Hiep Nguyen
asked on
GPO server 2016
How do I use GPO to control Windows Updates with the following specs?
Download only and allow administrator to install manually. No user is allowed to install.
My current config is shown below. But when logged in as administrator, the "Install Now" button is grayed out. What policy do I need to change so that only an admin can install updates?
Thank you
ASKER
"Install Now" button grayed out for both local & domain\administrator.
If you deny read for dom. admins, the policy will no longer be configurable by domain admins. Don't!
If you wanted to exclude someone, just remove the "apply GPO" permission.
It's worth noting, that "Domain Administrators are NOT generally immune to Group Policies." - Paul, where did that idea come from?
ASKER
Thanks. I don't plan to do that. I'm looking for a policy that allows only administrator to install updates, not user. There must be a way to accomplish this goal.
"where did that idea come from"
I was a Microsoft Certified Trainer.
Users in the Domain Admins can be restricted by membership in other groups (like Domain Users), but a user whose group membership is only Domain Admins will be largely unfettered by Group Policies.
You're right that they've added the "Apply GPO" permission, which I'd forgotten. I've not tested it, but I would be surprised if it were possible for a Domain Admin to lock themselves out of a Group Policy, regardless of what permissions are set on the object.
ASKER
In an RDS environment, how do you limit Windows Updates only to the local/server administrator? I'm trying to prevent users from installing Windows updates. Is that possible?
You should remember that Computer Configuration GPOs, just like the one you display, do not care who is logged on, so "Remove access to all windows update features" will apply to administrators as well. Remove that setting.
ASKER
I removed it, but now everyone can install Windows updates and that's a problem.
Tell me why that is a problem and I'll tell you what to do.
ASKER
Because Windows updates broke our application sometimes, so I need to test first before rolling out Windows updates.
Is a WSUS available?
ASKER
No.
You may configure settings that disallow updating and change those settings when you have finished testing, install the updates and afterwards again disallow updating. That is all you can do unless you change your mind and set up a WSUS server. Disallowing updates can be done either by pointing Windows to use a non-existent WSUS server or by setting https://getadmx.com/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsUpdate::DoNotConnectToWindowsUpdateInternetLocations
How to block user access to Windows Update on Windows Server: The default settings in Windows Server allow users who are not administrators to scan for and apply Windows Updates. Administrators may want to change this setting to limit access to Windows Updates, especially in Remote Desktop Services Host deployments. To change this setting, use the Group Policy "Remove access to use all Windows update features." The full path to this Group Policy is: Computer Configuration\Administrative Templates\Windows Components\Windows update\Remove access to use all Windows update features
https://support.microsoft.com/en-us/help/4014345/how-to-block-user-access-to-windows-update-on-windows-server-2016
Another solution might be to enable User Configuration\Administrative Templates\Start Menu and Taskbar\Remove links and access to Windows Update, and use Security Filtering. (https://superuser.com/questions/607311/prevent-users-from-installing-windows-updates). I haven't tried it but it might work.
The author had that policy in his screenshot already.
Please note that this is a computer policy and excluding users is not possible, so it's not solved.
Come back any time.
ASKER
Basically, I moved the "Remove access to use all Windows update features" policy into a separate GPO (luckily I already had a GPO for this purpose so I don't have to create a new one), then excluded admin from applying it.
Thank you everyone!
You don't seem to understand. Computer policies apply to computers, not users. Thus, you cannot exclude users.
ASKER
You're right. It's not working. Forget it. I'm going to enable it until I want to install Windows updates then just disable it.
Local Administrator or Domain Administrator? Because Domain Administrators are generally immune to Group Policies.
Regardless, just add Domain Admins to the policy and explicitly deny them permission to read the policy, that will block it from applying to them.
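Added example, not part of any post in this thread: the workaround the asker settles on (keep "Remove access to use all Windows update features" enabled, lift it only for a maintenance window) scripted with the GroupPolicy module. It writes `SetDisableUXWUAccess`, the HKLM registry value behind that computer policy, which is why the lock binds every logon on the host, administrators included. The GPO name and host name are placeholders, and the verification step assumes PowerShell remoting is enabled on the RDS hosts.

```powershell
#Requires -Modules GroupPolicy
# Added example. Placeholder values below are assumptions, not taken from the thread.
$GpoName  = 'RDS - Windows Update Lock'   # hypothetical GPO linked to the RDS hosts' OU
$WuKey    = 'HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate'
$LockName = 'SetDisableUXWUAccess'        # "Remove access to use all Windows Update features"

function Set-WindowsUpdateLock {
    param(
        [Parameter(Mandatory)][bool]$Locked,
        [string[]]$ComputerName = @()
    )
    # Computer policy: stored per machine, so it cannot be filtered per user.
    # 1 = update UI disabled for everyone, 0 = update UI available.
    Set-GPRegistryValue -Name $GpoName -Key $WuKey -ValueName $LockName `
        -Type DWord -Value ([int]$Locked) | Out-Null

    foreach ($c in $ComputerName) {
        # Schedule a computer-policy refresh instead of waiting for the background cycle
        Invoke-GPUpdate -Computer $c -Target Computer -Force -RandomDelayInMinutes 0
    }
}

function Get-WindowsUpdateLock {
    param([Parameter(Mandatory)][string]$ComputerName)
    # Read the effective value on the host to confirm the GPO change has arrived
    Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        $v = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate' `
                 -Name 'SetDisableUXWUAccess' -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Computer = $env:COMPUTERNAME
            Locked   = ($v.SetDisableUXWUAccess -eq 1)
        }
    }
}

# Maintenance window on a placeholder host 'rds01':
#   Set-WindowsUpdateLock -Locked $false -ComputerName 'rds01'
#   Get-WindowsUpdateLock -ComputerName 'rds01'    # expect Locked = False before installing
#   ... install and test updates as administrator ...
#   Set-WindowsUpdateLock -Locked $true  -ComputerName 'rds01'
```

While the lock is lifted, every user on the host can reach Windows Update, so keep the window short or put the host in drain mode first.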