LionelB 0 Posted July 26, 2014 Report post Posted July 26, 2014 Hi everyone, I have an issue with IE 11, IE blocker and Windows updates. I want to prevent users from installing IE11 from Windows Updates (We have SCCM 2012 R2 and SUP is deployed). I created a software update group that contains all Windows 7 updates but excludes IE11. Our users are local administrators of their computers. I tried to add the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Setup\11.0\ DWORD DoNotAllowIE11 value 1 but it doesn’t seem to work. If a user clicks on Windows updates, he will see the IE11 update available. I attached some screenshots. I also don’t understand why so many updates are available whereas I have not deployed any of them to any collection? Is it because users are administrators and they can see all the updates available on the SUP ? Internet explorer 11 is not available neither in the software group nor in the package. Thank you for your help ! Quote Share this post Link to post Share on other sites
LionelB 0 Posted July 27, 2014 Report post Posted July 27, 2014 Ok, from what I see, it looks like if I click on "Check for updates", it going to send a request directly to the WSUS and don't use the software update point. Moreover if I try to install an update, it is downloaded directly from WSUS and not from the distribution point. I didn't install WSUS and SCCM, do you think SUP/WSUS could have been installed incorrectly or something is missing ? Thanks. Quote Share this post Link to post Share on other sites
anyweb 480 Posted July 27, 2014 Report post Posted July 27, 2014 well it sounds like the clients are using WSUS or the Internet to download their updates, have you verified any of the settings in your Software Update Collections, for example add some virtual machines to those collections and test deploying updates to them, what happens (if anything) Quote Share this post Link to post Share on other sites
LionelB 0 Posted July 27, 2014 Report post Posted July 27, 2014 Hi, You were right, clients were using WSUS directly instead of the SUP. Apparently ,the WSUS role had been configured directly... To make it work properly, I had to uninstall WSUS and SUP and then re-install the role WSUS and SUP. Everything is back to normal now. Thanks Quote Share this post Link to post Share on other sites
anyweb 480 Posted July 28, 2014 Report post Posted July 28, 2014 great stuff Lionel, for the benefit of others coming to this thread, please share with them how you determined the clients were getting their updates from WSUS Quote Share this post Link to post Share on other sites
LionelB 0 Posted July 30, 2014 Report post Posted July 30, 2014 Thanks. In the control panel, when I was clicking on "Check updates", I could see a list of updates whereas I didn't advertise any updates to the collection which the computer belongs to. For testing, I installed one of the updates and ran a network trace with wireshark. I could identify (with the IP address) that the computer was downloading the updates from the WSUS server and not from my local distribution point. Quote Share this post Link to post Share on other sites
HBacon 0 Posted August 1, 2014 Report post Posted August 1, 2014 Hi Lionel, How dit you prevent your users from installng IE11 and do you use an Automatic Deployment Rule (ADR) for you monthly MS updates? Regard, Hans Quote Share this post Link to post Share on other sites
LionelB 0 Posted August 2, 2014 Report post Posted August 2, 2014 Hi, For IE11, I removed it manually from my initial software update group and from my package. You can also use "IE11 blocker" that basically creates a registry key that prevents the automatic installation of IE11 (http://www.microsoft.com/en-us/download/details.aspx?id=40722). Yes I use ADR for the monthy updates. Quote Share this post Link to post Share on other sites