Disabling Autoupdate

From: Darryl J Roberts (DarrylJR_at_SEU.COM)
Date: 07/04/03

  • Next message: Russ: "Administrivia: That's it for the weekend..."
    Date:         Thu, 3 Jul 2003 17:40:05 -0700
    To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
    
    

    Thomas Collins mentioned that the easiest way to disable AutoUpdate to a
    machine is via "Remove access to use all Windows Update features" group
    policy.

    The description of the "Remove access to use all Windows Update
    features" policy is:

       "If you enable this setting, all Windows Update features
       will be removed. This includes blocking access to the
       Windows Update Web site at http://windowsupdate.microsoft.com
       and from the Windows Update hyperlink on the Start menu and
       also on the Tools menu in Internet Explorer. Windows automatic
       updating is also disabled; you will neither be notified about
       nor will you receive critical updates from Windows Update.
       This policy also prevents Device Manager from automatically
       installing driver updates from the Windows Update Web site."

    When this policy is enabled, a link to
    http://windowsupdate.microsoft.com (and the entry in Internet Explorer's
    Tools menu) still goes to the Windows Update site, but the page says,
    "Network policy settings prevent you from using Windows Update to
    download and install updates on your computer. If you believe you have
    received this message in error, please check with your system
    administrator."

    (With the "Remove access to use all Windows Update features" policy
    enabled, I am still --as I expect-- able to run the Microsoft Baseline
    Security Analyzer, which did check for missing security and critical
    updates. I am also able to run HfNetChk.)

    This policy does *not* stop (disable) the Automatic Updates service. It
    seems that SP4 changes this service back to Automatic startup even if it
    had been disabled prior to installing SP4. (I am not sure that SP4
    enables the service in all cases.) If all Windows Update features have
    been blocked, what is the point in using the resources to run the
    Automatic Update service? One of the things that I did before SP4 to
    stop automatic updates was to disable this service. I would like a
    policy that will allow me to disable the service on all the desktops
    without having to manually disable the service on every desktop (again),
    but so far I have not found such a policy (template).

    The policy also seems to block access to Automatic Updates in Control
    Panel. Note that I said "blocks access", as in disables changing the
    settings. It does *not* disable "Keep my computer up to date"; it is
    still checked, but is now not available (gray). Another one of the
    things that I did before SP4 to stop automatic updates was to disable
    "Keep my computer up to date" for every user on every desktop computer.
    (Note: this has to be done before stopping the Automatic Updates service
    otherwise, the check box becomes unavailable.)

    The description of the policy includes, "... you will neither be
    notified about nor will you receive critical updates from Windows
    Update." The policy must be doing this below the configuration settings
    in Automatic Updates in Control Panel, because those settings are still
    enabled.

    As Kevin (knapier@CONNECTURE.NET) previously mentioned, SP4 installs a
    new GPO administrative template file (wuau.adm) in %systemroot%\inf
    (which has to be added to the GPO management console before it can be
    used) for configuring computer settings for Automatic Updates. This
    template is really designed for Microsoft SUS. It included the
    Configure Automatic Updates settings and three other policy templates
    (none of which really disable automatic updates).

    The description of the Configure Automatic Updates policy says, "... If
    the status is set to Disabled, any updates that are available on the
    Windows Update web site must be downloaded and installed manually ..."
    This *does* clear "Keep my computer up to date" in Automatic Updates
    applet in Control Panel.

    Now in addition to these two policy templates, what I really want is a
    way to set the Automatic Updates service Startup Type to Disabled (or
    Manual), that even installing SP4 will not override. Is there a GPO adm
    template that will do this? Is there some other way to disable the
    automatic updates service on all the computers on the local network?

    --
    Darryl J. Roberts
    Software Engineering Unlimited
    > -----Original Message-----
    > From: Windows NTBugtraq Mailing List
    > [mailto:NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM]On Behalf Of
    > Collins, Thomas L
    > Sent: Wednesday, July 02, 2003 10:20 AM
    > To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
    > Subject: Re: 2000 SP4 Released - Officially
    >
    >
    > The easiest way to disable AutoUpdate to a machine is via group policy
    > object(GPO).
    >
    > Simply edit either the local policy or use an AD GPO and go to:
    >
    > User Configuration
    >  \_Administrative Templates
    >      \_Windows Components
    >          \_Windows Update
    >
    > >From here set "Remove access to use all Windows Update features" to =
    > enabled.
    > No more windows update, no more toolbar link.
    >
    >
    > Thomas L. Collins, III
    > PC/LAN Desktop Administrator
    oooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooo
    Are You "Certifiable"? Summer's Hottest Certification Just Got HOTTER!
    With a growth rate exceeding 110%, the TICSA security practitioner
    certification is one of the hottest IT credentials available.  And now, for
    a limited time, you can save 33% off of the TICSA certification exam! To
    learn more about the TICSA certification, and to register as a TICSA
    candidate online, just go to
    http://www.trusecure.com/offer/s0100/
    oooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooo
    

  • Next message: Russ: "Administrivia: That's it for the weekend..."

    Relevant Pages

    • Re: Remote Client Configuration
      ... > Thanks for quickly updates. ... > group policy will not be updates, instead it will use the old policy that ... > will be applied after the user logon in order to reduce the logon process. ... > laptop to connect to SBS domain first; currently we have no other better ...
      (microsoft.public.windows.server.sbs)
    • Re: Remote Client Configuration
      ... Thanks for updates. ... Microsoft CSS Online Newsgroup Support ... This newsgroup only focuses on SBS technical issues. ... |> group policy will not be updates, instead it will use the old policy ...
      (microsoft.public.windows.server.sbs)
    • Re: Remote Client Configuration
      ... Thanks for quickly updates. ... Just as I know, if you only logon the domain with cache credential, the ... group policy will not be updates, instead it will use the old policy that ... dial up VPN connection to logon SBS domain once-in-a-while for the group ...
      (microsoft.public.windows.server.sbs)
    • Re: Event Application Errors related to Group Policy
      ... longer needed the policy so I removed it and the errors went away. ... > It appears that this issue is related to WSUS. ... > | child DC's. ... > | to the Parent DC in my Forest Root to get the updates. ...
      (microsoft.public.windows.server.general)
    • Re: How do I turn off automatic updates on my SBS 2k3 SP-1 Server?
      ... Updates control panel is grayed out, and you would like to know how to ... to check the group policy settings. ... policy setting is configured in which GPO: ... Open Server Management, navigate to Advanced Management, Group Policy ...
      (microsoft.public.windows.server.sbs)