As you'll recall, I posted some information about the Microsoft IT organization's implementation of WSUS and how it affected a number of users.  You can read those gory details here.  Well, I'm sad to say the saga continues...

To recap, I'm a mobile user.  I am rarely connected to the "corporate" network.  My Windows Update Client is pointed at some internal servers so it chokes if I manually try to check for updates and I am not connected via VPN.

I reported that pretty widely internally and of course on my blog.  I followed up on this issue with the MSIT organization to see what they were going to do about it.  Here's part of the response I got back:

"We pushed a GPO at the request of the Desktop team to address a problem with SMS V4 clients; this policy was intended to fix only those clients that were experiencing the problem. The policy is scheduled to be removed tomorrow."

Time passes...

That was ten days ago.  The policy has not been removed.  So I escalated again and this time got on the phone with one of the people involved in both the decision and implementation to explain my concerns about the implementation.

As it stands, my machine and thousands of others will remain pointed at the internal WSUS servers.  As indicated in my previous post, I am at liberty to update myself via the new WSUS client I am now running.  I would imagine this would be unacceptable to a lot of customers with highly managed desktops and fickle desktop apps.  Our MSIT org thinks this is a reasonable solution for Microsoft employees since everyone is pretty much an admin on their machine anyway.  I'm ok with updating myself, but wonder about another aspect.

No Notifications

It should be "noted" that this implementation has an undesirable side effect.  No notifications.  I only get notified that something is available if I VPN into our corporate network.  At that point, the VPN quarantine process will complain if I am out of tolerance, or the SMS client indicates a required update must be installed, or my WU client might have a chance to pop a bubble that there are some new approved updates.  In the past 10 days, we released updates to Windows Vista and I was not notified.

Long Term Solution

I expressed my concern over the notifications with the MSIT folks because I wanted to know how they plan to address mobile workers.  I had my fingers crossed that they would cave and pull the GPO that forces me to look internally.  No such luck.

There are a number of ways to approach this problem.  One obvious one is to place the WSUS servers in a perimeter network that I can see from my home office or travel locations.  Since I have the SMS client installed, it would seem prudent for that client to phone home and report back results.

As it stands, our MSIT org is listening but I don't have a solution from them (short of pulling my machine out of our managed domains).  Sound familiar?
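For anyone in the same situation, here is a small diagnostic I wrote for this post (it is not part of MSIT's tooling): it reads the Windows Update policy values that a WSUS GPO sets and checks whether the configured server can actually be reached from where you are, which is exactly what decides whether a mobile client gets update checks and notifications. It assumes PowerShell 4 or later for Test-NetConnection; the registry paths are the standard WSUS policy locations.

```powershell
# Added diagnostic, not from the original post. Reads the Windows Update policy
# keys that a WSUS GPO sets and checks whether the configured server is reachable,
# so a mobile client can see why "Check for updates" fails while off the VPN.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$auKey     = Join-Path $policyKey 'AU'

function Get-WsusPolicy {
    # WUServer / WUStatusServer live under the policy key, UseWUServer under \AU.
    $result = [ordered]@{ WUServer = $null; WUStatusServer = $null; UseWUServer = 0 }
    if (Test-Path $policyKey) {
        $p = Get-ItemProperty -Path $policyKey
        $result.WUServer       = $p.WUServer
        $result.WUStatusServer = $p.WUStatusServer
    }
    if (Test-Path $auKey) {
        $result.UseWUServer = (Get-ItemProperty -Path $auKey).UseWUServer
    }
    [pscustomobject]$result
}

function Test-WsusReachable([string]$ServerUrl) {
    # TCP check against the host and port named in the WUServer URL.
    if (-not $ServerUrl) { return $false }
    $uri  = [uri]$ServerUrl
    $port = if ($uri.IsDefaultPort) { if ($uri.Scheme -eq 'https') { 443 } else { 80 } } else { $uri.Port }
    # Test-NetConnection is assumed available (PowerShell 4 / Windows 8 and later).
    $tnc = Test-NetConnection -ComputerName $uri.Host -Port $port -WarningAction SilentlyContinue
    return [bool]$tnc.TcpTestSucceeded
}

$policy = Get-WsusPolicy
if ($policy.UseWUServer -ne 1 -or -not $policy.WUServer) {
    Write-Output 'No WSUS policy in effect: this client would talk to Microsoft Update directly.'
    return
}
Write-Output "WSUS policy in effect: WUServer=$($policy.WUServer) WUStatusServer=$($policy.WUStatusServer)"
if (Test-WsusReachable $policy.WUServer) {
    Write-Output 'WSUS server reachable: update checks and notifications will work from here.'
} else {
    Write-Output 'WSUS server NOT reachable (no VPN?): the check will fail and no notifications will appear until it can be reached.'
}
```

Run it from an elevated prompt on the laptop in question; if it reports the server as unreachable while you are off the VPN, that is the notification gap described above, and the fix belongs in the policy or server placement, not on the client.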

So how do you implement patch management?

  1. Anthony says:

    The whole mentality that there is an "inside" and an "outside" to office networks has to change. For example, if there is a patch for Flash, QuickTime, Adobe Reader, etc. that I decide needs to be pushed to clients, it does not make sense that laptops out of the office can just wait till they next come in or VPN.

    In our design at Airdesk the systems management is in a DMZ and accessed by publicly resolvable names, so clients get updated wherever they are.

