Disable Automatic Updates?

[Walt McKinney]

Question:
Is there a way to disable a users ability to do automatic updates? We are
looking into purchasing a software application to assist us in rolling out
updates that we specify, but we want to be able to disallow standard users
from being able to do this.

Also, if a user is defined as a local machine administrator, is there a
'back door' method for network administrators to turn this ability off?

Thanks,
Walt
(e-mail address removed)

 

[Mario MCSEMCSA]

you can do everything you want from the following link.
and its all free.

http://www.microsoft.com/windowsserversystem/sus/default.ms
px

let me know how you make out
(e-mail address removed)

 

[Walt McKinney]

Oops. The link takes me to a page that says:

We're sorry, but there is no Microsoft.com Web page matching your entry. It
is possible that you typed the address incorrectly, or that the page no
longer exists. You may wish to try another entry or to use the links below,
which we hope will help provide you with the information you need.

Walt

 

[Roger Abell]

That link was broken by line-wrapping. Try
http://www.microsoft.com/windowsserversystem/sus
It has been announced that Sus v2, projected for later this
year, will be able to update more than just the OS (i.e. Office)

If you allow someone to be a local admin then they will be
able to do whatever they wish as long as it is within the
limits imposed by Active Directory group policy.

The Windows Update client, called Automatic Update service
in the services listing, can be disabled using GPO, and there are
other policies available that impact the scheduled use of Windows
Update. However, other than control at your proxy, there is nothing
that prevents a user from opening a browser and going to the Windows
Update site.

 

[Walt McKinney]

Thanks for the info!

Walt

That link was broken by line-wrapping. Try
http://www.microsoft.com/windowsserversystem/sus
It has been announced that Sus v2, projected for later this
year, will be able to update more than just the OS (i.e. Office)

If you allow someone to be a local admin then they will be
able to do whatever they wish as long as it is within the
limits imposed by Active Directory group policy.

The Windows Update client, called Automatic Update service
in the services listing, can be disabled using GPO, and there are
other policies available that impact the scheduled use of Windows
Update. However, other than control at your proxy, there is nothing
that prevents a user from opening a browser and going to the Windows
Update site.

 

[Torgeir Bakken (MVP)]

That link was broken by line-wrapping. Try
http://www.microsoft.com/windowsserversystem/sus
It has been announced that Sus v2, projected for later this
year, will be able to update more than just the OS (i.e. Office)

SUS v2 is going to be called WUS. More about WUS in the
"Windows Update Services Data Sheet" document found here:

http://www.microsoft.com/windowsserversystem/sus/wusbeta.mspx

[snip]
However, other than control at your proxy, there is nothing
that prevents a user from opening a browser and going to the Windows
Update site.

Actually, there is a GPO/registry setting that will disable the
functionality at the Windows Update site (but SUS/Automatic Update
will still work):


Group Policy:
"Disable and remove links to Windows Update" under
User Configuration\AdministrativeTemplates\Start Menu & Taskbar

In registry:
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoWindowsUpdate"=dword:00000001


After setting this, links to Windows Update in the menu will disappear,
and if you manually browse to the Windows Update site, the Web page
will display something like this:

"Access Denied...Network Policy Settings prevent you from using Windows
Update to download and install updates on your computer."

 

[Walt McKinney]

Perfect! Thank you.

Walt

That link was broken by line-wrapping. Try
http://www.microsoft.com/windowsserversystem/sus
It has been announced that Sus v2, projected for later this
year, will be able to update more than just the OS (i.e. Office)

SUS v2 is going to be called WUS. More about WUS in the
"Windows Update Services Data Sheet" document found here:

http://www.microsoft.com/windowsserversystem/sus/wusbeta.mspx

[snip]
However, other than control at your proxy, there is nothing
that prevents a user from opening a browser and going to the Windows
Update site.

Actually, there is a GPO/registry setting that will disable the
functionality at the Windows Update site (but SUS/Automatic Update
will still work):


Group Policy:
"Disable and remove links to Windows Update" under
User Configuration\AdministrativeTemplates\Start Menu & Taskbar

In registry:
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explor
er]
"NoWindowsUpdate"=dword:00000001


After setting this, links to Windows Update in the menu will disappear,
and if you manually browse to the Windows Update site, the Web page
will display something like this:

"Access Denied...Network Policy Settings prevent you from using Windows
Update to download and install updates on your computer."


--
torgeir, Microsoft MVP Scripting and WMI, Porsgrunn Norway
Administration scripting examples and an ONLINE version of
the 1328 page Scripting Guide:
http://www.microsoft.com/technet/community/scriptcenter/default.mspx