This is a known problem with Windows Update that will hopefully be addressed in a future release. Basically, because of the new integration with the Automatic Updates service, there is some kind of problem where the service tries to figure out who the current interactive user is, and it gets confused by the fact that Windows Update is running under a different context. (I don’t work on the Windows Update team, so that’s my best attempt at relaying what I remember of what they told me 😉 ).
Whilst I think this is annoying, I do like the fact that Automatic Update will no longer nag me to install things that I have already downloaded via Windows Update, which is what used to happen in the past. Personally, if I can’t be bothered logging off and back on as Administrator, I just download and install the patches directly from the bulletins, then re-run Windows Update to ensure I’ve got everything I need.
As for the SAFER — as you probably know, (but disabled for Administrators) and everything works fine from my RunAs-ed Admin account… I have found that sometimes changes you make in the secpol MMC snap-in never actually get updated in the registry, so you have to go hive-diving and slash and burn some registry keys (obviously not supported, etc.).
But the real issue (as described in my ) is that although the download packages from are signed, they are basically self-extracting installers and the bits *inside* the package are not signed, so the self-extractor runs but then the actual update program bombs 🙁
Update 14th October 1:45 PST:
After re-reading Jeroen’s comment, I realised that he was actually talking about a different issue — that is, why can’t you run Windows Update as a non-administrator full stop (or “period” as an American might say). Well, Windows Update updates the operating system, and that’s something that non-administrators should not be allowed to do, even if the updates are “for the good of the system.”
For example, what if you are a lowly user on a Terminal Server and the update breaks a mission-critical application that other users on the machine are trying to run? That’s not a very good situation to be in…