out of date definintions, limited accounts, and WSUS/SUS servers

[Guest]

I haven't seen a definitive answer from Microsoft for these problems people
are having. Is this a confirmed bug?

Also, will the automated updates work in the following circumstances:

1) If the operator is using a limited user account.
2) If the computer is subscribed to a local SUS or WSUS server for its
updates.

thanks

 

[Bill Sanderson MVP]

Your second point is the cause of a great many of the "cannot update"
messages in these groups.

In fact, Windows Defender definition updates CAN BE offered by WSUS (but not
by SUS)--if the administrator goes through several configuration steps to
enable them.

First point is the same as with any other critical update offered via
AutoUpdate--I believe this can work via RunAs, but I haven't looked at what
happens in detail. I do have an office that runs as limited users, but each
employee also knows the administrator password, and uses it when needed.

In all the cases you cite, the behavior is the same as with any other
critical update offered via Windows Update and AutoUpdate.

There are some failures that are (relatively) unique to Windows
Defender--the incomplete/repeating offer syndrome, for example. However,
much of the gnashing of teeth here is simply the change of mechanism between
beta1 and beta2. There are lots of folks on corporate networks running an
app that isn't approved for their environment, that are now upset because
the update path is blocked--as it should be, by corporate policy.

 

[Gary Flynn]

Your second point is the cause of a great many of the "cannot update"
messages in these groups.

In fact, Windows Defender definition updates CAN BE offered by WSUS (but not
by SUS)--if the administrator goes through several configuration steps to
enable them.

My bad. I assumed the WD updates wouldn't be carried in WSUS since
it is classified as a "consumer product". I didn't even look. I just
went in and approved the signature updates through WSUS so we'll
see what happens.

First point is the same as with any other critical update offered via
AutoUpdate--I believe this can work via RunAs, but I haven't looked at what
happens in detail. I do have an office that runs as limited users, but each
employee also knows the administrator password, and uses it when needed.

Automatic updates work with a non-administrator account because the
service has a high enough privilege. Runas is only needed when
doing a manual update through a visit to the Microsoft windows
update web site. So I expect the WD updates to work through WSUS even
if the operator is using an unprivileged account.

In all the cases you cite, the behavior is the same as with any other
critical update offered via Windows Update and AutoUpdate.

There are some failures that are (relatively) unique to Windows
Defender--the incomplete/repeating offer syndrome, for example. However,
much of the gnashing of teeth here is simply the change of mechanism between
beta1 and beta2. There are lots of folks on corporate networks running an
app that isn't approved for their environment, that are now upset because
the update path is blocked--as it should be, by corporate policy.

Thanks, Bill. I should have checked our WSUS server first.

 

[Bill Sanderson MVP]

There are a couple of different places you need to change things in
WSUS--there are messages in the public WSUS newsgroup, or in the .networks
groups here--giving more detail.


--