From: Darryl J Roberts (DarrylJR_at_SEU.COM)
Date: Thu, 3 Jul 2003 17:40:05 -0700
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
Thomas Collins mentioned that the easiest way to disable AutoUpdate to a
machine is via "Remove access to use all Windows Update features" group
The description of the "Remove access to use all Windows Update
features" policy is:
"If you enable this setting, all Windows Update features
will be removed. This includes blocking access to the
Windows Update Web site at http://windowsupdate.microsoft.com
and from the Windows Update hyperlink on the Start menu and
also on the Tools menu in Internet Explorer. Windows automatic
updating is also disabled; you will neither be notified about
nor will you receive critical updates from Windows Update.
This policy also prevents Device Manager from automatically
installing driver updates from the Windows Update Web site."
When this policy is enabled, a link to
http://windowsupdate.microsoft.com (and the entry in Internet Explorer's
Tools menu) still goes to the Windows Update site, but the page says,
"Network policy settings prevent you from using Windows Update to
download and install updates on your computer. If you believe you have
received this message in error, please check with your system
(With the "Remove access to use all Windows Update features" policy
enabled, I am still --as I expect-- able to run the Microsoft Baseline
Security Analyzer, which did check for missing security and critical
updates. I am also able to run HfNetChk.)
This policy does *not* stop (disable) the Automatic Updates service. It
seems that SP4 changes this service back to Automatic startup even if it
had been disabled prior to installing SP4. (I am not sure that SP4
enables the service in all cases.) If all Windows Update features have
been blocked, what is the point in using the resources to run the
Automatic Update service? One of the things that I did before SP4 to
stop automatic updates was to disable this service. I would like a
policy that will allow me to disable the service on all the desktops
without having to manually disable the service on every desktop (again),
but so far I have not found such a policy (template).
The policy also seems to block access to Automatic Updates in Control
Panel. Note that I said "blocks access", as in disables changing the
settings. It does *not* disable "Keep my computer up to date"; it is
still checked, but is now not available (gray). Another one of the
things that I did before SP4 to stop automatic updates was to disable
"Keep my computer up to date" for every user on every desktop computer.
(Note: this has to be done before stopping the Automatic Updates service;
otherwise, the check box becomes unavailable.)
The description of the policy includes, "... you will neither be
notified about nor will you receive critical updates from Windows
Update." The policy must be doing this below the configuration settings
in Automatic Updates in Control Panel, because those settings are still
As Kevin (knapier@CONNECTURE.NET) previously mentioned, SP4 installs a
new GPO administrative template file (wuau.adm) in %systemroot%\inf
(which has to be added to the GPO management console before it can be
used) for configuring computer settings for Automatic Updates. This
template is really designed for Microsoft SUS. It included the
Configure Automatic Updates settings and three other policy templates
(none of which really disable automatic updates).
The description of the Configure Automatic Updates policy says, "... If
the status is set to Disabled, any updates that are available on the
Windows Update web site must be downloaded and installed manually ..."
This *does* clear "Keep my computer up to date" in the Automatic Updates
applet in Control Panel.
Now in addition to these two policy templates, what I really want is a
way to set the Automatic Updates service Startup Type to Disabled (or
Manual), that even installing SP4 will not override. Is there a GPO adm
template that will do this? Is there some other way to disable the
automatic updates service on all the computers on the local network?
--
Darryl J. Roberts
Software Engineering Unlimited

> -----Original Message-----
> From: Windows NTBugtraq Mailing List
> [mailto:NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM]On Behalf Of
> Collins, Thomas L
> Sent: Wednesday, July 02, 2003 10:20 AM
> To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
> Subject: Re: 2000 SP4 Released - Officially
>
>
> The easiest way to disable AutoUpdate to a machine is via group policy
> object (GPO).
>
> Simply edit either the local policy or use an AD GPO and go to:
>
> User Configuration
>  \_Administrative Templates
>    \_Windows Components
>      \_Windows Update
>
> From here set "Remove access to use all Windows Update features" to
> enabled.
> No more windows update, no more toolbar link.
>
>
> Thomas L. Collins, III
> PC/LAN Desktop Administrator
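
Added example, not part of the original message or of any Microsoft tooling: a PowerShell audit that reads the three settings the message treats as independent (the per-user "Remove access" policy, the per-machine "Configure Automatic Updates" policy, and the Automatic Updates service startup type) and flags the case described above, where a policy blocks updates but the service is still set to Automatic. The registry paths, value names, and the wuauserv service key are assumptions based on the standard Windows Update policy locations; none of them appear in the message.

```powershell
# Added example: report the policy state and the service startup type side by side.
# Registry paths and value names below are assumed standard locations,
# not taken from the original message.

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or value is absent (policy not configured).
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name } else { $null }
}

function Get-AutoUpdateState {
    $startNames = @{ 2 = 'Automatic'; 3 = 'Manual'; 4 = 'Disabled' }

    # Per-user policy: "Remove access to use all Windows Update features"
    $userBlock = Get-RegValue 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\WindowsUpdate' 'DisableWindowsUpdateAccess'
    # Per-machine policy from wuau.adm: "Configure Automatic Updates"
    $noAuto = Get-RegValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU' 'NoAutoUpdate'
    # Service startup type, which neither policy changes
    $start = Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Services\wuauserv' 'Start'

    $startName = 'NotInstalled'
    if ($null -ne $start) {
        $startName = $startNames[[int]$start]
        if (-not $startName) { $startName = "Unknown($start)" }
    }

    [pscustomobject]@{
        Computer            = $env:COMPUTERNAME
        UserAccessRemoved   = ($userBlock -eq 1)
        AutoUpdatePolicyOff = ($noAuto -eq 1)
        ServiceStartup      = $startName
        # Mismatch from the message: updates blocked by policy,
        # yet the service is still configured to start automatically.
        ServiceStillAuto    = (($userBlock -eq 1 -or $noAuto -eq 1) -and $start -eq 2)
    }
}

Get-AutoUpdateState
```

Run it in the context of the user whose policy is being checked, since the first value is read from HKCU; running it again after a service pack install shows whether the startup type was changed back.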