Windows Update ignoring Group Policy

Plichta, Mike 86 Reputation points
2022-05-26T21:13:34.393+00:00

Hi fellow techs,

We have Group Policy configured with automatic updates set to "disabled". Despite that, our machines are randomly installing cumulative updates, device drivers, and even upgrading to Windows 11 without consent. Every machine we check post-update has a gpresult that confirms that WU is disabled. The machines are Windows 10 21H2 after our recent in-place upgrade from 1909.

After opening a case with Microsoft, they say our GP looks solid but won't do any additional troubleshooting with 3rd party patch utilities installed. The 3rd party utility insists that they do not leverage WU components.

Windows update logs described here:

https://learn.microsoft.com/en-us/windows/deployment/update/windows-update-logs

don't seem to have human-readable information, at least as to why they are ignoring GP.

Does anyone know how to capture the source of the update trigger or when GP glitches out for a brief window?


2 answers

  1. Limitless Technology 44,776 Reputation points
    2022-05-30T07:48:05.787+00:00

    Hello

    Thank you for your question and reaching out. I can understand you are having issues with Windows updates.

    1. Please try to run the below command to check how Windows updates are configured using GPO.

    C:\> gpresult /h C:\temp\gpresult.html

    2. Please check the Windows event logs for reboot events.
    3. Please try to disable or uninstall the third-party patch utility if it's installed.
    4. Please adjust the reboot time and active hours from GPO after the patch is installed.

    --If the reply is helpful, please Upvote and Accept as answer--


  2. Plichta, Mike 86 Reputation points
    2023-06-13T17:14:07.4033333+00:00

    After months working with Microsoft, it seems like group policy blanks out the "Windows Updates disabled" registry key during a background GP refresh and Windows Update may choose to check for updates during that short interval. This can be up to a minute for VPN connected devices.

    The best workaround we have found is to delay all updates 30 days so only machines that aren't patched by the 3rd party software have a chance to get these updates. We've considered taking this out of Group Policy and setting it using SCCM with a configuration baseline policy to ensure it's never blank.

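To capture the brief window the answer above describes (the policy value disappearing during a background GP refresh), here is an added monitoring script; it is not from the thread or from Microsoft. It assumes that "Configure Automatic Updates = Disabled" is stored as NoAutoUpdate=1 under the AU policy key below, that GP processing is logged in the Microsoft-Windows-GroupPolicy/Operational channel, and uses a hypothetical output path under C:\temp.

```powershell
# Added example: poll the Windows Update policy value and log every interval in which
# it is missing, together with Group Policy event IDs from the same window.
# Assumptions: NoAutoUpdate=1 under the AU key means "automatic updates disabled",
# GP activity is in Microsoft-Windows-GroupPolicy/Operational. Run elevated.
$AuKey   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
$LogFile = 'C:\temp\wu-policy-watch.csv'   # hypothetical output path
$PollMs  = 200                             # sub-second polling to catch short gaps

function Get-AuPolicyState {
    # 'DISABLED' when NoAutoUpdate=1 is present, 'MISSING' when the value or the
    # whole key is absent (the blank window), otherwise the raw value.
    $p = Get-ItemProperty -Path $AuKey -Name NoAutoUpdate -ErrorAction SilentlyContinue
    if ($null -eq $p) { return 'MISSING' }
    if ($p.NoAutoUpdate -eq 1) { return 'DISABLED' }
    return "VALUE=$($p.NoAutoUpdate)"
}

function Get-RecentGpEventIds([datetime]$Since) {
    # Group Policy event IDs since $Since, so a blank window can be tied to a refresh.
    $ev = Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-GroupPolicy/Operational'; StartTime = $Since
    } -ErrorAction SilentlyContinue
    if ($ev) { return ($ev.Id | Sort-Object -Unique) -join ';' } else { return '' }
}

if (-not (Test-Path $LogFile)) {
    'BlankStart,BlankEnd,DurationMs,StateAfter,GpEventIds' | Set-Content $LogFile
}

$blankStart = $null
while ($true) {
    $state = Get-AuPolicyState
    if ($state -eq 'MISSING' -and $null -eq $blankStart) {
        $blankStart = Get-Date            # policy value just disappeared
    } elseif ($state -ne 'MISSING' -and $null -ne $blankStart) {
        $end = Get-Date                   # policy value is back; record the gap
        $ms  = [int]($end - $blankStart).TotalMilliseconds
        $gp  = Get-RecentGpEventIds -Since $blankStart.AddSeconds(-30)
        '{0:o},{1:o},{2},{3},{4}' -f $blankStart, $end, $ms, $state, $gp |
            Add-Content $LogFile
        $blankStart = $null
    }
    Start-Sleep -Milliseconds $PollMs
}
```

Rows whose GpEventIds column is non-empty show the gap coinciding with a policy refresh; a row with a long DurationMs on a VPN-connected device is the kind of window the answer describes.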
