let non administrators install windows updates
Posted on 2009-12-21
We are currently have an all laptop user install base who due to a company policy are required to take their laptop home every night. We are using windows vista sp2 on all computers and none of the users have local administrator privileges. We are using WSUS via System Center Essentials to push out patches and applications. In order to limit the disruption of the user start-up experience and still ensure that patches are getting installed we were installing patches at 2pm in the afternoon. This helped to ensure people were still in the office when the updates installed and not start installing updates shortly after morning logon (when they would be starting all of their programs at once). Recently, we have some new programs that rely on the SQL engine and other MS processes to run. If an update runs that has a component that the program needs, the program will usually break at worst and most of the time won't work properly until the machine is restarted.
I have thought about changing my WSUS policy to download and notify for install and notify non-administrator users about update notifications. I would then just require the users to run updates once a week or month (for example) and use WSUS/SCE reporting to catch my stragglers. However based on my initial testing, running windows updates will still require administrator permissions. I also thought about telling people to select install updates and shutdown but I'm sure they will not enjoy waiting for their machine to patch and reboot when they are leaving the office.
Has anyone run into a situation like this before and if so how did you go about solving it?