3

This question is subtly different from other questions I've found on Serverfault about how best to configure Windows Updates by GPO for Win10 machines on an AD Domain.

I'm running Server 2016, domain from scratch (i.e. latest Win10 Admin Templates for GPO), with Windows 10 clients (1703 - Creators Update).

I'm generally happy with the Windows Updates settings for workstations, aside from the below problem.

Non-administrator users logged onto Win10 PCs are receiving a blue notification on screen, "Updates are available", and they are given the option to "View Updates" and nothing else. When users click on this button, it opens the Windows Updates settings screen. It says "Updates are ready to install" and there's an "Install now" button. Users are able to click this button.

I don't want this to happen, and I don't want users to be interrupted by the intrusive blue bar, which takes focus from the user and forces them to click the "View Updates" button.

I've made the following settings already in Group Policy:

  • Allow automatic updates immediate installation > enabled
  • Allow non-administrators to receive update notifications > disabled
  • Turn off auto-restart during active hours > enabled 8am-5pm

I want to prevent this "View Updates" bar from showing on the screen, as it interrupts non-administrator users. The users on this network should not interact with Windows Update at all, and updates should be seamless.

hazymat

2 Answers

3

Allow automatic updates immediate installation > enabled will bypass Allow non-administrators to receive update notifications > disabled if the system is newer than 2008, from what I have read.

If you want Automatic updates enabled then you should put Allow non-administrators to receive update notifications > enabled or not configured.

Test this on one of the workstations and see if that helps.

The second option is this:

User Configuration > Policies > Administrative Templates > Windows Components > Windows Update

Remove access to use all Windows Update features > Enabled: 0 - Do not show any notifications

SpiderIce
  • Re your first 2 paragraphs, I will test this. However it allows normal network users to receive notifications. Are you saying that the user configuration ("remove access to use all windows update features > enabled: 0") will cancel this out, and that means the user won't receive notifications? – hazymat Oct 23 '17 at 13:50
  • Sorry, just to add: I do want windows updates to continue, however I want them to be installed in background and restart only out of hours. If I change the user configuration setting you mentioned above, it appears to prevent windows updates from taking place. This is not the desired option... any idea how I can achieve windows updates, transparent to the user? – hazymat Oct 23 '17 at 13:54
  • @hazymat Remove access to use all Windows Update features > Enabled: 0 = this will block all notifications for users. Sometimes these GPO policies aren't clear and will overwrite each other. – SpiderIce Oct 23 '17 at 14:07
  • Sorry to labour the point, but the help for this user config setting states "If you enable.... Windows automatic updating is also disabled; you will neither be notified about nor will you receive critical updates from Windows Update." - hence I'm a bit nervous about setting it to Enabled. – hazymat Oct 23 '17 at 14:12
  • 1
    You should always test GPO settings on a test device, never trust MS policies to do what they say, as new OS versions can break or change how they function. https://technet.microsoft.com/en-us/library/cc720539(v=ws.10).aspx https://social.technet.microsoft.com/Forums/windows/en-US/2d3138f7-0b0b-468e-ab65-b12b25c14e03/ts-windows-server-2008-prevent-users-form-seeing-windows-update-popup?forum=winserverTS – SpiderIce Oct 23 '17 at 14:27
0

You can't block the "Install now" button for regular users and leave it enabled for admins.

The closest I got to solving this was to hide Windows Update in the settings app using the following group policy setting:

Administrative Templates > Control Panel > Settings Page Visibility

You can enable it (for non-administrators) and set the value to hide:windowsupdate. That should hide the whole updates page in the settings, along with the "Install now" button.

MarkoD
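One way to carry out the "test on one workstation" advice given in this thread: the PowerShell below is an added example, not code from the question or either answer, and it reports which of the discussed policies have actually landed in the registry after `gpupdate /force`. The registry paths and value names are assumptions taken from the standard Windows Update and Control Panel administrative templates; confirm them against the ADMX files in your own policy store.

```powershell
# Added example (not from the thread). Registry locations are assumptions based on the
# standard administrative templates; verify them against your own ADMX files.
# Run in the standard user's session so the HKCU values are that user's.
$wu = 'SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$checks = @(
    @{ Policy = 'Allow automatic updates immediate installation'
       Path = "HKLM:\$wu\AU"; Name = 'AutoInstallMinorUpdates' }
    @{ Policy = 'Allow non-administrators to receive update notifications'
       Path = "HKLM:\$wu"; Name = 'ElevateNonAdmins' }
    @{ Policy = 'Turn off auto-restart during active hours'
       Path = "HKLM:\$wu"; Name = 'SetActiveHours' }
    @{ Policy = 'Active hours start'; Path = "HKLM:\$wu"; Name = 'ActiveHoursStart' }
    @{ Policy = 'Active hours end'; Path = "HKLM:\$wu"; Name = 'ActiveHoursEnd' }
    @{ Policy = 'Remove access to use all Windows Update features (per user)'
       Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\WindowsUpdate'
       Name = 'DisableWindowsUpdateAccess' }
    @{ Policy = 'Settings Page Visibility (computer)'
       Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
       Name = 'SettingsPageVisibility' }
    @{ Policy = 'Settings Page Visibility (per user)'
       Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
       Name = 'SettingsPageVisibility' }
)

$report = foreach ($c in $checks) {
    $data = $null
    if (Test-Path -Path $c.Path) {
        # A missing value yields $null instead of an error
        $item = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
        if ($item) { $data = $item.($c.Name) }
    }
    [pscustomobject]@{
        Policy = $c.Policy
        Value  = $c.Name
        Data   = if ($null -eq $data) { '(not configured)' } else { $data }
    }
}
$report | Format-Table -AutoSize -Wrap

# The policy help text quoted in the comments says enabling this setting also disables
# automatic updating, so flag it when it is present.
$blocked = $report | Where-Object { $_.Value -eq 'DisableWindowsUpdateAccess' -and $_.Data -eq 1 }
if ($blocked) {
    Write-Warning 'DisableWindowsUpdateAccess is set for this user; confirm updates still install.'
}
```

Comparing this output with `gpresult /h report.html` on the same machine shows whether two settings are overriding each other, which is the failure mode raised in the comments.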