Currently I have a two-domain environment of Vista with all machines calling into WSUS. With the recent advent of IE8 being available through WSUS, that's been great. However, I want to stop IE8 from being advertised and for the life of me I can't find it in WSUS. There are plenty of blocker tool kits out there but they are registry settings on the local machine and sadly my environment is large enough that going and touching each machine (darn you UAC!) is unfeasible at best.

Has anyone been able to stop WSUS from advertising IE8 and can point me in the direction of how to do this?

Thank you in advance


3 Answers


If you're running a WSUS update server you can pick and choose what updates are allowed to go out to your clients. I have to okay what groups get what updates within my WSUS server...supposedly the clients don't see those updates that I discard.

Bart Silverstrim
  • I agree, that's typically what I do too but for the life of me I can't find it and haven't for a couple months now. :/ – Robert Aug 04 '09 at 21:40
  • Finding the settings? On ours I set up a group called "approve_rollout"; in the tree on the left I go to updates list, highlight the new ones in the queue, right click, change group to the one I okayed for rollout and it empties the list. I can check it again tomorrow if you want more exact instructions, if it's similar to yours? – Bart Silverstrim Aug 04 '09 at 22:58
  • I think I am unclear as to what I am referencing. Approving the new updates is easy enough, but what I'm getting at is if it's approved already I can't FIND the update that allows the installation of IE8. http://img12.imageshack.us/img12/9256/ie8search.jpg That's the search results I get when I do a search for our IE8 updates. Now the obvious selection, the dynamic installer (when reading through it), is for updates and not installation I believe. That patch is also not approved for download. If I'm unclear or that doesn't make sense let me know so I can clarify. Thanks! – Robert Aug 06 '09 at 15:00

How about rolling those registry settings into an MSI and deploying it via a GPO? Use something like WinInstall LE or Visual Studio to build the MSI; job done.

Maximus Minimus
  • If MS doesn't come out with anything soon then I may very well do that. I would much rather manage the entire environment through WSUS as custom configs like that will end up causing me more work than not. – Robert Aug 04 '09 at 21:41
  • The official MS approach is detailed here: http://technet.microsoft.com/en-us/updatemanagement/dd365125.aspx – Maximus Minimus Aug 04 '09 at 22:50
  • Right, I'm trying to do option 2: WSUS. And so within WSUS I'm trying to stop IE 8; I can't find the update that permits IE8 to install on the client machines. – Robert Aug 06 '09 at 15:01

Part of an auditable WSUS deployment is making sure that your clients don't automatically get their updates from anywhere else. A GPO that directs their Automatic Updates service to your WSUS server is essential.

By default, WSUS will wait for you to approve newly received updates before they're advertised to clients. If you haven't approved the IE8 packages, they won't be advertised.

Based on your problem description, either your clients are getting IE8 from somewhere other than your WSUS server (i.e. Microsoft's Windows Update service) or your WSUS server auto-approved the IE8 deployment package.

  • I agree. I'm sure they are calling into my WSUS server though GPOs and other updates are found, approved and appear like normal for all the servers. I can't explain how the clients see IE8 in their update list when WSUS hasn't approved it yet (assuming it hasn't come down yet) nor can I find it in the approved updates assuming it has been approved. So either my GPOs are damaged or the update is approved and I can't find it yet. – Robert Aug 04 '09 at 21:46
  • In my experience the AU clients don't co-mingle downloaded updates they receive from WSUS and WindowsUpdate. At a point in time they're talking to only one update server. Have you reviewed the WindowsUpdate.log file to determine what a problematic AU client is doing? If I'm on the right track, please vote my answer up. – aharden Aug 05 '09 at 14:34
  • And.... I don't have enough reputation (11/15) to vote you up. Ahh, the wonders of the world. – Robert Aug 06 '09 at 15:08
  • That's a pretty good idea, see which update it's coming from - from the clients' end. I'll see if I can't uninstall it on one of my non-critical servers and go from there. ...*does work*... So I did that and forced it to call into WSUS and the client clearly wants IE8 but the log only references compatibility lists. And the WSUS server now says it needs no updates. I'll try blocking all IE8 patches to see if that helps. – Robert Aug 06 '09 at 16:04
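
The client-side check discussed in this answer (reviewing WindowsUpdate.log to see which update service a client actually scanned against), as an added example that is not part of the original thread. It assumes the tab-separated text log with `WSUS server:` and `ServiceID = {...}` lines; the sample rows and the hostname `wsus.example.local` are constructed.

```python
import re

# Update Agent service IDs as they appear in WindowsUpdate.log scan headers.
SERVICE_IDS = {
    "3DA21691-E39D-4DA6-8A4B-B43877BCB1B7": "WSUS (managed)",
    "9482F4B4-E343-43B6-B170-9A65BC822C77": "Windows Update (public)",
    "7971F918-A847-4430-9279-4A52D1EFE18D": "Microsoft Update (public)",
}
WSUS_RE = re.compile(r"[*#]\s+WSUS server:\s*(\S+)")
START_RE = re.compile(r"START \*\*\s+Agent: Finding updates \[CallerId = ([^\]]+)\]")
SVC_RE = re.compile(r"ServiceID = \{([0-9A-Fa-f-]{36})\}")

def summarize(log_text):
    """Return (configured WSUS URLs, one dict per update scan)."""
    servers, scans, current = [], [], None
    for line in log_text.splitlines():
        m = WSUS_RE.search(line)
        if m:
            if m.group(1) != "<NULL>" and m.group(1) not in servers:
                servers.append(m.group(1))
        elif (m := START_RE.search(line)):
            current = {"time": " ".join(line.split("\t")[:2]),
                       "caller": m.group(1), "service": "unknown"}
            scans.append(current)
        elif current is not None and (m := SVC_RE.search(line)):
            guid = m.group(1).upper()
            current["service"] = SERVICE_IDS.get(guid, "other {%s}" % guid)
            current = None
    return servers, scans

def unmanaged_scans(log_text):
    """Scans that did not go to the managed (WSUS) service."""
    return [s for s in summarize(log_text)[1] if s["service"] != "WSUS (managed)"]

# Constructed sample (tab-separated like the real log); hostname is a placeholder.
ROWS = [
    ("2009-08-06", "10:02:11:120", "988", "a1c", "Agent", "  * WSUS server: http://wsus.example.local"),
    ("2009-08-06", "10:02:15:300", "988", "b40", "Agent", "** START **  Agent: Finding updates [CallerId = AutomaticUpdates]"),
    ("2009-08-06", "10:02:15:300", "988", "b40", "Agent", "  * ServiceID = {3DA21691-E39D-4DA6-8A4B-B43877BCB1B7} Managed"),
    ("2009-08-06", "11:40:02:501", "988", "c18", "Agent", "** START **  Agent: Finding updates [CallerId = AutomaticUpdates]"),
    ("2009-08-06", "11:40:02:501", "988", "c18", "Agent", "  * ServiceID = {9482F4B4-E343-43B6-B170-9A65BC822C77} Windows Update"),
]
SAMPLE = "\n".join("\t".join(r) for r in ROWS)

if __name__ == "__main__":
    servers, scans = summarize(SAMPLE)
    print("Configured WSUS server(s):", servers or "none found")
    for s in scans:
        print(s["time"], s["caller"], "->", s["service"])
```

Any scan listed by `unmanaged_scans` points at the "clients are getting IE8 from somewhere other than your WSUS server" case; an empty result leaves auto-approval on the WSUS side as the place to look.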