Patch Management

georgedschneider
We recently purchased Kaseya to fulfill our patch management needs, among other things. One of the things I need to do is disable or turn off my current Automatic Update settings that I have configured with my WSUS server through GPO in order to allow the patch management to control the patching process. If I have a GPO setting, this will reset the software setting every time the GPO is applied. I could do a couple of things: set all the GPOs back to Not Configured and wait for Group Policy to be refreshed, and then set the settings in the software, which will push out the registry settings to the client machines. The other option I can think of is to disable Windows Update altogether through GPOs. What do you think my best bet is, and how can I disable GPOs for Automatic Updates? Should I simply set them to Disabled or Not Configured?

Commented:
It sounds like your best bet is to set the GPO for AU to disabled. If you set it to Not Configured, you run the risk of having some "advanced" users turn on AU on their machines thinking that they're being helpful. After the computer refreshes the GPO or reboots, you'll be set.
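
To confirm on a client which of the three states discussed above actually took effect after the policy refresh, the following added example (not code from this thread or from Kaseya) reads the Windows Update policy values from the registry. It assumes PowerShell is available on the machine and is run locally; the function names `Get-RegValue` and `Get-AUPolicyState` are hypothetical helpers made up for this example.

```powershell
# Added example: classify the local "Configure Automatic Updates" policy state.
# Group Policy writes these values under HKLM\SOFTWARE\Policies; when the
# policy is Not Configured, the NoAutoUpdate value is absent.
$policyWU = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$policyAU = "$policyWU\AU"

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Return $null when the key or value is absent instead of throwing.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { return $item.$Name }
    return $null
}

function Get-AUPolicyState {
    $noAuto   = Get-RegValue $policyAU 'NoAutoUpdate'
    $auOption = Get-RegValue $policyAU 'AUOptions'
    $useWsus  = Get-RegValue $policyAU 'UseWUServer'
    $wsusUrl  = Get-RegValue $policyWU 'WUServer'

    if ($null -eq $noAuto) {
        # No policy value: local settings (or other software) decide.
        $state = 'Not Configured'
    } elseif ($noAuto -eq 1) {
        # Policy set to Disabled: Automatic Updates is turned off by policy.
        $state = 'Disabled'
    } else {
        # Policy set to Enabled: AUOptions holds the chosen install behaviour.
        $state = "Enabled (AUOptions=$auOption)"
    }

    New-Object PSObject -Property @{
        Computer                  = $env:COMPUTERNAME
        ConfigureAutomaticUpdates = $state
        UseWUServer               = $useWsus   # 1 = client still points at WSUS
        WUServer                  = $wsusUrl
    }
}

Get-AUPolicyState | Format-List
```

A leftover `UseWUServer`/`WUServer` pair in the output means the client is still pointed at the old WSUS server even though Automatic Updates itself reports as Disabled.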

Author

Commented:
How often is group policy refreshed on Windows 2000, XP, and 2003 machines?

Commented:
5 minutes for domain controllers and 90 minutes for everything else (servers and workstations)

Commented:
Here's the MSDN page regarding refresh times:

http://msdn.microsoft.com/en-us/library/ms813077.aspx

Just look at the "breadcrumbs" at the top of the article to see where you can adjust this via Group Policy.

Author

Commented:
I set the GPO to disabled. The user can, however, still go to Windows Update to manually install the updates. It's probably not a concern, but is there a way to prevent this yet still allow the Kaseya patch management to utilize the Microsoft Update API to perform a patch scan, which needs access to the Windows and Microsoft update sites?

Commented:
Local administrators will still be able to enable Automatic Updates in the Control Panel. Also going to the Microsoft or Windows Update website will still be allowed. If you want to block this for certain computers, you could always set an IPSec policy GPO to block those sites (Computer Configuration\Windows Settings\Security Settings\IP Security Policies). That can get a little messy though.

Does the Kaseya software run in a central location and push out updates to the computers on a LAN, or does it run on all of the computers and pull updates from the Internet? I'm not familiar with it.
