Disabled Automatic Updates are still running
I have DISABLED Automatic Updates via the services.msc on about 100 servers. I however have noticed a few are back to running. Shouldn't disabling the service do the trick? On a few of these servers when running the services.msc I see the Automatic Updates have changed from DISABLED back to AUTOMATIC...how is this happening?
I assume someone turned it on on purpose. Never tried if it is re-enabled if someone surfs to Microsoft's Windows Update site.
To answer your 2nd question:
Disabling a service is not logged at all.
Starting or stopping a service creates information event id 7036 from source Service Control Manager in SYSTEM event log.
To answer your 2nd question:
Disabling a service is not logged at all.
Starting or stopping a service creates information event id 7036 from source Service Control Manager in SYSTEM event log.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
wow!
I've already disabled the service on over 100 servers and only a small amount - maybe 3 have the services restarted already.
since I'll have to log back into the servers to do this task, do you by chance know the registry key value for this so I can distribute?
Can you pls explain the relevance of this?
NO drives on the server which receive backups of other computers are monitored in system restore
I don't quite get how this pertains to Windows Updates? Can you explain further? Thanks.
I've already disabled the service on over 100 servers and only a small amount - maybe 3 have the services restarted already.
since I'll have to log back into the servers to do this task, do you by chance know the registry key value for this so I can distribute?
Can you pls explain the relevance of this?
NO drives on the server which receive backups of other computers are monitored in system restore
I don't quite get how this pertains to Windows Updates? Can you explain further? Thanks.
"I don't quite get how this pertains to Windows Updates? "
It doesn't -- I merely said -- "while you are there ..." it was FYI, in case you didn't know -- most do NOT.
I repeat, disabling the service only pertains to the login you used to disable the service. If another SYSTEM service (like a backup) starts, it will not have that service disabled, therefore the service will restart if that SYSTEM (not user) login has the service set to load on start up.
You MUST login as ADMIN rights, and simply do what I said -- it is easy enough, even on 100 systems.
But if you must have registry settings, here they are --
System Key: [HKEY_LOCAL_MACHINE\Softwa
Value Name: NoAutoUpdate, AUOptions, ScheduledInstallDay, ScheduledInstallTime
Data Type: REG_DWORD (DWORD Value)
[HKEY_LOCAL_MACHINE\SOFTWA
"NoAutoUpdate"=dword:00000
Here is a link to a .REG file to do the same --
windowsitpro.com/article/a
If you are using WSUS (which you did not specify) there are too MANY settings to list, see this --
technet2.microsoft.com/Win
It doesn't -- I merely said -- "while you are there ..." it was FYI, in case you didn't know -- most do NOT.
I repeat, disabling the service only pertains to the login you used to disable the service. If another SYSTEM service (like a backup) starts, it will not have that service disabled, therefore the service will restart if that SYSTEM (not user) login has the service set to load on start up.
You MUST login as ADMIN rights, and simply do what I said -- it is easy enough, even on 100 systems.
But if you must have registry settings, here they are --
System Key: [HKEY_LOCAL_MACHINE\Softwa
Value Name: NoAutoUpdate, AUOptions, ScheduledInstallDay, ScheduledInstallTime
Data Type: REG_DWORD (DWORD Value)
[HKEY_LOCAL_MACHINE\SOFTWA
"NoAutoUpdate"=dword:00000
Here is a link to a .REG file to do the same --
windowsitpro.com/article/a
If you are using WSUS (which you did not specify) there are too MANY settings to list, see this --
technet2.microsoft.com/Win
ASKER
we currently do not have WSUS incorporated, but it's a work in progress.
I have logged into the servers w/domain admin rights and disabled the service, but you're saying that doesn't matter?
If I do initiate the registry key value, what's the difficulty level or reversing?
a few of the servers which run production software can't allow the Updates b/c they interfere. I can see running a registry key value for those servers where it's imperative.
what's your input? what would you do?
I have logged into the servers w/domain admin rights and disabled the service, but you're saying that doesn't matter?
If I do initiate the registry key value, what's the difficulty level or reversing?
a few of the servers which run production software can't allow the Updates b/c they interfere. I can see running a registry key value for those servers where it's imperative.
what's your input? what would you do?
"but you're saying that doesn't matter?"
No I am saying a service disable pertains ONLY for that login.
"what's your input? what would you do?"
Since you already spent the time to disable the service on all servers, I personally would take the time to login to all servers one by one as ADMIN, and I would manually stop updates on all of them. Once you do this for admin, it is done for all logins and services. Remember, each will need a reboot to work. Sure it may be an inconvenience, but windows is NOT like linux, it takes reboots for key system changes to work.
If you are comfortable doing this with a registry update file pushed to the servers, fine. I would not be.
Finally I would definitely NOT NOT NOT install WSUS. You have no idea the problems it has caused people coming here in desperation to EE for fixes, and the only fix is to remove it an rebuild the OS.
No I am saying a service disable pertains ONLY for that login.
"what's your input? what would you do?"
Since you already spent the time to disable the service on all servers, I personally would take the time to login to all servers one by one as ADMIN, and I would manually stop updates on all of them. Once you do this for admin, it is done for all logins and services. Remember, each will need a reboot to work. Sure it may be an inconvenience, but windows is NOT like linux, it takes reboots for key system changes to work.
If you are comfortable doing this with a registry update file pushed to the servers, fine. I would not be.
Finally I would definitely NOT NOT NOT install WSUS. You have no idea the problems it has caused people coming here in desperation to EE for fixes, and the only fix is to remove it an rebuild the OS.
ASKER
you've given great advice!
I'll keep you posted!
I'll keep you posted!
ASKER
After much IT discussion, we have voted on the registry entry..
just want to confirm something...
this value does not currently exist on the servers:
HKLM\Software\Policies\Mic
but this does:
HKLM\SOFTWARE\Microsoft\Wi
There is also this key, but does not contain the WindowsUpdate or AU entries:
HKLM\Software\Policies\Mic
Should they be created?
In testing by disabling the updates via the control panel, this key changes value to 1:
[HKEY_LOCAL_MACHINE\SOFTWA
"AUOptions"=dword:00000001
what am I missing here?
just want to confirm something...
this value does not currently exist on the servers:
HKLM\Software\Policies\Mic
but this does:
HKLM\SOFTWARE\Microsoft\Wi
There is also this key, but does not contain the WindowsUpdate or AU entries:
HKLM\Software\Policies\Mic
Should they be created?
In testing by disabling the updates via the control panel, this key changes value to 1:
[HKEY_LOCAL_MACHINE\SOFTWA
"AUOptions"=dword:00000001
what am I missing here?
First, you have to realize that the specific registry keys are in different places on W2K, W2003, XP and Vista -- they might all perform the same function for each OS, but M$ gets some jollies by making the registry keys with different paths PER OS, to get the same result.
SO everything you test will have to be OS specific -- i.e. test W2000 changes only on a 2000 registry, and likewise for 2003 and XP, and whatever OS -- the keys are all different on each OS.
Knowing that, the solution is simple, if a little time consuming. For ANY particular OS, you set the updates to "ON" then use regedit, and export the registry to a file = updateon.reg
Then you change the updates to OFF, then rerun regedit, and export the registry to a new file called updatesoff.reg.
Then run a command prompt using this terminology (fc - file compare, built into the OS ) --
fc updateson.reg updatesoff.reg >diffs.reg
Now the file diffs.reg gives you the keys you want to use to turn the auto updates off. You make that into a standard registry file to change the registry, and push it to all the clients.
Task done. Here is how to make a registry file --
support.microsoft.com/kb/3
www.computerperformance.co.uk/Registry/registry_hacks_reg.htm
www.techsupportforum.com/microsoft-support/windows-xp-support/263150-batch-file-change-registry.html
www.computerperformance.co.uk/vista/vista_reg_create.htm
Good luck !!
SO everything you test will have to be OS specific -- i.e. test W2000 changes only on a 2000 registry, and likewise for 2003 and XP, and whatever OS -- the keys are all different on each OS.
Knowing that, the solution is simple, if a little time consuming. For ANY particular OS, you set the updates to "ON" then use regedit, and export the registry to a file = updateon.reg
Then you change the updates to OFF, then rerun regedit, and export the registry to a new file called updatesoff.reg.
Then run a command prompt using this terminology (fc - file compare, built into the OS ) --
fc updateson.reg updatesoff.reg >diffs.reg
Now the file diffs.reg gives you the keys you want to use to turn the auto updates off. You make that into a standard registry file to change the registry, and push it to all the clients.
Task done. Here is how to make a registry file --
support.microsoft.com/kb/3
www.computerperformance.co.uk/Registry/registry_hacks_reg.htm
www.techsupportforum.com/microsoft-support/windows-xp-support/263150-batch-file-change-registry.html
www.computerperformance.co.uk/vista/vista_reg_create.htm
Good luck !!
ASKER