
Run Windows Update with elevated rights?!?!



Posted

Hello folks!

I have about 250 PCs in a bunch of offices around town that don't seem to be installing critical updates automatically.

Windows update is configured to run daily.

I don't get to visit each office as often as I'd like, and when I do the PCs are months behind in their updates.

nLite has an option to run Windows update as an Administrator, and the systems I've rebuilt with my nLited CD all update properly.

How can I make the rest of the systems run the updates without the user being an administrator?

I'd appreciate any help I can get, my google-fu is falling flat, and I've been working day and night lately...

Thanks,

dot19408


Posted

In group policy, under Computer Configuration > Administrative Templates > Windows Components > Windows Update, there is a policy called "Allow non-administrators to receive update notifications". You have to have "Configure Automatic Updates" set to "Enabled" and have a policy set (I like to make sure that "4 - auto download and schedule the installation" is the choice for desktops set to install "0 - Every day" at "03:00"). This can be done via the registry if you don't use AD or have non-domain joined machines. The following registry modifications will configure the above settings:

// Allow non-admins to see and interact with the Windows Update balloon/shield
// notifications in the taskbar:
Key: HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate
Value: ElevateNonAdmins
Type: REG_DWORD
Data: 1

// Set to auto-download and install updates automatically if the user does not install
// them manually before the specified time:
Key: HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\AU
Value: AUOptions
Type: REG_DWORD
Data: 4

// Silently install updates that do not need a reboot without prompting (install as soon
// as patch installer is downloaded):
Key: HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\AU
Value: AutoInstallMinorUpdates
Type: REG_DWORD
Data: 1

// How frequently to check for updates in hours (the default is to set this to 0, which
// checks every 22 hours):
Key: HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\AU
Value: DetectionFrequency
Type: REG_DWORD
Data: 1

// Enable usage of DetectionFrequency Value (above) - if set to 0, sets check for
// every 22 hours no matter what DetectionFrequency is configured for:
Key: HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\AU
Value: DetectionFrequencyEnabled
Type: REG_DWORD
Data: 1

// Logged on user will get prompted to reboot - if set to 0, a 5 minute timer reboots
// the machine once patches are installed:
Key: HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\AU
Value: NoAutoRebootWithLoggedOnUsers
Type: REG_DWORD
Data: 1

// Set to 1 to disable Automatic Updates
Key: HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\AU
Value: NoAutoUpdate
Type: REG_DWORD
Data: 0

// Time (in minutes, 1 - 60) AU should wait before installing downloaded updates after a
// missed update schedule (when the machine is off or off of the network, for
// example):
Key: HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\AU
Value: RescheduleWaitTime
Type: REG_DWORD
Data: 5

// Enable usage of the RescheduleWaitTime reg value (above). If not configured,
// RescheduleWaitTime is set to 0 no matter what it is configured for:
Key: HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\AU
Value: RescheduleWaitTimeEnabled
Type: REG_DWORD
Data: 1

// Determines which day of the week to try and download/install automatic updates
// (0 = every day, 1 = Sunday - 7 = Saturday, etc):
Key: HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\AU
Value: ScheduledInstallDay
Type: REG_DWORD
Data: 0

// Scheduled time of day to install updates if they are not installed manually (in 24
// hour format, 0 - 23):
Key: HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\AU
Value: ScheduledInstallTime
Type: REG_DWORD
Data: 3

// If UseWUServer is set to 1, the WUServer and WUStatusServer values
// that point to a WSUS server are used. If set to 0, windowsupdate.microsoft.com
// is used as the autoupdate point:
Key: HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\AU
Value: UseWUServer
Type: REG_DWORD
Data: 0

If you do set up your own WSUS server (and I would suggest you consider it), you can use the following two values to use the WSUS server instead of Windows Update:

// This value contains the http://server.domain.com FQDN for your WSUS
// server:
Key: HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate
Value: WUServer
Type: REG_SZ
Data: http://<fqdn for your WSUS server>

// This value contains the http://server.domain.com FQDN for your WSUS server
// (same as WUServer value):
Key: HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate
Value: WUStatusServer
Type: REG_SZ
Data: http://<fqdn for your WSUS server>
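
An added example, not part of the original posts: a read-only PowerShell check that compares a PC's Windows Update policy values against the data listed in the post above and warns about the dependencies that post describes (the two `...Enabled` switches and `UseWUServer`). It assumes PowerShell 3.0 or later is available on the machine; the helper name `Get-PolicyValue` is made up for this example.

```powershell
# Added example: read-only audit of the Windows Update policy values from the post.
# Assumes PowerShell 3.0+; expected data is copied from the post's listing.
$wu = 'HKLM:\Software\Policies\Microsoft\Windows\WindowsUpdate'
$au = "$wu\AU"
$baseline = @(
    @{ Key = $wu; Name = 'ElevateNonAdmins';              Data = 1 }
    @{ Key = $au; Name = 'AUOptions';                     Data = 4 }
    @{ Key = $au; Name = 'AutoInstallMinorUpdates';       Data = 1 }
    @{ Key = $au; Name = 'DetectionFrequency';            Data = 1 }
    @{ Key = $au; Name = 'DetectionFrequencyEnabled';     Data = 1 }
    @{ Key = $au; Name = 'NoAutoRebootWithLoggedOnUsers'; Data = 1 }
    @{ Key = $au; Name = 'NoAutoUpdate';                  Data = 0 }
    @{ Key = $au; Name = 'RescheduleWaitTime';            Data = 5 }
    @{ Key = $au; Name = 'RescheduleWaitTimeEnabled';     Data = 1 }
    @{ Key = $au; Name = 'ScheduledInstallDay';           Data = 0 }
    @{ Key = $au; Name = 'ScheduledInstallTime';          Data = 3 }
    @{ Key = $au; Name = 'UseWUServer';                   Data = 0 }  # 1 if you use WSUS
)

# Hypothetical helper: returns $null when the key or the value does not exist.
function Get-PolicyValue([string]$Key, [string]$Name) {
    $item = Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name }
}

$report = foreach ($b in $baseline) {
    $actual = Get-PolicyValue $b.Key $b.Name
    $status = if ($null -eq $actual) { 'Missing' } elseif ($actual -eq $b.Data) { 'OK' } else { 'Mismatch' }
    [pscustomobject]@{ Name = $b.Name; Expected = $b.Data; Actual = $actual; Status = $status }
}

# Dependencies the post describes: a setting is ignored unless its switch is 1.
$gates = @{ DetectionFrequency = 'DetectionFrequencyEnabled'
            RescheduleWaitTime = 'RescheduleWaitTimeEnabled' }
foreach ($g in $gates.GetEnumerator()) {
    if ($null -ne (Get-PolicyValue $au $g.Key) -and (Get-PolicyValue $au $g.Value) -ne 1) {
        Write-Warning "$($g.Key) is set, but $($g.Value) is not 1, so it is ignored."
    }
}

# WUServer and WUStatusServer are only used when UseWUServer is 1, and should match.
if ((Get-PolicyValue $au 'UseWUServer') -eq 1) {
    $server = Get-PolicyValue $wu 'WUServer'
    $statusServer = Get-PolicyValue $wu 'WUStatusServer'
    if (-not $server -or $server -ne $statusServer) {
        Write-Warning 'UseWUServer is 1, but WUServer/WUStatusServer are missing or differ.'
    }
}

$report | Format-Table Name, Expected, Actual, Status -AutoSize
```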

Posted (edited)

cluberti,

Thank you so much!

At the moment the owners don't want to spend the money to set up a decent network, the offices are only open until mid-April...

Edited by cluberti
SPAM for any reason isn't allowed. Post edited to remove advert (covert or otherwise, it's gone).
