We start the Windows Update service and set it to manual before BigFix patching starts, and after the patches get executed, the services are stopped. There are many endpoints whose startup type changes to automatic and which are now having OS build upgrades installed from the web. We push a fixlet every time before patching to set the startup type to manual, and still it changes on some machines.
Even Automatic Updates (AU) in the registry is set to 1 to disable automatic updates. What can we do to fix this issue from BigFix?
I think you'd need to investigate what is turning it back on - if it's a Group Policy, Local Group Policy, or the user, you need to find a way to make them "stop doing that".
Initially this was our concern too, that maybe a GPO is doing this, but there is no GPO set on these services and it only changes for some users, not everyone. If users are changing it themselves, then we will check that. I don't think users have rights to do that in our environment, but that can be validated.
Now, my only question is: if we are performing BigFix patching and we start the services while keeping the startup type manual, it should not install updates automatically, right?
I had a similar situation recently where machines were doing the exact same thing. It was identified as GPO, some even LGPO. We changed the GPO setting and it still occurred with certain users. Our interim solution, until the investigation on GPO is complete, is to run a Policy Action which ensures that the registry entry is always set to disable. If it changes, BigFix will change it back. The policy is on AU as well as NoAutoUpdate = 1.
One would need to test it, however; in our scenario it works as a temp solution, but if you have a back-and-forth between BigFix and GPO it's going to become an uphill battle. I will post our findings once we have concluded; hopefully they can assist you.
Suggestion: if this is Windows 10, which I assume it is, why don't you set the policy to defer quality updates for xx days? In our environment we have this value set to 30 days, so when Microsoft releases the patches we can patch these using BigFix and not have to worry about clients downloading the patches from Microsoft.
It also helps with the end-user experience, so they get the same reboot popup and you can control the reboots etc. more or less.
If you haven't dumped the Group Policies that the client is seeing, and dumped the WSUS logs on the client, you might want to. I found at my site that the WSUS settings were being inherited from another OU. It had been like that for years, until I finally opened the WSUS logs on the client to see what actually was being set and traced it back.
One of my first fixlets in BigFix, very crude - there are much cleaner ways of doing this:
One last place to check is the Windows Task Scheduler.
You may find a few Windows Update tasks scheduled to run under various scenarios, and one of them may reset the service.
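A read-only audit of every place the replies above point at (the service startup type, the AU and defer-quality-updates policy values, the WSUS client keys, and the Windows Update scheduled tasks), as an added PowerShell example that is not from this thread, from BigFix, or from any poster. The expected baseline (service Manual, NoAutoUpdate = 1) is taken from the posts; the script assumes an elevated PowerShell 5.1 session on Windows 8.1/10 or Server 2012 R2 or later.

```powershell
# Added example: audit the settings discussed in the thread; it changes nothing on the endpoint.
# Assumes PowerShell 5.1, run elevated, on Windows 8.1/10 or later (Get-ScheduledTask).
$PolicyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or value is absent, so an unset policy shows up as unset.
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

function Get-WuAudit {
    # Win32_Service exposes StartMode (Auto/Manual/Disabled), which is what keeps drifting.
    $svc   = Get-CimInstance Win32_Service -Filter "Name='wuauserv'"
    $tasks = Get-ScheduledTask -TaskPath '\Microsoft\Windows\WindowsUpdate\' -ErrorAction SilentlyContinue |
             Select-Object TaskName, State
    [pscustomobject]@{
        ServiceState     = $svc.State
        ServiceStartMode = $svc.StartMode
        NoAutoUpdate     = Get-RegValue "$PolicyRoot\AU" 'NoAutoUpdate'
        AUOptions        = Get-RegValue "$PolicyRoot\AU" 'AUOptions'
        UseWUServer      = Get-RegValue "$PolicyRoot\AU" 'UseWUServer'
        WUServer         = Get-RegValue $PolicyRoot 'WUServer'
        DeferQuality     = Get-RegValue $PolicyRoot 'DeferQualityUpdates'
        DeferQualityDays = Get-RegValue $PolicyRoot 'DeferQualityUpdatesPeriodInDays'
        WuTasks          = ($tasks | ForEach-Object { "$($_.TaskName)=$($_.State)" }) -join '; '
    }
}

function Test-WuExpected {
    param($Audit)
    # Flags drift from the baseline the thread describes: service Manual, NoAutoUpdate = 1.
    $issues = @()
    if ($Audit.ServiceStartMode -ne 'Manual') { $issues += "wuauserv StartMode is $($Audit.ServiceStartMode)" }
    if ($Audit.NoAutoUpdate -ne 1)            { $issues += "NoAutoUpdate is '$($Audit.NoAutoUpdate)', expected 1" }
    if ($Audit.UseWUServer -eq 1 -and -not $Audit.WUServer) { $issues += 'UseWUServer=1 but no WUServer set' }
    return $issues
}

$audit = Get-WuAudit
$audit | Format-List
$drift = Test-WuExpected $audit
if ($drift) { "DRIFT:`n - " + ($drift -join "`n - ") } else { 'State matches the expected baseline' }
# To see which GPO or LGPO delivers these values: gpresult /h "$env:TEMP\gpresult.html" /scope computer
```

Running it on a machine before and after it drifts shows which of the four sources (policy keys, WSUS inheritance, service start mode, scheduled task) changed, which is the comparison the replies suggest doing before adding more remediation.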