Disable a system from getting updates without locking it?

Is there a way to stop a Win7 system from getting patches and updates via BigFix, without resorting to locking the system in the registry?
Is there a console system lock, or does it use the registry only to lock?
I could just remove the Besclient, but prefer not to.

Thanks

You could unsubscribe them from any site that has patches or baselines.

Other than that, locking is your only option.

1 Like

You can use the console to push out the registry change – is that what you’re doing currently?

1 Like

I use a custom setting on the client to set/clear a value for “PatchWindow”, and send out my patching actions with a constraint based on the PatchWindow value. That allows me to send out a single patching action targeting all of my systems, and then change the PatchWindow value on individual groups of machines when I want their patches to execute.

In BigFix there are multiple ways of doing anything. To understand your requirement I think you need to define WHY you wish to lock the endpoints. Is it ONLY patches you don’t wish to have run? Or other actions as well?

I can understand that you do not wish to remove the BES client, but is this only because you may wish to perform some function on the endpoint at a later time? If you want to run, let’s say, inventory scans, but otherwise do not wish the endpoint to take other actions, then I would say LOCKING your endpoint may be the best approach, while creating a LOCK OVERRIDE site (adding this site via the Admin Tool) so you can place Fixlets (such as inventory scans) to run out of this site (limit access to this site), as Actions from this site would OVERRIDE the lock setting.

Now back to your Question on HOW to LOCK an endpoint. Can you RIGHT CLICK on an endpoint and lock it?

If you do NOT see this setting, then your system is set to only allow locking at the client level, which is done in the BES Admin tool (not recommended). See below the “Action Lock Controller: client” ← this means you can’t control locking from the console.

If you CAN do this, then you can lock and track any locked machines with this setting (even make a Task/Fixlet to target multiple machines). Just remember that when/IF you un-lock it, the endpoint will start to process any and all open actions against it. Hence why I like to use the LOCK OVERRIDE site - anything I put in this site will run on endpoints even if locked.

1 Like