Best Practice: Windows Automatic Updates

Version 5



    The purpose of this document is to explain the best practices for Windows Automatic Update configuration in a Shavlik environment.





    When Windows Automatic Update is configured to check for updates, even if it is not configured to download or install them, it can cause slow deployments with Shavlik.





    A. Set Automatic Updates to "Never check for updates".


    a. Configure settings at the local computer level.


    Go to Control Panel > All Control Panel Items > Windows Update > Change settings and choose "Never check for updates (not recommended)" then hit OK.




    b. Disable Automatic Updates through GPO.


    1. Click Start, and then click Run.

    2. Type gpedit.msc, and then click OK.

    3. Expand Computer Configuration > Administrative Templates > Windows Components > Windows Update.

    4. Select Configure Automatic Updates, choose Disabled, and hit Ok.

    5. As GPO updates every 90 minutes, you can force this update to take effect by running the command gpudate /force.


    Windows Update.PNG


    More information on this process can be found in Configure Automatic Updates using Group Policy.


    B. Stop the Windows Update Service and set the service to Manual.  (The service will start as needed)


    C. Make sure you don't have a custom location setting for "Specify intranet Microsoft updater service location".  This is set in in Group Policy Object Editor, expand Computer Configuration, expand Administrative Templates, expand Windows Components, and then click Windows Update and remove this setting.


    Additional Information


    Methodology has changed in Windows 10 build 1511, 1607, and 1703. To disable Windows Automatic Updates for Windows 10 Build 1607 and 1703 click here.


    Microsoft has reverted back to the methodology in this document with Windows 10 build 1709


    Affected Product(s)


    All Windows OS with the exception of Window 10 build 1511, 1607, and 1703