
How to allow updates but restrict software installation



Hello everyone

I hope someone will know the answer.

Domain controller is MS Windows 2003 Server.

MS Office 2003 and Norton Antivirus are installed on workstations.

In user mode, how can I set up a laptop so no one can install any extra software but can get updates for already installed software?

Thank you for your knowledge



Hi, with WSUS you can centralise the Windows updates and force installation, while restricting users from installing anything else via the usual restrictions and GPOs.

But I do not know of any software that will install updates for 3rd party applications that does the same. You might want to research how to use packaging in combination with GPOs, but it is highly technical and a pain if you have not used it before, especially if you have to repackage the updates yourself.


Protection Manager from www.winternals.com does allow this sort of thing, but it's about the only product I'm aware of that does. And it isn't cheap :).

You'd be better off using a solution such as SMS to push out updates, since you need to do more than Windows updates. SMS (or other non-Microsoft patching solution) allows you to package things up and install them in the same manner Windows updates get installed, and the users will not need administrative privileges if the SMS client is on the machine.


Using software restriction policies will restrict software installation for everyone that GPO applies to for the most part, and as such shouldn't be used unless you have specific packages or executables that you want to make users not run.

Also, relaxing security in the registry is dangerous, as it potentially opens up a machine to unnecessary security risks that it would otherwise not display.

Can installing updates be done by regular users? Probably. Can you relax file and registry permissions to allow this? Also probable. Is doing this a good idea in the long run? I don't know about you, but I would say that doing something that makes systems vulnerable unnecessarily is probably not a wise choice (nor will it be easy to manage). This is the exact reason programs such as SMS, LanDesk, Tivoli, etc. exist - there's not a really good way to do this otherwise without opening up your environment to potential security risks.
