SP2 Auto Update client incompatible with XPSP1 GPO Settings

From: Robert E. Smith jr. (robsmith+_at_CS.CMU.EDU)
Date: 08/20/04

    Date:         Fri, 20 Aug 2004 08:58:28 -0400
    To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
    
    

    Description of the problem:

    GPOs configured using XP SP1 ADM templates for Auto Update client using
    the Group Policy Management Console (w/ SP1) cause unpredictable results
    when applied to XP SP2 machines.

     

    Within our environment, we had configured three separate GPOs to
    deliver auto-update client settings to follow our Patch Management
    strategy. We had also configured an XPSP2 firewall policy to prepare
    for the service pack (RC2 template for the firewall settings).

     

    Once we started installing the Service Pack, we noticed that the
    auto-update client would shut down and the client could not be managed
    remotely via WMI or any program that used it (kind of strange, as even
    local WMI calls would throw an access denied error). Netsh and WMIC
    would both fail. Netsh would throw an error saying that local computer
    information could not be found; WMIC would fail when trying to compile
    the new MOFs, with an access denied error (sorry, don't have the exact
    fail code). Uninstalling SP2 or moving the machine to an OU where no GPOs
    were linked would allow these programs to function again, but several
    reboots / refreshes of the policy objects were required.

     

    After some experimentation we determined that the GPO configured to
    deliver the auto update client settings was the culprit. Each of the
    three is nearly identical, the difference being reboot options, install
    days, etc. There are a few service startup rules defined in the policy
    as well, but I don't think that they were causing the issue.

      

    We unlinked the GPOs one at a time and found that this was the problem.
    After upgrading the ADM templates and recreating the GPOs for the Auto
    Update Settings, proper functionality appears to have been restored.

     

    Bob

     

     


