Disable 3rd Party Software Updaters with Group Policy: Introduction


Disable 3rd Party Software Updates

Like many IT departments, I push out updates to applications like Adobe Reader, Flash, Java, etc. for a multitude of reasons. First off, it’s the only way to guarantee the updates get installed. Sure, there are end users who will be responsible and make sure the updates get installed. But if I have control of when things are being updated, I know what is updated and when it happens. Second, we have applications that are dependent on 3rd party apps. If updates get installed before we have a chance to test them, I could have lots of people who need the update removed and the old version installed. Last and certainly not least, the biggest reason I update these apps is that my end users don’t have Admin rights on their computers.

When the majority of users I supported were on Windows XP Professional, this was never a problem. However, the addition of User Account Control (UAC) in Windows Vista and 7 causes many applications to prompt the user to install product updates. With XP, these apps typically didn’t try to run at all. With UAC, the app checks for updates, and as soon as the user clicks through the dialog, they get this:

A big fat UAC prompt for Admin credentials… that they don’t have. On top of that, I usually end up getting a support ticket or Help Desk call that I have to track down.

So, how do we handle this issue? The good news is that most applications have an option to disable updates. This option usually translates into a Registry entry or a file on the filesystem that we can modify with a Group Policy Object (GPO) so that the end user is never prompted to install the update.

DISCLAIMER: Disabling the update notifications or the updater itself doesn’t mean you don’t need to install updates. I can’t stress enough that you need to be updating all of the software on the computers you manage. Third-party apps are updated on a regular basis just like Windows and Office and should be updated in a timely manner. Failure to do so could (and most likely will) open your systems to attack. If you don’t have a system in place for updating third-party applications, it probably isn’t a good idea to disable the updater that is built into the application.

As I encounter apps, I’ll add them to this series. Don’t see one listed here? Comment below and I’ll add it as quickly as possible!


5 thoughts on “Disable 3rd Party Software Updaters with Group Policy: Introduction”

  1. Joseph July 26, 2012 / 8:51 AM

    Good article!

    A setting I really like is “User Account Control: Behavior of the elevation prompt for standard users”

    I set this to Automatically deny elevation requests so that standard users never even see a UAC prompt.

  2. kyle July 28, 2012 / 9:11 PM

    Thanks!

    Under certain circumstances, I like that setting. But, I do have three issues with it. First off, if you’re running your users with standard user accounts (without Admin rights) and give certain users a secondary Admin account, disabling the UAC prompts for their standard account makes it much more difficult for them to use their Admin credentials. Second, it makes my life MUCH easier when I can just remote control the user (or visit their desk), see what’s on their screen, type in my credentials, and resolve their issue. (Especially if they’re trying to get some kind of web meeting client installed and their meeting started 5 minutes earlier!) Third, instead of getting the UAC, the user gets this wonderful “This program is blocked by group policy. For more information, contact your system administrator.” error message that looks very similar to an AppLocker block window, which usually generates a support request just as fast as the UAC prompt.

    Your mileage may vary… Like just about every other setting, it is a matter of personal or organizational preference.

  3. chris anzalone October 8, 2012 / 3:02 PM

    I’d love a simple way of disabling Adobe Flash updates.

    I’ve gone through your articles for Adobe Reader X and Java – both work as expected, and easy to implement! Thanks

  4. Kyle Beckman October 27, 2012 / 9:26 PM

    Thanks, Chris! Just posted it!

  5. Scott February 12, 2017 / 2:01 AM

    I like this approach, but think I may be missing something about Reg Keys and GPO. When I go to GPO editor to configure registry keys, say for instance Java, none of the folders are there because the server doesn’t have the software installed. Should we somehow create these folders and registry keys, or import registry keys from a computer that has the software installed? I don’t think we will want to install software on DCs so the keys are there. Some clarification on this would be really appreciated.
