Block Windows Updates from the Internet in a Domain

Posted on 2011-04-21
Last Modified: 2012-08-14
Inside my domain I have a WSUS/SCE server that is used to deploy the updates to around 150 stations. At the same time, when I go to a station, I can see that the "Check online for updates from Microsoft Update" option is still enabled.

I know that it should be grayed out, as I only want to deploy the updates I want, and I don't want any user to be able to update the PC on his own.

I understand that this option is somewhere in Group Policy Options, but I am having a hard time finding it...

Any help is appreciated!
Question by: WINBRO

Expert Comment

ID: 35439743
Computer Configuration > Administrative Templates > Windows Components > Windows Update > Configure Automatic Updates

Ref: http://www.experts-exchange.com/Security/Operating_Systems_Security/Windows/Q_23898425.html

Accepted Solution

Donald Stewart earned 1000 total points
ID: 35440952
This is the setting you are looking for


Remove access to use all Windows Update features (Not related directly to WSUS)
This setting allows you to remove access to Windows Update.

If you enable this setting, all Windows Update features are removed. This includes blocking access to the Windows Update Web site at http://windowsupdate.microsoft.com, from the Windows Update hyperlink on the Start menu, and also on the Tools menu in Internet Explorer. Windows automatic updating is also disabled; you will neither be notified about nor will you receive critical updates from Windows Update. This setting also prevents Device Manager from automatically installing driver updates from the Windows Update Web site.

Supported on: At least Microsoft Windows XP Professional or Windows Server 2003 family (although this works on 2000 as well – Rob)

***** Rob’s notes: *****

Found under ‘User Configuration’ > ‘Administrative Templates’ > ‘Windows Update’

This will block all access to the Windows Update site so the only location you can pull updates from is your WSUS server.

How this relates to WSUS:

This option will cause the option ‘restart later’ to be grayed out even if the user is a local administrator on the PC. The only way to eliminate this message is either to click ‘restart now’, or to stop the ‘Automatic Updates’ service. It is an effective way to remove the ability to defer restarts to all of your users, including administrators!

You may end up annoying a LOT of people with this setting, so be careful!

NOTE: This is a user-based policy.
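
A read-only way to confirm on a station that the settings discussed in this thread have actually applied, as an added example that is not part of the original answers. The registry locations are assumed to be where these policies store their values and should be confirmed against the ADMX templates in your domain; the function names are hypothetical.

```powershell
# Added example: read-only audit, changes nothing on the station.
# Assumption: the registry locations below are where these policies store
# their values; confirm against the .admx templates used in your domain.

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    # $null means the key or value is absent, i.e. the policy is not configured.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name } else { $null }
}

function Test-WindowsUpdateLockdown {
    $machine = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    # HKCU is the hive of the account running the script, so run it in the
    # session of the user being checked: the policy in the answer is user-based.
    $user = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\WindowsUpdate'

    $state = [ordered]@{
        ComputerName         = $env:COMPUTERNAME
        UserName             = $env:USERNAME
        UseWUServer          = Get-PolicyValue "$machine\AU" 'UseWUServer'
        WUServer             = Get-PolicyValue $machine 'WUServer'
        UserAccessRemoved    = Get-PolicyValue $user 'DisableWindowsUpdateAccess'
        MachineAccessRemoved = Get-PolicyValue $machine 'DisableWindowsUpdateAccess'
    }

    $findings = @()
    # Updates should come from the intranet (WSUS) server, not Microsoft Update.
    if ($state.UseWUServer -ne 1 -or -not $state.WUServer) {
        $findings += 'Station is not pointed at an intranet update server.'
    }
    # Either the user-based or the machine-based value removes Windows Update access.
    if ($state.UserAccessRemoved -ne 1 -and $state.MachineAccessRemoved -ne 1) {
        $findings += 'Windows Update access is not removed for this user or machine.'
    }

    $state.Compliant = ($findings.Count -eq 0)
    $state.Findings  = $findings -join ' '
    [pscustomobject]$state
}

Test-WindowsUpdateLockdown | Format-List
```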
