How to disable Windows Update completely

• Firstly do what every user would do, go to Control Panel, Automatic Updates (This service is introduced in Windows 2000 Service Pack 3, Windows XP Service Pack 1) and uncheck the "Keep my computer up to date...".


• Disable Automatic Updates Service. To disable it, run services.msc. Find Automatic Updates service (wuauserv), and change startup type to disabled. You might also want to disable the service "Background Intelligent Transfer Service" (BITS); which is needed to transfer files in the background. Note: This will also disable some features of MSN Explorer, like downloading programs and other information (who uses MSN Explorer anyway?).


• Remove the services. To go a little further than disabling the service, you can completely remove them. There are 2 ways to do this:
  1. Using instsrv.exe found in the Windows 2000 Resource Kit. These are the commands:

     net stop wuauserv
     net stop BITS
     instsrv wuauserv REMOVE
     instsrv BITS REMOVE
     

  2. With the Add/Remove Hardware in Control Panel
     1. Go to Add/Remove Hardware in Control Panel
     2. Select Uninstall/Unplug a device and click Next
     3. Select Uninstall device and click Next
     4. Click Show hidden devices
     5. Now you can remove "Automatic Updates"
     6. Do these steps again for removing the "Background Intelligent Transfer Service"


• Disable access to the Windows Update website for your users (this will block automatic & manual updating) . To do this run gpedit.msc, the group policy editor. Go to User Configuration, Administrative Templates, Windows Components, Windows Update. To remove access to Windows Update, enable the item "Remove access to use all Windows Update features". You could do this at the default domain policy or a policy on your OU (Organizational Unit).


• Remove links to Windows Update. You can remove shortcuts and links to Windows Update manually or by group policy setting: run gpedit.msc. Go to User Configuration, Administrative Templates, Start Menu & Taskbar. Enable the setting "Disable and remove links to Windows Update". Again you can do this at the domain level or OU.


• If you have site and content filtering technology in place, you might want to block access to the Windows Update website at the Internet border. These are the sites to block:

  windowsupdate.microsoft.com
  *.windowsupdate.microsoft.com
  windowsupdate.com
  *.windowsupdate.com
  windowsupdate.microsoft.nsatc.net
  *.windowsupdate.microsoft.nsatc.net
  v4windowsupdate.microsoft.nsatc.net
  wustat.windows.com
  

  For a single machine you can achieve the same by editing the hosts file (\WINNT\System32\Drivers\etc\hosts). Add the entries below to your hosts file. This way the actual websites cannot be accessed.
  

  # windowsupdate.microsoft.com
  127.0.0.1      windowsupdate.microsoft.com
  127.0.0.1      www.windowsupdate.microsoft.com
  127.0.0.1      v4.windowsupdate.microsoft.com
  127.0.0.1      www.v4.windowsupdate.microsoft.com
  # windowsupdate.com
  127.0.0.1      windowsupdate.com
  127.0.0.1      www.windowsupdate.com
  127.0.0.1      download.windowsupdate.com
  127.0.0.1      www.download.windowsupdate.com
  127.0.0.1      v4.windowsupdate.com
  127.0.0.1      www.v4.windowsupdate.com
  # windowsupdate.microsoft.nsatc.net
  127.0.0.1      windowsupdate.microsoft.nsatc.net
  127.0.0.1      v4windowsupdate.microsoft.nsatc.net
  # wustat.windows.com
  127.0.0.1      wustat.windows.com
  

• Finally, delete the "\Program Files\WindowsUpdate" folder if it exists (Note: it is a hidden directory). This directory is used by both the Windows Update website and the Automatic Update client. Also delete any "\WUTemp" folders you might find in the root of your drives. (This folder is also hidden).


• You could, but not necessary, unregister the dll files and delete all windows update files (remember to delete them first from the windows file protection cache and the %WINDIR%\ServicePackFiles\i386 folder):
  
  
  • Windows Update AutoUpdate
    

    wuauhelp.chm (Windows Update AutoUpdate Help File)     %WINDIR%\Help
    wuau.adm     (Very interesting)                        %WINDIR%\Inf
    wuauclt.exe  (Windows Update AutoUpdate Client)        %WINDIR%\System32
    wuaucpl.cpl  (Windows Update AutoUpdate Control Panel) %WINDIR%\System32
    wuaueng.dll  (Windows Update AutoUpdate Engine)        %WINDIR%\System32
    wuauserv.dll (Windows Update AutoUpdate Service)       %WINDIR%\System32
    qmgr.dll     (BITS)                                    %WINDIR%\System32
    

  • Windows Update (the web site extension)
    

    wupdinfo.dll (Windows Update Info for NT)              %WINDIR%\System32
    wupdmgr.exe  (Windows Update Manager for NT)           %WINDIR%\System32
    wuv3is.dll   (Windows Update-engine)                   %WINDIR%\System32
    



• If you are slipstreaming Windows or doing a network/RIS installation of Windows (or Service Pack) you could use this little trick to disable Windows AutoUpdate during install: comment out this entry in i386\au.inf

  [AU_regsvr_rule]
  ;11,,wuaueng.dll, 1       ; 1 means call DLLRegisterServer
  ; Commented out to not install autoupdate service
  

[top]