Disable Automatic update on Server 2008 R2
I need to disable the ability for our users/admins to run automatic updates on Server 2008 R2. We use another tool to do updates. We used to be able to just disable the Windows Update service, but with the use of more and more .msu files for updates it needs that service running. So I just need to prevent anyone from running the "check for updates" so that they will use our other program for the company approved updates.
So how can I take away that option without disabling the Windows Update service?
October 26th, 2011 12:08pm
Review these articles:
http://technet.microsoft.com/en-us/library/bb457141.aspx
http://support.microsoft.com/kb/328010
http://technet.microsoft.com/en-us/library/cc720539(WS.10).aspx
Santhosh Sivarajan | MCTS, MCSE (W2K3/W2K/NT4), MCSA (W2K3/W2K/MSG), CCNA, Network+| Houston, TX
Blogs - http://blogs.sivarajan.com/
This posting is provided AS IS with no warranties, and confers no rights.
October 26th, 2011 12:13pm
Thanks, but unfortunately even if I disable "Configure Automatic Updates" it still allows you to "Check for update", which then goes out to the MS site to search for updates. Unless I missed something, this all talks about how to configure Windows Update options. Really I just don't use the update option, except now with the .msu file type it must have the Windows Update service running, which opens up all the options for Windows Update that I don't want to be available. That's what I want to restrict.
October 26th, 2011 12:26pm
Hi,
You may consider using WSUS. With WSUS, you can control what updates will be deployed to users. Even if users can still check for updates, they can only get updates you deployed to them.
Windows Server Update Services
http://technet.microsoft.com/en-us/windowsserver/bb332157
Hope it helps.
Regards,
Bruce
October 27th, 2011 5:00am
Bruce, thanks for your suggestion, but we already have a corp standard on patching software. Bought and paid for, and works fine among other things it can do. I'm not going to be able to rip it out and install something else. So all I need to do is stop users/admins from trying to use Windows Update. Just like disabling the Windows Update service, but NOW MS is using these .MSU files that require that service. So I'm looking for a solution on the server end on how to stop the availability of "Check for update" and it going out to the MS site and trying to download updates.
October 27th, 2011 8:35am
Ah found exactly what I was looking for.
http://social.technet.microsoft.com/Forums/en-US/winserverwsus/thread/30079d3f-eead-495d-b02d-2ff9390f783b/
Disable access to Windows Update
If this policy setting is enabled, all Windows Update features are removed. It blocks access to the Microsoft Update and Windows Update Web sites, and in Windows Vista will gray out the Check for updates option in the Windows Update application. The machine will not get automatic updates directly from Windows Update or Microsoft Update, but it can still get updates from a WSUS server. This setting overrides the user settings Remove links and access to Windows Update and Remove access to use all Windows Update features.
To disable access to Windows Update
1. In the Group Policy Object Editor, expand Computer Configuration, expand Administrative Templates, expand System, expand Internet Communication Management, and then click Internet Communication settings.
2. In the details pane, click Turn off access to all Windows Update features, and click Enabled.
3. Click OK.
October 27th, 2011 4:01pm
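A way to confirm on a server that the policy from the post above is in effect while the Windows Update service is still available for .msu installs. This is an added example, not part of the original thread; the registry locations are assumed to be the ones the standard policy templates write for these settings, and the function names are hypothetical.

```powershell
# Added example (not from the thread). Assumed registry locations for the policies
# named in the post; verify them against your own policy templates.
$WuKey       = 'Software\Policies\Microsoft\Windows\WindowsUpdate'
$ExplorerKey = 'Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'

function Get-PolicyValue {            # hypothetical helper name
    param([string]$Path, [string]$Name)
    if (-not (Test-Path $Path)) { return $null }
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($item -eq $null) { return $null }
    return $item.$Name
}

function Test-WindowsUpdateLockdown { # hypothetical function name
    # Computer policy: "Turn off access to all Windows Update features"
    $machine = Get-PolicyValue "HKLM:\$WuKey" 'DisableWindowsUpdateAccess'
    # User policies that the computer policy overrides (current user only)
    $user  = Get-PolicyValue "HKCU:\$WuKey" 'DisableWindowsUpdateAccess'
    $links = Get-PolicyValue "HKCU:\$ExplorerKey" 'NoWindowsUpdate'

    # The service must stay startable so .msu packages still install
    $svc = Get-WmiObject Win32_Service -Filter "Name='wuauserv'"
    $startMode = 'NotFound'; $state = 'NotFound'
    if ($svc) { $startMode = $svc.StartMode; $state = $svc.State }

    $machineOn = ($machine -eq 1)
    New-Object PSObject -Property @{
        ComputerName     = $env:COMPUTERNAME
        MachinePolicyOn  = $machineOn
        UserPolicyOn     = ($user -eq 1)
        UserLinksRemoved = ($links -eq 1)
        ServiceStartMode = $startMode
        ServiceState     = $state
        # Goal from the thread: update UI blocked, service not disabled
        MeetsGoal        = ($machineOn -and $svc -and $startMode -ne 'Disabled')
    } | Select-Object ComputerName, MachinePolicyOn, UserPolicyOn, UserLinksRemoved,
                      ServiceStartMode, ServiceState, MeetsGoal
}

Test-WindowsUpdateLockdown | Format-List
```

Run it from an elevated PowerShell prompt after Group Policy has refreshed (for example after `gpupdate /force`); it only reads settings and uses cmdlets available in the PowerShell 2.0 that ships with Server 2008 R2.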
Thanks for your feedback. Have nice day!
Regards,
Bruce
October 27th, 2011 11:17pm
Put a firewall rule in that blocks the ability to access from inside. The service can be left alone.
July 25th, 2012 8:20am


