Question:

My concern escalates as Patch Tuesday approaches, fearing that the endpoints might autonomously install updates directly from Microsoft. Although a recent test, post-removal of certain patches, confirmed no new installations during a check-in, the operational log suggests checks are occurring every 10 minutes, which seems unusually frequent.

I would greatly appreciate any insights or guidance on this matter. Thank you.”

Answer:

As Patch Tuesday draws near, it’s understandable to feel apprehensive about the possibility of endpoints independently installing updates from Microsoft, especially after taking steps to centralize and control patch management through a tool like Action1. Your observations indicate that, despite setting `NoAutoUpdate` to 1, endpoints are still checking in with the Windows Update service, albeit without installing any updates.

This behavior can be attributed to the Windows Update client’s design, which, even when automatic updates are disabled, will still periodically check for updates to maintain the system’s update readiness. The frequency of these checks can be influenced by several factors, including system policies and background intelligence service settings.

The key here is the distinction between checking for updates and installing them. The Windows Update client’s checks do not necessarily mean that updates will be installed without your authorization. However, to alleviate your concerns, consider the following steps:

: Ensure that the Group Policy settings for Windows Update are correctly configured to prevent automatic installations. This includes verifying that the `Configure Automatic Updates` policy is set to `2 – Notify for download and notify for install` or disabled.

2.

Examine Scheduled Tasks

: Look for any scheduled tasks that may trigger the Windows Update client to check for updates more frequently than desired.

3.

Monitor Update Logs

: Regularly review the Windows Update logs to track the update check-ins and ensure that no installations are occurring outside of the Action1 management scope.

4.

Patch Tuesday Strategy

: Formulate a clear strategy for Patch Tuesday that includes manual checks and controlled rollouts of updates through Action1, ensuring that you maintain oversight of the update process.

5.

Communication with Microsoft Support

: If the frequency of the checks remains a concern, reaching out to Microsoft Support for clarification on the expected behavior of the Windows Update client in your specific configuration may provide additional peace of mind.

By taking these proactive measures, you can better manage your network’s update process and reduce the risk of unwanted installations, ensuring that Patch Tuesday passes without incident.

In conclusion, while the Windows Update client’s behavior may seem alarming at first glance, understanding its operation and implementing stringent controls can help you navigate the complexities of patch management with confidence.