How to stop Windows Update from applying updates when using SMA for patching

We have a KACE SMA that we use to patch our Windows 10 Pro workstations (mix of VDI and Physical Laptops). We have enabled and deployed the "Windows Update Policy" in scripting that disables the Windows Update service and adjusts a few registry keys to ensure KACE is patching those devices and not Windows.

Over the past 6 months, we've noticed that the Windows Update service continues to be automatically and randomly re-enabled (despite being set to Disabled) on some systems, causing updates to be installed during business hours and affecting our operations. To try and combat this, we've set our Windows Update Policy script to run every day to try and catch those systems that have had their Windows Update service re-enabled before it actually tries to install updates, but even that has not been enough and we've had a number of systems continue to receive and apply updates since doing that. 

Has anyone else observed this in their environment? We would appreciate any suggestions or tips that anyone might have to stop Windows Update from applying updates outside of our patching schedule in KACE. 

0 Comments   [ + ] Show comments

Answers (1)

Posted by: Nico_K 3 years ago
Red Belt

since the systems go back to "enabled", some scripts or GPO seem to run to enable this.
You should check this as first and disable all of these scripts and GPO.
And then run the disable-Script regulary (at best at every check in) just to be sure.

This website uses cookies. By continuing to use this site and/or clicking the "Accept" button you are providing consent Quest Software and its affiliates do NOT sell the Personal Data you provide to us either when you register on our websites or when you do business with us. For more information about our Privacy Policy and our data protection efforts, please visit GDPR-HQ