RE: SuS update's

• Previous message: Duston Sickler: "RE: p2p and ISA"
• Maybe in reply to: Ronald Balk: "SuS update's"
• Next in thread: Williamson, Scott: "RE: SuS update's"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

To: "'Free, Bob'" <RWF4@pge.com>, Ronald Balk <rbalk@borland.com>, focus-ms@securityfocus.com
Date: Tue, 6 May 2003 09:37:01 -0700 

In regards to this SuS topic, I am having several issues myself with my SuS
server. I currently have it running on a machine on our network, and I have
applied a Group Policy to only 1 OU with 7 workstations for testing
purposes. These workstations are all Win2K Pro with SP3. The SuS server is
updated with the most current Windows Update files as of today, and I can
see that the workstations in this OU are querying the SuS server for their
Windows Updates, but they are not downloading or installing the updates. If
I check my updates against the actual Microsoft Update website, it shows our
workstations all have 5 critical updates to download, and these 5 updates
are indeed located on my SuS server as well. I have the policy configured to
auto download and schedule the install for everyday at 21:00, and to
auto-reboot 5 minutes after installation to complete the updates. As I
stated, my question is why are the workstations not downloading the updates,
but they are querying the SuS server? I am getting the query information
from the C:\winnt\windows update.txt file on each workstation. Any help is
immensely appreciated.

David Fike
Network Technician
ADCS Inc.
13970 Stowe Drive
Poway, CA 92064
(858) 848-2000 Ext. 1502
DFike@adcs.com

-----Original Message-----
From: Free, Bob [mailto:RWF4@pge.com]
Sent: Saturday, May 03, 2003 2:39 PM
To: Ronald Balk; focus-ms@securityfocus.com
Subject: RE: SuS update's

It depends on several factors:

1] Client platform- Some functionality is only available on XP
2] User rights- Local admin vs non-admin user logged on at the time
3] Interaction with other policies- particularly the "Remove access to use
all Windows Update features" setting
4] Interaction of the varous setting combinations possible in the wuau.adm

3] Sounds most likely here [in the absense of further details]-

If you apply the user policy of "Remove access to use all Windows Update
features" the current user is always treated as a non-administrator, as far
as the Automatic Client is concerned. If you set AU configuration to either
2 or 3 in the AU policy, then the local user will never be notified that
there are updates available for download or for install. That's not
terribly good since the end result is that the updates never get installed.
Don't turn this policy unless you configure AU to do scheduled installs!!

If you set AU configuration to 4 (scheduled install) in the AU policy, then
the scheduled install will occur as intended, but the local user won't ever
see the AU tray icon, or be notified that the install is ready to occur and
have a 5 minute count-down before the install starts. The local user
(admin/non-admin) will be notified that a reboot is needed, and admin users
who are governed by the user policy will have the ability to initiate the
reboot, but will not be able to postpone the reboot. Essentially, turning
on this policy prevents users from seeing any AU notifications or
activities, with the exception of the Reboot dialog.

So if that poilcy (Remove WU Access) is set, the experience is something
like-

AU is ready to install updates:
User gets no AU tray icon and is not aware that updates are ready to
install.

Scheduled install time:
User is not notified that the installs are ready to occur. If the install
is scheduled at 4pm then installation starts at 4pm instead of 4:05 since
there is no 5 minute countdown dialog.

Install requires a reboot:
User is notified that reboot is needed, and can click "Yes" to initiate the
reboot, but is not able to postpone the reboot (the "No" button is grayed
out).

++++++++++

Essentially, when the user policy is set to remove access to WU, even if the
local user is an administrator they are (a) not notified of pending installs
via the tray icon, (b) they cannot postpone the scheduled installs, and (c)
they cannot defer the reboot if one is required after an install has
occurred. The one caveat is that if this policy is in place, then there may
be issues with not allowing the user to postpone the reboot.

-----Original Message-----
From: Ronald Balk [mailto:rbalk@borland.com]
Sent: Friday, May 02, 2003 1:41 AM
To: focus-ms@securityfocus.com
Subject: SuS update's

Hi,

I have got a question about SuS from Microsoft.
Everything works fine, updates get automatically downloaded to my SuS
server.
I approve the update's and they get pushed to the clients.
I have downloaded the latest administrative template for GPO (Windows Update
with 4 policy's)

The problem is that when the update's get installed the user get's a dialog
box
with "Update's installed, do you want to reboot now" They NO button is
disabled and the YES button enabled.
this is very unlogical.. The user can not close this box..
I have enabled the "NO-auto restart" GPO. If I disabled this the user gets a
notification that the computer will restart in 5 minutes.
Of course, this is not what I want.
I just want NO dialog box or a dialog box that a user can close or press NO
to not reboot.

Hope you can help -;)

Cheers,

Borland BV
Ronald Balk
System Administrator NESAM
Van Heuven Goedhartlaan 935 - 1181 LD Amstelveen - The Netherlands
http://www.borland.nl
Tel : +31.20.503.5104
Fax : +31.20.503.5170

About Borland
Borland Software Corporation (Nasdaq NM: BORL) is a world leader in
Platform-independent software development and deployment solutions that are
designed to accelerate the entire application development lifecycle. By
connecting managers, testers, designers, developers, and implementers in
real time, Borland enables enterprises worldwide to define and sustain their
competitive advantage. For more information, visit: http://www.borland.com
or the Borland Developer Network.

This e-mail is intended only for use by the named addressee(s) and may
contain confidential information. If you are not the intended recipient of
this e-mail, please note any distribution or copying of this e-mail is
strictly prohibited. If you have received this e-mail in error, please
immediately delete the original and any copy and destroy any printout
thereof.

----------------------------------------------------------------------------
-
FastTrain has your solution for a great CISSP Boot Camp. The industry`s most

recognized corporate security certification track, provides a comprehensive
prospectus based upon the core principle concepts of security. This ALL
INCLUSIVE curriculum utilizes lectures, case studies and true hands-on
utilization
of pertinent security tools. For a limited time you can enter for a chance
to win one of the latest technological innovations, the SEGWAY HT.
Log onto http://www.securityfocus.com/FastTrain-focus-ms
----------------------------------------------------------------------------

--
----------------------------------------------------------------------------
-
FastTrain has your solution for a great CISSP Boot Camp. The industry`s most
recognized corporate security certification track, provides a comprehensive 
prospectus based upon the core principle concepts of security. This ALL
INCLUSIVE curriculum utilizes lectures, case studies and true hands-on
utilization 
of pertinent security tools. For a limited time you can enter for a chance 
to win one of the latest technological innovations, the SEGWAY HT. 
Log onto http://www.securityfocus.com/FastTrain-focus-ms
----------------------------------------------------------------------------
--
This electronic message and any attachments contain information which is
confidential and may be legally privileged. The information is intended
solely for the individual or entity named above and access by anyone else is
unauthorized. If you are not the intended recipient, any disclosure,
copying, distribution, or use of the contents of this information is
prohibited and may be unlawful. If you have received this electronic
transmission in error, please reply immediately to the sender that you have
received the message in error, and delete it. Thank you.
-----------------------------------------------------------------------------
FastTrain has your solution for a great CISSP Boot Camp. The industry`s most 
recognized corporate security certification track, provides a comprehensive 
prospectus based upon the core principle concepts of security. This ALL INCLUSIVE curriculum utilizes lectures, case studies and true hands-on utilization 
of pertinent security tools. For a limited time you can enter for a chance 
to win one of the latest technological innovations, the SEGWAY HT. 
Log onto http://www.securityfocus.com/FastTrain-focus-ms
------------------------------------------------------------------------------

• Previous message: Duston Sickler: "RE: p2p and ISA"
• Maybe in reply to: Ronald Balk: "SuS update's"
• Next in thread: Williamson, Scott: "RE: SuS update's"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]