Allow user to install security updates and block other actions

P Mowleeswaran 20 Reputation points
2024-07-01T07:42:53.49+00:00

Hello Team,

Is it possible to create a custom group in Active Directory and allow permissions to install only security updates (using WSUS, or by downloading .msu files manually and installing them)? Members of that group should be able to install only security updates, using WSUS or manually downloaded .msu packages. It should not allow other administrative tasks, including installing .exe files, on the Windows 10 and Windows 2019 member servers.

Regards,

Mowlee


2 answers

  1. Jing Zhou 5,135 Reputation points Microsoft Vendor
    2024-07-01T09:15:45.92+00:00

    Hello,


    Thank you for posting in Q&A forum.

    Yes, you can create a custom group through Active Directory and configure permissions to allow its members to only install security updates. To achieve this goal, you need to set appropriate permissions in the group policy. You can try the following steps to complete it:

    Firstly, create a new security group in Active Directory, such as "SecurityUpdatesOnlyGroup".

    Then, use the Group Policy Management Console to create a new Group Policy Object (GPO).

    Edit this new GPO, navigate to "Computer Configuration">"Windows Settings">"Security Settings">"Local Policies">"User Rights Allocation".

    Find the "Install and Uninstall Programs" permission in the right pane and configure it to only include the "SecurityUpdatesOnlyGroup" group.

    Ensure that other permissions (such as "change system time", "shut down system", etc.) are not included in this group to restrict the permissions of group members.

    This will ensure that only members of the "SecurityUpdatesOnlyGroup" group can install security updates, and that they cannot perform other administrator tasks, such as installing .exe files.

    Through this approach, you can achieve the goal of only allowing members of specific groups to install security updates. If you need more detailed guidance or have any other questions, please feel free to raise them.


    Best regards,

    Jill Zhou


    If the Answer is helpful, please click "Accept Answer" and upvote it.


  2. Adam J. Marshall 9,121 Reputation points MVP
    2024-07-03T16:02:11.7833333+00:00

    WSUS is your better path - administratively approve updates to systems, force the systems to install them daily (only approved updates will download/install, so you can delay as much as you want), and allow a rolling deadline so that restarts can be adjusted by the user so as not to interrupt their work.

    https://www.ajtek.ca/wsus/how-to-setup-manage-and-maintain-wsus-part-1-choosing-your-server-os/

    Then, don't give anyone Admin rights on machines - they can't install programs to Program Files.

    Downside - they can still install local profile apps - Firefox, Chrome, Zoom, Teams, etc.

    The only way to get around that is to WHITELIST approved programs and implement AppLocker (https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/applocker/applocker-overview)
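A worked example of the allow-list approach described in this answer, added here and not taken from the thread or from ajtek.ca: a minimal AppLocker EXE policy that lets standard users run only what lives under Program Files and the Windows directory (so per-user installs in %LOCALAPPDATA% are blocked while wusa.exe, which applies .msu files, remains allowed), followed by a dry run with Test-AppLockerPolicy before anything is linked to a GPO. It assumes an elevated session on Windows 10 / Server 2019 with the AppLocker module; the rule names, the probe file and the GPO LDAP path are constructed placeholders.

```powershell
# Added example, not code from the thread: AppLocker EXE allow-list plus a dry run.
Import-Module AppLocker

$policyXml = @"
<AppLockerPolicy Version="1">
  <!-- Start in AuditOnly; switch to Enabled once the AppLocker event log shows no
       unexpected "would have been blocked" events for legitimate software. -->
  <RuleCollection Type="Exe" EnforcementMode="AuditOnly">
    <!-- S-1-1-0 = Everyone. %PROGRAMFILES% covers both Program Files folders. -->
    <FilePathRule Id="$([guid]::NewGuid())" Name="Allow Program Files" Description=""
        UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$([guid]::NewGuid())" Name="Allow Windows folder" Description=""
        UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%WINDIR%\*" /></Conditions>
    </FilePathRule>
    <!-- S-1-5-32-544 = BUILTIN\Administrators: admins doing WSUS/.msu maintenance
         stay unrestricted by this collection. -->
    <FilePathRule Id="$([guid]::NewGuid())" Name="Allow admins everything" Description=""
        UserOrGroupSid="S-1-5-32-544" Action="Allow">
      <Conditions><FilePathCondition Path="*" /></Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
"@

$policyPath = Join-Path $env:TEMP 'exe-allowlist.xml'
Set-Content -Path $policyPath -Value $policyXml -Encoding UTF8

# Constructed stand-in for a per-user installer (Chrome/Zoom style): a copy of notepad.exe
# under %LOCALAPPDATA%. Test-AppLockerPolicy evaluates real files, so one must exist there.
$userProfileExe = Join-Path $env:LOCALAPPDATA 'AppLockerProbe\setup.exe'
New-Item -ItemType Directory -Path (Split-Path $userProfileExe) -Force | Out-Null
Copy-Item "$env:WINDIR\System32\notepad.exe" $userProfileExe -Force

$probe = @(
    "$env:WINDIR\System32\wusa.exe",     # Windows Update Standalone Installer (.msu): allowed
    "$env:WINDIR\System32\notepad.exe",  # allowed by the Windows folder rule
    $userProfileExe                      # no allow rule matches: denied for a standard user
)
Test-AppLockerPolicy -XmlPolicy $policyPath -Path $probe -User Everyone |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# Deploy only after reviewing the dry run and the audit events, e.g.:
#   Set-AppLockerPolicy -XmlPolicy $policyPath -Ldap '<LDAP path of the target GPO>'
# Enforcement on clients also requires the Application Identity service (AppIDSvc) to run.
```

The dry run shows, per path, whether the policy would allow or deny it for a standard user and which rule matched, which is what you want to see before moving the collection from AuditOnly to Enabled.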