Hi everyone, Jeramy Skidmore here. Recently I had a case where the Windows Update Service (wuauserv) was disabled in the environment for all servers but after installing System Center 2012 Endpoint Protection (SCEP) it was found that the Windows Update service became enabled every morning between 12:00am and 1:00am.
What we found was that this behavior was due to the new Configuration Manager client, not SCEP. There is new functionality in the System Center 2012 Configuration Manager client where a scheduled task runs CCMEVAL.EXE every morning between 12AM and 1AM.
CCMEVAL does the following:
◦Verifies that the WinMgmt service exists ◦Verifies that the WinMgmt startup type is Automatic (and changes it to Automatic if necessary) ◦Verifies that WinMgmt is running (and starts it if necessary) ◦Tests read/write functionality to the WMI repository (restarts the service if there is a problem with read/write) ◦Performs a WMI Repository Integrity test ◦Verifies BITS exists ◦Verifies BITS is set to Automatic or Manual (and changes to Automatic if necessary) ◦Verifies CCM client prerequisites ◦Verifies CCM client installation (and reinstalls if necessary) ◦Verifies CCMEXEC exists ◦Verifies CCMEXEC is set to automatic (and changes if necessary) ◦Verifies CCMEXEC is running (and starts if necessary) ◦Performs a WMI Event Sink test (and restarts CCMEXEC if the test fails) ◦Verifies the LPPSVC service (Microsoft Policy Platform service) is set to manual ◦Verifies MsMpSvc is set to Automatic (and sets it to automatic) ◦Verifies MsMpSvc is running (and starts it if necessary) ◦Verifies NisSrv is set to manual (and sets it if necessary) ◦Verifies Wuauserv is set to Automatic · If the machine OS is less than 6.2, and Wuauserv is disabled, remediation changes the startup type to automatic. · If the machine OS is 6.2 or greater, and the Wuauserv is disabled, remediation changes the startup type to manual. ◦Verifies CmRcService (CCM remote control service) is set to automatic (and sets it if necessary) ◦Verifies CmRcService is running (and starts if necessary) ◦Verifies ConfigMgr Wake-Up Proxy service is running (and starts if necessary) ◦Verifies health of SQL CE database
So this was what was enabling our Windows Update Service every day. To prevent this from happening we can exclude clients from remediation via a Registry change on the client:
1. Navigate to HKEY_LOCAL_MACHINE\Software\Microsoft\CCM\CcmEval\NotifyOnly. 2. Change the value to True
When set to True, the client computer will not automatically remediate any problems that are found, however you will still be alerted in the Monitoring workspace about any problems with this client. More information and alternate methods for disabling remediation on selected machines can be found at http://blogs.technet.com/b/seanm/archive/2012/12/20/configuration-manager-client-health-disable-automatic-remediation-for-selected-machines.aspx
When set to False (the default setting), the client computer will automatically remediate problems when they are found and you will be alerted in the Monitoring workspace. For more information see How to Configure Client Status in Configuration Manager at http://technet.microsoft.com/en-us/library/hh338432.aspx.
Jeramy Skidmore | Support Escalation Engineer | Management and Security Division
Get the latest System Center news on Facebook and Twitter:
System Center All Up: http://blogs.technet.com/b/systemcenter/ System Center – Configuration Manager Support Team blog: http://blogs.technet.com/configurationmgr/ System Center – Data Protection Manager Team blog: http://blogs.technet.com/dpm/ System Center – Orchestrator Support Team blog: http://blogs.technet.com/b/orchestrator/ System Center – Operations Manager Team blog: http://blogs.technet.com/momteam/ System Center – Service Manager Team blog: http://blogs.technet.com/b/servicemanager System Center – Virtual Machine Manager Team blog: http://blogs.technet.com/scvmm
Windows Intune: http://blogs.technet.com/b/windowsintune/ WSUS Support Team blog: http://blogs.technet.com/sus/ The AD RMS blog: http://blogs.technet.com/b/rmssupp/
The Forefront Endpoint Protection blog : http://blogs.technet.com/b/clientsecurity/ The Forefront Identity Manager blog : http://blogs.msdn.com/b/ms-identity-support/ The Forefront TMG blog: http://blogs.technet.com/b/isablog/ The Forefront UAG blog: http://blogs.technet.com/b/edgeaccessblog/