Hey all, just wondering if there is a way to stop Windows 11 Pro (25H2) from auto-rebooting my computer after it's done with Windows updates. I've used the "NoAutoRebootWithLoggedOnUsers" registry key, but it seems this no longer works on Windows 11 Pro (25H2)? Are there any other methods that work properly? Please point me in the right direction if this has been asked/answered before.
This is my full script that I am running, yet it still auto-reboots.

Code:

```powershell
Function ConfigureWindowsDefender {
    Write-Host "*** Configuring Windows Defender"

    # Windows Defender antivirus

    # MAPS
    # Join Microsoft MAPS
    # (0x0) Disabled (default)
    # (0x1) Basic membership
    # (0x2) Advanced membership
    Reg Add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /T REG_DWORD /V "SpyNetReporting" /D 0 /F
    Reg Add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /T REG_DWORD /V "LocalSettingOverrideSpynetReporting" /D 0 /F
    # Disable submitting data samples to Microsoft
    # (0x0) Always prompt
    # (0x1) Send safe samples automatically
    # (0x2) Never send
    # (0x3) Send all samples automatically
    Reg Add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /T REG_DWORD /V "SubmitSamplesConsent" /D 2 /F
    # Enable block at first sight
    # Requires:
    # MAPS -> The "Join Microsoft MAPS"
    # MAPS -> The "Send file samples when further analysis is required" should be set to 1 (Send safe samples)
    # Real-time Protection -> The "Scan all downloaded files and attachments" policy must be enabled
    # Real-time Protection -> Do not enable the "Turn off real-time protection" policy
    # DISABLED CAUSE EMAIL ALERT SPAM + REDUNDANT
    # Reg Add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /T REG_DWORD /V "DisableBlockAtFirstSeen" /D 1 /F

    # MpEngine
    # Enable extended cloud check
    # Requires:
    # Configure the 'Block at First Sight' feature
    # Join Microsoft MAPS
    # Send file samples when further analysis is required
    Reg Add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\MpEngine" /T REG_DWORD /V "MpBafsExtendedTimeout" /D 0 /F
    # Set default cloud protection level
    # (0x0) Default windows defender blocking level
    # (0x2) High blocking level - aggressively block unknowns while optimizing client performance (greater chance of false positives)
    # (0x4) High+ blocking level – aggressively block unknowns and apply additional protection measures (may impact client performance)
    # (0x6) Zero tolerance blocking level – block all unknown executables
    Reg Add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\MpEngine" /T REG_DWORD /V "MpCloudBlockLevel" /D 0 /F

    # Network Inspection System
    # Enable definition retirement
    # Helps to improve performance -> default ON
    Reg Add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\NIS\Consumers\IPS" /T REG_DWORD /V "DisableSignatureRetirement" /D 0 /F
    # Enable protocol recognition
    # Protocol recognition for network protection against exploits of known vulnerabilities -> default ON
    Reg Add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\NIS" /T REG_DWORD /V "DisableProtocolRecognition" /D 0 /F

    # Quarantine
    # Enable removal of items from quarantine folder after 14 days -> default OFF
    Reg Add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Quarantine" /T REG_DWORD /V "PurgeItemsAfterDelay" /D 14 /F

    # Real-time Protection
    # Turn on real-time protection -> default ON
    Reg Add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /T REG_DWORD /V "DisableRealtimeMonitoring" /D 0 /F
    # Turn on behavior monitoring -> default ON
    Reg Add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /T REG_DWORD /V "DisableBehaviorMonitoring" /D 0 /F
    # Scan all downloaded files and attachments -> default ON
    Reg Add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /T REG_DWORD /V "DisableIOAVProtection" /D 0 /F
    # Monitor file and program activity on your computer -> default ON
    Reg Add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /T REG_DWORD /V "DisableOnAccessProtection" /D 0 /F
    # Turn on raw volume write notifications -> default ON
    Reg Add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /T REG_DWORD /V "DisableRawWriteNotification" /D 0 /F
    # Turn on process scanning whenever real-time protection is enabled -> default ON
    Reg Add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /T REG_DWORD /V "DisableScanOnRealtimeEnable" /D 0 /F
    # Define the maximum size of downloaded files and attachments to be scanned -> default 20480 (too low)
    Reg Add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /T REG_DWORD /V "IOAVMaxSize" /D 10000000 /F
    # Configure monitoring for incoming and outgoing file and program activity -> default ON (0)
    # 0 = Scan incoming and outgoing files (default)
    # 1 = Scan incoming files only
    # 2 = Scan outgoing files only
    Reg Add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /T REG_DWORD /V "RealtimeScanDirection" /D 0 /F
    # Turn on script scanning -> default ON
    Reg Add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /T REG_DWORD /V "DisableScriptScanning" /D 0 /F

    # Remediation
    # Specify the day of the week to run a scheduled full scan to complete remediation -> default ON
    # Leave default -> will run at a default frequency.
    # Specify the time of day to run a scheduled full scan to complete remediation -> default ON
    # Leave default -> will run at a default frequency.

    # Reporting
    # Set Watson Events (telemetry) to 'disabled'
    Reg Add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting" /T REG_DWORD /V "DisableGenericReports" /D 0 /F

    # Scan
    # Disable "allow users to pause scan" -> users will not be able to pause scans
    Reg Add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /T REG_DWORD /V "AllowPause" /D 1 /F
    # Check for the latest virus and spyware security definitions before running a scheduled scan
    Reg Add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /T REG_DWORD /V "CheckForSignaturesBeforeRunningScan" /D 1 /F
    # Configure low CPU priority for scheduled scans
    Reg Add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /T REG_DWORD /V "LowCpuPriority" /D 1 /F
    # Disable "create a daily system restore point"
    Reg Add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /T REG_DWORD /V "DisableRestorePoint" /D 1 /F
    # Define the number of days after which a catch-up scan is forced -> Default (2 days)
    Reg Add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /T REG_DWORD /V "MissedScheduledScanCountBeforeCatchup" /D 2 /F
    # Disable "run full scan on mapped network drives" -> default OFF
    Reg Add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /T REG_DWORD /V "DisableScanningMappedNetworkDrivesForFullScan" /D 1 /F
    # Scan archive files -> default ON
    Reg Add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /T REG_DWORD /V "DisableArchiveScanning" /D 0 /F
    # Disable Scan network files -> default OFF (recommended)
    Reg Add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /T REG_DWORD /V "DisableScanningNetworkFiles" /D 1 /F
    # Scan packed executables -> default ON (recommended)
    Reg Add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /T REG_DWORD /V "DisablePackedExeScanning" /D 0 /F
    # Scan removable drives -> default OFF
    Reg Add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /T REG_DWORD /V "DisableRemovableDriveScanning" /D 0 /F
    # Specify the day of the week to run a scheduled scan
    # (0x0) Every Day
    # (0x1) Sunday
    # (0x2) Monday
    # (0x3) Tuesday
    # (0x4) Wednesday
    # (0x5) Thursday
    # (0x6) Friday
    # (0x7) Saturday
    # (0x8) Never (default)
    Reg Add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /T REG_DWORD /V "ScheduleDay" /D 3 /F
    # Specify the time of day to run a scheduled scan
    # 11:30u -> 690 minutes past 00:00
    Reg Add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /T REG_DWORD /V "ScheduleTime" /D 690 /F
    # Specify the interval to run quick scans per day
    # Quick scan once a day -> 24
    Reg Add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /T REG_DWORD /V "QuickScanInterval" /D 24 /F
    # Specify the time for a daily quick scan
    # Quick scan every day at 15:00
    Reg Add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /T REG_DWORD /V "ScheduleQuickScanTime" /D 900 /F
    # Specify the maximum depth to scan archive files (4Gb) -> max
    Reg Add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /T REG_DWORD /V "ArchiveMaxDepth" /D 4294967295 /F
    # Specify the maximum percentage of CPU utilization during a scan
    Reg Add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /T REG_DWORD /V "AvgCPULoadFactor" /D 20 /F
    # Specify the maximum size of archive files to be scanned (4Gb) -> max
    Reg Add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /T REG_DWORD /V "ArchiveMaxSize" /D 4294967295 /F
    # Specify the scan type to use for a scheduled scan
    # 1 = Quick Scan (default)
    # 2 = Full Scan
    Reg Add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /T REG_DWORD /V "ScanParameters" /D 2 /F
    # Start the scheduled scan only when computer is on but not in use
    Reg Add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /T REG_DWORD /V "ScanOnlyIfIdle" /D 0 /F
    # Turn on catch-up full scan -> default OFF
    Reg Add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /T REG_DWORD /V "DisableCatchupFullScan" /D 0 /F
    # Turn on catch-up quick scan -> default OFF
    Reg Add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /T REG_DWORD /V "DisableCatchupQuickScan" /D 0 /F
    # Turn on e-mail scanning -> default OFF
    Reg Add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /T REG_DWORD /V "DisableEmailScanning" /D 0 /F
    # Turn on heuristics -> default ON
    Reg Add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /T REG_DWORD /V "DisableHeuristics" /D 0 /F
    # Turn on removal of items from scan history folder -> default 30
    Reg Add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /T REG_DWORD /V "PurgeItemsAfterDelay" /D 14 /F
    # Turn on reparse point scanning -> default OFF
    Reg Add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /T REG_DWORD /V "DisableReparsePointScanning" /D 0 /F

    # Signature updates
    # Allow definition updates from Microsoft Update
    Reg Add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Signature Updates" /T REG_DWORD /V "ForceUpdateFromMU" /D 1 /F
    # Allow definition updates when running on battery power -> default ON
    Reg Add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Signature Updates" /T REG_DWORD /V "DisableScheduledSignatureUpdateOnBattery" /D 0 /F
    # Allow notifications to disable definitions based reports to Microsoft MAPS" -> default ON
    Reg Add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Signature Updates" /T REG_DWORD /V "SignatureDisableNotification" /D 0 /F
    # Allow real-time disable definition updates based on reports to Microsoft MAPS" -> default ON
    Reg Add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Signature Updates" /T REG_DWORD /V "RealtimeSignatureDelivery" /D 0 /F
    # Check for the latest virus and spyware definitions on startup -> default OFF
    Reg Add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Signature Updates" /T REG_DWORD /V "UpdateOnStartUp" /D 1 /F
    # Define file shares for downloading security intelligence updates
    # N/A
    # Define the number of days after which a catch-up definition update is required -> default 1
    Reg Add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Signature Updates" /T REG_DWORD /V "SignatureUpdateCatchupInterval" /D 1 /F
    # Define the number of days before spyware definitions are considered out of date -> default 14
    Reg Add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Signature Updates" /T REG_DWORD /V "ASSignatureDue" /D 1 /F
    # Define the number of days before virus definitions are considered out of date -> default 14
    Reg Add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Signature Updates" /T REG_DWORD /V "AVSignatureDue" /D 1 /F
    # Define the order of sources for downloading security intelligence updates
    # N/A
    # Initiate definition update on startup -> default ON
    Reg Add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Signature Updates" /T REG_DWORD /V "DisableUpdateOnStartupWithoutEngine" /D 0 /F
    # Specify the day of the week to check for definition updates
    # (0x0) Every Day (default)
    # (0x1) Sunday
    # (0x2) Monday
    # (0x3) Tuesday
    # (0x4) Wednesday
    # (0x5) Thursday
    # (0x6) Friday
    # (0x7) Saturday
    # (0x8) Never
    Reg Add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Signature Updates" /T REG_DWORD /V "ScheduleDay" /D 0 /F
    # Specify the time to check for definition updates
    # 11AM = 660
    Reg Add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Signature Updates" /T REG_DWORD /V "ScheduleTime" /D 660 /F
    # Specify the interval to check for definition updates
    # Valid values range from 1 (every hour) to 24 (once per day)
    Reg Add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Signature Updates" /T REG_DWORD /V "SignatureUpdateInterval" /D 4 /F
    # Disable "Turn on scan after security intelligence update" -> default ON
    Reg Add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Signature Updates" /T REG_DWORD /V "DisableScanOnUpdate" /D 1 /F

    # Threats
    # Specify threat alert levels at which default action should not be taken when detected
    Reg Add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats" /T REG_SZ /V "1" /D 2 /F
    Reg Add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats" /T REG_SZ /V "2" /D 2 /F
    Reg Add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats" /T REG_SZ /V "4" /D 2 /F
    Reg Add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats" /T REG_SZ /V "5" /D 3 /F
    # Specify threats upon which default action should not be taken when detected (whitelist)
    # N/A

    # Windows Defender Exploit Guard
    # Attack Surface Reduction
    Reg Add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR" /T REG_DWORD /V "ExploitGuard_ASR_Rules" /D 1 /F
    # 1 (Block)
    # 0 (Off)
    # 2 (Audit)
    Reg Add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" /T REG_SZ /V "BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550" /D 1 /F # Block executable content from email client and webmail
    Reg Add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" /T REG_SZ /V "D4F940AB-401B-4EFC-AADC-AD5F3C50688A" /D 1 /F # Block Office applications from creating child processes
    Reg Add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" /T REG_SZ /V "3B576869-A4EC-4529-8536-B80A7769E899" /D 2 /F # (Audit) Block Office applications from creating executable content
    Reg Add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" /T REG_SZ /V "75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84" /D 1 /F # Block Office applications from injecting code into other processes
    Reg Add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" /T REG_SZ /V "D3E037E1-3EB8-44C8-A917-57927947596D" /D 1 /F # Block JavaScript or VBScript from launching downloaded executable content
    Reg Add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" /T REG_SZ /V "5BEB7EFE-FD9A-4556-801D-275E5FFC04CC" /D 1 /F # Block execution of potentially obfuscated scripts
    Reg Add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" /T REG_SZ /V "92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B" /D 1 /F # Block Win32 API calls from Office macro
    Reg Add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" /T REG_SZ /V "B2B3F03D-6A65-4F7B-A9C7-1C7EF74A9BA4" /D 1 /F # Block untrusted and unsigned processes that run from USB
    Reg Add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" /T REG_SZ /V "56a863a9-875e-4185-98a7-b882c64b5ce5" /D 1 /F # Block abuse of exploited vulnerable signed drivers
    Reg Add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" /T REG_SZ /V "26190899-1602-49e8-8b27-eb1d0a1ce869" /D 1 /F # Block Office communication application from creating child processes
    Reg Add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" /T REG_SZ /V "7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c" /D 1 /F # Block Adobe Reader from creating child processes
    Reg Add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" /T REG_SZ /V "9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2" /D 1 /F # Block credential stealing from the Windows local security authority subsystem (lsass.exe)
    Reg Add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" /T REG_SZ /V "e6db77e5-3df2-4cf1-b95a-636979351e5b" /D 1 /F # Block persistence through WMI event subscription
    Reg Add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" /T REG_SZ /V "c1db55ab-c21a-4637-bb3f-a12568109d35" /D 1 /F # Use advanced protection against ransomware
    Reg Add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules" /T REG_SZ /V "d1e49aac-8f56-4280-b9ba-130a6d7b1b7c" /D 1 /F # Block process creations originating from PSExec and WMI commands

    # Controlled Folder Access (Audit Mode: 2 = Audit, 1 = Enable/Block, 0 = Disable)
    Reg Add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\Controlled Folder Access" /T REG_DWORD /V "EnableControlledFolderAccess" /D 2 /F

    # Network Protection
    # Prevent users and apps from accessing dangerous websites
    Reg Add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\Network Protection" /T REG_DWORD /V "EnableNetworkProtection" /D 1 /F

    # Allow antimalware service to remain running always
    Reg Add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /T REG_DWORD /V "ServiceKeepAlive" /D 1 /F
    # Allow antimalware service to startup with normal priority
    Reg Add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /T REG_DWORD /V "AllowFastServiceStartup" /D 1 /F
    # Configure detection for potentially unwanted applications
    Reg Add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /T REG_DWORD /V "PUAProtection" /D 1 /F

    # Windows Defender SmartScreen
    # Explorer
    # Configure Windows Defender SmartScreen
    # Warn
    Reg Add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /T REG_DWORD /V "EnableSmartScreen" /D 1 /F
    Reg Add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /T REG_SZ /V "ShellSmartScreenLevel" /D Warn /F
    # Enable SmartScreen protection for Windows Store App Runtime
    Reg Add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppRuntime" /T REG_DWORD /V "EnableSmartScreenForAppRuntime" /D 1 /F
    # Configure App Install Control
    # Warn me before installing apps from outside the Store
    Reg Add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\SmartScreen" /T REG_DWORD /V "ConfigureAppInstallControlEnabled" /D 1 /F
    Reg Add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\SmartScreen" /T REG_SZ /V "ConfigureAppInstallControl" /D PreferStore /F

    # Telemetry
    # Disable Malicious Software Reporting tool diagnostic data
    Reg Add "HKLM\Software\Policies\Microsoft\MRT" /T REG_DWORD /V "DontReportInfectionInformation" /D 1 /F

    # Windows Defender Sandbox
    # Enable sandboxing (PowerShell native machine environment variable)
    [Environment]::SetEnvironmentVariable("MP_FORCE_USE_SANDBOX", "1", "Machine")
}

Function ConfigureWindowsUpdate {
    Write-Host "*** Configuring Windows Update"

    # Turn off auto-restart for updates during active hours (Active Hours is still configured as a fallback)
    Reg Add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /T REG_DWORD /V "SetActiveHours" /D 1 /F
    # Set active hours to maximum supported window (18 hours): 8AM (8) to 2AM (2) the next day
    Reg Add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /T REG_DWORD /V "ActiveHoursStart" /D 8 /F
    Reg Add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /T REG_DWORD /V "ActiveHoursEnd" /D 2 /F
    # Delay rebooting (don't auto-restart for Windows Updates) if a user is logged on
    Reg Add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" /T REG_DWORD /V "NoAutoRebootWithLoggedOnUsers" /D 1 /F

    # Configure Automatic Updates:
    # Set NoAutoUpdate to 0 to enable automatic updates.
    # Set AUOptions to 3 (Auto download and notify for install) so updates are automatically downloaded in the background during the week, but NEVER installed automatically to protect overnight experiments.
    Reg Add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" /T REG_DWORD /V "NoAutoUpdate" /D 0 /F
    Reg Add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" /T REG_DWORD /V "AUOptions" /D 3 /F

    # Configure Shutdown Behavior:
    # Set NoUpdateWithShutdown to 0 to ensure the "Install Updates and Shut Down" option is always available when updates are pending.
    # Set NoAUAsDefaultShutdownOption to 0 so that "Update and Shut Down" automatically becomes the default option in the Shut Down menu when updates are downloaded.
    Reg Add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" /T REG_DWORD /V "NoUpdateWithShutdown" /D 0 /F
    Reg Add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" /T REG_DWORD /V "NoAUAsDefaultShutdownOption" /D 0 /F

    # Disable automatic reboots before deadlines (ensures system doesn't auto-reboot if an update is somehow staged)
    Reg Add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /T REG_DWORD /V "ConfigureDeadlineNoAutoReboot" /D 1 /F
    # Ensure Always Auto-Reboot at scheduled time is explicitly disabled (legacy fallback)
    Reg Add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" /T REG_DWORD /V "AlwaysAutoRebootAtScheduledTime" /D 0 /F
    # Disable Windows Update to automatically wake up the system to install scheduled updates
    Reg Add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" /T REG_DWORD /V "AUPowerManagement" /D 0 /F

    # Windows Update Deferring
    # Disable "Get the latest updates as soon as they're available" (avoid early-access/CFR updates)
    Reg Add "HKLM\SOFTWARE\Microsoft\WindowsUpdate\UX\Settings" /T REG_DWORD /V "IsContinuousInnovationOptedIn" /D 0 /F
    # Disable automatic optional updates and Controlled Feature Rollouts (CFRs) -> Allow users to manually select if needed
    Reg Add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /T REG_DWORD /V "AllowOptionalContent" /D 3 /F
    # Enable automated Day-Count Feature Update Deferrals
    Reg Add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /T REG_DWORD /V "DeferFeatureUpdates" /D 1 /F
    # Delay annual feature updates by 240 days (8 months) to ensure stability before upgrading
    Reg Add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /T REG_DWORD /V "DeferFeatureUpdatesPeriodInDays" /D 240 /F
    # Enable automated Quality Update Deferrals
    Reg Add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /T REG_DWORD /V "DeferQualityUpdates" /D 1 /F
    # Delay monthly cumulative updates by 20 days to avoid buggy day-one security patches
    Reg Add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /T REG_DWORD /V "DeferQualityUpdatesPeriodInDays" /D 20 /F
    # Disable downloads from other PC's
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config" /T REG_DWORD /V "DODownloadMode" /D 0 /F
    Reg Add "HKLM\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization" /T REG_DWORD /V "DODownloadMode" /D 0 /F
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization" /T REG_DWORD /V "SystemSettingsDownloadMode" /D 0 /F
    # Disable the user's ability to pause Windows Updates via Settings UI
    Reg Add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /T REG_DWORD /V "SetDisablePauseUXAccess" /D 1 /F

    # Windows Update Drivers
    # Disable automatic downloading manufacturer's apps and icons for devices
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Device Metadata" /T REG_DWORD /V "PreventDeviceMetadataFromNetwork" /D 1 /F
    # Disable automatic driver updates through Windows update
    Reg Add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /T REG_DWORD /V "ExcludeWUDriversInQualityUpdate" /D 1 /F

    # Windows Update QoL
    # Turn on "Notify me when a restart is required to finish updating"
    Reg Add "HKLM\SOFTWARE\Microsoft\WindowsUpdate\UX\Settings" /T REG_DWORD /V "RestartNotificationsAllowed" /D 1 /F
    Reg Add "HKLM\SOFTWARE\Microsoft\WindowsUpdate\UX\Settings" /T REG_DWORD /V "RestartNotificationsAllowed2" /D 1 /F
    # Disable WSUS Featured Ads
    Reg Add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" /T REG_DWORD /V "EnableFeaturedSoftware" /D 0 /F
    # Enable automatic Windows Store app updates through Windows update
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsStore\WindowsUpdate" /T REG_DWORD /V "AutoDownload" /D 4 /F

    # Enable Microsoft Updates (Office, SQL Server, etc.)
    Write-Host "*** Enabling Microsoft Update Service"
    Reg Add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" /T REG_DWORD /V "AllowMUUpdateService" /D 1 /F
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Services\7971f918-a847-4430-9279-4a52d1efe18d" /T REG_DWORD /V "RegisteredWithAU" /D 1 /F
    try {
        (New-Object -ComObject "Microsoft.Update.ServiceManager").AddService2("7971f918-a847-4430-9279-4a52d1efe18d", 7, "") | Out-Null
    } catch {
        Write-Warning "Failed to register Microsoft Update service via COM: $_"
    }

    # Disable automatic restart under System failure (BSOD) to prevent reboot loops
    Reg Add "HKLM\SYSTEM\CurrentControlSet\Control\CrashControl" /T REG_DWORD /V "AutoReboot" /D 0 /F
}

ConfigureWindowsDefender
ConfigureWindowsUpdate
```
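An added check, not part of the original post: the PowerShell below lints the Windows Update policy values named in the script for combinations that cannot take effect as written. `Get-WuPolicyValues`, `Test-WuRebootPolicy` and the sample table are hypothetical names; the `AUOptions` dependency and the deferral limits follow Microsoft's policy documentation, and the 18-hour active-hours limit is the one stated in the script's own comment.

```powershell
# Added example: lint Windows Update policy values. Value names come from the
# script above; function names and the sample table are hypothetical.

function Get-WuPolicyValues {
    # Read the live policy values; a value that is not set comes back as $null.
    $wu = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    $wanted = @(
        @{ Path = $wu
           Names = 'SetActiveHours', 'ActiveHoursStart', 'ActiveHoursEnd',
                   'DeferQualityUpdatesPeriodInDays', 'DeferFeatureUpdatesPeriodInDays' }
        @{ Path = "$wu\AU"
           Names = 'AUOptions', 'NoAutoRebootWithLoggedOnUsers',
                   'AlwaysAutoRebootAtScheduledTime' }
    )
    $values = @{}
    foreach ($group in $wanted) {
        $props = Get-ItemProperty -Path $group.Path -ErrorAction SilentlyContinue
        foreach ($name in $group.Names) {
            $values[$name] = if ($props) { $props.$name } else { $null }
        }
    }
    $values
}

function Test-WuRebootPolicy {
    param([Parameter(Mandatory)][hashtable]$Policy)
    $findings = [System.Collections.Generic.List[string]]::new()

    # Documented scope of NoAutoRebootWithLoggedOnUsers: it applies only when
    # Automatic Updates performs scheduled installations (AUOptions = 4).
    if ($Policy.NoAutoRebootWithLoggedOnUsers -eq 1 -and $Policy.AUOptions -ne 4) {
        $findings.Add("NoAutoRebootWithLoggedOnUsers=1 with AUOptions=$($Policy.AUOptions): " +
                      'the policy is documented to apply only to scheduled installs (AUOptions=4).')
    }
    # The two reboot policies contradict each other when both are enabled.
    if ($Policy.NoAutoRebootWithLoggedOnUsers -eq 1 -and
        $Policy.AlwaysAutoRebootAtScheduledTime -eq 1) {
        $findings.Add('NoAutoRebootWithLoggedOnUsers and AlwaysAutoRebootAtScheduledTime are both 1.')
    }
    # Active hours wrap past midnight, so compute the span modulo 24.
    if ($Policy.SetActiveHours -eq 1) {
        $span = (($Policy.ActiveHoursEnd - $Policy.ActiveHoursStart) + 24) % 24
        if ($span -eq 0 -or $span -gt 18) {
            $findings.Add("Active hours span is $span h; the supported window is 1 to 18 h.")
        }
    }
    # Deferral periods outside the documented ranges (quality 0-30, feature 0-365 days).
    if ($Policy.DeferQualityUpdatesPeriodInDays -gt 30) {
        $findings.Add('DeferQualityUpdatesPeriodInDays exceeds 30 days.')
    }
    if ($Policy.DeferFeatureUpdatesPeriodInDays -gt 365) {
        $findings.Add('DeferFeatureUpdatesPeriodInDays exceeds 365 days.')
    }
    $findings
}

# Constructed sample mirroring the values the script above writes.
$sample = @{
    SetActiveHours = 1; ActiveHoursStart = 8; ActiveHoursEnd = 2
    AUOptions = 3; NoAutoRebootWithLoggedOnUsers = 1
    AlwaysAutoRebootAtScheduledTime = 0
    DeferQualityUpdatesPeriodInDays = 20; DeferFeatureUpdatesPeriodInDays = 240
}
Test-WuRebootPolicy -Policy $sample

# On the machine itself, lint what is actually in the registry:
# Test-WuRebootPolicy -Policy (Get-WuPolicyValues)
```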