27 November 2019

My users rebooted the RDSH!

So when using RDS in Windows Server 2016 there is a funny issue that arises… Users can actually reboot your Remote Desktop Session Host (RDSH). Yes, you read that right! Your users have the rights/permissions to reboot your host. If your like the dozens of forum posts i discovered, they will probably/definitely do it during production hours.

I know what you’re probably thinking… I had set up my GPOs and it was working before when we were on Windows Server 2012 or 2012 R2.

Well folks, 2012 R2 is where the support for that GPO ended. It is not supported on 2016 or higher. Stupid, right?!? Why would they take away that setting? Or better yet, why would users need to restart a server, that’s an administrator’s role? To be honest I don’t know.

The setting you used to use was “Allow non-administrators to receive update notifications”. It is found under “Computer Configuration\Administrative Templates\Windows Components\Windows Update\”. (Full description here – https://gpsearch.azurewebsites.net/#2794)

It seems like the only viable, and IMHO equally dumb option, to prevent users from applying updates and restarting your server is to completely disable windows updates.

That setting, if you choose to go that route, is “Turn off access to all Windows Update features”. It is found under “Computer Configuration\Administrative Templates\System\Internet Communication Management\Internet Communication settings\”. (Full description here – https://gpsearch.azurewebsites.net/#4728)

Hopefully Microsoft fixes this and administrators are again able to take control back and stop our users applying windows updates and rebooting our machines.