Disabling Windows 7 update reboot nag

Hello,

We are currently rolling out BigFix patching to our environment, which has been using WSUS for the past few years. What I’m currently seeing on endpoints is a reboot prompt from both BigFix (once a patch baseline is completed) and a reboot prompt from Windows asking users to reboot. These machines are in a computer group in WSUS that does not have any approved updates pointed to it. My question: is there any way to disable the Windows 7 reboot prompt so that only the BigFix message is displayed? From my own experience, if you select “Take all actions” and do not interact with the reboot prompt that Windows 7 displays, your machine will not reboot.

I’ve tried looking elsewhere to disable this message via registry to no avail.

Thanks in advance!

Did you ever find a solution to this?

Yes, there is a way. You need to configure the Group Policy settings at Computer Configuration -> Administrative Templates -> Windows Components -> Windows Update

Set “Configure Automatic Updates” to “Disabled”. Leaving it as “Not Configured” allows the other settings - in particular “Delay Restart for scheduled installations” and “Re-prompt for restart with scheduled installations” to remain in effect. Even though “Automatic Updates” itself did not apply the patches, under the hood BigFix still uses the Windows Update Agent so these other policies are applied.

If you don’t want to apply it as a Domain GPO, you can apply it as Local Group Policy (as long as the Domain policy is “Not Configured”; Local GPO will not override Domain GPO). I’m using the following Relevance Check to detect that a change is needed:

/* Windows Update is enabled - via Local Settings, or Local GPO, or GPO */
(if exists (key "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate" of native registry) whose (exists (value "DisableWindowsUpdateAccess" of it) whose (it as integer = 1)) then false
 else if exists (key "HKEY_LOCAL_MACHINE\SYSTEM\Internet Communication Management\Internet Communication" of native registry) whose (exists (value "DisableWindowsUpdateAccess" of it) whose (it as integer = 1)) then false
 else if exists (key "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\AU" of native registry) whose (exists (value "NoAutoUpdate" of it) whose (it as integer = 1)) then false
 else if exists (key "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\AU" of native registry) whose (exists (value "AUOptions" of it) whose (it as integer < 4)) then false
 else exists (key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update" of native registry) whose (exists (value "AUOptions" of it) whose (it as integer > 3)))
/* OR one or more of the schedule options is not blocked by local GPO */
OR exists values ("AUOptions";"ScheduledInstallDay";"ScheduledInstallTime") of keys "HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\AU" of native registry
OR not exists values "NoAutoUpdate" whose (it as integer = 1) of keys "HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\AU" of native registry
OR not exists values "IncludeRecommendedUpdates" whose (it as integer = 0) of keys "HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\AU" of native registry

Check BigFix.me for a reference on where to download Apply_LGPO_Delta.exe. I configure my Local GPO with the following:

action uses wow64 redirection false

delete __createfile
createfile until EOF_EOF_EOF
; ----------------------------------------------------------------------
; PARSING COMPUTER POLICY
; Source file:  registry.pol
Computer
Software\Policies\Microsoft\Windows\WindowsUpdate
DisableWindowsUpdateAccess
DWORD:1

; Removes all existing "Windows Update" settings
Computer
Software\Policies\Microsoft\Windows\WindowsUpdate\AU
*
DELETEALLVALUES

Computer
Software\Policies\Microsoft\Windows\WindowsUpdate\AU
NoAutoUpdate
DWORD:1

Computer
Software\Policies\Microsoft\Windows\WindowsUpdate\AU
AUOptions
DELETE

Computer
Software\Policies\Microsoft\Windows\WindowsUpdate\AU
ScheduledInstallDay
DELETE

Computer
Software\Policies\Microsoft\Windows\WindowsUpdate\AU
ScheduledInstallTime
DELETE

Computer
Software\Policies\Microsoft\Windows\WindowsUpdate\AU
IncludeRecommendedUpdates
DWORD:0


; PARSING COMPLETED.
; ----------------------------------------------------------------------


EOF_EOF_EOF


delete regpol.txt
move __createfile regpol.txt

waithidden __Download\Apply_LGPO_Delta.exe  regpol.txt /error apply_lgpo_delta.err

// Regardless of whether we try to force a GPUpdate, the registry may not update until reboot
runhidden gpupdate.exe /target:computer /wait:0

//MIGHT be able to complete  & verify without rebooting.  Wait up to 10 minutes for the registry keys to be put in place,
// then give up and mark it as "reboot required"
pause while {(if exists (key "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate" of native registry) whose (exists (value "DisableWindowsUpdateAccess" of it) whose (it as integer = 1)) then false else if exists  (key "HKEY_LOCAL_MACHINE\SYSTEM\Internet Communication Management\Internet Communication" of native registry) whose (exists (value "DisableWindowsUpdateAccess" of it) whose (it as integer = 1)) then false else if exists (key "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\AU" of native registry) whose (exists (value "NoAutoUpdate" of it) whose (it as integer = 1)) then false else if exists (key "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\AU" of native registry) whose (exists (value "AUOptions" of it) whose (it as integer < 4)) then false else exists (key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update" of native registry) whose (exists (value "AUOptions" of it) whose (it as integer > 3)) /* OR one or more of the schedule options is not blocked by local GPO */ OR exists values ("AUOptions";"ScheduledInstallDay";"ScheduledInstallTime") of keys "HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\AU" of native registry OR not exists values "NoAutoUpdate" whose (it as integer = 1) of keys "HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\AU" of native registry OR not exists values "IncludeRecommendedUpdates" whose (it as integer = 0) of keys "HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\AU" of native registry) AND (now - active start time of action) < (10 * minute)}
if {if exists (key "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate" of native registry) whose (exists (value "DisableWindowsUpdateAccess" of it) whose (it as integer = 1)) then false else if exists  (key "HKEY_LOCAL_MACHINE\SYSTEM\Internet Communication Management\Internet Communication" of native registry) whose (exists (value "DisableWindowsUpdateAccess" of it) whose (it as integer = 1)) then false else if exists (key "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\AU" of native registry) whose (exists (value "NoAutoUpdate" of it) whose (it as integer = 1)) then false else if exists (key "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\AU" of native registry) whose (exists (value "AUOptions" of it) whose (it as integer < 4)) then false else exists (key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update" of native registry) whose (exists (value "AUOptions" of it) whose (it as integer > 3)) /* OR one or more of the schedule options is not blocked by local GPO */ OR exists values ("AUOptions";"ScheduledInstallDay";"ScheduledInstallTime") of keys "HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\AU" of native registry OR not exists values "NoAutoUpdate" whose (it as integer = 1) of keys "HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\AU" of native registry OR not exists values "IncludeRecommendedUpdates" whose (it as integer = 0) of keys "HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\AU" of native registry}
	action requires restart "GPO_Disable_WindowsUpdate"
endif
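An added example, not from the answer above and not BigFix’s or Microsoft’s code: a PowerShell script that audits the same registry values the relevance inspects (policy hive first, then the local “Auto Update” key), reports the restart-related AU policies the answer mentions, and can optionally write the end state the registry.pol produces (NoAutoUpdate=1, schedule values removed, DisableWindowsUpdateAccess=1). Assumptions and caveat: the `-Apply` path writes the Policies hive directly rather than through a Local GPO, so it leaves no registry.pol behind and a domain GPO that configures “Configure Automatic Updates” will overwrite it at the next policy refresh; restarting wuauserv to pick up the change is assumed sufficient and is not something the thread states.

```powershell
# Added example (not from the original post). Audit, and optionally disable,
# the Windows Update Agent's scheduled-install behaviour on Windows 7.
[CmdletBinding(SupportsShouldProcess = $true)]
param([switch]$Apply)

$policyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$policyAU   = "$policyRoot\AU"
$localAU    = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update'

function Get-RegDword {
    param([string]$Path, [string]$Name)
    # Return $null when the key or value is absent instead of throwing.
    if (-not (Test-Path -Path $Path)) { return $null }
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$Name
}

function Get-AutoUpdateState {
    # Same precedence as the relevance: policy values win over the local key.
    $state = New-Object PSObject -Property @{
        DisableWindowsUpdateAccess    = Get-RegDword $policyRoot 'DisableWindowsUpdateAccess'
        NoAutoUpdate                  = Get-RegDword $policyAU   'NoAutoUpdate'
        PolicyAUOptions               = Get-RegDword $policyAU   'AUOptions'
        ScheduledInstallDay           = Get-RegDword $policyAU   'ScheduledInstallDay'
        ScheduledInstallTime          = Get-RegDword $policyAU   'ScheduledInstallTime'
        IncludeRecommendedUpdates     = Get-RegDword $policyAU   'IncludeRecommendedUpdates'
        LocalAUOptions                = Get-RegDword $localAU    'AUOptions'
        # Restart-nag policies: "No auto-restart with logged on users",
        # "Delay Restart for scheduled installations", "Re-prompt for restart".
        NoAutoRebootWithLoggedOnUsers = Get-RegDword $policyAU   'NoAutoRebootWithLoggedOnUsers'
        RebootWarningTimeoutEnabled   = Get-RegDword $policyAU   'RebootWarningTimeoutEnabled'
        RebootRelaunchTimeoutEnabled  = Get-RegDword $policyAU   'RebootRelaunchTimeoutEnabled'
    }
    # AUOptions 4 = "Auto download and schedule the install": the only mode in
    # which the agent itself schedules a restart and raises the restart prompt.
    if ($state.NoAutoUpdate -eq 1) { $effective = 0 }
    elseif ($null -ne $state.PolicyAUOptions) { $effective = $state.PolicyAUOptions }
    else { $effective = $state.LocalAUOptions }
    Add-Member -InputObject $state -MemberType NoteProperty -Name EffectiveAUOptions -Value $effective
    Add-Member -InputObject $state -MemberType NoteProperty -Name ScheduledInstallActive -Value ($effective -eq 4)
    return $state
}

function Set-AutoUpdateDisabled {
    # Writes the values the registry.pol above ends up with, minus the GPO engine
    # (assumption: acceptable where no domain GPO configures these settings).
    if (-not (Test-Path -Path $policyAU)) { New-Item -Path $policyAU -Force | Out-Null }
    Set-ItemProperty -Path $policyRoot -Name DisableWindowsUpdateAccess -Value 1 -Type DWord
    Set-ItemProperty -Path $policyAU   -Name NoAutoUpdate              -Value 1 -Type DWord
    Set-ItemProperty -Path $policyAU   -Name IncludeRecommendedUpdates -Value 0 -Type DWord
    foreach ($name in 'AUOptions', 'ScheduledInstallDay', 'ScheduledInstallTime') {
        Remove-ItemProperty -Path $policyAU -Name $name -ErrorAction SilentlyContinue
    }
}

$before = Get-AutoUpdateState
$before | Format-List

if ($Apply -and $before.ScheduledInstallActive) {
    if ($PSCmdlet.ShouldProcess($policyAU, 'Disable Configure Automatic Updates')) {
        Set-AutoUpdateDisabled
        # Assumption: a service restart is enough for the agent to re-read policy.
        Restart-Service -Name wuauserv
        Get-AutoUpdateState | Format-List
    }
}
```

Run it elevated; `-Apply -WhatIf` shows the writes without making them. Bear in mind the later posts in this thread: once NoAutoUpdate is 1 the client stops checking in with WSUS, so if WSUS is still your second source of truth for patch status, verify that consequence before rolling this out.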

Unfortunately, that’s not an option for our rollout just yet. We are still using the WSUS environment for a second metric on reporting whether the endpoint is fully patched, so we need the device to still check in, even though no patches are approved for the container they are in.

Thanks for that information though, it may come in handy in the future.

Couldn’t you keep it in an OU when you build the machine to manage and deploy all patches from BF that also has the Automatic Updates disabled. Then move it to another OU after that just has analysis on it but patch deployment turned off in WSUS?

Not for this type of a rollout, no. These are not new builds, but machines already in production that were pointed to WSUS. To get the machine to report to both WSUS and BigFix, the GPO that is in place to configure the client to talk to our WSUS server has to stay active with the “Configure Automatic Updates” setting enabled on the client. If it’s disabled, the client will no longer check in to WSUS. If that were the case right now, we would never have realized (as we did today) that KB3119142 doesn’t correlate to any fixlets in BigFix. Because WSUS had the patch in its database, our machines reported that this patch was needed for the clients. We have a PMR open on the issue, but we don’t want things like that slipping under the radar while we are trying to roll out to our Enterprise.

Good to know. As of now, our infrastructure works as follows: Laptop imaged and machine put in a ‘Staging’ OU > WSUS patches it to current patch completion > we move it to a different OU (based on dept) where the same patches are being sent as well, all configured as Automatic Updates.

Current BigFix would be to have the laptop imaged and put into the same “Staging” OU with Automatic Updates ‘Disabled’ > Push 3-4 Baselines of Windows Updates and another baseline of 3rd party software to the laptop > Move to the respective dept OU. From there I guess it would depend on whether we still have WSUS up and running whether or not it would then receive patches BigFix missed. Is there a way to have it still talk to WSUS and be analyzed without having patches installed? I will go look.

I wonder how many people are running WSUS side by side with BF for patching?

What you’re asking is exactly what we are doing, so the answer is yes. You just need to have the machines check into a container in WSUS that has all patches declined for that container. Then, they will periodically check in with WSUS to verify what patches are still needed, even if they aren’t approved. This is what gave us the indicator that BigFix was missing a patch that WSUS had readily available.

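An added example, not from this thread and not BigFix’s or Microsoft’s code, for the “second source of truth” check the two posts above describe: on the WSUS server (or a machine with the WSUS console installed) it pulls every update that WSUS reports as needed by computers in one target group, whatever its approval state, and diffs the KB numbers against a list exported from BigFix, so a KB with no matching fixlet (the KB3119142 situation described above) shows up as a gap. Assumptions: server name `wsus01`, port 8530 without SSL, target group `Staging`, and a BigFix export file `bigfix-kbs.txt` with one KB number per line; all of these are placeholders, not values from the thread.

```powershell
# Added example (not from the original thread). Compare what WSUS says is still
# needed in a target group with the KB list BigFix knows about.
param(
    [string]$WsusServer   = 'wsus01',            # assumption
    [int]$Port            = 8530,                # assumption: non-SSL console port
    [string]$TargetGroup  = 'Staging',           # assumption
    [string]$BigFixKbFile = '.\bigfix-kbs.txt'   # assumption: one KB number per line
)

function Get-WsusNeededKbs {
    param([string]$Server, [int]$Port, [string]$GroupName)
    [void][Reflection.Assembly]::LoadWithPartialName('Microsoft.UpdateServices.Administration')
    $wsus  = [Microsoft.UpdateServices.Administration.AdminProxy]::GetUpdateServer($Server, $false, $Port)
    $group = $wsus.GetComputerTargetGroups() | Where-Object { $_.Name -eq $GroupName }
    if ($null -eq $group) { throw "Target group '$GroupName' not found on $Server" }

    # Client-side state "NotInstalled", server-side approval state "Any":
    # we want needed updates regardless of whether they were ever approved.
    $scope = New-Object Microsoft.UpdateServices.Administration.UpdateScope
    $scope.IncludedInstallationStates = [Microsoft.UpdateServices.Administration.UpdateInstallationStates]::NotInstalled
    $scope.ApprovedStates = [Microsoft.UpdateServices.Administration.ApprovedStates]::Any

    $rows = @()
    foreach ($computer in $group.GetComputerTargets()) {
        foreach ($info in $computer.GetUpdateInstallationInfoPerUpdate($scope)) {
            $update = $info.GetUpdate()
            foreach ($kb in $update.KnowledgebaseArticles) {
                $rows += New-Object PSObject -Property @{
                    Computer   = $computer.FullDomainName
                    LastReport = $computer.LastReportedStatusTime
                    KB         = [string]$kb
                    Title      = $update.Title
                    Approved   = $update.IsApproved
                    Declined   = $update.IsDeclined
                }
            }
        }
    }
    return $rows
}

function Compare-KbLists {
    # Pure function: KB numbers WSUS reports as needed that BigFix has no entry for.
    # Accepts "KB3119142" or "3119142" on either side.
    param([string[]]$WsusKbs, [string[]]$BigFixKbs)
    $known = @{}
    foreach ($kb in $BigFixKbs) { $known[($kb -replace '^KB', '').Trim()] = $true }
    $gaps = @()
    foreach ($kb in ($WsusKbs | Sort-Object -Unique)) {
        $key = ($kb -replace '^KB', '').Trim()
        if ($key -ne '' -and -not $known.ContainsKey($key)) { $gaps += $key }
    }
    return $gaps
}

$needed = Get-WsusNeededKbs -Server $WsusServer -Port $Port -GroupName $TargetGroup
if (Test-Path -Path $BigFixKbFile) { $bigfix = Get-Content -Path $BigFixKbFile } else { $bigfix = @() }
$gaps = Compare-KbLists -WsusKbs ($needed | ForEach-Object { $_.KB }) -BigFixKbs $bigfix

# Per-KB view with a machine count, so one stale client that has not reported
# in weeks does not masquerade as a BigFix content gap.
$needed | Where-Object { $gaps -contains $_.KB } |
    Group-Object -Property KB | Sort-Object -Property Count -Descending |
    Select-Object Name, Count, @{ n = 'Title'; e = { $_.Group[0].Title } } |
    Format-Table -AutoSize
```

The BigFix side of the comparison is deliberately a plain text file: export the KB numbers from the patch fixlets however your console or session relevance makes convenient, and keep this script read-only against WSUS so it can run under an account with the WSUS Reporters role rather than Administrators.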

Since I replied to this thread I’ve done a few things - First was to add the group policy “Disable - Configure Automatic Updates” to our “Staging” OU (where newly imaged Win7 laptops get automatically placed in AD) - I did this to stop the constant nag of reboots from Windows after I install a Baseline of Windows Updates from BigFix. Does this also stop the machines that that policy applies to from even checking into WSUS?

Then I went into WSUS and selected all the previously ‘Approved Updates’ for that same OU and changed them all to “Not Approved”, just for that same “Staging OU”.

I think in order to then get the machine to check back in with WSUS, I need to “Enable - Configure Automatic Updates” so that the machine knows to reach out to WSUS.