Control user access to Windows Update with Windows Server 2003 Group Policy

Windows Update is a wonderfully useful application that allows central management and automatic installation of updates for Windows Server 2003. There are other solutions that do this, but Windows Update and Windows Server Update Services Server are cost-effective solutions that work well in many cases.

However, there may be times when you don't want a balloon to pop up notifying users of the updates. Configuring a few Group Policy settings will allow you to control the update process in your environment and ensure that users cannot load updates using Windows Update.

Administrators should be the only ones who can load updates using Windows Update. You can prevent users from accessing Windows Update by managing the Windows Update Access settings; this does require you to configure Group Policy. If you want to give some users access to Windows Update, you can manage who gets access through these settings.

You can remove access to the Windows Update features in separate steps — one which prevents updates using Windows Update, another which removes links to Windows Update items, and another which disables or configures automatic updates. Using the Group Policy configurations discussed here will disable Automatic Updates for the users or computers to which the modified Group Policy objects apply. Keep this in mind when configuring these items.

To prevent Windows Update from updating the operating system, complete the following steps:

  1. Open the Group Policy Editor.
  2. Create a new Group Policy object, for example, NoUpdates.
  3. Select the User configuration.
  4. Click Administrative Templates.
  5. Click System.
  6. Click Internet Communication Management.
  7. Select Internet Communication Settings.
  8. In the right pane of the Group Policy Editor, double-click Turn Off Access To All Windows Update Features, select the Enabled radio button, and click OK.

To disable access to Windows Update commands, such as links in the Start menu or Internet Explorer, complete the following steps:

  1. Click User Configuration.
  2. Click Administrative Templates.
  3. Click the Start Menu and Task Bar.
  4. In the right pane of the Group Policy Editor, double-click Remove Links And Access To Windows Update.
  5. Set the policy to Enabled and click OK.

To prevent the use of Windows Update entirely, complete the following steps:

  1. Open the Group Policy Editor.
  2. Select Computer Configuration.
  3. Click Administrative Templates.
  4. Click Windows Components.
  5. Click Windows Update.
  6. Double-click Configure Automatic Updates.
  7. Select the Disabled radio button and click OK.
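To confirm that the three policies above actually reached a machine, the following added example (not part of the original article) reads the registry values they are understood to write. The registry paths, value names, and the `Test-UpdatePolicy` function name are assumptions that do not appear in the article; confirm them against the administrative templates in use.

```powershell
# Added example: report whether the three Windows Update policies are applied.
# Run as the affected user after "gpupdate /force"; the HKCU checks reflect
# the account that runs the script, the HKLM check reflects the computer.
# ASSUMPTION: the paths and value names below are the locations these
# policies write to; they are not given in the article.
$checks = @(
    @{ Policy   = 'Turn Off Access To All Windows Update Features'
       Path     = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\WindowsUpdate'
       Name     = 'DisableWindowsUpdateAccess'
       Expected = 1 },
    @{ Policy   = 'Remove Links And Access To Windows Update'
       Path     = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
       Name     = 'NoWindowsUpdate'
       Expected = 1 },
    @{ Policy   = 'Configure Automatic Updates (Disabled)'
       Path     = 'HKLM:\Software\Policies\Microsoft\Windows\WindowsUpdate\AU'
       Name     = 'NoAutoUpdate'
       Expected = 1 }
)

function Test-UpdatePolicy {
    param([hashtable[]]$Checks)
    foreach ($c in $Checks) {
        # A missing key or value means the policy has not been applied here.
        $actual = $null
        $item = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
        if ($item) { $actual = $item.($c.Name) }

        if ($null -eq $actual) {
            $state = 'NotConfigured'
        } elseif ($actual -eq $c.Expected) {
            $state = 'Applied'
        } else {
            $state = 'Mismatch'
        }

        New-Object PSObject -Property @{
            Policy = $c.Policy; Value = $actual; State = $state
        } | Select-Object Policy, Value, State
    }
}

$results = @(Test-UpdatePolicy -Checks $checks)
$results | Format-Table -AutoSize

# Non-zero exit code lets a logon script or scheduled task flag drift.
if ($results | Where-Object { $_.State -ne 'Applied' }) { exit 1 }
```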

About

Derek Schauland has been tinkering with Windows systems since 1997. He has supported Windows NT 4, worked phone support for an ISP, and is currently the IT Manager for a manufacturing company in Wisconsin.
