Install Windows Update Blocker (#3577)

* block updates forever

* remove admin checks for updates

Author: ChrisTitusTech

functions/public/Invoke-WPFUpdatesdefault.ps1

@@ -5,6 +5,9 @@ function Invoke-WPFUpdatesdefault {
         Resets Windows Update settings to default
 
     #>
+    
+    Write-Host "Restoring Windows Update registry settings..." -ForegroundColor Yellow
+    
     If (!(Test-Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU")) {
         New-Item -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" -Force | Out-Null
     }
@@ -15,17 +18,99 @@ function Invoke-WPFUpdatesdefault {
     }
     Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config" -Name "DODownloadMode" -Type DWord -Value 1
 
+    # Reset WaaSMedicSvc registry settings to defaults
+    Write-Host "Restoring WaaSMedicSvc settings..." -ForegroundColor Yellow
+    Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" -Name "Start" -Type DWord -Value 3 -ErrorAction SilentlyContinue
+    Remove-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" -Name "FailureActions" -ErrorAction SilentlyContinue
+
+    # Restore update services to their default state
+    Write-Host "Restoring update services..." -ForegroundColor Yellow
+    
     $services = @(
-        "BITS"
-        "wuauserv"
+        @{Name = "BITS"; StartupType = "Manual"},
+        @{Name = "wuauserv"; StartupType = "Manual"},
+        @{Name = "UsoSvc"; StartupType = "Automatic"},
+        @{Name = "uhssvc"; StartupType = "Disabled"},
+        @{Name = "WaaSMedicSvc"; StartupType = "Manual"}
     )
 
     foreach ($service in $services) {
-        # -ErrorAction SilentlyContinue is so it doesn't write an error to stdout if a service doesn't exist
+        try {
+            Write-Host "Restoring $($service.Name) to $($service.StartupType)..."
+            $serviceObj = Get-Service -Name $service.Name -ErrorAction SilentlyContinue
+            if ($serviceObj) {
+                Set-Service -Name $service.Name -StartupType $service.StartupType -ErrorAction SilentlyContinue
+                
+                # Reset failure actions to default using sc command
+                Start-Process -FilePath "sc.exe" -ArgumentList "failure `"$($service.Name)`" reset= 86400 actions= restart/60000/restart/60000/restart/60000" -Wait -WindowStyle Hidden -ErrorAction SilentlyContinue
+                
+                # Start the service if it should be running
+                if ($service.StartupType -eq "Automatic") {
+                    Start-Service -Name $service.Name -ErrorAction SilentlyContinue
+                }
+            }
+        }
+        catch {
+            Write-Host "Warning: Could not restore service $($service.Name) - $($_.Exception.Message)" -ForegroundColor Yellow
+        }
+    }
 
-        Write-Host "Setting $service StartupType to Automatic"
-        Get-Service -Name $service -ErrorAction SilentlyContinue | Set-Service -StartupType Automatic
+    # Restore renamed DLLs if they exist
+    Write-Host "Restoring renamed update service DLLs..." -ForegroundColor Yellow
+    
+    $dlls = @("WaaSMedicSvc", "wuaueng")
+    
+    foreach ($dll in $dlls) {
+        $dllPath = "C:\Windows\System32\$dll.dll"
+        $backupPath = "C:\Windows\System32\${dll}_BAK.dll"
+        
+        if ((Test-Path $backupPath) -and !(Test-Path $dllPath)) {
+            try {
+                # Take ownership of backup file
+                Start-Process -FilePath "takeown.exe" -ArgumentList "/f `"$backupPath`"" -Wait -WindowStyle Hidden -ErrorAction SilentlyContinue
+                
+                # Grant full control to everyone
+                Start-Process -FilePath "icacls.exe" -ArgumentList "`"$backupPath`" /grant *S-1-1-0:F" -Wait -WindowStyle Hidden -ErrorAction SilentlyContinue
+                
+                # Rename back to original
+                Rename-Item -Path $backupPath -NewName "$dll.dll" -ErrorAction SilentlyContinue
+                Write-Host "Restored ${dll}_BAK.dll to $dll.dll"
+                
+                # Restore ownership to TrustedInstaller
+                Start-Process -FilePath "icacls.exe" -ArgumentList "`"$dllPath`" /setowner `"NT SERVICE\TrustedInstaller`"" -Wait -WindowStyle Hidden -ErrorAction SilentlyContinue
+                Start-Process -FilePath "icacls.exe" -ArgumentList "`"$dllPath`" /remove *S-1-1-0" -Wait -WindowStyle Hidden -ErrorAction SilentlyContinue
+            }
+            catch {
+                Write-Host "Warning: Could not restore $dll.dll - $($_.Exception.Message)" -ForegroundColor Yellow
+            }
+        }
     }
+
+    # Enable update related scheduled tasks
+    Write-Host "Enabling update related scheduled tasks..." -ForegroundColor Yellow
+    
+    $taskPaths = @(
+        '\Microsoft\Windows\InstallService\*'
+        '\Microsoft\Windows\UpdateOrchestrator\*'
+        '\Microsoft\Windows\UpdateAssistant\*'
+        '\Microsoft\Windows\WaaSMedic\*'
+        '\Microsoft\Windows\WindowsUpdate\*'
+        '\Microsoft\WindowsUpdate\*'
+    )
+
+    foreach ($taskPath in $taskPaths) {
+        try {
+            $tasks = Get-ScheduledTask -TaskPath $taskPath -ErrorAction SilentlyContinue
+            foreach ($task in $tasks) {
+                Enable-ScheduledTask -TaskName $task.TaskName -TaskPath $task.TaskPath -ErrorAction SilentlyContinue
+                Write-Host "Enabled task: $($task.TaskName)"
+            }
+        }
+        catch {
+            Write-Host "Warning: Could not enable tasks in path $taskPath - $($_.Exception.Message)" -ForegroundColor Yellow
+        }
+    }
+
     Write-Host "Enabling driver offering through Windows Update..."
     Remove-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\Device Metadata" -Name "PreventDeviceMetadataFromNetwork" -ErrorAction SilentlyContinue
     Remove-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\DriverSearching" -Name "DontPromptForWindowsUpdate" -ErrorAction SilentlyContinue
@@ -39,6 +124,7 @@ function Invoke-WPFUpdatesdefault {
     Remove-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\WindowsUpdate\UX\Settings" -Name "BranchReadinessLevel" -ErrorAction SilentlyContinue
     Remove-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\WindowsUpdate\UX\Settings" -Name "DeferFeatureUpdatesPeriodInDays" -ErrorAction SilentlyContinue
     Remove-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\WindowsUpdate\UX\Settings" -Name "DeferQualityUpdatesPeriodInDays" -ErrorAction SilentlyContinue
+    
     Write-Host "==================================================="
     Write-Host "---  Windows Update Settings Reset to Default   ---"
     Write-Host "==================================================="
@@ -62,4 +148,6 @@ function Invoke-WPFUpdatesdefault {
     Write-Host "==================================================="
     Write-Host "---  Windows Local Policies Reset to Default   ---"
     Write-Host "==================================================="
+    
+    Write-Host "Note: A system restart may be required for all changes to take full effect." -ForegroundColor Yellow
 }

functions/public/Invoke-WPFUpdatesdisable.ps1

@@ -6,30 +6,130 @@ function Invoke-WPFUpdatesdisable {
 
     .NOTES
         Disabling Windows Update is not recommended. This is only for advanced users who know what they are doing.
+        This function requires administrator privileges and will attempt to run as SYSTEM for certain operations.
 
     #>
+    
+    Write-Host "Configuring registry settings..." -ForegroundColor Yellow
+    
     If (!(Test-Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU")) {
         New-Item -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" -Force | Out-Null
     }
     Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" -Name "NoAutoUpdate" -Type DWord -Value 1
     Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" -Name "AUOptions" -Type DWord -Value 1
+    
     If (!(Test-Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config")) {
         New-Item -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config" -Force | Out-Null
     }
     Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config" -Name "DODownloadMode" -Type DWord -Value 0
+    
+    # Additional registry settings
+    Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" -Name "Start" -Type DWord -Value 4 -ErrorAction SilentlyContinue
+    $failureActions = [byte[]](0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x03,0x00,0x00,0x00,0x14,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0xc0,0xd4,0x01,0x00,0x00,0x00,0x00,0x00,0xe0,0x93,0x04,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00)
+    Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" -Name "FailureActions" -Type Binary -Value $failureActions -ErrorAction SilentlyContinue
 
+    # Disable and stop update related services
+    Write-Host "Disabling update services..." -ForegroundColor Yellow
+    
     $services = @(
         "BITS"
         "wuauserv"
+        "UsoSvc"
+        "uhssvc"
+        "WaaSMedicSvc"
     )
 
     foreach ($service in $services) {
-        # -ErrorAction SilentlyContinue is so it doesn't write an error to stdout if a service doesn't exist
+        try {
+            Write-Host "Stopping and disabling $service..."
+            $serviceObj = Get-Service -Name $service -ErrorAction SilentlyContinue
+            if ($serviceObj) {
+                Stop-Service -Name $service -Force -ErrorAction SilentlyContinue
+                Set-Service -Name $service -StartupType Disabled -ErrorAction SilentlyContinue
+                
+                # Set failure actions to nothing using sc command
+                Start-Process -FilePath "sc.exe" -ArgumentList "failure `"$service`" reset= 0 actions= `"`"" -Wait -WindowStyle Hidden -ErrorAction SilentlyContinue
+            }
+        }
+        catch {
+            Write-Host "Warning: Could not process service $service - $($_.Exception.Message)" -ForegroundColor Yellow
+        }
+    }
+
+    # Rename critical update service DLLs (requires SYSTEM privileges)
+    Write-Host "Attempting to rename critical update service DLLs..." -ForegroundColor Yellow
+    
+    $dlls = @("WaaSMedicSvc", "wuaueng")
+    
+    foreach ($dll in $dlls) {
+        $dllPath = "C:\Windows\System32\$dll.dll"
+        $backupPath = "C:\Windows\System32\${dll}_BAK.dll"
+        
+        if (Test-Path $dllPath) {
+            try {
+                # Take ownership
+                Start-Process -FilePath "takeown.exe" -ArgumentList "/f `"$dllPath`"" -Wait -WindowStyle Hidden -ErrorAction SilentlyContinue
+                
+                # Grant full control to everyone
+                Start-Process -FilePath "icacls.exe" -ArgumentList "`"$dllPath`" /grant *S-1-1-0:F" -Wait -WindowStyle Hidden -ErrorAction SilentlyContinue
+                
+                # Rename file
+                if (!(Test-Path $backupPath)) {
+                    Rename-Item -Path $dllPath -NewName "${dll}_BAK.dll" -ErrorAction SilentlyContinue
+                    Write-Host "Renamed $dll.dll to ${dll}_BAK.dll"
+                    
+                    # Restore ownership to TrustedInstaller
+                    Start-Process -FilePath "icacls.exe" -ArgumentList "`"$backupPath`" /setowner `"NT SERVICE\TrustedInstaller`"" -Wait -WindowStyle Hidden -ErrorAction SilentlyContinue
+                    Start-Process -FilePath "icacls.exe" -ArgumentList "`"$backupPath`" /remove *S-1-1-0" -Wait -WindowStyle Hidden -ErrorAction SilentlyContinue
+                }
+            }
+            catch {
+                Write-Host "Warning: Could not rename $dll.dll - $($_.Exception.Message)" -ForegroundColor Yellow
+            }
+        }
+    }
 
-        Write-Host "Setting $service StartupType to Disabled"
-        Get-Service -Name $service -ErrorAction SilentlyContinue | Set-Service -StartupType Disabled
+    # Delete downloaded update files
+    Write-Host "Cleaning up downloaded update files..." -ForegroundColor Yellow
+    
+    try {
+        $softwareDistPath = "C:\Windows\SoftwareDistribution"
+        if (Test-Path $softwareDistPath) {
+            Get-ChildItem -Path $softwareDistPath -Recurse -Force | Remove-Item -Force -Recurse -ErrorAction SilentlyContinue
+            Write-Host "Cleared SoftwareDistribution folder"
+        }
     }
-    Write-Host "================================="
-    Write-Host "---   Updates ARE DISABLED    ---"
-    Write-Host "================================="
+    catch {
+        Write-Host "Warning: Could not fully clear SoftwareDistribution folder - $($_.Exception.Message)" -ForegroundColor Yellow
+    }
+
+    # Disable update related scheduled tasks
+    Write-Host "Disabling update related scheduled tasks..." -ForegroundColor Yellow
+    
+    $taskPaths = @(
+        '\Microsoft\Windows\InstallService\*'
+        '\Microsoft\Windows\UpdateOrchestrator\*'
+        '\Microsoft\Windows\UpdateAssistant\*'
+        '\Microsoft\Windows\WaaSMedic\*'
+        '\Microsoft\Windows\WindowsUpdate\*'
+        '\Microsoft\WindowsUpdate\*'
+    )
+
+    foreach ($taskPath in $taskPaths) {
+        try {
+            $tasks = Get-ScheduledTask -TaskPath $taskPath -ErrorAction SilentlyContinue
+            foreach ($task in $tasks) {
+                Disable-ScheduledTask -TaskName $task.TaskName -TaskPath $task.TaskPath -ErrorAction SilentlyContinue
+                Write-Host "Disabled task: $($task.TaskName)"
+            }
+        }
+        catch {
+            Write-Host "Warning: Could not disable tasks in path $taskPath - $($_.Exception.Message)" -ForegroundColor Yellow
+        }
+    }
+
+    Write-Host "=================================" -ForegroundColor Green
+    Write-Host "---   Updates ARE DISABLED    ---" -ForegroundColor Green  
+    Write-Host "===================================" -ForegroundColor Green
+    Write-Host "Note: Some operations may require a system restart to take full effect." -ForegroundColor Yellow
 }