September 13th, 2023

Balancing User Updates with Security Best Practices

Christine Ruana
Principal Program Manager

In today’s world, it is imperative for IT administrators and organizations to manage security effectively and embrace security best practices. One common best practice involves implementing appropriate permission levels to ensure that only authorized accounts can access sensitive data and functionality. Another widely accepted best practice involves keeping software up to date with the latest security patches. Visual Studio recommends both of these security best practices as described in the online documentation for User permissions and Visual Studio and Applying Administrator Updates.

Up until now, we’ve had a bit of a catch-22 situation with respect to the Visual Studio installer, which is the tool that installs and updates the Visual Studio product. The installer requires administrator permissions to use, because it needs to write into “protected” areas of Windows. However, if the user running the installer doesn’t have the required elevated permissions, then they are blocked from using the installer’s functionality to update or modify Visual Studio. Thus, when organizations follow security best practices and limit user permissions, it can hinder the developer’s ability to acquire the latest product functionality, bug, and security fixes.

Standard Users can now update and modify Visual Studio

We are excited to announce a new feature designed especially for developers who have limited permissions on their machines. The purpose of this feature is to give developers with restricted permissions better control of their development environment by enabling them to update or modify their installation at will. In fact, this feature is the solution to one of our top developer community reported issues.

We’ve addressed this permissions friction with the most recent release of Visual Studio 2022 version 17.7.  Now, standard users – i.e. those without administrator permissions – can be granted the capability to fully utilize the installer to acquire updates and make changes to Visual Studio. An administrator must explicitly delegate control to a standard user and enable this feature by performing two discrete and simple steps on the client machine:

  1. Perform the initial install of the installer. Acquiring the installer for the first time on any client machine will always require administrator permissions.
  2. Configure the AllowStandardUserControl policy. Configuring Visual Studio policies will always require administrator permissions too.

Once these two steps are complete, then a standard user can access and execute any installer functionality – updates, modifications, and even new product installations from the Available tab.

This standard user update capability applies to all versions of Visual Studio 2017 and above, provided that that the latest installer is installed on the machine. Fortunately, we’ve made acquiring the latest installer easy, as all future releases and updates of Visual Studio will always contain the latest installer.

Other Security Management Features

Over the past several minor releases, Visual Studio has made it much easier for enterprise administrators to follow these common security best practices. For example, we recently introduced the capability for administrators to easily configure Visual Studio policies and enable automatic monthly security administrator updates using Microsoft Intune. It is also possible to automatically remove components during an update that have transitioned to an out-of-support state. We hope that this new ability for standard users to update and configure their installation will offer developers more flexibility in managing their development environment within an organization’s security best practice framework. Lastly, we have a few more complementary features planned for this space, so stay tuned in for upcoming announcements.

We welcome and value your feedback on this experience. Feel free to add comments below or submit a new problem report on the Visual Studio IT Administrator feedback page about any challenges you have or improvements you’d like to see regarding this solution. We appreciate your feedback on other topics too – you can leave a suggestion for another experience you’d like us to deliver and fill out our Customer Deployment Profile survey, so we have a better understanding of your operational environment and needs.

Author

Christine Ruana
Principal Program Manager

Christine started at Microsoft as an intern in 1991 on Word 1. She is currently a Program Manager on the Visual Studio release and acquisition team, and is focusing on helping enterprises easily acquire the product and stay secure. She lives in Redmond, Washington with two children in college and one still at home. She enjoys rock climbing and traveling and watching her peeps pursue their passions.

3 comments

Discussion is closed. Login to edit/delete existing comments.

  • Glaser, Thomas

    It seems insane to me that there are developers without local admin permissions, but nonetheless a welcome change!

  • Emma Jarek-Simard

    What a great new feature in Visual Studio! Excited to implement this with my team.

  • Eric Belden

    Awesome to see the community feedback addressed with such an effective solution!