Prevent users from installing Windows Updates

0

This may belong on ServerFault, but Ill start here and if it gets moved, fine

Im trying to find a solution that prevents users from installing Windows/Automatic Updates on their workstations/laptops. There is a GPO that disables that functionality, however it disables it for everyone, including admins. Many end users are local admins, so even if I could enable it for admins, it wouldnt be an effective solution. Am I missing something, obvious, is their a GPO im missing?

Keltari

Posted 2013-06-13T17:55:31.070

Reputation: 57 019

For this purpose it is possible to use firewall or create a logon script to add the changes to the registry. – STTR – 2013-06-13T19:14:40.873

@Keltari - You should be able to prevent it on the domain level. Even if they are an Administrator they would still prevented from running it. Although this is the point where you run your own server and push the update on the time schedule you want. – Ramhound – 2013-06-13T19:39:01.357

Answers

4

You need to set this setting under User Configuration, then apply the GPO to the appropriate OU and security filter it so that it only targets the users you'd like to disable the policy for.

For instance, create a Disabled Windows Update user group. Assign all of the user accounts you'd like to disable Automatic Updates to this group. Then, when applying the GPO, security filter to this group.

The relevant GPO should be under: User Configuration\Administrative Templates\Start Menu and Taskbar the setting is Remove links and access to Windows Update

Josh

Posted 2013-06-13T17:55:31.070

Reputation: 4 746

Asked: 2013-06-13T17:55:31.070

Viewed: 10 853 times

Active: 2013-06-13T18:23:57.750