ESR 115 Windows - background update without user ever logging in or launching FF?
Hello,
We want to run Firefox in our environment which is constantly scanned by a security scanner, and deducts points for applications which have a vulnerability that has an available patch, but the patch has not been installed. These are on shared Windows terminal servers. Firefox is one of two browsers, Edge being the other one.
If users do not launch firefox at least once, then Firefox never gets updated.
Yes, we have the background update service installed, but it sets itself to manual, and if I try to start it, it simply gives the error "error 1: incorrect function"
How can we configure Firefox 115ESR to be able to run this service automatically, check for updates, and install, without a user on a particular terminal server ever having launched the application once?
Todas las respuestas (9)
is this really that difficult?
Our background updater requires the user to have started Firefox once. Does it work in that case?
Mike - in my testing, I found that the Windows scheduled task for firefox background updates was created automatically when the *first* person launches firefox on that particular server.
However, to my surprise, the scheduled task is set to only run when that first user is logged on, and it runs only in that first user's context too - rather than SYSTEM and to run whether or not a particular user is logged on (see attached image).
Also, subsequent users who launch Firefox on that same server, do not get a Scheduled Task under their own username and context. Is this by design, do you know? In order to keep down scheduled task bloat?
Our terminal server pool randomly puts logging in users on whatever server has the least load at that moment, and then signs them out automatically after 12 hours so that the next business day, they will again get load-balanced.
This means that that each user is relatively unlikely to ever get put back onto the same server again. And firefox background updates, therefore, will never work on that server because the scheduled task is waiting, forever, for that user to sign in again so that it will run in that user's context.
We do our patch management with SCCM/MECM (Microsoft's Configuration Manager program) and of course I could just make a new deployed package for every new version of Firefox ESR that comes out, but I was really hoping to just use Firefox's built-in updater and avoid the tedious task of making and deploying new MSI files for every release of FF.
But yes, to answer your question - for the specific scenario you are describing where the first user to launch Firefox on a server, stays logged into that server for the 7 hours auto-repeat that the Scheduled Task is set to in Windows, then yes, background update works.
That is great for a single user computer that is signed into all the time by that single user, (I know it works great because of course I use Firefox on my personal machine :-) )but for the Enterprise, it does not work for us at all unfortunately.
I have perused the ADMX files for Firefox for Enterprise but I have yet to find a way around this issue.
We also have the problem with "run task only when user is logged on" (SCCM Infrastructure with over 20.000 Clients)
First time starting Firefox: We were able to solve this problem with our Active Setup script. (Start Firefox, wait five seconds, end process --> Background Task is created for the user).
However, we would also like to have the task run when the user is not logged in, but we cannot find a setting for this. (For example, we changed the interval from 7 hours to 30 minutes in the mozilla.cfg). Is there a way to change this?
Thanks in advance.
daniel.schauer said
We also have the problem with "run task only when user is logged on" (SCCM Infrastructure with over 20.000 Clients) First time starting Firefox: We were able to solve this problem with our Active Setup script. (Start Firefox, wait five seconds, end process --> Background Task is created for the user).
Daniel - are your 20,000 clients all mostly single-user workstation-OS, or server-OS? So that active script startup is just for that particular first user who logs on - as I mention in my post, if a SECOND user logs onto that same computer, does the active setup script create a second background task for them?
I noticed that without any special active setup configuration, second users (and beyond) who launch firefox do not get a background update task. In my multi-user server OS environment, it's functionally useless unfortunately since we have dozens of servers and hundreds of users getting randomly load balanced to them.
See text below
Modificadas por daniel.schauer el
We have mostly physical single-user workstations (besides Citrix and VmWare, which I am not responsible for because I work in client management) in our environment, on which we distribute our scripted packages via SCCM.
Our Active Setup works in such a way that it is executed once for each user who is currently logging in. In other words, if five users log in, an Active Setup is performed for each of these users. For this purpose, a REG key is created in the registry in the user-hive. If this is present, Active Setup is no longer executed. (For example: https://www.itninja.com/blog/view/active-setup-concept)
With this we were also able to solve the problem with the missing task, since Firefox creates it on the user side after the first start.
However, we have not yet been able to solve the update problem with logged-out users. Maybe someone else here has input?
It's been a month since the last entry, is there really no official help on this manageable problem? Is there a way to install updates to logged-out users?
With best regards
I spoke to the team and for various reasons, updating Firefox requires that a user profile has been created.