Microsoft Automatic Updates - Windows 10

In our environment we primarily use BigFix for patching our endpoints, but we also allow users to get updates directly from the Windows Update site.

Microsoft recently started to “strongly encourage” Windows 10 to users (even ones on the domain) by making it the main update that you see when going to the Windows Update site. Even if you ignore the banner for Windows 10 and look at the additional updates, they automatically select the “optional” update for Windows 10 while deselecting all the other updates.

Since we have users that have configured themselves for automatic updates, we found that about 25% of the environment has the two specific KB articles installed (KB2952664 and KB2976978). The fear is that just uninstalling the KBs will be useless since the machines are configured for Windows Update (or the users install them again).

Has anyone else seen this and have an approach to handle these machines? The answer of using a GPO to stop users from automatic updates/removing admin access from users is not going to fly in this environment.

You should be able to set a registry key or use a Local GPO to block specific updates from appearing in Windows Update without the need to block Windows Update completely.

From some quick research, it seems like you need to use something to interact with the Windows Update API to hide the updates:

Related:

In this KB (https://support.microsoft.com/en-us/kb/3080351), Microsoft provides details covering registry modifications to block the Windows upgrade and system tray notifications, and I suspect a fixlet could be crafted to make these registry modifications.

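The two approaches suggested in the replies above (hiding updates through the Windows Update API, and the registry modifications from KB3080351), combined in one script as an added example that is not part of the original posts. The KB numbers are the two from the original post; the value names `DisableOSUpgrade` and `DisableGwx` are the ones documented in KB3080351 and are not quoted in the thread. It assumes an elevated session on the endpoint.

```powershell
# Added example, not code from the thread. Run from an elevated PowerShell session.
# KB numbers are the two named in the original post.
$kbIds = '2952664', '2976978'

# 1) Policy values documented in KB3080351 (names are not quoted in the thread):
#    block the OS upgrade offer in Windows Update and the "Get Windows 10" tray app.
$policies = @(
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'; Name = 'DisableOSUpgrade' },
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Gwx';           Name = 'DisableGwx' }
)
foreach ($p in $policies) {
    if (-not (Test-Path $p.Path)) { New-Item -Path $p.Path -Force | Out-Null }
    New-ItemProperty -Path $p.Path -Name $p.Name -Value 1 -PropertyType DWord -Force | Out-Null
}

# 2) Hide the two KBs through the Windows Update Agent COM API so they are no
#    longer offered. Only updates that are not installed can be hidden, so on
#    machines that already have them, uninstall first and then run this step.
$session  = New-Object -ComObject Microsoft.Update.Session
$searcher = $session.CreateUpdateSearcher()
$result   = $searcher.Search('IsInstalled=0 and IsHidden=0')

foreach ($update in $result.Updates) {
    $hit = $false
    foreach ($kb in $update.KBArticleIDs) {
        if ($kbIds -contains $kb) { $hit = $true }
    }
    if (-not $hit) { continue }

    try {
        # IsHidden is writable only for administrators and not for mandatory updates.
        $update.IsHidden = $true
        Write-Output "Hidden: $($update.Title)"
    } catch {
        Write-Warning "Could not hide '$($update.Title)': $($_.Exception.Message)"
    }
}
```

A superseding revision of either update is offered as a new update and is not covered by an earlier hide, so the hiding step needs to be re-run on a schedule.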