Update Orchestrator Bouncer

Summary

This solution will monitor the C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Reboot path. If the folder for "reboot" exists, it will be renamed to reboot.bak. This prevents the update orchestrator from side-loading Microsoft patches on endpoints that are not approved via the RMM.

Note: A Task and Device group will need to be created before the monitor can be set up.

Details

Monitor Creation

Navigate to Automation > Monitors
Click "Add Monitor"

---

Monitor Configuration

• Name: Update Orchestrator Bouncer
• Description: This solution will monitor the C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Reboot path. If the folder for "reboot" exists, it will be renamed to reboot.bak. This prevents the update orchestrator from side-loading Microsoft patches on endpoints that are not approved via the RMM.
• Type: Script
• Family: Patch Management
• Severity: Other

Conditions

• Run Script on: Schedule

• Repeat every: 3 Hours

• Script Language: PowerShell

• Script:

  Test-Path 'C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Reboot'

• Criteria: Contains > AND > "True"

• Run Automated Task: Update Orchestrator Bouncer

Ticket Resolution

• Automatically resolve: Enabled
• Run same script as above
• Criteria: Contains > AND > "False"

Resources

Note: A Task and Device group will need to be created before the monitor can be set up.
This monitor is intentionally aimed at the Update Orchestrator group.

Dependencies

• Custom Field - PowerShell Version
• Task - PowerShell Version Information
• Device Groups - PowerShell Version

Ticketing

This solution does technically create tickets, but the tickets are designed to autoclose as soon as the machine runs the task to update PowerShell.