How To Use Local Group Policies to Prevent Users Turning Off Automatic Updates

Critical updates for Windows XP are important and should be installed as soon as they become available. Unfortunately some people think of them as a nuisance and turn them off, but there is a way to stop them and enforce updates, just follow this simple procedure...

Windows XP Pro

1. Click Start and Run or hold down the Windows key and press R.
2. Type 'gpedit.msc' and click 'OK' to start the Group Policy console.
3. Double click 'Administrative Templates'.
4. Double click 'Windows Components'.
5. Click 'Windows Update'.
6. Double click 'Configure Automatic Updates'.
7. Click the 'Enabled' radio button.
8. Select which automatic update method you would like to use, (click the 'Explain' tab or see below for more information on each option).
9. Click 'OK' and close the group policy console.

If you now open the Automatic Updates control panel you will see that all the available options for users are grayed out and can not be changed.

Windows XP Home

Users of Windows XP Home do not have access to the Local Group Policy console so the Automatic Update policy has to be created using the registry editor. Always back up your registry first and only proceed if you are confident about editing it.

To add the relevant entries to your registry you can either go through the following procedure step by step or, to save you time, download this autoupdates.zip file and run the autoupdates.reg file contained within. Please see the disclaimer below.

1. Click Start and Run or hold down the Windows key and press R
2. Type 'regedit' and click 'OK'.
3. Find the following key: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\.
4. Right click the 'Windows' key, click 'New' and 'Key'.
5. Type 'WindowsUpdate' to rename the new key.
6. Right click the new WindowsUpdate key, click 'New' and 'Key'.
7. Type 'AU' to rename the new key.
8. Create a new DWORD Value using the following method:
   • Right click the new AU key, click 'New' and 'DWORD Value'.
   • Type 'AUOptions' to rename the new DWORD Value.
   • Right click the new AUOptions DWORD Value and click 'Modify'.
   • Change the value to '4' (Or see 'Explain Tab' below for other options) and click 'OK'.
9. Create three more DWORD Values using the same method but with the following values:
   • Name: NoAutoUpdate, Value: 0.
   • Name: ScheduledInstallDay, Value: 0.
   • Name: ScheduledInstallTime, Value: 3.
10. Exit the registry editor.

If you now open the Automatic Updates control panel you will see that all the available options for users are grayed out and can not be changed.

Explain Tab

The following is copied from the Explain tab and gives an overview of the options available when setting the automatic update method.

Specifies whether this computer will receive security updates and other
important downloads through the Windows automatic updating service.

This setting lets you specify if automatic updates are enabled on this
computer. If the service is enabled, you must select one of the four
options in the Group Policy Setting:

2 = Notify before downloading any updates and notify again before
installing them.

When Windows finds updates that apply to this computer, an icon appears in
the status area with a message that updates are ready to be downloaded.
Clicking the icon or message provides the option to select the specific
updates to download. Windows then downloads the selected updates in the
background. When the download is complete, the icon appears in the status
area again, with notification that the updates are ready to be installed.
Clicking the icon or message provides the option to select which updates to
install.

3 = (Default setting) Download the updates automatically and notify when
they are ready to be installed

Windows finds updates that apply to your computer and downloads these
updates in the background (the user is not notified or interrupted during
this process). When the download is complete, the icon appears in the
status area, with notification that the updates are ready to be installed.
Clicking the icon or message provides the option to select which updates to
install.

4 = Automatically download updates and install them on the schedule
specified below

Specify the schedule using the options in the Group Policy Setting. If no
schedule is specified, the default schedule for all installations will be
everyday at 3:00 AM. If any of the updates require a restart to complete
the installation, Windows will restart the computer automatically. (If a
user is logged on to the computer when Windows is ready to restart, the
user will be notified and given the option to delay the restart.)

5 = Allow local administrators to select the configuration mode that
Automatic Updates should notify and install updates

With this option, the local administrators will be allowed to use the
Automatic Updates control panel to select a configuration option of their
choice. For example they can choose their own scheduled installation time.
Local administrators will not be allowed to disable Automatic Updates'
configuration.

To use this setting, click Enabled, and then select one of the options (2,
3, 4 or 5). If you select 4, you can set a recurring schedule (if no
schedule is specified, all installations will occur everyday at 3:00 AM).

If the status is set to Enabled, Windows recognizes when this computer is
online and uses its Internet connection to search the Windows Update Web
site for updates that apply to this computer.

If the status is set to Disabled, any updates that are available on the
Windows Update Web site must be downloaded and installed manually by going
to http://windowsupdate.microsoft.com.

If the status is set to Not Configured, use of Automatic Updates is not
specified at the Group Policy level. However, an administrator can still
configure Automatic Updates through Control Panel.

Disclaimer

The autoupdates.reg file provided here was created by me and has been tested and proved to work but you use it at your own risk and take full responsibility for your own actions.