How to stop Windows from restoring removed things

Senkanoko

I installed it on the host machine and it worked well until a cumulative update, and then some of the removed features came back, like in this image: IMG_20260122_212930_701.jpg
I swear that I removed some features in Control Panel. However, an update restored them all, so how do I solve this?
 
NTLite can remove components from an offline image. But it cannot block a Monthly Update CU from restoring a component, because the CU is trying to patch that specific Windows feature.

You have two options:
1. Block Windows Updates, because once the CU includes a restored component, it will always restore the same component. Monthly updates are cumulative, so each update includes the same previously restored components.

2. Run a licensed copy of NTLite in "Remove reinstalls" mode. This compares the live system with a preset, and removes any restored components. But it must be repeated after any update has been applied.

The reason you can't block components in the CU is that the update cannot be edited before it is applied to an image. For an offline image, NTLite always applies all updates first, and then removes components. For a live system, NTLite has to wait until the update is applied before it can remove them again.
 
Unless you rein WU in, this is gonna be a never-ending struggle to fight against it to prevent it from reinstalling all the crap over and over.

Two options I am aware of.

I blocked WU and I use WAUManager to run updates manually every week. WAUM lets you selectively install the updates you want and block/hide those you don't. You can block WU with NTLite, a REG entry or with WAUM.

Another option is to use Chris Titus Utility post-install to postpone feature updates for two years and this way you will only get security updates in the Windows Update settings.
 
I apply my tweaks at shutdown and startup, because 11 fights back, hard.
OS is never done. MS keeps stirring the pot. You have to flavor it constantly.
 
I believe NTLite has the option to disable certain updates from coming in and just keep the ones you want, such as Defender updates and the like.
 
There's no point in shutting down WU; we're obligated to update.
What? Where did you get that idea from? I've disabled feature updates and automatic updates on all my PCs. I only get notifications and then I use WAUManager to install only the updates I want to install, like security updates, Defender definitions and sometimes drivers, and when I want to install them. There is absolutely no "obligation" to run Windows Updates.
 
There is a critical security feature that WU provides, the weekly update of the Certificate Revocation List (CRL). The CRL informs you whether a Certificate Authority or major signing cert has been revoked, and you shouldn't trust it any longer.

If you're browsing the web, any time you reach a secure site then the browser triggers a cert check reaching back to the CA. Any revoked CA cert will be detected in the process. But it's only done while you're browsing, and only checks for the sites you're visiting.

The WU background task downloads the CRL, so it can find revocations regardless of your browser traffic. This might be useful if a compromised driver or app has their certs externally revoked as a security measure.

If you completely remove or disable WU, then you should run a task to pull the CRL. A good tool for this is asheroto's Update Certificates (Root Certificate Updater).
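
A way to check whether that background download is still happening on a machine where WU has been blocked, as an added example that is not part of the original post: it reads the last-sync timestamps Windows keeps for the automatically downloaded trusted-root and disallowed-certificate lists. The function names and the 14-day threshold are assumptions.

```powershell
# Added example, not from the thread. Function names are hypothetical.
function ConvertFrom-FileTimeBytes {
    # The sync times are stored as REG_BINARY values holding an 8-byte FILETIME.
    param([byte[]]$Bytes)
    if (-not $Bytes -or $Bytes.Length -lt 8) { return $null }
    [DateTime]::FromFileTimeUtc([BitConverter]::ToInt64($Bytes, 0))
}

function Get-CertListSyncAge {
    param([int]$MaxAgeDays = 14)   # assumed threshold, tune to your own policy
    $auto = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate' `
        -ErrorAction SilentlyContinue
    $policy = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\AuthRoot' `
        -ErrorAction SilentlyContinue
    # DisableRootAutoUpdate = 1 means the automatic root list download is turned off by policy.
    $disabled = ($policy -and $policy.DisableRootAutoUpdate -eq 1)

    foreach ($name in 'LastSyncTime', 'DisallowedCertLastSyncTime') {
        $when = if ($auto) { ConvertFrom-FileTimeBytes $auto.$name } else { $null }
        $age  = if ($when) { [int]((Get-Date).ToUniversalTime() - $when).TotalDays } else { $null }
        [pscustomobject]@{
            Value            = $name
            LastSyncUtc      = $when
            AgeDays          = $age
            DisabledByPolicy = $disabled
            # A missing timestamp counts as stale: the list was never fetched.
            Stale            = (-not $when) -or ($age -gt $MaxAgeDays)
        }
    }
}

Get-CertListSyncAge | Format-Table -AutoSize
```

A row with `Stale = True` on a machine that has WU blocked is the case the post describes, where the lists need to be pulled by a separate task.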
 
garlin, hope this doesn't hijack this thread, but I am asking around the same topic, I think. Wondering if I could ask your advice in this space. I am mostly running my machine for audio production, and also hate it when Windows updates, adds things back in, etc. Basically all I want is the security updates and to know I'm covered. I've disabled WU, and have just been grabbing the monthly CU packages from the microsoft.catalogue and installing them manually (admittedly, realistically every 2-3 months). Keeps the rig free from MS changing stuff on me every time. Do you see any issues with this method I should be aware of? Thank you
 
You can update through NTLite and select what you want once instead of using Windows Update. You can also use NTLite to just allow you to install only what you want when you want as well.

I don't update very often, if at all. If my machine is working I feel no need to.
 
The problem is your strategy isn't going to work, for two reasons:

1. W10/11 updates are cumulative. Once a component is patched, then it's always included in every subsequent cumulative update. That is the definition of cumulative: every update includes everything from the previous updates. So once the update restores something you removed before, every time you install a future update for this Windows release, then you will always need to remove it again.

2. There are no more "security only" updates. Windows has a dual track cycle where every month gets two patches: Monthly CU and Monthly Preview CU. The preview is next month's expected CU released two weeks early so IT admins and QA teams can check if installing the update will break important software apps.

Because of rules over responsible disclosure of security vulnerabilities, security fixes are FIRST RELEASED in the Monthly CU. The Preview, because it's released 2-3 weeks after the Monthly, will inherit the same security fixes since they were already made public.

The rules exist so that someone who installs the Preview doesn't get any early peek at security fixes, since not everyone installs the Previews. So everyone in the world (at the same time) doesn't get an advantage on security issues. The earliest you will see a security fix is Patch Tuesday. Why? Because as soon as a fix ships, the security researchers will reveal details about the vulnerability.

Given both the fact that updates are cumulative and that security fixes can only be revealed on Patch Tuesday, there are no "security only" updates. You have a simple choice between the Monthly and the Preview CUs to install.

If you only have a few PCs, then some users just accept the chore of running NTLite in Remove reinstall mode every time they finish installing the Monthly CU. It's a bit of work, but when you have the old preset, the process is much smoother. Or you end up never applying future patches.

When a machine is used for "production", maybe you should consider Windows LTSC since the point of LTSC is you get monthly security fixes but no feature changes to the base Windows.
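
The repeat work described above starts with knowing what an update switched back on. As an added example (not part of the original post and not NTLite's own method), this PowerShell compares a component inventory saved before the update with the state afterwards; the helper names, the sample rows and the JSON path are assumptions.

```powershell
# Added example, not from the thread. Run elevated: the DISM cmdlets need it.
# Get-ComponentState / Compare-ComponentState are hypothetical helper names.
function Get-ComponentState {
    # Flatten features, capabilities and provisioned apps into Kind/Name/State rows.
    # States are stored as strings so they survive a JSON round trip.
    Get-WindowsOptionalFeature -Online | ForEach-Object {
        [pscustomobject]@{ Kind = 'Feature'; Name = $_.FeatureName; State = "$($_.State)" } }
    Get-WindowsCapability -Online | ForEach-Object {
        [pscustomobject]@{ Kind = 'Capability'; Name = $_.Name; State = "$($_.State)" } }
    Get-AppxProvisionedPackage -Online | ForEach-Object {
        [pscustomobject]@{ Kind = 'ProvisionedApp'; Name = $_.DisplayName; State = 'Installed' } }
}

function Compare-ComponentState {
    # Emit every component that is active now but was off or absent in the baseline.
    param([object[]]$Baseline, [object[]]$Current)
    $active = 'Enabled', 'Installed'
    $before = @{}
    foreach ($b in $Baseline) { $before["$($b.Kind)|$($b.Name)"] = $b.State }
    foreach ($c in $Current) {
        if ($c.State -notin $active) { continue }
        $key = "$($c.Kind)|$($c.Name)"
        $old = if ($before.ContainsKey($key)) { $before[$key] } else { 'Absent' }
        if ($old -notin $active) {
            [pscustomobject]@{ Kind = $c.Kind; Name = $c.Name; Before = $old; After = $c.State }
        }
    }
}

# Constructed sample rows (not taken from a real machine) so the comparison runs offline.
$baseline = @(
    [pscustomobject]@{ Kind = 'Feature'; Name = 'WindowsMediaPlayer'; State = 'Disabled' }
    [pscustomobject]@{ Kind = 'Feature'; Name = 'NetFx3'; State = 'Enabled' }
)
$afterUpdate = @(
    [pscustomobject]@{ Kind = 'Feature'; Name = 'WindowsMediaPlayer'; State = 'Enabled' }
    [pscustomobject]@{ Kind = 'Feature'; Name = 'NetFx3'; State = 'Enabled' }
    [pscustomobject]@{ Kind = 'ProvisionedApp'; Name = 'Microsoft.BingWeather'; State = 'Installed' }
)
Compare-ComponentState -Baseline $baseline -Current $afterUpdate | Format-Table

# Live use (C:\baseline.json is a placeholder path):
#   before the CU: Get-ComponentState | ConvertTo-Json | Set-Content C:\baseline.json
#   after the CU:  Compare-ComponentState (Get-Content C:\baseline.json -Raw | ConvertFrom-Json) (Get-ComponentState)
```

Entries reported with `Before = Absent` were not in the baseline at all, which covers both components that had been removed outright and components the update introduced for the first time.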
 