Managing windows updates using Configuration Manager and Group policy

When a Configuration Manager client is installed and configured to use the software updates agent, it is automatically configured with a local Group Policy setting that points it at the Configuration Manager software update point. The setting used is "Specify intranet Microsoft update service location", a Windows Update administrative template under Computer Configuration.

The following screenshot shows the local Group Policy setting on a client that has the software update agent enabled.

image

GPO:

image

image

If an Active Directory Group Policy setting also configures the intranet Microsoft update service location, it will always override the local Group Policy setting, and this can result in the Configuration Manager client failing to obtain software updates through Configuration Manager.

Jason has written two blog posts on GPO and software update management; please read the following:

https://home.memftw.com/software-update-management-and-group-policy-for-configmgr-what-else/
https://home.memftw.com/software-updates-management-and-group-policy-for-configmgr-cont/

It is always recommended to create a GPO that disables automatic updates and lets software update patching happen through ConfigMgr. This lets you patch Windows in a controlled way.

By now you should have a good understanding of software update management and Group Policy.

One of my customers recently reached out to me asking for help to block users from running the Windows Update process manually on their devices.

The reason they want to block all available Windows Update options is that Microsoft recently released an update (KB4577586) that removes Adobe Flash from Windows.

Removing Adobe Flash will impact their legacy applications that depend on it.

When I asked the customer to send a screenshot of their Windows Update settings, it showed the following.

image

As you can see above, in the first option automatic updates are already disabled through GPO, so there won't be any automatic Windows Update process. But if you look at the second option, the user still has the option to click 'Check online for updates from Microsoft Update' and run Windows Update.

Configuring the GPO 'Disable automatic updates' only disables the scheduled automatic update that runs every night around 3 AM or so; it still leaves the user the option to click 'Check online for updates from Microsoft Update'. That click initiates Windows Update to search for, download and install updates and then reboot the device.

image

In the above screenshot, I have a GPO that turns off automatic updates, but the user can still trigger Windows Update using 'Check online for updates from Microsoft Update'.

image

How do we disable or hide 'Check online for updates from Microsoft Update'?

Create a GPO and configure the following setting.

Computer Configuration/Administrative Templates/System/Internet Communication Management/Internet Communication settings

Turn off access to all Windows Update features = Enabled

image

Link the GPO to a test OU and test the Windows Store and update functions there before deploying the policy to all production machines.
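The same GPO can be created and linked to the test OU from PowerShell with the GroupPolicy module (RSAT), which is handy when you want the change tracked in a script rather than clicked through the editor. This is an added example, not code from the original post; the GPO name and the OU distinguished name are placeholders, and the registry value it writes is the one the 'Turn off access to all Windows Update features' setting produces.

```powershell
# Added example (not from the original post). Requires the GroupPolicy module
# (RSAT) and rights to create and link GPOs in the domain.
Import-Module GroupPolicy

$gpoName = 'WU - Turn off access to Windows Update features'   # placeholder GPO name
$testOu  = 'OU=WU-Pilot,DC=contoso,DC=com'                      # placeholder test OU

# Create the GPO only if it does not already exist, so the script is safe to re-run.
$gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $gpoName -Comment 'Hides "Check online for updates from Microsoft Update"'
}

# Same value the UI setting writes:
# HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\DisableWindowsUpdateAccess = 1 (DWORD)
Set-GPRegistryValue -Name $gpoName `
    -Key 'HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate' `
    -ValueName 'DisableWindowsUpdateAccess' `
    -Type DWord -Value 1 | Out-Null

# Link to the pilot OU only. Extend the link to production OUs after the
# Store and update behaviour has been verified on the test machines.
$existingLinks = (Get-GPInheritance -Target $testOu).GpoLinks.DisplayName
if ($existingLinks -notcontains $gpoName) {
    New-GPLink -Name $gpoName -Target $testOu -LinkEnabled Yes | Out-Null
}

Get-GPOReport -Name $gpoName -ReportType Html -Path ".\$gpoName.html"
```

The HTML report at the end gives you a record of exactly what the GPO contains before it is linked anywhere beyond the pilot OU. On the clients, run `gpupdate /force` and then check the Windows Update settings page as shown in the end results below.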

End-results:

The policy now hides the 'Check online for updates from Microsoft Update' option in the settings page.

image

A new registry value is created when this setting is applied.

Registry path:
HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate, DWORD value DisableWindowsUpdateAccess = 1

image
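Because a domain GPO silently overrides the local setting that the ConfigMgr client writes, it is worth checking the resulting policy values on a client rather than trusting the console. The audit function below is an added example, not part of the original post; the registry paths and value names are the standard Windows Update policy locations, and the expected SUP URL passed as a parameter is a placeholder you replace with your own software update point.

```powershell
# Added example (not from the original post): report the effective Windows Update
# policy values on a client and flag the conditions the post describes.
function Get-WuPolicyAudit {
    param(
        # Placeholder: the URL of your ConfigMgr software update point, e.g.
        # 'https://sup.contoso.com:8531'. Used to detect a stray AD GPO
        # pointing the client at a different WSUS server.
        [string]$ExpectedSup
    )

    $wuPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    $auPath = Join-Path $wuPath 'AU'

    # Read a single policy value, returning $null when the key or value is absent.
    function Read-PolicyValue([string]$Path, [string]$Name) {
        try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
        catch { $null }
    }

    $wuServer = Read-PolicyValue $wuPath 'WUServer'                   # intranet update service location
    $useWu    = Read-PolicyValue $auPath 'UseWUServer'                # 1 = use the intranet server
    $noAuto   = Read-PolicyValue $auPath 'NoAutoUpdate'               # 1 = automatic updates disabled
    $noAccess = Read-PolicyValue $wuPath 'DisableWindowsUpdateAccess' # 1 = WU features turned off

    $supMatches = if ($ExpectedSup) {
        $wuServer -and ($wuServer.TrimEnd('/') -ieq $ExpectedSup.TrimEnd('/'))
    } else { $null }

    [pscustomobject]@{
        ComputerName               = $env:COMPUTERNAME
        WUServer                   = $wuServer
        UseWUServer                = $useWu
        NoAutoUpdate               = $noAuto
        DisableWindowsUpdateAccess = $noAccess
        SupConfigured              = [bool]$wuServer -and ($useWu -eq 1)
        SupMatchesExpected         = $supMatches
        AutoUpdatesDisabled        = ($noAuto -eq 1)
        ManualCheckBlocked         = ($noAccess -eq 1)
    }
}

# Usage (placeholder SUP URL):
Get-WuPolicyAudit -ExpectedSup 'https://sup.contoso.com:8531' | Format-List
```

A client that is healthy in the sense of this post shows SupConfigured, SupMatchesExpected, AutoUpdatesDisabled and ManualCheckBlocked all True. SupMatchesExpected coming back False while SupConfigured is True is the symptom of the override described earlier: a domain GPO has replaced the local setting written by the ConfigMgr client, and `gpresult /h` on that machine will tell you which GPO won.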

Hope it helps!

5 Responses to "Managing windows updates using Configuration Manager and Group policy"

  1. Hello, I know this is an over-2-year-old topic. I'm on the older version of Windows 10, 1903, with 'Specify target update' so that Windows 10 remains at the final build.
    I want to ask what the difference is between "Turn off access to all Windows Update features" and "Remove access to use all Windows Update features".

    I'm a little bit confused about this because when I go and compare both of them, https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.InternetCommunicationManagement::RemoveWindowsUpdate_ICM and https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsUpdate::RemoveWindowsUpdate,

    they have the exact same description!

  2. Hi Eswar,

    Is it possible to configure the SCCM/MECM SUP in such a way that Windows updates are downloaded and installed via the SUP but general driver updates are downloaded from "Windows Update"?

    Best regards,
    Ferdinand

    1. Hi,
      No, currently there are no driver-specific workloads. If you move the WUfB workloads, all Windows updates along with drivers will be moved to Intune.

      Thanks,
      Eswar

  3. Hi Eswar.
    So installing the SCCM client is not going to prevent this link from showing up in the Windows Update section? This is an additional step that needs to be taken to remove the link, then?
    Thanks, Dave

    1. Hi Dave,
      Yes, this is an additional step, and it is more about how you allow the Windows device to patch or let users control it.

      Thanks,
      Eswar
