Windows XP Service Pack 2

Gary van Heerden

Let me start by saying that I totally support what you guys are doing, but I
have to ask if you have given proper consideration to what the effects are
going to be for large corporate environments...

Here in Africa bandwidth comes at a huge premium, and we simply can't afford
the amounts of bandwidth that you guys can, with a network of 10,000 users,
it is very very expensive.



By turning on auto update, or enforcing the decision to do this, you are
directly causing systems to go and be updated individually; this now means
that I have 10,000 clients connecting to Windows update and trying to
download the latest patch, let's use MS04-011 which is 6.5 Meg, and the
problem becomes unmanageable, my ISA server will cache the patch which
prevents it from traversing the Internet link, but it must now traverse my
WAN 9000 times.



We currently use SUS very effectively, and our WAN traffic is minimal due to
this apart from the traveling users that now pull their updates across the
WAN, DFS does not solve this problem for me, and if it can help I would like
to know how.



I am assuming that I can control this via GPO's and that I can override the
setting that the user chooses, however I have been burnt by GPO's already,
and have noticed that in my environment, Windows 2000 AD 2000 that many GPO
settings that are available with tools like GPMC which are 2003 tools
settings made have no effect.



I therefore have to ask if I make these GPO changes if they will actually
take effect on the XP desktops.



The next big concern I have is on the XP SP2 Firewall.

As stated above, I have no control over this with my 2000 GPO's and by
turning on the firewall in XP SP2 you are going to prevent management
systems like SMS from connecting to these devices that we are trying to
manage. I will be unable to even ping the device because by default ICMP is
turned off.

I will be unable to remotely manage these devices, and things like file
sharing, (which I consider a pain) will stop working, I am now going to be
inundated with helpdesk calls regarding allowing certain traffic types and
users are probably going to simply click the top option (because they don't
understand) which turns the rule off.



Very simply put, what tools are you putting at my disposal to manage this
environment, and protecting the users from themselves, as well as helping me
protect my WAN and the associated traffic level increases I am going to
see?



Thanks

Gary
 
Hi Gary

As you know - or perhaps don't know - SP2 is only at a 'Preview' stage.
This means that it shouldn't be installed onto any production PCs. Have you
read the appropriate articles:

"Windows XP Service Pack 2"
http://www.microsoft.com/technet/prodtechnol/winxppro/sp2preview.mspx

"Welcome to Windows XP SP2 Technical Preview Newsgroups"
http://communities.microsoft.com/newsgroups/default.asp?icp=xpsp2&slcid=us

--

Will Denny
MS-MVP Windows - Shell/User


 
You should be posting SP 2 feedback to the SP 2 newsgroups.

Each point of concern you have mentioned is taken into account
in the planned SP 2 release. There are updates to adm files for
control of the autoupdate and firewall features in SP 2. You will
be able to continue use of your SUS. Once WUS releases you
will have improved control and reporting of update delivery also.

When you are editing a GPO you must pay attention to the policy
annotations that state to what client OS version the policy is
applicable. All W2k policies work everywhere, but there are XP
policies that do not work (nor do harm) on W2k, and also W2k3
policies that do not work (nor do harm) on W2k or XP.

It sounds to me like you should get comfortable with using GPO
as this is the vehicle for controlling XP SP 2 features in a corp
world. If you have not yet, you should start using GPMC also.
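
The reply above says the autoupdate and firewall features are controlled through Group Policy. One way to confirm on an XP SP2 client that those settings actually arrived, as an added example that is not part of the original thread: it assumes the registry locations written by the Windows Update and Windows Firewall administrative templates (the thread does not name them), and the expected values are an example baseline, not the poster's configuration.

```powershell
# Added example: read-only check of policy-delivered registry values.
# Nothing on the client is changed.
$wu = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$fw = 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile'

# Want = $null means "any non-empty value" (the SUS server URL is site-specific).
# The firewall entries cover the concerns raised in the thread: ping (ICMP echo)
# and remote management. Whether they should be 1 is a site decision.
$checks = @(
    @{ Key = $wu;                       Name = 'WUServer';                Want = $null },
    @{ Key = $wu;                       Name = 'WUStatusServer';          Want = $null },
    @{ Key = "$wu\AU";                  Name = 'UseWUServer';             Want = 1 },
    @{ Key = $fw;                       Name = 'EnableFirewall';          Want = 1 },
    @{ Key = "$fw\IcmpSettings";        Name = 'AllowInboundEchoRequest'; Want = 1 },
    @{ Key = "$fw\RemoteAdminSettings"; Name = 'Enabled';                 Want = 1 }
)

$results = foreach ($c in $checks) {
    $actual = $null
    if (Test-Path $c.Key) {
        $item = Get-ItemProperty -Path $c.Key -ErrorAction SilentlyContinue
        if ($item -and ($item.PSObject.Properties.Name -contains $c.Name)) {
            $actual = $item.($c.Name)
        }
    }

    # MISSING  = the policy never reached this client (GPO not applied or filtered)
    # MISMATCH = a value is present but differs from the baseline above
    if ($null -eq $actual) {
        $state = 'MISSING'
    } elseif ($null -eq $c.Want -and "$actual" -ne '') {
        $state = 'OK'
    } elseif ($null -ne $c.Want -and $actual -eq $c.Want) {
        $state = 'OK'
    } else {
        $state = 'MISMATCH'
    }

    New-Object PSObject -Property @{
        State = $state; Name = $c.Name; Actual = $actual; Key = $c.Key
    }
}

$results | Format-Table State, Name, Actual, Key -AutoSize
```

Values under the `Policies` keys are written by Group Policy rather than by the user's own choices in the UI, so a `MISSING` row points at the GPO not applying to that machine rather than at a user setting.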
 
I posted the link to SP2 NGs, but...

--

Will Denny
MS-MVP Windows - Shell/User


| You should be posting SP 2 feedback to the SP 2 newsgroups.
|
| Each point of concern you have mentioned is taken into account
| in the planned SP 2 release. There are updates to adm files for
| control of the autoupdate and firewall features in SP 2. You will
| be able to continue use of your SUS. Once WUS releases you
| will have improved control and reporting of update delivery also.
|
| When you are editing a GPO you must pay attention to the policy
| annotations that state to what client OS version the policy is
| applicable. All W2k policies work everywhere, but there are XP
| policies that do not work (nor do harm) on W2k, and also W2k3
| policies that do not work (nor do harm) on W2k or XP.
|
| It sounds to me like you should get comfortable with using GPO
| as this is the vehicle for controlling XP SP 2 features in a corp
| world. If you have not yet, you should start using GPMC also.
|
| --
| Roger Abell
| Microsoft MVP (Windows Server System: Security)
| MCDBA, MCSE W2k3+W2k+Nt4
 
but what, Will?

--
Roger
 
