Does anyone here have advice on the best way to manage Windows updates and to stop machines from doing Windows updates automatically? I have the procedure to disable Windows updates. Machines keep on doing updates on their own regardless of whether we approve updates or not.
Hey, thank you for the reply. I did read the documentation, but how it looks to me is that if you use this section in the profile, it completely disables updating; even when you do approve or run procedures to do updates, it won’t update. Or am I mistaken here?
@ilgaz I think what @QuickSilverST is asking is - how do you ensure that updates are applied ONLY via ITarian. I.e. how to stop the device doing automatic updates or how to stop the end user from clicking ‘check for updates’ in Windows and installing them.
@QuickSilverST Correct me if I’m wrong, that’s just how I read your question. I too would like the answer to this.
@itg Yes, you’re spot on. In all the years I’ve been using this platform it’s always been an issue. Regardless of whether you approve and install updates via the platform, they get installed anyway.
The approve/deny function under Patch Management has no effect on the workstation. This is because it does not know about the ITarian patch management server. Basically the patch management feature is useless and cannot be used in an enterprise environment. I have given a lot of feedback in the past and I am fed up.
So this is what I have done in our environment.
Disable the ability of the user to click on “Check for Updates” on the workstation by enabling the Group Policy setting under Computer Configuration\Administrative Templates\Windows Components\Windows Update\Remove access to use all Windows Update features.
Created a Monitor that will disable the Windows Update service if it’s running. Note that it’s required because if you disable the service then the “WaaS Medic” service feature will automatically enable it and do the Windows update without your knowledge. So creating a monitor to keep disabling the Windows Update service is a must.
Now when you really want to install the patch, do it with the help of the PROCEDURE. In that procedure the very first step that you need to do is ENABLE the Windows Update service and then perform the patching procedure. Make sure that you do this with a Maintenance Window and ensure the setting for “Disable Monitors” is enabled.
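The monitor and procedure steps described in the post above, sketched as one PowerShell script. This is an added example, not code from the thread or from ITarian; the `-Mode` names and the exit-code convention (1 = the service had drifted from Stopped/Disabled) are assumptions, and it is meant to be wired into whatever monitor and procedure mechanism the RMM platform provides.

```powershell
# Added example, not from the thread. Run elevated.
# -Mode names and the exit-code convention are assumptions for illustration.
param(
    [ValidateSet('Audit', 'Lock', 'Unlock')]
    [string]$Mode = 'Audit'
)

$ServiceName = 'wuauserv'   # Windows Update service
# Registry value written by the "Remove access to use all Windows Update features" policy
$PolicyKey   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$PolicyValue = 'SetDisableUXWUAccess'

function Get-WuState {
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$ServiceName'"
    $pol = Get-ItemProperty -Path $PolicyKey -Name $PolicyValue -ErrorAction SilentlyContinue
    [pscustomobject]@{
        State     = $svc.State       # Running / Stopped
        StartMode = $svc.StartMode   # Auto / Manual / Disabled
        UiBlocked = ($null -ne $pol -and $pol.$PolicyValue -eq 1)
    }
}

$before = Get-WuState
# Drift = the service was re-enabled or restarted since the last lock
$drift  = $before.State -ne 'Stopped' -or $before.StartMode -ne 'Disabled'

switch ($Mode) {
    'Lock' {      # monitor action: put the service back to Stopped/Disabled
        if ($drift) {
            Stop-Service -Name $ServiceName -Force -ErrorAction SilentlyContinue
            Set-Service  -Name $ServiceName -StartupType Disabled
        }
    }
    'Unlock' {    # first step of the patching procedure
        Set-Service   -Name $ServiceName -StartupType Manual
        Start-Service -Name $ServiceName
    }
}

$after = Get-WuState
"{0} before={1}/{2} after={3}/{4} uiBlocked={5}" -f $Mode, $before.State,
    $before.StartMode, $after.State, $after.StartMode, $after.UiBlocked

if (-not $after.UiBlocked) { Write-Warning 'Windows Update UI policy is not applied on this device.' }
if ($Mode -ne 'Unlock' -and $drift) { exit 1 }   # let the monitor record the drift
exit 0
```

Logging the `before` state on every monitor run shows how often the service is being switched back on, and running with `-Mode Lock` again at the end of the patching procedure closes the maintenance window.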
@myr Thanks for your comprehensive walkthrough. That’s really helpful!
Although it’s slightly disconcerting to see yet another person who has had the same issues with patch management. Can @ilgaz chime in here? There’s been no response to our previous queries.