PSWindowsUpdate permissions

Question

I have a script that uses PSWindowsUpdate to remotely query Windows Servers to get the number and the names of the available updates to consolidate them into a report. This script is set to run as a service account in a scheduled task. The script works fine if the service account is set as a local admin on each of the remote computers. However, when I remove the service account as a local admin on the remote servers I get an access denied. For security best practice, I want to grant the least amount of privileges as possible. I don't want to grant a service account Administrator privileges if at all possible.

Is there a way to set a service account permissions to use PSWindowsUpdate without granting the service account local administrative privileges?

I tried granting the service account log on as batch and log on as service. Neither successful.

Below is the part of the script that is getting access denied as the service account.

#Check for number of patches  
$UPC = (Get-WindowsUpdate -ComputerName $computer).count  
$UPC | out-file $Logfile -Append   
  
#Updates available  
$UPN = Get-wulist -computer $Computer  
$UPN | out-file $Logfile -Append   

Answer 1

Hi. Thank you for your question and reaching out.

To change the permissions for system services, take the following actions and create a security template:

1. After clicking Start, Run, and then OK, type "mmc" in the Open box.
2. Just choose Add/Remove Snap-in under File menu.
3. To continue, select OK after clicking Close, Add, Security Configuration and Analysis, Add, and Close.
4. Select Open Database from the context menu by right-clicking Security Configuration and Analysis in the console tree.
5. Click "Open" after naming and specifying the database's location.
6. In the Import Template dialog box that displays, click the security template you want to import, then click Open.
7. In the console tree, right-click Security Configuration and Analysis, and then choose Analyze Computer Now.
8. Accept the presented default path for the log file in the Perform Analysis dialog box's Error log file path box, or type the preferred location, and then click OK.
9. After the analysis is complete, configure the service permissions as follows:
   9.1 From the Console Tree, choose System Services.
   9.2 In the right pane, double-click the service whose permissions you want to change.
   9.3 Click Edit Security, then select Define this policy in the database from the drop-down menu.
   9.4 Click Add to set up permissions for a new user or group. Enter the name of the user or group you wish to grant rights to in the Select Users, Computers, or Groups dialog box, then click OK.
   9.5 Assign the user or group the permissions you want in the Permissions for User or Group list. The Allow checkbox is automatically selected next to the Start, Stop, and Pause permissions when you add a new user or group. Using this setting, the user or group can start, stop, or pause the service.
   Just click "OK" twice.
10. In order to immediately update the security settings on the local machine, click Security Configuration and Analysis with the right mouse button, then select Configure Machine Now.

For more information, please see https://learn.microsoft.com/en-us/troubleshoot/windows-server/windows-security/grant-users-rights-manage-services

---

If the reply was helpful, please don’t forget to upvote or accept as answer, thank you.

Answer 2

I think you're going to have to do this in a round-about way by using a scheduled task on the remote machines.

954498-windows-update-module-for-powershell-access-denied-on-remote-pc-in-workgroup
And: run-remote-powershell-as-administrator

Answer 3

Have you tried setting the task to "Run with highest privileges"?