Any membre of local administrator group is able and uninstall or install an update and a software in a member machine. So to block this permission , you have to remove Domain users from local administrators group on target machines.
You can using Group Policy Preference to control the membre of local administrators group on target machines as mentioned in the link below :
Using Group Policy Preferences to Manage the Local Administrator Group
Please don't forget to accept helpful answer