Navigating Patch Management: Ensuring Endpoint Compliance with Action1

Question:

In Action1, I enabled a setting that assumes control of Windows Updates, which reestablishes the registry path and sets NoAutoUpdate = 1 under the AU key, indicating that automatic updates are disabled. However, I’ve observed that the endpoints still appear to be communicating with the Windows Update service, as indicated by the ‘Last checked’ timestamp in the update settings, despite no new updates being installed outside of Action1’s purview.

Conversely, the servers, having undergone the same process, do not show any signs of checking in with the Windows Update service post-registry modification.

My concern is that on the upcoming Patch Tuesday, the endpoints might autonomously install new updates directly from Microsoft, despite the current settings. An additional observation post-patch removal is that the endpoints are not installing new updates, but the frequency of check-ins with Windows—every 10 minutes—is unusually high.

Could you provide clarity on this situation and advise on ensuring that the endpoints do not independently install updates? Thank you.

Answer:

When managing a network of endpoints and servers, it’s crucial to have a clear understanding of how Windows Update operates within a managed IT environment. The scenario you’ve described raises several important points about the behavior of Windows Update when third-party management tools like Action1 are in use.

Firstly, setting `NoAutoUpdate` to `1` under `HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU` is the standard way to stop the Automatic Updates client from scanning, downloading and installing on its own schedule, and it is exactly what you want when another tool owns patching. It does not, however, stop the Windows Update Agent from scanning when something else asks it to: a user clicking "Check for updates", the Update Orchestrator, or a management agent that uses the Windows Update Agent API to detect missing updates all perform a scan, and "Last checked" records the most recent successful scan regardless of who requested it. A scan is neither a download nor an installation, so the timestamp on its own is consistent with the policy being honoured. The built-in client's own detection runs roughly once a day, so a scan every ten minutes is far more likely to come from the management agent's detection cycle than from Windows; Action1 support can confirm what interval their agent uses.
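To check this on a test endpoint rather than infer it from the Settings page, the following PowerShell, added here as an example and not taken from Action1 or the original page, reads the policy value and the Windows Update Agent's recorded timestamps, performs one explicit scan through the agent's COM API (the kind of call a management agent makes, which downloads and installs nothing), then reads both again. It assumes an elevated session on a machine that can reach its configured update source; `$auKey` is the policy path discussed above and the function names are this example's own.

```powershell
# Added example (not from the original page or from Action1): observe what an explicit
# Windows Update Agent (WUA) scan changes while NoAutoUpdate = 1 is in place.
# Assumptions: elevated PowerShell on a test endpoint that can reach its update source.

$auKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'

function Get-AutoUpdatePolicy {
    # Returns the policy values a management tool writes; a field is $null when absent.
    $p = Get-ItemProperty -Path $auKey -ErrorAction SilentlyContinue
    [pscustomobject]@{
        NoAutoUpdate = $p.NoAutoUpdate
        AUOptions    = $p.AUOptions
    }
}

function Get-WuaTimestamps {
    # IAutomaticUpdates.Results exposes the agent's last successful search and install
    # dates (UTC). Compare these with what the Settings page shows as "Last checked".
    $au = New-Object -ComObject Microsoft.Update.AutoUpdate
    [pscustomobject]@{
        LastSearchSuccessDate       = $au.Results.LastSearchSuccessDate
        LastInstallationSuccessDate = $au.Results.LastInstallationSuccessDate
    }
}

'Policy before scan:';         Get-AutoUpdatePolicy
'WUA timestamps before scan:'; Get-WuaTimestamps

# One online detection scan through WUA. This only asks "what is missing?"; it does not
# download or install anything, and it does not touch the policy value.
$session  = New-Object -ComObject Microsoft.Update.Session
$searcher = $session.CreateUpdateSearcher()
$result   = $searcher.Search("IsInstalled=0 and Type='Software' and IsHidden=0")
"Scan found $($result.Updates.Count) applicable update(s); none were installed."

'Policy after scan:';          Get-AutoUpdatePolicy
'WUA timestamps after scan:';  Get-WuaTimestamps
```

If `NoAutoUpdate` still reads 1 afterwards and only the search date moved, the endpoint is doing what the policy allows: detecting, not installing. If the policy value changes between runs without the scan having touched it, something else (typically Group Policy) is rewriting the key.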

Endpoint vs. Server Behavior

The difference between endpoints and servers is not explained by the registry value itself, which is the same on both. Look for what else differs: a Group Policy that applies to the workstation OU but not to the servers (the Policies hive is rewritten at every Group Policy refresh, so a GPO that configures Windows Update silently wins over a value an agent wrote), a WSUS assignment (`UseWUServer`) on one class of machine but not the other, different Action1 policies or automation schedules per group, or different Windows Update client versions. Servers usually carry stricter update policies because of the cost of an unplanned reboot, so they are the less surprising of the two.

Patch Tuesday Concerns

Your concern is reasonable, but a scan is not an installation. With `NoAutoUpdate` set to 1 and honoured, the Automatic Updates client will neither download nor install on Patch Tuesday; the policy value, not the scan, is what decides. The realistic ways an endpoint ends up installing on its own are a Group Policy or another tool resetting that value, or a user (or an automation) explicitly starting an installation from the Settings page. Both can be checked for and ruled out before the day arrives.

Ensuring Update Compliance

To ensure that your endpoints do not independently install updates, consider the following steps:

1. Review Group Policy settings: Run `gpresult /scope computer /h report.html` on an affected endpoint and on a server and compare the Windows Update section. If any GPO configures Automatic Updates, it overwrites what Action1 wrote at the next refresh; either remove that setting from the GPO or make the GPO match (`NoAutoUpdate` = 1).

2. Examine Action1 settings: Confirm that the setting which takes control of Windows Updates is enabled for the endpoints as well as the servers, and read the registry value on the endpoints themselves (`Get-ItemProperty`) rather than trusting the console. Action1 cannot stop the endpoint from talking to Microsoft's update servers, and a tool that drives the Windows Update Agent depends on that traffic for its own detection.

3. Check network configuration: Resist the temptation to block Windows Update at the firewall or proxy as a safeguard. Detection scans and the downloads that go through the Windows Update Agent use the same Microsoft endpoints, so a block would break Action1's patching along with the behaviour you are trying to prevent. Network controls decide whether machines reach the right source (Microsoft, or a WSUS server if you have one); they are not a substitute for the policy.

4. Monitor update logs: Look at what actually installed and who asked for it. The Windows Update Agent's history names the requesting client (`ClientApplicationID` on each `QueryHistory` entry), `Get-WindowsUpdateLog` produces the agent's text log, and the `Microsoft-Windows-WindowsUpdateClient/Operational` event log records installation events (ID 19 success, ID 20 failure). An installation entry dated outside Action1's maintenance window is the finding you are looking for.

5. Test endpoint behaviour: Pick a few endpoints, record their policy values and installation history before Patch Tuesday, and compare afterwards. A new history entry outside the Action1 window, or a changed policy value, is the evidence that something is bypassing the policy.

6. Consult Action1 support: If the policy is correct, no GPO overrides it, and installations still appear outside the window, Action1's support team can state what the agent itself does on the endpoint and how often.
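The checks in steps 1, 4 and 5 come together in the following audit, added here as an example and not part of the original page or of Action1. It reads the policy values, the agent's recorded timestamps and its installation history, flags installs that fall outside a maintenance window, and cross-checks the event log. It assumes an elevated session; `$MaintenanceStart` and `$MaintenanceEnd` are placeholders for your own Action1 window.

```powershell
# Added example (not from the original page or from Action1): post-Patch-Tuesday audit
# of a single endpoint. Assumptions: elevated PowerShell; the maintenance window below is
# a placeholder (yesterday 22:00 to today 04:00) and must be adjusted to your schedule.

param(
    [datetime]$MaintenanceStart = (Get-Date).AddDays(-1).Date.AddHours(22),
    [datetime]$MaintenanceEnd   = (Get-Date).Date.AddHours(4)
)

$wu = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$au = Join-Path $wu 'AU'

# 1. Policy as currently present in the Policies hive. Group Policy rewrites this hive on
#    every refresh, so a value that keeps reverting points at a GPO, not at the agent.
$auValues = Get-ItemProperty -Path $au -ErrorAction SilentlyContinue
$wuValues = Get-ItemProperty -Path $wu -ErrorAction SilentlyContinue
[ordered]@{
    NoAutoUpdate = $auValues.NoAutoUpdate   # 1 = Automatic Updates disabled
    AUOptions    = $auValues.AUOptions      # 2/3/4/5 only matter when NoAutoUpdate is 0
    UseWUServer  = $auValues.UseWUServer    # 1 = use the WSUS server in WUServer
    WUServer     = $wuValues.WUServer
}

# 2. What the Windows Update Agent itself recorded (UTC).
$results = (New-Object -ComObject Microsoft.Update.AutoUpdate).Results
"Last successful search : $($results.LastSearchSuccessDate)"
"Last successful install: $($results.LastInstallationSuccessDate)"

# 3. Installation history from the agent. ClientApplicationID names the client that
#    requested each operation, which is the quickest way to tell the management agent
#    apart from the built-in orchestrator. Operation 1 = install, ResultCode 2 = succeeded.
$searcher = (New-Object -ComObject Microsoft.Update.Session).CreateUpdateSearcher()
$count    = $searcher.GetTotalHistoryCount()
$history  = if ($count -gt 0) { $searcher.QueryHistory(0, $count) } else { @() }

$history |
    Where-Object { $_.Operation -eq 1 -and $_.ResultCode -eq 2 } |
    ForEach-Object {
        $inWindow = ($_.Date -ge $MaintenanceStart) -and ($_.Date -le $MaintenanceEnd)
        $flag = if ($inWindow) { 'OK     ' } else { 'OUTSIDE' }
        "$flag $($_.Date.ToString('s'))  $($_.ClientApplicationID)  $($_.Title)"
    }

# 4. Cross-check against the client event log for the last week.
#    ID 19 = installation succeeded, ID 20 = installation failed, ID 43 = installation started.
Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-WindowsUpdateClient/Operational'
    Id        = 19, 20, 43
    StartTime = (Get-Date).AddDays(-7)
} -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message |
    Format-Table -AutoSize -Wrap
```

Run it on a handful of endpoints and a server before and after Patch Tuesday. Lines marked `OUTSIDE` whose `ClientApplicationID` is not the management agent, together with a `NoAutoUpdate` that no longer reads 1, are what distinguish a genuine bypass from the harmless scans the question describes.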

In conclusion, the `NoAutoUpdate` policy is the control that prevents automatic installation, and the check-ins you are seeing are scans, which the policy does not and should not prevent. Confirm that the value survives Group Policy refreshes, verify from the agent's own history that every installation was requested by Action1 within its window, and involve Action1 support only if those checks show otherwise. That gives you control over the update process and a defensible answer before Patch Tuesday rather than after it.
