update_policy_changer_pro.ps1

Source: update_policy_changer_pro.ps1

Overview

This PowerShell script configures Windows Update policies on Pro (and above) editions to apply only security updates, block driver installations and feature updates, and notify the user before installing.

Purpose & Use Cases

Enforce a security-only update policy across managed Windows Pro/Enterprise systems.

Prevent unwanted feature updates, drivers, and extra applications from being installed automatically.

Dependencies

Windows PowerShell (5.1 or later) with administrative privileges.

Access to modify the HKLM registry hive and restart the Windows Update service.

Configuration & Parameters

Parameter: $registryPath
Type: string
Description: Registry key path for Windows Update policy settings
Default: "HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate"

Parameter: $excludedClassifications
Type: string[]
Description: List of update classification GUIDs to exclude from updates
Default: { "{e6cf1350-c01b-414d-a61f-263d3d4dd9f9}", "{e0789628-ce08-4437-be74-2495b842f43b}", "{b54e7d24-7add-49f4-88bb-9837d47477fb}", "{68c5b0a3-d1a6-4553-ae49-01d3a7827828}", "{b4832bd8-e735-4766-9727-7d0ffa644277}", "{28bc8804-5382-4bae-93aa-13c905f28542}", "{cd5ffd1e-e257-4a05-9d88-c83a7125d4c9}", "{0f1afbec-90ef-4651-9e37-030fedc944c8}", "{ebfc1fc5-71a4-4f7b-9aca-3b9a503104a0}", "{9920c092-3d99-4a1b-865a-673135c5a4fc}" }

Usage Example

powershell -ExecutionPolicy Bypass -File update_policy_changer_pro.ps1

Behavior & Implementation

The script:

Error Handling

Uses -Force on registry and service commands to suppress non-critical errors. Does not implement explicit try/catch blocks; PowerShell will display terminating errors by default.

Security Considerations

Must be run with administrative privileges. Direct registry modifications and service restarts can impact system stability; ensure script integrity and run in controlled environments.

Logging

Displays progress and final status with Write-Host. Does not log to external files or Windows Event Log by default.

Testing & Validation

Verify on a test machine by running the script and using Get-ItemProperty to confirm registry values:

Get-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate"

Check Windows Update UI to ensure only security updates are listed.
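
A wrapper covering the integrity, logging and validation points above, as an added example that is not part of update_policy_changer_pro.ps1 or its authors' code. The script location, the log path, the Get-PolicySnapshot helper and the pinned hash placeholder are assumptions; it makes no assumption about which value names the script writes and instead reports whatever changed under the policy key.

```powershell
#Requires -Version 5.1
#Requires -RunAsAdministrator
# Added example: pin the script's hash, run it, and log which policy values changed.
$scriptPath   = Join-Path $PSScriptRoot 'update_policy_changer_pro.ps1'  # assumed location
$expectedHash = '<SHA256-OF-THE-REVIEWED-SCRIPT>'                        # placeholder
$registryPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$logPath      = Join-Path $env:TEMP 'update_policy_changer_pro.log'      # assumed log file

function Get-PolicySnapshot {
    # Hypothetical helper: flatten all values under the key and its subkeys
    # into a "full key path\value name" -> value table.
    param([Parameter(Mandatory)][string]$Path)
    $snapshot = @{}
    if (Test-Path -Path $Path) {
        $keys = @(Get-Item -Path $Path) + @(Get-ChildItem -Path $Path -Recurse)
        foreach ($key in $keys) {
            foreach ($name in $key.GetValueNames()) {
                $snapshot["$($key.Name)\$name"] = $key.GetValue($name) -join ','
            }
        }
    }
    return $snapshot
}

# Refuse to run a copy that differs from the one that was reviewed.
$actualHash = (Get-FileHash -Path $scriptPath -Algorithm SHA256).Hash
if ($actualHash -ne $expectedHash) {
    throw "SHA-256 mismatch for $scriptPath (got $actualHash); script not run."
}

$before = Get-PolicySnapshot -Path $registryPath
# The script only uses Write-Host, so capture the child's output in the log.
& powershell.exe -NoProfile -ExecutionPolicy Bypass -File $scriptPath 2>&1 |
    Tee-Object -FilePath $logPath -Append
$after = Get-PolicySnapshot -Path $registryPath

# Report every value that was added, removed or changed by the run.
$names = @($before.Keys) + @($after.Keys) | Sort-Object -Unique
$changes = foreach ($name in $names) {
    $old = if ($before.ContainsKey($name)) { $before[$name] } else { '<absent>' }
    $new = if ($after.ContainsKey($name))  { $after[$name] }  else { '<absent>' }
    if ($old -ne $new) { '{0}: {1} -> {2}' -f $name, $old, $new }
}
if (-not $changes) { $changes = 'No policy values changed.' }
$changes | Tee-Object -FilePath $logPath -Append
```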

Author

Author: Raven Development Team