(Msg. 1) Posted: Tue Jul 22, 2008 3:09 am
Post subject: Blocking XP Service pack 3 - WSUS 2.0 in use
Archived from groups: microsoft>public>win2000>group_policy, others
We are using WSUS 2.0 SP1 to distribute security patches internally. We have
restricted the allowed classifications to "Critical Updates" and "Security
Updates" (no Service Packs) so this would prevent XP Service Pack 3 from
being installed via WSUS.
My concern is laptop computers that leave the office and connect to the
Internet (and to our network by VPN). Will these PCs receive Automatic
updates from Microsoft that are not part of our WSUS policy? We have a Group
Policy set for clients to point to our WSUS server to auto-download and
install patches. Will this GPO prevent the clients from getting the updates
directly from Microsoft via AU when they are connected to the Internet (I'm
hoping so).
Another point is that currently when our users manually run
Windows/Microsoft Update they, of course, go directly to Microsoft and can
get any/all patches, service packs available from Microsoft. Is there any way
to configure it so clients that run Windows Update will instead be directed
to the WSUS server for our approved list of updates? I'm guessing not.
If we wish to use the SPBlockerToolKit
(http://www.microsoft.com/Downloads/details.aspx?FamilyID=d7c9a07a-5267-4bd6-87d0-e2a72099edb7&displaylang=en)
to prevent users from getting XP SP3 via Windows Update, is there any
conflict/potential issues with WSUS? Thank you.
(Msg. 2) Posted: Tue Jul 22, 2008 8:44 am
Post subject: Re: Blocking XP Service pack 3 - WSUS 2.0 in use
Howdie!
Barkley Bees wrote:
> My concern is laptop computers that leave the office and connect to the
> Internet (and to our network by VPN). Will these PCs receive Automatic
> updates from Microsoft that are not part of our WSUS policy? We have a Group
> Policy set for clients to point to our WSUS server to auto-download and
> install patches. Will this GPO prevent the clients from getting the updates
> directly from Microsoft via AU when they are connected to the Internet (I'm
> hoping so).
If WSUS is configured, people cannot manually download and install
Service Packs and Updates via Windows Updates. That's forbidden if
you're on WSUS with Group Policy.
> If we wish to use the SPBlockerToolKit
> (http://www.microsoft.com/Downloads/details.aspx?FamilyID=d7c9a07a-5267-4bd6-87d0-e2a72099edb7&displaylang=en)
> to prevent users from getting XP SP3 via Windows Update, is there any
> conflict/potential issues with WSUS? Thank you.
There's an ADM template in the package you can extract and import. It
basically blocks the installation of SP3. You can, once you want to
install SP3 on the machines, disable the policy/revert it back to
"normal" and deploy SP3 via WSUS.
(Msg. 3) Posted: Tue Jul 22, 2008 12:01 pm
Post subject: Re: Blocking XP Service pack 3 - WSUS 2.0 in use
Hi,
"Florian Frommherz [MVP]" wrote:
>
> Howdie!
>
> Barkley Bees wrote:
> > My concern is laptop computers that leave the office and connect to the
> > Internet (and to our network by VPN). Will these PCs receive Automatic
> > updates from Microsoft that are not part of our WSUS policy? We have a Group
> > Policy set for clients to point to our WSUS server to auto-download and
> > install patches. Will this GPO prevent the clients from getting the updates
> > directly from Microsoft via AU when they are connected to the Internet (I'm
> > hoping so).
>
> If WSUS is configured, people cannot manually download and install
> Service Packs and Updates via Windows Updates. That's forbidden if
> you're on WSUS with Group Policy.
That's incorrect, they are two completely separate policies. Simply
configuring WSUS via a GPO does nothing to stop users from *manually*
downloading patches via the windows update website. That, however, *can*
be forbidden too with a different GPO.
So the answer for the OP is: No, they will not download anything
*automatically*. But they can do it manually, unless you've forbidden it
and locked that down.
(Msg. 4) Posted: Tue Jul 22, 2008 4:32 pm
Post subject: Re: Blocking XP Service pack 3 - WSUS 2.0 in use
"Florian Frommherz [MVP]" <florian DeleteThis @frickelsoft.DELETETHIS.net> wrote in
message news:OhosKa86IHA.2220@TK2MSFTNGP06.phx.gbl...
>
> If WSUS is configured, people cannot manually download and install Service
> Packs and Updates via Windows Updates.
I've been doing that without any problem. Btw I am the administrator.
> That's forbidden if you're on WSUS with Group Policy.
Forbidden? Who forbids it? Yes, I have Automatic Updates set thru GPO.
> There's an ADM template in the package you can extract and import. It
> basically blocks the installation of SP3. You can, once you want to
> install SP3 on the machines, disable the policy/revert it back to "normal"
> and deploy SP3 via WSUS.
Or don't give anyone administrative permission (which is what everyone
should be doing). Problem solved.
(Msg. 5) Posted: Wed Jul 23, 2008 3:11 am
Post subject: Re: Blocking XP Service pack 3 - WSUS 2.0 in use
Massimo Rosen wrote:
> So the answer for the OP is: No, they will not download anything
> *automatically*. But they can do it manually, unless you've forbidden it
> and locked that down.
... and remember you can't actually lock it down to the point where the users
can't bypass it if they're determined, except by not giving them administrator
accounts in the first place (in which case there's no problem).
(Msg. 6) Posted: Wed Jul 23, 2008 3:11 am
Post subject: Re: Blocking XP Service pack 3 - WSUS 2.0 in use
"Massimo Rosen" <mrosenno RemoveThis @spamcfc-it.de> wrote in message
news:4885AFDF.61EE1542@spamcfc-it.de...
> Hi,
>
> "Florian Frommherz [MVP]" wrote:
>>
>> Howdie!
>>
>> Barkley Bees wrote:
>> > My concern is laptop computers that leave the office and connect to the
>> > Internet (and to our network by VPN). Will these PCs receive Automatic
>> > updates from Microsoft that are not part of our WSUS policy? We have a Group
>> > Policy set for clients to point to our WSUS server to auto-download and
>> > install patches. Will this GPO prevent the clients from getting the updates
>> > directly from Microsoft via AU when they are connected to the Internet (I'm
>> > hoping so).
>>
>> If WSUS is configured, people cannot manually download and install
>> Service Packs and Updates via Windows Updates. That's forbidden if
>> you're on WSUS with Group Policy.
>
> That's incorrect, they are two completely separate policies. Simply
> configuring WSUS via a GPO does nothing to stop users from *manually*
> downloading patches via the windows update website. That, however, *can*
> be forbidden too with a different GPO.
>
> So the answer for the OP is: No, they will not download anything
> *automatically*. But they can do it manually, unless you've forbidden it
> and locked that down.
>
> CU,
> Massimo
Thanks for the reply Massimo. I realize we cannot stop users from
downloading and installing the SP's manually until we remove their local
admin rights (which we are in the process of planning for) but ahead of
that, I assume then that the best way to ensure they don't get the SP via
Windows Update would be to simply add the (NoSPupdate.adm) template to our
GPO and enable it...correct?
1. Automatic Updates - safe via GPO with clients pointed to internal WSUS.
2. Windows Update - block via GPO "NoSPupdate.adm".
3. Manual install - cannot prevent until users have admin rights removed.
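
The controls discussed in this thread can be checked on a single client with a short PowerShell audit. This is an added example, not part of the original posts or of the blocker toolkit. The registry value names (`WUServer`, `UseWUServer`, `DoNotAllowSP`, `DisableWindowsUpdateAccess`) are assumptions taken from Microsoft's Windows Update policy documentation rather than from the thread, so confirm them against the ADM templates you actually import.

```powershell
# Added example (not from the thread): report the state of the update controls
# the posters discuss on one Windows client. Registry value names are assumptions
# from Microsoft's Windows Update policy documentation; verify against your ADM files.
$wu   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$hkcu = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\WindowsUpdate'

function Get-PolicyValue([string]$Path, [string]$Name) {
    # Returns $null when the key or the value is absent (policy not configured).
    if (-not (Test-Path $Path)) { return $null }
    $prop = (Get-ItemProperty -Path $Path).PSObject.Properties[$Name]
    if ($prop) { return $prop.Value }
    return $null
}

function New-Finding([string]$Control, [bool]$InPlace, [string]$Detail) {
    New-Object PSObject -Property @{ Control = $Control; InPlace = $InPlace; Detail = $Detail }
}

# 1. Automatic Updates pointed at the internal WSUS server (both values are needed).
$server  = Get-PolicyValue $wu 'WUServer'
$useWsus = (Get-PolicyValue "$wu\AU" 'UseWUServer') -eq 1
$f1 = New-Finding 'AU points to WSUS' ($useWsus -and [bool]$server) "WUServer=$server"

# 2. Service pack blocker policy: stops SP delivery through Windows Update / AU only.
$noSp = (Get-PolicyValue $wu 'DoNotAllowSP') -eq 1
$f2 = New-Finding 'SP blocker policy set' $noSp 'Does not stop a manual SP install'

# 3. The separate policy that removes the user's access to Windows Update.
$noWu = (Get-PolicyValue $hkcu 'DisableWindowsUpdateAccess') -eq 1
$f3 = New-Finding 'Windows Update access removed' $noWu 'Per-user policy (HKCU)'

# 4. Local administrator rights: an admin can install manually or undo 1-3.
#    On Vista and later a non-elevated session reports False here.
$id = [Security.Principal.WindowsIdentity]::GetCurrent()
$isAdmin = (New-Object Security.Principal.WindowsPrincipal($id)).IsInRole(
    [Security.Principal.WindowsBuiltInRole]::Administrator)
$f4 = New-Finding 'User is NOT local admin' (-not $isAdmin) "Checked as $($id.Name)"

$f1, $f2, $f3, $f4 | Select-Object Control, InPlace, Detail | Format-Table -AutoSize
```

Run it in the logged-on user's session, since checks 3 and 4 depend on that user's registry hive and token.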
All times are: Eastern Time (US & Canada)