Solved

Can I allow Windows update to run without giving users admin permissions and not using WSUS

Posted on 2010-11-10
13
589 Views
Last Modified: 2012-05-10
Is it possible to allow users who are not members of the power users or administrators group to automatically download and schedule windows updates.  I cannot use SUS or WSUS as very limited file space on server.  These users are prevented via group policy from installing any software.
0
Comment
Question by:purbrick
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 7
  • 5
13 Comments
 
LVL 5

Accepted Solution

by:
frostsystems earned 500 total points
ID: 34107989
Short answer, no. They must have at least admin permissions to the local machine in order to perform Windows and Microsoft Updates. Otherwise, what's to prevent a user from installing an update that could potentially "break" something?
0
 

Author Comment

by:purbrick
ID: 34108000
THanks forstsystems, I thought this would be the case but wanted confirmation.  Very fast response too!!
0
 
LVL 1

Expert Comment

by:cmb991
ID: 34108016
Not to reopen the question, but you can use a GPO under the computer configuration to push the updates out and automatically install them at a certain time, then also set the GPO to reset the clients computer as long as a user is not logged in.  That is about as close as you will get.
0
MIM Survival Guide for Service Desk Managers

Major incidents can send mastered service desk processes into disorder. Systems and tools produce the data needed to resolve these incidents, but your challenge is getting that information to the right people fast. Check out the Survival Guide and begin bringing order to chaos.

 

Author Comment

by:purbrick
ID: 34109039
cmb991 - If I open a new question about your suggestion can we discuss further?
0
 
LVL 1

Expert Comment

by:cmb991
ID: 34109206
You don't need to open a new question, I don't care about the points.  What do you want to know, how to do it?  Or questions about it?
0
 

Author Comment

by:purbrick
ID: 34117606
THanks cmb991, I am intetested in how to do it, as it takes a long time to do manually.   I can get that you can configure windows updates via group policy but how do you run a GPO at a certain time.  One to turn them on and another to trun them off and how do you change a users permissions or dont permissions come into it if no user is logged on?
0
 
LVL 1

Expert Comment

by:cmb991
ID: 34123282
Do you have a GPO in a domain environment or does each station use its individual GPO?  Like how do you manage the GPO, from a server?
0
 

Author Comment

by:purbrick
ID: 34132752
We have a GPO in a domain environment managed from a sbs2003 server.
0
 
LVL 1

Expert Comment

by:cmb991
ID: 34152281
Computer Configuration > Administrative Templates > Windows Components > Windows Update

Select Configure Automatic Updates, and set it to enabled.

Select 'Auto download and schedule the install' if you want to schedule it to install but not reset unless no one is logged in or the user selects to reset (if required)

or

Select 'Auto download and notify for install' if you want them to install them manually and the same thing applies for resetting as above.
-----
Make sure all of your computers are in this policy, enforce the policy also.  
0
 

Author Comment

by:purbrick
ID: 34152302
I am confused, I know how to force the automatic udpates via group policy but  the users are logged in and dont have permissions to run the windows udpate so I dont see any benefit in setting this.
0
 
LVL 1

Expert Comment

by:cmb991
ID: 34152321
It doesn't matter if they do.  In my case, we don't allow users to install updates either, we select the updates by our WSUS and the GPO allows the computers to install the updates at 3am regardless if someone is logged in or not.  Then the GPO resets the computer once the update(s) are finished installed as long as a user isn't logged in.
0
 

Author Comment

by:purbrick
ID: 34152338
OK, so let me see if I have this correct.  I can use GPO to install updates at 3am and restart the computer as long as the user isnt logged in but obviously the computer has to be turned on.
0
 

Author Comment

by:purbrick
ID: 34152340
and this is without WSUS simply using the windows update on each pc to download critical updates.
0

Featured Post

How our DevOps Teams Maximize Uptime

Our Dev teams are like yours. They’re continually cranking out code for new features/bugs fixes, testing, deploying, responding to production monitoring events and more. It’s complex. So, we thought you’d like to see what’s working for us. Read the use case whitepaper.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Do we do penetration & VA scans against SOC EVM event collector 5 122
ticket bloat 3 76
Drive mapping problem 7 54
Promote Server 2012 R2 on Server 2003 domain 13 67
If you're not part of the solution, you're part of the problem.   Tips on how to secure IoT devices, even the dumbest ones, so they can't be used as part of a DDoS botnet.  Use PRTG Network Monitor as one of the building blocks, to detect unusual…
Did you know that more than 4 billion data records have been recorded as lost or stolen since 2013? It was a staggering number brought to our attention during last week’s ManageEngine webinar, where attendees received a comprehensive look at the ma…
Two types of users will appreciate AOMEI Backupper Pro: 1 - Those with PCIe drives (and haven't found cloning software that works on them). 2 - Those who want a fast clone of their boot drive (no re-boots needed) and it can clone your drive wh…
Are you ready to implement Active Directory best practices without reading 300+ pages? You're in luck. In this webinar hosted by Skyport Systems, you gain insight into Microsoft's latest comprehensive guide, with tips on the best and easiest way…

742 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question