Device Search Screen UI - 'Devices'> 'Review Checklist'> 'Check Device' Query

Hey guys,

Wondering if there is a way a ‘Check device’ button could be thrown up with the ‘Scan’ and ‘Reboot’ buttons on the primary device search screen? Obviously the ‘Check Device’ name isn’t right but something that can produce the same functionality?

An example of use would be if you’ve decommissioned an old WSUS server and you would like to update devices in Automox to point to a new WSUS. A device seems to hold onto the previous Windows Update Server rather than update to point to a new host. The way I was able to fix this was to update the group policy to point to my new WSUS server and then hit the ‘Check Device’ which seems to update the local policy on a user’s machine (without forcing a gpupdate on their machine and interfering with a user’s day).

Sadly running a scan against a device doesn’t remediate this either and it’s a pain if you have 100+ devices you need to update.

So unless I’m doing something wrong here; anyone else have a way to bulk update?

Cheers from upside-down land.

ʎʎʇsǝʍ

Hey ʎʎʇsǝʍ :slight_smile:
How do you have your OS PATCH MANAGEMENT group settings set for your groups? If you set the Windows Update Source to WSUS and define your new WSUS Server Address, then the devices will redirect to the new server at the next scan time. That would allow you to go into the group, and select all the devices (well up to 500 at a time) and run a scan.
That is the built-in solution

Option 2
If you don’t use the OS PATCH MANAGEMENT group settings (they are left at keep settings) you could use a Worklet to apply the new WSUS server reg values. A scan runs after the Worklet applies, and that would do the trick as well.

Hope that helps!

1 Like

¡ʎǝʞsǝlɔɔɯ˙p ʎǝH

I’ll provide an example. I am working with a group which contains devices for our fleet of workstations.
We currently have it set to point to ‘Windows Updates’ rather than WSUS just so these devices can patch without being on our network so people can patch whilst from home without needing to be on a VPN.

I have a fistful of workstations that haven’t seemed to pick up the correct update source even after a scan. I can manually remediate these devices using the ‘Check Device’ functionality however.

Cheers!

ʎʎʇsǝʍ

Hi Westyy,
We do see something that is exactly what you are seeing. The issue here is if the group setting these devices are in is set to Windows Updates and the setting is not

  1. Changing to Windows Updates
  2. Reverting back to WSUS

this is a sign of something outside of Automox impacting these. For 1 it’s usually because of a corrupt system file or security setting preventing Automox from changing these registries.

If it’s number 2, this is most likely a GPO that is coming in behind Automox and changing the value back. The group scans are what force these settings on endpoints and the quickest that scan happens in Automox is 6 hours which is plenty of time for something to change this back after.

We in support can take a deeper look into this for you. If you would email support@automox.com with the system names where the update source is pointing at the WSUS when you don’t want it to be, we can dig into it and see if we can find something on our end to help.

1 Like
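
A read-only check for the two cases described above (the source never changing, or reverting to WSUS after a scan), added here as an example and not code from Automox or from anyone in this thread. It reads the standard Windows Update policy registry values; `$ExpectedSource` and the `$ExpectedWsus` URL are placeholders to set for your own environment.

```powershell
# Added example: report which update source this device is actually configured for.
# Run elevated or as SYSTEM. Nothing is modified; the exit code only signals drift.
param(
    [ValidateSet('WindowsUpdate', 'WSUS')]
    [string]$ExpectedSource = 'WindowsUpdate',                     # assumption
    [string]$ExpectedWsus   = 'http://wsus.example.internal:8530'  # placeholder URL
)

$wuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$auKey = Join-Path $wuKey 'AU'

function Get-PolicyValue([string]$Path, [string]$Name) {
    # Returns $null when the key or the value is absent (no policy configured).
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name }
}

$useWsus  = Get-PolicyValue $auKey 'UseWUServer'
$wuServer = Get-PolicyValue $wuKey 'WUServer'
$status   = Get-PolicyValue $wuKey 'WUStatusServer'

# WUServer is only honoured by the Windows Update client when UseWUServer is 1.
$actual = if ($useWsus -eq 1 -and $wuServer) { 'WSUS' } else { 'WindowsUpdate' }

if ($ExpectedSource -eq 'WSUS') {
    # Compare URLs without a trailing slash; -eq is case-insensitive for strings.
    $compliant = ($actual -eq 'WSUS') -and
                 ("$wuServer".TrimEnd('/') -eq $ExpectedWsus.TrimEnd('/'))
} else {
    $compliant = ($actual -eq 'WindowsUpdate')
}

[pscustomobject]@{
    Computer       = $env:COMPUTERNAME
    ExpectedSource = $ExpectedSource
    ActualSource   = $actual
    UseWUServer    = $useWsus
    WUServer       = $wuServer
    WUStatusServer = $status
    # A WSUS URL left behind while UseWUServer is off: residue of an older policy.
    StaleWsusValue = [bool]($wuServer -and $useWsus -ne 1)
    Compliant      = $compliant
} | Format-List

# Non-zero exit marks a device whose policy does not match the expected source.
if ($compliant) { exit 0 } else { exit 1 }
```

Running it right after a scan and again a few hours later shows whether the values were never written or were written and then changed back.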

Thanks Brandon!

I’ll take a look at our group policy and see if I can find anything. Mind you we were running SCCM prior to Mox so maybe some residual local policies set on these machines.

I will hit up the support email if I come across anything in particular.

Cheers guys!

Thanks for the detail!
I was able to test in my lab today, and have an explanation to what you are seeing.

Scenario:
Device was configured to point at WSUS. Currently it is reporting that it cannot reach the WSUS server as displayed with an error icon and information under Compatibility in Device Details.

Action: Change Group settings to now set the Update Source from WSUS (or Keep device settings) to Windows Update.
Action 2: Run a scan
Result: User still sees compatibility issue and appears to still be pointing at WSUS server.

What Happened:
Scan runs, and checks the current WU settings. It reports it is set to use WSUS, and that it can’t connect to the server. Then, the scan sets the new WU settings.

Because of the scan action order, it appears that the WU settings are still configured for WSUS, when it actually changed the settings. It would not run an update scan on this run through, but the settings are actually applied.

How Do you Display this actually fixed the settings in the Console?

  1. Run another scan. This time it will detect the new settings, and run a scan against WU rather than WSUS. When it completes, you will see the Compatibility status update.
  2. Or run the Check Device option. This will run the part of the scan where it detects your settings and if it can reach the patch source.

The order of the scan processes could use a tweak… the good news is, that if you want it to show the Source has updated, you can run the scan, and then run it again. This can be done in bulk rather than dig into each device’s settings. The Compatibility status would eventually straighten itself out… but the best thing to do is probably run the scans 2 times so you get your new patch compliance from WU right away.

1 Like

Cheers man; that explains quite a bit. :slight_smile:
I’ve run a secondary scan and will check the status on a few devices.

Appreciate your help!