Disabling Windows Update

Using a graphical user interface

  1. Open the Group Policy Management Console.
  2. In the left pane, navigate to the GPO you want to modify.
  3. Right-click the target GPO and select Edit.
  4. In the left pane of the Group Policy Object Editor, expand User Configuration Administrative Templates Start menu and Taskbar.
  5. In the right pane, double-click Remove links and access to Windows Update (for Windows Server 2003) or Disable and Remove Links to Windows Update (for Windows 2000).
  6. Select Enable and click OK.


Using a command-line interface

To disable Windows Update for all users who haven’t logged in previously, run the following command:

> reg add HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /t

REG_DWORD /v NoWindowsUpdate /d 1

To disable Windows Update for the user who is currently logged on, run the following command:

> reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /t REG_

DWORD /v NoWindowsUpdate /d 1

Using VBScript

' This code disables Windows Update in the .Default profile.

' ------ SCRIPT CONFIGURATION ------

strComputer = "."

' ------ END CONFIGURATION ---------

const HKEY_USERS = &H80000003

strKey = ".DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"

set objReg=GetObject("winmgmts:\\" & strComputer & "\root\default:StdRegProv")

objReg.SetDwordValue HKEY_USERS, strKey, "NoWindowsUpdate", 1

WScript.Echo "Windows Update disabled in .Default profile"

If you are using SUS or some other patch management system to distribute updates to your client-base, you may not want your clients accessing the Microsoft Windows Update site (http://windowsupdate.microsoft.com/). One of the reasons to use something like SUS is so your users don’t have to download the same updates over the Internet from Microsoft. If you leave Windows Update turned on, there is nothing to prevent them from doing it.

Fortunately, there is an easy way to disable it. You can use Group Policy to force the change to apply across a group of users (the Windows Update disablement settings are available only in the User Configuration section of a GPO). Or you can use the command-line or VBScript solutions to disable it via a login script or manually if need be.

Once this setting is in effect, a user will not see the Windows Update link in the Start Menu or Internet Explorer, and if the user attempts to access the Windows Update site, he will get a message indicating that Windows Update has been disabled for his computer.