a Windows 10 Enterprise SHB client on a stand-alone network (off domain). The patching methodology for this stand-alone system was a patch disk from a patching team that had fully tested all patches before implementation. We needed to stop Windows Update from downloading and installing any updates from Microsoft. Our patch disk also piggybacked on the Windows Update service itself, so we could not just turn the service off. I came up with the following solution, which stops Windows Update from going out to the web to look for updates, stops the Windows Update log from filling up with errors, and eliminates Windows Update traffic on the network, all while keeping the Windows Update service on and working properly.*
How it was accomplished
Since this was a stand-alone system with no domain, all of these settings were made in local Group Policy (LGPO) via gpedit.msc on the machine itself. On a domain-joined machine the same policies would have to go in a domain GPO, since domain policy is applied after, and overrides, local policy.
- Browse to Computer Configuration > Administrative Templates > Windows Components > Windows Update.
- Locate the policy on the right called Configure Automatic Updates and double-click it. Set it to Enabled and, in the Configure automatic updating drop-down, choose 2 - Notify for download and notify for install. Click OK to close the window.
- Locate the policy on the right called Specify intranet Microsoft update service location and double-click it. Set it to Enabled, enter http://127.0.0.1 in both the intranet update service and intranet statistics server boxes, and click OK. Assuming nothing on the machine listens on port 80, every scan then fails on the loopback address instead of leaving the box. (v1607 and later also show an optional alternate download server box; leave it empty.)
- Locate the policy on the right called Remove access to use all Windows Update features and double-click it. Set it to Enabled and click OK to close the window.
- Locate the policy on the right called Do not connect to any Windows Update Internet locations and double-click it. Set it to Enabled and click OK to close the window. This also stops the periodic connections to the public Windows Update service that the agent otherwise makes even when an intranet server is configured; the policy's own description warns that it can break Microsoft Store connectivity as well.
- Locate the policy on the right called Allow non-administrators to receive update notifications and double-click it. Set it to Disabled and click OK to close the window.
- Browse to Computer Configuration > Administrative Templates > System > Internet Communication Management > Internet Communication Settings.
- Locate the policy on the right called Turn off access to all Windows Update features and double-click it. Set it to Enabled and click OK to close the window.
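The same configuration as a script, as an added example that is not part of the original write-up: it writes the registry values these local policies are backed by (everything under HKLM\SOFTWARE\Policies, which is exactly what gpedit writes), then reads them back so drift from the intended state is reported rather than silently ignored. The loopback URL is taken from the steps above; the function names are assumptions made for this example.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original write-up. Writes the registry values behind the
# local policies listed above. HKLM:\SOFTWARE\Policies is what local (and domain)
# Group Policy writes, so on a domain-joined machine a domain GPO would overwrite
# these at the next policy refresh.

$WU = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$AU = "$WU\AU"
$Loopback = 'http://127.0.0.1'   # from the write-up: nothing is expected to listen here

# Desired state: one entry per policy setting from the gpedit steps above.
$Desired = @(
    # Configure Automatic Updates: Enabled, option 2 (notify for download / install)
    @{ Path = $AU; Name = 'NoAutoUpdate'; Value = 0 }
    @{ Path = $AU; Name = 'AUOptions';    Value = 2 }
    # Specify intranet Microsoft update service location: Enabled, both URLs on loopback
    @{ Path = $WU; Name = 'WUServer';       Value = $Loopback }
    @{ Path = $WU; Name = 'WUStatusServer'; Value = $Loopback }
    @{ Path = $AU; Name = 'UseWUServer';    Value = 1 }
    # Do not connect to any Windows Update Internet locations: Enabled
    @{ Path = $WU; Name = 'DoNotConnectToWindowsUpdateInternetLocations'; Value = 1 }
    # Remove access to use all Windows Update features: Enabled (UI lockdown only)
    @{ Path = $WU; Name = 'SetDisableUXWUAccess'; Value = 1 }
    # Allow non-administrators to receive update notifications: Disabled (UI only)
    @{ Path = $AU; Name = 'ElevateNonAdmins'; Value = 0 }
    # Internet Communication Settings > Turn off access to all Windows Update features: Enabled (UI only)
    @{ Path = $WU; Name = 'DisableWindowsUpdateAccess'; Value = 1 }
)

function Set-WuIsolationPolicy {
    # Create the policy keys if they are missing and write every value.
    foreach ($p in $Desired) {
        if (-not (Test-Path $p.Path)) { New-Item -Path $p.Path -Force | Out-Null }
        # Set-ItemProperty stores [int] values as REG_DWORD and strings as REG_SZ,
        # which are the types the Windows Update ADMX uses for these names.
        Set-ItemProperty -Path $p.Path -Name $p.Name -Value $p.Value
    }
}

function Test-WuIsolationPolicy {
    # Compare the live registry with the desired state. Emits one object per mismatch,
    # so no output means the box is configured as intended.
    foreach ($p in $Desired) {
        $actual = (Get-ItemProperty -Path $p.Path -Name $p.Name -ErrorAction SilentlyContinue).($p.Name)
        if ("$actual" -ne "$($p.Value)") {
            [pscustomobject]@{ Path = $p.Path; Name = $p.Name; Expected = $p.Value; Actual = $actual }
        }
    }
}

Set-WuIsolationPolicy
$drift = @(Test-WuIsolationPolicy)
if ($drift.Count) { $drift | Format-Table -AutoSize; throw 'Windows Update policy not fully applied' }

# Restart the agent so it re-reads policy, then trigger a scan as the write-up does
# and read the agent's own event log to see where the scan went.
Restart-Service -Name wuauserv -Force
& "$env:SystemRoot\System32\UsoClient.exe" StartScan
Start-Sleep -Seconds 30
Get-WinEvent -LogName 'Microsoft-Windows-WindowsUpdateClient/Operational' -MaxEvents 10 |
    Format-Table TimeCreated, Id, Message -AutoSize -Wrap
```

The drift check is the part worth keeping around: rerun Test-WuIsolationPolicy after any imaging or policy change to confirm the box still points at loopback. For a fuller trace, Get-WindowsUpdateLog merges the ETW traces into a readable WindowsUpdate.log, but on v1607/v1703 it fetches symbols from Microsoft's symbol server, which an isolated network will not have.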
If Windows Update had already tried to update before these policies were in place, and there are downloaded updates stuck in a pending install state, here is how to get rid of them:
- Open Services (services.msc) and find both Background Intelligent Transfer Service and Windows Update.
- Open each service, set its Startup type to Disabled, and stop it if it is running.
- With both services disabled and stopped, open File Explorer and browse to C:\Windows\SoftwareDistribution\Download.
- Delete everything in that folder.
- If you get an error saying a file is in use by another program, reboot the computer with the services still disabled and delete again.
- If the folder looks empty but you think there should be files, click File in the top left, then Options, and in the new window open the View tab. About halfway down, choose Show hidden files, folders, and drives, then close the window.
- Once everything is deleted, go back into Services and set Background Intelligent Transfer Service and Windows Update back to Automatic (or to whatever startup type they had before you changed them; on a stock Windows 10 install Windows Update is Manual (Trigger Start)), then start both services.
- To test that it worked, open a command prompt as administrator and run usoclient.exe startscan. Then open the Windows Update settings page and watch it attempt a scan and report that the device is up to date.
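The cleanup and re-test as a script, as an added example that is not part of the original write-up. It records each service's current startup type and restores it afterwards rather than assuming Automatic, deletes hidden files without any Explorer view change, and reports a reboot if a file is still locked instead of leaving the services in a half-configured state. The function name is an assumption for this example.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original write-up: clears stuck Windows Update downloads
# the way the steps above describe, restoring each service's original startup type.

$Services = 'bits', 'wuauserv'   # Background Intelligent Transfer Service, Windows Update
$Download = Join-Path $env:SystemRoot 'SoftwareDistribution\Download'

function Clear-WuDownloadCache {
    # Remember how each service was configured so it can be put back exactly.
    # (StartType does not carry the delayed-start flag in PowerShell 5.1; trigger-start
    # configuration is separate and is left untouched by Set-Service.)
    $original = @{}
    foreach ($name in $Services) {
        $svc = Get-Service -Name $name
        $original[$name] = $svc.StartType
        Set-Service -Name $name -StartupType Disabled   # keeps a trigger from relaunching it mid-cleanup
        if ($svc.Status -ne 'Stopped') { Stop-Service -Name $name -Force }
    }

    $needReboot = $false
    try {
        # -Force on both cmdlets covers hidden and read-only items.
        Get-ChildItem -Path $Download -Force -ErrorAction Stop |
            Remove-Item -Recurse -Force -ErrorAction Stop
    } catch {
        # Typically a file still held open by another process: finish after a reboot,
        # leaving the services disabled as the write-up says.
        Write-Warning "Could not clear $Download ($($_.Exception.Message)); reboot with the services still disabled and run again."
        $needReboot = $true
    }

    if (-not $needReboot) {
        foreach ($name in $Services) {
            Set-Service -Name $name -StartupType $original[$name]
            Start-Service -Name $name
        }
    }
    return (-not $needReboot)
}

if (Clear-WuDownloadCache) {
    # Re-test as in the write-up: trigger a scan and read the agent's own events.
    & "$env:SystemRoot\System32\UsoClient.exe" StartScan
    Start-Sleep -Seconds 30
    Get-WinEvent -LogName 'Microsoft-Windows-WindowsUpdateClient/Operational' -MaxEvents 10 |
        Format-Table TimeCreated, Id, Message -AutoSize -Wrap
}
```

Run it once after the policies are in place; if it warns about a locked file, reboot and run it again, and it will restore and start the services on the second pass.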
The last three steps of the policy list (disabling Allow non-administrators to receive update notifications and enabling Turn off access to all Windows Update features under Internet Communication Settings) only block users' access to updating through the Windows Update UI and are not needed in every situation. Run gpupdate /force, or reboot, so the local policy is applied before testing. Once these steps are done, Windows Update should no longer go out to the internet to look for updates on the Windows Update servers, and patching can be fully controlled by other means.
References
- A lot of my ideas came from the WSUS team's Demystifying Dual Scan post: https://blogs.technet.microsoft.com/wsus/2017/05/05/demystifying-dual-scan/
- John Kolecki, Cyber Security Engineer, Cambridge: loopback IP troubleshooting
- Jason Krause, Premier Field Engineer, Microsoft: bounced most of my ideas off of him