sparky321

asked on

How to suppress Windows updates for client machines via GPO?

We have a GPO handling Windows updates for domain client machines. Currently, this GPO only disables the user from changing the Windows Update settings on their machines and also has a setting that turns off the machine from seeking Windows updates on its own.

The second part of that GPO doesn't make much sense to me. (1) I would rather set the GPO to disable / grey out that the user cannot change the setting. (2) Be able to set Windows Update to 'Never check for updates' within the Windows Update dialog box setting for the client machine.

How do I handle the #2 part of the GPO setting above?  

We are running Windows 7 clients and Server 2008 R2 is the O/S where the actual GPO resides on a DC.  Thanks.
ASKER CERTIFIED SOLUTION
David Johnson, CD
I'm a little puzzled as to what you're trying to accomplish.  Do you want to prevent your workstations from ever getting any Windows updates? Why would you want to do that?
sparky321

ASKER

Ok, just so I'm clear on what we want to accomplish on point #2, I want the GPO itself to actually set the Windows update setting to 'Never check for updates' (not to be modified by the user).    Can a GPO setting handle this part of the setting?
@hypercat We would like to centralize and push out updates to client machines ourselves. By having this setting on, Windows applies and restarts PCs at random times to apply updates on its own, which we don't want.
If you're using WSUS to push out updates, then you would need to set these GPO options so that the workstations know when to poll WSUS to get approved updates. If you set the workstation never to get updates then it won't get updates from WSUS. Or are you planning to use some other push method of deployment that requires you to turn off the workstation polling?
Currently not using WSUS.  Pushing out centrally from a 3rd party solution.
IOW, what I'm trying to express is that these GPO settings are designed to allow you to control when the workstations poll for updates and when they get restarted, using either an external Windows update server, or an internal WSUS server.  So if you're planning to deploy updates with WSUS, you need to learn and understand these GPO settings so that you can configure them to work with WSUS.
OK - gotcha.  In that case, I think the best you can do is what was described by David Johnson.  By setting the Automatic Updates to disabled in the GPO, you're essentially setting the option to "never check for updates."  Whatever settings you make in the GPO will prevent any user from changing those settings, once the GPO is applied to the workstation. (Well, technically an administrative user could change them by going directly into the registry...)
As reiterated earlier, we are not looking to deploy via WSUS. Updates / critical patches from Windows and other applications are being handled via a 3rd party solution to push out patches as necessary.
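
Added example, not part of the original thread: a PowerShell check (written for PowerShell 2.0, so it runs on the Windows 7 clients discussed) that reports whether the Automatic Updates policy described above actually landed on a workstation, including the case mentioned where an administrator edits the registry directly. The function name `Get-AutoUpdatePolicyState` is hypothetical; the registry path and the `NoAutoUpdate` / `AUOptions` values are the standard Windows Update policy locations.

```powershell
# Added example (not from the thread). Reports the state of the
# "Configure Automatic Updates" computer policy on the local machine.
# Get-AutoUpdatePolicyState is a hypothetical helper name.
$AuPolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'

function Get-AutoUpdatePolicyState {
    param([string]$Path = $AuPolicyKey)

    # No policy key: the GPO has not applied, so the local
    # Control Panel setting is in effect and users may change it.
    if (-not (Test-Path -Path $Path)) { return 'NotConfigured' }

    $au = Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue
    if ($au -eq $null -or $au.NoAutoUpdate -eq $null) { return 'NotConfigured' }

    # NoAutoUpdate = 1 is what "Configure Automatic Updates: Disabled" writes.
    if ($au.NoAutoUpdate -eq 1) { return 'Disabled' }

    # Policy enabled: AUOptions says how the client polls and installs.
    switch ($au.AUOptions) {
        2 { return 'Enabled: notify before download' }
        3 { return 'Enabled: auto download, notify to install' }
        4 { return 'Enabled: auto download, scheduled install' }
        5 { return 'Enabled: local administrators choose the setting' }
        default { return 'Enabled: AUOptions missing or unrecognised' }
    }
}

$state = Get-AutoUpdatePolicyState
"{0}: Automatic Updates policy = {1}" -f $env:COMPUTERNAME, $state

# When run as a script, a non-zero exit code lets a scheduled task or
# the third-party patch tool flag machines where the policy has drifted.
if ($state -ne 'Disabled') { exit 1 }
```

On a client where the GPO has applied, `gpresult /r /scope computer` lists the GPO under the applied computer policies, which confirms the value came from Group Policy and not from a manual registry edit.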