• Status: Solved

WSUS Restrictions via a GPO

I have a large AD domain made up (mostly) of Windows-based workstations and laptops. The OSes are a mix of Win XP and Win 7 Professional editions. We manage our Windows updates via GPOs - see attached .jpg for example of settings.

My issue is this: WSUS works fine but I don't seem to be able to restrict users from manually accessing Windows automatic updates.  One of the issues, that I cannot change, is that all staff users (we're a school district) are local Admins on the workstations, so the setting "Allow non-administrators to receive update notifications" doesn't apply.  Is there a way that I can restrict a person's access to manually run Automatic Updates, say for example based on AD group membership, regardless of their status as a local admin?

Thanks,

Noah
WSUSGPO-example.jpg
nkeables
Donald Stewart, Network Administrator, Commented:
The policy "Allow non-administrators to receive update notifications" is in order to allow normal users to install updates...disabling will also stop them from getting the "Yellow Shield" notifying that updates are available to install.

The settings you are looking for are below.


http://technet.microsoft.com/en-us/library/bb457141.aspx


Preventing Access to Windows Updates and Automatic Updates

You can use Group Policy settings to disable both Windows Update and Automatic Updates.

    To disable Windows Update and Automatic Updates on a per-computer basis, configure Turn off access to all Windows Update features in Computer Configuration\Administrative Templates\System\Internet Communication Management\Internet Communication settings. See “Turn off access to all Windows Update features,” earlier in this document.

    To disable access to Windows Update and Automatic Updates on a per-user basis, configure Remove links and access to Windows Update in User Configuration\Administrative Templates\Start Menu and Taskbar. Enabling this policy setting removes access to Windows Update features for the specified user, but Automatic Updates still checks for updates for the comp
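An added example, not part of the original thread: a read-only PowerShell check that a workstation has actually picked up the two policies quoted above, plus the WSUS redirection. The registry paths and value names are not given in the thread; they are the locations these policies are generally documented to write, so treat them as assumptions and confirm them against your own administrative templates.

```powershell
# Added example (not from the thread): read-only audit of the registry values
# behind the Group Policy settings discussed above. PowerShell 2.0 compatible.
# Assumption: the paths and value names below match your ADM/ADMX templates.
# HKCU reflects only the user running the script, so run it as the affected user.

$checks = @(
    @{ Policy = 'Turn off access to all Windows Update features (computer)'
       Path   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
       Name   = 'DisableWindowsUpdateAccess' },
    @{ Policy = 'Remove links and access to Windows Update (user)'
       Path   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
       Name   = 'NoWindowsUpdate' },
    @{ Policy = 'Automatic Updates uses the intranet (WSUS) server'
       Path   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
       Name   = 'UseWUServer' }
)

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or value is absent (policy not configured).
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

$results = foreach ($c in $checks) {
    $actual = Get-PolicyValue -Path $c.Path -Name $c.Name
    $shown  = 'not set'
    if ($null -ne $actual) { $shown = $actual }
    New-Object PSObject -Property @{
        Policy  = $c.Policy
        Value   = $shown
        Enabled = ($actual -eq 1)   # each of these policies writes DWORD 1 when enabled
    }
}
$results | Select-Object Policy, Value, Enabled | Format-Table -AutoSize

# Show which update server the client is pointed at, if any.
$wsus = Get-PolicyValue -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate' -Name 'WUServer'
if ($null -eq $wsus) { $wsus = 'not set (client would use Microsoft Update)' }
"WSUS server: $wsus"

# Non-zero exit code if any policy is missing, for use from a logon or audit script.
if ($results | Where-Object { -not $_.Enabled }) { exit 1 }
```

Because the second setting is a User Configuration policy, the GPO that carries it can be security-filtered to an AD group, which is how the per-user restriction asked about in the question would be scoped.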
 
nkeables, Author, Commented:
The article you referenced provided the solution I needed. I had configured GPOs for updating from our WSUS, but was unaware of the setting to turn off all Windows Update features. The setting "Turn off access to all Windows Update features" was found at Computer Configuration\Administrative Templates\System\Internet Communication Management\Internet Communication settings. This allows Automatic Updates to take place but prohibits all Windows Update web site interactions.

Thank you
 
Donald Stewart, Network Administrator, Commented:
Glad to help