none
Official method to Disable Auto Update on LTSB on Windows 10 RRS feed

  • Question

  • We want to turn off all Auto updating on Windows 10 LTSB. We are a medical device manufacter and the product is Windows based. We absolutley can't have any updates that are not qualified and tested so we are forced into a manual update scheme. I have read lots of ways to do this including registry hacks, policy changes, dummy WSUS servers etc. What I am looking for is the Official Microsoft solution to stop LTSB from updating. Given the criticality of the product (it directly touches patients), we need to have a solution that is supported and won't break in the future.

    On Windows Server 2016 it seems that you can simply do it by changing HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\Au\NoAutoUpdate to 1 (Manual). This seems to work and I found this when I traced what Sconfig does but there is no Sconfig for W10. I also noticed that this same setting was set if you Disable the Local GPO Admin Templates\Windows Components\Windows Update\Configure Automatic Updates.

    Right now the only thing official I can find is in the text of the GPO is says "If the status of this policy is set to Disabled, any updates that are available on Windows Update must be downloaded and installed manually. To do this, search for Windows Update using Start". That sounds pretty definitive. Am I missing something or is really that simple? If this is the settings it would be nice if MS would update the text and say which versions this applies to. My understanding is that non-LTSB W10 does not honor this setting (If it did you would be able to easily bypass updating).

    Thanks


    Roger

    Tuesday, February 28, 2017 7:54 PM

Answers

  • Hi WaukeshaGeek,

    Try the following gpo:
    Administrative Templates | System | Internet Communication Management | Internet Communication Settings|Turn off access to all Windows Update features

    The security updates will fix the potential security leaks. To ensure the safety of the system, it is not recommended to disable the updates.

    Best regards


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    • Marked as answer by WaukeshaGeek Friday, March 3, 2017 7:26 PM
    Friday, March 3, 2017 9:00 AM
    Moderator

All replies

  • Log a support case. Get an official support statement.

    if you are manufacturing a product, particularly a health/medical product, using LTSB, you don't want to be relying on us non-official non-MSFT community people, methinks.


    Don [doesn't work for MSFT, and they're probably glad about that ;]

    Tuesday, February 28, 2017 8:14 PM
  • Hi WaukeshaGeek,

    Do you have a WSUS server?

    For Windows 10 LTSB version, it will only get security updates and the functional updates won`t be available for this version. The security updates will fix the potential security leaks. To ensure the safety of the system, it is not recommended to disable the updates.

    If you are using WSUS server, we could control the updates from the WSUS server. We could test those updates before we deployed them.

    For Windows 10, the updates are forced and this is a new rule for Windows 10. But Windows Update won`t be downloaded from a metered network. We could configure the network as "metered" network as a workaround to disable updates.

    Best regards


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Wednesday, March 1, 2017 1:30 AM
    Moderator
  • No WSUS server. This is a product we sell so it will be in a customer location. You can't guarantee all customers will have WSUS. The only thing you can guarantee is that they will (likely) be all different. Also we can't allow even untested security updates. The customer cannot apply fixes of any sort before they are validated as the device is FDA certified.

    As an aside I did some testing and it appears that you can simply stop the updates by configuring the group policy:  

      Administrative Templates\Windows Components\Windows Update\Configure Automatic Updates  Disabled

    It even says this when you read the text. This is turns the Updates to Manual and it appears that it honors it -- even on W10 Pro!!

    Try this experiment. Build 2 test machines off the network. Set the policy on one of the machines. Put them on the network. Leave them sit for a day. The next day the one without the policy set will have updates. The other one won't.

    This does not prevent you from requesting updates. The Check for Updates button is still there but you have to click on it to get the updates.


    Roger


    Thursday, March 2, 2017 8:49 PM
  • Hi WaukeshaGeek,

    Try the following gpo:
    Administrative Templates | System | Internet Communication Management | Internet Communication Settings|Turn off access to all Windows Update features

    The security updates will fix the potential security leaks. To ensure the safety of the system, it is not recommended to disable the updates.

    Best regards


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    • Marked as answer by WaukeshaGeek Friday, March 3, 2017 7:26 PM
    Friday, March 3, 2017 9:00 AM
    Moderator
  • Can the product not be disconnected from the network? This sounds like a use case for a Linux-based system, where you could easily disable all updates, even mount the OS partition as read-only, automatically restore to a snapshot, etc. However it is usually more work to reach the same end-user quality in Linux.
    Monday, April 2, 2018 12:49 PM