WSUS Restrictions via a GPO

I have a large AD Domain made up (mostly) of Windows based Workstations and laptops.  The OS's are a mix of Win XP and Win 7 professional editionss.  We manage our windows updates via GPO's - see attached .jpg for example of settings.  

My issue is this: WSUS works fine but I don't seem to be able to restrict users from manually accessing Windows automatic updates.  One of the issues, that I cannot change, is that all staff users (we're a school district) are local Admins on the workstations, so the setting "Allow non-administrators to receive update notifications" doesn't apply.  Is there a way that I can restrict a person's access to manually run Automatic Updates, say for example based on AD group membership, regardless of their status as a local admin?

Thanks,

Noah
WSUSGPO-example.jpg
nkeablesAsked:
Who is Participating?
 
DonNetwork AdministratorCommented:
The policy "Allow non-administrators to receive update notifications" is in order to allow normal users to install updates...disabling will also stop them from getting the "Yellow Shield" notifying that updates are available to install.

The settings you are looking for are below.


http://technet.microsoft.com/en-us/library/bb457141.aspx


Preventing Access to Windows Updates and Automatic Updates

You can use Group Policy settings to disable both Windows Update and Automatic Updates.

    To disable Windows Update and Automatic Updates on a per-computer basis, configure Turn off access to all Windows Update features in Computer Configuration\Administrative Templates\System\Internet Communication Management\Internet Communication settings. See “Turn off access to all Windows Update features,” earlier in this document.

    To disable access to Windows Update and Automatic Updates on a per-user basis, configure Remove links and access to Windows Update in User Configuration\Administrative Templates\Start Menu and Taskbar. Enabling this policy setting removes access to Windows Update features for the specified user, but Automatic Updates still checks for updates for the comp
0
 
nkeablesAuthor Commented:
The article you referenced provided the solution I needed.  I had configured GPO's for updating from our WSUS, but was un-aware of the setting  to turn off all windows update features.  The setting "Turn off access to all Windows Update features" was found at  Computer Configuration\Administrati<wbr />ve Templates\System\Internet Communication Management\Internet Communication settings.  This allows Automatic updates to take place but prohibits all Windows Update  web site interactions.<br /><br />Thank you
0
 
DonNetwork AdministratorCommented:
Glad to help
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.