Wsus disable online check gpo and prevent from updates

Question

Hi Everyone

How to do that:

All our computers (windows 10) uses WSUS as a default update server and that is ok for us.
To prevent users from checking online updates when they are outside the company we set gpo :

• Computer Configuration/Administrative Templates/System/Internet Communication Management/Internet Communication settings
  Turn off access to all Windows Update features = Enabled

But crucial for us is to how modify wsus gpo to achieve:

when user is outside the company then can check updates, download and install(security, important) but not to get and install "big" updates like version updates (1903>recent 20H2)

thx

Answer 1

Hi GracjanPodcki-6418,

Thanks fr your posting on Q&A.

It is recommended to apply the below policy to see whether this issue will be resolved or not:
[Select when Preview Builds and Feature Updates are received]
Path: Computer Configuration\Administrative Templates\Windows Components\Windows update\Windows Update for business

Reference picture:

We could test it on a tested computer first. If the policy work normally, we could apply on the all domain.

If there are any feedbacks about this solution, please keep us in touch.

Regards,
Rita

---

If the response is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

Answer 2

Hi

Thx for advice but one question
If i exclude machine from wsus company policy and add machine to this policy above
Does my computer would be allowed to download and install other updates automatically?