At this moment we are trying to implement patch mgmt at a customer site.

Most of the patches have no problems. But patches that have to download and use seem not to work on their Windows XP workstations.

People at Kaseya support tell me that for these kinds of patches the patch mgmt uses Windows Update methods and does not use the 'patch share' at the customer's site.

So I think we need some fine tuning of group policies:

- we have to prevent WU from patching the systems
- but too many limitations (by GPOs) can prevent the systems from accessing the CAB files

To prevent the systems from having no access to Windows Update resources on the web, we did this:

- running scripts on the workstations that set the proxy to the WebMarshal webproxy machine (proxycfg -d -p Marshal2:8082 "<local>;*.mydomain.local")
- set some bypasses to WU URLs in the WebMarshal webproxy software

I tried to install a failed Office (CAB) patch by downloading it on a machine using the WU website. When I was logged on as a normal user (restricted, not many rights on the machine) I got error # 0x8DDD0003. It says the administrator has restricted the access to WU.

We checked some WU/GPO settings (see a, b, and c):

a) http://tech.chitgoks.com/2010/02/18/solution-for-windows-update-0x8ddd0003-error/ "Turn off access to all Windows Update Features" was not configured. No restrictions were found in the GPs. But we set the entries to Disabled (in two policies).

b)

c)

So does anyone have experience with fine-tuning the GPO/WU settings?

Any suggestions?