Disable Windows Update for non-admin end-users

Happens that end-users are able to install Windows Update on our Windows Server 2012 R2 RDS farm.

This can be harmful, especially as the are prompted to do so at login.

How can we remove ability to install Windows Updates for non-admins?

How can we suppress prompt to install updates at login?

Many thanks to help fixing severe problem f

July 17th, 2015 5:57am

setup a group policy and have the following configured:

computer configuration > policies > administrative templates > windows components > windows update

Allow non-administrators to receive update notifications - disable

windows 2008 R2 had an option for this right in the GUI of the WU settings but 2012 R2 does not

you're 100% sure your users do not have any admin privileges? even power user?

Free Windows Admin Tool Kit Click here and download it now
July 17th, 2015 11:24am

setup a group policy and have the following configured:

computer configuration > policies > administrative templates > windows components > windows update

Allow non-administrators to receive update notifications - disable

windows 2008 R2 had an option for this right in the GUI of the WU settings but 2012 R2 does not

you're 100% sure your users do not have any admin privileges? even power user?

July 17th, 2015 3:18pm

Thanks, Group policy set, no more prompts for end-users.

From user account, been unable to install an optional Office 21007 help
To complete this task, you need to sign in with an
administrator account or ask an administrator to
complete the task for you.

However, could install two important updates by hitting "Retry" after initial error as shown by event ID 20; example:
Installation Failure: Windows failed to install the following update with error 0x80246013: Update for Microsoft Office Outlook 2007 Junk Email Filter (KB3054891).

Second attempt was successful.

Example:
Installation Successful: Windows successfully installed the following update: Update for Microsoft Office Outlook 2007 Junk Email Filter (KB3054891)

User is member of

contoso\Domain
Users
Everyone
BUILTIN\Remote Desktop Users
BUILTIN\Users
NT AUTHORITY\REMOTE INTERACTIVE LOGON
NT AUTHORITY\INTERACTIVE NT
AUTHORITY\Authenticated Users
NT AUTHORITY\This Organization
LOCAL
contoso\Contoso_users
Authentication authority asserted identity
Mandatory Label\Medium Mandatory Level

contoso\Contoso_users is not member of any other group.

Now thinking of opening a case at Professional Support unless setting is found to really disable non-admins to apply updates.

Free Windows Admin Tool Kit Click here and download it now
July 20th, 2015 1:51am

This topic is archived. No further replies will be accepted.

Other recent topics Other recent topics