
Blocking XP Service pack 3 - WSUS 2.0 in use

Barkley Bees - 22 Jul 2008 06:53 GMT
We are using WSUS 2.0 SP1 to distribute security patches internally. We have
restricted the allowed classifications to "Critical Updates" and "Security
Updates" (no Service Packs) so this would prevent XP Service Pack 3 from
being installed via WSUS.

My concern is laptop computers that leave the office and connect to the
Internet (and to our network by VPN). Will these PC's receive Automatic
updates from Microsoft that are not part of our WSUS policy? We have a Group
Policy set for clients to point to our WSUS server to auto-download and
install patches. Will this GPO prevent the clients from getting the updates
directly from Microsoft via AU when they are connected to the Internet (I'm
hoping so).

Another point is that currently when our users manually run
Windows/Microsoft Update they, of course, go directly to Microsoft and can
get any/all patches, service packs available from Microsoft. Is there any way
to configure it so clients that run Windows Update will instead be directed
to the WSUS server for our approved list of updates? I'm guessing not.

If we wish to use the SPBlockerToolKit
(http://www.microsoft.com/Downloads/details.aspx?FamilyID=d7c9a07a-5267-4bd6-87d0-e2a72099edb7&displaylang=en)
to prevent users from getting XP SP3 via Windows Update, is there any
conflict/potential issues with WSUS? Thank you.
Florian Frommherz [MVP] - 22 Jul 2008 07:44 GMT
Howdie!

> My concern is laptop computers that leave the office and connect to the
> Internet (and to our network by VPN). Will these PC's receive Automatic
[quoted text clipped - 3 lines]
> directly from Microsoft via AU when they are connected to the Internet (I'm
> hoping so).

If WSUS is configured, people cannot manually download and install
Service Packs and Updates via Windows Updates. That's forbidden if
you're on WSUS with Group Policy.

> If we wish to use the SPBlockerToolKit
> (http://www.microsoft.com/Downloads/details.aspx?FamilyID=d7c9a07a-5267-4bd6-87d0-e2a72099edb7&displaylang=en)
> to prevent users from getting XP SP3 via Windows Update, is there any
> conflict/potential issues with WSUS? Thank you.

There's an ADM template in the package you can extract and import. It
basically blocks the installation of SP3. You can, once you want to
install SP3 on the machines, disable the policy/revert it back to
"normal" and deploy SP3 via WSUS.

cheers,

Florian

Microsoft MVP - Group Policy
eMail: prename [at] frickelsoft [dot] net.
blog: http://www.frickelsoft.net/blog.
Maillist (german): http://frickelsoft.net/cms/index.php?page=mailingliste

Massimo Rosen - 22 Jul 2008 11:01 GMT
Hi,

> Howdie!
>
[quoted text clipped - 9 lines]
> Service Packs and Updates via Windows Updates. That's forbidden if
> you're on WSUS with Group Policy.

That's incorrect, they are two completely separate policies. Simply
configuring WSUS via a GPO does nothing to stop users from *manually*
downloading patches via the windows update website. That, however, *can*
be forbidden too with a different GPO.

So the answer for the OP is: No, they will not download anything
*automatically*. But they can do it manually, unless you've forbidden it
and locked that down.

CU,
Massimo
Harry Johnston [MVP] - 22 Jul 2008 22:54 GMT
> So the answer for the OP is: No, they will not download anything
> *automatically*. But they can do it manually, unless you've forbidden it
> and locked that down.

 ... and remember you can't actually lock it down to the point where the users
can't bypass it if they're determined, except by not giving them administrator
accounts in the first place (in which case there's no problem).

  Harry.
Barkley Bees - 23 Jul 2008 02:24 GMT
> Hi,
>
[quoted text clipped - 26 lines]
> CU,
> Massimo

Thanks for the reply Massimo. I realize we cannot stop users from
downloading and installing the SP's manually until we remove their local
admin rights (which we are in the process of planning for) but ahead of
that, I assume then that the best way to ensure they don't get the SP via
Windows Update would be to simply add the (NoSPupdate.adm) template to our
GPO and enable it...correct?

1. Automatic Updates - safe via GPO with clients pointed to internal WSUS.
2. Windows Update - block via GPO "NoSPupdate.adm".
3. Manual install - cannot prevent until users have admin rights removed.
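
As an added example (not part of the thread and not Microsoft's tooling), this PowerShell function reports which of the three layers in the summary above are in place on a client. Assumptions: the registry value names are the standard Windows Update policy locations, `DoNotAllowSP` is the value set by the Service Pack Blocker template, the per-user "remove access" value is one candidate for the separate GPO mentioned in the thread (the thread does not name it), and the sample server name is constructed.

```powershell
# Added example: report which update-control layers are present on a client.
# Registry value names are assumptions (see lead-in); verify against your ADM files.
$WU     = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$UserWU = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\WindowsUpdate'

function Get-PolicyValue([string]$Path, [string]$Name) {
    # Returns nothing when the key or value is absent (policy not configured).
    $p = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($p) { $p.$Name }
}

function New-Check([string]$Layer, $InPlace, [string]$Note) {
    [pscustomobject]@{ Layer = $Layer; InPlace = [bool]$InPlace; Note = $Note }
}

function Test-UpdateLockdown([hashtable]$s) {
    # Layer 1: Automatic Updates must be told to use the intranet server AND given its URL.
    New-Check '1. Automatic Updates -> WSUS' ($s.UseWUServer -eq 1 -and $s.WUServer) "WUServer = $($s.WUServer)"
    # Layer 2: the blocker template stops SP delivery via AU / Windows Update only.
    New-Check '2. SP blocked on Windows Update' ($s.DoNotAllowSP -eq 1) 'NoSPupdate.adm'
    # Layer 2b: a separate per-user policy; pointing AU at WSUS does not imply it.
    New-Check '2b. Windows Update access removed' ($s.DisableWindowsUpdateAccess -eq 1) 'separate GPO'
    # Layer 3: a local administrator can still install the SP package by hand.
    New-Check '3. No local admin rights' (-not $s.IsLocalAdmin) 'manual install needs admin'
}

function Get-LiveSettings {
    $id    = [Security.Principal.WindowsIdentity]::GetCurrent()
    $admin = (New-Object Security.Principal.WindowsPrincipal $id).IsInRole(
                 [Security.Principal.WindowsBuiltInRole]::Administrator)
    @{
        UseWUServer                = Get-PolicyValue "$WU\AU" 'UseWUServer'
        WUServer                   = Get-PolicyValue $WU 'WUServer'
        DoNotAllowSP               = Get-PolicyValue $WU 'DoNotAllowSP'
        DisableWindowsUpdateAccess = Get-PolicyValue $UserWU 'DisableWindowsUpdateAccess'
        IsLocalAdmin               = $admin   # with UAC, true only when elevated
    }
}

# Constructed sample: WSUS GPO applied, blocker not yet deployed, user is local admin.
$sample = @{ UseWUServer = 1; WUServer = 'http://wsus.example.internal'
             DoNotAllowSP = $null; DisableWindowsUpdateAccess = $null; IsLocalAdmin = $true }
Test-UpdateLockdown $sample | Format-Table -AutoSize

# On a Windows client, evaluate the live policy state as well.
if ($env:OS -eq 'Windows_NT') { Test-UpdateLockdown (Get-LiveSettings) | Format-Table -AutoSize }
```
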
John - 23 Jul 2008 00:32 GMT
> If WSUS is configured, people cannot manually download and install Service
> Packs and Updates via Windows Updates.

I've been doing that without any problem. Btw I am the administrator.

> That's forbidden if you're on WSUS with Group Policy.

Forbidden? Who forbids it? Yes, I have Automatic Updates set thru GPO.

> There's an ADM template in the package you can extract and import. It
> basically blocks the installation of SP3. You can, once you want to
> install SP3 on the machines, disable the policy/revert it back to "normal"
> and deploy SP3 via WSUS.

Or don't give anyone administrative permission (which is what everyone
should be doing). Problem solved.