gedit? Do you mean gpedit.msc? Working options are slowly being removed from that as time goes on as you found out. We already know how to selectively install windows and driver updates and block forced windows and driver updates. We're looking for solutions to bypass protected processes that are threatening our methods of modifying the system by deleting or changing system file permissions and editing the registry. It's time to plan for update control v2.0, which is what this thread is about.
Dude, do not do it, do not fall under the writing of paranoid people who see only conspiracies, Windows has never been better, if you need some help, ask, read here how https://forums.mydigitallife.net/threads/windows-update-minitool.64939/page-47#post-1465177
Off topic post. Spoiler Like i havnt already? Thats why i struck lucky with 8.1 on Coffee Lake. I have 3 systems worth of hardware, 2 boxed up, one in use, 2 w7 capable, 3 w8.1 capable, all have 8.1 drivers, my nvidia gpu has up to date 8.1 drivers. There will be another windows 8.1 capable Coffee Lake system coming in january. Windows 8.1 doesnt get damn silly eye candy upgrades every 6 months, it is stable and works perfectly. @abbodi1406 says its easy to mitigate telemetry on 7 and 8.1, i know his reputation and i trust his word. MS is supporting 8.1 until 2023. Thats 4 years minimum. With the 3 systems worth of hardware i already have plus the new lot coming in january, barring parts failure i should be ok with 8.1 until 2025 at least, 2026/7 possibly. In the meantime i will sit back and smuggly watch the monthly(patch tuesday) or multiple per month(any damn day) windows 10 fun and games. I have judged windows 10 for myself and i have decided to pass.
Using 8.1 is great and all, and no offense, but it won't help bypass protected processes in windows 10 which is what we're trying to accomplish here.
For what it's worth, whenever I need to disable the Protected Process status, I typically use mimikatz. Similar to PPLKiller, mimikatz also uses a kernel-mode driver for the purpose of flipping the bit related to protected processes. Spoiler: My mimikatz PPL testing commands Code: !+ mimidrv !processprotect /process:notepad.exe !processprotect /process:notepad.exe /remove or by PID !processprotect /pid:464 !processprotect /pid:464 /remove However, going forward, I don't think that Microsoft will be having much more use (increased usage, I should say) of protected processes in future iterations of Windows operating systems. Microsoft have decided not to offer bug bounties to security researchers relating to protected processes and really only cherry pick a small percentage of known PPL bypasses to service/patch in OS updates. That, to me, is the indication that protected processes are dying. For the future of protecting critical components on Windows, I believe that quite literally everything will be moving toward Hyper-V and related virtualization techniques. This would require and demand new hardware for the most part, of course. Most of the significant new security features added to Windows in the past 1-2 years have (and going forward) have been VBS (virtualization based security) components. Anyway, in the future, I expect this may be used to protect critical parts of the Windows OS that Microsoft doesn't want users to mess with. I found this topic to be quite interesting and read over all three initial pages before commenting. This was simply my opinion based on current knowledge and curiosity.
Security is not equal security, once security is an others threat. Your security to prevent your favorite PC game from downloading executable code from the internet and running it with administrative privileges is the game studios threat of not being able to prevent you from using cheats and bypassing in game purchases, for example. This example mostly applies to any sort of DRM, including Microsoft attempts to take your right away to update or not and to modify your system. While VBS is great for security from the users perspective its imho not so great from the corporation view of things. Sure having a 4k HDR BD DRM running in a SGX protected enclave might be the industries wet dream but this wont make for a nice wake up. Generally the issue with any VBS is that it protects the host from the guest not vice versa, so whatever M$ packs into a virtualized environment, as long as we have the host kernel/hypervizor compromised we can mess with the VM in any way we want. SGX is a bit more difficult, but it for example can be emulated in QEMU. So while we may have a hard time to extract DRM secrets protected by a TPM only available to authenticated code running under SGX, this subset of technology wont prevent us from controlling the OS and using in what ever way already compromised secrets. What Microsoft wants, what Microsoft needs to realize their closed ecosystem, is to lock down the OS and this is not something to be done with virtualization, quite the contrary the best approaches to thoroughly and reliably take over an OS with a virtualization approach. This line of reasoning depends however on the ability to disable or defeat secure boot, like done on android devices unlocking the boot loader. So if we can not take over the hypervizor we are screwed. But as i wrote earlier its not likely that vendors would be legally able to sell PC's without an option to disable secure boot.
You should differentiate the commercial versions of w10 from corporate versions just like LTSB(C). Also because of the fact that WUs for LTS editions have another purpose than the WUs for the bolatware editions. The very first step to have more control on WU is to switch to a enterprise version and to leave the commercial versions alone. Why should I waste time and energy to bypass processes on the commercial versions when I can install versions which allow more control? I mean corporate admins which have also the claim to have most of own control do surely not install w10 home and then think about the future how to bypass its protected processes in order to have more control on its updates..... This is a senseless approach... Just my two cents.
(Off-Topic) Spoiler Managing a few hundred workstations in a corporate environment (currently using Citrix and in the future using VMware Horizon) I've become used to reducing my department's needs to LTSB/LTSC editions. I don't see a manageable future in any custom solution that does in-memory patching, if you're using anything related to TPM or SGX, including virtualized environments. We do license everything and have rather expensive support agreements with Microsoft and the current trend doesn't allow for much creativity beyond WSUS/MSUS, GPO's and transparent filtering to be truly GDPR-compliant (to filter any telemetry that's not compliant), unfortunately. Maybe using local application proxies that MITM-open-and-inspect the SSL traffic of the outgoing Windows Update traffic may be a workable approach. It won't be trivial to set up, but it might just work. Either that, or: instead of writing a small app that injects itself in the licensing, this time a small app that fakes a WSUS server and controls how many / which updates are to be installed. How about that? That approach might work for all versions except maybe for W10 Home. (I don't think it can join a domain and therefore won't be able to use a local fake WSUS I suppose.)
When I've read the thread the first time a 'fake' WSUS was my first idea, too. But then I ditched the idea focusing on administrating enterprise versions...
Well I would guess that not everyone is in the position to obtain a enterprise version or willing to do whatever is needed to obtain one. The only versions that can be bought individually are Pro and Home, so a solution for these users will benefit many many many people.
Also, many will want to use their correctly and perpetually licensed machines. With a Business SKU, individuals are not correctly licensed anymore.
I agree with that. Anyway my arguments come from another perspective. How many percent of all the w10 home / pro user (commercial editions) have got the awareness that WUs need to be controlled? Think about ALL user (people who have purchased a PC/notebook with preinstalled home/pro editions). Not those on MDL or other PC related forums... Then think about the efforts to be made to bypass protected processes and the dynamic changes via M$ updates in the future AKA cat and mouse game...... -The efforts to create an approach -The efforts to realize it -The efforts to maintenance it. -The fact that you 'break' concepts of Microsoft, the issuer of the licenses. On the other side: The fact that you easily can get an enterprise version and the fact that one can activate it. And the fact that this is proper administrating. The only thing that is 'improper' is the license itself. If I relate now both sides...... There has to be the will and intention to control WUs. To get this awareness one has to have doubts on WUs, how they are released and what they include. I guess 99% do not have this awareness and by that no doubts. They install WUs as they come without any worries... The other one percent is informed and by that has access to enterprise versions and the needed info to administrate it to one's ideas.... Many MDL members use LTSB(C) even because of that. Which approach does violate M$'es licenses more? To use an improper enterprise license where I can make a proper administration without any cat and mouse game OR To try to bypass protected processes by the suggested approaches which includes a bootloader approach with the goal to attack ring-0 processes...or even kernel modifications? This is malware per se from the perspective of Microsoft! They will go against it.
Fair enough. My own perspective: I'm a technician dealing with cheap laptops customers purchase whether for personal use or at the office. Cheap computers come with Home skus. None of my clients purchase, have purchased or ever will an enterprise license. So I say: bypassssss, lol. Spoiler Cheap premise behind my perspective: Microsoft you are mean with your practices, well people out there are much more mean to fight back against yours
@Yen: I didn't state my opinion, only the facts. Telling them to use Enterprise+ and use KMS to activate will unleash a flood of "How can I activate permanently, KMS only provides 180 days, is that an EVAL?" posts. They not only will go against it, they already do. Hint: "Secure Boot". The only real solution would be a "Windows 10 Pro Technician Edition" SKU for Power Users, as a purchasable LTSC Edition with full control and updates not forcefully offered. Once "Patchgate" strikes again, those machines will stay alive to service the victims of MS' clusterf**kery. If I go with your figures, the (highly assumptional) 1% loss in Store purchases could be neglected.
I think important are the personal reasons why one does want to control updates at all. To make an opinion about one needs background knowledge which IMHO should surmount or at least include the knowledge of differentiating KMS from Eval. I am sorry... Consider a 'common' w10 home user which suddenly would be able to have control on any updates. How would he proceed to fulfill his 'goal'? Which WUs would he separate from being installed? To have control on WUs is 'nothing'. You need knowledge for own separation and therefore you need skills or at least you need to inform yourself and by that you can 'learn' to use enterprise. We here are running WSUS. For a corporate admin nothing is as bad as providing a WU that decreases productivity of the clients for whatever technical reasons. Nobody would use WU from M$ as they come. They have to be tested in advance. Relating to what would be practicable and could be provided (at MDL). We do not allow any homebrew versions of windows. Also the ideas from first post are about deep impacts on the system. It could be real malware, we are talking about protected processes to be bypassed. As mentioned already. An approach based on WSUS is the only one (so far) which would make some sense....to use WSUS as an update cache so to say...an approach that uses own means would also survive M$'es dynamic updates.... But actually I just have to say: "You want to have control on WUs?. Use Enterprise! If your will to control WUs is strong enough you can realize it.".... A quite another way is to get aware that M$ has no SKU anymore which can satisfy the personal needs/interest and to go for a completely other OS..... Edit: While we here (at company where I am working) are using WSUS...... at home I have turned off WU on w7 long time ago..... Using LTSB as successor I do not need to prevent WUs to be installed.....besides of that I dual boot Kubuntu
The only correct approach respectively the only possible. How would you separate them, good guys from there bad? If someone tries to switch off over ten services and apps to disable WUs or is not normal (Idiot, better to say) or has a bad intention!! I can not understand what prevents you and others from doing it with all Windows (control WU) starting from Windows 7 all Home/Pro including LTSB/C ?