Link to home
Start Free TrialLog in
Avatar of sedberg1

asked on

Configuring who can install MS Updates

Our domain has about 30 servers used for hosting LOB applications.  We do updates only quarterly but unfortunately we've situations where local admins have installed MS updates and rebooted servers when they should not have, disrupting service.  So, I wanted to see:

1. How to disable to pop-up that appears in the notification area that tells users there are MS updates ready to install.  I'm looking through Group Policy but can only find a setting to disable the pop up for non-admins.  And I can't remove certain domain users from the local admins group, however, those particular users are not domain admins.
2. How to restrict the MS updates so only domain administrators can install MS updates.  Can't find this setting and have looked online.

We're running purely 2008.  The DCs are both 2008 R2.  Forest and domain functional levels are 2008 R2.  All servers are part of the domain.  

Any suggestions?
Avatar of Krzysztof Pytko
Krzysztof Pytko
Flag of Poland image

All local administrators have possibility to do that, so you cannot restrict these users from installing MS updates.

The only one option is to restrict number of administrators on servers.

Avatar of sedberg1


What about the popups?
I am unsure of any GPO that will remove the pop notification for Windows Updates. I have all my servers set to not install updates. This way there is no notification.  We have our Change Windows every 3 Saturday of the Month. We review which patches need to be installed prior to the change window. Day of Change Window a email is sent to our Administrators to apply the certain patch which at that time they will download and install, while hiding the unwanted patches. These are for our critical servers. Everything else we use WSUS.
Avatar of sedberg1

Link to home
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Start Free Trial
This is the right answer.