Does Client Security change local group policy?

Hello

We have noticed that most/all our Windows machines have the Local Group Policy "Configure automatic updates" set to Disabled, ie. Windows updates are not installed automatically and must be done manually by the user. By default all GPOs should be set to "Not configured". We are afraid this is the cause of some unpatched machines we have had.

I know that F-Secure has an Updater service, but I can't really see locally on the machine what takes care of what, so I can imagine that F-Secure has disabled Windows' updater to take care of it itself - to avoid a problem we had some time ago where F-Secure would wrongly install Delta updates alongside Windows, bricking the machine.

We're running a Samba NT4 domain that doesn't even support group policies (to my knowledge), and it's set as a Local group policy too.

Find more posts tagged with

Comments

Vad

If you see the "will be" value different from "current" in the log, it means that Software updater changes the GP for the patches installation time.

Langley

So it is not F-Secure that has changed the GP?

Vad

NoAutoUpdates current state is taken from GP.

1 - true

0 - false

-1 - failed to get the value, or not configured.

Other values shown in older logs are the result of a bug fixed some time ago.

Best regards,

Vad

Langley

Thank you for your reply, that log file is interesting to read. Is there any documentation for what the different NoAutoUpdates states mean? I can see both 1, 0, -0, and some really long numbers. I'd like to find out if there is a connection between the state, and the GPO.

Vad

Hello Langley,

F-Secure Software Updater turns Windows updates off when it initiates the procedure of patches installation, and then returns it to the initial state when it is completed.

The information about such events can be found in c:\ProgramData\F-Secure\Logs\fsoftupd\fssua.log. Example:

#1 WUS will be paused
#1 Current NoAutoUpdates state: 1, will be 1

Best regards,

Vad