Windows update is an essential service from Microsoft to ensure that all Windows devices will be updated with latest updates. These updates include feature enhancements, driver updates, service packs, security updates, critical updates and other updates. Disabling windows update is not recommended. But because of specific business requirement you may need to disable the windows updates. For example some companies might use 3rd party products for managing and rolling out Windows Updates. This article shows how to disable windows update using group policy.
How to Disable Windows Update using Group Policy
In this example, Windows client MBG-CL2 is already joined to the Active Directory domain called mustbegeek.local. The domain controller is running on Windows Server 2008 R2. The client machine MBG-CL2 where windows updates needs to be disabled is under the OU “mustbegeek.local\Prod\Billing”.
Step 1. Create a Group Policy Object
Logon to Domain Controller server and open Group Policy Management snap-in from Start â†’ Administrative tools â†’ Group Policy Management. Now expand forest â†’ Domains â†’ mustbegeek.local and select on the OU Group Policy Objects as shown below.
You can create a new GPO from here and then link it to any OU. Create new Group Policy Object by right-clicking on the empty space at the right panel and click New.
Now specify the GPO name as required and click OK as shown below.
After that, right click on “Disable_Windows_Updates” GPO and click on edit. This will open the Group Policy Management Editor, navigate under Computer Configuration. â†’ Policies â†’ Administrative Templates â†’ Windows Components â†’ Windows Update and double click on Configure Automatic Updates policy as shown below.
This will bring up the configuration window of this policy. Here, select Disabled radio button to disable the Windows updates and click OK.
This will save the configuration settings to the newly created GPO, now exit the Group Policy Management Editor.
Step 2. Apply the Group Policy Object
To apply the GPO we must link the policy to a the OU named Billing. In the Group Policy Management snap-in, navigate and right-click on the Billing OU and click on “Link an existing GPO”
Select the GPO “Disable_Windows_Updates” and click OK as shown below.
Step 3. Update and Verify GPO on Client Machine
Now log on to the client machine MBG-CL1 and open up command prompt. Type Gpupdate /force on the client computer to update the GPO settings on the machine. To verify if the GPO settings got applied correctly, type gpresult /r in the command prompt (Run as Admin) as shown below. The policy name will be appear under “Applied Group Policy Objects” under Computer Settings as shown below.
After applying the policy successfully, the ability to configure or schedule the windows update will be disabled. But users can still check for new updates.
The GPO can also be linked using a WMI Query or Security filtering. Refer the article How to Apply GPO to Computer Group in Active Directory to learn about applying group policy using security filtering.