I believe that is contingent on which GPO you use, please correct me if you have found otherwise-
My testing has shown that if I use the "Remove links and access to Windows Update" Group Policy setting[1] (located in User Configuration\Administrative Templates\Start Menu and Taskbar), any attempt to follow a URL from anywhere to WU will result in:

Access Denied-Network policy settings prevent you from using Windows Update to download and install updates on your computer. If you believe you have received this message in error, please check with your system administrator.

[1] This policy blocks user access to the Windows Update Web site at http://windowsupdate.microsoft.com. Also, the policy removes the Windows Update hyperlink from the Start Menu and from the Tools menu in Internet Explorer.

I have found so far that the other policy works as described[2] but is only applicable to the AU service and not manually visiting WU-

[2] If the "Remove access to use all Windows Update features" Group Policy setting (located in User Configuration\Administrative Templates\Windows Components\Windows Update) is enabled, Automatic Updates will not notify that logged-on user. Because this is a user-based value, it makes a local administrator appear as a non-administrator so that user will not be able to install updates. With this policy enabled, the Automatic Updates service still runs, and if configured as such, a scheduled installation can still occur. The "Remove access to use all Windows Update features" setting is available only on Windows XP and is not present or supported on Windows 2000.

-----Original Message-----
From: Rod Trent [mailto:[EMAIL PROTECTED]
Sent: Friday, September 26, 2003 8:51 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] SUS failure rate

There are still a myriad of ways to get to the Windows Update website. If you venture out to Microsoft.com for very long (or any other technical site), there will be links to Windows Update.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Chris Lynch
Sent: Friday, September 26, 2003 11:33 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] SUS failure rate

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

And this is why you should disable all links to Windows Update on your client workstations via a GPO.

Chris Lynch
Senior Network Engineer
Axcent Solutions, Inc.
*Opinions expressed here do not necessarily reflect what the company views are.*

________________________________
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rod Trent
Sent: Friday, September 26, 2003 6:26 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] SUS failure rate

Another issue is if the end-user manually visits the Windows Update website and installs their own updates from there. This can throw SUS for a loop.

________________________________
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of England, Christopher M
Sent: Friday, September 26, 2003 9:21 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] SUS failure rate

We have seen this occasionally, but usually it is due to some extenuating circumstance. Like if we had turned off the SUS GPO to do some testing (we only have one SUS server setup right now, with multiple GPOs) the clients revert back to their previous Automatic Update settings. If they have it set to Download but Prompt me, they can ignore those. Therefore SUS will think they are good, but they are really not. Similarly, if they turn their computers off continually during the time you have SUS set to run (like ours is 3 AM every day), they may have downloaded the patches earlier (we find sometime in the afternoon or late evening it prepares this), but if the computer is off, it never runs. And if it prompts them the next morning, they can choose to ignore.

Ok, enough rambling. But what it comes down to is a bit of planning on our end (the sysadmins) as well as a bit of user education.
The latter is the part that has been most troublesome for us. I guess "leave your computer on (but logged off) all the time" does not mean anything to anyone. :)

Chris
- ---------------------------------------------------------
Christopher England
Server Administrator
MCSA, Server+, Network+, A+
College Information Technology Office
Indiana University

________________________________
From: Greg Felzer [mailto:[EMAIL PROTECTED]
Sent: Friday, September 26, 2003 8:08 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] SUS failure rate

I was wondering what kind of failure rate you have all been seeing having SUS install patches. We are preparing a lab test to get hard numbers. We have seen failures where SUS repeatedly tries to install the same patch on each connect and where SUS claims the patch is installed but scanning with HFnetCHKPro shows that the patch is not installed.

Greg Felzer
MCSE NT4, MCSE 2000, CCA, CCNA, CNA
Senior Systems Engineer
Center for Computing and Information Technology
Medical University of South Carolina

-----BEGIN PGP SIGNATURE-----
Version: PGP 8.0.2

iQA/AwUBP3RcMm9fg+xq5T3MEQJc6wCg7/feMrBKLPr8CvvLNHU6/fUwgh0AoJD8
aL14bIClFTQahy421exDOxdN
=vMf6
-----END PGP SIGNATURE-----

List info   : http://www.activedir.org/mail_list.htm
List FAQ    : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
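
Added example (not part of the original thread): a PowerShell check, run as the logged-on user, that reports which of the two per-user Windows Update policies compared in the first message is in effect and whether the Automatic Updates service is running. The registry value names (NoWindowsUpdate, DisableWindowsUpdateAccess) and the function name Get-WuUserPolicyState are assumptions of this example and do not appear in the thread.

```powershell
# Added example. The registry keys and value names below are assumed to be the
# backing values for the two User Configuration settings named in the thread.
$policies = @(
    [pscustomobject]@{
        Setting = 'Remove links and access to Windows Update'
        Key     = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
        Name    = 'NoWindowsUpdate'
        Scope   = 'Blocks manual visits to the Windows Update site'
    },
    [pscustomobject]@{
        Setting = 'Remove access to use all Windows Update features'
        Key     = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\WindowsUpdate'
        Name    = 'DisableWindowsUpdateAccess'
        Scope   = 'Suppresses Automatic Updates notifications for this user'
    }
)

function Get-WuUserPolicyState {
    param([Parameter(Mandatory)] $Policy)
    $name = $Policy.Name
    # A missing key or value means the policy is not configured for this user.
    $item = Get-ItemProperty -Path $Policy.Key -Name $name -ErrorAction SilentlyContinue
    $state = if ($null -eq $item) {
        'Not configured'
    } elseif ($item.$name -eq 1) {
        'Enabled'
    } else {
        'Disabled'
    }
    [pscustomobject]@{
        Setting = $Policy.Setting
        State   = $state
        Scope   = $Policy.Scope
    }
}

$policies | ForEach-Object { Get-WuUserPolicyState -Policy $_ } | Format-Table -AutoSize

# The thread notes that the Automatic Updates service keeps running (and can
# still perform a scheduled install) even when the second policy is enabled.
$au = Get-Service -Name wuauserv -ErrorAction SilentlyContinue
if ($au) {
    "Automatic Updates service (wuauserv): $($au.Status)"
} else {
    'Automatic Updates service (wuauserv) not found on this machine.'
}
```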
