Steps to Disable Check for Updates and Automatic Updates through Active Directory GPO Policies

Modified on Tue, 23 Sep at 8:17 AM

Product Version: 6.5.0.0


Overview

In some cases, Microsoft KBs automatically download and install on client machines. End-users can also manually download missing KBs using the Check for Updates option. This behavior can impact Saner CVEM remediation, as it lists such KBs under the Installed Patch section, showing them as installed by the system. To avoid these automatic downloads, administrators can disable the Check for Updates and Automatic Updates features using GPO policies deployed from Active Directory.


Resolution Steps

The following steps show how to configure GPO policies to disable update checks and apply them only to specific target devices (e.g., desktop-1j0rh8j, desktop-5p1ag86, and same hostname).


1. Create a Group in Active Directory Users and Computers

  1. Open the Active Directory Users and Computers console.

  2. Right-click on an empty area, then select New > Group.

  3. Enter a group name (e.g., Disable WinUpdates).

  4. In Group Scope, select Global.

  5. In Group Type, select Security.

  6. Click OK to save.

    • The group will now appear under the OU.


2. Add Target Computers as Group Members

  1. Open the created group and click Add.

  2. In the object selection window, click Object Types and ensure Computers is checked.

  3. Enter the names of target computers separated by a semicolon (;).

  4. Click Check Names to validate.

    • Correct names will be underlined.

  5. Ensure all target computers are listed as members, then click OK.


3. Create and Configure the GPO Policy

  1. Open the Group Policy Management Console (GPMC).

  2. Select the OU where the policy should be applied.

  3. Right-click the desired GPO and choose Edit.

  4. In the Group Policy Object Editor, expand:
    Computer Configuration > Administrative Templates > Windows Components > Windows Update.

  5. From the list of settings, right-click Remove access to use all Windows Update features and select Edit.

  6. Configure as Enabled.


4. Apply Security Filtering

  1. In the Security Filtering section, select Authenticated Users and click Remove.

  2. Click Add, enter the group name created in Step 1, and click Check Names.

  3. Once validated, click OK.

    • Ensure the group is listed under Security Filtering.


5. Enforce the Policy on Client Devices

  1. Log in to each target client device.

  2. Open Command Prompt with Administrator rights.

  3. Run the command:

    gpupdate /force

  4. Run rsop.msc to verify that the policy has been applied.

  5. On the client machine, open Windows Update.

    • The Check for Updates option should now be grayed out.

  6. To confirm, navigate to View configured update policies on the client to see applied settings.
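
Steps 1 to 4 can also be scripted with the ActiveDirectory and GroupPolicy PowerShell modules (RSAT). The script below is an added example, not part of the original article or the product. The OU path and GPO name are placeholders, creating and linking a new GPO is an assumption, and the registry value is the one the "Remove access to use all Windows Update features" computer policy is known to write, which the article itself does not list.

```powershell
#Requires -Modules ActiveDirectory, GroupPolicy
# Added example: Steps 1-4 of this article as a script, run from a management host.
# $TargetOU and $GpoName are placeholders (assumptions); adjust them for your domain.
$ErrorActionPreference = 'Stop'
$TargetOU  = 'OU=Workstations,DC=example,DC=com'    # placeholder OU
$GpoName   = 'Disable Windows Update Access'         # placeholder GPO name
$GroupName = 'Disable WinUpdates'                    # group name from Step 1
$Computers = 'desktop-1j0rh8j', 'desktop-5p1ag86'    # example targets from the article
# Registry value behind the policy setting (assumption: not stated in the article)
$WuKey   = 'HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate'
$WuValue = 'SetDisableUXWUAccess'

# Step 1: create the global security group if it does not exist yet
if (-not (Get-ADGroup -Filter "Name -eq '$GroupName'")) {
    New-ADGroup -Name $GroupName -SamAccountName $GroupName -Path $TargetOU -GroupScope Global -GroupCategory Security
}

# Step 2: resolve every computer (an unknown name stops the script, like Check Names)
$existing = @(Get-ADGroupMember -Identity $GroupName | ForEach-Object DistinguishedName)
$toAdd = @($Computers | ForEach-Object { Get-ADComputer -Identity $_ } |
    Where-Object { $_.DistinguishedName -notin $existing })
if ($toAdd) { Add-ADGroupMember -Identity $GroupName -Members $toAdd }

# Step 3: create and link the GPO if needed, then enable the policy setting
if (-not (Get-GPO -Name $GpoName -ErrorAction SilentlyContinue)) {
    New-GPO -Name $GpoName | Out-Null
    New-GPLink -Name $GpoName -Target $TargetOU | Out-Null
}
Set-GPRegistryValue -Name $GpoName -Key $WuKey -ValueName $WuValue -Type DWord -Value 1 | Out-Null

# Step 4: grant Apply to the group first, then remove Authenticated Users from the filter
Set-GPPermission -Name $GpoName -TargetName $GroupName -TargetType Group -PermissionLevel GpoApply | Out-Null
Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' -TargetType Group -PermissionLevel None -Replace | Out-Null

# Show the resulting security filtering for review
Get-GPPermission -Name $GpoName -All | Format-Table @{ n = 'Trustee'; e = { $_.Trustee.Name } }, Permission
```

A computer picks up a new group membership only after it restarts, so a target added to the group in Step 2 may not receive the policy from gpupdate /force until it has been rebooted.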


Conclusion

With this setup, Windows Updates will not automatically download or allow manual checks on the specified devices, ensuring that Saner CVEM remediation results remain consistent.
