How to suppress Windows updates for client machines via GPO?

We have a GPO handling Windows updates for domain client machines. Currently, this GPO only disables the user from changing the Windows Update settings on their machines and also has a setting that turns off the machine from seeking Windows updates on its own.

The second part of that GPO doesn't make much sense to me. (1) I would rather set the GPO to disable / grey out that the user cannot change the setting. (2) Be able to set Windows Update to 'Never check for updates' within the Windows Update dialog box setting for the client machine.

How do I handle the #2 part of the GPO setting above?  

We are running Windows 7 clients and Server 2008 R2 is the O/S where the actual GPO resides on a DC.  Thanks.

David Johnson, CD, MVP (Owner) commented:
(1) I would rather set the GPO to disable / grey out that the user cannot change the setting.  
(2) Be able to set windows update to 'Never check for updates' within the Windows updates dialog box setting for the client machine.  

If you set #1 then you can't change #2

Group policy | computer policy| Windows settings  | Windows Updates
Specify Intranet Microsoft Update Service Location | set it to an invalid location
Enable Do not connect to any Windows Update Intranet Locations
Configure Automatic Updates Set to disabled.

Hypercat (Deb) commented:
I'm a little puzzled as to what you're trying to accomplish.  Do you want to prevent your workstations from ever getting any Windows updates? Why would you want to do that?
sparky321 (Author) commented:
Ok, just so I'm clear on what we want to accomplish on point #2, I want the GPO itself to actually set the Windows update setting to 'Never check for updates' (not to be modified by the user). Can a GPO setting handle this part of the setting?
sparky321 (Author) commented:
@hypercat We would like to centralize and push out updates to client machines ourselves. By having this setting on, Windows applies and restarts PCs at random times to apply updates on its own, which we don't want.
Hypercat (Deb) commented:
If you're using WSUS to push out updates, then you would need to set these GPO options so that the workstations know when to poll WSUS to get approved updates. If you set the workstation never to get updates then it won't get updates from WSUS. Or are you planning to use some other push method of deployment that requires you to turn off the workstation polling?
sparky321 (Author) commented:
Currently not using WSUS.  Pushing out centrally from a 3rd party solution.
Hypercat (Deb) commented:
IOW, what I'm trying to express is that these GPO settings are designed to allow you to control when the workstations poll for updates and when they get restarted, using either an external Windows update server, or an internal WSUS server.  So if you're planning to deploy updates with WSUS, you need to learn and understand these GPO settings so that you can configure them to work with WSUS.
Hypercat (Deb) commented:
OK - gotcha.  In that case, I think the best you can do is what was described by David Johnson.  By setting the Automatic Updates to disabled in the GPO, you're essentially setting the option to "never check for updates."  Whatever settings you make in the GPO will prevent any user from changing those settings, once the GPO is applied to the workstation. (Well, technically an administrative user could change them by going directly into the registry...)
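
Added example, not part of the original thread: a PowerShell check that reads the policy values a Windows Update GPO writes to a client's registry, so you can confirm the "Configure Automatic Updates = Disabled" setting actually landed and spot a local registry change of the kind mentioned above. The expected value for `NoAutoUpdate` is an assumption matching the setting discussed here; the function and variable names are illustrative.

```powershell
# Added example: audit Windows Update policy values on a client (PowerShell 2.0+).
# Expected values are assumptions based on the settings discussed in this thread.
$wuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$expected = @(
    # "Configure Automatic Updates" = Disabled writes NoAutoUpdate = 1
    @{ Path = "$wuKey\AU"; Name = 'NoAutoUpdate'; Value = 1 },
    # Report-only (Value = $null): shows whether an intranet update server is set
    @{ Path = "$wuKey\AU"; Name = 'UseWUServer';  Value = $null },
    @{ Path = $wuKey;      Name = 'WUServer';     Value = $null }
)

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or value is absent (policy not configured).
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { return $item.$Name }
    return $null
}

function Test-WindowsUpdatePolicy {
    param([object[]]$Expected)
    foreach ($e in $Expected) {
        $actual = Get-PolicyValue -Path $e.Path -Name $e.Name
        if     ($null -eq $e.Value)    { $state = 'Info' }     # nothing to compare
        elseif ($null -eq $actual)     { $state = 'Missing' }  # GPO not applied
        elseif ($actual -eq $e.Value)  { $state = 'OK' }
        else                           { $state = 'Drift' }    # changed locally
        New-Object PSObject -Property @{
            Computer = $env:COMPUTERNAME
            Setting  = $e.Name
            Expected = $e.Value
            Actual   = $actual
            State    = $state
        } | Select-Object Computer, Setting, Expected, Actual, State
    }
}

Test-WindowsUpdatePolicy -Expected $expected | Format-Table -AutoSize
```

Run it on a client after `gpupdate /force`; a `Missing` or `Drift` state on `NoAutoUpdate` means the GPO is not reaching the machine or the value was edited locally.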
sparky321 (Author) commented:
Like reiterated earlier, we are not looking to deploy via WSUS.  Updates / Critical patches from Windows and other applications are being handled via a 3rd party solution to push out patches as necessary.