Microsoft Updates are still installing although GPO has disabled the Automatic updates

myquestforLearning 1 Reputation point
2023-04-22T15:14:07.8566667+00:00

In our environment, we are using Windows 10 20H2/21H2 Enterprise. Automatic updates and access to all other Windows Update options are disabled by Group Policy Objects. Updates are deployed via SCCM in our environment. We have noticed that on a few machines the Microsoft updates (Feature and Quality) are getting installed (snapshots of Windows Update logs are below).

[Image] [Image]

Verified that GPO is applied correctly on these machines. Also, SCCM has not pushed the updates on these machines. Came across the following scheduled tasks; history shows that they are running.

  • \Microsoft\Windows\WindowsUpdate\Scheduled Start
  • \Microsoft\Windows\UpdateOrchestrator\Schedule Scan
  • \Microsoft\Windows\UpdateOrchestrator\USO_UxBroker

Can we disable these scheduled tasks safely to stop the updates installation? Can something else also cause the automatic install? What would be the best method to centrally disable the scheduled tasks?

2 answers

  1. Limitless Technology 44,346 Reputation points
    2023-04-24T14:49:44.05+00:00

    Hi, I'd be happy to help you out with your question. Sorry for the inconvenience caused. First, disabling these tasks may have unintended consequences, so it's important to fully understand the risks before proceeding. Second, I recommend testing this on a small group of machines first to make sure it works as expected before rolling it out to the rest of your environment. With that said, here's how you can disable the scheduled tasks:

    1. Open the Task Scheduler on the affected machines.
    2. Navigate to the following paths:
       • \Microsoft\Windows\WindowsUpdate\Scheduled Start
       • \Microsoft\Windows\UpdateOrchestrator\Schedule Scan
       • \Microsoft\Windows\UpdateOrchestrator\USO_UxBroker
    3. Disable each task by right-clicking on it and selecting "Disable".
    4. To centrally disable these tasks, you can create a Group Policy Object (GPO) and apply it to the affected machines. Here's how:
       a. Open the Group Policy Management Console.
       b. Create a new GPO and name it.
       c. Navigate to Computer Configuration > Preferences > Control Panel Settings > Scheduled Tasks.
       d. Right-click on Scheduled Tasks and select "New" > "Scheduled Task (Windows Vista and later)".
       e. Give the task a name and select the "Run whether user is logged on or not" option.
       f. Under the "Triggers" tab, create a new trigger for each task you want to disable.
       g. Under the "Actions" tab, select "Delete" as the action.
       h. Under the "Settings" tab, select "Run once" and "Stop the task if it runs longer than" options.
       i. Save the GPO and apply it to the affected machines.

    If you have any other questions or need assistance with anything, please don't hesitate to let me know. I'm here to help.

    If the reply was helpful, please don’t forget to upvote or accept as answer, thank you.


  2. AllenLiu-MSFT 44,981 Reputation points Microsoft Vendor
    2023-04-25T06:44:50.1866667+00:00

    Hi, @myquestforLearning

    Thank you for posting in Microsoft Q&A forum.

    Have we enabled any WUfB policy? If so, the dual scan will be enabled automatically.

    To enable WSUS updates only, make sure that all Windows Update for Business options are set to Not Configured and that the Turn off access to all Windows Update features policy under System > Internet Communication Management > Internet Communication settings is Enabled.

    You may refer to this article for more details:

    https://petri.com/what-is-wsus-dual-scan/


    If the answer is the right solution, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Add comment".
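
The two conditions named in the answer above (no Windows Update for Business policy set, "Turn off access to all Windows Update features" enabled) and the state of the three scheduled tasks from the question can be read from an affected client with a read-only script. This is an added example, not part of the thread and not Microsoft's or Configuration Manager's own tooling; the registry value names are assumptions about where these policies are stored and should be confirmed against your ADMX templates.

```powershell
# Added example: read-only audit; it changes nothing on the client.
# Assumption: the registry value names below are where these policies are stored.
$wuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$wufbNames = 'DeferFeatureUpdates', 'DeferFeatureUpdatesPeriodInDays',
             'DeferQualityUpdates', 'DeferQualityUpdatesPeriodInDays',
             'BranchReadinessLevel', 'TargetReleaseVersion'

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    # $null means the key or value is absent, i.e. the policy is Not Configured.
    (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
}

function Get-WuPolicyAudit {
    # WUfB values that are present; the answer wants this list to be empty.
    $wufbSet = @($wufbNames | Where-Object { $null -ne (Get-PolicyValue $wuKey $_) })
    $noAccess = Get-PolicyValue $wuKey 'DisableWindowsUpdateAccess'
    [pscustomobject]@{
        Computer                   = $env:COMPUTERNAME
        WUServer                   = Get-PolicyValue $wuKey 'WUServer'
        UseWUServer                = Get-PolicyValue "$wuKey\AU" 'UseWUServer'
        DisableWindowsUpdateAccess = $noAccess
        WufbPoliciesSet            = $wufbSet -join ', '
        MatchesAnswer              = ($wufbSet.Count -eq 0) -and ($noAccess -eq 1)
    }
}

function Get-WuTaskAudit {
    # The three task paths named in the question.
    $tasks = @(
        @{ Path = '\Microsoft\Windows\WindowsUpdate\';      Name = 'Scheduled Start' }
        @{ Path = '\Microsoft\Windows\UpdateOrchestrator\'; Name = 'Schedule Scan' }
        @{ Path = '\Microsoft\Windows\UpdateOrchestrator\'; Name = 'USO_UxBroker' }
    )
    foreach ($t in $tasks) {
        $task = Get-ScheduledTask -TaskPath $t.Path -TaskName $t.Name -ErrorAction SilentlyContinue
        if (-not $task) { continue }   # task not present on this build
        $info = $task | Get-ScheduledTaskInfo
        [pscustomobject]@{
            Task = $t.Path + $t.Name; State = $task.State
            LastRun = $info.LastRunTime; LastResult = $info.LastTaskResult
        }
    }
}

Get-WuPolicyAudit | Format-List
Get-WuTaskAudit | Format-Table -AutoSize
```

Run it from an elevated session on a machine that installed updates unexpectedly and on one that did not, then compare the `WufbPoliciesSet` and `DisableWindowsUpdateAccess` fields between the two.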

