Windows Updates on Domains and WSUS

Lately I have been dealing with some individual computer issues that were related to a lack of Windows updates. Originally, making end users in a domain act as Power Users or the equivalent was a good security idea; however, over the last couple of years it has been an issue because updates would not occur without an Admin login.

This tip only applies to Windows updates; updating Adobe products (Reader, Shockwave, Flash Player…) and Java is another matter entirely. If you have tips on updating them, feel free to chime in.

One of the problems with receiving updates from a WSUS (Windows Server Update Services) server is that users are not allowed to approve or disapprove of updates unless they are a member of the local administrators group. This gives the IT department complete control of what updates are installed.

For those who do not know, WSUS is a setup in which a Windows server downloads all Windows updates and then distributes them to the end users' computers. This saves bandwidth by preventing a large number of computers from going out on their own and getting the updates one computer at a time. It also allows someone (in the IT department) to check the updates for conflicts on your specific domain before end users end up with locked-up computers or computers that will not operate correctly due to a conflict between an update and another program.

Not that I am a big fan of giving the end user a choice of updates; that is why companies hire computer companies or have on-site IT folks. It is not the end user's fault; it is the IT department that should know what is needed and what could cause issues. Regardless, there are times you must allow the end users the ability to make the update installation decision.

You (the Domain Administrator) can use the registry to give users an elevation of privileges that will allow them to approve or disapprove of updates regardless of whether or not they are a local administrator. On the flip side, you could also deny end users the ability to approve updates, reserving that right for Admins to log in and install the updates.

The registry key that controls this behavior is: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\ElevateNonAdmins

The “ElevateNonAdmins” key has two possible values. The default value of 1 (one) allows non-administrators to approve or deny updates. If you change this value to 0 (zero), then only administrators will be allowed to approve or deny updates. If you want the end users to install updates, then make sure that they know they should approve them every time.
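
As an added example (not part of the original post), the following PowerShell reads the current setting on a machine and can set it to either of the two values described above. The function names are hypothetical; the script assumes ElevateNonAdmins is stored as a DWORD value under the WindowsUpdate policy key.

```powershell
# Added example: audit or set ElevateNonAdmins on the local machine.
# Function names are hypothetical; the path and name come from the article.
$WuPolicyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$ValueName    = 'ElevateNonAdmins'

function Get-ElevateNonAdmins {
    # Returns the configured value, or $null when it is not set.
    if (-not (Test-Path -Path $WuPolicyPath)) { return $null }
    $item = Get-ItemProperty -Path $WuPolicyPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$ValueName
}

function Show-ElevateNonAdmins {
    # Translates the raw value into the behavior the article describes.
    $current = Get-ElevateNonAdmins
    if ($null -eq $current) {
        "$ValueName is not set; the default described in the article (1) applies."
    } elseif ($current -eq 1) {
        "$ValueName = 1: non-administrators can approve or deny updates."
    } elseif ($current -eq 0) {
        "$ValueName = 0: only administrators can approve or deny updates."
    } else {
        "$ValueName = ${current}: unexpected value, review this machine."
    }
}

function Set-ElevateNonAdmins {
    param([Parameter(Mandatory)][ValidateSet(0, 1)][int]$Value)
    # Writing under HKLM requires an elevated session.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
        throw 'Run this from an elevated PowerShell session.'
    }
    if (-not (Test-Path -Path $WuPolicyPath)) {
        New-Item -Path $WuPolicyPath -Force | Out-Null
    }
    New-ItemProperty -Path $WuPolicyPath -Name $ValueName -PropertyType DWord -Value $Value -Force | Out-Null
}

Show-ElevateNonAdmins
# Set-ElevateNonAdmins -Value 0   # uncomment to reserve approval for administrators
```

If a domain Group Policy Object also configures this setting, a local change made this way can be overwritten at the next policy refresh, so on a domain the value is better set through the GPO itself.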

Until we meet again, have a virus free week!
