Blocking XP Service pack 3 - WSUS 2.0 in use

Barkley Bees

We are using WSUS 2.0 SP1 to distribute security patches internally. We have
restricted the allowed classifications to "Critical Updates" and "Security
Updates" (no Service Packs) so this would prevent XP Service Pack 3 from
being installed via WSUS.

My concern is laptop computers that leave the office and connect to the
Internet (and to our network by VPN). Will these PCs receive Automatic
updates from Microsoft that are not part of our WSUS policy? We have a Group
Policy set for clients to point to our WSUS server to auto-download and
install patches. Will this GPO prevent the clients from getting the updates
directly from Microsoft via AU when they are connected to the Internet (I'm
hoping so).

Another point is that currently when our users manually run
Windows/Microsoft Update they, of course, go directly to Microsoft and can
get any/all patches, service packs available from Microsoft. Is there any way
to configure it so clients that run Windows Update will instead be directed
to the WSUS server for our approved list of updates? I'm guessing not.

If we wish to use the SPBlockerToolKit
(http://www.microsoft.com/Downloads/...7a-5267-4bd6-87d0-e2a72099edb7&displaylang=en)
to prevent users from getting XP SP3 via Windows Update, is there any
conflict/potential issues with WSUS? Thank you.
 
Howdie!

Barkley said:
My concern is laptop computers that leave the office and connect to the
Internet (and to our network by VPN). Will these PCs receive Automatic
updates from Microsoft that are not part of our WSUS policy? We have a Group
Policy set for clients to point to our WSUS server to auto-download and
install patches. Will this GPO prevent the clients from getting the updates
directly from Microsoft via AU when they are connected to the Internet (I'm
hoping so).

If WSUS is configured, people cannot manually download and install
Service Packs and Updates via Windows Updates. That's forbidden if
you're on WSUS with Group Policy.

Barkley said:
If we wish to use the SPBlockerToolKit
(http://www.microsoft.com/Downloads/...7a-5267-4bd6-87d0-e2a72099edb7&displaylang=en)
to prevent users from getting XP SP3 via Windows Update, is there any
conflict/potential issues with WSUS? Thank you.

There's an ADM template in the package you can extract and import. It
basically blocks the installation of SP3. You can, once you want to
install SP3 on the machines, disable the policy/revert it back to
"normal" and deploy SP3 via WSUS.

cheers,

Florian
 
Hi,

Florian Frommherz said:
Howdie!



If WSUS is configured, people cannot manually download and install
Service Packs and Updates via Windows Updates. That's forbidden if
you're on WSUS with Group Policy.

That's incorrect, they are two completely separate policies. Simply
configuring WSUS via a GPO does nothing to stop users from *manually*
downloading patches via the windows update website. That, however, *can*
be forbidden too with a different GPO.

So the answer for the OP is: No, they will not download anything
*automatically*. But they can do it manually, unless you've forbidden it
and locked that down.

CU,
Massimo
 
Massimo said:
So the answer for the OP is: No, they will not download anything
*automatically*. But they can do it manually, unless you've forbidden it
and locked that down.

... and remember you can't actually lock it down to the point where the users
can't bypass it if they're determined, except by not giving them administrator
accounts in the first place (in which case there's no problem).

Harry.
 
Florian Frommherz said:
If WSUS is configured, people cannot manually download and install Service
Packs and Updates via Windows Updates.

I've been doing that without any problem. Btw I am the administrator.

Florian Frommherz said:
That's forbidden if you're on WSUS with Group Policy.

Forbidden? Who forbids it? Yes, I have Automatic Updates set thru GPO.

Florian Frommherz said:
There's an ADM template in the package you can extract and import. It
basically blocks the installation of SP3. You can, once you want to
install SP3 on the machines, disable the policy/revert it back to "normal"
and deploy SP3 via WSUS.

Or don't give anyone administrative permission (which is what everyone
should be doing). Problem solved.
 
Massimo Rosen said:
Hi,



That's incorrect, they are two completely separate policies. Simply
configuring WSUS via a GPO does nothing to stop users from *manually*
downloading patches via the windows update website. That, however, *can*
be forbidden too with a different GPO.

So the answer for the OP is: No, they will not download anything
*automatically*. But they can do it manually, unless you've forbidden it
and locked that down.

CU,
Massimo

Thanks for the reply Massimo. I realize we cannot stop users from
downloading and installing the SPs manually until we remove their local
admin rights (which we are in the process of planning for) but ahead of
that, I assume then that the best way to ensure they don't get the SP via
Windows Update would be to simply add the (NoSPupdate.adm) template to our
GPO and enable it...correct?

1. Automatic Updates - safe via GPO with clients pointed to internal WSUS.
2. Windows Update - block via GPO "NoSPupdate.adm".
3. Manual install - cannot prevent until users have admin rights removed.
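
An added example, not part of any post in this thread: a Python check that reads the text output of `reg query "HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate" /s` collected from a laptop and reports which of the controls discussed above are missing. Assumptions not stated in the thread: the service pack block is stored as the `DoNotAllowSP` value, the "different GPO" for the Windows Update site is taken to be `DisableWindowsUpdateAccess`, and the WSUS host name and sample output are constructed.

```python
import re

# A value line in `reg query` output: indent, name, type, data.
# Key-path lines start in column 0 and are skipped by the leading \s+.
VALUE_LINE = re.compile(r"^\s+(\S+)\s+(REG_\w+)\s+(.*\S)\s*$")

# Constructed sample output (host name is a placeholder, not from the thread).
SAMPLE_LAPTOP = r"""
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate
    WUServer    REG_SZ    http://wsus.example.internal
    WUStatusServer    REG_SZ    http://wsus.example.internal
    DoNotAllowSP    REG_DWORD    0x1

HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\AU
    UseWUServer    REG_DWORD    0x1
    AUOptions    REG_DWORD    0x4
"""

def parse_reg_query(text):
    """Flatten the key and its AU subkey into {lowercased value name: data}."""
    values = {}
    for line in text.splitlines():
        m = VALUE_LINE.match(line)
        if not m:
            continue
        name, kind, data = m.groups()
        values[name.lower()] = int(data, 16) if kind == "REG_DWORD" else data
    return values

def audit(text):
    """Return a list of findings; an empty list means all three values are set."""
    v = parse_reg_query(text)
    findings = []
    if v.get("usewuserver") != 1 or not v.get("wuserver"):
        findings.append("Automatic Updates is not pointed at an internal WSUS server")
    if v.get("donotallowsp") != 1:
        findings.append("Service pack block (NoSPupdate.adm) is not set")
    if v.get("disablewindowsupdateaccess") != 1:
        findings.append("Windows Update site access is not disabled by policy")
    # Manual installs by local administrators cannot be detected from these
    # values; an administrator can also change the values themselves.
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_LAPTOP):
        print("FINDING:", finding)
```
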
 