I need to block .NET Framework v2.0

Harrison Midkiff · Nov 9, 2005

Hello:

I need to block .NET Framework v2.0 which is now downloadable via
WindowsUpdate. I am pretty sure I can block this with a gpo. When WinXP
SP2 came out initially you could block that with a gpo.

Does anyone know how I can do that?

Harrison Midkiff

Norbert Fehlauer [MVP] · Nov 9, 2005

Harrison Midkiff wrote:
Hi,

I need to block .NET Framework v2.0 which is now downloadable via
WindowsUpdate.

Yes but its an optional not a critical update. So it won't install with
automatic update. And if your users are no administrators they can't install
it.

I am pretty sure I can block this with a gpo.

I'm not.

When WinXP SP2 came out initially you could block that with a gpo.

I would say XP Sp2 was a little different kind of update then .NET
Framework.

Bye
Norbert

Steven Wang [MSFT] · Nov 10, 2005

Hello Harrison,

Thank you for posting.

From your post, my understanding of this issue is: You would like to know
how to prevent the .NET Framework 2.0 from being downloaded via Windows
Update. If this is not correct, please feel free to let me know.

First I appreciate Norbert for his kind inputs, and I agree with him that
we cannot block it from being downloaded from the Windows Update web site.
In addition, I wonder why you want to block it through GPO. If you can let
me know, we may try to find a workaround for this issue.

Thank you for your patience. If anything is unclear or you have any
concerns, please feel free to post back. I am glad to be of assistance.

Have a nice day!

Steven Wang (MSFT)
Microsoft CSS Online Newsgroup Support

Get Secure! - www.microsoft.com/security
=====================================================
This newsgroup only focuses on SBS technical issues. If you have issues
regarding other Microsoft products, you'd better post in the corresponding
newsgroups so that they can be resolved in an efficient and timely manner.
You can locate the newsgroup here:
http://www.microsoft.com/communities/newsgroups/en-us/default.aspx

When opening a new thread via the web interface, we recommend you check the
"Notify me of replies" box to receive e-mail notifications when there are
any updates in your thread. When responding to posts via your newsreader,
please "Reply to Group" so that others may learn and benefit from your
issue.

Microsoft engineers can only focus on one issue per thread. Although we
provide other information for your reference, we recommend you post
different incidents in different threads to keep the thread clean. In doing
so, it will ensure your issues are resolved in a timely manner.

For urgent issues, you may want to contact Microsoft CSS directly. Please
check http://support.microsoft.com for regional support phone numbers.

Any input or comments in this thread are highly appreciated.
=====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.

--------------------

Harrison Midkiff · Nov 14, 2005

Steve:

Thanks for replying to my post. Our developers have created a lot of stuff
in .NET v1.0. They have told me if the new version gets onto a computer
there code will not work. I did find a config file which allowed you to
tell the code what version of .NET to run, but they claim this would be to
difficult to deploy. If I could easily block it that would probably be the
easiest.

Harrison Midkiff

kj · Nov 14, 2005

If you deployed WSUS and a GPO that directs the clients (xpSP2?) to the WSUS
server you could decline .NET V2.0 from the clients. You'd also have to set
the policy denying them from accessing Windows Update. Kinda a round about
way of doing it, but should work.

Harrison Midkiff · Nov 15, 2005

That would work but we still have the worry about the ones that go to
WindowsUpdate and run the updates from there. Any ideas?

kj · Nov 16, 2005

Remove Access to use all Windows Update features (user configuration,
adminsitrative templates, windows update - GPO)
you may need one of the latest adm files to see this as I recall.
---
This setting allows you to remove access to Windows Update.

If you enable this setting, all Windows Update features are removed. This
includes blocking access to the Windows Update Web site at
http://windowsupdate.microsoft.com, from the Windows Update hyperlink on the
Start menu, and also on the Tools menu in Internet Explorer. Windows
automatic updating is also disabled; you will neither be notified about nor
will you receive critical updates from Windows Update. This setting also
prevents Device Manager from automatically installing driver updates from
the Windows Update Web site.

Steven Wang [MSFT] · Nov 16, 2005

Hi Harrison,

Thanks for your reply and taking time to let me know the additional
information. Also I appreciate KJ's kind inputs and he has provided the
good information for us.

However, it is not recommended to apply the "Remove access to use all
Windows Update features" policy, since the system will no longer get any
updates even from the WSUS server.

I completely understand your frustrations with this issue and I want to
thank you for your feedback on our products. We do appreciate the feedback
we receive from our customers such as yours and your feedback is taken very
seriously. I will forward your comments to the appropriate development and
usability experts for the purpose of improving user experience in the
future.

In addition, regarding the problem with running .NET v1.0 application on
..NET v2.0, you may also post your question on the following newsgroup to
see whether there is any more information:

<http://msdn.microsoft.com/newsgroups/default.asp>

Or, you may want to contact our Develop Support Services by telephone so
that a dedicated support professional can assist you further with your
request. To obtain the phone numbers for specific technology request
please take a look at the web site listed below:

<http://support.microsoft.com/directory/directory/phonepro.asp?sd=msdn>

Thank you for your understanding and it has been a pleasure to work with
you on this service request. If you have any other questions or concerns,
please do not hesitate to contact us. It is always our pleasure to be of
assistance.

Have a nice day!

Steven Wang
Microsoft Online Partner Support

--------------------

From: "kj" <[email protected]>
References: <[email protected]>

<[email protected]>
<[email protected]>
<#[email protected]>

kj · Nov 16, 2005

Whoops, that wasn't the policy I was thinking of, too late at night.
Here's the _right_ one;

computers, administrative templates, start menu and taskbar, - "Remove links
and access to windows update"

I can confirm this will not stop WSUS from updating your computers as I
tested this as part of the WSUS beta program and have used it post RTM. -
Sorry for the previous one and note Steven's concern that some technology be
in place to keep your computers up to date on critical and security updates
(WSUS is ideal for this, SMS for larger environments).

----
Prevents users from connecting to the Windows Update Web site.

This setting blocks user access to the Windows Update Web site at
http://windowsupdate.microsoft.com. Also, the setting removes the Windows
Update hyperlink from the Start menu and from the Tools menu in Internet
Explorer.

Windows Update, the online extension of Windows, offers software updates to
keep a user's system up-to-date. The Windows Update Product Catalog
determines any system files, security fixes, and Microsoft updates that
users need and shows the newest versions available for download.

Also, see the "Hide the "Add programs from Microsoft" option" setting.

Norbert Fehlauer [MVP] · Nov 16, 2005

Steven Wang [MSFT] wrote:
Hi,

However, it is not recommended to apply the "Remove access to use all
Windows Update features" policy, since the system will no longer get
any updates even from the WSUS server.

Thats not right. Actually it does work but just if you'd configured your
automatic update client to automatically install all approved updates.

Bye
Norbert

Steven Wang [MSFT] · Nov 18, 2005

Hi Norbert,

Thanks for your reply.

From the explaination of the policy setting: "Remove access to use all
Windows Update features", we can see:

"If you enable this setting, all Windows Update features are removed. This
includes blocking access to the Windows Update Web site at
http://windowsupdate.microsoft.com, from the Windows Update hyperlink on
the Start menu, and also on the Tools menu in Internet Explorer. Windows
automatic updating is also disabled; you will neither be notified about nor
will you receive critical updates from Windows Update. This setting also
prevents Device Manager from automatically installing driver updates from
the Windows Update Web site."

Should you have any concerns, please feel free to post back. Thank you!

Have a nice day!

Steven Wang
Microsoft CSS Online Newsgroup Support

--------------------

From: "Norbert Fehlauer [MVP]" <[email protected]>
References: <[email protected]>

<[email protected]>
<[email protected]>
<#[email protected]>
<[email protected]>
<[email protected]>

Subject: Re: I need to block .NET Framework v2.0
Date: Wed, 16 Nov 2005 22:10:15 +0100
Lines: 16
MIME-Version: 1.0
Content-Type: text/plain;
format=flowed;
charset="iso-8859-15";
reply-type=original
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Newsreader: Microsoft Outlook Express 6.00.2900.2670
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2670
Message-ID: <[email protected]>
Newsgroups: microsoft.public.win2000.group_policy
NNTP-Posting-Host: p54bf74a4.dip.t-dialin.net 84.191.116.164
Path: TK2MSFTNGXA02.phx.gbl!TK2MSFTNGP08.phx.gbl!TK2MSFTNGP10.phx.gbl
Xref: TK2MSFTNGXA02.phx.gbl microsoft.public.win2000.group_policy:38343
X-Tomcat-NG: microsoft.public.win2000.group_policy

Steven Wang [MSFT] wrote:
Hi,

However, it is not recommended to apply the "Remove access to use all
Windows Update features" policy, since the system will no longer get
any updates even from the WSUS server.

Click to expand...

Thats not right. Actually it does work but just if you'd configured your
automatic update client to automatically install all approved updates.

Bye
Norbert

Norbert Fehlauer [MVP] · Nov 18, 2005

Steven Wang [MSFT] wrote:
Hi Steven,

Thanks for your reply.

From the explaination of the policy setting: "Remove access to use all
Windows Update features", we can see:

notified about nor will you receive critical updates from Windows
Update.

Yes I can see this. But what I also can see is: My computers still get their
updates from my SUS server. And thats logical to my, because we are talking
about user configuration and automatic updates service is not an user.

Should you have any concerns, please feel free to post back. Thank
you!

Maybe it helps looking into the SUS deployment whitepaper

Interaction with other policies
If the "Remove access to use all Windows Update features" Group Policy
setting (located in User Configuration\Administrative Templates\Windows
Components\Windows Update) is enabled, Automatic Updates will not notify
that logged-on user. Because this is a user-based value, it makes a local
administrator appear as a non-administrator so that user will not be able to
install updates. With this policy enabled, the Automatic Updates service
still runs, and if configured as such, a scheduled installation can still
occur.

Bye

Norbert

Steven Wang [MSFT] · Nov 18, 2005

Hi Norbert,

You are correct! I am sorry for my misunderstand on this policy setting.
I do appreciate your clear clarification. It will benefit many other
users, including me. Thank you!

Have a nice weekend!

Steven Wang

--------------------

From: "Norbert Fehlauer [MVP]" <[email protected]>
References: <[email protected]>

<[email protected]>
<[email protected]>
<#[email protected]>
<[email protected]>
<[email protected]>
<[email protected]>
<[email protected]>

Subject: Re: I need to block .NET Framework v2.0
Date: Fri, 18 Nov 2005 11:52:07 +0100
Lines: 35
Organization: privat
MIME-Version: 1.0
Content-Type: text/plain;
format=flowed;
charset="iso-8859-15";
reply-type=original
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Newsreader: Microsoft Outlook Express 6.00.2900.2670
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2670
Message-ID: <#[email protected]>
Newsgroups: microsoft.public.win2000.group_policy
NNTP-Posting-Host: 84.19.223.254
Path: TK2MSFTNGXA02.phx.gbl!TK2MSFTNGP08.phx.gbl!TK2MSFTNGP11.phx.gbl
Xref: TK2MSFTNGXA02.phx.gbl microsoft.public.win2000.group_policy:38355
X-Tomcat-NG: microsoft.public.win2000.group_policy

Steven Wang [MSFT] wrote:
Hi Steven,

Thanks for your reply.

From the explaination of the policy setting: "Remove access to use all
Windows Update features", we can see:

Click to expand...

notified about nor will you receive critical updates from Windows
Update.

Click to expand...

Yes I can see this. But what I also can see is: My computers still get their
updates from my SUS server. And thats logical to my, because we are talking
about user configuration and automatic updates service is not an user.

Should you have any concerns, please feel free to post back. Thank
you!

Click to expand...

Maybe it helps looking into the SUS deployment whitepaper
Interaction with other policies
If the "Remove access to use all Windows Update features" Group Policy
setting (located in User Configuration\Administrative Templates\Windows
Components\Windows Update) is enabled, Automatic Updates will not notify
that logged-on user. Because this is a user-based value, it makes a local
administrator appear as a non-administrator so that user will not be able to
install updates. With this policy enabled, the Automatic Updates service
still runs, and if configured as such, a scheduled installation can still
occur.

Bye

Norbert

kj · Nov 18, 2005

Well that was my understanding being a user policy, but I hadn't tested that
one. So, thanks Steven and Norbert for working out the accuracy. OP hasn't
posted back in awhile but it seems he has two options from which to choose.

--
/kj

Steven Wang said:
Hi Norbert,

You are correct! I am sorry for my misunderstand on this policy setting.
I do appreciate your clear clarification. It will benefit many other
users, including me. Thank you!

Have a nice weekend!

Steven Wang

--------------------

From: "Norbert Fehlauer [MVP]" <[email protected]>
References: <[email protected]>

Click to expand...

<[email protected]>
<[email protected]>
<#[email protected]>
<[email protected]>
<[email protected]>
<[email protected]>
<[email protected]>

Subject: Re: I need to block .NET Framework v2.0
Date: Fri, 18 Nov 2005 11:52:07 +0100
Lines: 35
Organization: privat
MIME-Version: 1.0
Content-Type: text/plain;
format=flowed;
charset="iso-8859-15";
reply-type=original
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Newsreader: Microsoft Outlook Express 6.00.2900.2670
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2670
Message-ID: <#[email protected]>
Newsgroups: microsoft.public.win2000.group_policy
NNTP-Posting-Host: 84.19.223.254
Path: TK2MSFTNGXA02.phx.gbl!TK2MSFTNGP08.phx.gbl!TK2MSFTNGP11.phx.gbl
Xref: TK2MSFTNGXA02.phx.gbl microsoft.public.win2000.group_policy:38355
X-Tomcat-NG: microsoft.public.win2000.group_policy

Steven Wang [MSFT] wrote:
Hi Steven,

Thanks for your reply.

From the explaination of the policy setting: "Remove access to use all
Windows Update features", we can see:

Click to expand...

notified about nor will you receive critical updates from Windows
Update.

Click to expand...

Yes I can see this. But what I also can see is: My computers still get their
updates from my SUS server. And thats logical to my, because we are talking
about user configuration and automatic updates service is not an user.

Should you have any concerns, please feel free to post back. Thank
you!

Click to expand...

Maybe it helps looking into the SUS deployment whitepaper
Interaction with other policies
If the "Remove access to use all Windows Update features" Group Policy
setting (located in User Configuration\Administrative Templates\Windows
Components\Windows Update) is enabled, Automatic Updates will not notify
that logged-on user. Because this is a user-based value, it makes a local
administrator appear as a non-administrator so that user will not be able to
install updates. With this policy enabled, the Automatic Updates service
still runs, and if configured as such, a scheduled installation can still
occur.

Bye

Norbert

Click to expand...

Norbert Fehlauer [MVP] · Nov 18, 2005

Steven Wang [MSFT] wrote:
Hi,

You are correct!

Yep, but I thought about the OP's original request for blocking the
installation of .NET Framework with a group policy. AFAIK theres no such
thing. The only thing that would prevent users to install this software is,
they are no local administrators. Otherwise they could take in the
softwarepackage any way they want (mail, ftp, cdrom etc.).
So the OP has to take care that his users are only "users"

Bye
Norbert

PS: You to have a nice weekend.