How to stop Windows Update from applying updates when using SMA for patching
We have a KACE SMA that we use to patch our Windows 10 Pro workstations (mix of VDI and Physical Laptops). We have enabled and deployed the "Windows Update Policy" in scripting that disables the Windows Update service and adjusts a few registry keys to ensure KACE is patching those devices and not Windows.
Over the past 6 months, we've noticed that the Windows Update service continues to be automatically and randomly re-enabled (despite being set to Disabled) on some systems, causing updates to be installed during business hours and affecting our operations. To try and combat this, we've set our Windows Update Policy script to run every day to try and catch those systems that have had their Windows Update service re-enabled before it actually tries to install updates, but even that has not been enough and we've had a number of systems continue to receive and apply updates since doing that.
Has anyone else observed this in their environment? We would appreciate any suggestions or tips that anyone might have to stop Windows Update from applying updates outside of our patching schedule in KACE.
since the systems go back to "enabled", some scripts or GPO seem to run to enable this.
You should check this as first and disable all of these scripts and GPO.
And then run the disable-Script regulary (at best at every check in) just to be sure.