Unable to install updates on Windows 7 client

  • Question

  • We have 2 new client laptops with Windows 7 in our domain. We have configured a Windows Server 2003 with WSUS 3.0 SP2.
    All our XP laptops can download the updates and install them.
    However, on the 2 laptops with Windows 7, the updates are downloaded, and the user gets a notification that new updates are available.
    But he can not install the updates.
    There is an information bar saying "Some settings are managed by your system administrator".
    There is no option to install the updates.
    How can we solve this problem?
    Monday, February 22, 2010 7:54 AM

Answers

  • Putting the following value HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer: NoWindowsUpdate to "0" solves the problem, thank you very much!!!

    You'll want to find the *POLICY* that caused that value to be enabled.

    You'll be looking for \User Configuration\Administrative Templates\Start Menu and Taskbar : Remove links and access to Windows Update
    Lawrence Garvin, M.S., MCITP:EA, MCDBA, MCSA
    Principal/CTO, Onsite Technology Solutions, Houston, Texas
    Microsoft MVP - Software Distribution (2005-2010)
    My MVP Profile: http://mvp.support.microsoft.com/profile/Lawrence.Garvin
    My Blog: http://onsitechsolutions.spaces.live.com
    • Proposed as answer by ITBeast Tuesday, May 14, 2013 11:15 PM
    • Marked as answer by Lawrence Garvin Wednesday, May 29, 2013 10:17 PM
    Wednesday, February 24, 2010 3:41 PM
  • I found this entry in the logfile:
    "Success Content Install Installation Ready: The following updates are downloaded and ready for installation.
    To install the updates, an administrator should log on to this computer and Windows will prompt with further instructions:  - Security Update for Microsoft Office Word 2007 (KB969604)"

    I'm logged in as administrator (my user is a domain administrator, and I added my domain user to the local administrator group). I added the group policy so non administrators can install updates, but still nothing. The WUAgent UI shows no option to install the updates.
    That behavior continues to confirm that a policy has been implemented that is blocking access to use the WUAgent UI.

    Please inspect the registry for these three values and report what they are, or if they do or do not exist:

    HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate: DisableWindowsUpdateAccess

    HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer: NoWindowsUpdate

    HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\WindowsUpdate: DisableWindowsUpdateAccess




    Lawrence Garvin, M.S., MCITP:EA, MCDBA, MCSA
    Principal/CTO, Onsite Technology Solutions, Houston, Texas
    Microsoft MVP - Software Distribution (2005-2010)
    My MVP Profile: http://mvp.support.microsoft.com/profile/Lawrence.Garvin
    My Blog: http://onsitechsolutions.spaces.live.com
    • Marked as answer by Sven77 Wednesday, February 24, 2010 5:25 AM
    Tuesday, February 23, 2010 6:09 PM

All replies

  • Hi,

    Could you please post the latest messages in %windir%\windowsupdate.log?

    Also, did you use group policy to configure the Windows Update setting for your clients?

    If so, did you put these two Windows 7 laptops in the same OU with other Windows XP clients?
    Monday, February 22, 2010 9:41 AM
  • First of all, we use group policy to configure the settings. We have put all laptops in the same OU.

    Here is an extract of the log-file.

    2010-02-22 10:04:13:609  832 714 Report CWERReporter finishing event handling. (00000000)
    2010-02-22 10:04:20:531  832 714 Report CWERReporter finishing event handling. (00000000)
    2010-02-22 10:04:25:065  832 ba8 AU AU received handle event
    2010-02-22 10:04:25:081  832 ba8 AU AU setting pending client directive to 'Install Approval'
    2010-02-22 10:04:28:783  832 714 Report CWERReporter finishing event handling. (00000000)
    2010-02-22 10:04:29:734  832 ba8 Shutdwn user declined update at shutdown
    2010-02-22 10:04:29:734  832 ba8 AU Successfully wrote event for AU health state:0
    2010-02-22 10:04:29:734  832 ba8 AU AU initiates service shutdown
    2010-02-22 10:04:29:750  832 ba8 AU ###########  AU: Uninitializing Automatic Updates  ###########
    2010-02-22 10:04:30:265  832 ba8 Report CWERReporter finishing event handling. (00000000)
    2010-02-22 10:04:30:530  832 ba8 Service *********
    2010-02-22 10:04:30:530  832 ba8 Service **  END  **  Service: Service exit [Exit code = 0x240001]
    2010-02-22 10:04:30:530  832 ba8 Service *************
    2010-02-22 10:07:54:373  844 c08 Misc ===========  Logging initialized (build: 7.4.7600.226, tz: +0100)  ===========
    2010-02-22 10:07:54:373  844 c08 Misc   = Process: C:\Windows\system32\svchost.exe
    2010-02-22 10:07:54:373  844 c08 Misc   = Module: c:\windows\system32\wuaueng.dll
    2010-02-22 10:07:54:373  844 c08 Service *************
    2010-02-22 10:07:54:389  844 c08 Service ** START **  Service: Service startup
    2010-02-22 10:07:54:389  844 c08 Service *********
    2010-02-22 10:07:54:545  844 c08 Agent   * WU client version 7.4.7600.226
    2010-02-22 10:07:54:545  844 c08 Agent   * Base directory: C:\Windows\SoftwareDistribution
    2010-02-22 10:07:54:545  844 c08 Agent   * Access type: No proxy
    2010-02-22 10:07:54:685  844 c08 Agent   * Network state: Connected
    2010-02-22 10:08:40:723  844 c08 Report CWERReporter::Init succeeded
    2010-02-22 10:08:40:723  844 c08 Agent ***********  Agent: Initializing Windows Update Agent  ***********
    2010-02-22 10:08:40:723  844 c08 Agent ***********  Agent: Initializing global settings cache  ***********
    2010-02-22 10:08:40:723  844 c08 Agent   * WSUS server: http://is001s001.ilias.local:8530
    2010-02-22 10:08:40:723  844 c08 Agent   * WSUS status server: http://is001s001.ilias.local:8530
    2010-02-22 10:08:40:723  844 c08 Agent   * Target group: Clients
    2010-02-22 10:08:40:723  844 c08 Agent   * Windows Update access disabled: No
    2010-02-22 10:08:40:738  844 c08 DnldMgr Download manager restoring 0 downloads
    2010-02-22 10:08:40:769  844 c08 AU ###########  AU: Initializing Automatic Updates  ###########
    2010-02-22 10:08:40:769  844 c08 AU   # WSUS server: http://is001s001.ilias.local:8530
    2010-02-22 10:08:40:769  844 c08 AU   # Detection frequency: 22
    2010-02-22 10:08:40:769  844 c08 AU   # Target group: Clients
    2010-02-22 10:08:40:769  844 c08 AU   # Approval type: Pre-install notify (Policy)
    2010-02-22 10:08:40:769  844 c08 AU   # Auto-install minor updates: No (User preference)
    2010-02-22 10:08:40:769  844 c08 AU   # Will interact with non-admins (Non-admins are elevated (User preference))
    2010-02-22 10:08:40:769  844 c08 AU   # Will display featured software notifications (User preference)
    2010-02-22 10:08:41:658  844 c08 Report ***********  Report: Initializing static reporting data  ***********
    2010-02-22 10:08:41:658  844 c08 Report   * OS Version = 6.1.7600.0.0.65792
    2010-02-22 10:08:41:658  844 c08 Report   * OS Product Type = 0x00000030
    2010-02-22 10:08:41:705  844 c08 Report   * Computer Brand = Dell Inc.
    2010-02-22 10:08:41:705  844 c08 Report   * Computer Model = Latitude E6500                 
    2010-02-22 10:08:41:721  844 c08 Report   * Bios Revision = A13
    2010-02-22 10:08:41:721  844 c08 Report   * Bios Name = Phoenix ROM BIOS PLUS Version 1.10 A13
    2010-02-22 10:08:41:721  844 c08 Report   * Bios Release Date = 2009-05-08T00:00:00
    2010-02-22 10:08:41:721  844 c08 Report   * Locale ID = 2067
    2010-02-22 10:08:41:767  844 c08 AU Successfully wrote event for AU health state:0
    2010-02-22 10:08:41:767  844 c08 AU Initializing featured updates
    2010-02-22 10:08:41:767  844 c08 AU Found 0 cached featured updates
    2010-02-22 10:08:41:767  844 c08 AU Successfully wrote event for AU health state:0
    2010-02-22 10:08:41:767  844 c08 AU Obtained Post reboot hr from Agent:8024000c
    2010-02-22 10:08:41:767  844 c08 AU AU setting pending client directive to 'Forced Reboot'
    2010-02-22 10:08:41:767  844 c08 AU Successfully wrote event for AU health state:0
    2010-02-22 10:08:41:767  844 c08 AU Triggering Offline detection (non-interactive)
    2010-02-22 10:08:41:783  844 c08 AU Successfully wrote event for AU health state:0
    2010-02-22 10:08:41:783  844 c08 AU AU finished delayed initialization
    2010-02-22 10:08:41:783  844 c08 AU #############
    2010-02-22 10:08:41:783  844 c08 AU ## START ##  AU: Search for updates
    2010-02-22 10:08:41:783  844 c08 AU #########
    2010-02-22 10:08:41:830  844 c08 AU <<## SUBMITTED ## AU: Search for updates [CallId = {7FBCE4EB-54FB-4A4B-8042-7C363E6D3FEB}]
    2010-02-22 10:08:41:892  844 cc0 Agent *************
    2010-02-22 10:08:41:892  844 cc0 Agent ** START **  Agent: Finding updates [CallerId = AutomaticUpdates]
    2010-02-22 10:08:41:892  844 cc0 Agent *********
    2010-02-22 10:08:41:892  844 cc0 Agent   * Online = No; Ignore download priority = No
    2010-02-22 10:08:41:892  844 cc0 Agent   * Criteria = "IsInstalled=0 and DeploymentAction='Installation' or IsPresent=1 and DeploymentAction='Uninstallation' or IsInstalled=1 and DeploymentAction='Installation' and RebootRequired=1 or IsInstalled=0 and DeploymentAction='Uninstallation' and RebootRequired=1"
    2010-02-22 10:08:41:892  844 cc0 Agent   * ServiceID = {3DA21691-E39D-4DA6-8A4B-B43877BCB1B7} Managed
    2010-02-22 10:08:41:892  844 cc0 Agent   * Search Scope = {Machine}
    2010-02-22 10:08:53:667  844 cc0 Agent   * Added update {0D9F9D74-6C5F-4457-ACB2-FD457886FE5C}.100 to search result
    2010-02-22 10:08:53:667  844 cc0 Agent Update {ED0D80A2-7BFA-42F8-969C-095AAB76165C}.101 is pruned out due to potential supersedence
    2010-02-22 10:08:53:667  844 cc0 Agent Update {98A22AEF-1FD9-4047-86BB-328AA18D039E}.101 is pruned out due to potential supersedence
    2010-02-22 10:08:53:667  844 cc0 Agent   * Added update {BBF29408-FE2D-4ADB-B9DA-AF6245B16E42}.101 to search result
    2010-02-22 10:08:53:667  844 cc0 Agent   * Added update {8DFF5C4D-49B4-4082-871D-9DE75A8CE693}.101 to search result
    2010-02-22 10:08:53:667  844 cc0 Agent Update {57ADACC9-C673-40B7-A946-6671AB71AD23}.101 is pruned out due to potential supersedence
    2010-02-22 10:08:53:667  844 cc0 Agent   * Added update {1623B5B1-C485-4360-B79F-0D1AFFB0FFB2}.102 to search result
    2010-02-22 10:08:53:667  844 cc0 Agent   * Added update {7FEFA893-2E73-4ABC-B5FF-9AE61EB851EC}.106 to search result
    2010-02-22 10:08:53:667  844 cc0 Agent   * Added update {E00B2634-BEF9-4C32-B2BF-DEAF7D7221E4}.101 to search result
    2010-02-22 10:08:53:667  844 cc0 Agent   * Added update {BA8DEE6F-5B12-4AF9-96F5-2744DC9B786A}.102 to search result
    2010-02-22 10:08:53:667  844 cc0 Agent   * Added update {40256B75-9C7B-458C-9055-F331318B15D3}.100 to search result
    2010-02-22 10:08:53:667  844 cc0 Agent   * Added update {4DF9E362-290E-43A3-8FEA-387632D1E2B3}.100 to search result
    2010-02-22 10:08:53:667  844 cc0 Agent   * Added update {00BAC3AA-01E9-4CED-B248-91FAD56485CE}.100 to search result
    2010-02-22 10:08:53:667  844 cc0 Agent   * Added update {FF02D7A6-9A8A-4073-8235-E27FBA4F44F2}.102 to search result
    2010-02-22 10:08:53:667  844 cc0 Agent   * Added update {C903F14B-CB70-4458-A8BD-022FFFD0C598}.105 to search result
    2010-02-22 10:08:53:667  844 cc0 Agent   * Added update {9AF2C708-E83D-45C3-9210-4FB42631A361}.102 to search result
    2010-02-22 10:08:53:667  844 cc0 Agent   * Added update {9452E2DD-399E-430C-A7F6-81065B8BD447}.105 to search result
    2010-02-22 10:08:53:667  844 cc0 Agent   * Found 14 updates and 53 categories in search; evaluated appl. rules of 372 out of 929 deployed entities
    2010-02-22 10:08:53:682  844 cc0 Agent *********
    2010-02-22 10:08:53:682  844 cc0 Agent **  END  **  Agent: Finding updates [CallerId = AutomaticUpdates]
    2010-02-22 10:08:53:682  844 cc0 Agent *************
    2010-02-22 10:08:53:682  844 cf0 AU >>##  RESUMED  ## AU: Search for updates [CallId = {7FBCE4EB-54FB-4A4B-8042-7C363E6D3FEB}]
    2010-02-22 10:08:53:682  844 cf0 AU   # 14 updates detected
    2010-02-22 10:08:53:698  844 cf0 AU #########
    2010-02-22 10:08:53:698  844 cf0 AU ##  END  ##  AU: Search for updates [CallId = {7FBCE4EB-54FB-4A4B-8042-7C363E6D3FEB}]
    2010-02-22 10:08:53:698  844 cf0 AU #############
    2010-02-22 10:08:53:698  844 cf0 AU Featured notifications is disabled.
    2010-02-22 10:08:53:698  844 cf0 AU Successfully wrote event for AU health state:0
    2010-02-22 10:08:53:698  844 cf0 AU Successfully wrote event for AU health state:0
    2010-02-22 10:08:53:745  844 cc0 Report CWERReporter finishing event handling. (00000000)
    2010-02-22 10:08:56:770  844 c08 AU WARNING: AU found no suitable session to launch client in
    2010-02-22 10:08:58:704  844 cc0 Report CWERReporter finishing event handling. (00000000)
    2010-02-22 10:42:26:593  844 cc0 Report CWERReporter finishing event handling. (00000000)
    2010-02-22 10:42:34:222  844 cc0 Report CWERReporter finishing event handling. (00000000)
    2010-02-22 10:42:42:717  844 cc0 Report CWERReporter finishing event handling. (00000000)
    2010-02-22 10:42:52:253  844 c08 AU Launched new AU client for directive 'Forced Reboot', session id = 0x1
    Monday, February 22, 2010 9:45 AM
  • However, on the 2 laptops with Windows 7, the updates are downloaded, and the user gets a notification that new updates are available.
    But he can not install the updates.
    There is an information bar saying "Some settings are managed by your system administrator".
    There is no option to install the updates.
    How can we solve this problem?
    The most likely cause is that you've enabled one of the policies that restricts access to the WUAgent UI.

    See the end of the section Configuring Clients Using Group Policy in the WSUS Deployment Guide to confirm you have not configured any restrictive policies.

    Second, please post the relevant entries from the ReportingEvents.log and/or the WindowsUpdate.log that show updates have actually been downloaded to one of these Windows 7 clients.

    Third, please post the relevant entries from the WindowsUpdate.log showing the updates are available for installation.


    Note: The log segment provided earlier today shows the updates being DETECTED . . . but that is all that is demonstrated in this log segment.

    Lawrence Garvin, M.S., MCITP:EA, MCDBA, MCSA
    Principal/CTO, Onsite Technology Solutions, Houston, Texas
    Microsoft MVP - Software Distribution (2005-2010)
    My MVP Profile: http://mvp.support.microsoft.com/profile/Lawrence.Garvin
    My Blog: http://onsitechsolutions.spaces.live.com
    Monday, February 22, 2010 9:17 PM
  • I don't see any policy that restricts access to the WUAgent UI.
    However, I found this entry in the logfile:
    "Success Content Install Installation Ready: The following updates are downloaded and ready for installation.
    To install the updates, an administrator should log on to this computer and Windows will prompt with further instructions:  - Security Update for Microsoft Office Word 2007 (KB969604)"

    I'm logged in as administrator (my user is a domain administrator, and I added my domain user to the local administrator group). I added the group policy so non administrators can install updates, but still nothing. The WUAgent UI shows no option to install the updates.

    You mentioned the ReportingEvents.log, where can I find this logfile?
    Tuesday, February 23, 2010 5:40 AM
  • I found this entry in the logfile:
    "Success Content Install Installation Ready: The following updates are downloaded and ready for installation.
    To install the updates, an administrator should log on to this computer and Windows will prompt with further instructions:  - Security Update for Microsoft Office Word 2007 (KB969604)"

    I'm logged in as administrator (my user is a domain administrator, and I added my domain user to the local administrator group). I added the group policy so non administrators can install updates, but still nothing. The WUAgent UI shows no option to install the updates.
    That behavior continues to confirm that a policy has been implemented that is blocking access to use the WUAgent UI.

    Please inspect the registry for these three values and report what they are, or if they do or do not exist:

    HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate: DisableWindowsUpdateAccess

    HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer: NoWindowsUpdate

    HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\WindowsUpdate: DisableWindowsUpdateAccess




    Lawrence Garvin, M.S., MCITP:EA, MCDBA, MCSA
    Principal/CTO, Onsite Technology Solutions, Houston, Texas
    Microsoft MVP - Software Distribution (2005-2010)
    My MVP Profile: http://mvp.support.microsoft.com/profile/Lawrence.Garvin
    My Blog: http://onsitechsolutions.spaces.live.com
    • Marked as answer by Sven77 Wednesday, February 24, 2010 5:25 AM
    Tuesday, February 23, 2010 6:09 PM
  • HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate: DisableWindowsUpdateAccess
    --> not present
    HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer: NoWindowsUpdate
    --> 1
    HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\WindowsUpdate: DisableWindowsUpdateAccess
    --> not present

    Wednesday, February 24, 2010 5:11 AM
  • Putting the following value HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer: NoWindowsUpdate to "0" solves the problem, thank you very much!!!
    Wednesday, February 24, 2010 5:25 AM
  • Putting the following value HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer: NoWindowsUpdate to "0" solves the problem, thank you very much!!!

    You'll want to find the *POLICY* that caused that value to be enabled.

    You'll be looking for \User Configuration\Administrative Templates\Start Menu and Taskbar : Remove links and access to Windows Update
    Lawrence Garvin, M.S., MCITP:EA, MCDBA, MCSA
    Principal/CTO, Onsite Technology Solutions, Houston, Texas
    Microsoft MVP - Software Distribution (2005-2010)
    My MVP Profile: http://mvp.support.microsoft.com/profile/Lawrence.Garvin
    My Blog: http://onsitechsolutions.spaces.live.com
    • Proposed as answer by ITBeast Tuesday, May 14, 2013 11:15 PM
    • Marked as answer by Lawrence Garvin Wednesday, May 29, 2013 10:17 PM
    Wednesday, February 24, 2010 3:41 PM
  • This is not the policy I'm looking for. If I enable this, the user can search for updates on the internet.
    Any other suggestions?
    Thursday, February 25, 2010 4:58 AM
  • This is not the policy I'm looking for.
    Okay, some clarification seems in order here.

    You reported in your post yesterday that
    HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer: NoWindowsUpdate
    --> 1
    and
    Putting the following value HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer: NoWindowsUpdate to "0" solves the problem, thank you very much!!!
    And I'm pointing out that this registry value existed in the first place because of the policy setting in ~\Start Menu and Taskbar, and you'll want to find that policy and remove that configuration, or your registry value will revert to TRUE at the next policy refresh. (Which it, no doubt, has already done.)
    If I enable this, the user can search for updates on the internet.
    Absolutely! That policy only does what it says it does -- removes links and access to Windows Update -- it does not block Internet access, and this is how that policy has behaved since it was created with the original release of AD/GP with Windows 2000 ten years ago.

    If you want to completely block the user's ability to install updates, then you need to use a different policy -- but the point here is that if you block the user's ability to install updates, then the user cannot install updates -- which was, as I recall, your original complaint -- that the user could not install updates!

    If you want to block a user's ability to download update content from Microsoft.com, and exclusively obtain content from the WSUS Server, but still be able to install those updates interactively, then you'll need to implement web content filtering in your proxy/firewall. Frankly, I'd say that if you can't trust users not to go to the web to obtain content, then it's questionable as to whether they should be interactively involved in the installation process at all. Such users can still have access to "Install Updates and Shutdown", and that's the facility that should be implemented for non-trusted/non-admin users if you wish users to have control over when updates are installed.

    Any other suggestions?
    Not really, you seem to be wanting dichotomous behaviors in this matter, and I'm a bit confused as to what it is you want, or do not want.

    So, now that we've identified the cause of your original complaint:
    on the 2 laptops with Windows 7, the updates are downloaded, and the user gets a notification that new updates are available.
    But he can not install the updates.
    There is an information bar saying "Some settings are managed by your system administrator".
    There is no option to install the updates.
    If you want other suggestions, perhaps we need to identify exactly what behavior it is you expect the user to have and not have, and then we can proceed from there.
    Lawrence Garvin, M.S., MCITP:EA, MCDBA, MCSA
    Principal/CTO, Onsite Technology Solutions, Houston, Texas
    Microsoft MVP - Software Distribution (2005-2010)
    My MVP Profile: http://mvp.support.microsoft.com/profile/Lawrence.Garvin
    My Blog: http://onsitechsolutions.spaces.live.com
    Thursday, February 25, 2010 6:54 PM
  • Thank you for the explanation!

    I'll explain my problem a bit further:

    We currently have only computers with Windows XP.
    These computers download their updates from our WSUS server. These updates are downloaded automatically. The user gets the warning that new updates are ready for installation, and it is up to the user to install them. But we, the administrators, decide which updates are downloaded via our WSUS server.
    If the user wants to download updates via the internet, the following error is shown: "Network policy settings prevent you from using this website to get updates for your computer"

    On the new computers with Windows 7 we want the same behaviour. So we (the administrators) decide which updates to download, they are downloaded to the computer, the user gets the notification that new updates are available, but he can not install them.
    When changing the registry setting, this works, but it is indeed better to push this via group policies.

    I hope I clarified the problem, and I hope even more that you can help me :-)
    Friday, February 26, 2010 5:10 AM
  • Thank you for the explanation!

    I'll explain my problem a bit further:

    We currently have only computers with Windows XP.
    These computers download their updates from our WSUS server. These updates are downloaded automatically. The user gets the warning that new updates are ready for installation, and it is up to the user to install them. But we, the administrators, decide which updates are downloaded via our WSUS server.
    If the user wants to download updates via the internet, the following error is shown: "Network policy settings prevent you from using this website to get updates for your computer"

    On the new computers with Windows 7 we want the same behaviour.
    I don't think you can have the same behavior.

    For starters, on WinXP the user has to go to Windows Update WEBSITE to get updates, and you've effectively blocked this with the "Remove links..." policy.

    However, the methodology for obtaining/installing updates on Windows Vista, Windows 7, and Windows Server 2008 has significantly changed. There is, no longer, the concept of browsing to the WU WEBSITE, rather the user uses the local WUApp (contained in Control Panel), and directly connects to the WU/MU webservices. However, the policy "Remove links..." now has the added impact of blocking this functionality -- thus also restricting the user's ability to install updates from a WSUS server -- because it is access to the =WUApp= that is now being blocked, not access to the WU WEBSITE.

    If you want to restrict a user's ability to get updates directly from microsoft.com, then the way to do that is to block access to those URLs in your firewall. The URLs are documented in the Deployment Guide.

    As for policies .. there are three policies now available for Vista/Win7/Win2008 systems... and I covered these in my recent webcast on Group Policy and WSUS.

    Remove links and access to Windows Update
    Policy: User Configuration \ Administrative Templates \ Start Menu and Taskbar
    Registry: HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer

    This was the original policy that predates the creation of MU, SUS, and WSUS. When the only way for a user to get updates was Automatic Updates (with scheduled installations) or browsing to Windows Update, this policy was intended to block the ability to use the built-in Start Menu and Taskbar links to browse to Windows Update. (It never prevented the user from entering the actual WU URL into the Internet Explorer browser . . so really it only protected the neophytes from themselves, as knowledgeable Power Users could easily work around this policy -- and still can!)

    In fact, one of the "feature advantages" of the WUApp is that it plugged this hole that allowed users to type the URL of the Windows Update WEBSITE into the browser.


    Remove access to use all Windows Update features
    Policy: User Configuration \ Administrative Templates \ Windows Components \ Windows Update
    Registry: HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\WindowsUpdate

    This policy was introduced with the Windows Update Agent and primarily designed to allow WSUS administrators to keep local Admins (who needed to be local Admins for reasons of other-app-compatibility) from messing with the update deployment process. It must be used in conjunction with AUOptions=4 and scheduled installations. This policy also blocks access to use the WU/MU websites, because it blocks all UI functionality of the WUAgent (which WU/MU are dependent on).

    This policy has a suboption which allows notifications to be enabled so the user can see what is happening, albeit cannot interact or control those happenings.


    Turn off access to all Windows Update features
    Policy: Computer Configuration \ System \ Internet Communication Management \ Internet Communication Settings
    Registry: HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate :: DisableWindowsUpdateAccess

    This is a computer-specific policy, new with Vista/Win7 (and unlike the previous policies that were *USER* policies) that blocks all ability to interact with any WUAgent UI functionality. It should only be used in conjunction with AUOptions=4 and Scheduled Installations.


    None of these policies will achieve the stated objective of restricting Windows 7 users from being able to search online (WU/MU) for available updates. The only way to do that, and retain the ability to interactively install WSUS-approved updates, is to block the *workstations* from accessing those URLs using firewall/proxy rules.




    Lawrence Garvin, M.S., MCITP:EA, MCDBA, MCSA
    Principal/CTO, Onsite Technology Solutions, Houston, Texas
    Microsoft MVP - Software Distribution (2005-2010)
    My MVP Profile: http://mvp.support.microsoft.com/profile/Lawrence.Garvin
    My Blog: http://onsitechsolutions.spaces.live.com
    Friday, February 26, 2010 5:01 PM
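
Added example (not part of the thread and not code from any of its participants): a PowerShell check for the three registry values the replies above ask about, each mapped to the policy the thread associates with it. The function name `Get-WUAccessPolicyState` is hypothetical, and the script assumes any value other than 0 means the policy is enabled; run it in the affected user's session, because two of the values live under HKCU.

```powershell
# Added example, not from the thread. Written for PowerShell 2.0 (the Windows 7 default).
# Registry paths, value names and policy names are the ones quoted in the thread.
$WUAccessChecks = @(
    @{ Scope  = 'Computer'
       Path   = 'HKLM:\Software\Policies\Microsoft\Windows\WindowsUpdate'
       Name   = 'DisableWindowsUpdateAccess'
       Policy = 'Turn off access to all Windows Update features' },
    @{ Scope  = 'User'
       Path   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
       Name   = 'NoWindowsUpdate'
       Policy = 'Remove links and access to Windows Update' },
    @{ Scope  = 'User'
       Path   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\WindowsUpdate'
       Name   = 'DisableWindowsUpdateAccess'
       Policy = 'Remove access to use all Windows Update features' }
)

function Get-WUAccessPolicyState {
    # Hypothetical helper name. Emits one object per registry value saying
    # whether it exists, what it holds, and whether it restricts the WUAgent UI.
    foreach ($check in $WUAccessChecks) {
        $name  = $check.Name
        $data  = $null
        $state = 'not present'

        # The key itself may be missing when no policy has ever written to it.
        if (Test-Path -Path $check.Path) {
            $item = Get-ItemProperty -Path $check.Path -Name $name -ErrorAction SilentlyContinue
            if ($item -ne $null) {
                $data  = $item.$name
                $state = 'present'
            }
        }

        # Assumption: any value other than 0 means the policy is enabled.
        $restricts = ($state -eq 'present') -and ("$data" -ne '0')

        New-Object PSObject -Property @{
            Scope       = $check.Scope
            Key         = $check.Path
            Value       = $name
            State       = $state
            Data        = $data
            RestrictsUI = $restricts
            Policy      = $check.Policy
        } | Select-Object Scope, Key, Value, State, Data, RestrictsUI, Policy
    }
}

# Full report, then only the values that currently restrict the WUAgent UI.
Get-WUAccessPolicyState | Format-List
Get-WUAccessPolicyState | Where-Object { $_.RestrictsUI } | Format-Table Scope, Value, Policy -AutoSize
```

A value reset by hand comes back at the next policy refresh, as the replies above point out; `gpresult /h report.html`, run as the same user, shows which GPO applies the setting.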
  • Quest makes pretty good GPO tools check it out

    Windows 7 Tutorials

    Friday, February 11, 2011 1:55 AM
  • Quest makes pretty good GPO tools check it out

    Are you aware that you've posted to a thread that is almost a YEAR old? -- and already ANSWERED?

    Not to mention that reply is off-topic. :-//


    Lawrence Garvin, M.S., MCITP:EA, MCDBA, MCSA
    Principal/CTO, Onsite Technology Solutions, Houston, Texas
    Microsoft MVP - Software Distribution (2005-2011)
    My MVP Profile: http://mvp.support.microsoft.com/profile/Lawrence.Garvin
    My Blog: http://onsitechsolutions.spaces.live.com
    Sunday, February 13, 2011 11:10 PM
  • Hi Lawrence,

    Just wanted to pass on that even though this post is over 3 years old it finally helped me find out why my Windows 7 Clients were unable to be self updated by my users. In my GPO I had that "Remove Links and access to Windows Update" policy enabled. Thanks again for the Info.


    John M. Keller MCP (XP & 2003) | Security + E-Mail : itbeast@msn.com

    Tuesday, May 14, 2013 11:19 PM
  • In my GPO I had that "Remove Links and access to Windows Update" policy enabled.

    Thank you for taking the time to post back the results.

    Lawrence Garvin, M.S., MCITP:EA, MCDBA, MCSA
    SolarWinds Head Geek
    Microsoft MVP - Software Packaging, Deployment & Servicing (2005-2013)
    My MVP Profile: http://mvp.support.microsoft.com/profile/Lawrence.Garvin
    http://www.solarwinds.com/gotmicrosoft
    The views expressed on this post are mine and do not necessarily reflect the views of SolarWinds.

    Wednesday, May 29, 2013 10:17 PM