WSUS for end users without administrative privilege ?

Discussion in 'Update Services' started by Patrick, Aug 4, 2008.

  1. Patrick

    Patrick Guest

    We are testing to use WSUS Server to roll out MS patches to workstations.
    As we are not using MS Active Directory as our NOS, users don't have local
    administrative privilege of their workstations. They usually start working
    at 9:00am and will shutdown the workstation after work.

    A fellow has suggested to set up WSUS client on workstations as follow:

    1) Option 4 - Auto Download and schedule for install @ 10:00am
    2) Enable "No auto-restart for scheduled Automatic Update Installation".

    In this way, the patches will be installed automatically at 10:00am and it
    may take some time to install patches (Like Service Pack). After
    installation of patches are finished, the system will not restart by itself
    & will notify end user to restart the workstation. If they don't restart,
    when they shutdown the machine, the patches installation is completed.

    Is this the best way to handle our workstations ? Is there any potential
    problem ?

    Thanks
     
    Patrick, Aug 4, 2008
    #1
    1. Advertisements

  2. Just because we others use MS AD doesn't mean our users are local
    administrators either.

    I am pretty sure the option (available from MS Group Policy) is also
    available from the registry: Allow non-admin to apply updates.

    I 'download and prompt' most of the time. I also tell users 'if you get that
    "updates have been downloaded and are waiting for install" it means I have
    released the update to your network, I would like you to install it, I am
    allowing you the choice of when to do so' (doesn't work _all the time_).
     
    SuperGumby [SBS MVP], Aug 4, 2008
    #2
    1. Advertisements

  3. Perhaps the setting you are referring to is "Allow non-administrators to
    receive update notifications". If this is set to Enabled,
    non-administrators will receive the Windows Update notifications and can
    initiate the update installation, when one of the "notify" settings is set
    for Confgure Automatic Updates.

    The registry entry for this is:
    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate]
    "ElevateNonAdmins"=dword:00000001

    However, if the Configure Automatic Updates is set to "4 - Auto download and
    schedule the install", this setting is essentially ignored because there
    will not be any notifications to users.

    --
    Bruce Sanderson
    http://members.shaw.ca/bsanders

    It is perfectly useless to know the right answer to the wrong question.
     
    Bruce Sanderson, Aug 4, 2008
    #3
  4. Having updates applied while working can be disruptive - users often don't
    react well to it! You might want to consider scheduling the updates for the
    lunch hour.

    Keep in mind that the installation of some updates is actually completed
    during system startup, not shutdown, so your users may experience delays or
    even restarts when they start up their workstations in the morning.
     
    Bruce Sanderson, Aug 4, 2008
    #4
  5. This statement is a non-sequiter.

    Whether users have local administrative privileges is simply a matter of
    whether their logon account is a member of the BUILTIN\Administrators group
    on the PC to which they have logged on.
    All this will do is annoy your users.
    And all day they get to work on a potentially unstable machine.
    The potential problem of working on an unstable machine all day.

    I would suggest

    1) Option 4 - Auto Download and schedule for install @ 6:00pm
    2) Disable "No auto-restart for scheduled Automatic Update Installation".
    3) And make use of "Install Updates and Shutdown", which seems to be the
    natural behavior of your organization.



    --
    Lawrence Garvin, M.S., MCITP(x2), MCTS(x5), MCP(x7), MCBMSP
    Senior Data Architect, APQC, Houston, Texas
    Microsoft MVP - Software Distribution (2005-2008)

    MS WSUS Website: http://www.microsoft.com/wsus
    My Websites: http://www.onsitechsolutions.com;
    http://wsusinfo.onsitechsolutions.com
    My MVP Profile: http://mvp.support.microsoft.com/profile/Lawrence.Garvin
     
    Lawrence Garvin, Aug 5, 2008
    #5
  6. Patrick

    Patrick Guest

    Dear all,

    Thank you for your advice.

    Regards,
    Patrick

     
    Patrick, Aug 5, 2008
    #6
  7. No, even if there is a schedule defined the update agent still notifies the
    users when updates are ready and allow them to install them ahead of schedule.

    Harry.
     
    Harry Johnston [MVP], Aug 5, 2008
    #7
    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.