Disable the group policy allowing the notification to non-admins:
Computer Configuration > Administrative Templates > Windows Components > Windows Update > Allow non-administrators to receive update notifications
But, this behavior is the default - so either someone's specifically enabled this policy in the past, or the users are admins?
Yes, absolutely, this is the very foundation of Group Policy hierarchy. Group Policies are applied in the following order:
- Local Group Policy (Based on the client machine - this is not connected to your AD Group Policy)
- Site Level Policies
- Domain Level Policies
- OU Level Policies
Within each of the latter 3, each 'level' can have multiple GPO's and their order is decided by the system administrator. This is called the "link order" and the lowest number is processed last, which means that policy has the final say.
OU policies are applied starting at the "root", and then downwards, if that makes sense.
Here is some good reading on the subject:
http://technet.microsoft.com/en-us/library/cc785665(v=ws.10).aspx
With regards as to what to actually do with the individual GPO, well that kind of depends on the policy itself, but generally, they have the following three options:
- Enabled
- Disabled
- Not Configured
And all that happens is that the very last policy to execute will have the final 'say' on what the final setting with. With the exception of 'Not Configured' where no changes are made. 'Not configured' is the default for all options within Group Policy when you create a new GPO.
So, if your current policy has a setting that is "Enabled", you need to create a GPO with the same setting "Disabled".
Best Answer
The documentation says that the program is installed when the computer starts.
Deploying a software via GPO (especially if you need to update it on a regular basis) is not a best practice.
You should consider using something like SCCM. However, if you have very few applications to deploy, you can still use GPO, in that case you can create a scheduled task and start you own powershell to perform the upgrade.
Here is a walkthrough that can help you creating a scheduled task via GPO: https://blogs.technet.microsoft.com/kaushika/2015/04/26/the-startup-script-is-dead/
based on you needs, you can create an Immediate Task instead (it's a scheduled task that will run as soon as possible on client computers) and check "Apply once and do not reapply" (available in the "Common" tab).