Managing windows updates using Configuration Manager and Group policy

When a Configuration Manager client is installed and configured to use the software updates agent, it will automatically configured with a local Group Policy setting that specifies the Configuration Manager software update point. The Group Policy setting used is the intranet Microsoft update service location, specified as a Windows Update computer administrative template.

The following snippet shows the local group policy setting for the client that is enabled with software update agent.

image

GPO:

image

image

In case you have a local Group Policy setting that is configured with Microsoft update service location which will always be overwritten by an Active Directory Group Policy setting, and this can result in the Configuration Manager client failing to obtain software updates using Configuration Manager.

Jason has written 2 blogs on GPO and software update management, please read the following.

https://home.memftw.com/software-update-management-and-group-policy-for-configmgr-what-else/
https://home.memftw.com/software-updates-management-and-group-policy-for-configmgr-cont/

It is always recommended to create GPO to disable automatic updates and let the software update patching happens through ConfigMgr. This will help you to do the windows update patching in a controlled way.

So until now, you have a good understanding of the software update management and group policy.

One of my customer recently reached out to me and asking for help to block users doing manual windows update process on their devices.

The reason they want to block all available windows update options is that recently Microsoft released an update (KB4577586 ) to remove Adobe flash from windows.

Removing of the adobe flash will impact their applications (legacy) that use adobe flash.

When I have asked customer to send a screenshot of the windows update setting, it has the following.

image

As you can see above, 1st option, It already has the automatic updates disabled through GPO so there wont be any automatic windows update process but if you look at the 2nd, user still have option to click on ‘Check online for updates from Microsoft update’ and do windows update.

Configuring the GPO ‘Disable automatic updates’ will only help to disable the automatic update schedule that happens every day night around 3AM or so but it will still leave an option for user to click on ‘Check online for updates from Microsoft update’. This process will initiate the windows update, search, download, install and reboot the device.

image

In the above screenshot, I have a GPO to turn off automatic updates but user can still trigger the windows update using Check online for updates from Microsoft update.

image

How do we disable/hide ‘Check online for updates from Microsoft update’?

Create a GPO and configure the following setting.

Computer Configuration/Administrative Templates/System/Internet Communication Management/Internet Communication settings

Turn off access to all Windows Update features = Enabled

image

Link the GPO to test OU, test the windows store and update functions before deploying the policy to all production machines.

End-results:

The policy will now hide ‘Check online for updates from Microsoft update’ setting.

image

There is new registry key that gets created with this setting.

Registry Path:
Software\Policies\Microsoft\Windows\WindowsUpdate\DisableWindowsUpdateAccess

image

Hope it helps!

Leave a Reply