How to disable AU pop-ups and tray icon
![Don Cottam [MS]'s profile photo](https://lh3.googleusercontent.com/a/default-user=s40-c)
Don Cottam [MS]
There have been a great number of posts inquiring how to go about removing
all notifications to users and doing silent installs. Although this
functionality doesn't exist in the current version of the Automatic Update
client, there is a policy setting that can be used in conjunction with
AU/SUS in order to accomplish some of the things that many of you have asked
about. There are certain pros and cons to using this policy setting, and
I'll try to cover as many as I can. Try this out in a test environment and
make sure that you understand the consequences before deploying it to a
production environment!
First, there are two things that I need to point out:
1) This policy is only available if you are using a system.adm from Windows
XP or above
2) This policy will remove the ability to access the live Windows Update
website
3) This is a per-user policy, not a per-machine policy
This policy is located in the User Configuration / Administrative Templates
/ Windows Components / Windows Update tree. Once it is enabled, a registry
key is written to HKCU\Software\Microsoft\Windows\CurrentVersion\Group
Policy
Objects\LocalUser\Software\Microsoft\Windows\CurrentVersion\Policies\Windows
Update. The registry key is a DWORD named "DisableWindowsUpdateAccess" and
when enabled is set to a value of 0x00000001.
If you apply the user policy of "Remove access to use all Windows Update
features" the current user is always treated as a non-administrator, as far
as the Automatic Client is concerned. If you set AU configuration to either
2 or 3 in the AU policy, then the local user will never be notified that
there are updates available for download or for install. That's not
terribly good since the end result is that the updates never get installed.
Don't turn this policy unless you configure AU to do scheduled installs!!
If you set AU configuration to 4 (scheduled install) in the AU policy, then
the scheduled install will occur as intended, but the local user won't ever
see the AU tray icon, or be notified that the install is ready to occur and
have a 5 minute count-down before the install starts. The local user
(admin/non-admin) will be notified that a reboot is needed, and admin users
who are governed by the user policy will have the ability to initiate the
reboot, but will not be able to postpone the reboot. Essentially, turning
on this policy prevents users from seeing any AU notifications or
activities, with the exception of the Reboot dialog.
Here is a listing of the different behaviors when you set this user policy
versus not setting it, assuming that the logged on user is a local
administrator and scheduled installs have been set through policy.
+++++++++
No User Policy (default behavior of AU)
============================
AU is ready to install updates:
User gets AU tray icon notification. They can click on the icon and install
the updates prior to the set schedule if they so desire.
Scheduled install time:
User is notified via UI that updates will be installed in 5 minutes, with a
countdown timer. User can click "Yes" button to initiate the install, or
"No" button to postpone it. If the installs are scheduled for 4pm, the user
is notified at 4pm and the install actually starts at 4:05pm. If the user
clicks the "No" button, the install is postponed until the next scheduled
day/time.
Install requires a reboot:
User is notified that a reboot is needed, and is able to either click "Yes"
to initiate the reboot, or "No" to postpone the reboot.
User Policy (Remove WU Access)
========================
AU is ready to install updates:
User gets no AU tray icon and is not aware that updates are ready to
install.
Scheduled install time:
User is not notified that the installs are ready to occur. If the install
is scheduled at 4pm then installation starts at 4pm instead of 4:05 since
there is no 5 minute countdown dialog.
Install requires a reboot:
User is notified that reboot is needed, and can click "Yes" to initiate the
reboot, but is not able to postpone the reboot (the "No" button is grayed
out).
++++++++++
Essentially, when the user policy is set to remove access to WU, even if the
local user is an administrator they are (a) not notified of pending installs
via the tray icon, (b) they cannot postpone the scheduled installs, and (c)
they cannot defer the reboot if one is required after an install has
occurred. The one caveat is that if this policy is in place, then there may
be issues with not allowing the user to postpone the reboot.
BTW - if you do enforce this policy, you may also want to consider enforcing
the user policy "Remove links and access to Windows Update" located in User
Configuration / Administrative Templates / Start Menu and Taskbar. This
policy will remove the WU link on the Start Menu which.
Using the "Remove access to use all Windows Update features" policy may not
work for everyone, so please test it to see how it works before you deploy
it. Perhaps some of you who have asked how to prevent users from seeing the
AU tray icon or notifications might find this policy usable.
Don [MS]