Blocking windows update?


Philip Nunn

Question. If I enable the user policy to block access to the Windows Update
features, will that stop SUS from getting updates to the computers? I know
it says it blocks Windows updates and automatic updates, but what about SUS?
Does anybody know? I also have a WUS server, and when I run a detect now on
a computer the WindowsUpdate.log file shows the following error:
"WindowsUpdate is disabled because the registry
value DisableWindowsUpdateAccess is set to 1", so this seems like it does
block WUS, but I'm not sure about SUS. Please help!

Phil
 
Blocking Windows Update Features only prevents the user from going to
Windows Update (via links in IE, etc.), but it does not interfere with the
functionality of Automatic Updates, which SUS uses. I am not sure if WUS acts
differently.
 
Here is the description from the group policy template...

_____________________________________________________________
This setting allows you to remove access to Windows Update.

If you enable this setting, all Windows Update features are removed. This
includes blocking access to the Windows Update Web site at
http://windowsupdate.microsoft.com, from the Windows Update hyperlink on the
Start menu, and also on the Tools menu in Internet Explorer. Windows
automatic updating is also disabled; you will neither be notified about nor
will you receive critical updates from Windows Update. This setting also
prevents Device Manager from automatically installing driver updates from
the Windows Update Web site.
------------------------------------------------------------------------------------

It sure sounds to me like it blocks automatic updates.

Phil
 
Philip said:
Here is the description from the group policy template...

_____________________________________________________________
This setting allows you to remove access to Windows Update.

If you enable this setting, all Windows Update features are removed. This
includes blocking access to the Windows Update Web site at
http://windowsupdate.microsoft.com, from the Windows Update hyperlink on the
Start menu, and also on the Tools menu in Internet Explorer. Windows
automatic updating is also disabled; you will neither be notified about nor
will you receive critical updates from Windows Update. This setting also
prevents Device Manager from automatically installing driver updates from
the Windows Update Web site.

Hi

It does not disable Automatic Updates when it is pointing to a SUS/WUS
server, but it will affect the user experience for users that are local
admins.

More here:

From: "Don Cottam [MS]" <[email protected]>
Subject: How to disable AU pop-ups and tray icon
Date: Mon, 17 Feb 2003 15:15:21 -0800
Newsgroups: microsoft.public.softwareupdatesvcs

found at
http://groups.google.com/[email protected]
 
The description is a little misleading because it doesn't block automatic
updates. The reason why I know for sure is that one of my clients had this
policy enabled but had automatic updates enabled from Microsoft and all
their Windows XP clients inadvertently downloaded and installed XP Service
Pack 2. They are now using SUS (with this policy still enabled) and patching
is now in a controlled state.

--
Steve Seguis - MCSE, MS-MVP, SCJP
SCRIPTMATION
Automating the Enterprise
http://www.scriptmation.com
 
Steve said:
The description is a little misleading because it doesn't block
automatic updates. The reason why I know for sure is that one of my
clients had this policy enabled but had automatic updates enabled
from Microsoft and all their Windows XP clients inadvertently
downloaded and installed XP Service Pack 2. They are now using SUS
(with this policy still enabled) and patching is now in a controlled
state.

Also helpful to use only limited user accounts, as non-admins can't run WU
anyway.
 
OK, thanks for the info. I also noticed that though I have this policy set,
my Windows 2000 PCs still get the policy even though it says it only
applies to Windows XP and Windows Server 2003. I just tested this on a W2K
SP4 computer, logged on as a domain account that is a member of the local
admin group, and I received a message saying "access to windows update site
was denied due to policy restrictions". Sounds like Microsoft needs to get
their descriptions fixed and what stuff applies to and when! ;-)

Phil
 
I think official support for this policy started with Windows 2000 service
pack 3 and Microsoft probably never got around to updating the
documentation.

--
Steve Seguis - MCSE, MS-MVP, SCJP
SCRIPTMATION
Automating the Enterprise
http://www.scriptmation.com
 
Phil's point still holds true...<rant>it's difficult enough managing group
policy, a tool that's supposed to make centralized management easier,
without the documentation being often misleading or inaccurate. With AutoWU
and WUS at their disposal, MS has no excuse for not updating the
documentation. MS's strength at the server level is integration (including
AD [which took the market from NDS...an easier-to-use product]) and support
(vs. open source options); it needs to make sure these stay strong</rant>.
 