How to do Windows updates with the Xcitium platform?

Hello,

Does anyone here have advice on the best way to manage Windows updates and to stop machines from doing Windows updates automatically? I have the procedure to disable Windows updates. Machines keep on doing updates on their own regardless of whether we approve updates or not.

Thanks

Hi @QuickSilverST, you can turn off OS patching and 3rd party patching separately from Profiles → Patch Management section.

Hey, thank you for the reply. I did read the documentation, but the way it looks to me, if you use this section in the profile, it completely disables updating; even when you do approve or run procedures to do updates, it won’t update. Or am I mistaken here?

@ilgaz I think what @QuickSilverST is asking is - how do you ensure that updates are applied ONLY via Itarian. I.e. how to stop the device doing automatic updates or how to stop the end user from clicking ‘check for updates’ in Windows and installing them.

@QuickSilverST Correct me if I’m wrong, that’s just how I read your question. I too would like the answer to this :slight_smile:

@itg Yes, you’re spot on. In all the years I’ve been using this platform it’s always been an issue. Regardless of whether you approve and install updates via the platform, they get installed anyway.

Hi @ilgaz

Do you have any updates on this?

How to do the updates? :thinking:

Hi @alphayash

You can update Windows automatically from the Profiles → Patch Management section.

Thank you

Hi, this is only to enable/disable patching but not to stop auto updates and only to do updates by platform.

Thanks for the reply Man!!

@ilgaz Bumping this thread for a response to my question above.

Many thanks

The approve/deny function under Patch Management has no effect on the workstation. This is because it does not know about the ITarian patch management server. Basically the patch management feature is useless and cannot be used in an enterprise environment. I have given a lot of feedback in the past and I am fed up.

So this is what I have done in our environment.

  1. Disable the ability of the user to click on “Check for Updates” on the workstation by enabling the Group Policy setting under Computer Configuration\Administrative Templates\Windows Components\Windows Update\Remove access to use all Windows Update features.

  2. Create a Monitor that will disable the Windows Update service if it’s running. Note that it’s required because if you disable the service then the “WaaS Medic” service feature will automatically enable it and do the Windows update without your knowledge. So creating a monitor to keep disabling the Windows Update service is a must.

Now when you really want to install the patch, do it with the help of the PROCEDURE. In that procedure the very first step that you need to do is ENABLE the Windows Update service and then perform the patching procedure. Make sure that you do this with a Maintenance Window and ensure the setting for “Disable Monitors” is enabled.

You can use the PowerShell module PSWindowsUpdate 2.2.0.3 (PowerShell Gallery).

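A sketch of the monitor action and the patch procedure described in the post above, as an added example that is not from the original poster or from Xcitium/ITarian. The `-Mode` and `-ApprovedKB` parameters and both function names are hypothetical, and it assumes the PSWindowsUpdate module is already installed on the endpoint and that the script runs elevated.

```powershell
#Requires -RunAsAdministrator
# Added example (hypothetical script): 'Lock' is the monitor action,
# 'Patch' is the procedure run inside the maintenance window.
param(
    [ValidateSet('Lock', 'Patch')]
    [string]$Mode = 'Lock',
    # KB IDs approved for this run, e.g. 'KB0000000' (placeholder value).
    [string[]]$ApprovedKB = @()
)

$ErrorActionPreference = 'Stop'
$ServiceName = 'wuauserv'   # Windows Update service

function Lock-WindowsUpdateService {
    # Monitor action: stop the service if it is running and set it back
    # to Disabled in case something re-enabled it.
    $svc = Get-Service -Name $ServiceName
    if ($svc.Status -ne 'Stopped') {
        Stop-Service -Name $ServiceName -Force
    }
    if ($svc.StartType -ne 'Disabled') {
        Set-Service -Name $ServiceName -StartupType Disabled
    }
}

function Install-ApprovedUpdates {
    param([string[]]$KB)
    # Refuse to run without an explicit list, so only approved KBs are installed.
    if (-not $KB) { throw 'No approved KB list supplied.' }
    Import-Module PSWindowsUpdate
    try {
        # First step of the procedure: re-enable and start the service.
        Set-Service -Name $ServiceName -StartupType Manual
        Start-Service -Name $ServiceName
        # Install only the listed KBs; rebooting is left to the platform.
        Install-WindowsUpdate -KBArticleID $KB -AcceptAll -IgnoreReboot -Verbose
    }
    finally {
        # Re-lock even if the install fails, so the endpoint is never left open.
        Lock-WindowsUpdateService
    }
}

switch ($Mode) {
    'Lock'  { Lock-WindowsUpdateService }
    'Patch' { Install-ApprovedUpdates -KB $ApprovedKB }
}
```

Run the `Lock` mode from the monitor and the `Patch` mode from the procedure; with "Disable Monitors" enabled for the maintenance window, the monitor does not stop the service mid-install.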

@myr Thanks for your comprehensive walkthrough. That’s really helpful!

Although it’s slightly disconcerting to see yet another person who has had the same issues with patch management. Can @ilgaz chime in here? There’s been no response to our previous queries.