none
TS - Windows Server 2008 - Prevent users form seeing Windows Update popup RRS feed

Answers

  • Hi,

    In the Group Policy Object that is applicable to your non-admin users, enable the following setting:

    User Configuration\Policies\Administrative Templates\Windows Components\Windows Update

    Remove access to use all Windows Update features

    Enabled: 0 - Do not show any notifications

    If you applied an update that requires a restart, this setting will remove the pointless reminder messages that standard users receive regarding the restart requirement (they have no ability to restart).  In general, I recommend you apply updates in a controlled manner during off hours.  That way you can test, restart, etc., and you know exactly when updates are installed.

    Thanks.

    -TP

    Wednesday, September 23, 2009 1:00 AM
    Moderator
  • Hello,

     

    Thanks for your post in our forum, Teenzbutler.

     

    In Windows Server 2008, the non-administrator users will receive the Windows Update notifications in two situations:

     

    ·          In local level, Automatic Updates is configured in

    Control Panel – Windows Update – Change Settings (Automatically or scheduled)

    or

    Local Group Policy Editor - Computer Configuration – Policies – Administrative Template –Windows Components – Windows Update: Configure Automatic Update (Enabled or Not Configured)

    Resolution
    : set the following local policy

    Local Group Policy Editor - Computer Configuration – Policies – Administrative Template –Windows Components – Windows Update: Allow non-administrators to receive update notifications

    to be Disabled.

     

    ·          In Group Policy settings, the settings under Computer Configuration – Policies – Administrative Template –Windows Components – Windows Update are settings as below:

    Configure Automatic Updates: Enabled;

    Allow non-administrators to receive update notifications: Enabled;


    Resolution: In such a case, please set the second setting to be Disabled or Not Configured.

    Please give it a try and let us know the result. Feel free to let me know if you need any further assistance. Thanks and have a nice day.

     

     

    Lionel Chen

    TechNet Subscriber Support in forum

    If you have any feedback on our support, please contact tngfb@microsoft.com

    • Marked as answer by teenzbutler Wednesday, September 23, 2009 4:40 PM
    Wednesday, September 23, 2009 10:05 AM
  • It appears to be working now.  I have never done this before so I am not sure if I did anything wrong.  Could you please let me know if the steps I performed are correct.  This is what I did:

    1.  Opened Active Directory and accessed the Global Policy Mangement console
    2.  Created a new policy under the "Global Policy Objects" section called "Prevent Windows Notification"
    3.  Right-clicked on the newly created GPO and selected Edit
    4.  Enabled the "Remove access to use all Windows Update features"
    5.  Under the "Security Filtering", I removed "Authenticated User" and added all the necessary distribution lists, as well as the Terminal Server computers I wanted this policy to affect
    6.  I right-clicked on the "Terminal Servers" in the left pane and selected "Link an existing GPO..."
    7.  I selected the "Prevent Windows Notification" GPO within the Global Policy Objects list
    8.  I logged on as administrator as well as a non-admin user

    I had to play with a lot of the settings to get it just right.  When the "Authenticated Users" was added to the Security Filtering list, then the Administrator was blocked from the Windows Update.  Once I removed it, it seemed to work.

    Thanks

    Teenzbutler
    Wednesday, September 30, 2009 11:34 PM
  • Hello Teenzbutler,

    The answer depends on whether the GPO is linked to the new OU. If it doesn't, the group policies won't apply to the servers.

    Please follow up here to let us know the status of the issue now. If you have further questions on group policy, please consider to use our forum focusing on Group Policy:

    TechNet Forum: Group Policy
    http://social.technet.microsoft.com/Forums/en-US/winserverGP/threads

    Thanks for your patience again.

     

    ·         Lionel Chen

    TechNet Subscriber Support in forum

    If you have any feedback on our support, please contact tngfd@microsoft.com

    Wednesday, November 11, 2009 6:23 AM

All replies

  • Hello,

    By using GPO's.

    Good luck

    Robert

    Tuesday, September 22, 2009 10:14 PM
  • Hi,

    In the Group Policy Object that is applicable to your non-admin users, enable the following setting:

    User Configuration\Policies\Administrative Templates\Windows Components\Windows Update

    Remove access to use all Windows Update features

    Enabled: 0 - Do not show any notifications

    If you applied an update that requires a restart, this setting will remove the pointless reminder messages that standard users receive regarding the restart requirement (they have no ability to restart).  In general, I recommend you apply updates in a controlled manner during off hours.  That way you can test, restart, etc., and you know exactly when updates are installed.

    Thanks.

    -TP

    Wednesday, September 23, 2009 1:00 AM
    Moderator
  • Hello,

     

    Thanks for your post in our forum, Teenzbutler.

     

    In Windows Server 2008, the non-administrator users will receive the Windows Update notifications in two situations:

     

    ·          In local level, Automatic Updates is configured in

    Control Panel – Windows Update – Change Settings (Automatically or scheduled)

    or

    Local Group Policy Editor - Computer Configuration – Policies – Administrative Template –Windows Components – Windows Update: Configure Automatic Update (Enabled or Not Configured)

    Resolution
    : set the following local policy

    Local Group Policy Editor - Computer Configuration – Policies – Administrative Template –Windows Components – Windows Update: Allow non-administrators to receive update notifications

    to be Disabled.

     

    ·          In Group Policy settings, the settings under Computer Configuration – Policies – Administrative Template –Windows Components – Windows Update are settings as below:

    Configure Automatic Updates: Enabled;

    Allow non-administrators to receive update notifications: Enabled;


    Resolution: In such a case, please set the second setting to be Disabled or Not Configured.

    Please give it a try and let us know the result. Feel free to let me know if you need any further assistance. Thanks and have a nice day.

     

     

    Lionel Chen

    TechNet Subscriber Support in forum

    If you have any feedback on our support, please contact tngfb@microsoft.com

    • Marked as answer by teenzbutler Wednesday, September 23, 2009 4:40 PM
    Wednesday, September 23, 2009 10:05 AM
  • Thanks Lionel.  I appreciate your response and your step-by-step instructions. 
    Wednesday, September 23, 2009 4:41 PM
  • Hi Lionel,

    The GP setting you reference will not stop all Windows Update notifications for non-admin users.  If an update is applied that requires a restart, ALL users (including non-admins) will receive a Windows Update notification with bright yellow header asking the user to Restart.  If the user does not change it, this popup will continue every 10 minutes.

    The setting I recommended will eliminate all notifications for non-admins.

    By default if automatic update is enabled on Server 2008, non-admins will not receive notifications, except for the one case I mentioned above.  This has been the behavior in 2003 as well.

    Thanks.

    -TP
    Wednesday, September 23, 2009 7:54 PM
    Moderator
  • Hello,

     

    Thanks a lot for the feedback from Teenzbutler and the great information from TP[].

     

    Teenzbutler, please choose the workaround based on your business requirement. If you meet any issue or difficulties in applying the methods, please don’t hesitate to post back here. We’re glad to help you.

     

    Thanks again and wish you have a nice day.

     

     

    Lionel Chen

    TechNet Subscriber Support in forum

    If you have any feedback on our support, please contact tngfb@microsoft.com

    Thursday, September 24, 2009 12:51 PM
  • Lionel's instructions didn't work.  Non-admin users are still receiving popups.  I tried TP's instruction, but that completely removed the ability to update the server, even while logged on as an administrator.  I copied the details of the setting:
    ________


    This setting allows you to remove access to Windows Update.

    If you enable this setting, all Windows Update features are removed. This includes blocking access to the Windows Update Web site at http://windowsupdate.microsoft.com, from the Windows Update hyperlink on the Start menu, and also on the Tools menu in Internet Explorer. Windows automatic updating is also disabled; you will neither be notified about nor will you receive critical updates from Windows Update. This setting also prevents Device Manager from automatically installing driver updates from the Windows Update Web site.

    If enabled you can configure one of the following notification options:

    0 = Do not show any notifications

    This setting will remove all access to Windows Update features and no notifications will be shown.

    1 = Show restart required notifications

    This setting will show notifications about restarts that are required to complete an installation.

    _______

    As a side note, I restarted the servers after making these changes. 

    Wednesday, September 30, 2009 8:29 PM
  • Hi,

    You must set this on a group policy object that is applicable to your non-admin users, but does not apply to administrators.  Once properly configured your admins will be able to use windows update whereas non-admins will not receive any notifications, including the restart required popups.

    Thanks.

    -TP
    Wednesday, September 30, 2009 8:54 PM
    Moderator
  • It appears to be working now.  I have never done this before so I am not sure if I did anything wrong.  Could you please let me know if the steps I performed are correct.  This is what I did:

    1.  Opened Active Directory and accessed the Global Policy Mangement console
    2.  Created a new policy under the "Global Policy Objects" section called "Prevent Windows Notification"
    3.  Right-clicked on the newly created GPO and selected Edit
    4.  Enabled the "Remove access to use all Windows Update features"
    5.  Under the "Security Filtering", I removed "Authenticated User" and added all the necessary distribution lists, as well as the Terminal Server computers I wanted this policy to affect
    6.  I right-clicked on the "Terminal Servers" in the left pane and selected "Link an existing GPO..."
    7.  I selected the "Prevent Windows Notification" GPO within the Global Policy Objects list
    8.  I logged on as administrator as well as a non-admin user

    I had to play with a lot of the settings to get it just right.  When the "Authenticated Users" was added to the Security Filtering list, then the Administrator was blocked from the Windows Update.  Once I removed it, it seemed to work.

    Thanks

    Teenzbutler
    Wednesday, September 30, 2009 11:34 PM
  • Hello Teenzbutler,

    I'm happy to hear that you've resolved the issue with TP's suggestions.

    I hope to see you again and we will always try our best to assist you.

    Thanks for your sharing and wish you a nice day.

     

    Lionel Chen

    TechNet Subscriber Support in forum

    If you have any feedback on our support, please contact EMAIL REMOVED

    Friday, October 2, 2009 2:14 AM
  • Hi TP,

    You are of course absolutely correct about this.

    However, the problem with this gpo is that it hits users regardless if they are logged on a workstation or a TS. I want the users to get the messages (and install the updates/reboot) at the local workstation, but I do not want it when they are in a ts-session. So I'd really like a policy like that for the computer-policy....how can this be accomplished ..??

    Any ideas ?


    Thanks

    - KH
    Thursday, October 22, 2009 10:28 PM
  • Hi,

    Place your TS in a separate OU and use loopback processing so that the policies will only apply when users logon to the TS, and not when they logon to their workstation.  This is a common scenario because normally a TS has more restrictive policy settings than what is desired for workstations.

    Thanks.

    -TP

    Friday, October 23, 2009 12:35 AM
    Moderator
  • TP,

    I set this up as a group policy and made it applicable to non-admin users.  However, I don't know how to NOT apply this group setting to the administrators.  Can you please let me know how to do that. 

    Wednesday, October 28, 2009 11:43 PM
  • Hello Teenzbutler,

    Open the GPO and go to tab "Delegation" click on "Advanced", select you admins group and set the option "Apply Group Policy" to deny.

    Regards Robert 
    Thursday, October 29, 2009 8:49 AM
  • How do you accomplish that? How do you do "Loopback processing" ?

    Tanks again !

    Kenneth
    Thursday, October 29, 2009 11:49 AM
  • Hi Kenneth,

    I assume a) you already have created a separate OU and moved the computer account for your TS inside of it, b) your TS is a member server (not a DC), and c) you create a GPO using gpmc.msc and linked it to the above OU.  To enable Loopback, edit the above GPO using gpedit and configure the following setting:

    Computer Configuration\Policies\Administrative Templates\System\Group Policy

    User Group Policy loopback processing mode     Enabled

    Mode:     Replace

    Thanks.

    -TP

    Thursday, October 29, 2009 5:15 PM
    Moderator
  • Well things have gotten really weird now.  I decided to start over and deleted the group policy I created.  The administrator cannot access the Windows Update AT ALL now.  Even after deleting the group policy.   I logged off and logged back on, but I am denied access.  Why would that be?  I checked the servers for any local policy and none are configured under the Computer Configuration > Administrative Template > Windows Components > Windows Update or User Configuration > Administrative Template > Windows Components > Windows Update.  I appreciate any assistance.

    BTW:  I deleted the global policy because nothing was working.  I am getting either all or nothing when it comes to accessing the windows update regardless of the settings I put in place.  I have tried the following:

    Created Global Policy:
     Computer Configuration – Administrative Template –Windows Components – Windows Update

    Configure Automatic Updates = Enabled

    Allow non-administrators to receive update notifications = Disabled


    Added Authenticated Users as well as non-admin users (these are contained in groups).  I added Administrator and checked the "Deny" setting under "Apply global policy". 

    Thursday, October 29, 2009 11:44 PM
  • I was doing some further research and some recommended deleting the following key in the registry:

    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\WindowsUpdate\DisableWindowsUpdateAccess

    I have this key.  Do you think this could be the reason why I am blocked from accessing the windows update while logged on as the user?  Is it safe to delete?
    Friday, October 30, 2009 9:34 PM
  • Thanks again TP, learned something new :)

    I'm almost there but ....

    The setting "Remove access to use all Windows Update features" is a user setting. So how can I make this setting a computer-setting and apply it to all users logging on to the TS-computer? I get the loopback-setting - genius setting that I didn't know about, but then you're limited to the computer-settings only I'm guessing ?

    Kenneth

    Monday, November 2, 2009 1:30 PM
  • Hi Kenneth,

    It works for User settings as well.  After applying loopback restart your server for the change to take effect (this is just for loopback, no need to restart for the other setting).

    Set a Deny Apply Group Policy for Domain Admins on the GPO so that the setting will not apply to admins.

    I am going to type up the basic steps for all of this later today in order to help teenzbutler, so if you have any problems please check back and read that.

    Thanks.

    -TP
    Monday, November 2, 2009 2:02 PM
    Moderator
  • Hi teenzbutler,

    I will type up the basic steps to make this work for you to reference later today.  If possible please wait for that, and then follow up with any questions you may have.

    Thanks.

    -TP
    Monday, November 2, 2009 2:05 PM
    Moderator
  • Hi teenzbutler,

    Below are the basic steps for setting this up so that non-admins do not see windows update popups, while still allowing domain admins to see them/access windows update.  The example is for using loopback mode--if you would like yours to be configured differently please let me know (it is only minor changes to do it non-loopback).

    The instructions assume that your server is part of a domain, and is a member server (not a DC).

    Dedicate Organizational Unit to your Terminal Servers

    1. Open Active Directory Users and Computers (dsa.msc)
    2. Create a new Organization Unit named Remote Desktop Servers
    3. Navigate to the Computers OU (or wherever your TS server account is located)
    4. Right-click on the TS server account object, choose Move, Select Remote Desktop Servers, and click OK

    Create Group Policy Object and set Security

    1. Open Group Policy Management Console (gpmc.msc)
    2. In the left pane, expand Forests, Domains, <yourdomain> so that you can work with your domain's objects
    3. In the left pane right-click on Remote Desktop Servers--Create a GPO in this domain, and link it here
    4. Name the new GPO Remote Desktop Servers, and click OK
    5. In the left pane, Expand Group Policy Objects so that you can see your GPOs on the left
    6. In the left pane, Select the Remote Desktop Servers GPO
    7. In the right pane, on the Delegation tab, click the Advanced button in the lower right
    8. Select Domain Admins in the top section of the Security dialog
    9. In the bottom section scroll down to Apply Group Policy and Select Deny
    10. Click OK and Yes to confirm that you are creating a Deny entry

    Edit Group Policy Object

    1. Group Policy Management Console should still be open from above
    2. In the left pane, right-click on the Remote Desktop Servers GPO and choose Edit
    3. In the left pane of Group Policy Management Editor, navigate to following location and configure the setting below:

    Computer Configuration\Policies\Administrative Templates\System\Group Policy

    User Group Policy loopback processing mode     Enabled

    Mode:     Replace

    4. In the left pane of GPME, navigate to the following location and configure the setting below:

    User Configuration\Policies\Administrative Templates\Windows Components\Windows Update

    Remove access to use all Windows Update features     Enabled

    Configure Notifications:     0 - Do not show any notifications

    Restart your Terminal Server and Test

    1. Restart your Terminal Server so that the loopback mode will take effect
    2. Logon to the TS as a normal user, open Windows Update from the control panel, and check that it says Some settings are managed by your system administrator or similar
    3. Logon to the TS as a domain admin, open Windows Update from the control panel, and check that you have full access to windows update features.

    Thanks.

    -TP

    Tuesday, November 3, 2009 5:19 PM
    Moderator
  • Thanks TP.  I have a question regarding the creation of a new OU and moving the Terminal Server computers over to the new OU "Remote Desktop Servers".  Just to be clear, I have 4 terminal servers, two running 2003 and 2 running 2008.  If I move the 4 terminal servers over from my Terminal Server OU into the Remote Desktop Servers, what would happen to the global policies, if any, that were configured on the terminal servers contained in the Terminal Server OU?  Would those policies remain in affect?

    I am not too familiar with this so I am learning as I go.

    Thanks for all you help and instruction.
    Tuesday, November 3, 2009 10:06 PM
  • Hello Teenzbutler,

    The answer depends on whether the GPO is linked to the new OU. If it doesn't, the group policies won't apply to the servers.

    Please follow up here to let us know the status of the issue now. If you have further questions on group policy, please consider to use our forum focusing on Group Policy:

    TechNet Forum: Group Policy
    http://social.technet.microsoft.com/Forums/en-US/winserverGP/threads

    Thanks for your patience again.

     

    ·         Lionel Chen

    TechNet Subscriber Support in forum

    If you have any feedback on our support, please contact tngfd@microsoft.com

    Wednesday, November 11, 2009 6:23 AM
  • Hello Teenzbutler,

    How are you? Do you need any further helps from us? Thanks.

    ·         Lionel Chen

    TechNet Subscriber Support in forum

    If you have any feedback on our support, please contact tngfd@microsoft.com

    Friday, November 13, 2009 5:47 AM
  • Thats really helpful
    Friday, January 22, 2016 10:02 AM