Block users from installing updates on Server 2019

Gaven 51 Reputation points
2021-09-21T21:36:55.997+00:00

I have a Windows Server 2019 providing RDS for users on thin clients. I recently discovered that any user (even without admin rights) can click Start - Settings - Update & Security and trigger download and install of updates. To make matters worse, the Event Log doesn't even appear to record which user triggered the update process. How do I restrict this to administrators only?


Accepted answer
  1. Anonymous
    2021-09-21T22:02:35.677+00:00

    You can follow along here.
    https://learn.microsoft.com/en-us/troubleshoot/windows-server/deployment/block-user-access-windows-update

    --please don't forget to upvote and Accept as answer if the reply is helpful--

    1 person found this answer helpful.

5 additional answers

  1. Gaven 51 Reputation points
    2021-09-21T22:10:48.967+00:00

    Thank you for the quick reply DSPatrick but unfortunately that will not work for my situation. The GP setting referenced in the article disables Windows Update for all users - including administrators. Please let me know if you have any other thoughts.

    1 person found this answer helpful.

  2. Anonymous
    2021-09-21T22:17:31.187+00:00

    It really should not be an issue since any background update scans, downloads and installations will continue to work as configured.

    --please don't forget to upvote and Accept as answer if the reply is helpful--


  3. Gaven 51 Reputation points
    2021-09-21T22:53:37.123+00:00

    Thanks again for the quick reply. Unfortunately this server is so delicate we have to patch it manually. As an example, the 2021-09 CU broke about half the web apps but had no impact on any of our other servers. Sounds like I'll have to use that GP setting to disable WU and then temporarily disable it when I need to do manual patching. Again, thank you for all your help.


  4. Anonymous
    2021-09-21T22:59:08.817+00:00

    A couple of other options are to stand up your own WSUS for complete control of what updates and when they get applied. You could also disable the Windows Update service which users would have no control over, then just enable it again when you wanted to patch.

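The last suggestion above (disable the Windows Update service, then enable it again for a manual patch window), sketched as an added PowerShell example that is not part of the original thread. The function name `Set-WindowsUpdateLock` and the audit log path are hypothetical, and an elevated Windows PowerShell session on the server is assumed; the audit line records which administrator changed the lock.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the thread. Function name and log path are hypothetical.
function Set-WindowsUpdateLock {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)]
        [ValidateSet('Locked', 'Unlocked')]
        [string]$State,
        [string]$AuditLog = 'C:\Admin\wu-lock-audit.log'   # hypothetical path
    )
    $svcName = 'wuauserv'   # Windows Update service

    if ($State -eq 'Locked') {
        if ($PSCmdlet.ShouldProcess($svcName, 'Disable and stop')) {
            # Disable first so the service cannot be started again between the two calls.
            Set-Service  -Name $svcName -StartupType Disabled
            Stop-Service -Name $svcName -Force
        }
        $expectedMode = 'Disabled'
    }
    else {
        if ($PSCmdlet.ShouldProcess($svcName, 'Set to Manual and start')) {
            Set-Service   -Name $svcName -StartupType Manual
            Start-Service -Name $svcName
        }
        $expectedMode = 'Manual'
    }

    # Read the state back instead of trusting the calls above.
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$svcName'"
    if ($svc.StartMode -ne $expectedMode) {
        Write-Warning "$svcName start mode is $($svc.StartMode), expected $expectedMode"
    }

    # Record who changed the lock and when.
    $dir = Split-Path -Path $AuditLog -Parent
    if (-not (Test-Path -Path $dir)) { New-Item -ItemType Directory -Path $dir -Force | Out-Null }
    $entry = '{0:o} {1}\{2} requested {3}: StartMode={4} State={5}' -f `
        (Get-Date), $env:USERDOMAIN, $env:USERNAME, $State, $svc.StartMode, $svc.State
    Add-Content -Path $AuditLog -Value $entry

    [pscustomobject]@{ Service = $svcName; StartMode = $svc.StartMode; State = $svc.State }
}

# Usage: Set-WindowsUpdateLock -State Unlocked   (patch manually)   then   -State Locked
```

Running it with `-WhatIf` shows the service change it would make without applying it; re-running `-State Locked` on a schedule and watching for the warning is a simple check that the setting has not drifted.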
