(imported topic written by SystemAdmin)
As discussed in another thread, some BigFix fixlets require the Windows Update service be enabled in Windows 7/2008 because some Microsoft patches require it. http://forum.bigfix.com/viewtopic.php?id=6700
I’d like to disable Auto Updates in domain policy, but that disables the Windows Update service. Any policy that enables Auto Updates causes the computer to check for and offer updates.
Is there a BigFix-recommended configuration for Auto Updates that disables those updates without making BigFix actions fail?
(The thread I linked has the beginning of a discussion on this topic, but it was a tangential topic for that thread so I thought I’d start a new one.)
(imported comment written by SystemAdmin)
I’ve made 2 tasks, 1 that disables and 1 that enables, and I just place them at the front and end of my baselines to resolve this issue. So far it seems to work happily.
(imported comment written by SystemAdmin)
With a domain policy disabling the service, I can’t count on the service staying enabled long enough for a baseline to finish.
Unfortunately I’m working under a domain policy that disables auto updates. I can add another domain policy that overrides that setting, but I have to set it to something; I can’t override a setting with “not configured”.
The people who set the domain policy are not very responsive, but they should be willing to comply with BigFix’s recommended configuration. If there is one.
(imported comment written by JackCoates91)
Hi,
The patches where this is a concern seem to require Windows Update Service to be running; this service has several configuration modes though, and I don’t believe that it must be configured to patch automatically in order to apply a patch. Perhaps the domain admins could leave the service running but set auto-installation to off?
(imported comment written by SystemAdmin)
I took a few shortcuts in my description of the problem.
The domain policy disables automatic updates, which has the effect of disabling the Windows Update service. I tried adding a policy to set the service startup to manual, but it didn’t work. Apparently service startup is a weaker setting than Configure Automatic Updates. (My policy takes precedence over the other policy, but that’s only meaningful when it’s the same setting.)
In another experiment I locally configured a Win7 computer to never check for updates and set the service to automatic. Then I added it to the domain in an OU that has a test policy setting the service to manual and no policy configuring auto updates. The service changed to manual, so the test policy took effect. Eventually the service became disabled and stayed that way.
So even with cooperation from the domain admins, I don’t see a configuration that will reliably leave the Windows Update service enabled without allowing automatic updates to take some actions.
(imported comment written by SystemAdmin)
Sigh
very sloppy.
I have a policy action that disables the Automatic Updates service for WinXP and Win2003. For some of my experiments that action also applied to the Win7 test system.
So I don’t know when the service was being disabled by domain policy and when by BigFix action. I updated the fixlet to check OS and replaced the policy action; now I have to repeat the tests.
(imported comment written by JackCoates91)
Domain policy always wins in the long run, and it sounds like the domain policy is to force the service off rather than to change settings. I don’t think the results will be predictable until that changes – I would point the domain admins at the articles referenced here: http://support.bigfix.com/cgi-bin/kbdirect.pl?id=1775
And then here for a less drastic configuration choice: http://technet.microsoft.com/en-us/library/cc720539(WS.10).aspx
Jack
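An added example, not part of the original thread and not BigFix code: a local check that reports the Automatic Updates policy values next to the Windows Update service start mode, so the two settings discussed above can be observed separately during tests. It assumes the standard policy registry location for Configure Automatic Updates and the service name `wuauserv`; the function name `Get-WindowsUpdateState` is hypothetical.

```powershell
# Added example (not from the thread). Hypothetical helper: Get-WindowsUpdateState.
function Get-WindowsUpdateState {
    # Assumed location: where the "Configure Automatic Updates" policy stores its values.
    $auKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
    $policy = Get-ItemProperty -Path $auKey -ErrorAction SilentlyContinue

    $noAutoUpdate = $null
    $auOptions    = $null
    if ($policy) {
        $noAutoUpdate = $policy.NoAutoUpdate
        $auOptions    = $policy.AUOptions
    }

    # Documented AUOptions values for the policy.
    $optionNames = @{
        2 = 'Notify before download and install'
        3 = 'Download automatically, notify before install'
        4 = 'Download automatically, install on schedule'
        5 = 'Local administrators choose the setting'
    }

    if ($noAutoUpdate -eq $null -and $auOptions -eq $null) {
        $policyText = 'Not configured by policy'
    } elseif ($noAutoUpdate -eq 1) {
        $policyText = 'Automatic Updates disabled by policy (NoAutoUpdate=1)'
    } else {
        $policyText = $optionNames[[int]$auOptions]
        if (-not $policyText) { $policyText = "Enabled by policy, AUOptions=$auOptions" }
    }

    # Get-WmiObject keeps the check usable on PowerShell 2.0, as shipped with Windows 7.
    $svc = Get-WmiObject -Class Win32_Service -Filter "Name='wuauserv'"
    if (-not $svc) { throw 'Windows Update service (wuauserv) not found' }

    New-Object PSObject -Property @{
        Checked        = Get-Date
        AUPolicy       = $policyText
        NoAutoUpdate   = $noAutoUpdate
        AUOptions      = $auOptions
        ServiceStart   = $svc.StartMode   # Auto, Manual or Disabled
        ServiceState   = $svc.State       # Running, Stopped, ...
        ServiceEnabled = ($svc.StartMode -ne 'Disabled')
    }
}

Get-WindowsUpdateState | Format-List
```

Running it before and after a Group Policy refresh shows whether the refresh is what changes the service start mode.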