Patch Management SCCM 2012

    Question

  • Hi,

    I have a few questions with respect to patch management through SCCM 2012. To give you a brief idea about the setup, this is what we have done:

    Separate server with WSUS and SUP role installed. Single Primary Server.

    We enabled Software Update client settings for a group of machines and I understand that this policy will create a local policy in Windows Update to point to the WSUS/SUP server. If I remove a machine from this group, will that change the local policy on the respective machine?

    If both Specify intranet Microsoft update service location & Configure Automatic Updates are set to Not Configured, will the machine still connect to Windows Update and download the patches without any administrative intervention?

    We want to have patch management controlled only through SCCM. Can I disable Configure Automatic Updates? Or is it advisable to enable Turn Off access to all Windows Update features?

    When we click on Check for updates on a local machine, the result comes up with the status "Windows is up to date". I hope this check is against the SCCM server?

    Appreciate it if someone can clarify these questions for me... Many thanks!

    Raj

    Sunday, August 31, 2014 3:02 AM

Answers

All replies

    • When ConfigMgr client settings are not targeted to a client anymore, those settings will not be automatically reverted.
    • A machine without GPO's and ConfigMgr client settings is by default able to update via Windows Update.
    • You can set Configure Automatic Update to disabled to prevent any updates from WSUS (like an agent update), other GPO's should be left untouched (unless you're also using SCUP).
    • That check for updates is done with whatever is configured as the update source.

    My Blog: http://www.petervanderwoude.nl/
    Follow me on twitter: pvanderwoude

    Sunday, August 31, 2014 6:26 AM
  • Sunday, August 31, 2014 2:07 PM
  • Thanks for the clarifications... with respect to the point below that you mentioned:

    You can set Configure Automatic Update to disabled to prevent any updates from WSUS (like an agent update), other GPO's should be left untouched (unless you're also using SCUP).

    What we see on the workstations is that users get a link to check for updates online and install them. We do not want this to happen, and I think the only option is to enable the Turn Off access to all Windows Update features setting, I presume?... any other thoughts?

    We are planning to implement IBCM, so I'm unsure: if I enable the Turn Off access to all Windows Update features setting, or disable Configure Automatic Updates, how can the client go to the internet to download the update if the DPs are not reachable?

    Many Thanks,

    Raj

    Sunday, August 31, 2014 3:18 PM
  • First, please read the blog posts I've linked to above.

    Yes, setting the turn off access to Windows Update is generally a good thing to do. It does not disable Windows Update in any way, it just prevents users from using Windows Update.

    Yes, disabling the Configure Auto Update setting is also generally a good thing to do. This setting does not turn off the WUA though, it simply prevents it from autonomously performing activity which is not needed for use with ConfigMgr where all update activity is triggered by the ConfigMgr client agent (once again, read the blog posts).

    For clients that are on the Internet, they will *always* try to download updates from Microsoft first and not your Internet facing DP -- this is by default and not configurable -- thus your DPs availability on the Internet doesn't matter (unless the client can't reach Microsoft for some reason then it will try to fall back to your Internet facing DP).


    Jason | http://blog.configmgrftw.com | @jasonsandys

    Sunday, August 31, 2014 6:31 PM
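    The two answers above come down to a handful of GPO-backed registry values that the ConfigMgr client and the two Group Policy settings write on each workstation. The PowerShell script below is an added example, not code from the thread or from either blog; it reads those values and the registered update services so an admin can confirm, on a given machine, which update source "Check for updates" will use, whether Configure Automatic Updates is disabled (NoAutoUpdate), and whether Turn off access to all Windows Update features is in effect (DisableWindowsUpdateAccess). It assumes it is run in an elevated PowerShell session on a Windows client and reads only; it changes nothing.

```powershell
# Added example (not from the thread): audit the local Windows Update policy a
# workstation ends up with after ConfigMgr client settings and GPOs are applied.
# Read-only. Assumes an elevated PowerShell session on a Windows client.

$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$auKey     = Join-Path $policyKey 'AU'

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    # Returns the value, or $null when the policy value is not configured.
    try   { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

# Each entry: human-readable label -> registry location of the policy value.
$checks = [ordered]@{
    'WUServer (Specify intranet update service location)'       = @($policyKey, 'WUServer')
    'WUStatusServer (reporting target)'                         = @($policyKey, 'WUStatusServer')
    'UseWUServer (1 = client points at WSUS/SUP)'               = @($auKey,     'UseWUServer')
    'NoAutoUpdate (1 = Configure Automatic Updates disabled)'   = @($auKey,     'NoAutoUpdate')
    'AUOptions (schedule when AU is enabled)'                   = @($auKey,     'AUOptions')
    'DisableWindowsUpdateAccess (1 = Turn off access to WU UI)' = @($policyKey, 'DisableWindowsUpdateAccess')
}

foreach ($entry in $checks.GetEnumerator()) {
    $value = Get-PolicyValue -Path $entry.Value[0] -Name $entry.Value[1]
    if ($null -eq $value) { $value = '<not configured>' }
    '{0,-60} : {1}' -f $entry.Key, $value
}

# Which update services the Windows Update Agent knows about, and which one is
# the default Automatic Updates source. On a ConfigMgr-managed client you expect
# the WSUS/SUP entry (ServiceUrl = the WUServer above) to be IsDefaultAUService.
$serviceManager = New-Object -ComObject Microsoft.Update.ServiceManager
$serviceManager.Services |
    Select-Object Name, IsDefaultAUService, ServiceUrl |
    Format-Table -AutoSize
```

    Reading the output against the answers: if WUServer is set and UseWUServer is 1, the "Windows is up to date" result from Check for updates was obtained from the WSUS/SUP server, not from Microsoft; NoAutoUpdate = 1 is what the disabled Configure Automatic Updates setting looks like on disk; DisableWindowsUpdateAccess = 1 is what removes the "check online" link users were seeing. Because these values are written as local policy, they persist after a device is dropped from the collection that targeted the client setting, which is exactly the first point in the reply above; the ConfigMgr client's WUAHandler.log under %windir%\CCM\Logs records each time it sets the WSUS server policy on the client.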
  • Many thanks for clarifying these points, very much appreciated Jason :)
    Monday, September 01, 2014 7:00 PM