undergroundwires / privacy.sexy

Open-source tool to enforce privacy & security best-practices on Windows, macOS and Linux, because privacy is sexy
https://privacy.sexy
GNU Affero General Public License v3.0
4.13k stars 174 forks

[BUG]: Windows automatically re-enables Update after 4-5 days #272

Closed evvlzeiu closed 3 months ago

evvlzeiu commented 1 year ago

After applying "Disable Windows Update", it successfully disables Windows Update, and going into the Settings app says "Something went wrong, Try to reopen setting later", which is great, but after 4 or 5 days Windows automatically re-enabled Windows Update.

undergroundwires commented 1 year ago

Hi. Which scripts under Disable updates did you execute? Which version of privacy.sexy? Do you have the file? Which Windows 10 version is this?

evvlzeiu commented 1 year ago

I'm using the latest version 0.12.4 and selected all the options in Disabled update

privacy-script.txt

Edition: Windows 10 Pro
Version: 22H2
Installed on: 13-09-2023
OS build: 19045.3448
Experience: Windows Feature Experience Pack 1000.19044.1000.0

undergroundwires commented 1 year ago

Ok, thank you. I guess we have all the data we need. I'm adding the help-wanted label to see if anyone in the community can guide us.

undergroundwires commented 1 year ago

This may be due to scheduled tasks not being disabled by privacy.sexy that are re-configuring this configuration. I will fix that in the next patch.

Could you run the following script and copy/paste its results? This way we can understand what settings are being overridden by the OS.

```batchfile
@echo off
:: Check if services are disabled and registry values are expected
:: Verification Script

:: Ensure admin privileges
fltmc >nul 2>&1 || (
    echo Administrator privileges are required.
    PowerShell Start -Verb RunAs '%0' 2> nul || (
        echo Right-click on the script and select "Run as administrator".
        pause & exit 1
    )
    exit 0
)

:: ----------------------------------------------------------
:: Check "Windows Update" (`wuauserv`) service
:: ----------------------------------------------------------
echo --- Checking "Windows Update" (`wuauserv`) service status
PowerShell -ExecutionPolicy Unrestricted -Command "$serviceName = 'wuauserv'; $service = Get-Service -Name $serviceName -ErrorAction SilentlyContinue; if ($service.StartType -eq 'Disabled') { Write-Host "^""$serviceName is Disabled"^"" } else { Write-Host "^""$serviceName is NOT Disabled"^"" }"
:: ----------------------------------------------------------

:: ----------------------------------------------------------
:: Check "Update Orchestrator Service" (`UsoSvc`) service
:: ----------------------------------------------------------
echo --- Checking "Update Orchestrator Service" (`UsoSvc`) service status
PowerShell -ExecutionPolicy Unrestricted -Command "$serviceName = 'UsoSvc'; $service = Get-Service -Name $serviceName -ErrorAction SilentlyContinue; if ($service.StartType -eq 'Disabled') { Write-Host "^""$serviceName is Disabled"^"" } else { Write-Host "^""$serviceName is NOT Disabled"^"" }"
:: ----------------------------------------------------------

:: ----------------------------------------------------------
:: Check "Windows Update Medic Service" (`WaaSMedicSvc`) service
:: ----------------------------------------------------------
echo --- Checking "Windows Update Medic Service" (`WaaSMedicSvc`) service status
PowerShell -ExecutionPolicy Unrestricted -Command "$serviceName = 'WaaSMedicSvc'; $service = Get-Service -Name $serviceName -ErrorAction SilentlyContinue; if ($service.StartType -eq 'Disabled') { Write-Host "^""$serviceName is Disabled"^"" } else { Write-Host "^""$serviceName is NOT Disabled"^"" }"
:: ----------------------------------------------------------

:: ----------------------------------------------------------
:: Check Automatic Updates (AU) feature
:: ----------------------------------------------------------
echo --- Checking Automatic Updates (AU) feature status
reg query "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" /v "NoAutoUpdate"
:: ----------------------------------------------------------

:: ----------------------------------------------------------
:: Check installing Windows updates without user approval
:: ----------------------------------------------------------
echo --- Checking status of installing Windows updates without user approval
reg query "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" /v "AUOptions"
:: ----------------------------------------------------------

:: ----------------------------------------------------------
:: Check automatic daily installation of Windows updates
:: ----------------------------------------------------------
echo --- Checking automatic daily installation of Windows updates status
reg query "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" /v "ScheduledInstallDay"
:: ----------------------------------------------------------

:: ----------------------------------------------------------
:: Check scheduled automatic updates
:: ----------------------------------------------------------
echo --- Checking scheduled automatic updates status
reg query "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" /v "ScheduledInstallTime"
:: ----------------------------------------------------------

pause
exit /b 0
```

evvlzeiu commented 1 year ago

Here is the output I got

```
--- Checking "Windows Update" (wuauserv) service status
wuauserv is NOT Disabled
--- Checking "Update Orchestrator Service" (UsoSvc) service status
UsoSvc is NOT Disabled
--- Checking "Windows Update Medic Service" (WaaSMedicSvc) service status
WaaSMedicSvc is NOT Disabled
--- Checking Automatic Updates (AU) feature status

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
    NoAutoUpdate    REG_DWORD    0x1

--- Checking status of installing Windows updates without user approval

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
    AUOptions    REG_DWORD    0x2

--- Checking automatic daily installation of Windows updates status

ERROR: The system was unable to find the specified registry key or value.
--- Checking scheduled automatic updates status

ERROR: The system was unable to find the specified registry key or value.
```

TheAndr0id commented 1 year ago

I don't have the command handy, but there is a Scheduled task under Windows Update that starts the wuauserv service. It probably needs to be disabled as well....

I had this issue with Windows 7 restarting the update service when I had disabled it around the whole GWX force install thing.

Just in my looking there were many other scripts in the Task Scheduler that raise some eyebrows.... (Not just Windows Update related)
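
A read-only way to see which component brought updates back, as an added example that is not part of this thread or privacy.sexy's own code: it reports the start type of the three update services, the two AU policy values, and the state and last run time of every scheduled task in the three task folders used by the scripts in this issue. The function names and the `NotDisabled` column are illustrative.

```powershell
# Added diagnostic example; not privacy.sexy's code. Read-only: it changes nothing.
# Run elevated; a non-elevated session may not see every task.

# Service names, task folders and policy key are the ones used in this issue.
$ServiceNames = 'wuauserv', 'UsoSvc', 'WaaSMedicSvc'
$TaskFolders  = '\Microsoft\Windows\InstallService\',
                '\Microsoft\Windows\WindowsUpdate\',
                '\Microsoft\Windows\UpdateOrchestrator\'
$PolicyKey    = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'

# Meaning of the "Start" DWORD under HKLM:\SYSTEM\CurrentControlSet\Services\<name>
$StartTypes = @{ 0 = 'Boot'; 1 = 'System'; 2 = 'Automatic'; 3 = 'Manual'; 4 = 'Disabled' }

function Get-UpdateServiceState {
    foreach ($name in $ServiceNames) {
        # Read the start type from the registry so the result does not depend
        # on Get-Service exposing StartType.
        $key     = "HKLM:\SYSTEM\CurrentControlSet\Services\$name"
        $start   = (Get-ItemProperty -Path $key -Name Start -ErrorAction SilentlyContinue).Start
        $service = Get-Service -Name $name -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Service     = $name
            StartType   = if ($null -eq $start) { 'NotFound' } else { $StartTypes[[int]$start] }
            Status      = if ($service) { $service.Status } else { 'NotFound' }
            NotDisabled = ($null -ne $start) -and ($start -ne 4)
        }
    }
}

function Get-UpdatePolicyState {
    $values = Get-ItemProperty -Path $PolicyKey -ErrorAction SilentlyContinue
    foreach ($name in 'NoAutoUpdate', 'AUOptions') {
        [pscustomobject]@{
            Value = $name
            Data  = if ($values -and $null -ne $values.$name) { $values.$name } else { 'NotSet' }
        }
    }
}

function Get-UpdateTaskState {
    foreach ($folder in $TaskFolders) {
        $tasks = Get-ScheduledTask -TaskPath $folder -ErrorAction SilentlyContinue
        foreach ($task in $tasks) {
            # LastRunTime shows whether a task ran around the time updates came back.
            $info = $task | Get-ScheduledTaskInfo -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Task        = $task.TaskPath + $task.TaskName
                State       = $task.State
                LastRunTime = $info.LastRunTime
                NextRunTime = $info.NextRunTime
                NotDisabled = $task.State -ne 'Disabled'
            }
        }
    }
}

Get-UpdateServiceState | Format-Table -AutoSize
Get-UpdatePolicyState  | Format-Table -AutoSize
# Most recently run tasks first.
Get-UpdateTaskState | Sort-Object LastRunTime -Descending | Format-Table -AutoSize
```

Saving the output once right after the disable script and again when Windows Update is back makes the changed rows easy to spot with a plain text diff.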

undergroundwires commented 1 year ago

Thank you. I don't understand why Microsoft wouldn't respect NoAutoUpdate..

However, can we try this script? It runs what privacy.sexy runs today in addition to disabling scheduled tasks. Let's see if it solves the issue:

disable-windows-updates.bat

```batchfile
@echo off
:: https://privacy.sexy — v0.12.4 — Mon, 16 Oct 2023 17:51:42 GMT
:: Ensure admin privileges
fltmc >nul 2>&1 || (
    echo Administrator privileges are required.
    PowerShell Start -Verb RunAs '%0' 2> nul || (
        echo Right-click on the script and select "Run as administrator".
        pause & exit 1
    )
    exit 0
)

:: ----------------------------------------------------------
:: ------Disable "Windows Update" (`wuauserv`) service-------
:: ----------------------------------------------------------
echo --- Disable "Windows Update" (`wuauserv`) service
PowerShell -ExecutionPolicy Unrestricted -Command "$serviceName = 'wuauserv'; Write-Host "^""Disabling service: `"^""$serviceName`"^""."^""; <# -- 1. Skip if service does not exist #>; $service = Get-Service -Name $serviceName -ErrorAction SilentlyContinue; if(!$service) {; Write-Host "^""Service `"^""$serviceName`"^"" could not be not found, no need to disable it."^""; Exit 0; }; <# -- 2. Stop if running #>; if ($service.Status -eq [System.ServiceProcess.ServiceControllerStatus]::Running) {; Write-Host "^""`"^""$serviceName`"^"" is running, stopping it."^""; try {; Stop-Service -Name "^""$serviceName"^"" -Force -ErrorAction Stop; Write-Host "^""Stopped `"^""$serviceName`"^"" successfully."^""; } catch {; Write-Warning "^""Could not stop `"^""$serviceName`"^"", it will be stopped after reboot: $_"^""; }; } else {; Write-Host "^""`"^""$serviceName`"^"" is not running, no need to stop."^""; }; <# -- 3. Skip if already disabled #>; $startupType = $service.StartType <# Does not work before .NET 4.6.1 #>; if(!$startupType) {; $startupType = (Get-WmiObject -Query "^""Select StartMode From Win32_Service Where Name='$serviceName'"^"" -ErrorAction Ignore).StartMode; if(!$startupType) {; $startupType = (Get-WmiObject -Class Win32_Service -Property StartMode -Filter "^""Name='$serviceName'"^"" -ErrorAction Ignore).StartMode; }; }; if($startupType -eq 'Disabled') {; Write-Host "^""$serviceName is already disabled, no further action is needed"^""; }; <# -- 4. Disable service #>; try {; Set-Service -Name "^""$serviceName"^"" -StartupType Disabled -Confirm:$false -ErrorAction Stop; Write-Host "^""Disabled `"^""$serviceName`"^"" successfully."^""; } catch {; Write-Error "^""Could not disable `"^""$serviceName`"^"": $_"^""; }"
:: ----------------------------------------------------------

:: ----------------------------------------------------------
:: -----Disable "Update Orchestrator Service" (`UsoSvc`)-----
:: ----------------------------------------------------------
echo --- Disable "Update Orchestrator Service" (`UsoSvc`)
PowerShell -ExecutionPolicy Unrestricted -Command "$serviceName = 'UsoSvc'; Write-Host "^""Disabling service: `"^""$serviceName`"^""."^""; <# -- 1. Skip if service does not exist #>; $service = Get-Service -Name $serviceName -ErrorAction SilentlyContinue; if(!$service) {; Write-Host "^""Service `"^""$serviceName`"^"" could not be not found, no need to disable it."^""; Exit 0; }; <# -- 2. Stop if running #>; if ($service.Status -eq [System.ServiceProcess.ServiceControllerStatus]::Running) {; Write-Host "^""`"^""$serviceName`"^"" is running, stopping it."^""; try {; Stop-Service -Name "^""$serviceName"^"" -Force -ErrorAction Stop; Write-Host "^""Stopped `"^""$serviceName`"^"" successfully."^""; } catch {; Write-Warning "^""Could not stop `"^""$serviceName`"^"", it will be stopped after reboot: $_"^""; }; } else {; Write-Host "^""`"^""$serviceName`"^"" is not running, no need to stop."^""; }; <# -- 3. Skip if already disabled #>; $startupType = $service.StartType <# Does not work before .NET 4.6.1 #>; if(!$startupType) {; $startupType = (Get-WmiObject -Query "^""Select StartMode From Win32_Service Where Name='$serviceName'"^"" -ErrorAction Ignore).StartMode; if(!$startupType) {; $startupType = (Get-WmiObject -Class Win32_Service -Property StartMode -Filter "^""Name='$serviceName'"^"" -ErrorAction Ignore).StartMode; }; }; if($startupType -eq 'Disabled') {; Write-Host "^""$serviceName is already disabled, no further action is needed"^""; }; <# -- 4. Disable service #>; try {; Set-Service -Name "^""$serviceName"^"" -StartupType Disabled -Confirm:$false -ErrorAction Stop; Write-Host "^""Disabled `"^""$serviceName`"^"" successfully."^""; } catch {; Write-Error "^""Could not disable `"^""$serviceName`"^"": $_"^""; }"
:: ----------------------------------------------------------

:: ----------------------------------------------------------
:: -Disable "Windows Update Medic Service" (`WaaSMedicSvc`)--
:: ----------------------------------------------------------
echo --- Disable "Windows Update Medic Service" (`WaaSMedicSvc`)
PowerShell -ExecutionPolicy Unrestricted -Command "$serviceQuery = 'WaaSMedicSvc'; <# -- 1. Skip if service does not exist #>; $service = Get-Service -Name $serviceQuery -ErrorAction SilentlyContinue; if(!$service) {; Write-Host "^""Service query `"^""$serviceQuery`"^"" did not yield any results, no need to disable it."^""; Exit 0; }; $serviceName = $service.Name; Write-Host "^""Disabling service: `"^""$serviceName`"^""."^""; <# -- 2. Stop if running #>; if ($service.Status -eq [System.ServiceProcess.ServiceControllerStatus]::Running) {; Write-Host "^""`"^""$serviceName`"^"" is running, trying to stop it."^""; try {; Stop-Service -Name "^""$serviceName"^"" -Force -ErrorAction Stop; Write-Host "^""Stopped `"^""$serviceName`"^"" successfully."^""; } catch {; Write-Warning "^""Could not stop `"^""$serviceName`"^"", it will be stopped after reboot: $_"^""; }; } else {; Write-Host "^""`"^""$serviceName`"^"" is not running, no need to stop."^""; }; <# -- 3. Skip if service info is not found in registry #>; $registryKey = "^""HKLM:\SYSTEM\CurrentControlSet\Services\$serviceName"^""; if(!(Test-Path $registryKey)) {; Write-Host "^""`"^""$registryKey`"^"" is not found in registry, cannot enable it."^""; Exit 0; }; <# -- 4. Skip if already disabled #>; if( $(Get-ItemProperty -Path "^""$registryKey"^"").Start -eq 4) {; Write-Host "^""`"^""$serviceName`"^"" is already disabled from start, no further action is needed."^""; Exit 0; }; <# -- 5. Disable service #>; try {; Set-ItemProperty $registryKey -Name Start -Value 4 -Force -ErrorAction Stop; Write-Host "^""Disabled `"^""$serviceName`"^"" successfully."^""; } catch {; Write-Error "^""Could not disable `"^""$serviceName`"^"": $_"^""; }"
:: ----------------------------------------------------------

:: ----------------------------------------------------------
:: --------------Disable "ScanForUpdates" task---------------
:: ----------------------------------------------------------
echo --- Disable "ScanForUpdates" task
schtasks /change /TN "\Microsoft\Windows\InstallService\ScanForUpdates" /disable
:: ----------------------------------------------------------

:: ----------------------------------------------------------
:: -----------Disable "ScanForUpdatesAsUser" task------------
:: ----------------------------------------------------------
echo --- Disable "ScanForUpdatesAsUser" task
schtasks /change /TN "\Microsoft\Windows\InstallService\ScanForUpdatesAsUser" /disable
:: ----------------------------------------------------------

:: ----------------------------------------------------------
:: ----------------Disable "SmartRetry" task-----------------
:: ----------------------------------------------------------
echo --- Disable "SmartRetry" task
schtasks /change /TN "\Microsoft\Windows\InstallService\SmartRetry" /disable
:: ----------------------------------------------------------

:: ----------------------------------------------------------
:: ---------Disable "WakeUpAndContinueUpdates" task----------
:: ----------------------------------------------------------
echo --- Disable "WakeUpAndContinueUpdates" task
schtasks /change /TN "\Microsoft\Windows\InstallService\WakeUpAndContinueUpdates" /disable
:: ----------------------------------------------------------

:: ----------------------------------------------------------
:: ----------Disable "WakeUpAndScanForUpdates" task----------
:: ----------------------------------------------------------
echo --- Disable "WakeUpAndScanForUpdates" task
schtasks /change /TN "\Microsoft\Windows\InstallService\WakeUpAndScanForUpdates" /disable
:: ----------------------------------------------------------

:: ----------------------------------------------------------
:: --------------Disable "Scheduled Start" task--------------
:: ----------------------------------------------------------
echo --- Disable "Scheduled Start" task
schtasks /change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /disable
:: ----------------------------------------------------------

:: ----------------------------------------------------------
:: --------------Disable "Report policies" task--------------
:: ----------------------------------------------------------
echo --- Disable "Report policies" task
schtasks /change /TN "\Microsoft\Windows\UpdateOrchestrator\Report policies" /disable
:: ----------------------------------------------------------

:: ----------------------------------------------------------
:: ---------Disable "Schedule Maintenance Work" task---------
:: ----------------------------------------------------------
echo --- Disable "Schedule Maintenance Work" task
schtasks /change /TN "\Microsoft\Windows\UpdateOrchestrator\Schedule Maintenance Work" /disable
:: ----------------------------------------------------------

:: ----------------------------------------------------------
:: ---------------Disable "Schedule Scan" task---------------
:: ----------------------------------------------------------
echo --- Disable "Schedule Scan" task
schtasks /change /TN "\Microsoft\Windows\UpdateOrchestrator\Schedule Scan" /disable
:: ----------------------------------------------------------

:: ----------------------------------------------------------
:: ---------Disable "Schedule Scan Static Task" task---------
:: ----------------------------------------------------------
echo --- Disable "Schedule Scan Static Task" task
schtasks /change /TN "\Microsoft\Windows\UpdateOrchestrator\Schedule Scan Static Task" /disable
:: ----------------------------------------------------------

:: ----------------------------------------------------------
:: -----------Disable "Schedule Wake To Work" task-----------
:: ----------------------------------------------------------
echo --- Disable "Schedule Wake To Work" task
schtasks /change /TN "\Microsoft\Windows\UpdateOrchestrator\Schedule Wake To Work" /disable
:: ----------------------------------------------------------

:: ----------------------------------------------------------
:: ---------------Disable "Schedule Work" task---------------
:: ----------------------------------------------------------
echo --- Disable "Schedule Work" task
schtasks /change /TN "\Microsoft\Windows\UpdateOrchestrator\Schedule Work" /disable
:: ----------------------------------------------------------

:: ----------------------------------------------------------
:: --------------Disable "UpdateModelTask" task--------------
:: ----------------------------------------------------------
echo --- Disable "UpdateModelTask" task
schtasks /change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateModelTask" /disable
:: ----------------------------------------------------------

:: ----------------------------------------------------------
:: ---------Disable "Start Oobe Expedite Work" task----------
:: ----------------------------------------------------------
echo --- Disable "Start Oobe Expedite Work" task
schtasks /change /TN "\Microsoft\Windows\UpdateOrchestrator\Start Oobe Expedite Work" /disable
:: ----------------------------------------------------------

:: ----------------------------------------------------------
:: -----Disable "StartOobeAppsScan_LicenseAccepted" task-----
:: ----------------------------------------------------------
echo --- Disable "StartOobeAppsScan_LicenseAccepted" task
schtasks /change /TN "\Microsoft\Windows\UpdateOrchestrator\StartOobeAppsScan_LicenseAccepted" /disable
:: ----------------------------------------------------------

:: ----------------------------------------------------------
:: ------Disable "StartOobeAppsScan_OobeAppReady" task-------
:: ----------------------------------------------------------
echo --- Disable "StartOobeAppsScan_OobeAppReady" task
schtasks /change /TN "\Microsoft\Windows\UpdateOrchestrator\StartOobeAppsScan_OobeAppReady" /disable
:: ----------------------------------------------------------

:: ----------------------------------------------------------
:: -------Disable "StartOobeAppsScanAfterUpdate" task--------
:: ----------------------------------------------------------
echo --- Disable "StartOobeAppsScanAfterUpdate" task
schtasks /change /TN "\Microsoft\Windows\UpdateOrchestrator\StartOobeAppsScanAfterUpdate" /disable
:: ----------------------------------------------------------

:: ----------------------------------------------------------
:: ---------------Disable "USO_UxBroker" task----------------
:: ----------------------------------------------------------
echo --- Disable "USO_UxBroker" task
schtasks /change /TN "\Microsoft\Windows\UpdateOrchestrator\USO_UxBroker" /disable
:: ----------------------------------------------------------

:: ----------------------------------------------------------
:: -------------Disable "UUS Failover Task" task-------------
:: ----------------------------------------------------------
echo --- Disable "UUS Failover Task" task
schtasks /change /TN "\Microsoft\Windows\UpdateOrchestrator\UUS Failover Task" /disable
:: ----------------------------------------------------------

:: ----------------------------------------------------------
:: ----------Disable Automatic Updates (AU) feature----------
:: ----------------------------------------------------------
echo --- Disable Automatic Updates (AU) feature
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" /v "NoAutoUpdate" /t "REG_DWORD" /d "1" /f
:: ----------------------------------------------------------

:: Disable automatic installation of Windows updates without user consent
echo --- Disable automatic installation of Windows updates without user consent
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" /v "AUOptions" /t "REG_DWORD" /d "2" /f
:: ----------------------------------------------------------

:: ----------------------------------------------------------
:: -Disable automatic daily installation of Windows updates--
:: ----------------------------------------------------------
echo --- Disable automatic daily installation of Windows updates
reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" /v "ScheduledInstallDay" /f 2>nul
:: ----------------------------------------------------------

:: ----------------------------------------------------------
:: -----------Disable scheduled automatic updates------------
:: ----------------------------------------------------------
echo --- Disable scheduled automatic updates
reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" /v "ScheduledInstallTime" /f 2>nul
:: ----------------------------------------------------------

pause
exit /b 0
```

disable-windows-updates.txt

And this is revert code if you want to revert later on:

revert-windows-updates.bat

```batchfile
@echo off
:: https://privacy.sexy — v0.12.4 — Mon, 16 Oct 2023 17:51:42 GMT
:: Ensure admin privileges
fltmc >nul 2>&1 || (
    echo Administrator privileges are required.
    PowerShell Start -Verb RunAs '%0' 2> nul || (
        echo Right-click on the script and select "Run as administrator".
        pause & exit 1
    )
    exit 0
)

:: ----------------------------------------------------------
:: -----Disable Automatic Updates (AU) feature (revert)------
:: ----------------------------------------------------------
echo --- Disable Automatic Updates (AU) feature (revert)
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" /v "NoAutoUpdate" /t "REG_DWORD" /d "0" /f
:: ----------------------------------------------------------

:: Disable automatic installation of Windows updates without user consent (revert)
echo --- Disable automatic installation of Windows updates without user consent (revert)
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" /v "AUOptions" /t "REG_DWORD" /d "4" /f
:: ----------------------------------------------------------

:: Disable automatic daily installation of Windows updates (revert)
echo --- Disable automatic daily installation of Windows updates (revert)
:: This key does not exist by default since Windows 10 21H2 and Windows 11 21H2
reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" /v "ScheduledInstallDay" /f 2>nul
:: ----------------------------------------------------------

:: ----------------------------------------------------------
:: -------Disable scheduled automatic updates (revert)-------
:: ----------------------------------------------------------
echo --- Disable scheduled automatic updates (revert)
:: This key does not exist by default since Windows 10 21H2 and Windows 11 21H2
reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" /v "ScheduledInstallTime" /f 2>nul
:: ----------------------------------------------------------

:: ----------------------------------------------------------
:: --Disable "Windows Update" (`wuauserv`) service (revert)--
:: ----------------------------------------------------------
echo --- Disable "Windows Update" (`wuauserv`) service (revert)
PowerShell -ExecutionPolicy Unrestricted -Command "$serviceName = 'wuauserv'; $defaultStartupMode = 'Manual'; Write-Host "^""Enabling service: `"^""$serviceName`"^"" with `"^""$defaultStartupMode`"^"" start."^""; <# -- 1. Skip if service does not exist #>; $service = Get-Service -Name $serviceName -ErrorAction SilentlyContinue; if(!$service) {; Write-Warning "^""Service `"^""$serviceName`"^"" could not be not found, cannot enable it."^""; Exit 1; }; <# -- 2. Enable or skip if already enabled #>; $startupType = $service.StartType <# Does not work before .NET 4.6.1 #>; if(!$startupType) {; $startupType = (Get-WmiObject -Query "^""Select StartMode From Win32_Service Where Name='$serviceName'"^"" -ErrorAction Ignore).StartMode; if(!$startupType) {; $startupType = (Get-WmiObject -Class Win32_Service -Property StartMode -Filter "^""Name='$serviceName'"^"" -ErrorAction Ignore).StartMode; }; }; if($startupType -eq "^""$defaultStartupMode"^"") {; Write-Host "^""`"^""$serviceName`"^"" is already enabled with `"^""$defaultStartupMode`"^"" start, no further action is needed."^""; } else {; try {; Set-Service -Name "^""$serviceName"^"" -StartupType "^""$defaultStartupMode"^"" -Confirm:$false -ErrorAction Stop; Write-Host "^""Enabled `"^""$serviceName`"^"" successfully with `"^""$defaultStartupMode`"^"" start, may require restarting your computer."^""; } catch {; Write-Error "^""Could not enable `"^""$serviceName`"^"": $_"^""; Exit 1; }; }; <# -- 4. Start if not running (must be enabled first) #>; if($defaultStartupMode -eq 'Automatic') {; if ($service.Status -ne [System.ServiceProcess.ServiceControllerStatus]::Running) {; Write-Host "^""`"^""$serviceName`"^"" is not running, starting it."^""; try {; Start-Service $serviceName -ErrorAction Stop; Write-Host "^""Started `"^""$serviceName`"^"" successfully."^""; } catch {; Write-Warning "^""Could not start `"^""$serviceName`"^"", requires restart, it will be started after reboot.`r`n$_"^""; }; } else {; Write-Host "^""`"^""$serviceName`"^"" is already running, no need to start."^""; }; }"
:: ----------------------------------------------------------

:: ----------------------------------------------------------
:: Disable "Update Orchestrator Service" (`UsoSvc`) (revert)-
:: ----------------------------------------------------------
echo --- Disable "Update Orchestrator Service" (`UsoSvc`) (revert)
PowerShell -ExecutionPolicy Unrestricted -Command "$serviceName = 'UsoSvc'; $defaultStartupMode = 'Automatic'; Write-Host "^""Enabling service: `"^""$serviceName`"^"" with `"^""$defaultStartupMode`"^"" start."^""; <# -- 1. Skip if service does not exist #>; $service = Get-Service -Name $serviceName -ErrorAction SilentlyContinue; if(!$service) {; Write-Warning "^""Service `"^""$serviceName`"^"" could not be not found, cannot enable it."^""; Exit 1; }; <# -- 2. Enable or skip if already enabled #>; $startupType = $service.StartType <# Does not work before .NET 4.6.1 #>; if(!$startupType) {; $startupType = (Get-WmiObject -Query "^""Select StartMode From Win32_Service Where Name='$serviceName'"^"" -ErrorAction Ignore).StartMode; if(!$startupType) {; $startupType = (Get-WmiObject -Class Win32_Service -Property StartMode -Filter "^""Name='$serviceName'"^"" -ErrorAction Ignore).StartMode; }; }; if($startupType -eq "^""$defaultStartupMode"^"") {; Write-Host "^""`"^""$serviceName`"^"" is already enabled with `"^""$defaultStartupMode`"^"" start, no further action is needed."^""; } else {; try {; Set-Service -Name "^""$serviceName"^"" -StartupType "^""$defaultStartupMode"^"" -Confirm:$false -ErrorAction Stop; Write-Host "^""Enabled `"^""$serviceName`"^"" successfully with `"^""$defaultStartupMode`"^"" start, may require restarting your computer."^""; } catch {; Write-Error "^""Could not enable `"^""$serviceName`"^"": $_"^""; Exit 1; }; }; <# -- 4. Start if not running (must be enabled first) #>; if($defaultStartupMode -eq 'Automatic') {; if ($service.Status -ne [System.ServiceProcess.ServiceControllerStatus]::Running) {; Write-Host "^""`"^""$serviceName`"^"" is not running, starting it."^""; try {; Start-Service $serviceName -ErrorAction Stop; Write-Host "^""Started `"^""$serviceName`"^"" successfully."^""; } catch {; Write-Warning "^""Could not start `"^""$serviceName`"^"", requires restart, it will be started after reboot.`r`n$_"^""; }; } else {; Write-Host "^""`"^""$serviceName`"^"" is already running, no need to start."^""; }; }"
:: ----------------------------------------------------------

:: Disable "Windows Update Medic Service" (`WaaSMedicSvc`) (revert)
echo --- Disable "Windows Update Medic Service" (`WaaSMedicSvc`) (revert)
PowerShell -ExecutionPolicy Unrestricted -Command "$serviceQuery = 'WaaSMedicSvc'; $defaultStartupMode = 'Manual'; <# -- 1. Skip if service does not exist #>; $service = Get-Service -Name $serviceQuery -ErrorAction SilentlyContinue; if(!$service) {; Write-Warning "^""Service query `"^""$serviceQuery`"^"" did not yield and results, cannot enable it."^""; Exit 1; }; $serviceName = $service.Name; Write-Host "^""Enabling service: `"^""$serviceName`"^"" with `"^""$defaultStartupMode`"^"" start."^""; <# -- 2. Skip if service info is not found in registry #>; $registryKey = "^""HKLM:\SYSTEM\CurrentControlSet\Services\$serviceName"^""; if(!(Test-Path $registryKey)) {; Write-Warning "^""`"^""$registryKey`"^"" is not found in registry, cannot enable it."^""; Exit 1; }; <# -- 3. Enable if not already enabled #>; $defaultStartupRegValue = if ($defaultStartupMode -eq 'Boot') { '0' } elseif($defaultStartupMode -eq 'System') { '1' } elseif($defaultStartupMode -eq 'Automatic') { '2' } elseif($defaultStartupMode -eq 'Manual') { '3' } else { throw "^""Unknown start mode: $defaultStartupMode"^""}; if( $(Get-ItemProperty -Path "^""$registryKey"^"").Start -eq $defaultStartupRegValue) {; Write-Host "^""`"^""$serviceName`"^"" is already enabled with `"^""$defaultStartupMode`"^"" start."^""; } else {; try {; Set-ItemProperty $registryKey -Name Start -Value $defaultStartupRegValue -Force; Write-Host "^""Enabled `"^""$serviceName`"^"" successfully with `"^""$defaultStartupMode`"^"" start, may require restarting your computer."^""; } catch {; Write-Error "^""Could not enable `"^""$serviceName`"^"": $_"^""; Exit 1; }; }; <# -- 4. Start if not running (must be enabled first) #>; if($defaultStartupMode -eq 'Automatic') {; if ($service.Status -ne [System.ServiceProcess.ServiceControllerStatus]::Running) {; Write-Host "^""`"^""$serviceName`"^"" is not running, trying to start it."^""; try {; Start-Service $serviceName -ErrorAction Stop; Write-Host "^""Started `"^""$serviceName`"^"" successfully."^""; } catch {; Write-Warning "^""Could not start `"^""$serviceName`"^"", requires restart, it will be started after reboot.`r`n$_"^""; }; } else {; Write-Host "^""`"^""$serviceName`"^"" is already running, no need to start."^""; }; }"
:: ----------------------------------------------------------

:: ----------------------------------------------------------
:: ----------Disable "ScanForUpdates" task (revert)----------
:: ----------------------------------------------------------
echo --- Disable "ScanForUpdates" task (revert)
schtasks /change /TN "\Microsoft\Windows\InstallService\ScanForUpdates" /enable
:: ----------------------------------------------------------

:: ----------------------------------------------------------
:: -------Disable "ScanForUpdatesAsUser" task (revert)-------
:: ----------------------------------------------------------
echo --- Disable "ScanForUpdatesAsUser" task (revert)
schtasks /change /TN "\Microsoft\Windows\InstallService\ScanForUpdatesAsUser" /enable
:: ----------------------------------------------------------

:: ----------------------------------------------------------
:: ------------Disable "SmartRetry" task (revert)------------
:: ----------------------------------------------------------
echo --- Disable "SmartRetry" task (revert)
schtasks /change /TN "\Microsoft\Windows\InstallService\SmartRetry" /enable
:: ----------------------------------------------------------

:: ----------------------------------------------------------
:: -----Disable "WakeUpAndContinueUpdates" task (revert)-----
:: ----------------------------------------------------------
echo --- Disable "WakeUpAndContinueUpdates" task (revert)
schtasks /change /TN "\Microsoft\Windows\InstallService\WakeUpAndContinueUpdates" /disable 2>nul
:: ----------------------------------------------------------

:: ----------------------------------------------------------
:: -----Disable "WakeUpAndScanForUpdates" task (revert)------
:: ----------------------------------------------------------
echo --- Disable "WakeUpAndScanForUpdates" task (revert)
schtasks /change /TN "\Microsoft\Windows\InstallService\WakeUpAndScanForUpdates" /disable 2>nul
:: ----------------------------------------------------------

:: ----------------------------------------------------------
:: ---------Disable "Scheduled Start" task (revert)----------
:: ----------------------------------------------------------
echo --- Disable "Scheduled Start" task (revert)
schtasks /change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /enable
:: ----------------------------------------------------------

:: ----------------------------------------------------------
:: ---------Disable "Report policies" task (revert)----------
:: ----------------------------------------------------------
echo --- Disable "Report policies" task (revert)
schtasks /change /TN "\Microsoft\Windows\UpdateOrchestrator\Report policies" /enable
:: ----------------------------------------------------------

:: ----------------------------------------------------------
:: ----Disable "Schedule Maintenance Work" task (revert)-----
:: ----------------------------------------------------------
echo --- Disable "Schedule Maintenance Work" task (revert)
schtasks /change /TN "\Microsoft\Windows\UpdateOrchestrator\Schedule Maintenance Work" /disable 2>nul
:: ----------------------------------------------------------

:: ----------------------------------------------------------
:: ----------Disable "Schedule Scan" task (revert)-----------
:: ----------------------------------------------------------
echo --- Disable "Schedule Scan" task (revert)
schtasks /change /TN "\Microsoft\Windows\UpdateOrchestrator\Schedule Scan" /enable
:: ----------------------------------------------------------

:: ----------------------------------------------------------
:: ----Disable "Schedule Scan Static Task" task (revert)-----
:: ----------------------------------------------------------
echo --- Disable "Schedule Scan Static Task" task (revert)
schtasks /change /TN "\Microsoft\Windows\UpdateOrchestrator\Schedule Scan Static Task" /enable
:: ----------------------------------------------------------

:: ----------------------------------------------------------
:: ------Disable "Schedule Wake To Work" task (revert)-------
:: ----------------------------------------------------------
echo --- Disable "Schedule Wake To Work" task (revert)
schtasks /change /TN "\Microsoft\Windows\UpdateOrchestrator\Schedule Wake To Work" /disable 2>nul
:: ----------------------------------------------------------

:: ----------------------------------------------------------
:: ----------Disable "Schedule Work" task (revert)-----------
:: ----------------------------------------------------------
echo --- Disable "Schedule Work" task (revert)
schtasks /change /TN "\Microsoft\Windows\UpdateOrchestrator\Schedule Work" /disable 2>nul
:: ----------------------------------------------------------

:: ----------------------------------------------------------
:: ---------Disable "UpdateModelTask" task (revert)----------
:: ----------------------------------------------------------
echo --- Disable "UpdateModelTask" task (revert)
schtasks /change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateModelTask" /disable 2>nul
:: ----------------------------------------------------------

:: ----------------------------------------------------------
:: -----Disable "Start Oobe Expedite Work" task (revert)-----
:: ----------------------------------------------------------
echo --- Disable "Start Oobe Expedite Work" task (revert)
schtasks /change 
/TN "\Microsoft\Windows\UpdateOrchestrator\Start Oobe Expedite Work" /enable :: ---------------------------------------------------------- :: ---------------------------------------------------------- :: Disable "StartOobeAppsScan_LicenseAccepted" task (revert)- :: ---------------------------------------------------------- echo --- Disable "StartOobeAppsScan_LicenseAccepted" task (revert) schtasks /change /TN "\Microsoft\Windows\UpdateOrchestrator\StartOobeAppsScan_LicenseAccepted" /enable :: ---------------------------------------------------------- :: ---------------------------------------------------------- :: --Disable "StartOobeAppsScan_OobeAppReady" task (revert)-- :: ---------------------------------------------------------- echo --- Disable "StartOobeAppsScan_OobeAppReady" task (revert) schtasks /change /TN "\Microsoft\Windows\UpdateOrchestrator\StartOobeAppsScan_OobeAppReady" /enable :: ---------------------------------------------------------- :: ---------------------------------------------------------- :: ---Disable "StartOobeAppsScanAfterUpdate" task (revert)--- :: ---------------------------------------------------------- echo --- Disable "StartOobeAppsScanAfterUpdate" task (revert) schtasks /change /TN "\Microsoft\Windows\UpdateOrchestrator\StartOobeAppsScanAfterUpdate" /enable :: ---------------------------------------------------------- :: ---------------------------------------------------------- :: -----------Disable "USO_UxBroker" task (revert)----------- :: ---------------------------------------------------------- echo --- Disable "USO_UxBroker" task (revert) schtasks /change /TN "\Microsoft\Windows\UpdateOrchestrator\USO_UxBroker" /enable :: ---------------------------------------------------------- :: ---------------------------------------------------------- :: --------Disable "UUS Failover Task" task (revert)--------- :: ---------------------------------------------------------- 
[revert-windows-updates.txt](https://github.com/undergroundwires/privacy.sexy/files/12920053/revert-windows-updates.txt) echo --- Disable "UUS Failover Task" task (revert) schtasks /change /TN "\Microsoft\Windows\UpdateOrchestrator\UUS Failover Task" /enable :: ---------------------------------------------------------- pause exit /b 0 ```

revert-windows-updates.txt

More context

According to my research and tests, these are the update-related tasks. privacy.sexy should ensure that all are disabled in the next version if it works for you. The code I shared will disable those for you:

| Scheduled Task | Windows 10 22H2 | Windows 11 22H2 | Path |
| --- | --- | --- | --- |
| ScanForUpdates | 🟢 Enabled | 🟢 Enabled | `\Microsoft\Windows\InstallService\ScanForUpdates` |
| ScanForUpdatesAsUser | 🟢 Enabled | 🟢 Enabled | `\Microsoft\Windows\InstallService\ScanForUpdatesAsUser` |
| SmartRetry | 🟢 Enabled | 🟢 Enabled | `\Microsoft\Windows\InstallService\SmartRetry` |
| WakeUpAndContinueUpdates | 🔴 Disabled | 🔴 Disabled | `\Microsoft\Windows\InstallService\WakeUpAndContinueUpdates` |
| WakeUpAndScanForUpdates | 🔴 Disabled | 🔴 Disabled | `\Microsoft\Windows\InstallService\WakeUpAndScanForUpdates` |
| Scheduled Start | 🟢 Enabled | 🟢 Enabled | `\Microsoft\Windows\WindowsUpdate\Scheduled Start` |
| Report policies | 🟢 Enabled | 🟢 Enabled | `\Microsoft\Windows\UpdateOrchestrator\Report policies` |
| Schedule Maintenance Work | 🔴 Disabled | 🔴 Disabled | `\Microsoft\Windows\UpdateOrchestrator\Schedule Maintenance Work` |
| Schedule Scan | 🟢 Enabled | 🟢 Enabled | `\Microsoft\Windows\UpdateOrchestrator\Schedule Scan` |
| Schedule Scan Static Task | 🟢 Enabled | 🟢 Enabled | `\Microsoft\Windows\UpdateOrchestrator\Schedule Scan Static Task` |
| Schedule Wake To Work | 🔴 Disabled | 🔴 Disabled | `\Microsoft\Windows\UpdateOrchestrator\Schedule Wake To Work` |
| Schedule Work | 🔴 Disabled | 🔴 Disabled | `\Microsoft\Windows\UpdateOrchestrator\Schedule Work` |
| UpdateModelTask | 🔴 Disabled | N/A (missing) | `\Microsoft\Windows\UpdateOrchestrator\UpdateModelTask` |
| Start Oobe Expedite Work | N/A (missing) | 🟢 Enabled | `\Microsoft\Windows\UpdateOrchestrator\Start Oobe Expedite Work` |
| StartOobeAppsScan_LicenseAccepted | N/A (missing) | 🟢 Enabled | `\Microsoft\Windows\UpdateOrchestrator\StartOobeAppsScan_LicenseAccepted` |
| StartOobeAppsScan_OobeAppReady | N/A (missing) | 🟢 Enabled | `\Microsoft\Windows\UpdateOrchestrator\StartOobeAppsScan_OobeAppReady` |
| StartOobeAppsScanAfterUpdate | N/A (missing) | 🟢 Enabled | `\Microsoft\Windows\UpdateOrchestrator\StartOobeAppsScanAfterUpdate` |
| USO_UxBroker | 🟢 Enabled | 🟢 Enabled | `\Microsoft\Windows\UpdateOrchestrator\USO_UxBroker` |
| UUS Failover Task | N/A (missing) | 🟢 Enabled | `\Microsoft\Windows\UpdateOrchestrator\UUS Failover Task` |

TheAndr0id commented 1 year ago

Why doesn't Microsoft follow their own documentation? That's a really good question, someone should ask them that. 😄

As for your tests, most of them worked just fine except the entries under UpdateOrchestrator. They are all permission locked by TrustedInstaller (I'm guessing).

For example:

```
schtasks /change /TN "\Microsoft\Windows\UpdateOrchestrator\Report policies" /disable
ERROR: Access is denied.
```

When I have a few moments I'll add the lines to my "Must be in Safe Mode" script.
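
The task list earlier in this thread and the `Access is denied` result above suggest a read-only check before changing anything: which update tasks are active again, and who owns each task file. The following is an added example, not part of any comment here and not privacy.sexy's own code; the function name `Get-UpdateTaskAudit` is hypothetical, the task paths are copied from the table in this thread, and task files are assumed to live under `%WINDIR%\System32\Tasks`.

```powershell
#Requires -RunAsAdministrator
# Added example: read-only audit of the update-related scheduled tasks.
# Task paths come from the table in this thread; Get-UpdateTaskAudit is a hypothetical name.

$updateTaskPaths = @(
    '\Microsoft\Windows\InstallService\ScanForUpdates'
    '\Microsoft\Windows\InstallService\ScanForUpdatesAsUser'
    '\Microsoft\Windows\InstallService\SmartRetry'
    '\Microsoft\Windows\InstallService\WakeUpAndContinueUpdates'
    '\Microsoft\Windows\InstallService\WakeUpAndScanForUpdates'
    '\Microsoft\Windows\WindowsUpdate\Scheduled Start'
    '\Microsoft\Windows\UpdateOrchestrator\Report policies'
    '\Microsoft\Windows\UpdateOrchestrator\Schedule Maintenance Work'
    '\Microsoft\Windows\UpdateOrchestrator\Schedule Scan'
    '\Microsoft\Windows\UpdateOrchestrator\Schedule Scan Static Task'
    '\Microsoft\Windows\UpdateOrchestrator\Schedule Wake To Work'
    '\Microsoft\Windows\UpdateOrchestrator\Schedule Work'
    '\Microsoft\Windows\UpdateOrchestrator\UpdateModelTask'
    '\Microsoft\Windows\UpdateOrchestrator\Start Oobe Expedite Work'
    '\Microsoft\Windows\UpdateOrchestrator\StartOobeAppsScan_LicenseAccepted'
    '\Microsoft\Windows\UpdateOrchestrator\StartOobeAppsScan_OobeAppReady'
    '\Microsoft\Windows\UpdateOrchestrator\StartOobeAppsScanAfterUpdate'
    '\Microsoft\Windows\UpdateOrchestrator\USO_UxBroker'
    '\Microsoft\Windows\UpdateOrchestrator\UUS Failover Task'
)

function Get-UpdateTaskAudit {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string[]] $TaskFullPath
    )
    foreach ($fullPath in $TaskFullPath) {
        # '\Folder\Sub\Name' -> TaskPath '\Folder\Sub\' and TaskName 'Name'
        $split    = $fullPath.LastIndexOf('\')
        $taskPath = $fullPath.Substring(0, $split + 1)
        $taskName = $fullPath.Substring($split + 1)

        $row = [ordered]@{
            Task        = $fullPath
            State       = 'Missing'   # task does not exist on this Windows build
            NextRunTime = $null
            FileOwner   = $null
            Active      = $false
        }

        $task = Get-ScheduledTask -TaskPath $taskPath -TaskName $taskName -ErrorAction SilentlyContinue
        if ($task) {
            $row.State  = [string]$task.State
            # Anything other than Disabled (Ready, Running, Queued) can still trigger updates
            $row.Active = $row.State -ne 'Disabled'

            $info = $task | Get-ScheduledTaskInfo -ErrorAction SilentlyContinue
            if ($info) { $row.NextRunTime = $info.NextRunTime }

            # The owner of the task file shows which tasks are locked against administrators
            $taskFile = Join-Path "$env:WINDIR\System32\Tasks" $fullPath.TrimStart('\')
            try {
                $row.FileOwner = (Get-Acl -LiteralPath $taskFile -ErrorAction Stop).Owner
            } catch {
                $row.FileOwner = "unreadable: $($_.Exception.Message)"
            }
        }
        [pscustomobject]$row
    }
}

$audit = Get-UpdateTaskAudit -TaskFullPath $updateTaskPaths
$audit | Format-Table Task, State, NextRunTime, FileOwner -AutoSize

# Report drift: tasks that exist and are not disabled
$active = @($audit | Where-Object Active)
if ($active.Count -gt 0) {
    Write-Warning "$($active.Count) update task(s) are not disabled:"
    $active | ForEach-Object { Write-Warning "  $($_.Task) [$($_.State)]" }
    exit 1
}
Write-Output 'All update tasks that exist on this system are disabled.'
```

Running it again a few days after applying the disable script shows whether any task has returned to an active state, which is the symptom reported in this issue.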

undergroundwires commented 1 year ago

Thanks for the test and comment @TheAndr0id ♥️.

privacy.sexy has the ability to run as trusted installer. This one works, but I want to resort to trusted installer as a last step.

I played around with this for a while, and see that all services are saved as files in C:\Windows\System32\Tasks. Changing permissions of these files allows modifications to the tasks. It took a lot of trial and error to get this working, and I could not find any other reference code/implementation. But it works. So what I implement is:

  1. Give ownership of task to BUILTIN/Administrators.
  2. Give ACL permissions for BUILTIN/Administrators to have full-access.
  3. Modify (disable/enable) the task.
  4. Restore the permissions to original owner/ACL.

It's tested to work on both Windows 10 22H2 and Windows 11 22H2. You need to run this in addition to the existing privacy.sexy script that disables services. So generate the update disable script first, run it, then run this.

Feel free to give feedback @TheAndr0id and @evvlzeiu, based on this I will change privacy.sexy.


The latest code:

disable-windows-update-tasks.bat

```batchfile
@echo off
:: https://privacy.sexy — v0.12.5 — Tue, 17 Oct 2023 23:01:47 GMT
:: Ensure admin privileges
fltmc >nul 2>&1 || (
    echo Administrator privileges are required.
    PowerShell Start -Verb RunAs '%0' 2> nul || (
        echo Right-click on the script and select "Run as administrator".
        pause & exit 1
    )
    exit 0
)

:: ----------------------------------------------------------
:: --------------Disable "ScanForUpdates" task---------------
:: ----------------------------------------------------------
echo --- Disable "ScanForUpdates" task
PowerShell -ExecutionPolicy Unrestricted -Command "$taskPath='\Microsoft\Windows\InstallService\'; $taskNamePattern='ScanForUpdates'; $grantAccess= $false; Write-Output "^""Disabling tasks matching pattern `"^""$taskNamePattern`"^""."^""; $tasks = Get-ScheduledTask -TaskPath $taskPath -TaskName $taskNamePattern -ErrorAction Ignore; if (-Not $tasks) {; Write-Output "^""Skipping, no tasks matching pattern `"^""$taskNamePattern`"^"" found, no action needed."^""; exit 0; }; $isOperationFailed = $false; foreach ($task in $tasks) {; $taskName = $task.TaskName; if ($grantAccess) {; try {; Write-Output "^""Attempting to grant access to task `"^""$taskName`"^""."^""; $adminSid = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-544'; $adminAccount = $adminSid.Translate([System.Security.Principal.NTAccount]); $taskFilePath="^""$($env:WINDIR)\System32\Tasks$($task.TaskPath)$($task.TaskName)"^""; $originalAcl= Get-Acl -Path $taskFilePath -ErrorAction Stop; $modifiedAcl= Get-Acl -Path $taskFilePath -ErrorAction Stop; $modifiedAcl.SetOwner($adminAccount); $taskFileAccessRule = New-Object System.Security.AccessControl.FileSystemAccessRule( $adminAccount, [System.Security.AccessControl.FileSystemRights]::FullControl, [System.Security.AccessControl.AccessControlType]::Allow ); $modifiedAcl.SetAccessRule($taskFileAccessRule); Set-Acl -Path $taskFilePath -AclObject $modifiedAcl -ErrorAction Stop; Write-Output "^""Successfully granted access to task `"^""$taskName`"^""."^""; } catch {; Write-Error "^""Failed to grant access to task `"^""$taskName`"^"": $($_.Exception.Message)"^""; continue; }; }; try {; $task | Disable-ScheduledTask -ErrorAction Stop | Out-Null; Write-Output "^""Successfully disabled task `"^""$taskName`"^""."^""; } catch {; Write-Error "^""Failed to disable task `"^""$taskName`"^"": $($_.Exception.Message)"^""; $isOperationFailed = $true; }; if ($grantAccess) {; try {; Set-Acl -Path $taskFilePath -AclObject $originalAcl -ErrorAction Stop; } catch {; Write-Warning "^""Failed to restore original permissions to task `"^""$taskName`"^"": $($_.Exception.Message)"^""; }; }; }; if ($isOperationFailed) {; exit 1; }"
:: ----------------------------------------------------------

:: ----------------------------------------------------------
:: -----------Disable "ScanForUpdatesAsUser" task------------
:: ----------------------------------------------------------
echo --- Disable "ScanForUpdatesAsUser" task
PowerShell -ExecutionPolicy Unrestricted -Command "$taskPath='\Microsoft\Windows\InstallService\'; $taskNamePattern='ScanForUpdatesAsUser'; $grantAccess= $false; Write-Output "^""Disabling tasks matching pattern `"^""$taskNamePattern`"^""."^""; $tasks = Get-ScheduledTask -TaskPath $taskPath -TaskName $taskNamePattern -ErrorAction Ignore; if (-Not $tasks) {; Write-Output "^""Skipping, no tasks matching pattern `"^""$taskNamePattern`"^"" found, no action needed."^""; exit 0; }; $isOperationFailed = $false; foreach ($task in $tasks) {; $taskName = $task.TaskName; if ($grantAccess) {; try {; Write-Output "^""Attempting to grant access to task `"^""$taskName`"^""."^""; $adminSid = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-544'; $adminAccount = $adminSid.Translate([System.Security.Principal.NTAccount]); $taskFilePath="^""$($env:WINDIR)\System32\Tasks$($task.TaskPath)$($task.TaskName)"^""; $originalAcl= Get-Acl -Path $taskFilePath -ErrorAction Stop; $modifiedAcl= Get-Acl -Path $taskFilePath -ErrorAction Stop; $modifiedAcl.SetOwner($adminAccount); $taskFileAccessRule = New-Object System.Security.AccessControl.FileSystemAccessRule( $adminAccount, [System.Security.AccessControl.FileSystemRights]::FullControl, [System.Security.AccessControl.AccessControlType]::Allow ); $modifiedAcl.SetAccessRule($taskFileAccessRule); Set-Acl -Path $taskFilePath -AclObject $modifiedAcl -ErrorAction Stop; Write-Output "^""Successfully granted access to task `"^""$taskName`"^""."^""; } catch {; Write-Error "^""Failed to grant access to task `"^""$taskName`"^"": $($_.Exception.Message)"^""; continue; }; }; try {; $task | Disable-ScheduledTask -ErrorAction Stop | Out-Null; Write-Output "^""Successfully disabled task `"^""$taskName`"^""."^""; } catch {; Write-Error "^""Failed to disable task `"^""$taskName`"^"": $($_.Exception.Message)"^""; $isOperationFailed = $true; }; if ($grantAccess) {; try {; Set-Acl -Path $taskFilePath -AclObject $originalAcl -ErrorAction Stop; } catch {; Write-Warning "^""Failed to restore original permissions to task `"^""$taskName`"^"": $($_.Exception.Message)"^""; }; }; }; if ($isOperationFailed) {; exit 1; }"
:: ----------------------------------------------------------

:: ----------------------------------------------------------
:: ----------------Disable "SmartRetry" task-----------------
:: ----------------------------------------------------------
echo --- Disable "SmartRetry" task
PowerShell -ExecutionPolicy Unrestricted -Command "$taskPath='\Microsoft\Windows\InstallService\'; $taskNamePattern='SmartRetry'; $grantAccess= $false; Write-Output "^""Disabling tasks matching pattern `"^""$taskNamePattern`"^""."^""; $tasks = Get-ScheduledTask -TaskPath $taskPath -TaskName $taskNamePattern -ErrorAction Ignore; if (-Not $tasks) {; Write-Output "^""Skipping, no tasks matching pattern `"^""$taskNamePattern`"^"" found, no action needed."^""; exit 0; }; $isOperationFailed = $false; foreach ($task in $tasks) {; $taskName = $task.TaskName; if ($grantAccess) {; try {; Write-Output "^""Attempting to grant access to task `"^""$taskName`"^""."^""; $adminSid = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-544'; $adminAccount = $adminSid.Translate([System.Security.Principal.NTAccount]); $taskFilePath="^""$($env:WINDIR)\System32\Tasks$($task.TaskPath)$($task.TaskName)"^""; $originalAcl= Get-Acl -Path $taskFilePath -ErrorAction Stop; $modifiedAcl= Get-Acl -Path $taskFilePath -ErrorAction Stop; $modifiedAcl.SetOwner($adminAccount); $taskFileAccessRule = New-Object System.Security.AccessControl.FileSystemAccessRule( $adminAccount, [System.Security.AccessControl.FileSystemRights]::FullControl, [System.Security.AccessControl.AccessControlType]::Allow ); $modifiedAcl.SetAccessRule($taskFileAccessRule); Set-Acl -Path $taskFilePath -AclObject $modifiedAcl -ErrorAction Stop; Write-Output "^""Successfully granted access to task `"^""$taskName`"^""."^""; } catch {; Write-Error "^""Failed to grant access to task `"^""$taskName`"^"": $($_.Exception.Message)"^""; continue; }; }; try {; $task | Disable-ScheduledTask -ErrorAction Stop | Out-Null; Write-Output "^""Successfully disabled task `"^""$taskName`"^""."^""; } catch {; Write-Error "^""Failed to disable task `"^""$taskName`"^"": $($_.Exception.Message)"^""; $isOperationFailed = $true; }; if ($grantAccess) {; try {; Set-Acl -Path $taskFilePath -AclObject $originalAcl -ErrorAction Stop; } catch {; Write-Warning "^""Failed to restore original permissions to task `"^""$taskName`"^"": $($_.Exception.Message)"^""; }; }; }; if ($isOperationFailed) {; exit 1; }"
:: ----------------------------------------------------------

:: ----------------------------------------------------------
:: ---------Disable "WakeUpAndContinueUpdates" task----------
:: ----------------------------------------------------------
echo --- Disable "WakeUpAndContinueUpdates" task
PowerShell -ExecutionPolicy Unrestricted -Command "$taskPath='\Microsoft\Windows\InstallService\'; $taskNamePattern='WakeUpAndContinueUpdates'; $grantAccess= $false; Write-Output "^""Disabling tasks matching pattern `"^""$taskNamePattern`"^""."^""; $tasks = Get-ScheduledTask -TaskPath $taskPath -TaskName $taskNamePattern -ErrorAction Ignore; if (-Not $tasks) {; Write-Output "^""Skipping, no tasks matching pattern `"^""$taskNamePattern`"^"" found, no action needed."^""; exit 0; }; $isOperationFailed = $false; foreach ($task in $tasks) {; $taskName = $task.TaskName; if ($grantAccess) {; try {; Write-Output "^""Attempting to grant access to task `"^""$taskName`"^""."^""; $adminSid = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-544'; $adminAccount = $adminSid.Translate([System.Security.Principal.NTAccount]); $taskFilePath="^""$($env:WINDIR)\System32\Tasks$($task.TaskPath)$($task.TaskName)"^""; $originalAcl= Get-Acl -Path $taskFilePath -ErrorAction Stop; $modifiedAcl= Get-Acl -Path $taskFilePath -ErrorAction Stop; $modifiedAcl.SetOwner($adminAccount); $taskFileAccessRule = New-Object System.Security.AccessControl.FileSystemAccessRule( $adminAccount, [System.Security.AccessControl.FileSystemRights]::FullControl, [System.Security.AccessControl.AccessControlType]::Allow ); $modifiedAcl.SetAccessRule($taskFileAccessRule); Set-Acl -Path $taskFilePath -AclObject $modifiedAcl -ErrorAction Stop; Write-Output "^""Successfully granted access to task `"^""$taskName`"^""."^""; } catch {; Write-Error "^""Failed to grant access to task `"^""$taskName`"^"": $($_.Exception.Message)"^""; continue; }; }; try {; $task | Disable-ScheduledTask -ErrorAction Stop | Out-Null; Write-Output "^""Successfully disabled task `"^""$taskName`"^""."^""; } catch {; Write-Error "^""Failed to disable task `"^""$taskName`"^"": $($_.Exception.Message)"^""; $isOperationFailed = $true; }; if ($grantAccess) {; try {; Set-Acl -Path $taskFilePath -AclObject $originalAcl -ErrorAction Stop; } catch {; Write-Warning "^""Failed to restore original permissions to task `"^""$taskName`"^"": $($_.Exception.Message)"^""; }; }; }; if ($isOperationFailed) {; exit 1; }"
:: ----------------------------------------------------------

:: ----------------------------------------------------------
:: ----------Disable "WakeUpAndScanForUpdates" task----------
:: ----------------------------------------------------------
echo --- Disable "WakeUpAndScanForUpdates" task
PowerShell -ExecutionPolicy Unrestricted -Command "$taskPath='\Microsoft\Windows\InstallService\'; $taskNamePattern='WakeUpAndScanForUpdates'; $grantAccess= $false; Write-Output "^""Disabling tasks matching pattern `"^""$taskNamePattern`"^""."^""; $tasks = Get-ScheduledTask -TaskPath $taskPath -TaskName $taskNamePattern -ErrorAction Ignore; if (-Not $tasks) {; Write-Output "^""Skipping, no tasks matching pattern `"^""$taskNamePattern`"^"" found, no action needed."^""; exit 0; }; $isOperationFailed = $false; foreach ($task in $tasks) {; $taskName = $task.TaskName; if ($grantAccess) {; try {; Write-Output "^""Attempting to grant access to task `"^""$taskName`"^""."^""; $adminSid = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-544'; $adminAccount = $adminSid.Translate([System.Security.Principal.NTAccount]); $taskFilePath="^""$($env:WINDIR)\System32\Tasks$($task.TaskPath)$($task.TaskName)"^""; $originalAcl= Get-Acl -Path $taskFilePath -ErrorAction Stop; $modifiedAcl= Get-Acl -Path $taskFilePath -ErrorAction Stop; $modifiedAcl.SetOwner($adminAccount); $taskFileAccessRule = New-Object System.Security.AccessControl.FileSystemAccessRule( $adminAccount, [System.Security.AccessControl.FileSystemRights]::FullControl, [System.Security.AccessControl.AccessControlType]::Allow ); $modifiedAcl.SetAccessRule($taskFileAccessRule); Set-Acl -Path $taskFilePath -AclObject $modifiedAcl -ErrorAction Stop; Write-Output "^""Successfully granted access to task `"^""$taskName`"^""."^""; } catch {; Write-Error "^""Failed to grant access to task `"^""$taskName`"^"": $($_.Exception.Message)"^""; continue; }; }; try {; $task | Disable-ScheduledTask -ErrorAction Stop | Out-Null; Write-Output "^""Successfully disabled task `"^""$taskName`"^""."^""; } catch {; Write-Error "^""Failed to disable task `"^""$taskName`"^"": $($_.Exception.Message)"^""; $isOperationFailed = $true; }; if ($grantAccess) {; try {; Set-Acl -Path $taskFilePath -AclObject $originalAcl -ErrorAction Stop; } catch {; Write-Warning "^""Failed to restore original permissions to task `"^""$taskName`"^"": $($_.Exception.Message)"^""; }; }; }; if ($isOperationFailed) {; exit 1; }"
:: ----------------------------------------------------------

:: ----------------------------------------------------------
:: --------------Disable "Scheduled Start" task--------------
:: ----------------------------------------------------------
echo --- Disable "Scheduled Start" task
PowerShell -ExecutionPolicy Unrestricted -Command "$taskPath='\Microsoft\Windows\WindowsUpdate\'; $taskNamePattern='Scheduled Start'; $grantAccess= $false; Write-Output "^""Disabling tasks matching pattern `"^""$taskNamePattern`"^""."^""; $tasks = Get-ScheduledTask -TaskPath $taskPath -TaskName $taskNamePattern -ErrorAction Ignore; if (-Not $tasks) {; Write-Output "^""Skipping, no tasks matching pattern `"^""$taskNamePattern`"^"" found, no action needed."^""; exit 0; }; $isOperationFailed = $false; foreach ($task in $tasks) {; $taskName = $task.TaskName; if ($grantAccess) {; try {; Write-Output "^""Attempting to grant access to task `"^""$taskName`"^""."^""; $adminSid = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-544'; $adminAccount = $adminSid.Translate([System.Security.Principal.NTAccount]); $taskFilePath="^""$($env:WINDIR)\System32\Tasks$($task.TaskPath)$($task.TaskName)"^""; $originalAcl= Get-Acl -Path $taskFilePath -ErrorAction Stop; $modifiedAcl= Get-Acl -Path $taskFilePath -ErrorAction Stop; $modifiedAcl.SetOwner($adminAccount); $taskFileAccessRule = New-Object System.Security.AccessControl.FileSystemAccessRule( $adminAccount, [System.Security.AccessControl.FileSystemRights]::FullControl, [System.Security.AccessControl.AccessControlType]::Allow ); $modifiedAcl.SetAccessRule($taskFileAccessRule); Set-Acl -Path $taskFilePath -AclObject $modifiedAcl -ErrorAction Stop; Write-Output "^""Successfully granted access to task `"^""$taskName`"^""."^""; } catch {; Write-Error "^""Failed to grant access to task `"^""$taskName`"^"": $($_.Exception.Message)"^""; continue; }; }; try {; $task | Disable-ScheduledTask -ErrorAction Stop | Out-Null; Write-Output "^""Successfully disabled task `"^""$taskName`"^""."^""; } catch {; Write-Error "^""Failed to disable task `"^""$taskName`"^"": $($_.Exception.Message)"^""; $isOperationFailed = $true; }; if ($grantAccess) {; try {; Set-Acl -Path $taskFilePath -AclObject $originalAcl -ErrorAction Stop; } catch {; Write-Warning "^""Failed to restore original permissions to task `"^""$taskName`"^"": $($_.Exception.Message)"^""; }; }; }; if ($isOperationFailed) {; exit 1; }"
:: ----------------------------------------------------------

:: ----------------------------------------------------------
:: --------------Disable "Report policies" task--------------
:: ----------------------------------------------------------
echo --- Disable "Report policies" task
PowerShell -ExecutionPolicy Unrestricted -Command "$taskPath='\Microsoft\Windows\UpdateOrchestrator\'; $taskNamePattern='Report policies'; $grantAccess=$true <# $false #>; Write-Output "^""Disabling tasks matching pattern `"^""$taskNamePattern`"^""."^""; $tasks = Get-ScheduledTask -TaskPath $taskPath -TaskName $taskNamePattern -ErrorAction Ignore; if (-Not $tasks) {; Write-Output "^""Skipping, no tasks matching pattern `"^""$taskNamePattern`"^"" found, no action needed."^""; exit 0; }; $isOperationFailed = $false; foreach ($task in $tasks) {; $taskName = $task.TaskName; if ($grantAccess) {; try {; Write-Output "^""Attempting to grant access to task `"^""$taskName`"^""."^""; $adminSid = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-544'; $adminAccount = $adminSid.Translate([System.Security.Principal.NTAccount]); $taskFilePath="^""$($env:WINDIR)\System32\Tasks$($task.TaskPath)$($task.TaskName)"^""; $originalAcl= Get-Acl -Path $taskFilePath -ErrorAction Stop; $modifiedAcl= Get-Acl -Path $taskFilePath -ErrorAction Stop; $modifiedAcl.SetOwner($adminAccount); $taskFileAccessRule = New-Object System.Security.AccessControl.FileSystemAccessRule( $adminAccount, [System.Security.AccessControl.FileSystemRights]::FullControl, [System.Security.AccessControl.AccessControlType]::Allow ); $modifiedAcl.SetAccessRule($taskFileAccessRule); Set-Acl -Path $taskFilePath -AclObject $modifiedAcl -ErrorAction Stop; Write-Output "^""Successfully granted access to task `"^""$taskName`"^""."^""; } catch {; Write-Error "^""Failed to grant access to task `"^""$taskName`"^"": $($_.Exception.Message)"^""; continue; }; }; try {; $task | Disable-ScheduledTask -ErrorAction Stop | Out-Null; Write-Output "^""Successfully disabled task `"^""$taskName`"^""."^""; } catch {; Write-Error "^""Failed to disable task `"^""$taskName`"^"": $($_.Exception.Message)"^""; $isOperationFailed = $true; }; if ($grantAccess) {; try {; Set-Acl -Path $taskFilePath -AclObject $originalAcl -ErrorAction Stop; } catch {; Write-Warning "^""Failed to restore original permissions to task `"^""$taskName`"^"": $($_.Exception.Message)"^""; }; }; }; if ($isOperationFailed) {; exit 1; }"
:: ----------------------------------------------------------

:: ----------------------------------------------------------
:: ---------Disable "Schedule Maintenance Work" task---------
:: ----------------------------------------------------------
echo --- Disable "Schedule Maintenance Work" task
PowerShell -ExecutionPolicy Unrestricted -Command "$taskPath='\Microsoft\Windows\UpdateOrchestrator\'; $taskNamePattern='Schedule Maintenance Work'; $grantAccess= $false; Write-Output "^""Disabling tasks matching pattern `"^""$taskNamePattern`"^""."^""; $tasks = Get-ScheduledTask -TaskPath $taskPath -TaskName $taskNamePattern -ErrorAction Ignore; if (-Not $tasks) {; Write-Output "^""Skipping, no tasks matching pattern `"^""$taskNamePattern`"^"" found, no action needed."^""; exit 0; }; $isOperationFailed = $false; foreach ($task in $tasks) {; $taskName = $task.TaskName; if ($grantAccess) {; try {; Write-Output "^""Attempting to grant access to task `"^""$taskName`"^""."^""; $adminSid = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-544'; $adminAccount = $adminSid.Translate([System.Security.Principal.NTAccount]); $taskFilePath="^""$($env:WINDIR)\System32\Tasks$($task.TaskPath)$($task.TaskName)"^""; $originalAcl= Get-Acl -Path $taskFilePath -ErrorAction Stop; $modifiedAcl= Get-Acl -Path $taskFilePath -ErrorAction Stop; $modifiedAcl.SetOwner($adminAccount); $taskFileAccessRule = New-Object System.Security.AccessControl.FileSystemAccessRule( $adminAccount, [System.Security.AccessControl.FileSystemRights]::FullControl, [System.Security.AccessControl.AccessControlType]::Allow ); $modifiedAcl.SetAccessRule($taskFileAccessRule); Set-Acl -Path $taskFilePath -AclObject $modifiedAcl -ErrorAction Stop; Write-Output "^""Successfully granted access to task `"^""$taskName`"^""."^""; } catch {; Write-Error "^""Failed to grant access to task `"^""$taskName`"^"": $($_.Exception.Message)"^""; continue; }; }; try {; $task | Disable-ScheduledTask -ErrorAction Stop | Out-Null; Write-Output "^""Successfully disabled task `"^""$taskName`"^""."^""; } catch {; Write-Error "^""Failed to disable task `"^""$taskName`"^"": $($_.Exception.Message)"^""; $isOperationFailed = $true; }; if ($grantAccess) {; try {; Set-Acl -Path $taskFilePath -AclObject $originalAcl -ErrorAction Stop; } catch {; Write-Warning "^""Failed to restore original permissions to task `"^""$taskName`"^"": $($_.Exception.Message)"^""; }; }; }; if ($isOperationFailed) {; exit 1; }"
:: ----------------------------------------------------------

:: ----------------------------------------------------------
:: ---------------Disable "Schedule Scan" task---------------
:: ----------------------------------------------------------
echo --- Disable "Schedule Scan" task
PowerShell -ExecutionPolicy Unrestricted -Command "$taskPath='\Microsoft\Windows\UpdateOrchestrator\'; $taskNamePattern='Schedule Scan'; $grantAccess=$true <# $false #>; Write-Output "^""Disabling tasks matching pattern `"^""$taskNamePattern`"^""."^""; $tasks = Get-ScheduledTask -TaskPath $taskPath -TaskName $taskNamePattern -ErrorAction Ignore; if (-Not $tasks) {; Write-Output "^""Skipping, no tasks matching pattern `"^""$taskNamePattern`"^"" found, no action needed."^""; exit 0; }; $isOperationFailed = $false; foreach ($task in $tasks) {; $taskName = $task.TaskName; if ($grantAccess) {; try {; Write-Output "^""Attempting to grant access to task `"^""$taskName`"^""."^""; $adminSid = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-544'; $adminAccount = $adminSid.Translate([System.Security.Principal.NTAccount]); $taskFilePath="^""$($env:WINDIR)\System32\Tasks$($task.TaskPath)$($task.TaskName)"^""; $originalAcl= Get-Acl -Path $taskFilePath -ErrorAction Stop; $modifiedAcl= Get-Acl -Path $taskFilePath -ErrorAction Stop; $modifiedAcl.SetOwner($adminAccount); $taskFileAccessRule = New-Object System.Security.AccessControl.FileSystemAccessRule( $adminAccount, [System.Security.AccessControl.FileSystemRights]::FullControl, [System.Security.AccessControl.AccessControlType]::Allow ); $modifiedAcl.SetAccessRule($taskFileAccessRule); Set-Acl -Path $taskFilePath -AclObject $modifiedAcl -ErrorAction Stop; Write-Output "^""Successfully granted access to task `"^""$taskName`"^""."^""; } catch {; Write-Error "^""Failed to grant access to task `"^""$taskName`"^"": $($_.Exception.Message)"^""; continue; }; }; try {; $task | Disable-ScheduledTask -ErrorAction Stop | Out-Null; Write-Output "^""Successfully disabled task `"^""$taskName`"^""."^""; } catch {; Write-Error "^""Failed to disable task `"^""$taskName`"^"": $($_.Exception.Message)"^""; $isOperationFailed = $true; }; if ($grantAccess) {; try {; Set-Acl -Path $taskFilePath -AclObject $originalAcl -ErrorAction Stop; } catch {; Write-Warning "^""Failed to restore original permissions to task `"^""$taskName`"^"": $($_.Exception.Message)"^""; }; }; }; if ($isOperationFailed) {; exit 1; }"
:: ----------------------------------------------------------

:: ----------------------------------------------------------
:: ---------Disable "Schedule Scan Static Task" task---------
:: ----------------------------------------------------------
echo --- Disable "Schedule Scan Static Task" task
PowerShell -ExecutionPolicy Unrestricted -Command "$taskPath='\Microsoft\Windows\UpdateOrchestrator\'; $taskNamePattern='Schedule Scan Static Task'; $grantAccess=$true <# $false #>; Write-Output "^""Disabling tasks matching pattern `"^""$taskNamePattern`"^""."^""; $tasks = Get-ScheduledTask -TaskPath $taskPath -TaskName $taskNamePattern -ErrorAction Ignore; if (-Not $tasks) {; Write-Output "^""Skipping, no tasks matching pattern `"^""$taskNamePattern`"^"" found, no action needed."^""; exit 0; }; $isOperationFailed = $false; foreach ($task in $tasks) {; $taskName = $task.TaskName; if ($grantAccess) {; try {; Write-Output "^""Attempting to grant access to task `"^""$taskName`"^""."^""; $adminSid = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-544'; $adminAccount = $adminSid.Translate([System.Security.Principal.NTAccount]); $taskFilePath="^""$($env:WINDIR)\System32\Tasks$($task.TaskPath)$($task.TaskName)"^""; $originalAcl= Get-Acl -Path $taskFilePath -ErrorAction Stop; $modifiedAcl= Get-Acl -Path $taskFilePath -ErrorAction Stop; $modifiedAcl.SetOwner($adminAccount); $taskFileAccessRule = New-Object System.Security.AccessControl.FileSystemAccessRule( $adminAccount, [System.Security.AccessControl.FileSystemRights]::FullControl, [System.Security.AccessControl.AccessControlType]::Allow ); $modifiedAcl.SetAccessRule($taskFileAccessRule); Set-Acl -Path $taskFilePath -AclObject $modifiedAcl -ErrorAction Stop; Write-Output "^""Successfully granted access to task `"^""$taskName`"^""."^""; } catch {; Write-Error "^""Failed to grant access to task `"^""$taskName`"^"": $($_.Exception.Message)"^""; continue; }; }; try {; $task | Disable-ScheduledTask -ErrorAction Stop | Out-Null; Write-Output "^""Successfully disabled task `"^""$taskName`"^""."^""; } catch {; Write-Error "^""Failed to disable task `"^""$taskName`"^"": $($_.Exception.Message)"^""; $isOperationFailed = $true; }; if ($grantAccess) {; try {; Set-Acl -Path $taskFilePath -AclObject $originalAcl -ErrorAction Stop; } catch {; Write-Warning "^""Failed to restore original permissions to task `"^""$taskName`"^"": $($_.Exception.Message)"^""; }; }; }; if ($isOperationFailed) {; exit 1; }"
:: ----------------------------------------------------------

:: ----------------------------------------------------------
:: -----------Disable "Schedule Wake To Work" task-----------
:: ----------------------------------------------------------
echo --- Disable "Schedule Wake To Work" task
PowerShell -ExecutionPolicy Unrestricted -Command "$taskPath='\Microsoft\Windows\UpdateOrchestrator\'; $taskNamePattern='Schedule Wake To Work'; $grantAccess=$true <# $false #>; Write-Output "^""Disabling tasks matching pattern `"^""$taskNamePattern`"^""."^""; $tasks = Get-ScheduledTask -TaskPath $taskPath -TaskName $taskNamePattern -ErrorAction Ignore; if (-Not $tasks) {; Write-Output "^""Skipping, no tasks matching pattern `"^""$taskNamePattern`"^"" found, no action needed."^""; exit 0; }; $isOperationFailed = $false; foreach ($task in $tasks) {; $taskName = $task.TaskName; if ($grantAccess) {; try {; Write-Output "^""Attempting to grant access to task `"^""$taskName`"^""."^""; $adminSid = New-Object
System.Security.Principal.SecurityIdentifier 'S-1-5-32-544'; $adminAccount = $adminSid.Translate([System.Security.Principal.NTAccount]); $taskFilePath="^""$($env:WINDIR)\System32\Tasks$($task.TaskPath)$($task.TaskName)"^""; $originalAcl= Get-Acl -Path $taskFilePath -ErrorAction Stop; $modifiedAcl= Get-Acl -Path $taskFilePath -ErrorAction Stop; $modifiedAcl.SetOwner($adminAccount); $taskFileAccessRule = New-Object System.Security.AccessControl.FileSystemAccessRule( $adminAccount, [System.Security.AccessControl.FileSystemRights]::FullControl, [System.Security.AccessControl.AccessControlType]::Allow ); $modifiedAcl.SetAccessRule($taskFileAccessRule); Set-Acl -Path $taskFilePath -AclObject $modifiedAcl -ErrorAction Stop; Write-Output "^""Successfully granted access to task `"^""$taskName`"^""."^""; } catch {; Write-Error "^""Failed to grant access to task `"^""$taskName`"^"": $($_.Exception.Message)"^""; continue; }; }; try {; $task | Disable-ScheduledTask -ErrorAction Stop | Out-Null; Write-Output "^""Successfully disabled task `"^""$taskName`"^""."^""; } catch {; Write-Error "^""Failed to disable task `"^""$taskName`"^"": $($_.Exception.Message)"^""; $isOperationFailed = $true; }; if ($grantAccess) {; try {; Set-Acl -Path $taskFilePath -AclObject $originalAcl -ErrorAction Stop; } catch {; Write-Warning "^""Failed to restore original permissions to task `"^""$taskName`"^"": $($_.Exception.Message)"^""; }; }; }; if ($isOperationFailed) {; exit 1; }" :: ---------------------------------------------------------- :: ---------------------------------------------------------- :: ---------------Disable "Schedule Work" task--------------- :: ---------------------------------------------------------- echo --- Disable "Schedule Work" task PowerShell -ExecutionPolicy Unrestricted -Command "$taskPath='\Microsoft\Windows\UpdateOrchestrator\'; $taskNamePattern='Schedule Work'; $grantAccess= $false; Write-Output "^""Disabling tasks matching pattern `"^""$taskNamePattern`"^""."^""; 
$tasks = Get-ScheduledTask -TaskPath $taskPath -TaskName $taskNamePattern -ErrorAction Ignore; if (-Not $tasks) {; Write-Output "^""Skipping, no tasks matching pattern `"^""$taskNamePattern`"^"" found, no action needed."^""; exit 0; }; $isOperationFailed = $false; foreach ($task in $tasks) {; $taskName = $task.TaskName; if ($grantAccess) {; try {; Write-Output "^""Attempting to grant access to task `"^""$taskName`"^""."^""; $adminSid = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-544'; $adminAccount = $adminSid.Translate([System.Security.Principal.NTAccount]); $taskFilePath="^""$($env:WINDIR)\System32\Tasks$($task.TaskPath)$($task.TaskName)"^""; $originalAcl= Get-Acl -Path $taskFilePath -ErrorAction Stop; $modifiedAcl= Get-Acl -Path $taskFilePath -ErrorAction Stop; $modifiedAcl.SetOwner($adminAccount); $taskFileAccessRule = New-Object System.Security.AccessControl.FileSystemAccessRule( $adminAccount, [System.Security.AccessControl.FileSystemRights]::FullControl, [System.Security.AccessControl.AccessControlType]::Allow ); $modifiedAcl.SetAccessRule($taskFileAccessRule); Set-Acl -Path $taskFilePath -AclObject $modifiedAcl -ErrorAction Stop; Write-Output "^""Successfully granted access to task `"^""$taskName`"^""."^""; } catch {; Write-Error "^""Failed to grant access to task `"^""$taskName`"^"": $($_.Exception.Message)"^""; continue; }; }; try {; $task | Disable-ScheduledTask -ErrorAction Stop | Out-Null; Write-Output "^""Successfully disabled task `"^""$taskName`"^""."^""; } catch {; Write-Error "^""Failed to disable task `"^""$taskName`"^"": $($_.Exception.Message)"^""; $isOperationFailed = $true; }; if ($grantAccess) {; try {; Set-Acl -Path $taskFilePath -AclObject $originalAcl -ErrorAction Stop; } catch {; Write-Warning "^""Failed to restore original permissions to task `"^""$taskName`"^"": $($_.Exception.Message)"^""; }; }; }; if ($isOperationFailed) {; exit 1; }" :: ---------------------------------------------------------- :: 
---------------------------------------------------------- :: --------------Disable "UpdateModelTask" task-------------- :: ---------------------------------------------------------- echo --- Disable "UpdateModelTask" task PowerShell -ExecutionPolicy Unrestricted -Command "$taskPath='\Microsoft\Windows\UpdateOrchestrator\'; $taskNamePattern='UpdateModelTask'; $grantAccess=$true <# $false #>; Write-Output "^""Disabling tasks matching pattern `"^""$taskNamePattern`"^""."^""; $tasks = Get-ScheduledTask -TaskPath $taskPath -TaskName $taskNamePattern -ErrorAction Ignore; if (-Not $tasks) {; Write-Output "^""Skipping, no tasks matching pattern `"^""$taskNamePattern`"^"" found, no action needed."^""; exit 0; }; $isOperationFailed = $false; foreach ($task in $tasks) {; $taskName = $task.TaskName; if ($grantAccess) {; try {; Write-Output "^""Attempting to grant access to task `"^""$taskName`"^""."^""; $adminSid = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-544'; $adminAccount = $adminSid.Translate([System.Security.Principal.NTAccount]); $taskFilePath="^""$($env:WINDIR)\System32\Tasks$($task.TaskPath)$($task.TaskName)"^""; $originalAcl= Get-Acl -Path $taskFilePath -ErrorAction Stop; $modifiedAcl= Get-Acl -Path $taskFilePath -ErrorAction Stop; $modifiedAcl.SetOwner($adminAccount); $taskFileAccessRule = New-Object System.Security.AccessControl.FileSystemAccessRule( $adminAccount, [System.Security.AccessControl.FileSystemRights]::FullControl, [System.Security.AccessControl.AccessControlType]::Allow ); $modifiedAcl.SetAccessRule($taskFileAccessRule); Set-Acl -Path $taskFilePath -AclObject $modifiedAcl -ErrorAction Stop; Write-Output "^""Successfully granted access to task `"^""$taskName`"^""."^""; } catch {; Write-Error "^""Failed to grant access to task `"^""$taskName`"^"": $($_.Exception.Message)"^""; continue; }; }; try {; $task | Disable-ScheduledTask -ErrorAction Stop | Out-Null; Write-Output "^""Successfully disabled task `"^""$taskName`"^""."^""; } 
catch {; Write-Error "^""Failed to disable task `"^""$taskName`"^"": $($_.Exception.Message)"^""; $isOperationFailed = $true; }; if ($grantAccess) {; try {; Set-Acl -Path $taskFilePath -AclObject $originalAcl -ErrorAction Stop; } catch {; Write-Warning "^""Failed to restore original permissions to task `"^""$taskName`"^"": $($_.Exception.Message)"^""; }; }; }; if ($isOperationFailed) {; exit 1; }" :: ---------------------------------------------------------- :: ---------------------------------------------------------- :: ---------Disable "Start Oobe Expedite Work" task---------- :: ---------------------------------------------------------- echo --- Disable "Start Oobe Expedite Work" task PowerShell -ExecutionPolicy Unrestricted -Command "$taskPath='\Microsoft\Windows\UpdateOrchestrator\'; $taskNamePattern='Start Oobe Expedite Work'; $grantAccess=$true <# $false #>; Write-Output "^""Disabling tasks matching pattern `"^""$taskNamePattern`"^""."^""; $tasks = Get-ScheduledTask -TaskPath $taskPath -TaskName $taskNamePattern -ErrorAction Ignore; if (-Not $tasks) {; Write-Output "^""Skipping, no tasks matching pattern `"^""$taskNamePattern`"^"" found, no action needed."^""; exit 0; }; $isOperationFailed = $false; foreach ($task in $tasks) {; $taskName = $task.TaskName; if ($grantAccess) {; try {; Write-Output "^""Attempting to grant access to task `"^""$taskName`"^""."^""; $adminSid = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-544'; $adminAccount = $adminSid.Translate([System.Security.Principal.NTAccount]); $taskFilePath="^""$($env:WINDIR)\System32\Tasks$($task.TaskPath)$($task.TaskName)"^""; $originalAcl= Get-Acl -Path $taskFilePath -ErrorAction Stop; $modifiedAcl= Get-Acl -Path $taskFilePath -ErrorAction Stop; $modifiedAcl.SetOwner($adminAccount); $taskFileAccessRule = New-Object System.Security.AccessControl.FileSystemAccessRule( $adminAccount, [System.Security.AccessControl.FileSystemRights]::FullControl, 
[System.Security.AccessControl.AccessControlType]::Allow ); $modifiedAcl.SetAccessRule($taskFileAccessRule); Set-Acl -Path $taskFilePath -AclObject $modifiedAcl -ErrorAction Stop; Write-Output "^""Successfully granted access to task `"^""$taskName`"^""."^""; } catch {; Write-Error "^""Failed to grant access to task `"^""$taskName`"^"": $($_.Exception.Message)"^""; continue; }; }; try {; $task | Disable-ScheduledTask -ErrorAction Stop | Out-Null; Write-Output "^""Successfully disabled task `"^""$taskName`"^""."^""; } catch {; Write-Error "^""Failed to disable task `"^""$taskName`"^"": $($_.Exception.Message)"^""; $isOperationFailed = $true; }; if ($grantAccess) {; try {; Set-Acl -Path $taskFilePath -AclObject $originalAcl -ErrorAction Stop; } catch {; Write-Warning "^""Failed to restore original permissions to task `"^""$taskName`"^"": $($_.Exception.Message)"^""; }; }; }; if ($isOperationFailed) {; exit 1; }" :: ---------------------------------------------------------- :: ---------------------------------------------------------- :: -----Disable "StartOobeAppsScan_LicenseAccepted" task----- :: ---------------------------------------------------------- echo --- Disable "StartOobeAppsScan_LicenseAccepted" task PowerShell -ExecutionPolicy Unrestricted -Command "$taskPath='\Microsoft\Windows\UpdateOrchestrator\'; $taskNamePattern='StartOobeAppsScan_LicenseAccepted'; $grantAccess=$true <# $false #>; Write-Output "^""Disabling tasks matching pattern `"^""$taskNamePattern`"^""."^""; $tasks = Get-ScheduledTask -TaskPath $taskPath -TaskName $taskNamePattern -ErrorAction Ignore; if (-Not $tasks) {; Write-Output "^""Skipping, no tasks matching pattern `"^""$taskNamePattern`"^"" found, no action needed."^""; exit 0; }; $isOperationFailed = $false; foreach ($task in $tasks) {; $taskName = $task.TaskName; if ($grantAccess) {; try {; Write-Output "^""Attempting to grant access to task `"^""$taskName`"^""."^""; $adminSid = New-Object System.Security.Principal.SecurityIdentifier 
'S-1-5-32-544'; $adminAccount = $adminSid.Translate([System.Security.Principal.NTAccount]); $taskFilePath="^""$($env:WINDIR)\System32\Tasks$($task.TaskPath)$($task.TaskName)"^""; $originalAcl= Get-Acl -Path $taskFilePath -ErrorAction Stop; $modifiedAcl= Get-Acl -Path $taskFilePath -ErrorAction Stop; $modifiedAcl.SetOwner($adminAccount); $taskFileAccessRule = New-Object System.Security.AccessControl.FileSystemAccessRule( $adminAccount, [System.Security.AccessControl.FileSystemRights]::FullControl, [System.Security.AccessControl.AccessControlType]::Allow ); $modifiedAcl.SetAccessRule($taskFileAccessRule); Set-Acl -Path $taskFilePath -AclObject $modifiedAcl -ErrorAction Stop; Write-Output "^""Successfully granted access to task `"^""$taskName`"^""."^""; } catch {; Write-Error "^""Failed to grant access to task `"^""$taskName`"^"": $($_.Exception.Message)"^""; continue; }; }; try {; $task | Disable-ScheduledTask -ErrorAction Stop | Out-Null; Write-Output "^""Successfully disabled task `"^""$taskName`"^""."^""; } catch {; Write-Error "^""Failed to disable task `"^""$taskName`"^"": $($_.Exception.Message)"^""; $isOperationFailed = $true; }; if ($grantAccess) {; try {; Set-Acl -Path $taskFilePath -AclObject $originalAcl -ErrorAction Stop; } catch {; Write-Warning "^""Failed to restore original permissions to task `"^""$taskName`"^"": $($_.Exception.Message)"^""; }; }; }; if ($isOperationFailed) {; exit 1; }" :: ---------------------------------------------------------- :: ---------------------------------------------------------- :: ------Disable "StartOobeAppsScan_OobeAppReady" task------- :: ---------------------------------------------------------- echo --- Disable "StartOobeAppsScan_OobeAppReady" task PowerShell -ExecutionPolicy Unrestricted -Command "$taskPath='\Microsoft\Windows\UpdateOrchestrator\'; $taskNamePattern='StartOobeAppsScan_OobeAppReady'; $grantAccess=$true <# $false #>; Write-Output "^""Disabling tasks matching pattern `"^""$taskNamePattern`"^""."^""; 
$tasks = Get-ScheduledTask -TaskPath $taskPath -TaskName $taskNamePattern -ErrorAction Ignore; if (-Not $tasks) {; Write-Output "^""Skipping, no tasks matching pattern `"^""$taskNamePattern`"^"" found, no action needed."^""; exit 0; }; $isOperationFailed = $false; foreach ($task in $tasks) {; $taskName = $task.TaskName; if ($grantAccess) {; try {; Write-Output "^""Attempting to grant access to task `"^""$taskName`"^""."^""; $adminSid = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-544'; $adminAccount = $adminSid.Translate([System.Security.Principal.NTAccount]); $taskFilePath="^""$($env:WINDIR)\System32\Tasks$($task.TaskPath)$($task.TaskName)"^""; $originalAcl= Get-Acl -Path $taskFilePath -ErrorAction Stop; $modifiedAcl= Get-Acl -Path $taskFilePath -ErrorAction Stop; $modifiedAcl.SetOwner($adminAccount); $taskFileAccessRule = New-Object System.Security.AccessControl.FileSystemAccessRule( $adminAccount, [System.Security.AccessControl.FileSystemRights]::FullControl, [System.Security.AccessControl.AccessControlType]::Allow ); $modifiedAcl.SetAccessRule($taskFileAccessRule); Set-Acl -Path $taskFilePath -AclObject $modifiedAcl -ErrorAction Stop; Write-Output "^""Successfully granted access to task `"^""$taskName`"^""."^""; } catch {; Write-Error "^""Failed to grant access to task `"^""$taskName`"^"": $($_.Exception.Message)"^""; continue; }; }; try {; $task | Disable-ScheduledTask -ErrorAction Stop | Out-Null; Write-Output "^""Successfully disabled task `"^""$taskName`"^""."^""; } catch {; Write-Error "^""Failed to disable task `"^""$taskName`"^"": $($_.Exception.Message)"^""; $isOperationFailed = $true; }; if ($grantAccess) {; try {; Set-Acl -Path $taskFilePath -AclObject $originalAcl -ErrorAction Stop; } catch {; Write-Warning "^""Failed to restore original permissions to task `"^""$taskName`"^"": $($_.Exception.Message)"^""; }; }; }; if ($isOperationFailed) {; exit 1; }" :: ---------------------------------------------------------- :: 
---------------------------------------------------------- :: -------Disable "StartOobeAppsScanAfterUpdate" task-------- :: ---------------------------------------------------------- echo --- Disable "StartOobeAppsScanAfterUpdate" task PowerShell -ExecutionPolicy Unrestricted -Command "$taskPath='\Microsoft\Windows\UpdateOrchestrator\'; $taskNamePattern='StartOobeAppsScanAfterUpdate'; $grantAccess=$true <# $false #>; Write-Output "^""Disabling tasks matching pattern `"^""$taskNamePattern`"^""."^""; $tasks = Get-ScheduledTask -TaskPath $taskPath -TaskName $taskNamePattern -ErrorAction Ignore; if (-Not $tasks) {; Write-Output "^""Skipping, no tasks matching pattern `"^""$taskNamePattern`"^"" found, no action needed."^""; exit 0; }; $isOperationFailed = $false; foreach ($task in $tasks) {; $taskName = $task.TaskName; if ($grantAccess) {; try {; Write-Output "^""Attempting to grant access to task `"^""$taskName`"^""."^""; $adminSid = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-544'; $adminAccount = $adminSid.Translate([System.Security.Principal.NTAccount]); $taskFilePath="^""$($env:WINDIR)\System32\Tasks$($task.TaskPath)$($task.TaskName)"^""; $originalAcl= Get-Acl -Path $taskFilePath -ErrorAction Stop; $modifiedAcl= Get-Acl -Path $taskFilePath -ErrorAction Stop; $modifiedAcl.SetOwner($adminAccount); $taskFileAccessRule = New-Object System.Security.AccessControl.FileSystemAccessRule( $adminAccount, [System.Security.AccessControl.FileSystemRights]::FullControl, [System.Security.AccessControl.AccessControlType]::Allow ); $modifiedAcl.SetAccessRule($taskFileAccessRule); Set-Acl -Path $taskFilePath -AclObject $modifiedAcl -ErrorAction Stop; Write-Output "^""Successfully granted access to task `"^""$taskName`"^""."^""; } catch {; Write-Error "^""Failed to grant access to task `"^""$taskName`"^"": $($_.Exception.Message)"^""; continue; }; }; try {; $task | Disable-ScheduledTask -ErrorAction Stop | Out-Null; Write-Output "^""Successfully disabled task 
`"^""$taskName`"^""."^""; } catch {; Write-Error "^""Failed to disable task `"^""$taskName`"^"": $($_.Exception.Message)"^""; $isOperationFailed = $true; }; if ($grantAccess) {; try {; Set-Acl -Path $taskFilePath -AclObject $originalAcl -ErrorAction Stop; } catch {; Write-Warning "^""Failed to restore original permissions to task `"^""$taskName`"^"": $($_.Exception.Message)"^""; }; }; }; if ($isOperationFailed) {; exit 1; }" :: ---------------------------------------------------------- :: ---------------------------------------------------------- :: ---------------Disable "USO_UxBroker" task---------------- :: ---------------------------------------------------------- echo --- Disable "USO_UxBroker" task PowerShell -ExecutionPolicy Unrestricted -Command "$taskPath='\Microsoft\Windows\UpdateOrchestrator\'; $taskNamePattern='USO_UxBroker'; $grantAccess=$true <# $false #>; Write-Output "^""Disabling tasks matching pattern `"^""$taskNamePattern`"^""."^""; $tasks = Get-ScheduledTask -TaskPath $taskPath -TaskName $taskNamePattern -ErrorAction Ignore; if (-Not $tasks) {; Write-Output "^""Skipping, no tasks matching pattern `"^""$taskNamePattern`"^"" found, no action needed."^""; exit 0; }; $isOperationFailed = $false; foreach ($task in $tasks) {; $taskName = $task.TaskName; if ($grantAccess) {; try {; Write-Output "^""Attempting to grant access to task `"^""$taskName`"^""."^""; $adminSid = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-544'; $adminAccount = $adminSid.Translate([System.Security.Principal.NTAccount]); $taskFilePath="^""$($env:WINDIR)\System32\Tasks$($task.TaskPath)$($task.TaskName)"^""; $originalAcl= Get-Acl -Path $taskFilePath -ErrorAction Stop; $modifiedAcl= Get-Acl -Path $taskFilePath -ErrorAction Stop; $modifiedAcl.SetOwner($adminAccount); $taskFileAccessRule = New-Object System.Security.AccessControl.FileSystemAccessRule( $adminAccount, [System.Security.AccessControl.FileSystemRights]::FullControl, 
[System.Security.AccessControl.AccessControlType]::Allow ); $modifiedAcl.SetAccessRule($taskFileAccessRule); Set-Acl -Path $taskFilePath -AclObject $modifiedAcl -ErrorAction Stop; Write-Output "^""Successfully granted access to task `"^""$taskName`"^""."^""; } catch {; Write-Error "^""Failed to grant access to task `"^""$taskName`"^"": $($_.Exception.Message)"^""; continue; }; }; try {; $task | Disable-ScheduledTask -ErrorAction Stop | Out-Null; Write-Output "^""Successfully disabled task `"^""$taskName`"^""."^""; } catch {; Write-Error "^""Failed to disable task `"^""$taskName`"^"": $($_.Exception.Message)"^""; $isOperationFailed = $true; }; if ($grantAccess) {; try {; Set-Acl -Path $taskFilePath -AclObject $originalAcl -ErrorAction Stop; } catch {; Write-Warning "^""Failed to restore original permissions to task `"^""$taskName`"^"": $($_.Exception.Message)"^""; }; }; }; if ($isOperationFailed) {; exit 1; }" :: ---------------------------------------------------------- :: ---------------------------------------------------------- :: -------------Disable "UUS Failover Task" task------------- :: ---------------------------------------------------------- echo --- Disable "UUS Failover Task" task PowerShell -ExecutionPolicy Unrestricted -Command "$taskPath='\Microsoft\Windows\UpdateOrchestrator\'; $taskNamePattern='UUS Failover Task'; $grantAccess=$true <# $false #>; Write-Output "^""Disabling tasks matching pattern `"^""$taskNamePattern`"^""."^""; $tasks = Get-ScheduledTask -TaskPath $taskPath -TaskName $taskNamePattern -ErrorAction Ignore; if (-Not $tasks) {; Write-Output "^""Skipping, no tasks matching pattern `"^""$taskNamePattern`"^"" found, no action needed."^""; exit 0; }; $isOperationFailed = $false; foreach ($task in $tasks) {; $taskName = $task.TaskName; if ($grantAccess) {; try {; Write-Output "^""Attempting to grant access to task `"^""$taskName`"^""."^""; $adminSid = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-544'; $adminAccount = 
$adminSid.Translate([System.Security.Principal.NTAccount]); $taskFilePath="^""$($env:WINDIR)\System32\Tasks$($task.TaskPath)$($task.TaskName)"^""; $originalAcl= Get-Acl -Path $taskFilePath -ErrorAction Stop; $modifiedAcl= Get-Acl -Path $taskFilePath -ErrorAction Stop; $modifiedAcl.SetOwner($adminAccount); $taskFileAccessRule = New-Object System.Security.AccessControl.FileSystemAccessRule( $adminAccount, [System.Security.AccessControl.FileSystemRights]::FullControl, [System.Security.AccessControl.AccessControlType]::Allow ); $modifiedAcl.SetAccessRule($taskFileAccessRule); Set-Acl -Path $taskFilePath -AclObject $modifiedAcl -ErrorAction Stop; Write-Output "^""Successfully granted access to task `"^""$taskName`"^""."^""; } catch {; Write-Error "^""Failed to grant access to task `"^""$taskName`"^"": $($_.Exception.Message)"^""; continue; }; }; try {; $task | Disable-ScheduledTask -ErrorAction Stop | Out-Null; Write-Output "^""Successfully disabled task `"^""$taskName`"^""."^""; } catch {; Write-Error "^""Failed to disable task `"^""$taskName`"^"": $($_.Exception.Message)"^""; $isOperationFailed = $true; }; if ($grantAccess) {; try {; Set-Acl -Path $taskFilePath -AclObject $originalAcl -ErrorAction Stop; } catch {; Write-Warning "^""Failed to restore original permissions to task `"^""$taskName`"^"": $($_.Exception.Message)"^""; }; }; }; if ($isOperationFailed) {; exit 1; }" :: ---------------------------------------------------------- :: ---------------------------------------------------------- :: ------------Disable "PerformRemediation" task------------- :: ---------------------------------------------------------- echo --- Disable "PerformRemediation" task PowerShell -ExecutionPolicy Unrestricted -Command "$taskPath='\Microsoft\Windows\WaaSMedic\'; $taskNamePattern='PerformRemediation'; $grantAccess=$true <# $false #>; Write-Output "^""Disabling tasks matching pattern `"^""$taskNamePattern`"^""."^""; $tasks = Get-ScheduledTask -TaskPath $taskPath -TaskName 
$taskNamePattern -ErrorAction Ignore; if (-Not $tasks) {; Write-Output "^""Skipping, no tasks matching pattern `"^""$taskNamePattern`"^"" found, no action needed."^""; exit 0; }; $isOperationFailed = $false; foreach ($task in $tasks) {; $taskName = $task.TaskName; if ($grantAccess) {; try {; Write-Output "^""Attempting to grant access to task `"^""$taskName`"^""."^""; $adminSid = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-544'; $adminAccount = $adminSid.Translate([System.Security.Principal.NTAccount]); $taskFilePath="^""$($env:WINDIR)\System32\Tasks$($task.TaskPath)$($task.TaskName)"^""; $originalAcl= Get-Acl -Path $taskFilePath -ErrorAction Stop; $modifiedAcl= Get-Acl -Path $taskFilePath -ErrorAction Stop; $modifiedAcl.SetOwner($adminAccount); $taskFileAccessRule = New-Object System.Security.AccessControl.FileSystemAccessRule( $adminAccount, [System.Security.AccessControl.FileSystemRights]::FullControl, [System.Security.AccessControl.AccessControlType]::Allow ); $modifiedAcl.SetAccessRule($taskFileAccessRule); Set-Acl -Path $taskFilePath -AclObject $modifiedAcl -ErrorAction Stop; Write-Output "^""Successfully granted access to task `"^""$taskName`"^""."^""; } catch {; Write-Error "^""Failed to grant access to task `"^""$taskName`"^"": $($_.Exception.Message)"^""; continue; }; }; try {; $task | Disable-ScheduledTask -ErrorAction Stop | Out-Null; Write-Output "^""Successfully disabled task `"^""$taskName`"^""."^""; } catch {; Write-Error "^""Failed to disable task `"^""$taskName`"^"": $($_.Exception.Message)"^""; $isOperationFailed = $true; }; if ($grantAccess) {; try {; Set-Acl -Path $taskFilePath -AclObject $originalAcl -ErrorAction Stop; } catch {; Write-Warning "^""Failed to restore original permissions to task `"^""$taskName`"^"": $($_.Exception.Message)"^""; }; }; }; if ($isOperationFailed) {; exit 1; }" :: ---------------------------------------------------------- pause exit /b 0 ```

Revert code:

revert-windows-update-tasks.bat

```batchfile
@echo off
:: https://privacy.sexy — v0.12.5 — Tue, 17 Oct 2023 23:01:47 GMT
:: Ensure admin privileges
fltmc >nul 2>&1 || (
    echo Administrator privileges are required.
    PowerShell Start -Verb RunAs '%0' 2> nul || (
        echo Right-click on the script and select "Run as administrator".
        pause & exit 1
    )
    exit 0
)

:: ----------------------------------------------------------
:: ----------Disable "ScanForUpdates" task (revert)----------
:: ----------------------------------------------------------
echo --- Disable "ScanForUpdates" task (revert)
PowerShell -ExecutionPolicy Unrestricted -Command "$taskPath='\Microsoft\Windows\InstallService\'; $taskNamePattern='ScanForUpdates'; $disableOnRevert= $false; $grantAccess= $false; Write-Output "^""Reverting tasks matching pattern `"^""$taskNamePattern`"^""."^""; $tasks = Get-ScheduledTask -TaskPath $taskPath -TaskName $taskNamePattern -ErrorAction Ignore; if (-Not $tasks) {; Write-Warning "^""Cannot revert, no tasks matching pattern `"^""$taskNamePattern`"^"" found."^""; exit 0; }; $isOperationFailed = $false; foreach ($task in $tasks) {; $taskName = $task.TaskName; if ($grantAccess) {; try {; Write-Output "^""Attempting to grant access to task `"^""$taskName`"^""."^""; $adminSid = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-544'; $adminAccount = $adminSid.Translate([System.Security.Principal.NTAccount]); $taskFilePath="^""$($env:WINDIR)\System32\Tasks$($task.TaskPath)$($task.TaskName)"^""; $originalAcl= Get-Acl -Path $taskFilePath -ErrorAction Stop; $modifiedAcl= Get-Acl -Path $taskFilePath -ErrorAction Stop; $modifiedAcl.SetOwner($adminAccount); $taskFileAccessRule = New-Object System.Security.AccessControl.FileSystemAccessRule( $adminAccount, [System.Security.AccessControl.FileSystemRights]::FullControl, [System.Security.AccessControl.AccessControlType]::Allow ); $modifiedAcl.SetAccessRule($taskFileAccessRule); Set-Acl -Path $taskFilePath -AclObject $modifiedAcl -ErrorAction Stop; Write-Output "^""Successfully granted access to task `"^""$taskName`"^""."^""; } catch {; Write-Error "^""Failed to grant access to task `"^""$taskName`"^"": $($_.Exception.Message)"^""; continue; }; }; try {; if ($disableOnRevert) {; $task | Disable-ScheduledTask -ErrorAction Stop | Out-Null; Write-Output "^""Successfully disabled task `"^""$taskName`"^""."^""; } else {; $task | Enable-ScheduledTask -ErrorAction Stop | Out-Null; Write-Output "^""Successfully enabled task `"^""$taskName`"^""."^""; }; } catch {; Write-Error "^""Failed to revert task `"^""$taskName`"^"": $($_.Exception.Message)"^""; $isOperationFailed = $true; }; if ($grantAccess) {; try {; Set-Acl -Path $taskFilePath -AclObject $originalAcl -ErrorAction Stop; } catch {; Write-Warning "^""Failed to restore original permissions to task `"^""$taskName`"^"": $($_.Exception.Message)"^""; }; }; }; if ($isOperationFailed) {; exit 1; }"
:: ----------------------------------------------------------

:: ----------------------------------------------------------
:: -------Disable "ScanForUpdatesAsUser" task (revert)-------
:: ----------------------------------------------------------
echo --- Disable "ScanForUpdatesAsUser" task (revert)
PowerShell -ExecutionPolicy Unrestricted -Command "$taskPath='\Microsoft\Windows\InstallService\'; $taskNamePattern='ScanForUpdatesAsUser'; $disableOnRevert= $false; $grantAccess= $false; Write-Output "^""Reverting tasks matching pattern `"^""$taskNamePattern`"^""."^""; $tasks = Get-ScheduledTask -TaskPath $taskPath -TaskName $taskNamePattern -ErrorAction Ignore; if (-Not $tasks) {; Write-Warning "^""Cannot revert, no tasks matching pattern `"^""$taskNamePattern`"^"" found."^""; exit 0; }; $isOperationFailed = $false; foreach ($task in $tasks) {; $taskName = $task.TaskName; if ($grantAccess) {; try {; Write-Output "^""Attempting to grant access to task `"^""$taskName`"^""."^""; $adminSid = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-544'; $adminAccount = $adminSid.Translate([System.Security.Principal.NTAccount]); $taskFilePath="^""$($env:WINDIR)\System32\Tasks$($task.TaskPath)$($task.TaskName)"^""; $originalAcl= Get-Acl -Path $taskFilePath -ErrorAction Stop; $modifiedAcl= Get-Acl -Path $taskFilePath -ErrorAction Stop; $modifiedAcl.SetOwner($adminAccount); $taskFileAccessRule = New-Object System.Security.AccessControl.FileSystemAccessRule( $adminAccount, [System.Security.AccessControl.FileSystemRights]::FullControl, [System.Security.AccessControl.AccessControlType]::Allow ); $modifiedAcl.SetAccessRule($taskFileAccessRule); Set-Acl -Path $taskFilePath -AclObject $modifiedAcl -ErrorAction Stop; Write-Output "^""Successfully granted access to task `"^""$taskName`"^""."^""; } catch {; Write-Error "^""Failed to grant access to task `"^""$taskName`"^"": $($_.Exception.Message)"^""; continue; }; }; try {; if ($disableOnRevert) {; $task | Disable-ScheduledTask -ErrorAction Stop | Out-Null; Write-Output "^""Successfully disabled task `"^""$taskName`"^""."^""; } else {; $task | Enable-ScheduledTask -ErrorAction Stop | Out-Null; Write-Output "^""Successfully enabled task `"^""$taskName`"^""."^""; }; } catch {; Write-Error "^""Failed to revert task `"^""$taskName`"^"": $($_.Exception.Message)"^""; $isOperationFailed = $true; }; if ($grantAccess) {; try {; Set-Acl -Path $taskFilePath -AclObject $originalAcl -ErrorAction Stop; } catch {; Write-Warning "^""Failed to restore original permissions to task `"^""$taskName`"^"": $($_.Exception.Message)"^""; }; }; }; if ($isOperationFailed) {; exit 1; }"
:: ----------------------------------------------------------

:: ----------------------------------------------------------
:: ------------Disable "SmartRetry" task (revert)------------
:: ----------------------------------------------------------
echo --- Disable "SmartRetry" task (revert)
PowerShell -ExecutionPolicy Unrestricted -Command "$taskPath='\Microsoft\Windows\InstallService\'; $taskNamePattern='SmartRetry'; $disableOnRevert= $false; $grantAccess= $false; Write-Output "^""Reverting tasks matching pattern `"^""$taskNamePattern`"^""."^""; $tasks = Get-ScheduledTask -TaskPath $taskPath -TaskName $taskNamePattern -ErrorAction Ignore; if (-Not $tasks) {; Write-Warning "^""Cannot revert, no tasks matching pattern `"^""$taskNamePattern`"^"" found."^""; exit 0; }; $isOperationFailed = $false; foreach ($task in $tasks) {; $taskName = $task.TaskName; if ($grantAccess) {; try {; Write-Output "^""Attempting to grant access to task `"^""$taskName`"^""."^""; $adminSid = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-544'; $adminAccount = $adminSid.Translate([System.Security.Principal.NTAccount]); $taskFilePath="^""$($env:WINDIR)\System32\Tasks$($task.TaskPath)$($task.TaskName)"^""; $originalAcl= Get-Acl -Path $taskFilePath -ErrorAction Stop; $modifiedAcl= Get-Acl -Path $taskFilePath -ErrorAction Stop; $modifiedAcl.SetOwner($adminAccount); $taskFileAccessRule = New-Object System.Security.AccessControl.FileSystemAccessRule( $adminAccount, [System.Security.AccessControl.FileSystemRights]::FullControl, [System.Security.AccessControl.AccessControlType]::Allow ); $modifiedAcl.SetAccessRule($taskFileAccessRule); Set-Acl -Path $taskFilePath -AclObject $modifiedAcl -ErrorAction Stop; Write-Output "^""Successfully granted access to task `"^""$taskName`"^""."^""; } catch {; Write-Error "^""Failed to grant access to task `"^""$taskName`"^"": $($_.Exception.Message)"^""; continue; }; }; try {; if ($disableOnRevert) {; $task | Disable-ScheduledTask -ErrorAction Stop | Out-Null; Write-Output "^""Successfully disabled task `"^""$taskName`"^""."^""; } else {; $task | Enable-ScheduledTask -ErrorAction Stop | Out-Null; Write-Output "^""Successfully enabled task `"^""$taskName`"^""."^""; }; } catch {; Write-Error "^""Failed to revert task `"^""$taskName`"^"": $($_.Exception.Message)"^""; $isOperationFailed = $true; }; if ($grantAccess) {; try {; Set-Acl -Path $taskFilePath -AclObject
$originalAcl -ErrorAction Stop; } catch {; Write-Warning "^""Failed to restore original permissions to task `"^""$taskName`"^"": $($_.Exception.Message)"^""; }; }; }; if ($isOperationFailed) {; exit 1; }" :: ---------------------------------------------------------- :: ---------------------------------------------------------- :: -----Disable "WakeUpAndContinueUpdates" task (revert)----- :: ---------------------------------------------------------- echo --- Disable "WakeUpAndContinueUpdates" task (revert) PowerShell -ExecutionPolicy Unrestricted -Command "$taskPath='\Microsoft\Windows\InstallService\'; $taskNamePattern='WakeUpAndContinueUpdates'; $disableOnRevert=$true <# $false #>; $grantAccess= $false; Write-Output "^""Reverting tasks matching pattern `"^""$taskNamePattern`"^""."^""; $tasks = Get-ScheduledTask -TaskPath $taskPath -TaskName $taskNamePattern -ErrorAction Ignore; if (-Not $tasks) {; Write-Warning "^""Cannot revert, no tasks matching pattern `"^""$taskNamePattern`"^"" found."^""; exit 0; }; $isOperationFailed = $false; foreach ($task in $tasks) {; $taskName = $task.TaskName; if ($grantAccess) {; try {; Write-Output "^""Attempting to grant access to task `"^""$taskName`"^""."^""; $adminSid = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-544'; $adminAccount = $adminSid.Translate([System.Security.Principal.NTAccount]); $taskFilePath="^""$($env:WINDIR)\System32\Tasks$($task.TaskPath)$($task.TaskName)"^""; $originalAcl= Get-Acl -Path $taskFilePath -ErrorAction Stop; $modifiedAcl= Get-Acl -Path $taskFilePath -ErrorAction Stop; $modifiedAcl.SetOwner($adminAccount); $taskFileAccessRule = New-Object System.Security.AccessControl.FileSystemAccessRule( $adminAccount, [System.Security.AccessControl.FileSystemRights]::FullControl, [System.Security.AccessControl.AccessControlType]::Allow ); $modifiedAcl.SetAccessRule($taskFileAccessRule); Set-Acl -Path $taskFilePath -AclObject $modifiedAcl -ErrorAction Stop; Write-Output "^""Successfully 
granted access to task `"^""$taskName`"^""."^""; } catch {; Write-Error "^""Failed to grant access to task `"^""$taskName`"^"": $($_.Exception.Message)"^""; continue; }; }; try {; if ($disableOnRevert) {; $task | Disable-ScheduledTask -ErrorAction Stop | Out-Null; Write-Output "^""Successfully disabled task `"^""$taskName`"^""."^""; } else {; $task | Enable-ScheduledTask -ErrorAction Stop | Out-Null; Write-Output "^""Successfully enabled task `"^""$taskName`"^""."^""; }; } catch {; Write-Error "^""Failed to revert task `"^""$taskName`"^"": $($_.Exception.Message)"^""; $isOperationFailed = $true; }; if ($grantAccess) {; try {; Set-Acl -Path $taskFilePath -AclObject $originalAcl -ErrorAction Stop; } catch {; Write-Warning "^""Failed to restore original permissions to task `"^""$taskName`"^"": $($_.Exception.Message)"^""; }; }; }; if ($isOperationFailed) {; exit 1; }" :: ---------------------------------------------------------- :: ---------------------------------------------------------- :: -----Disable "WakeUpAndScanForUpdates" task (revert)------ :: ---------------------------------------------------------- echo --- Disable "WakeUpAndScanForUpdates" task (revert) PowerShell -ExecutionPolicy Unrestricted -Command "$taskPath='\Microsoft\Windows\InstallService\'; $taskNamePattern='WakeUpAndScanForUpdates'; $disableOnRevert=$true <# $false #>; $grantAccess= $false; Write-Output "^""Reverting tasks matching pattern `"^""$taskNamePattern`"^""."^""; $tasks = Get-ScheduledTask -TaskPath $taskPath -TaskName $taskNamePattern -ErrorAction Ignore; if (-Not $tasks) {; Write-Warning "^""Cannot revert, no tasks matching pattern `"^""$taskNamePattern`"^"" found."^""; exit 0; }; $isOperationFailed = $false; foreach ($task in $tasks) {; $taskName = $task.TaskName; if ($grantAccess) {; try {; Write-Output "^""Attempting to grant access to task `"^""$taskName`"^""."^""; $adminSid = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-544'; $adminAccount = 
$adminSid.Translate([System.Security.Principal.NTAccount]); $taskFilePath="^""$($env:WINDIR)\System32\Tasks$($task.TaskPath)$($task.TaskName)"^""; $originalAcl= Get-Acl -Path $taskFilePath -ErrorAction Stop; $modifiedAcl= Get-Acl -Path $taskFilePath -ErrorAction Stop; $modifiedAcl.SetOwner($adminAccount); $taskFileAccessRule = New-Object System.Security.AccessControl.FileSystemAccessRule( $adminAccount, [System.Security.AccessControl.FileSystemRights]::FullControl, [System.Security.AccessControl.AccessControlType]::Allow ); $modifiedAcl.SetAccessRule($taskFileAccessRule); Set-Acl -Path $taskFilePath -AclObject $modifiedAcl -ErrorAction Stop; Write-Output "^""Successfully granted access to task `"^""$taskName`"^""."^""; } catch {; Write-Error "^""Failed to grant access to task `"^""$taskName`"^"": $($_.Exception.Message)"^""; continue; }; }; try {; if ($disableOnRevert) {; $task | Disable-ScheduledTask -ErrorAction Stop | Out-Null; Write-Output "^""Successfully disabled task `"^""$taskName`"^""."^""; } else {; $task | Enable-ScheduledTask -ErrorAction Stop | Out-Null; Write-Output "^""Successfully enabled task `"^""$taskName`"^""."^""; }; } catch {; Write-Error "^""Failed to revert task `"^""$taskName`"^"": $($_.Exception.Message)"^""; $isOperationFailed = $true; }; if ($grantAccess) {; try {; Set-Acl -Path $taskFilePath -AclObject $originalAcl -ErrorAction Stop; } catch {; Write-Warning "^""Failed to restore original permissions to task `"^""$taskName`"^"": $($_.Exception.Message)"^""; }; }; }; if ($isOperationFailed) {; exit 1; }" :: ---------------------------------------------------------- :: ---------------------------------------------------------- :: ---------Disable "Scheduled Start" task (revert)---------- :: ---------------------------------------------------------- echo --- Disable "Scheduled Start" task (revert) PowerShell -ExecutionPolicy Unrestricted -Command "$taskPath='\Microsoft\Windows\WindowsUpdate\'; $taskNamePattern='Scheduled Start'; 
$disableOnRevert= $false; $grantAccess= $false; Write-Output "^""Reverting tasks matching pattern `"^""$taskNamePattern`"^""."^""; $tasks = Get-ScheduledTask -TaskPath $taskPath -TaskName $taskNamePattern -ErrorAction Ignore; if (-Not $tasks) {; Write-Warning "^""Cannot revert, no tasks matching pattern `"^""$taskNamePattern`"^"" found."^""; exit 0; }; $isOperationFailed = $false; foreach ($task in $tasks) {; $taskName = $task.TaskName; if ($grantAccess) {; try {; Write-Output "^""Attempting to grant access to task `"^""$taskName`"^""."^""; $adminSid = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-544'; $adminAccount = $adminSid.Translate([System.Security.Principal.NTAccount]); $taskFilePath="^""$($env:WINDIR)\System32\Tasks$($task.TaskPath)$($task.TaskName)"^""; $originalAcl= Get-Acl -Path $taskFilePath -ErrorAction Stop; $modifiedAcl= Get-Acl -Path $taskFilePath -ErrorAction Stop; $modifiedAcl.SetOwner($adminAccount); $taskFileAccessRule = New-Object System.Security.AccessControl.FileSystemAccessRule( $adminAccount, [System.Security.AccessControl.FileSystemRights]::FullControl, [System.Security.AccessControl.AccessControlType]::Allow ); $modifiedAcl.SetAccessRule($taskFileAccessRule); Set-Acl -Path $taskFilePath -AclObject $modifiedAcl -ErrorAction Stop; Write-Output "^""Successfully granted access to task `"^""$taskName`"^""."^""; } catch {; Write-Error "^""Failed to grant access to task `"^""$taskName`"^"": $($_.Exception.Message)"^""; continue; }; }; try {; if ($disableOnRevert) {; $task | Disable-ScheduledTask -ErrorAction Stop | Out-Null; Write-Output "^""Successfully disabled task `"^""$taskName`"^""."^""; } else {; $task | Enable-ScheduledTask -ErrorAction Stop | Out-Null; Write-Output "^""Successfully enabled task `"^""$taskName`"^""."^""; }; } catch {; Write-Error "^""Failed to revert task `"^""$taskName`"^"": $($_.Exception.Message)"^""; $isOperationFailed = $true; }; if ($grantAccess) {; try {; Set-Acl -Path $taskFilePath -AclObject 
$originalAcl -ErrorAction Stop; } catch {; Write-Warning "^""Failed to restore original permissions to task `"^""$taskName`"^"": $($_.Exception.Message)"^""; }; }; }; if ($isOperationFailed) {; exit 1; }" :: ---------------------------------------------------------- :: ---------------------------------------------------------- :: ---------Disable "Report policies" task (revert)---------- :: ---------------------------------------------------------- echo --- Disable "Report policies" task (revert) PowerShell -ExecutionPolicy Unrestricted -Command "$taskPath='\Microsoft\Windows\UpdateOrchestrator\'; $taskNamePattern='Report policies'; $disableOnRevert= $false; $grantAccess=$true <# $false #>; Write-Output "^""Reverting tasks matching pattern `"^""$taskNamePattern`"^""."^""; $tasks = Get-ScheduledTask -TaskPath $taskPath -TaskName $taskNamePattern -ErrorAction Ignore; if (-Not $tasks) {; Write-Warning "^""Cannot revert, no tasks matching pattern `"^""$taskNamePattern`"^"" found."^""; exit 0; }; $isOperationFailed = $false; foreach ($task in $tasks) {; $taskName = $task.TaskName; if ($grantAccess) {; try {; Write-Output "^""Attempting to grant access to task `"^""$taskName`"^""."^""; $adminSid = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-544'; $adminAccount = $adminSid.Translate([System.Security.Principal.NTAccount]); $taskFilePath="^""$($env:WINDIR)\System32\Tasks$($task.TaskPath)$($task.TaskName)"^""; $originalAcl= Get-Acl -Path $taskFilePath -ErrorAction Stop; $modifiedAcl= Get-Acl -Path $taskFilePath -ErrorAction Stop; $modifiedAcl.SetOwner($adminAccount); $taskFileAccessRule = New-Object System.Security.AccessControl.FileSystemAccessRule( $adminAccount, [System.Security.AccessControl.FileSystemRights]::FullControl, [System.Security.AccessControl.AccessControlType]::Allow ); $modifiedAcl.SetAccessRule($taskFileAccessRule); Set-Acl -Path $taskFilePath -AclObject $modifiedAcl -ErrorAction Stop; Write-Output "^""Successfully granted access to 
task `"^""$taskName`"^""."^""; } catch {; Write-Error "^""Failed to grant access to task `"^""$taskName`"^"": $($_.Exception.Message)"^""; continue; }; }; try {; if ($disableOnRevert) {; $task | Disable-ScheduledTask -ErrorAction Stop | Out-Null; Write-Output "^""Successfully disabled task `"^""$taskName`"^""."^""; } else {; $task | Enable-ScheduledTask -ErrorAction Stop | Out-Null; Write-Output "^""Successfully enabled task `"^""$taskName`"^""."^""; }; } catch {; Write-Error "^""Failed to revert task `"^""$taskName`"^"": $($_.Exception.Message)"^""; $isOperationFailed = $true; }; if ($grantAccess) {; try {; Set-Acl -Path $taskFilePath -AclObject $originalAcl -ErrorAction Stop; } catch {; Write-Warning "^""Failed to restore original permissions to task `"^""$taskName`"^"": $($_.Exception.Message)"^""; }; }; }; if ($isOperationFailed) {; exit 1; }" :: ---------------------------------------------------------- :: ---------------------------------------------------------- :: ----Disable "Schedule Maintenance Work" task (revert)----- :: ---------------------------------------------------------- echo --- Disable "Schedule Maintenance Work" task (revert) PowerShell -ExecutionPolicy Unrestricted -Command "$taskPath='\Microsoft\Windows\UpdateOrchestrator\'; $taskNamePattern='Schedule Maintenance Work'; $disableOnRevert=$true <# $false #>; $grantAccess= $false; Write-Output "^""Reverting tasks matching pattern `"^""$taskNamePattern`"^""."^""; $tasks = Get-ScheduledTask -TaskPath $taskPath -TaskName $taskNamePattern -ErrorAction Ignore; if (-Not $tasks) {; Write-Warning "^""Cannot revert, no tasks matching pattern `"^""$taskNamePattern`"^"" found."^""; exit 0; }; $isOperationFailed = $false; foreach ($task in $tasks) {; $taskName = $task.TaskName; if ($grantAccess) {; try {; Write-Output "^""Attempting to grant access to task `"^""$taskName`"^""."^""; $adminSid = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-544'; $adminAccount = 
$adminSid.Translate([System.Security.Principal.NTAccount]); $taskFilePath="^""$($env:WINDIR)\System32\Tasks$($task.TaskPath)$($task.TaskName)"^""; $originalAcl= Get-Acl -Path $taskFilePath -ErrorAction Stop; $modifiedAcl= Get-Acl -Path $taskFilePath -ErrorAction Stop; $modifiedAcl.SetOwner($adminAccount); $taskFileAccessRule = New-Object System.Security.AccessControl.FileSystemAccessRule( $adminAccount, [System.Security.AccessControl.FileSystemRights]::FullControl, [System.Security.AccessControl.AccessControlType]::Allow ); $modifiedAcl.SetAccessRule($taskFileAccessRule); Set-Acl -Path $taskFilePath -AclObject $modifiedAcl -ErrorAction Stop; Write-Output "^""Successfully granted access to task `"^""$taskName`"^""."^""; } catch {; Write-Error "^""Failed to grant access to task `"^""$taskName`"^"": $($_.Exception.Message)"^""; continue; }; }; try {; if ($disableOnRevert) {; $task | Disable-ScheduledTask -ErrorAction Stop | Out-Null; Write-Output "^""Successfully disabled task `"^""$taskName`"^""."^""; } else {; $task | Enable-ScheduledTask -ErrorAction Stop | Out-Null; Write-Output "^""Successfully enabled task `"^""$taskName`"^""."^""; }; } catch {; Write-Error "^""Failed to revert task `"^""$taskName`"^"": $($_.Exception.Message)"^""; $isOperationFailed = $true; }; if ($grantAccess) {; try {; Set-Acl -Path $taskFilePath -AclObject $originalAcl -ErrorAction Stop; } catch {; Write-Warning "^""Failed to restore original permissions to task `"^""$taskName`"^"": $($_.Exception.Message)"^""; }; }; }; if ($isOperationFailed) {; exit 1; }" :: ---------------------------------------------------------- :: ---------------------------------------------------------- :: ----------Disable "Schedule Scan" task (revert)----------- :: ---------------------------------------------------------- echo --- Disable "Schedule Scan" task (revert) PowerShell -ExecutionPolicy Unrestricted -Command "$taskPath='\Microsoft\Windows\UpdateOrchestrator\'; $taskNamePattern='Schedule Scan'; 
$disableOnRevert= $false; $grantAccess=$true <# $false #>; Write-Output "^""Reverting tasks matching pattern `"^""$taskNamePattern`"^""."^""; $tasks = Get-ScheduledTask -TaskPath $taskPath -TaskName $taskNamePattern -ErrorAction Ignore; if (-Not $tasks) {; Write-Warning "^""Cannot revert, no tasks matching pattern `"^""$taskNamePattern`"^"" found."^""; exit 0; }; $isOperationFailed = $false; foreach ($task in $tasks) {; $taskName = $task.TaskName; if ($grantAccess) {; try {; Write-Output "^""Attempting to grant access to task `"^""$taskName`"^""."^""; $adminSid = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-544'; $adminAccount = $adminSid.Translate([System.Security.Principal.NTAccount]); $taskFilePath="^""$($env:WINDIR)\System32\Tasks$($task.TaskPath)$($task.TaskName)"^""; $originalAcl= Get-Acl -Path $taskFilePath -ErrorAction Stop; $modifiedAcl= Get-Acl -Path $taskFilePath -ErrorAction Stop; $modifiedAcl.SetOwner($adminAccount); $taskFileAccessRule = New-Object System.Security.AccessControl.FileSystemAccessRule( $adminAccount, [System.Security.AccessControl.FileSystemRights]::FullControl, [System.Security.AccessControl.AccessControlType]::Allow ); $modifiedAcl.SetAccessRule($taskFileAccessRule); Set-Acl -Path $taskFilePath -AclObject $modifiedAcl -ErrorAction Stop; Write-Output "^""Successfully granted access to task `"^""$taskName`"^""."^""; } catch {; Write-Error "^""Failed to grant access to task `"^""$taskName`"^"": $($_.Exception.Message)"^""; continue; }; }; try {; if ($disableOnRevert) {; $task | Disable-ScheduledTask -ErrorAction Stop | Out-Null; Write-Output "^""Successfully disabled task `"^""$taskName`"^""."^""; } else {; $task | Enable-ScheduledTask -ErrorAction Stop | Out-Null; Write-Output "^""Successfully enabled task `"^""$taskName`"^""."^""; }; } catch {; Write-Error "^""Failed to revert task `"^""$taskName`"^"": $($_.Exception.Message)"^""; $isOperationFailed = $true; }; if ($grantAccess) {; try {; Set-Acl -Path $taskFilePath 
-AclObject $originalAcl -ErrorAction Stop; } catch {; Write-Warning "^""Failed to restore original permissions to task `"^""$taskName`"^"": $($_.Exception.Message)"^""; }; }; }; if ($isOperationFailed) {; exit 1; }" :: ---------------------------------------------------------- :: ---------------------------------------------------------- :: ----Disable "Schedule Scan Static Task" task (revert)----- :: ---------------------------------------------------------- echo --- Disable "Schedule Scan Static Task" task (revert) PowerShell -ExecutionPolicy Unrestricted -Command "$taskPath='\Microsoft\Windows\UpdateOrchestrator\'; $taskNamePattern='Schedule Scan Static Task'; $disableOnRevert= $false; $grantAccess=$true <# $false #>; Write-Output "^""Reverting tasks matching pattern `"^""$taskNamePattern`"^""."^""; $tasks = Get-ScheduledTask -TaskPath $taskPath -TaskName $taskNamePattern -ErrorAction Ignore; if (-Not $tasks) {; Write-Warning "^""Cannot revert, no tasks matching pattern `"^""$taskNamePattern`"^"" found."^""; exit 0; }; $isOperationFailed = $false; foreach ($task in $tasks) {; $taskName = $task.TaskName; if ($grantAccess) {; try {; Write-Output "^""Attempting to grant access to task `"^""$taskName`"^""."^""; $adminSid = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-544'; $adminAccount = $adminSid.Translate([System.Security.Principal.NTAccount]); $taskFilePath="^""$($env:WINDIR)\System32\Tasks$($task.TaskPath)$($task.TaskName)"^""; $originalAcl= Get-Acl -Path $taskFilePath -ErrorAction Stop; $modifiedAcl= Get-Acl -Path $taskFilePath -ErrorAction Stop; $modifiedAcl.SetOwner($adminAccount); $taskFileAccessRule = New-Object System.Security.AccessControl.FileSystemAccessRule( $adminAccount, [System.Security.AccessControl.FileSystemRights]::FullControl, [System.Security.AccessControl.AccessControlType]::Allow ); $modifiedAcl.SetAccessRule($taskFileAccessRule); Set-Acl -Path $taskFilePath -AclObject $modifiedAcl -ErrorAction Stop; Write-Output 
"^""Successfully granted access to task `"^""$taskName`"^""."^""; } catch {; Write-Error "^""Failed to grant access to task `"^""$taskName`"^"": $($_.Exception.Message)"^""; continue; }; }; try {; if ($disableOnRevert) {; $task | Disable-ScheduledTask -ErrorAction Stop | Out-Null; Write-Output "^""Successfully disabled task `"^""$taskName`"^""."^""; } else {; $task | Enable-ScheduledTask -ErrorAction Stop | Out-Null; Write-Output "^""Successfully enabled task `"^""$taskName`"^""."^""; }; } catch {; Write-Error "^""Failed to revert task `"^""$taskName`"^"": $($_.Exception.Message)"^""; $isOperationFailed = $true; }; if ($grantAccess) {; try {; Set-Acl -Path $taskFilePath -AclObject $originalAcl -ErrorAction Stop; } catch {; Write-Warning "^""Failed to restore original permissions to task `"^""$taskName`"^"": $($_.Exception.Message)"^""; }; }; }; if ($isOperationFailed) {; exit 1; }" :: ---------------------------------------------------------- :: ---------------------------------------------------------- :: ------Disable "Schedule Wake To Work" task (revert)------- :: ---------------------------------------------------------- echo --- Disable "Schedule Wake To Work" task (revert) PowerShell -ExecutionPolicy Unrestricted -Command "$taskPath='\Microsoft\Windows\UpdateOrchestrator\'; $taskNamePattern='Schedule Wake To Work'; $disableOnRevert=$true <# $false #>; $grantAccess=$true <# $false #>; Write-Output "^""Reverting tasks matching pattern `"^""$taskNamePattern`"^""."^""; $tasks = Get-ScheduledTask -TaskPath $taskPath -TaskName $taskNamePattern -ErrorAction Ignore; if (-Not $tasks) {; Write-Warning "^""Cannot revert, no tasks matching pattern `"^""$taskNamePattern`"^"" found."^""; exit 0; }; $isOperationFailed = $false; foreach ($task in $tasks) {; $taskName = $task.TaskName; if ($grantAccess) {; try {; Write-Output "^""Attempting to grant access to task `"^""$taskName`"^""."^""; $adminSid = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-544'; 
$adminAccount = $adminSid.Translate([System.Security.Principal.NTAccount]); $taskFilePath="^""$($env:WINDIR)\System32\Tasks$($task.TaskPath)$($task.TaskName)"^""; $originalAcl= Get-Acl -Path $taskFilePath -ErrorAction Stop; $modifiedAcl= Get-Acl -Path $taskFilePath -ErrorAction Stop; $modifiedAcl.SetOwner($adminAccount); $taskFileAccessRule = New-Object System.Security.AccessControl.FileSystemAccessRule( $adminAccount, [System.Security.AccessControl.FileSystemRights]::FullControl, [System.Security.AccessControl.AccessControlType]::Allow ); $modifiedAcl.SetAccessRule($taskFileAccessRule); Set-Acl -Path $taskFilePath -AclObject $modifiedAcl -ErrorAction Stop; Write-Output "^""Successfully granted access to task `"^""$taskName`"^""."^""; } catch {; Write-Error "^""Failed to grant access to task `"^""$taskName`"^"": $($_.Exception.Message)"^""; continue; }; }; try {; if ($disableOnRevert) {; $task | Disable-ScheduledTask -ErrorAction Stop | Out-Null; Write-Output "^""Successfully disabled task `"^""$taskName`"^""."^""; } else {; $task | Enable-ScheduledTask -ErrorAction Stop | Out-Null; Write-Output "^""Successfully enabled task `"^""$taskName`"^""."^""; }; } catch {; Write-Error "^""Failed to revert task `"^""$taskName`"^"": $($_.Exception.Message)"^""; $isOperationFailed = $true; }; if ($grantAccess) {; try {; Set-Acl -Path $taskFilePath -AclObject $originalAcl -ErrorAction Stop; } catch {; Write-Warning "^""Failed to restore original permissions to task `"^""$taskName`"^"": $($_.Exception.Message)"^""; }; }; }; if ($isOperationFailed) {; exit 1; }" :: ---------------------------------------------------------- :: ---------------------------------------------------------- :: ----------Disable "Schedule Work" task (revert)----------- :: ---------------------------------------------------------- echo --- Disable "Schedule Work" task (revert) PowerShell -ExecutionPolicy Unrestricted -Command "$taskPath='\Microsoft\Windows\UpdateOrchestrator\'; $taskNamePattern='Schedule 
Work'; $disableOnRevert=$true <# $false #>; $grantAccess= $false; Write-Output "^""Reverting tasks matching pattern `"^""$taskNamePattern`"^""."^""; $tasks = Get-ScheduledTask -TaskPath $taskPath -TaskName $taskNamePattern -ErrorAction Ignore; if (-Not $tasks) {; Write-Warning "^""Cannot revert, no tasks matching pattern `"^""$taskNamePattern`"^"" found."^""; exit 0; }; $isOperationFailed = $false; foreach ($task in $tasks) {; $taskName = $task.TaskName; if ($grantAccess) {; try {; Write-Output "^""Attempting to grant access to task `"^""$taskName`"^""."^""; $adminSid = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-544'; $adminAccount = $adminSid.Translate([System.Security.Principal.NTAccount]); $taskFilePath="^""$($env:WINDIR)\System32\Tasks$($task.TaskPath)$($task.TaskName)"^""; $originalAcl= Get-Acl -Path $taskFilePath -ErrorAction Stop; $modifiedAcl= Get-Acl -Path $taskFilePath -ErrorAction Stop; $modifiedAcl.SetOwner($adminAccount); $taskFileAccessRule = New-Object System.Security.AccessControl.FileSystemAccessRule( $adminAccount, [System.Security.AccessControl.FileSystemRights]::FullControl, [System.Security.AccessControl.AccessControlType]::Allow ); $modifiedAcl.SetAccessRule($taskFileAccessRule); Set-Acl -Path $taskFilePath -AclObject $modifiedAcl -ErrorAction Stop; Write-Output "^""Successfully granted access to task `"^""$taskName`"^""."^""; } catch {; Write-Error "^""Failed to grant access to task `"^""$taskName`"^"": $($_.Exception.Message)"^""; continue; }; }; try {; if ($disableOnRevert) {; $task | Disable-ScheduledTask -ErrorAction Stop | Out-Null; Write-Output "^""Successfully disabled task `"^""$taskName`"^""."^""; } else {; $task | Enable-ScheduledTask -ErrorAction Stop | Out-Null; Write-Output "^""Successfully enabled task `"^""$taskName`"^""."^""; }; } catch {; Write-Error "^""Failed to revert task `"^""$taskName`"^"": $($_.Exception.Message)"^""; $isOperationFailed = $true; }; if ($grantAccess) {; try {; Set-Acl -Path 
$taskFilePath -AclObject $originalAcl -ErrorAction Stop; } catch {; Write-Warning "^""Failed to restore original permissions to task `"^""$taskName`"^"": $($_.Exception.Message)"^""; }; }; }; if ($isOperationFailed) {; exit 1; }" :: ---------------------------------------------------------- :: ---------------------------------------------------------- :: ---------Disable "UpdateModelTask" task (revert)---------- :: ---------------------------------------------------------- echo --- Disable "UpdateModelTask" task (revert) PowerShell -ExecutionPolicy Unrestricted -Command "$taskPath='\Microsoft\Windows\UpdateOrchestrator\'; $taskNamePattern='UpdateModelTask'; $disableOnRevert=$true <# $false #>; $grantAccess=$true <# $false #>; Write-Output "^""Reverting tasks matching pattern `"^""$taskNamePattern`"^""."^""; $tasks = Get-ScheduledTask -TaskPath $taskPath -TaskName $taskNamePattern -ErrorAction Ignore; if (-Not $tasks) {; Write-Warning "^""Cannot revert, no tasks matching pattern `"^""$taskNamePattern`"^"" found."^""; exit 0; }; $isOperationFailed = $false; foreach ($task in $tasks) {; $taskName = $task.TaskName; if ($grantAccess) {; try {; Write-Output "^""Attempting to grant access to task `"^""$taskName`"^""."^""; $adminSid = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-544'; $adminAccount = $adminSid.Translate([System.Security.Principal.NTAccount]); $taskFilePath="^""$($env:WINDIR)\System32\Tasks$($task.TaskPath)$($task.TaskName)"^""; $originalAcl= Get-Acl -Path $taskFilePath -ErrorAction Stop; $modifiedAcl= Get-Acl -Path $taskFilePath -ErrorAction Stop; $modifiedAcl.SetOwner($adminAccount); $taskFileAccessRule = New-Object System.Security.AccessControl.FileSystemAccessRule( $adminAccount, [System.Security.AccessControl.FileSystemRights]::FullControl, [System.Security.AccessControl.AccessControlType]::Allow ); $modifiedAcl.SetAccessRule($taskFileAccessRule); Set-Acl -Path $taskFilePath -AclObject $modifiedAcl -ErrorAction Stop; Write-Output 
"^""Successfully granted access to task `"^""$taskName`"^""."^""; } catch {; Write-Error "^""Failed to grant access to task `"^""$taskName`"^"": $($_.Exception.Message)"^""; continue; }; }; try {; if ($disableOnRevert) {; $task | Disable-ScheduledTask -ErrorAction Stop | Out-Null; Write-Output "^""Successfully disabled task `"^""$taskName`"^""."^""; } else {; $task | Enable-ScheduledTask -ErrorAction Stop | Out-Null; Write-Output "^""Successfully enabled task `"^""$taskName`"^""."^""; }; } catch {; Write-Error "^""Failed to revert task `"^""$taskName`"^"": $($_.Exception.Message)"^""; $isOperationFailed = $true; }; if ($grantAccess) {; try {; Set-Acl -Path $taskFilePath -AclObject $originalAcl -ErrorAction Stop; } catch {; Write-Warning "^""Failed to restore original permissions to task `"^""$taskName`"^"": $($_.Exception.Message)"^""; }; }; }; if ($isOperationFailed) {; exit 1; }" :: ---------------------------------------------------------- :: ---------------------------------------------------------- :: -----Disable "Start Oobe Expedite Work" task (revert)----- :: ---------------------------------------------------------- echo --- Disable "Start Oobe Expedite Work" task (revert) PowerShell -ExecutionPolicy Unrestricted -Command "$taskPath='\Microsoft\Windows\UpdateOrchestrator\'; $taskNamePattern='Start Oobe Expedite Work'; $disableOnRevert= $false; $grantAccess=$true <# $false #>; Write-Output "^""Reverting tasks matching pattern `"^""$taskNamePattern`"^""."^""; $tasks = Get-ScheduledTask -TaskPath $taskPath -TaskName $taskNamePattern -ErrorAction Ignore; if (-Not $tasks) {; Write-Warning "^""Cannot revert, no tasks matching pattern `"^""$taskNamePattern`"^"" found."^""; exit 0; }; $isOperationFailed = $false; foreach ($task in $tasks) {; $taskName = $task.TaskName; if ($grantAccess) {; try {; Write-Output "^""Attempting to grant access to task `"^""$taskName`"^""."^""; $adminSid = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-544'; 
$adminAccount = $adminSid.Translate([System.Security.Principal.NTAccount]); $taskFilePath="^""$($env:WINDIR)\System32\Tasks$($task.TaskPath)$($task.TaskName)"^""; $originalAcl= Get-Acl -Path $taskFilePath -ErrorAction Stop; $modifiedAcl= Get-Acl -Path $taskFilePath -ErrorAction Stop; $modifiedAcl.SetOwner($adminAccount); $taskFileAccessRule = New-Object System.Security.AccessControl.FileSystemAccessRule( $adminAccount, [System.Security.AccessControl.FileSystemRights]::FullControl, [System.Security.AccessControl.AccessControlType]::Allow ); $modifiedAcl.SetAccessRule($taskFileAccessRule); Set-Acl -Path $taskFilePath -AclObject $modifiedAcl -ErrorAction Stop; Write-Output "^""Successfully granted access to task `"^""$taskName`"^""."^""; } catch {; Write-Error "^""Failed to grant access to task `"^""$taskName`"^"": $($_.Exception.Message)"^""; continue; }; }; try {; if ($disableOnRevert) {; $task | Disable-ScheduledTask -ErrorAction Stop | Out-Null; Write-Output "^""Successfully disabled task `"^""$taskName`"^""."^""; } else {; $task | Enable-ScheduledTask -ErrorAction Stop | Out-Null; Write-Output "^""Successfully enabled task `"^""$taskName`"^""."^""; }; } catch {; Write-Error "^""Failed to revert task `"^""$taskName`"^"": $($_.Exception.Message)"^""; $isOperationFailed = $true; }; if ($grantAccess) {; try {; Set-Acl -Path $taskFilePath -AclObject $originalAcl -ErrorAction Stop; } catch {; Write-Warning "^""Failed to restore original permissions to task `"^""$taskName`"^"": $($_.Exception.Message)"^""; }; }; }; if ($isOperationFailed) {; exit 1; }"
:: ----------------------------------------------------------

:: ----------------------------------------------------------
:: Disable "StartOobeAppsScan_LicenseAccepted" task (revert)-
:: ----------------------------------------------------------
echo --- Disable "StartOobeAppsScan_LicenseAccepted" task (revert)
PowerShell -ExecutionPolicy Unrestricted -Command "$taskPath='\Microsoft\Windows\UpdateOrchestrator\'; $taskNamePattern='StartOobeAppsScan_LicenseAccepted'; $disableOnRevert= $false; $grantAccess=$true <# $false #>; Write-Output "^""Reverting tasks matching pattern `"^""$taskNamePattern`"^""."^""; $tasks = Get-ScheduledTask -TaskPath $taskPath -TaskName $taskNamePattern -ErrorAction Ignore; if (-Not $tasks) {; Write-Warning "^""Cannot revert, no tasks matching pattern `"^""$taskNamePattern`"^"" found."^""; exit 0; }; $isOperationFailed = $false; foreach ($task in $tasks) {; $taskName = $task.TaskName; if ($grantAccess) {; try {; Write-Output "^""Attempting to grant access to task `"^""$taskName`"^""."^""; $adminSid = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-544'; $adminAccount = $adminSid.Translate([System.Security.Principal.NTAccount]); $taskFilePath="^""$($env:WINDIR)\System32\Tasks$($task.TaskPath)$($task.TaskName)"^""; $originalAcl= Get-Acl -Path $taskFilePath -ErrorAction Stop; $modifiedAcl= Get-Acl -Path $taskFilePath -ErrorAction Stop; $modifiedAcl.SetOwner($adminAccount); $taskFileAccessRule = New-Object System.Security.AccessControl.FileSystemAccessRule( $adminAccount, [System.Security.AccessControl.FileSystemRights]::FullControl, [System.Security.AccessControl.AccessControlType]::Allow ); $modifiedAcl.SetAccessRule($taskFileAccessRule); Set-Acl -Path $taskFilePath -AclObject $modifiedAcl -ErrorAction Stop; Write-Output "^""Successfully granted access to task `"^""$taskName`"^""."^""; } catch {; Write-Error "^""Failed to grant access to task `"^""$taskName`"^"": $($_.Exception.Message)"^""; continue; }; }; try {; if ($disableOnRevert) {; $task | Disable-ScheduledTask -ErrorAction Stop | Out-Null; Write-Output "^""Successfully disabled task `"^""$taskName`"^""."^""; } else {; $task | Enable-ScheduledTask -ErrorAction Stop | Out-Null; Write-Output "^""Successfully enabled task `"^""$taskName`"^""."^""; }; } catch {; Write-Error "^""Failed to revert task `"^""$taskName`"^"": $($_.Exception.Message)"^""; $isOperationFailed = $true; }; if ($grantAccess) {; try {; Set-Acl -Path $taskFilePath -AclObject $originalAcl -ErrorAction Stop; } catch {; Write-Warning "^""Failed to restore original permissions to task `"^""$taskName`"^"": $($_.Exception.Message)"^""; }; }; }; if ($isOperationFailed) {; exit 1; }"
:: ----------------------------------------------------------

:: ----------------------------------------------------------
:: --Disable "StartOobeAppsScan_OobeAppReady" task (revert)--
:: ----------------------------------------------------------
echo --- Disable "StartOobeAppsScan_OobeAppReady" task (revert)
PowerShell -ExecutionPolicy Unrestricted -Command "$taskPath='\Microsoft\Windows\UpdateOrchestrator\'; $taskNamePattern='StartOobeAppsScan_OobeAppReady'; $disableOnRevert= $false; $grantAccess=$true <# $false #>; Write-Output "^""Reverting tasks matching pattern `"^""$taskNamePattern`"^""."^""; $tasks = Get-ScheduledTask -TaskPath $taskPath -TaskName $taskNamePattern -ErrorAction Ignore; if (-Not $tasks) {; Write-Warning "^""Cannot revert, no tasks matching pattern `"^""$taskNamePattern`"^"" found."^""; exit 0; }; $isOperationFailed = $false; foreach ($task in $tasks) {; $taskName = $task.TaskName; if ($grantAccess) {; try {; Write-Output "^""Attempting to grant access to task `"^""$taskName`"^""."^""; $adminSid = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-544'; $adminAccount = $adminSid.Translate([System.Security.Principal.NTAccount]); $taskFilePath="^""$($env:WINDIR)\System32\Tasks$($task.TaskPath)$($task.TaskName)"^""; $originalAcl= Get-Acl -Path $taskFilePath -ErrorAction Stop; $modifiedAcl= Get-Acl -Path $taskFilePath -ErrorAction Stop; $modifiedAcl.SetOwner($adminAccount); $taskFileAccessRule = New-Object System.Security.AccessControl.FileSystemAccessRule( $adminAccount, [System.Security.AccessControl.FileSystemRights]::FullControl, [System.Security.AccessControl.AccessControlType]::Allow ); $modifiedAcl.SetAccessRule($taskFileAccessRule); Set-Acl -Path $taskFilePath -AclObject $modifiedAcl -ErrorAction Stop; Write-Output "^""Successfully granted access to task `"^""$taskName`"^""."^""; } catch {; Write-Error "^""Failed to grant access to task `"^""$taskName`"^"": $($_.Exception.Message)"^""; continue; }; }; try {; if ($disableOnRevert) {; $task | Disable-ScheduledTask -ErrorAction Stop | Out-Null; Write-Output "^""Successfully disabled task `"^""$taskName`"^""."^""; } else {; $task | Enable-ScheduledTask -ErrorAction Stop | Out-Null; Write-Output "^""Successfully enabled task `"^""$taskName`"^""."^""; }; } catch {; Write-Error "^""Failed to revert task `"^""$taskName`"^"": $($_.Exception.Message)"^""; $isOperationFailed = $true; }; if ($grantAccess) {; try {; Set-Acl -Path $taskFilePath -AclObject $originalAcl -ErrorAction Stop; } catch {; Write-Warning "^""Failed to restore original permissions to task `"^""$taskName`"^"": $($_.Exception.Message)"^""; }; }; }; if ($isOperationFailed) {; exit 1; }"
:: ----------------------------------------------------------

:: ----------------------------------------------------------
:: ---Disable "StartOobeAppsScanAfterUpdate" task (revert)---
:: ----------------------------------------------------------
echo --- Disable "StartOobeAppsScanAfterUpdate" task (revert)
PowerShell -ExecutionPolicy Unrestricted -Command "$taskPath='\Microsoft\Windows\UpdateOrchestrator\'; $taskNamePattern='StartOobeAppsScanAfterUpdate'; $disableOnRevert= $false; $grantAccess=$true <# $false #>; Write-Output "^""Reverting tasks matching pattern `"^""$taskNamePattern`"^""."^""; $tasks = Get-ScheduledTask -TaskPath $taskPath -TaskName $taskNamePattern -ErrorAction Ignore; if (-Not $tasks) {; Write-Warning "^""Cannot revert, no tasks matching pattern `"^""$taskNamePattern`"^"" found."^""; exit 0; }; $isOperationFailed = $false; foreach ($task in $tasks) {; $taskName = $task.TaskName; if ($grantAccess) {; try {; Write-Output "^""Attempting to grant access to task `"^""$taskName`"^""."^""; $adminSid = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-544'; $adminAccount = $adminSid.Translate([System.Security.Principal.NTAccount]); $taskFilePath="^""$($env:WINDIR)\System32\Tasks$($task.TaskPath)$($task.TaskName)"^""; $originalAcl= Get-Acl -Path $taskFilePath -ErrorAction Stop; $modifiedAcl= Get-Acl -Path $taskFilePath -ErrorAction Stop; $modifiedAcl.SetOwner($adminAccount); $taskFileAccessRule = New-Object System.Security.AccessControl.FileSystemAccessRule( $adminAccount, [System.Security.AccessControl.FileSystemRights]::FullControl, [System.Security.AccessControl.AccessControlType]::Allow ); $modifiedAcl.SetAccessRule($taskFileAccessRule); Set-Acl -Path $taskFilePath -AclObject $modifiedAcl -ErrorAction Stop; Write-Output "^""Successfully granted access to task `"^""$taskName`"^""."^""; } catch {; Write-Error "^""Failed to grant access to task `"^""$taskName`"^"": $($_.Exception.Message)"^""; continue; }; }; try {; if ($disableOnRevert) {; $task | Disable-ScheduledTask -ErrorAction Stop | Out-Null; Write-Output "^""Successfully disabled task `"^""$taskName`"^""."^""; } else {; $task | Enable-ScheduledTask -ErrorAction Stop | Out-Null; Write-Output "^""Successfully enabled task `"^""$taskName`"^""."^""; }; } catch {; Write-Error "^""Failed to revert task `"^""$taskName`"^"": $($_.Exception.Message)"^""; $isOperationFailed = $true; }; if ($grantAccess) {; try {; Set-Acl -Path $taskFilePath -AclObject $originalAcl -ErrorAction Stop; } catch {; Write-Warning "^""Failed to restore original permissions to task `"^""$taskName`"^"": $($_.Exception.Message)"^""; }; }; }; if ($isOperationFailed) {; exit 1; }"
:: ----------------------------------------------------------

:: ----------------------------------------------------------
:: -----------Disable "USO_UxBroker" task (revert)-----------
:: ----------------------------------------------------------
echo --- Disable "USO_UxBroker" task (revert)
PowerShell -ExecutionPolicy Unrestricted -Command "$taskPath='\Microsoft\Windows\UpdateOrchestrator\'; $taskNamePattern='USO_UxBroker'; $disableOnRevert= $false; $grantAccess=$true <# $false #>; Write-Output "^""Reverting tasks matching pattern `"^""$taskNamePattern`"^""."^""; $tasks = Get-ScheduledTask -TaskPath $taskPath -TaskName $taskNamePattern -ErrorAction Ignore; if (-Not $tasks) {; Write-Warning "^""Cannot revert, no tasks matching pattern `"^""$taskNamePattern`"^"" found."^""; exit 0; }; $isOperationFailed = $false; foreach ($task in $tasks) {; $taskName = $task.TaskName; if ($grantAccess) {; try {; Write-Output "^""Attempting to grant access to task `"^""$taskName`"^""."^""; $adminSid = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-544'; $adminAccount = $adminSid.Translate([System.Security.Principal.NTAccount]); $taskFilePath="^""$($env:WINDIR)\System32\Tasks$($task.TaskPath)$($task.TaskName)"^""; $originalAcl= Get-Acl -Path $taskFilePath -ErrorAction Stop; $modifiedAcl= Get-Acl -Path $taskFilePath -ErrorAction Stop; $modifiedAcl.SetOwner($adminAccount); $taskFileAccessRule = New-Object System.Security.AccessControl.FileSystemAccessRule( $adminAccount, [System.Security.AccessControl.FileSystemRights]::FullControl, [System.Security.AccessControl.AccessControlType]::Allow ); $modifiedAcl.SetAccessRule($taskFileAccessRule); Set-Acl -Path $taskFilePath -AclObject $modifiedAcl -ErrorAction Stop; Write-Output "^""Successfully granted access to task `"^""$taskName`"^""."^""; } catch {; Write-Error "^""Failed to grant access to task `"^""$taskName`"^"": $($_.Exception.Message)"^""; continue; }; }; try {; if ($disableOnRevert) {; $task | Disable-ScheduledTask -ErrorAction Stop | Out-Null; Write-Output "^""Successfully disabled task `"^""$taskName`"^""."^""; } else {; $task | Enable-ScheduledTask -ErrorAction Stop | Out-Null; Write-Output "^""Successfully enabled task `"^""$taskName`"^""."^""; }; } catch {; Write-Error "^""Failed to revert task `"^""$taskName`"^"": $($_.Exception.Message)"^""; $isOperationFailed = $true; }; if ($grantAccess) {; try {; Set-Acl -Path $taskFilePath -AclObject $originalAcl -ErrorAction Stop; } catch {; Write-Warning "^""Failed to restore original permissions to task `"^""$taskName`"^"": $($_.Exception.Message)"^""; }; }; }; if ($isOperationFailed) {; exit 1; }"
:: ----------------------------------------------------------

:: ----------------------------------------------------------
:: --------Disable "UUS Failover Task" task (revert)---------
:: ----------------------------------------------------------
echo --- Disable "UUS Failover Task" task (revert)
PowerShell -ExecutionPolicy Unrestricted -Command "$taskPath='\Microsoft\Windows\UpdateOrchestrator\'; $taskNamePattern='UUS Failover Task'; $disableOnRevert= $false; $grantAccess=$true <# $false #>; Write-Output "^""Reverting tasks matching pattern `"^""$taskNamePattern`"^""."^""; $tasks = Get-ScheduledTask -TaskPath $taskPath -TaskName $taskNamePattern -ErrorAction Ignore; if (-Not $tasks) {; Write-Warning "^""Cannot revert, no tasks matching pattern `"^""$taskNamePattern`"^"" found."^""; exit 0; }; $isOperationFailed = $false; foreach ($task in $tasks) {; $taskName = $task.TaskName; if ($grantAccess) {; try {; Write-Output "^""Attempting to grant access to task `"^""$taskName`"^""."^""; $adminSid = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-544'; $adminAccount = $adminSid.Translate([System.Security.Principal.NTAccount]); $taskFilePath="^""$($env:WINDIR)\System32\Tasks$($task.TaskPath)$($task.TaskName)"^""; $originalAcl= Get-Acl -Path $taskFilePath -ErrorAction Stop; $modifiedAcl= Get-Acl -Path $taskFilePath -ErrorAction Stop; $modifiedAcl.SetOwner($adminAccount); $taskFileAccessRule = New-Object System.Security.AccessControl.FileSystemAccessRule( $adminAccount, [System.Security.AccessControl.FileSystemRights]::FullControl, [System.Security.AccessControl.AccessControlType]::Allow ); $modifiedAcl.SetAccessRule($taskFileAccessRule); Set-Acl -Path $taskFilePath -AclObject $modifiedAcl -ErrorAction Stop; Write-Output "^""Successfully granted access to task `"^""$taskName`"^""."^""; } catch {; Write-Error "^""Failed to grant access to task `"^""$taskName`"^"": $($_.Exception.Message)"^""; continue; }; }; try {; if ($disableOnRevert) {; $task | Disable-ScheduledTask -ErrorAction Stop | Out-Null; Write-Output "^""Successfully disabled task `"^""$taskName`"^""."^""; } else {; $task | Enable-ScheduledTask -ErrorAction Stop | Out-Null; Write-Output "^""Successfully enabled task `"^""$taskName`"^""."^""; }; } catch {; Write-Error "^""Failed to revert task `"^""$taskName`"^"": $($_.Exception.Message)"^""; $isOperationFailed = $true; }; if ($grantAccess) {; try {; Set-Acl -Path $taskFilePath -AclObject $originalAcl -ErrorAction Stop; } catch {; Write-Warning "^""Failed to restore original permissions to task `"^""$taskName`"^"": $($_.Exception.Message)"^""; }; }; }; if ($isOperationFailed) {; exit 1; }"
:: ----------------------------------------------------------

:: ----------------------------------------------------------
:: --------Disable "PerformRemediation" task (revert)--------
:: ----------------------------------------------------------
echo --- Disable "PerformRemediation" task (revert)
PowerShell -ExecutionPolicy Unrestricted -Command "$taskPath='\Microsoft\Windows\WaaSMedic\'; $taskNamePattern='PerformRemediation'; $disableOnRevert= $false; $grantAccess=$true <# $false #>; Write-Output "^""Reverting tasks matching pattern `"^""$taskNamePattern`"^""."^""; $tasks = Get-ScheduledTask -TaskPath $taskPath -TaskName $taskNamePattern -ErrorAction Ignore; if (-Not $tasks) {; Write-Warning "^""Cannot revert, no tasks matching pattern `"^""$taskNamePattern`"^"" found."^""; exit 0; }; $isOperationFailed = $false; foreach ($task in $tasks) {; $taskName = $task.TaskName; if ($grantAccess) {; try {; Write-Output "^""Attempting to grant access to task `"^""$taskName`"^""."^""; $adminSid = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-544'; $adminAccount = $adminSid.Translate([System.Security.Principal.NTAccount]); $taskFilePath="^""$($env:WINDIR)\System32\Tasks$($task.TaskPath)$($task.TaskName)"^""; $originalAcl= Get-Acl -Path $taskFilePath -ErrorAction Stop; $modifiedAcl= Get-Acl -Path $taskFilePath -ErrorAction Stop; $modifiedAcl.SetOwner($adminAccount); $taskFileAccessRule = New-Object System.Security.AccessControl.FileSystemAccessRule( $adminAccount, [System.Security.AccessControl.FileSystemRights]::FullControl, [System.Security.AccessControl.AccessControlType]::Allow ); $modifiedAcl.SetAccessRule($taskFileAccessRule); Set-Acl -Path $taskFilePath -AclObject $modifiedAcl -ErrorAction Stop; Write-Output "^""Successfully granted access to task `"^""$taskName`"^""."^""; } catch {; Write-Error "^""Failed to grant access to task `"^""$taskName`"^"": $($_.Exception.Message)"^""; continue; }; }; try {; if ($disableOnRevert) {; $task | Disable-ScheduledTask -ErrorAction Stop | Out-Null; Write-Output "^""Successfully disabled task `"^""$taskName`"^""."^""; } else {; $task | Enable-ScheduledTask -ErrorAction Stop | Out-Null; Write-Output "^""Successfully enabled task `"^""$taskName`"^""."^""; }; } catch {; Write-Error "^""Failed to revert task `"^""$taskName`"^"": $($_.Exception.Message)"^""; $isOperationFailed = $true; }; if ($grantAccess) {; try {; Set-Acl -Path $taskFilePath -AclObject $originalAcl -ErrorAction Stop; } catch {; Write-Warning "^""Failed to restore original permissions to task `"^""$taskName`"^"": $($_.Exception.Message)"^""; }; }; }; if ($isOperationFailed) {; exit 1; }"
:: ----------------------------------------------------------

pause
exit /b 0
```

P.S.: I also worked on disabling scheduled tasks for all privacy.sexy scripts to enable this, so it will no longer be a one-liner but a PowerShell sequence that does this job better.

evvlzeiu commented 1 year ago

I ran the script and I think I got an error for tasks matching pattern, but everything else worked. Here is the full output for you to look at.

output.txt

evvlzeiu commented 1 year ago

I restarted my PC and then changed the date to December to trigger the task scheduler and it still re-enabled the Windows Update.

undergroundwires commented 1 year ago

Thank you for sharing the results ♥️. The error is only for "Schedule Scan Static Task" and I fixed that now.

Running this should disable those residual scheduled tasks:

```batchfile
PowerShell -ExecutionPolicy Unrestricted -Command "$taskPath='\Microsoft\Windows\UpdateOrchestrator\'; $taskNamePattern='Schedule Scan Static Task'; $grantAccess=$true <# $false #>; Write-Output "^""Disabling tasks matching pattern `"^""$taskNamePattern`"^""."^""; $tasks = Get-ScheduledTask -TaskPath $taskPath -TaskName $taskNamePattern -ErrorAction Ignore; if (-Not $tasks) {; Write-Output "^""Skipping, no tasks matching pattern `"^""$taskNamePattern`"^"" found, no action needed."^""; exit 0; }; $isOperationFailed = $false; foreach ($task in $tasks) {; $taskName = $task.TaskName; if ($grantAccess) {; try {; Write-Output "^""Attempting to grant access to task `"^""$taskName`"^""."^""; $adminSid = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-544'; $adminAccount = $adminSid.Translate([System.Security.Principal.NTAccount]); $taskFilePath="^""$($env:WINDIR)\System32\Tasks$($task.TaskPath)$($task.TaskName)"^""; $originalAcl= Get-Acl -Path $taskFilePath -ErrorAction Stop; $modifiedAcl= Get-Acl -Path $taskFilePath -ErrorAction Stop; $modifiedAcl.SetOwner($adminAccount); $taskFileAccessRule = New-Object System.Security.AccessControl.FileSystemAccessRule( $adminAccount, [System.Security.AccessControl.FileSystemRights]::FullControl, [System.Security.AccessControl.AccessControlType]::Allow ); $modifiedAcl.SetAccessRule($taskFileAccessRule); Set-Acl -Path $taskFilePath -AclObject $modifiedAcl -ErrorAction Stop; Write-Output "^""Successfully granted access to task `"^""$taskName`"^""."^""; } catch {; Write-Error "^""Failed to grant access to task `"^""$taskName`"^"": $($_.Exception.Message)"^""; continue; }; }; try {; $task | Disable-ScheduledTask -ErrorAction Stop | Out-Null; Write-Output "^""Successfully disabled task `"^""$taskName`"^""."^""; } catch {; Write-Error "^""Failed to disable task `"^""$taskName`"^"": $($_.Exception.Message)"^""; $isOperationFailed = $true; }; if ($grantAccess) {; try {; Set-Acl -Path $taskFilePath -AclObject $originalAcl -ErrorAction Stop; } catch {; Write-Warning "^""Failed to restore original permissions to task `"^""$taskName`"^"": $($_.Exception.Message)"^""; }; }; }; if ($isOperationFailed) {; exit 1; }"
```

I also updated the last comment so it has the fixed version so you can also run that.

Can you try again after re-running, because "Schedule Scan Static Task" that we missed was executing `%systemroot%\system32\usoclient.exe`. This exe reconfigures everything. If our attempt with scheduled tasks is not working, there are two more workarounds we can try:

1. Postpone Windows Updates to maximum possible using registry settings.
2. Disable all executables related to updates and prevent them from running. This would not disable auto-updates, but ANY updates.

But I guess properly disabling these scheduled tasks should fix the issue though.

evvlzeiu commented 1 year ago

The script disabled Task schedules related to UpdateOrchestrator and WindowsUpdate, but it doesn't disable the WaaSMedic task, which causes the updates to get re-enabled.

undergroundwires commented 1 year ago

I missed PerformRemediation. Of course, this task reconfigures everything. Great finding, thank you again @evvlzeiu, great teamwork trying to solve this, I will give you cred for this 🎉

I tested this, it exists on both Windows 11 22H2 and Windows 10 22H2. It also requires privileges to disable it.

Script to disable:

```batchfile
PowerShell -ExecutionPolicy Unrestricted -Command "$taskPath='\Microsoft\Windows\WaaSMedic\'; $taskNamePattern='PerformRemediation'; $grantAccess=$true <# $false #>; Write-Output "^""Disabling tasks matching pattern `"^""$taskNamePattern`"^""."^""; $tasks = Get-ScheduledTask -TaskPath $taskPath -TaskName $taskNamePattern -ErrorAction Ignore; if (-Not $tasks) {; Write-Output "^""Skipping, no tasks matching pattern `"^""$taskNamePattern`"^"" found, no action needed."^""; exit 0; }; $isOperationFailed = $false; foreach ($task in $tasks) {; $taskName = $task.TaskName; if ($grantAccess) {; try {; Write-Output "^""Attempting to grant access to task `"^""$taskName`"^""."^""; $adminSid = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-544'; $adminAccount = $adminSid.Translate([System.Security.Principal.NTAccount]); $taskFilePath="^""$($env:WINDIR)\System32\Tasks$($task.TaskPath)$($task.TaskName)"^""; $originalAcl= Get-Acl -Path $taskFilePath -ErrorAction Stop; $modifiedAcl= Get-Acl -Path $taskFilePath -ErrorAction Stop; $modifiedAcl.SetOwner($adminAccount); $taskFileAccessRule = New-Object System.Security.AccessControl.FileSystemAccessRule( $adminAccount, [System.Security.AccessControl.FileSystemRights]::FullControl, [System.Security.AccessControl.AccessControlType]::Allow ); $modifiedAcl.SetAccessRule($taskFileAccessRule); Set-Acl -Path $taskFilePath -AclObject $modifiedAcl -ErrorAction Stop; Write-Output "^""Successfully granted access to task `"^""$taskName`"^""."^""; } catch {; Write-Error "^""Failed to grant access to task `"^""$taskName`"^"": $($_.Exception.Message)"^""; continue; }; }; try {; $task | Disable-ScheduledTask -ErrorAction Stop | Out-Null; Write-Output "^""Successfully disabled task `"^""$taskName`"^""."^""; } catch {; Write-Error "^""Failed to disable task `"^""$taskName`"^"": $($_.Exception.Message)"^""; $isOperationFailed = $true; }; if ($grantAccess) {; try {; Set-Acl -Path $taskFilePath -AclObject $originalAcl -ErrorAction Stop; } catch {; Write-Warning "^""Failed to restore original permissions to task `"^""$taskName`"^"": $($_.Exception.Message)"^""; }; }; }; if ($isOperationFailed) {; exit 1; }"
```

I added this to my other post with revert code as well. I also did some more research and I guess there's no Scheduled Task left we should disable. If this does not work, we'll need to consider other, uglier workarounds.
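
To see which scheduled task Windows flips back between test runs, the following is an added example (not part of the thread and not privacy.sexy code): it snapshots the state and action of every task in the three task folders named above and, on later runs, reports tasks that went from Disabled to another state. The baseline file location and the function name `Get-UpdateTaskSnapshot` are assumptions of this example; run it from an elevated PowerShell prompt.

```powershell
# Added example, not privacy.sexy code.
# First run writes a baseline; later runs report what changed since then.

# Assumption: baseline location chosen for this example.
$baselinePath = Join-Path $env:ProgramData 'update-task-baseline.json'

# Task folders named in this thread.
$taskPaths = @(
    '\Microsoft\Windows\UpdateOrchestrator\',
    '\Microsoft\Windows\WaaSMedic\',
    '\Microsoft\Windows\WindowsUpdate\'
)

function Get-UpdateTaskSnapshot {
    param([string[]] $Paths)
    foreach ($path in $Paths) {
        # A missing folder simply yields no tasks.
        foreach ($task in @(Get-ScheduledTask -TaskPath $path -ErrorAction SilentlyContinue)) {
            # Exec actions expose Execute/Arguments; COM handler actions expose ClassId.
            $actions = foreach ($action in $task.Actions) {
                if ($action.Execute) { "$($action.Execute) $($action.Arguments)".Trim() }
                elseif ($action.ClassId) { "COM handler $($action.ClassId)" }
                else { $action.CimClass.CimClassName }
            }
            # Run-time info can be unavailable for protected tasks; treat that as unknown.
            $info = $task | Get-ScheduledTaskInfo -ErrorAction SilentlyContinue
            $lastRun = $null
            if ($info -and $info.LastRunTime) { $lastRun = $info.LastRunTime.ToString('s') }
            [pscustomobject]@{
                Id          = "$($task.TaskPath)$($task.TaskName)"
                State       = [string] $task.State
                Actions     = ($actions -join ' | ')
                LastRunTime = $lastRun
            }
        }
    }
}

$current = @(Get-UpdateTaskSnapshot -Paths $taskPaths)

if (-not (Test-Path -LiteralPath $baselinePath)) {
    # No baseline yet: record the state right after running the disable scripts.
    ConvertTo-Json -InputObject $current -Depth 3 |
        Set-Content -LiteralPath $baselinePath -Encoding UTF8
    Write-Output "Baseline with $($current.Count) tasks saved to $baselinePath"
    $current | Sort-Object Id | Format-Table Id, State -AutoSize
}
else {
    $baseline = Get-Content -LiteralPath $baselinePath -Raw | ConvertFrom-Json
    $before = @{}
    foreach ($entry in $baseline) { $before[$entry.Id] = $entry }

    $changes = foreach ($task in $current) {
        $old = $before[$task.Id]
        $change = $null
        if (-not $old) {
            $change = 'New task'
        }
        elseif ($old.State -eq 'Disabled' -and $task.State -ne 'Disabled') {
            $change = 'Re-enabled'
        }
        elseif ($old.Actions -ne $task.Actions) {
            $change = 'Action changed'
        }
        if ($change) {
            [pscustomobject]@{
                Change      = $change
                Task        = $task.Id
                Was         = if ($old) { $old.State } else { '(absent)' }
                Now         = $task.State
                Actions     = $task.Actions
                LastRunTime = $task.LastRunTime
            }
        }
    }

    if ($changes) {
        $changes | Format-List
    }
    else {
        Write-Output 'No update task was re-enabled, added or modified since the baseline.'
    }
}
```

Delete the baseline file before taking a fresh snapshot, for example after re-running the disable scripts.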

TheAndr0id commented 1 year ago

Thank you for all your digging. Sorry, I kind of kicked over an anthill with the whole scheduled task thing.

I've tested your scripts on Win 10 22H2, and they all worked flawlessly.

Will report if Windows update decides to rear its ugly head again.

evvlzeiu commented 1 year ago

I don't know how, but Windows is still somehow enabling updates when I tried to change the date on my PC. There is a program by sordum that completely blocks Windows Update, but it is not open source so I don't like using it. Maybe we can look at what it is doing that we have missed? But Microsoft, why must you continue to force updates upon us?

undergroundwires commented 1 year ago

I cannot create a test scenario where I can see if updates get triggered. @evvlzeiu, you're the only one among us who can test these properly, sorry for taking your time, but could you test one more configuration?

This is maybe what the software you mention is doing. Or I see some software that runs in the background and kills the services and disables the tasks as soon as they execute/get enabled. This would also not disable auto-updates but any updates. Disabling any updates is simpler than just auto-updates because we can be more aggressive doing that.

So "disable all kinds of updates, manual or automatic" is simpler. We have many tools like using policies, changing update URLs, disallowing network connections, and preventing update processes from running. But this is more intrusive, so if it's fine it would be good to test what I share on this post first, if it does not work, go with snoozing (postponing).

I'm open for any more ideas, love to see the collaboration on this.

Disable all documented auto-update configurations

I've scanned the Internet and noted down all configurations regarding disabling auto-updates. Removed the ones that are not officially documented by Microsoft and the ones that may interfere with manual updates, so the documented ones that would only affect auto-updates are added.

@evvlzeiu, could you check whether this can disable auto-updates for you?

disable-auto-updates-through-configs.bat

```batchfile
@echo off
:: https://privacy.sexy — v0.12.5 — Mon, 23 Oct 2023 20:10:31 GMT
:: Ensure admin privileges
fltmc >nul 2>&1 || (
    echo Administrator privileges are required.
    PowerShell Start -Verb RunAs '%0' 2> nul || (
        echo Right-click on the script and select "Run as administrator".
        pause & exit 1
    )
    exit 0
)

:: Disable scanning Microsoft update sources for auto-updates
echo --- Disable scanning Microsoft update sources for auto-updates
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Services\855E8A7C-ECB4-4CA3-B045-1DFA50104289" /v "RegisteredWithAU" /t REG_DWORD /d "0" /f
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Services\8B24B027-1DEE-BABB-9A95-3517DFB9C552" /v "RegisteredWithAU" /t REG_DWORD /d "0" /f
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Services\7971f918-a847-4430-9279-4a52d1efe18d" /v "RegisteredWithAU" /t REG_DWORD /d "0" /f
:: ----------------------------------------------------------

:: Disable automatic download and installation of Microsoft Store apps
echo --- Disable automatic download and installation of Microsoft Store apps
reg add "HKLM\SOFTWARE\Policies\Microsoft\WindowsStore" /v "AutoDownload" /d "2" /t REG_DWORD /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\WindowsStore\WindowsUpdate" /v "AutoDownload" /d "2" /t REG_DWORD /f
:: ----------------------------------------------------------

:: Disable the offer to update to the latest version of Windows
echo --- Disable the offer to update to the latest version of Windows
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v "DisableOSUpgrade" /d "1" /t REG_DWORD /f
reg add "HKLM\Software\Policies\Microsoft\WindowsStore" /v "DisableOSUpgrade" /d "1" /t REG_DWORD /f
:: ----------------------------------------------------------

:: ----------------------------------------------------------
:: ----------Disable Automatic Updates (AU) feature----------
:: ----------------------------------------------------------
echo --- Disable Automatic Updates (AU) feature
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" /v "NoAutoUpdate" /t "REG_DWORD" /d "1" /f
:: ----------------------------------------------------------

:: Disable automatic installation of Windows updates without user consent
echo --- Disable automatic installation of Windows updates without user consent
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" /v "AUOptions" /t "REG_DWORD" /d "2" /f
:: ----------------------------------------------------------

:: ----------------------------------------------------------
:: -Disable automatic daily installation of Windows updates--
:: ----------------------------------------------------------
echo --- Disable automatic daily installation of Windows updates
reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" /v "ScheduledInstallDay" /f 2>nul
:: ----------------------------------------------------------

:: ----------------------------------------------------------
:: -----------Disable scheduled automatic updates------------
:: ----------------------------------------------------------
echo --- Disable scheduled automatic updates
reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" /v "ScheduledInstallTime" /f 2>nul
:: ----------------------------------------------------------

:: ----------------------------------------------------------
:: ------Disable automatic updates end user experience-------
:: ----------------------------------------------------------
echo --- Disable automatic updates end user experience
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" /v "AllowAutoUpdate" /d 0 /t REG_DWORD /f
:: ----------------------------------------------------------

:: ----------------------------------------------------------
:: -----Disable automatic updates immediate installation-----
:: ----------------------------------------------------------
echo --- Disable automatic updates immediate installation
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" /v "AutoInstallMinorUpdates" /d 0 /t REG_DWORD /f
:: ----------------------------------------------------------

:: Disable auto-updates for other Microsoft products through Microsoft Update
echo --- Disable auto-updates for other Microsoft products through Microsoft Update
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" /v "AllowMUUpdateService" /d 0 /t REG_DWORD /f
:: ----------------------------------------------------------

:: ----------------------------------------------------------
:: -------------Disable Update Orchestrator scan-------------
:: ----------------------------------------------------------
echo --- Disable Update Orchestrator scan
reg add "HKLM\SOFTWARE\Microsoft\Microsoft\WindowsUpdate" /v "SupportsUUP" /d "0" /t REG_DWORD /f
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Orchestrator" /v "EnableUUPScan" /d "0" /t REG_DWORD /f
:: ----------------------------------------------------------

:: ----------------------------------------------------------
:: ----Disable recommended updates via Automatic Updates-----
:: ----------------------------------------------------------
echo --- Disable recommended updates via Automatic Updates
reg add "HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\AU" /v "IncludeRecommendedUpdates" /d 0 /t REG_DWORD /f
:: ----------------------------------------------------------

:: ----------------------------------------------------------
:: ------Disable automatic maintenance for auto-updates------
:: ----------------------------------------------------------
echo --- Disable automatic maintenance for auto-updates
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" /v "AutomaticMaintenanceEnabled" /d "0" /t REG_DWORD /f
:: ----------------------------------------------------------

:: Disable downloading Windows updates automatically over metered connections
echo --- Disable downloading Windows updates automatically over metered connections
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v "AllowAutoWindowsUpdateDownloadOverMeteredNetwork" /d 0 /t REG_DWORD /f
:: ----------------------------------------------------------

:: Disable scanning of both Windows Update and Windows Server Update service
echo --- Disable scanning of both Windows Update and Windows Server Update service
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v "DisableDualScan" /d 0 /t REG_DWORD /f
:: ----------------------------------------------------------

:: ----------------------------------------------------------
:: -----Disable automatically receiving optional updates-----
:: ----------------------------------------------------------
echo --- Disable automatically receiving optional updates
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v "AllowOptionalContent" /d "0" /t REG_DWORD /f
:: ----------------------------------------------------------

:: ----------------------------------------------------------
:: ----Disable automatic delivery of Service Pack updates----
:: ----------------------------------------------------------
echo --- Disable automatic delivery of Service Pack updates
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v "DoNotAllowSP" /d "0" /t REG_DWORD /f
:: ----------------------------------------------------------
```

Revert (restore to default OS state):

revert-disable-auto-updates-through-configs.bat

```batchfile
@echo off
:: https://privacy.sexy — v0.12.5 — Mon, 23 Oct 2023 20:20:14 GMT
:: Ensure admin privileges
fltmc >nul 2>&1 || (
    echo Administrator privileges are required.
    PowerShell Start -Verb RunAs '%0' 2> nul || (
        echo Right-click on the script and select "Run as administrator".
        pause & exit 1
    )
    exit 0
)

:: ----------------------------------------------------------
:: -----Disable Automatic Updates (AU) feature (revert)------
:: ----------------------------------------------------------
echo --- Disable Automatic Updates (AU) feature (revert)
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" /v "NoAutoUpdate" /t "REG_DWORD" /d "0" /f
:: ----------------------------------------------------------

:: Disable automatic installation of Windows updates without user consent (revert)
echo --- Disable automatic installation of Windows updates without user consent (revert)
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" /v "AUOptions" /t "REG_DWORD" /d "4" /f
:: ----------------------------------------------------------

:: Disable automatic daily installation of Windows updates (revert)
echo --- Disable automatic daily installation of Windows updates (revert)
:: This key does not exist by default since Windows 10 21H2 and Windows 11 21H2
reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" /v "ScheduledInstallDay" /f 2>nul
:: ----------------------------------------------------------

:: ----------------------------------------------------------
:: -------Disable scheduled automatic updates (revert)-------
:: ----------------------------------------------------------
echo --- Disable scheduled automatic updates (revert)
:: This key does not exist by default since Windows 10 21H2 and Windows 11 21H2
reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" /v "ScheduledInstallTime" /f 2>nul
:: ----------------------------------------------------------

:: ----------------------------------------------------------
:: --Disable automatic updates end user experience (revert)--
:: ----------------------------------------------------------
echo --- Disable automatic updates end user experience (revert)
reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" /v "AllowAutoUpdate" /f 2>nul
:: ----------------------------------------------------------

:: ----------------------------------------------------------
:: Disable automatic updates immediate installation (revert)-
:: ----------------------------------------------------------
echo --- Disable automatic updates immediate installation (revert)
reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" /v "AutoInstallMinorUpdates" /f 2>nul
:: ----------------------------------------------------------

:: Disable auto-updates for other Microsoft products through Microsoft Update (revert)
echo --- Disable auto-updates for other Microsoft products through Microsoft Update (revert)
reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" /v "AllowMUUpdateService" /f 2>nul
:: ----------------------------------------------------------

:: ----------------------------------------------------------
:: --------Disable Update Orchestrator scan (revert)---------
:: ----------------------------------------------------------
echo --- Disable Update Orchestrator scan (revert)
:: This key does not exist by default since Windows 10 22H2 and Windows 11 22H2
reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Orchestrator" /v "EnableUUPScan" /f 2>nul
:: This key exists with value `1` by default since Windows 10 22H2 and Windows 11 22H2
reg add "HKLM\SOFTWARE\Microsoft\Microsoft\WindowsUpdate" /v "SupportsUUP" /d "1" /t REG_DWORD /f
:: ----------------------------------------------------------

:: Disable recommended updates via Automatic Updates (revert)
echo --- Disable recommended updates via Automatic Updates (revert)
reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" /v "IncludeRecommendedUpdates" /f 2>nul
:: ----------------------------------------------------------

:: ----------------------------------------------------------
:: -Disable automatic maintenance for auto-updates (revert)--
:: ----------------------------------------------------------
echo --- Disable automatic maintenance for auto-updates (revert)
reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" /v "AutomaticMaintenanceEnabled" /f 2>nul
:: ----------------------------------------------------------

:: Disable downloading Windows updates automatically over metered connections (revert)
echo --- Disable downloading Windows updates automatically over metered connections (revert)
reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v "AllowAutoWindowsUpdateDownloadOverMeteredNetwork" /f 2>nul
:: ----------------------------------------------------------

:: Disable scanning of both Windows Update and Windows Server Update service (revert)
echo --- Disable scanning of both Windows Update and Windows Server Update service (revert)
reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v "DisableDualScan" /f 2>nul
:: ----------------------------------------------------------

:: ----------------------------------------------------------
:: Disable automatically receiving optional updates (revert)-
:: ----------------------------------------------------------
echo --- Disable automatically receiving optional updates (revert)
reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v "AllowOptionalContent" /f 2>nul
:: ----------------------------------------------------------

:: Disable automatic delivery of Service Pack updates (revert)
echo --- Disable automatic delivery of Service Pack updates (revert)
reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v "DoNotAllowSP" /f 2>nul
:: ----------------------------------------------------------

:: Disable scanning Microsoft update sources for auto-updates (revert)
echo --- Disable scanning Microsoft update sources for auto-updates (revert)
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Services\855E8A7C-ECB4-4CA3-B045-1DFA50104289" /v "RegisteredWithAU" /t REG_DWORD /d "0" /f
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Services\8B24B027-1DEE-BABB-9A95-3517DFB9C552" /v "RegisteredWithAU" /t REG_DWORD /d "0" /f
reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Services\7971f918-a847-4430-9279-4a52d1efe18d" /v "RegisteredWithAU" /f 2>nul
:: ----------------------------------------------------------

:: Disable automatic download and installation of Microsoft Store apps (revert)
echo --- Disable automatic download and installation of Microsoft Store apps (revert)
reg delete "HKLM\SOFTWARE\Policies\Microsoft\WindowsStore" /v "AutoDownload" /f 2>nul
reg delete "HKLM\SOFTWARE\Policies\Microsoft\WindowsStore\WindowsUpdate" /v "AutoDownload" /f 2>nul
:: ----------------------------------------------------------

:: Disable the offer to update to the latest version of Windows (revert)
echo --- Disable the offer to update to the latest version of Windows (revert)
reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v "DisableOSUpgrade" /f 2>nul
reg delete "HKLM\Software\Policies\Microsoft\WindowsStore" /v "DisableOSUpgrade" /f 2>nul
:: ----------------------------------------------------------

pause
exit /b 0
```

If this doesn't work, I think we must go with the "snoozing" option, where we can postpone updates to maximum possible, hopefully year 2300 or something.


@TheAndr0id, it's been a journey for me to understand how scheduled tasks work, and I'm happy with your report, you've brought a lot of value to this project.

I found that there's Automatic Maintenance Service that runs scheduled tasks, it restarts the tasks that we disable:

image

Windows provides an option to disable it through `HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\Maintenance`. Some scripts in the wild are doing that. We could also do that but I think it reduces Windows security posture and does "too much". You can see what it enables via this PowerShell command: `Get-ScheduledTask | ? {$_.Settings.MaintenanceSettings} | Out-GridView`. I played around with this and found two good things:

  1. We can actually prevent tasks we disable from being re-enabled by the "Automatic Maintenance Service", by setting `(Get-ScheduledTask ...).Settings.MaintenanceSettings = $null`.
  2. There's also a `Volatile` property on every task; when set to `$true`, it tells Windows to disable the task on every boot. This we could set too.

I will test with these more, and I guess privacy.sexy should configure both of these on every scheduled task it ever disables. Reverting `(Get-ScheduledTask ...).Volatile` back to `$false` is easy, but we need to serialize/store `MaintenanceSettings` somewhere.

TheAndr0id commented 1 year ago

Same here. Scheduled tasks are back for Windows Update and the "Scheduled Scan" for UpdateOrchestrator.

Both Windows Update and UpdateOrchestrator services were re-enabled.

Off to google, and I found this: (and there's lots of info of "what doesn't work"...)

Windows Update service has a trigger defined that will start it under certain circumstances; remove it with:

```
sc triggerinfo wuauserv delete start/machinepolicy
```

Now I ran this and it deleted something because when I run:

```
sc qtriggerinfo wuauserv start/machinepolicy
[SC] QueryServiceConfig2 SUCCESS

    The service wuauserv has not registered for any start or stop triggers.
```

Problem is I ran it and didn't look first, so I have no idea if it did anything.... Doh.

One of the other suggestions I've seen is to change the permissions of the Windows Update service to run as guest. That way it fails because it can't write, but that won't stop the service from being redefined in the future and we're back where we started...

That's also a big hack, much like removing the wuauserv registry tree under currentconfig. That's only asking for future hell IMO.

Just saw your new message (while I was typing this).

BTW, I got the full settings list with this command: (Just putting it here so I don't lose it.... 😄 )

```
(Get-ScheduledTask -TaskName "Report policies" -TaskPath "\Microsoft\Windows\UpdateOrchestrator\").Settings

AllowDemandStart                : True
AllowHardTerminate              : True
Compatibility                   :
DeleteExpiredTaskAfter          :
DisallowStartIfOnBatteries      : False
Enabled                         : False
ExecutionTimeLimit              : PT72H
Hidden                          : False
IdleSettings                    : MSFT_TaskIdleSettings
MultipleInstances               : IgnoreNew
NetworkSettings                 : MSFT_TaskNetworkSettings
Priority                        : 7
RestartCount                    : 0
RestartInterval                 :
RunOnlyIfIdle                   : False
RunOnlyIfNetworkAvailable       : False
StartWhenAvailable              : True
StopIfGoingOnBatteries          : False
WakeToRun                       : False
DisallowStartOnRemoteAppSession : False
UseUnifiedSchedulingEngine      : True
MaintenanceSettings             : MSFT_TaskMaintenanceSettings
volatile                        : False
PSComputerName                  :
```

These settings are described here: https://learn.microsoft.com/en-us/windows/win32/taskschd/taskschedulerschema-settings-tasktype-element

I don't know if the "volatile" setting will do what you think it does. It says the task is disabled at Windows startup, but is that before or after the maintenance task is run? I've tried to do some digging into the MSFT_TaskMaintenanceSettings listed above, but it looks like a "constant" of buried values inside of values (inside of values) that are hidden away.

I was going to try setting the MaintenanceSettings value, got headed down the rabbit hole of Set-ScheduledTask and decided I'd rather go watch something on youtube.... If I figure something out later, I'll post back.

Is anyone else getting a real malware vibe out of all of this?

TheAndr0id commented 1 year ago

Just another possible piece to this puzzle. It seems that the whole "Maintenance Task" mechanism can be disabled (which I'm good with since it doesn't abide by the disabled settings of tasks). It seems this is supposed to stop the maintenance tasks from running:

Set/create the following registry DWORD to 1. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\Maintenance\MaintenanceDisabled

Source: https://www.winhelponline.com/blog/automatic-maintenance-disable-schedule-windows-8-10/

This also stops a bunch of other nonsense background tasks (like defrag/chkdsk) that run when the machine is idle. A lot of laptop users are doing this to save battery life. So far the tasks haven't returned...

I still think that disabling the actual maintenance task for the UpdateOrchestrator scheduled task is the right way to go. This might just be a quick work-around to stop Microsoft from borking my machine in the meantime.

I tried to figure this out, but couldn't get Set-ScheduledTask to set the settings. Everything seemed to work, but the MaintenanceSettings are still set to MSFT_TaskMaintenanceSettings.

```powershell
$task = Get-ScheduledTask -TaskName "Report policies" -TaskPath "\Microsoft\Windows\UpdateOrchestrator\"
$task.settings.MaintenanceSettings = $null
Set-ScheduledTask -TaskName "Report policies" -TaskPath "\Microsoft\Windows\UpdateOrchestrator\" -Settings $task.settings
```

I'm missing something, but I have no idea what and this crap is SO obscure for no other reason than they don't want anyone doing it.

undergroundwires commented 1 year ago

We could provide a script for MaintenanceDisabled but it seems like overkill for disabling updates, something separate.


New findings about scheduled tasks (I still want to know if policies work in my latest post btw):

ScanForUpdatesAsUser

So it's not only ReportPolicies but \Microsoft\Windows\InstallService\ScanForUpdatesAsUser is also registered as maintenance task, so we need to disable that too. Verify: (Get-ScheduledTask -TaskName "ScanForUpdatesAsUser" -TaskPath "\Microsoft\Windows\InstallService\").Settings.MaintenanceSettings. It runs every day.

MaintenanceSettings and volatile do not work for Report policies

Ah, I was playing around with StartupAppTask, it's possible to disable it like this:

```powershell
$task = Get-ScheduledTask -TaskName 'StartupAppTask' -TaskPath '\Microsoft\Windows\Application Experience\'
$task.Settings.volatile = $true
$task.Settings.MaintenanceSettings = $null
$task | Set-ScheduledTask
```

Docs about volatile and MaintenanceSettings: https://learn.microsoft.com/en-us/windows/win32/taskschd/what-s-new-in-task-scheduler, https://learn.microsoft.com/en-us/windows/win32/api/taskschd/nf-taskschd-itasksettings3-put_maintenancesettings.

But our target (as I understand the only task that's part of "maintenance" related to updates) is Report policies. Even the name sounds like spyware.. I can understand that they're doing everything possible to persist Defender, but I don't see this with automatic updates.

So this is working fine because its StartupAppTask not Report policies:

```powershell
$task = Get-ScheduledTask -TaskName 'StartupAppTask' -TaskPath '\Microsoft\Windows\Application Experience\'
$task.Settings.volatile = $true
$task.Settings.MaintenanceSettings = $null
$task | Set-ScheduledTask
```

volatile works on some of the tasks but this task seems to not support it, because Report Policies task has version 1.6 which does not support this.

This syntax (instead of piping to Set-ScheduledTask) seems to go further:

```powershell
$taskName = 'Report policies'
$taskPath = '\Microsoft\Windows\UpdateOrchestrator\'
$task = Get-ScheduledTask -TaskName $taskName -TaskPath $taskPath
$task.Settings.MaintenanceSettings = $null
Set-ScheduledTask -TaskName $taskName -TaskPath $taskPath -Settings $task.Settings
```

But it results in Set-ScheduledTask : Access is denied. error. It works well after taking ownership:

```powershell
$taskName = 'Report policies'
$taskPath = '\Microsoft\Windows\UpdateOrchestrator\'
$task = Get-ScheduledTask -TaskName $taskName -TaskPath $taskPath
# Configure task
$task.Settings.MaintenanceSettings = $null
# Take ownership
$adminSid = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-544'
$adminAccount = $adminSid.Translate([System.Security.Principal.NTAccount])
$taskFilePath = "$($env:WINDIR)\System32\Tasks$($task.TaskPath)$($task.TaskName)"
$originalAcl = Get-Acl -Path $taskFilePath -ErrorAction Stop
$modifiedAcl = Get-Acl -Path $taskFilePath -ErrorAction Stop
$modifiedAcl.SetOwner($adminAccount)
$taskFileAccessRule = New-Object System.Security.AccessControl.FileSystemAccessRule( `
    $adminAccount, `
    [System.Security.AccessControl.FileSystemRights]::FullControl, `
    [System.Security.AccessControl.AccessControlType]::Allow `
)
$modifiedAcl.SetAccessRule($taskFileAccessRule)
Set-Acl -Path $taskFilePath -AclObject $modifiedAcl -ErrorAction Stop
# Update task
Set-ScheduledTask -TaskName $taskName -TaskPath $taskPath -Settings $task.Settings
# Restore ownership
Set-Acl -Path $taskFilePath -AclObject $originalAcl -ErrorAction Stop
```

It works. But it does not persist, running (Get-ScheduledTask -TaskName 'Report policies' -TaskPath '\Microsoft\Windows\UpdateOrchestrator\').Settings.MaintenanceSettings gives the same value as before. It does not save the desired changes.

So instead of removing the object, I tried setting the Period property to different numbers, but it does not work. The max value seems to be 14 days, otherwise we get an exception.

Conclusion: volatile works on some of the tasks but not on Report Policies. Changing MaintenanceSettings does not work at all.

Manipulating the TaskCache

I see that all maintenance tasks are under this subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Maintenance.

image

But these are just GUIDs that do not make any sense. With further inspection I see that what task each GUID corresponds to is defined in HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks:

image

But of course we cannot delete this key:

image

Because only SYSTEM can write to it:

image

Disable task maintenance for ReportPolicies:

But we can delete it using TrustedInstaller. This script that's doing all for ReportPolicies:

```batchfile
PowerShell -ExecutionPolicy Unrestricted -Command "$taskName = 'Report policies'; $taskPath = '\Microsoft\Windows\UpdateOrchestrator\'; <# Find task GUID #>; $regPath = "^""HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks"^""; $tasksKey = Get-Item -LiteralPath $regPath; $taskGuid = $null; foreach ($subKey in $tasksKey.GetSubKeyNames()) {; $fullKeyPath = Join-Path -Path $regPath -ChildPath $subKey; $taskKey = Get-Item -LiteralPath $fullKeyPath; $pathValue = ($taskKey.GetValue("^""Path"^"", $null)); $idValue = ($taskKey.GetValue("^""Id"^"", $null)); if ($pathValue -eq "^""$($taskPath)$($taskName)"^"") {; $taskGuid = $subKey; break; }; }; if(!$taskGuid) {; throw 'Could not locate task GUID'; }; $maintenanceTaskKey="^""HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Maintenance\$taskGuid"^""; Write-Output "^""Task GUID: $taskGuid"^""; Write-Output "^""Maintenance task key: $maintenanceTaskKey"^""; $maintenanceTaskKey="^""HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Maintenance\$taskGuid"^""; Write-Output "^""Task GUID: $taskGuid"^""; Write-Output "^""Maintenance task key: $maintenanceTaskKey"^""; $command = "^""reg delete `"^""$maintenanceTaskKey`"^"" /f"^""; $trustedInstallerSid = [System.Security.Principal.SecurityIdentifier]::new('S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'); $trustedInstallerName = $trustedInstallerSid.Translate([System.Security.Principal.NTAccount]); $streamOutFile = New-TemporaryFile; $batchFile = New-TemporaryFile; try {; $batchFile = Rename-Item $batchFile "^""$($batchFile.BaseName).bat"^"" -PassThru; "^""@echo off`r`n$command`r`nexit 0"^"" | Out-File $batchFile -Encoding ASCII; $taskName = 'privacy.sexy invoke'; schtasks.exe /delete /tn "^""$taskName"^"" /f 2>&1 | Out-Null <# Clean if something went wrong before, suppress any output #>; $taskAction = New-ScheduledTaskAction -Execute 'cmd.exe' -Argument "^""cmd /c `"^""$batchFile`"^"" > $streamOutFile 2>&1"^""; $settings = New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries; Register-ScheduledTask -TaskName $taskName -Action $taskAction -Settings $settings -Force -ErrorAction Stop | Out-Null; try {; ($scheduleService = New-Object -ComObject Schedule.Service).Connect(); $scheduleService.GetFolder('\').GetTask($taskName).RunEx($null, 0, 0, $trustedInstallerName) | Out-Null; $timeOutLimit = (Get-Date).AddMinutes(5); Write-Host "^""Running as $trustedInstallerName"^""; while((Get-ScheduledTaskInfo $taskName).LastTaskResult -eq 267009) {; Start-Sleep -Milliseconds 200; if((Get-Date) -gt $timeOutLimit) {; Write-Warning "^""Skipping results, it took so long to execute script."^""; break;; }; }; if (($result = (Get-ScheduledTaskInfo $taskName).LastTaskResult) -ne 0) {; Write-Error "^""Failed to execute with exit code: $result."^""; }; } finally {; schtasks.exe /delete /tn "^""$taskName"^"" /f | Out-Null <# Outputs only errors #>; }; Get-Content $streamOutFile; } finally {; Remove-Item $streamOutFile, $batchFile; }"
```

Disable task maintenance for ScanForUpdatesAsUser:

\Microsoft\Windows\InstallService\ScanForUpdatesAsUser task which is responsible for Windows automatic updates is getting triggered by Maintenance Service so we need to remove it from maintenance cache too:

```batchfile
PowerShell -ExecutionPolicy Unrestricted -Command "$taskName = 'ScanForUpdatesAsUser'; $taskPath = '\Microsoft\Windows\InstallService\'; <# Find task GUID #>; $regPath = "^""HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks"^""; $tasksKey = Get-Item -LiteralPath $regPath; $taskGuid = $null; foreach ($subKey in $tasksKey.GetSubKeyNames()) {; $fullKeyPath = Join-Path -Path $regPath -ChildPath $subKey; $taskKey = Get-Item -LiteralPath $fullKeyPath; $pathValue = ($taskKey.GetValue("^""Path"^"", $null)); $idValue = ($taskKey.GetValue("^""Id"^"", $null)); if ($pathValue -eq "^""$($taskPath)$($taskName)"^"") {; $taskGuid = $subKey; break; }; }; if(!$taskGuid) {; throw 'Could not locate task GUID'; }; $maintenanceTaskKey="^""HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Maintenance\$taskGuid"^""; Write-Output "^""Task GUID: $taskGuid"^""; Write-Output "^""Maintenance task key: $maintenanceTaskKey"^""; $maintenanceTaskKey="^""HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Maintenance\$taskGuid"^""; Write-Output "^""Task GUID: $taskGuid"^""; Write-Output "^""Maintenance task key: $maintenanceTaskKey"^""; $command = "^""reg delete `"^""$maintenanceTaskKey`"^"" /f"^""; $trustedInstallerSid = [System.Security.Principal.SecurityIdentifier]::new('S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'); $trustedInstallerName = $trustedInstallerSid.Translate([System.Security.Principal.NTAccount]); $streamOutFile = New-TemporaryFile; $batchFile = New-TemporaryFile; try {; $batchFile = Rename-Item $batchFile "^""$($batchFile.BaseName).bat"^"" -PassThru; "^""@echo off`r`n$command`r`nexit 0"^"" | Out-File $batchFile -Encoding ASCII; $taskName = 'privacy.sexy invoke'; schtasks.exe /delete /tn "^""$taskName"^"" /f 2>&1 | Out-Null <# Clean if something went wrong before, suppress any output #>; $taskAction = New-ScheduledTaskAction -Execute 'cmd.exe' -Argument "^""cmd /c `"^""$batchFile`"^"" > $streamOutFile 2>&1"^""; $settings = New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries; Register-ScheduledTask -TaskName $taskName -Action $taskAction -Settings $settings -Force -ErrorAction Stop | Out-Null; try {; ($scheduleService = New-Object -ComObject Schedule.Service).Connect(); $scheduleService.GetFolder('\').GetTask($taskName).RunEx($null, 0, 0, $trustedInstallerName) | Out-Null; $timeOutLimit = (Get-Date).AddMinutes(5); Write-Host "^""Running as $trustedInstallerName"^""; while((Get-ScheduledTaskInfo $taskName).LastTaskResult -eq 267009) {; Start-Sleep -Milliseconds 200; if((Get-Date) -gt $timeOutLimit) {; Write-Warning "^""Skipping results, it took so long to execute script."^""; break;; }; }; if (($result = (Get-ScheduledTaskInfo $taskName).LastTaskResult) -ne 0) {; Write-Error "^""Failed to execute with exit code: $result."^""; }; } finally {; schtasks.exe /delete /tn "^""$taskName"^"" /f | Out-Null <# Outputs only errors #>; }; Get-Content $streamOutFile; } finally {; Remove-Item $streamOutFile, $batchFile; }"
```

Sorry for the ugly code, I use privacy.sexy functions/compiler which outputs like this. It simply finds the GUID for Report policies and removes the cache entry.

@TheAndr0id, would you mind enabling maintenance (just delete HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\Maintenance\MaintenanceDisabled, it does not exist in default state). And giving this last two commands (of course after disabling services/scheduled tasks), and see if this will persist? Let me know if something is unclear.

I see that default period for this is 7 days, so it takes 7 days before automatic maintenance sets back everything by running this task.

BTW, fun to see a Linux admin so deep into this, we're on the deepest seas. Now it's time for me to watch some stuff on youtube 😀
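To check whether a maintenance-cache removal like the one in the comment above has persisted after a reboot, the following read-only script resolves every GUID under `TaskCache\Maintenance` back to its task path and flags the update-related folders named in this thread. It is an added example, not part of the original comment or of privacy.sexy; the function name `Get-MaintenanceCacheEntry` and the `$watchedFolders` list are assumptions made for illustration, and it needs an elevated PowerShell session.

```powershell
# Added example (read-only): list what is registered with Automatic Maintenance
# and flag the update-related task folders discussed in this issue.
$cacheRoot = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache'

# Folders taken from the thread; the list itself is an assumption, extend as needed.
$watchedFolders = @(
    '\Microsoft\Windows\UpdateOrchestrator\',
    '\Microsoft\Windows\InstallService\'
)

function Get-MaintenanceCacheEntry {
    param([string] $Root = $cacheRoot)

    $tasksRoot = Join-Path $Root 'Tasks'
    $entries = Get-ChildItem -LiteralPath (Join-Path $Root 'Maintenance') -ErrorAction Stop
    foreach ($entry in $entries) {
        $guid = $entry.PSChildName

        # TaskCache\Tasks\{GUID} stores the task's full path in its 'Path' value.
        $fullPath = $null
        $taskKey = Join-Path $tasksRoot $guid
        if (Test-Path -LiteralPath $taskKey) {
            $fullPath = (Get-Item -LiteralPath $taskKey).GetValue('Path', $null)
        }

        $state = $null
        $period = $null
        $note = ''
        if (-not $fullPath) {
            $note = 'cache entry without a matching Tasks key'
        } else {
            # Split '\Folder\Sub\Name' into the folder (with trailing '\') and the name.
            $split = $fullPath.LastIndexOf('\') + 1
            $task = Get-ScheduledTask -TaskPath $fullPath.Substring(0, $split) `
                -TaskName $fullPath.Substring($split) -ErrorAction SilentlyContinue |
                Select-Object -First 1
            if ($task) {
                $state = $task.State
                $period = $task.Settings.MaintenanceSettings.Period
            } else {
                $note = 'task not found by Get-ScheduledTask'
            }
        }

        $watched = $false
        foreach ($folder in $watchedFolders) {
            if ($fullPath -and
                $fullPath.StartsWith($folder, [StringComparison]::OrdinalIgnoreCase)) {
                $watched = $true
            }
        }

        [pscustomobject]@{
            Guid    = $guid
            Task    = $fullPath
            State   = $state
            Period  = $period
            Watched = $watched
            Note    = $note
        }
    }
}

# Full listing, then only the update-related entries that are (still) registered.
$all = @(Get-MaintenanceCacheEntry)
$all | Sort-Object Task | Format-Table Task, State, Period, Note -AutoSize
$hits = @($all | Where-Object Watched)
if ($hits.Count -eq 0) {
    Write-Output 'No watched update task is registered in the maintenance cache.'
} else {
    Write-Output 'Watched update tasks present in the maintenance cache:'
    $hits | Format-Table Guid, Task, State, Period -AutoSize
}
```

Running it before the removal, right after it, and again after a restart shows whether the entry was recreated.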

TheAndr0id commented 1 year ago

I'll take a look into this, but I can't right at the moment. I'm in the middle of a family emergency, so messing around on the computer for the 5-7 days is not going to happen.

Yeah, I'll take building kernels and setting semaphore limits any day to this.

TheAndr0id commented 1 year ago

Disabling Maintenance Mode did not work. Windows update came back on today sometime. I've disabled the services again and I'm going to disable the tasks. I'll take a look into the above scripts tomorrow.

TheAndr0id commented 1 year ago

I just tried your script for removing the task for ScanForUpdatesAsUser. It worked and removed the entry from the registry. As soon as I restarted it was back. I also tried removing the section from the task xml under system32/Tasks and it didn't make any difference either, but I'm guessing that's just a datafile and not the actual task that's being run.

I'm going to go do something drastic. I'm going to delete the task. First I'm taking an export of it and I've removed it. It no longer shows in the maintenance task list either. (I had to use a bastardized version of your permission elevation script to remove the "Report policies" task, but it worked.)

Windows Update, Update Medic Service and UpdateOrchestrator are all disabled. None are showing in the maintenance task list.

Let's see if it comes back. If it does then it's not the maintenance system that's installing these tasks. (I also enabled file auditing to watch and see who/what writes anything to the UpdateOrchestrator directory)

Current Maintenance Tasks

```
TaskPath                                       TaskName                          State
--------                                       --------                          -----
\Microsoft\Windows\.NET Framework\             .NET Framework NGEN v4.0.30319    Disabled
\Microsoft\Windows\.NET Framework\             .NET Framework NGEN v4.0.30319 64 Disabled
\Microsoft\Windows\.NET Framework\             .NET Framework NGEN v4.0.30319... Disabled
\Microsoft\Windows\.NET Framework\             .NET Framework NGEN v4.0.30319... Disabled
\Microsoft\Windows\Application Experience\     ProgramDataUpdater                Disabled
\Microsoft\Windows\Application Experience\     StartupAppTask                    Disabled
\Microsoft\Windows\ApplicationData\            appuriverifierdaily               Ready
\Microsoft\Windows\ApplicationData\            CleanupTemporaryState             Ready
\Microsoft\Windows\ApplicationData\            DsSvcCleanup                      Disabled
\Microsoft\Windows\AppListBackup\              Backup                            Ready
\Microsoft\Windows\AppxDeploymentClient\       Pre-staged app cleanup            Disabled
\Microsoft\Windows\BrokerInfrastructure\       BgTaskRegistrationMaintenanceTask Ready
\Microsoft\Windows\Chkdsk\                     ProactiveScan                     Disabled
\Microsoft\Windows\CloudRestore\               Backup                            Disabled
\Microsoft\Windows\Customer Experience Impr... UsbCeip                           Disabled
\Microsoft\Windows\Defrag\                     ScheduledDefrag                   Disabled
\Microsoft\Windows\Device Setup\               Metadata Refresh                  Ready
\Microsoft\Windows\Diagnosis\                  Scheduled                         Disabled
\Microsoft\Windows\DiskCleanup\                SilentCleanup                     Disabled
\Microsoft\Windows\DiskDiagnostic\             Microsoft-Windows-DiskDiagnost... Ready
\Microsoft\Windows\DiskFootprint\              Diagnostics                       Ready
\Microsoft\Windows\DiskFootprint\              StorageSense                      Ready
\Microsoft\Windows\Feedback\Siuf\              DmClient                          Disabled
\Microsoft\Windows\FileHistory\                File History (maintenance mode)   Disabled
\Microsoft\Windows\Flighting\FeatureConfig\    UsageDataReporting                Ready
\Microsoft\Windows\HelloFace\                  FODCleanupTask                    Ready
\Microsoft\Windows\LanguageComponentsInstal... Uninstallation                    Disabled
\Microsoft\Windows\License Manager\            TempSignedLicenseExchange         Ready
\Microsoft\Windows\Maintenance\                WinSAT                            Disabled
\Microsoft\Windows\MemoryDiagnostic\           RunFullMemoryDiagnostic           Disabled
\Microsoft\Windows\MUI\                        LPRemove                          Ready
\Microsoft\Windows\PI\                         SecureBootEncodeUEFI              Ready
\Microsoft\Windows\PI\                         Sqm-Tasks                         Ready
\Microsoft\Windows\Power Efficiency Diagnos... AnalyzeSystem                     Disabled
\Microsoft\Windows\RecoveryEnvironment\        VerifyWinRE                       Disabled
\Microsoft\Windows\Registry\                   RegIdleBackup                     Ready
\Microsoft\Windows\Servicing\                  StartComponentCleanup             Ready
\Microsoft\Windows\SettingSync\                BackgroundUploadTask              Ready
\Microsoft\Windows\SharedPC\                   Account Cleanup                   Disabled
\Microsoft\Windows\Shell\                      ThemesSyncedImageDownload         Ready
\Microsoft\Windows\StateRepository\            MaintenanceTasks                  Ready
\Microsoft\Windows\Sysmain\                    HybridDriveCachePrepopulate       Disabled
\Microsoft\Windows\Sysmain\                    HybridDriveCacheRebalance         Disabled
\Microsoft\Windows\Sysmain\                    ResPriStaticDbSync                Ready
\Microsoft\Windows\Sysmain\                    WsSwapAssessmentTask              Ready
\Microsoft\Windows\SystemRestore\              SR                                Disabled
\Microsoft\Windows\Time Synchronization\       SynchronizeTime                   Ready
\Microsoft\Windows\Time Zone\                  SynchronizeTimeZone               Ready
\Microsoft\Windows\Windows Defender\           Windows Defender Cache Mainten... Disabled
\Microsoft\Windows\Windows Defender\           Windows Defender Cleanup          Disabled
\Microsoft\Windows\Windows Defender\           Windows Defender Scheduled Scan   Disabled
\Microsoft\Windows\Windows Defender\           Windows Defender Verification     Disabled
\Microsoft\Windows\WOF\                        WIM-Hash-Validation               Disabled
```

This is really starting to piss me off.

j7j2 commented 1 year ago

Hi there, just to say that I'm jumping into this conversation and that I'm available to test stuff as I am also tired of that thing turning itself back on. Initially I was using WPD.APP and same thing, various options keep coming back on and when I tell friends around, it seems like I'm the only one caring for them to remain off.

So far I have tried to run the last provided script followed by the "all documented auto-update configurations" script, we'll see how it holds. Thanks for the work!

undergroundwires commented 12 months ago

Thank you for your time and updates @TheAndr0id. The result of your test/research will give us golden information about whether this is all about scheduled tasks or not. If deleting the tasks does not work, then this has nothing to do with scheduled tasks and we're on the wrong track.

Thank you @j7j2 for testing that one, I did not get any feedback about it and cannot verify whether it works. If they work, they're the cleanest / documented solution without doing any workarounds. I plan to add them anyways in one of the next releases as they're all officially documented by Microsoft. Please do not try any other methods until we see whether that one alone works :)

Postponing updates using undocumented keys works. These keys are created when one pauses the updates on the UI, but the UI does not permit postponing a lot, the following script will postpone the updates to year 9965.

All the keys need to be updated together:

```batchfile
reg add "HKLM\SOFTWARE\Microsoft\WindowsUpdate\UX\Settings" /v "PauseFeatureUpdatesStartTime" /t REG_SZ /d "0000-01-17T00:00:00Z" /f
reg add "HKLM\SOFTWARE\Microsoft\WindowsUpdate\UX\Settings" /v "PauseFeatureUpdatesEndTime" /t REG_SZ /d "9965-01-17T00:00:00Z" /f
reg add "HKLM\SOFTWARE\Microsoft\WindowsUpdate\UX\Settings" /v "PauseQualityUpdatesStartTime" /t REG_SZ /d "0000-01-17T00:00:00Z" /f
reg add "HKLM\SOFTWARE\Microsoft\WindowsUpdate\UX\Settings" /v "PauseQualityUpdatesEndTime" /t REG_SZ /d "9965-01-17T00:00:00Z" /f
reg add "HKLM\SOFTWARE\Microsoft\WindowsUpdate\UX\Settings" /v "PauseUpdatesStartTime" /t REG_SZ /d "0000-01-17T00:00:00Z" /f
reg add "HKLM\SOFTWARE\Microsoft\WindowsUpdate\UX\Settings" /v "PauseUpdatesExpiryTime" /t REG_SZ /d "9965-01-17T00:00:00Z" /f
```

Windows 10 22H2: image

Windows 11 23H2, it breaks the UI for pausing updates so I'm not sure if it works (it would be nice to verify whether this works on W11):

image

TheAndr0id commented 12 months ago

I've added those registry entries in, but do you really trust those? I don't.

So far the deleted tasks haven't come back, but there was an interesting thing this morning. The Update Medic Service was reset to "Manual" from disabled. Would you happen to know where that would be set (as in file structure?) I was thinking if I could set up another file system audit trace to find out what is doing it.

None of the maintenance tasks have returned.

Update: Answered my own question

First up, to enable Auditing, you can do it through Policy Management (which doesn't help since I'm Windows 10 Home) or through the auditpol command. Basic syntax:

```
auditpol /set /subcategory:"File System" /success:enable
```

To check current state: auditpol /get /subcategory:"File System"

To see all audit policies: auditpol /get /category:*

One of the categories is "Registry". Then go in under the security permissions -> Advanced -> Auditing. Set up a new item where the principal is Everyone. Check under the security logs under the event viewer for output.

In this case HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc is where the audit needs to go.

When I disabled the Medic service with your above script I got the following message in the logs:

```
Process Information:
    Process ID:     0xd14
    Process Name:       C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Change Information:
    Old Value Type:     REG_DWORD
    Old Value:      3
    New Value Type:     REG_DWORD
    New Value:      4
```

undergroundwires commented 12 months ago

4 means disabled. So what we need to do is to track down what's re-enabling this WaaSMedicSvc. I'm not sure if there's any other mechanism than the scheduled tasks that kicks in to do stuff like this. Looking forward to see the audit report for seeing which process changes it to 4 again. Meanwhile, I'll push some updates to handle scheduled tasks better, I plan to add maintenance cache cleanup and volatile setting for all scheduled tasks that privacy.sexy disables.
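Once registry auditing is set up on `HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc` as described in the two comments above, the audit records can be pulled from the Security log instead of read one by one in Event Viewer. The script below is an added example, not code from either commenter; it assumes the records are Security event ID 4657 ("A registry value was modified"), the event whose "Process Information" / "Change Information" layout is quoted above, and the function name `Get-ServiceStartChange` is hypothetical. Run it elevated.

```powershell
# Added example: report every audited change to a service's 'Start' value,
# with the process that made it. Requires the Registry audit subcategory and
# an auditing entry (SACL) on the service key, as set up in the thread.
function Get-ServiceStartChange {
    param(
        [string]   $ServiceName = 'WaaSMedicSvc',
        [datetime] $Since = (Get-Date).AddDays(-14)
    )

    # Meaning of the service 'Start' DWORD (3 and 4 are the values seen in the log above).
    $startTypes = @{
        '0' = 'Boot'; '1' = 'System'; '2' = 'Automatic'; '3' = 'Manual'; '4' = 'Disabled'
    }

    $filter = @{ LogName = 'Security'; Id = 4657; StartTime = $Since }
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

    foreach ($event in $events) {
        # Flatten <EventData><Data Name="...">value</Data></EventData> into a table.
        $xml = [xml] $event.ToXml()
        $data = @{}
        foreach ($node in $xml.Event.EventData.Data) {
            $data[$node.Name] = $node.'#text'
        }

        # ObjectName looks like \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\<name>.
        if ($data['ObjectName'] -notlike "*\Services\$ServiceName") { continue }
        if ($data['ObjectValueName'] -ne 'Start') { continue }

        $old = [string] $data['OldValue']
        $new = [string] $data['NewValue']
        [pscustomobject]@{
            Time        = $event.TimeCreated
            Service     = $ServiceName
            OldStart    = if ($startTypes.ContainsKey($old)) { "$old ($($startTypes[$old]))" } else { $old }
            NewStart    = if ($startTypes.ContainsKey($new)) { "$new ($($startTypes[$new]))" } else { $new }
            ProcessId   = $data['ProcessId']
            ProcessName = $data['ProcessName']
            User        = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
        }
    }
}

# Oldest first, so the last row is whatever most recently changed the setting.
$changes = @(Get-ServiceStartChange -ServiceName 'WaaSMedicSvc' | Sort-Object Time)
if ($changes.Count -eq 0) {
    Write-Output 'No audited Start changes found; check that registry auditing is enabled on the key.'
} else {
    $changes | Format-Table Time, OldStart, NewStart, ProcessId, ProcessName, User -AutoSize
}
```

A row whose `NewStart` is anything other than `4 (Disabled)` identifies the process that re-enabled the service.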

j7j2 commented 11 months ago

I was away for a few days and yep the thing is back online and TiWorker is loading the hard drive of the machine like hell and the thing is installing an update while i'm trying to use the computer. Last thing I tried was on nov. 2nd.

Let me know what to try next and if some audit need to be turned on manually. Just drop bat files down there and if there is a result to paste back let me know i'll give it a try. WinUpdateBackOn

undergroundwires commented 11 months ago

Thanks for testing those keys @j7j2. These early insights give real value when we can roll a solution out for everyone.

Now that we verify that those do not work, this is the last key series I would want us to check if they work. They're all extracted from official Microsoft docs, instead of disabling they attempt to pause and postpone the updates as much as possible.

Apply:

@echo off
:: https://privacy.sexy — v0.12.6 — Fri, 10 Nov 2023 14:49:06 GMT
:: Ensure admin privileges
fltmc >nul 2>&1 || (
    echo Administrator privileges are required.
    PowerShell Start -Verb RunAs '%0' 2> nul || (
        echo Right-click on the script and select "Run as administrator".
        pause & exit 1
    )
    exit 0
)
:: Initialize environment
setlocal EnableExtensions DisableDelayedExpansion

:: Maximize "feature updates" and "preview builds" auto-update triggers
echo --- Maximize "feature updates" and "preview builds" auto-update triggers
PowerShell -ExecutionPolicy Unrestricted -Command "$currentTime = (Get-Date).ToString('yyyy-MM-ddTHH:mm:ssZ'); <# GPO #>; reg add "^""HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate"^"" /v "^""PauseFeatureUpdatesStartTime"^"" /t "^""REG_SZ"^"" /d "^""$currentTime"^"" /f; reg add "^""HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate"^"" /v "^""PauseFeatureUpdates"^"" /t "^""REG_DWORD"^"" /d 1 /f; reg add "^""HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate"^"" /v "^""DeferFeatureUpdates"^"" /t "^""REG_DWORD"^"" /d 1 /f; reg add "^""HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate"^"" /v "^""DeferFeatureUpdatesPeriodInDays"^"" /d "^""365"^"" /t "^""REG_DWORD"^"" /f; reg add "^""HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate"^"" /v "^""Pause"^"" /t "^""REG_DWORD"^"" /d "^""1"^"" /f; <# State #>; reg add "^""HKLM\SOFTWARE\Microsoft\WindowsUpdate\UpdatePolicy\Settings"^"" /v "^""PausedFeatureStatus"^"" /t "^""REG_DWORD"^"" /d "^""1"^"" /f; reg add "^""HKLM\SOFTWARE\Microsoft\WindowsUpdate\UpdatePolicy\Settings"^"" /v "^""PausedFeatureDate"^"" /t "^""REG_SZ"^"" /d "^""$currentTime"^"" /f; reg add "^""HKLM\SOFTWARE\Microsoft\WindowsUpdate\UpdatePolicy\PolicyState"^"" /v "^""DeferFeatureUpdates"^"" /d "^""1"^"" /t "^""REG_DWORD"^"" /f; <# MDM (PolicyManager) #>; reg add "^""HKLM\SOFTWARE\Microsoft\PolicyManager\default\Update\Pause"^"" /v "^""value"^"" /t "^""REG_DWORD"^"" /d "^""1"^"" /f; reg add "^""HKLM\SOFTWARE\Microsoft\PolicyManager\default\Update\PauseFeatureUpdates"^"" /v "^""value"^"" /t "^""REG_DWORD"^"" /d "^""1"^"" /f; reg add "^""HKLM\SOFTWARE\Microsoft\PolicyManager\default\Update\PauseFeatureUpdatesStartTime"^"" /v "^""value"^"" /t "^""REG_SZ"^"" /d "^""$currentTime"^"" /f; reg add "^""HKLM\SOFTWARE\Microsoft\PolicyManager\default\Update\DeferFeatureUpdatesPeriodInDays"^"" /v "^""value"^"" /t "^""REG_DWORD"^"" /d "^""365"^"" /f; reg add "^""HKLM\SOFTWARE\Microsoft\PolicyManager\default\Update\ConfigureDeadlineForFeatureUpdates"^"" /v "^""value"^"" /t "^""REG_DWORD"^"" /d "^""30"^"" /f"
:: ----------------------------------------------------------

:: ----------------------------------------------------------
:: -----Maximize "quality updates" auto-update triggers------
:: ----------------------------------------------------------
echo --- Maximize "quality updates" auto-update triggers
PowerShell -ExecutionPolicy Unrestricted -Command "$currentTime = (Get-Date).ToString('yyyy-MM-ddTHH:mm:ssZ'); <# GPO #>; reg add "^""HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate"^"" /v "^""Pause"^"" /t "^""REG_DWORD"^"" /d "^""1"^"" /f; reg add "^""HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate"^"" /v "^""PauseQualityUpdates"^"" /t "^""REG_DWORD"^"" /d "^""1"^"" /f; reg add "^""HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate"^"" /v "^""PauseQualityUpdatesStartTime"^"" /t "^""REG_SZ"^"" /d "^""$currentTime"^"" /f; reg add "^""HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate"^"" /v "^""DeferQualityUpdates"^"" /t "^""REG_DWORD"^"" /d 1 /f; reg add "^""HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate"^"" /v "^""DeferQualityUpdatesPeriodInDays"^"" /d "^""35"^"" /t "^""REG_DWORD"^"" /f; <# State #>; reg add "^""HKLM\SOFTWARE\Microsoft\WindowsUpdate\UpdatePolicy\Settings"^"" /v "^""PausedQualityStatus"^"" /t "^""REG_DWORD"^"" /d "^""1"^"" /f; reg add "^""HKLM\SOFTWARE\Microsoft\WindowsUpdate\UpdatePolicy\Settings"^"" /v "^""PausedQualityDate"^"" /t "^""REG_SZ"^"" /d "^""$currentTime"^"" /f; reg add "^""HKLM\SOFTWARE\Microsoft\WindowsUpdate\UpdatePolicy\PolicyState"^"" /v "^""DeferQualityUpdates"^"" /d "^""1"^"" /t "^""REG_DWORD"^"" /f; <# MDM (PolicyManager) #>; reg add "^""HKLM\SOFTWARE\Microsoft\PolicyManager\default\Update\Pause"^"" /v "^""value"^"" /t "^""REG_DWORD"^"" /d "^""1"^"" /f; reg add "^""HKLM\SOFTWARE\Microsoft\PolicyManager\default\Update\PauseQualityUpdates"^"" /v "^""value"^"" /t "^""REG_DWORD"^"" /d "^""1"^"" /f; reg add "^""HKLM\SOFTWARE\Microsoft\PolicyManager\default\Update\PauseQualityUpdatesStartTime"^"" /v "^""value"^"" /t "^""REG_SZ"^"" /d "^""$currentTime"^"" /f; reg add "^""HKLM\SOFTWARE\Microsoft\PolicyManager\default\Update\DeferQualityUpdatesPeriodInDays"^"" /v "^""value"^"" /t "^""REG_DWORD"^"" /d "^""35"^"" /f; reg add "^""HKLM\SOFTWARE\Microsoft\PolicyManager\default\Update\ConfigureDeadlineForQualityUpdates"^"" /v "^""value"^"" /t "^""REG_DWORD"^"" /d "^""30"^"" /f"
:: ----------------------------------------------------------

:: ----------------------------------------------------------
:: ------------Maximize update and upgrade delays------------
:: ----------------------------------------------------------
echo --- Maximize update and upgrade delays
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v "DeferUpdate" /t REG_DWORD /d "1" /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v "DeferUpgrade" /t REG_DWORD /d "1" /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v "DeferUpdatePeriod" /t REG_DWORD /d "4" /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v "DeferUpgradePeriod" /t REG_DWORD /d "8" /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v "PauseDeferrals" /t REG_DWORD /d "1" /f
reg add "HKLM\SOFTWARE\Microsoft\PolicyManager\default\Update\RequireDeferUpgrade" /v "value" /t "REG_DWORD" /d "1" /f
reg add "HKLM\SOFTWARE\Microsoft\PolicyManager\default\Update\RequireDeferUpdate" /v "value" /t "REG_DWORD" /d "1" /f
:: ----------------------------------------------------------

:: Pause the script to view the final state
pause
:: Restore previous environment settings
endlocal
:: Exit the script successfully
exit /b 0

Could you apply the script above and let us know later if updates come back again?

If you want to restore OS default state (and enable updates again) later:

enable-updates.bat

```batchfile
@echo off
:: https://privacy.sexy — v0.12.6 — Fri, 10 Nov 2023 14:49:06 GMT
:: Ensure admin privileges
fltmc >nul 2>&1 || (
    echo Administrator privileges are required.
    PowerShell Start -Verb RunAs '%0' 2> nul || (
        echo Right-click on the script and select "Run as administrator".
        pause & exit 1
    )
    exit 0
)
:: Initialize environment
setlocal EnableExtensions DisableDelayedExpansion

:: ----------------------------------------------------------
:: -------Maximize update and upgrade delays (revert)--------
:: ----------------------------------------------------------
echo --- Maximize update and upgrade delays (revert)
reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v "DeferUpdate" /f 2>nul
reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v "DeferUpgrade" /f 2>nul
reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v "DeferUpdatePeriod" /f 2>nul
reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v "DeferUpgradePeriod" /f 2>nul
reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v "PauseDeferrals" /f 2>nul
reg add "HKLM\SOFTWARE\Microsoft\PolicyManager\default\Update\RequireDeferUpgrade" /v "value" /t "REG_DWORD" /d "0" /f
reg delete "HKLM\SOFTWARE\Microsoft\PolicyManager\default\Update\RequireDeferUpdate" /v "value" /f 2>nul
:: ----------------------------------------------------------

:: ----------------------------------------------------------
:: -Maximize "quality updates" auto-update triggers (revert)-
:: ----------------------------------------------------------
echo --- Maximize "quality updates" auto-update triggers (revert)
PowerShell -ExecutionPolicy Unrestricted -Command "<# GPO #>; reg delete "^""HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate"^"" /v "^""Pause"^"" /f 2>$null; reg delete "^""HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate"^"" /v "^""PauseQualityUpdates"^"" /f 2>$null; reg delete "^""HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate"^"" /v "^""PauseQualityUpdatesStartTime"^"" /f 2>$null; reg delete "^""HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate"^"" /v "^""DeferQualityUpdates"^"" /f 2>$null; reg delete "^""HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate"^"" /v "^""DeferQualityUpdatesPeriodInDays"^"" /f 2>$null; <# State #>; reg add "^""HKLM\SOFTWARE\Microsoft\WindowsUpdate\UpdatePolicy\Settings"^"" /v "^""PausedQualityStatus"^"" /t "^""REG_DWORD"^"" /d "^""0"^"" /f; reg delete "^""HKLM\SOFTWARE\Microsoft\WindowsUpdate\UpdatePolicy\Settings"^"" /v "^""PausedQualityDate"^"" /f 2>$null; reg add "^""HKLM\SOFTWARE\Microsoft\WindowsUpdate\UpdatePolicy\PolicyState"^"" /v "^""DeferQualityUpdates"^"" /t "^""REG_DWORD"^"" /d "^""0"^"" /f; <# MDM (PolicyManager) #>; reg delete "^""HKLM\SOFTWARE\Microsoft\PolicyManager\default\Update\Pause"^"" /v "^""value"^"" /f 2>$null; reg add "^""HKLM\SOFTWARE\Microsoft\PolicyManager\default\Update\PauseQualityUpdates"^"" /v "^""value"^"" /t "^""REG_DWORD"^"" /d "^""0"^"" /f; reg delete "^""HKLM\SOFTWARE\Microsoft\PolicyManager\default\Update\PauseQualityUpdatesStartTime"^"" /v "^""value"^"" /f 2>$null; reg add "^""HKLM\SOFTWARE\Microsoft\PolicyManager\default\Update\DeferQualityUpdatesPeriodInDays"^"" /v "^""value"^"" /t "^""REG_DWORD"^"" /d "^""0"^"" /f; reg add "^""HKLM\SOFTWARE\Microsoft\PolicyManager\default\Update\ConfigureDeadlineForQualityUpdates"^"" /v "^""value"^"" /t "^""REG_DWORD"^"" /d "^""7"^"" /f"
:: ----------------------------------------------------------

:: Maximize "feature updates" and "preview builds" auto-update triggers (revert)
echo --- Maximize "feature updates" and "preview builds" auto-update triggers (revert)
PowerShell -ExecutionPolicy Unrestricted -Command "<# GPO #>; reg delete "^""HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate"^"" /v "^""PauseFeatureUpdatesStartTime"^"" /f 2>$null; reg delete "^""HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate"^"" /v "^""PauseFeatureUpdates"^"" /f 2>$null; reg delete "^""HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate"^"" /v "^""DeferFeatureUpdates"^"" /f 2>$null; reg delete "^""HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate"^"" /v "^""DeferFeatureUpdatesPeriodInDays"^"" /f 2>$null; reg delete "^""HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate"^"" /v "^""Pause"^"" /f 2>$null; <# State #>; reg add "^""HKLM\SOFTWARE\Microsoft\WindowsUpdate\UpdatePolicy\Settings"^"" /v "^""PausedFeatureStatus"^"" /t "^""REG_DWORD"^"" /d "^""0"^"" /f; reg delete "^""HKLM\SOFTWARE\Microsoft\WindowsUpdate\UpdatePolicy\Settings"^"" /v "^""PausedFeatureDate"^"" /f 2>$null; reg add "^""HKLM\SOFTWARE\Microsoft\WindowsUpdate\UpdatePolicy\PolicyState"^"" /v "^""DeferFeatureUpdates"^"" /d "^""0"^"" /t "^""REG_DWORD"^"" /f; <# MDM (PolicyManager) #>; reg delete "^""HKLM\SOFTWARE\Microsoft\PolicyManager\default\Update\Pause"^"" /v "^""value"^"" /f 2>$null; reg add "^""HKLM\SOFTWARE\Microsoft\PolicyManager\default\Update\PauseFeatureUpdates"^"" /v "^""value"^"" /t "^""REG_DWORD"^"" /d "^""0"^"" /f; reg delete "^""HKLM\SOFTWARE\Microsoft\PolicyManager\default\Update\PauseFeatureUpdatesStartTime"^"" /v "^""value"^"" /f 2>$null; reg add "^""HKLM\SOFTWARE\Microsoft\PolicyManager\default\Update\DeferFeatureUpdatesPeriodInDays"^"" /v "^""value"^"" /t "^""REG_DWORD"^"" /d "^""0"^"" /f; reg add "^""HKLM\SOFTWARE\Microsoft\PolicyManager\default\Update\ConfigureDeadlineForFeatureUpdates"^"" /v "^""value"^"" /t "^""REG_DWORD"^"" /d "^""7"^"" /f"
:: ----------------------------------------------------------

:: Pause the script to view the final state
pause
:: Restore previous environment settings
endlocal
:: Exit the script successfully
exit /b 0
```

j7j2 commented 11 months ago

Well, @undergroundwires I did run that script but i was a bit confused as if something else must be run before it as... is that last script just an add on to the regular one for disabling everything? I am noticing that services are still running and i'm not sure if we have a more up to date script to disable it first than the one on your post 3 weeks ago on the 17th of october?

j7j2 commented 11 months ago

@undergroundwires Well, I went ahead and ran first the script from the oct 17 and then that last one and windows update service and the medic one is still up? i'm confused.

undergroundwires commented 11 months ago

Hi @j7j2, it's all good. Sorry for the confusion. I'm trying to solve this using Microsoft documented solutions with you, so that's why I asked you to run the latest script instead of disabling services/tasks. If Microsoft acts like it documents, the last script only should disable or at least cripple all auto updates for a long period.

For your context, disabling services/scheduled tasks is resort 2, if these keys do not work, and we're not able to disable those as we want because Automatic maintenance keeps re-enabling some scheduled tasks. We know that disabling the whole automatic maintenance solves this, but it's doing too much and disabling a bunch of other stuff as a side effect. I tried to solve this through two scripts in https://github.com/undergroundwires/privacy.sexy/issues/272#issuecomment-1780318682

Deleting the scheduled tasks may have solved it (giving some time to see fruit of @TheAndr0id's latest test), if that one works I will add a logic to soft-delete these tasks and then re-enable those. But as I said, let's give the keys a last try because we go harder with disabling these tasks.

Btw, it's very useful if you can share link to my comments, I have hard time finding out which comments you mean by date in GitHub's UI.

undergroundwires commented 11 months ago

Btw, I figured out how to remove tasks from maintenance list properly instead of deleting the tasks completely. I will test this and prepare a script in following weeks.

undergroundwires commented 11 months ago

Is there anyone running Windows on a laptop? I wonder if there are any scheduled tasks we're missing? I don't have the opportunity to test this on laptops.

I'm particularly interested in existence of these tasks:

To easily list all update-related tasks you can use following:

```powershell
@('\Microsoft\Windows\UpdateOrchestrator\*', '\Microsoft\Windows\WindowsUpdate\*', '\Microsoft\Windows\WaaSMedic\*', '\Microsoft\Windows\InstallService\*') `
    | ForEach-Object { Get-ScheduledTask -TaskName '*' -TaskPath $_ -ErrorAction SilentlyContinue } `
    | ForEach-Object { Write-Host "$($_.TaskPath)$($_.TaskName)" }
```

j7j2 commented 11 months ago

@undergroundwires I'm on a laptop but to ease things off, I can offer you a remote access to my machine at the time of your choice. AnyDesk is easy to use. I'm sending you an email right away.

atomGit commented 11 months ago

> ...but the UI does not permit postponing a lot,...

ha! that reminds me (NSFW)

rant coming - don't say i didn't warn ya...

i genuinely feel sorry for those that are forced to use winBlows by their employer, but those of you that do have a choice need to accept the fact that you cannot have any reasonable expectation of privacy with a black-box OS regardless of how much or how hard you tweak it, especially with the later editions - you do not use windows, it uses you

that said, there is no magic bullet, but you'd be significantly better off with any popular unix derivative IMO (BSD, Linux)

why use an OS that does what IT wants instead of what YOU want?

i dropped windoze years ago, got my feet wet with linux mint and never looked back - mint makes switching about as easy as it can be, and prepares you for the next step if you want more, and all this nonsense of reg tweaks and privacy tweaks (OS i mean, not the web browser), firewall rules, anti-virus (which is a total joke), worrying about spyware and all the rest of the headaches ... gone! ("gone"=99% gone)

"free" software in the wintendo world is software you don't have to pay for - free software in the *nix world is free, not necessarily in cost, though most of it doesn't cost a dime, but rather as in freedom and this extends well beyond any computer code - it's an ethic - it's a life choice

does switching to *nix solve all your privacy/security problems? NO! there's a lot more nefarious crap going on with proprietary firmware and chip architecture, but at least it's a step in the right direction

if anyone would like help shit-canning winblows, i'll be happy to do what i can - you can grab me at 12bytes.org

TheAndr0id commented 11 months ago

So first, @atomGit I agree totally. I'd dump this in a heartbeat if I didn't have $1000s in Steam product that doesn't run under anything but Windows. I was good running Win 7 until the end of time, but the end of time is now. If someone came up with a Windows binary compatible OS, I'd dump this Microsoft crap as fast as fast can be.

Now, back on topic, IT'S BAAAAAACK!

Yup, all the usual candidates were reenabled and services restarted. Here's my findings, and it doesn't look good... These are ordered in the order they show up in the logs - timestamps are only different by milliseconds. I've also stripped system names out of the logs to protect the innocent.

WaaSMedicSvc Log 1

```
Object:
    Object Server:          Security
    Object Type:            Key
    Object Name:            \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WaaSMedicSvc
    Handle ID:              0x554
    Resource Attributes:    -

Process Information:
    Process ID:             0x34c
    Process Name:           C:\Windows\System32\services.exe

Access Request Information:
    Accesses:               Set key value
    Access Mask:            0x2

Details:
    ObjectServer            Security
    ObjectType              Key
    ObjectName              \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WaaSMedicSvc
    HandleId                0x554
    AccessList              %%4433
    AccessMask              0x2
    ProcessId               0x34c
    ProcessName             C:\Windows\System32\services.exe
    ResourceAttributes      -
```

WaaSMedicSvc Log 2

```
Object:
    Object Name:            \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WaaSMedicSvc
    Object Value Name:      Start
    Handle ID:              0x554
    Operation Type:         Existing registry value modified

Process Information:
    Process ID:             0x34c
    Process Name:           C:\Windows\System32\services.exe

Change Information:
    Old Value Type:         REG_DWORD
    Old Value:              4
    New Value Type:         REG_DWORD
    New Value:              3

Details:
    ObjectName              \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WaaSMedicSvc
    ObjectValueName         Start
    HandleId                0x554
    OperationType           %%1905
    OldValueType            %%1876
    OldValue                4
    NewValueType            %%1876
    NewValue                3
    ProcessId               0x34c
    ProcessName             C:\Windows\System32\services.exe
```

WaaSMedicSvc Log 3

```
Object:
    Object Server:          Security
    Object Type:            Key
    Object Name:            \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WaaSMedicSvc
    Handle ID:              0x554
    Resource Attributes:    -

Process Information:
    Process ID:             0x34c
    Process Name:           C:\Windows\System32\services.exe

Access Request Information:
    Accesses:               Set key value
    Access Mask:            0x2

Details:
    ObjectServer            Security
    ObjectType              Key
    ObjectName              \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WaaSMedicSvc
    HandleId                0x554
    AccessList              %%4433
    AccessMask              0x2
    ProcessId               0x34c
    ProcessName             C:\Windows\System32\services.exe
    ResourceAttributes      -
```

WaaSMedicSvc Log 4

```
Object:
    Object Server:          Security
    Object Type:            Key
    Object Name:            \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WaaSMedicSvc
    Handle ID:              0x554
    Resource Attributes:    -

Process Information:
    Process ID:             0x34c
    Process Name:           C:\Windows\System32\services.exe

Access Request Information:
    Accesses:               Set key value
    Access Mask:            0x2

Details:
    ObjectServer            Security
    ObjectType              Key
    ObjectName              \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WaaSMedicSvc
    HandleId                0x554
    AccessList              %%4433
    AccessMask              0x2
    ProcessId               0x34c
    ProcessName             C:\Windows\System32\services.exe
    ResourceAttributes      -
```

WaaSMedicSvc Log 5

```
Object:
    Object Server:          Security
    Object Type:            Key
    Object Name:            \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WaaSMedicSvc
    Handle ID:              0x558
    Resource Attributes:    -

Process Information:
    Process ID:             0x34c
    Process Name:           C:\Windows\System32\services.exe

Access Request Information:
    Accesses:               Set key value
    Access Mask:            0x2

Details:
    ObjectServer            Security
    ObjectType              Key
    ObjectName              \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WaaSMedicSvc
    HandleId                0x558
    AccessList              %%4433
    AccessMask              0x2
    ProcessId               0x34c
    ProcessName             C:\Windows\System32\services.exe
    ResourceAttributes      -
```

WaaSMedicSvc Log 6

```
Object:
    Object Server:          Security
    Object Type:            Key
    Object Name:            \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WaaSMedicSvc\Parameters
    Handle ID:              0x18c
    Resource Attributes:    -

Process Information:
    Process ID:             0x66c
    Process Name:           C:\Windows\System32\upfc.exe

Access Request Information:
    Accesses:               Set key value
    Access Mask:            0x2

Details:
    ObjectServer            Security
    ObjectType              Key
    ObjectName              \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WaaSMedicSvc\Parameters
    HandleId                0x18c
    AccessList              %%4433
    AccessMask              0x2
    ProcessId               0x66c
    ProcessName             C:\Windows\System32\upfc.exe
    ResourceAttributes      -
```

WaaSMedicSvc Log 7

```
Object:
    Object Server:          Security
    Object Type:            Key
    Object Name:            \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WaaSMedicSvc\Parameters
    Handle ID:              0x18c
    Resource Attributes:    -

Process Information:
    Process ID:             0x66c
    Process Name:           C:\Windows\System32\upfc.exe

Access Request Information:
    Accesses:               Set key value
    Access Mask:            0x2

Details:
    ObjectServer            Security
    ObjectType              Key
    ObjectName              \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WaaSMedicSvc\Parameters
    HandleId                0x18c
    AccessList              %%4433
    AccessMask              0x2
    ProcessId               0x66c
    ProcessName             C:\Windows\System32\upfc.exe
    ResourceAttributes      -
```

Then the rest of the services are enabled starting with wuauserv and then UsoSvc all through the C:\Windows\System32\services.exe process (I'm guessing by WaaSMedicSvc requesting it). I can include those logs if needed, but it's kind of ugly to get them copy-n-pasted in a format that's manageable. (and it's just more of the same as above)

The bad part I see is C:\Windows\System32\services.exe doing most of the work. That tells me this process may be baked into the service manager (from my understanding this starts all system processes under Windows). The one thing that's interesting is the C:\Windows\System32\upfc.exe process near the end that looks to be setting permissions. Maybe it is initiating the services calls to set up the registry entries. I found a page describing this process (the guy fed it through a disassembler) and there's some interesting reading here: What the bleep is UPFC.exe?

I'm beginning to wonder how deep this rabbit hole goes?
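An added example, not part of the original comments: the "Existing registry value modified" record in Log 2 above is Security event 4657, and this PowerShell function picks out the events that change a watched service's `Start` value and names the process that wrote it. The function name is hypothetical, and the sample event is constructed from the Log 2 fields with a made-up timestamp.

```powershell
# Start DWORD -> meaning (4 = Disabled, as discussed in this thread)
$StartType = @{ '0' = 'Boot'; '1' = 'System'; '2' = 'Automatic'; '3' = 'Manual'; '4' = 'Disabled' }

function Get-ServiceStartChange {
    [CmdletBinding()]
    param(
        # Event XML as produced by (Get-WinEvent ...).ToXml()
        [Parameter(Mandatory, ValueFromPipeline)]
        [string] $EventXml,
        # Services to watch: the ones this thread reports as re-enabled
        [string[]] $Service = @('WaaSMedicSvc', 'wuauserv', 'UsoSvc')
    )
    process {
        $evt = ([xml]$EventXml).Event

        # Flatten <Data Name="...">value</Data> elements into a lookup table
        $data = @{}
        foreach ($d in $evt.EventData.Data) { $data[$d.Name] = $d.'#text' }

        # Only the Start value directly under ...\Services\<name> is of interest
        if ($data['ObjectValueName'] -ne 'Start') { return }
        if ($data['ObjectName'] -notmatch '\\Services\\([^\\]+)$') { return }
        $name = $Matches[1]
        if ($Service -notcontains $name) { return }

        $old = [string]$data['OldValue']
        $new = [string]$data['NewValue']
        [pscustomobject]@{
            Time      = $evt.System.TimeCreated.SystemTime
            Service   = $name
            OldStart  = if ($StartType.ContainsKey($old)) { "$old ($($StartType[$old]))" } else { $old }
            NewStart  = if ($StartType.ContainsKey($new)) { "$new ($($StartType[$new]))" } else { $new }
            Reenabled = ($old -eq '4' -and $new -ne '4')
            ProcessId = [Convert]::ToInt32($data['ProcessId'], 16)   # logged as hex, e.g. 0x34c
            Process   = $data['ProcessName']
        }
    }
}

# Constructed sample: field values from "WaaSMedicSvc Log 2", timestamp invented
$sample = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <EventID>4657</EventID>
    <TimeCreated SystemTime="2023-11-11T08:00:00.0000000Z" />
  </System>
  <EventData>
    <Data Name="ObjectName">\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WaaSMedicSvc</Data>
    <Data Name="ObjectValueName">Start</Data>
    <Data Name="HandleId">0x554</Data>
    <Data Name="OperationType">%%1905</Data>
    <Data Name="OldValueType">%%1876</Data>
    <Data Name="OldValue">4</Data>
    <Data Name="NewValueType">%%1876</Data>
    <Data Name="NewValue">3</Data>
    <Data Name="ProcessId">0x34c</Data>
    <Data Name="ProcessName">C:\Windows\System32\services.exe</Data>
  </EventData>
</Event>
'@

$sample | Get-ServiceStartChange | Format-List

# On a live system with the registry audit entry in place (elevated prompt):
# Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4657 } -ErrorAction SilentlyContinue |
#     ForEach-Object { $_.ToXml() } |
#     Get-ServiceStartChange |
#     Where-Object Reenabled
```

Service configuration changes are written by the Service Control Manager on behalf of whoever requested them, so `services.exe` in the `Process` column means the event alone does not identify the original caller.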

TheAndr0id commented 11 months ago

From the above link on UPFC, I did some looking into my system here, and under the registry HKLM\SYSTEM\WaaS\Upfc there is a NextHealthCheckTime entry that was set for 2 days from now. So, I went under Windows/WaaS and moved all of the files under services and tasks into another directory. (So I can put it back if bad things happen).

This of course is all under Trusted Installer. I broke down and downloaded nsudo to get the job done.

There's a couple of extra items of note under that registry entry for upfc, the above NextHealthCheckTime, and a InstanceInProgress which if set causes upfc.exe to just exit. Setting the check time to year 9999 might work (if upfc doesn't check) or telling upfc that it's already running ALWAYS once again as long as upfc.exe is stoopid....

My NextHealthCheckTime is Nov 18th, so we'll see if things come back or not.

undergroundwires commented 11 months ago

I created a discord channel at https://discord.gg/aYevx2N8a3, feel free to join @j7j2 so we can take a closer look at the scheduled services. I will add disabling these scheduling tasks in next patch, so would be nice to verify if there's differences with laptop users.

Thank you for all of your research and reports @TheAndr0id. Your work does not only contribute to this tool for whole humanity 🙂. I scanned almost all related projects, and there's no one who figured out the process yet.

Let me know if you need revert data for anything to restore tasks etc.

So now we know that there's something else triggering these rather than scheduled tasks. C:\Windows\System32\services.exe might be there because someone is starting this service through sc start. I verify that this key exists on both W10 22H2 and W11 23H2. HKLM\SYSTEM\WaaS looks interesting, HKLM\SYSTEM\WaaS\WaaSMedic\State\ has BlockUntilTimeStatus key (and all the subkeys have this). We could play around with changing these values, or even removing read access of TrustedInstaller from HKLM\SYSTEM\WaaS keys.

But there can be a cleaner way: As we identify upfc.exe as a service overriding the user-consent, we can focus on stopping it once tasks/services are disabled. One way would be to attach a debugger process as soon as it's executed, and tell the debugger process to kill the process:

```batchfile
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\upfc.exe" /v "Debugger" /t REG_SZ /d "%WINDIR%\System32\taskkill.exe" /f
```

TheAndr0id commented 11 months ago

Good news everyone! We might just have a chance to stop this nonsense - rejoice!

None of the services or scheduled jobs have re-enabled on my system. HKLM\SYSTEM\WaaS\Upfc\NextHealthCheckTime updated to the 25th of November for its next check time.

The only thing of concern (and I'm not sure if it is new or not) a new registry item showed up -> RemediationFailureCounter which for me is now 1.

I'll watch to see if it increases on the 25th, but I'm concerned that it might force something else to step in if it reaches a threshold. So far Windows/WaaS/Services and Windows/WaaS/Tasks both remain empty. Clearing these directories (or backing them up) might be a way to shut this problem down - or to modify them to do what we want:

Contents of one of the files (the file names seem to be randomish in my case ceb497ee0184aaa4681d2fb2ef242a5b8551eea8.xml):

<?xml version="1.0" encoding="utf-16"?>
<assembly xmlns="urn:schemas-microsoft-com:asm.v3" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" manifestVersion="1.0">
  <memberships>
    <categoryMembership>
      <id name="Microsoft.Windows.Categories.Services" typeName="Service" version="10.0.19041.3570" publicKeyToken="31bf3856ad364e35" />
      <categoryInstance subcategory="WaaSMedicSvc">
        <serviceData dependOnService="rpcss" description="@WaaSMedicSvc.dll,-101" displayName="@WaaSMedicSvc.dll,-100" errorControl="normal" imagePath="%systemroot%\system32\svchost.exe -k wusvcs -p" launchProtected="windowsLight" name="WaaSMedicSvc" objectName="LocalSystem" requiredPrivileges="SeTcbPrivilege,SeChangeNotifyPrivilege,SeImpersonatePrivilege,SeTakeOwnershipPrivilege,SeSecurityPrivilege,SeRestorePrivilege" sidType="unrestricted" start="demand" startAfterInstall="none" type="win32ShareProcess">
          <securityDescriptor name="WAASMEDIC_SERVICE_SDDL" />
          <failureActions resetPeriod="900">
            <actions>
              <action delay="120000" type="restartService" />
              <action delay="300000" type="restartService" />
              <action delay="0" type="none" />
            </actions>
          </failureActions>
        </serviceData>
      </categoryInstance>
    </categoryMembership>
  </memberships>
  <trustInfo>
    <security>
      <accessControl>
        <securityDescriptorDefinitions>
          <securityDescriptorDefinition name="WAASMEDIC_SERVICE_SDDL" sddl="D:(A;;CCLCSWRPLORC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOSDRCWDWO;;;WD)" />
        </securityDescriptorDefinitions>
      </accessControl>
    </security>
  </trustInfo>
</assembly>

As you can see there is a start="demand" in there for the WaaSMedicSvc service. Maybe changing that to disabled(?) or something would do the same without incrementing the RemediationFailureCounter.

These directories are all owned by TrustedInstaller so a wrapper will be needed.

There is one other thing to note that's more on point for privacy.sexy. It also seems that upfc.exe reports back to Microsoft every time it fails or succeeds in fixing Windows Update. It's another telemetry item to add to the todo list.

If you would like a new issue opened for that, I can do it, I have no idea where to start to address that one....
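An added example, not part of the original comments: a read-only PowerShell check that takes a WaaS service manifest like the one quoted above and compares the start mode it declares with the service's current `Start` value, so you can see which services differ from their manifest. The function name is hypothetical, only the `demand` keyword comes from this page (the other keywords in the table are assumed), and the inline manifest is the quoted one trimmed down, with constructed "current" values.

```powershell
# Manifest start keyword -> registry Start DWORD.
# Assumption: only "demand" appears on this page; the rest follow the same naming.
$ManifestStart = @{ boot = 0; system = 1; auto = 2; demand = 3; disabled = 4 }

function Compare-WaaSManifestToService {
    [CmdletBinding()]
    param(
        # Parsed manifest document
        [Parameter(Mandatory)] [xml] $Manifest,
        # Current Start values keyed by service name (live registry data or test data)
        [Parameter(Mandatory)] [hashtable] $CurrentStart
    )
    foreach ($instance in $Manifest.assembly.memberships.categoryMembership.categoryInstance) {
        $svc = $instance.serviceData
        if (-not $svc) { continue }   # category without service data

        $declared = $ManifestStart[$svc.start]
        $current  = $CurrentStart[$svc.name]
        # Recovery actions the manifest asks for, e.g. restartService@120000ms
        $actions  = @($svc.failureActions.actions.action) |
            Where-Object { $_ } |
            ForEach-Object { "$($_.type)@$($_.delay)ms" }

        [pscustomobject]@{
            Service         = $svc.name
            DeclaredStart   = "$($svc.start) ($declared)"
            CurrentStart    = $current
            Differs         = ($null -ne $current -and $null -ne $declared -and $current -ne $declared)
            RunsAs          = $svc.objectName
            LaunchProtected = $svc.launchProtected
            FailureActions  = $actions -join ', '
        }
    }
}

# Constructed sample: the manifest quoted above, trimmed (XML declaration omitted)
$sampleManifest = [xml]@'
<assembly xmlns="urn:schemas-microsoft-com:asm.v3" manifestVersion="1.0">
  <memberships>
    <categoryMembership>
      <id name="Microsoft.Windows.Categories.Services" typeName="Service" />
      <categoryInstance subcategory="WaaSMedicSvc">
        <serviceData name="WaaSMedicSvc" objectName="LocalSystem" start="demand"
                     launchProtected="windowsLight" type="win32ShareProcess">
          <failureActions resetPeriod="900">
            <actions>
              <action delay="120000" type="restartService" />
              <action delay="300000" type="restartService" />
              <action delay="0" type="none" />
            </actions>
          </failureActions>
        </serviceData>
      </categoryInstance>
    </categoryMembership>
  </memberships>
</assembly>
'@

# Constructed "current" state: the service has been set to 4 (Disabled)
$sampleState = @{ WaaSMedicSvc = 4 }

Compare-WaaSManifestToService -Manifest $sampleManifest -CurrentStart $sampleState | Format-List

# Against a real manifest file and the live registry (elevated prompt; <file> is a placeholder):
# $doc = New-Object System.Xml.XmlDocument
# $doc.Load("$env:WINDIR\WaaS\services\<file>.xml")
# $live = @{ WaaSMedicSvc = Get-ItemPropertyValue 'HKLM:\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc' -Name Start }
# Compare-WaaSManifestToService -Manifest $doc -CurrentStart $live
```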

undergroundwires commented 11 months ago

@TheAndr0id, what did you do to disable those?

> I went under Windows/WaaS and moved all of the files under services and tasks into another directory

Was it your last action? What folder exactly was moved? Only Windows/WaaS/Services and Windows/WaaS/Tasks or something else?

To summarize findings:

  1. We figured out that disabling scheduled tasks is not enough. Maintenance service restarts those. We tried different techniques like deleting the services, renaming service files, clearing task maintenance cache etc. We need to find a clear and reversible way to do this. I will do more tests when I have the time and share.
  2. @TheAndr0id's research and findings point to upfc.exe that also needs to be taken care of. This seems to be executed outside of scheduled tasks from another process within Windows. This seems to call sc start to start WaaS service.

We also play around postponing the updates, those options are not as deep in terms of stopping data collection and optimizing the system. Using UX settings breaks update UI on Windows 11, and I don't know if using policies work (@j7j2 did the updates come back for you?), but if we can get this "real" way working, it will be more viable solution.

About getting rid of upfc.exe, should we have this as option under "Disable automatic updates" or "Disable OS data collection" 🤔? If it's under "Disable automatic updates", I can justify this as patch release that is trying to get an existing functionality working properly, or if it's under "Disable OS data collection" then we should create a new issue. We don't seem to know much about this, turning it off may break automatic updates as side-effect, in this case "Disable automatic updates" seems to be the right category. I'm open for any suggestions.

I just added (dee3279f85c99a9c62201a093b1afa41ec2412ec) disabling of update scheduled tasks as first step that will be released this week,

TheAndr0id commented 11 months ago

Basically I used nsudo to run as TrustedInstaller (started a cmd). Did the following steps

```batchfile
cd \Windows\WaaS
mkdir services.old
mkdir tasks.old
move services\*.* services.old\
move tasks\*.* tasks.old\
```

I wouldn't recommend just running the above and expecting it to work. There's no error checking or confirmation going on.

upfc.exe is a single pass run on system start. There's no services to start or keys to update.

As for the maintenance services, it seems like they haven't returned even though the tasks were (for a short period of time) enabled. Maybe I got to them before they were able to reinstall the maintenance tasks.

Current Maintenance Tasks

```
TaskPath                                       TaskName                          State
--------                                       --------                          -----
\Microsoft\Windows\.NET Framework\             .NET Framework NGEN v4.0.30319    Disabled
\Microsoft\Windows\.NET Framework\             .NET Framework NGEN v4.0.30319 64 Disabled
\Microsoft\Windows\.NET Framework\             .NET Framework NGEN v4.0.30319... Disabled
\Microsoft\Windows\.NET Framework\             .NET Framework NGEN v4.0.30319... Disabled
\Microsoft\Windows\Application Experience\     ProgramDataUpdater                Disabled
\Microsoft\Windows\Application Experience\     StartupAppTask                    Disabled
\Microsoft\Windows\ApplicationData\            appuriverifierdaily               Ready
\Microsoft\Windows\ApplicationData\            CleanupTemporaryState             Ready
\Microsoft\Windows\ApplicationData\            DsSvcCleanup                      Disabled
\Microsoft\Windows\AppListBackup\              Backup                            Ready
\Microsoft\Windows\AppxDeploymentClient\       Pre-staged app cleanup            Disabled
\Microsoft\Windows\BrokerInfrastructure\       BgTaskRegistrationMaintenanceTask Ready
\Microsoft\Windows\Chkdsk\                     ProactiveScan                     Disabled
\Microsoft\Windows\CloudRestore\               Backup                            Disabled
\Microsoft\Windows\Customer Experience Impr... UsbCeip                           Disabled
\Microsoft\Windows\Defrag\                     ScheduledDefrag                   Disabled
\Microsoft\Windows\Device Setup\               Metadata Refresh                  Ready
\Microsoft\Windows\Diagnosis\                  Scheduled                         Disabled
\Microsoft\Windows\DiskCleanup\                SilentCleanup                     Disabled
\Microsoft\Windows\DiskDiagnostic\             Microsoft-Windows-DiskDiagnost... Disabled
\Microsoft\Windows\DiskFootprint\              Diagnostics                       Ready
\Microsoft\Windows\DiskFootprint\              StorageSense                      Ready
\Microsoft\Windows\Feedback\Siuf\              DmClient                          Disabled
\Microsoft\Windows\FileHistory\                File History (maintenance mode)   Disabled
\Microsoft\Windows\Flighting\FeatureConfig\    UsageDataReporting                Ready
\Microsoft\Windows\HelloFace\                  FODCleanupTask                    Ready
\Microsoft\Windows\LanguageComponentsInstal... Uninstallation                    Disabled
\Microsoft\Windows\License Manager\            TempSignedLicenseExchange         Ready
\Microsoft\Windows\Maintenance\                WinSAT                            Disabled
\Microsoft\Windows\MemoryDiagnostic\           RunFullMemoryDiagnostic           Disabled
\Microsoft\Windows\MUI\                        LPRemove                          Ready
\Microsoft\Windows\PI\                         SecureBootEncodeUEFI              Ready
\Microsoft\Windows\PI\                         Sqm-Tasks                         Ready
\Microsoft\Windows\Power Efficiency Diagnos... AnalyzeSystem                     Disabled
\Microsoft\Windows\RecoveryEnvironment\        VerifyWinRE                       Disabled
\Microsoft\Windows\Registry\                   RegIdleBackup                     Ready
\Microsoft\Windows\Servicing\                  StartComponentCleanup             Ready
\Microsoft\Windows\SettingSync\                BackgroundUploadTask              Ready
\Microsoft\Windows\SharedPC\                   Account Cleanup                   Disabled
\Microsoft\Windows\Shell\                      ThemesSyncedImageDownload         Ready
\Microsoft\Windows\StateRepository\            MaintenanceTasks                  Ready
\Microsoft\Windows\Sysmain\                    HybridDriveCachePrepopulate       Disabled
\Microsoft\Windows\Sysmain\                    HybridDriveCacheRebalance         Disabled
\Microsoft\Windows\Sysmain\                    ResPriStaticDbSync                Ready
\Microsoft\Windows\Sysmain\                    WsSwapAssessmentTask              Ready
\Microsoft\Windows\SystemRestore\              SR                                Disabled
\Microsoft\Windows\Time Synchronization\       SynchronizeTime                   Ready
\Microsoft\Windows\Time Zone\                  SynchronizeTimeZone               Ready
\Microsoft\Windows\Windows Defender\           Windows Defender Cache Mainten... Disabled
\Microsoft\Windows\Windows Defender\           Windows Defender Cleanup          Disabled
\Microsoft\Windows\Windows Defender\           Windows Defender Scheduled Scan   Disabled
\Microsoft\Windows\Windows Defender\           Windows Defender Verification     Disabled
\Microsoft\Windows\WOF\                        WIM-Hash-Validation               Disabled
```

My concern with playing with the update delay settings is Microsoft having a "sanity" check in the update process that overrides the settings and "corrects" the values. Personally I only see the process not running as the only solution.

upfc.exe's primary purpose is to fix the update process. Its reporting to Microsoft that it did is just icing on this turd. I would place it firmly under "Disable automatic updates". From the findings of "What the bleep is UPFC.exe?" it seems upfc.exe only reports to Microsoft if it had to fix the update process, not every time it runs. The big question is: is running no scripts a successful run?

Maybe instead of trying to block upfc.exe's reporting, make it believe everything is fine and it doesn't need to fix anything and thus there's nothing to report.
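A drift check makes the "settings get overridden" concern measurable. The following is an added example, not part of the thread or of privacy.sexy: it records whether the services, scheduled tasks and soft-deleted files named in this thread's scripts are still in the disabled state. The log path and the helper name `New-DriftRecord` are assumptions made for this example.

```powershell
#Requires -RunAsAdministrator
# Added example (not privacy.sexy code): report Windows Update components that
# have left the disabled state the scripts in this thread try to enforce.

# Service, task and file names are the ones used in the scripts in this thread.
$services = 'wuauserv', 'UsoSvc', 'WaaSMedicSvc'
$tasks = @(
    @{ Path = '\Microsoft\Windows\InstallService\'; Name = 'RestoreDevice' }
    @{ Path = '\Microsoft\Windows\InstallService\'; Name = 'ScanForUpdates' }
    @{ Path = '\Microsoft\Windows\InstallService\'; Name = 'ScanForUpdatesAsUser' }
    @{ Path = '\Microsoft\Windows\InstallService\'; Name = 'SmartRetry' }
    @{ Path = '\Microsoft\Windows\InstallService\'; Name = 'WakeUpAndContinueUpdates' }
    @{ Path = '\Microsoft\Windows\InstallService\'; Name = 'WakeUpAndScanForUpdates' }
    @{ Path = '\Microsoft\Windows\WindowsUpdate\';  Name = 'Scheduled Start' }
)
# Only meaningful if the soft-delete step (rename to *.OLD) was applied.
$softDeleted = @(
    "$env:SystemRoot\System32\WaaSMedicSvc.dll"
    "$env:SystemRoot\System32\upfc.exe"
)
# Assumption: log location chosen for this example.
$logPath = Join-Path $env:ProgramData 'update-drift-log.csv'

# Hypothetical helper: one row per checked component.
function New-DriftRecord($Kind, $Name, $Expected, $Actual) {
    [pscustomobject]@{
        Time     = (Get-Date).ToString('s')
        Kind     = $Kind
        Name     = $Name
        Expected = $Expected
        Actual   = $Actual
        # A component that does not exist on this build is not counted as drift.
        Drifted  = ($Actual -ne $Expected) -and ($Actual -ne 'Missing')
    }
}

$records = @()

foreach ($name in $services) {
    # Start = 4 is "Disabled"; this is the registry value the thread's script sets.
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$name"
    $start = (Get-ItemProperty -Path $key -Name Start -ErrorAction SilentlyContinue).Start
    $actual = if ($null -eq $start) { 'Missing' }
              elseif ($start -eq 4) { 'Disabled' }
              else { "Start=$start" }
    $records += New-DriftRecord 'Service' $name 'Disabled' $actual
}

foreach ($t in $tasks) {
    $task = Get-ScheduledTask -TaskPath $t.Path -TaskName $t.Name -ErrorAction Ignore
    $actual = if ($task) { [string]$task.State } else { 'Missing' }
    $records += New-DriftRecord 'Task' ($t.Path + $t.Name) 'Disabled' $actual
}

foreach ($file in $softDeleted) {
    # If the original name exists again, something restored the file.
    $actual = if (Test-Path -LiteralPath $file) { 'Present' } else { 'Absent' }
    $records += New-DriftRecord 'File' $file 'Absent' $actual
}

# Keep a timestamped history so the moment of a revert can be narrowed down.
$records | Export-Csv -Path $logPath -Append -NoTypeInformation

$drifted = @($records | Where-Object { $_.Drifted })
if ($drifted.Count -eq 0) {
    Write-Host 'No drift: all checked components are still disabled.'
} else {
    Write-Warning "$($drifted.Count) component(s) are no longer disabled:"
    $drifted | Format-Table Kind, Name, Expected, Actual -AutoSize
}
```

Run daily from an elevated prompt, the CSV shows on which day a service or task flipped back, which narrows down what re-enabled it.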

undergroundwires commented 11 months ago

Ok then the decision is made, we'll add upfc.exe disabling under "Disable automatic updates", and we can also recommend it on "Strict".

I agree with the lack of sustainability with configurations. Microsoft does not seem to respect them at all.

So I think these additions may do the trick:

  1. Soft-delete WaasMedicSvc.dll.
  2. Soft-delete WaaS remediation definition files at C:\Windows\WaaS.
  3. Soft-delete upfc.exe.
  4. Terminate upfc.exe on start.

That way we'll attack the problem at its heart based on your findings.

The code would look like this (using privacy.sexy's functions, pretty simple and readable):

```yaml
-
  function: SoftDeleteFiles
  parameters:
    fileGlob: '%WINDIR%\WaaS\*'
    grantPermissions: true
    recurse: true
-
  function: SoftDeleteFiles
  parameters:
    fileGlob: '%SYSTEMROOT%\System32\WaaSMedicSvc.dll'
    grantPermissions: true
-
  function: SoftDeleteFiles
  parameters:
    fileGlob: '%SYSTEMROOT%\System32\upfc.exe'
    grantPermissions: true
-
  function: TerminateExecutableOnLaunch
  parameters:
    executableNameWithExtension: upfc.exe
```

I understand that this may feel so complex and exhausting for our testers to test what's going on in this thread. But this is what I believe will do the trick and we can consider it as the last test.

The following script includes disabling of services, scheduled tasks (to be released in a few days) and the points above.

You can run this on top of what you already executed, and I will provide the revert script to completely roll back to the default OS state.

I'd be happy if someone can run the following and provide feedback before release. If this does not work (which should work according to our findings), then I think we can consider soft-deleting service/scheduled task files as you do, this will also fix maintenance service stuff as it will break their ability to start completely, but this requires comprehensive testing and some changes for disabling services/tasks so I would not want to go that road.

Disable updates:

disable-windows-update-with-tasks-services-and-processes.bat

```batchfile
@echo off
:: https://privacy.sexy — v0.12.7 — Sat, 25 Nov 2023 19:05:03 GMT
:: Ensure admin privileges
fltmc >nul 2>&1 || (
    echo Administrator privileges are required.
    PowerShell Start -Verb RunAs '%0' 2> nul || (
        echo Right-click on the script and select "Run as administrator".
        pause & exit 1
    )
    exit 0
)
:: Initialize environment
setlocal EnableExtensions DisableDelayedExpansion

:: ----------------------------------------------------------
:: ------Disable "Windows Update" (`wuauserv`) service-------
:: ----------------------------------------------------------
echo --- Disable "Windows Update" (`wuauserv`) service
PowerShell -ExecutionPolicy Unrestricted -Command "$serviceName = 'wuauserv'; Write-Host "^""Disabling service: `"^""$serviceName`"^""."^""; <# -- 1. Skip if service does not exist #>; $service = Get-Service -Name $serviceName -ErrorAction SilentlyContinue; if(!$service) {; Write-Host "^""Service `"^""$serviceName`"^"" could not be not found, no need to disable it."^""; Exit 0; }; <# -- 2. Stop if running #>; if ($service.Status -eq [System.ServiceProcess.ServiceControllerStatus]::Running) {; Write-Host "^""`"^""$serviceName`"^"" is running, stopping it."^""; try {; Stop-Service -Name "^""$serviceName"^"" -Force -ErrorAction Stop; Write-Host "^""Stopped `"^""$serviceName`"^"" successfully."^""; } catch {; Write-Warning "^""Could not stop `"^""$serviceName`"^"", it will be stopped after reboot: $_"^""; }; } else {; Write-Host "^""`"^""$serviceName`"^"" is not running, no need to stop."^""; }; <# -- 3. 
Skip if already disabled #>; $startupType = $service.StartType <# Does not work before .NET 4.6.1 #>; if(!$startupType) {; $startupType = (Get-WmiObject -Query "^""Select StartMode From Win32_Service Where Name='$serviceName'"^"" -ErrorAction Ignore).StartMode; if(!$startupType) {; $startupType = (Get-WmiObject -Class Win32_Service -Property StartMode -Filter "^""Name='$serviceName'"^"" -ErrorAction Ignore).StartMode; }; }; if($startupType -eq 'Disabled') {; Write-Host "^""$serviceName is already disabled, no further action is needed"^""; }; <# -- 4. Disable service #>; try {; Set-Service -Name "^""$serviceName"^"" -StartupType Disabled -Confirm:$false -ErrorAction Stop; Write-Host "^""Disabled `"^""$serviceName`"^"" successfully."^""; } catch {; Write-Error "^""Could not disable `"^""$serviceName`"^"": $_"^""; }" :: ---------------------------------------------------------- :: ---------------------------------------------------------- :: -----Disable "Update Orchestrator Service" (`UsoSvc`)----- :: ---------------------------------------------------------- echo --- Disable "Update Orchestrator Service" (`UsoSvc`) PowerShell -ExecutionPolicy Unrestricted -Command "$serviceName = 'UsoSvc'; Write-Host "^""Disabling service: `"^""$serviceName`"^""."^""; <# -- 1. Skip if service does not exist #>; $service = Get-Service -Name $serviceName -ErrorAction SilentlyContinue; if(!$service) {; Write-Host "^""Service `"^""$serviceName`"^"" could not be not found, no need to disable it."^""; Exit 0; }; <# -- 2. 
Stop if running #>; if ($service.Status -eq [System.ServiceProcess.ServiceControllerStatus]::Running) {; Write-Host "^""`"^""$serviceName`"^"" is running, stopping it."^""; try {; Stop-Service -Name "^""$serviceName"^"" -Force -ErrorAction Stop; Write-Host "^""Stopped `"^""$serviceName`"^"" successfully."^""; } catch {; Write-Warning "^""Could not stop `"^""$serviceName`"^"", it will be stopped after reboot: $_"^""; }; } else {; Write-Host "^""`"^""$serviceName`"^"" is not running, no need to stop."^""; }; <# -- 3. Skip if already disabled #>; $startupType = $service.StartType <# Does not work before .NET 4.6.1 #>; if(!$startupType) {; $startupType = (Get-WmiObject -Query "^""Select StartMode From Win32_Service Where Name='$serviceName'"^"" -ErrorAction Ignore).StartMode; if(!$startupType) {; $startupType = (Get-WmiObject -Class Win32_Service -Property StartMode -Filter "^""Name='$serviceName'"^"" -ErrorAction Ignore).StartMode; }; }; if($startupType -eq 'Disabled') {; Write-Host "^""$serviceName is already disabled, no further action is needed"^""; }; <# -- 4. Disable service #>; try {; Set-Service -Name "^""$serviceName"^"" -StartupType Disabled -Confirm:$false -ErrorAction Stop; Write-Host "^""Disabled `"^""$serviceName`"^"" successfully."^""; } catch {; Write-Error "^""Could not disable `"^""$serviceName`"^"": $_"^""; }" :: ---------------------------------------------------------- :: ---------------------------------------------------------- :: -Disable "Windows Update Medic Service" (`WaaSMedicSvc`)-- :: ---------------------------------------------------------- echo --- Disable "Windows Update Medic Service" (`WaaSMedicSvc`) PowerShell -ExecutionPolicy Unrestricted -Command "$serviceQuery = 'WaaSMedicSvc'; <# -- 1. 
Skip if service does not exist #>; $service = Get-Service -Name $serviceQuery -ErrorAction SilentlyContinue; if(!$service) {; Write-Host "^""Service query `"^""$serviceQuery`"^"" did not yield any results, no need to disable it."^""; Exit 0; }; $serviceName = $service.Name; Write-Host "^""Disabling service: `"^""$serviceName`"^""."^""; <# -- 2. Stop if running #>; if ($service.Status -eq [System.ServiceProcess.ServiceControllerStatus]::Running) {; Write-Host "^""`"^""$serviceName`"^"" is running, trying to stop it."^""; try {; Stop-Service -Name "^""$serviceName"^"" -Force -ErrorAction Stop; Write-Host "^""Stopped `"^""$serviceName`"^"" successfully."^""; } catch {; Write-Warning "^""Could not stop `"^""$serviceName`"^"", it will be stopped after reboot: $_"^""; }; } else {; Write-Host "^""`"^""$serviceName`"^"" is not running, no need to stop."^""; }; <# -- 3. Skip if service info is not found in registry #>; $registryKey = "^""HKLM:\SYSTEM\CurrentControlSet\Services\$serviceName"^""; if(!(Test-Path $registryKey)) {; Write-Host "^""`"^""$registryKey`"^"" is not found in registry, cannot enable it."^""; Exit 0; }; <# -- 4. Skip if already disabled #>; if( $(Get-ItemProperty -Path "^""$registryKey"^"").Start -eq 4) {; Write-Host "^""`"^""$serviceName`"^"" is already disabled from start, no further action is needed."^""; Exit 0; }; <# -- 5. 
Disable service #>; try {; Set-ItemProperty $registryKey -Name Start -Value 4 -Force -ErrorAction Stop; Write-Host "^""Disabled `"^""$serviceName`"^"" successfully."^""; } catch {; Write-Error "^""Could not disable `"^""$serviceName`"^"": $_"^""; }" :: Soft delete files matching pattern (with additional permissions) : "%SYSTEMROOT%\System32\WaaSMedicSvc.dll" PowerShell -ExecutionPolicy Unrestricted -Command "$pathGlobPattern = "^""%SYSTEMROOT%\System32\WaaSMedicSvc.dll"^""; $expandedPath = [System.Environment]::ExpandEnvironmentVariables($pathGlobPattern); Write-Host "^""Searching for items matching pattern: `"^""$($expandedPath)`"^""."^""; $renamedCount = 0; $skippedCount = 0; $failedCount = 0; Add-Type -TypeDefinition "^""using System;`r`nusing System.Runtime.InteropServices;`r`npublic class Privileges {`r`n [DllImport(`"^""advapi32.dll`"^"", ExactSpelling = true, SetLastError = true)]`r`n internal static extern bool AdjustTokenPrivileges(IntPtr htok, bool disall,`r`n ref TokPriv1Luid newst, int len, IntPtr prev, IntPtr relen);`r`n [DllImport(`"^""advapi32.dll`"^"", ExactSpelling = true, SetLastError = true)]`r`n internal static extern bool OpenProcessToken(IntPtr h, int acc, ref IntPtr phtok);`r`n [DllImport(`"^""advapi32.dll`"^"", SetLastError = true)]`r`n internal static extern bool LookupPrivilegeValue(string host, string name, ref long pluid);`r`n [StructLayout(LayoutKind.Sequential, Pack = 1)]`r`n internal struct TokPriv1Luid {`r`n public int Count;`r`n public long Luid;`r`n public int Attr;`r`n }`r`n internal const int SE_PRIVILEGE_ENABLED = 0x00000002;`r`n internal const int TOKEN_QUERY = 0x00000008;`r`n internal const int TOKEN_ADJUST_PRIVILEGES = 0x00000020;`r`n public static bool AddPrivilege(string privilege) {`r`n try {`r`n bool retVal;`r`n TokPriv1Luid tp;`r`n IntPtr hproc = GetCurrentProcess();`r`n IntPtr htok = IntPtr.Zero;`r`n retVal = OpenProcessToken(hproc, TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, ref htok);`r`n tp.Count = 1;`r`n tp.Luid = 0;`r`n 
tp.Attr = SE_PRIVILEGE_ENABLED;`r`n retVal = LookupPrivilegeValue(null, privilege, ref tp.Luid);`r`n retVal = AdjustTokenPrivileges(htok, false, ref tp, 0, IntPtr.Zero, IntPtr.Zero);`r`n return retVal;`r`n } catch (Exception ex) {`r`n throw new Exception(`"^""Failed to adjust token privileges`"^"", ex);`r`n }`r`n }`r`n public static bool RemovePrivilege(string privilege) {`r`n try {`r`n bool retVal;`r`n TokPriv1Luid tp;`r`n IntPtr hproc = GetCurrentProcess();`r`n IntPtr htok = IntPtr.Zero;`r`n retVal = OpenProcessToken(hproc, TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, ref htok);`r`n tp.Count = 1;`r`n tp.Luid = 0;`r`n tp.Attr = 0; // This line is changed to revoke the privilege`r`n retVal = LookupPrivilegeValue(null, privilege, ref tp.Luid);`r`n retVal = AdjustTokenPrivileges(htok, false, ref tp, 0, IntPtr.Zero, IntPtr.Zero);`r`n return retVal;`r`n } catch (Exception ex) {`r`n throw new Exception(`"^""Failed to adjust token privileges`"^"", ex);`r`n }`r`n }`r`n [DllImport(`"^""kernel32.dll`"^"", CharSet = CharSet.Auto)]`r`n public static extern IntPtr GetCurrentProcess();`r`n}"^""; [Privileges]::AddPrivilege('SeRestorePrivilege') | Out-Null; [Privileges]::AddPrivilege('SeTakeOwnershipPrivilege') | Out-Null; $adminSid = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-544'; $adminAccount = $adminSid.Translate([System.Security.Principal.NTAccount]); $adminFullControlAccessRule = New-Object System.Security.AccessControl.FileSystemAccessRule( $adminAccount, [System.Security.AccessControl.FileSystemRights]::FullControl, [System.Security.AccessControl.AccessControlType]::Allow ); $foundAbsolutePaths = @(); try {; $foundAbsolutePaths += @(; Get-Item -Path $expandedPath -ErrorAction Stop | Select-Object -ExpandProperty FullName; ); } catch [System.Management.Automation.ItemNotFoundException] {; <# Swallow, do not run `Test-Path` before, it's unreliable for globs requiring extra permissions #>; }; $foundAbsolutePaths = $foundAbsolutePaths | Select-Object -Unique 
| Sort-Object -Property { $_.Length } -Descending; if (!$foundAbsolutePaths) {; Write-Host 'Skipping, no items available.'; exit 0; }; Write-Host "^""Initiating processing of $($foundAbsolutePaths.Count) items from `"^""$expandedPath`"^""."^""; foreach ($path in $foundAbsolutePaths) {; if (Test-Path -Path $path -PathType Container) {; Write-Host "^""Skipping folder (not its contents): `"^""$path`"^""."^""; $skippedCount++; continue; }; if($revert -eq $true) {; if (-not $path.EndsWith('.OLD')) {; Write-Host "^""Skipping non-backup file: `"^""$path`"^""."^""; $skippedCount++; continue; }; } else {; if ($path.EndsWith('.OLD')) {; Write-Host "^""Skipping backup file: `"^""$path`"^""."^""; $skippedCount++; continue; }; }; $originalFilePath = $path; Write-Host "^""Processing file: `"^""$originalFilePath`"^""."^""; if (-Not (Test-Path $originalFilePath)) {; Write-Host "^""Skipping, file `"^""$originalFilePath`"^"" not found."^""; $skippedCount++; exit 0; }; $originalAcl = Get-Acl -Path "^""$originalFilePath"^""; $accessGranted = $false; try {; $acl = Get-Acl -Path "^""$originalFilePath"^""; $acl.SetOwner($adminAccount) <# Take Ownership (because file is owned by TrustedInstaller) #>; $acl.AddAccessRule($adminFullControlAccessRule) <# Grant rights to be able to move the file #>; Set-Acl -Path $originalFilePath -AclObject $acl -ErrorAction Stop; $accessGranted = $true; } catch {; Write-Warning "^""Failed to grant access to `"^""$originalFilePath`"^"": $($_.Exception.Message)"^""; }; if ($revert -eq $true) {; $newFilePath = $originalFilePath.Substring(0, $originalFilePath.Length - 4); } else {; $newFilePath = "^""$($originalFilePath).OLD"^""; }; try {; Move-Item -LiteralPath "^""$($originalFilePath)"^"" -Destination "^""$newFilePath"^"" -Force -ErrorAction Stop; Write-Host "^""Successfully processed `"^""$originalFilePath`"^""."^""; $renamedCount++; if ($accessGranted) {; try {; Set-Acl -Path $newFilePath -AclObject $originalAcl -ErrorAction Stop; } catch {; Write-Warning 
"^""Failed to restore access on `"^""$newFilePath`"^"": $($_.Exception.Message)"^""; }; }; } catch {; Write-Error "^""Failed to rename `"^""$originalFilePath`"^"" to `"^""$newFilePath`"^"": $($_.Exception.Message)"^""; $failedCount++; if ($accessGranted) {; try {; Set-Acl -Path $originalFilePath -AclObject $originalAcl -ErrorAction Stop; } catch {; Write-Warning "^""Failed to restore access on `"^""$originalFilePath`"^"": $($_.Exception.Message)"^""; }; }; }; }; if (($renamedCount -gt 0) -or ($skippedCount -gt 0)) {; Write-Host "^""Successfully processed $renamedCount items and skipped $skippedCount items."^""; }; if ($failedCount -gt 0) {; Write-Warning "^""Failed to processed $($failedCount) items."^""; }; [Privileges]::RemovePrivilege('SeRestorePrivilege') | Out-Null; [Privileges]::RemovePrivilege('SeTakeOwnershipPrivilege') | Out-Null" :: Soft delete files matching pattern (with additional permissions) : "%WINDIR%\WaaS\*" PowerShell -ExecutionPolicy Unrestricted -Command "$pathGlobPattern = "^""%WINDIR%\WaaS\*"^""; $expandedPath = [System.Environment]::ExpandEnvironmentVariables($pathGlobPattern); Write-Host "^""Searching for items matching pattern: `"^""$($expandedPath)`"^""."^""; $renamedCount = 0; $skippedCount = 0; $failedCount = 0; Add-Type -TypeDefinition "^""using System;`r`nusing System.Runtime.InteropServices;`r`npublic class Privileges {`r`n [DllImport(`"^""advapi32.dll`"^"", ExactSpelling = true, SetLastError = true)]`r`n internal static extern bool AdjustTokenPrivileges(IntPtr htok, bool disall,`r`n ref TokPriv1Luid newst, int len, IntPtr prev, IntPtr relen);`r`n [DllImport(`"^""advapi32.dll`"^"", ExactSpelling = true, SetLastError = true)]`r`n internal static extern bool OpenProcessToken(IntPtr h, int acc, ref IntPtr phtok);`r`n [DllImport(`"^""advapi32.dll`"^"", SetLastError = true)]`r`n internal static extern bool LookupPrivilegeValue(string host, string name, ref long pluid);`r`n [StructLayout(LayoutKind.Sequential, Pack = 1)]`r`n internal 
struct TokPriv1Luid {`r`n public int Count;`r`n public long Luid;`r`n public int Attr;`r`n }`r`n internal const int SE_PRIVILEGE_ENABLED = 0x00000002;`r`n internal const int TOKEN_QUERY = 0x00000008;`r`n internal const int TOKEN_ADJUST_PRIVILEGES = 0x00000020;`r`n public static bool AddPrivilege(string privilege) {`r`n try {`r`n bool retVal;`r`n TokPriv1Luid tp;`r`n IntPtr hproc = GetCurrentProcess();`r`n IntPtr htok = IntPtr.Zero;`r`n retVal = OpenProcessToken(hproc, TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, ref htok);`r`n tp.Count = 1;`r`n tp.Luid = 0;`r`n tp.Attr = SE_PRIVILEGE_ENABLED;`r`n retVal = LookupPrivilegeValue(null, privilege, ref tp.Luid);`r`n retVal = AdjustTokenPrivileges(htok, false, ref tp, 0, IntPtr.Zero, IntPtr.Zero);`r`n return retVal;`r`n } catch (Exception ex) {`r`n throw new Exception(`"^""Failed to adjust token privileges`"^"", ex);`r`n }`r`n }`r`n public static bool RemovePrivilege(string privilege) {`r`n try {`r`n bool retVal;`r`n TokPriv1Luid tp;`r`n IntPtr hproc = GetCurrentProcess();`r`n IntPtr htok = IntPtr.Zero;`r`n retVal = OpenProcessToken(hproc, TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, ref htok);`r`n tp.Count = 1;`r`n tp.Luid = 0;`r`n tp.Attr = 0; // This line is changed to revoke the privilege`r`n retVal = LookupPrivilegeValue(null, privilege, ref tp.Luid);`r`n retVal = AdjustTokenPrivileges(htok, false, ref tp, 0, IntPtr.Zero, IntPtr.Zero);`r`n return retVal;`r`n } catch (Exception ex) {`r`n throw new Exception(`"^""Failed to adjust token privileges`"^"", ex);`r`n }`r`n }`r`n [DllImport(`"^""kernel32.dll`"^"", CharSet = CharSet.Auto)]`r`n public static extern IntPtr GetCurrentProcess();`r`n}"^""; [Privileges]::AddPrivilege('SeRestorePrivilege') | Out-Null; [Privileges]::AddPrivilege('SeTakeOwnershipPrivilege') | Out-Null; $adminSid = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-544'; $adminAccount = $adminSid.Translate([System.Security.Principal.NTAccount]); $adminFullControlAccessRule = New-Object 
System.Security.AccessControl.FileSystemAccessRule( $adminAccount, [System.Security.AccessControl.FileSystemRights]::FullControl, [System.Security.AccessControl.AccessControlType]::Allow ); $foundAbsolutePaths = @(); Write-Host 'Iterating files and directories recursively.'; try {; $foundAbsolutePaths += @(; Get-ChildItem -Path $expandedPath -Force -Recurse -ErrorAction Stop | Select-Object -ExpandProperty FullName; ); } catch [System.Management.Automation.ItemNotFoundException] {; <# Swallow, do not run `Test-Path` before, it's unreliable for globs requiring extra permissions #>; }; try {; $foundAbsolutePaths += @(; Get-Item -Path $expandedPath -ErrorAction Stop | Select-Object -ExpandProperty FullName; ); } catch [System.Management.Automation.ItemNotFoundException] {; <# Swallow, do not run `Test-Path` before, it's unreliable for globs requiring extra permissions #>; }; $foundAbsolutePaths = $foundAbsolutePaths | Select-Object -Unique | Sort-Object -Property { $_.Length } -Descending; if (!$foundAbsolutePaths) {; Write-Host 'Skipping, no items available.'; exit 0; }; Write-Host "^""Initiating processing of $($foundAbsolutePaths.Count) items from `"^""$expandedPath`"^""."^""; foreach ($path in $foundAbsolutePaths) {; if (Test-Path -Path $path -PathType Container) {; Write-Host "^""Skipping folder (not its contents): `"^""$path`"^""."^""; $skippedCount++; continue; }; if($revert -eq $true) {; if (-not $path.EndsWith('.OLD')) {; Write-Host "^""Skipping non-backup file: `"^""$path`"^""."^""; $skippedCount++; continue; }; } else {; if ($path.EndsWith('.OLD')) {; Write-Host "^""Skipping backup file: `"^""$path`"^""."^""; $skippedCount++; continue; }; }; $originalFilePath = $path; Write-Host "^""Processing file: `"^""$originalFilePath`"^""."^""; if (-Not (Test-Path $originalFilePath)) {; Write-Host "^""Skipping, file `"^""$originalFilePath`"^"" not found."^""; $skippedCount++; exit 0; }; $originalAcl = Get-Acl -Path "^""$originalFilePath"^""; $accessGranted = $false; 
try {; $acl = Get-Acl -Path "^""$originalFilePath"^""; $acl.SetOwner($adminAccount) <# Take Ownership (because file is owned by TrustedInstaller) #>; $acl.AddAccessRule($adminFullControlAccessRule) <# Grant rights to be able to move the file #>; Set-Acl -Path $originalFilePath -AclObject $acl -ErrorAction Stop; $accessGranted = $true; } catch {; Write-Warning "^""Failed to grant access to `"^""$originalFilePath`"^"": $($_.Exception.Message)"^""; }; if ($revert -eq $true) {; $newFilePath = $originalFilePath.Substring(0, $originalFilePath.Length - 4); } else {; $newFilePath = "^""$($originalFilePath).OLD"^""; }; try {; Move-Item -LiteralPath "^""$($originalFilePath)"^"" -Destination "^""$newFilePath"^"" -Force -ErrorAction Stop; Write-Host "^""Successfully processed `"^""$originalFilePath`"^""."^""; $renamedCount++; if ($accessGranted) {; try {; Set-Acl -Path $newFilePath -AclObject $originalAcl -ErrorAction Stop; } catch {; Write-Warning "^""Failed to restore access on `"^""$newFilePath`"^"": $($_.Exception.Message)"^""; }; }; } catch {; Write-Error "^""Failed to rename `"^""$originalFilePath`"^"" to `"^""$newFilePath`"^"": $($_.Exception.Message)"^""; $failedCount++; if ($accessGranted) {; try {; Set-Acl -Path $originalFilePath -AclObject $originalAcl -ErrorAction Stop; } catch {; Write-Warning "^""Failed to restore access on `"^""$originalFilePath`"^"": $($_.Exception.Message)"^""; }; }; }; }; if (($renamedCount -gt 0) -or ($skippedCount -gt 0)) {; Write-Host "^""Successfully processed $renamedCount items and skipped $skippedCount items."^""; }; if ($failedCount -gt 0) {; Write-Warning "^""Failed to processed $($failedCount) items."^""; }; [Privileges]::RemovePrivilege('SeRestorePrivilege') | Out-Null; [Privileges]::RemovePrivilege('SeTakeOwnershipPrivilege') | Out-Null" :: ---------------------------------------------------------- :: ---------------------------------------------------------- :: ---------------Disable "RestoreDevice" task--------------- :: 
---------------------------------------------------------- echo --- Disable "RestoreDevice" task :: Disable scheduled task(s): `\Microsoft\Windows\InstallService\RestoreDevice` PowerShell -ExecutionPolicy Unrestricted -Command "$taskPathPattern='\Microsoft\Windows\InstallService\'; $taskNamePattern='RestoreDevice'; Write-Output "^""Disabling tasks matching pattern `"^""$taskNamePattern`"^""."^""; $tasks = @(Get-ScheduledTask -TaskPath $taskPathPattern -TaskName $taskNamePattern -ErrorAction Ignore); if (-Not $tasks) {; Write-Output "^""Skipping, no tasks matching pattern `"^""$taskNamePattern`"^"" found, no action needed."^""; exit 0; }; $operationFailed = $false; foreach ($task in $tasks) {; $taskName = $task.TaskName; if ($task.State -eq [Microsoft.PowerShell.Cmdletization.GeneratedTypes.ScheduledTask.StateEnum]::Disabled) {; Write-Output "^""Skipping, task `"^""$taskName`"^"" is already disabled, no action needed."^""; continue; }; try {; $task | Disable-ScheduledTask -ErrorAction Stop | Out-Null; Write-Output "^""Successfully disabled task `"^""$taskName`"^""."^""; } catch {; Write-Error "^""Failed to disable task `"^""$taskName`"^"": $($_.Exception.Message)"^""; $operationFailed = $true; }; }; if ($operationFailed) {; Write-Output 'Failed to disable some tasks. 
Check error messages above.'; exit 1; }" :: ---------------------------------------------------------- :: ---------------------------------------------------------- :: --------------Disable "ScanForUpdates" task--------------- :: ---------------------------------------------------------- echo --- Disable "ScanForUpdates" task :: Disable scheduled task(s): `\Microsoft\Windows\InstallService\ScanForUpdates` PowerShell -ExecutionPolicy Unrestricted -Command "$taskPathPattern='\Microsoft\Windows\InstallService\'; $taskNamePattern='ScanForUpdates'; Write-Output "^""Disabling tasks matching pattern `"^""$taskNamePattern`"^""."^""; $tasks = @(Get-ScheduledTask -TaskPath $taskPathPattern -TaskName $taskNamePattern -ErrorAction Ignore); if (-Not $tasks) {; Write-Output "^""Skipping, no tasks matching pattern `"^""$taskNamePattern`"^"" found, no action needed."^""; exit 0; }; $operationFailed = $false; foreach ($task in $tasks) {; $taskName = $task.TaskName; if ($task.State -eq [Microsoft.PowerShell.Cmdletization.GeneratedTypes.ScheduledTask.StateEnum]::Disabled) {; Write-Output "^""Skipping, task `"^""$taskName`"^"" is already disabled, no action needed."^""; continue; }; try {; $task | Disable-ScheduledTask -ErrorAction Stop | Out-Null; Write-Output "^""Successfully disabled task `"^""$taskName`"^""."^""; } catch {; Write-Error "^""Failed to disable task `"^""$taskName`"^"": $($_.Exception.Message)"^""; $operationFailed = $true; }; }; if ($operationFailed) {; Write-Output 'Failed to disable some tasks. 
Check error messages above.'; exit 1; }" :: ---------------------------------------------------------- :: ---------------------------------------------------------- :: -----------Disable "ScanForUpdatesAsUser" task------------ :: ---------------------------------------------------------- echo --- Disable "ScanForUpdatesAsUser" task :: Disable scheduled task(s): `\Microsoft\Windows\InstallService\ScanForUpdatesAsUser` PowerShell -ExecutionPolicy Unrestricted -Command "$taskPathPattern='\Microsoft\Windows\InstallService\'; $taskNamePattern='ScanForUpdatesAsUser'; Write-Output "^""Disabling tasks matching pattern `"^""$taskNamePattern`"^""."^""; $tasks = @(Get-ScheduledTask -TaskPath $taskPathPattern -TaskName $taskNamePattern -ErrorAction Ignore); if (-Not $tasks) {; Write-Output "^""Skipping, no tasks matching pattern `"^""$taskNamePattern`"^"" found, no action needed."^""; exit 0; }; $operationFailed = $false; foreach ($task in $tasks) {; $taskName = $task.TaskName; if ($task.State -eq [Microsoft.PowerShell.Cmdletization.GeneratedTypes.ScheduledTask.StateEnum]::Disabled) {; Write-Output "^""Skipping, task `"^""$taskName`"^"" is already disabled, no action needed."^""; continue; }; try {; $task | Disable-ScheduledTask -ErrorAction Stop | Out-Null; Write-Output "^""Successfully disabled task `"^""$taskName`"^""."^""; } catch {; Write-Error "^""Failed to disable task `"^""$taskName`"^"": $($_.Exception.Message)"^""; $operationFailed = $true; }; }; if ($operationFailed) {; Write-Output 'Failed to disable some tasks. 
Check error messages above.'; exit 1; }"
:: ----------------------------------------------------------

:: ----------------------------------------------------------
:: ----------------Disable "SmartRetry" task-----------------
:: ----------------------------------------------------------
echo --- Disable "SmartRetry" task
:: Disable scheduled task(s): `\Microsoft\Windows\InstallService\SmartRetry`
PowerShell -ExecutionPolicy Unrestricted -Command "$taskPathPattern='\Microsoft\Windows\InstallService\'; $taskNamePattern='SmartRetry'; Write-Output "^""Disabling tasks matching pattern `"^""$taskNamePattern`"^""."^""; $tasks = @(Get-ScheduledTask -TaskPath $taskPathPattern -TaskName $taskNamePattern -ErrorAction Ignore); if (-Not $tasks) {; Write-Output "^""Skipping, no tasks matching pattern `"^""$taskNamePattern`"^"" found, no action needed."^""; exit 0; }; $operationFailed = $false; foreach ($task in $tasks) {; $taskName = $task.TaskName; if ($task.State -eq [Microsoft.PowerShell.Cmdletization.GeneratedTypes.ScheduledTask.StateEnum]::Disabled) {; Write-Output "^""Skipping, task `"^""$taskName`"^"" is already disabled, no action needed."^""; continue; }; try {; $task | Disable-ScheduledTask -ErrorAction Stop | Out-Null; Write-Output "^""Successfully disabled task `"^""$taskName`"^""."^""; } catch {; Write-Error "^""Failed to disable task `"^""$taskName`"^"": $($_.Exception.Message)"^""; $operationFailed = $true; }; }; if ($operationFailed) {; Write-Output 'Failed to disable some tasks. Check error messages above.'; exit 1; }"
:: ----------------------------------------------------------

:: ----------------------------------------------------------
:: ---------Disable "WakeUpAndContinueUpdates" task----------
:: ----------------------------------------------------------
echo --- Disable "WakeUpAndContinueUpdates" task
:: Disable scheduled task(s): `\Microsoft\Windows\InstallService\WakeUpAndContinueUpdates`
PowerShell -ExecutionPolicy Unrestricted -Command "$taskPathPattern='\Microsoft\Windows\InstallService\'; $taskNamePattern='WakeUpAndContinueUpdates'; Write-Output "^""Disabling tasks matching pattern `"^""$taskNamePattern`"^""."^""; $tasks = @(Get-ScheduledTask -TaskPath $taskPathPattern -TaskName $taskNamePattern -ErrorAction Ignore); if (-Not $tasks) {; Write-Output "^""Skipping, no tasks matching pattern `"^""$taskNamePattern`"^"" found, no action needed."^""; exit 0; }; $operationFailed = $false; foreach ($task in $tasks) {; $taskName = $task.TaskName; if ($task.State -eq [Microsoft.PowerShell.Cmdletization.GeneratedTypes.ScheduledTask.StateEnum]::Disabled) {; Write-Output "^""Skipping, task `"^""$taskName`"^"" is already disabled, no action needed."^""; continue; }; try {; $task | Disable-ScheduledTask -ErrorAction Stop | Out-Null; Write-Output "^""Successfully disabled task `"^""$taskName`"^""."^""; } catch {; Write-Error "^""Failed to disable task `"^""$taskName`"^"": $($_.Exception.Message)"^""; $operationFailed = $true; }; }; if ($operationFailed) {; Write-Output 'Failed to disable some tasks. Check error messages above.'; exit 1; }"
:: ----------------------------------------------------------

:: ----------------------------------------------------------
:: ----------Disable "WakeUpAndScanForUpdates" task----------
:: ----------------------------------------------------------
echo --- Disable "WakeUpAndScanForUpdates" task
:: Disable scheduled task(s): `\Microsoft\Windows\InstallService\WakeUpAndScanForUpdates`
PowerShell -ExecutionPolicy Unrestricted -Command "$taskPathPattern='\Microsoft\Windows\InstallService\'; $taskNamePattern='WakeUpAndScanForUpdates'; Write-Output "^""Disabling tasks matching pattern `"^""$taskNamePattern`"^""."^""; $tasks = @(Get-ScheduledTask -TaskPath $taskPathPattern -TaskName $taskNamePattern -ErrorAction Ignore); if (-Not $tasks) {; Write-Output "^""Skipping, no tasks matching pattern `"^""$taskNamePattern`"^"" found, no action needed."^""; exit 0; }; $operationFailed = $false; foreach ($task in $tasks) {; $taskName = $task.TaskName; if ($task.State -eq [Microsoft.PowerShell.Cmdletization.GeneratedTypes.ScheduledTask.StateEnum]::Disabled) {; Write-Output "^""Skipping, task `"^""$taskName`"^"" is already disabled, no action needed."^""; continue; }; try {; $task | Disable-ScheduledTask -ErrorAction Stop | Out-Null; Write-Output "^""Successfully disabled task `"^""$taskName`"^""."^""; } catch {; Write-Error "^""Failed to disable task `"^""$taskName`"^"": $($_.Exception.Message)"^""; $operationFailed = $true; }; }; if ($operationFailed) {; Write-Output 'Failed to disable some tasks. Check error messages above.'; exit 1; }"
:: ----------------------------------------------------------

:: ----------------------------------------------------------
:: --------------Disable "Scheduled Start" task--------------
:: ----------------------------------------------------------
echo --- Disable "Scheduled Start" task
:: Disable scheduled task(s): `\Microsoft\Windows\WindowsUpdate\Scheduled Start`
PowerShell -ExecutionPolicy Unrestricted -Command "$taskPathPattern='\Microsoft\Windows\WindowsUpdate\'; $taskNamePattern='Scheduled Start'; Write-Output "^""Disabling tasks matching pattern `"^""$taskNamePattern`"^""."^""; $tasks = @(Get-ScheduledTask -TaskPath $taskPathPattern -TaskName $taskNamePattern -ErrorAction Ignore); if (-Not $tasks) {; Write-Output "^""Skipping, no tasks matching pattern `"^""$taskNamePattern`"^"" found, no action needed."^""; exit 0; }; $operationFailed = $false; foreach ($task in $tasks) {; $taskName = $task.TaskName; if ($task.State -eq [Microsoft.PowerShell.Cmdletization.GeneratedTypes.ScheduledTask.StateEnum]::Disabled) {; Write-Output "^""Skipping, task `"^""$taskName`"^"" is already disabled, no action needed."^""; continue; }; try {; $task | Disable-ScheduledTask -ErrorAction Stop | Out-Null; Write-Output "^""Successfully disabled task `"^""$taskName`"^""."^""; } catch {; Write-Error "^""Failed to disable task `"^""$taskName`"^"": $($_.Exception.Message)"^""; $operationFailed = $true; }; }; if ($operationFailed) {; Write-Output 'Failed to disable some tasks. Check error messages above.'; exit 1; }"
:: ----------------------------------------------------------

:: ----------------------------------------------------------
:: --------------Disable "Report policies" task--------------
:: ----------------------------------------------------------
echo --- Disable "Report policies" task
:: Disable scheduled task(s): `\Microsoft\Windows\UpdateOrchestrator\Report policies`
PowerShell -ExecutionPolicy Unrestricted -Command "$taskPathPattern='\Microsoft\Windows\UpdateOrchestrator\'; $taskNamePattern='Report policies'; Write-Output "^""Disabling tasks matching pattern `"^""$taskNamePattern`"^""."^""; $tasks = @(Get-ScheduledTask -TaskPath $taskPathPattern -TaskName $taskNamePattern -ErrorAction Ignore); if (-Not $tasks) {; Write-Output "^""Skipping, no tasks matching pattern `"^""$taskNamePattern`"^"" found, no action needed."^""; exit 0; }; $operationFailed = $false; foreach ($task in $tasks) {; $taskName = $task.TaskName; if ($task.State -eq [Microsoft.PowerShell.Cmdletization.GeneratedTypes.ScheduledTask.StateEnum]::Disabled) {; Write-Output "^""Skipping, task `"^""$taskName`"^"" is already disabled, no action needed."^""; continue; }; $taskFullPath = "^""$($task.TaskPath)$($task.TaskName)"^""; $adminSid = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-544'; $adminAccount = $adminSid.Translate([System.Security.Principal.NTAccount]); $taskFilePath="^""$($env:WINDIR)\System32\Tasks$($task.TaskPath)$($task.TaskName)"^""; $accessGranted = $false; try {; $originalAcl= Get-Acl -Path $taskFilePath -ErrorAction Stop; $modifiedAcl= Get-Acl -Path $taskFilePath -ErrorAction Stop; $modifiedAcl.SetOwner($adminAccount); $taskFileAccessRule = New-Object System.Security.AccessControl.FileSystemAccessRule( $adminAccount, [System.Security.AccessControl.FileSystemRights]::FullControl, [System.Security.AccessControl.AccessControlType]::Allow ); $modifiedAcl.SetAccessRule($taskFileAccessRule); Set-Acl -Path $taskFilePath -AclObject $modifiedAcl -ErrorAction Stop; Write-Host "^""Successfully granted permissions for `"^""$taskFullPath`"^"" ."^""; $accessGranted = $true; } catch {; Write-Warning "^""Failed to grant access to `"^""$taskFullPath`"^"": $($_.Exception.Message)"^""; }; try {; $task | Disable-ScheduledTask -ErrorAction Stop | Out-Null; Write-Output "^""Successfully disabled task `"^""$taskName`"^""."^""; } catch {; Write-Error "^""Failed to disable task `"^""$taskName`"^"": $($_.Exception.Message)"^""; $operationFailed = $true; }; if ($accessGranted) {; try {; Set-Acl -Path $taskFilePath -AclObject $originalAcl -ErrorAction Stop; Write-Host "^""Successfully restored permissions for `"^""$taskFullPath`"^"" ."^""; } catch {; Write-Warning "^""Failed to restore access on `"^""$taskFilePath`"^"": $($_.Exception.Message)"^""; }; }; }; if ($operationFailed) {; Write-Output 'Failed to disable some tasks. Check error messages above.'; exit 1; }"
:: ----------------------------------------------------------

:: ----------------------------------------------------------
:: ---------Disable "Schedule Maintenance Work" task---------
:: ----------------------------------------------------------
echo --- Disable "Schedule Maintenance Work" task
:: Disable scheduled task(s): `\Microsoft\Windows\UpdateOrchestrator\Schedule Maintenance Work`
PowerShell -ExecutionPolicy Unrestricted -Command "$taskPathPattern='\Microsoft\Windows\UpdateOrchestrator\'; $taskNamePattern='Schedule Maintenance Work'; Write-Output "^""Disabling tasks matching pattern `"^""$taskNamePattern`"^""."^""; $tasks = @(Get-ScheduledTask -TaskPath $taskPathPattern -TaskName $taskNamePattern -ErrorAction Ignore); if (-Not $tasks) {; Write-Output "^""Skipping, no tasks matching pattern `"^""$taskNamePattern`"^"" found, no action needed."^""; exit 0; }; $operationFailed = $false; foreach ($task in $tasks) {; $taskName = $task.TaskName; if ($task.State -eq [Microsoft.PowerShell.Cmdletization.GeneratedTypes.ScheduledTask.StateEnum]::Disabled) {; Write-Output "^""Skipping, task `"^""$taskName`"^"" is already disabled, no action needed."^""; continue; }; $taskFullPath = "^""$($task.TaskPath)$($task.TaskName)"^""; $adminSid = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-544'; $adminAccount = $adminSid.Translate([System.Security.Principal.NTAccount]); $taskFilePath="^""$($env:WINDIR)\System32\Tasks$($task.TaskPath)$($task.TaskName)"^""; $accessGranted = $false; try {; $originalAcl= Get-Acl -Path $taskFilePath -ErrorAction Stop; $modifiedAcl= Get-Acl -Path $taskFilePath -ErrorAction Stop; $modifiedAcl.SetOwner($adminAccount); $taskFileAccessRule = New-Object System.Security.AccessControl.FileSystemAccessRule( $adminAccount, [System.Security.AccessControl.FileSystemRights]::FullControl, [System.Security.AccessControl.AccessControlType]::Allow ); $modifiedAcl.SetAccessRule($taskFileAccessRule); Set-Acl -Path $taskFilePath -AclObject $modifiedAcl -ErrorAction Stop; Write-Host "^""Successfully granted permissions for `"^""$taskFullPath`"^"" ."^""; $accessGranted = $true; } catch {; Write-Warning "^""Failed to grant access to `"^""$taskFullPath`"^"": $($_.Exception.Message)"^""; }; try {; $task | Disable-ScheduledTask -ErrorAction Stop | Out-Null; Write-Output "^""Successfully disabled task `"^""$taskName`"^""."^""; } catch {; Write-Error "^""Failed to disable task `"^""$taskName`"^"": $($_.Exception.Message)"^""; $operationFailed = $true; }; if ($accessGranted) {; try {; Set-Acl -Path $taskFilePath -AclObject $originalAcl -ErrorAction Stop; Write-Host "^""Successfully restored permissions for `"^""$taskFullPath`"^"" ."^""; } catch {; Write-Warning "^""Failed to restore access on `"^""$taskFilePath`"^"": $($_.Exception.Message)"^""; }; }; }; if ($operationFailed) {; Write-Output 'Failed to disable some tasks. Check error messages above.'; exit 1; }"
:: ----------------------------------------------------------

:: ----------------------------------------------------------
:: ---------------Disable "Schedule Scan" task---------------
:: ----------------------------------------------------------
echo --- Disable "Schedule Scan" task
:: Disable scheduled task(s): `\Microsoft\Windows\UpdateOrchestrator\Schedule Scan`
PowerShell -ExecutionPolicy Unrestricted -Command "$taskPathPattern='\Microsoft\Windows\UpdateOrchestrator\'; $taskNamePattern='Schedule Scan'; Write-Output "^""Disabling tasks matching pattern `"^""$taskNamePattern`"^""."^""; $tasks = @(Get-ScheduledTask -TaskPath $taskPathPattern -TaskName $taskNamePattern -ErrorAction Ignore); if (-Not $tasks) {; Write-Output "^""Skipping, no tasks matching pattern `"^""$taskNamePattern`"^"" found, no action needed."^""; exit 0; }; $operationFailed = $false; foreach ($task in $tasks) {; $taskName = $task.TaskName; if ($task.State -eq [Microsoft.PowerShell.Cmdletization.GeneratedTypes.ScheduledTask.StateEnum]::Disabled) {; Write-Output "^""Skipping, task `"^""$taskName`"^"" is already disabled, no action needed."^""; continue; }; $taskFullPath = "^""$($task.TaskPath)$($task.TaskName)"^""; $adminSid = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-544'; $adminAccount = $adminSid.Translate([System.Security.Principal.NTAccount]); $taskFilePath="^""$($env:WINDIR)\System32\Tasks$($task.TaskPath)$($task.TaskName)"^""; $accessGranted = $false; try {; $originalAcl= Get-Acl -Path $taskFilePath -ErrorAction Stop; $modifiedAcl= Get-Acl -Path $taskFilePath -ErrorAction Stop; $modifiedAcl.SetOwner($adminAccount); $taskFileAccessRule = New-Object System.Security.AccessControl.FileSystemAccessRule( $adminAccount, [System.Security.AccessControl.FileSystemRights]::FullControl, [System.Security.AccessControl.AccessControlType]::Allow ); $modifiedAcl.SetAccessRule($taskFileAccessRule); Set-Acl -Path $taskFilePath -AclObject $modifiedAcl -ErrorAction Stop; Write-Host "^""Successfully granted permissions for `"^""$taskFullPath`"^"" ."^""; $accessGranted = $true; } catch {; Write-Warning "^""Failed to grant access to `"^""$taskFullPath`"^"": $($_.Exception.Message)"^""; }; try {; $task | Disable-ScheduledTask -ErrorAction Stop | Out-Null; Write-Output "^""Successfully disabled task `"^""$taskName`"^""."^""; } catch {; Write-Error "^""Failed to disable task `"^""$taskName`"^"": $($_.Exception.Message)"^""; $operationFailed = $true; }; if ($accessGranted) {; try {; Set-Acl -Path $taskFilePath -AclObject $originalAcl -ErrorAction Stop; Write-Host "^""Successfully restored permissions for `"^""$taskFullPath`"^"" ."^""; } catch {; Write-Warning "^""Failed to restore access on `"^""$taskFilePath`"^"": $($_.Exception.Message)"^""; }; }; }; if ($operationFailed) {; Write-Output 'Failed to disable some tasks. Check error messages above.'; exit 1; }"
:: ----------------------------------------------------------

:: ----------------------------------------------------------
:: ---------Disable "Schedule Scan Static Task" task---------
:: ----------------------------------------------------------
echo --- Disable "Schedule Scan Static Task" task
:: Disable scheduled task(s): `\Microsoft\Windows\UpdateOrchestrator\Schedule Scan Static Task`
PowerShell -ExecutionPolicy Unrestricted -Command "$taskPathPattern='\Microsoft\Windows\UpdateOrchestrator\'; $taskNamePattern='Schedule Scan Static Task'; Write-Output "^""Disabling tasks matching pattern `"^""$taskNamePattern`"^""."^""; $tasks = @(Get-ScheduledTask -TaskPath $taskPathPattern -TaskName $taskNamePattern -ErrorAction Ignore); if (-Not $tasks) {; Write-Output "^""Skipping, no tasks matching pattern `"^""$taskNamePattern`"^"" found, no action needed."^""; exit 0; }; $operationFailed = $false; foreach ($task in $tasks) {; $taskName = $task.TaskName; if ($task.State -eq [Microsoft.PowerShell.Cmdletization.GeneratedTypes.ScheduledTask.StateEnum]::Disabled) {; Write-Output "^""Skipping, task `"^""$taskName`"^"" is already disabled, no action needed."^""; continue; }; $taskFullPath = "^""$($task.TaskPath)$($task.TaskName)"^""; $adminSid = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-544'; $adminAccount = $adminSid.Translate([System.Security.Principal.NTAccount]); $taskFilePath="^""$($env:WINDIR)\System32\Tasks$($task.TaskPath)$($task.TaskName)"^""; $accessGranted = $false; try {; $originalAcl= Get-Acl -Path $taskFilePath -ErrorAction Stop; $modifiedAcl= Get-Acl -Path $taskFilePath -ErrorAction Stop; $modifiedAcl.SetOwner($adminAccount); $taskFileAccessRule = New-Object System.Security.AccessControl.FileSystemAccessRule( $adminAccount, [System.Security.AccessControl.FileSystemRights]::FullControl, [System.Security.AccessControl.AccessControlType]::Allow ); $modifiedAcl.SetAccessRule($taskFileAccessRule); Set-Acl -Path $taskFilePath -AclObject $modifiedAcl -ErrorAction Stop; Write-Host "^""Successfully granted permissions for `"^""$taskFullPath`"^"" ."^""; $accessGranted = $true; } catch {; Write-Warning "^""Failed to grant access to `"^""$taskFullPath`"^"": $($_.Exception.Message)"^""; }; try {; $task | Disable-ScheduledTask -ErrorAction Stop | Out-Null; Write-Output "^""Successfully disabled task `"^""$taskName`"^""."^""; } catch {; Write-Error "^""Failed to disable task `"^""$taskName`"^"": $($_.Exception.Message)"^""; $operationFailed = $true; }; if ($accessGranted) {; try {; Set-Acl -Path $taskFilePath -AclObject $originalAcl -ErrorAction Stop; Write-Host "^""Successfully restored permissions for `"^""$taskFullPath`"^"" ."^""; } catch {; Write-Warning "^""Failed to restore access on `"^""$taskFilePath`"^"": $($_.Exception.Message)"^""; }; }; }; if ($operationFailed) {; Write-Output 'Failed to disable some tasks. Check error messages above.'; exit 1; }"
:: ----------------------------------------------------------

:: ----------------------------------------------------------
:: -----------Disable "Schedule Wake To Work" task-----------
:: ----------------------------------------------------------
echo --- Disable "Schedule Wake To Work" task
:: Disable scheduled task(s): `\Microsoft\Windows\UpdateOrchestrator\Schedule Wake To Work`
PowerShell -ExecutionPolicy Unrestricted -Command "$taskPathPattern='\Microsoft\Windows\UpdateOrchestrator\'; $taskNamePattern='Schedule Wake To Work'; Write-Output "^""Disabling tasks matching pattern `"^""$taskNamePattern`"^""."^""; $tasks = @(Get-ScheduledTask -TaskPath $taskPathPattern -TaskName $taskNamePattern -ErrorAction Ignore); if (-Not $tasks) {; Write-Output "^""Skipping, no tasks matching pattern `"^""$taskNamePattern`"^"" found, no action needed."^""; exit 0; }; $operationFailed = $false; foreach ($task in $tasks) {; $taskName = $task.TaskName; if ($task.State -eq [Microsoft.PowerShell.Cmdletization.GeneratedTypes.ScheduledTask.StateEnum]::Disabled) {; Write-Output "^""Skipping, task `"^""$taskName`"^"" is already disabled, no action needed."^""; continue; }; $taskFullPath = "^""$($task.TaskPath)$($task.TaskName)"^""; $adminSid = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-544'; $adminAccount = $adminSid.Translate([System.Security.Principal.NTAccount]); $taskFilePath="^""$($env:WINDIR)\System32\Tasks$($task.TaskPath)$($task.TaskName)"^""; $accessGranted = $false; try {; $originalAcl= Get-Acl -Path $taskFilePath -ErrorAction Stop; $modifiedAcl= Get-Acl -Path $taskFilePath -ErrorAction Stop; $modifiedAcl.SetOwner($adminAccount); $taskFileAccessRule = New-Object System.Security.AccessControl.FileSystemAccessRule( $adminAccount, [System.Security.AccessControl.FileSystemRights]::FullControl, [System.Security.AccessControl.AccessControlType]::Allow ); $modifiedAcl.SetAccessRule($taskFileAccessRule); Set-Acl -Path $taskFilePath -AclObject $modifiedAcl -ErrorAction Stop; Write-Host "^""Successfully granted permissions for `"^""$taskFullPath`"^"" ."^""; $accessGranted = $true; } catch {; Write-Warning "^""Failed to grant access to `"^""$taskFullPath`"^"": $($_.Exception.Message)"^""; }; try {; $task | Disable-ScheduledTask -ErrorAction Stop | Out-Null; Write-Output "^""Successfully disabled task `"^""$taskName`"^""."^""; } catch {; Write-Error "^""Failed to disable task `"^""$taskName`"^"": $($_.Exception.Message)"^""; $operationFailed = $true; }; if ($accessGranted) {; try {; Set-Acl -Path $taskFilePath -AclObject $originalAcl -ErrorAction Stop; Write-Host "^""Successfully restored permissions for `"^""$taskFullPath`"^"" ."^""; } catch {; Write-Warning "^""Failed to restore access on `"^""$taskFilePath`"^"": $($_.Exception.Message)"^""; }; }; }; if ($operationFailed) {; Write-Output 'Failed to disable some tasks. Check error messages above.'; exit 1; }"
:: ----------------------------------------------------------

:: ----------------------------------------------------------
:: ---------------Disable "Schedule Work" task---------------
:: ----------------------------------------------------------
echo --- Disable "Schedule Work" task
:: Disable scheduled task(s): `\Microsoft\Windows\UpdateOrchestrator\Schedule Work`
PowerShell -ExecutionPolicy Unrestricted -Command "$taskPathPattern='\Microsoft\Windows\UpdateOrchestrator\'; $taskNamePattern='Schedule Work'; Write-Output "^""Disabling tasks matching pattern `"^""$taskNamePattern`"^""."^""; $tasks = @(Get-ScheduledTask -TaskPath $taskPathPattern -TaskName $taskNamePattern -ErrorAction Ignore); if (-Not $tasks) {; Write-Output "^""Skipping, no tasks matching pattern `"^""$taskNamePattern`"^"" found, no action needed."^""; exit 0; }; $operationFailed = $false; foreach ($task in $tasks) {; $taskName = $task.TaskName; if ($task.State -eq [Microsoft.PowerShell.Cmdletization.GeneratedTypes.ScheduledTask.StateEnum]::Disabled) {; Write-Output "^""Skipping, task `"^""$taskName`"^"" is already disabled, no action needed."^""; continue; }; $taskFullPath = "^""$($task.TaskPath)$($task.TaskName)"^""; $adminSid = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-544'; $adminAccount = $adminSid.Translate([System.Security.Principal.NTAccount]); $taskFilePath="^""$($env:WINDIR)\System32\Tasks$($task.TaskPath)$($task.TaskName)"^""; $accessGranted = $false; try {; $originalAcl= Get-Acl -Path $taskFilePath -ErrorAction Stop; $modifiedAcl= Get-Acl -Path $taskFilePath -ErrorAction Stop; $modifiedAcl.SetOwner($adminAccount); $taskFileAccessRule = New-Object System.Security.AccessControl.FileSystemAccessRule( $adminAccount, [System.Security.AccessControl.FileSystemRights]::FullControl, [System.Security.AccessControl.AccessControlType]::Allow ); $modifiedAcl.SetAccessRule($taskFileAccessRule); Set-Acl -Path $taskFilePath -AclObject $modifiedAcl -ErrorAction Stop; Write-Host "^""Successfully granted permissions for `"^""$taskFullPath`"^"" ."^""; $accessGranted = $true; } catch {; Write-Warning "^""Failed to grant access to `"^""$taskFullPath`"^"": $($_.Exception.Message)"^""; }; try {; $task | Disable-ScheduledTask -ErrorAction Stop | Out-Null; Write-Output "^""Successfully disabled task `"^""$taskName`"^""."^""; } catch {; Write-Error "^""Failed to disable task `"^""$taskName`"^"": $($_.Exception.Message)"^""; $operationFailed = $true; }; if ($accessGranted) {; try {; Set-Acl -Path $taskFilePath -AclObject $originalAcl -ErrorAction Stop; Write-Host "^""Successfully restored permissions for `"^""$taskFullPath`"^"" ."^""; } catch {; Write-Warning "^""Failed to restore access on `"^""$taskFilePath`"^"": $($_.Exception.Message)"^""; }; }; }; if ($operationFailed) {; Write-Output 'Failed to disable some tasks. Check error messages above.'; exit 1; }"
:: ----------------------------------------------------------

:: ----------------------------------------------------------
:: --------------Disable "UpdateModelTask" task--------------
:: ----------------------------------------------------------
echo --- Disable "UpdateModelTask" task
:: Disable scheduled task(s): `\Microsoft\Windows\UpdateOrchestrator\UpdateModelTask`
PowerShell -ExecutionPolicy Unrestricted -Command "$taskPathPattern='\Microsoft\Windows\UpdateOrchestrator\'; $taskNamePattern='UpdateModelTask'; Write-Output "^""Disabling tasks matching pattern `"^""$taskNamePattern`"^""."^""; $tasks = @(Get-ScheduledTask -TaskPath $taskPathPattern -TaskName $taskNamePattern -ErrorAction Ignore); if (-Not $tasks) {; Write-Output "^""Skipping, no tasks matching pattern `"^""$taskNamePattern`"^"" found, no action needed."^""; exit 0; }; $operationFailed = $false; foreach ($task in $tasks) {; $taskName = $task.TaskName; if ($task.State -eq [Microsoft.PowerShell.Cmdletization.GeneratedTypes.ScheduledTask.StateEnum]::Disabled) {; Write-Output "^""Skipping, task `"^""$taskName`"^"" is already disabled, no action needed."^""; continue; }; $taskFullPath = "^""$($task.TaskPath)$($task.TaskName)"^""; $adminSid = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-544'; $adminAccount = $adminSid.Translate([System.Security.Principal.NTAccount]); $taskFilePath="^""$($env:WINDIR)\System32\Tasks$($task.TaskPath)$($task.TaskName)"^""; $accessGranted = $false; try {; $originalAcl= Get-Acl -Path $taskFilePath -ErrorAction Stop; $modifiedAcl= Get-Acl -Path $taskFilePath -ErrorAction Stop; $modifiedAcl.SetOwner($adminAccount); $taskFileAccessRule = New-Object System.Security.AccessControl.FileSystemAccessRule( $adminAccount, [System.Security.AccessControl.FileSystemRights]::FullControl, [System.Security.AccessControl.AccessControlType]::Allow ); $modifiedAcl.SetAccessRule($taskFileAccessRule); Set-Acl -Path $taskFilePath -AclObject $modifiedAcl -ErrorAction Stop; Write-Host "^""Successfully granted permissions for `"^""$taskFullPath`"^"" ."^""; $accessGranted = $true; } catch {; Write-Warning "^""Failed to grant access to `"^""$taskFullPath`"^"": $($_.Exception.Message)"^""; }; try {; $task | Disable-ScheduledTask -ErrorAction Stop | Out-Null; Write-Output "^""Successfully disabled task `"^""$taskName`"^""."^""; } catch {; Write-Error "^""Failed to disable task `"^""$taskName`"^"": $($_.Exception.Message)"^""; $operationFailed = $true; }; if ($accessGranted) {; try {; Set-Acl -Path $taskFilePath -AclObject $originalAcl -ErrorAction Stop; Write-Host "^""Successfully restored permissions for `"^""$taskFullPath`"^"" ."^""; } catch {; Write-Warning "^""Failed to restore access on `"^""$taskFilePath`"^"": $($_.Exception.Message)"^""; }; }; }; if ($operationFailed) {; Write-Output 'Failed to disable some tasks. Check error messages above.'; exit 1; }"
:: ----------------------------------------------------------

:: ----------------------------------------------------------
:: ---------Disable "Start Oobe Expedite Work" task----------
:: ----------------------------------------------------------
echo --- Disable "Start Oobe Expedite Work" task
:: Disable scheduled task(s): `\Microsoft\Windows\UpdateOrchestrator\Start Oobe Expedite Work`
PowerShell -ExecutionPolicy Unrestricted -Command "$taskPathPattern='\Microsoft\Windows\UpdateOrchestrator\'; $taskNamePattern='Start Oobe Expedite Work'; Write-Output "^""Disabling tasks matching pattern `"^""$taskNamePattern`"^""."^""; $tasks = @(Get-ScheduledTask -TaskPath $taskPathPattern -TaskName $taskNamePattern -ErrorAction Ignore); if (-Not $tasks) {; Write-Output "^""Skipping, no tasks matching pattern `"^""$taskNamePattern`"^"" found, no action needed."^""; exit 0; }; $operationFailed = $false; foreach ($task in $tasks) {; $taskName = $task.TaskName; if ($task.State -eq [Microsoft.PowerShell.Cmdletization.GeneratedTypes.ScheduledTask.StateEnum]::Disabled) {; Write-Output "^""Skipping, task `"^""$taskName`"^"" is already disabled, no action needed."^""; continue; }; $taskFullPath = "^""$($task.TaskPath)$($task.TaskName)"^""; $adminSid = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-544'; $adminAccount = $adminSid.Translate([System.Security.Principal.NTAccount]); $taskFilePath="^""$($env:WINDIR)\System32\Tasks$($task.TaskPath)$($task.TaskName)"^""; $accessGranted = $false; try {; $originalAcl= Get-Acl -Path $taskFilePath -ErrorAction Stop; $modifiedAcl= Get-Acl -Path $taskFilePath -ErrorAction Stop; $modifiedAcl.SetOwner($adminAccount); $taskFileAccessRule = New-Object System.Security.AccessControl.FileSystemAccessRule( $adminAccount, [System.Security.AccessControl.FileSystemRights]::FullControl, [System.Security.AccessControl.AccessControlType]::Allow ); $modifiedAcl.SetAccessRule($taskFileAccessRule); Set-Acl -Path $taskFilePath -AclObject $modifiedAcl -ErrorAction Stop; Write-Host "^""Successfully granted permissions for `"^""$taskFullPath`"^"" ."^""; $accessGranted = $true; } catch {; Write-Warning "^""Failed to grant access to `"^""$taskFullPath`"^"": $($_.Exception.Message)"^""; }; try {; $task | Disable-ScheduledTask -ErrorAction Stop | Out-Null; Write-Output "^""Successfully disabled task `"^""$taskName`"^""."^""; } catch {; Write-Error "^""Failed to disable task `"^""$taskName`"^"": $($_.Exception.Message)"^""; $operationFailed = $true; }; if ($accessGranted) {; try {; Set-Acl -Path $taskFilePath -AclObject $originalAcl -ErrorAction Stop; Write-Host "^""Successfully restored permissions for `"^""$taskFullPath`"^"" ."^""; } catch {; Write-Warning "^""Failed to restore access on `"^""$taskFilePath`"^"": $($_.Exception.Message)"^""; }; }; }; if ($operationFailed) {; Write-Output 'Failed to disable some tasks. Check error messages above.'; exit 1; }"
:: ----------------------------------------------------------

:: ----------------------------------------------------------
:: -----Disable "StartOobeAppsScan_LicenseAccepted" task-----
:: ----------------------------------------------------------
echo --- Disable "StartOobeAppsScan_LicenseAccepted" task
:: Disable scheduled task(s): `\Microsoft\Windows\UpdateOrchestrator\StartOobeAppsScan_LicenseAccepted`
PowerShell -ExecutionPolicy Unrestricted -Command "$taskPathPattern='\Microsoft\Windows\UpdateOrchestrator\'; $taskNamePattern='StartOobeAppsScan_LicenseAccepted'; Write-Output "^""Disabling tasks matching pattern `"^""$taskNamePattern`"^""."^""; $tasks = @(Get-ScheduledTask -TaskPath $taskPathPattern -TaskName $taskNamePattern -ErrorAction Ignore); if (-Not $tasks) {; Write-Output "^""Skipping, no tasks matching pattern `"^""$taskNamePattern`"^"" found, no action needed."^""; exit 0; }; $operationFailed = $false; foreach ($task in $tasks) {; $taskName = $task.TaskName; if ($task.State -eq [Microsoft.PowerShell.Cmdletization.GeneratedTypes.ScheduledTask.StateEnum]::Disabled) {; Write-Output "^""Skipping, task `"^""$taskName`"^"" is already disabled, no action needed."^""; continue; }; $taskFullPath = "^""$($task.TaskPath)$($task.TaskName)"^""; $adminSid = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-544'; $adminAccount = $adminSid.Translate([System.Security.Principal.NTAccount]); $taskFilePath="^""$($env:WINDIR)\System32\Tasks$($task.TaskPath)$($task.TaskName)"^""; $accessGranted = $false; try {; $originalAcl= Get-Acl -Path $taskFilePath -ErrorAction Stop; $modifiedAcl= Get-Acl -Path $taskFilePath -ErrorAction Stop; $modifiedAcl.SetOwner($adminAccount); $taskFileAccessRule = New-Object System.Security.AccessControl.FileSystemAccessRule( $adminAccount, [System.Security.AccessControl.FileSystemRights]::FullControl, [System.Security.AccessControl.AccessControlType]::Allow ); $modifiedAcl.SetAccessRule($taskFileAccessRule); Set-Acl -Path $taskFilePath -AclObject $modifiedAcl -ErrorAction Stop; Write-Host "^""Successfully granted permissions for `"^""$taskFullPath`"^"" ."^""; $accessGranted = $true; } catch {; Write-Warning "^""Failed to grant access to `"^""$taskFullPath`"^"": $($_.Exception.Message)"^""; }; try {; $task | Disable-ScheduledTask -ErrorAction Stop | Out-Null; Write-Output "^""Successfully disabled task `"^""$taskName`"^""."^""; } catch {; Write-Error "^""Failed to disable task `"^""$taskName`"^"": $($_.Exception.Message)"^""; $operationFailed = $true; }; if ($accessGranted) {; try {; Set-Acl -Path $taskFilePath -AclObject $originalAcl -ErrorAction Stop; Write-Host "^""Successfully restored permissions for `"^""$taskFullPath`"^"" ."^""; } catch {; Write-Warning "^""Failed to restore access on `"^""$taskFilePath`"^"": $($_.Exception.Message)"^""; }; }; }; if ($operationFailed) {; Write-Output 'Failed to disable some tasks. Check error messages above.'; exit 1; }"
:: ----------------------------------------------------------

:: ----------------------------------------------------------
:: ------Disable "StartOobeAppsScan_OobeAppReady" task-------
:: ----------------------------------------------------------
echo --- Disable "StartOobeAppsScan_OobeAppReady" task
:: Disable scheduled task(s): `\Microsoft\Windows\UpdateOrchestrator\StartOobeAppsScan_OobeAppReady`
PowerShell -ExecutionPolicy Unrestricted -Command "$taskPathPattern='\Microsoft\Windows\UpdateOrchestrator\'; $taskNamePattern='StartOobeAppsScan_OobeAppReady'; Write-Output "^""Disabling tasks matching pattern `"^""$taskNamePattern`"^""."^""; $tasks = @(Get-ScheduledTask -TaskPath $taskPathPattern -TaskName $taskNamePattern -ErrorAction Ignore); if (-Not $tasks) {; Write-Output "^""Skipping, no tasks matching pattern `"^""$taskNamePattern`"^"" found, no action needed."^""; exit 0; }; $operationFailed = $false; foreach ($task in $tasks) {; $taskName = $task.TaskName; if ($task.State -eq [Microsoft.PowerShell.Cmdletization.GeneratedTypes.ScheduledTask.StateEnum]::Disabled) {; Write-Output "^""Skipping, task `"^""$taskName`"^"" is already disabled, no action needed."^""; continue; }; $taskFullPath = "^""$($task.TaskPath)$($task.TaskName)"^""; $adminSid = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-544'; $adminAccount = $adminSid.Translate([System.Security.Principal.NTAccount]); $taskFilePath="^""$($env:WINDIR)\System32\Tasks$($task.TaskPath)$($task.TaskName)"^""; $accessGranted = $false; try {; $originalAcl= Get-Acl -Path $taskFilePath -ErrorAction Stop; $modifiedAcl= Get-Acl -Path $taskFilePath -ErrorAction Stop; $modifiedAcl.SetOwner($adminAccount); $taskFileAccessRule = New-Object System.Security.AccessControl.FileSystemAccessRule( $adminAccount, [System.Security.AccessControl.FileSystemRights]::FullControl, [System.Security.AccessControl.AccessControlType]::Allow ); $modifiedAcl.SetAccessRule($taskFileAccessRule); Set-Acl -Path $taskFilePath -AclObject $modifiedAcl -ErrorAction Stop; Write-Host "^""Successfully granted permissions for `"^""$taskFullPath`"^"" ."^""; $accessGranted = $true; } catch {; Write-Warning "^""Failed to grant access to `"^""$taskFullPath`"^"": $($_.Exception.Message)"^""; }; try {; $task | Disable-ScheduledTask -ErrorAction Stop | Out-Null; Write-Output "^""Successfully disabled task `"^""$taskName`"^""."^""; } catch {; Write-Error "^""Failed to disable task `"^""$taskName`"^"": $($_.Exception.Message)"^""; $operationFailed = $true; }; if ($accessGranted) {; try {; Set-Acl -Path $taskFilePath -AclObject $originalAcl -ErrorAction Stop; Write-Host "^""Successfully restored permissions for `"^""$taskFullPath`"^"" ."^""; } catch {; Write-Warning "^""Failed to restore access on `"^""$taskFilePath`"^"": $($_.Exception.Message)"^""; }; }; }; if ($operationFailed) {; Write-Output 'Failed to disable some tasks. Check error messages above.'; exit 1; }"
:: ----------------------------------------------------------

:: ----------------------------------------------------------
:: -------Disable "StartOobeAppsScanAfterUpdate" task--------
:: ----------------------------------------------------------
echo --- Disable "StartOobeAppsScanAfterUpdate" task
:: Disable scheduled task(s): `\Microsoft\Windows\UpdateOrchestrator\StartOobeAppsScanAfterUpdate`
PowerShell -ExecutionPolicy Unrestricted -Command "$taskPathPattern='\Microsoft\Windows\UpdateOrchestrator\'; $taskNamePattern='StartOobeAppsScanAfterUpdate'; Write-Output "^""Disabling tasks matching pattern `"^""$taskNamePattern`"^""."^""; $tasks = @(Get-ScheduledTask -TaskPath $taskPathPattern -TaskName $taskNamePattern -ErrorAction Ignore); if (-Not $tasks) {; Write-Output "^""Skipping, no tasks matching pattern `"^""$taskNamePattern`"^"" found, no action needed."^""; exit 0; }; $operationFailed = $false; foreach ($task in $tasks) {; $taskName = $task.TaskName; if ($task.State -eq [Microsoft.PowerShell.Cmdletization.GeneratedTypes.ScheduledTask.StateEnum]::Disabled) {; Write-Output "^""Skipping, task `"^""$taskName`"^"" is already disabled, no action needed."^""; continue; }; $taskFullPath = "^""$($task.TaskPath)$($task.TaskName)"^""; $adminSid = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-544'; $adminAccount = $adminSid.Translate([System.Security.Principal.NTAccount]); $taskFilePath="^""$($env:WINDIR)\System32\Tasks$($task.TaskPath)$($task.TaskName)"^""; $accessGranted = $false; try {; $originalAcl= Get-Acl -Path $taskFilePath -ErrorAction Stop; $modifiedAcl= Get-Acl -Path $taskFilePath -ErrorAction Stop; $modifiedAcl.SetOwner($adminAccount); $taskFileAccessRule = New-Object System.Security.AccessControl.FileSystemAccessRule( $adminAccount, [System.Security.AccessControl.FileSystemRights]::FullControl, [System.Security.AccessControl.AccessControlType]::Allow ); $modifiedAcl.SetAccessRule($taskFileAccessRule); Set-Acl -Path $taskFilePath -AclObject $modifiedAcl -ErrorAction Stop; Write-Host "^""Successfully granted permissions for `"^""$taskFullPath`"^"" ."^""; $accessGranted = $true; } catch {; Write-Warning "^""Failed to grant access to `"^""$taskFullPath`"^"": $($_.Exception.Message)"^""; }; try {; $task | Disable-ScheduledTask -ErrorAction Stop | Out-Null; Write-Output "^""Successfully disabled task `"^""$taskName`"^""."^""; } catch {; Write-Error "^""Failed to disable task `"^""$taskName`"^"": $($_.Exception.Message)"^""; $operationFailed = $true; }; if ($accessGranted) {; try {; Set-Acl -Path $taskFilePath -AclObject $originalAcl -ErrorAction Stop; Write-Host "^""Successfully restored permissions for `"^""$taskFullPath`"^"" ."^""; } catch {; Write-Warning "^""Failed to restore access on `"^""$taskFilePath`"^"": $($_.Exception.Message)"^""; }; }; }; if ($operationFailed) {; Write-Output 'Failed to disable some tasks. Check error messages above.'; exit 1; }"
:: ----------------------------------------------------------

:: ----------------------------------------------------------
:: ---------------Disable "USO_UxBroker" task----------------
:: ----------------------------------------------------------
echo --- Disable "USO_UxBroker" task
:: Disable scheduled task(s): `\Microsoft\Windows\UpdateOrchestrator\USO_UxBroker`
PowerShell -ExecutionPolicy Unrestricted -Command "$taskPathPattern='\Microsoft\Windows\UpdateOrchestrator\'; $taskNamePattern='USO_UxBroker'; Write-Output "^""Disabling tasks matching pattern `"^""$taskNamePattern`"^""."^""; $tasks = @(Get-ScheduledTask -TaskPath $taskPathPattern -TaskName $taskNamePattern -ErrorAction Ignore); if (-Not $tasks) {; Write-Output "^""Skipping, no tasks matching pattern `"^""$taskNamePattern`"^"" found, no action needed."^""; exit 0; }; $operationFailed = $false; foreach ($task in $tasks) {; $taskName = $task.TaskName; if ($task.State -eq
[Microsoft.PowerShell.Cmdletization.GeneratedTypes.ScheduledTask.StateEnum]::Disabled) {; Write-Output "^""Skipping, task `"^""$taskName`"^"" is already disabled, no action needed."^""; continue; }; $taskFullPath = "^""$($task.TaskPath)$($task.TaskName)"^""; $adminSid = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-544'; $adminAccount = $adminSid.Translate([System.Security.Principal.NTAccount]); $taskFilePath="^""$($env:WINDIR)\System32\Tasks$($task.TaskPath)$($task.TaskName)"^""; $accessGranted = $false; try {; $originalAcl= Get-Acl -Path $taskFilePath -ErrorAction Stop; $modifiedAcl= Get-Acl -Path $taskFilePath -ErrorAction Stop; $modifiedAcl.SetOwner($adminAccount); $taskFileAccessRule = New-Object System.Security.AccessControl.FileSystemAccessRule( $adminAccount, [System.Security.AccessControl.FileSystemRights]::FullControl, [System.Security.AccessControl.AccessControlType]::Allow ); $modifiedAcl.SetAccessRule($taskFileAccessRule); Set-Acl -Path $taskFilePath -AclObject $modifiedAcl -ErrorAction Stop; Write-Host "^""Successfully granted permissions for `"^""$taskFullPath`"^"" ."^""; $accessGranted = $true; } catch {; Write-Warning "^""Failed to grant access to `"^""$taskFullPath`"^"": $($_.Exception.Message)"^""; }; try {; $task | Disable-ScheduledTask -ErrorAction Stop | Out-Null; Write-Output "^""Successfully disabled task `"^""$taskName`"^""."^""; } catch {; Write-Error "^""Failed to disable task `"^""$taskName`"^"": $($_.Exception.Message)"^""; $operationFailed = $true; }; if ($accessGranted) {; try {; Set-Acl -Path $taskFilePath -AclObject $originalAcl -ErrorAction Stop; Write-Host "^""Successfully restored permissions for `"^""$taskFullPath`"^"" ."^""; } catch {; Write-Warning "^""Failed to restore access on `"^""$taskFilePath`"^"": $($_.Exception.Message)"^""; }; }; }; if ($operationFailed) {; Write-Output 'Failed to disable some tasks. 
Check error messages above.'; exit 1; }" :: ---------------------------------------------------------- :: ---------------------------------------------------------- :: -------------Disable "UUS Failover Task" task------------- :: ---------------------------------------------------------- echo --- Disable "UUS Failover Task" task :: Disable scheduled task(s): `\Microsoft\Windows\UpdateOrchestrator\UUS Failover Task` PowerShell -ExecutionPolicy Unrestricted -Command "$taskPathPattern='\Microsoft\Windows\UpdateOrchestrator\'; $taskNamePattern='UUS Failover Task'; Write-Output "^""Disabling tasks matching pattern `"^""$taskNamePattern`"^""."^""; $tasks = @(Get-ScheduledTask -TaskPath $taskPathPattern -TaskName $taskNamePattern -ErrorAction Ignore); if (-Not $tasks) {; Write-Output "^""Skipping, no tasks matching pattern `"^""$taskNamePattern`"^"" found, no action needed."^""; exit 0; }; $operationFailed = $false; foreach ($task in $tasks) {; $taskName = $task.TaskName; if ($task.State -eq [Microsoft.PowerShell.Cmdletization.GeneratedTypes.ScheduledTask.StateEnum]::Disabled) {; Write-Output "^""Skipping, task `"^""$taskName`"^"" is already disabled, no action needed."^""; continue; }; $taskFullPath = "^""$($task.TaskPath)$($task.TaskName)"^""; $adminSid = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-544'; $adminAccount = $adminSid.Translate([System.Security.Principal.NTAccount]); $taskFilePath="^""$($env:WINDIR)\System32\Tasks$($task.TaskPath)$($task.TaskName)"^""; $accessGranted = $false; try {; $originalAcl= Get-Acl -Path $taskFilePath -ErrorAction Stop; $modifiedAcl= Get-Acl -Path $taskFilePath -ErrorAction Stop; $modifiedAcl.SetOwner($adminAccount); $taskFileAccessRule = New-Object System.Security.AccessControl.FileSystemAccessRule( $adminAccount, [System.Security.AccessControl.FileSystemRights]::FullControl, [System.Security.AccessControl.AccessControlType]::Allow ); $modifiedAcl.SetAccessRule($taskFileAccessRule); Set-Acl -Path $taskFilePath 
-AclObject $modifiedAcl -ErrorAction Stop; Write-Host "^""Successfully granted permissions for `"^""$taskFullPath`"^"" ."^""; $accessGranted = $true; } catch {; Write-Warning "^""Failed to grant access to `"^""$taskFullPath`"^"": $($_.Exception.Message)"^""; }; try {; $task | Disable-ScheduledTask -ErrorAction Stop | Out-Null; Write-Output "^""Successfully disabled task `"^""$taskName`"^""."^""; } catch {; Write-Error "^""Failed to disable task `"^""$taskName`"^"": $($_.Exception.Message)"^""; $operationFailed = $true; }; if ($accessGranted) {; try {; Set-Acl -Path $taskFilePath -AclObject $originalAcl -ErrorAction Stop; Write-Host "^""Successfully restored permissions for `"^""$taskFullPath`"^"" ."^""; } catch {; Write-Warning "^""Failed to restore access on `"^""$taskFilePath`"^"": $($_.Exception.Message)"^""; }; }; }; if ($operationFailed) {; Write-Output 'Failed to disable some tasks. Check error messages above.'; exit 1; }" :: ---------------------------------------------------------- :: ---------------------------------------------------------- :: ------------Disable "PerformRemediation" task------------- :: ---------------------------------------------------------- echo --- Disable "PerformRemediation" task :: Disable scheduled task(s): `\Microsoft\Windows\WaaSMedic\PerformRemediation` PowerShell -ExecutionPolicy Unrestricted -Command "$taskPathPattern='\Microsoft\Windows\WaaSMedic\'; $taskNamePattern='PerformRemediation'; Write-Output "^""Disabling tasks matching pattern `"^""$taskNamePattern`"^""."^""; $tasks = @(Get-ScheduledTask -TaskPath $taskPathPattern -TaskName $taskNamePattern -ErrorAction Ignore); if (-Not $tasks) {; Write-Output "^""Skipping, no tasks matching pattern `"^""$taskNamePattern`"^"" found, no action needed."^""; exit 0; }; $operationFailed = $false; foreach ($task in $tasks) {; $taskName = $task.TaskName; if ($task.State -eq [Microsoft.PowerShell.Cmdletization.GeneratedTypes.ScheduledTask.StateEnum]::Disabled) {; Write-Output 
"^""Skipping, task `"^""$taskName`"^"" is already disabled, no action needed."^""; continue; }; $taskFullPath = "^""$($task.TaskPath)$($task.TaskName)"^""; $adminSid = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-544'; $adminAccount = $adminSid.Translate([System.Security.Principal.NTAccount]); $taskFilePath="^""$($env:WINDIR)\System32\Tasks$($task.TaskPath)$($task.TaskName)"^""; $accessGranted = $false; try {; $originalAcl= Get-Acl -Path $taskFilePath -ErrorAction Stop; $modifiedAcl= Get-Acl -Path $taskFilePath -ErrorAction Stop; $modifiedAcl.SetOwner($adminAccount); $taskFileAccessRule = New-Object System.Security.AccessControl.FileSystemAccessRule( $adminAccount, [System.Security.AccessControl.FileSystemRights]::FullControl, [System.Security.AccessControl.AccessControlType]::Allow ); $modifiedAcl.SetAccessRule($taskFileAccessRule); Set-Acl -Path $taskFilePath -AclObject $modifiedAcl -ErrorAction Stop; Write-Host "^""Successfully granted permissions for `"^""$taskFullPath`"^"" ."^""; $accessGranted = $true; } catch {; Write-Warning "^""Failed to grant access to `"^""$taskFullPath`"^"": $($_.Exception.Message)"^""; }; try {; $task | Disable-ScheduledTask -ErrorAction Stop | Out-Null; Write-Output "^""Successfully disabled task `"^""$taskName`"^""."^""; } catch {; Write-Error "^""Failed to disable task `"^""$taskName`"^"": $($_.Exception.Message)"^""; $operationFailed = $true; }; if ($accessGranted) {; try {; Set-Acl -Path $taskFilePath -AclObject $originalAcl -ErrorAction Stop; Write-Host "^""Successfully restored permissions for `"^""$taskFullPath`"^"" ."^""; } catch {; Write-Warning "^""Failed to restore access on `"^""$taskFilePath`"^"": $($_.Exception.Message)"^""; }; }; }; if ($operationFailed) {; Write-Output 'Failed to disable some tasks. 
Check error messages above.'; exit 1; }" :: ---------------------------------------------------------- :: ---------------------------------------------------------- :: ----------Disable outdated Windows Update tasks----------- :: ---------------------------------------------------------- echo --- Disable outdated Windows Update tasks :: Disable scheduled task(s): `\Microsoft\Windows\UpdateOrchestrator\AC Power Download` PowerShell -ExecutionPolicy Unrestricted -Command "$taskPathPattern='\Microsoft\Windows\UpdateOrchestrator\'; $taskNamePattern='AC Power Download'; Write-Output "^""Disabling tasks matching pattern `"^""$taskNamePattern`"^""."^""; $tasks = @(Get-ScheduledTask -TaskPath $taskPathPattern -TaskName $taskNamePattern -ErrorAction Ignore); if (-Not $tasks) {; Write-Output "^""Skipping, no tasks matching pattern `"^""$taskNamePattern`"^"" found, no action needed."^""; exit 0; }; $operationFailed = $false; foreach ($task in $tasks) {; $taskName = $task.TaskName; if ($task.State -eq [Microsoft.PowerShell.Cmdletization.GeneratedTypes.ScheduledTask.StateEnum]::Disabled) {; Write-Output "^""Skipping, task `"^""$taskName`"^"" is already disabled, no action needed."^""; continue; }; try {; $task | Disable-ScheduledTask -ErrorAction Stop | Out-Null; Write-Output "^""Successfully disabled task `"^""$taskName`"^""."^""; } catch {; Write-Error "^""Failed to disable task `"^""$taskName`"^"": $($_.Exception.Message)"^""; $operationFailed = $true; }; }; if ($operationFailed) {; Write-Output 'Failed to disable some tasks. 
Check error messages above.'; exit 1; }" :: Disable scheduled task(s): `\Microsoft\Windows\UpdateOrchestrator\AC Power Install` PowerShell -ExecutionPolicy Unrestricted -Command "$taskPathPattern='\Microsoft\Windows\UpdateOrchestrator\'; $taskNamePattern='AC Power Install'; Write-Output "^""Disabling tasks matching pattern `"^""$taskNamePattern`"^""."^""; $tasks = @(Get-ScheduledTask -TaskPath $taskPathPattern -TaskName $taskNamePattern -ErrorAction Ignore); if (-Not $tasks) {; Write-Output "^""Skipping, no tasks matching pattern `"^""$taskNamePattern`"^"" found, no action needed."^""; exit 0; }; $operationFailed = $false; foreach ($task in $tasks) {; $taskName = $task.TaskName; if ($task.State -eq [Microsoft.PowerShell.Cmdletization.GeneratedTypes.ScheduledTask.StateEnum]::Disabled) {; Write-Output "^""Skipping, task `"^""$taskName`"^"" is already disabled, no action needed."^""; continue; }; try {; $task | Disable-ScheduledTask -ErrorAction Stop | Out-Null; Write-Output "^""Successfully disabled task `"^""$taskName`"^""."^""; } catch {; Write-Error "^""Failed to disable task `"^""$taskName`"^"": $($_.Exception.Message)"^""; $operationFailed = $true; }; }; if ($operationFailed) {; Write-Output 'Failed to disable some tasks. 
Check error messages above.'; exit 1; }" :: Disable scheduled task(s): `\Microsoft\Windows\UpdateOrchestrator\Backup Scan` PowerShell -ExecutionPolicy Unrestricted -Command "$taskPathPattern='\Microsoft\Windows\UpdateOrchestrator\'; $taskNamePattern='Backup Scan'; Write-Output "^""Disabling tasks matching pattern `"^""$taskNamePattern`"^""."^""; $tasks = @(Get-ScheduledTask -TaskPath $taskPathPattern -TaskName $taskNamePattern -ErrorAction Ignore); if (-Not $tasks) {; Write-Output "^""Skipping, no tasks matching pattern `"^""$taskNamePattern`"^"" found, no action needed."^""; exit 0; }; $operationFailed = $false; foreach ($task in $tasks) {; $taskName = $task.TaskName; if ($task.State -eq [Microsoft.PowerShell.Cmdletization.GeneratedTypes.ScheduledTask.StateEnum]::Disabled) {; Write-Output "^""Skipping, task `"^""$taskName`"^"" is already disabled, no action needed."^""; continue; }; try {; $task | Disable-ScheduledTask -ErrorAction Stop | Out-Null; Write-Output "^""Successfully disabled task `"^""$taskName`"^""."^""; } catch {; Write-Error "^""Failed to disable task `"^""$taskName`"^"": $($_.Exception.Message)"^""; $operationFailed = $true; }; }; if ($operationFailed) {; Write-Output 'Failed to disable some tasks. 
Check error messages above.'; exit 1; }" :: Disable scheduled task(s): `\Microsoft\Windows\UpdateOrchestrator\Battery Saver Deferred Install` PowerShell -ExecutionPolicy Unrestricted -Command "$taskPathPattern='\Microsoft\Windows\UpdateOrchestrator\'; $taskNamePattern='Battery Saver Deferred Install'; Write-Output "^""Disabling tasks matching pattern `"^""$taskNamePattern`"^""."^""; $tasks = @(Get-ScheduledTask -TaskPath $taskPathPattern -TaskName $taskNamePattern -ErrorAction Ignore); if (-Not $tasks) {; Write-Output "^""Skipping, no tasks matching pattern `"^""$taskNamePattern`"^"" found, no action needed."^""; exit 0; }; $operationFailed = $false; foreach ($task in $tasks) {; $taskName = $task.TaskName; if ($task.State -eq [Microsoft.PowerShell.Cmdletization.GeneratedTypes.ScheduledTask.StateEnum]::Disabled) {; Write-Output "^""Skipping, task `"^""$taskName`"^"" is already disabled, no action needed."^""; continue; }; try {; $task | Disable-ScheduledTask -ErrorAction Stop | Out-Null; Write-Output "^""Successfully disabled task `"^""$taskName`"^""."^""; } catch {; Write-Error "^""Failed to disable task `"^""$taskName`"^"": $($_.Exception.Message)"^""; $operationFailed = $true; }; }; if ($operationFailed) {; Write-Output 'Failed to disable some tasks. 
Check error messages above.'; exit 1; }" :: Disable scheduled task(s): `\Microsoft\Windows\UpdateOrchestrator\Driver Install` PowerShell -ExecutionPolicy Unrestricted -Command "$taskPathPattern='\Microsoft\Windows\UpdateOrchestrator\'; $taskNamePattern='Driver Install'; Write-Output "^""Disabling tasks matching pattern `"^""$taskNamePattern`"^""."^""; $tasks = @(Get-ScheduledTask -TaskPath $taskPathPattern -TaskName $taskNamePattern -ErrorAction Ignore); if (-Not $tasks) {; Write-Output "^""Skipping, no tasks matching pattern `"^""$taskNamePattern`"^"" found, no action needed."^""; exit 0; }; $operationFailed = $false; foreach ($task in $tasks) {; $taskName = $task.TaskName; if ($task.State -eq [Microsoft.PowerShell.Cmdletization.GeneratedTypes.ScheduledTask.StateEnum]::Disabled) {; Write-Output "^""Skipping, task `"^""$taskName`"^"" is already disabled, no action needed."^""; continue; }; try {; $task | Disable-ScheduledTask -ErrorAction Stop | Out-Null; Write-Output "^""Successfully disabled task `"^""$taskName`"^""."^""; } catch {; Write-Error "^""Failed to disable task `"^""$taskName`"^"": $($_.Exception.Message)"^""; $operationFailed = $true; }; }; if ($operationFailed) {; Write-Output 'Failed to disable some tasks. 
Check error messages above.'; exit 1; }" :: Disable scheduled task(s): `\Microsoft\Windows\UpdateOrchestrator\Maintenance Install` PowerShell -ExecutionPolicy Unrestricted -Command "$taskPathPattern='\Microsoft\Windows\UpdateOrchestrator\'; $taskNamePattern='Maintenance Install'; Write-Output "^""Disabling tasks matching pattern `"^""$taskNamePattern`"^""."^""; $tasks = @(Get-ScheduledTask -TaskPath $taskPathPattern -TaskName $taskNamePattern -ErrorAction Ignore); if (-Not $tasks) {; Write-Output "^""Skipping, no tasks matching pattern `"^""$taskNamePattern`"^"" found, no action needed."^""; exit 0; }; $operationFailed = $false; foreach ($task in $tasks) {; $taskName = $task.TaskName; if ($task.State -eq [Microsoft.PowerShell.Cmdletization.GeneratedTypes.ScheduledTask.StateEnum]::Disabled) {; Write-Output "^""Skipping, task `"^""$taskName`"^"" is already disabled, no action needed."^""; continue; }; try {; $task | Disable-ScheduledTask -ErrorAction Stop | Out-Null; Write-Output "^""Successfully disabled task `"^""$taskName`"^""."^""; } catch {; Write-Error "^""Failed to disable task `"^""$taskName`"^"": $($_.Exception.Message)"^""; $operationFailed = $true; }; }; if ($operationFailed) {; Write-Output 'Failed to disable some tasks. 
Check error messages above.'; exit 1; }" :: Disable scheduled task(s): `\Microsoft\Windows\UpdateOrchestrator\MusUx_LogonUpdateResults` PowerShell -ExecutionPolicy Unrestricted -Command "$taskPathPattern='\Microsoft\Windows\UpdateOrchestrator\'; $taskNamePattern='MusUx_LogonUpdateResults'; Write-Output "^""Disabling tasks matching pattern `"^""$taskNamePattern`"^""."^""; $tasks = @(Get-ScheduledTask -TaskPath $taskPathPattern -TaskName $taskNamePattern -ErrorAction Ignore); if (-Not $tasks) {; Write-Output "^""Skipping, no tasks matching pattern `"^""$taskNamePattern`"^"" found, no action needed."^""; exit 0; }; $operationFailed = $false; foreach ($task in $tasks) {; $taskName = $task.TaskName; if ($task.State -eq [Microsoft.PowerShell.Cmdletization.GeneratedTypes.ScheduledTask.StateEnum]::Disabled) {; Write-Output "^""Skipping, task `"^""$taskName`"^"" is already disabled, no action needed."^""; continue; }; try {; $task | Disable-ScheduledTask -ErrorAction Stop | Out-Null; Write-Output "^""Successfully disabled task `"^""$taskName`"^""."^""; } catch {; Write-Error "^""Failed to disable task `"^""$taskName`"^"": $($_.Exception.Message)"^""; $operationFailed = $true; }; }; if ($operationFailed) {; Write-Output 'Failed to disable some tasks. 
Check error messages above.'; exit 1; }" :: Disable scheduled task(s): `\Microsoft\Windows\UpdateOrchestrator\MusUx_UpdateInterval` PowerShell -ExecutionPolicy Unrestricted -Command "$taskPathPattern='\Microsoft\Windows\UpdateOrchestrator\'; $taskNamePattern='MusUx_UpdateInterval'; Write-Output "^""Disabling tasks matching pattern `"^""$taskNamePattern`"^""."^""; $tasks = @(Get-ScheduledTask -TaskPath $taskPathPattern -TaskName $taskNamePattern -ErrorAction Ignore); if (-Not $tasks) {; Write-Output "^""Skipping, no tasks matching pattern `"^""$taskNamePattern`"^"" found, no action needed."^""; exit 0; }; $operationFailed = $false; foreach ($task in $tasks) {; $taskName = $task.TaskName; if ($task.State -eq [Microsoft.PowerShell.Cmdletization.GeneratedTypes.ScheduledTask.StateEnum]::Disabled) {; Write-Output "^""Skipping, task `"^""$taskName`"^"" is already disabled, no action needed."^""; continue; }; try {; $task | Disable-ScheduledTask -ErrorAction Stop | Out-Null; Write-Output "^""Successfully disabled task `"^""$taskName`"^""."^""; } catch {; Write-Error "^""Failed to disable task `"^""$taskName`"^"": $($_.Exception.Message)"^""; $operationFailed = $true; }; }; if ($operationFailed) {; Write-Output 'Failed to disable some tasks. 
Check error messages above.'; exit 1; }" :: Disable scheduled task(s): `\Microsoft\Windows\UpdateOrchestrator\Policy Install` PowerShell -ExecutionPolicy Unrestricted -Command "$taskPathPattern='\Microsoft\Windows\UpdateOrchestrator\'; $taskNamePattern='Policy Install'; Write-Output "^""Disabling tasks matching pattern `"^""$taskNamePattern`"^""."^""; $tasks = @(Get-ScheduledTask -TaskPath $taskPathPattern -TaskName $taskNamePattern -ErrorAction Ignore); if (-Not $tasks) {; Write-Output "^""Skipping, no tasks matching pattern `"^""$taskNamePattern`"^"" found, no action needed."^""; exit 0; }; $operationFailed = $false; foreach ($task in $tasks) {; $taskName = $task.TaskName; if ($task.State -eq [Microsoft.PowerShell.Cmdletization.GeneratedTypes.ScheduledTask.StateEnum]::Disabled) {; Write-Output "^""Skipping, task `"^""$taskName`"^"" is already disabled, no action needed."^""; continue; }; try {; $task | Disable-ScheduledTask -ErrorAction Stop | Out-Null; Write-Output "^""Successfully disabled task `"^""$taskName`"^""."^""; } catch {; Write-Error "^""Failed to disable task `"^""$taskName`"^"": $($_.Exception.Message)"^""; $operationFailed = $true; }; }; if ($operationFailed) {; Write-Output 'Failed to disable some tasks. 
Check error messages above.'; exit 1; }" :: Disable scheduled task(s): `\Microsoft\Windows\UpdateOrchestrator\Reboot` PowerShell -ExecutionPolicy Unrestricted -Command "$taskPathPattern='\Microsoft\Windows\UpdateOrchestrator\'; $taskNamePattern='Reboot'; Write-Output "^""Disabling tasks matching pattern `"^""$taskNamePattern`"^""."^""; $tasks = @(Get-ScheduledTask -TaskPath $taskPathPattern -TaskName $taskNamePattern -ErrorAction Ignore); if (-Not $tasks) {; Write-Output "^""Skipping, no tasks matching pattern `"^""$taskNamePattern`"^"" found, no action needed."^""; exit 0; }; $operationFailed = $false; foreach ($task in $tasks) {; $taskName = $task.TaskName; if ($task.State -eq [Microsoft.PowerShell.Cmdletization.GeneratedTypes.ScheduledTask.StateEnum]::Disabled) {; Write-Output "^""Skipping, task `"^""$taskName`"^"" is already disabled, no action needed."^""; continue; }; try {; $task | Disable-ScheduledTask -ErrorAction Stop | Out-Null; Write-Output "^""Successfully disabled task `"^""$taskName`"^""."^""; } catch {; Write-Error "^""Failed to disable task `"^""$taskName`"^"": $($_.Exception.Message)"^""; $operationFailed = $true; }; }; if ($operationFailed) {; Write-Output 'Failed to disable some tasks. 
Check error messages above.'; exit 1; }" :: Disable scheduled task(s): `\Microsoft\Windows\UpdateOrchestrator\Reboot_AC` PowerShell -ExecutionPolicy Unrestricted -Command "$taskPathPattern='\Microsoft\Windows\UpdateOrchestrator\'; $taskNamePattern='Reboot_AC'; Write-Output "^""Disabling tasks matching pattern `"^""$taskNamePattern`"^""."^""; $tasks = @(Get-ScheduledTask -TaskPath $taskPathPattern -TaskName $taskNamePattern -ErrorAction Ignore); if (-Not $tasks) {; Write-Output "^""Skipping, no tasks matching pattern `"^""$taskNamePattern`"^"" found, no action needed."^""; exit 0; }; $operationFailed = $false; foreach ($task in $tasks) {; $taskName = $task.TaskName; if ($task.State -eq [Microsoft.PowerShell.Cmdletization.GeneratedTypes.ScheduledTask.StateEnum]::Disabled) {; Write-Output "^""Skipping, task `"^""$taskName`"^"" is already disabled, no action needed."^""; continue; }; try {; $task | Disable-ScheduledTask -ErrorAction Stop | Out-Null; Write-Output "^""Successfully disabled task `"^""$taskName`"^""."^""; } catch {; Write-Error "^""Failed to disable task `"^""$taskName`"^"": $($_.Exception.Message)"^""; $operationFailed = $true; }; }; if ($operationFailed) {; Write-Output 'Failed to disable some tasks. 
Check error messages above.'; exit 1; }" :: Disable scheduled task(s): `\Microsoft\Windows\UpdateOrchestrator\Reboot_Battery` PowerShell -ExecutionPolicy Unrestricted -Command "$taskPathPattern='\Microsoft\Windows\UpdateOrchestrator\'; $taskNamePattern='Reboot_Battery'; Write-Output "^""Disabling tasks matching pattern `"^""$taskNamePattern`"^""."^""; $tasks = @(Get-ScheduledTask -TaskPath $taskPathPattern -TaskName $taskNamePattern -ErrorAction Ignore); if (-Not $tasks) {; Write-Output "^""Skipping, no tasks matching pattern `"^""$taskNamePattern`"^"" found, no action needed."^""; exit 0; }; $operationFailed = $false; foreach ($task in $tasks) {; $taskName = $task.TaskName; if ($task.State -eq [Microsoft.PowerShell.Cmdletization.GeneratedTypes.ScheduledTask.StateEnum]::Disabled) {; Write-Output "^""Skipping, task `"^""$taskName`"^"" is already disabled, no action needed."^""; continue; }; try {; $task | Disable-ScheduledTask -ErrorAction Stop | Out-Null; Write-Output "^""Successfully disabled task `"^""$taskName`"^""."^""; } catch {; Write-Error "^""Failed to disable task `"^""$taskName`"^"": $($_.Exception.Message)"^""; $operationFailed = $true; }; }; if ($operationFailed) {; Write-Output 'Failed to disable some tasks. 
Check error messages above.'; exit 1; }" :: Disable scheduled task(s): `\Microsoft\Windows\UpdateOrchestrator\Refresh Settings` PowerShell -ExecutionPolicy Unrestricted -Command "$taskPathPattern='\Microsoft\Windows\UpdateOrchestrator\'; $taskNamePattern='Refresh Settings'; Write-Output "^""Disabling tasks matching pattern `"^""$taskNamePattern`"^""."^""; $tasks = @(Get-ScheduledTask -TaskPath $taskPathPattern -TaskName $taskNamePattern -ErrorAction Ignore); if (-Not $tasks) {; Write-Output "^""Skipping, no tasks matching pattern `"^""$taskNamePattern`"^"" found, no action needed."^""; exit 0; }; $operationFailed = $false; foreach ($task in $tasks) {; $taskName = $task.TaskName; if ($task.State -eq [Microsoft.PowerShell.Cmdletization.GeneratedTypes.ScheduledTask.StateEnum]::Disabled) {; Write-Output "^""Skipping, task `"^""$taskName`"^"" is already disabled, no action needed."^""; continue; }; try {; $task | Disable-ScheduledTask -ErrorAction Stop | Out-Null; Write-Output "^""Successfully disabled task `"^""$taskName`"^""."^""; } catch {; Write-Error "^""Failed to disable task `"^""$taskName`"^"": $($_.Exception.Message)"^""; $operationFailed = $true; }; }; if ($operationFailed) {; Write-Output 'Failed to disable some tasks. 
Check error messages above.'; exit 1; }" :: Disable scheduled task(s): `\Microsoft\Windows\UpdateOrchestrator\Resume On Boot` PowerShell -ExecutionPolicy Unrestricted -Command "$taskPathPattern='\Microsoft\Windows\UpdateOrchestrator\'; $taskNamePattern='Resume On Boot'; Write-Output "^""Disabling tasks matching pattern `"^""$taskNamePattern`"^""."^""; $tasks = @(Get-ScheduledTask -TaskPath $taskPathPattern -TaskName $taskNamePattern -ErrorAction Ignore); if (-Not $tasks) {; Write-Output "^""Skipping, no tasks matching pattern `"^""$taskNamePattern`"^"" found, no action needed."^""; exit 0; }; $operationFailed = $false; foreach ($task in $tasks) {; $taskName = $task.TaskName; if ($task.State -eq [Microsoft.PowerShell.Cmdletization.GeneratedTypes.ScheduledTask.StateEnum]::Disabled) {; Write-Output "^""Skipping, task `"^""$taskName`"^"" is already disabled, no action needed."^""; continue; }; try {; $task | Disable-ScheduledTask -ErrorAction Stop | Out-Null; Write-Output "^""Successfully disabled task `"^""$taskName`"^""."^""; } catch {; Write-Error "^""Failed to disable task `"^""$taskName`"^"": $($_.Exception.Message)"^""; $operationFailed = $true; }; }; if ($operationFailed) {; Write-Output 'Failed to disable some tasks. 
Check error messages above.'; exit 1; }" :: Disable scheduled task(s): `\Microsoft\Windows\UpdateOrchestrator\Schedule Retry Scan` PowerShell -ExecutionPolicy Unrestricted -Command "$taskPathPattern='\Microsoft\Windows\UpdateOrchestrator\'; $taskNamePattern='Schedule Retry Scan'; Write-Output "^""Disabling tasks matching pattern `"^""$taskNamePattern`"^""."^""; $tasks = @(Get-ScheduledTask -TaskPath $taskPathPattern -TaskName $taskNamePattern -ErrorAction Ignore); if (-Not $tasks) {; Write-Output "^""Skipping, no tasks matching pattern `"^""$taskNamePattern`"^"" found, no action needed."^""; exit 0; }; $operationFailed = $false; foreach ($task in $tasks) {; $taskName = $task.TaskName; if ($task.State -eq [Microsoft.PowerShell.Cmdletization.GeneratedTypes.ScheduledTask.StateEnum]::Disabled) {; Write-Output "^""Skipping, task `"^""$taskName`"^"" is already disabled, no action needed."^""; continue; }; try {; $task | Disable-ScheduledTask -ErrorAction Stop | Out-Null; Write-Output "^""Successfully disabled task `"^""$taskName`"^""."^""; } catch {; Write-Error "^""Failed to disable task `"^""$taskName`"^"": $($_.Exception.Message)"^""; $operationFailed = $true; }; }; if ($operationFailed) {; Write-Output 'Failed to disable some tasks. 
Check error messages above.'; exit 1; }"
:: Disable scheduled task(s): `\Microsoft\Windows\UpdateOrchestrator\StartOobeAppsScan`
PowerShell -ExecutionPolicy Unrestricted -Command "$taskPathPattern='\Microsoft\Windows\UpdateOrchestrator\'; $taskNamePattern='StartOobeAppsScan'; Write-Output "^""Disabling tasks matching pattern `"^""$taskNamePattern`"^""."^""; $tasks = @(Get-ScheduledTask -TaskPath $taskPathPattern -TaskName $taskNamePattern -ErrorAction Ignore); if (-Not $tasks) {; Write-Output "^""Skipping, no tasks matching pattern `"^""$taskNamePattern`"^"" found, no action needed."^""; exit 0; }; $operationFailed = $false; foreach ($task in $tasks) {; $taskName = $task.TaskName; if ($task.State -eq [Microsoft.PowerShell.Cmdletization.GeneratedTypes.ScheduledTask.StateEnum]::Disabled) {; Write-Output "^""Skipping, task `"^""$taskName`"^"" is already disabled, no action needed."^""; continue; }; try {; $task | Disable-ScheduledTask -ErrorAction Stop | Out-Null; Write-Output "^""Successfully disabled task `"^""$taskName`"^""."^""; } catch {; Write-Error "^""Failed to disable task `"^""$taskName`"^"": $($_.Exception.Message)"^""; $operationFailed = $true; }; }; if ($operationFailed) {; Write-Output 'Failed to disable some tasks. Check error messages above.'; exit 1; }"
:: Disable scheduled task(s): `\Microsoft\Windows\UpdateOrchestrator\USO_Broker_Display`
PowerShell -ExecutionPolicy Unrestricted -Command "$taskPathPattern='\Microsoft\Windows\UpdateOrchestrator\'; $taskNamePattern='USO_Broker_Display'; Write-Output "^""Disabling tasks matching pattern `"^""$taskNamePattern`"^""."^""; $tasks = @(Get-ScheduledTask -TaskPath $taskPathPattern -TaskName $taskNamePattern -ErrorAction Ignore); if (-Not $tasks) {; Write-Output "^""Skipping, no tasks matching pattern `"^""$taskNamePattern`"^"" found, no action needed."^""; exit 0; }; $operationFailed = $false; foreach ($task in $tasks) {; $taskName = $task.TaskName; if ($task.State -eq [Microsoft.PowerShell.Cmdletization.GeneratedTypes.ScheduledTask.StateEnum]::Disabled) {; Write-Output "^""Skipping, task `"^""$taskName`"^"" is already disabled, no action needed."^""; continue; }; try {; $task | Disable-ScheduledTask -ErrorAction Stop | Out-Null; Write-Output "^""Successfully disabled task `"^""$taskName`"^""."^""; } catch {; Write-Error "^""Failed to disable task `"^""$taskName`"^"": $($_.Exception.Message)"^""; $operationFailed = $true; }; }; if ($operationFailed) {; Write-Output 'Failed to disable some tasks. Check error messages above.'; exit 1; }"
:: Disable scheduled task(s): `\Microsoft\Windows\UpdateOrchestrator\USO_UxBroker_Display`
PowerShell -ExecutionPolicy Unrestricted -Command "$taskPathPattern='\Microsoft\Windows\UpdateOrchestrator\'; $taskNamePattern='USO_UxBroker_Display'; Write-Output "^""Disabling tasks matching pattern `"^""$taskNamePattern`"^""."^""; $tasks = @(Get-ScheduledTask -TaskPath $taskPathPattern -TaskName $taskNamePattern -ErrorAction Ignore); if (-Not $tasks) {; Write-Output "^""Skipping, no tasks matching pattern `"^""$taskNamePattern`"^"" found, no action needed."^""; exit 0; }; $operationFailed = $false; foreach ($task in $tasks) {; $taskName = $task.TaskName; if ($task.State -eq [Microsoft.PowerShell.Cmdletization.GeneratedTypes.ScheduledTask.StateEnum]::Disabled) {; Write-Output "^""Skipping, task `"^""$taskName`"^"" is already disabled, no action needed."^""; continue; }; try {; $task | Disable-ScheduledTask -ErrorAction Stop | Out-Null; Write-Output "^""Successfully disabled task `"^""$taskName`"^""."^""; } catch {; Write-Error "^""Failed to disable task `"^""$taskName`"^"": $($_.Exception.Message)"^""; $operationFailed = $true; }; }; if ($operationFailed) {; Write-Output 'Failed to disable some tasks. Check error messages above.'; exit 1; }"
:: Disable scheduled task(s): `\Microsoft\Windows\UpdateOrchestrator\USO_UxBroker_ReadyToReboot`
PowerShell -ExecutionPolicy Unrestricted -Command "$taskPathPattern='\Microsoft\Windows\UpdateOrchestrator\'; $taskNamePattern='USO_UxBroker_ReadyToReboot'; Write-Output "^""Disabling tasks matching pattern `"^""$taskNamePattern`"^""."^""; $tasks = @(Get-ScheduledTask -TaskPath $taskPathPattern -TaskName $taskNamePattern -ErrorAction Ignore); if (-Not $tasks) {; Write-Output "^""Skipping, no tasks matching pattern `"^""$taskNamePattern`"^"" found, no action needed."^""; exit 0; }; $operationFailed = $false; foreach ($task in $tasks) {; $taskName = $task.TaskName; if ($task.State -eq [Microsoft.PowerShell.Cmdletization.GeneratedTypes.ScheduledTask.StateEnum]::Disabled) {; Write-Output "^""Skipping, task `"^""$taskName`"^"" is already disabled, no action needed."^""; continue; }; try {; $task | Disable-ScheduledTask -ErrorAction Stop | Out-Null; Write-Output "^""Successfully disabled task `"^""$taskName`"^""."^""; } catch {; Write-Error "^""Failed to disable task `"^""$taskName`"^"": $($_.Exception.Message)"^""; $operationFailed = $true; }; }; if ($operationFailed) {; Write-Output 'Failed to disable some tasks. Check error messages above.'; exit 1; }"
:: Disable scheduled task(s): `\Microsoft\Windows\UpdateOrchestrator\Universal Orchestrator Start`
PowerShell -ExecutionPolicy Unrestricted -Command "$taskPathPattern='\Microsoft\Windows\UpdateOrchestrator\'; $taskNamePattern='Universal Orchestrator Start'; Write-Output "^""Disabling tasks matching pattern `"^""$taskNamePattern`"^""."^""; $tasks = @(Get-ScheduledTask -TaskPath $taskPathPattern -TaskName $taskNamePattern -ErrorAction Ignore); if (-Not $tasks) {; Write-Output "^""Skipping, no tasks matching pattern `"^""$taskNamePattern`"^"" found, no action needed."^""; exit 0; }; $operationFailed = $false; foreach ($task in $tasks) {; $taskName = $task.TaskName; if ($task.State -eq [Microsoft.PowerShell.Cmdletization.GeneratedTypes.ScheduledTask.StateEnum]::Disabled) {; Write-Output "^""Skipping, task `"^""$taskName`"^"" is already disabled, no action needed."^""; continue; }; try {; $task | Disable-ScheduledTask -ErrorAction Stop | Out-Null; Write-Output "^""Successfully disabled task `"^""$taskName`"^""."^""; } catch {; Write-Error "^""Failed to disable task `"^""$taskName`"^"": $($_.Exception.Message)"^""; $operationFailed = $true; }; }; if ($operationFailed) {; Write-Output 'Failed to disable some tasks. Check error messages above.'; exit 1; }"
:: Disable scheduled task(s): `\Microsoft\Windows\UpdateOrchestrator\Universal Orchestrator Idle Start`
PowerShell -ExecutionPolicy Unrestricted -Command "$taskPathPattern='\Microsoft\Windows\UpdateOrchestrator\'; $taskNamePattern='Universal Orchestrator Idle Start'; Write-Output "^""Disabling tasks matching pattern `"^""$taskNamePattern`"^""."^""; $tasks = @(Get-ScheduledTask -TaskPath $taskPathPattern -TaskName $taskNamePattern -ErrorAction Ignore); if (-Not $tasks) {; Write-Output "^""Skipping, no tasks matching pattern `"^""$taskNamePattern`"^"" found, no action needed."^""; exit 0; }; $operationFailed = $false; foreach ($task in $tasks) {; $taskName = $task.TaskName; if ($task.State -eq [Microsoft.PowerShell.Cmdletization.GeneratedTypes.ScheduledTask.StateEnum]::Disabled) {; Write-Output "^""Skipping, task `"^""$taskName`"^"" is already disabled, no action needed."^""; continue; }; try {; $task | Disable-ScheduledTask -ErrorAction Stop | Out-Null; Write-Output "^""Successfully disabled task `"^""$taskName`"^""."^""; } catch {; Write-Error "^""Failed to disable task `"^""$taskName`"^"": $($_.Exception.Message)"^""; $operationFailed = $true; }; }; if ($operationFailed) {; Write-Output 'Failed to disable some tasks. Check error messages above.'; exit 1; }"
:: Disable scheduled task(s): `\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant`
PowerShell -ExecutionPolicy Unrestricted -Command "$taskPathPattern='\Microsoft\Windows\UpdateOrchestrator\'; $taskNamePattern='UpdateAssistant'; Write-Output "^""Disabling tasks matching pattern `"^""$taskNamePattern`"^""."^""; $tasks = @(Get-ScheduledTask -TaskPath $taskPathPattern -TaskName $taskNamePattern -ErrorAction Ignore); if (-Not $tasks) {; Write-Output "^""Skipping, no tasks matching pattern `"^""$taskNamePattern`"^"" found, no action needed."^""; exit 0; }; $operationFailed = $false; foreach ($task in $tasks) {; $taskName = $task.TaskName; if ($task.State -eq [Microsoft.PowerShell.Cmdletization.GeneratedTypes.ScheduledTask.StateEnum]::Disabled) {; Write-Output "^""Skipping, task `"^""$taskName`"^"" is already disabled, no action needed."^""; continue; }; try {; $task | Disable-ScheduledTask -ErrorAction Stop | Out-Null; Write-Output "^""Successfully disabled task `"^""$taskName`"^""."^""; } catch {; Write-Error "^""Failed to disable task `"^""$taskName`"^"": $($_.Exception.Message)"^""; $operationFailed = $true; }; }; if ($operationFailed) {; Write-Output 'Failed to disable some tasks. Check error messages above.'; exit 1; }"
:: Disable scheduled task(s): `\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantAllUsersRun`
PowerShell -ExecutionPolicy Unrestricted -Command "$taskPathPattern='\Microsoft\Windows\UpdateOrchestrator\'; $taskNamePattern='UpdateAssistantAllUsersRun'; Write-Output "^""Disabling tasks matching pattern `"^""$taskNamePattern`"^""."^""; $tasks = @(Get-ScheduledTask -TaskPath $taskPathPattern -TaskName $taskNamePattern -ErrorAction Ignore); if (-Not $tasks) {; Write-Output "^""Skipping, no tasks matching pattern `"^""$taskNamePattern`"^"" found, no action needed."^""; exit 0; }; $operationFailed = $false; foreach ($task in $tasks) {; $taskName = $task.TaskName; if ($task.State -eq [Microsoft.PowerShell.Cmdletization.GeneratedTypes.ScheduledTask.StateEnum]::Disabled) {; Write-Output "^""Skipping, task `"^""$taskName`"^"" is already disabled, no action needed."^""; continue; }; try {; $task | Disable-ScheduledTask -ErrorAction Stop | Out-Null; Write-Output "^""Successfully disabled task `"^""$taskName`"^""."^""; } catch {; Write-Error "^""Failed to disable task `"^""$taskName`"^"": $($_.Exception.Message)"^""; $operationFailed = $true; }; }; if ($operationFailed) {; Write-Output 'Failed to disable some tasks. Check error messages above.'; exit 1; }"
:: Disable scheduled task(s): `\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun`
PowerShell -ExecutionPolicy Unrestricted -Command "$taskPathPattern='\Microsoft\Windows\UpdateOrchestrator\'; $taskNamePattern='UpdateAssistantCalendarRun'; Write-Output "^""Disabling tasks matching pattern `"^""$taskNamePattern`"^""."^""; $tasks = @(Get-ScheduledTask -TaskPath $taskPathPattern -TaskName $taskNamePattern -ErrorAction Ignore); if (-Not $tasks) {; Write-Output "^""Skipping, no tasks matching pattern `"^""$taskNamePattern`"^"" found, no action needed."^""; exit 0; }; $operationFailed = $false; foreach ($task in $tasks) {; $taskName = $task.TaskName; if ($task.State -eq [Microsoft.PowerShell.Cmdletization.GeneratedTypes.ScheduledTask.StateEnum]::Disabled) {; Write-Output "^""Skipping, task `"^""$taskName`"^"" is already disabled, no action needed."^""; continue; }; try {; $task | Disable-ScheduledTask -ErrorAction Stop | Out-Null; Write-Output "^""Successfully disabled task `"^""$taskName`"^""."^""; } catch {; Write-Error "^""Failed to disable task `"^""$taskName`"^"": $($_.Exception.Message)"^""; $operationFailed = $true; }; }; if ($operationFailed) {; Write-Output 'Failed to disable some tasks. Check error messages above.'; exit 1; }"
:: Disable scheduled task(s): `\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun`
PowerShell -ExecutionPolicy Unrestricted -Command "$taskPathPattern='\Microsoft\Windows\UpdateOrchestrator\'; $taskNamePattern='UpdateAssistantWakeupRun'; Write-Output "^""Disabling tasks matching pattern `"^""$taskNamePattern`"^""."^""; $tasks = @(Get-ScheduledTask -TaskPath $taskPathPattern -TaskName $taskNamePattern -ErrorAction Ignore); if (-Not $tasks) {; Write-Output "^""Skipping, no tasks matching pattern `"^""$taskNamePattern`"^"" found, no action needed."^""; exit 0; }; $operationFailed = $false; foreach ($task in $tasks) {; $taskName = $task.TaskName; if ($task.State -eq [Microsoft.PowerShell.Cmdletization.GeneratedTypes.ScheduledTask.StateEnum]::Disabled) {; Write-Output "^""Skipping, task `"^""$taskName`"^"" is already disabled, no action needed."^""; continue; }; try {; $task | Disable-ScheduledTask -ErrorAction Stop | Out-Null; Write-Output "^""Successfully disabled task `"^""$taskName`"^""."^""; } catch {; Write-Error "^""Failed to disable task `"^""$taskName`"^"": $($_.Exception.Message)"^""; $operationFailed = $true; }; }; if ($operationFailed) {; Write-Output 'Failed to disable some tasks. Check error messages above.'; exit 1; }"
:: Disable scheduled task(s): `\Microsoft\Windows\WindowsUpdate\AUScheduledInstall`
PowerShell -ExecutionPolicy Unrestricted -Command "$taskPathPattern='\Microsoft\Windows\WindowsUpdate\'; $taskNamePattern='AUScheduledInstall'; Write-Output "^""Disabling tasks matching pattern `"^""$taskNamePattern`"^""."^""; $tasks = @(Get-ScheduledTask -TaskPath $taskPathPattern -TaskName $taskNamePattern -ErrorAction Ignore); if (-Not $tasks) {; Write-Output "^""Skipping, no tasks matching pattern `"^""$taskNamePattern`"^"" found, no action needed."^""; exit 0; }; $operationFailed = $false; foreach ($task in $tasks) {; $taskName = $task.TaskName; if ($task.State -eq [Microsoft.PowerShell.Cmdletization.GeneratedTypes.ScheduledTask.StateEnum]::Disabled) {; Write-Output "^""Skipping, task `"^""$taskName`"^"" is already disabled, no action needed."^""; continue; }; try {; $task | Disable-ScheduledTask -ErrorAction Stop | Out-Null; Write-Output "^""Successfully disabled task `"^""$taskName`"^""."^""; } catch {; Write-Error "^""Failed to disable task `"^""$taskName`"^"": $($_.Exception.Message)"^""; $operationFailed = $true; }; }; if ($operationFailed) {; Write-Output 'Failed to disable some tasks. Check error messages above.'; exit 1; }"
:: Disable scheduled task(s): `\Microsoft\Windows\WindowsUpdate\AUSessionConnect`
PowerShell -ExecutionPolicy Unrestricted -Command "$taskPathPattern='\Microsoft\Windows\WindowsUpdate\'; $taskNamePattern='AUSessionConnect'; Write-Output "^""Disabling tasks matching pattern `"^""$taskNamePattern`"^""."^""; $tasks = @(Get-ScheduledTask -TaskPath $taskPathPattern -TaskName $taskNamePattern -ErrorAction Ignore); if (-Not $tasks) {; Write-Output "^""Skipping, no tasks matching pattern `"^""$taskNamePattern`"^"" found, no action needed."^""; exit 0; }; $operationFailed = $false; foreach ($task in $tasks) {; $taskName = $task.TaskName; if ($task.State -eq [Microsoft.PowerShell.Cmdletization.GeneratedTypes.ScheduledTask.StateEnum]::Disabled) {; Write-Output "^""Skipping, task `"^""$taskName`"^"" is already disabled, no action needed."^""; continue; }; try {; $task | Disable-ScheduledTask -ErrorAction Stop | Out-Null; Write-Output "^""Successfully disabled task `"^""$taskName`"^""."^""; } catch {; Write-Error "^""Failed to disable task `"^""$taskName`"^"": $($_.Exception.Message)"^""; $operationFailed = $true; }; }; if ($operationFailed) {; Write-Output 'Failed to disable some tasks. Check error messages above.'; exit 1; }"
:: Disable scheduled task(s): `\Microsoft\Windows\WindowsUpdate\Automatic App Update`
PowerShell -ExecutionPolicy Unrestricted -Command "$taskPathPattern='\Microsoft\Windows\WindowsUpdate\'; $taskNamePattern='Automatic App Update'; Write-Output "^""Disabling tasks matching pattern `"^""$taskNamePattern`"^""."^""; $tasks = @(Get-ScheduledTask -TaskPath $taskPathPattern -TaskName $taskNamePattern -ErrorAction Ignore); if (-Not $tasks) {; Write-Output "^""Skipping, no tasks matching pattern `"^""$taskNamePattern`"^"" found, no action needed."^""; exit 0; }; $operationFailed = $false; foreach ($task in $tasks) {; $taskName = $task.TaskName; if ($task.State -eq [Microsoft.PowerShell.Cmdletization.GeneratedTypes.ScheduledTask.StateEnum]::Disabled) {; Write-Output "^""Skipping, task `"^""$taskName`"^"" is already disabled, no action needed."^""; continue; }; try {; $task | Disable-ScheduledTask -ErrorAction Stop | Out-Null; Write-Output "^""Successfully disabled task `"^""$taskName`"^""."^""; } catch {; Write-Error "^""Failed to disable task `"^""$taskName`"^"": $($_.Exception.Message)"^""; $operationFailed = $true; }; }; if ($operationFailed) {; Write-Output 'Failed to disable some tasks. Check error messages above.'; exit 1; }"
:: Disable scheduled task(s): `\Microsoft\Windows\WindowsUpdate\RUXIM\PLUGScheduler`
PowerShell -ExecutionPolicy Unrestricted -Command "$taskPathPattern='\Microsoft\Windows\WindowsUpdate\RUXIM\'; $taskNamePattern='PLUGScheduler'; Write-Output "^""Disabling tasks matching pattern `"^""$taskNamePattern`"^""."^""; $tasks = @(Get-ScheduledTask -TaskPath $taskPathPattern -TaskName $taskNamePattern -ErrorAction Ignore); if (-Not $tasks) {; Write-Output "^""Skipping, no tasks matching pattern `"^""$taskNamePattern`"^"" found, no action needed."^""; exit 0; }; $operationFailed = $false; foreach ($task in $tasks) {; $taskName = $task.TaskName; if ($task.State -eq [Microsoft.PowerShell.Cmdletization.GeneratedTypes.ScheduledTask.StateEnum]::Disabled) {; Write-Output "^""Skipping, task `"^""$taskName`"^"" is already disabled, no action needed."^""; continue; }; try {; $task | Disable-ScheduledTask -ErrorAction Stop | Out-Null; Write-Output "^""Successfully disabled task `"^""$taskName`"^""."^""; } catch {; Write-Error "^""Failed to disable task `"^""$taskName`"^"": $($_.Exception.Message)"^""; $operationFailed = $true; }; }; if ($operationFailed) {; Write-Output 'Failed to disable some tasks. Check error messages above.'; exit 1; }"
:: Disable scheduled task(s): `\Microsoft\Windows\WindowsUpdate\Scheduled Start With Network`
PowerShell -ExecutionPolicy Unrestricted -Command "$taskPathPattern='\Microsoft\Windows\WindowsUpdate\'; $taskNamePattern='Scheduled Start With Network'; Write-Output "^""Disabling tasks matching pattern `"^""$taskNamePattern`"^""."^""; $tasks = @(Get-ScheduledTask -TaskPath $taskPathPattern -TaskName $taskNamePattern -ErrorAction Ignore); if (-Not $tasks) {; Write-Output "^""Skipping, no tasks matching pattern `"^""$taskNamePattern`"^"" found, no action needed."^""; exit 0; }; $operationFailed = $false; foreach ($task in $tasks) {; $taskName = $task.TaskName; if ($task.State -eq [Microsoft.PowerShell.Cmdletization.GeneratedTypes.ScheduledTask.StateEnum]::Disabled) {; Write-Output "^""Skipping, task `"^""$taskName`"^"" is already disabled, no action needed."^""; continue; }; try {; $task | Disable-ScheduledTask -ErrorAction Stop | Out-Null; Write-Output "^""Successfully disabled task `"^""$taskName`"^""."^""; } catch {; Write-Error "^""Failed to disable task `"^""$taskName`"^"": $($_.Exception.Message)"^""; $operationFailed = $true; }; }; if ($operationFailed) {; Write-Output 'Failed to disable some tasks. Check error messages above.'; exit 1; }"
:: Disable scheduled task(s): `\Microsoft\Windows\WindowsUpdate\sih`
PowerShell -ExecutionPolicy Unrestricted -Command "$taskPathPattern='\Microsoft\Windows\WindowsUpdate\'; $taskNamePattern='sih'; Write-Output "^""Disabling tasks matching pattern `"^""$taskNamePattern`"^""."^""; $tasks = @(Get-ScheduledTask -TaskPath $taskPathPattern -TaskName $taskNamePattern -ErrorAction Ignore); if (-Not $tasks) {; Write-Output "^""Skipping, no tasks matching pattern `"^""$taskNamePattern`"^"" found, no action needed."^""; exit 0; }; $operationFailed = $false; foreach ($task in $tasks) {; $taskName = $task.TaskName; if ($task.State -eq [Microsoft.PowerShell.Cmdletization.GeneratedTypes.ScheduledTask.StateEnum]::Disabled) {; Write-Output "^""Skipping, task `"^""$taskName`"^"" is already disabled, no action needed."^""; continue; }; try {; $task | Disable-ScheduledTask -ErrorAction Stop | Out-Null; Write-Output "^""Successfully disabled task `"^""$taskName`"^""."^""; } catch {; Write-Error "^""Failed to disable task `"^""$taskName`"^"": $($_.Exception.Message)"^""; $operationFailed = $true; }; }; if ($operationFailed) {; Write-Output 'Failed to disable some tasks. Check error messages above.'; exit 1; }"
:: Disable scheduled task(s): `\Microsoft\Windows\WindowsUpdate\sihboot`
PowerShell -ExecutionPolicy Unrestricted -Command "$taskPathPattern='\Microsoft\Windows\WindowsUpdate\'; $taskNamePattern='sihboot'; Write-Output "^""Disabling tasks matching pattern `"^""$taskNamePattern`"^""."^""; $tasks = @(Get-ScheduledTask -TaskPath $taskPathPattern -TaskName $taskNamePattern -ErrorAction Ignore); if (-Not $tasks) {; Write-Output "^""Skipping, no tasks matching pattern `"^""$taskNamePattern`"^"" found, no action needed."^""; exit 0; }; $operationFailed = $false; foreach ($task in $tasks) {; $taskName = $task.TaskName; if ($task.State -eq [Microsoft.PowerShell.Cmdletization.GeneratedTypes.ScheduledTask.StateEnum]::Disabled) {; Write-Output "^""Skipping, task `"^""$taskName`"^"" is already disabled, no action needed."^""; continue; }; try {; $task | Disable-ScheduledTask -ErrorAction Stop | Out-Null; Write-Output "^""Successfully disabled task `"^""$taskName`"^""."^""; } catch {; Write-Error "^""Failed to disable task `"^""$taskName`"^"": $($_.Exception.Message)"^""; $operationFailed = $true; }; }; if ($operationFailed) {; Write-Output 'Failed to disable some tasks. Check error messages above.'; exit 1; }"
:: Disable scheduled task(s): `\Microsoft\Windows\WindowsUpdate\sihpostreboot`
PowerShell -ExecutionPolicy Unrestricted -Command "$taskPathPattern='\Microsoft\Windows\WindowsUpdate\'; $taskNamePattern='sihpostreboot'; Write-Output "^""Disabling tasks matching pattern `"^""$taskNamePattern`"^""."^""; $tasks = @(Get-ScheduledTask -TaskPath $taskPathPattern -TaskName $taskNamePattern -ErrorAction Ignore); if (-Not $tasks) {; Write-Output "^""Skipping, no tasks matching pattern `"^""$taskNamePattern`"^"" found, no action needed."^""; exit 0; }; $operationFailed = $false; foreach ($task in $tasks) {; $taskName = $task.TaskName; if ($task.State -eq [Microsoft.PowerShell.Cmdletization.GeneratedTypes.ScheduledTask.StateEnum]::Disabled) {; Write-Output "^""Skipping, task `"^""$taskName`"^"" is already disabled, no action needed."^""; continue; }; try {; $task | Disable-ScheduledTask -ErrorAction Stop | Out-Null; Write-Output "^""Successfully disabled task `"^""$taskName`"^""."^""; } catch {; Write-Error "^""Failed to disable task `"^""$taskName`"^"": $($_.Exception.Message)"^""; $operationFailed = $true; }; }; if ($operationFailed) {; Write-Output 'Failed to disable some tasks. Check error messages above.'; exit 1; }"
:: ----------------------------------------------------------

:: ----------------------------------------------------------
:: ----------Disable Automatic Updates (AU) feature----------
:: ----------------------------------------------------------
echo --- Disable Automatic Updates (AU) feature
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" /v "NoAutoUpdate" /t "REG_DWORD" /d "1" /f
:: ----------------------------------------------------------

:: Disable automatic installation of Windows updates without user consent
echo --- Disable automatic installation of Windows updates without user consent
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" /v "AUOptions" /t "REG_DWORD" /d "2" /f
:: ----------------------------------------------------------

:: ----------------------------------------------------------
:: -Disable automatic daily installation of Windows updates--
:: ----------------------------------------------------------
echo --- Disable automatic daily installation of Windows updates
reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" /v "ScheduledInstallDay" /f 2>nul
:: ----------------------------------------------------------

:: ----------------------------------------------------------
:: -----------Disable scheduled automatic updates------------
:: ----------------------------------------------------------
echo --- Disable scheduled automatic updates
reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" /v "ScheduledInstallTime" /f 2>nul
:: ----------------------------------------------------------

:: ----------------------------------------------------------
:: ---------Disable "Updateability From SCM" process---------
:: ----------------------------------------------------------
echo --- Disable "Updateability From SCM" process
:: Soft delete files matching pattern (with additional permissions) : "%SYSTEMROOT%\System32\upfc.exe"
PowerShell -ExecutionPolicy Unrestricted -Command "$pathGlobPattern = "^""%SYSTEMROOT%\System32\upfc.exe"^""; $expandedPath = [System.Environment]::ExpandEnvironmentVariables($pathGlobPattern); Write-Host "^""Searching for items matching pattern: `"^""$($expandedPath)`"^""."^""; $renamedCount = 0; $skippedCount = 0; $failedCount = 0; Add-Type -TypeDefinition "^""using System;`r`nusing System.Runtime.InteropServices;`r`npublic class Privileges {`r`n [DllImport(`"^""advapi32.dll`"^"", ExactSpelling = true, SetLastError = true)]`r`n internal static extern bool AdjustTokenPrivileges(IntPtr htok, bool disall,`r`n ref TokPriv1Luid newst, int len, IntPtr prev, IntPtr relen);`r`n [DllImport(`"^""advapi32.dll`"^"", ExactSpelling = true, SetLastError = true)]`r`n internal static extern bool OpenProcessToken(IntPtr h, int acc, ref IntPtr phtok);`r`n [DllImport(`"^""advapi32.dll`"^"", SetLastError = true)]`r`n internal static extern bool LookupPrivilegeValue(string host, string name, ref long pluid);`r`n [StructLayout(LayoutKind.Sequential, Pack = 1)]`r`n internal struct TokPriv1Luid {`r`n public int Count;`r`n public long Luid;`r`n public int Attr;`r`n }`r`n internal const int SE_PRIVILEGE_ENABLED = 0x00000002;`r`n internal const int TOKEN_QUERY = 0x00000008;`r`n internal const int TOKEN_ADJUST_PRIVILEGES = 0x00000020;`r`n public static bool AddPrivilege(string privilege) {`r`n try {`r`n bool retVal;`r`n TokPriv1Luid tp;`r`n IntPtr hproc = GetCurrentProcess();`r`n IntPtr htok = IntPtr.Zero;`r`n retVal = OpenProcessToken(hproc, TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, ref htok);`r`n tp.Count = 1;`r`n tp.Luid = 0;`r`n tp.Attr = SE_PRIVILEGE_ENABLED;`r`n retVal = LookupPrivilegeValue(null, privilege, ref tp.Luid);`r`n retVal = AdjustTokenPrivileges(htok, false, ref tp, 0, IntPtr.Zero, IntPtr.Zero);`r`n return retVal;`r`n } catch (Exception ex) {`r`n throw new Exception(`"^""Failed to adjust token privileges`"^"", ex);`r`n }`r`n }`r`n public static bool RemovePrivilege(string privilege) {`r`n try {`r`n bool retVal;`r`n TokPriv1Luid tp;`r`n IntPtr hproc = GetCurrentProcess();`r`n IntPtr htok = IntPtr.Zero;`r`n retVal = OpenProcessToken(hproc, TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, ref htok);`r`n tp.Count = 1;`r`n tp.Luid = 0;`r`n tp.Attr = 0; // This line is changed to revoke the privilege`r`n retVal = LookupPrivilegeValue(null, privilege, ref tp.Luid);`r`n retVal = AdjustTokenPrivileges(htok, false, ref tp, 0, IntPtr.Zero, IntPtr.Zero);`r`n return retVal;`r`n } catch (Exception ex) {`r`n throw new Exception(`"^""Failed to adjust token privileges`"^"", ex);`r`n }`r`n }`r`n [DllImport(`"^""kernel32.dll`"^"", CharSet = CharSet.Auto)]`r`n public static extern IntPtr GetCurrentProcess();`r`n}"^""; [Privileges]::AddPrivilege('SeRestorePrivilege') | Out-Null; [Privileges]::AddPrivilege('SeTakeOwnershipPrivilege') | Out-Null; $adminSid = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-544'; $adminAccount = $adminSid.Translate([System.Security.Principal.NTAccount]); $adminFullControlAccessRule = New-Object System.Security.AccessControl.FileSystemAccessRule( $adminAccount, [System.Security.AccessControl.FileSystemRights]::FullControl, [System.Security.AccessControl.AccessControlType]::Allow ); $foundAbsolutePaths = @(); try {; $foundAbsolutePaths += @(; Get-Item -Path $expandedPath -ErrorAction Stop | Select-Object -ExpandProperty FullName; ); } catch [System.Management.Automation.ItemNotFoundException] {; <# Swallow, do not run `Test-Path` before, it's unreliable for globs requiring extra permissions #>; }; $foundAbsolutePaths = $foundAbsolutePaths | Select-Object -Unique | Sort-Object -Property { $_.Length } -Descending; if (!$foundAbsolutePaths) {; Write-Host 'Skipping, no items available.'; exit 0; }; Write-Host "^""Initiating processing of $($foundAbsolutePaths.Count) items from `"^""$expandedPath`"^""."^""; foreach ($path in $foundAbsolutePaths) {; if (Test-Path -Path $path -PathType Container) {; Write-Host "^""Skipping folder (not its contents): `"^""$path`"^""."^""; $skippedCount++; continue; }; if($revert -eq $true) {; if (-not $path.EndsWith('.OLD')) {; Write-Host "^""Skipping non-backup file: `"^""$path`"^""."^""; $skippedCount++; continue; }; } else {; if ($path.EndsWith('.OLD')) {; Write-Host "^""Skipping backup file: `"^""$path`"^""."^""; $skippedCount++; continue; }; }; $originalFilePath = $path; Write-Host "^""Processing file: `"^""$originalFilePath`"^""."^""; if (-Not (Test-Path $originalFilePath)) {; Write-Host "^""Skipping, file `"^""$originalFilePath`"^"" not found."^""; $skippedCount++; exit 0; }; $originalAcl = Get-Acl -Path "^""$originalFilePath"^""; $accessGranted = $false; try {; $acl = Get-Acl -Path "^""$originalFilePath"^""; $acl.SetOwner($adminAccount) <# Take Ownership (because file is owned by TrustedInstaller) #>; $acl.AddAccessRule($adminFullControlAccessRule) <# Grant rights to be able to move the file #>; Set-Acl -Path $originalFilePath -AclObject $acl -ErrorAction Stop; $accessGranted = $true; } catch {; Write-Warning "^""Failed to grant access to `"^""$originalFilePath`"^"": $($_.Exception.Message)"^""; }; if ($revert -eq $true) {; $newFilePath = $originalFilePath.Substring(0, $originalFilePath.Length - 4); } else {; $newFilePath = "^""$($originalFilePath).OLD"^""; }; try {; Move-Item -LiteralPath "^""$($originalFilePath)"^"" -Destination "^""$newFilePath"^"" -Force -ErrorAction Stop; Write-Host "^""Successfully processed `"^""$originalFilePath`"^""."^""; $renamedCount++; if ($accessGranted) {; try {; Set-Acl -Path $newFilePath -AclObject $originalAcl -ErrorAction Stop; } catch {; Write-Warning "^""Failed to restore access on `"^""$newFilePath`"^"": $($_.Exception.Message)"^""; }; }; } catch {; Write-Error "^""Failed to rename `"^""$originalFilePath`"^"" to `"^""$newFilePath`"^"": $($_.Exception.Message)"^""; $failedCount++; if ($accessGranted) {; try {; Set-Acl -Path $originalFilePath -AclObject $originalAcl -ErrorAction Stop; } catch {; Write-Warning "^""Failed to restore access on `"^""$originalFilePath`"^"": $($_.Exception.Message)"^""; }; }; }; }; if (($renamedCount -gt 0) -or ($skippedCount -gt 0)) {; Write-Host "^""Successfully processed $renamedCount items and skipped $skippedCount items."^""; }; if ($failedCount -gt 0) {; Write-Warning "^""Failed to processed $($failedCount) items."^""; }; [Privileges]::RemovePrivilege('SeRestorePrivilege') | Out-Null; [Privileges]::RemovePrivilege('SeTakeOwnershipPrivilege') | Out-Null"
:: Terminate "upfc.exe" process if it's running
tasklist /fi "ImageName eq upfc.exe" /fo csv 2>NUL | find /i "upfc.exe">NUL && (
    echo upfc.exe is running and will be killed.
    taskkill /f /im upfc.exe
) || (
    echo Skipping, upfc.exe is not running.
)
:: Configure termination of "upfc.exe" immediately upon its startup
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\upfc.exe" /v "Debugger" /t REG_SZ /d "%WINDIR%\System32\taskkill.exe" /f
:: ----------------------------------------------------------

:: Pause the script to view the final state
pause
:: Restore previous environment settings
endlocal
:: Exit the script successfully
exit /b 0
```

Edited: I added soft delete of WaaS\services, WaaS\tasks
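
An added example (not part of the original comment and not privacy.sexy code): a read-only PowerShell audit that reports which of the settings applied by the script above have drifted back. The expected values are taken from that script; the task list covers only the tasks visible in this part of it, and the helper name `Add-Finding` is made up for this example.

```powershell
# Added example: read-only drift audit for the settings the script above applies.
# Run from an elevated PowerShell prompt. Nothing is modified.
$findings = [System.Collections.Generic.List[object]]::new()

function Add-Finding {
    param([string]$Item, [string]$Expected, [string]$Actual, [bool]$Drifted)
    $findings.Add([pscustomobject]@{
        Item = $Item; Expected = $Expected; Actual = $Actual; Drifted = $Drifted
    })
}

# 1. Scheduled tasks: each should be Disabled (or absent on this Windows build,
#    which the original script also treats as "no action needed").
$expectedDisabledTasks = [ordered]@{
    '\Microsoft\Windows\UpdateOrchestrator\' = @(
        'StartOobeAppsScan', 'USO_Broker_Display', 'USO_UxBroker_Display',
        'USO_UxBroker_ReadyToReboot', 'Universal Orchestrator Start',
        'Universal Orchestrator Idle Start', 'UpdateAssistant',
        'UpdateAssistantAllUsersRun', 'UpdateAssistantCalendarRun',
        'UpdateAssistantWakeupRun'
    )
    '\Microsoft\Windows\WindowsUpdate\' = @(
        'AUScheduledInstall', 'AUSessionConnect', 'Automatic App Update',
        'Scheduled Start With Network', 'sih', 'sihboot', 'sihpostreboot'
    )
    '\Microsoft\Windows\WindowsUpdate\RUXIM\' = @('PLUGScheduler')
}
foreach ($taskPath in $expectedDisabledTasks.Keys) {
    foreach ($taskName in $expectedDisabledTasks[$taskPath]) {
        $task = Get-ScheduledTask -TaskPath $taskPath -TaskName $taskName -ErrorAction Ignore
        $state = if ($task) { "$($task.State)" } else { 'Absent' }
        Add-Finding "Task $taskPath$taskName" 'Disabled' $state ($state -notin 'Disabled', 'Absent')
    }
}

# 2. Automatic Updates policy: NoAutoUpdate=1, AUOptions=2, schedule values deleted.
$auKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
$au = Get-ItemProperty -Path $auKey -ErrorAction Ignore
$expectedAu = [ordered]@{
    NoAutoUpdate         = 1
    AUOptions            = 2
    ScheduledInstallDay  = $null
    ScheduledInstallTime = $null
}
foreach ($name in $expectedAu.Keys) {
    $expected = $expectedAu[$name]
    $actual = if ($au) { $au.$name } else { $null }
    $expectedText = if ($null -eq $expected) { 'absent' } else { "$expected" }
    $actualText = if ($null -eq $actual) { 'absent' } else { "$actual" }
    Add-Finding "Policy AU\$name" $expectedText $actualText ($expectedText -ne $actualText)
}

# 3. upfc.exe: binary renamed to .OLD and an IFEO "Debugger" value pointing at taskkill.exe.
$upfc = Join-Path $env:SYSTEMROOT 'System32\upfc.exe'
$fileState = if (Test-Path -LiteralPath $upfc) { 'present' }
             elseif (Test-Path -LiteralPath "$upfc.OLD") { 'renamed to .OLD' }
             else { 'absent' }
Add-Finding "File $upfc" 'renamed to .OLD' $fileState ($fileState -eq 'present')

$ifeoKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\upfc.exe'
$debugger = (Get-ItemProperty -Path $ifeoKey -ErrorAction Ignore).Debugger
$expectedDebugger = Join-Path $env:WINDIR 'System32\taskkill.exe'
$debuggerText = if ($null -eq $debugger) { 'absent' } else { "$debugger" }
Add-Finding 'IFEO upfc.exe Debugger' $expectedDebugger $debuggerText ($debuggerText -ne $expectedDebugger)

# Report drifted items first.
$findings | Sort-Object Drifted -Descending | Format-Table -AutoSize -Wrap
$drifted = @($findings | Where-Object Drifted)
Write-Output "$($drifted.Count) of $($findings.Count) checked settings differ from what the script applied."
```

Comparing the output right after applying the script with the output a few days later shows which of these settings the OS changed back.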

undergroundwires commented 11 months ago

I could not paste the revert code in the post above; GitHub has a character limit per post. This is the revert script that will restore the default OS state for the above changes:

Restore to default OS state:

revert-windows-update-with-tasks-services-and-processes.bat

```batchfile
@echo off
:: https://privacy.sexy — v0.12.5 — Sat, 25 Nov 2023 19:23:36 GMT
:: Ensure admin privileges
fltmc >nul 2>&1 || (
    echo Administrator privileges are required.
    PowerShell Start -Verb RunAs '%0' 2> nul || (
        echo Right-click on the script and select "Run as administrator".
        pause & exit 1
    )
    exit 0
)
:: Initialize environment
setlocal EnableExtensions DisableDelayedExpansion

:: ----------------------------------------------------------
:: -----Disable Automatic Updates (AU) feature (revert)------
:: ----------------------------------------------------------
echo --- Disable Automatic Updates (AU) feature (revert)
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" /v "NoAutoUpdate" /t "REG_DWORD" /d "0" /f
:: ----------------------------------------------------------

:: Disable automatic installation of Windows updates without user consent (revert)
echo --- Disable automatic installation of Windows updates without user consent (revert)
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" /v "AUOptions" /t "REG_DWORD" /d "4" /f
:: ----------------------------------------------------------

:: Disable automatic daily installation of Windows updates (revert)
echo --- Disable automatic daily installation of Windows updates (revert)
:: This key does not exist by default since Windows 10 21H2 and Windows 11 21H2
reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" /v "ScheduledInstallDay" /f 2>nul
:: ----------------------------------------------------------

:: ----------------------------------------------------------
:: -------Disable scheduled automatic updates (revert)-------
:: ----------------------------------------------------------
echo --- Disable scheduled automatic updates (revert)
:: This key does not exist by default since Windows 10 21H2 and Windows 11 21H2
reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" /v "ScheduledInstallTime" /f 2>nul
:: ----------------------------------------------------------

:: ----------------------------------------------------------
:: ----Disable "Updateability From SCM" process (revert)-----
:: ----------------------------------------------------------
echo --- Disable "Updateability From SCM" process (revert)
:: Restore files matching pattern (with additional permissions) : "%SYSTEMROOT%\System32\upfc.exe"
PowerShell -ExecutionPolicy Unrestricted -Command "$revert = $true; $pathGlobPattern = "^""%SYSTEMROOT%\System32\upfc.exe.OLD"^""; $expandedPath = [System.Environment]::ExpandEnvironmentVariables($pathGlobPattern); Write-Host "^""Searching for items matching pattern: `"^""$($expandedPath)`"^""."^""; $renamedCount = 0; $skippedCount = 0; $failedCount = 0; Add-Type -TypeDefinition "^""using System;`r`nusing System.Runtime.InteropServices;`r`npublic class Privileges {`r`n [DllImport(`"^""advapi32.dll`"^"", ExactSpelling = true, SetLastError = true)]`r`n internal static extern bool AdjustTokenPrivileges(IntPtr htok, bool disall,`r`n ref TokPriv1Luid newst, int len, IntPtr prev, IntPtr relen);`r`n [DllImport(`"^""advapi32.dll`"^"", ExactSpelling = true, SetLastError = true)]`r`n internal static extern bool OpenProcessToken(IntPtr h, int acc, ref IntPtr phtok);`r`n [DllImport(`"^""advapi32.dll`"^"", SetLastError = true)]`r`n internal static extern bool LookupPrivilegeValue(string host, string name, ref long pluid);`r`n [StructLayout(LayoutKind.Sequential, Pack = 1)]`r`n internal struct TokPriv1Luid {`r`n public int Count;`r`n public long Luid;`r`n public int Attr;`r`n }`r`n internal const int SE_PRIVILEGE_ENABLED = 0x00000002;`r`n internal const int TOKEN_QUERY = 0x00000008;`r`n internal const int TOKEN_ADJUST_PRIVILEGES = 0x00000020;`r`n public static bool AddPrivilege(string privilege) {`r`n try {`r`n bool retVal;`r`n TokPriv1Luid tp;`r`n IntPtr hproc = GetCurrentProcess();`r`n IntPtr htok = IntPtr.Zero;`r`n retVal = OpenProcessToken(hproc, TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, ref htok);`r`n tp.Count = 1;`r`n tp.Luid = 0;`r`n tp.Attr = SE_PRIVILEGE_ENABLED;`r`n retVal = LookupPrivilegeValue(null, privilege, ref tp.Luid);`r`n retVal = AdjustTokenPrivileges(htok, false, ref tp, 0, IntPtr.Zero, IntPtr.Zero);`r`n return retVal;`r`n } catch (Exception ex) {`r`n throw new Exception(`"^""Failed to adjust token privileges`"^"", ex);`r`n }`r`n }`r`n public static bool RemovePrivilege(string privilege) {`r`n try {`r`n bool retVal;`r`n TokPriv1Luid tp;`r`n IntPtr hproc = GetCurrentProcess();`r`n IntPtr htok = IntPtr.Zero;`r`n retVal = OpenProcessToken(hproc, TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, ref htok);`r`n tp.Count = 1;`r`n tp.Luid = 0;`r`n tp.Attr = 0; // This line is changed to revoke the privilege`r`n retVal = LookupPrivilegeValue(null, privilege, ref tp.Luid);`r`n retVal = AdjustTokenPrivileges(htok, false, ref tp, 0, IntPtr.Zero, IntPtr.Zero);`r`n return retVal;`r`n } catch (Exception ex) {`r`n throw new Exception(`"^""Failed to adjust token privileges`"^"", ex);`r`n }`r`n }`r`n [DllImport(`"^""kernel32.dll`"^"", CharSet = CharSet.Auto)]`r`n public static extern IntPtr GetCurrentProcess();`r`n}"^""; [Privileges]::AddPrivilege('SeRestorePrivilege') | Out-Null; [Privileges]::AddPrivilege('SeTakeOwnershipPrivilege') | Out-Null; $adminSid = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-544'; $adminAccount = $adminSid.Translate([System.Security.Principal.NTAccount]); $adminFullControlAccessRule = New-Object System.Security.AccessControl.FileSystemAccessRule( $adminAccount, [System.Security.AccessControl.FileSystemRights]::FullControl, [System.Security.AccessControl.AccessControlType]::Allow ); $foundAbsolutePaths = @(); try {; $foundAbsolutePaths += @(; Get-Item -Path $expandedPath -ErrorAction Stop | Select-Object -ExpandProperty FullName; ); } catch [System.Management.Automation.ItemNotFoundException] {; <# Swallow, do not run `Test-Path` before, it's unreliable for globs requiring extra permissions #>; }; $foundAbsolutePaths = $foundAbsolutePaths | Select-Object -Unique | Sort-Object -Property { $_.Length } -Descending; if (!$foundAbsolutePaths) {; Write-Host 'Skipping, no items available.'; exit 0; }; Write-Host "^""Initiating processing of $($foundAbsolutePaths.Count) items from `"^""$expandedPath`"^""."^""; foreach ($path in $foundAbsolutePaths) {; if (Test-Path -Path $path -PathType Container) {; Write-Host "^""Skipping folder (not its contents): `"^""$path`"^""."^""; $skippedCount++; continue; }; if($revert -eq $true) {; if (-not $path.EndsWith('.OLD')) {; Write-Host "^""Skipping non-backup file: `"^""$path`"^""."^""; $skippedCount++; continue; }; } else {; if ($path.EndsWith('.OLD')) {; Write-Host "^""Skipping backup file: `"^""$path`"^""."^""; $skippedCount++; continue; }; }; $originalFilePath = $path; Write-Host "^""Processing file: `"^""$originalFilePath`"^""."^""; if (-Not (Test-Path $originalFilePath)) {; Write-Host "^""Skipping, file `"^""$originalFilePath`"^"" not found."^""; $skippedCount++; exit 0; }; $originalAcl = Get-Acl -Path "^""$originalFilePath"^""; $accessGranted = $false; try {; $acl = Get-Acl -Path "^""$originalFilePath"^""; $acl.SetOwner($adminAccount) <# Take Ownership (because file is owned by TrustedInstaller) #>; $acl.AddAccessRule($adminFullControlAccessRule) <# Grant rights to be able to move the file #>; Set-Acl -Path $originalFilePath -AclObject $acl -ErrorAction Stop; $accessGranted = $true; } catch {; Write-Warning "^""Failed to grant access to `"^""$originalFilePath`"^"": $($_.Exception.Message)"^""; }; if ($revert -eq $true) {; $newFilePath = $originalFilePath.Substring(0, $originalFilePath.Length - 4); } else {; $newFilePath = "^""$($originalFilePath).OLD"^""; }; try {; Move-Item -LiteralPath "^""$($originalFilePath)"^"" -Destination "^""$newFilePath"^"" -Force -ErrorAction Stop; Write-Host "^""Successfully processed `"^""$originalFilePath`"^""."^""; $renamedCount++; if 
($accessGranted) {; try {; Set-Acl -Path $newFilePath -AclObject $originalAcl -ErrorAction Stop; } catch {; Write-Warning "^""Failed to restore access on `"^""$newFilePath`"^"": $($_.Exception.Message)"^""; }; }; } catch {; Write-Error "^""Failed to rename `"^""$originalFilePath`"^"" to `"^""$newFilePath`"^"": $($_.Exception.Message)"^""; $failedCount++; if ($accessGranted) {; try {; Set-Acl -Path $originalFilePath -AclObject $originalAcl -ErrorAction Stop; } catch {; Write-Warning "^""Failed to restore access on `"^""$originalFilePath`"^"": $($_.Exception.Message)"^""; }; }; }; }; if (($renamedCount -gt 0) -or ($skippedCount -gt 0)) {; Write-Host "^""Successfully processed $renamedCount items and skipped $skippedCount items."^""; }; if ($failedCount -gt 0) {; Write-Warning "^""Failed to processed $($failedCount) items."^""; }; [Privileges]::RemovePrivilege('SeRestorePrivilege') | Out-Null; [Privileges]::RemovePrivilege('SeTakeOwnershipPrivilege') | Out-Null" :: Remove configuration preventing "upfc.exe" from starting reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\upfc.exe" /v "Debugger" /f 2>nul :: ---------------------------------------------------------- :: ---------------------------------------------------------- :: --Disable "Windows Update" (`wuauserv`) service (revert)-- :: ---------------------------------------------------------- echo --- Disable "Windows Update" (`wuauserv`) service (revert) PowerShell -ExecutionPolicy Unrestricted -Command "$serviceName = 'wuauserv'; $defaultStartupMode = 'Manual'; Write-Host "^""Enabling service: `"^""$serviceName`"^"" with `"^""$defaultStartupMode`"^"" start."^""; <# -- 1. Skip if service does not exist #>; $service = Get-Service -Name $serviceName -ErrorAction SilentlyContinue; if(!$service) {; Write-Warning "^""Service `"^""$serviceName`"^"" could not be not found, cannot enable it."^""; Exit 1; }; <# -- 2. 
Enable or skip if already enabled #>; $startupType = $service.StartType <# Does not work before .NET 4.6.1 #>; if(!$startupType) {; $startupType = (Get-WmiObject -Query "^""Select StartMode From Win32_Service Where Name='$serviceName'"^"" -ErrorAction Ignore).StartMode; if(!$startupType) {; $startupType = (Get-WmiObject -Class Win32_Service -Property StartMode -Filter "^""Name='$serviceName'"^"" -ErrorAction Ignore).StartMode; }; }; if($startupType -eq "^""$defaultStartupMode"^"") {; Write-Host "^""`"^""$serviceName`"^"" is already enabled with `"^""$defaultStartupMode`"^"" start, no further action is needed."^""; } else {; try {; Set-Service -Name "^""$serviceName"^"" -StartupType "^""$defaultStartupMode"^"" -Confirm:$false -ErrorAction Stop; Write-Host "^""Enabled `"^""$serviceName`"^"" successfully with `"^""$defaultStartupMode`"^"" start, may require restarting your computer."^""; } catch {; Write-Error "^""Could not enable `"^""$serviceName`"^"": $_"^""; Exit 1; }; }; <# -- 4. Start if not running (must be enabled first) #>; if($defaultStartupMode -eq 'Automatic') {; if ($service.Status -ne [System.ServiceProcess.ServiceControllerStatus]::Running) {; Write-Host "^""`"^""$serviceName`"^"" is not running, starting it."^""; try {; Start-Service $serviceName -ErrorAction Stop; Write-Host "^""Started `"^""$serviceName`"^"" successfully."^""; } catch {; Write-Warning "^""Could not start `"^""$serviceName`"^"", requires restart, it will be started after reboot.`r`n$_"^""; }; } else {; Write-Host "^""`"^""$serviceName`"^"" is already running, no need to start."^""; }; }" :: ---------------------------------------------------------- :: ---------------------------------------------------------- :: Disable "Update Orchestrator Service" (`UsoSvc`) (revert)- :: ---------------------------------------------------------- echo --- Disable "Update Orchestrator Service" (`UsoSvc`) (revert) PowerShell -ExecutionPolicy Unrestricted -Command "$serviceName = 'UsoSvc'; 
$defaultStartupMode = 'Automatic'; Write-Host "^""Enabling service: `"^""$serviceName`"^"" with `"^""$defaultStartupMode`"^"" start."^""; <# -- 1. Skip if service does not exist #>; $service = Get-Service -Name $serviceName -ErrorAction SilentlyContinue; if(!$service) {; Write-Warning "^""Service `"^""$serviceName`"^"" could not be not found, cannot enable it."^""; Exit 1; }; <# -- 2. Enable or skip if already enabled #>; $startupType = $service.StartType <# Does not work before .NET 4.6.1 #>; if(!$startupType) {; $startupType = (Get-WmiObject -Query "^""Select StartMode From Win32_Service Where Name='$serviceName'"^"" -ErrorAction Ignore).StartMode; if(!$startupType) {; $startupType = (Get-WmiObject -Class Win32_Service -Property StartMode -Filter "^""Name='$serviceName'"^"" -ErrorAction Ignore).StartMode; }; }; if($startupType -eq "^""$defaultStartupMode"^"") {; Write-Host "^""`"^""$serviceName`"^"" is already enabled with `"^""$defaultStartupMode`"^"" start, no further action is needed."^""; } else {; try {; Set-Service -Name "^""$serviceName"^"" -StartupType "^""$defaultStartupMode"^"" -Confirm:$false -ErrorAction Stop; Write-Host "^""Enabled `"^""$serviceName`"^"" successfully with `"^""$defaultStartupMode`"^"" start, may require restarting your computer."^""; } catch {; Write-Error "^""Could not enable `"^""$serviceName`"^"": $_"^""; Exit 1; }; }; <# -- 4. 
Start if not running (must be enabled first) #>; if($defaultStartupMode -eq 'Automatic') {; if ($service.Status -ne [System.ServiceProcess.ServiceControllerStatus]::Running) {; Write-Host "^""`"^""$serviceName`"^"" is not running, starting it."^""; try {; Start-Service $serviceName -ErrorAction Stop; Write-Host "^""Started `"^""$serviceName`"^"" successfully."^""; } catch {; Write-Warning "^""Could not start `"^""$serviceName`"^"", requires restart, it will be started after reboot.`r`n$_"^""; }; } else {; Write-Host "^""`"^""$serviceName`"^"" is already running, no need to start."^""; }; }" :: ---------------------------------------------------------- :: Disable "Windows Update Medic Service" (`WaaSMedicSvc`) (revert) echo --- Disable "Windows Update Medic Service" (`WaaSMedicSvc`) (revert) PowerShell -ExecutionPolicy Unrestricted -Command "$serviceQuery = 'WaaSMedicSvc'; $defaultStartupMode = 'Manual'; <# -- 1. Skip if service does not exist #>; $service = Get-Service -Name $serviceQuery -ErrorAction SilentlyContinue; if(!$service) {; Write-Warning "^""Service query `"^""$serviceQuery`"^"" did not yield and results, cannot enable it."^""; Exit 1; }; $serviceName = $service.Name; Write-Host "^""Enabling service: `"^""$serviceName`"^"" with `"^""$defaultStartupMode`"^"" start."^""; <# -- 2. Skip if service info is not found in registry #>; $registryKey = "^""HKLM:\SYSTEM\CurrentControlSet\Services\$serviceName"^""; if(!(Test-Path $registryKey)) {; Write-Warning "^""`"^""$registryKey`"^"" is not found in registry, cannot enable it."^""; Exit 1; }; <# -- 3. 
Enable if not already enabled #>; $defaultStartupRegValue = if ($defaultStartupMode -eq 'Boot') { '0' } elseif($defaultStartupMode -eq 'System') { '1' } elseif($defaultStartupMode -eq 'Automatic') { '2' } elseif($defaultStartupMode -eq 'Manual') { '3' } else { throw "^""Unknown start mode: $defaultStartupMode"^""}; if( $(Get-ItemProperty -Path "^""$registryKey"^"").Start -eq $defaultStartupRegValue) {; Write-Host "^""`"^""$serviceName`"^"" is already enabled with `"^""$defaultStartupMode`"^"" start."^""; } else {; try {; Set-ItemProperty $registryKey -Name Start -Value $defaultStartupRegValue -Force; Write-Host "^""Enabled `"^""$serviceName`"^"" successfully with `"^""$defaultStartupMode`"^"" start, may require restarting your computer."^""; } catch {; Write-Error "^""Could not enable `"^""$serviceName`"^"": $_"^""; Exit 1; }; }; <# -- 4. Start if not running (must be enabled first) #>; if($defaultStartupMode -eq 'Automatic') {; if ($service.Status -ne [System.ServiceProcess.ServiceControllerStatus]::Running) {; Write-Host "^""`"^""$serviceName`"^"" is not running, trying to start it."^""; try {; Start-Service $serviceName -ErrorAction Stop; Write-Host "^""Started `"^""$serviceName`"^"" successfully."^""; } catch {; Write-Warning "^""Could not start `"^""$serviceName`"^"", requires restart, it will be started after reboot.`r`n$_"^""; }; } else {; Write-Host "^""`"^""$serviceName`"^"" is already running, no need to start."^""; }; }" :: Restore files matching pattern (with additional permissions) : "%SYSTEMROOT%\System32\WaaSMedicSvc.dll" PowerShell -ExecutionPolicy Unrestricted -Command "$revert = $true; $pathGlobPattern = "^""%SYSTEMROOT%\System32\WaaSMedicSvc.dll.OLD"^""; $expandedPath = [System.Environment]::ExpandEnvironmentVariables($pathGlobPattern); Write-Host "^""Searching for items matching pattern: `"^""$($expandedPath)`"^""."^""; $renamedCount = 0; $skippedCount = 0; $failedCount = 0; Add-Type -TypeDefinition "^""using System;`r`nusing 
System.Runtime.InteropServices;`r`npublic class Privileges {`r`n [DllImport(`"^""advapi32.dll`"^"", ExactSpelling = true, SetLastError = true)]`r`n internal static extern bool AdjustTokenPrivileges(IntPtr htok, bool disall,`r`n ref TokPriv1Luid newst, int len, IntPtr prev, IntPtr relen);`r`n [DllImport(`"^""advapi32.dll`"^"", ExactSpelling = true, SetLastError = true)]`r`n internal static extern bool OpenProcessToken(IntPtr h, int acc, ref IntPtr phtok);`r`n [DllImport(`"^""advapi32.dll`"^"", SetLastError = true)]`r`n internal static extern bool LookupPrivilegeValue(string host, string name, ref long pluid);`r`n [StructLayout(LayoutKind.Sequential, Pack = 1)]`r`n internal struct TokPriv1Luid {`r`n public int Count;`r`n public long Luid;`r`n public int Attr;`r`n }`r`n internal const int SE_PRIVILEGE_ENABLED = 0x00000002;`r`n internal const int TOKEN_QUERY = 0x00000008;`r`n internal const int TOKEN_ADJUST_PRIVILEGES = 0x00000020;`r`n public static bool AddPrivilege(string privilege) {`r`n try {`r`n bool retVal;`r`n TokPriv1Luid tp;`r`n IntPtr hproc = GetCurrentProcess();`r`n IntPtr htok = IntPtr.Zero;`r`n retVal = OpenProcessToken(hproc, TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, ref htok);`r`n tp.Count = 1;`r`n tp.Luid = 0;`r`n tp.Attr = SE_PRIVILEGE_ENABLED;`r`n retVal = LookupPrivilegeValue(null, privilege, ref tp.Luid);`r`n retVal = AdjustTokenPrivileges(htok, false, ref tp, 0, IntPtr.Zero, IntPtr.Zero);`r`n return retVal;`r`n } catch (Exception ex) {`r`n throw new Exception(`"^""Failed to adjust token privileges`"^"", ex);`r`n }`r`n }`r`n public static bool RemovePrivilege(string privilege) {`r`n try {`r`n bool retVal;`r`n TokPriv1Luid tp;`r`n IntPtr hproc = GetCurrentProcess();`r`n IntPtr htok = IntPtr.Zero;`r`n retVal = OpenProcessToken(hproc, TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, ref htok);`r`n tp.Count = 1;`r`n tp.Luid = 0;`r`n tp.Attr = 0; // This line is changed to revoke the privilege`r`n retVal = LookupPrivilegeValue(null, privilege, ref tp.Luid);`r`n 
retVal = AdjustTokenPrivileges(htok, false, ref tp, 0, IntPtr.Zero, IntPtr.Zero);`r`n return retVal;`r`n } catch (Exception ex) {`r`n throw new Exception(`"^""Failed to adjust token privileges`"^"", ex);`r`n }`r`n }`r`n [DllImport(`"^""kernel32.dll`"^"", CharSet = CharSet.Auto)]`r`n public static extern IntPtr GetCurrentProcess();`r`n}"^""; [Privileges]::AddPrivilege('SeRestorePrivilege') | Out-Null; [Privileges]::AddPrivilege('SeTakeOwnershipPrivilege') | Out-Null; $adminSid = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-544'; $adminAccount = $adminSid.Translate([System.Security.Principal.NTAccount]); $adminFullControlAccessRule = New-Object System.Security.AccessControl.FileSystemAccessRule( $adminAccount, [System.Security.AccessControl.FileSystemRights]::FullControl, [System.Security.AccessControl.AccessControlType]::Allow ); $foundAbsolutePaths = @(); try {; $foundAbsolutePaths += @(; Get-Item -Path $expandedPath -ErrorAction Stop | Select-Object -ExpandProperty FullName; ); } catch [System.Management.Automation.ItemNotFoundException] {; <# Swallow, do not run `Test-Path` before, it's unreliable for globs requiring extra permissions #>; }; $foundAbsolutePaths = $foundAbsolutePaths | Select-Object -Unique | Sort-Object -Property { $_.Length } -Descending; if (!$foundAbsolutePaths) {; Write-Host 'Skipping, no items available.'; exit 0; }; Write-Host "^""Initiating processing of $($foundAbsolutePaths.Count) items from `"^""$expandedPath`"^""."^""; foreach ($path in $foundAbsolutePaths) {; if (Test-Path -Path $path -PathType Container) {; Write-Host "^""Skipping folder (not its contents): `"^""$path`"^""."^""; $skippedCount++; continue; }; if($revert -eq $true) {; if (-not $path.EndsWith('.OLD')) {; Write-Host "^""Skipping non-backup file: `"^""$path`"^""."^""; $skippedCount++; continue; }; } else {; if ($path.EndsWith('.OLD')) {; Write-Host "^""Skipping backup file: `"^""$path`"^""."^""; $skippedCount++; continue; }; }; $originalFilePath = 
$path; Write-Host "^""Processing file: `"^""$originalFilePath`"^""."^""; if (-Not (Test-Path $originalFilePath)) {; Write-Host "^""Skipping, file `"^""$originalFilePath`"^"" not found."^""; $skippedCount++; exit 0; }; $originalAcl = Get-Acl -Path "^""$originalFilePath"^""; $accessGranted = $false; try {; $acl = Get-Acl -Path "^""$originalFilePath"^""; $acl.SetOwner($adminAccount) <# Take Ownership (because file is owned by TrustedInstaller) #>; $acl.AddAccessRule($adminFullControlAccessRule) <# Grant rights to be able to move the file #>; Set-Acl -Path $originalFilePath -AclObject $acl -ErrorAction Stop; $accessGranted = $true; } catch {; Write-Warning "^""Failed to grant access to `"^""$originalFilePath`"^"": $($_.Exception.Message)"^""; }; if ($revert -eq $true) {; $newFilePath = $originalFilePath.Substring(0, $originalFilePath.Length - 4); } else {; $newFilePath = "^""$($originalFilePath).OLD"^""; }; try {; Move-Item -LiteralPath "^""$($originalFilePath)"^"" -Destination "^""$newFilePath"^"" -Force -ErrorAction Stop; Write-Host "^""Successfully processed `"^""$originalFilePath`"^""."^""; $renamedCount++; if ($accessGranted) {; try {; Set-Acl -Path $newFilePath -AclObject $originalAcl -ErrorAction Stop; } catch {; Write-Warning "^""Failed to restore access on `"^""$newFilePath`"^"": $($_.Exception.Message)"^""; }; }; } catch {; Write-Error "^""Failed to rename `"^""$originalFilePath`"^"" to `"^""$newFilePath`"^"": $($_.Exception.Message)"^""; $failedCount++; if ($accessGranted) {; try {; Set-Acl -Path $originalFilePath -AclObject $originalAcl -ErrorAction Stop; } catch {; Write-Warning "^""Failed to restore access on `"^""$originalFilePath`"^"": $($_.Exception.Message)"^""; }; }; }; }; if (($renamedCount -gt 0) -or ($skippedCount -gt 0)) {; Write-Host "^""Successfully processed $renamedCount items and skipped $skippedCount items."^""; }; if ($failedCount -gt 0) {; Write-Warning "^""Failed to processed $($failedCount) items."^""; }; 
[Privileges]::RemovePrivilege('SeRestorePrivilege') | Out-Null; [Privileges]::RemovePrivilege('SeTakeOwnershipPrivilege') | Out-Null" :: Restore files matching pattern (with additional permissions) : "%WINDIR%\WaaS\*" PowerShell -ExecutionPolicy Unrestricted -Command "$revert = $true; $pathGlobPattern = "^""%WINDIR%\WaaS\*.OLD"^""; $expandedPath = [System.Environment]::ExpandEnvironmentVariables($pathGlobPattern); Write-Host "^""Searching for items matching pattern: `"^""$($expandedPath)`"^""."^""; $renamedCount = 0; $skippedCount = 0; $failedCount = 0; Add-Type -TypeDefinition "^""using System;`r`nusing System.Runtime.InteropServices;`r`npublic class Privileges {`r`n [DllImport(`"^""advapi32.dll`"^"", ExactSpelling = true, SetLastError = true)]`r`n internal static extern bool AdjustTokenPrivileges(IntPtr htok, bool disall,`r`n ref TokPriv1Luid newst, int len, IntPtr prev, IntPtr relen);`r`n [DllImport(`"^""advapi32.dll`"^"", ExactSpelling = true, SetLastError = true)]`r`n internal static extern bool OpenProcessToken(IntPtr h, int acc, ref IntPtr phtok);`r`n [DllImport(`"^""advapi32.dll`"^"", SetLastError = true)]`r`n internal static extern bool LookupPrivilegeValue(string host, string name, ref long pluid);`r`n [StructLayout(LayoutKind.Sequential, Pack = 1)]`r`n internal struct TokPriv1Luid {`r`n public int Count;`r`n public long Luid;`r`n public int Attr;`r`n }`r`n internal const int SE_PRIVILEGE_ENABLED = 0x00000002;`r`n internal const int TOKEN_QUERY = 0x00000008;`r`n internal const int TOKEN_ADJUST_PRIVILEGES = 0x00000020;`r`n public static bool AddPrivilege(string privilege) {`r`n try {`r`n bool retVal;`r`n TokPriv1Luid tp;`r`n IntPtr hproc = GetCurrentProcess();`r`n IntPtr htok = IntPtr.Zero;`r`n retVal = OpenProcessToken(hproc, TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, ref htok);`r`n tp.Count = 1;`r`n tp.Luid = 0;`r`n tp.Attr = SE_PRIVILEGE_ENABLED;`r`n retVal = LookupPrivilegeValue(null, privilege, ref tp.Luid);`r`n retVal = AdjustTokenPrivileges(htok, false, 
ref tp, 0, IntPtr.Zero, IntPtr.Zero);`r`n return retVal;`r`n } catch (Exception ex) {`r`n throw new Exception(`"^""Failed to adjust token privileges`"^"", ex);`r`n }`r`n }`r`n public static bool RemovePrivilege(string privilege) {`r`n try {`r`n bool retVal;`r`n TokPriv1Luid tp;`r`n IntPtr hproc = GetCurrentProcess();`r`n IntPtr htok = IntPtr.Zero;`r`n retVal = OpenProcessToken(hproc, TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, ref htok);`r`n tp.Count = 1;`r`n tp.Luid = 0;`r`n tp.Attr = 0; // This line is changed to revoke the privilege`r`n retVal = LookupPrivilegeValue(null, privilege, ref tp.Luid);`r`n retVal = AdjustTokenPrivileges(htok, false, ref tp, 0, IntPtr.Zero, IntPtr.Zero);`r`n return retVal;`r`n } catch (Exception ex) {`r`n throw new Exception(`"^""Failed to adjust token privileges`"^"", ex);`r`n }`r`n }`r`n [DllImport(`"^""kernel32.dll`"^"", CharSet = CharSet.Auto)]`r`n public static extern IntPtr GetCurrentProcess();`r`n}"^""; [Privileges]::AddPrivilege('SeRestorePrivilege') | Out-Null; [Privileges]::AddPrivilege('SeTakeOwnershipPrivilege') | Out-Null; $adminSid = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-544'; $adminAccount = $adminSid.Translate([System.Security.Principal.NTAccount]); $adminFullControlAccessRule = New-Object System.Security.AccessControl.FileSystemAccessRule( $adminAccount, [System.Security.AccessControl.FileSystemRights]::FullControl, [System.Security.AccessControl.AccessControlType]::Allow ); $foundAbsolutePaths = @(); Write-Host 'Iterating files and directories recursively.'; try {; $foundAbsolutePaths += @(; Get-ChildItem -Path $expandedPath -Force -Recurse -ErrorAction Stop | Select-Object -ExpandProperty FullName; ); } catch [System.Management.Automation.ItemNotFoundException] {; <# Swallow, do not run `Test-Path` before, it's unreliable for globs requiring extra permissions #>; }; try {; $foundAbsolutePaths += @(; Get-Item -Path $expandedPath -ErrorAction Stop | Select-Object -ExpandProperty FullName; ); } 
catch [System.Management.Automation.ItemNotFoundException] {; <# Swallow, do not run `Test-Path` before, it's unreliable for globs requiring extra permissions #>; }; $foundAbsolutePaths = $foundAbsolutePaths | Select-Object -Unique | Sort-Object -Property { $_.Length } -Descending; if (!$foundAbsolutePaths) {; Write-Host 'Skipping, no items available.'; exit 0; }; Write-Host "^""Initiating processing of $($foundAbsolutePaths.Count) items from `"^""$expandedPath`"^""."^""; foreach ($path in $foundAbsolutePaths) {; if (Test-Path -Path $path -PathType Container) {; Write-Host "^""Skipping folder (not its contents): `"^""$path`"^""."^""; $skippedCount++; continue; }; if($revert -eq $true) {; if (-not $path.EndsWith('.OLD')) {; Write-Host "^""Skipping non-backup file: `"^""$path`"^""."^""; $skippedCount++; continue; }; } else {; if ($path.EndsWith('.OLD')) {; Write-Host "^""Skipping backup file: `"^""$path`"^""."^""; $skippedCount++; continue; }; }; $originalFilePath = $path; Write-Host "^""Processing file: `"^""$originalFilePath`"^""."^""; if (-Not (Test-Path $originalFilePath)) {; Write-Host "^""Skipping, file `"^""$originalFilePath`"^"" not found."^""; $skippedCount++; exit 0; }; $originalAcl = Get-Acl -Path "^""$originalFilePath"^""; $accessGranted = $false; try {; $acl = Get-Acl -Path "^""$originalFilePath"^""; $acl.SetOwner($adminAccount) <# Take Ownership (because file is owned by TrustedInstaller) #>; $acl.AddAccessRule($adminFullControlAccessRule) <# Grant rights to be able to move the file #>; Set-Acl -Path $originalFilePath -AclObject $acl -ErrorAction Stop; $accessGranted = $true; } catch {; Write-Warning "^""Failed to grant access to `"^""$originalFilePath`"^"": $($_.Exception.Message)"^""; }; if ($revert -eq $true) {; $newFilePath = $originalFilePath.Substring(0, $originalFilePath.Length - 4); } else {; $newFilePath = "^""$($originalFilePath).OLD"^""; }; try {; Move-Item -LiteralPath "^""$($originalFilePath)"^"" -Destination "^""$newFilePath"^"" -Force 
-ErrorAction Stop; Write-Host "^""Successfully processed `"^""$originalFilePath`"^""."^""; $renamedCount++; if ($accessGranted) {; try {; Set-Acl -Path $newFilePath -AclObject $originalAcl -ErrorAction Stop; } catch {; Write-Warning "^""Failed to restore access on `"^""$newFilePath`"^"": $($_.Exception.Message)"^""; }; }; } catch {; Write-Error "^""Failed to rename `"^""$originalFilePath`"^"" to `"^""$newFilePath`"^"": $($_.Exception.Message)"^""; $failedCount++; if ($accessGranted) {; try {; Set-Acl -Path $originalFilePath -AclObject $originalAcl -ErrorAction Stop; } catch {; Write-Warning "^""Failed to restore access on `"^""$originalFilePath`"^"": $($_.Exception.Message)"^""; }; }; }; }; if (($renamedCount -gt 0) -or ($skippedCount -gt 0)) {; Write-Host "^""Successfully processed $renamedCount items and skipped $skippedCount items."^""; }; if ($failedCount -gt 0) {; Write-Warning "^""Failed to processed $($failedCount) items."^""; }; [Privileges]::RemovePrivilege('SeRestorePrivilege') | Out-Null; [Privileges]::RemovePrivilege('SeTakeOwnershipPrivilege') | Out-Null" :: ---------------------------------------------------------- :: ---------------------------------------------------------- :: ----------Disable "RestoreDevice" task (revert)----------- :: ---------------------------------------------------------- echo --- Disable "RestoreDevice" task (revert) :: Restore scheduled task(s) to default state: `\Microsoft\Windows\InstallService\RestoreDevice` PowerShell -ExecutionPolicy Unrestricted -Command "$taskPathPattern='\Microsoft\Windows\InstallService\'; $taskNamePattern='RestoreDevice'; $shouldDisable = $false; Write-Output "^""Enabling tasks matching pattern `"^""$taskNamePattern`"^""."^""; $tasks = @(Get-ScheduledTask -TaskPath $taskPathPattern -TaskName $taskNamePattern -ErrorAction Ignore); if (-Not $tasks) {; Write-Warning ( "^""Missing task: Cannot enable, no tasks matching pattern `"^""$taskNamePattern`"^"" found."^"" + "^"" This task appears to be not 
included in this version of Windows."^"" ); exit 0; }; $operationFailed = $false; foreach ($task in $tasks) {; $taskName = $task.TaskName; if ($shouldDisable) {; if ($task.State -eq [Microsoft.PowerShell.Cmdletization.GeneratedTypes.ScheduledTask.StateEnum]::Disabled) {; Write-Output "^""Skipping, task `"^""$taskName`"^"" is already disabled, no action needed."^""; continue; }; } else {; if (($task.State -ne [Microsoft.PowerShell.Cmdletization.GeneratedTypes.ScheduledTask.StateEnum]::Disabled) -and ($task.State -ne [Microsoft.PowerShell.Cmdletization.GeneratedTypes.ScheduledTask.StateEnum]::Unknown)) {; Write-Output "^""Skipping, task `"^""$taskName`"^"" is already enabled, no action needed."^""; continue; }; }; try {; if ($shouldDisable) {; $task | Disable-ScheduledTask -ErrorAction Stop | Out-Null; Write-Output "^""Successfully disabled task `"^""$taskName`"^""."^""; } else {; $task | Enable-ScheduledTask -ErrorAction Stop | Out-Null; Write-Output "^""Successfully enabled task `"^""$taskName`"^""."^""; }; } catch {; Write-Error "^""Failed to restore task `"^""$taskName`"^"": $($_.Exception.Message)"^""; $operationFailed = $true; }; }; if ($operationFailed) {; Write-Output 'Failed to restore some tasks. 
Check error messages above.'; exit 1; }"
:: ----------------------------------------------------------

:: ----------------------------------------------------------
:: ----------Disable "ScanForUpdates" task (revert)----------
:: ----------------------------------------------------------
echo --- Disable "ScanForUpdates" task (revert)
:: Restore scheduled task(s) to default state: `\Microsoft\Windows\InstallService\ScanForUpdates`
PowerShell -ExecutionPolicy Unrestricted -Command "$taskPathPattern='\Microsoft\Windows\InstallService\'; $taskNamePattern='ScanForUpdates'; $shouldDisable = $false; Write-Output "^""Enabling tasks matching pattern `"^""$taskNamePattern`"^""."^""; $tasks = @(Get-ScheduledTask -TaskPath $taskPathPattern -TaskName $taskNamePattern -ErrorAction Ignore); if (-Not $tasks) {; Write-Warning ( "^""Missing task: Cannot enable, no tasks matching pattern `"^""$taskNamePattern`"^"" found."^"" + "^"" This task appears to be not included in this version of Windows."^"" ); exit 0; }; $operationFailed = $false; foreach ($task in $tasks) {; $taskName = $task.TaskName; if ($shouldDisable) {; if ($task.State -eq [Microsoft.PowerShell.Cmdletization.GeneratedTypes.ScheduledTask.StateEnum]::Disabled) {; Write-Output "^""Skipping, task `"^""$taskName`"^"" is already disabled, no action needed."^""; continue; }; } else {; if (($task.State -ne [Microsoft.PowerShell.Cmdletization.GeneratedTypes.ScheduledTask.StateEnum]::Disabled) -and ($task.State -ne [Microsoft.PowerShell.Cmdletization.GeneratedTypes.ScheduledTask.StateEnum]::Unknown)) {; Write-Output "^""Skipping, task `"^""$taskName`"^"" is already enabled, no action needed."^""; continue; }; }; try {; if ($shouldDisable) {; $task | Disable-ScheduledTask -ErrorAction Stop | Out-Null; Write-Output "^""Successfully disabled task `"^""$taskName`"^""."^""; } else {; $task | Enable-ScheduledTask -ErrorAction Stop | Out-Null; Write-Output "^""Successfully enabled task `"^""$taskName`"^""."^""; }; } catch {; Write-Error "^""Failed to restore task `"^""$taskName`"^"": $($_.Exception.Message)"^""; $operationFailed = $true; }; }; if ($operationFailed) {; Write-Output 'Failed to restore some tasks. Check error messages above.'; exit 1; }"
:: ----------------------------------------------------------

:: ----------------------------------------------------------
:: -------Disable "ScanForUpdatesAsUser" task (revert)-------
:: ----------------------------------------------------------
echo --- Disable "ScanForUpdatesAsUser" task (revert)
:: Restore scheduled task(s) to default state: `\Microsoft\Windows\InstallService\ScanForUpdatesAsUser`
PowerShell -ExecutionPolicy Unrestricted -Command "$taskPathPattern='\Microsoft\Windows\InstallService\'; $taskNamePattern='ScanForUpdatesAsUser'; $shouldDisable = $false; Write-Output "^""Enabling tasks matching pattern `"^""$taskNamePattern`"^""."^""; $tasks = @(Get-ScheduledTask -TaskPath $taskPathPattern -TaskName $taskNamePattern -ErrorAction Ignore); if (-Not $tasks) {; Write-Warning ( "^""Missing task: Cannot enable, no tasks matching pattern `"^""$taskNamePattern`"^"" found."^"" + "^"" This task appears to be not included in this version of Windows."^"" ); exit 0; }; $operationFailed = $false; foreach ($task in $tasks) {; $taskName = $task.TaskName; if ($shouldDisable) {; if ($task.State -eq [Microsoft.PowerShell.Cmdletization.GeneratedTypes.ScheduledTask.StateEnum]::Disabled) {; Write-Output "^""Skipping, task `"^""$taskName`"^"" is already disabled, no action needed."^""; continue; }; } else {; if (($task.State -ne [Microsoft.PowerShell.Cmdletization.GeneratedTypes.ScheduledTask.StateEnum]::Disabled) -and ($task.State -ne [Microsoft.PowerShell.Cmdletization.GeneratedTypes.ScheduledTask.StateEnum]::Unknown)) {; Write-Output "^""Skipping, task `"^""$taskName`"^"" is already enabled, no action needed."^""; continue; }; }; try {; if ($shouldDisable) {; $task | Disable-ScheduledTask -ErrorAction Stop | Out-Null; Write-Output "^""Successfully disabled task `"^""$taskName`"^""."^""; } else {; $task | Enable-ScheduledTask -ErrorAction Stop | Out-Null; Write-Output "^""Successfully enabled task `"^""$taskName`"^""."^""; }; } catch {; Write-Error "^""Failed to restore task `"^""$taskName`"^"": $($_.Exception.Message)"^""; $operationFailed = $true; }; }; if ($operationFailed) {; Write-Output 'Failed to restore some tasks. Check error messages above.'; exit 1; }"
:: ----------------------------------------------------------

:: ----------------------------------------------------------
:: ------------Disable "SmartRetry" task (revert)------------
:: ----------------------------------------------------------
echo --- Disable "SmartRetry" task (revert)
:: Restore scheduled task(s) to default state: `\Microsoft\Windows\InstallService\SmartRetry`
PowerShell -ExecutionPolicy Unrestricted -Command "$taskPathPattern='\Microsoft\Windows\InstallService\'; $taskNamePattern='SmartRetry'; $shouldDisable = $false; Write-Output "^""Enabling tasks matching pattern `"^""$taskNamePattern`"^""."^""; $tasks = @(Get-ScheduledTask -TaskPath $taskPathPattern -TaskName $taskNamePattern -ErrorAction Ignore); if (-Not $tasks) {; Write-Warning ( "^""Missing task: Cannot enable, no tasks matching pattern `"^""$taskNamePattern`"^"" found."^"" + "^"" This task appears to be not included in this version of Windows."^"" ); exit 0; }; $operationFailed = $false; foreach ($task in $tasks) {; $taskName = $task.TaskName; if ($shouldDisable) {; if ($task.State -eq [Microsoft.PowerShell.Cmdletization.GeneratedTypes.ScheduledTask.StateEnum]::Disabled) {; Write-Output "^""Skipping, task `"^""$taskName`"^"" is already disabled, no action needed."^""; continue; }; } else {; if (($task.State -ne [Microsoft.PowerShell.Cmdletization.GeneratedTypes.ScheduledTask.StateEnum]::Disabled) -and ($task.State -ne [Microsoft.PowerShell.Cmdletization.GeneratedTypes.ScheduledTask.StateEnum]::Unknown)) {; Write-Output "^""Skipping, task `"^""$taskName`"^"" is already enabled, no action needed."^""; continue; }; }; try {; if ($shouldDisable) {; $task | Disable-ScheduledTask -ErrorAction Stop | Out-Null; Write-Output "^""Successfully disabled task `"^""$taskName`"^""."^""; } else {; $task | Enable-ScheduledTask -ErrorAction Stop | Out-Null; Write-Output "^""Successfully enabled task `"^""$taskName`"^""."^""; }; } catch {; Write-Error "^""Failed to restore task `"^""$taskName`"^"": $($_.Exception.Message)"^""; $operationFailed = $true; }; }; if ($operationFailed) {; Write-Output 'Failed to restore some tasks. Check error messages above.'; exit 1; }"
:: ----------------------------------------------------------

:: ----------------------------------------------------------
:: -----Disable "WakeUpAndContinueUpdates" task (revert)-----
:: ----------------------------------------------------------
echo --- Disable "WakeUpAndContinueUpdates" task (revert)
:: Restore scheduled task(s) to default state: `\Microsoft\Windows\InstallService\WakeUpAndContinueUpdates`
PowerShell -ExecutionPolicy Unrestricted -Command "$taskPathPattern='\Microsoft\Windows\InstallService\'; $taskNamePattern='WakeUpAndContinueUpdates'; $shouldDisable = $true <# $false #>; Write-Output "^""Enabling tasks matching pattern `"^""$taskNamePattern`"^""."^""; $tasks = @(Get-ScheduledTask -TaskPath $taskPathPattern -TaskName $taskNamePattern -ErrorAction Ignore); if (-Not $tasks) {; Write-Warning ( "^""Missing task: Cannot enable, no tasks matching pattern `"^""$taskNamePattern`"^"" found."^"" + "^"" This task appears to be not included in this version of Windows."^"" ); exit 0; }; $operationFailed = $false; foreach ($task in $tasks) {; $taskName = $task.TaskName; if ($shouldDisable) {; if ($task.State -eq [Microsoft.PowerShell.Cmdletization.GeneratedTypes.ScheduledTask.StateEnum]::Disabled) {; Write-Output "^""Skipping, task `"^""$taskName`"^"" is already disabled, no action needed."^""; continue; }; } else {; if (($task.State -ne [Microsoft.PowerShell.Cmdletization.GeneratedTypes.ScheduledTask.StateEnum]::Disabled) -and ($task.State -ne [Microsoft.PowerShell.Cmdletization.GeneratedTypes.ScheduledTask.StateEnum]::Unknown)) {; Write-Output "^""Skipping, task `"^""$taskName`"^"" is already enabled, no action needed."^""; continue; }; }; try {; if ($shouldDisable) {; $task | Disable-ScheduledTask -ErrorAction Stop | Out-Null; Write-Output "^""Successfully disabled task `"^""$taskName`"^""."^""; } else {; $task | Enable-ScheduledTask -ErrorAction Stop | Out-Null; Write-Output "^""Successfully enabled task `"^""$taskName`"^""."^""; }; } catch {; Write-Error "^""Failed to restore task `"^""$taskName`"^"": $($_.Exception.Message)"^""; $operationFailed = $true; }; }; if ($operationFailed) {; Write-Output 'Failed to restore some tasks. Check error messages above.'; exit 1; }"
:: ----------------------------------------------------------

:: ----------------------------------------------------------
:: -----Disable "WakeUpAndScanForUpdates" task (revert)------
:: ----------------------------------------------------------
echo --- Disable "WakeUpAndScanForUpdates" task (revert)
:: Restore scheduled task(s) to default state: `\Microsoft\Windows\InstallService\WakeUpAndScanForUpdates`
PowerShell -ExecutionPolicy Unrestricted -Command "$taskPathPattern='\Microsoft\Windows\InstallService\'; $taskNamePattern='WakeUpAndScanForUpdates'; $shouldDisable = $true <# $false #>; Write-Output "^""Enabling tasks matching pattern `"^""$taskNamePattern`"^""."^""; $tasks = @(Get-ScheduledTask -TaskPath $taskPathPattern -TaskName $taskNamePattern -ErrorAction Ignore); if (-Not $tasks) {; Write-Warning ( "^""Missing task: Cannot enable, no tasks matching pattern `"^""$taskNamePattern`"^"" found."^"" + "^"" This task appears to be not included in this version of Windows."^"" ); exit 0; }; $operationFailed = $false; foreach ($task in $tasks) {; $taskName = $task.TaskName; if ($shouldDisable) {; if ($task.State -eq [Microsoft.PowerShell.Cmdletization.GeneratedTypes.ScheduledTask.StateEnum]::Disabled) {; Write-Output "^""Skipping, task `"^""$taskName`"^"" is already disabled, no action needed."^""; continue; }; } else {; if (($task.State -ne [Microsoft.PowerShell.Cmdletization.GeneratedTypes.ScheduledTask.StateEnum]::Disabled) -and ($task.State -ne [Microsoft.PowerShell.Cmdletization.GeneratedTypes.ScheduledTask.StateEnum]::Unknown)) {; Write-Output "^""Skipping, task `"^""$taskName`"^"" is already enabled, no action needed."^""; continue; }; }; try {; if ($shouldDisable) {; $task | Disable-ScheduledTask -ErrorAction Stop | Out-Null; Write-Output "^""Successfully disabled task `"^""$taskName`"^""."^""; } else {; $task | Enable-ScheduledTask -ErrorAction Stop | Out-Null; Write-Output "^""Successfully enabled task `"^""$taskName`"^""."^""; }; } catch {; Write-Error "^""Failed to restore task `"^""$taskName`"^"": $($_.Exception.Message)"^""; $operationFailed = $true; }; }; if ($operationFailed) {; Write-Output 'Failed to restore some tasks. Check error messages above.'; exit 1; }"
:: ----------------------------------------------------------

:: ----------------------------------------------------------
:: ---------Disable "Scheduled Start" task (revert)----------
:: ----------------------------------------------------------
echo --- Disable "Scheduled Start" task (revert)
:: Restore scheduled task(s) to default state: `\Microsoft\Windows\WindowsUpdate\Scheduled Start`
PowerShell -ExecutionPolicy Unrestricted -Command "$taskPathPattern='\Microsoft\Windows\WindowsUpdate\'; $taskNamePattern='Scheduled Start'; $shouldDisable = $false; Write-Output "^""Enabling tasks matching pattern `"^""$taskNamePattern`"^""."^""; $tasks = @(Get-ScheduledTask -TaskPath $taskPathPattern -TaskName $taskNamePattern -ErrorAction Ignore); if (-Not $tasks) {; Write-Warning ( "^""Missing task: Cannot enable, no tasks matching pattern `"^""$taskNamePattern`"^"" found."^"" + "^"" This task appears to be not included in this version of Windows."^"" ); exit 0; }; $operationFailed = $false; foreach ($task in $tasks) {; $taskName = $task.TaskName; if ($shouldDisable) {; if ($task.State -eq [Microsoft.PowerShell.Cmdletization.GeneratedTypes.ScheduledTask.StateEnum]::Disabled) {; Write-Output "^""Skipping, task `"^""$taskName`"^"" is already disabled, no action needed."^""; continue; }; } else {; if (($task.State -ne [Microsoft.PowerShell.Cmdletization.GeneratedTypes.ScheduledTask.StateEnum]::Disabled) -and ($task.State -ne [Microsoft.PowerShell.Cmdletization.GeneratedTypes.ScheduledTask.StateEnum]::Unknown)) {; Write-Output "^""Skipping, task `"^""$taskName`"^"" is already enabled, no action needed."^""; continue; }; }; try {; if ($shouldDisable) {; $task | Disable-ScheduledTask -ErrorAction Stop | Out-Null; Write-Output "^""Successfully disabled task `"^""$taskName`"^""."^""; } else {; $task | Enable-ScheduledTask -ErrorAction Stop | Out-Null; Write-Output "^""Successfully enabled task `"^""$taskName`"^""."^""; }; } catch {; Write-Error "^""Failed to restore task `"^""$taskName`"^"": $($_.Exception.Message)"^""; $operationFailed = $true; }; }; if ($operationFailed) {; Write-Output 'Failed to restore some tasks. Check error messages above.'; exit 1; }"
:: ----------------------------------------------------------

:: ----------------------------------------------------------
:: ---------Disable "Report policies" task (revert)----------
:: ----------------------------------------------------------
echo --- Disable "Report policies" task (revert)
:: Restore scheduled task(s) to default state: `\Microsoft\Windows\UpdateOrchestrator\Report policies`
PowerShell -ExecutionPolicy Unrestricted -Command "$taskPathPattern='\Microsoft\Windows\UpdateOrchestrator\'; $taskNamePattern='Report policies'; $shouldDisable = $false; Write-Output "^""Enabling tasks matching pattern `"^""$taskNamePattern`"^""."^""; $tasks = @(Get-ScheduledTask -TaskPath $taskPathPattern -TaskName $taskNamePattern -ErrorAction Ignore); if (-Not $tasks) {; Write-Warning ( "^""Missing task: Cannot enable, no tasks matching pattern `"^""$taskNamePattern`"^"" found."^"" + "^"" This task appears to be not included in this version of Windows."^"" ); exit 0; }; $operationFailed = $false; foreach ($task in $tasks) {; $taskName = $task.TaskName; if ($shouldDisable) {; if ($task.State -eq [Microsoft.PowerShell.Cmdletization.GeneratedTypes.ScheduledTask.StateEnum]::Disabled) {; Write-Output "^""Skipping, task `"^""$taskName`"^"" is already disabled, no action needed."^""; continue; }; } else {; if (($task.State -ne [Microsoft.PowerShell.Cmdletization.GeneratedTypes.ScheduledTask.StateEnum]::Disabled) -and ($task.State -ne [Microsoft.PowerShell.Cmdletization.GeneratedTypes.ScheduledTask.StateEnum]::Unknown)) {; Write-Output "^""Skipping, task `"^""$taskName`"^"" is already enabled, no action needed."^""; continue; }; }; $taskFullPath = "^""$($task.TaskPath)$($task.TaskName)"^""; $adminSid = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-544'; $adminAccount = $adminSid.Translate([System.Security.Principal.NTAccount]); $taskFilePath="^""$($env:WINDIR)\System32\Tasks$($task.TaskPath)$($task.TaskName)"^""; $accessGranted = $false; try {; $originalAcl= Get-Acl -Path $taskFilePath -ErrorAction Stop; $modifiedAcl= Get-Acl -Path $taskFilePath -ErrorAction Stop; $modifiedAcl.SetOwner($adminAccount); $taskFileAccessRule = New-Object System.Security.AccessControl.FileSystemAccessRule( $adminAccount, [System.Security.AccessControl.FileSystemRights]::FullControl, [System.Security.AccessControl.AccessControlType]::Allow ); $modifiedAcl.SetAccessRule($taskFileAccessRule); Set-Acl -Path $taskFilePath -AclObject $modifiedAcl -ErrorAction Stop; Write-Host "^""Successfully granted permissions for `"^""$taskFullPath`"^"" ."^""; $accessGranted = $true; } catch {; Write-Warning "^""Failed to grant access to `"^""$taskFullPath`"^"": $($_.Exception.Message)"^""; }; try {; if ($shouldDisable) {; $task | Disable-ScheduledTask -ErrorAction Stop | Out-Null; Write-Output "^""Successfully disabled task `"^""$taskName`"^""."^""; } else {; $task | Enable-ScheduledTask -ErrorAction Stop | Out-Null; Write-Output "^""Successfully enabled task `"^""$taskName`"^""."^""; }; } catch {; Write-Error "^""Failed to restore task `"^""$taskName`"^"": $($_.Exception.Message)"^""; $operationFailed = $true; }; if ($accessGranted) {; try {; Set-Acl -Path $taskFilePath -AclObject $originalAcl -ErrorAction Stop; Write-Host "^""Successfully restored permissions for `"^""$taskFullPath`"^"" ."^""; } catch {; Write-Warning "^""Failed to restore access on `"^""$taskFilePath`"^"": $($_.Exception.Message)"^""; }; }; }; if ($operationFailed) {; Write-Output 'Failed to restore some tasks. Check error messages above.'; exit 1; }"
:: ----------------------------------------------------------

:: ----------------------------------------------------------
:: ----Disable "Schedule Maintenance Work" task (revert)-----
:: ----------------------------------------------------------
echo --- Disable "Schedule Maintenance Work" task (revert)
:: Restore scheduled task(s) to default state: `\Microsoft\Windows\UpdateOrchestrator\Schedule Maintenance Work`
PowerShell -ExecutionPolicy Unrestricted -Command "$taskPathPattern='\Microsoft\Windows\UpdateOrchestrator\'; $taskNamePattern='Schedule Maintenance Work'; $shouldDisable = $true <# $false #>; Write-Output "^""Enabling tasks matching pattern `"^""$taskNamePattern`"^""."^""; $tasks = @(Get-ScheduledTask -TaskPath $taskPathPattern -TaskName $taskNamePattern -ErrorAction Ignore); if (-Not $tasks) {; Write-Warning ( "^""Missing task: Cannot enable, no tasks matching pattern `"^""$taskNamePattern`"^"" found."^"" + "^"" This task appears to be not included in this version of Windows."^"" ); exit 0; }; $operationFailed = $false; foreach ($task in $tasks) {; $taskName = $task.TaskName; if ($shouldDisable) {; if ($task.State -eq [Microsoft.PowerShell.Cmdletization.GeneratedTypes.ScheduledTask.StateEnum]::Disabled) {; Write-Output "^""Skipping, task `"^""$taskName`"^"" is already disabled, no action needed."^""; continue; }; } else {; if (($task.State -ne [Microsoft.PowerShell.Cmdletization.GeneratedTypes.ScheduledTask.StateEnum]::Disabled) -and ($task.State -ne [Microsoft.PowerShell.Cmdletization.GeneratedTypes.ScheduledTask.StateEnum]::Unknown)) {; Write-Output "^""Skipping, task `"^""$taskName`"^"" is already enabled, no action needed."^""; continue; }; }; $taskFullPath = "^""$($task.TaskPath)$($task.TaskName)"^""; $adminSid = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-544'; $adminAccount = $adminSid.Translate([System.Security.Principal.NTAccount]); $taskFilePath="^""$($env:WINDIR)\System32\Tasks$($task.TaskPath)$($task.TaskName)"^""; $accessGranted = $false; try {; $originalAcl= Get-Acl -Path $taskFilePath -ErrorAction Stop; $modifiedAcl= Get-Acl -Path $taskFilePath -ErrorAction Stop; $modifiedAcl.SetOwner($adminAccount); $taskFileAccessRule = New-Object System.Security.AccessControl.FileSystemAccessRule( $adminAccount, [System.Security.AccessControl.FileSystemRights]::FullControl, [System.Security.AccessControl.AccessControlType]::Allow ); $modifiedAcl.SetAccessRule($taskFileAccessRule); Set-Acl -Path $taskFilePath -AclObject $modifiedAcl -ErrorAction Stop; Write-Host "^""Successfully granted permissions for `"^""$taskFullPath`"^"" ."^""; $accessGranted = $true; } catch {; Write-Warning "^""Failed to grant access to `"^""$taskFullPath`"^"": $($_.Exception.Message)"^""; }; try {; if ($shouldDisable) {; $task | Disable-ScheduledTask -ErrorAction Stop | Out-Null; Write-Output "^""Successfully disabled task `"^""$taskName`"^""."^""; } else {; $task | Enable-ScheduledTask -ErrorAction Stop | Out-Null; Write-Output "^""Successfully enabled task `"^""$taskName`"^""."^""; }; } catch {; Write-Error "^""Failed to restore task `"^""$taskName`"^"": $($_.Exception.Message)"^""; $operationFailed = $true; }; if ($accessGranted) {; try {; Set-Acl -Path $taskFilePath -AclObject $originalAcl -ErrorAction Stop; Write-Host "^""Successfully restored permissions for `"^""$taskFullPath`"^"" ."^""; } catch {; Write-Warning "^""Failed to restore access on `"^""$taskFilePath`"^"": $($_.Exception.Message)"^""; }; }; }; if ($operationFailed) {; Write-Output 'Failed to restore some tasks. Check error messages above.'; exit 1; }"
:: ----------------------------------------------------------

:: ----------------------------------------------------------
:: ----------Disable "Schedule Scan" task (revert)-----------
:: ----------------------------------------------------------
echo --- Disable "Schedule Scan" task (revert)
:: Restore scheduled task(s) to default state: `\Microsoft\Windows\UpdateOrchestrator\Schedule Scan`
PowerShell -ExecutionPolicy Unrestricted -Command "$taskPathPattern='\Microsoft\Windows\UpdateOrchestrator\'; $taskNamePattern='Schedule Scan'; $shouldDisable = $false; Write-Output "^""Enabling tasks matching pattern `"^""$taskNamePattern`"^""."^""; $tasks = @(Get-ScheduledTask -TaskPath $taskPathPattern -TaskName $taskNamePattern -ErrorAction Ignore); if (-Not $tasks) {; Write-Warning ( "^""Missing task: Cannot enable, no tasks matching pattern `"^""$taskNamePattern`"^"" found."^"" + "^"" This task appears to be not included in this version of Windows."^"" ); exit 0; }; $operationFailed = $false; foreach ($task in $tasks) {; $taskName = $task.TaskName; if ($shouldDisable) {; if ($task.State -eq [Microsoft.PowerShell.Cmdletization.GeneratedTypes.ScheduledTask.StateEnum]::Disabled) {; Write-Output "^""Skipping, task `"^""$taskName`"^"" is already disabled, no action needed."^""; continue; }; } else {; if (($task.State -ne [Microsoft.PowerShell.Cmdletization.GeneratedTypes.ScheduledTask.StateEnum]::Disabled) -and ($task.State -ne [Microsoft.PowerShell.Cmdletization.GeneratedTypes.ScheduledTask.StateEnum]::Unknown)) {; Write-Output "^""Skipping, task `"^""$taskName`"^"" is already enabled, no action needed."^""; continue; }; }; $taskFullPath = "^""$($task.TaskPath)$($task.TaskName)"^""; $adminSid = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-544'; $adminAccount = $adminSid.Translate([System.Security.Principal.NTAccount]); $taskFilePath="^""$($env:WINDIR)\System32\Tasks$($task.TaskPath)$($task.TaskName)"^""; $accessGranted = $false; try {; $originalAcl= Get-Acl -Path $taskFilePath -ErrorAction Stop; $modifiedAcl= Get-Acl -Path $taskFilePath -ErrorAction Stop; $modifiedAcl.SetOwner($adminAccount); $taskFileAccessRule = New-Object System.Security.AccessControl.FileSystemAccessRule( $adminAccount, [System.Security.AccessControl.FileSystemRights]::FullControl, [System.Security.AccessControl.AccessControlType]::Allow ); $modifiedAcl.SetAccessRule($taskFileAccessRule); Set-Acl -Path $taskFilePath -AclObject $modifiedAcl -ErrorAction Stop; Write-Host "^""Successfully granted permissions for `"^""$taskFullPath`"^"" ."^""; $accessGranted = $true; } catch {; Write-Warning "^""Failed to grant access to `"^""$taskFullPath`"^"": $($_.Exception.Message)"^""; }; try {; if ($shouldDisable) {; $task | Disable-ScheduledTask -ErrorAction Stop | Out-Null; Write-Output "^""Successfully disabled task `"^""$taskName`"^""."^""; } else {; $task | Enable-ScheduledTask -ErrorAction Stop | Out-Null; Write-Output "^""Successfully enabled task `"^""$taskName`"^""."^""; }; } catch {; Write-Error "^""Failed to restore task `"^""$taskName`"^"": $($_.Exception.Message)"^""; $operationFailed = $true; }; if ($accessGranted) {; try {; Set-Acl -Path $taskFilePath -AclObject $originalAcl -ErrorAction Stop; Write-Host "^""Successfully restored permissions for `"^""$taskFullPath`"^"" ."^""; } catch {; Write-Warning "^""Failed to restore access on `"^""$taskFilePath`"^"": $($_.Exception.Message)"^""; }; }; }; if ($operationFailed) {; Write-Output 'Failed to restore some tasks. Check error messages above.'; exit 1; }"
:: ----------------------------------------------------------

:: ----------------------------------------------------------
:: ----Disable "Schedule Scan Static Task" task (revert)-----
:: ----------------------------------------------------------
echo --- Disable "Schedule Scan Static Task" task (revert)
:: Restore scheduled task(s) to default state: `\Microsoft\Windows\UpdateOrchestrator\Schedule Scan Static Task`
PowerShell -ExecutionPolicy Unrestricted -Command "$taskPathPattern='\Microsoft\Windows\UpdateOrchestrator\'; $taskNamePattern='Schedule Scan Static Task'; $shouldDisable = $false; Write-Output "^""Enabling tasks matching pattern `"^""$taskNamePattern`"^""."^""; $tasks = @(Get-ScheduledTask -TaskPath $taskPathPattern -TaskName $taskNamePattern -ErrorAction Ignore); if (-Not $tasks) {; Write-Warning ( "^""Missing task: Cannot enable, no tasks matching pattern `"^""$taskNamePattern`"^"" found."^"" + "^"" This task appears to be not included in this version of Windows."^"" ); exit 0; }; $operationFailed = $false; foreach ($task in $tasks) {; $taskName = $task.TaskName; if ($shouldDisable) {; if ($task.State -eq [Microsoft.PowerShell.Cmdletization.GeneratedTypes.ScheduledTask.StateEnum]::Disabled) {; Write-Output "^""Skipping, task `"^""$taskName`"^"" is already disabled, no action needed."^""; continue; }; } else {; if (($task.State -ne [Microsoft.PowerShell.Cmdletization.GeneratedTypes.ScheduledTask.StateEnum]::Disabled) -and ($task.State -ne [Microsoft.PowerShell.Cmdletization.GeneratedTypes.ScheduledTask.StateEnum]::Unknown)) {; Write-Output "^""Skipping, task `"^""$taskName`"^"" is already enabled, no action needed."^""; continue; }; }; $taskFullPath = "^""$($task.TaskPath)$($task.TaskName)"^""; $adminSid = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-544'; $adminAccount = $adminSid.Translate([System.Security.Principal.NTAccount]); $taskFilePath="^""$($env:WINDIR)\System32\Tasks$($task.TaskPath)$($task.TaskName)"^""; $accessGranted = $false; try {; $originalAcl= Get-Acl -Path $taskFilePath -ErrorAction Stop; $modifiedAcl= Get-Acl -Path $taskFilePath -ErrorAction Stop; $modifiedAcl.SetOwner($adminAccount); $taskFileAccessRule = New-Object System.Security.AccessControl.FileSystemAccessRule( $adminAccount, [System.Security.AccessControl.FileSystemRights]::FullControl, [System.Security.AccessControl.AccessControlType]::Allow ); $modifiedAcl.SetAccessRule($taskFileAccessRule); Set-Acl -Path $taskFilePath -AclObject $modifiedAcl -ErrorAction Stop; Write-Host "^""Successfully granted permissions for `"^""$taskFullPath`"^"" ."^""; $accessGranted = $true; } catch {; Write-Warning "^""Failed to grant access to `"^""$taskFullPath`"^"": $($_.Exception.Message)"^""; }; try {; if ($shouldDisable) {; $task | Disable-ScheduledTask -ErrorAction Stop | Out-Null; Write-Output "^""Successfully disabled task `"^""$taskName`"^""."^""; } else {; $task | Enable-ScheduledTask -ErrorAction Stop | Out-Null; Write-Output "^""Successfully enabled task `"^""$taskName`"^""."^""; }; } catch {; Write-Error "^""Failed to restore task `"^""$taskName`"^"": $($_.Exception.Message)"^""; $operationFailed = $true; }; if ($accessGranted) {; try {; Set-Acl -Path $taskFilePath -AclObject $originalAcl -ErrorAction Stop; Write-Host "^""Successfully restored permissions for `"^""$taskFullPath`"^"" ."^""; } catch {; Write-Warning "^""Failed to restore access on `"^""$taskFilePath`"^"": $($_.Exception.Message)"^""; }; }; }; if ($operationFailed) {; Write-Output 'Failed to restore some tasks. Check error messages above.'; exit 1; }"
:: ----------------------------------------------------------

:: ----------------------------------------------------------
:: ------Disable "Schedule Wake To Work" task (revert)-------
:: ----------------------------------------------------------
echo --- Disable "Schedule Wake To Work" task (revert)
:: Restore scheduled task(s) to default state: `\Microsoft\Windows\UpdateOrchestrator\Schedule Wake To Work`
PowerShell -ExecutionPolicy Unrestricted -Command "$taskPathPattern='\Microsoft\Windows\UpdateOrchestrator\'; $taskNamePattern='Schedule Wake To Work'; $shouldDisable = $true <# $false #>; Write-Output "^""Enabling tasks matching pattern `"^""$taskNamePattern`"^""."^""; $tasks = @(Get-ScheduledTask -TaskPath $taskPathPattern -TaskName $taskNamePattern -ErrorAction Ignore); if (-Not $tasks) {; Write-Warning ( "^""Missing task: Cannot enable, no tasks matching pattern `"^""$taskNamePattern`"^"" found."^"" + "^"" This task appears to be not included in this version of Windows."^"" ); exit 0; }; $operationFailed = $false; foreach ($task in $tasks) {; $taskName = $task.TaskName; if ($shouldDisable) {; if ($task.State -eq [Microsoft.PowerShell.Cmdletization.GeneratedTypes.ScheduledTask.StateEnum]::Disabled) {; Write-Output "^""Skipping, task `"^""$taskName`"^"" is already disabled, no action needed."^""; continue; }; } else {; if (($task.State -ne [Microsoft.PowerShell.Cmdletization.GeneratedTypes.ScheduledTask.StateEnum]::Disabled) -and ($task.State -ne [Microsoft.PowerShell.Cmdletization.GeneratedTypes.ScheduledTask.StateEnum]::Unknown)) {; Write-Output "^""Skipping, task `"^""$taskName`"^"" is already enabled, no action needed."^""; continue; }; }; $taskFullPath = "^""$($task.TaskPath)$($task.TaskName)"^""; $adminSid = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-544'; $adminAccount = $adminSid.Translate([System.Security.Principal.NTAccount]); $taskFilePath="^""$($env:WINDIR)\System32\Tasks$($task.TaskPath)$($task.TaskName)"^""; $accessGranted = $false; try {; $originalAcl= Get-Acl -Path $taskFilePath -ErrorAction Stop; $modifiedAcl= Get-Acl -Path $taskFilePath -ErrorAction Stop; $modifiedAcl.SetOwner($adminAccount); $taskFileAccessRule = New-Object System.Security.AccessControl.FileSystemAccessRule( $adminAccount, [System.Security.AccessControl.FileSystemRights]::FullControl, [System.Security.AccessControl.AccessControlType]::Allow ); $modifiedAcl.SetAccessRule($taskFileAccessRule); Set-Acl -Path $taskFilePath -AclObject $modifiedAcl -ErrorAction Stop; Write-Host "^""Successfully granted permissions for `"^""$taskFullPath`"^"" ."^""; $accessGranted = $true; } catch {; Write-Warning "^""Failed to grant access to `"^""$taskFullPath`"^"": $($_.Exception.Message)"^""; }; try {; if ($shouldDisable) {; $task | Disable-ScheduledTask -ErrorAction Stop | Out-Null; Write-Output "^""Successfully disabled task `"^""$taskName`"^""."^""; } else {; $task | Enable-ScheduledTask -ErrorAction Stop | Out-Null; Write-Output "^""Successfully enabled task `"^""$taskName`"^""."^""; }; } catch {; Write-Error "^""Failed to restore task `"^""$taskName`"^"": $($_.Exception.Message)"^""; $operationFailed = $true; }; if ($accessGranted) {; try {; Set-Acl -Path $taskFilePath -AclObject $originalAcl -ErrorAction Stop; Write-Host "^""Successfully restored permissions for `"^""$taskFullPath`"^"" ."^""; } catch {; Write-Warning "^""Failed to restore access on `"^""$taskFilePath`"^"": $($_.Exception.Message)"^""; }; }; }; if ($operationFailed) {; Write-Output 'Failed to restore some tasks. Check error messages above.'; exit 1; }"
:: ----------------------------------------------------------

:: ----------------------------------------------------------
:: ----------Disable "Schedule Work" task (revert)-----------
:: ----------------------------------------------------------
echo --- Disable "Schedule Work" task (revert)
:: Restore scheduled task(s) to default state: `\Microsoft\Windows\UpdateOrchestrator\Schedule Work`
PowerShell -ExecutionPolicy Unrestricted -Command "$taskPathPattern='\Microsoft\Windows\UpdateOrchestrator\'; $taskNamePattern='Schedule Work'; $shouldDisable = $true <# $false #>; Write-Output "^""Enabling tasks matching pattern `"^""$taskNamePattern`"^""."^""; $tasks = @(Get-ScheduledTask -TaskPath $taskPathPattern -TaskName $taskNamePattern -ErrorAction Ignore); if (-Not $tasks) {; Write-Warning ( "^""Missing task: Cannot enable, no tasks matching pattern `"^""$taskNamePattern`"^"" found."^"" + "^"" This task appears to be not included in this version of Windows."^"" ); exit 0; }; $operationFailed = $false; foreach ($task in $tasks) {; $taskName = $task.TaskName; if ($shouldDisable) {; if ($task.State -eq [Microsoft.PowerShell.Cmdletization.GeneratedTypes.ScheduledTask.StateEnum]::Disabled) {; Write-Output "^""Skipping, task `"^""$taskName`"^"" is already disabled, no action needed."^""; continue; }; } else {; if (($task.State -ne [Microsoft.PowerShell.Cmdletization.GeneratedTypes.ScheduledTask.StateEnum]::Disabled) -and ($task.State -ne [Microsoft.PowerShell.Cmdletization.GeneratedTypes.ScheduledTask.StateEnum]::Unknown)) {; Write-Output "^""Skipping, task `"^""$taskName`"^"" is already enabled, no action needed."^""; continue; }; }; $taskFullPath = "^""$($task.TaskPath)$($task.TaskName)"^""; $adminSid = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-544'; $adminAccount = $adminSid.Translate([System.Security.Principal.NTAccount]); $taskFilePath="^""$($env:WINDIR)\System32\Tasks$($task.TaskPath)$($task.TaskName)"^""; $accessGranted = $false; try {; $originalAcl= Get-Acl -Path $taskFilePath -ErrorAction Stop; $modifiedAcl= Get-Acl -Path $taskFilePath -ErrorAction Stop; $modifiedAcl.SetOwner($adminAccount); $taskFileAccessRule = New-Object System.Security.AccessControl.FileSystemAccessRule( $adminAccount, [System.Security.AccessControl.FileSystemRights]::FullControl, [System.Security.AccessControl.AccessControlType]::Allow ); $modifiedAcl.SetAccessRule($taskFileAccessRule); Set-Acl -Path $taskFilePath -AclObject $modifiedAcl -ErrorAction Stop; Write-Host "^""Successfully granted permissions for `"^""$taskFullPath`"^"" ."^""; $accessGranted = $true; } catch {; Write-Warning "^""Failed to grant access to `"^""$taskFullPath`"^"": $($_.Exception.Message)"^""; }; try {; if ($shouldDisable) {; $task | Disable-ScheduledTask -ErrorAction Stop | Out-Null; Write-Output "^""Successfully disabled task `"^""$taskName`"^""."^""; } else {; $task | Enable-ScheduledTask -ErrorAction Stop | Out-Null; Write-Output "^""Successfully enabled task `"^""$taskName`"^""."^""; }; } catch {; Write-Error "^""Failed to restore task `"^""$taskName`"^"": $($_.Exception.Message)"^""; $operationFailed = $true; }; if ($accessGranted) {; try {; Set-Acl -Path $taskFilePath -AclObject $originalAcl -ErrorAction Stop; Write-Host "^""Successfully restored permissions for `"^""$taskFullPath`"^"" ."^""; } catch {; Write-Warning "^""Failed to restore access on `"^""$taskFilePath`"^"": $($_.Exception.Message)"^""; }; }; }; if ($operationFailed) {; Write-Output 'Failed to restore some tasks. Check error messages above.'; exit 1; }"
:: ----------------------------------------------------------

:: ----------------------------------------------------------
:: ---------Disable "UpdateModelTask" task (revert)----------
:: ----------------------------------------------------------
echo --- Disable "UpdateModelTask" task (revert)
:: Restore scheduled task(s) to default state: `\Microsoft\Windows\UpdateOrchestrator\UpdateModelTask`
PowerShell -ExecutionPolicy Unrestricted -Command "$taskPathPattern='\Microsoft\Windows\UpdateOrchestrator\'; $taskNamePattern='UpdateModelTask'; $shouldDisable = $false; Write-Output "^""Enabling tasks matching pattern `"^""$taskNamePattern`"^""."^""; $tasks = @(Get-ScheduledTask -TaskPath $taskPathPattern -TaskName $taskNamePattern -ErrorAction Ignore); if (-Not $tasks) {; Write-Warning ( "^""Missing task: Cannot enable, no tasks matching pattern `"^""$taskNamePattern`"^"" found."^"" + "^"" This task appears to be not included in this version of Windows."^"" ); exit 0; }; $operationFailed = $false; foreach ($task in $tasks) {; $taskName = $task.TaskName; if ($shouldDisable) {; if ($task.State -eq [Microsoft.PowerShell.Cmdletization.GeneratedTypes.ScheduledTask.StateEnum]::Disabled) {; Write-Output "^""Skipping, task `"^""$taskName`"^"" is already disabled, no action needed."^""; continue; }; } else {; if (($task.State -ne [Microsoft.PowerShell.Cmdletization.GeneratedTypes.ScheduledTask.StateEnum]::Disabled) -and ($task.State -ne [Microsoft.PowerShell.Cmdletization.GeneratedTypes.ScheduledTask.StateEnum]::Unknown)) {; Write-Output "^""Skipping, task `"^""$taskName`"^"" is already enabled, no action needed."^""; continue; }; }; $taskFullPath = "^""$($task.TaskPath)$($task.TaskName)"^""; $adminSid = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-544'; $adminAccount = $adminSid.Translate([System.Security.Principal.NTAccount]); $taskFilePath="^""$($env:WINDIR)\System32\Tasks$($task.TaskPath)$($task.TaskName)"^""; $accessGranted = $false; try {; $originalAcl= Get-Acl -Path $taskFilePath -ErrorAction Stop; $modifiedAcl= Get-Acl -Path $taskFilePath -ErrorAction Stop; $modifiedAcl.SetOwner($adminAccount); $taskFileAccessRule = New-Object System.Security.AccessControl.FileSystemAccessRule( $adminAccount, [System.Security.AccessControl.FileSystemRights]::FullControl, [System.Security.AccessControl.AccessControlType]::Allow ); $modifiedAcl.SetAccessRule($taskFileAccessRule); Set-Acl -Path $taskFilePath -AclObject $modifiedAcl -ErrorAction Stop; Write-Host "^""Successfully granted permissions for `"^""$taskFullPath`"^"" ."^""; $accessGranted = $true; } catch {; Write-Warning "^""Failed to grant access to `"^""$taskFullPath`"^"": $($_.Exception.Message)"^""; }; try {; if ($shouldDisable) {; $task | Disable-ScheduledTask -ErrorAction Stop | Out-Null; Write-Output "^""Successfully disabled task `"^""$taskName`"^""."^""; } else {; $task | Enable-ScheduledTask -ErrorAction Stop | Out-Null; Write-Output "^""Successfully enabled task `"^""$taskName`"^""."^""; }; } catch {; Write-Error "^""Failed to restore task `"^""$taskName`"^"": $($_.Exception.Message)"^""; $operationFailed = $true; }; if ($accessGranted) {; try {; Set-Acl -Path $taskFilePath -AclObject $originalAcl -ErrorAction Stop; Write-Host "^""Successfully restored permissions for `"^""$taskFullPath`"^"" ."^""; } catch {; Write-Warning "^""Failed to restore access on `"^""$taskFilePath`"^"": $($_.Exception.Message)"^""; }; }; }; if ($operationFailed) {; Write-Output 'Failed to restore some tasks. Check error messages above.'; exit 1; }"
:: ----------------------------------------------------------

:: ----------------------------------------------------------
:: -----Disable "Start Oobe Expedite Work" task (revert)-----
:: ----------------------------------------------------------
echo --- Disable "Start Oobe Expedite Work" task (revert)
:: Restore scheduled task(s) to default state: `\Microsoft\Windows\UpdateOrchestrator\Start Oobe Expedite Work`
PowerShell -ExecutionPolicy Unrestricted -Command "$taskPathPattern='\Microsoft\Windows\UpdateOrchestrator\'; $taskNamePattern='Start Oobe Expedite Work'; $shouldDisable = $false; Write-Output "^""Enabling tasks matching pattern `"^""$taskNamePattern`"^""."^""; $tasks = @(Get-ScheduledTask -TaskPath $taskPathPattern -TaskName $taskNamePattern -ErrorAction Ignore); if (-Not $tasks) {; Write-Warning ( "^""Missing task: Cannot enable, no tasks matching pattern `"^""$taskNamePattern`"^"" found."^"" + "^"" This task appears to be not included in this version of Windows."^"" ); exit 0; }; $operationFailed = $false; foreach ($task in $tasks) {; $taskName = $task.TaskName; if ($shouldDisable) {; if ($task.State -eq [Microsoft.PowerShell.Cmdletization.GeneratedTypes.ScheduledTask.StateEnum]::Disabled) {; Write-Output "^""Skipping, task `"^""$taskName`"^"" is already disabled, no action needed."^""; continue; }; } else {; if (($task.State -ne [Microsoft.PowerShell.Cmdletization.GeneratedTypes.ScheduledTask.StateEnum]::Disabled) -and ($task.State -ne [Microsoft.PowerShell.Cmdletization.GeneratedTypes.ScheduledTask.StateEnum]::Unknown)) {; Write-Output "^""Skipping, task `"^""$taskName`"^"" is already enabled, no action needed."^""; continue; }; }; $taskFullPath = "^""$($task.TaskPath)$($task.TaskName)"^""; $adminSid = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-544'; $adminAccount = $adminSid.Translate([System.Security.Principal.NTAccount]);
$taskFilePath="^""$($env:WINDIR)\System32\Tasks$($task.TaskPath)$($task.TaskName)"^""; $accessGranted = $false; try {; $originalAcl= Get-Acl -Path $taskFilePath -ErrorAction Stop; $modifiedAcl= Get-Acl -Path $taskFilePath -ErrorAction Stop; $modifiedAcl.SetOwner($adminAccount); $taskFileAccessRule = New-Object System.Security.AccessControl.FileSystemAccessRule( $adminAccount, [System.Security.AccessControl.FileSystemRights]::FullControl, [System.Security.AccessControl.AccessControlType]::Allow ); $modifiedAcl.SetAccessRule($taskFileAccessRule); Set-Acl -Path $taskFilePath -AclObject $modifiedAcl -ErrorAction Stop; Write-Host "^""Successfully granted permissions for `"^""$taskFullPath`"^"" ."^""; $accessGranted = $true; } catch {; Write-Warning "^""Failed to grant access to `"^""$taskFullPath`"^"": $($_.Exception.Message)"^""; }; try {; if ($shouldDisable) {; $task | Disable-ScheduledTask -ErrorAction Stop | Out-Null; Write-Output "^""Successfully disabled task `"^""$taskName`"^""."^""; } else {; $task | Enable-ScheduledTask -ErrorAction Stop | Out-Null; Write-Output "^""Successfully enabled task `"^""$taskName`"^""."^""; }; } catch {; Write-Error "^""Failed to restore task `"^""$taskName`"^"": $($_.Exception.Message)"^""; $operationFailed = $true; }; if ($accessGranted) {; try {; Set-Acl -Path $taskFilePath -AclObject $originalAcl -ErrorAction Stop; Write-Host "^""Successfully restored permissions for `"^""$taskFullPath`"^"" ."^""; } catch {; Write-Warning "^""Failed to restore access on `"^""$taskFilePath`"^"": $($_.Exception.Message)"^""; }; }; }; if ($operationFailed) {; Write-Output 'Failed to restore some tasks. 
Check error messages above.'; exit 1; }" :: ---------------------------------------------------------- :: ---------------------------------------------------------- :: Disable "StartOobeAppsScan_LicenseAccepted" task (revert)- :: ---------------------------------------------------------- echo --- Disable "StartOobeAppsScan_LicenseAccepted" task (revert) :: Restore scheduled task(s) to default state: `\Microsoft\Windows\UpdateOrchestrator\StartOobeAppsScan_LicenseAccepted` PowerShell -ExecutionPolicy Unrestricted -Command "$taskPathPattern='\Microsoft\Windows\UpdateOrchestrator\'; $taskNamePattern='StartOobeAppsScan_LicenseAccepted'; $shouldDisable = $false; Write-Output "^""Enabling tasks matching pattern `"^""$taskNamePattern`"^""."^""; $tasks = @(Get-ScheduledTask -TaskPath $taskPathPattern -TaskName $taskNamePattern -ErrorAction Ignore); if (-Not $tasks) {; Write-Warning ( "^""Missing task: Cannot enable, no tasks matching pattern `"^""$taskNamePattern`"^"" found."^"" + "^"" This task appears to be not included in this version of Windows."^"" ); exit 0; }; $operationFailed = $false; foreach ($task in $tasks) {; $taskName = $task.TaskName; if ($shouldDisable) {; if ($task.State -eq [Microsoft.PowerShell.Cmdletization.GeneratedTypes.ScheduledTask.StateEnum]::Disabled) {; Write-Output "^""Skipping, task `"^""$taskName`"^"" is already disabled, no action needed."^""; continue; }; } else {; if (($task.State -ne [Microsoft.PowerShell.Cmdletization.GeneratedTypes.ScheduledTask.StateEnum]::Disabled) -and ($task.State -ne [Microsoft.PowerShell.Cmdletization.GeneratedTypes.ScheduledTask.StateEnum]::Unknown)) {; Write-Output "^""Skipping, task `"^""$taskName`"^"" is already enabled, no action needed."^""; continue; }; }; $taskFullPath = "^""$($task.TaskPath)$($task.TaskName)"^""; $adminSid = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-544'; $adminAccount = $adminSid.Translate([System.Security.Principal.NTAccount]); 
$taskFilePath="^""$($env:WINDIR)\System32\Tasks$($task.TaskPath)$($task.TaskName)"^""; $accessGranted = $false; try {; $originalAcl= Get-Acl -Path $taskFilePath -ErrorAction Stop; $modifiedAcl= Get-Acl -Path $taskFilePath -ErrorAction Stop; $modifiedAcl.SetOwner($adminAccount); $taskFileAccessRule = New-Object System.Security.AccessControl.FileSystemAccessRule( $adminAccount, [System.Security.AccessControl.FileSystemRights]::FullControl, [System.Security.AccessControl.AccessControlType]::Allow ); $modifiedAcl.SetAccessRule($taskFileAccessRule); Set-Acl -Path $taskFilePath -AclObject $modifiedAcl -ErrorAction Stop; Write-Host "^""Successfully granted permissions for `"^""$taskFullPath`"^"" ."^""; $accessGranted = $true; } catch {; Write-Warning "^""Failed to grant access to `"^""$taskFullPath`"^"": $($_.Exception.Message)"^""; }; try {; if ($shouldDisable) {; $task | Disable-ScheduledTask -ErrorAction Stop | Out-Null; Write-Output "^""Successfully disabled task `"^""$taskName`"^""."^""; } else {; $task | Enable-ScheduledTask -ErrorAction Stop | Out-Null; Write-Output "^""Successfully enabled task `"^""$taskName`"^""."^""; }; } catch {; Write-Error "^""Failed to restore task `"^""$taskName`"^"": $($_.Exception.Message)"^""; $operationFailed = $true; }; if ($accessGranted) {; try {; Set-Acl -Path $taskFilePath -AclObject $originalAcl -ErrorAction Stop; Write-Host "^""Successfully restored permissions for `"^""$taskFullPath`"^"" ."^""; } catch {; Write-Warning "^""Failed to restore access on `"^""$taskFilePath`"^"": $($_.Exception.Message)"^""; }; }; }; if ($operationFailed) {; Write-Output 'Failed to restore some tasks. 
Check error messages above.'; exit 1; }" :: ---------------------------------------------------------- :: ---------------------------------------------------------- :: --Disable "StartOobeAppsScan_OobeAppReady" task (revert)-- :: ---------------------------------------------------------- echo --- Disable "StartOobeAppsScan_OobeAppReady" task (revert) :: Restore scheduled task(s) to default state: `\Microsoft\Windows\UpdateOrchestrator\StartOobeAppsScan_OobeAppReady` PowerShell -ExecutionPolicy Unrestricted -Command "$taskPathPattern='\Microsoft\Windows\UpdateOrchestrator\'; $taskNamePattern='StartOobeAppsScan_OobeAppReady'; $shouldDisable = $false; Write-Output "^""Enabling tasks matching pattern `"^""$taskNamePattern`"^""."^""; $tasks = @(Get-ScheduledTask -TaskPath $taskPathPattern -TaskName $taskNamePattern -ErrorAction Ignore); if (-Not $tasks) {; Write-Warning ( "^""Missing task: Cannot enable, no tasks matching pattern `"^""$taskNamePattern`"^"" found."^"" + "^"" This task appears to be not included in this version of Windows."^"" ); exit 0; }; $operationFailed = $false; foreach ($task in $tasks) {; $taskName = $task.TaskName; if ($shouldDisable) {; if ($task.State -eq [Microsoft.PowerShell.Cmdletization.GeneratedTypes.ScheduledTask.StateEnum]::Disabled) {; Write-Output "^""Skipping, task `"^""$taskName`"^"" is already disabled, no action needed."^""; continue; }; } else {; if (($task.State -ne [Microsoft.PowerShell.Cmdletization.GeneratedTypes.ScheduledTask.StateEnum]::Disabled) -and ($task.State -ne [Microsoft.PowerShell.Cmdletization.GeneratedTypes.ScheduledTask.StateEnum]::Unknown)) {; Write-Output "^""Skipping, task `"^""$taskName`"^"" is already enabled, no action needed."^""; continue; }; }; $taskFullPath = "^""$($task.TaskPath)$($task.TaskName)"^""; $adminSid = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-544'; $adminAccount = $adminSid.Translate([System.Security.Principal.NTAccount]); 
$taskFilePath="^""$($env:WINDIR)\System32\Tasks$($task.TaskPath)$($task.TaskName)"^""; $accessGranted = $false; try {; $originalAcl= Get-Acl -Path $taskFilePath -ErrorAction Stop; $modifiedAcl= Get-Acl -Path $taskFilePath -ErrorAction Stop; $modifiedAcl.SetOwner($adminAccount); $taskFileAccessRule = New-Object System.Security.AccessControl.FileSystemAccessRule( $adminAccount, [System.Security.AccessControl.FileSystemRights]::FullControl, [System.Security.AccessControl.AccessControlType]::Allow ); $modifiedAcl.SetAccessRule($taskFileAccessRule); Set-Acl -Path $taskFilePath -AclObject $modifiedAcl -ErrorAction Stop; Write-Host "^""Successfully granted permissions for `"^""$taskFullPath`"^"" ."^""; $accessGranted = $true; } catch {; Write-Warning "^""Failed to grant access to `"^""$taskFullPath`"^"": $($_.Exception.Message)"^""; }; try {; if ($shouldDisable) {; $task | Disable-ScheduledTask -ErrorAction Stop | Out-Null; Write-Output "^""Successfully disabled task `"^""$taskName`"^""."^""; } else {; $task | Enable-ScheduledTask -ErrorAction Stop | Out-Null; Write-Output "^""Successfully enabled task `"^""$taskName`"^""."^""; }; } catch {; Write-Error "^""Failed to restore task `"^""$taskName`"^"": $($_.Exception.Message)"^""; $operationFailed = $true; }; if ($accessGranted) {; try {; Set-Acl -Path $taskFilePath -AclObject $originalAcl -ErrorAction Stop; Write-Host "^""Successfully restored permissions for `"^""$taskFullPath`"^"" ."^""; } catch {; Write-Warning "^""Failed to restore access on `"^""$taskFilePath`"^"": $($_.Exception.Message)"^""; }; }; }; if ($operationFailed) {; Write-Output 'Failed to restore some tasks. 
Check error messages above.'; exit 1; }" :: ---------------------------------------------------------- :: ---------------------------------------------------------- :: ---Disable "StartOobeAppsScanAfterUpdate" task (revert)--- :: ---------------------------------------------------------- echo --- Disable "StartOobeAppsScanAfterUpdate" task (revert) :: Restore scheduled task(s) to default state: `\Microsoft\Windows\UpdateOrchestrator\StartOobeAppsScanAfterUpdate` PowerShell -ExecutionPolicy Unrestricted -Command "$taskPathPattern='\Microsoft\Windows\UpdateOrchestrator\'; $taskNamePattern='StartOobeAppsScanAfterUpdate'; $shouldDisable = $false; Write-Output "^""Enabling tasks matching pattern `"^""$taskNamePattern`"^""."^""; $tasks = @(Get-ScheduledTask -TaskPath $taskPathPattern -TaskName $taskNamePattern -ErrorAction Ignore); if (-Not $tasks) {; Write-Warning ( "^""Missing task: Cannot enable, no tasks matching pattern `"^""$taskNamePattern`"^"" found."^"" + "^"" This task appears to be not included in this version of Windows."^"" ); exit 0; }; $operationFailed = $false; foreach ($task in $tasks) {; $taskName = $task.TaskName; if ($shouldDisable) {; if ($task.State -eq [Microsoft.PowerShell.Cmdletization.GeneratedTypes.ScheduledTask.StateEnum]::Disabled) {; Write-Output "^""Skipping, task `"^""$taskName`"^"" is already disabled, no action needed."^""; continue; }; } else {; if (($task.State -ne [Microsoft.PowerShell.Cmdletization.GeneratedTypes.ScheduledTask.StateEnum]::Disabled) -and ($task.State -ne [Microsoft.PowerShell.Cmdletization.GeneratedTypes.ScheduledTask.StateEnum]::Unknown)) {; Write-Output "^""Skipping, task `"^""$taskName`"^"" is already enabled, no action needed."^""; continue; }; }; $taskFullPath = "^""$($task.TaskPath)$($task.TaskName)"^""; $adminSid = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-544'; $adminAccount = $adminSid.Translate([System.Security.Principal.NTAccount]); 
$taskFilePath="^""$($env:WINDIR)\System32\Tasks$($task.TaskPath)$($task.TaskName)"^""; $accessGranted = $false; try {; $originalAcl= Get-Acl -Path $taskFilePath -ErrorAction Stop; $modifiedAcl= Get-Acl -Path $taskFilePath -ErrorAction Stop; $modifiedAcl.SetOwner($adminAccount); $taskFileAccessRule = New-Object System.Security.AccessControl.FileSystemAccessRule( $adminAccount, [System.Security.AccessControl.FileSystemRights]::FullControl, [System.Security.AccessControl.AccessControlType]::Allow ); $modifiedAcl.SetAccessRule($taskFileAccessRule); Set-Acl -Path $taskFilePath -AclObject $modifiedAcl -ErrorAction Stop; Write-Host "^""Successfully granted permissions for `"^""$taskFullPath`"^"" ."^""; $accessGranted = $true; } catch {; Write-Warning "^""Failed to grant access to `"^""$taskFullPath`"^"": $($_.Exception.Message)"^""; }; try {; if ($shouldDisable) {; $task | Disable-ScheduledTask -ErrorAction Stop | Out-Null; Write-Output "^""Successfully disabled task `"^""$taskName`"^""."^""; } else {; $task | Enable-ScheduledTask -ErrorAction Stop | Out-Null; Write-Output "^""Successfully enabled task `"^""$taskName`"^""."^""; }; } catch {; Write-Error "^""Failed to restore task `"^""$taskName`"^"": $($_.Exception.Message)"^""; $operationFailed = $true; }; if ($accessGranted) {; try {; Set-Acl -Path $taskFilePath -AclObject $originalAcl -ErrorAction Stop; Write-Host "^""Successfully restored permissions for `"^""$taskFullPath`"^"" ."^""; } catch {; Write-Warning "^""Failed to restore access on `"^""$taskFilePath`"^"": $($_.Exception.Message)"^""; }; }; }; if ($operationFailed) {; Write-Output 'Failed to restore some tasks. 
Check error messages above.'; exit 1; }" :: ---------------------------------------------------------- :: ---------------------------------------------------------- :: -----------Disable "USO_UxBroker" task (revert)----------- :: ---------------------------------------------------------- echo --- Disable "USO_UxBroker" task (revert) :: Restore scheduled task(s) to default state: `\Microsoft\Windows\UpdateOrchestrator\USO_UxBroker` PowerShell -ExecutionPolicy Unrestricted -Command "$taskPathPattern='\Microsoft\Windows\UpdateOrchestrator\'; $taskNamePattern='USO_UxBroker'; $shouldDisable = $false; Write-Output "^""Enabling tasks matching pattern `"^""$taskNamePattern`"^""."^""; $tasks = @(Get-ScheduledTask -TaskPath $taskPathPattern -TaskName $taskNamePattern -ErrorAction Ignore); if (-Not $tasks) {; Write-Warning ( "^""Missing task: Cannot enable, no tasks matching pattern `"^""$taskNamePattern`"^"" found."^"" + "^"" This task appears to be not included in this version of Windows."^"" ); exit 0; }; $operationFailed = $false; foreach ($task in $tasks) {; $taskName = $task.TaskName; if ($shouldDisable) {; if ($task.State -eq [Microsoft.PowerShell.Cmdletization.GeneratedTypes.ScheduledTask.StateEnum]::Disabled) {; Write-Output "^""Skipping, task `"^""$taskName`"^"" is already disabled, no action needed."^""; continue; }; } else {; if (($task.State -ne [Microsoft.PowerShell.Cmdletization.GeneratedTypes.ScheduledTask.StateEnum]::Disabled) -and ($task.State -ne [Microsoft.PowerShell.Cmdletization.GeneratedTypes.ScheduledTask.StateEnum]::Unknown)) {; Write-Output "^""Skipping, task `"^""$taskName`"^"" is already enabled, no action needed."^""; continue; }; }; $taskFullPath = "^""$($task.TaskPath)$($task.TaskName)"^""; $adminSid = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-544'; $adminAccount = $adminSid.Translate([System.Security.Principal.NTAccount]); $taskFilePath="^""$($env:WINDIR)\System32\Tasks$($task.TaskPath)$($task.TaskName)"^""; 
$accessGranted = $false; try {; $originalAcl= Get-Acl -Path $taskFilePath -ErrorAction Stop; $modifiedAcl= Get-Acl -Path $taskFilePath -ErrorAction Stop; $modifiedAcl.SetOwner($adminAccount); $taskFileAccessRule = New-Object System.Security.AccessControl.FileSystemAccessRule( $adminAccount, [System.Security.AccessControl.FileSystemRights]::FullControl, [System.Security.AccessControl.AccessControlType]::Allow ); $modifiedAcl.SetAccessRule($taskFileAccessRule); Set-Acl -Path $taskFilePath -AclObject $modifiedAcl -ErrorAction Stop; Write-Host "^""Successfully granted permissions for `"^""$taskFullPath`"^"" ."^""; $accessGranted = $true; } catch {; Write-Warning "^""Failed to grant access to `"^""$taskFullPath`"^"": $($_.Exception.Message)"^""; }; try {; if ($shouldDisable) {; $task | Disable-ScheduledTask -ErrorAction Stop | Out-Null; Write-Output "^""Successfully disabled task `"^""$taskName`"^""."^""; } else {; $task | Enable-ScheduledTask -ErrorAction Stop | Out-Null; Write-Output "^""Successfully enabled task `"^""$taskName`"^""."^""; }; } catch {; Write-Error "^""Failed to restore task `"^""$taskName`"^"": $($_.Exception.Message)"^""; $operationFailed = $true; }; if ($accessGranted) {; try {; Set-Acl -Path $taskFilePath -AclObject $originalAcl -ErrorAction Stop; Write-Host "^""Successfully restored permissions for `"^""$taskFullPath`"^"" ."^""; } catch {; Write-Warning "^""Failed to restore access on `"^""$taskFilePath`"^"": $($_.Exception.Message)"^""; }; }; }; if ($operationFailed) {; Write-Output 'Failed to restore some tasks. 
Check error messages above.'; exit 1; }" :: ---------------------------------------------------------- :: ---------------------------------------------------------- :: --------Disable "UUS Failover Task" task (revert)--------- :: ---------------------------------------------------------- echo --- Disable "UUS Failover Task" task (revert) :: Restore scheduled task(s) to default state: `\Microsoft\Windows\UpdateOrchestrator\UUS Failover Task` PowerShell -ExecutionPolicy Unrestricted -Command "$taskPathPattern='\Microsoft\Windows\UpdateOrchestrator\'; $taskNamePattern='UUS Failover Task'; $shouldDisable = $false; Write-Output "^""Enabling tasks matching pattern `"^""$taskNamePattern`"^""."^""; $tasks = @(Get-ScheduledTask -TaskPath $taskPathPattern -TaskName $taskNamePattern -ErrorAction Ignore); if (-Not $tasks) {; Write-Warning ( "^""Missing task: Cannot enable, no tasks matching pattern `"^""$taskNamePattern`"^"" found."^"" + "^"" This task appears to be not included in this version of Windows."^"" ); exit 0; }; $operationFailed = $false; foreach ($task in $tasks) {; $taskName = $task.TaskName; if ($shouldDisable) {; if ($task.State -eq [Microsoft.PowerShell.Cmdletization.GeneratedTypes.ScheduledTask.StateEnum]::Disabled) {; Write-Output "^""Skipping, task `"^""$taskName`"^"" is already disabled, no action needed."^""; continue; }; } else {; if (($task.State -ne [Microsoft.PowerShell.Cmdletization.GeneratedTypes.ScheduledTask.StateEnum]::Disabled) -and ($task.State -ne [Microsoft.PowerShell.Cmdletization.GeneratedTypes.ScheduledTask.StateEnum]::Unknown)) {; Write-Output "^""Skipping, task `"^""$taskName`"^"" is already enabled, no action needed."^""; continue; }; }; $taskFullPath = "^""$($task.TaskPath)$($task.TaskName)"^""; $adminSid = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-544'; $adminAccount = $adminSid.Translate([System.Security.Principal.NTAccount]); 
$taskFilePath="^""$($env:WINDIR)\System32\Tasks$($task.TaskPath)$($task.TaskName)"^""; $accessGranted = $false; try {; $originalAcl= Get-Acl -Path $taskFilePath -ErrorAction Stop; $modifiedAcl= Get-Acl -Path $taskFilePath -ErrorAction Stop; $modifiedAcl.SetOwner($adminAccount); $taskFileAccessRule = New-Object System.Security.AccessControl.FileSystemAccessRule( $adminAccount, [System.Security.AccessControl.FileSystemRights]::FullControl, [System.Security.AccessControl.AccessControlType]::Allow ); $modifiedAcl.SetAccessRule($taskFileAccessRule); Set-Acl -Path $taskFilePath -AclObject $modifiedAcl -ErrorAction Stop; Write-Host "^""Successfully granted permissions for `"^""$taskFullPath`"^"" ."^""; $accessGranted = $true; } catch {; Write-Warning "^""Failed to grant access to `"^""$taskFullPath`"^"": $($_.Exception.Message)"^""; }; try {; if ($shouldDisable) {; $task | Disable-ScheduledTask -ErrorAction Stop | Out-Null; Write-Output "^""Successfully disabled task `"^""$taskName`"^""."^""; } else {; $task | Enable-ScheduledTask -ErrorAction Stop | Out-Null; Write-Output "^""Successfully enabled task `"^""$taskName`"^""."^""; }; } catch {; Write-Error "^""Failed to restore task `"^""$taskName`"^"": $($_.Exception.Message)"^""; $operationFailed = $true; }; if ($accessGranted) {; try {; Set-Acl -Path $taskFilePath -AclObject $originalAcl -ErrorAction Stop; Write-Host "^""Successfully restored permissions for `"^""$taskFullPath`"^"" ."^""; } catch {; Write-Warning "^""Failed to restore access on `"^""$taskFilePath`"^"": $($_.Exception.Message)"^""; }; }; }; if ($operationFailed) {; Write-Output 'Failed to restore some tasks. 
Check error messages above.'; exit 1; }" :: ---------------------------------------------------------- :: ---------------------------------------------------------- :: --------Disable "PerformRemediation" task (revert)-------- :: ---------------------------------------------------------- echo --- Disable "PerformRemediation" task (revert) :: Restore scheduled task(s) to default state: `\Microsoft\Windows\WaaSMedic\PerformRemediation` PowerShell -ExecutionPolicy Unrestricted -Command "$taskPathPattern='\Microsoft\Windows\WaaSMedic\'; $taskNamePattern='PerformRemediation'; $shouldDisable = $false; Write-Output "^""Enabling tasks matching pattern `"^""$taskNamePattern`"^""."^""; $tasks = @(Get-ScheduledTask -TaskPath $taskPathPattern -TaskName $taskNamePattern -ErrorAction Ignore); if (-Not $tasks) {; Write-Warning ( "^""Missing task: Cannot enable, no tasks matching pattern `"^""$taskNamePattern`"^"" found."^"" + "^"" This task appears to be not included in this version of Windows."^"" ); exit 0; }; $operationFailed = $false; foreach ($task in $tasks) {; $taskName = $task.TaskName; if ($shouldDisable) {; if ($task.State -eq [Microsoft.PowerShell.Cmdletization.GeneratedTypes.ScheduledTask.StateEnum]::Disabled) {; Write-Output "^""Skipping, task `"^""$taskName`"^"" is already disabled, no action needed."^""; continue; }; } else {; if (($task.State -ne [Microsoft.PowerShell.Cmdletization.GeneratedTypes.ScheduledTask.StateEnum]::Disabled) -and ($task.State -ne [Microsoft.PowerShell.Cmdletization.GeneratedTypes.ScheduledTask.StateEnum]::Unknown)) {; Write-Output "^""Skipping, task `"^""$taskName`"^"" is already enabled, no action needed."^""; continue; }; }; $taskFullPath = "^""$($task.TaskPath)$($task.TaskName)"^""; $adminSid = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-544'; $adminAccount = $adminSid.Translate([System.Security.Principal.NTAccount]); $taskFilePath="^""$($env:WINDIR)\System32\Tasks$($task.TaskPath)$($task.TaskName)"^""; 
$accessGranted = $false; try {; $originalAcl= Get-Acl -Path $taskFilePath -ErrorAction Stop; $modifiedAcl= Get-Acl -Path $taskFilePath -ErrorAction Stop; $modifiedAcl.SetOwner($adminAccount); $taskFileAccessRule = New-Object System.Security.AccessControl.FileSystemAccessRule( $adminAccount, [System.Security.AccessControl.FileSystemRights]::FullControl, [System.Security.AccessControl.AccessControlType]::Allow ); $modifiedAcl.SetAccessRule($taskFileAccessRule); Set-Acl -Path $taskFilePath -AclObject $modifiedAcl -ErrorAction Stop; Write-Host "^""Successfully granted permissions for `"^""$taskFullPath`"^"" ."^""; $accessGranted = $true; } catch {; Write-Warning "^""Failed to grant access to `"^""$taskFullPath`"^"": $($_.Exception.Message)"^""; }; try {; if ($shouldDisable) {; $task | Disable-ScheduledTask -ErrorAction Stop | Out-Null; Write-Output "^""Successfully disabled task `"^""$taskName`"^""."^""; } else {; $task | Enable-ScheduledTask -ErrorAction Stop | Out-Null; Write-Output "^""Successfully enabled task `"^""$taskName`"^""."^""; }; } catch {; Write-Error "^""Failed to restore task `"^""$taskName`"^"": $($_.Exception.Message)"^""; $operationFailed = $true; }; if ($accessGranted) {; try {; Set-Acl -Path $taskFilePath -AclObject $originalAcl -ErrorAction Stop; Write-Host "^""Successfully restored permissions for `"^""$taskFullPath`"^"" ."^""; } catch {; Write-Warning "^""Failed to restore access on `"^""$taskFilePath`"^"": $($_.Exception.Message)"^""; }; }; }; if ($operationFailed) {; Write-Output 'Failed to restore some tasks. 
Check error messages above.'; exit 1; }" :: ---------------------------------------------------------- :: ---------------------------------------------------------- :: ------Disable outdated Windows Update tasks (revert)------ :: ---------------------------------------------------------- echo --- Disable outdated Windows Update tasks (revert) :: Restore scheduled task(s) to default state: `\Microsoft\Windows\UpdateOrchestrator\AC Power Download` PowerShell -ExecutionPolicy Unrestricted -Command "$taskPathPattern='\Microsoft\Windows\UpdateOrchestrator\'; $taskNamePattern='AC Power Download'; $shouldDisable = $false; Write-Output "^""Enabling tasks matching pattern `"^""$taskNamePattern`"^""."^""; $tasks = @(Get-ScheduledTask -TaskPath $taskPathPattern -TaskName $taskNamePattern -ErrorAction Ignore); if (-Not $tasks) {; Write-Warning ( "^""Missing task: Cannot enable, no tasks matching pattern `"^""$taskNamePattern`"^"" found."^"" + "^"" This task appears to be not included in this version of Windows."^"" ); exit 0; }; $operationFailed = $false; foreach ($task in $tasks) {; $taskName = $task.TaskName; if ($shouldDisable) {; if ($task.State -eq [Microsoft.PowerShell.Cmdletization.GeneratedTypes.ScheduledTask.StateEnum]::Disabled) {; Write-Output "^""Skipping, task `"^""$taskName`"^"" is already disabled, no action needed."^""; continue; }; } else {; if (($task.State -ne [Microsoft.PowerShell.Cmdletization.GeneratedTypes.ScheduledTask.StateEnum]::Disabled) -and ($task.State -ne [Microsoft.PowerShell.Cmdletization.GeneratedTypes.ScheduledTask.StateEnum]::Unknown)) {; Write-Output "^""Skipping, task `"^""$taskName`"^"" is already enabled, no action needed."^""; continue; }; }; try {; if ($shouldDisable) {; $task | Disable-ScheduledTask -ErrorAction Stop | Out-Null; Write-Output "^""Successfully disabled task `"^""$taskName`"^""."^""; } else {; $task | Enable-ScheduledTask -ErrorAction Stop | Out-Null; Write-Output "^""Successfully enabled task `"^""$taskName`"^""."^""; 
}; } catch {; Write-Error "^""Failed to restore task `"^""$taskName`"^"": $($_.Exception.Message)"^""; $operationFailed = $true; }; }; if ($operationFailed) {; Write-Output 'Failed to restore some tasks. Check error messages above.'; exit 1; }"
:: Restore scheduled task(s) to default state: `\Microsoft\Windows\UpdateOrchestrator\AC Power Install`
PowerShell -ExecutionPolicy Unrestricted -Command "$taskPathPattern='\Microsoft\Windows\UpdateOrchestrator\'; $taskNamePattern='AC Power Install'; $shouldDisable = $false; Write-Output "^""Enabling tasks matching pattern `"^""$taskNamePattern`"^""."^""; $tasks = @(Get-ScheduledTask -TaskPath $taskPathPattern -TaskName $taskNamePattern -ErrorAction Ignore); if (-Not $tasks) {; Write-Warning ( "^""Missing task: Cannot enable, no tasks matching pattern `"^""$taskNamePattern`"^"" found."^"" + "^"" This task appears to be not included in this version of Windows."^"" ); exit 0; }; $operationFailed = $false; foreach ($task in $tasks) {; $taskName = $task.TaskName; if ($shouldDisable) {; if ($task.State -eq [Microsoft.PowerShell.Cmdletization.GeneratedTypes.ScheduledTask.StateEnum]::Disabled) {; Write-Output "^""Skipping, task `"^""$taskName`"^"" is already disabled, no action needed."^""; continue; }; } else {; if (($task.State -ne [Microsoft.PowerShell.Cmdletization.GeneratedTypes.ScheduledTask.StateEnum]::Disabled) -and ($task.State -ne [Microsoft.PowerShell.Cmdletization.GeneratedTypes.ScheduledTask.StateEnum]::Unknown)) {; Write-Output "^""Skipping, task `"^""$taskName`"^"" is already enabled, no action needed."^""; continue; }; }; try {; if ($shouldDisable) {; $task | Disable-ScheduledTask -ErrorAction Stop | Out-Null; Write-Output "^""Successfully disabled task `"^""$taskName`"^""."^""; } else {; $task | Enable-ScheduledTask -ErrorAction Stop | Out-Null; Write-Output "^""Successfully enabled task `"^""$taskName`"^""."^""; }; } catch {; Write-Error "^""Failed to restore task `"^""$taskName`"^"": $($_.Exception.Message)"^""; $operationFailed = $true; }; }; if ($operationFailed) {; Write-Output 'Failed to restore some tasks. Check error messages above.'; exit 1; }"
:: Restore scheduled task(s) to default state: `\Microsoft\Windows\UpdateOrchestrator\Backup Scan`
PowerShell -ExecutionPolicy Unrestricted -Command "$taskPathPattern='\Microsoft\Windows\UpdateOrchestrator\'; $taskNamePattern='Backup Scan'; $shouldDisable = $false; Write-Output "^""Enabling tasks matching pattern `"^""$taskNamePattern`"^""."^""; $tasks = @(Get-ScheduledTask -TaskPath $taskPathPattern -TaskName $taskNamePattern -ErrorAction Ignore); if (-Not $tasks) {; Write-Warning ( "^""Missing task: Cannot enable, no tasks matching pattern `"^""$taskNamePattern`"^"" found."^"" + "^"" This task appears to be not included in this version of Windows."^"" ); exit 0; }; $operationFailed = $false; foreach ($task in $tasks) {; $taskName = $task.TaskName; if ($shouldDisable) {; if ($task.State -eq [Microsoft.PowerShell.Cmdletization.GeneratedTypes.ScheduledTask.StateEnum]::Disabled) {; Write-Output "^""Skipping, task `"^""$taskName`"^"" is already disabled, no action needed."^""; continue; }; } else {; if (($task.State -ne [Microsoft.PowerShell.Cmdletization.GeneratedTypes.ScheduledTask.StateEnum]::Disabled) -and ($task.State -ne [Microsoft.PowerShell.Cmdletization.GeneratedTypes.ScheduledTask.StateEnum]::Unknown)) {; Write-Output "^""Skipping, task `"^""$taskName`"^"" is already enabled, no action needed."^""; continue; }; }; try {; if ($shouldDisable) {; $task | Disable-ScheduledTask -ErrorAction Stop | Out-Null; Write-Output "^""Successfully disabled task `"^""$taskName`"^""."^""; } else {; $task | Enable-ScheduledTask -ErrorAction Stop | Out-Null; Write-Output "^""Successfully enabled task `"^""$taskName`"^""."^""; }; } catch {; Write-Error "^""Failed to restore task `"^""$taskName`"^"": $($_.Exception.Message)"^""; $operationFailed = $true; }; }; if ($operationFailed) {; Write-Output 'Failed to restore some tasks. Check error messages above.'; exit 1; }"
:: Restore scheduled task(s) to default state: `\Microsoft\Windows\UpdateOrchestrator\Battery Saver Deferred Install`
PowerShell -ExecutionPolicy Unrestricted -Command "$taskPathPattern='\Microsoft\Windows\UpdateOrchestrator\'; $taskNamePattern='Battery Saver Deferred Install'; $shouldDisable = $false; Write-Output "^""Enabling tasks matching pattern `"^""$taskNamePattern`"^""."^""; $tasks = @(Get-ScheduledTask -TaskPath $taskPathPattern -TaskName $taskNamePattern -ErrorAction Ignore); if (-Not $tasks) {; Write-Warning ( "^""Missing task: Cannot enable, no tasks matching pattern `"^""$taskNamePattern`"^"" found."^"" + "^"" This task appears to be not included in this version of Windows."^"" ); exit 0; }; $operationFailed = $false; foreach ($task in $tasks) {; $taskName = $task.TaskName; if ($shouldDisable) {; if ($task.State -eq [Microsoft.PowerShell.Cmdletization.GeneratedTypes.ScheduledTask.StateEnum]::Disabled) {; Write-Output "^""Skipping, task `"^""$taskName`"^"" is already disabled, no action needed."^""; continue; }; } else {; if (($task.State -ne [Microsoft.PowerShell.Cmdletization.GeneratedTypes.ScheduledTask.StateEnum]::Disabled) -and ($task.State -ne [Microsoft.PowerShell.Cmdletization.GeneratedTypes.ScheduledTask.StateEnum]::Unknown)) {; Write-Output "^""Skipping, task `"^""$taskName`"^"" is already enabled, no action needed."^""; continue; }; }; try {; if ($shouldDisable) {; $task | Disable-ScheduledTask -ErrorAction Stop | Out-Null; Write-Output "^""Successfully disabled task `"^""$taskName`"^""."^""; } else {; $task | Enable-ScheduledTask -ErrorAction Stop | Out-Null; Write-Output "^""Successfully enabled task `"^""$taskName`"^""."^""; }; } catch {; Write-Error "^""Failed to restore task `"^""$taskName`"^"": $($_.Exception.Message)"^""; $operationFailed = $true; }; }; if ($operationFailed) {; Write-Output 'Failed to restore some tasks. Check error messages above.'; exit 1; }"
:: Restore scheduled task(s) to default state: `\Microsoft\Windows\UpdateOrchestrator\Driver Install`
PowerShell -ExecutionPolicy Unrestricted -Command "$taskPathPattern='\Microsoft\Windows\UpdateOrchestrator\'; $taskNamePattern='Driver Install'; $shouldDisable = $false; Write-Output "^""Enabling tasks matching pattern `"^""$taskNamePattern`"^""."^""; $tasks = @(Get-ScheduledTask -TaskPath $taskPathPattern -TaskName $taskNamePattern -ErrorAction Ignore); if (-Not $tasks) {; Write-Warning ( "^""Missing task: Cannot enable, no tasks matching pattern `"^""$taskNamePattern`"^"" found."^"" + "^"" This task appears to be not included in this version of Windows."^"" ); exit 0; }; $operationFailed = $false; foreach ($task in $tasks) {; $taskName = $task.TaskName; if ($shouldDisable) {; if ($task.State -eq [Microsoft.PowerShell.Cmdletization.GeneratedTypes.ScheduledTask.StateEnum]::Disabled) {; Write-Output "^""Skipping, task `"^""$taskName`"^"" is already disabled, no action needed."^""; continue; }; } else {; if (($task.State -ne [Microsoft.PowerShell.Cmdletization.GeneratedTypes.ScheduledTask.StateEnum]::Disabled) -and ($task.State -ne [Microsoft.PowerShell.Cmdletization.GeneratedTypes.ScheduledTask.StateEnum]::Unknown)) {; Write-Output "^""Skipping, task `"^""$taskName`"^"" is already enabled, no action needed."^""; continue; }; }; try {; if ($shouldDisable) {; $task | Disable-ScheduledTask -ErrorAction Stop | Out-Null; Write-Output "^""Successfully disabled task `"^""$taskName`"^""."^""; } else {; $task | Enable-ScheduledTask -ErrorAction Stop | Out-Null; Write-Output "^""Successfully enabled task `"^""$taskName`"^""."^""; }; } catch {; Write-Error "^""Failed to restore task `"^""$taskName`"^"": $($_.Exception.Message)"^""; $operationFailed = $true; }; }; if ($operationFailed) {; Write-Output 'Failed to restore some tasks. Check error messages above.'; exit 1; }"
:: Restore scheduled task(s) to default state: `\Microsoft\Windows\UpdateOrchestrator\Maintenance Install`
PowerShell -ExecutionPolicy Unrestricted -Command "$taskPathPattern='\Microsoft\Windows\UpdateOrchestrator\'; $taskNamePattern='Maintenance Install'; $shouldDisable = $false; Write-Output "^""Enabling tasks matching pattern `"^""$taskNamePattern`"^""."^""; $tasks = @(Get-ScheduledTask -TaskPath $taskPathPattern -TaskName $taskNamePattern -ErrorAction Ignore); if (-Not $tasks) {; Write-Warning ( "^""Missing task: Cannot enable, no tasks matching pattern `"^""$taskNamePattern`"^"" found."^"" + "^"" This task appears to be not included in this version of Windows."^"" ); exit 0; }; $operationFailed = $false; foreach ($task in $tasks) {; $taskName = $task.TaskName; if ($shouldDisable) {; if ($task.State -eq [Microsoft.PowerShell.Cmdletization.GeneratedTypes.ScheduledTask.StateEnum]::Disabled) {; Write-Output "^""Skipping, task `"^""$taskName`"^"" is already disabled, no action needed."^""; continue; }; } else {; if (($task.State -ne [Microsoft.PowerShell.Cmdletization.GeneratedTypes.ScheduledTask.StateEnum]::Disabled) -and ($task.State -ne [Microsoft.PowerShell.Cmdletization.GeneratedTypes.ScheduledTask.StateEnum]::Unknown)) {; Write-Output "^""Skipping, task `"^""$taskName`"^"" is already enabled, no action needed."^""; continue; }; }; try {; if ($shouldDisable) {; $task | Disable-ScheduledTask -ErrorAction Stop | Out-Null; Write-Output "^""Successfully disabled task `"^""$taskName`"^""."^""; } else {; $task | Enable-ScheduledTask -ErrorAction Stop | Out-Null; Write-Output "^""Successfully enabled task `"^""$taskName`"^""."^""; }; } catch {; Write-Error "^""Failed to restore task `"^""$taskName`"^"": $($_.Exception.Message)"^""; $operationFailed = $true; }; }; if ($operationFailed) {; Write-Output 'Failed to restore some tasks. Check error messages above.'; exit 1; }"
:: Restore scheduled task(s) to default state: `\Microsoft\Windows\UpdateOrchestrator\MusUx_LogonUpdateResults`
PowerShell -ExecutionPolicy Unrestricted -Command "$taskPathPattern='\Microsoft\Windows\UpdateOrchestrator\'; $taskNamePattern='MusUx_LogonUpdateResults'; $shouldDisable = $false; Write-Output "^""Enabling tasks matching pattern `"^""$taskNamePattern`"^""."^""; $tasks = @(Get-ScheduledTask -TaskPath $taskPathPattern -TaskName $taskNamePattern -ErrorAction Ignore); if (-Not $tasks) {; Write-Warning ( "^""Missing task: Cannot enable, no tasks matching pattern `"^""$taskNamePattern`"^"" found."^"" + "^"" This task appears to be not included in this version of Windows."^"" ); exit 0; }; $operationFailed = $false; foreach ($task in $tasks) {; $taskName = $task.TaskName; if ($shouldDisable) {; if ($task.State -eq [Microsoft.PowerShell.Cmdletization.GeneratedTypes.ScheduledTask.StateEnum]::Disabled) {; Write-Output "^""Skipping, task `"^""$taskName`"^"" is already disabled, no action needed."^""; continue; }; } else {; if (($task.State -ne [Microsoft.PowerShell.Cmdletization.GeneratedTypes.ScheduledTask.StateEnum]::Disabled) -and ($task.State -ne [Microsoft.PowerShell.Cmdletization.GeneratedTypes.ScheduledTask.StateEnum]::Unknown)) {; Write-Output "^""Skipping, task `"^""$taskName`"^"" is already enabled, no action needed."^""; continue; }; }; try {; if ($shouldDisable) {; $task | Disable-ScheduledTask -ErrorAction Stop | Out-Null; Write-Output "^""Successfully disabled task `"^""$taskName`"^""."^""; } else {; $task | Enable-ScheduledTask -ErrorAction Stop | Out-Null; Write-Output "^""Successfully enabled task `"^""$taskName`"^""."^""; }; } catch {; Write-Error "^""Failed to restore task `"^""$taskName`"^"": $($_.Exception.Message)"^""; $operationFailed = $true; }; }; if ($operationFailed) {; Write-Output 'Failed to restore some tasks. Check error messages above.'; exit 1; }"
:: Restore scheduled task(s) to default state: `\Microsoft\Windows\UpdateOrchestrator\MusUx_UpdateInterval`
PowerShell -ExecutionPolicy Unrestricted -Command "$taskPathPattern='\Microsoft\Windows\UpdateOrchestrator\'; $taskNamePattern='MusUx_UpdateInterval'; $shouldDisable = $false; Write-Output "^""Enabling tasks matching pattern `"^""$taskNamePattern`"^""."^""; $tasks = @(Get-ScheduledTask -TaskPath $taskPathPattern -TaskName $taskNamePattern -ErrorAction Ignore); if (-Not $tasks) {; Write-Warning ( "^""Missing task: Cannot enable, no tasks matching pattern `"^""$taskNamePattern`"^"" found."^"" + "^"" This task appears to be not included in this version of Windows."^"" ); exit 0; }; $operationFailed = $false; foreach ($task in $tasks) {; $taskName = $task.TaskName; if ($shouldDisable) {; if ($task.State -eq [Microsoft.PowerShell.Cmdletization.GeneratedTypes.ScheduledTask.StateEnum]::Disabled) {; Write-Output "^""Skipping, task `"^""$taskName`"^"" is already disabled, no action needed."^""; continue; }; } else {; if (($task.State -ne [Microsoft.PowerShell.Cmdletization.GeneratedTypes.ScheduledTask.StateEnum]::Disabled) -and ($task.State -ne [Microsoft.PowerShell.Cmdletization.GeneratedTypes.ScheduledTask.StateEnum]::Unknown)) {; Write-Output "^""Skipping, task `"^""$taskName`"^"" is already enabled, no action needed."^""; continue; }; }; try {; if ($shouldDisable) {; $task | Disable-ScheduledTask -ErrorAction Stop | Out-Null; Write-Output "^""Successfully disabled task `"^""$taskName`"^""."^""; } else {; $task | Enable-ScheduledTask -ErrorAction Stop | Out-Null; Write-Output "^""Successfully enabled task `"^""$taskName`"^""."^""; }; } catch {; Write-Error "^""Failed to restore task `"^""$taskName`"^"": $($_.Exception.Message)"^""; $operationFailed = $true; }; }; if ($operationFailed) {; Write-Output 'Failed to restore some tasks. Check error messages above.'; exit 1; }"
:: Restore scheduled task(s) to default state: `\Microsoft\Windows\UpdateOrchestrator\Policy Install`
PowerShell -ExecutionPolicy Unrestricted -Command "$taskPathPattern='\Microsoft\Windows\UpdateOrchestrator\'; $taskNamePattern='Policy Install'; $shouldDisable = $false; Write-Output "^""Enabling tasks matching pattern `"^""$taskNamePattern`"^""."^""; $tasks = @(Get-ScheduledTask -TaskPath $taskPathPattern -TaskName $taskNamePattern -ErrorAction Ignore); if (-Not $tasks) {; Write-Warning ( "^""Missing task: Cannot enable, no tasks matching pattern `"^""$taskNamePattern`"^"" found."^"" + "^"" This task appears to be not included in this version of Windows."^"" ); exit 0; }; $operationFailed = $false; foreach ($task in $tasks) {; $taskName = $task.TaskName; if ($shouldDisable) {; if ($task.State -eq [Microsoft.PowerShell.Cmdletization.GeneratedTypes.ScheduledTask.StateEnum]::Disabled) {; Write-Output "^""Skipping, task `"^""$taskName`"^"" is already disabled, no action needed."^""; continue; }; } else {; if (($task.State -ne [Microsoft.PowerShell.Cmdletization.GeneratedTypes.ScheduledTask.StateEnum]::Disabled) -and ($task.State -ne [Microsoft.PowerShell.Cmdletization.GeneratedTypes.ScheduledTask.StateEnum]::Unknown)) {; Write-Output "^""Skipping, task `"^""$taskName`"^"" is already enabled, no action needed."^""; continue; }; }; try {; if ($shouldDisable) {; $task | Disable-ScheduledTask -ErrorAction Stop | Out-Null; Write-Output "^""Successfully disabled task `"^""$taskName`"^""."^""; } else {; $task | Enable-ScheduledTask -ErrorAction Stop | Out-Null; Write-Output "^""Successfully enabled task `"^""$taskName`"^""."^""; }; } catch {; Write-Error "^""Failed to restore task `"^""$taskName`"^"": $($_.Exception.Message)"^""; $operationFailed = $true; }; }; if ($operationFailed) {; Write-Output 'Failed to restore some tasks. Check error messages above.'; exit 1; }"
:: Restore scheduled task(s) to default state: `\Microsoft\Windows\UpdateOrchestrator\Reboot`
PowerShell -ExecutionPolicy Unrestricted -Command "$taskPathPattern='\Microsoft\Windows\UpdateOrchestrator\'; $taskNamePattern='Reboot'; $shouldDisable = $false; Write-Output "^""Enabling tasks matching pattern `"^""$taskNamePattern`"^""."^""; $tasks = @(Get-ScheduledTask -TaskPath $taskPathPattern -TaskName $taskNamePattern -ErrorAction Ignore); if (-Not $tasks) {; Write-Warning ( "^""Missing task: Cannot enable, no tasks matching pattern `"^""$taskNamePattern`"^"" found."^"" + "^"" This task appears to be not included in this version of Windows."^"" ); exit 0; }; $operationFailed = $false; foreach ($task in $tasks) {; $taskName = $task.TaskName; if ($shouldDisable) {; if ($task.State -eq [Microsoft.PowerShell.Cmdletization.GeneratedTypes.ScheduledTask.StateEnum]::Disabled) {; Write-Output "^""Skipping, task `"^""$taskName`"^"" is already disabled, no action needed."^""; continue; }; } else {; if (($task.State -ne [Microsoft.PowerShell.Cmdletization.GeneratedTypes.ScheduledTask.StateEnum]::Disabled) -and ($task.State -ne [Microsoft.PowerShell.Cmdletization.GeneratedTypes.ScheduledTask.StateEnum]::Unknown)) {; Write-Output "^""Skipping, task `"^""$taskName`"^"" is already enabled, no action needed."^""; continue; }; }; try {; if ($shouldDisable) {; $task | Disable-ScheduledTask -ErrorAction Stop | Out-Null; Write-Output "^""Successfully disabled task `"^""$taskName`"^""."^""; } else {; $task | Enable-ScheduledTask -ErrorAction Stop | Out-Null; Write-Output "^""Successfully enabled task `"^""$taskName`"^""."^""; }; } catch {; Write-Error "^""Failed to restore task `"^""$taskName`"^"": $($_.Exception.Message)"^""; $operationFailed = $true; }; }; if ($operationFailed) {; Write-Output 'Failed to restore some tasks. Check error messages above.'; exit 1; }"
:: Restore scheduled task(s) to default state: `\Microsoft\Windows\UpdateOrchestrator\Reboot_AC`
PowerShell -ExecutionPolicy Unrestricted -Command "$taskPathPattern='\Microsoft\Windows\UpdateOrchestrator\'; $taskNamePattern='Reboot_AC'; $shouldDisable = $false; Write-Output "^""Enabling tasks matching pattern `"^""$taskNamePattern`"^""."^""; $tasks = @(Get-ScheduledTask -TaskPath $taskPathPattern -TaskName $taskNamePattern -ErrorAction Ignore); if (-Not $tasks) {; Write-Warning ( "^""Missing task: Cannot enable, no tasks matching pattern `"^""$taskNamePattern`"^"" found."^"" + "^"" This task appears to be not included in this version of Windows."^"" ); exit 0; }; $operationFailed = $false; foreach ($task in $tasks) {; $taskName = $task.TaskName; if ($shouldDisable) {; if ($task.State -eq [Microsoft.PowerShell.Cmdletization.GeneratedTypes.ScheduledTask.StateEnum]::Disabled) {; Write-Output "^""Skipping, task `"^""$taskName`"^"" is already disabled, no action needed."^""; continue; }; } else {; if (($task.State -ne [Microsoft.PowerShell.Cmdletization.GeneratedTypes.ScheduledTask.StateEnum]::Disabled) -and ($task.State -ne [Microsoft.PowerShell.Cmdletization.GeneratedTypes.ScheduledTask.StateEnum]::Unknown)) {; Write-Output "^""Skipping, task `"^""$taskName`"^"" is already enabled, no action needed."^""; continue; }; }; try {; if ($shouldDisable) {; $task | Disable-ScheduledTask -ErrorAction Stop | Out-Null; Write-Output "^""Successfully disabled task `"^""$taskName`"^""."^""; } else {; $task | Enable-ScheduledTask -ErrorAction Stop | Out-Null; Write-Output "^""Successfully enabled task `"^""$taskName`"^""."^""; }; } catch {; Write-Error "^""Failed to restore task `"^""$taskName`"^"": $($_.Exception.Message)"^""; $operationFailed = $true; }; }; if ($operationFailed) {; Write-Output 'Failed to restore some tasks. Check error messages above.'; exit 1; }"
:: Restore scheduled task(s) to default state: `\Microsoft\Windows\UpdateOrchestrator\Reboot_Battery`
PowerShell -ExecutionPolicy Unrestricted -Command "$taskPathPattern='\Microsoft\Windows\UpdateOrchestrator\'; $taskNamePattern='Reboot_Battery'; $shouldDisable = $false; Write-Output "^""Enabling tasks matching pattern `"^""$taskNamePattern`"^""."^""; $tasks = @(Get-ScheduledTask -TaskPath $taskPathPattern -TaskName $taskNamePattern -ErrorAction Ignore); if (-Not $tasks) {; Write-Warning ( "^""Missing task: Cannot enable, no tasks matching pattern `"^""$taskNamePattern`"^"" found."^"" + "^"" This task appears to be not included in this version of Windows."^"" ); exit 0; }; $operationFailed = $false; foreach ($task in $tasks) {; $taskName = $task.TaskName; if ($shouldDisable) {; if ($task.State -eq [Microsoft.PowerShell.Cmdletization.GeneratedTypes.ScheduledTask.StateEnum]::Disabled) {; Write-Output "^""Skipping, task `"^""$taskName`"^"" is already disabled, no action needed."^""; continue; }; } else {; if (($task.State -ne [Microsoft.PowerShell.Cmdletization.GeneratedTypes.ScheduledTask.StateEnum]::Disabled) -and ($task.State -ne [Microsoft.PowerShell.Cmdletization.GeneratedTypes.ScheduledTask.StateEnum]::Unknown)) {; Write-Output "^""Skipping, task `"^""$taskName`"^"" is already enabled, no action needed."^""; continue; }; }; try {; if ($shouldDisable) {; $task | Disable-ScheduledTask -ErrorAction Stop | Out-Null; Write-Output "^""Successfully disabled task `"^""$taskName`"^""."^""; } else {; $task | Enable-ScheduledTask -ErrorAction Stop | Out-Null; Write-Output "^""Successfully enabled task `"^""$taskName`"^""."^""; }; } catch {; Write-Error "^""Failed to restore task `"^""$taskName`"^"": $($_.Exception.Message)"^""; $operationFailed = $true; }; }; if ($operationFailed) {; Write-Output 'Failed to restore some tasks. Check error messages above.'; exit 1; }"
:: Restore scheduled task(s) to default state: `\Microsoft\Windows\UpdateOrchestrator\Refresh Settings`
PowerShell -ExecutionPolicy Unrestricted -Command "$taskPathPattern='\Microsoft\Windows\UpdateOrchestrator\'; $taskNamePattern='Refresh Settings'; $shouldDisable = $false; Write-Output "^""Enabling tasks matching pattern `"^""$taskNamePattern`"^""."^""; $tasks = @(Get-ScheduledTask -TaskPath $taskPathPattern -TaskName $taskNamePattern -ErrorAction Ignore); if (-Not $tasks) {; Write-Warning ( "^""Missing task: Cannot enable, no tasks matching pattern `"^""$taskNamePattern`"^"" found."^"" + "^"" This task appears to be not included in this version of Windows."^"" ); exit 0; }; $operationFailed = $false; foreach ($task in $tasks) {; $taskName = $task.TaskName; if ($shouldDisable) {; if ($task.State -eq [Microsoft.PowerShell.Cmdletization.GeneratedTypes.ScheduledTask.StateEnum]::Disabled) {; Write-Output "^""Skipping, task `"^""$taskName`"^"" is already disabled, no action needed."^""; continue; }; } else {; if (($task.State -ne [Microsoft.PowerShell.Cmdletization.GeneratedTypes.ScheduledTask.StateEnum]::Disabled) -and ($task.State -ne [Microsoft.PowerShell.Cmdletization.GeneratedTypes.ScheduledTask.StateEnum]::Unknown)) {; Write-Output "^""Skipping, task `"^""$taskName`"^"" is already enabled, no action needed."^""; continue; }; }; try {; if ($shouldDisable) {; $task | Disable-ScheduledTask -ErrorAction Stop | Out-Null; Write-Output "^""Successfully disabled task `"^""$taskName`"^""."^""; } else {; $task | Enable-ScheduledTask -ErrorAction Stop | Out-Null; Write-Output "^""Successfully enabled task `"^""$taskName`"^""."^""; }; } catch {; Write-Error "^""Failed to restore task `"^""$taskName`"^"": $($_.Exception.Message)"^""; $operationFailed = $true; }; }; if ($operationFailed) {; Write-Output 'Failed to restore some tasks. Check error messages above.'; exit 1; }"
:: Restore scheduled task(s) to default state: `\Microsoft\Windows\UpdateOrchestrator\Resume On Boot`
PowerShell -ExecutionPolicy Unrestricted -Command "$taskPathPattern='\Microsoft\Windows\UpdateOrchestrator\'; $taskNamePattern='Resume On Boot'; $shouldDisable = $false; Write-Output "^""Enabling tasks matching pattern `"^""$taskNamePattern`"^""."^""; $tasks = @(Get-ScheduledTask -TaskPath $taskPathPattern -TaskName $taskNamePattern -ErrorAction Ignore); if (-Not $tasks) {; Write-Warning ( "^""Missing task: Cannot enable, no tasks matching pattern `"^""$taskNamePattern`"^"" found."^"" + "^"" This task appears to be not included in this version of Windows."^"" ); exit 0; }; $operationFailed = $false; foreach ($task in $tasks) {; $taskName = $task.TaskName; if ($shouldDisable) {; if ($task.State -eq [Microsoft.PowerShell.Cmdletization.GeneratedTypes.ScheduledTask.StateEnum]::Disabled) {; Write-Output "^""Skipping, task `"^""$taskName`"^"" is already disabled, no action needed."^""; continue; }; } else {; if (($task.State -ne [Microsoft.PowerShell.Cmdletization.GeneratedTypes.ScheduledTask.StateEnum]::Disabled) -and ($task.State -ne [Microsoft.PowerShell.Cmdletization.GeneratedTypes.ScheduledTask.StateEnum]::Unknown)) {; Write-Output "^""Skipping, task `"^""$taskName`"^"" is already enabled, no action needed."^""; continue; }; }; try {; if ($shouldDisable) {; $task | Disable-ScheduledTask -ErrorAction Stop | Out-Null; Write-Output "^""Successfully disabled task `"^""$taskName`"^""."^""; } else {; $task | Enable-ScheduledTask -ErrorAction Stop | Out-Null; Write-Output "^""Successfully enabled task `"^""$taskName`"^""."^""; }; } catch {; Write-Error "^""Failed to restore task `"^""$taskName`"^"": $($_.Exception.Message)"^""; $operationFailed = $true; }; }; if ($operationFailed) {; Write-Output 'Failed to restore some tasks. Check error messages above.'; exit 1; }"
:: Restore scheduled task(s) to default state: `\Microsoft\Windows\UpdateOrchestrator\Schedule Retry Scan`
PowerShell -ExecutionPolicy Unrestricted -Command "$taskPathPattern='\Microsoft\Windows\UpdateOrchestrator\'; $taskNamePattern='Schedule Retry Scan'; $shouldDisable = $false; Write-Output "^""Enabling tasks matching pattern `"^""$taskNamePattern`"^""."^""; $tasks = @(Get-ScheduledTask -TaskPath $taskPathPattern -TaskName $taskNamePattern -ErrorAction Ignore); if (-Not $tasks) {; Write-Warning ( "^""Missing task: Cannot enable, no tasks matching pattern `"^""$taskNamePattern`"^"" found."^"" + "^"" This task appears to be not included in this version of Windows."^"" ); exit 0; }; $operationFailed = $false; foreach ($task in $tasks) {; $taskName = $task.TaskName; if ($shouldDisable) {; if ($task.State -eq [Microsoft.PowerShell.Cmdletization.GeneratedTypes.ScheduledTask.StateEnum]::Disabled) {; Write-Output "^""Skipping, task `"^""$taskName`"^"" is already disabled, no action needed."^""; continue; }; } else {; if (($task.State -ne [Microsoft.PowerShell.Cmdletization.GeneratedTypes.ScheduledTask.StateEnum]::Disabled) -and ($task.State -ne [Microsoft.PowerShell.Cmdletization.GeneratedTypes.ScheduledTask.StateEnum]::Unknown)) {; Write-Output "^""Skipping, task `"^""$taskName`"^"" is already enabled, no action needed."^""; continue; }; }; try {; if ($shouldDisable) {; $task | Disable-ScheduledTask -ErrorAction Stop | Out-Null; Write-Output "^""Successfully disabled task `"^""$taskName`"^""."^""; } else {; $task | Enable-ScheduledTask -ErrorAction Stop | Out-Null; Write-Output "^""Successfully enabled task `"^""$taskName`"^""."^""; }; } catch {; Write-Error "^""Failed to restore task `"^""$taskName`"^"": $($_.Exception.Message)"^""; $operationFailed = $true; }; }; if ($operationFailed) {; Write-Output 'Failed to restore some tasks. Check error messages above.'; exit 1; }"
:: Restore scheduled task(s) to default state: `\Microsoft\Windows\UpdateOrchestrator\StartOobeAppsScan`
PowerShell -ExecutionPolicy Unrestricted -Command "$taskPathPattern='\Microsoft\Windows\UpdateOrchestrator\'; $taskNamePattern='StartOobeAppsScan'; $shouldDisable = $false; Write-Output "^""Enabling tasks matching pattern `"^""$taskNamePattern`"^""."^""; $tasks = @(Get-ScheduledTask -TaskPath $taskPathPattern -TaskName $taskNamePattern -ErrorAction Ignore); if (-Not $tasks) {; Write-Warning ( "^""Missing task: Cannot enable, no tasks matching pattern `"^""$taskNamePattern`"^"" found."^"" + "^"" This task appears to be not included in this version of Windows."^"" ); exit 0; }; $operationFailed = $false; foreach ($task in $tasks) {; $taskName = $task.TaskName; if ($shouldDisable) {; if ($task.State -eq [Microsoft.PowerShell.Cmdletization.GeneratedTypes.ScheduledTask.StateEnum]::Disabled) {; Write-Output "^""Skipping, task `"^""$taskName`"^"" is already disabled, no action needed."^""; continue; }; } else {; if (($task.State -ne [Microsoft.PowerShell.Cmdletization.GeneratedTypes.ScheduledTask.StateEnum]::Disabled) -and ($task.State -ne [Microsoft.PowerShell.Cmdletization.GeneratedTypes.ScheduledTask.StateEnum]::Unknown)) {; Write-Output "^""Skipping, task `"^""$taskName`"^"" is already enabled, no action needed."^""; continue; }; }; try {; if ($shouldDisable) {; $task | Disable-ScheduledTask -ErrorAction Stop | Out-Null; Write-Output "^""Successfully disabled task `"^""$taskName`"^""."^""; } else {; $task | Enable-ScheduledTask -ErrorAction Stop | Out-Null; Write-Output "^""Successfully enabled task `"^""$taskName`"^""."^""; }; } catch {; Write-Error "^""Failed to restore task `"^""$taskName`"^"": $($_.Exception.Message)"^""; $operationFailed = $true; }; }; if ($operationFailed) {; Write-Output 'Failed to restore some tasks. Check error messages above.'; exit 1; }"
:: Restore scheduled task(s) to default state: `\Microsoft\Windows\UpdateOrchestrator\USO_Broker_Display`
PowerShell -ExecutionPolicy Unrestricted -Command "$taskPathPattern='\Microsoft\Windows\UpdateOrchestrator\'; $taskNamePattern='USO_Broker_Display'; $shouldDisable = $false; Write-Output "^""Enabling tasks matching pattern `"^""$taskNamePattern`"^""."^""; $tasks = @(Get-ScheduledTask -TaskPath $taskPathPattern -TaskName $taskNamePattern -ErrorAction Ignore); if (-Not $tasks) {; Write-Warning ( "^""Missing task: Cannot enable, no tasks matching pattern `"^""$taskNamePattern`"^"" found."^"" + "^"" This task appears to be not included in this version of Windows."^"" ); exit 0; }; $operationFailed = $false; foreach ($task in $tasks) {; $taskName = $task.TaskName; if ($shouldDisable) {; if ($task.State -eq [Microsoft.PowerShell.Cmdletization.GeneratedTypes.ScheduledTask.StateEnum]::Disabled) {; Write-Output "^""Skipping, task `"^""$taskName`"^"" is already disabled, no action needed."^""; continue; }; } else {; if (($task.State -ne [Microsoft.PowerShell.Cmdletization.GeneratedTypes.ScheduledTask.StateEnum]::Disabled) -and ($task.State -ne [Microsoft.PowerShell.Cmdletization.GeneratedTypes.ScheduledTask.StateEnum]::Unknown)) {; Write-Output "^""Skipping, task `"^""$taskName`"^"" is already enabled, no action needed."^""; continue; }; }; try {; if ($shouldDisable) {; $task | Disable-ScheduledTask -ErrorAction Stop | Out-Null; Write-Output "^""Successfully disabled task `"^""$taskName`"^""."^""; } else {; $task | Enable-ScheduledTask -ErrorAction Stop | Out-Null; Write-Output "^""Successfully enabled task `"^""$taskName`"^""."^""; }; } catch {; Write-Error "^""Failed to restore task `"^""$taskName`"^"": $($_.Exception.Message)"^""; $operationFailed = $true; }; }; if ($operationFailed) {; Write-Output 'Failed to restore some tasks. Check error messages above.'; exit 1; }"
:: Restore scheduled task(s) to default state: `\Microsoft\Windows\UpdateOrchestrator\USO_UxBroker_Display`
PowerShell -ExecutionPolicy Unrestricted -Command "$taskPathPattern='\Microsoft\Windows\UpdateOrchestrator\'; $taskNamePattern='USO_UxBroker_Display'; $shouldDisable = $false; Write-Output "^""Enabling tasks matching pattern `"^""$taskNamePattern`"^""."^""; $tasks = @(Get-ScheduledTask -TaskPath $taskPathPattern -TaskName $taskNamePattern -ErrorAction Ignore); if (-Not $tasks) {; Write-Warning ( "^""Missing task: Cannot enable, no tasks matching pattern `"^""$taskNamePattern`"^"" found."^"" + "^"" This task appears to be not included in this version of Windows."^"" ); exit 0; }; $operationFailed = $false; foreach ($task in $tasks) {; $taskName = $task.TaskName; if ($shouldDisable) {; if ($task.State -eq [Microsoft.PowerShell.Cmdletization.GeneratedTypes.ScheduledTask.StateEnum]::Disabled) {; Write-Output "^""Skipping, task `"^""$taskName`"^"" is already disabled, no action needed."^""; continue; }; } else {; if (($task.State -ne [Microsoft.PowerShell.Cmdletization.GeneratedTypes.ScheduledTask.StateEnum]::Disabled) -and ($task.State -ne [Microsoft.PowerShell.Cmdletization.GeneratedTypes.ScheduledTask.StateEnum]::Unknown)) {; Write-Output "^""Skipping, task `"^""$taskName`"^"" is already enabled, no action needed."^""; continue; }; }; try {; if ($shouldDisable) {; $task | Disable-ScheduledTask -ErrorAction Stop | Out-Null; Write-Output "^""Successfully disabled task `"^""$taskName`"^""."^""; } else {; $task | Enable-ScheduledTask -ErrorAction Stop | Out-Null; Write-Output "^""Successfully enabled task `"^""$taskName`"^""."^""; }; } catch {; Write-Error "^""Failed to restore task `"^""$taskName`"^"": $($_.Exception.Message)"^""; $operationFailed = $true; }; }; if ($operationFailed) {; Write-Output 'Failed to restore some tasks. Check error messages above.'; exit 1; }"
:: Restore scheduled task(s) to default state: `\Microsoft\Windows\UpdateOrchestrator\USO_UxBroker_ReadyToReboot`
PowerShell -ExecutionPolicy Unrestricted -Command "$taskPathPattern='\Microsoft\Windows\UpdateOrchestrator\'; $taskNamePattern='USO_UxBroker_ReadyToReboot'; $shouldDisable = $false; Write-Output "^""Enabling tasks matching pattern `"^""$taskNamePattern`"^""."^""; $tasks = @(Get-ScheduledTask -TaskPath $taskPathPattern -TaskName $taskNamePattern -ErrorAction Ignore); if (-Not $tasks) {; Write-Warning ( "^""Missing task: Cannot enable, no tasks matching pattern `"^""$taskNamePattern`"^"" found."^"" + "^"" This task appears to be not included in this version of Windows."^"" ); exit 0; }; $operationFailed = $false; foreach ($task in $tasks) {; $taskName = $task.TaskName; if ($shouldDisable) {; if ($task.State -eq [Microsoft.PowerShell.Cmdletization.GeneratedTypes.ScheduledTask.StateEnum]::Disabled) {; Write-Output "^""Skipping, task `"^""$taskName`"^"" is already disabled, no action needed."^""; continue; }; } else {; if (($task.State -ne [Microsoft.PowerShell.Cmdletization.GeneratedTypes.ScheduledTask.StateEnum]::Disabled) -and ($task.State -ne [Microsoft.PowerShell.Cmdletization.GeneratedTypes.ScheduledTask.StateEnum]::Unknown)) {; Write-Output "^""Skipping, task `"^""$taskName`"^"" is already enabled, no action needed."^""; continue; }; }; try {; if ($shouldDisable) {; $task | Disable-ScheduledTask -ErrorAction Stop | Out-Null; Write-Output "^""Successfully disabled task `"^""$taskName`"^""."^""; } else {; $task | Enable-ScheduledTask -ErrorAction Stop | Out-Null; Write-Output "^""Successfully enabled task `"^""$taskName`"^""."^""; }; } catch {; Write-Error "^""Failed to restore task `"^""$taskName`"^"": $($_.Exception.Message)"^""; $operationFailed = $true; }; }; if ($operationFailed) {; Write-Output 'Failed to restore some tasks. Check error messages above.'; exit 1; }"
:: Restore scheduled task(s) to default state: `\Microsoft\Windows\UpdateOrchestrator\Universal Orchestrator Start`
PowerShell -ExecutionPolicy Unrestricted -Command "$taskPathPattern='\Microsoft\Windows\UpdateOrchestrator\'; $taskNamePattern='Universal Orchestrator Start'; $shouldDisable = $false; Write-Output "^""Enabling tasks matching pattern `"^""$taskNamePattern`"^""."^""; $tasks = @(Get-ScheduledTask -TaskPath $taskPathPattern -TaskName $taskNamePattern -ErrorAction Ignore); if (-Not $tasks) {; Write-Warning ( "^""Missing task: Cannot enable, no tasks matching pattern `"^""$taskNamePattern`"^"" found."^"" + "^"" This task appears to be not included in this version of Windows."^"" ); exit 0; }; $operationFailed = $false; foreach ($task in $tasks) {; $taskName = $task.TaskName; if ($shouldDisable) {; if ($task.State -eq [Microsoft.PowerShell.Cmdletization.GeneratedTypes.ScheduledTask.StateEnum]::Disabled) {; Write-Output "^""Skipping, task `"^""$taskName`"^"" is already disabled, no action needed."^""; continue; }; } else {; if (($task.State -ne [Microsoft.PowerShell.Cmdletization.GeneratedTypes.ScheduledTask.StateEnum]::Disabled) -and ($task.State -ne [Microsoft.PowerShell.Cmdletization.GeneratedTypes.ScheduledTask.StateEnum]::Unknown)) {; Write-Output "^""Skipping, task `"^""$taskName`"^"" is already enabled, no action needed."^""; continue; }; }; try {; if ($shouldDisable) {; $task | Disable-ScheduledTask -ErrorAction Stop | Out-Null; Write-Output "^""Successfully disabled task `"^""$taskName`"^""."^""; } else {; $task | Enable-ScheduledTask -ErrorAction Stop | Out-Null; Write-Output "^""Successfully enabled task `"^""$taskName`"^""."^""; }; } catch {; Write-Error "^""Failed to restore task `"^""$taskName`"^"": $($_.Exception.Message)"^""; $operationFailed = $true; }; }; if ($operationFailed) {; Write-Output 'Failed to restore some tasks. Check error messages above.'; exit 1; }"
:: Restore scheduled task(s) to default state: `\Microsoft\Windows\UpdateOrchestrator\Universal Orchestrator Idle Start`
PowerShell -ExecutionPolicy Unrestricted -Command "$taskPathPattern='\Microsoft\Windows\UpdateOrchestrator\'; $taskNamePattern='Universal Orchestrator Idle Start'; $shouldDisable = $false; Write-Output "^""Enabling tasks matching pattern `"^""$taskNamePattern`"^""."^""; $tasks = @(Get-ScheduledTask -TaskPath $taskPathPattern -TaskName $taskNamePattern -ErrorAction Ignore); if (-Not $tasks) {; Write-Warning ( "^""Missing task: Cannot enable, no tasks matching pattern `"^""$taskNamePattern`"^"" found."^"" + "^"" This task appears to be not included in this version of Windows."^"" ); exit 0; }; $operationFailed = $false; foreach ($task in $tasks) {; $taskName = $task.TaskName; if ($shouldDisable) {; if ($task.State -eq [Microsoft.PowerShell.Cmdletization.GeneratedTypes.ScheduledTask.StateEnum]::Disabled) {; Write-Output "^""Skipping, task `"^""$taskName`"^"" is already disabled, no action needed."^""; continue; }; } else {; if (($task.State -ne [Microsoft.PowerShell.Cmdletization.GeneratedTypes.ScheduledTask.StateEnum]::Disabled) -and ($task.State -ne [Microsoft.PowerShell.Cmdletization.GeneratedTypes.ScheduledTask.StateEnum]::Unknown)) {; Write-Output "^""Skipping, task `"^""$taskName`"^"" is already enabled, no action needed."^""; continue; }; }; try {; if ($shouldDisable) {; $task | Disable-ScheduledTask -ErrorAction Stop | Out-Null; Write-Output "^""Successfully disabled task `"^""$taskName`"^""."^""; } else {; $task | Enable-ScheduledTask -ErrorAction Stop | Out-Null; Write-Output "^""Successfully enabled task `"^""$taskName`"^""."^""; }; } catch {; Write-Error "^""Failed to restore task `"^""$taskName`"^"": $($_.Exception.Message)"^""; $operationFailed = $true; }; }; if ($operationFailed) {; Write-Output 'Failed to restore some tasks. Check error messages above.'; exit 1; }"
:: Restore scheduled task(s) to default state: `\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant`
PowerShell -ExecutionPolicy Unrestricted -Command "$taskPathPattern='\Microsoft\Windows\UpdateOrchestrator\'; $taskNamePattern='UpdateAssistant'; $shouldDisable = $false; Write-Output "^""Enabling tasks matching pattern `"^""$taskNamePattern`"^""."^""; $tasks = @(Get-ScheduledTask -TaskPath $taskPathPattern -TaskName $taskNamePattern -ErrorAction Ignore); if (-Not $tasks) {; Write-Warning ( "^""Missing task: Cannot enable, no tasks matching pattern `"^""$taskNamePattern`"^"" found."^"" + "^"" This task appears to be not included in this version of Windows."^"" ); exit 0; }; $operationFailed = $false; foreach ($task in $tasks) {; $taskName = $task.TaskName; if ($shouldDisable) {; if ($task.State -eq [Microsoft.PowerShell.Cmdletization.GeneratedTypes.ScheduledTask.StateEnum]::Disabled) {; Write-Output "^""Skipping, task `"^""$taskName`"^"" is already disabled, no action needed."^""; continue; }; } else {; if (($task.State -ne [Microsoft.PowerShell.Cmdletization.GeneratedTypes.ScheduledTask.StateEnum]::Disabled) -and ($task.State -ne [Microsoft.PowerShell.Cmdletization.GeneratedTypes.ScheduledTask.StateEnum]::Unknown)) {; Write-Output "^""Skipping, task `"^""$taskName`"^"" is already enabled, no action needed."^""; continue; }; }; try {; if ($shouldDisable) {; $task | Disable-ScheduledTask -ErrorAction Stop | Out-Null; Write-Output "^""Successfully disabled task `"^""$taskName`"^""."^""; } else {; $task | Enable-ScheduledTask -ErrorAction Stop | Out-Null; Write-Output "^""Successfully enabled task `"^""$taskName`"^""."^""; }; } catch {; Write-Error "^""Failed to restore task `"^""$taskName`"^"": $($_.Exception.Message)"^""; $operationFailed = $true; }; }; if ($operationFailed) {; Write-Output 'Failed to restore some tasks. 
Check error messages above.'; exit 1; }" :: Restore scheduled task(s) to default state: `\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantAllUsersRun` PowerShell -ExecutionPolicy Unrestricted -Command "$taskPathPattern='\Microsoft\Windows\UpdateOrchestrator\'; $taskNamePattern='UpdateAssistantAllUsersRun'; $shouldDisable = $false; Write-Output "^""Enabling tasks matching pattern `"^""$taskNamePattern`"^""."^""; $tasks = @(Get-ScheduledTask -TaskPath $taskPathPattern -TaskName $taskNamePattern -ErrorAction Ignore); if (-Not $tasks) {; Write-Warning ( "^""Missing task: Cannot enable, no tasks matching pattern `"^""$taskNamePattern`"^"" found."^"" + "^"" This task appears to be not included in this version of Windows."^"" ); exit 0; }; $operationFailed = $false; foreach ($task in $tasks) {; $taskName = $task.TaskName; if ($shouldDisable) {; if ($task.State -eq [Microsoft.PowerShell.Cmdletization.GeneratedTypes.ScheduledTask.StateEnum]::Disabled) {; Write-Output "^""Skipping, task `"^""$taskName`"^"" is already disabled, no action needed."^""; continue; }; } else {; if (($task.State -ne [Microsoft.PowerShell.Cmdletization.GeneratedTypes.ScheduledTask.StateEnum]::Disabled) -and ($task.State -ne [Microsoft.PowerShell.Cmdletization.GeneratedTypes.ScheduledTask.StateEnum]::Unknown)) {; Write-Output "^""Skipping, task `"^""$taskName`"^"" is already enabled, no action needed."^""; continue; }; }; try {; if ($shouldDisable) {; $task | Disable-ScheduledTask -ErrorAction Stop | Out-Null; Write-Output "^""Successfully disabled task `"^""$taskName`"^""."^""; } else {; $task | Enable-ScheduledTask -ErrorAction Stop | Out-Null; Write-Output "^""Successfully enabled task `"^""$taskName`"^""."^""; }; } catch {; Write-Error "^""Failed to restore task `"^""$taskName`"^"": $($_.Exception.Message)"^""; $operationFailed = $true; }; }; if ($operationFailed) {; Write-Output 'Failed to restore some tasks. 
Check error messages above.'; exit 1; }" :: Restore scheduled task(s) to default state: `\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun` PowerShell -ExecutionPolicy Unrestricted -Command "$taskPathPattern='\Microsoft\Windows\UpdateOrchestrator\'; $taskNamePattern='UpdateAssistantCalendarRun'; $shouldDisable = $false; Write-Output "^""Enabling tasks matching pattern `"^""$taskNamePattern`"^""."^""; $tasks = @(Get-ScheduledTask -TaskPath $taskPathPattern -TaskName $taskNamePattern -ErrorAction Ignore); if (-Not $tasks) {; Write-Warning ( "^""Missing task: Cannot enable, no tasks matching pattern `"^""$taskNamePattern`"^"" found."^"" + "^"" This task appears to be not included in this version of Windows."^"" ); exit 0; }; $operationFailed = $false; foreach ($task in $tasks) {; $taskName = $task.TaskName; if ($shouldDisable) {; if ($task.State -eq [Microsoft.PowerShell.Cmdletization.GeneratedTypes.ScheduledTask.StateEnum]::Disabled) {; Write-Output "^""Skipping, task `"^""$taskName`"^"" is already disabled, no action needed."^""; continue; }; } else {; if (($task.State -ne [Microsoft.PowerShell.Cmdletization.GeneratedTypes.ScheduledTask.StateEnum]::Disabled) -and ($task.State -ne [Microsoft.PowerShell.Cmdletization.GeneratedTypes.ScheduledTask.StateEnum]::Unknown)) {; Write-Output "^""Skipping, task `"^""$taskName`"^"" is already enabled, no action needed."^""; continue; }; }; try {; if ($shouldDisable) {; $task | Disable-ScheduledTask -ErrorAction Stop | Out-Null; Write-Output "^""Successfully disabled task `"^""$taskName`"^""."^""; } else {; $task | Enable-ScheduledTask -ErrorAction Stop | Out-Null; Write-Output "^""Successfully enabled task `"^""$taskName`"^""."^""; }; } catch {; Write-Error "^""Failed to restore task `"^""$taskName`"^"": $($_.Exception.Message)"^""; $operationFailed = $true; }; }; if ($operationFailed) {; Write-Output 'Failed to restore some tasks. 
Check error messages above.'; exit 1; }" :: Restore scheduled task(s) to default state: `\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun` PowerShell -ExecutionPolicy Unrestricted -Command "$taskPathPattern='\Microsoft\Windows\UpdateOrchestrator\'; $taskNamePattern='UpdateAssistantWakeupRun'; $shouldDisable = $false; Write-Output "^""Enabling tasks matching pattern `"^""$taskNamePattern`"^""."^""; $tasks = @(Get-ScheduledTask -TaskPath $taskPathPattern -TaskName $taskNamePattern -ErrorAction Ignore); if (-Not $tasks) {; Write-Warning ( "^""Missing task: Cannot enable, no tasks matching pattern `"^""$taskNamePattern`"^"" found."^"" + "^"" This task appears to be not included in this version of Windows."^"" ); exit 0; }; $operationFailed = $false; foreach ($task in $tasks) {; $taskName = $task.TaskName; if ($shouldDisable) {; if ($task.State -eq [Microsoft.PowerShell.Cmdletization.GeneratedTypes.ScheduledTask.StateEnum]::Disabled) {; Write-Output "^""Skipping, task `"^""$taskName`"^"" is already disabled, no action needed."^""; continue; }; } else {; if (($task.State -ne [Microsoft.PowerShell.Cmdletization.GeneratedTypes.ScheduledTask.StateEnum]::Disabled) -and ($task.State -ne [Microsoft.PowerShell.Cmdletization.GeneratedTypes.ScheduledTask.StateEnum]::Unknown)) {; Write-Output "^""Skipping, task `"^""$taskName`"^"" is already enabled, no action needed."^""; continue; }; }; try {; if ($shouldDisable) {; $task | Disable-ScheduledTask -ErrorAction Stop | Out-Null; Write-Output "^""Successfully disabled task `"^""$taskName`"^""."^""; } else {; $task | Enable-ScheduledTask -ErrorAction Stop | Out-Null; Write-Output "^""Successfully enabled task `"^""$taskName`"^""."^""; }; } catch {; Write-Error "^""Failed to restore task `"^""$taskName`"^"": $($_.Exception.Message)"^""; $operationFailed = $true; }; }; if ($operationFailed) {; Write-Output 'Failed to restore some tasks. 
Check error messages above.'; exit 1; }" :: Restore scheduled task(s) to default state: `\Microsoft\Windows\WindowsUpdate\AUScheduledInstall` PowerShell -ExecutionPolicy Unrestricted -Command "$taskPathPattern='\Microsoft\Windows\WindowsUpdate\'; $taskNamePattern='AUScheduledInstall'; $shouldDisable = $false; Write-Output "^""Enabling tasks matching pattern `"^""$taskNamePattern`"^""."^""; $tasks = @(Get-ScheduledTask -TaskPath $taskPathPattern -TaskName $taskNamePattern -ErrorAction Ignore); if (-Not $tasks) {; Write-Warning ( "^""Missing task: Cannot enable, no tasks matching pattern `"^""$taskNamePattern`"^"" found."^"" + "^"" This task appears to be not included in this version of Windows."^"" ); exit 0; }; $operationFailed = $false; foreach ($task in $tasks) {; $taskName = $task.TaskName; if ($shouldDisable) {; if ($task.State -eq [Microsoft.PowerShell.Cmdletization.GeneratedTypes.ScheduledTask.StateEnum]::Disabled) {; Write-Output "^""Skipping, task `"^""$taskName`"^"" is already disabled, no action needed."^""; continue; }; } else {; if (($task.State -ne [Microsoft.PowerShell.Cmdletization.GeneratedTypes.ScheduledTask.StateEnum]::Disabled) -and ($task.State -ne [Microsoft.PowerShell.Cmdletization.GeneratedTypes.ScheduledTask.StateEnum]::Unknown)) {; Write-Output "^""Skipping, task `"^""$taskName`"^"" is already enabled, no action needed."^""; continue; }; }; try {; if ($shouldDisable) {; $task | Disable-ScheduledTask -ErrorAction Stop | Out-Null; Write-Output "^""Successfully disabled task `"^""$taskName`"^""."^""; } else {; $task | Enable-ScheduledTask -ErrorAction Stop | Out-Null; Write-Output "^""Successfully enabled task `"^""$taskName`"^""."^""; }; } catch {; Write-Error "^""Failed to restore task `"^""$taskName`"^"": $($_.Exception.Message)"^""; $operationFailed = $true; }; }; if ($operationFailed) {; Write-Output 'Failed to restore some tasks. 
Check error messages above.'; exit 1; }" :: Restore scheduled task(s) to default state: `\Microsoft\Windows\WindowsUpdate\AUSessionConnect` PowerShell -ExecutionPolicy Unrestricted -Command "$taskPathPattern='\Microsoft\Windows\WindowsUpdate\'; $taskNamePattern='AUSessionConnect'; $shouldDisable = $false; Write-Output "^""Enabling tasks matching pattern `"^""$taskNamePattern`"^""."^""; $tasks = @(Get-ScheduledTask -TaskPath $taskPathPattern -TaskName $taskNamePattern -ErrorAction Ignore); if (-Not $tasks) {; Write-Warning ( "^""Missing task: Cannot enable, no tasks matching pattern `"^""$taskNamePattern`"^"" found."^"" + "^"" This task appears to be not included in this version of Windows."^"" ); exit 0; }; $operationFailed = $false; foreach ($task in $tasks) {; $taskName = $task.TaskName; if ($shouldDisable) {; if ($task.State -eq [Microsoft.PowerShell.Cmdletization.GeneratedTypes.ScheduledTask.StateEnum]::Disabled) {; Write-Output "^""Skipping, task `"^""$taskName`"^"" is already disabled, no action needed."^""; continue; }; } else {; if (($task.State -ne [Microsoft.PowerShell.Cmdletization.GeneratedTypes.ScheduledTask.StateEnum]::Disabled) -and ($task.State -ne [Microsoft.PowerShell.Cmdletization.GeneratedTypes.ScheduledTask.StateEnum]::Unknown)) {; Write-Output "^""Skipping, task `"^""$taskName`"^"" is already enabled, no action needed."^""; continue; }; }; try {; if ($shouldDisable) {; $task | Disable-ScheduledTask -ErrorAction Stop | Out-Null; Write-Output "^""Successfully disabled task `"^""$taskName`"^""."^""; } else {; $task | Enable-ScheduledTask -ErrorAction Stop | Out-Null; Write-Output "^""Successfully enabled task `"^""$taskName`"^""."^""; }; } catch {; Write-Error "^""Failed to restore task `"^""$taskName`"^"": $($_.Exception.Message)"^""; $operationFailed = $true; }; }; if ($operationFailed) {; Write-Output 'Failed to restore some tasks. 
Check error messages above.'; exit 1; }" :: Restore scheduled task(s) to default state: `\Microsoft\Windows\WindowsUpdate\Automatic App Update` PowerShell -ExecutionPolicy Unrestricted -Command "$taskPathPattern='\Microsoft\Windows\WindowsUpdate\'; $taskNamePattern='Automatic App Update'; $shouldDisable = $false; Write-Output "^""Enabling tasks matching pattern `"^""$taskNamePattern`"^""."^""; $tasks = @(Get-ScheduledTask -TaskPath $taskPathPattern -TaskName $taskNamePattern -ErrorAction Ignore); if (-Not $tasks) {; Write-Warning ( "^""Missing task: Cannot enable, no tasks matching pattern `"^""$taskNamePattern`"^"" found."^"" + "^"" This task appears to be not included in this version of Windows."^"" ); exit 0; }; $operationFailed = $false; foreach ($task in $tasks) {; $taskName = $task.TaskName; if ($shouldDisable) {; if ($task.State -eq [Microsoft.PowerShell.Cmdletization.GeneratedTypes.ScheduledTask.StateEnum]::Disabled) {; Write-Output "^""Skipping, task `"^""$taskName`"^"" is already disabled, no action needed."^""; continue; }; } else {; if (($task.State -ne [Microsoft.PowerShell.Cmdletization.GeneratedTypes.ScheduledTask.StateEnum]::Disabled) -and ($task.State -ne [Microsoft.PowerShell.Cmdletization.GeneratedTypes.ScheduledTask.StateEnum]::Unknown)) {; Write-Output "^""Skipping, task `"^""$taskName`"^"" is already enabled, no action needed."^""; continue; }; }; try {; if ($shouldDisable) {; $task | Disable-ScheduledTask -ErrorAction Stop | Out-Null; Write-Output "^""Successfully disabled task `"^""$taskName`"^""."^""; } else {; $task | Enable-ScheduledTask -ErrorAction Stop | Out-Null; Write-Output "^""Successfully enabled task `"^""$taskName`"^""."^""; }; } catch {; Write-Error "^""Failed to restore task `"^""$taskName`"^"": $($_.Exception.Message)"^""; $operationFailed = $true; }; }; if ($operationFailed) {; Write-Output 'Failed to restore some tasks. 
Check error messages above.'; exit 1; }" :: Restore scheduled task(s) to default state: `\Microsoft\Windows\WindowsUpdate\RUXIM\PLUGScheduler` PowerShell -ExecutionPolicy Unrestricted -Command "$taskPathPattern='\Microsoft\Windows\WindowsUpdate\RUXIM\'; $taskNamePattern='PLUGScheduler'; $shouldDisable = $false; Write-Output "^""Enabling tasks matching pattern `"^""$taskNamePattern`"^""."^""; $tasks = @(Get-ScheduledTask -TaskPath $taskPathPattern -TaskName $taskNamePattern -ErrorAction Ignore); if (-Not $tasks) {; Write-Warning ( "^""Missing task: Cannot enable, no tasks matching pattern `"^""$taskNamePattern`"^"" found."^"" + "^"" This task appears to be not included in this version of Windows."^"" ); exit 0; }; $operationFailed = $false; foreach ($task in $tasks) {; $taskName = $task.TaskName; if ($shouldDisable) {; if ($task.State -eq [Microsoft.PowerShell.Cmdletization.GeneratedTypes.ScheduledTask.StateEnum]::Disabled) {; Write-Output "^""Skipping, task `"^""$taskName`"^"" is already disabled, no action needed."^""; continue; }; } else {; if (($task.State -ne [Microsoft.PowerShell.Cmdletization.GeneratedTypes.ScheduledTask.StateEnum]::Disabled) -and ($task.State -ne [Microsoft.PowerShell.Cmdletization.GeneratedTypes.ScheduledTask.StateEnum]::Unknown)) {; Write-Output "^""Skipping, task `"^""$taskName`"^"" is already enabled, no action needed."^""; continue; }; }; try {; if ($shouldDisable) {; $task | Disable-ScheduledTask -ErrorAction Stop | Out-Null; Write-Output "^""Successfully disabled task `"^""$taskName`"^""."^""; } else {; $task | Enable-ScheduledTask -ErrorAction Stop | Out-Null; Write-Output "^""Successfully enabled task `"^""$taskName`"^""."^""; }; } catch {; Write-Error "^""Failed to restore task `"^""$taskName`"^"": $($_.Exception.Message)"^""; $operationFailed = $true; }; }; if ($operationFailed) {; Write-Output 'Failed to restore some tasks. 
Check error messages above.'; exit 1; }" :: Restore scheduled task(s) to default state: `\Microsoft\Windows\WindowsUpdate\Scheduled Start With Network` PowerShell -ExecutionPolicy Unrestricted -Command "$taskPathPattern='\Microsoft\Windows\WindowsUpdate\'; $taskNamePattern='Scheduled Start With Network'; $shouldDisable = $false; Write-Output "^""Enabling tasks matching pattern `"^""$taskNamePattern`"^""."^""; $tasks = @(Get-ScheduledTask -TaskPath $taskPathPattern -TaskName $taskNamePattern -ErrorAction Ignore); if (-Not $tasks) {; Write-Warning ( "^""Missing task: Cannot enable, no tasks matching pattern `"^""$taskNamePattern`"^"" found."^"" + "^"" This task appears to be not included in this version of Windows."^"" ); exit 0; }; $operationFailed = $false; foreach ($task in $tasks) {; $taskName = $task.TaskName; if ($shouldDisable) {; if ($task.State -eq [Microsoft.PowerShell.Cmdletization.GeneratedTypes.ScheduledTask.StateEnum]::Disabled) {; Write-Output "^""Skipping, task `"^""$taskName`"^"" is already disabled, no action needed."^""; continue; }; } else {; if (($task.State -ne [Microsoft.PowerShell.Cmdletization.GeneratedTypes.ScheduledTask.StateEnum]::Disabled) -and ($task.State -ne [Microsoft.PowerShell.Cmdletization.GeneratedTypes.ScheduledTask.StateEnum]::Unknown)) {; Write-Output "^""Skipping, task `"^""$taskName`"^"" is already enabled, no action needed."^""; continue; }; }; try {; if ($shouldDisable) {; $task | Disable-ScheduledTask -ErrorAction Stop | Out-Null; Write-Output "^""Successfully disabled task `"^""$taskName`"^""."^""; } else {; $task | Enable-ScheduledTask -ErrorAction Stop | Out-Null; Write-Output "^""Successfully enabled task `"^""$taskName`"^""."^""; }; } catch {; Write-Error "^""Failed to restore task `"^""$taskName`"^"": $($_.Exception.Message)"^""; $operationFailed = $true; }; }; if ($operationFailed) {; Write-Output 'Failed to restore some tasks. 
Check error messages above.'; exit 1; }" :: Restore scheduled task(s) to default state: `\Microsoft\Windows\WindowsUpdate\sih` PowerShell -ExecutionPolicy Unrestricted -Command "$taskPathPattern='\Microsoft\Windows\WindowsUpdate\'; $taskNamePattern='sih'; $shouldDisable = $false; Write-Output "^""Enabling tasks matching pattern `"^""$taskNamePattern`"^""."^""; $tasks = @(Get-ScheduledTask -TaskPath $taskPathPattern -TaskName $taskNamePattern -ErrorAction Ignore); if (-Not $tasks) {; Write-Warning ( "^""Missing task: Cannot enable, no tasks matching pattern `"^""$taskNamePattern`"^"" found."^"" + "^"" This task appears to be not included in this version of Windows."^"" ); exit 0; }; $operationFailed = $false; foreach ($task in $tasks) {; $taskName = $task.TaskName; if ($shouldDisable) {; if ($task.State -eq [Microsoft.PowerShell.Cmdletization.GeneratedTypes.ScheduledTask.StateEnum]::Disabled) {; Write-Output "^""Skipping, task `"^""$taskName`"^"" is already disabled, no action needed."^""; continue; }; } else {; if (($task.State -ne [Microsoft.PowerShell.Cmdletization.GeneratedTypes.ScheduledTask.StateEnum]::Disabled) -and ($task.State -ne [Microsoft.PowerShell.Cmdletization.GeneratedTypes.ScheduledTask.StateEnum]::Unknown)) {; Write-Output "^""Skipping, task `"^""$taskName`"^"" is already enabled, no action needed."^""; continue; }; }; try {; if ($shouldDisable) {; $task | Disable-ScheduledTask -ErrorAction Stop | Out-Null; Write-Output "^""Successfully disabled task `"^""$taskName`"^""."^""; } else {; $task | Enable-ScheduledTask -ErrorAction Stop | Out-Null; Write-Output "^""Successfully enabled task `"^""$taskName`"^""."^""; }; } catch {; Write-Error "^""Failed to restore task `"^""$taskName`"^"": $($_.Exception.Message)"^""; $operationFailed = $true; }; }; if ($operationFailed) {; Write-Output 'Failed to restore some tasks. 
Check error messages above.'; exit 1; }" :: Restore scheduled task(s) to default state: `\Microsoft\Windows\WindowsUpdate\sihboot` PowerShell -ExecutionPolicy Unrestricted -Command "$taskPathPattern='\Microsoft\Windows\WindowsUpdate\'; $taskNamePattern='sihboot'; $shouldDisable = $false; Write-Output "^""Enabling tasks matching pattern `"^""$taskNamePattern`"^""."^""; $tasks = @(Get-ScheduledTask -TaskPath $taskPathPattern -TaskName $taskNamePattern -ErrorAction Ignore); if (-Not $tasks) {; Write-Warning ( "^""Missing task: Cannot enable, no tasks matching pattern `"^""$taskNamePattern`"^"" found."^"" + "^"" This task appears to be not included in this version of Windows."^"" ); exit 0; }; $operationFailed = $false; foreach ($task in $tasks) {; $taskName = $task.TaskName; if ($shouldDisable) {; if ($task.State -eq [Microsoft.PowerShell.Cmdletization.GeneratedTypes.ScheduledTask.StateEnum]::Disabled) {; Write-Output "^""Skipping, task `"^""$taskName`"^"" is already disabled, no action needed."^""; continue; }; } else {; if (($task.State -ne [Microsoft.PowerShell.Cmdletization.GeneratedTypes.ScheduledTask.StateEnum]::Disabled) -and ($task.State -ne [Microsoft.PowerShell.Cmdletization.GeneratedTypes.ScheduledTask.StateEnum]::Unknown)) {; Write-Output "^""Skipping, task `"^""$taskName`"^"" is already enabled, no action needed."^""; continue; }; }; try {; if ($shouldDisable) {; $task | Disable-ScheduledTask -ErrorAction Stop | Out-Null; Write-Output "^""Successfully disabled task `"^""$taskName`"^""."^""; } else {; $task | Enable-ScheduledTask -ErrorAction Stop | Out-Null; Write-Output "^""Successfully enabled task `"^""$taskName`"^""."^""; }; } catch {; Write-Error "^""Failed to restore task `"^""$taskName`"^"": $($_.Exception.Message)"^""; $operationFailed = $true; }; }; if ($operationFailed) {; Write-Output 'Failed to restore some tasks. 
Check error messages above.'; exit 1; }" :: Restore scheduled task(s) to default state: `\Microsoft\Windows\WindowsUpdate\sihpostreboot` PowerShell -ExecutionPolicy Unrestricted -Command "$taskPathPattern='\Microsoft\Windows\WindowsUpdate\'; $taskNamePattern='sihpostreboot'; $shouldDisable = $false; Write-Output "^""Enabling tasks matching pattern `"^""$taskNamePattern`"^""."^""; $tasks = @(Get-ScheduledTask -TaskPath $taskPathPattern -TaskName $taskNamePattern -ErrorAction Ignore); if (-Not $tasks) {; Write-Warning ( "^""Missing task: Cannot enable, no tasks matching pattern `"^""$taskNamePattern`"^"" found."^"" + "^"" This task appears to be not included in this version of Windows."^"" ); exit 0; }; $operationFailed = $false; foreach ($task in $tasks) {; $taskName = $task.TaskName; if ($shouldDisable) {; if ($task.State -eq [Microsoft.PowerShell.Cmdletization.GeneratedTypes.ScheduledTask.StateEnum]::Disabled) {; Write-Output "^""Skipping, task `"^""$taskName`"^"" is already disabled, no action needed."^""; continue; }; } else {; if (($task.State -ne [Microsoft.PowerShell.Cmdletization.GeneratedTypes.ScheduledTask.StateEnum]::Disabled) -and ($task.State -ne [Microsoft.PowerShell.Cmdletization.GeneratedTypes.ScheduledTask.StateEnum]::Unknown)) {; Write-Output "^""Skipping, task `"^""$taskName`"^"" is already enabled, no action needed."^""; continue; }; }; try {; if ($shouldDisable) {; $task | Disable-ScheduledTask -ErrorAction Stop | Out-Null; Write-Output "^""Successfully disabled task `"^""$taskName`"^""."^""; } else {; $task | Enable-ScheduledTask -ErrorAction Stop | Out-Null; Write-Output "^""Successfully enabled task `"^""$taskName`"^""."^""; }; } catch {; Write-Error "^""Failed to restore task `"^""$taskName`"^"": $($_.Exception.Message)"^""; $operationFailed = $true; }; }; if ($operationFailed) {; Write-Output 'Failed to restore some tasks. 
Check error messages above.'; exit 1; }" :: ---------------------------------------------------------- :: Pause the script to view the final state pause :: Restore previous environment settings endlocal :: Exit the script successfully exit /b 0 ```
j7j2 commented 11 months ago

Just as a note, I often noticed that after waking up from hibernate on my laptop as well, tasks were back on despite no proper reboot. Could be an idea to monitor this behaviour as well.

Sent from my iPhone

On Nov 24, 2023, at 7:57 PM, undergroundwires @.***> wrote:

 Ok then the decision is made, we'll add upfc.exe disabling under "Disable automatic updates", and we can also recommend it on "Strict".

I agree with lack of sustainability with configurations. Microsoft does not seem to respect them at all.

Disabling all of the services and tasks is good for experiment but is too much for general users. So I'm thinking like three simple additions may do the trick:

- Soft-delete WaasMedicSvc.dll.
- Soft-delete upfc.exe.
- Terminate upfc.exe on start.

That way we'll attack the problem at its heart based on your findings.

The code would look like this (using privacy.sexy's functions, pretty simple and readable):

```yaml
-
  function: SoftDeleteFiles
  parameters:
    fileGlob: '%SYSTEMROOT%\System32\WaaSMedicSvc.dll'
-
  function: SoftDeleteFiles
  parameters:
    fileGlob: '%SYSTEMROOT%\System32\upfc.exe'
-
  function: TerminateExecutableOnLaunch
  parameters:
    executableNameWithExtension: upfc.exe
```

I understand that this may feel so complex and exhausting for our testers to test what's going on in this thread. But this is what I believe will do the trick and we can consider it as last test.

The following script includes disabling of services, scheduled task (to be released in a few days) and the points above.

You can run this on top of what you already executed, and I will provide the revert script to completely roll back to the default OS state.

I'd be happy if someone can run the following and provide feedback before release. If this does not work (which should work according to our findings), then I think we can consider soft-deleting service/scheduled task files as you do, this will also fix maintenance service stuff as it will break their ability to start completely, but this requires comprehensive testing and some changes for disabling services/tasks so I would not want to go that road.

Disable updates:

disable-windows-update-with-tasks-services-and-processes.bat

Restore to default OS state:

revert-windows-update-with-tasks-services-and-processes.bat

TheAndr0id commented 11 months ago

So the 25th came and went and the services and tasks are all still disabled. The RemediationFailureCounter registry entry did increment to 2, so that is something I'm going to look into fixing as I'm afraid that if it hits some magic value something bad is going to happen.

As you know from "that other issue" (#236) I'm not a fan of renaming binaries to disable services. Having the program exit via the debugger is a "good hack" that works until Microsoft disables that feature of the debugger. I'm going to take a run at configuring upfc.exe to do what we want it to do - disable the update process.

From my thoughts, upfc is short for update fix and correct. I'm going to make it do just that, fix the update system to off and make sure it stays that way. I'll post what I figure out here.

In any case I think you forgot to look at UpdateOrchestrator tasks/binaries in your soft delete as they can also enable Windows Update. (I might be wrong here, and it might not be needed, but I didn't see any reference in it to your soft delete code)

There is one other gotcha that might be worth thinking about. It has been documented that previous versions of Windows 10 would blue screen if upfc.exe didn't run at startup. Since this is all working on the state of Win 10 22H2 at the update level I'm at, are we sure that this will still work with future updates? Just thinking about future tickets on this topic and people claiming "privacy.sexy broke my machine"...

undergroundwires commented 11 months ago

Again, thank you for feedback @TheAndr0id for saving many users :).

I'm unsure if debugger works on boot-level execution. As this upfc.exe call seems to be hardcoded in services.exe and is executed early on startup.

I also get feelings of malware now. This way of overriding consent persistently creates serious vulnerabilities, like where malware can register its services as part of WaaSMedicSvc remediation process, keeping it hidden and persistent.

Btw the registry key above seems to work in Windows Pro and Enterprise versions according to the documentation, they seem to only fail on Windows Home versions, but I'm not sure if I should trust the documentation.

It would make sense to skip renaming this file completely on versions older than Windows 10 22H2, as the UX registry settings to year 9999 fixes this for Windows 10 anyways. I agree that renaming files is not the best solution, but from a sustainability and maintainability perspective, it gives more confidence than registry keys that are changing all the time. We could skip removal of the file on versions older than W10 22H2 with something like:

image

I tested this on Windows 11 23H2 pro and Windows 11 22H2 pro and they boot fine without any errors. The only source I could find about blue screen was this tenforums.com page, not a reputable source really, so let me know if you read it from a better place.

The documentation I gathered and prepared so far ![image](https://github.com/undergroundwires/privacy.sexy/assets/15555035/2b0963a0-fe87-4709-8bf0-d8d4ea9181d4)

Update: Disabling scheduled tasks is released since 0.12.8 🚀

TheAndr0id commented 11 months ago

Here's MORE information about the upfc.exe process. Here's how it looks on my machine and what I'm trying now. (The damn RemediationFailureCounter counter climbed again, dunno why - maybe because the tasks directory is empty...)

Here's the contents of the two directories (with filenames to compare). I've also noted the service involved, what the state of the file is doing and what we want upfc.exe to do.

C:\Windows\Waas\services:

14a3f9e824793931d34f7f786a538bbc9ef1f0d6.xml - wuauserv (demand -> disabled)
20bbcadaff3e0543ef358ba4dd8b74bfe8e747c8.xml - TrustedInstaller (demand -> No change)
2213703c9c64cc61ba900531652e23c84728d2a2.xml - dosvc (demand -> No change)
315818c03ccc2b10070df2d4ebd09eb6c4c66e58.xml - bits (demand -> No change)

My system has BITS set to Automatic and is running. If Windows Update isn't, is BITS needed any longer?

43ee7b2a373632f9a701249fd96d0edec2ff1279.xml - UsoSvc (delayedAuto -> disabled)
ceb497ee0184aaa4681d2fb2ef242a5b8551eea8.xml - WaaSMedicSvc (demand -> disabled)

C:\Windows\Waas\tasks:

17499b8d805e9480903b0df0326a3d231841049e.xml - USO: UpdateModelTask (enabled -> disabled)

```
$(@%systemRoot%\system32\usosvc.dll,-103) $(@%systemRoot%\system32\usosvc.dll,-104) $(@%systemRoot%\system32\usosvc.dll,-108) \Microsoft\Windows\UpdateOrchestrator\UpdateModelTask D:P(A;;FA;;;SY)(A;;FRFX;;;LS)(A;;FRFX;;;BA) 1.0 7510bca33a019502 true true true false false true PT72H false IgnoreNew 7 true false true false true false S-1-5-18 LeastPrivilege %systemroot%\system32\usoclient.exe StartModelUpdates
```

5ffea6126f02e78b9099eb4614d2d339f03ca5a8.xml - USO: Schedule Scan Static Task (enabled -> disabled)

```
$(@%systemRoot%\system32\usosvc.dll,-103) $(@%systemRoot%\system32\usosvc.dll,-104) $(@%systemRoot%\system32\usosvc.dll,-105) \Microsoft\Windows\UpdateOrchestrator\Schedule Scan Static Task D:P(A;;FA;;;SY)(A;;FRFX;;;LS)(A;;FRFX;;;BA) 1.0 7524bca33e06830d true PT2H5M 01 0 750cbca3290b9641 true PT2H5M 01 0 7550bca322028f02 true 7508bca32e07c641 true true <QueryList><Query Id="0" Path="System"><Select Path="System">*[System[EventID=8202]]</Select></Query></QueryList> true true false false true PT72H false IgnoreNew 7 true false false false true false true false S-1-5-18 LeastPrivilege %systemroot%\system32\usoclient.exe StartScan
```

Whew. Here's my plan. I've already restored the service xmls for TrustedInstaller, dosvc and bits since they are not being changed. I'm going to place in the WaaSMedicSvc xml file with its start="demand" changed to start="disabled" and then force upfc.exe to run and see what happens.

I'm also going to put one of the tasks back with the Enabled setting set to false to see if it changes the scheduled task.

I'll report back with my findings.

Update: I tried to change the run time value in the registry for upfc.exe, but I'm just getting permission errors. I've tried TrustedInstaller, Administrator and SYSTEM with no progress. Unless someone has a way to set the date in the registry, I have to wait until December 11th for the next pass of upfc.exe...

I'm getting so VERY tired of all this "you can't do that because we hard coded it into the kernel" bullsh!t....
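A read-only drift check for the services and tasks listed in the comment above, as an added example that is not part of the original comment or of privacy.sexy. It assumes the desired states are the ones the comment lists ("disabled" for wuauserv, UsoSvc, WaaSMedicSvc and both UpdateOrchestrator tasks); running it daily and keeping the timestamped output shows when Windows reverts a setting.

```powershell
# Added example: report whether Windows has reverted the update-related
# services and scheduled tasks named in this thread. Reads state only.

# Desired start types, taken from the comment above.
$expectedServices = [ordered]@{
    wuauserv     = 'Disabled'
    UsoSvc       = 'Disabled'
    WaaSMedicSvc = 'Disabled'
}
$taskPath      = '\Microsoft\Windows\UpdateOrchestrator\'
$expectedTasks = 'UpdateModelTask', 'Schedule Scan Static Task'

# Meaning of the "Start" DWORD under HKLM\SYSTEM\CurrentControlSet\Services.
# 3 (Manual) corresponds to "demand" in the comment above.
$startNames = @{ 0 = 'Boot'; 1 = 'System'; 2 = 'Automatic'; 3 = 'Manual'; 4 = 'Disabled' }
$now = Get-Date -Format 's'

$report = @()
foreach ($name in $expectedServices.Keys) {
    $key    = "HKLM:\SYSTEM\CurrentControlSet\Services\$name"
    $start  = (Get-ItemProperty -Path $key -Name Start -ErrorAction SilentlyContinue).Start
    $actual = if ($null -eq $start) { 'Missing' } else { $startNames[[int]$start] }
    $report += [pscustomobject]@{
        Time = $now; Kind = 'Service'; Name = $name
        Expected = $expectedServices[$name]; Actual = $actual
        Drifted  = $actual -ne $expectedServices[$name]
    }
}
foreach ($task in $expectedTasks) {
    $t      = Get-ScheduledTask -TaskPath $taskPath -TaskName $task -ErrorAction SilentlyContinue
    $actual = if ($null -eq $t) { 'Missing' } else { [string]$t.State }
    $report += [pscustomobject]@{
        Time = $now; Kind = 'Task'; Name = $task
        Expected = 'Disabled'; Actual = $actual
        # A deleted task cannot run, so only an existing, non-disabled task counts as drift.
        Drifted  = $actual -notin 'Disabled', 'Missing'
    }
}

$report | Format-Table -AutoSize
# Non-zero exit code lets a scheduler or monitoring agent flag the revert.
if ($report | Where-Object Drifted) { exit 1 } else { exit 0 }
```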

undergroundwires commented 10 months ago

Update:

With these two changes, we'll be able to properly disable all automatic updates, while retaining the functionality to conduct manual updates and full reversibility to roll back/restore changes.

I will make a few more improvements to update disabling later, adding more configurations and categorizing existing scripts better (for example, disabling driver updates should be under this category). Regarding the BITS and DoSvc services, the community has reported that this also disables Windows Store updates, and it even breaks manual updates; see exclusion rationale. I plan to add a "disabling all updates (manual and automatic)" category later on, and BITS/DoSvc should be moved there; it is too intrusive to stop for only disabling automatic updates. Thank you for sharing your findings @TheAndr0id, I'll incorporate them into future changes if you find a way to do this with registry configurations. It would take effort to implement and maintain these XML files; I would appreciate a PR for that.

TheAndr0id commented 10 months ago

> Thank you for sharing your findings @TheAndr0id, I'll incorporate them into future changes if you find a way to do this with registry configurations. It would take effort to implement and maintain these XML files; I would appreciate a PR for that.

I'll throw one together once I get my latest findings (tomorrow). I'll reference this ticket in the new issue. If this was Unix, I'd just throw together a regular expression to make the changes to the xml files in place, but alas.... :)