How to suppress Windows updates for client machines via GPO?

We have a GPO handling windows updates for domain client machines. Currently, this GPO only disables the user from changing the windows updates settings on their machines and also has a setting that turns off the machine from seeking windows updates on its own.

The second part of that GPO doesn't make much sense to me. (1) I would rather set the GPO to disable / grey out that the user cannot change the setting. (2) Be able to set windows update to 'Never check for updates' within the Windows updates dialog box setting for the client machine.

How do I handle the #2 part of the GPO setting above?

We are running Windows 7 clients and Server 2008 R2 is the O/S where the actual GPO resides on a DC. Thanks.



(1) I would rather set the GPO to disable / grey out that the user cannot change the setting.
(2) Be able to set windows update to 'Never check for updates' within the Windows updates dialog box setting for the client machine.

If you set #1 then you can't change #2

Group policy | computer policy| Windows settings | Windows Updates
Specify Intranet Microsoft Update Service Location | set it to an invalid location
Enable Do not connect to any Windows Update Intranet Locations
Configure Automatic Updates Set to disabled.



(1) I would rather set the GPO to disable / grey out that the user cannot change the setting.
(2) Be able to set windows update to 'Never check for updates' within the Windows updates dialog box setting for the client machine.

If you set #1 then you can't change #2

Group policy | computer policy| Windows settings | Windows Updates
Specify Intranet Microsoft Update Service Location | set it to an invalid location
Enable Do not connect to any Windows Update Intranet Locations
Configure Automatic Updates Set to disabled.



I'm a little puzzled as to what you're trying to accomplish. Do you want to prevent your workstations from ever getting any Windows updates? Why would you want to do that?



Ok, just so I'm clear on what we want to accomplish on point #2, I want the GPO itself to actually set the Windows update setting to 'Never check for updates' (not to be modified by the user). Can a GPO setting handle this part of the setting?



@hypercat We would like to centralize and push out updates to client machines ourselves. By having this setting on, windows applies and restarts PCs at random time to apply updates on its own which we don't want.



If you're using WSUS to push out updates, then you would need to set these GPO options so that the workstations know when to poll WSUS to get approved updates. If you set the workstation never to get updates then it won't get updates from WSUS. Or are you planning to use some other push method of deployment that requires you to turn off the workstation polling?

Share this

Related Posts

There was an error in this gadget