Windows – Permissions for installing Windows Updates

Tags: group-policy, security, windows, windows-update, wsus

We are administering a set of servers and have a lot of people to accomplish this. In the last months, updates were accidentally installed on our machines by some of our domain admins.

Now we want to disable the ability for admins to install those updates on our servers and allow it for a specific set of users in a group. Does anyone know a method to accomplish this? I've searched through the group policy and security settings but didn't find a possibility for this.

Thanks in advance for all your helpful answers 🙂

Best Answer

Force the update via WSUS and nothing else, and on the server hosting WSUS secure the local Administrators group and the WSUS Administrators group.

There are two security groups that are set up for WSUS: WSUS Administrators and WSUS Reporters. WSUS Administrators can perform any WSUS task, while WSUS Reporters have read-only access (view server settings, get reports, and so on). Make sure that the only people in the WSUS Administrators group are the ones who need to perform administrative tasks.

If users do not have appropriate permissions for the WSUS console, they receive an "access denied" message when trying to access the WSUS console. You must be a member of the Administrators group or the WSUS Administrators group on the server on which WSUS is installed in order to use the WSUS console.

Be advised that if WSUS is installed on a domain controller, that tip does not work.

If WSUS is installed on a domain controller, only a member of the Domain Administrator group can use the WSUS console.
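
One way to check the group membership the answer describes, run on the WSUS host. This is an added example, not part of the original answer; the `CONTOSO\...` and `WSUS01\...` account names and the allow-list are constructed placeholders to replace with your own.

```powershell
# Added example: audit who can administer WSUS on the WSUS host.
# ASSUMPTION: $Approved is a constructed allow-list; replace with your accounts.
# Names use the DOMAIN\name or COMPUTER\name form that Get-LocalGroupMember returns.
$Approved = @(
    'CONTOSO\wsus-operators',     # constructed sample group
    'WSUS01\Administrator'        # constructed: built-in local admin on the host
)
$Groups = 'Administrators', 'WSUS Administrators'

function Get-UnapprovedMember {
    param(
        [string[]]$Members,       # account names found in the group
        [string[]]$AllowList      # accounts permitted to be there
    )
    # -notin compares case-insensitively, as Windows does for account names
    $Members | Where-Object { $_ -and $_ -notin $AllowList }
}

# DomainRole 4 and 5 mean backup and primary domain controller. A DC has no
# local groups, and per the answer only Domain Admins can use the console there.
$role = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole
if ($role -ge 4) {
    Write-Warning 'WSUS host is a domain controller: the local group restriction does not apply.'
    return
}

foreach ($group in $Groups) {
    try {
        $members = Get-LocalGroupMember -Group $group -ErrorAction Stop |
            ForEach-Object Name
    } catch {
        Write-Warning "Could not read group '$group': $($_.Exception.Message)"
        continue
    }
    $extra = Get-UnapprovedMember -Members $members -AllowList $Approved
    if ($extra) {
        # One object per unexpected account, suitable for Export-Csv or alerting
        $extra | ForEach-Object {
            [pscustomobject]@{ Group = $group; Unapproved = $_ }
        }
    } else {
        Write-Host "OK: '$group' contains only approved accounts."
    }
}
```

Any row it emits is an account that can administer WSUS without being on the allow-list; domain groups nested in the local groups appear by name and need their own membership review.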
