none
How to Disable Windows Update Medic Service RRS feed

  • Question

  • Hi,

    I'm really desperate right now.
    With Windows 1803 Microsoft has integrated a new service "WaaSMedicSvc" which serves as a watchdog for the WindowsUpdate service.

    I have deactivated the Windows Update service in my environments for a good reason, because they are schools that only get updates during the holidays. In addition, all computers are equipped with a guard card - which means that after a restart of the computer, it is reset to its original state. (Only the administrator has the possibility to deactivate the protection of the card).
    That's why it doesn't make sense to update Windows in this environment with guard protection enabled.

    In the past I had two GPOs running, which I activated/deactivated on the maintenance day. One with "enable Windows Updates via WSUS" and another with "disable Windows Updates".
    The latter simply stopped the service and set it to "disabled".

    Now this service "Windows Update Medic Service" is spitting in my soup because my GPO is not working anymore. But I can't deactivate the Medic Service so easily -> access denied.
    In the net there are now some solutions with scripts of third party providers, but these are always related to the individual computer - I simply need a solution for companies!

    Other solutions I have considered, but which are not practical:
    Disable WSUS service -> WSUS does not sync anymore (Notebooks and PCs without guard card don't get updates either) -> nonsense
    Block WSUS port in firewall -> Clients get updates via DeliveryOptimization and play updates to each other - nonsense

    Now I'd like to know what solution Microsoft is proposing.

    I hate it when microsoft with updates takes any control away from the administrator and thinks to be the better one.

    Thursday, November 8, 2018 7:59 AM

Answers

  • Hi,

    Thank you for posting in our forum.

    We could use registry value to disable it and push this registry to other computers by group policy preference.

    Please navigate to: Computer Configuration \ Preferences \ Windows Settings \ Registry.

    Here is the registry path:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc.

    The value name is Start and please set the value to 4.

    We could refer to this following screenshot.

    And here is the screenshot about this services. We could see its name and Disable in startup type is the fourth one.

    Hope above information could help.

    Best Regards,

    Kallen


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    • Marked as answer by ---Martin--- Friday, November 9, 2018 1:50 PM
    Friday, November 9, 2018 5:51 AM

All replies

  • Hi,

    Thank you for posting in our forum.

    We could use registry value to disable it and push this registry to other computers by group policy preference.

    Please navigate to: Computer Configuration \ Preferences \ Windows Settings \ Registry.

    Here is the registry path:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc.

    The value name is Start and please set the value to 4.

    We could refer to this following screenshot.

    And here is the screenshot about this services. We could see its name and Disable in startup type is the fourth one.

    Hope above information could help.

    Best Regards,

    Kallen


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    • Marked as answer by ---Martin--- Friday, November 9, 2018 1:50 PM
    Friday, November 9, 2018 5:51 AM
  • hi Kallen,

    the WaaSMedicSvc is already set to service start "Manual", I don't understand how this should help. Manual means that the service can still be started by the system if required.
    The only solution I found so far is a script, which is recognized by many virus scanners as Gen:Trojan.WUDisable.aaW@aaaaa and will be deleted.

    Best regards


    Friday, November 9, 2018 7:20 AM
  • Hi,

    I am sorry for my misrepresentation.

    The screenshot shows manual, but we need to set it to disable.

    And disable is the 4th choice in the list so we set the registry to 4. We also could see the registry name from the screenshot.

    Hope above information could help.

    Best Regards,

    Kallen


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    • Marked as answer by ---Martin--- Friday, November 9, 2018 1:42 PM
    • Unmarked as answer by ---Martin--- Friday, November 9, 2018 1:50 PM
    Friday, November 9, 2018 7:43 AM
  • Hi Kallen,

    Thank you so much for the information.
    does it make a difference if I deactivate the service via registry (as specified above) or directly via service control?
    I mean: Computer Configuration -> Settings -> Control Panel -> Services

    The result should be the same, or iam wrong?

    Is there any way that you can be made aware of such "great changes" without reading the long changelogs? Maybe a webinar?

    Friday, November 9, 2018 1:42 PM
  • Hi,

    According to my understanding, it should be likely same.

    However, I did not find this service in Services preferences.

    About using this preference, we may read this article for a reference.

    http://www.grouppolicy.biz/2010/08/how-to-use-group-policy-to-control-services/

    Please Note: Since the web site is not hosted by Microsoft, the link may change without notice. Microsoft does not guarantee the accuracy of this information.

    Hope above information could help.

    Best Regards,

    Kallen  


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Tuesday, November 13, 2018 6:03 AM
  • I have made the registry change many times. The Medic service will show disabled after that.  But the next day the registry entry is changed back to 3 and the Medic service shows manual instead of disabled.  Anyone know what keeps changing the registry entry?
    Wednesday, March 13, 2019 2:28 PM
  • Take an image backup with CloneZilla prior to making this change please ...

    Set the permissions on the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc key to "SYSTEM Deny".

    I actually set it to "EVERYONE Deny" but I believe "SYSTEM Deny" would work because SYSTEM logs the error:

    "The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID ..."

    If you set to EVERYONE DENY you can't get back to it without using Component Services Admin Tool.

    Once you do that, the service should no longer be in the list after restart.

    I update my machines regularly. After I take an image backup, I turn Windows Update On and then turn it back off.  I just want to mitigate the risk of the update with a Clonezilla image on my own schedule.  Windows update has broken my machines twice and Windows built-in recovery did not work.  Clonezilla recovery worked perfectly.  Security Updates are important but Microsoft is imposing in its approach and I believe violate CM policies by installing patches without allowing the user to take an image backup.  Windows 7 allowed you to control when the patches were installed.  That was better.  I have complained to Microsoft and received no response.

    Wednesday, March 20, 2019 2:40 AM
  • The registry key "Start" for HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc , only takes Hexadecimal numbers, so what is the number for "System Deny"???
    Sunday, March 31, 2019 3:35 PM
  • Please backup your system with CloneZilla or another reliable imaging tool prior to performing this change.

    To set permissions you right click on the key name in the left pane explorer bar, then select SYSTEM, then check the box for Full Control "Deny".  "Everyone" will not be in the list, you would have to add that using the Add button - I did not test SYSTEM Deny but believe that would work and it would be easier to undo if you wanted the service back.

    Friday, April 12, 2019 12:02 PM
  • Just delete HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc completely and reboot pc. It's safe.
    Tuesday, May 28, 2019 8:11 AM