We have a Group Policy in place that's intended to keep users from downloading updates except from our WSUS server. The policies include:
- Allow Automatic Updates immediate installation: Disabled
- Allow non-administrators to receive update notifications: Disabled
- Allow signed updates from an intranet Microsoft update service location: Enabled
- Configure Automatic Updates: Enabled
- Configure automatic updating: Auto download and schedule the install
Scheduled install day: 0 - Every day
Scheduled install time: 03:00 - No auto-restart with logged on users for scheduled automatic updates installations: Enabled
- Specify intranet Microsoft update service location: Enabled
Set the intranet update service for detecting updates: https://[WSUSserver]:[port]
Set the intranet statistics server: https://[WSUSserver]:[port] (same as previous) - Turn on recommended updates via Automatic Updates: Enabled
- Turn on Software Notifications: Disabled
These appear to work when the systems are connected to the domain. However, some of these are laptops, and when they are removed from our premises and returned, they come back with updates that aren't approved by our WSUS server. The most blatantly obvious example would be that we are still running Internet Explorer 9 and have not approved updates for later versions (don't ask); however, a user that has just returned from a week-long vacation somehow has Internet Explorer 11 on his system.
Presumably the system forgets this computer-based group policy when it's not connected directly to the domain for whatever reason. Has anyone else had this issue before, and does anyone know how to resolve it?