Disable Windows Update via Powershell

    Question

  • Hey everyone,

     

    Is it possible to simply disable Windows Update via PowerShell? I'm working on a script that would assign a list of servers to a "Servers" variable, then run a for loop to hopefully disable WU, as we use a third-party product to manage patching, and there are often conflicts between the automatic updates and the third-party patches.

     

    Thanks in advance!

    Tuesday, September 13, 2011 4:38 PM

Answers

  • Get-Content C:\servers.txt | ForEach-Object {
        # -Ea 0 is shorthand for -ErrorAction SilentlyContinue
        $service = Get-WmiObject Win32_Service -Filter 'Name="wuauserv"' -ComputerName $_ -Ea 0
        if ($service)
        {
            if ($service.StartMode -ne "Disabled")
            {
                # ReturnValue 0 means success; any other value is an error code
                $result = $service.ChangeStartMode("Disabled").ReturnValue
                if ($result)
                {
                    "Failed to disable the 'wuauserv' service on $_. The return value was $result."
                }
                else {"Success to disable the 'wuauserv' service on $_."}

                # Disabling only changes the start mode; a running service must also be stopped
                if ($service.State -eq "Running")
                {
                    $result = $service.StopService().ReturnValue
                    if ($result)
                    {
                        "Failed to stop the 'wuauserv' service on $_. The return value was $result."
                    }
                    else {"Success to stop the 'wuauserv' service on $_."}
                }
            }
            else {"The 'wuauserv' service on $_ is already disabled."}
        }
        else {"Failed to retrieve the service 'wuauserv' from $_."}
    }
    
    

    Thursday, September 15, 2011 9:15 PM

All replies

  • For local use:

     

    # http://support.microsoft.com/kb/328010
    
    New-Item HKLM:\SOFTWARE\Policies\Microsoft\Windows -Name WindowsUpdate
    New-Item HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate -Name AU
    New-ItemProperty HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU -Name NoAutoUpdate -Value 1
    

    To change settings remotely, you may use the PSRemoteRegistry module - http://archive.msdn.microsoft.com/PSRemoteRegistry

     

    PS: Best practice is to use Group Policy.
    • Edited by KazunMVP Tuesday, September 13, 2011 4:47 PM
    • Proposed as answer by Rich Prescott Tuesday, September 13, 2011 8:17 PM
    • Unproposed as answer by NashvilleSchoolsIT Wednesday, September 14, 2011 1:43 PM
    Tuesday, September 13, 2011 4:45 PM
  • Check out James O'Neill's blog:

    http://blogs.technet.com/b/jamesone/archive/2009/01/27/managing-windows-update-with-powershell.aspx

    Karl


    My Blog: http://unlockpowershell.wordpress.com
    My Book: Windows PowerShell 2.0 Bible
    My E-mail: -join ("6B61726C6D69747363686B65406D742E6E6574"-split"(?<=\G.{2})",19|%{[char][int]"0x$_"})
    Tuesday, September 13, 2011 4:49 PM
  • I would just like to toss in that while this is very much doable in PowerShell, the better approach (in my opinion) would be to control this using a GPO. (You can of course create this GPO using PowerShell if you so wish!)

     

    Import-Module GroupPolicy
    $GPO = "Disable Windows Updates"
    New-GPO -Name $GPO | Set-GPRegistryValue -Key "HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\AU" -ValueName "NoAutoUpdate" -Value 1 -Type "DWord" | Out-Null
    (Get-GPO -Name $GPO).User.Enabled=$False
    Get-GPO -Name $GPO
    
    


    I just put this together. It will create a GPO named "Disable Windows Updates" and configure it to do just that. It will also disable the user configuration settings of the GPO. If you have a security group and/or OU prepared for the servers you wish to exclude, you can also use Set-GPLink and Set-GPPermissions to configure the scope and security filtering. 

    All in PowerShell of course! 

     

     


    Andreas Hultgren
    MCTS, MCITP
    http://ahultgren.blogspot.com/
    • Edited by A.Hultgren Wednesday, September 14, 2011 10:43 AM
    Wednesday, September 14, 2011 10:43 AM
  • Without getting into a rather lengthy bit of politics and background, I will say that obviously our preference would be to do this via GPO, but we can't due to "split control" of our active directory environment.

     

    The remote registry module looks to be the ticket, but can someone make some recommendations as to how to accomplish this?  I'm a bit of a PS newbie, outside of Exchange\Sharepoint\Lync stuff, and this one has me stumped.

    Wednesday, September 14, 2011 1:42 PM
  • With PsRemoteRegistry:

    Get-Content servers.txt | New-RegKey -Key "SOFTWARE\Policies\Microsoft\Windows" -Name "WindowsUpdate\AU" -PassThru | Set-RegString -Value NoAutoUpdate -Data 1 -Force -PassThru
    


    Wednesday, September 14, 2011 1:59 PM
  • What format should the text file be in?  Comma delimited? Space?

     

    Also, is this script agnostic to Windows version? We have a mixture of 2003 and 2008.

     

    Thanks for your help!

    Wednesday, September 14, 2011 2:16 PM
  • What format should the text file be in?  Comma delimited? Space?

     

    Also, is this script agnostic to Windows version? We have a mixture of 2003 and 2008.

     

    Thanks for your help!

    Column, works on both versions of Windows.
    Wednesday, September 14, 2011 2:33 PM
  • So if I dump the contents of a dsquery into a text file that looks like this:

    "server1"

    "server2"

    "server3"

     

    It should work?

    Wednesday, September 14, 2011 2:50 PM
  • Skip the empty lines (unless it's just formatted weird in the post): 

    server1
    server2
    server3

    You shouldn't need the double-quotes either, but I don't think they'll hurt. 


    Andreas Hultgren
    MCTS, MCITP
    http://ahultgren.blogspot.com/
    Wednesday, September 14, 2011 2:52 PM
  • So if I dump the contents of a dsquery into a text file that looks like this:

    "server1"

    "server2"

    "server3"

     

    It should work?

    Remove double quotes.
    Wednesday, September 14, 2011 2:54 PM
  • I did need to remove the double quotes to get it to work properly, but it did the trick with Kazun's advice!

     

    Thank you so much!!

    Wednesday, September 14, 2011 3:31 PM
  • Okay, spoke too soon...

     

    It does add that key to the registry, but automatic updates remains enabled.  Perhaps we need to disable the service?  I wrote this script using Get-WmiObject, but it doesn't seem to work... any ideas?

     

    Get-Content c:\servers.txt | ForEach-Object {
        $service = Get-WmiObject Win32_Service -Filter 'Name="wuauserv"' -ComputerName $_ -ErrorAction SilentlyContinue
        if (-not $?) {
            "Failed to retrieve the service 'wuauserv' from $_."
        } elseif (-not $service) {
            "There is no 'wuauserv' service on $_."
        } else {
            if ($service.StartMode -ne 'Disabled') {
                $result = $service.ChangeStartMode("Disabled")
                if ($result.ReturnValue -ne 0) {
                    "Failed to disable the 'wuauserv' service on $_. The return value was $($result.ReturnValue)."
                }
            } else {
                "The 'wuauserv' service on $_ is already disabled."
            }
            if ($service.State -ne 'Stopped') {
                $result = $service.StopService()
                if ($result.ReturnValue -ne 0) {
                    "Failed to stop the 'wuauserv' service on $_. The return value was $($result.ReturnValue)."
                }
            } else {
                "The 'wuauserv' service on $_ is already stopped."
            }
        }
    }
    Thursday, September 15, 2011 5:42 PM
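
Added example (not from any poster in this thread): a read-only PowerShell audit for the situation described above, where the policy key exists but automatic updates stay enabled. It reports the `wuauserv` start mode and state together with the `NoAutoUpdate` value and its registry type, which KB 328010 documents as REG_DWORD; the function name `Get-WindowsUpdateState` is hypothetical, and `C:\servers.txt` is assumed to list one server per line.

```powershell
# Added example: read-only audit; it changes nothing on the target servers.
# Assumption: C:\servers.txt holds one server name per line, as in the thread.
function Get-WindowsUpdateState {
    param([Parameter(Mandatory = $true)][string]$ComputerName)
    $report = New-Object PSObject -Property @{
        ComputerName = $ComputerName
        StartMode    = $null    # Win32_Service.StartMode: Auto, Manual, Disabled
        State        = $null    # Win32_Service.State: Running, Stopped, ...
        NoAutoUpdate = $null    # policy value, if it exists
        ValueKind    = $null    # registry type of that value
        Finding      = $null
    }
    $service = Get-WmiObject Win32_Service -Filter 'Name="wuauserv"' `
        -ComputerName $ComputerName -ErrorAction SilentlyContinue
    if (-not $service) {
        $report.Finding = "could not query 'wuauserv'"
        return $report
    }
    $report.StartMode = $service.StartMode
    $report.State     = $service.State
    try {
        # Needs the Remote Registry service running on the target.
        $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $ComputerName)
        $au = $hklm.OpenSubKey('SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU')
        if ($au -and ($au.GetValueNames() -contains 'NoAutoUpdate')) {
            $report.NoAutoUpdate = $au.GetValue('NoAutoUpdate')
            $report.ValueKind    = $au.GetValueKind('NoAutoUpdate')
        }
        $hklm.Close()
    }
    catch {
        $report.Finding = "registry read failed: $($_.Exception.Message)"
        return $report
    }
    # Compare what was found against the intended state.
    $issues = @()
    if ($report.StartMode -ne 'Disabled') { $issues += "start mode is $($report.StartMode)" }
    if ($report.State -ne 'Stopped') { $issues += "service is $($report.State)" }
    if ($null -eq $report.ValueKind) { $issues += 'NoAutoUpdate is not set' }
    elseif ("$($report.ValueKind)" -ne 'DWord') { $issues += "NoAutoUpdate is $($report.ValueKind), not DWord" }
    elseif ($report.NoAutoUpdate -ne 1) { $issues += "NoAutoUpdate is $($report.NoAutoUpdate)" }
    $report.Finding = if ($issues) { $issues -join '; ' } else { 'OK' }
    $report
}

# Skip blank lines and strip the double quotes a dsquery export leaves behind.
Get-Content C:\servers.txt | Where-Object { $_.Trim() } |
    ForEach-Object { Get-WindowsUpdateState -ComputerName $_.Trim().Trim('"') } |
    Select-Object ComputerName, StartMode, State, NoAutoUpdate, ValueKind, Finding
```
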