Hmm. The GPO settings are normally just for setting when the updates
are downloaded and installed. If the computer is off at the scheduled
time, updates are downloaded on the next network connection but are not
automatically installed.
Which in some cases is a good thing because the install would interrupt
computer use during presentations and you'd get that annoying window
that pops up every 10 minutes saying "Updates have been installed.
Restart now or Later." and there's no button that says Later, no leave
me alone.
You have to kill wuauclt to get the message to go away. Not a big
problem at work, but annoying as hell when I'm at home and it pops up
in the middle of a game.
What I'd *really* like is a "download auto, do not install" that
works, i.e. stores the updates in a form I can find and apply at any
time, without nagging to install them or installing them on shutdown
unless I "click the small print link to shutdown without installing".
The present SP2 logic applies so much UI pressure to install, that I'm
tempted to retreat to "notify, do not download or install", and that
means I might have to mission around the update site to find what I
need and download manually. I'm quite likely to lapse on that.
The ideal UI for "download auto, do not install" would store
downloaded updates in the location of my choosing (i.e. in my case, a
subdir within HD volume F) with a GUI front-end that lists them,
indicates whether they're installed, and has links to the /kb article
associated with each. There, I could checkbox a bunch of them to
either install, or export to USB or CDR etc.
If I export to USB, CDR etc. it would create a GUI front-end that goes
with them, that is also checkboxable, and that will install them in
the correct sequence. I could use that on arbitrary PCs, or my own PC
should I ever need to "just" re-install Windows, and so lose patches.
Each patch would be in a form that is tamper-resistant; no infectable
code (so both these and the GUI front-end would not be .EXE), and some
way of determining the integrity. There'd also be a copy of the
relevant /kb documentation within each (plain text is "cheap") that
the GUI could display, even when dealing with loose patches.
The code that operates on these would be within the system applying
the patches, not bouncing around with the patches themselves.
That leaves one conundrum; what to compare with, when it comes to
integrity checking. If the comparison data is with the patch, it can
be co-spoofed by malware invading or faking the patch. If it's on the
'net, I can't get it if offline, and malware could spoof the DNS to
redirect me to fake integrity data.
Perhaps a private/public key infrastructure would be useful here?
If serious about getting ppl to patch, that IMO is how to do it. If
you'd rather be anal about licensing, well... we reap what you sow.
-- Risk Management is the clue that asks:
"Why do I keep open buckets of petrol next to all the
ashtrays in the lounge, when I don't even have a car?"
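The post's closing conundrum (where to keep the integrity reference data so that neither the patch bundle nor the network can be the thing that vouches for itself) is what a detached signature over a patch manifest solves. The following is an added example, not code from the poster or from any Windows Update component: it sketches the design the post asks for using Go's standard-library Ed25519 as the "private/public key infrastructure". The publisher signs a manifest of SHA-256 digests; the installing system carries the pinned public key and does all the checking, so the patches and manifest can travel on USB or CD as inert data and be verified offline. The patch contents, KB text, and the key pair generated in `newDemoKeys` are constructed for the demonstration; a real installer would have the publisher's public key compiled into it rather than generating one at run time.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"sort"
	"strings"
)

// Patch is a downloaded update held purely as data: the payload bytes plus
// the KB text a front-end could display. Nothing in the bundle executes.
type Patch struct {
	Name  string
	Body  []byte
	KBDoc string
}

// newDemoKeys stands in for the publisher's key pair (constructed for this
// example; in practice the public half is pinned inside the installer).
func newDemoKeys() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// samplePatches returns constructed sample patches; each call yields fresh
// byte slices so callers can tamper with one copy without affecting another.
func samplePatches() []Patch {
	return []Patch{
		{Name: "KB111111", Body: []byte("payload of patch one"), KBDoc: "Fixes issue one (constructed text)."},
		{Name: "KB222222", Body: []byte("payload of patch two"), KBDoc: "Fixes issue two (constructed text)."},
	}
}

// buildManifest lists every patch with its SHA-256 digest, one line per
// patch in sorted order, so the same set of patches always yields the same
// bytes and therefore the same signature.
func buildManifest(patches []Patch) []byte {
	byName := map[string]Patch{}
	names := make([]string, 0, len(patches))
	for _, p := range patches {
		byName[p.Name] = p
		names = append(names, p.Name)
	}
	sort.Strings(names)
	var sb strings.Builder
	for _, n := range names {
		sum := sha256.Sum256(byName[n].Body)
		fmt.Fprintf(&sb, "%s %s\n", hex.EncodeToString(sum[:]), n)
	}
	return []byte(sb.String())
}

// signManifest is the publisher side; it runs where the private key lives,
// never on the machine being patched.
func signManifest(priv ed25519.PrivateKey, manifest []byte) []byte {
	return ed25519.Sign(priv, manifest)
}

// verifyBundle is the installer side. The signature binds the manifest to
// the pinned public key, and the manifest binds each patch to its digest, so
// a patch or manifest altered on the media is rejected without any network
// lookup. Patches absent from the signed manifest are refused as well.
func verifyBundle(pub ed25519.PublicKey, manifest, sig []byte, patches []Patch) error {
	if !ed25519.Verify(pub, manifest, sig) {
		return fmt.Errorf("manifest signature invalid")
	}
	expected := map[string]string{}
	for _, line := range strings.Split(strings.TrimSpace(string(manifest)), "\n") {
		parts := strings.SplitN(line, " ", 2)
		if len(parts) != 2 {
			return fmt.Errorf("malformed manifest line %q", line)
		}
		expected[parts[1]] = parts[0]
	}
	for _, p := range patches {
		want, ok := expected[p.Name]
		if !ok {
			return fmt.Errorf("patch %s is not listed in the signed manifest", p.Name)
		}
		sum := sha256.Sum256(p.Body)
		if hex.EncodeToString(sum[:]) != want {
			return fmt.Errorf("patch %s digest mismatch", p.Name)
		}
	}
	return nil
}

func main() {
	pub, priv := newDemoKeys()
	patches := samplePatches()
	manifest := buildManifest(patches)
	sig := signManifest(priv, manifest)
	fmt.Println("intact bundle:", verifyBundle(pub, manifest, sig, patches))
	patches[1].Body[0] ^= 0xff // simulate a patch altered on the media
	fmt.Println("tampered bundle:", verifyBundle(pub, manifest, sig, patches))
}
```

Because the verifying code and the public key live in the installing system rather than in the bundle, an attacker who can rewrite the media has to forge an Ed25519 signature, not merely edit a checksum file sitting next to the patches; and because nothing is fetched at verification time, a spoofed DNS answer has nothing to redirect.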