Assuming they're on a network you control, probably around as hard as upside-down ternet.
Wait, what if you were to redirect the download links for the automatic updates to a Linux installer? Assuming Microsoft's security is still as lax as it was during the XP era, you could get this to work without much difficulty.
Alas, the narrow window of time in which a novice could reasonably be expected to install Linux without undue hassle came to an end with UEFI and SecureBoot.
Linux distributions work fine with UEFI a Secure Boot[1]. Maybe even better than with BIOS and MBR, because now, there is no excuse to just overwrite the MBR. OS Installers are supposed to just add an entry into UEFI boot manager.
[1] Secure Boot comes into play only when 1) you use distribution in SecureBoot enforcing mode (RHEL, CentOS, Fedora) and 2) want to build your own kernel modules. Then, you have to enroll your Machine Owner Key into UEFI and sign your modules with it. However, building kernel modules is not something that grandma is going to do. For normal use, all the mainstream distributions come with a signed bootloader (shim.efi).
