# wsus updates in client



## parvez9988 (Sep 19, 2008)

hi every one.I have a 100 pc's network and it's an heck of work to update all the pc's one by one,to over come this problem I configured WSUS and forced client pc's to update form the WSUS server.But,how to give permission to non-administrative users to update there system ????????......I have given some group policy were non-admins can also install updates,here I have a conflict...non-admins can install the updates as well as other softwares also.How can I set permissions that users can install updates but not install softwares.gpsettings:computer configuration/administrative templates/windows component/windows update/enable:allow non-administrative users to receive update notifications.Thx in advance


----------



## dadams982 (Aug 6, 2009)

Hmmm.. auto update should run as the local system, at the time specified in the GPO. Your users dont need to touch anything for the patches to install.


----------



## parvez9988 (Sep 19, 2008)

yup I have specified the time in GPO.what if I have 200 systems.I should go to each system log in as administrator and install the updates.


----------



## wedor (Nov 7, 1999)

I have much smaller networks but I also have clients PCs with no admin permissions and they all update correctly with WSUS.


----------



## montreyj (Aug 9, 2009)

Is your WSUS configured to install updates on client machines too? WSUS should do all the work for you. Users will have to leave their computers on and logged off (not on standby or hiberate) in order to receive updates pushed from the WSUS.


----------



## parvez9988 (Sep 19, 2008)

hi mintreyj thx for the reply.when u create a user in your domain he dont have permission to install softwares.but when u build a wsus and give permission to that user to have updates(by creation gpo)he can install updates and softwares.i need tht user to install updates only not softwares.


----------



## montreyj (Aug 9, 2009)

Hi parvez9988 is there a specific reason why you want to give non-admin users the ability to install updates instead of configuring a group policy to have WSUS automatically download and install updates? I don't know of any way of giving a user the ability to just install updates without giving them some type of power user or administrator privileges. You may just want to keep WSUS to manage downloading and installing updates to client PCs.


----------



## wedor (Nov 7, 1999)

parvez9988 said:


> hi mintreyj thx for the reply.when u create a user in your domain he dont have permission to install softwares.but when u build a wsus and give permission to that user to have updates(by creation gpo)he can install updates and softwares.i need tht user to install updates only not softwares.


This is not how it works in my experience, the systems with non-admin permissions can install updates but have no permissions to install software.


----------



## parvez9988 (Sep 19, 2008)

ok then if user have a update like install ie8.If the user can upgrade from ie7 to ie8 then he can install softwares also.


----------



## wedor (Nov 7, 1999)

Well you can disallow any update including IE from within WSUS.

With WSUS you pick what is updated on which systems and when.

I don't know what exactly your point is with this thread or what exactly you are trying to prevent.


----------



## parvez9988 (Sep 19, 2008)

sorry let me make it more clear

i have a 100 pc's domain.I dont wanna go to every system and update.so,I build a wsus server .were can I deploy all the updates.
its working fine from the server side.
Just I want to check it from client side that client's are receiving the updates or not .First I logged in as administrator from one of the client pc.voila the client is receiving the updates form the wsus server.
from the other client system I logged In as a non-admin user, oops I dont receive any updates.From the same system again I logged in as admin, voila I receive the updates and I can install them.
In this case wsus do not work for me because,instead of having wsus server again I should go to every system logged in as admin and let the system install the updates.
so,what I did is in wsus I made a gpo (gpsettings:computer configuration/administrative templates/windows component/windows update/enable:allow non-administrative users to receive update notifications) 
were non admin users will receive the update notification.
then after I logged into client as a non-admn user,voila... I receive the updates and I can install them.
here the problem is.in my wsus server I picked a update for client(ie8),
from the client as non admin I receive the update(ie8) and I can install it.Here I got a dought.non-admin like user created in domain by default dont have rights to install softwares then how come I install ie8.


----------



## wedor (Nov 7, 1999)

I have never needed to create a separate GPO for WSUS to have the systems get and install updates so I can't relate to that part of this.

I have networks where the users are not admins yet they have all the updates installed and I never log in to the workstations as admin to accomplish this.

As far as IE 8 being a "software" rather than an update I think you are playing with semantics here, MS considers it an update and not a "software" so you would need to take up the discussion with them.

Here is a quote from MS "Microsoft will release the Windows Internet Explorer 8 Installation and Availability update to Windows Server Update Services (WSUS) marked as an Update Rollup package"

And here is the source article, http://technet.microsoft.com/en-us/updatemanagement/dd365125.aspx

It does state that IE8 is an admin only install by default.


----------



## wedor (Nov 7, 1999)

More info on IE8, "For Internet Explorer 8, there are a few additional considerations for installation on Windows Vista. WSUS administrators should allow all prerequisites for Internet Explorer 8, as Dynamic Updates does not function on WSUS installations of Internet Explorer 8. Specifically, make sure to allow KB957388. All other Cumulative Updates and Security Updates for Internet Explorer 8 should be approved as appropriate for your organization at this time as well."

And "If you plan to distribute Internet Explorer 8 through the Group Policy software installation, you must use a Windows Installer package (.msi file). These packages can be created using IEAK 8."

Source article, http://technet.microsoft.com/en-us/library/cc985359.aspx


----------



## wedor (Nov 7, 1999)

Interestingly enough according to this artcile IE8 is not even available via WSUS now,

http://blogs.msdn.com/ie/archive/20...rver-update-services-wsus-in-august-2009.aspx


----------



## parvez9988 (Sep 19, 2008)

ohhh its taking a wrong turn.its not about ie8 or any updates.normally in any domain users cant install updates nor softwares.up to here I think iam right....
give me one day I will give attachments.......


----------

