一鍵停用（Disable-WindowsUpdate-Hard.ps1）

# Disable-WindowsUpdate ``` # Requires: Windows PowerShell 5.1+ (Run as Administrator) $ErrorActionPreference = 'Stop' # 0) Admin check $admin = ([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent() ).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator) if (-not $admin) { throw "Please run this script as Administrator." } Write-Host "=== DISABLE Windows Update: services, scheduled tasks, and policy ===" # 1) Optional: create a system restore point (may fail on server SKUs or if disabled) try { Checkpoint-Computer -Description "Before_Disable_WU" -RestorePointType "MODIFY_SETTINGS" Write-Host "Restore point created (if supported)." } catch { Write-Host "Skip restore point: $($_.Exception.Message)" } # 2) Stop services $svcToStop = @('wuauserv','UsoSvc','BITS','DoSvc') foreach ($s in $svcToStop) { try { Stop-Service -Name $s -Force -ErrorAction Stop; Write-Host "Stopped: $s" } catch { Write-Host "Stop failed: $s ($($_.Exception.Message))" } } # 3) Disable services $svcToDisable = @('wuauserv','UsoSvc','BITS','DoSvc') foreach ($s in $svcToDisable) { try { Set-Service -Name $s -StartupType Disabled; Write-Host "Disabled: $s" } catch { Write-Host "Disable failed: $s ($($_.Exception.Message))" } } # 4) Disable Windows Update related scheduled tasks $taskList = @( '\Microsoft\Windows\WindowsUpdate\Scheduled Start', '\Microsoft\Windows\WindowsUpdate\AUScheduledInstall', '\Microsoft\Windows\WindowsUpdate\Automatic App Update', '\Microsoft\Windows\WindowsUpdate\sih', '\Microsoft\Windows\WindowsUpdate\sihboot', '\Microsoft\Windows\UpdateOrchestrator\Schedule Scan', '\Microsoft\Windows\UpdateOrchestrator\Schedule Scan Static Task', '\Microsoft\Windows\UpdateOrchestrator\USO_UxBroker_ReadyToReboot', '\Microsoft\Windows\UpdateOrchestrator\Reboot', '\Microsoft\Windows\UpdateOrchestrator\Report policies', '\Microsoft\Windows\UpdateOrchestrator\Resume On Boot', '\Microsoft\Windows\UpdateOrchestrator\Scan', '\Microsoft\Windows\UpdateOrchestrator\StartOobeAppsScan', '\Microsoft\Windows\UpdateOrchestrator\Schedule Maintenance Work', '\Microsoft\Windows\InstallService\ScanForUpdates', '\Microsoft\Windows\WaaSMedic\PerformRemediation' ) foreach ($t in $taskList) { $taskPath = ($t -replace '[^\\]+$','') # keep trailing backslash $taskName = (Split-Path $t -Leaf) try { Get-ScheduledTask -TaskPath $taskPath -TaskName $taskName -ErrorAction Stop | Disable-ScheduledTask | Out-Null Write-Host "Disabled task: $t" } catch { Write-Host "Disable task failed: $t ($($_.Exception.Message))" } } # 5) Apply policies (equivalent to GPO) to block WU $wuRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate' $auRoot = Join-Path $wuRoot 'AU' $doRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization' New-Item -Path $wuRoot -Force | Out-Null New-Item -Path $auRoot -Force | Out-Null New-Item -Path $doRoot -Force | Out-Null # No auto update and remove access New-ItemProperty -Path $auRoot -Name 'NoAutoUpdate' -Value 1 -PropertyType DWord -Force | Out-Null New-ItemProperty -Path $wuRoot -Name 'DisableWindowsUpdateAccess' -Value 1 -PropertyType DWord -Force | Out-Null # Do not connect to Microsoft update internet locations New-ItemProperty -Path $wuRoot -Name 'DoNotConnectToWindowsUpdateInternetLocations' -Value 1 -PropertyType DWord -Force | Out-Null # Block OS upgrade New-ItemProperty -Path $wuRoot -Name 'DisableOSUpgrade' -Value 1 -PropertyType DWord -Force | Out-Null # Point to a dummy WSUS (UseWUServer = 1) to block scans New-ItemProperty -Path $wuRoot -Name 'WUServer' -Value 'http://127.0.0.1:8530' -PropertyType String -Force | Out-Null New-ItemProperty -Path $wuRoot -Name 'WUStatusServer' -Value 'http://127.0.0.1:8530' -PropertyType String -Force | Out-Null New-ItemProperty -Path $auRoot -Name 'UseWUServer' -Value 1 -PropertyType DWord -Force | Out-Null # Delivery Optimization to simple (bypass DO) New-ItemProperty -Path $doRoot -Name 'DODownloadMode' -Value 99 -PropertyType DWord -Force | Out-Null # 6) Enforce policy right away try { gpupdate /target:computer /force | Out-Null } catch { Write-Host "gpupdate failed: $($_.Exception.Message)" } Write-Host "`nAll done. Reboot is recommended." ```