Local Policy Preventing Non-Administrators to install Windows Updates

We have a Group Policy on a set of Windows 7 x64 computers that are used by public safety dispatchers that basically sets the user environment on the computer. It prevents right click on the desktop and taskbar, specifies their available applications and basically locks down the computer so they can really only do dispatching. These computers receive vendor approved Windows Update via  WSUS server configured to install the approved updates and notify the users to install them. The user should be able to click on the Windows Update Notification icon and choose to reboot to finish installing their newly installed updates, however when they do they receive a message stating " This operation has been canceled due to restrictions in effect on this computer. Please contact your system administrator."

I have have narrowed it down to a specific policy, but which setting is preventing use of the applet I have not been able to determine. I tried removing anything to do with notifications but they were not the issue. I have exported the configured settings and have attached them. If anyone has any ideas on how to identify which policy item is causing this I would be very grateful.


Thank you in advance,


David R.

Setting State Comment Path
Enable Active Desktop Disabled No \Desktop\Desktop
Display the menu bar in Windows Explorer  Disabled No \Windows Components\Windows Explorer
Hide the Programs Control Panel Enabled No \Control Panel\Programs
Prohibit access to the Control Panel Enabled No \Control Panel
Disable Active Desktop Enabled No \Desktop\Desktop
Hide Internet Explorer icon on desktop Enabled No \Desktop
Remove My Documents icon on the desktop Enabled No \Desktop
Hide Network Locations icon on desktop Enabled No \Desktop
Remove Properties from the Computer icon context menu Enabled No \Desktop
Prevent adding, dragging, dropping and closing the Taskbar's toolbars Enabled No \Desktop
Prohibit adjusting desktop toolbars Enabled No \Desktop
Clear history of recently opened documents on exit Enabled No \Start Menu and Taskbar
Clear the recent programs list for new users Enabled No \Start Menu and Taskbar
Add Logoff to the Start Menu Enabled No \Start Menu and Taskbar
Turn off personalized menus Enabled No \Start Menu and Taskbar
Lock the Taskbar Enabled No \Start Menu and Taskbar
Remove Balloon Tips on Start Menu items Enabled No \Start Menu and Taskbar
Remove drag-and-drop and context menus on the Start Menu Enabled No \Start Menu and Taskbar
Remove Favorites menu from Start Menu Enabled No \Start Menu and Taskbar
Remove Search link from Start Menu Enabled No \Start Menu and Taskbar
Remove frequent programs list from the Start Menu Enabled No \Start Menu and Taskbar
Remove Help menu from Start Menu Enabled No \Start Menu and Taskbar
Remove Network Connections from Start Menu Enabled No \Start Menu and Taskbar
Remove pinned programs list from the Start Menu Enabled No \Start Menu and Taskbar
Do not keep history of recently opened documents Enabled No \Start Menu and Taskbar
Remove Recent Items menu from Start Menu Enabled No \Start Menu and Taskbar
Remove Run menu from Start Menu Enabled No \Start Menu and Taskbar
Remove Default Programs link from the Start menu. Enabled No \Start Menu and Taskbar
Remove Documents icon from Start Menu Enabled No \Start Menu and Taskbar
Remove Music icon from Start Menu Enabled No \Start Menu and Taskbar
Remove Network icon from Start Menu Enabled No \Start Menu and Taskbar
Remove Pictures icon from Start Menu Enabled No \Start Menu and Taskbar
Do not search communications Enabled No \Start Menu and Taskbar
Remove Search Computer link Enabled No \Start Menu and Taskbar
Remove See More Results / Search Everywhere link Enabled No \Start Menu and Taskbar
Do not search for files Enabled No \Start Menu and Taskbar
Do not search Internet Enabled No \Start Menu and Taskbar
Do not search programs and Control Panel items Enabled No \Start Menu and Taskbar
Remove programs on Settings menu Enabled No \Start Menu and Taskbar
Remove Downloads link from Start Menu Enabled No \Start Menu and Taskbar
Remove Homegroup link from Start Menu Enabled No \Start Menu and Taskbar
Remove Recorded TV link from Start Menu Enabled No \Start Menu and Taskbar
Remove user's folders from the Start Menu Enabled No \Start Menu and Taskbar
Remove Videos link from Start Menu Enabled No \Start Menu and Taskbar
Do not display any custom toolbars in the taskbar Enabled No \Start Menu and Taskbar
Remove user folder link from Start Menu Enabled No \Start Menu and Taskbar
Change Start Menu power button Enabled No \Start Menu and Taskbar
Remove the Action Center icon Enabled No \Start Menu and Taskbar
Remove the networking icon Enabled No \Start Menu and Taskbar
Turn off feature advertisement balloon notifications Enabled No \Start Menu and Taskbar
Prevent users from adding or removing toolbars Enabled No \Start Menu and Taskbar
Prevent users from rearranging toolbars Enabled No \Start Menu and Taskbar
Turn off all balloon notifications Enabled No \Start Menu and Taskbar
Prevent users from moving taskbar to another screen dock location Enabled No \Start Menu and Taskbar
Prevent users from resizing the taskbar Enabled No \Start Menu and Taskbar
Group Policy refresh interval for users Enabled No \System\Group Policy
Prevent access to the command prompt Enabled No \System
Prevent access to registry editing tools Enabled No \System
Configure Delete Browsing History on exit Enabled No \Windows Components\Internet Explorer\Delete Browsing History
Empty Temporary Internet Files folder when browser is closed Enabled No \Windows Components\Internet Explorer\Internet Control Panel\Advanced Page
Hide the common dialog back button Enabled No \Windows Components\Windows Explorer\Common Open File Dialog
Hide the dropdown list of recent files Enabled No \Windows Components\Windows Explorer\Common Open File Dialog
Hide the common dialog places bar Enabled No \Windows Components\Windows Explorer\Common Open File Dialog
Turn off Details Pane Enabled No \Windows Components\Windows Explorer\Explorer Frame Pane
Turn off Preview Pane Enabled No \Windows Components\Windows Explorer\Explorer Frame Pane
Turn off Windows Libraries features that rely on indexed file data Enabled No \Windows Components\Windows Explorer
Remove UI to change keyboard navigation indicator setting Enabled No \Windows Components\Windows Explorer
Hide these specified drives in My Computer Enabled No \Windows Components\Windows Explorer
No Entire Network in Network Locations Enabled No \Windows Components\Windows Explorer
Remove File menu from Windows Explorer Enabled No \Windows Components\Windows Explorer
Removes the Folder Options menu item from the Tools menu Enabled No \Windows Components\Windows Explorer
Remove Hardware tab Enabled No \Windows Components\Windows Explorer
Hides the Manage item on the Windows Explorer context menu Enabled No \Windows Components\Windows Explorer
Remove "Map Network Drive" and "Disconnect Network Drive" Enabled No \Windows Components\Windows Explorer
Remove the Search the Internet "Search again" link Enabled No \Windows Components\Windows Explorer
Remove Search button from Windows Explorer Enabled No \Windows Components\Windows Explorer
Remove Windows Explorer's default context menu Enabled No \Windows Components\Windows Explorer
No Computers Near Me in Network Locations Enabled No \Windows Components\Windows Explorer

May 20th, 2015 7:55pm

I figured it out with the help of one my colleagues. The policy setting we changed was in User Configuration\Administrative Templates\Control Panel\Prohibit access to the Control Panel.

I changed it from [Prohibit access to the Control Panel] to [Show only specified Control Panel items]. I then specified the Canonical Name for Window Updates which is :Microsoft.WindowsUpdate.

This allows non-admin users to click on the notification icon in the systray  and run Windows Update but prevents them running any Control Panel applet not specified.

List of Canonical Names for Control Panel items.

https://msdn.microsoft.com/en-us/library/windows/desktop/ee330741(v=vs.85).aspx?f=255&MSPPError=-2147217396


Free Windows Admin Tool Kit Click here and download it now
May 21st, 2015 2:48pm

Hi,

Glad to hear that your issue is resolved and thanks for the sharing!

Your time and efforts is appreciated!

Best Regards.

May 21st, 2015 9:55pm

This topic is archived. No further replies will be accepted.

Other recent topics Other recent topics