samba - Feb 2005 - Windows update

Hi!
How do you guys solve windows security updates? Is there a way to force windows
computers to be updated. Even more flexible is if one can update windows through
login script.

Peter Nyberg
Institutionen f?r Biokemi och Biofysik (DBB)
Sv.Arrhenius v?gen 12
106 91 Stockholm
Tel: 08-16 24 69
Mobil: 070 339 24 69
Fax 08 153679

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi Peter,
look at http://www.susserver.com/
here you will find good info about hosting a sus server
or/and forcing win updates
Best Regards

Peter Nyberg schrieb:
| Hi!
| How do you guys solve windows security updates? Is there a way to
force windows
| computers to be updated. Even more flexible is if one can update
windows through
| login script.
|
| Peter Nyberg
| Institutionen f?r Biokemi och Biofysik (DBB)
| Sv.Arrhenius v?gen 12
| 106 91 Stockholm
| Tel: 08-16 24 69
| Mobil: 070 339 24 69
| Fax 08 153679
|
|
|
|
|

- --
Mit freundlichen Gruessen
Best Regards
Robert Schetterer

robert_at_schetterer.org
Munich / Bavaria / Germany
https://www.schetterer.org

\**********************************
\* gnupgp
\* public key:
\* https://www.schetterer.org/public.key
\**********************************
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.5 (MingW32)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQFCEc+j+Jw+56iSjEkRAoWhAJ4tO4JCH8UTeYi87HrxjTsNJnzpYgCgks3V
n9wgL/xllF7Cx4KQ5HFzhHE=U7W8
-----END PGP SIGNATURE-----

Hi Robert,
For this to work you must have AD, right?
And what if the machines are in a pure Samba+OpenLDAP environment?
Any ideas?

Best Regards,
Bruno Guerreiro

-----Original Message-----
From: Robert Schetterer [mailto:robert@schetterer.org]
Sent: ter?a-feira, 15 de Fevereiro de 2005 10:32
To: Peter Nyberg
Cc: samba@lists.samba.org
Subject: Re: [Samba] Windows update


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi Peter,
look at http://www.susserver.com/
here you will find good info about hosting a sus server
or/and forcing win updates
Best Regards

Peter Nyberg schrieb:
| Hi!
| How do you guys solve windows security updates? Is there a way to
force windows
| computers to be updated. Even more flexible is if one can update
windows through
| login script.
|
| Peter Nyberg
| Institutionen f?r Biokemi och Biofysik (DBB)
| Sv.Arrhenius v?gen 12
| 106 91 Stockholm
| Tel: 08-16 24 69
| Mobil: 070 339 24 69
| Fax 08 153679
|
|
|
|
|

- --
Mit freundlichen Gruessen
Best Regards
Robert Schetterer

robert_at_schetterer.org
Munich / Bavaria / Germany
https://www.schetterer.org

\**********************************
\* gnupgp
\* public key:
\* https://www.schetterer.org/public.key
\**********************************
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.5 (MingW32)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQFCEc+j+Jw+56iSjEkRAoWhAJ4tO4JCH8UTeYi87HrxjTsNJnzpYgCgks3V
n9wgL/xllF7Cx4KQ5HFzhHE=U7W8
-----END PGP SIGNATURE-----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi Bruno,
no you dont need Ad,
you can host a sus server on a win 2000 machine with
a repacked pack ( normal you need a win 2000 server to install ) and use
policies to make the needed entries
to all win clients in your smb domain.
The funktion in principal to force win update is simply to
stop the update service , make new entries to reg ( like update time ,
server etc )
and start it again, this would be able in workgroups too,
all the different stuff can be found
at http://www.susserver.com/
as well some tools which would help you to force it.
I did this on a few networks wich smb/ldap domains
and it works like charme.
I installed susserver on my laptop too, so i have all
updates right with me everytime.
On http://www.winfuture.de/ ( sorry i think german )
offline packs of all patches are released periodic to make it more
simple to setup plain xp/2000 winclients offline with all patches.
They are repacked to one big exe file.
There is a tool from the german magazin CT which does
a upgrade by win versions of wget and some scripts
http://www.heise.de/ct/ftp/projekte/offlineupdate/
With http://berns.cae.wisc.edu/files/wincdman/wincdman.html
you can make slipstream win2000/XP cd with varia patches allready
include to a windows setup cd.
Best Regards
Robert




Bruno Guerreiro schrieb:
| Hi Robert,
| For this to work you must have AD, right?
| And what if the machines are in a pure Samba+OpenLDAP environment?
| Any ideas?
|
| Best Regards,
| Bruno Guerreiro
|
| -----Original Message-----
| From: Robert Schetterer [mailto:robert@schetterer.org]
| Sent: ter?a-feira, 15 de Fevereiro de 2005 10:32
| To: Peter Nyberg
| Cc: samba@lists.samba.org
| Subject: Re: [Samba] Windows update
|
|
| Hi Peter,
| look at http://www.susserver.com/
| here you will find good info about hosting a sus server
| or/and forcing win updates
| Best Regards
|
| Peter Nyberg schrieb:
| | Hi!
| | How do you guys solve windows security updates? Is there a way to
| force windows
| | computers to be updated. Even more flexible is if one can update
| windows through
| | login script.
| |
| | Peter Nyberg
| | Institutionen f?r Biokemi och Biofysik (DBB)
| | Sv.Arrhenius v?gen 12
| | 106 91 Stockholm
| | Tel: 08-16 24 69
| | Mobil: 070 339 24 69
| | Fax 08 153679
| |
| |
| |
| |
| |
|

- --
Mit freundlichen Gruessen
Best Regards
Robert Schetterer

robert_at_schetterer.org
Munich / Bavaria / Germany
https://www.schetterer.org

\**********************************
\* gnupgp
\* public key:
\* https://www.schetterer.org/public.key
\**********************************
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.5 (MingW32)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQFCEd7I+Jw+56iSjEkRAmnbAJ969Wt0FPwa5ussmoLvisSdtK/IpQCfSkim
NRL1O2bP2b3JlLjB+Jp0SVM=4eHU
-----END PGP SIGNATURE-----

On Tue, 15 Feb 2005 12:36:40 +0100 Robert Schetterer
<robert@schetterer.org> wrote:

RS> Hi Bruno,
RS> no you dont need Ad,
RS> you can host a sus server on a win 2000 machine with
RS> a repacked pack ( normal you need a win 2000 server to install ) and use
RS> policies to make the needed entries
RS> to all win clients in your smb domain.
RS> The funktion in principal to force win update is simply to
RS> stop the update service , make new entries to reg ( like update time ,
RS> server etc )
RS> and start it again, this would be able in workgroups too,
RS> all the different stuff can be found
RS> at http://www.susserver.com/


You could use NTCONFIG.POL to push registry changes.
Here follows an adequate .adm file for use with poledit.


------------------------------------------------------------------------
CLASS MACHINE

CATEGORY "Windows Components"

 CATEGORY "Windows Update"
	KEYNAME "Software\Policies\Microsoft\Windows\WindowsUpdate\AU"
	
	POLICY "Configure Automatic Updates"
	   	VALUENAME "NoAutoUpdate"
       	VALUEOFF NUMERIC 1
		VALUEON NUMERIC 0
 
		PART "Configure automatic updating:" DROPDOWNLIST REQUIRED
		   VALUENAME "AUOptions"
		   ITEMLIST
			NAME "2 - Notify for download and notify for install"	VALUE NUMERIC
2
			NAME "3 - Auto download and notify for install"			VALUE NUMERIC	3
DEFAULT
			NAME "4 - Auto download and schedule the install"		VALUE NUMERIC	4 
		   END ITEMLIST
		END PART
	
		PART "The following settings are only required" TEXT
		END PART

		PART "and applicable if 4 is selected." TEXT
		END PART
		
		PART "Scheduled install day: " DROPDOWNLIST REQUIRED
		   VALUENAME "ScheduledInstallDay"
		   ITEMLIST
			NAME "0 - Every day"			VALUE NUMERIC	0 DEFAULT			
			NAME "1 - Every Sunday"			VALUE NUMERIC	1 
			NAME "2 - Every Monday"			VALUE NUMERIC	2 
			NAME "3 - Every Tuesday"		VALUE NUMERIC	3 
			NAME "4 - Every Wednesday"		VALUE NUMERIC	4 
			NAME "5 - Every Thursday"		VALUE NUMERIC	5 
			NAME "6 - Every Friday"			VALUE NUMERIC	6 
			NAME "7 - Every Saturday"		VALUE NUMERIC	7 
		   END ITEMLIST
		END PART
		
		PART "Scheduled install time:" DROPDOWNLIST REQUIRED
		   VALUENAME "ScheduledInstallTime"
		   ITEMLIST
			NAME "00:00"	VALUE NUMERIC	0 
			NAME "01:00"	VALUE NUMERIC	1
			NAME "02:00"	VALUE NUMERIC	2
			NAME "03:00"	VALUE NUMERIC	3 DEFAULT			
			NAME "04:00"	VALUE NUMERIC	4
			NAME "05:00"	VALUE NUMERIC	5
			NAME "06:00"	VALUE NUMERIC	6
			NAME "07:00"	VALUE NUMERIC	7
			NAME "08:00"	VALUE NUMERIC	8
			NAME "09:00"	VALUE NUMERIC	9
			NAME "10:00"	VALUE NUMERIC	10
			NAME "11:00"	VALUE NUMERIC	11
			NAME "12:00"	VALUE NUMERIC	12
			NAME "13:00"	VALUE NUMERIC	13
			NAME "14:00"	VALUE NUMERIC	14
			NAME "15:00"	VALUE NUMERIC	15
			NAME "16:00"	VALUE NUMERIC	16
			NAME "17:00"	VALUE NUMERIC	17
			NAME "18:00"	VALUE NUMERIC	18
			NAME "19:00"	VALUE NUMERIC	19
			NAME "20:00"	VALUE NUMERIC	20
			NAME "21:00"	VALUE NUMERIC	21
			NAME "22:00"	VALUE NUMERIC	22
			NAME "23:00"	VALUE NUMERIC	23
		   END ITEMLIST
		END PART
	
	END POLICY
	
	POLICY "Use corporate SUS server instead of Windows Update"

		KEYNAME "Software\Policies\Microsoft\Windows\WindowsUpdate"

		ACTIONLISTON
			KEYNAME "Software\Policies\Microsoft\Windows\WindowsUpdate\AU"
			VALUENAME "UseWUServer" 	VALUE NUMERIC 1
		END ACTIONLISTON

		PART "Set the intranet update service for detecting updates:"
EDITTEXT 	REQUIRED
		  VALUENAME "WUServer"
		END PART

		PART "Set the intranet statistics server:"	EDITTEXT 	REQUIRED
		  VALUENAME "WUStatusServer"
		END PART

		Part "(example: http://IntranetUpd01)" TEXT
		END PART

	END POLICY

	POLICY "Reschedule Automatic Updates scheduled installations"

		KEYNAME "Software\Policies\Microsoft\Windows\WindowsUpdate\AU"
		
		PART "Wait after system startup(minutes): " NUMERIC REQUIRED
			VALUENAME "RescheduleWaitTime"
			MIN 1 
			MAX 60 
			DEFAULT 5
		END PART
			
	END POLICY
	
	POLICY "No auto-restart for scheduled Automatic Updates
installations"

	KEYNAME "Software\Policies\Microsoft\Windows\WindowsUpdate\AU"
	
	  	VALUENAME "NoAutoRebootWithLoggedOnUsers"
	  	VALUEON  NUMERIC 1
	  	VALUEOFF NUMERIC 0

	END POLICY


 END CATEGORY
 
END CATEGORY
---------------------------------------------------------------------







-- 
Jean-Jacques   Moulis                              Tel:  (013) 281684
ISY                                                Fax:  (013) 139282
Link?ping University                            E-mail: jj@isy.liu.se
581 83 Link?ping

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

| Hi!
...
| login script.

The acronym for their update server is WUS?!?  That is even worse than
WinCE. ;-)


Jim C.
- --
- -----------------------------------------------------------------
| I can be reached on the following Instant Messenger services: |
|---------------------------------------------------------------|
| MSN: j_c_llings @ hotmail.com  AIM: WyteLi0n  ICQ: 123291844  |
|---------------------------------------------------------------|
| Y!: j_c_llings            Jabber: jcllings @ njs.netlab.cz	|
- -----------------------------------------------------------------
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.5 (MingW32)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQFCEiDw57L0B7uXm9oRAv5MAJ92bh+ROmA0JWJd/F0RvfJz4uoMYQCfQg2J
aFrifFY3PkGCCB20DcJL5k0=BvPm
-----END PGP SIGNATURE-----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi,
> For this to work you must have AD, right?
> And what if the machines are in a pure Samba+OpenLDAP environment?
> Any ideas?
Nope, you can use it in a Samba environment just like I'm doing here :)

No special setup is needed, just following the M$ instructions.

Cheers

- -------------
Kristyan Osborne - IT Technician
Longhill High School
01273 391672 / 304086

- ------
Computers are like airconditioners: They stop working properly if you open
windows.
Win95:       A 32-bit patch for a 16-bit GUI shell running on top of an
             8-bit operating system written for a 4-bit processor by a
             2-bit company who cannot stand 1 bit of competition.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (MingW32)

iD8DBQFCExI1qrr+KdRYU5gRAv1qAKC6ot/Q26xV9GHjyI3GZzUdJuAXpwCdEdkK
nc/BJDZUQlLaAJh5zjNa4CQ=YNoC
-----END PGP SIGNATURE-----