This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(51.2, 13%, 14%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EG%3C/text%3E%3C/svg%3E)
I have a Windows Server 2019 providing RDS for users on thin clients. I recently discovered that any user (even without admin rights) can click Start - Settings - Update & Security and trigger download and install of updates. To make matters worse, the Event Log doesn't even appear to record which user triggered the update process. How do I restrict this to administrators only.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(128, 8%, 22%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EA%3C/text%3E%3C/svg%3E)
You can follow along here.
https://learn.microsoft.com/en-us/troubleshoot/windows-server/deployment/block-user-access-windows-update
--please don't forget to upvote and Accept as answer if the reply is helpful--
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(9.6, 37%, 10%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EBA%3C/text%3E%3C/svg%3E)
I was mad at this answer but the truth is it's very easy to put just the users you want for a GPO with this in it :)
Thank you.
Thank you for the quick reply DSPatrick but unfortunately that will not work for my situation. The GP setting referenced in the article disables Windows Update for all users - including administrators. Please let me know if you have any other thoughts.
It really should not be an issue since any background update scans, downloads and installations will continue to work as configured.
--please don't forget to upvote and Accept as answer if the reply is helpful--
Thanks again for the quick reply. Unfortunately this server is so delicate we have to patch it manually. As an example, the 2021-09 CU broke about half the web apps but had no impact on any of our other servers. Sounds like I'll have to use that GP settings to disable WU and then temporarily disable it when I need to do manual patching. Again, thank you for all your help.
A couple of other option are to stand up your own WSUS for complete control of what updates and when they get applied. You could also disable the Windows Update service which users would have no control over, then just Enable it again when you wanted to patch.