RE: SuS update's

From: Free, Bob (RWF4_at_pge.com)
Date: 05/03/03

Next message: Marc Fossi: "SecurityFocus Microsoft Newsletter #135"

Previous message: Mazhar Mohammed: "RE: SuS update's"
Maybe in reply to: Ronald Balk: "SuS update's"
Next in thread: Free, Bob: "RE: SuS update's"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Date: Sat, 3 May 2003 14:39:10 -0700
To: "Ronald Balk" <rbalk@borland.com>, <focus-ms@securityfocus.com>

It depends on several factors:

1] Client platform- Some functionality is only available on XP
2] User rights- Local admin vs non-admin user logged on at the time
3] Interaction with other policies- particularly the "Remove access to use all Windows Update features" setting
4] Interaction of the varous setting combinations possible in the wuau.adm

3] Sounds most likely here [in the absense of further details]-

If you apply the user policy of "Remove access to use all Windows Update
features" the current user is always treated as a non-administrator, as far
as the Automatic Client is concerned. If you set AU configuration to either
2 or 3 in the AU policy, then the local user will never be notified that
there are updates available for download or for install. That's not
terribly good since the end result is that the updates never get installed.
Don't turn this policy unless you configure AU to do scheduled installs!!

If you set AU configuration to 4 (scheduled install) in the AU policy, then
the scheduled install will occur as intended, but the local user won't ever
see the AU tray icon, or be notified that the install is ready to occur and
have a 5 minute count-down before the install starts. The local user
(admin/non-admin) will be notified that a reboot is needed, and admin users
who are governed by the user policy will have the ability to initiate the
reboot, but will not be able to postpone the reboot. Essentially, turning
on this policy prevents users from seeing any AU notifications or
activities, with the exception of the Reboot dialog.

So if that poilcy (Remove WU Access) is set, the experience is something like-

AU is ready to install updates:
User gets no AU tray icon and is not aware that updates are ready to
install.

Scheduled install time:
User is not notified that the installs are ready to occur. If the install
is scheduled at 4pm then installation starts at 4pm instead of 4:05 since
there is no 5 minute countdown dialog.

Install requires a reboot:
User is notified that reboot is needed, and can click "Yes" to initiate the
reboot, but is not able to postpone the reboot (the "No" button is grayed
out).

++++++++++

Essentially, when the user policy is set to remove access to WU, even if the
local user is an administrator they are (a) not notified of pending installs
via the tray icon, (b) they cannot postpone the scheduled installs, and (c)
they cannot defer the reboot if one is required after an install has
occurred. The one caveat is that if this policy is in place, then there may
be issues with not allowing the user to postpone the reboot.

-----Original Message-----
From: Ronald Balk [mailto:rbalk@borland.com]
Sent: Friday, May 02, 2003 1:41 AM
To: focus-ms@securityfocus.com
Subject: SuS update's

Hi,

I have got a question about SuS from Microsoft.
Everything works fine, updates get automatically downloaded to my SuS server.
I approve the update's and they get pushed to the clients.
I have downloaded the latest administrative template for GPO (Windows Update with 4 policy's)

The problem is that when the update's get installed the user get's a dialog box
with "Update's installed, do you want to reboot now" They NO button is disabled and the YES button enabled.
this is very unlogical.. The user can not close this box..
I have enabled the "NO-auto restart" GPO. If I disabled this the user gets a notification that the computer will restart in 5 minutes.
Of course, this is not what I want.
I just want NO dialog box or a dialog box that a user can close or press NO to not reboot.

Hope you can help -;)

Cheers,

Borland BV
Ronald Balk
System Administrator NESAM
Van Heuven Goedhartlaan 935 - 1181 LD Amstelveen - The Netherlands http://www.borland.nl
Tel : +31.20.503.5104
Fax : +31.20.503.5170

About Borland
Borland Software Corporation (Nasdaq NM: BORL) is a world leader in
Platform-independent software development and deployment solutions that are designed to accelerate the entire application development lifecycle. By connecting managers, testers, designers, developers, and implementers in real time, Borland enables enterprises worldwide to define and sustain their competitive advantage. For more information, visit: http://www.borland.com or the Borland Developer Network.

This e-mail is intended only for use by the named addressee(s) and may contain confidential information. If you are not the intended recipient of this e-mail, please note any distribution or copying of this e-mail is strictly prohibited. If you have received this e-mail in error, please immediately delete the original and any copy and destroy any printout thereof.

-----------------------------------------------------------------------------
FastTrain has your solution for a great CISSP Boot Camp. The industry`s most
recognized corporate security certification track, provides a comprehensive
prospectus based upon the core principle concepts of security. This ALL INCLUSIVE curriculum utilizes lectures, case studies and true hands-on utilization
of pertinent security tools. For a limited time you can enter for a chance
to win one of the latest technological innovations, the SEGWAY HT.
Log onto http://www.securityfocus.com/FastTrain-focus-ms
------------------------------------------------------------------------------

Next message: Marc Fossi: "SecurityFocus Microsoft Newsletter #135"

Previous message: Mazhar Mohammed: "RE: SuS update's"
Maybe in reply to: Ronald Balk: "SuS update's"
Next in thread: Free, Bob: "RE: SuS update's"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]