| # Disable Windows Update feature updates, Windows Defender, and disk indexing. |
| - hosts: all |
| tasks: |
| - name: Enable deferring feature updates in Windows Update |
| win_regedit: |
| path: HKLM:\SOFTWARE\Microsoft\WindowsUpdate\UpdatePolicy\PolicyState |
| name: "DeferFeatureUpdates" |
| data: 1 |
| type: dword |
| - name: Set deferral period for feature updates to 365 in Windows Update UpdatePolicy |
| win_regedit: |
| path: HKLM:\SOFTWARE\Microsoft\WindowsUpdate\UpdatePolicy\PolicyState |
| name: "FeatureUpdatesDeferralInDays" |
| data: 365 |
| type: dword |
| - name: Set deferral period for feature updates to 365 in Windows Update UX Settings |
| win_regedit: |
| path: HKLM:\SOFTWARE\Microsoft\WindowsUpdate\UX\Settings |
| name: "DeferFeatureUpdatesPeriodInDays" |
| data: 365 |
| type: dword |
| # We do not defer quality updates because they rarely cause problems. |
| - name: Disable deferring quality updates in Windows Update |
| win_regedit: |
| path: HKLM:\SOFTWARE\Microsoft\WindowsUpdate\UpdatePolicy\PolicyState |
| name: "DeferQualityUpdates" |
| data: 0 |
| type: dword |
| - name: Set deferral period for quality updates to 0 in Windows Update UpdatePolicy |
| win_regedit: |
| path: HKLM:\SOFTWARE\Microsoft\WindowsUpdate\UpdatePolicy\PolicyState |
| name: "QualityUpdatesDeferralInDays" |
| data: 0 |
| type: dword |
| - name: Set deferral period for quality updates to 0 in Windows Update UX Settings |
| win_regedit: |
| path: HKLM:\SOFTWARE\Microsoft\WindowsUpdate\UX\Settings |
| name: "DeferQualityUpdatesPeriodInDays" |
| data: 0 |
| type: dword |
| # Unlike Windows Server, Windows Defender can not be uninstalled on Windows 10. Windows also |
| # tends to re-enable it if it's disabled. Instead we exclude the entire drive from scanning and |
| # disable specific features. Docs here: |
| # https://docs.microsoft.com/en-us/powershell/module/defender/Set-MpPreference?view=win10-ps |
| - name: Disable Windows Defender |
| win_shell: "Set-MpPreference -ExclusionPath C:\\ -DisableBehaviorMonitoring $True |
| -DisableBlockAtFirstSeen $True -DisableIOAVProtection $True |
| -DisableIntrusionPreventionSystem $True -DisableRealtimeMonitoring $True |
| -MAPSReporting Disabled -PUAProtection Disabled" |
| - name: Disable disk indexing |
| win_service: |
| name: WSearch |
| start_mode: disabled |
| state: stopped |
| # Exclude driver updates. None of these are guaranteed to work, westont@ |
| # currently testing on half the machines. |
| - name: Exclude driver updates in Windows Update 0 |
| win_regedit: |
| path: HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\Update |
| name: "ExcludeWUDriversInQualityUpdate" |
| data: 1 |
| type: dword |
| - name: Exclude driver updates in Windows Update 1 |
| win_regedit: |
| path: HKLM:\SOFTWARE\Microsoft\PolicyManager\default\Update |
| name: "ExcludeWUDriversInQualityUpdate" |
| data: 1 |
| type: dword |
| - name: Exclude driver updates in Windows Update 2 |
| win_regedit: |
| path: HKLM:\SOFTWARE\Microsoft\WindowsUpdate\UX\Settings |
| name: "ExcludeWUDriversInQualityUpdate" |
| data: 1 |
| type: dword |
| - name: Exclude driver updates in Windows Update 3 |
| win_regedit: |
| path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate |
| name: "ExcludeWUDriversInQualityUpdate" |
| data: 1 |
| type: dword |
| - name: Exclude driver updates in Windows Update 4 |
| win_regedit: |
| path: HKLM:\SOFTWARE\Microsoft\PolicyManager\default\Update\ExcludeWUDriversInQualityUpdate |
| name: "value" |
| data: 1 |
| type: dword |
| |