  • Best Update Option for Win10 setting – No Access to PC – No remote Access


    This topic contains 14 replies, has 5 voices, and was last updated by  Sproots 2 months, 3 weeks ago.

    • #1904745 Reply

      Sproots
      AskWoody Plus

      Hello All,

      I am finishing up a new PC for my very elderly mother across the country.

      I will have no routine access to it after I ship it and cannot trust remote access to it.

      I am giving her a limited user account and locking down as much as I can with Group Policy, Start10 and O&O Shutup.

      For Win10 Updates what is my best option with no ready access to her PC?

      Should I defer as much as possible and hope for the best when it does rollover, or just set it all to auto from the start and try to handle any errors as they arrive if possible by my long-distance tech support?

      Hoping to remove as much as possible from her need to get into system settings etc.

      Will Windows Update even run in auto from only a user account? Or will it require Admin account (admin account access prompts) every time for completion or just not activate w/o being logged in on admin account?

    • #1904754 Reply

      cyberSAR
      AskWoody Plus

      I feel your pain. What I have chosen to do is set quality updates to 15 days in the hope that bad ones will be pulled before then and yet not have them exposed to a legit threat for too long. I put feature updates to 365 days.

      I do usually set up remote access with AnyDesk on these. Although I pay for it, they do offer free for personal use and I don’t see any difference in it. If setup properly, there is no action needed on the remote side so it works well for my elderly clients. All they have to do is turn on the machine. https://anydesk.com/

      2 users thanked author for this post.
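
The deferral periods described in the post above (15 days for quality updates, 365 days for feature updates) can also be applied and read back from an elevated PowerShell prompt. This is an added example, not part of the original posts; it assumes Windows 10 Pro or higher, since it writes the Windows Update for Business policy values, which Home edition does not honor.

```powershell
#Requires -RunAsAdministrator
# Added example: apply and verify Windows Update deferral policy.
# The day counts are the ones quoted in the thread; adjust as needed.

$key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'

$wanted = [ordered]@{
    DeferQualityUpdates             = 1    # enable quality-update deferral
    DeferQualityUpdatesPeriodInDays = 15   # policy maximum is 30
    DeferFeatureUpdates             = 1    # enable feature-update deferral
    DeferFeatureUpdatesPeriodInDays = 365  # policy maximum is 365
}

# Refuse values outside the ranges the policy accepts.
if ($wanted.DeferQualityUpdatesPeriodInDays -notin 0..30) {
    throw 'Quality update deferral must be between 0 and 30 days.'
}
if ($wanted.DeferFeatureUpdatesPeriodInDays -notin 0..365) {
    throw 'Feature update deferral must be between 0 and 365 days.'
}

# Create the policy key if no update policy has been set before.
if (-not (Test-Path $key)) {
    New-Item -Path $key -Force | Out-Null
}

foreach ($name in $wanted.Keys) {
    New-ItemProperty -Path $key -Name $name -Value $wanted[$name] `
        -PropertyType DWord -Force | Out-Null
}

# Read the values back so a typo or a competing policy is visible
# before the machine ships.
$actual = Get-ItemProperty -Path $key
$report = foreach ($name in $wanted.Keys) {
    [pscustomobject]@{
        Setting  = $name
        Expected = $wanted[$name]
        Actual   = $actual.$name
        Match    = ($actual.$name -eq $wanted[$name])
    }
}
$report | Format-Table -AutoSize

if ($report.Match -contains $false) {
    Write-Warning 'At least one deferral value did not apply as expected.'
}
```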
    • #1904759 Reply

      Sproots
      AskWoody Plus

      Thanks I may look into that, I just don’t want to expose too much of her computer, she also has a roommate that I do not know.

    • #1904822 Reply

      cmptrgy
      AskWoody Plus

      First of all I would follow cyberSAR’s recommendation to use AnyDesk.
      — I suspect you will be able to “trust remote access to it.”

      Setting up “quality updates to 15 days in the hope that bad ones will be pulled before then and yet not have them exposed to a legit threat for too long. I put feature updates to 365 days.” makes sense to me.

      She has a limited user account.
      — That means you have a Local Administrator Account also. Is that correct?
      — On your Local Administrator Account password, consider adding a PIN.
      — I don’t like assuming things, but if you are using a Microsoft account, the same recommendation applies.
      — If someone else wants to use the computer, assign only a limited user account.

      On accessing system settings, I don’t know if this will apply for all settings, but she’ll need your Local Administrator Account password on at least some of them.
      — I suspect that includes Windows Updates.
      — This coming Tuesday Aug 13, this month’s Cumulative Updates will be due.
      — Try them on Tuesday night or on Wednesday from her limited user account and see what happens.

      Since you mention Group Policy, I imagine it’s a Windows 10 Pro laptop: is that correct?

      Once you are ready to ship the PC, create a system image backup: also a USB Recovery drive: both of which you keep.
      — Even though you are far apart, you never know if something like that will become useful especially if the unit will need to be returned to you.

      With all of that said, check the condition of the PC during the week before the 2nd Tuesday (Patch Tuesday) of each month.

      BTW, I can relate to what you are doing. I wish you well as technical support for your elderly mom.

      HP EliteBook 8540w laptop Windows 10 Pro (x64)

    • #1904852 Reply

      DriftyDonN
      AskWoody Plus

      Considering the massive headache win10 has become, I would consider searching for reliable (?) tech support business in your Mom’s area. Also, if you do not know who has access, I would advise nothing personal on the PC…period. This sounds to me like a hack/id theft just waiting to happen. I used to help family long distance back in the mid to late 90’s but that was with someone on the phone (Dad, Sister etc) who had the same OS I did and we could work in tandem. THIS site is a godsend for those who have a modicum of experience with pc’s thank you woody! BUT I would not trust M$ft update to be on auto pilot EVER. I’m assuming your Mother wouldn’t be too savvy…if I am assuming too much, apologies.

      BEST of LUCK if you go thru with this.

      PS. If you do use a remote program to access her PC, what happens when you make a change and have to reboot? Can she follow thru with any exchanges that require input? Just random thoughts on issues I used to have with long distance tech support….

    • #1904878 Reply

      Sproots
      AskWoody Plus

      Thanks for more info all.

      With that a few more questions arise:

      Do I need an additional VPN service to use EasyDesk over? Or is it served on the company VPN already?

      Yes Admin Level user account for me, with password.  She will have limited user account with password.  Both Local accounts, do you mean adding a 2-factor authenticate? Is that possible with local Win10 accounts?

      This is an ITX desktop, all new parts and case, hoping it lasts quite a while.  Not sure if I can keep it as long as the 13th or after but prob for the best that I do.  Do you mean that normal Win10 auto updates will not run in auto from a limited user account? (I won’t block access to them in Grp Policy).  She can re-start as needed and I’ll be sending her another personal user manual as well.

      She is still capable of doing most tasks, unfortunately she will follow whatever the PC tells her even if it isn’t what I want her to do.  So I’m trying to make it a fairly dumb client machine for just web and solitaire with not much else.  She is still capable of going anywhere she wants on web so I can only lock down FF and add paid AV with full settings for protection.  She went through Win7-Win10 upgrade a couple years ago without issue until she prob tried to install something  a web site told her (going to lock installations down as much as I can).

      I will be making a USB system restore/image for her that I can talk her through when needed.  I have already moved her file folders to a second internal SSD so I can clear the boot drive w/o issue if needed.  I’ll keep a backup here as well.

    • #1904895 Reply

      cmptrgy
      AskWoody Plus

      On your password protected Local Administrator account, you can add a PIN.
      — It can contain both numbers and characters and isn’t limited to only 4 of them.

      I just created a password protected local account and there is an option to also create a PIN.

      “Do you mean that normal Win10 auto updates will not run in auto from a limited user account?”
      — It looks like it will run in auto from a password protected local account.
      — On the password protected local account I checked for Windows Update and it wanted to download Feature version 1903.
      — Instead of waiting to do so automatically like I usually do, I allowed it to start downloading and it’s in the process of doing so w/o requesting the password from my Local Admin account.
      — With that said, I need to bring it to completion before providing a definitive answer.
      — But before actually installing it, I usually create a system image backup before doing so.
      — Maybe someone else can provide a definitive answer for you before I can as I won’t know until later on tomorrow night.

      HP EliteBook 8540w laptop Windows 10 Pro (x64)

    • #1905138 Reply

      cmptrgy
      AskWoody Plus

      On your password protected Local Administrator account, you can add a PIN.
      — It can contain both numbers and characters and isn’t limited to only 4 of them.

      I just created a password protected local account and there is an option to also create a PIN.

      “Do you mean that normal Win10 auto updates will not run in auto from a limited user account?”
      — It looks like it will run in auto from a password protected local account.
      — On the password protected local account I checked for Windows Update and it wanted to download Feature version 1903.
      — Instead of waiting to do so automatically like I usually do, I allowed it to start downloading and it’s in the process of doing so w/o requesting the password from my Local Admin account.
      — With that said, I need to bring it to completion before providing a definitive answer.
      — But before actually installing it, I usually create a system image backup before doing so.
      — Maybe someone else can provide a definitive answer for you before I can as I won’t know until later on tomorrow night.

      Feature version 1903 Download and install completed w/o having to enter an admin password.

      I do have to make a correction though: I did not create a password, I guess I became overtired while researching the subject at hand w/o any definitive leads but the final result is successful on my test computer.
      EDIT: I forgot to mention I’ve been using the computer for 90 minutes w/o any problems.

      Have a great time being your MOM’s technician.

      I would note that if some of the concerns DriftyDonN mentions, you might have some difficult decisions to address but know that your MOM comes first.

      HP EliteBook 8540w laptop Windows 10 Pro (x64)

      • This reply was modified 3 months, 1 week ago by  cmptrgy.
    • #1905151 Reply

      cyberSAR
      AskWoody Plus

      As luck would have it I had an elderly client call with issues today. No anydesk installed and it was an ordeal trying to work him through his issues. Finally talked him through downloading anydesk and getting it installed (not an easy task when he doesn’t know what an address bar is and has trouble hearing) which allowed me to access his machine and see what was happening. Over 25 chrome extensions for advertising/shopping and such 🙁

      With AnyDesk no other vpn, port forwarding or such is needed. I install it on the client’s machine, set up remote with a very strong password and I am able to access the machine as long as it’s powered on. I can perform remote reboots, even into safe mode.

      It can also be run as a portable app (that’s how I use it on my machine) without install but that requires interaction on the remote side. Not something my older clients are good at.

      I highly suggest you give it a spin. I can almost guarantee you’ll be needing remote access down the road. While you have her machine you can see how it looks from both sides.

      1 user thanked author for this post.
    • #1905179 Reply

      bbearren
      AskWoody MVP

      Will Windows Update even run in auto from only a user account? Or will it require Admin account (admin account access prompts) every time for completion or just not activate w/o being logged in on admin account?

      Indeed it will.  I routinely run as a Standard user, and have never had any issues with Windows Update.  My understanding (could very well be wrong) is that updates are actually handled by TrustedInstaller, not the user that is signed in.  This seems to be verified by the fact that Windows Update still works with the PC online, but no user signed in.

      The only time one needs to be signed in as a member of the Administrators group is to perform an inplace upgrade/repair re-install.

      That being said, UAC can rear its ugly head, requiring an Administrators password to run certain software, unless UAC is disabled.

      Create a fresh drive image before making system changes, in case you need to start over!
      "The problem is not the problem. The problem is your attitude about the problem. Savvy?"—Jack Sparrow
      "When you're troubleshooting, start with the simple and proceed to the complex."—M.O. Johns
      "Experience is what you get when you're looking for something else."—Sir Thomas Robert Deware

      1 user thanked author for this post.
    • #1912686 Reply

      Sproots
      AskWoody Plus

      Hello All,

      Setup has gone well and I have taught myself a lot about Win10, Decrapifier, Classic Shell, GPEdit and a lot more.

      I am almost ready for final cleanup and imaging/restore media.

      CyberSAR, I still am having one major issue with Anydesk.

      My mother will only be logged in on her Limited User (locked down) account and Anydesk won’t start for her under UAC (do you want to allow app to change…) w/o my Local Admin account password.

      How do you work that for your clients?

      Are they on Local Admin accounts already?

      Do I need to unlock her account enough to install Anydesk to her user account instead of my Local Admin so she has standard user permissions to it?

      I have tried using the ACT/TaskSched/Runas options and must not be doing something because it still is giving UAC prompt (with still locked down, but I gave her file permissions to the C: drive AnyDesk folders).  I have hidden C: drive from her File Explorer but not locked it out completely in Grp Policy.

      And one last, does a paid sub make Anydesk any more secure than free license?  I don’t expect to use very many sessions to trigger their commercial use filters. But I am happy to support the Company.

      Many thanks if you can point me in the right direction.

      • This reply was modified 3 months ago by  Sproots.
    • #1913612 Reply

      cyberSAR
      AskWoody Plus

      Hi Sproots,

      Not sure why you’re getting the prompt. I can’t reproduce it here and I also use it on many machines with limited user accounts.

      I usually install on the admin account and have no problems logging in on the limited accounts. I just tested on a machine here by installing in the limited user account  and it works thereafter with no interaction from the client.

      On the security settings tab I usually check allow always for interactive access then enable unattended access with a good password. Also for more security you can add your machine’s anydesk alias to the access control list – but if your alias changes due to a reinstall or new machine you’d have to walk your mom through those settings to allow you access again.

      I don’t see any difference between the paid and free versions other than number of concurrent sessions and custom alias.

       

       

    • #1915195 Reply

      Sproots
      AskWoody Plus

      Thanks,

      I think I have it sorted now.

      I was misunderstanding how to establish a connection until I re-read your post with  “All they have to do is turn on the machine”.

      I was thinking of my Mom being logged in and needing direct support at the moment and having to “turn-on” AnyDesk with a shortcut.  Trying to do that gives the UAC prompt for Admin Credentials.

      I realize now I only have to connect from my end and immediately have access to her desktop.  So I have hidden AnyDesk from the Start menu and removed the icon from the notification area as well.

      I have also used both password and whitelist and disabled all other MS RDP.

      Thanks for your help.

      • #1915354 Reply

        cyberSAR
        AskWoody Plus

        Should have mentioned this before. Include the anydesk folder in appdata/roaming in your backup routine as all remote machines, settings and passwords are stored there. Makes re-install a breeze.

        Good luck!

        • #1915546 Reply

          Sproots
          AskWoody Plus

          Okay thanks,

          I should be good, I finished up final cleanup and re-tested Skype and AnyDesk and have Macrium image backups on USB for her end as well as archive here.

          With AnyDesk I should be able to solve any issues from here before it gets bad enough to require a restore.  Plus I really locked down her account and left her only Browser, Office and MS local games.

          I didn’t lock down Firefox all the way but I locked out settings and have paid A/V running on top.  She is using ISP Webmail so hopefully they will catch the most blatant bad stuff first.

          I’ll see when she gets it and we try first Skype.
