Disable Windows Update while allowing the Windows Store?

New Contributor

 We set up public computers for use in a library while giving patrons access to administrator rights like installing their own programs. Is it possible to disable Windows Update but allow the Windows Store to still function?

6 Replies
Using policies, yes. You need to allow access to the Windows Update servers in order to access the store apps themselves, since the app files are located on WU. But there are separate policies for allowing access to the Windows Store and for allowing (or disabling) access to Windows Update.

A few years ago, the only way to fully disable Windows Update on Windows 10 was to disable the Windows Update Service which stops you from using the Store. The only options available outside of that was for deferring updates. This doesn't work for what we're trying to do.

Is it now or will it soon be possible to allow Delivery Optimization (WUDO) to work for the Windows Store, but not interfere with WSUS/ConfigMgr?

concrete settings (for comination of all three requirements), means "access to windows update servers" AND disable windows update (means disable WUB too) AND "give access to the windows store"?

 

And as I assume, if there are no update mechanism enabled at all, BuiltIn Apps and those downloaded from the Windows Store will still be functional?

 

Out of curiosity, why would you want to give the public admin rights on public devices? How can you possibly secure that?

 

First things first, if you give everyone admin rights, then you can't effectively do anything with policy - the admin can just turn the policy off, since they're the admin. Trying to prevent an admin from doing anything is a losing proposition.

 

Second, blocking updates seems strange - with the recent WannaCrypt attack, we saw the damage that can be done by not running updates. Is the intent instead to gate updates through something like WSUS so you can stage them, or just not update them at all?

 

I'm really confused by the scenario. Normally, for public computers folks are looking for ways to restore to a known state and provide as much security as is reasonable (understanding that physical access trumps all, per the 10 immutable laws of security).

We secure it with Winselect and Deep Freeze. Obviously, this is not completely secure but I just do what my boss tells me.