Question: Best Practices of WSUS configuration alongside BigFix

Hi,

I’ve got a customer that is using WSUS and now planning to move to BigFix.
He asked if there are any changes that he needs to make to his environment so there will be no issues with BigFix.

As I understand, there are GPO settings that should be changed:
Computer Configuration > Windows Update policy settings
Configure Automatic Updates > Disabled

I won’t configure “Remove access to use all Windows Update features” because it will prevent Device Manager from automatically installing driver updates from the Windows Update website.

What do you think?

I’m not sure what you mean: “Are there any more setting that should be configured so the WSUS won’t cause 3010 exit codes with BigFix?”

The 3010 exit codes come from the installer and indicate to Windows (and BigFix) that a restart is required to complete the installation. They are nothing to do with any combination of BigFix & WSUS.

If I want to deploy Windows patches through BigFix and still allow the Device Manager functionality of installing drivers through Windows Update

And also making sure that the Workstation will only get Updates that were approved by BigFix

Which configuration is the best to achieve that?

I’ll be interested to see the replies to this.

I’m assuming these are all domain joined and you want to control this using Group Policy?

I’m not sure you can selectively control Windows Update like this, but you may be able to with WSUS if you block everything by default and just allow approved updates. It is a long time since I had any dealings with WSUS.

I’m not super familiar with WSUS but I’m assuming you either have a server set up for hosting updates or you have group policies in place controlling updates? Correct me if I’m wrong. Either way, if those are causing issues pushing out updates, I would assume you could clear anything that would block or stop your updates from being pushed from HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate. I’m sure there’s a more efficient way of doing this (there always is) but my first thought would be to run a baseline that would remove any policies you need gone, install needed updates, and then run a gpupdate to reapply the policies. There could be a way to configure your policy settings to allow this without having to remove anything, possibly? Someone else more familiar may have to answer that. The only issue I could see happening is unwanted updates auto-installing in this small time window, depending on what settings were removed. Or I could be misunderstanding the issue completely; these were just my first thoughts without diving too deep.
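
A read-only way to see which Windows Update policy values are currently set under the registry key named in the last post, before changing or removing anything. This is an added example, not part of any post in this thread. The function names are hypothetical, and the mapping of the two "access" value names to specific GPO settings is an assumption to verify on your Windows version.

```powershell
# Read-only audit of Windows Update policy values on a client. Changes nothing.
$base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$au   = Join-Path $base 'AU'

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or value is absent (policy not configured).
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name }
}

function Get-WindowsUpdatePolicyReport {
    $noAuto  = Get-PolicyValue $au   'NoAutoUpdate'
    $useWsus = Get-PolicyValue $au   'UseWUServer'
    $wsusUrl = Get-PolicyValue $base 'WUServer'
    $findings = @()

    # "Configure Automatic Updates > Disabled" is stored as NoAutoUpdate = 1.
    if ($noAuto -eq 1) {
        $findings += 'OK: Automatic Updates disabled by policy (NoAutoUpdate=1).'
    } elseif ($null -eq $noAuto) {
        $findings += 'CHECK: Configure Automatic Updates is not set by policy.'
    } else {
        $opt = Get-PolicyValue $au 'AUOptions'
        $findings += "CHECK: Automatic Updates enabled by policy (AUOptions=$opt)."
    }

    # A client still pointed at WSUS keeps scanning against that server.
    if ($useWsus -eq 1 -and $wsusUrl) {
        $findings += "INFO: client is pointed at a WSUS server: $wsusUrl"
    }

    # Assumption: these values back the policies that remove or turn off access
    # to Windows Update features; confirm against your ADMX templates.
    foreach ($name in 'DisableWindowsUpdateAccess', 'SetDisableUXWUAccess') {
        if ((Get-PolicyValue $base $name) -eq 1) {
            $findings += "CHECK: $name=1 restricts access to Windows Update features."
        }
    }
    $findings
}

Get-WindowsUpdatePolicyReport
```

Running this before and after a `gpupdate` shows whether the policy values were reapplied.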