Policy to not update

Is there a way to make a Windows update policy that would override other policies and stop a machine from updating? I have a few base policies that include Windows updates that I use for most machines. Once in a while I come across a machine where I want to manage the updates manually.

Currently I have a second copy of each base policy that is the same except for no Windows updates. I would like to just have one version of each base policy and then one more Updates policy that overrides any Windows updates settings coming from upstream. I could then put most devices into the base policy with most of the settings and put the device that needs to not have updates in a subfolder with the No Updates policy.

Any way to pull this off?

Windows Updates are an additive policy element, meaning they can be added to but not removed or otherwise overridden.

One thing we could consider doing would be an override like we do for antivirus where there is an option for “Disabled” in the dropdown for Windows Updates. So you’d add the Windows Update section, and then choose “Disabled.”

Would something like this solve your need?

Ah, I was afraid of that.

Yes, a Disabled option would solve my need and be much appreciated. Having an option to override inherited settings for a given category with the settings at the current level would be a nice option as well, but I don’t want to get greedy :wink:

Thanks Andy!

In some cases that would likely be difficult, like with scripts. But for this section I can definitely see how it would help. I will mention this internally.

Yes, please add the disabled option. We could then use a top-level policy to run updates (being this is the norm) and a disabled policy for those rare exceptions that a computer needs to have no updates applied.

I thought I had it working by selecting the option for Windows Update and REJECTING everything, but it seems like it still updates.