Office Updates still report applicable after admin install
Dean Duensing
to update my client systems using the REINSTALL=ALL command line for MSIExec.
The updated files appear to have installed successfully on my test systems,
but MBSA still shows the updates as applicable. Any information on what
might cure this? Thanks!
Gerry Hickman
Apparently, Microsoft don't support scanning and detection of
Administrative installations of their own flagship products.
I'm having the same problem and I'm not pleased about it.
Even the "Office Inventory Tool" doesn't do the job properly.
--
Gerry Hickman (London UK)
dduensing
At least I can believe it isn't something I have misconfigured! :-) I
usually blame me first! Has anyone given you the "official" position from
MS? I have verified the file dates and version info on 6 of the critical
patches, they all look good, but... please let me know if you hear any
additional info1 I will post as well!
Aaron Wright
about it back in June, and Doug Neal from Microsoft replied that we
"should be getting no results for AIP-installed Office products", and
that he was investigating it. I haven't checked this newsgroup
regularly since then, so I don't know if a solution has been presented
or not. But I don't think one has.
If anyone from Microsoft is listening, what is the status of this
problem?
Secondly, there are a lot of us out that deploy Office via an
Administrative Installation Point. I chose to deploy via AIP because
it was one of the options in the Office 2003 Resource Kit book,
published by Microsoft Press. It doesn't say anything about being
unable to confirm the installation of patches with MBSA 2.0. That
information probably wasn't known at the time the book was published,
and I understand that, but that isn't our fault. What are we supposed
to do to verify Office patches once we can't use MBSA 1.2.1 anymore?
Aaron Wright
Gerry Hickman
Doug Neil's reponse to this is burried in this thread:
<http://groups.google.co.uk/group/microsoft.public.softwareupdatesvcs/browse
_thread/thread/8b6404d2830377a2/>
The official "solution" is not to use an AIP, but this isn't a good option
for large corporations and would also invalidate a huge amount of work and
strategy from other Microsoft teams such as the MSI team. LIS and OSE are a
joke, and a security risk, and should be avoided.
You were right to choose the AIP as instructed by Microsoft's own ResKit.
The only way you can make use of all the advanced management options of the
new MSI is when you use an AIP, as soon as you install a client patch you
may as well give up, but that's what the WSUS and MBSA teams are telling us
to do. The MU team, FTM team, and WGA team are promoting terrible security
practice by forcing people to use ActiveX which requires running with Admin
rights. Vista, doesn't solve it with UAC and the attack surface is the same
as it was in XP, only the legal owner of the PC (forced by Microsoft to run
as an Administrator) will be restricted! The hacker will be in heaven,
locking the legal owner out of their own PC.
Over five years from the first big Microsoft security bulletin, and
Microsoft have learned NOTHING about the basics of computer security. The
flawed 'Windows / IE / ActiveX / Admin Rights' strategy is the same in
Windows today as it was five years ago, and IE is now hooked direct into the
o/s, whereas Mozilla is not.
--
Gerry Hickman - (London UK)
"Aaron Wright" <wrig...@gmail.com> wrote in message
news:1160601115....@h48g2000cwc.googlegroups.com...