SOLVED: Easy GPO To Configure Windows Updates

We often take on new clients who do not have Windows Update configured with a group policy. While it’s quite simple to set up, it’s always nice to have some instructions and screenshots, so here they are:



1. Configure Windows Update to Download but Not Install

  1. Open the Group Policy Management Console (GPMC) on a Domain Controller
  2. Navigate to Computer Configuration > Administrative Templates > Windows Components > Windows Update
  3. Find and double-click on Configure Automatic Updates.
  4. Set it to Enabled
  5. In the options, select 3 – Auto download and notify for install
    • Of course you could choose 4 – Download and Install if you want to automate the downloads, installs and reboots, but we just want the files downloaded, not installed
  6. Click Apply and OK

2. Install Other Microsoft Updates

  1. In the Group Policy Management Console (GPMC), navigate to Computer Configuration > Administrative Templates > Windows Components > Windows Update
  2. Find and double-click on Configure Automatic Updates
  3. Set it to Enabled
  4. In the options, check the box for Install updates for other Microsoft products
  5. Click Apply and OK

3. Enable Delivery Optimization from All Machines on the LAN

What is Delivery Optimization?

Delivery Optimization vastly improves the efficiency of downloading updates because it allows your computers to download the files from other machines on your local LAN as well as from Microsoft; it is a peer-to-peer (P2P) system. This dramatically decreases the demand on a WSUS server (if you are using one) or the amount of data being pulled from the internet, while massively increasing the speed of transfer: a server that needs a patch will get a small part of the patch from potentially dozens of other computers on your network without impacting performance on those machines at all.

I am certain there are some places where Delivery Optimization should not be used, but I have never run into an organization that did not benefit from it. It is rock solid and just plain better than trying to pull from the Microsoft Content Delivery Network.

GPO To Enable Delivery Optimization

Note that Windows Server 2016 supports Delivery Optimization, but there are no GUI settings that show it. Delivery Optimization is visible in Server 2019, 2022 and 2025, as well as Windows 10 and Windows 11.

  1. In the Group Policy Management Console (GPMC), navigate to Computer Configuration > Administrative Templates > Windows Components > Delivery Optimization
  2. Find and double-click on Download Mode
  3. Set it to Enabled
  4. In the options, select LAN (2) to enable Delivery Optimization from all machines on the LAN
  5. Click Apply and OK

These settings will ensure that Windows updates are downloaded but not installed automatically, Delivery Optimization is enabled for all machines on the LAN, and other Microsoft updates are installed.
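
To confirm on a client that the three settings above have actually applied, the following PowerShell check reads the policy registry values they write. It is an added example, not part of the original post; the registry paths and value names (NoAutoUpdate, AUOptions, AllowMUUpdateService, DODownloadMode) are the ones used by Microsoft's administrative templates and do not appear on this page.

```powershell
# Added example (not from the original post). Run on a client after `gpupdate /force`.
# Registry paths and value names are those of Microsoft's policy templates.
$au = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
$do = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization'

# The number shown in parentheses in the Download Mode drop-down is the stored value.
$doModes = @{ 0 = 'HTTP only'; 1 = 'LAN'; 2 = 'Group'; 3 = 'Internet'; 99 = 'Simple'; 100 = 'Bypass' }

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or value is missing, i.e. the policy has not applied.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name }
}

$checks = @(
    @{ Setting = 'Configure Automatic Updates is Enabled'
       Path = $au; Name = 'NoAutoUpdate'; Ok = { param($v) $v -eq 0 } },
    @{ Setting = '3 - Auto download and notify for install'
       Path = $au; Name = 'AUOptions'; Ok = { param($v) $v -eq 3 } },
    @{ Setting = 'Install updates for other Microsoft products'
       Path = $au; Name = 'AllowMUUpdateService'; Ok = { param($v) $v -eq 1 } },
    # 1 (LAN) and 2 (Group) both keep peer-to-peer transfers on the internal network.
    @{ Setting = 'Delivery Optimization Download Mode'
       Path = $do; Name = 'DODownloadMode'; Ok = { param($v) $v -in 1, 2 } }
)

$results = foreach ($c in $checks) {
    $value = Get-PolicyValue -Path $c.Path -Name $c.Name
    $shown = if ($null -eq $value) {
        '<not set>'
    } elseif ($c.Name -eq 'DODownloadMode') {
        "$value ($($doModes[[int]$value]))"   # decode the mode number to its name
    } else { "$value" }
    [pscustomobject]@{
        Setting = $c.Setting
        Value   = $shown
        Pass    = ($null -ne $value) -and [bool](& $c.Ok $value)
    }
}

$results | Format-Table -AutoSize
if ($results.Pass -contains $false) {
    Write-Warning 'One or more settings have not applied; check GPO link and scope with gpresult /r.'
}
```

A value of `<not set>` means the GPO has not reached that machine, which usually points to the GPO not being linked to the OU that holds the computer account.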


Published by
Ian Matthews