Update settings affecting the time it takes before an update is installed. In cases like this, you can use the new ‘security update’ feature in MEM which will execute an expedited push of the update. To do so, open the Endpoint portal, navigate to Devices and select Windows 10 quality updates. To create a new profile, select Create profile.
Next up, we can configure the specific settings for the quality updates policy. There are two important settings here:
Workarounds
If you cannot deploy the patch, there are still workarounds available.
These workarounds are valid when:
Disabling the print spooler on clients will mean that they cannot print to local printers anymore (which is not recommended when you have a big chunk of your workforce working from home). When you are using Microsoft Endpoint Manager, you might notice that the ‘Allow Print Spooler to accept client connection’ setting is available in ADMX templates or in Settings Catalog. Unfortunately, this will not have an effect on most endpoints as this is using a Windows CSP that is only available for Windows Insiders Builds.
Applying this setting to regular Windows 10 machines will result in a ‘Not Applicable’ state (although I have seen mixed results where the system account applies). The policy is available through GPO, but a lot of our customers are AAD Joined or trying to get away from GPOs. I backtracked the policy to the following registry value:
HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\RegisterSpoolerRemoteRpcEndPoint. If this is set to a value of 2, remote connections to the print spooler are disabled.
Enter proactive remediations
Within MEM, we can use proactive remediations to set the right value for this registry key. Before the policy is active, the print spooler needs to be restarted. To do so, setup a new proactive remediation with the following detection script:
$RegPath = "HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\"
$RegKey = "RegisterSpoolerRemoteRpcEndPoint"
$RegValue = 2

try {
    # Non-compliant (exit 1) when the Printers policy key does not exist yet
    if (!(Test-Path $RegPath -ErrorAction Stop)) {
        Write-Host "Path doesn't exist"
        Exit 1
    }
    # Read the value; Select-Object yields $null for the property when it is missing
    $key = Get-ItemProperty -Path $RegPath | Select-Object -Property $RegKey -ErrorAction Stop
    if ($key."$RegKey" -eq $RegValue) {
        # Compliant: remote RPC endpoint already disabled, no remediation needed
        Write-Host "Key has correct value"
        Exit 0
    }
    else {
        # Any other value (or no value) triggers the remediation script
        Write-Host "Key has incorrect value or doesn't exist"
        Exit 1
    }
}
catch {
    Write-Host "Key doesn't exist"
    Exit 1
}
Within the remediation script, we’ll update the registry value and restart the print spooler to activate the setting.
$RegPath = "HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\"
$RegKey = "RegisterSpoolerRemoteRpcEndPoint"
$RegValue = 2

# Create the policy key (and any missing parent keys) if it is not there yet
if (!(Test-Path $RegPath -ErrorAction Stop)) {
    New-Item $RegPath -Force | Out-Null
    Write-Host "Created path"
}

try {
    # Write the value as a DWORD; -ErrorAction Stop makes failures reach the catch block
    Set-ItemProperty -Path $RegPath -Name $RegKey -Value $RegValue -Type DWord -ErrorAction Stop
    Write-Host "Key has been set"
    # The spooler only reads the policy at startup, so restart it to apply the change
    Restart-Service -Name "Spooler" -Force -ErrorAction Stop
    Write-Host "Spooler has been reset"
    Exit 0
}
catch {
    Write-Error "Error setting key: $_"
    Exit 1
}
After assigning these scripts, the proactive remediation will run the detection script to check whether the registry value has been configured correctly. If it hasn’t, the remediation script updates it to the correct value and restarts the spooler.
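As an added example (not code from the original post), the following script audits both workarounds the post mentions on a device: whether the RegisterSpoolerRemoteRpcEndPoint policy value is set to 2, and whether the Print Spooler service has been stopped and disabled outright. It returns one object per device and can be assigned as a detection-only proactive remediation (no remediation script) to report which endpoints still have neither workaround in place. The function name, parameter names and the JSON output format are my own choices; the registry path, value name and the expected value of 2 are taken from the post.

```powershell
# Added example: report the state of both print spooler workarounds.
# Assumes the registry location from the post; the expected value 2 follows
# the post's statement that 2 disables remote spooler connections.
function Get-SpoolerWorkaroundState {
    [CmdletBinding()]
    param(
        [string]$RegPath = "HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers",
        [string]$RegName = "RegisterSpoolerRemoteRpcEndPoint",
        [int]$ExpectedValue = 2
    )

    # Workaround 1: remote RPC endpoint disabled via the policy registry value.
    # Read the value without assuming the key or the value exists.
    $current = $null
    if (Test-Path -Path $RegPath) {
        $props = Get-ItemProperty -Path $RegPath -ErrorAction SilentlyContinue
        if ($null -ne $props -and ($props.PSObject.Properties.Name -contains $RegName)) {
            $current = $props.$RegName
        }
    }
    $remoteRpcDisabled = ($current -eq $ExpectedValue)

    # Workaround 2: Print Spooler service stopped and set to Disabled.
    $svc = Get-Service -Name Spooler -ErrorAction SilentlyContinue
    $spoolerStatus   = if ($svc) { $svc.Status.ToString() }    else { "NotInstalled" }
    $spoolerStart    = if ($svc) { $svc.StartType.ToString() } else { "NotInstalled" }
    $spoolerDisabled = [bool]($svc -and $svc.Status -eq 'Stopped' -and $svc.StartType -eq 'Disabled')

    [pscustomobject]@{
        ComputerName        = $env:COMPUTERNAME
        RegistryValue       = $current            # $null when the value is absent
        RemoteRpcDisabled   = $remoteRpcDisabled
        SpoolerStatus       = $spoolerStatus
        SpoolerStartType    = $spoolerStart
        SpoolerDisabled     = $spoolerDisabled
        AnyWorkaroundActive = ($remoteRpcDisabled -or $spoolerDisabled)
    }
}

# Usage as a detection-only proactive remediation: the object is written as
# compact JSON so it appears in the script output column of the MEM report,
# and the exit code marks the device compliant (0) when at least one
# workaround is active, otherwise non-compliant (1).
$state = Get-SpoolerWorkaroundState
$state | ConvertTo-Json -Compress | Write-Output
if ($state.AnyWorkaroundActive) { exit 0 } else { exit 1 }
```

Run it interactively without the last three lines to just see the object; as a proactive remediation, leave the exit codes in place and skip assigning a remediation script if you only want reporting.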