question

Gaven-7685 avatar image
0 Votes"
Gaven-7685 asked Oscar-2974 answered

Block users from installing updates on Server 2019

I have a Windows Server 2019 providing RDS for users on thin clients. I recently discovered that any user (even without admin rights) can click Start - Settings - Update & Security and trigger download and install of updates. To make matters worse, the Event Log doesn't even appear to record which user triggered the update process. How do I restrict this to administrators only.

remote-desktop-serviceswindows-server-2019
5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

DSPatrick avatar image
0 Votes"
DSPatrick answered

You can follow along here.
https://docs.microsoft.com/en-us/troubleshoot/windows-server/deployment/block-user-access-windows-update

--please don't forget to upvote and Accept as answer if the reply is helpful--



5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

Gaven-7685 avatar image
0 Votes"
Gaven-7685 answered

Thank you for the quick reply DSPatrick but unfortunately that will not work for my situation. The GP setting referenced in the article disables Windows Update for all users - including administrators. Please let me know if you have any other thoughts.

5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

DSPatrick avatar image
0 Votes"
DSPatrick answered

It really should not be an issue since any background update scans, downloads and installations will continue to work as configured.

--please don't forget to upvote and Accept as answer if the reply is helpful--



5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

Gaven-7685 avatar image
0 Votes"
Gaven-7685 answered

Thanks again for the quick reply. Unfortunately this server is so delicate we have to patch it manually. As an example, the 2021-09 CU broke about half the web apps but had no impact on any of our other servers. Sounds like I'll have to use that GP settings to disable WU and then temporarily disable it when I need to do manual patching. Again, thank you for all your help.

5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

DSPatrick avatar image
0 Votes"
DSPatrick answered

A couple of other option are to stand up your own WSUS for complete control of what updates and when they get applied. You could also disable the Windows Update service which users would have no control over, then just Enable it again when you wanted to patch.








5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

Oscar-2974 avatar image
0 Votes"
Oscar-2974 answered

How does an admin have full control over installing wich updates on server 2019? So no wsus, but just a plane 2019 server. I want to be able to download a single update and then select if i want to install that. Is that possible? Because currently there is an update for my server and as soon as i install it the server crashes, preventing me to install any other critical update.

5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.