RE: Automatic Updates and Users/Power Users

From: Eric McCarty (eric_at_piteduncan.com)
Date: 01/13/05

    Date: Thu, 13 Jan 2005 08:37:28 -0800
    To: "Stegman, William" <Bill.Stegman@transcore.com>, <focus-ms@securityfocus.com>
    
    

    Here are the registry keys I use. Note that the last key will prevent the machine from rebooting if users are logged on.

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate]
    "WUServer"="http:// *removed* "
    "WUStatusServer"="http:// *removed* "

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU]
    "UseWUServer"=dword:00000001
    "AUOptions"=dword:00000004
    "ScheduledInstallDay"=dword:00000000
    "ScheduledInstallTime"=dword:00000003
    "NoAutoRebootWithLoggedOnUsers"=dword:00000001
     

    Eric

    -----Original Message-----
    From: Stegman, William [mailto:Bill.Stegman@transcore.com]
    Sent: Thursday, January 13, 2005 5:17 AM
    To: focus-ms@securityfocus.com
    Subject: RE: Automatic Updates and Users/Power Users

    I've noticed one annoyance with SUS and non-admin users. If you're using SUS and a GPO with the automatically download and schedule the install, only admins are able to click yes or no to the subsequent reboot screen after having the updates applied. The no button is grayed out for non-admins.

    -----Original Message-----
    From: Rasmus Rønlev [mailto:rr.its@cbs.dk]
    Sent: Wednesday, January 12, 2005 5:14 PM
    To: focus-ms@securityfocus.com
    Subject: RE: Automatic Updates and Users/Power Users

    Okay,

    If my first post gets through, that needs to be semi-disregarded, was a bit quick on the reply button there. Sorry.

    The Windows Update program/service runs as the System Account. And if it's set to automatically download and notify, it will ask anyone logged on interactively for permission to install the downloaded patches. Since it has rights from the system account it will install updates no problem in this setting, from a normal user account and upwards. No problems at all.

    If you use SUS nothing much changes except your Windows Update service will now only download updates, that you have accepted to roll out on/from your SUS server. In this way you can potentially delay or block rolling out certain update packages, which you might not want to deploy in your enterprise. The same download/install behaviour described above will still be in effect though. I.e. you can use it for everyone with User privileges and up.

    I hope that answers the questions somewhat more to the point :)

    Regards,
    r@smus

    .
    Rasmus Rønlev
    Copenhagen Business School, ITSu
    Cell: (+45) 29612544
    Phone: (+45) 38153521
    Fax: (+45) 38153536

    -----Original Message-----
    From: Evan Mann [mailto:emann@pinnaclefinancial.com]
    Sent: 12. januar 2005 17:56
    To: focus-ms@securityfocus.com
    Subject: Automatic Updates and Users/Power Users

    If Automatic Updates is not set via GPO to contact an SUS Server but has been set to download updates and notify to install, will a user or power user be able to initiate the install?

    If Automatic Updates is set via GPO with the same download/install, but from an SUS server, does anything change?

    Essentially, how do I ensure, using Automatic Updates, with and without SUS, that the updates can be installed on a computer where the daily user only has User or Power User access?
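
The registry fragment at the top of this thread can be checked offline before it is rolled out. The following is an added example, not code from any poster in the thread: it parses a .reg export, decodes the Automatic Updates values, and reports settings that would leave the scheduled install or the SUS redirection ineffective. The host `sus.example.invalid` is a constructed placeholder for the removed server URL, and the function names are hypothetical.

```python
import re

# Constructed sample: the thread's values, with a placeholder host standing in
# for the server URL the author removed.
SAMPLE_REG = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate]
"WUServer"="http://sus.example.invalid"
"WUStatusServer"="http://sus.example.invalid"
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU]
"UseWUServer"=dword:00000001
"AUOptions"=dword:00000004
"ScheduledInstallDay"=dword:00000000
"ScheduledInstallTime"=dword:00000003
"NoAutoRebootWithLoggedOnUsers"=dword:00000001
'''
WU = r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate"
AU_OPTIONS = {2: "notify before download", 3: "download, notify before install",
              4: "download and install on schedule", 5: "local admin chooses"}
DAYS = ["every day", "Sunday", "Monday", "Tuesday", "Wednesday", "Thursday",
        "Friday", "Saturday"]
VALUE = re.compile(r'"([^"]+)"=(?:dword:([0-9a-fA-F]{8})|"(.*)")$')

def parse_reg(text):
    """Parse [key] sections holding string and dword values from .reg text."""
    keys, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1], {})
        elif current is not None and (m := VALUE.match(line)):
            name, dword, string = m.groups()
            current[name] = int(dword, 16) if dword else string.strip()
    return keys

def audit(keys):
    """Return (summary, findings) for the Automatic Updates policy values."""
    wu, au = keys.get(WU, {}), keys.get(WU + "\\AU", {})
    opt = au.get("AUOptions")
    summary, findings = {"mode": AU_OPTIONS.get(opt, "not set or unknown")}, []
    if opt == 4:  # the schedule and reboot values only matter in this mode
        day, hour = au.get("ScheduledInstallDay"), au.get("ScheduledInstallTime")
        if day in range(8) and hour in range(24):
            summary["schedule"] = f"{DAYS[day]} at {hour:02d}:00"
        else:
            findings.append("AUOptions=4 without a valid install schedule")
        if au.get("NoAutoRebootWithLoggedOnUsers") != 1:
            findings.append("scheduled install may reboot while users are logged on")
    if au.get("UseWUServer") == 1 and not (wu.get("WUServer") and wu.get("WUStatusServer")):
        findings.append("UseWUServer=1 but WUServer or WUStatusServer is missing")
    return summary, findings
```

Calling `audit(parse_reg(SAMPLE_REG))` on the values from the thread returns the decoded mode and schedule with an empty findings list.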
