使用组策略(GPO)禁用检查更新

This article explains how you can disable Check for Updates using Group Policy. To prevent users from manually downloading updates from Microsoft, you can disable the check for updates button.

Most organizations today use Configuration Manager todeploy 华体会体育系列software updatesto computers.为什么?Because SCCM makes it easy to deploy and manage the updates.

With Configuration Manager deploying the 华体会体育系列software updates, you ensure the client computers are patched with the latest updates.

华体会体育系列software update point (SUP)与WSUS服务进行交互,以配置软件更新设置并请求软件更新元数据的同步。华体会体育系列

If you have set up astandalone WSUS serverto deploy Windows Updates to your computers, you ensure only the approved updates are deployed to all computers.

When you are using ConfigMgr/WSUS to manage updates, you basically have a complete control over the updates that you deploy. You don’t want users to manually check updates from Microsoft update and install it.

If you are allowing users to check for updates from微软更新,任何用户都可以下载更新并安装。您不希望用户下载不需要的更新并引起笔记本电脑的问题。

And when WSUS or SCCM attempts to deploy the latest updates, it would detect the client computer already has the updates installed.

Why should you disable Check for Updates?

Here are some reasons why you should prevent domain users from using检查更新option in Windows.

  1. 用户可以手动转到开始>设置>Windows更新and run检查更新。This option should be disabled on domain computers because a user can manually download unapproved updates.Since these updates aren’t tested by admins, it may affect the stability of the computer.
  2. When a user manually downloads and installs the updates from Microsoft update, an operating system upgrade could occur. This has been the case in several organizations where an OS upgrade occurred just because the user wanted newer version of operating system. After the upgrade, some applications may not work properly and some settings may change. Overall, it’s a big challenge for system admins to回滚操作系统。为了防止此类操作,您可以限制用户检查Microsoft的更新。
  3. 允许用户手动检查Microsoft Update的更新,即在设置中使用WSU,配置管理器的目的。当您将资金投入到将更新到域计算机部署更新的工具中时,当用户直接从Microsoft Update下载更新时,这是无用的。

下面的屏幕截图来自计算机joined to the AD domainand managed by Configuration Manager.

请注意,检查更新按钮处于活动状态并启用。此外,还有一个累积更新可供安装。

如果用户单击下载并安装,质量更新将从Microsoft更新中下载并在计算机上安装。

The user may think that the computer requires that optional update whereas it clearly states that it’s an optional quality update.

现在,您是否看到了为什么必须禁用域计算机上的更新检查的原因?

Check for Windows Updates Enabled
Check for Windows Updates Enabled

因此,在大多数组织中,将组策略部署到客户端计算机,以在线禁用Microsoft Update网站的更新。

Thankfully, with “删除访问使用所有Windows更新功能” GPO setting, administrators can disable the “Check for updates” option for users.

The group policy setting essentially blocks the access toWindows更新。If you enable this policy setting, user access to Windows Update scan, download and install is removed.

Any background update scans, downloads and installations will continue to work as configured.

How To Disable Check for Updates using Group Policy

The best way to disable check for updates on computers is by using group policy (GPO). Group Policy can be used to apply security settings to users and computers.

组策略允许管理员为用户和计算机定义安全策略。GPO是一个广泛的话题,您可以开始学习Group Policy from Microsoft Documentation

创建组策略时,要么将其部署到整个广告域,要么选择组织单位。每当您创建新的GPO时,请确保在Pilot计算机上测试它,然后将其部署到更宽的计算机集中。

让我们创建一个新的组策略禁用Microsoft Update的更新检查。启动服务器管理器并单击工具>小组政策管理控制台

In the Group Policy Management console, expand the domain and right-clickGroup Policy Objects and select New.

创建一个新的GPO,以在线禁用使用组策略的更新
Create a new GPO to Disable Check for Updates using Group Policy

将GPO名称指定为“Disable Check for Updates from Microsoft Update”或类似的东西。点击好的

使用组策略禁用检查更新
使用组策略禁用检查更新

After you create the GPO, right click the GPO and select编辑。Edit the GPO and specify the settings to disable check for updates.

Edit the Group Policy
Edit the Group Policy

In the Group Policy Object Editor, expandComputer Configuration>管理模板>Windows Components>Windows更新

在右窗格中,从设置列表中,右键单击设置删除访问使用所有Windows更新功能并选择编辑

删除访问使用所有Windows更新功能
删除访问使用所有Windows更新功能

The GPO setting Remove access to use all Windows Update features removes access to scan for Windows Updates. The check for updates from Microsoft update button will be disabled.

Disable Check Online for Updates using Group Policy
Disable Check Online for Updates using Group Policy

组策略结果检查已禁用更新

After you apply the above group policy, run the commandgpupdate /force在客户端机器上。

读:如何修改Windows计算机的组策略刷新间隔

在Windows 10计算机上,单击开始>设置>Windows更新。请注意,检查更新按钮现在已禁用。从Microsoft Update在线检查更新的选项也已消失。

Instead, you seeThis option is managed by your organization

Check for Windows Updates Disabled
Check for Windows Updates Disabled

让我们检查Windows 11计算机的检查更新按钮是否已禁用。在Windows 11计算机上,单击开始>设置>Windows更新。是的,已禁用检查更新按钮的检查。在线检查以获取Microsoft Update更新的选项。

Disable Check for Updates on Windows 11
Disable Check for Updates on Windows 11

2 thoughts on “Disable Check for Updates using Group Policy (GPO)”

  1. Hi Prajwal,
    今天,当您搜索如何使用Active Directory Group策略以禁用Windows更新本地计算机上时,我发生了您的博客。

    First, I must complement you on how clear and accurate your guides are.
    I have tried to follow many other “how to’s” and usually the guide does not exactly match the screen shots or verbiage.

    我想参考您的博客文章“使用组策略(GPO)禁用更新检查”

    非常清晰,准确且易于遵循。

    但是,在完成最后一步之后,在本地计算机上运行“ gpupdate /force”命令并未发生所需结果。

    The Group Policy Management Editor on the server shows:
    Remove access to use all Windows Update features ENABLED

    The command run on local computers (one WIN10 one WIN11) completed with the message:
    计算机策略更新已成功完成。

    Your help on this will be greatly appreciated.

    谢谢,
    泰德

    回复

发表评论