WSUS do you have to have admin rights on the pc to install updates?

We installed an WSUS server and was pushing out critical updates to automatically install as listed in our group policy set. We just started approving security updates and others and noticed if the user (non-admin) was logged on it was not asking for the updates, but if you logged in with a admin user it was notifying you of the updates to be installed. Do you have to have admin rights tio install these updates via WSUS? We do not want to give users admin rights, so is there a way around this?
LVL 1
mslibrarycommissionAsked:
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

x
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

DonNetwork AdministratorCommented:
Enable the setting "Allow non-admins to receive update notifications"
newmathCommented:
WSUS does not require your users to have local administrative rights. You probably have an issue with your GPO deployment for WSUS. Follow this guide carefully and you should be set: http://technet.microsoft.com/en-us/library/cc720539(v=ws.10).aspx
mslibrarycommissionAuthor Commented:
where is that setting?
Acronis True Image 2019 just released!

Create a reliable backup. Make sure you always have dependable copies of your data so you can restore your entire system or individual files.

DonNetwork AdministratorCommented:
The Group policy above does exactly what you want, allow non admins to both see the yellow shield and to install updates without giving them admin rights
DonNetwork AdministratorCommented:
To allow non-administrators to receive update notifications

    In Group Policy Object Editor, expand Computer Configuration, expand Administrative Templates, expand Windows Components, and then click Windows Update.

    In the details pane, click Allow non-administrators to receive update notifications, and set the option.

    Click OK.


http://technet.microsoft.com/en-us/library/cc720539%28WS.10%29.aspx
mslibrarycommissionAuthor Commented:
The group policy setting is to to automatically download and install, but it is not for non-admins, nor do I see a setting to let non-admins install updates
DonNetwork AdministratorCommented:
The setting is "Allow non-administrators to receive update notifications"

which allows non-admins the right to install
DonNetwork AdministratorCommented:
as in image
34922.jpg
DonNetwork AdministratorCommented:
Except in your case select "Enabled"
mslibrarycommissionAuthor Commented:
ok I see that, but it says it's just for notification and not actually for install which the GPO is set for auto download and install. This setting gives the right to install?
DonNetwork AdministratorCommented:
If they dont have a notification(Yellow shield) then how can they install?? :)


Have you read



Managing the WSUS Automatic Updates Client Download, Install, and Reboot Behavior with Group Policy

http://technet.microsoft.com/en-us/library/cc512630.aspx
DonNetwork AdministratorCommented:
And real good explanations of the settings here


http://community.spiceworks.com/how_to/show/1390

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
mslibrarycommissionAuthor Commented:
My GPO seetings are:
4 = Automatically download updates and install them on the schedule specified below
at 10pm every night.

which I thought you do not need a notification if it is set like this.  I will try this setting tommorow and see if it works. Thanks!
DonNetwork AdministratorCommented:
"which I thought you do not need a notification if it is set like this."

You dont, but if you want your users be able to install (Say, when updates didnt get installed at scheduled time..because a user didnt logoff or the system was off) then this setting becomes useful.

You never want to rely on your users to install their updates, but it does help the process along the way.
mslibrarycommissionAuthor Commented:
This was in the notes on http://community.spiceworks.com/how_to/show/1390  about the non-admins to receive notifications, I also don't want non-admins controlling reboots of any updated computers. I just want the updates to download and install by themselves without NO intervention.


When enabled, this will allow non-admins to:
* Receive update notifications
* Have the ability to defer reboots (‘Restart later’)
* De-select updates to install (if using option 2,3, or 5 under the ‘Configure Automatic Updates’ setting) updates, thus making them ‘hidden’.

Keep this in mind when applying updates to Terminal/Citrix Servers.

We have our setting disabled for all workstations, as we don’t want non-admins controlling reboots of any updated computers.
DonNetwork AdministratorCommented:
Your question

"We just started approving security updates and others and noticed if the user (non-admin) was logged on it was not asking for the updates, but if you logged in with a admin user it was notifying you of the updates to be installed. Do you have to have admin rights tio install these updates via WSUS? We do not want to give users admin rights, so is there a way around this? "

Yes he was referring to Terminal/Citrix Servers which would affect more than one user at a time if rebooted. The allow admin setting is only a preference(when it comes to workstations). I like to have it enabled so that if I happen walk by....I dont need to log a user off to install a simple update.
 
Scheduling the updates (4) is your best option and will achieve minimalist user interaction...  
DonNetwork AdministratorCommented:
yo_beeDirector of Information TechnologyCommented:
I know there are many replies and very good suggestions. So I am just going to add some points that I think will help also.
The reason you use WSUS and GPO is for the overall managment of your update enviroment.
So you want to limit what the standard users see as much as possible.
So by suppressing the notifcation and setting a scheduled day and time for the install to happen automaticlly from GPO.  Note you do not need a WSUS in your environment to apply the WUS GPO.  The nice thing about WSUS is a single point of download, controlling  what is offered to the clients and the overall reporting to see the status of your enviornment.

I have attached my GPO for the Standard computer in my environment.
   WUAU-Workstations.htm
yo_beeDirector of Information TechnologyCommented:
Please note the User Setting I have applied also.
This setting will restrict the users from trying to download the Updates from Microsoft Update site.
mslibrarycommissionAuthor Commented:
Ok, it just started working??? I did  not need to change anything. I'm going to give the points to dstewartjr for his determenation!!:)
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Windows Server 2008

From novice to tech pro — start learning today.