For an isolated, no‑internet environment that must preserve a specific Windows 11 build and use only local accounts, the solution is to control Windows Update behavior via Group Policy and/or registry, and to manage updates offline on your own schedule.
Key points from the available guidance:

- Disable end‑user access to the Windows Update UI
  - Use Group Policy so users cannot manually trigger feature updates. On Windows 11, open `gpedit.msc` and configure `Computer Configuration > Administrative Templates > Windows Components > Windows Update > Manage end user experience > Remove access to use all Windows update features`. Set this policy to Enabled.
  - This blocks the Settings UI (“Check for updates”), but background scans/installations still follow whatever servicing policy is configured.
- Completely turn off Windows Update (if required by configuration management)
  - If the servicing strategy is to freeze a specific build, Windows Update can be disabled entirely, either via Group Policy as described in the IoT/locked‑down guidance, or via the documented registry approach for “Completely Turn Off Windows Updates”.
  - When this is done, the device will not receive updates from Microsoft or from other machines on the local network. This is appropriate only if there is a separate, well‑designed servicing strategy (for example, capturing and re‑deploying a known‑good image of the build environment when needed).
  - The documentation explicitly warns that disabling Windows Update leaves devices vulnerable if they are not updated in another way, but in a physically isolated skiff with no internet and tightly controlled media, this risk is mitigated by physical and procedural controls.
- Use local accounts securely in the skiff
  - Local accounts are fully supported and are the correct model for a disconnected environment. They are defined and scoped to the device only and do not provide network resource access by default.
  - For administrative local accounts, apply the recommended hardening:
    - Enforce UAC and Admin Approval Mode for the built‑in Administrator account under `Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options`:
      - User Account Control: Admin Approval Mode for the Built-in Administrator account = Enabled
      - User Account Control: Run all administrators in Admin Approval Mode = Enabled
    - Ensure the default remote‑access restriction for local accounts is enforced. Registry key: `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System`, value `LocalAccountTokenFilterPolicy` (DWORD) = 0
  - These settings ensure local admin credentials are not silently reused for remote administration and that elevation is explicit, which is important even on an internal, air‑gapped network.
- Plan a servicing strategy that preserves the build
  - For configuration management, treat the Windows build as part of the product baseline:
    - Capture and store a reference image of the exact Windows 11 version and configuration used to build the deliverables.
    - When the environment must be recreated, deploy that image to hardware in the skiff instead of allowing the machine to update in place.
  - The IoT/locked‑down guidance explicitly supports scenarios where all Windows Update features are disabled, provided there is a separate servicing strategy. That model aligns with a controlled build environment where reproducibility is more important than automatic patching, and where physical isolation mitigates internet‑borne threats.
In combination, these measures prevent forced feature upgrades, keep the system on the required Windows 11 build, and allow secure use of local accounts in a no‑internet skiff, while still following Microsoft’s documented methods for disabling or tightly controlling updates.
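As an added example (not taken from the Microsoft documentation referenced above), the following PowerShell script audits the policy settings listed above on a Windows 11 host and flags drift from the frozen build, so the baseline can be re-verified after any offline media is introduced. It assumes the standard registry values behind the two UAC policies (`FilterAdministratorToken`, `EnableLUA`) and the Windows Update access policy (`SetDisableUXWUAccess`), which the page does not list, and uses a placeholder for the expected build number.

```powershell
# Read-only baseline audit for the locked-down Windows 11 build environment.
# Run from an elevated PowerShell session; nothing is modified.

# Placeholder: replace with the CurrentBuild of the approved reference image.
$ExpectedBuild = '<APPROVED_BUILD_NUMBER>'

# Registry mappings for the UAC and WU-access policies are assumed from the
# standard ADMX mappings; LocalAccountTokenFilterPolicy is as given above.
# DefaultOk = $true means the OS default (value absent) already satisfies the check.
$Checks = @(
    @{ Name = 'Remove access to use all Windows Update features'
       Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
       Value = 'SetDisableUXWUAccess'; Expected = 1; DefaultOk = $false },
    @{ Name = 'UAC: Admin Approval Mode for the Built-in Administrator account'
       Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
       Value = 'FilterAdministratorToken'; Expected = 1; DefaultOk = $false },
    @{ Name = 'UAC: Run all administrators in Admin Approval Mode'
       Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
       Value = 'EnableLUA'; Expected = 1; DefaultOk = $false },
    @{ Name = 'Remote token filtering for local accounts'
       Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
       Value = 'LocalAccountTokenFilterPolicy'; Expected = 0; DefaultOk = $true }
)

function Test-SkiffBaseline {
    foreach ($c in $Checks) {
        # Missing key or value yields $null rather than an error.
        $actual = (Get-ItemProperty -Path $c.Path -Name $c.Value -ErrorAction SilentlyContinue).($c.Value)
        $ok = if ($null -eq $actual) { $c.DefaultOk } else { $actual -eq $c.Expected }
        [pscustomobject]@{
            Setting  = $c.Name
            Actual   = if ($null -eq $actual) { '<absent>' } else { $actual }
            Expected = $c.Expected
            Status   = if ($ok) { 'OK' } else { 'DRIFT' }
        }
    }

    # Confirm the host is still on the frozen build (CurrentBuild + UBR = patch level).
    $ver = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    [pscustomobject]@{
        Setting  = 'Windows build (CurrentBuild.UBR)'
        Actual   = "$($ver.CurrentBuild).$($ver.UBR)"
        Expected = $ExpectedBuild
        Status   = if ($ver.CurrentBuild -eq $ExpectedBuild) { 'OK' } else { 'DRIFT' }
    }
}

$report = Test-SkiffBaseline
$report | Format-Table -AutoSize
if ($report.Status -contains 'DRIFT') { Write-Warning 'Baseline drift detected; compare against the reference image.' }
```

Any DRIFT row indicates a policy was reverted or the build moved, which is the signal to redeploy the reference image rather than update in place.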
References: