locked
Local Policy Preventing Non-Administrators to install Windows Updates RRS feed

  • Question

  • We have a Group Policy on a set of Windows 7 x64 computers that are used by public safety dispatchers that basically sets the user environment on the computer. It prevents right click on the desktop and taskbar, specifies their available applications and basically locks down the computer so they can really only do dispatching. These computers receive vendor approved Windows Update via  WSUS server configured to install the approved updates and notify the users to install them. The user should be able to click on the Windows Update Notification icon and choose to reboot to finish installing their newly installed updates, however when they do they receive a message stating " This operation has been canceled due to restrictions in effect on this computer. Please contact your system administrator."

    I have have narrowed it down to a specific policy, but which setting is preventing use of the applet I have not been able to determine. I tried removing anything to do with notifications but they were not the issue. I have exported the configured settings and have attached them. If anyone has any ideas on how to identify which policy item is causing this I would be very grateful.


    Thank you in advance,


    David R.

    Setting State Comment Path
    Enable Active Desktop Disabled No \Desktop\Desktop
    Display the menu bar in Windows Explorer  Disabled No \Windows Components\Windows Explorer
    Hide the Programs Control Panel Enabled No \Control Panel\Programs
    Prohibit access to the Control Panel Enabled No \Control Panel
    Disable Active Desktop Enabled No \Desktop\Desktop
    Hide Internet Explorer icon on desktop Enabled No \Desktop
    Remove My Documents icon on the desktop Enabled No \Desktop
    Hide Network Locations icon on desktop Enabled No \Desktop
    Remove Properties from the Computer icon context menu Enabled No \Desktop
    Prevent adding, dragging, dropping and closing the Taskbar's toolbars Enabled No \Desktop
    Prohibit adjusting desktop toolbars Enabled No \Desktop
    Clear history of recently opened documents on exit Enabled No \Start Menu and Taskbar
    Clear the recent programs list for new users Enabled No \Start Menu and Taskbar
    Add Logoff to the Start Menu Enabled No \Start Menu and Taskbar
    Turn off personalized menus Enabled No \Start Menu and Taskbar
    Lock the Taskbar Enabled No \Start Menu and Taskbar
    Remove Balloon Tips on Start Menu items Enabled No \Start Menu and Taskbar
    Remove drag-and-drop and context menus on the Start Menu Enabled No \Start Menu and Taskbar
    Remove Favorites menu from Start Menu Enabled No \Start Menu and Taskbar
    Remove Search link from Start Menu Enabled No \Start Menu and Taskbar
    Remove frequent programs list from the Start Menu Enabled No \Start Menu and Taskbar
    Remove Help menu from Start Menu Enabled No \Start Menu and Taskbar
    Remove Network Connections from Start Menu Enabled No \Start Menu and Taskbar
    Remove pinned programs list from the Start Menu Enabled No \Start Menu and Taskbar
    Do not keep history of recently opened documents Enabled No \Start Menu and Taskbar
    Remove Recent Items menu from Start Menu Enabled No \Start Menu and Taskbar
    Remove Run menu from Start Menu Enabled No \Start Menu and Taskbar
    Remove Default Programs link from the Start menu. Enabled No \Start Menu and Taskbar
    Remove Documents icon from Start Menu Enabled No \Start Menu and Taskbar
    Remove Music icon from Start Menu Enabled No \Start Menu and Taskbar
    Remove Network icon from Start Menu Enabled No \Start Menu and Taskbar
    Remove Pictures icon from Start Menu Enabled No \Start Menu and Taskbar
    Do not search communications Enabled No \Start Menu and Taskbar
    Remove Search Computer link Enabled No \Start Menu and Taskbar
    Remove See More Results / Search Everywhere link Enabled No \Start Menu and Taskbar
    Do not search for files Enabled No \Start Menu and Taskbar
    Do not search Internet Enabled No \Start Menu and Taskbar
    Do not search programs and Control Panel items Enabled No \Start Menu and Taskbar
    Remove programs on Settings menu Enabled No \Start Menu and Taskbar
    Remove Downloads link from Start Menu Enabled No \Start Menu and Taskbar
    Remove Homegroup link from Start Menu Enabled No \Start Menu and Taskbar
    Remove Recorded TV link from Start Menu Enabled No \Start Menu and Taskbar
    Remove user's folders from the Start Menu Enabled No \Start Menu and Taskbar
    Remove Videos link from Start Menu Enabled No \Start Menu and Taskbar
    Do not display any custom toolbars in the taskbar Enabled No \Start Menu and Taskbar
    Remove user folder link from Start Menu Enabled No \Start Menu and Taskbar
    Change Start Menu power button Enabled No \Start Menu and Taskbar
    Remove the Action Center icon Enabled No \Start Menu and Taskbar
    Remove the networking icon Enabled No \Start Menu and Taskbar
    Turn off feature advertisement balloon notifications Enabled No \Start Menu and Taskbar
    Prevent users from adding or removing toolbars Enabled No \Start Menu and Taskbar
    Prevent users from rearranging toolbars Enabled No \Start Menu and Taskbar
    Turn off all balloon notifications Enabled No \Start Menu and Taskbar
    Prevent users from moving taskbar to another screen dock location Enabled No \Start Menu and Taskbar
    Prevent users from resizing the taskbar Enabled No \Start Menu and Taskbar
    Group Policy refresh interval for users Enabled No \System\Group Policy
    Prevent access to the command prompt Enabled No \System
    Prevent access to registry editing tools Enabled No \System
    Configure Delete Browsing History on exit Enabled No \Windows Components\Internet Explorer\Delete Browsing History
    Empty Temporary Internet Files folder when browser is closed Enabled No \Windows Components\Internet Explorer\Internet Control Panel\Advanced Page
    Hide the common dialog back button Enabled No \Windows Components\Windows Explorer\Common Open File Dialog
    Hide the dropdown list of recent files Enabled No \Windows Components\Windows Explorer\Common Open File Dialog
    Hide the common dialog places bar Enabled No \Windows Components\Windows Explorer\Common Open File Dialog
    Turn off Details Pane Enabled No \Windows Components\Windows Explorer\Explorer Frame Pane
    Turn off Preview Pane Enabled No \Windows Components\Windows Explorer\Explorer Frame Pane
    Turn off Windows Libraries features that rely on indexed file data Enabled No \Windows Components\Windows Explorer
    Remove UI to change keyboard navigation indicator setting Enabled No \Windows Components\Windows Explorer
    Hide these specified drives in My Computer Enabled No \Windows Components\Windows Explorer
    No Entire Network in Network Locations Enabled No \Windows Components\Windows Explorer
    Remove File menu from Windows Explorer Enabled No \Windows Components\Windows Explorer
    Removes the Folder Options menu item from the Tools menu Enabled No \Windows Components\Windows Explorer
    Remove Hardware tab Enabled No \Windows Components\Windows Explorer
    Hides the Manage item on the Windows Explorer context menu Enabled No \Windows Components\Windows Explorer
    Remove "Map Network Drive" and "Disconnect Network Drive" Enabled No \Windows Components\Windows Explorer
    Remove the Search the Internet "Search again" link Enabled No \Windows Components\Windows Explorer
    Remove Search button from Windows Explorer Enabled No \Windows Components\Windows Explorer
    Remove Windows Explorer's default context menu Enabled No \Windows Components\Windows Explorer
    No Computers Near Me in Network Locations Enabled No \Windows Components\Windows Explorer

    Wednesday, May 20, 2015 7:55 PM

Answers

  • I figured it out with the help of one my colleagues. The policy setting we changed was in User Configuration\Administrative Templates\Control Panel\Prohibit access to the Control Panel.

    I changed it from [Prohibit access to the Control Panel] to [Show only specified Control Panel items]. I then specified the Canonical Name for Window Updates which is :Microsoft.WindowsUpdate.

    This allows non-admin users to click on the notification icon in the systray  and run Windows Update but prevents them running any Control Panel applet not specified.

    List of Canonical Names for Control Panel items.

    https://msdn.microsoft.com/en-us/library/windows/desktop/ee330741(v=vs.85).aspx?f=255&MSPPError=-2147217396


    Thursday, May 21, 2015 6:44 PM

All replies

  • I figured it out with the help of one my colleagues. The policy setting we changed was in User Configuration\Administrative Templates\Control Panel\Prohibit access to the Control Panel.

    I changed it from [Prohibit access to the Control Panel] to [Show only specified Control Panel items]. I then specified the Canonical Name for Window Updates which is :Microsoft.WindowsUpdate.

    This allows non-admin users to click on the notification icon in the systray  and run Windows Update but prevents them running any Control Panel applet not specified.

    List of Canonical Names for Control Panel items.

    https://msdn.microsoft.com/en-us/library/windows/desktop/ee330741(v=vs.85).aspx?f=255&MSPPError=-2147217396


    Thursday, May 21, 2015 6:44 PM
  • Hi,

    Glad to hear that your issue is resolved and thanks for the sharing!

    Your time and efforts is appreciated!

    Best Regards.


    Steven Lee Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact tnmff@microsoft.com.

    Friday, May 22, 2015 1:51 AM