Disable windows updates (wufb) on selected devices using Intune

Wufb (windows update for business) is feature in Microsoft Intune that allows organizations to manage and control the deployment of Windows updates across their devices.

With WUfB, Intune administrators can define update ring policies and settings to ensure that devices within their organization receive the necessary updates in a controlled manner.

This helps organizations maintain security and compliance by ensuring that devices are up to date with the latest patches and fixes.

For more information about wufb deployments, please refer  https://learn.microsoft.com/en-us/mem/intune/protect/windows-update-for-business-configure

After you create the wufb ring policies and deployed, devices will receive the settings and start reporting to wufb DS and continue from there on.

Recently i had a scenario where you need to disable automatic updates on specific devices that are managed by wufb.

considering the requirement, i cannot use the Pause option that is available in the wufb ring policy. Pause option will pause the updates for upto 35 days on all devices where the ring is targeted.

In this blog post, we will explore how to achieve this using Intune Catalogue Settings.

1. To begin, we need to create an Azure AD group that will contain the devices for which we want to disable automatic updates

Create Azure AD group with name: Intune - windows computers - Disable Windows updates


2. Next, we will configure the Intune Catalogue Settings to disable automatic updates for the devices in the Azure AD group we created.

Go to intune, devices, configuration profiles and select create New Devices - Microsoft Intune admin center


Give it Name and description


In the add settings, Search for Allow Auto Update and choose Windows update for business


From the drop down, choose Turn off automatic updates. This will prevent the selected devices from automatically downloading and installing updates.


Click Next, Next and in the assignment section, add the group that we have created earlier


Review and create the policy.


3. Exclude the Azure AD group from all of your wufb ring policies. This make sure no conflicts otherwise the device will have conflicts with updates enabled vs disabled.


With this, we have completed all the required configurations. Now adding the device to the security group will ensure the automatic updates are disabled.

In the next client sync policy, the automatic updates will be disabled.

If you want to resume the patching, all you need is remove the devices from the group and the device will pick up the wufb ring policies automatically.

Now, let see the end-user experience. After client receive the updated policies, you will see the following message.


In conclusion, by leveraging Intune Catalogue Settings, we can easily disable automatic updates on selected devices. This provides a flexible approach to manage Windows updates based on specific organizational requirements.

However, it's important to strike a balance between customization and maintaining the overall security and compliance of your device fleet.

In the next blog, we will see how to disable the automatic updates for Microsoft 365 apps using Intune.

3 Responses to "Disable windows updates (wufb) on selected devices using Intune"

  1. Pls, how can I I need to configure an Update ring to allow only manual Microsoft Updates.

    Is that possible using Intune? If yes, please how can I do that? Can you detail how the Update Ring need to be configured to have this behavior?


Leave a Reply