Overview:
Microsoft KBs sometimes download and install automatically on client machines, and end users can also download available missing KBs with the 'Check for updates' option. This affects remediation in the SanerNow tool, which lists these KBs in the installed patch section as installed by the system.
Resolution steps:
To prevent automatic KB downloads on client devices, suggest that the customer disable the 'check for updates' and automatic updates rules using GPO policies deployed from Active Directory.
The following step-by-step instructions show how to filter the 'Disabled check for updates' policy to apply to target devices, i.e., desktop-1j0rh8j, desktop-5p1ag86, and 'samehostname'.
1. Steps to create the group in the Active Directory Users and Computers console
Right-click on an empty space of the page and select New > Group.
Enter the group name.
In the Global Scope section, select Global.
From the group type section, select Security.
Click OK to save the settings and create the group. The group must now be displayed in the OU.
2. How to add the target computers as members of the group (i.e., Disable Winupdates)
The following window opens. Click Object Types and make sure Computers is checked.
Now enter the names of the target computers mentioned above with a semicolon (;) to separate them. Then click Check Names. If typed correctly, the names will display as shown below with a dash below them.
Make sure all target computers are members of the group, then click OK to confirm.
3. Steps to create the GPO policy and update the existing policy on Active Directory.
Log in to the Group Policy console. Select the policy you want to change and then enter the Scope tab.
Computer configuration (applies to computers)
User configuration (applies to user accounts)
Under each of these configurations are:
Policies
Preferences
In the Group Policy Object Editor, expand Computer Configuration > Administrative Templates > Windows Components > Windows Update.
In the right pane, from the list of settings, right-click the setting 'Remove access to use all Windows Update features' and select Edit.
In the Security Filtering section, select Authenticated Users and click Remove.
In the same Security Filtering section, click the Add button.
Enter the name of the group that was created in the previous step. Click Check Names to make sure the typed name is correct, then click OK.
Once the above steps are completed, open the Group Policy Management console and make sure the group is added to the list.
Steps to enforce the applied policy to the client devices:
Log in to the client devices and run the command prompt with Administrator rights.
Execute the gpupdate /force command.
Now type rsop.msc to view the applied policy result.
Once the above steps are done, open 'Check for updates' on the client devices and verify the access status; it should be grayed out.
If you want to view the applied policy on the machine, check the 'View configured update policies' option.
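Steps 1 to 3 above can also be scripted with the ActiveDirectory and GroupPolicy PowerShell modules. This is an added example, not part of the original article or the SanerNow tool. The GPO name, the OU path and the registry value used for the Windows Update setting are assumptions to check against your environment, and Authenticated Users is lowered to Read here rather than removed.

```powershell
# Added example: steps 1-3 scripted. Needs the RSAT ActiveDirectory and
# GroupPolicy modules and rights to create groups and GPOs.
Import-Module ActiveDirectory, GroupPolicy

# Assumptions (placeholders): adjust to your domain.
$GroupName = 'Disable Winupdates'                  # group name used in step 2
$GpoName   = 'Disable check for updates'           # hypothetical GPO name
$GroupOU   = 'OU=Workstations,DC=example,DC=com'   # hypothetical OU
$Computers = 'desktop-1j0rh8j', 'desktop-5p1ag86', 'samehostname'

# Step 1: global security group (reuse it if it already exists).
$group = Get-ADGroup -Filter "Name -eq '$GroupName'"
if (-not $group) {
    $group = New-ADGroup -Name $GroupName -GroupScope Global `
        -GroupCategory Security -Path $GroupOU -PassThru
}

# Step 2: add target computers, skipping unknown names and existing members.
$members = Get-ADGroupMember -Identity $group | ForEach-Object DistinguishedName
foreach ($name in $Computers) {
    $computer = Get-ADComputer -Filter "Name -eq '$name'"
    if (-not $computer) { Write-Warning "Computer '$name' not found; skipped."; continue }
    if ($computer.DistinguishedName -notin $members) {
        Add-ADGroupMember -Identity $group -Members $computer
    }
}

# Step 3: create the GPO and enable the Computer Configuration setting
# 'Remove access to use all Windows Update features'.
# Assumption: registry value behind that setting; verify in WindowsUpdate.admx.
$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name $GpoName }
Set-GPRegistryValue -Name $GpoName `
    -Key 'HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate' `
    -ValueName 'SetDisableUXWUAccess' -Type DWord -Value 1 | Out-Null

# Security filtering: stop applying to everyone, apply only to the group.
Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' `
    -TargetType Group -PermissionLevel GpoRead -Replace | Out-Null
Set-GPPermission -Name $GpoName -TargetName $group.SamAccountName `
    -TargetType Group -PermissionLevel GpoApply | Out-Null

# Confirm the group is in the list with Apply permission.
Get-GPPermission -Name $GpoName -All |
    Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } }, Permission
```

A computer picks up new group membership when it restarts, so restart the target devices before checking the result with gpupdate /force and rsop.msc.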