Re: Laptop patch management
From: Steven L Umbach (n9rou_at_nospam-comcast.net)
Date: 03/20/04
- Next message: yves: "Firewalls Can’t Secure Everything"
- Previous message: Steven L Umbach: "Re: lsass.exe error-- causing re-boot"
- In reply to: NK: "Laptop patch management"
- Next in thread: Oli Restorick [MVP]: "Re: Laptop patch management"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Sat, 20 Mar 2004 02:02:42 GMT
There is a newsgroup dedicated to SUS where you may want to post -
Microsoft.public.softwareupdatesvcs, but it is my understanding that if you do not
configure an internal intranet SUS server, the computer will go to Windows Update
instead. You could create an OU for the VPN laptops and put them in that OU with a
GPO configured to do scheduled updates and not configure an intranet server. Since
this is a computer policy, it will work regardless of whether the user is a local
administrator or not UNLESS they remove their machine from the domain, which you
should make clear to them is not allowed, and be sure to not let regular domain
users add their machines to the domain by removing authenticated users from the "add
workstations to the domain" user right in the Domain Controllers Security Policy. If
your laptop users do not need to be local administrators, it still makes sense to
remove them from the local administrators group.

--- Steve

"NK" <anonymous@discussions.microsoft.com> wrote in message
news:5ECB681F-716A-406D-873C-FAB7BE832D7F@microsoft.com...
> Hello,
> I apologize for the long message, but I am sure many admins struggle with this
> issue. I am having some difficulties with laptop patch management. I was hoping that
> we could discuss best practices/methods to improve the situation. My patch management
> process for desktops and laptops is substantially different. My desktop users obtain
> patches using SUS. They have only user privileges. Patches are installed on a
> schedule specified by group policy and they are forced to comply with this schedule.
> Laptop users, on the other hand, have far fewer restrictions. They have domain
> accounts that are members of the local admin group on their machines. They are
> supposed to use Windows Update to install patches but many of them don't. They VPN in
> on an irregular schedule. I would really like to have a method to force them to
> install patches.
>
> As local admin, the user can disable or ignore the AutoUpdate client. If I were to
> take away their administrative privileges and make them Power Users instead, is there
> any method available of forcing them to download updates on a schedule from
> WindowsUpdate.com? Through group policy is it possible to configure the autoupdate
> client to seek updates from WindowsUpdate.com and install patches on a schedule? If I
> were to configure the AU client on the console as admin and then give them the
> laptop, would they be forced to install the patches when logged in as Power Users?
>
> I look forward to your suggestions and comments.
>
> Thanks!
> NK
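
One way to confirm on a laptop that the scheduled-update computer policy discussed in this message has actually been applied, as an added example that is not part of the original thread. It assumes PowerShell is available on the client; the function names are hypothetical, and the registry value names are the ones the "Configure Automatic Updates" policy writes.

```powershell
# Added example. Function names are hypothetical; the registry value names are
# the ones the "Configure Automatic Updates" computer policy writes.
$WuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'

function Get-PolicyValues([string]$Path) {
    # Return every value under a registry key as a hashtable (empty if the key is absent).
    $values = @{}
    if (Test-Path $Path) {
        $key = Get-Item $Path
        foreach ($name in $key.GetValueNames()) { $values[$name] = $key.GetValue($name) }
    }
    return $values
}

function Test-AuPolicy([hashtable]$Au, [hashtable]$Wu = @{}) {
    # $Au holds the values under ...\WindowsUpdate\AU, $Wu those under ...\WindowsUpdate.
    $findings = @()
    if ($Au.Count -eq 0) {
        return 'FAIL: no Automatic Updates policy applied; a local administrator controls the client'
    }
    if ($Au['NoAutoUpdate'] -eq 1) { $findings += 'FAIL: Automatic Updates is disabled by policy' }
    if ($Au['AUOptions'] -eq 4) {
        # Option 4 = download automatically and install on the schedule below.
        $day = $Au['ScheduledInstallDay']; $hour = $Au['ScheduledInstallTime']
        if ($null -eq $day -or $day -lt 0 -or $day -gt 7) { $findings += "FAIL: ScheduledInstallDay '$day' is not 0-7" }
        if ($null -eq $hour -or $hour -lt 0 -or $hour -gt 23) { $findings += "FAIL: ScheduledInstallTime '$hour' is not 0-23" }
    } else {
        $findings += "FAIL: AUOptions '$($Au['AUOptions'])' is not 4 (download and install on a schedule)"
    }
    if ($Au['UseWUServer'] -eq 1) {
        $findings += "INFO: intranet server '$($Wu['WUServer'])' is configured; the client uses it, not Windows Update"
    }
    if ($findings.Count -eq 0) { return 'PASS: scheduled install from Windows Update, set by computer policy' }
    return $findings
}

# Constructed samples (not captured from a real machine).
$good = @{ NoAutoUpdate = 0; AUOptions = 4; ScheduledInstallDay = 0; ScheduledInstallTime = 3 }
$weak = @{ NoAutoUpdate = 0; AUOptions = 2 }   # notify only, nothing is forced
Test-AuPolicy $good
Test-AuPolicy $weak

# On a laptop: evaluate the live policy keys.
Test-AuPolicy (Get-PolicyValues "$WuKey\AU") (Get-PolicyValues $WuKey)
```

Because the values live under the `Policies` key, they are rewritten at each Group Policy refresh while the machine remains a domain member.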