Allow only manual updates on Windows 10
Microsoft removed updating controls when it released the Windows 10 operating systems so that it has become less trivial to set the updating process to manual or disable updates altogether. This is true especially when it comes to Windows 10 Home.
One of the better solutions to regain controls over updates was to disable the Windows Update service, and enable it only when you wanted the system to find and install updates.
Microsoft changed that workaround in the Fall Creators Update version of Windows 10 however closing that loophole effectively.
There is another option that is still available, but it requires changing permissions of the program that is responsible for the update checks. Good news is that this won't affect manual checks for updates, but that it will prevent any automatic checks for updates.
There is also a reset option available, but I recommended that you create a backup of the system partition before you make the changes to the Windows 10 system.
Set Windows 10 updating to manual
Windows 10 has a task that uses the program C:\Windows\System32\UsoClient.exe to check for updates regularly and automatically.
You find the task under Task Scheduler Library > Microsoft > Windows > UpdateOrchestrator > Schedule Scan in the Windows Task Scheduler.
The task has several triggers: one that runs it once per day, one that runs it aver event log id 8202, and the third is a custom trigger.
The following workaround removes all permissions from the file UsoClient.exe. The update check that is triggered by tasks fails because of this.
Note that this won't affect Windows Defender signature updates, as those will still be downloaded and installed automatically.
Disable automatic updates
- Tap on the Windows-key to bring up the Windows Start menu.
- Type cmd.exe, select the result, hold down the Ctrl-key and the Shift-key, and tap on the Enter-key to load an elevated command prompt. You can also right-click on cmd.exe and select "run as administrator if you prefer that.
- Confirm the UAC prompt that is displayed.
- Run the command takeown /f "%WINDIR%\System32\UsoClient.exe" /a
- This takes ownership of the file and assigns it to the administrator group giving you control over the file.
- Now run icacls "%WINDIR%\System32\UsoClient.exe" /inheritance:r /remove "Administrators" "Authenticated Users" "Users" "System"
- This removes permissions for the selected groups of users from the file. Note that you may need to change the English group names if you use a non-English edition of Windows.
You should get success messages, but you can verify that all permissions have been removed by right-clicking on 'C:\Windows\System32\UsoClient.exe, selecting properties from the context menu, and switching to the Security tab when the properties window opens.
Next time when Windows 10 triggers the event, you should get a "access is denied" error message under last run result in the UpdateOrchestrator task listing.
You can still run update scans manually by opening Settings > Update & Security.
Restoring the permissions
You can restore the permissions of the file at any time:
- Open an elevated command prompt as outlined above.
- Run the command icacls "%WINDIR%\System32\UsoClient.exe" /reset
- This command resets all permissions of UsoClient.exe, so that automatic update scans can be run again.
Now You: No, manual or automatic updates? How is your system configured? (Thanks Deskmodder)Advertisement