SP2 downloading from Windows Update in spite of GPO

We have had this policy in place since 09/09/04 with no problem
(http://www.microsoft.com/downloads/d...displaylang=en)
We noticed SP2 downloads thru auto update since 03/09/05 and we have had to
block Windows Update sites to prevent Sp2 from installing with the default
configuration. I'm rolling out SP2 right now with a custom firewall inf to
over 2000 pc's with SMS2003, I cannot support a uncontrolled SP2 update. My
rollout is being done on a schedule where I can respond to failures rapidly,
these wildfire installs of SP2 are taxing my helpdesk resources and this
issue needs to be addressed.
I have two calls into MS now and have recieved no response.
SRZ0500310002770 and SRX050310601939. HELP!

I just ran a SMS report for the file xpsp2.exe in this directory (C:\Program
Files\WindowsUpdate\wuaudnld.tmp\cabs\com_microsof t.xp_sp_2\) there are 813
pc's listed..........


"jeff" wrote:

> We have had this policy in place since 09/09/04 with no problem
> (http://www.microsoft.com/downloads/d...displaylang=en)
> We noticed SP2 downloads thru auto update since 03/09/05 and we have had to
> block Windows Update sites to prevent Sp2 from installing with the default
> configuration. I'm rolling out SP2 right now with a custom firewall inf to
> over 2000 pc's with SMS2003, I cannot support a uncontrolled SP2 update. My
> rollout is being done on a schedule where I can respond to failures rapidly,
> these wildfire installs of SP2 are taxing my helpdesk resources and this
> issue needs to be addressed.
> I have two calls into MS now and have recieved no response.
> SRZ0500310002770 and SRX050310601939. HELP!
>

I'm getting that "redheaded stepchild" feeling. At least tell me I'm full of
CRAP!


"jeff" wrote:

> I just ran a SMS report for the file xpsp2.exe in this directory (C:\Program
> Files\WindowsUpdate\wuaudnld.tmp\cabs\com_microsof t.xp_sp_2\) there are 813
> pc's listed..........
>
>
> "jeff" wrote:
>
> > We have had this policy in place since 09/09/04 with no problem
> > (http://www.microsoft.com/downloads/d...displaylang=en)
> > We noticed SP2 downloads thru auto update since 03/09/05 and we have had to
> > block Windows Update sites to prevent Sp2 from installing with the default
> > configuration. I'm rolling out SP2 right now with a custom firewall inf to
> > over 2000 pc's with SMS2003, I cannot support a uncontrolled SP2 update. My
> > rollout is being done on a schedule where I can respond to failures rapidly,
> > these wildfire installs of SP2 are taxing my helpdesk resources and this
> > issue needs to be addressed.
> > I have two calls into MS now and have recieved no response.
> > SRZ0500310002770 and SRX050310601939. HELP!
> >

> wildfire installs of SP2

If the update is only downloading what is the problem?
It can't install automatically because there is an EULA
which AFAIK has to be accepted by an Administrator.

BTW if you are using SMS how does WU become involved?
Have you tried posting to an SMS newsgroup instead?
Perhaps there is more discussion of this issue there?
Alternatively use SUS to take control of what is offered.
Then see a SUS newsgroup.


Good luck

Robert Aldwinckle
---


"jeff" <> wrote in message news:A21E8AD1-69A1-414A-B17A-...
> We have had this policy in place since 09/09/04 with no problem
> (http://www.microsoft.com/downloads/d...displaylang=en)
> We noticed SP2 downloads thru auto update since 03/09/05 and we have had to
> block Windows Update sites to prevent Sp2 from installing with the default
> configuration. I'm rolling out SP2 right now with a custom firewall inf to
> over 2000 pc's with SMS2003, I cannot support a uncontrolled SP2 update. My
> rollout is being done on a schedule where I can respond to failures rapidly,
> these wildfire installs of SP2 are taxing my helpdesk resources and this
> issue needs to be addressed.
> I have two calls into MS now and have recieved no response.
> SRZ0500310002770 and SRX050310601939. HELP!
>

Hey Robert, thanks for the reply, we also use SUS which modifies
the registry to allow non administrators to run security patches.
We have been lucky that our user base isn't very attentive and only 300
or so out of 2000 clicked the install button, but 3/9 and 3/10 were
VERY busy days for helpdesk staff anyway. The reason I posted here
is we think this is related to the 2nd Tuesday MS schedule and that they
expired the the policy to block downloads of SP2 a month early. It would
be nice if a MS staffer would confirm or deny our theory.

"Robert Aldwinckle" wrote:

> > wildfire installs of SP2
>
> If the update is only downloading what is the problem?
> It can't install automatically because there is an EULA
> which AFAIK has to be accepted by an Administrator.
>
> BTW if you are using SMS how does WU become involved?
> Have you tried posting to an SMS newsgroup instead?
> Perhaps there is more discussion of this issue there?
> Alternatively use SUS to take control of what is offered.
> Then see a SUS newsgroup.
>
>
> Good luck
>
> Robert Aldwinckle
> ---
>
>
> "jeff" <> wrote in message news:A21E8AD1-69A1-414A-B17A-...
> > We have had this policy in place since 09/09/04 with no problem
> > (http://www.microsoft.com/downloads/d...displaylang=en)
> > We noticed SP2 downloads thru auto update since 03/09/05 and we have had to
> > block Windows Update sites to prevent Sp2 from installing with the default
> > configuration. I'm rolling out SP2 right now with a custom firewall inf to
> > over 2000 pc's with SMS2003, I cannot support a uncontrolled SP2 update. My
> > rollout is being done on a schedule where I can respond to failures rapidly,
> > these wildfire installs of SP2 are taxing my helpdesk resources and this
> > issue needs to be addressed.
> > I have two calls into MS now and have recieved no response.
> > SRZ0500310002770 and SRX050310601939. HELP!
> >
>
>
>

"jeff" <> wrote in message
news:4604F50F-B5CF-4902-A953-
....
> "Robert Aldwinckle" wrote:
>> If the update is only downloading what is the problem?
>> It can't install automatically because there is an EULA
>> which AFAIK has to be accepted by an Administrator.

> Hey Robert, thanks for the reply, we also use SUS which modifies
> the registry to allow non administrators to run security patches.

Ouch.

> We have been lucky that our user base isn't very attentive and only 300
> or so out of 2000 clicked the install button, but 3/9 and 3/10 were
> VERY busy days for helpdesk staff anyway. The reason I posted here
> is we think this is related to the 2nd Tuesday MS schedule and that they
> expired the the policy to block downloads of SP2 a month early. It would
> be nice if a MS staffer would confirm or deny our theory.

Have you checked the logs of the machines where this has occurred?
Perhaps the date on them is wrong? (I have no idea what the implementation
of this procedure is but if, for example, the code is already installed,
just waiting for the expiry date, on machines which are already ostensibly
past the expiry date the download would be allowed.) On second thought
it probably is a bit far-fetched to think that *many* machines would have
the same problem at the same time (unless they all shared a common
time server that was causing the problem <eg>).

Otherwise my (speculative) idea for SMS would be that perhaps you could
create a registry file based on what happens if you manually decline that update
and then ship that registry file to your other users, hence making it appear
that they all have declined the update. Then you would have to deal with
the case of the user could clear that by clicking on (e.g.)
Offer updates again that I have previously hidden
(bottom of the Automatic Updates dialog, via Run... control wuaucpl.cpl)
but perhaps that is controllable by a policy setting? Etc.


Good luck

Robert
---

We have done several things with scripts and GP to mitigate
the issues caused by this "unknown". MS has responded twice
to the cases I opened, once to close the first case and the second
time to tell me to call them, which I will do Monday.

The central issue is our staff spent months testing applications and
developing
a firewall policy that will work with well over 100 different vendors
and applications, some of which are extremely expensive and vital to
to Research, Patient Care and Educational programs on our campus.
Then to have hundreds of workstations install with a default firewall config
is a bit fustrating, to say nothing of the problems our users had with
applications. I really want to source this issue, as we are not finding
anything
that definitely points to a problem on our site, so the possiblilty that WU is
the source needs to be addressed and/or eliminated. We are in a enviroment
that requires that we know what is going on and to not "know" what caused this
puts my dept. in a defensive/reactive condition instead of the proactive
situation that we prefer.

"Robert Aldwinckle" wrote:

>
> "jeff" <> wrote in message
> news:4604F50F-B5CF-4902-A953-
> ....
> > "Robert Aldwinckle" wrote:
> >> If the update is only downloading what is the problem?
> >> It can't install automatically because there is an EULA
> >> which AFAIK has to be accepted by an Administrator.
>
> > Hey Robert, thanks for the reply, we also use SUS which modifies
> > the registry to allow non administrators to run security patches.
>
> Ouch.
>
> > We have been lucky that our user base isn't very attentive and only 300
> > or so out of 2000 clicked the install button, but 3/9 and 3/10 were
> > VERY busy days for helpdesk staff anyway. The reason I posted here
> > is we think this is related to the 2nd Tuesday MS schedule and that they
> > expired the the policy to block downloads of SP2 a month early. It would
> > be nice if a MS staffer would confirm or deny our theory.
>
> Have you checked the logs of the machines where this has occurred?
> Perhaps the date on them is wrong? (I have no idea what the implementation
> of this procedure is but if, for example, the code is already installed,
> just waiting for the expiry date, on machines which are already ostensibly
> past the expiry date the download would be allowed.) On second thought
> it probably is a bit far-fetched to think that *many* machines would have
> the same problem at the same time (unless they all shared a common
> time server that was causing the problem <eg>).
>
> Otherwise my (speculative) idea for SMS would be that perhaps you could
> create a registry file based on what happens if you manually decline that update
> and then ship that registry file to your other users, hence making it appear
> that they all have declined the update. Then you would have to deal with
> the case of the user could clear that by clicking on (e.g.)
> Offer updates again that I have previously hidden
> (bottom of the Automatic Updates dialog, via Run... control wuaucpl.cpl)
> but perhaps that is controllable by a policy setting? Etc.
>
>
> Good luck
>
> Robert
> ---
>
>
>