Disable Check for Updates using Group Policy (GPO)

This article explains how you can disable Check for Updates using Group Policy. To prevent users from manually downloading updates from Microsoft, you can disable the check for updates button.

Most organizations today use Configuration Manager to deploy software updates to computers. Why? Because SCCM makes it easy to deploy and manage the updates.

With Configuration Manager deploying the software updates, you ensure the client computers are patched with the latest updates.

The software update point (SUP) interacts with the WSUS services to configure the software update settings and to request synchronization of software updates metadata.

If you have set up a standalone WSUS server to deploy Windows Updates to your computers, you ensure only the approved updates are deployed to all computers.

When you use ConfigMgr/WSUS to manage updates, you have complete control over the updates that you deploy. You don’t want users to manually check for updates from Microsoft Update and install them.

If you allow users to check for updates from Microsoft Update, any user can download and install updates. You don’t want users to download unwanted updates that cause issues with the laptop.

And when WSUS or SCCM attempts to deploy the latest updates, it would detect that the client computer already has the updates installed.

Why should you disable Check for Updates?

Here are some reasons why you should prevent domain users from using the Check for Updates option in Windows.

  1. A user can manually go to Start > Settings > Windows Update and run Check for updates. This option should be disabled on domain computers because a user can manually download unapproved updates. Since these updates aren’t tested by admins, they may affect the stability of the computer.
  2. When a user manually downloads and installs updates from Microsoft Update, an operating system upgrade could occur. This has been the case in several organizations, where an OS upgrade occurred just because the user wanted a newer version of the operating system. After the upgrade, some applications may not work properly and some settings may change. Overall, it’s a big challenge for system admins to roll back the operating system. To prevent such things, you can restrict users from checking for updates from Microsoft.
  3. Allowing users to manually check for updates from Microsoft Update defeats the purpose of having WSUS or Configuration Manager in the setup. When you have invested money in a tool that deploys updates to your domain computers, it’s of no use when users download the updates directly from Microsoft Update.

The screenshot below is from a computer that has just been joined to the AD domain and is managed by Configuration Manager.

Notice that the Check for updates button is active and enabled. In addition, there is a cumulative update available for installation.

If the user clicks download and install, the quality update will download from Microsoft update and install on the computer.

The user may think that the computer requires that optional update whereas it clearly states that it’s an optional quality update.

Now, do you see a reason why you must disable check for updates on domain computers?

Check for Windows Updates Enabled

Therefore, in most organizations, a group policy is deployed to the client computers to disable checking online for updates from the Microsoft Update site.

Thankfully, with “Remove access to use all Windows Update features” GPO setting, administrators can disable the “Check for updates” option for users.

The group policy setting essentially blocks access to Windows Update. If you enable this policy setting, user access to Windows Update scan, download and install is removed.

Any background update scans, downloads and installations will continue to work as configured.

How To Disable Check for Updates using Group Policy

The best way to disable check for updates on computers is by using group policy (GPO). Group Policy can be used to apply security settings to users and computers.

Group Policy allows administrators to define security policies for users and for computers. GPO is a vast topic, and you can start learning about Group Policy from the Microsoft documentation.

When you create a group policy, you either deploy it to the entire AD domain or to selected Organizational Units. Whenever you create a new GPO, ensure you test it on pilot computers and then deploy it to a wider set of computers.

Let’s create a new group policy to disable check for updates from Microsoft Update. Launch the Server Manager and click Tools > Group Policy Management console.

In the Group Policy Management console, expand the domain and right-click Group Policy Objects and select New.

Create a new GPO to Disable Check Online for Updates using Group Policy

Specify the GPO name as “Disable Check for Updates from Microsoft Update” or something similar. Click OK.

Disable Check for Updates using Group Policy

After you create the GPO, right-click the GPO and select Edit. Edit the GPO and specify the settings to disable check for updates.

Edit the Group Policy

In the Group Policy Object Editor, expand Computer Configuration > Administrative Templates > Windows Components > Windows Update.

In the right pane, from the list of settings, right-click the setting Remove access to use all Windows Update features and select Edit.

Remove access to use all Windows Update features

The GPO setting Remove access to use all Windows Update features removes access to scan for Windows Updates. The check for updates from Microsoft update button will be disabled.

Disable Check Online for Updates using Group Policy

Group Policy Result – Check for Updates Disabled

After you apply the above group policy, run the command gpupdate /force on the client machines.

On the Windows 10 computer, click Start > Settings > Windows Update. Notice that the Check for updates button is now disabled. The option to check online for updates from Microsoft Update is also gone.

Instead, you see This option is managed by your organization.

Check for Windows Updates Disabled

Let’s check if the Check for updates button is disabled on a Windows 11 computer. On the Windows 11 computer, click Start > Settings > Windows Update. Yes, the Check for updates button is disabled. The option to check online for updates from Microsoft Update is not available.

Disable Check for Updates on Windows 11
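
The procedure above, scripted and followed by a client-side check, as an added example that is not part of the original article. It assumes the GroupPolicy (GPMC/RSAT) module on the management host and, for remote checks, PowerShell remoting on the pilot computers; the OU path and computer names are placeholders. SetDisableUXWUAccess is the registry policy value that the Computer Configuration setting Remove access to use all Windows Update features writes.

```powershell
# Added example, not from the original article. Run from an elevated session.
$GpoName    = 'Disable Check for Updates from Microsoft Update'
$GpoKey     = 'HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate'
$ClientPath = 'HKLM:\Software\Policies\Microsoft\Windows\WindowsUpdate'
$ValueName  = 'SetDisableUXWUAccess'   # 1 = user access to Windows Update removed

function New-DisableCheckForUpdatesGpo {
    # Run on a management host. Creates the GPO, enables the setting and
    # links the GPO to a pilot OU before any wider rollout.
    param(
        # Placeholder (assumption): DN of the OU that holds the pilot COMPUTER
        # accounts, e.g. 'OU=Pilot,DC=example,DC=com'.
        [Parameter(Mandatory)][string]$PilotOu
    )
    Import-Module GroupPolicy -ErrorAction Stop
    New-GPO -Name $GpoName | Out-Null
    # An HKLM key is stored in the Computer Configuration half of the GPO.
    Set-GPRegistryValue -Name $GpoName -Key $GpoKey -ValueName $ValueName `
        -Type DWord -Value 1 | Out-Null
    New-GPLink -Name $GpoName -Target $PilotOu
}

function Test-CheckForUpdatesPolicy {
    # Run after gpupdate /force. Reads the policy value on each computer and
    # reports whether the setting actually landed there.
    param([string[]]$ComputerName = $env:COMPUTERNAME)
    $read = {
        param($Path, $Name)
        (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
    }
    foreach ($computer in $ComputerName) {
        if ($computer -eq $env:COMPUTERNAME) {
            $value = & $read $ClientPath $ValueName
        } else {
            $value = Invoke-Command -ComputerName $computer -ScriptBlock $read `
                -ArgumentList $ClientPath, $ValueName
        }
        [pscustomobject]@{
            Computer               = $computer
            Value                  = $value          # empty = policy not applied
            CheckForUpdatesBlocked = ($value -eq 1)
        }
    }
}

# Example calls (placeholder names):
# New-DisableCheckForUpdatesGpo -PilotOu 'OU=Pilot,DC=example,DC=com'
# Test-CheckForUpdatesPolicy -ComputerName 'PILOT-PC01', 'PILOT-PC02'
```

Because this is a Computer Configuration setting, the GPO must be linked where the computer accounts live. If Value is empty after gpupdate /force, gpresult /r /scope computer run on the client shows whether the GPO reached that machine at all.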

6 Comments

  1. Does this GPO only live on the local GPO editor? I do not see it on my DC using the GPO mgr.

      1. I don’t see it on domain level. Do I need a specific ADMX template or something else? I have 21h2, 21h1 and 22h2 clients I am trying to disable windows updates for.

  2. Ted Bruning says:

    Hi Prajwal,
    Today I happened across your blog when searching for how to use active directory group policy to disable windows update on local computers.

    First, I must compliment you on how clear and accurate your guides are.
    I have tried to follow many other “how to’s” and usually the guide does not exactly match the screen shots or verbiage.

    I would like to refer to your blog post “Disable Check for Updates using Group Policy (GPO)”

    Very clear, accurate, and easy to follow.

    However, after completing the final step, running the “gpupdate /force” command on the local computer the desired result did not occur.

    The Group Policy Management Editor on the server shows:
    Remove access to use all Windows Update features ENABLED

    The command run on local computers (one WIN10 one WIN11) completed with the message:
    Computer Policy update has been completed successfully.

    Your help on this will be greatly appreciated.

    Thank you,
    Ted

    1. Can you tell me what you see when you run gpupdate /force on the client computer? Where have you deployed the GPO, at domain level or OU?

      1. I have the same issue; the GPO is deployed in the OU.

        When running gpupdate /force on the client, the messages I get are:

        Computer Policy update has been completed successfully.
        User Policy update has been completed successfully.
