When Administrators aren't Trusted

Published on Friday 28th September, 2007 (AEST)

I'm a big believer in Software Restriction Policies, particularly for the purposes of preventing malware. Configured wisely, SRPs provide considerable control over which applications may run on your systems. However, sometimes the policies just don't behave as you would expect.

Take, for instance, the Trusted Publishers settings. For whatever reason, configuring them to anything other than "End users" will prevent administrators from running Microsoft Update. Even when a default-allow (unrestricted) policy is in place, and even when administrators are exempt from the software restrictions, Windows Update will return error number 0x80092026.

Fortunately, this is a simple issue to resolve: set the "Allow the following users to select trusted publishers" option to "End users". (Don't forget to run gpupdate /force afterwards.) To get to the Software Restriction Policy settings, edit the applicable GPO and navigate to Software Settings, Windows Settings, Security Settings, Software Restriction Policies in the computer or user configuration.

Alternatively, if you don't wish to change the Trusted Publishers settings, you can apply the SRP Group Policy Object to an OU containing only your non-admin user accounts.
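
To confirm which Trusted Publishers setting a machine actually received after gpupdate, the policy value can be read back from the registry. This is an added example, not part of the original post; the function name is hypothetical, and the registry path, value name and flag bits are taken from the CERT_TRUST_PUB_* definitions in the Windows SDK header wincrypt.h rather than from the post.

```powershell
# Added example, not from the original post. The registry path, value name and
# bit meanings are the CERT_TRUST_PUB_* definitions from the Windows SDK header
# wincrypt.h; only the computer-configuration (HKLM) copy of the policy is read.
function Get-TrustedPublisherPolicy {
    param(
        [string]$Path = 'HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPublisher\Safer'
    )

    $who = @{
        0 = 'End users'
        1 = 'Local computer administrators'
        2 = 'Enterprise administrators'
    }

    # Assumption: a missing key or value (policy not configured) is treated as 0.
    $prop  = Get-ItemProperty -Path $Path -Name 'AuthenticodeFlags' -ErrorAction SilentlyContinue
    $flags = if ($prop) { [int]$prop.AuthenticodeFlags } else { 0 }
    $level = $flags -band 0x3          # CERT_TRUST_PUB_ALLOW_TRUST_MASK

    [pscustomobject]@{
        Configured               = [bool]$prop
        RawValue                 = '0x{0:X}' -f $flags
        MaySelectPublishers      = if ($who.ContainsKey($level)) { $who[$level] } else { "Unknown ($level)" }
        PublisherRevocationCheck = [bool]($flags -band 0x100)
        TimestampRevocationCheck = [bool]($flags -band 0x200)
        # The post reports 0x80092026 from Microsoft Update for any setting other than End users.
        MatchesPostWorkaround    = ($level -eq 0)
    }
}

Get-TrustedPublisherPolicy | Format-List
```

If MatchesPostWorkaround is False on a machine where administrators see 0x80092026, the GPO supplying the Trusted Publishers setting is the one to change or re-scope.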


© 2007-2010 Andy Dowling.