SCCM 2007 - Can I have clients download updates but not install?

    Question

  • Hi everyone. So, we have a few Windows servers that have to be manually patched (for various reasons). What I would like to do is push Windows Updates from SCCM to those servers requiring manual patching. I want the servers to download the updates from SCCM, but not install them. Then I'd like to run a compliance report on those servers to see if those servers actually got patched. What I want to avoid is someone manually patching a server and getting the updates from Windows Update... I'd like SCCM to be the authority on what updates are available.

    As a bit of background, I didn't set this system up. I inherited it when a previous employee left the company. If I need to clarify anything, please let me know.  Thank you for your help.

    Monday, August 19, 2013 5:55 PM

All replies

  • The way to do this is to create a collection of the server. Create the patch deployment that is set for Optional Patching (Available but no deadline). If you don't want the patch install to auto-reboot, then set the patch to not restart the machine.

    Then the server will have a popup that will give you the patches that you, the SCCM admin, are providing.

    You can't get a compliance report on whether they did it from WU or SCCM. It is the same patch.

    The only problem with pulling from Windows Update is that you could get more patches than what you want to push in SCCM.


    http://www.sccm-tools.com http://sms-hints-tricks.blogspot.com

    Monday, August 19, 2013 7:35 PM
  • Thanks for the reply, Matthew. So, for clarification: I would first create a collection for the servers which are to be manually patched (let's call it "Manual Patch"). Next, I would create a new Deployment Template for the "Manual Patch" collection, suppress restart on the "Restart Settings" tab, and set both options on the "Download Settings" tab to "Do Not Install Software Updates". Then I would create a new deployment from my monthly Update list using the "Manual Patch" template, and on the "Schedule" tab, I would set "Select the date and time..." for availability to "As soon as possible", and set "Specify whether the software updates..." to "Do not set a deadline for software update installation". If I understand correctly, doing these steps will ensure that updates will be downloaded to the servers in the "Manual Patch" collection, but they will not be automatically installed, nor the servers automatically rebooted. Is this accurate?
    Monday, August 19, 2013 9:01 PM
  • You are completely correct....


    http://www.sccm-tools.com http://sms-hints-tricks.blogspot.com

    Monday, August 19, 2013 9:31 PM
  • One small note here is that updates won't actually be downloaded though until the installation is manually initiated from the RAP.

    Also, the settings on the Download Settings tab are specific to the location of the target system.

    Finally, as long as the ConfigMgr agent is installed, there are no Windows Update agent GPOs in place, and you've disabled browsing to Windows Update, then there's no way for admins to do an end-around on ConfigMgr Software Updates.


    Jason | http://blog.configmgrftw.com

    Monday, August 19, 2013 9:38 PM
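An added check, not from the thread or any of its posters, that reports the three conditions Jason lists on the local server: whether the ConfigMgr agent service is present and running, whether a Windows Update agent policy is driving automatic updates, and whether access to Windows Update is disabled. The registry paths and the CcmExec service name are assumed from general knowledge of the Windows Update agent and the ConfigMgr client, not taken from this page.

```powershell
# Added example: audit the three conditions from the reply above on the local server.
# Registry locations are the standard Windows Update agent policy keys (assumed, not from the thread).
$wuPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$auPolicy = Join-Path $wuPolicy 'AU'

# 1. ConfigMgr agent installed and running ("SMS Agent Host" service, CcmExec)
$agent = Get-Service -Name 'CcmExec' -ErrorAction SilentlyContinue
if ($agent -and $agent.Status -eq 'Running') {
    Write-Output "OK   ConfigMgr agent (CcmExec) is running"
} else {
    Write-Output "FAIL ConfigMgr agent (CcmExec) missing or not running"
}

# 2. No Windows Update agent GPO in place.
#    The ConfigMgr client itself writes WUServer/UseWUServer (pointing at the Software Update Point),
#    so those alone are expected; an AUOptions value means a separate policy is driving automatic updates.
$au = Get-ItemProperty -Path $auPolicy -ErrorAction SilentlyContinue
$wu = Get-ItemProperty -Path $wuPolicy -ErrorAction SilentlyContinue
if ($au -and ($au.PSObject.Properties.Name -contains 'AUOptions')) {
    Write-Output ("FAIL WUA automatic-update policy present: AUOptions={0}" -f $au.AUOptions)
} else {
    Write-Output "OK   no WUA automatic-update policy value found"
}
if ($wu -and $wu.WUServer) {
    Write-Output ("INFO WUServer = {0} (expected to be the ConfigMgr Software Update Point)" -f $wu.WUServer)
}

# 3. Browsing to Windows Update disabled ("Remove access to use all Windows Update features")
if ($wu -and $wu.DisableWindowsUpdateAccess -eq 1) {
    Write-Output "OK   access to Windows Update is disabled by policy"
} else {
    Write-Output "FAIL Windows Update access not disabled; a logged-on admin can still check online for updates"
}
```

Run it as an administrator on each server in the manual-patch collection; any FAIL line is a path by which updates can arrive outside ConfigMgr.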
  • These steps did not work. The updates were never made available. When the individual logged on to the servers to manually patch them, they opened the Windows Update dialog and clicked "Check for updates managed by your system administrator". There were none available. When the person checked online for updates, there were 8 available. What went wrong?
    Tuesday, September 17, 2013 2:47 PM
  • ConfigMgr does not make updates available that way. The local user must go to the Run Advertised Programs applet in the Control Panel.

    Jason | http://blog.configmgrftw.com

    Tuesday, September 17, 2013 2:56 PM
  • Thanks Jason. I'm looking at the Run Advertised Programs applet, and I have it set for "All Areas" and "All Categories". There are no programs available to run. The software updates deployment is currently active. Is there something else I need to do?

    Tuesday, September 17, 2013 3:01 PM