Steps to disable 'check for updates' and 'automatic updates' through Active Directory GPO policies

Modified on Sun, 16 Mar at 7:47 PM

Overview: 

Sometimes, Microsoft KBs are automatically downloaded and installed on client machines. End users can also download available missing KBs using the 'check for updates' option. This impacts the SanerNow tool's remediation, as it lists these KBs under the installed patch section as installed by the system.

Resolution steps:
To avoid automatic KB downloads on client devices, we can suggest that the customer disable the 'check for updates' and automatic updates rules using GPO policies deployed from Active Directory.

The following step-by-step instructions show how to filter the 'Disabled check for updates' policy to apply to target devices, i.e., desktop-1j0rh8j, desktop-5p1ag86, and 'samehostname'.

1. Steps to create the group in the Active Directory Users and Computers console

Right-click on an empty space of the page and select New > Group.

Enter the group name.

In the Group scope section, select Global.

From the Group type section, select Security.

Click OK to save the settings and create the group. As shown below, the group must be displayed in the OU.

2. How to add the target computers as members of the group (i.e., Disable Winupdates)

The following window opens. Click Object Types and make sure Computers is checked.


Now enter the names of the target computers mentioned above with a semicolon (;) to separate them. Then click Check Names. If typed correctly, the names will display as shown below with a dash below them.

 


Make sure all target computers are members of the group, then click OK to confirm.

3. Steps to create the GPO policy and update the existing policy on Active Directory.

Log in to the Group Policy console. Select the policy you want to change and then open the Scope tab.


Right-click the desired GPO to edit the group policy settings. The group policy management console opens. Every GPO has two basic configurations:

Computer configuration (applies to computers)
User configuration (applies to user accounts)
Under each of these configurations are:

Policies
Preferences

In the Group Policy Object Editor, expand Computer Configuration > Administrative Templates > Windows Components > Windows Update.

In the right pane, from the list of settings, right-click the setting 'Remove access to use all Windows Update features' and select Edit.

 

In the Security Filtering section, select Authenticated Users and click Remove.

 

 


In the same Security Filtering section, click the Add button.

Enter the name of the group that was created in the previous step. Click Check Names to make sure the typed name is correct, then click OK.


Once the above steps are completed, open the Group Policy Management console and make sure the group is added to the list.
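The same three steps can be scripted from a management host with the RSAT ActiveDirectory and GroupPolicy modules. This is an added example, not SanerNow or vendor code. The GPO name and OU path are hypothetical, the registry value is the one this administrative template setting writes under Computer Configuration, and Authenticated Users is reduced to Read (which removes it from Security Filtering) rather than deleted outright.

```powershell
# Added example: scripts steps 1-3 above. Run as a domain admin on a host with RSAT.
Import-Module ActiveDirectory, GroupPolicy

# Group name and hostnames come from the article; the GPO name and OU are assumptions.
$GroupName = 'Disable Winupdates'
$GpoName   = 'Disable Check For Updates'           # hypothetical GPO name
$TargetOU  = 'OU=Workstations,DC=example,DC=com'    # hypothetical OU of the target computers
$Computers = 'desktop-1j0rh8j', 'desktop-5p1ag86'

# Step 1: create the Global / Security group if it does not exist yet.
if (-not (Get-ADGroup -Filter "Name -eq '$GroupName'")) {
    New-ADGroup -Name $GroupName -SamAccountName $GroupName `
        -GroupScope Global -GroupCategory Security -Path $TargetOU
}

# Step 2: add only the computer accounts that are not already members.
$existing = Get-ADGroupMember -Identity $GroupName | Select-Object -ExpandProperty SamAccountName
$toAdd = $Computers | ForEach-Object { Get-ADComputer -Identity $_ } |
    Where-Object { $existing -notcontains $_.SamAccountName }
if ($toAdd) { Add-ADGroupMember -Identity $GroupName -Members $toAdd }

# Step 3a: enable "Remove access to use all Windows Update features" (computer side).
if (-not (Get-GPO -Name $GpoName -ErrorAction SilentlyContinue)) {
    New-GPO -Name $GpoName | Out-Null
}
Set-GPRegistryValue -Name $GpoName `
    -Key 'HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate' `
    -ValueName 'SetDisableUXWUAccess' -Type DWord -Value 1 | Out-Null

# Step 3b: security filtering. The group gets Read + Apply; Authenticated Users
# keeps Read only, so it no longer appears under Security Filtering.
Set-GPPermission -Name $GpoName -TargetName $GroupName -TargetType Group `
    -PermissionLevel GpoApply | Out-Null
Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' -TargetType Group `
    -PermissionLevel GpoRead -Replace | Out-Null

# Link the GPO to the OU (reports an error and continues if the link already exists).
New-GPLink -Name $GpoName -Target $TargetOU -ErrorAction SilentlyContinue | Out-Null

# Review the result: only the group should hold GpoApply.
Get-GPPermission -Name $GpoName -All |
    Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } }, Permission
```

A computer picks up new group membership only when it next starts, so restart the target machines before expecting the filtered GPO to apply.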



Steps to enforce the applied policy to the client devices:


Log in to the client devices and open a command prompt with Administrator rights.
Execute the gpupdate /force command.



Now type rsop.msc to view the applied policy result.


Once the above steps are done, open 'Check for updates' on the client devices and verify the access status: it should be grayed out.

 


If you want to view the applied policy on the machine, check the 'View configured update policies' option.

 

 
