The Microsoft® Office System provides direct access to valuable Microsoft supplied online resources, such as updated Help, new templates, clip art, and training materials. These online resources also include the Microsoft Office Update detection engine, which can be accessed by clicking Check for Updates on the Help menu in any Office application. This is the most reliable and efficient way to keep an Office installation up-to-date.
In many organizations, however, Office administrators manage the update process to retain a consistent configuration across all computers. Blocking users from updating their computers allows administrators the time to test patches or updates before implementation to make sure the updates work in their environment. This usually requires blocking users from accessing and running the Office Update detection engine.
In the past this was accomplished by blocking all access to the Internet from either Office applications or Internet Explorer. Although this step did prevent users from downloading updates, it also stopped them from accessing other useful resources available on Microsoft Office Online. If you prefer to block access completely to the Office Update Web site, but still allow access to other Office Online Web sites, see the article Allowing Internet Access from Office Applications.
A better method of preventing users from downloading Office updates, but still allow them access to other resources on Office Online, is to instruct the Office Update detection engine to not allow downloads to be installed. You can block access to Office updates by setting a single value in the following Windows registry entry:
When you set the BlockUpdates value data field to 1, the following occurs:
- The Check for Updates command on the Help menu is hidden in all Office applications.
- Although users can still go to the Office Update Web site using a Web browser and run the detection engine, they are blocked from downloading any updates.
Note Setting BlockUpdates also prevents Office XP and Office 2000 users from downloading patches from Office Online because the Office Update detection engine is independent of the version of Office you have installed on your computer.
For Office 2000 or Office XP you can disable the Office on the Web command (Help menu) by redirecting it to a local Web site using the "Default User\Microsoft Office XP\Help | Office on the Web" policy, available in the Office9.adm or Office10.adm policy templates.
There are several ways to distribute these policy settings throughout your organization:
- If you have not yet deployed Office 2003, use the Custom Installation Wizard to distribute the registry entries in a transform (MST file). See the reference topic Custom Installation Wizard and search for the Add/Remove Registry Entries section for more information. The Custom Installation Wizard sets user based registry entries, not policy entries and therefore is not as secure as using policies.
- If you have already deployed Office 2003 and prefer not to use Group Policy, you can use the Custom Maintenance Wizard to distribute the settings to users in a configuration maintenance file (CMW file). See the reference topic Custom Maintenance Wizard and search for the Add/Remove Registry Entries section for more information. This also sets user based registry entries and is not as secure as using policies.
- To enforce the BlockUpdates setting using Group Policy, enable and set the policy using the Office administrator policy template Office11.adm using the Group Policy snap-in:
User Configuration\Administrative Templates\Microsoft Office 2003\Miscellaneous\Block updates from the Office Update Web site
Although this policy is only included in the Office 2003 administrator policy template file, the Office Online system respects the policy for Office 2000 and Office XP. If you want to use the policy setting with an older version of Office, you can load the Office11.adm policy template in either the Group Policy snap-in or the System Policy Editor and select to only enable the one policy.
The BlockUpdates registry setting blocks only Windows Installer-based patches (MSP files) designed for use with Office applications. It does not prevent users from downloading and applying updates for other applications, and it does not prevent users from running Windows Installer (Msiexec.exe) manually to apply an MSP file. To prevent users from applying all forms of MSP files, enable and set the DisablePatch policy. The DisablePatch policy is in the Instlr11.adm policy template in the "Computer Configuration\Administrative Templates\Windows Installer\Disable Patching" policy path. This policy is respected by all versions of Windows Installer since version 1.1.
For more information about Windows Installer policies, see the Roadmap to Windows Installer Documentation.
In order to implement Group Policy in your organization, you must have Active Directory® and a Group Policy structure implemented for your domain. For more information about setting Office policies, see Managing Users' Configurations by Policy.