Search

Search for words used in entries on this website

Enter the words[s] to search for here:

Sponsors

Removing SUS notifications

There have been a great number of questions inquiring how to go about removing all notifications to users and doing silent installs. Although this functionality doesn't exist in the current version of the Automatic Update client, there is a policy setting that can be used in conjunction with AU/SUS in order to accomplish some of the things that many of you have asked about. There are certain pros and cons to using this policy setting, and I'll try to cover as many as I can. Try this out in a test environment and make sure that you understand the consequences before deploying it to a production environment!

First, there are two things that I need to point out:

1) This policy is only available if you are using a system.adm from Windows XP or above
2) This policy will remove the ability to access the live Windows Update website
3) This is a per-user policy, not a per-machine policy

This policy is located in the User Configuration / Administrative Templates / Windows Components / Windows Update tree. Once it is enabled, a registry key is written to HKCU \ Software \ Microsoft \ Windows \ CurrentVersion \ Group Policy Objects \ LocalUser \ Software \ Microsoft \ Windows \ CurrentVersion \ Policies \ WindowsUpdate. The registry key is a DWORD named "DisableWindowsUpdateAccess" and when enabled is set to a value of 0x00000001.

If you apply the user policy of "Remove access to use all Windows Update features" the current user is always treated as a non-administrator, as far as the Automatic Client is concerned. If you set AU configuration to either 2 or 3 in the AU policy, then the local user will never be notified that there are updates available for download or for install. That's not terribly good since the end result is that the updates never get installed. Don't turn this policy unless you configure AU to do scheduled installs!

If you set AU configuration to 4 (scheduled install) in the AU policy, then the scheduled install will occur as intended, but the local user won't ever see the AU tray icon, or be notified that the install is ready to occur and have a 5 minute count-down before the install starts. The local user (admin/non-admin) will be notified that a reboot is needed, and admin users who are governed by the user policy will have the ability to initiate the reboot, but will not be able to postpone the reboot. Essentially, turning on this policy prevents users from seeing any AU notifications or activities, with the exception of the Reboot dialog.

Thanks to Patrick Mandemaker from Microsoft!

Name:			Remember personal info? Yes No
Email:
URL:
Comment:		Emoticons / Textile
Before sending a comment, you have to correctly answer a simple question you know the answer to. This is a countermeasure against automated spam bots. What are the first four letters of Techlog?     ( Register your username / Log in )
Notify:		Yes, send me email when someone replies.
Hide email:		Yes, hide my email address.
Small print: All html tags except <b> and <i> will be removed from your comment. You can make links by just typing the url or mail-address.