BigFix Patch Management + wuauserv service

Hi Community.

Currently, I’m trying to use Patch Management to deliver updates for Win10 machines.
We plan to block clients from accessing the “Internet” except for the connection to a BigFix Server.

I went through most of the released Win10 patches and see that 99% of them contain the following line:

// Is Windows Update service running?
continue if {exists running service "wuauserv" OR NOT exists service "wuauserv" whose (start type of it = "disabled")}

Basically, it means that Windows Server Update System still needs to be enabled for Client machines.

Question:
What is the best practice to configure WSUS so that we have the service “wuauserv” running but not performing any actions such as scanning or trying to download and install patches?
As far as I understand, we need just service “wuauserv” running and nothing else?

Best regards,
Anton.

The wuauserv service can be stopped. It just can’t be disabled. When a BigFix fixlet actionscript installs a Windows KB MSU file, the MSU file uses wuauserv to install the KB. If the service is disabled, it won’t work.

Leave wuauserv start=manual and state=stopped and you should be good. Then BigFix will work and your WSUS won’t take action.

2 Likes
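The check and the recommended service state from the posts above, as an added PowerShell example that is not part of the thread or of BigFix. The function names are hypothetical; it evaluates the same condition as the fixlet line on the local machine and can set wuauserv to manual and stopped.

```powershell
# Added example: function names are hypothetical, not BigFix or Microsoft code.

function Get-WuauservFixletState {
    # Win32_Service reports StartMode (Auto/Manual/Disabled) and State (Running/Stopped).
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='wuauserv'"

    $running  = [bool]($svc -and $svc.State -eq 'Running')
    $disabled = [bool]($svc -and $svc.StartMode -eq 'Disabled')

    [pscustomobject]@{
        Present           = [bool]$svc
        StartMode         = $svc.StartMode
        State             = $svc.State
        # Same logic as the fixlet line:
        # exists running service OR NOT exists service whose start type is disabled
        PassesFixletCheck = $running -or -not $disabled
        # State recommended in the reply above: start=manual, state=stopped
        MatchesAdvice     = [bool]($svc -and
                                   $svc.StartMode -eq 'Manual' -and
                                   $svc.State -eq 'Stopped')
    }
}

function Set-WuauservManualStopped {
    # Supports -WhatIf / -Confirm so the change can be previewed first.
    [CmdletBinding(SupportsShouldProcess)]
    param()

    if ($PSCmdlet.ShouldProcess('wuauserv', 'Set start type to Manual and stop the service')) {
        Set-Service -Name wuauserv -StartupType Manual
        Stop-Service -Name wuauserv -Force
    }
}

# Report the current state; run from an elevated prompt to change it.
Get-WuauservFixletState | Format-List

# Preview the change, then run without -WhatIf to apply it:
# Set-WuauservManualStopped -WhatIf
```

Running the report on a schedule shows whether another policy or tool has set the service back to disabled, which would make the fixlet check fail.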

Oh my lord… I’m 2 years in BigFix, managing 25000 machines and still need SOOOO much to learn.
Thank you very much for the explanation.

Best regards,
Anton.