How to stop Windows 11 Windows Update service from starting

Question

I am building out a new Windows 11 image and need to stop the computers from doing auto updates with Microsoft. We use a third party tool for patching and do not want computers to do their own auto updating from MS.

I have used these reg keys...

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU]

"AUPowerManagement"=dword:00000001

"NoAutoUpdate"=dword:00000001

"NoAUShutdownOption"=dword:00000001

"AUOptions"=dword:00000001

I disabled the Windows Update servers.

I created a local policy that disables windows updates.

There is even a scheduled Windows Update task. I deleted the triggers, changed the startup account to guest and guest is disabled.

Now after doing all of the above, if I boot the computer, the service stays disabled until I plug in a network cable and attach to the internet. As soon as the computer detects the internet, the service changes from disabled to manual and the Windows Update service starts.

I could really use help with disabling this permanently and not allowing it to ever start.

Answer 1

Hi Danny,

You've already done a great job disabling Windows Update through Services, the Registry, and Group Policy — nice work!

If updates are still kicking in when you connect to a network, you can tighten things up even more by combining metered connection settings with some firewall rules.

I'll drop the detailed steps below for you. Feel free to reach out if you have any questions — happy to help!

Step 1: Set Network as Metered (Limits Background Updates)

For Wi-Fi (Easy GUI Method)

Go to Settings → Network & Internet → Wi-Fi.

Click your connected network → Enable "Set as metered connection".

For Ethernet (Requires Registry Edit)

Press Win + R, type regedit, and navigate to: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\DefaultMediaCost

Find the Ethernet entry (or create a new DWORD (32-bit) Value named Ethernet).

Set its value to 2 (Metered).

Reboot to apply.

Step 2: Block Windows Update via Firewall

Open Windows Defender Firewall (wf.msc).

Go to Outbound Rules → New Rule.

Select Program → Path: %SystemRoot%\System32\svchost.exe

Choose Block the connection → Enable for Domain/Private/Public.

Name: Block Windows Update (wuauserv).

Under Properties → Services, restrict to Windows Update (wuauserv).

To wrap up, you can verify that all the settings are applied correctly by:

• Open wf.msc → Outbound Rules → Ensure both rules are Enabled.
• Go to Settings → Windows Update → Click Check for updates.
• If blocked, you’ll see:
• Error 0x80072efe (No connection)
• "Updates are paused" (Metered network).
• Check Event Logs (For Sneaky Updates)
• Open Event Viewer → Windows Logs → Security.
• Filter for Event ID 5152 (Blocked connections).

Answer 2

Unfortunately this did not work.

You said, Open wf.msc → Outbound Rules → Ensure both rules are Enabled. You only posted one rule to create. Not sure if there is a 2nd rule you wanted me to create or if this is a typo.

I opened the registry, on the ethernet option, I changed the value to 2 after taking ownership of the reg key. I needed this to have permissions to it.

I created the single outbound rule that is limited to wu service and it is set to block.

My updates are still able to download when I check for updates.

Any other thoughts?