XP SP2 - Automatic Updates

KV

I'm interested in preventing the Automatic Updates configuration screen
from popping up after rebooting from an SP2 install. The screen pops up
and asks if I want to turn on Automatic Updates. There is no bypass
option, just on/off. It fills the entire screen before coming up to the
logon prompt.

All of my computers are set to download and prompt, which is the way I
want to keep it.

So is there a way to keep this behavior and get rid of the configuration
screen?

I would really appreciate the help.

BTW, I found a way to disable the firewall. Put these lines in a .reg
file and run to disable the new Windows Firewall (This setting is only
for the new SP2 firewall. I understand it persists even through an SP2
installation. See details in this document: http://tinyurl.com/ytmue):

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]
"EnableFirewall"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]
"EnableFirewall"=dword:00000000
 
Michael Solomon (MS-MVP Windows Shell/User)

It's normal to ask that question on the first reboot; are you seeing it on
subsequent reboots? While it's been several days since I installed SP2, I
just changed to the settings you are using as a test and rebooted and I'm
not seeing that behavior here; perhaps we need more information.

Why would you use a reg hack to do something that could easily be done at
system level without using a reg hack?
 
Sammy Castagna

KV,
Let it set it the way it wants and change it. Right click
on my computer then on the updates tab and fix it the way
you want it.

Sammy Castagna

 
Torgeir Bakken (MVP)

KV said:
I'm interested in preventing the Automatic Updates configuration screen
from popping up after rebooting from an SP2 install. The screen pops up
and asks if I want to turn on Automatic Updates. There is no bypass
option, just on/off. It fills the entire screen before coming up to the
logon prompt.

Hi

This screen will not show up if you install SP2 in unattended mode
(using command line parameters) as GPO, SUS, or SMS does.


See "Deploying Windows XP Service Pack 2" here for
documentation on the command line parameters:

Service Pack 2 for Windows XP: Resources for IT Professionals
http://www.microsoft.com/technet/winxpsp2
 
KV

Michael said:
It's normal to ask that question on the first reboot; are you seeing it on
subsequent reboots? While it's been several days since I installed SP2, I
just changed to the settings you are using as a test and rebooted and I'm
not seeing that behavior here; perhaps we need more information.

No, I'm only seeing this screen on the first reboot after installing the
service pack. I would like to avoid this screen so the user CAN'T
change their settings.

The point is that I have several hundred workstations that are
homogenous with respect to the AU system. I would like to keep them
that way and avoid having a certain percentage set to automatic update.

Michael said:
Why would you use a reg hack to do something that could easily be done at
system level without using a reg hack?

It's the best way to do it. AFAIK, it's the only way to do it with my
current setup. In the official Microsoft document linked to in my
original post, I quote the following:

<quote>

Disabling the Use of Windows Firewall Across Your Network

If you decide to disable the use of Windows Firewall across your entire
network, and you are not or cannot use the Windows Firewall Group Policy
settings, you can use the Unattend.txt or Netfw.inf to disable Windows
Firewall as Windows XP SP2 is being installed. For an example of using
Unattend.txt, see Appendix E. For an example of using Netfw.inf, see
Appendix F.

Depending on your network policies, your users might elect, either
intentionally or accidentally, to install Windows XP SP 2 through
Windows Update, rather than through a central network location that
contains the modified Netfw.inf file. If this occurs, the modified
Netfw.inf file is not read during the installation and Windows Firewall
is enabled.

One solution to this possible problem is to create the registry settings
on your client computers to disable Windows Firewall before your users
have a chance to install Windows XP SP2 from Windows Update. ICF on
computers running Windows XP with SP1 and Windows XP with no service
packs installed ignores these registry settings. When the user installs
Windows XP SP2 from Windows Update and restarts their computer, Windows
Firewall reads the registry settings already in place and disables itself.

To add a registry setting on all of your computers running Windows XP,
you can use the Regini.exe or Reg.exe tools. For either tool, you create
a script file that is read by the tool to add a registry setting. The
tool has to be run in the security context of a local administrator
account.

Alternately, you can use network management software to change registry
settings on managed computers.

The registry keys to add to disable Windows Firewall for both the domain
and standard profiles are the following:

• HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\EnableFirewall=0 (DWORD data type)
• HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\EnableFirewall=0 (DWORD data type)

</quote>
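
An added example, not part of the thread or of the Microsoft document quoted in it: a small Python parser for .reg text that reports what a file does to the two `EnableFirewall` policy values named above, so a file can be reviewed before it is pushed to managed computers. The function names are this example's own, and only `dword` values, `[-KEY]` deletions and `"name"=-` deletions are handled.

```python
import re
# Policy key named in the thread; the two profile subkeys sit below it.
POLICY_ROOT = r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall"
PROFILES = ("DomainProfile", "StandardProfile")
SECTION = re.compile(r"^\[(-?)(.+)\]$")
DWORD = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{1,8})$')
DELETE = re.compile(r'^"([^"]+)"=-$')

def parse_reg(text):
    """Apply a .reg file to an empty view: {key: {value name: int}}, names lowercased."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        section = SECTION.match(line)
        if section:
            removed, name = section.group(1), section.group(2).lower()
            if removed:  # "[-KEY]" deletes the key and everything under it
                for k in [k for k in keys if k == name or k.startswith(name + "\\")]:
                    del keys[k]
                current = None
            else:
                current = keys.setdefault(name, {})
        elif current is not None:
            dword, delete = DWORD.match(line), DELETE.match(line)
            if dword:
                current[dword.group(1).lower()] = int(dword.group(2), 16)
            elif delete:  # '"name"=-' deletes a single value
                current.pop(delete.group(1).lower(), None)
    return keys

def firewall_policy_state(text):
    """Report what the file's policy values do to each firewall profile."""
    keys = parse_reg(text)
    labels = {None: "not set", 0: "disabled by policy"}
    state = {}
    for profile in PROFILES:
        value = keys.get(f"{POLICY_ROOT}\\{profile}".lower(), {}).get("enablefirewall")
        state[profile] = labels.get(value, "enabled by policy")
    return state

# The .reg file quoted in the thread, used here as sample input.
THREAD_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]
"EnableFirewall"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]
"EnableFirewall"=dword:00000000
"""

if __name__ == "__main__":
    print(firewall_policy_state(THREAD_REG))
```

A "not set" result means the file leaves that profile without an `EnableFirewall` policy value; it says nothing about the firewall's own local setting.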
 
KV

Torgeir said:
This screen will not show up if you install SP2 in unattended mode
(using command line parameters) as GPO, SUS, or SMS does.

This is exactly what I'm looking for. Thank you!

-Kevin
 
Michael Solomon (MS-MVP Windows Shell/User)

It would have helped had you stated given these parameters in your initial
post as there are simpler and less hazardous ways of disabling the firewall
in XP than hacking the registry.

Single desktop systems or even Non-Enterprise networked systems, small home
networks for example, can simply and easily turn off the XP Firewall either
in the Security Center in XP SP2, or by right clicking their connection in
Network Connections in Control panel, selecting properties, going to the
Advanced tab and making sure the "Protect my computer and network...."
option is not selected.

--
Michael Solomon MS-MVP
Windows Shell/User
Backup is a PC User's Best Friend
DTS-L.Org: http://www.dts-l.org/

 
KV

Michael said:
It would have helped had you stated given these parameters in your initial
post as there are simpler and less hazardous ways of disabling the firewall
in XP than hacking the registry.

I understand the need for clarity; however, my original post was not
about the firewall. My discussion of the firewall was simply an FYI,
nothing more.

But... now that you've brought it up, why is editing the registry such a
bad thing? Sure it's hazardous, but we're all professionals here, aren't
we?

IMHO, Microsoft is trying so hard to push people into upgrading that it's
becoming difficult to apply their patches and updates. Microsoft is
beginning to assume that users have the latest tools at their disposal.
In my case, "hacking" the registry is the only way I've found to
achieve the desired result.

I'd venture to say that many enterprise users will simply disable the
firewall because it doesn't make sense in a corporate environment like
we have. Sure, laptops are the exception, but none of my workstations
really need the extra protection. If I add a new program, like an
antivirus program, to my workstations I don't want to fool with opening
new ports on my workstations. If I was running AD it would be
different, because I could use a group policy. But I'm not running AD,
and there are many others who still aren't. There are many like me who
still run a large number of NT4 machines.

My mention of the firewall was simply to help enterprise users easily
disable the firewall if they wish.

Michael said:
Single desktop systems or even Non-Enterprise networked systems, small home
networks for example, can simply and easily turn off the XP Firewall either
in the Security Center in XP SP2, or by right clicking their connection in
Network Connections in Control panel, selecting properties, going to the
Advanced tab and making sure the "Protect my computer and network...."
option is not selected.

I think I understand where you are coming from. You don't want to see
home users and non-IT people mess up their computers. That's fine by me.

Given that I'm an enterprise user, who isn't running AD, the registry is
my only alternative to walking around to all 500 workstations. At
least... that's what I think. Am I wrong?

-Kevin
 
Michael Solomon (MS-MVP Windows Shell/User)

No we are not!

This is peer to peer support and if you scan these newsgroups you'll note
that most of the users posting to them are either novices or intermediate
users and frankly, even the most advanced should stay out of the registry.
99% of the people posting to these groups don't even back up regularly and
anyone who doesn't backup NEVER belongs in the registry.

Never make such assumptions in public newsgroups.

There are a lot of very knowledgeable people here but most of the users
asking questions and just lurking should not be making the kinds of changes
in the registry that you described.
 
Michael Solomon (MS-MVP Windows Shell/User)

As to the second part of your post, no one is being forced to install this
service pack. Users have been informed well in advance that it will be
offered on Windows Update and they have the option to turn off auto update
and that certainly should be the case with Enterprise users as they need
time to eval the SP with their systems and applications.

What you do in an Enterprise environment, reg hacks and the like is your own
business but most of the people posting in these groups are average home
users or professional people in a non-technical chosen field who need and
use their computers for work. It's dangerous for most of these people to
manually make such changes, one slip of the key, one wrong keystroke and
maybe they can't re-enter Windows.
 
KV

Michael said:
No we are not!

This is peer to peer support and if you scan these newsgroups you'll note
that most of the users posting to them are either novices or intermediate
users and frankly, even the most advanced should stay out of the registry.
99% of the people posting to these groups don't even back up regularly and
anyone who doesn't backup NEVER belongs in the registry.

Never make such assumptions in public newsgroups.

There are a lot of very knowledgeable people here but most of the users
asking questions and just lurking should not be making the kinds of changes
in the registry that you described.

I'm sorry for the assumption. Is there a better official newsgroup
where I can post more detail and not worry about mom and pop? I looked
for an sp2 newsgroup, but could not find one.
 
KV

Michael said:
As to the second part of your post, no one is being forced to install this
service pack. Users have been informed well in advance that it will be
offered on Windows Update and they have the option to turn off auto update
and that certainly should be the case with Enterprise users as they need
time to eval the SP with their systems and applications.

Just because they have the option to turn off AU doesn't mean they'll do
it. I seriously doubt many people will change their settings at all,
except for enterprise users.

Even the professionals that work with me lack confidence. I don't think
they truly understand the need for updates, nor do they care. The
average user doesn't take computer security seriously at all. They'll
happily install tons of spyware and then be baffled when their computer
slows down. I'll remove the spyware and it's back two weeks later. I've
had this happen to some of our programmers! So if they don't care about
spyware/adware, do you really think they are going to care about the
latest buffer overrun or IE vulnerability?

The professionals still do the majority of the work.

Michael said:
What you do in an Enterprise environment, reg hacks and the like is your own
business but most of the people posting in these groups are average home
users or professional people in a non-technical chosen field who need and
use their computers for work. It's dangerous for most of these people to
manually make such changes, one slip of the key, one wrong keystroke and
maybe they can't re-enter Windows.

Point taken. I'll post elsewhere next time. Any recommendations for
general XP issues?
 
Alex Nichol

KV said:
I'm interested in preventing the Automatic Updates configuration screen
from popping up after rebooting from an SP2 install. The screen pops up
and asks if I want to turn on Automatic Updates. There is no bypass
option, just on/off. It fills the entire screen before coming up to the
logon prompt.

I don't think you can stop it (other than maybe having auto update on
at full auto before starting the installation, which I have not tried)
 
Derek

I have just seen a post on microsoft.public.windowsupdate where the
contributor was trying to elicit help because his computer no longer
recognised connections to his USB ports after updating to SP2. A MS MVP
replied that the originator should post to a XP Newsgroup. Now apparently
we are being dissuaded from using this group. It is obvious that there will
be many problems with SP2; perhaps it's time to start an XP SP2 newsgroup!

Derek Nicholson
 
KV

Derek said:
I have just seen a post on microsoft.public.windowsupdate where the
contributor was trying to elicit help because his computer no longer
recognised connections to his USB ports after updating to SP2. A MS MVP
replied that the originator should post to a XP Newsgroup. Now apparently
we are being dissuaded from using this group. It is obvious that there will
be many problems with SP2; perhaps it's time to start an XP SP2 newsgroup!

Derek Nicholson

I was surprised to find out there wasn't one.

If you go to this page: http://www.microsoft.com/technet/winxpsp2

And follow this link: IT Pro Windows XP Newsgroups

You will see this newsgroup listed. I can understand where Michael is
coming from, but I think he should see our point of view as well.

A specific SP2 newsgroup would help.

-Kevin
 
Michael Solomon (MS-MVP Windows Shell/User)

IMHO, no public newsgroup is appropriate for that particular kind of
information as most are always going to be populated by a majority of
average users. If you're a member of MSDN, I believe they have their own
newsgroups, TechNet the same and they would seem to be a more appropriate
venue, more ITs and advanced users are in those forums.
 
Michael Solomon (MS-MVP Windows Shell/User)

It might happen but SP2 as was the case with SP1 is an integrated part of
XP. Windows Update is not the appropriate place for such posts as that
group is specifically designed for issues related to Windows Update. In
other words, trouble using Windows Update not problems related to the
updates which are more appropriate for these newsgroups. While issues that
arise after SP2 update should specify that in the subject or at least in the
body of the post we can usually deal with such issues based on the specific
problem much as we do for most other issues in these newsgroups.
 
