Circumventing your Network Administrator?

So over the weekend the IT powers that be changed their windows update policy. I no longer have control over when my computer decides to interrupt what I'm in the middle of, close everything down and restart.

I'm tilting at windmills in trying to remove the restriction from my computer. Apparently some other employees aren't conscientious/intelligent enough to manage updates on their own, so the have ruined it for everyone (me). Everything on update scheduling is greyed out, and now "managed by your administrator."

So what's the work around? Put the Windows update server on Symantec's block list?

I'm not looking to do anything too nefarious, I just want to control when MY computer updates.

Best thing to not have it interrupt you is to reboot the computer when you are done for the day, and leave it on at night. They're probably using WSUS. Unless they're being openly hostile with installation deadlines, or setting a stupid installation time policy, you shouldn't have it rebooting during the day. Complain about interruptions.

So as someone who has administered Windows and virus software updates for distribution to PC's jist email or call in a ticket to have them adjust the reboot schedule for your machine.

The software I used let me give users the option to extend the countdown time for after hours rebooting, the admins there should have the same options there, so let them know its interrupting your work, let your boss know, he may be having the same thoughts as you.

Ultimately though, even though you say it's YOUR computer, it's not, it's the companies. The admins are just trying to protect their machine and network by updating and patching any security holes in the software installed. Yeah I know it sucks, but sometimes that's the way the cookie crumbles.

P.S. Admins hate users who try to circumvent or block their admining.

PIITB?

In reply to t25torx:

Well, the companies-ish owns it, my boss/department does, at least the State/Fed does. I'm grant funded, as was the computer. Funds were give to IT to order a computer I speced. They of course received it before me, diddled with it for a bit, put Office on it, then gave it to me.

In hind sight I should have just use my P-card and purchased the computer and software myself, but I was new, and didn't know there were work arounds. There are quite a few laptops that IT has no control over, that have been bought outside of their dominion.

If you can edit the registry with regedit you can do this: http://www.makeuseof.com/tag/disable-forced-restarts-windows-update/

Mike wrote: Complain about interruptions.

Be like Mike!

This costs the company money when it updates while you are working, or rather not working. IT needs to manage the update schedule. At my office, all updates are done overnight. Never interruptions during working hours.

In reply to Mike:

They currently have it set at 3:00 PM every day. We're officially here until 4:30 PM, I'm often here until 5:30 or 6:00 PM.

I thought I had help. I misread the title.

Actually, based on the timing of your complaint it sounds like your IT folks are approving the updates with a one-week deadline. Choosing the one-week option presets the deadline to the evening. The updates came out a week before yesterday, the deadline would have passed last night, and if your computer was off last night, it would have booted this morning, waited a few minutes, and started the install.

Leaving your computer on for the weekend that follows the second Tuesday of the month is probably a good strategy if your it team can't give you better advice.

What t25torx said. Put in a ticket to get the time changed to the middle of the night and you should be good.

bigdaddylee82 wrote: In reply to Mike: They currently have it set at 3:00 PM every day. We're officially here until 4:30 PM, I'm often here until 5:30 or 6:00 PM.

They should fix it for you, but best workaround here, in my opinion:

Let's say you have lunch at noon. At 11:45, enter the following in the run dialog on your computer:

wuauclt /detectnow

Your computer will check for and download updates.

When you stand up to leave, hit reboot on your computer. Updates should happen while you're away.

bigdaddylee82 wrote: In reply to Mike: They currently have it set at 3:00 PM every day. We're officially here until 4:30 PM, I'm often here until 5:30 or 6:00 PM.

What kind of masochistic IT minion sets up their systems to update in the middle of a work day? I've been on more than one 2am conference call rolling out new software on servers. If anything they'd set it to install at reboot, or at night. I do not miss working in an office, I am my own IT (and my own boss).

bigdaddylee82 wrote: In reply to Mike: They currently have it set at 3:00 PM every day. We're officially here until 4:30 PM, I'm often here until 5:30 or 6:00 PM.

Complain about the restarts and this time setting specifically. The automatic reboots can also be disabled. WSUS has a wide range of options for this and they chose the most disruptive and ham-fisted one.

If they must have updates with forced automatic restarts happen during the day for some reason, they should schedule it during the lunch hour.

Could they have intended 3:00 AM (middle of the night) not 3:00 PM (middle of the afternoon)

I know more than one generally smart adult who is still challenged by AM/PM

1. Download whatever Linux LiveCD you feel like.
2. Install that E36 M3.
3. Set yourself up as SOLE administrator.
4. If anybody ever asks for the root password, punch them in the junk and run.

This is my standard procedure every time I start a new job. (Note: I haven't had to use step 4 yet, so YMMV.)

As a sysadmin / network admin....

Don't berkeley with your machine settings. please. even if you know what you are doing.

But, I'm going with JohnRW1621. I would say they are 12 hours off on their window.

Take the IT guys a pizza (even Ceasars) and explain the situation. We are usually an easily bribed crew and respond to the nice people WAY FASTER than the pissy/angry ones.

It should be a quick/easy process assuming you don't work for a very large company that requires sign-offs on anything touched network-wise.

Edit:

This is one of my companies. We have a Saturday afternoon maintenance window starting at 2pm (ie 14:00) It downloads the updates, waits to install them, and reboots if needed. I need to test it, but machines on the LAN should wakeup for the process.

Jay wrote: 1. Download whatever Linux LiveCD you feel like. 2. Install that E36 M3. 3. Set yourself up as SOLE administrator. 4. If anybody ever asks for the root password, punch them in the junk and run. This is my standard procedure every time I start a new job. (Note: I haven't had to use step 4 yet, so YMMV.)

That's a fairly good way to test if there's anything you could do on your company's computer to get you fired. Unless you work in the IT department you certainly shouldn't be installing any OSes on any company equipment.

Installing a whole different OS without authorization is easily in the top 5 worst things you could do on a company PC, if you group "intentionally executing/installing some kind of malware" and "running a remote access system without authorization" into single catch-all items.

circumventing policy and in concert IT security not a recipe for longevity at that organizaiton

If you can't get traction on getting the schedule changed (the be nice and bribe piece is very true), then set a recurring calendar reminder for the second Tuesday of every month to remind you to patch and reboot your system at your leisure that week to avoid hitting their scheduled reboot.

Speaking as someone who's had to manage updates on a large number of workstations, they didn't get the timing wrong (though I generally use SCCM which allows more scheduling options to reduce the impact). 3pm is generally the best time to catch systems online prior to going home or being turned off. This is after weeks of popups reminding the users to reboot the systems themselves. I'm not saying you're ignoring the pop-ups as it seems you're pretty savvy, but as you said, not everyone is and it only takes one system that isn't compliant/vulnerable to take out a corporate network (or worse).

slefain wrote:

bigdaddylee82 wrote: In reply to Mike: They currently have it set at 3:00 PM every day. We're officially here until 4:30 PM, I'm often here until 5:30 or 6:00 PM.

What kind of masochistic IT minion sets up their systems to update in the middle of a work day?

Sufficiently advanced incompetence is indistinguishable from malice.

bigdaddylee82 wrote: In reply to t25torx: Well, the companies-ish owns it, my boss/department does, at least the State/Fed does. I'm grant funded, as was the computer. Funds were give to IT to order a computer I speced. They of course received it before me, diddled with it for a bit, put Office on it, then gave it to me. In hind sight I should have just use my P-card and purchased the computer and software myself, but I was new, and didn't know there were work arounds. There are quite a few laptops that IT has no control over, that have been bought outside of their dominion.

There's currently a holy war going on at my university between the "normal" IT (who handle all academic affairs) and "health care" IT. Naturally, the research campus (where I work) is the new Israel. HCIS has recently banned labs from ordering their own computer by P-card and is attempting to manage everyone's workstation.

One of these managed workstations ran an FPLC (fast protein liquid chromatography instrument; very expensive pumps for purifying expensive preps of proteins). Said workstation restarted for Windows updates in the middle of a run, destroying the sample. Said workstation is no longer managed by HCIS.

The solution is to talk to your IT department to ensure there is a policy in writing for when updates will and won't happen. Sometimes, there are worse consequences than waiting for a reboot to finish.

In reply to Fueled by Caffeine:

If you worked here you might understand. Our own administrators circumvent them, a lot of PCs IT has never seen, and only know of their existence if they check what's on the network. Each department here does their own thing, and the IT umbrella has a lot of holes in it. Maybe it's an IT parasol instead of an umbrella. We have a field laptop that was purchased by one of my coworkers, outside of IT, we don't use it much, but they don't have any control over it.

If I did something, and anyone cared to notice/say something, I "might" be told, something like "don't do that again," but that'd be the extent of it.

There's at least three great IT guys, the others should have found another field, or retired already, they've not been relevant since XP was phased out.

I was still typing when Kylini posted, but that reminded me, that IT has no control over the computer in our lab. I pulled it out of storage this past Spring, set it up, and installed all 280-something Windows updates from 4 years in storage all by myself.

IT just happens to have control over the computer I use the most.

GameboyRMH wrote:

Jay wrote: 1. Download whatever Linux LiveCD you feel like. 2. Install that E36 M3. 3. Set yourself up as SOLE administrator. 4. If anybody ever asks for the root password, punch them in the junk and run. This is my standard procedure every time I start a new job. (Note: I haven't had to use step 4 yet, so YMMV.)

That's a fairly good way to test if there's anything you could do on your company's computer to get you fired. Unless you work in the IT department you certainly shouldn't be installing any OSes on any company equipment. Installing a whole different OS without authorization is easily in the top 5 worst things you could do on a company PC, if you group "intentionally executing/installing some kind of malware" and "running a remote access system without authorization" into single catch-all items.

3 for 3 so far (in terms of major academic research institutes I've worked at.) My current workstation was delivered to me in its factory box with instructions on how to connect it to the network written on a piece of paper. It has now been updated with four(!) extra monitors, a second network card, a second HDD, and a perfectly good Radeon HD card that other people in my workplace attempted to throw away. In my field it's generally expected that researchers will know how they want their own computers set up.

To be fair, if I were at a place that demanded I used windows 10 & microsoft office all day I would walk anyway. Life's too short for that.

My company has a great IT department. They actually seem to view employees as customers to make happy rather than adversaries. Every time I've called for whatever dumb reason, they've gone out of their way to help. There are always random things getting updated but I've always been able to defer reboots if necessary.

If you use a computer on their network, it does have to have all the crap on it (enforced at the MAC address level - nothing happens when you plug a random machine in) BUT they happily set me up with an "outernet" drop in my office so I could use a variety of non-compliant machines. They even have their stuff together enough to do the provisioning remotely (I'm at a 50 person site, we have about 7500 employees) from the main office. Come to think of it, I was even issued a non-compliant workstation with no grief, just a sticker on it that I was responsible for conforming to policy before hooking up to the corporate network.