RE: SuS update's
From: Free, Bob (RWF4_at_pge.com)
Date: 05/06/03
- Previous message: Marc Fossi: "Article Announcement: Auditing Web Site Authentication, Part Two"
- Maybe in reply to: Ronald Balk: "SuS update's"
- Next in thread: David Fike - ADCS Inc.: "RE: SuS update's"
Date: Mon, 5 May 2003 15:18:21 -0700
To: "Ronald Balk" <rbalk@borland.com>
>What you describe is exactly how I have it..
>So there is no possibility to enable the NO button so users (local admins) can postpone the
>reboot with this setup ?
If you are using the "Remove access to use all Windows Update features" GPO, I don't think you can get around it.
Instead, we use the "Remove links and access to Windows Update" Group Policy setting (located in User Configuration\Administrative Templates\Start Menu and Taskbar)[enabled], then Automatic Updates will continue to work for updates from your server running SUS. Users with this policy set will not be able to get other updates from the Windows Update Web site that you have not approved on your server running SUS. The links are removed from the client and if someone goes to WU automatically by following a link on a web page or types in the url, they get-
Access Denied
Network policy settings prevent you from using Windows Update to download and install updates on your computer.
If you believe you have received this message in error, please check with your system administrator.
If this policy is not enabled, the Windows Update icon will remain on the Start menu for local administrators to visit the Windows Update Web site. This Windows Update icon will allow local administrative users to install software available on Windows Update that the Software Update Service administrator has not approved. This happens even if you have specified that Automatic Updates should get approved updates from the server running SUS.
The SUSSP1 release notes don't go into enough detail on policy interactions; the Deployment guide covers it better.
http://www.microsoft.com/windows2000/docs/SUS_Deployguide_sp1.doc
HTH
-----Original Message-----
From: Ronald Balk [mailto:rbalk@borland.com]
Sent: Monday, May 05, 2003 6:22 AM
To: Free, Bob
Subject: RE: SuS update's
What you describe is exactly how I have it..
So there is no possibility to enable the NO button so users (local admins) can postpone the reboot with this setup ?
Ronald
-----Original Message-----
From: Free, Bob [mailto:RWF4@pge.com]
Sent: Saturday, 3 May 2003 23:39
To: Ronald Balk; focus-ms@securityfocus.com
Subject: RE: SuS update's
It depends on several factors:
1] Client platform- Some functionality is only available on XP
2] User rights- Local admin vs non-admin user logged on at the time
3] Interaction with other policies- particularly the "Remove access to use all Windows Update features" setting
4] Interaction of the various setting combinations possible in the wuau.adm
3] Sounds most likely here [in the absence of further details]-
If you apply the user policy of "Remove access to use all Windows Update features" the current user is always treated as a non-administrator, as far as the Automatic Client is concerned. If you set AU configuration to either 2 or 3 in the AU policy, then the local user will never be notified that there are updates available for download or for install. That's not terribly good since the end result is that the updates never get installed. Don't turn this policy on unless you configure AU to do scheduled installs!!
If you set AU configuration to 4 (scheduled install) in the AU policy, then the scheduled install will occur as intended, but the local user won't ever see the AU tray icon, or be notified that the install is ready to occur and have a 5 minute count-down before the install starts. The local user (admin/non-admin) will be notified that a reboot is needed, and admin users who are governed by the user policy will have the ability to initiate the reboot, but will not be able to postpone the reboot. Essentially, turning on this policy prevents users from seeing any AU notifications or activities, with the exception of the Reboot dialog.
So if that policy (Remove WU Access) is set, the experience is something like-
AU is ready to install updates:
User gets no AU tray icon and is not aware that updates are ready to install.
Scheduled install time:
User is not notified that the installs are ready to occur. If the install is scheduled at 4pm then installation starts at 4pm instead of 4:05 since there is no 5 minute countdown dialog.
Install requires a reboot:
User is notified that reboot is needed, and can click "Yes" to initiate the reboot, but is not able to postpone the reboot (the "No" button is grayed out).
++++++++++
Essentially, when the user policy is set to remove access to WU, even if the local user is an administrator they are (a) not notified of pending installs via the tray icon, (b) they cannot postpone the scheduled installs, and (c) they cannot defer the reboot if one is required after an install has occurred. The one caveat is that if this policy is in place, then there may be issues with not allowing the user to postpone the reboot.
-----Original Message-----
From: Ronald Balk [mailto:rbalk@borland.com]
Sent: Friday, May 02, 2003 1:41 AM
To: focus-ms@securityfocus.com
Subject: SuS update's
Hi,
I have got a question about SuS from Microsoft.
Everything works fine, updates get automatically downloaded to my SuS server. I approve the updates and they get pushed to the clients. I have downloaded the latest administrative template for GPO (Windows Update with 4 policies)
The problem is that when the updates get installed the user gets a dialog box with "Update's installed, do you want to reboot now" The NO button is disabled and the YES button enabled. This is very illogical.. The user can not close this box.. I have enabled the "NO-auto restart" GPO. If I disable this the user gets a notification that the computer will restart in 5 minutes. Of course, this is not what I want. I just want NO dialog box or a dialog box that a user can close or press NO to not reboot.
Hope you can help -;)
Cheers,
Borland BV
Ronald Balk
System Administrator NESAM
Van Heuven Goedhartlaan 935 - 1181 LD Amstelveen - The Netherlands http://www.borland.nl
Tel : +31.20.503.5104
Fax : +31.20.503.5170
About Borland
Borland Software Corporation (Nasdaq NM: BORL) is a world leader in
Platform-independent software development and deployment solutions that are designed to accelerate the entire application development lifecycle. By connecting managers, testers, designers, developers, and implementers in real time, Borland enables enterprises worldwide to define and sustain their competitive advantage. For more information, visit: http://www.borland.com or the Borland Developer Network.
This e-mail is intended only for use by the named addressee(s) and may contain confidential information. If you are not the intended recipient of this e-mail, please note any distribution or copying of this e-mail is strictly prohibited. If you have received this e-mail in error, please immediately delete the original and any copy and destroy any printout thereof.
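An audit of the policy interaction discussed in this thread, as an added example that is not part of the original messages. The function names are hypothetical, and the registry paths and value names (`AUOptions`, `DisableWindowsUpdateAccess`, `NoWindowsUpdate`) do not appear in the thread; they are assumed to be where these policies are written and should be confirmed against your own templates.

```powershell
# Added example: flags the Automatic Updates / Windows Update policy combinations
# described in the thread. Registry locations are assumptions (see lead-in).
$AuKey   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
$WuKey   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\WindowsUpdate'
$ExplKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'

function Get-PolicyValue([string]$Path, [string]$Name) {
    # $null means the key or value is absent, i.e. the policy is not configured.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name } else { $null }
}

function Test-AuPolicyInteraction {
    param($AUOptions, $RemoveAllWuAccess, $RemoveWuLinks)
    $findings = @()
    if ($null -eq $AUOptions) {
        $findings += 'INFO: no AU configuration policy found on this machine.'
    }
    if ($RemoveAllWuAccess -eq 1) {
        # "Remove access to use all Windows Update features": the user is treated
        # as a non-administrator by the Automatic Updates client.
        if ((2, 3) -contains $AUOptions) {
            $findings += 'HIGH: AU option 2/3 with all WU access removed: ' +
                         'nobody is notified, so approved updates never install.'
        } elseif ($AUOptions -eq 4) {
            $findings += 'INFO: scheduled install runs with no tray icon or ' +
                         'countdown; the reboot prompt cannot be postponed.'
        }
    } elseif ($RemoveWuLinks -ne 1) {
        # Neither user policy is set: the Windows Update site stays reachable.
        $findings += 'MEDIUM: local administrators can install updates from ' +
                     'Windows Update that were not approved on the SUS server.'
    }
    $findings
}

# Live check for the current machine and logged-on user.
$state = @{
    AUOptions         = Get-PolicyValue $AuKey 'AUOptions'
    RemoveAllWuAccess = Get-PolicyValue $WuKey 'DisableWindowsUpdateAccess'
    RemoveWuLinks     = Get-PolicyValue $ExplKey 'NoWindowsUpdate'
}
Test-AuPolicyInteraction @state

# Constructed input reproducing the "updates never get installed" case from the thread.
Test-AuPolicyInteraction -AUOptions 3 -RemoveAllWuAccess 1 -RemoveWuLinks $null
```

Because two of the three values are per-user policies, run it in the context of the logged-on user whose experience you are checking.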