We help IT Professionals succeed at work.

Preventing MS Office updates in Win 10/S2016 environment

What would be the best way of making sure that Microsoft Office clients do not update themselves? I am running a Windows 10/Server 2016 environment, Office is a combination of 2016 and 2019 Click to Run. I do not use WSUS or anything similar.

Is there a registry key that can be applied to all machines via a logon script for example?

Many thanks :)
Watch Question

Hi Tarius

You only want to block Microsoft Office Updates, but Windows updates should be installed as usual?

Windows 10 Updates:
Uncheck the check box next to "Give me updates for Microsoft products and check for new optional Microsoft software when I update Windows" to stop Microsoft Office updates.

But I would NOT do that, because Microsoft Office security holes are severe as well. Viruses come by email into the company, mostly.

This would help if you are still sure with that: https://support.microsoft.com/en-us/help/2753538/automatic-updating-for-office-2013-and-office-2016-click-to-run-is-not


Hi Thomas, thanks for commenting :) I wasn't being very descriptive in the initial post, my apologies. But yes, in a nutshell what I want is for Windows updates to happen as normal while Office doesn't do updates at all.

I'm actually looking for a way to do this on 300+ machines all at once. I'll try to provide a bit more context:

A recent Office update has caused a lot of my machines to throw an error when an Outlook client attempts to send an e-mail that contains images. Microsoft has confirmed the issue (according to a colleague) and are looking at releasing a fix soon, however, until that comes I need to find a way to alleviate the symptoms. So far, the only thing I've been able to come up with is:

1. Run a script that forces Office version to rollback.
2. Manually disable updates via any Office app.

The plan is to wait until MS release a new update that doesn't break Outlook and then retrace my steps and go back to each machine to re-enable updates. The issue is that all of my machines seem to be updating faster than I can disable updates on them, there's about 300 in total and any of of them may get an update at any time. For all I know there could be 50 more users with the same issue tomorrow morning.

So I'm looking for a way to tackle this head on and disable all machines from being able to update Office until I can confirm that a newer update won't cause the same issue.

I think there might be a way to do this via a logon script that can be deployed to all machines, however, I'm not too sure on how exactly this can be done.As far as I can see, there's 2 things that need to be achieved here:

1. Rollback office en-masse (logon script, GPO etc - i'm really not sure)
2. Disable updates (force a registry key via GPO - again, not entirely sure).

As you pointed out, this isn't great in terms of security but we have a pretty decent 3rd party email security system and filtering so we should be ok with doing this as a temporary workaround.
Ahh I see. Do with Group Policy on the domaincontroller for your clients.
I mean you can do it with a logonscript as well, but....

Do you need an exact explanation how to do it in GPO's?
you can alter client registry via GPO's.


I'm just trying to figure out the best way to do it really. Most of the team seems to think that this isn't possible via a GPO but I can't understand their logic. As far as I'm concerned it should be a matter of:

1. Logon script runs on all machines to rollback.
2. Registry keys from the article you linked above are applied via GPO.

This should do it in theory, but other (more senior) people in the team don't think this will work so I'm just trying to get some second opinions. Thanks for your input, I will play around with this tomorrow and report back on what progress I manage to make.
Since I do not have full knowledge of your enviroment, I cant give a direct solution.
But I am 100% sure that it is possible to disable Office Updates systemwide. (GPO template, Loginscript, etc)

This for volume licensing: At the end are templates

The registry keys in the above thread should work for older installations and single installations.

For the rollback, even that can be done via GPO's and KB uninstall scripts, as you know which KB is the culprit.
wusa.exe /uninstall /kb:2823324 /quiet /norestart

Open in new window