Most of this is my theory, but I like this solution if it works, because I subjectively feel it has a high level of plausible deniability. So the idea is, you revert/change/override/whatever group policies inherited from the domain controllers, then disable the gpsvc service before another automated gpupdate fires off. I'm not joined to a domain, but the disabled startup type persisted through reboots. It's at this point that c:\gpupdate /force no longer functioned. I then stopped (if started) and disabled Group Policy Client (service name: gpsvc). The binary I ran with these elevated permissions was 'services.msc'. Domain administrators can disable processing Local Group Policy objects on clients running Windows Vista by enabling the Turn off Local Group Policy objects. Home Edition users can add Group Policy Editor and then disable startup programs using it. If you use the Pro or Enterprise version of Windows 10, you can also remove startup programs with the help of the Group Policy Editor app.
Remove Startup Programs using Group Policy Editor. I used a tool that lets me run binaries with TrustedInstaller/System authority. Of course, one can only Enable or Disable the entries. If I understand the mechanism correctly, I presume this will break a foundation component, and therefore guarantees the user a 100% success rate. I tested it locally, and it prevented c:\gpupdate /force from working entirely. I haven't tested it in a domain environment. A potential solution, using Windows 10 Enterprise.