Permit limited user to run/install Windows updates?

Hi Jonathan,

The manual installation of operating system updates from the Microsoft Update Web site requires the operating system desktop to run with administrative rights, so, to use Microsoft Update, the user must log on with administrative credentials. However, the Automatic Updates service runs under system account credentials and does not experience this restriction.

To answer your question; Yes, it is possible to manual install updates on a limited user account by enabling the policy settings for non-administrative accounts under the group policy settings.

This policy setting allows you to control whether non-administrative users will receive update notifications based on the "Configure Automatic Updates" policy setting.

If you enable this policy setting, Windows Automatic Update and Microsoft Update will include non-administrators when determining which logged-on user should receive update notifications. Non-administrative users will be able to install all optional, recommended, and important content for which they received a notification. Users will not see a User Account Control window and do not need elevated permissions to install these updates, except in the case of updates that containUser Interface, End User License Agreement, or Windows Update setting changes.

There are two situations where the effect of this setting depends on the operating system: Hide/Restore updates, and Cancel an install.

• On Windows XP: If you enable this policy setting, users will not see a User Account Control window and do not need elevated permissions to do either of these update-related tasks.

• On Windows Vista: If you enable this policy setting, users will not see a User Account Control window and do not need elevated permissions to do either of these tasks. If you do not enable this policy setting, then users will always see an Account Control window and require elevated permissions to do either of these tasks.

•On Windows 7: This policy setting has no effect. Users will always see an Account Control window and require elevated permissions to do either of these tasks.

If you disable or do not configure this policy setting, then only administrative users will receive update notifications.

By default, this policy setting is disabled.

If the "Configure Automatic Updates" policy setting is disabled or is not configured, then the Elevate Non-Admin policy setting has no effect.

So, here are the steps that talks about how to apply this setting for a non-administrative users so that they can run and install Windows Updates.

STEP 1. First of all, as an administrator, you need to enable Automatic Updates.

The easiest way in your limited account to enable Automatic Updates without logging off into an admin account is to go into the Control Panel and hold shift, and right click on Automatic Updates and choosing “Run As”. You'll need to run it as an account with admin privileges. Using an admin account without a password will not work!

STEP 2. Next, you need to open the Group Policy editor as an administrator. To do so, click on Start; in the run box (Windows XP) type gpedit.msc and right click to “Run as administrator”. In Windows Vista/7, type gpedit.msc in the start search box and choose “Run as administrator”.

STEP 3. Browse to the following: Computer Configuration -> Administrative Templates -> Windows Components -> Windows Update. In the right pane, open "Allow non-administrators to receive update notifications," and set its property to Enabled. Apply and exit the Group Policy Editor.

Note: The steps mentioned above are not applicable for Windows XP Home Edition users.

Hope I’ve answered your query.

Mouneshwar R – Microsoft Support

Visit our Microsoft Answers Feedback Forum and let us know what you think

[If this post helps to resolve your issue, please click the "Mark as Answer" or "Helpful" button at the top of this message. By marking a post as Answered, or Helpful you help others find the answer faster.]