Windows Updates,WSUS and Group Policies

    Question

  • I want to stop all users through a Group Policy from being able to install Windows Updates other than through a WSUS Server. I have configured that Windows Updates will be managed by the WSUS; however they can go to the option to 'Check online for updates from Microsoft' where they can pull down updates that we don't want them to.  I have gone in and turned this off through a group policy "Remove access to use all Windows Update features", and it hides the option.   The only thing is, as these are remote users which only log in intermittently to do a file download/upload into the network where the WSUS server is, I want them to be able to download the updates when they log onto the network as a task rather than letting the updates trickle down - but by setting the 'remove access to all Windows Update features' there is no Windows Update option to do an update.  Any ideas - we want to manage the updates they get.
    Wednesday, July 11, 2012 3:04 PM

Answers

  • Many thanks for your feedback, my main concern is how to block the end-user from being able to do a "Microsoft" Download under Windows Updates - "Check for Windows Updates" and there is an option 'Check online for updates from windows updates' and if they agree to the terms and conditions they get the updates from the Microsoft WebSite as opposed to our internal WSUS server
    That is the purpose of the Turn off access to all Windows Update features setting -- as noted in my previous reply.

    Lawrence Garvin, M.S., MCITP:EA, MCDBA, MCSA
    Product Manager, SolarWinds
    Microsoft MVP - Software Distribution (2005-2012)
    My MVP Profile: http://mvp.support.microsoft.com/profile/Lawrence.Garvin

    Wednesday, July 18, 2012 5:15 PM
  • I want to stop all users through a Group Policy from being able to install Windows Updates other than though a WSUS Server

    On Windows Vista and newer systems, enable the policy setting Turn off access to all Windows Update features which is found in Computer Configuration | Administrative Templates | System | Internet Communication Management | Internet Communication Settings.

    On Windows 2000/XP/2003 systems enable the policy setting Remove access to use all Windows Update features which is found in Computer Configuration | Administrative Templates | Windows Components | Windows Update.

    I want them to be able to download the updates when they log onto the network as a task rather than letting the updates trickle down

    Configure the Windows Update Agent with AUOptions='2' (Notify for Download). If the user has privileges (which you currently have denied), they will go to the WUApp in Control Panel and initiate the download from the WSUS server for previously identified (approved) updates.

    Of course -- the end-user also has to remember to do this or nothing gets patched!

    but by setting the 'remove access to all Windows Update features' there is no Windows Update option to do an update.

    Correct. You cannot have it both ways. Either the end-user has access ... or they don't. If they have access, they can update from wherever they want. From WU/MU they get what Microsoft wants them to install; from WSUS they get what you want them to install.

    I believe what you're looking for is:

    • Centralized control from WSUS
    • Blocking the ability to use Windows Update or Microsoft Update.
    • Updates NOT to download when the client is away from the office.

    So, first thing to note is that a WSUS client away from the office won't download anything unless it has a connection to your WSUS server (typically through a VPN connection), so this really isn't something you have to protect against - provided that you've blocked access to WU/MU.

    Perhaps the key question is whether you want to require the roaming end-user to initiate the download when they arrive on the corporate LAN, or whether you want it to be automatic (which also means "in the background" and "trickling down".)


    Lawrence Garvin, M.S., MCITP:EA, MCDBA, MCSA
    Product Manager, SolarWinds
    Microsoft MVP - Software Distribution (2005-2012)
    My MVP Profile: http://mvp.support.microsoft.com/profile/Lawrence.Garvin

    Thursday, July 12, 2012 1:48 AM
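The answer above names two controls that are set by Group Policy and end up as registry values on the client: the WSUS server assignment with AUOptions='2', and "Turn off access to all Windows Update features". The following PowerShell is an added example (not code from the thread or from its author) that reads those policy values on a client, reports the conflict the answer describes (user-initiated download with the update UI removed), and, for a roaming client, asks the Windows Update Agent to scan against WSUS once the server is reachable. It assumes the documented policy key HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate and its AU subkey, and that it runs elevated on a Windows Vista-era or later client with wuauclt.exe present.

```powershell
# Added example, not from the thread. Reads the Windows Update policy values that
# the Group Policy settings discussed above write and checks them against the
# intended state: WSUS as the only update source, AUOptions = 2 (Notify for
# download), and "Turn off access to all Windows Update features" enabled.
# Registry paths are the documented policy locations. Run elevated on the client.

$WuPolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$AuPolicyKey = Join-Path $WuPolicyKey 'AU'

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    # $null means the value, and therefore the policy, is not applied.
    try   { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

function Get-WsusClientPolicyState {
    [pscustomobject]@{
        WUServer                   = Get-PolicyValue $WuPolicyKey 'WUServer'
        WUStatusServer             = Get-PolicyValue $WuPolicyKey 'WUStatusServer'
        DisableWindowsUpdateAccess = Get-PolicyValue $WuPolicyKey 'DisableWindowsUpdateAccess'
        UseWUServer                = Get-PolicyValue $AuPolicyKey 'UseWUServer'
        NoAutoUpdate               = Get-PolicyValue $AuPolicyKey 'NoAutoUpdate'
        AUOptions                  = Get-PolicyValue $AuPolicyKey 'AUOptions'
    }
}

function Test-WsusClientPolicy {
    param($State = (Get-WsusClientPolicyState))
    $findings = @()
    if (-not $State.WUServer) {
        $findings += 'WUServer not set: the client will contact Windows Update/Microsoft Update directly.'
    }
    if ($State.UseWUServer -ne 1) {
        $findings += 'UseWUServer is not 1: WUServer is ignored and the client still uses Microsoft servers.'
    }
    if ($State.NoAutoUpdate -eq 1) {
        $findings += 'NoAutoUpdate is 1: Automatic Updates is off, nothing is detected or downloaded.'
    }
    if ($State.DisableWindowsUpdateAccess -ne 1) {
        $findings += '"Turn off access to all Windows Update features" not enabled: "Check online for updates" is still offered.'
    }
    # The trade-off the answer points out: AUOptions=2 needs a user to click
    # Download in the Windows Update UI, and the access-removal policy hides it.
    if ($State.AUOptions -eq 2 -and $State.DisableWindowsUpdateAccess -eq 1) {
        $findings += 'AUOptions=2 with update access removed: nobody can start the download; use AUOptions 3 or 4 for unattended download.'
    }
    if ($findings.Count -eq 0) { 'OK: client is WSUS-only and the settings are consistent.' } else { $findings }
}

function Invoke-WsusDetection {
    # For roaming clients: once the WSUS server answers (e.g. after the VPN comes
    # up), ask the Windows Update Agent to scan now instead of waiting for the next
    # scheduled detection. Download/install still follow AUOptions.
    $server = (Get-WsusClientPolicyState).WUServer
    if (-not $server) { throw 'No WUServer policy; refusing to trigger a scan that would go to Microsoft.' }
    $wsusHost = ([uri]$server).Host
    if (Test-Connection -ComputerName $wsusHost -Count 1 -Quiet) {
        & "$env:SystemRoot\System32\wuauclt.exe" /detectnow
        "Detection requested against $server"
    } else {
        "WSUS server $wsusHost not reachable; nothing triggered."
    }
}

Get-WsusClientPolicyState | Format-List
Test-WsusClientPolicy
```

Running Invoke-WsusDetection from a logon script or a scheduled task tied to the VPN connection gives the "download when they log onto the network" behaviour the question asks for without reopening the Microsoft Update path, provided AUOptions is 3 or 4 so the agent downloads without a user clicking in the hidden UI.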

All replies

  • Not sure I'm understanding your issue correctly. If you want to have these PCs managed by WSUS then you should let WSUS do its job. Just assign these computers you want to manage the updates on into a different group in WSUS and approve your updates accordingly. Why the need to have it run as a task vs. a WSUS push when you have a WSUS setup that can get the updates where they need to be when you want them to get there?
    • Edited by cfrond Wednesday, July 11, 2012 3:16 PM
    Wednesday, July 11, 2012 3:16 PM
  • Many thanks for your feedback, my main concern is how to block the end-user from being able to do a "Microsoft" Download under Windows Updates - "Check for Windows Updates" and there is an option 'Check online for updates from windows updates' and if they agree to the terms and conditions they get the updates from the Microsoft WebSite as opposed to our internal WSUS server (we want to block only this option as I don't want them to download unapproved updates). While the Group Policy pointing to the WSUS server gives them the Windows Updates as I have approved on the WSUS server, if users click on this link and agree to the terms it sends them out to the Microsoft Web site. Even though they are getting updates from the WSUS internally, can I block only the option to stop them going to the Microsoft site and downloading updates we don't want?
    Tuesday, July 17, 2012 12:40 PM
  • You may want to leverage another layer to control access to the following hosts from your clients:

    Microsoft's Windows Update servers are at the following hostnames over ports 80 and 443:

    download.microsoft.com
    ntservicepack.microsoft.com
    stats.microsoft.com
    windowsupdate.microsoft.com
    wustat.windows.com
    *.windowsupdate.microsoft.com
    *.update.microsoft.com
    *.download.windowsupdate.com
    *.windowsupdate.com

    If you block access to these (for instance by DNS lookup on a proxy/firewall, or by layer 7 packet inspection), it will stop the clients from being able to functionally access the Microsoft update servers.



    • Edited by mbrownnyc Friday, December 28, 2012 4:28 PM
    Friday, December 28, 2012 4:24 PM
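An egress block like the one proposed above is only worth relying on if it is verified from the client side after deployment. The PowerShell below is an added example (not code from the thread or its author) that probes the concrete hostnames from the list for DNS resolution and TCP connectivity on 80 and 443 and reports which are still reachable. The wildcard entries cannot be probed as written, so the function takes an -ExtraHosts parameter for the actual names observed in proxy or firewall logs; the 3-second timeout and the port list are assumptions.

```powershell
# Added example, not from the thread. Checks from a client whether egress to the
# Windows Update/Microsoft Update hostnames listed in the post is blocked, by
# attempting DNS resolution and a TCP connect on each port. Wildcard patterns
# from the post are not included; supply concrete names with -ExtraHosts.

$UpdateHosts = @(
    'download.microsoft.com',
    'ntservicepack.microsoft.com',
    'stats.microsoft.com',
    'windowsupdate.microsoft.com',
    'wustat.windows.com'
)

function Test-TcpPort {
    param([string]$HostName, [int]$Port, [int]$TimeoutMs = 3000)
    # Returns $true only if a TCP handshake completes within the timeout.
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($HostName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs)) { return $false }
        $client.EndConnect($async)
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

function Test-UpdateEgressBlocked {
    param(
        [string[]]$Hosts      = $UpdateHosts,
        [string[]]$ExtraHosts = @(),          # concrete names matching the wildcard entries
        [int[]]   $Ports      = @(80, 443)
    )
    foreach ($h in ($Hosts + $ExtraHosts)) {
        $resolves = $true
        try { [void][System.Net.Dns]::GetHostAddresses($h) } catch { $resolves = $false }

        $open = @()
        if ($resolves) {
            $open = @($Ports | Where-Object { Test-TcpPort -HostName $h -Port $_ })
        }
        [pscustomobject]@{
            Host      = $h
            Resolves  = $resolves
            OpenPorts = ($open -join ',')
            Blocked   = (-not $resolves) -or ($open.Count -eq 0)
        }
    }
}

Test-UpdateEgressBlocked | Format-Table -AutoSize
```

Any row with Blocked = False means the proxy or firewall rule is not covering that path from this client. A hostname or DNS-based block only holds if clients have no direct egress that bypasses the inspecting device; the Group Policy setting discussed earlier in the thread remains the primary control, and this check is the second layer.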