WSUS Restrictions via a GPO

I have a large AD Domain made up (mostly) of Windows based Workstations and laptops.  The OS's are a mix of Win XP and Win 7 professional editionss.  We manage our windows updates via GPO's - see attached .jpg for example of settings.  

My issue is this: WSUS works fine but I don't seem to be able to restrict users from manually accessing Windows automatic updates.  One of the issues, that I cannot change, is that all staff users (we're a school district) are local Admins on the workstations, so the setting "Allow non-administrators to receive update notifications" doesn't apply.  Is there a way that I can restrict a person's access to manually run Automatic Updates, say for example based on AD group membership, regardless of their status as a local admin?

Thanks,

Noah
WSUSGPO-example.jpg
nkeablesAsked:
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

x
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

DonNetwork AdministratorCommented:
The policy "Allow non-administrators to receive update notifications" is in order to allow normal users to install updates...disabling will also stop them from getting the "Yellow Shield" notifying that updates are available to install.

The settings you are looking for are below.


http://technet.microsoft.com/en-us/library/bb457141.aspx


Preventing Access to Windows Updates and Automatic Updates

You can use Group Policy settings to disable both Windows Update and Automatic Updates.

    To disable Windows Update and Automatic Updates on a per-computer basis, configure Turn off access to all Windows Update features in Computer Configuration\Administrative Templates\System\Internet Communication Management\Internet Communication settings. See “Turn off access to all Windows Update features,” earlier in this document.

    To disable access to Windows Update and Automatic Updates on a per-user basis, configure Remove links and access to Windows Update in User Configuration\Administrative Templates\Start Menu and Taskbar. Enabling this policy setting removes access to Windows Update features for the specified user, but Automatic Updates still checks for updates for the comp
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
nkeablesAuthor Commented:
The article you referenced provided the solution I needed.  I had configured GPO's for updating from our WSUS, but was un-aware of the setting  to turn off all windows update features.  The setting "Turn off access to all Windows Update features" was found at  Computer Configuration\Administrati<wbr />ve Templates\System\Internet Communication Management\Internet Communication settings.  This allows Automatic updates to take place but prohibits all Windows Update  web site interactions.<br /><br />Thank you
0
DonNetwork AdministratorCommented:
Glad to help
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Microsoft Applications

From novice to tech pro — start learning today.