In this tutorial, I will explain how to configure a Group Policy (GPO) to disable updates through Windows Update.
Warning
It is not recommended to disable Windows updates if you do not have a Patch Management solution.
From the Group Policy Management console, right-click on Group Policy Object and click on New 1.
Name the Group Policy 1 and click OK 2 to create the GPO.
We will now edit the group policy that we have just created, right-click on it and click on Modify 1.
Depending on the version of your ADMX files, the setting: Automatic Updates service configuration is not in the same location:
- Computer Configuration / Policies / Administrative Templates / Windows Component / Windows Update
- Computer Configuration / Policies / Administrative Templates / Windows Component / Windows Update / Manage the end user experience
Open the setting: Configuring the Automatic updates service by double-clicking.
To deactivate Windows Update updates, you must change the setting to “Disabled” 1, validate by clicking on Apply 2 then click on the OK button 3.
On many Group Policy settings, Not Configured or Disabled have the same behavior, but not for configuring updates.
The Automatic Updates Service Configuration setting has been changed to Disabled.
Close the Group Policy Editor.
Here is the overview of the GPO which allows you to disable Windows Update updates.
Now we will link the GPO so that it is applied to the computers, right-click where the GPO should be applied and click on Link an existing GPO 1.
Select GPO 1 and click OK 2.
Group Policy is linked to the Organizational Unit: Computers.
Wait while the settings are updated on the different computers in the fleet.
You can check its application on computers by looking at the applied configuration:
- Windows 10: Click on Show configured update policies
- Windows 11: Advanced options / Update policy configured.
Now you know how to disable Windows Update using Group Policy.
In this tutorial, I took Windows 10 and 11 as an example, but this also applies to Windows Server.
On the Internet, you will also find another alternative, which is to configure updates on a “fake” WSUS service, I find this solution less “clean” than this one.
