Configuring who can install MS Updates

sedberg1
sedberg1 used Ask the Experts™
on
Our domain has about 30 servers used for hosting LOB applications.  We do updates only quarterly but unfortunately we've situations where local admins have installed MS updates and rebooted servers when they should not have, disrupting service.  So, I wanted to see:

1. How to disable to pop-up that appears in the notification area that tells users there are MS updates ready to install.  I'm looking through Group Policy but can only find a setting to disable the pop up for non-admins.  And I can't remove certain domain users from the local admins group, however, those particular users are not domain admins.
2. How to restrict the MS updates so only domain administrators can install MS updates.  Can't find this setting and have looked online.

We're running purely 2008.  The DCs are both 2008 R2.  Forest and domain functional levels are 2008 R2.  All servers are part of the domain.  

Any suggestions?
Comment
Watch Question

Do more with

Expert Office
EXPERT OFFICE® is a registered trademark of EXPERTS EXCHANGE®
Krzysztof PytkoSenior Active Directory Engineer
Top Expert 2012

Commented:
All local administrators have possibility to do that, so you cannot restrict these users from installing MS updates.

The only one option is to restrict number of administrators on servers.

Regards,
Krzysztof

Author

Commented:
What about the popups?

Commented:
I am unsure of any GPO that will remove the pop notification for Windows Updates. I have all my servers set to not install updates. This way there is no notification.  We have our Change Windows every 3 Saturday of the Month. We review which patches need to be installed prior to the change window. Day of Change Window a email is sent to our Administrators to apply the certain patch which at that time they will download and install, while hiding the unwanted patches. These are for our critical servers. Everything else we use WSUS.
Commented:
For anyone who's interested...

User Configuration > Policies > Administrative Templates > Windows Components > Windows Updates > Remove Access to Use All Windows Update features

Then filter it using security groups.

Author

Commented:
This is the right answer.

Do more with

Expert Office
Submit tech questions to Ask the Experts™ at any time to receive solutions, advice, and new ideas from leading industry professionals.

Start 7-Day Free Trial