Definition Updates

  • Question

  • Hello, we configured our Forefront Client Security to distribute updates using WSUS shared with SCCM according to http://technet.microsoft.com/en-us/library/dd185652.aspx. We have an issue and are not sure how to resolve it. The clients are patching their definition updates fine, automatically at the frequency of the policy (6 hours). However, when WSUS auto-approves the definition update, sometimes the Windows Automatic Update client will see it first and pester the users that there is a definition update available (this will stay as a tray icon until the FCS policy tries to check itself for new updates at the end of 6 hours). We want the definition updates to be completely silent. We use SCCM for all of our other patching and do not want the Automatic Update client to be seen on workstations. Does anyone have any ideas of how to suppress the Automatic Update client from showing when the Forefront definition updates are available? Thanks!
    Thursday, December 11, 2008 9:52 PM

Answers

  • Create a new GPO assigned to the USERS (not the computers) that has the following set:

    User Configuration>Administrative Templates>Windows Components>Windows Update>"Remove access to use all Windows Update features"

    Be aware, though, that this will stop your users from being able to use the Windows Update/Microsoft Update websites (which may not be a problem if you are managing their systems).
    CSS Security Support Engineer (FCS/MBSA/WUA/Incident Response) Check out my blog http://blogs.technet.com/kfalde
    • Marked as answer by bcehr Wednesday, December 17, 2008 7:11 PM
    Tuesday, December 16, 2008 3:18 PM

All replies

  • Thanks for the reply! That will work for our users; however, our administrators need to be able to access Windows Update, but do not want to be plagued with the icons. I have found that disabling Automatic Updates altogether appears to do the trick. FCS still pulls definition updates from the WSUS server and SCCM can still deploy patches through software updates. Anything negative about doing this?

    Thanks again!
    Wednesday, December 17, 2008 7:11 PM
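
A read-only check, added here as an example and not part of the original thread, that reports whether the two settings discussed above (the per-user policy from the answer and disabled Automatic Updates from the follow-up) are in effect on a workstation, and whether the client is still pointed at WSUS. The registry paths and value names are the standard policy locations and are assumptions, since the thread does not quote them.

```powershell
# Added example: read-only audit of the Windows Update policy values discussed in this thread.
# Assumption: registry paths/value names below are the standard policy locations (not quoted in the thread).
# Run in the logged-on user's session so HKCU reflects the user-scoped GPO.
$checks = @(
    @{ Setting = 'Remove access to use all Windows Update features (user GPO)'
       Path    = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\WindowsUpdate'
       Name    = 'DisableWindowsUpdateAccess'
       Meaning = @{ 1 = 'Enabled for this user'; 0 = 'Disabled for this user' } },
    @{ Setting = 'Automatic Updates (computer policy)'
       Path    = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
       Name    = 'NoAutoUpdate'
       Meaning = @{ 1 = 'Automatic Updates disabled'; 0 = 'Automatic Updates enabled' } },
    @{ Setting = 'Use intranet update service (WSUS)'
       Path    = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
       Name    = 'UseWUServer'
       Meaning = @{ 1 = 'Client uses the configured WSUS server'; 0 = 'Client does not use WSUS' } },
    @{ Setting = 'WSUS server URL'
       Path    = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
       Name    = 'WUServer'
       Meaning = @{} }
)

function Get-WUPolicyState {
    foreach ($c in $checks) {
        $value = $null
        if (Test-Path -LiteralPath $c.Path) {
            # A missing value yields $null rather than an error
            $item  = Get-ItemProperty -LiteralPath $c.Path -Name $c.Name -ErrorAction SilentlyContinue
            if ($null -ne $item) { $value = $item.($c.Name) }
        }
        if ($null -eq $value) {
            $state = 'Not configured'
        } elseif ($c.Meaning.ContainsKey($value)) {
            $state = $c.Meaning[$value]
        } else {
            $state = "Value: $value"
        }
        [pscustomobject]@{ Setting = $c.Setting; Value = $value; State = $state }
    }
}

Get-WUPolicyState | Format-Table -AutoSize -Wrap
```

Running it once as a standard user and once as an administrator shows whether the user-scoped policy is filtered per account as intended, while the computer-scoped rows should match in both sessions.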