Disable Windows Update service using Intune

Patrick Mor 46 Reputation points
2022-10-13T14:16:50.82+00:00

Hi all,

I have the Windows Update workload enabled in Intune and working on all computers via an Update Ring I created and assigned to the all devices group.

Now I want to disable Windows update only for a set of computers.

So, I created this group, NO UPDATE DEVICES... I added it as the Exclude Group option on the Update Ring.

But I want to have a more restricted configuration too, like creating a Configuration Profile and assigning it to the NO UPDATE DEVICES group, just as a guarantee.

Please, how can I create a Configuration Profile to disable the Windows Update service? See, I want to disable the service, not stop it.

Microsoft Intune
A Microsoft cloud-based management solution that offers mobile device management, mobile application management, and PC management capabilities.

6 answers

  1. Patrick Mor 46 Reputation points
    2022-10-14T10:43:56.35+00:00

    Hi Jason. My requirement is:

    • I am using Intune to install Windows Updates on all my desktops in the company.
    • I have a group of computers that I need to prevent from installing any updates.
    • I created a group in Intune with all these computers (assigned members).

    Now I want to create a Configuration Profile or something like that to prevent these computers from installing updates.

    I don't like to use GPO to control this behavior, I would like to centralize all settings in Intune.


  2. Patrick Mor 46 Reputation points
    2022-10-14T18:32:37.883+00:00

    Jason, I have a group of computers which, based on my business requirements, I cannot update. I need to prevent, in any way, using Intune, this group from receiving updates from Intune.

    It is a business requirement.

    My intention is to centralize all that I can in Intune... if Intune can be used in some way to avoid this group being updated, good.

    If not, I will consider that Intune cannot do that and I will keep using AD GPO to do that.

    I just have a technical question:

    Please, how can I create a Configuration Profile to disable the Windows Update service? See, I want to disable the service, not stop it.


  3. Jason Sandys 31,196 Reputation points Microsoft Employee
    2022-10-13T18:49:29.017+00:00

    There's nothing built in for this. Not having an update ring assigned won't prevent Windows Updates from being automatically installed on a device; the device will simply use default behavior, which is to install them as soon as they are released.

    What's the scenario here and what specifically is causing you to not want your devices to be secure?


  4. Jason Sandys 31,196 Reputation points Microsoft Employee
    2022-10-14T15:58:12.7+00:00

    Sorry, going to push back, that's not a/the scenario, that's what you've done to try to address the scenario. A scenario defines or explains why you are performing the actions; i.e., why you need or want to flip these knobs, switches, etc.


  5. Jason Sandys 31,196 Reputation points Microsoft Employee
    2022-10-17T17:34:23.427+00:00

    "It is a business requirement."

    Why? That's what I'm getting at. Who in the business is requiring this and why? I'm not in any way questioning whether they should or shouldn't be requesting this of you, just want to know why they are. Knowing the "why", the scenario that is leading you to want to make this configuration, is valuable.

    As noted above, there is nothing built-in to explicitly disable all updates. The bottom line here is that we don't want you to do this as it introduces risk (a lot of risk) so we don't provide any true controls for this. The most you can do is defer them for a period of time. You can stop feature updates using a feature update policy which sets a maximum level you want the targeted systems to be on, but you can't explicitly do this for quality updates. You could pause updates on these devices repeatedly (for up to 35 days at a time), but without knowing the full story here of why, what the goals are, when you do plan on updating them, etc., I can't say if this would fulfill the requirements.