Is there a way to disable "check online for updates from windows update" in windows update settings?


There are settings in the Server 2008/2012 policies that aren't accessible on your 2003 server I believe, such as "Do not connect to any Windows Update Internet locations" under the Computer settings you show above.

I believe the settings you are looking for in a 2003 environment are:

Disable access to Windows Update

The correct policy for v6 operating systems to achieve the desired objective is: Turn off access to all Windows Update features

and is located in Administrative Templates | System | Internet Communication Management | Internet Communication Settings

If this policy setting is enabled, all Windows Update features are removed. It blocks access to the Microsoft Update and Windows Update Web sites, and in Windows Vista will gray out the Check for updates option in the Windows Update application. The machine will not get automatic updates directly from Windows Update or Microsoft Update, but it can still get updates from a WSUS server. This setting overrides the user settings Remove links and access to Windows Update and Remove access to use all Windows Update features.

To disable access to Windows Update

1. In the Group Policy Object Editor, expand Computer Configuration, expand Administrative Templates, expand System, expand Internet Communication Management, and then click Internet Communication settings.

2. In the details pane, click Turn off access to all Windows Update features, and click Enabled.

3. Click OK.
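
As an added example (not part of the original answer), this read-only PowerShell check confirms on a client that the policy above has applied and that a WSUS server is enforced, since a machine with Windows Update access turned off and no WSUS source receives no updates at all. The registry paths and value names are the standard locations these policies write to and are an assumption here, as the page does not list them; PowerShell 2.0 or later is assumed on the client.

```powershell
# Added example: read-only audit of Windows Update policy values on a client.
# Registry locations are assumed (standard policy keys), not taken from the page.
$wuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$auKey = "$wuKey\AU"

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or value is absent (policy not configured).
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($item) { $item.$Name } else { $null }
}

$state = New-Object PSObject -Property @{
    # 1 = "Turn off access to all Windows Update features" is Enabled
    DisableWindowsUpdateAccess = Get-PolicyValue $wuKey 'DisableWindowsUpdateAccess'
    # 1 = Automatic Updates uses the intranet server instead of Microsoft
    UseWUServer                = Get-PolicyValue $auKey 'UseWUServer'
    # Intranet update service and statistics server URLs pushed by GPO
    WUServer                   = Get-PolicyValue $wuKey 'WUServer'
    WUStatusServer             = Get-PolicyValue $wuKey 'WUStatusServer'
}
$state | Format-List

$findings = @()
$wsusEnforced = ($state.UseWUServer -eq 1) -and $state.WUServer

if ($state.DisableWindowsUpdateAccess -ne 1) {
    $findings += 'Access to Windows Update is not turned off: users can still check online.'
}
if (-not $wsusEnforced) {
    $findings += 'No WSUS server is enforced for Automatic Updates.'
}
if (($state.DisableWindowsUpdateAccess -eq 1) -and (-not $wsusEnforced)) {
    # Failure mode: online source blocked and no intranet source configured.
    $findings += 'Client has no update source at all and will stay unpatched.'
}

if ($findings.Count -gt 0) {
    $findings | ForEach-Object { Write-Warning $_ }
    exit 1
}
Write-Output 'OK: Windows Update access is off and WSUS is the enforced source.'
```

Run it after `gpupdate /force` on a sample of each client OS; a non-zero exit code marks a machine where the GPO did not apply as intended.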


Aravinda
Author by

Aravinda

Updated on September 18, 2022

Comments

  • Aravinda
    Aravinda over 1 year

    I have configured a WSUS server in order to preserve bandwidth in the network while keeping essential updates turned on using that WSUS.

    Intranet WSUS server pointing to client pc and other settings are pushed via group policies in Domain controller 2003.

    Following policies are configured in the domain..

    Computer configuration section

    enter image description here

    User configuration section

    enter image description here

    and it's correctly configured in the clients in this manner..

    enter image description here

    yet I wish to disable/remove,

    (1) Ability for users to check the updates (since it's automatically scheduled to install on Friday at 4 pm)

    (2) Ability for users to install the updates

    (3) Ability to check online for updates from Windows (I only want WSUS to be the source of download)

    If I outline the above 3 facts, in the Windows 7 client settings it's below what I wish to disable

    enter image description here

    Is this possible using existing Server 2003 Group Policies, to achieve the above 3 requirements? As clients we have Windows XP, 7, 8 and 8.1 that need the above 3 requirements.

    Any help would be greatly appreciated.

    • Andy
      Andy about 9 years
      Except for the ability to "Check online from Windows update", why would you remove the other two options?
    • Aravinda
      Aravinda about 9 years
      I don't want users to have any control over updates.. At least if "Check online from Windows update" is disabled, it is fine if the other two are not possible via group policy or similar
    • joeqwerty
      joeqwerty about 9 years
      You can prevent users from accessing Windows Updates and from checking for updates with Group Policy, found under the Windows Updates settings under User Configuration Settings.
    • Aravinda
      Aravinda about 9 years
      Not sure what I'm missing here, I have edited and added the user configuration section .. i.stack.imgur.com/zj2C5.png What am I missing? Maybe 2003 group policies are not compatible with the latest clients such as 7/8 etc.?
    • raja
      raja about 9 years
      It's possible, but why would you want your users to not be able to install updates whenever they need to? I see this somewhat often and am often puzzled since when I do security reviews this setting is a fail. It's a guarantee that an application or system can get exploited. By default since you've configured WU to use WSUS the only reason a user would use WU is because they are away from the WSUS server or you haven't put the update in WSUS yet.
    • Aravinda
      Aravinda about 9 years
      I have everything in my hand now.. Thanks to everyone
    • David C.
      David C. about 8 years
      @JimB: I also see this, especially at companies with large IT departments. They want to make sure updates have been reviewed and tested before they are deployed to users (we all are familiar with broken updates that happen from time to time). They also want to avoid the support problems that can result from a large user-base (hundreds or even thousands) all updated to different patch-levels.
    • raja
      raja about 8 years
      @DavidC. if a company is willing to say that preventing security breaches is less important than having to uninstall the occasional bad patch, that's their call and it's quite literally the most effective way to get breached. You can avoid the multi patch level issue by making the patches mandatory after t time period, so that the patch differences are minimal. The other types of Windows patches are bug fixes. Those should also be applied but can certainly wait for a short time unless the user has an issue. E.g., a DirectX patch may seem unimportant, but when Outlook is slow, guess why...
    • David C.
      David C. about 8 years
      @JimB: You seem to think these companies never distribute updates. That's not the case. They typically hold them for a few days for review and then push them out afterward. But that's not their entire security model (if it was, it would be useless.) They typically also restrict arbitrary software installations, have draconian firewall rules, etc. It's very very rare that some patch needs to be installed IMMEDIATELY without any chance to test it first.
    • raja
      raja about 8 years
      @DavidC. the companies that remove that ability for end users to get the updates on demand aren't usually waiting a couple days (and if it was only a couple days why would they care if a few users went ahead and installed them?). I've seen companies spend far too much money trying to resolve problems that an uninstalled patch fixed than were caused by bad patches. Keep in mind we're not talking servers (I'm a little more lenient on patch frequency there), these are end users' devices.
  • Aravinda
    Aravinda about 9 years
    That is awesome.. "check online for updates from windows update" is gone by enabling that group policy.. Just wondering now, when a user clicks on check for updates, will this be checking updates from my internal WSUS? Not any other place?
  • kralyk
    kralyk about 9 years
    Correct, from your WSUS server.
  • Aravinda
    Aravinda about 9 years
    So that is awesome.. So that is everything I really want.. Thank you very much for sharing this great nugget!!
  • Alex S
    Alex S over 8 years
    @TheCleaner - I just posted this - serverfault.com/questions/718232/… - I think some similar steps may help - What if the WSUS server downloads the not wanted telemetry updates, then all clients will get it as well?
  • Alex S
    Alex S over 8 years
    @Aravinda - Any thoughts on my question?