Patch Settings Not Reverted When Patch Management Is Disabled

Last Modified

Thu Feb 20 16:29 GMT 2020

Description

  • I've disabled Patch Management and Windows Update still says that the settings are managed by my Administrator.
  • I've uninstalled the Windows Agent and Windows Update still says that the settings are managed by my Administrator.

Environment

  • N-able N-central
  • PME 1.1.10 (requires N-able N-central 12.2 or later)

Solution

  • With the introduction of PME version 1.1.10 we have improved the capability of the Windows Agent to properly revert the Windows Update settings to their previous state when either the agent is removed or Patch Management is removed.
  • Prior to this version, several technical difficulties prevented this, which largely resulted in the settings being left the same as the patch profile.
  • This leaves a few paths forward for existing devices to revert the settings when Patch Management or the agent is removed:
  1. Via GPO
    • Refer to our documentation on which registry settings are changed, and the associated Microsoft documentation, and simply apply a GPO to modify the necessary settings.
    • This is often the simplest method for devices that have already had the agent or Patch Management removed to get the settings corrected.
    • See: Registry Keys modified when Patch Management is enabled or disabled
  2. Via Scheduled Task
    • Use a PowerShell or other scripting option to modify the registry keys through a scheduled task for impacted devices.
    • N-able N-central can be used to deploy to existing agents where Patch Management has been disabled.
  3. Configure reversion settings before the devices are modified (future-proofing)
    • This option involves setting up all devices for success before the agent or Patch Management is removed at some point in the future.
    • The simplest way to do this is via one of two methods:
      1. Modify the Patch Profile to force a historical capture:
        1. Set the patch profile to "Allowed for all User Accounts and Applications" then save.
        2. Leave this as-is until the agents have received their new settings.
        3. Disable Patch Management and wait for the settings to be pushed out.
        4. Enable Patch Management.
        • This will create a capture of the more permissive patch profile, but agents must be online for this to work properly.
      2. Use a GPO/Scheduled Task
        1. Disable Patch Management.
        2. Run a GPO/Scheduled Task to apply the "default" settings to devices.
        3. Disable the GPO, then enable Patch Management.
        • This will capture the desired settings for future reference, but agents need to be online when Patch Management is removed so the GPO can be run.
  4. Manually
    • In some cases a small number of devices need to be corrected and the documentation above can be used to change the registry keys manually.
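
An added example for the scheduled-task option (not N-able's own script): a PowerShell script that lists the Windows Update policy values present on a device, backs them up, and removes only the values the operator names. It assumes the standard Microsoft Windows Update policy locations shown in the code; the parameter names and backup folder are hypothetical, and the value names to remove must be taken from the registry documentation referenced above.

```powershell
#Requires -RunAsAdministrator
[CmdletBinding(SupportsShouldProcess)]
param(
    # Value names to remove, taken from the vendor's registry documentation.
    # Empty by default, so the script only reports what is set.
    [string[]]$ValueNamesToRemove = @(),

    # Hypothetical backup folder for the .reg export made before any change.
    [string]$BackupFolder = "$env:ProgramData\WUPolicyBackup"
)

# Assumption: the standard Microsoft Windows Update policy locations.
$root = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$policyKeys = @($root, "$root\AU")

# Export the whole policy subtree once so a bad change can be re-imported.
if ($ValueNamesToRemove.Count -gt 0 -and (Test-Path -LiteralPath $root)) {
    New-Item -ItemType Directory -Path $BackupFolder -Force | Out-Null
    $stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
    $file  = Join-Path $BackupFolder "WindowsUpdate-$stamp.reg"
    if ($PSCmdlet.ShouldProcess($file, 'Export policy key backup')) {
        & reg.exe export 'HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate' $file /y | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "Backup failed; no values were changed." }
    }
}

foreach ($key in $policyKeys) {
    if (-not (Test-Path -LiteralPath $key)) {
        Write-Warning "No policy key at $key"
        continue
    }
    $item = Get-Item -LiteralPath $key
    foreach ($name in $item.GetValueNames()) {
        # Report every value found, whether or not it is going to be removed.
        [pscustomobject]@{
            Key     = $key
            Name    = $name
            Kind    = $item.GetValueKind($name)
            Value   = $item.GetValue($name)
            Removed = $false
        } | ForEach-Object {
            if ($ValueNamesToRemove -contains $name -and
                $PSCmdlet.ShouldProcess("$key\$name", 'Remove policy value')) {
                Remove-ItemProperty -LiteralPath $key -Name $name -ErrorAction Stop
                $_.Removed = $true
            }
            $_
        }
    }
}
```

Run it with no arguments to audit a device, then with `-ValueNamesToRemove` and `-WhatIf` to preview the change before scheduling it.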