• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 607
  • Last Modified:

Can I allow Windows update to run without giving users admin permissions and not using WSUS

Is it possible to allow users who are not members of the power users or administrators group to automatically download and schedule windows updates.  I cannot use SUS or WSUS as very limited file space on server.  These users are prevented via group policy from installing any software.
0
Jenny Coulthard
Asked:
Jenny Coulthard
  • 7
  • 5
1 Solution
 
frostsystemsCommented:
Short answer, no. They must have at least admin permissions to the local machine in order to perform Windows and Microsoft Updates. Otherwise, what's to prevent a user from installing an update that could potentially "break" something?
0
 
Jenny CoulthardInformation Technology ManagerAuthor Commented:
THanks forstsystems, I thought this would be the case but wanted confirmation.  Very fast response too!!
0
 
cmb991Commented:
Not to reopen the question, but you can use a GPO under the computer configuration to push the updates out and automatically install them at a certain time, then also set the GPO to reset the clients computer as long as a user is not logged in.  That is about as close as you will get.
0
Improved Protection from Phishing Attacks

WatchGuard DNSWatch reduces malware infections by detecting and blocking malicious DNS requests, improving your ability to protect employees from phishing attacks. Learn more about our newest service included in Total Security Suite today!

 
Jenny CoulthardInformation Technology ManagerAuthor Commented:
cmb991 - If I open a new question about your suggestion can we discuss further?
0
 
cmb991Commented:
You don't need to open a new question, I don't care about the points.  What do you want to know, how to do it?  Or questions about it?
0
 
Jenny CoulthardInformation Technology ManagerAuthor Commented:
THanks cmb991, I am intetested in how to do it, as it takes a long time to do manually.   I can get that you can configure windows updates via group policy but how do you run a GPO at a certain time.  One to turn them on and another to trun them off and how do you change a users permissions or dont permissions come into it if no user is logged on?
0
 
cmb991Commented:
Do you have a GPO in a domain environment or does each station use its individual GPO?  Like how do you manage the GPO, from a server?
0
 
Jenny CoulthardInformation Technology ManagerAuthor Commented:
We have a GPO in a domain environment managed from a sbs2003 server.
0
 
cmb991Commented:
Computer Configuration > Administrative Templates > Windows Components > Windows Update

Select Configure Automatic Updates, and set it to enabled.

Select 'Auto download and schedule the install' if you want to schedule it to install but not reset unless no one is logged in or the user selects to reset (if required)

or

Select 'Auto download and notify for install' if you want them to install them manually and the same thing applies for resetting as above.
-----
Make sure all of your computers are in this policy, enforce the policy also.  
0
 
Jenny CoulthardInformation Technology ManagerAuthor Commented:
I am confused, I know how to force the automatic udpates via group policy but  the users are logged in and dont have permissions to run the windows udpate so I dont see any benefit in setting this.
0
 
cmb991Commented:
It doesn't matter if they do.  In my case, we don't allow users to install updates either, we select the updates by our WSUS and the GPO allows the computers to install the updates at 3am regardless if someone is logged in or not.  Then the GPO resets the computer once the update(s) are finished installed as long as a user isn't logged in.
0
 
Jenny CoulthardInformation Technology ManagerAuthor Commented:
OK, so let me see if I have this correct.  I can use GPO to install updates at 3am and restart the computer as long as the user isnt logged in but obviously the computer has to be turned on.
0
 
Jenny CoulthardInformation Technology ManagerAuthor Commented:
and this is without WSUS simply using the windows update on each pc to download critical updates.
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Worried about phishing attacks?

90% of attacks start with a phish. It’s critical that IT admins and MSSPs have the right security in place to protect their end users from these phishing attacks. Check out our latest feature brief for tips and tricks to keep your employees off a hackers line!

  • 7
  • 5
Tackle projects and never again get stuck behind a technical roadblock.
Join Now