tis-fix-disable-windows-update

10.0-36
Hard way to prevent Windows Updates from running on Windows 10 over WAPT WUA
2089 downloads
  • package : tis-fix-disable-windows-update
  • name : Fix Disable Windows Update
  • version : 10.0-36
  • categories : Configuration,System and network
  • maintainer : WAPT Team,Tranquil IT,Simon FONTENEAU
  • editor :
  • licence :
  • locale : all
  • target_os : windows
  • impacted_process :
  • architecture : all
  • signature_date : 2023-06-11 15:07
  • size : 7.69 KB
package           : tis-fix-disable-windows-update
version           : 10.0-36
architecture      : all
section           : base
priority          : optional
name              : Fix Disable Windows Update
categories        : Configuration,System and network
maintainer        : WAPT Team,Tranquil IT,Simon FONTENEAU
description       : Hard way to prevent Windows Updates from running on Windows 10 over WATP WUA
depends           : 
conflicts         : 
maturity          : PROD
locale            : all
target_os         : windows
min_wapt_version  : 1.7
sources           : 
installed_size    : 
impacted_process  : 
description_fr    : Moyen difficile d'empêcher l'exécution des mises à jour de Windows sur Windows 10 par WATP WUA
description_pl    : Twardy sposób na uniemożliwienie uruchamiania aktualizacji systemu Windows w Windows 10 przez WATP WUA
description_de    : Schwierige Methode, die Ausführung von Windows-Updates unter Windows 10 über WATP WUA zu verhindern
description_es    : Manera difícil de evitar que las actualizaciones de Windows se ejecuten en Windows 10 a través de WATP WUA
description_pt    : Forma difícil de impedir que as actualizações do Windows corram no Windows 10 sobre WATP WUA
description_it    : Modo difficile per impedire l'esecuzione degli aggiornamenti di Windows su Windows 10 tramite WATP WUA
description_nl    : Moeilijke manier om te voorkomen dat Windows Updates worden uitgevoerd op Windows 10 via WATP WUA
description_ru    : Жесткий способ предотвратить запуск обновлений Windows на Windows 10 через WATP WUA
audit_schedule    : 3h
editor            : 
keywords          : 
licence           : 
homepage          : 
package_uuid      : 32b69041-718a-4fc4-a4ed-b7347b4e68de
valid_from        : 
valid_until       : 
forced_install_on : 
changelog         : 
min_os_version    : 
max_os_version    : 
icon_sha256sum    : 7891f1ca19ac8a9e41cb2963c0833bb3424a1dcc3f89e6ae484b1841a67063b2
signer            : Tranquil IT
signer_fingerprint: 8c5127a75392be9cc9afd0dbae1222a673072c308c14d88ab246e23832e8c6bb
signature         : RLeUuruvT6DV29yHA4nKEKcpvzk6+TfwhOYd6WrBxVQ8qomt4owldWOEvkgv2jL9ivg4M9JFoqy5gGLv718CCX+x3UfzAngZT/SQ3mkhd7xOd0GELGJjbcaixVBCSRBGfa3bvC035aVmiXNB2jTAits6PzPYWBq2k5G/BV1/23CabtiJvDHpZHUY08LGuo36HlcSSW2jnHfdaPlEVUXaSDWTYOZGR8Wl9ZOXsAGsTaHoMSsBZsxZLUkdI3YiO1m7dorTQD+OskA1bPW1JP5sp/1hAFBp7jKSCMf9jor/ARKwqmEdOdzek/KzVtYuLegfVMbHWNWgT2p5G1ONe4k1eA==
signature_date    : 2023-06-11T15:07:45.420115
signed_attributes : package,version,architecture,section,priority,name,categories,maintainer,description,depends,conflicts,maturity,locale,target_os,min_wapt_version,sources,installed_size,impacted_process,description_fr,description_pl,description_de,description_es,description_pt,description_it,description_nl,description_ru,audit_schedule,editor,keywords,licence,homepage,package_uuid,valid_from,valid_until,forced_install_on,changelog,min_os_version,max_os_version,icon_sha256sum,signer,signer_fingerprint,signature_date,signed_attributes
# -*- coding: utf-8 -*-
from setuphelpers import *


uo_tasks_list = [
    "Backup Scan",
    "Driver Install",
    "Maintenance Install",
    "MusUx_UpdateInterval",
    "Reboot_AC",
    "Reboot_Battery",
    "Schedule Scan",
    "Schedule Scan Static Task",
    "Universal Orchestrator Start",
    "UpdateModelTask",
    "USO_UxBroker",
    "Report policies",
    "AC Power Download"
]
wu_list_tasks = ["Scheduled Start", "sihpostreboot"]


def install():
    if windows_version() > Version("10"):
        for service in ('dosvc','waasmedicsvc','unosvc','UsoSvc','uhssvc'):
            print("Checking  %s " % service)
            if reg_key_exists(HKEY_LOCAL_MACHINE, r"SYSTEM\CurrentControlSet\Services\%s" % service):
                if int(registry_readstring(HKEY_LOCAL_MACHINE, r"SYSTEM\CurrentControlSet\Services\%s" % service, "start")) != 4:
                    print("Disabling Windows Remediation Service (%s)" % service)
                    registry_set(HKEY_LOCAL_MACHINE, r"SYSTEM\CurrentControlSet\Services\%s" % service, "start", 4)
                    try:
                        service_stop(service)
                    except Exception:
                        # The service may already be stopped or refuse to stop; taskkill below handles the rest
                        pass
                    run_notfatal('taskkill /FI "SERVICES eq %s"  /F' % service)
            else:
                print("no service %s found " % service)
        # osrss (Windows 10 Update Facilitation) cannot be shut down the standard way
        # https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsUpdate::DoNotConnectToWindowsUpdateInternetLocations&Language=fr-fr
        registry_set(HKEY_LOCAL_MACHINE, r"SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate", "DeferUpdatePeriod"                                     , 0, REG_DWORD)
        registry_set(HKEY_LOCAL_MACHINE, r"SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate", "SetProxyBehaviorForUpdateDetection"                    , 0, REG_DWORD)
        registry_set(HKEY_LOCAL_MACHINE, r"SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate", "DoNotConnectToWindowsUpdateInternetLocations"          , 1, REG_DWORD)
        registry_set(HKEY_LOCAL_MACHINE, r"SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate", "DeferUpgrade"                                          , 1, REG_DWORD)
        registry_set(HKEY_LOCAL_MACHINE, r"SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate", "DeferUpgradePeriod"                                    , 1, REG_DWORD)
        registry_set(HKEY_LOCAL_MACHINE, r"SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate", "ExcludeWUDriversInQualityUpdate"                       , 1, REG_DWORD)
        registry_set(HKEY_LOCAL_MACHINE, r"SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate", "DisableWindowsUpdateAccess"                            , 1, REG_DWORD)
        registry_set(HKEY_LOCAL_MACHINE, r"SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate", "DoNotEnforceEnterpriseTLSCertPinningForUpdateDetection", 1, REG_DWORD)
        registry_set(HKEY_LOCAL_MACHINE, r"SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate", "DisableOSUpgrade"                                      , 1, REG_DWORD)
        registry_set(HKEY_LOCAL_MACHINE, r"SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate", "FillEmptyContentUrls"                                  , 1, REG_DWORD)
        registry_set(HKEY_LOCAL_MACHINE, r"SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate", "WUServer"                                              , "http://127.0.0.1:8088")
        registry_set(HKEY_LOCAL_MACHINE, r"SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate", "WUStatusServer"                                        , "http://127.0.0.1:8088")
        registry_set(HKEY_LOCAL_MACHINE, r"SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate", "UpdateServiceUrlAlternate"                             , "http://127.0.0.1:8088")


        # https://github.com/vFense/vFenseAgent-win/wiki/Registry-keys-for-configuring-Automatic-Updates-&-WSUS
        registry_set(HKEY_LOCAL_MACHINE, r"Software\Microsoft\Windows\CurrentVersion\Policies\WindowsUpdate", "UseWUServer", 1, REG_DWORD)
        registry_set(
            HKEY_LOCAL_MACHINE, r"Software\Microsoft\Windows\CurrentVersion\Policies\WindowsUpdate", "WUStatusServer", "http://127.0.0.1:8088"
        )
        registry_set(HKEY_LOCAL_MACHINE, r"Software\Policies\Microsoft\Windows\WindowsUpdate\AU", "AUOptions", 2, REG_DWORD)
        registry_set(HKEY_LOCAL_MACHINE, r"Software\Policies\Microsoft\Windows\WindowsUpdate\AU", "NoAutoUpdate", 1, REG_DWORD)
        registry_set(HKEY_LOCAL_MACHINE, r"Software\Policies\Microsoft\Windows\WindowsUpdate\AU", "UseWUServer", 1, REG_DWORD)
        registry_set(HKEY_LOCAL_MACHINE, r"Software\Policies\Microsoft\Windows\WindowsUpdate\AU", "ScheduledInstallDay" , 0, REG_DWORD)
        registry_set(HKEY_LOCAL_MACHINE, r"Software\Policies\Microsoft\Windows\WindowsUpdate\AU", "ScheduledInstallTime", 0, REG_DWORD)

        registry_set(HKEY_LOCAL_MACHINE, r"SYSTEM\CurrentControlSet\Services\osrss", "start", 4)
        run_notfatal(r"icacls c:\windows\system32\osrss.dll /deny *S-1-1-0:(oi)(ci)(DE,dc)")
        run_notfatal('taskkill /FI "SERVICES eq osrss"  /F')

        # wuauserv is still needed for waptwua
        registry_set(HKEY_LOCAL_MACHINE, r"SYSTEM\CurrentControlSet\Services\wuauserv", "start", 4)

        # Disable the Update Orchestrator scheduled tasks
        for task in uo_tasks_list:
            try:
                disable_task(r"\Microsoft\Windows\UpdateOrchestrator\%s" % task)
            except Exception:
                print("Unable to disable %s" % task)

        # Disable the WaaSMedic remediation task
        try:
            disable_task(r"\Microsoft\Windows\WaaSMedic\PerformRemediation")
        except Exception:
            print("Unable to disable PerformRemediation")

        # Disable the Windows Update scheduled tasks
        for task in wu_list_tasks:
            try:
                disable_task(r"\Microsoft\Windows\WindowsUpdate\%s" % task)
            except Exception:
                print("Unable to disable %s" % task)

        try:
            print("Uninstall Microsoft Update Health Tools")
            run_notfatal(uninstall_cmd("{BAB9FCC5-1506-4B4F-BFCA-EDE0BDB86C21}"))
        except Exception:
            print("Microsoft Update Health Tools already uninstalled")

        print("Disable SilentInstalledAppsEnabled")
        registry_set(HKEY_CURRENT_USER, r"SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager", "SilentInstalledAppsEnabled", 0)


def uninstall():
    for service in ("dosvc", "waasmedicsvc", "usosvc"):
        print("Checking  %s " % service)
        if reg_key_exists(HKEY_LOCAL_MACHINE, r"SYSTEM\CurrentControlSet\Services\%s" % service):
            if int(registry_readstring(HKEY_LOCAL_MACHINE, r"SYSTEM\CurrentControlSet\Services\%s" % service, "start")) != 2:
                print("Enable Windows Remediation Service (%s)" % service)
                registry_set(HKEY_LOCAL_MACHINE, r"SYSTEM\CurrentControlSet\Services\%s" % service, "start", 2)
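                try:
                    service_start(service)
                except Exception:
                    # Start type is already restored in the registry; the service will start on its own trigger or at next boot
                    pass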
        else:
            print("no service %s found " % service)
    # osrss (Windows 10 Update Facilitation) cannot be shut down the standard way
    registry_set(HKEY_LOCAL_MACHINE, r"SYSTEM\CurrentControlSet\Services\osrss", "start", 2)
    # Remove the explicit deny ACE that install() set for Everyone (S-1-1-0);
    # a /grant would leave the deny in place and add delete rights for Everyone
    run_notfatal(r"icacls c:\windows\system32\osrss.dll /remove:d *S-1-1-0")

    # wuauserv is still needed for waptwua
    registry_set(HKEY_LOCAL_MACHINE, r"SYSTEM\CurrentControlSet\Services\wuauserv", "start", 2)

    # Re-enable the scheduled tasks disabled by install()
    for task in uo_tasks_list:
        try:
            enable_task(r"\Microsoft\Windows\UpdateOrchestrator\%s" % task)
        except Exception:
            print("Unable to enable %s" % task)

    try:
        enable_task(r"\Microsoft\Windows\WaaSMedic\PerformRemediation")
    except Exception:
        print("Unable to enable PerformRemediation")

    for task in wu_list_tasks:
        try:
            enable_task(r"\Microsoft\Windows\WindowsUpdate\%s" % task)
        except Exception:
            print("Unable to enable %s" % task)


def session_setup():
    registry_set(
        HKEY_CURRENT_USER,
        r"Software\Microsoft\Windows\CurrentVersion\BackgroundAccessApplications\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy",
        "Disabled",
        1,
    )
    registry_set(HKEY_CURRENT_USER, r"Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager", "SubscribedContent-338388Enabled", 0)
    # https://github.com/vFense/vFenseAgent-win/wiki/Registry-keys-for-configuring-Automatic-Updates-&-WSUS
    registry_set(HKEY_CURRENT_USER, r"Software\Microsoft\Windows\CurrentVersion\Policies\Explorer", "NoWindowsUpdate", 1)
    #registry_set(HKEY_CURRENT_USER, r"Software\Microsoft\Windows\CurrentVersion\Policies\WindowsUpdate", "DisableWindowsUpdateAccess", 1)
    #registry_set(HKEY_CURRENT_USER, r"Software\Microsoft\Windows\CurrentVersion\Policies\WindowsUpdate", "SetDisableUXWUAccess", 1)


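def audit():
    # Enforce rather than only check: install() is re-run at each audit
    # (audit_schedule is 3h in the control file)
    install()
    return "OK"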
55ebf0df598e2ef061e4d9a6b16503aa847c68d3d33d371bcd0dc6c7f4ff9a9a : setup.py
7891f1ca19ac8a9e41cb2963c0833bb3424a1dcc3f89e6ae484b1841a67063b2 : WAPT/icon.png
a5a97261381e1d0ad46ee15916abec9c2631d0201f5cc50ceb0197a165a0bbbf : WAPT/certificate.crt
8fe62e919e946510c08c4119941941d9f09158dc792524b212112a05b395c4f0 : luti.json
05b3a6e1874619050d3786777c277051abb95580890dc78f5e1d485d9feb3b9b : WAPT/control