none
How do I prevent servers getting/installing updates from the internet but continue to get SCCM 2012 Windows Updates?

    Pregunta

  • Hi,

    We are using SCCM 2012 with SP1 to deploy Windows Update.  How do I make sure that my servers won't get automatic updates (the default 3AM rule) without preventing SCCM to deploy updates to them?

    I checked my servers and the current status is turn off.  But I want to make sure this never gets enabled by accident.  OTherwise my servers will be downloading and installing updates at 3am.

    Thanks!

    miércoles, 03 de abril de 2013 17:45

Respuestas

  • That setting is more specifically for if WSUS is managing the updates (manually or via GPO).  If you are using SCCM, then it and the SCCM Agent on the workstation are in control and instruct the Windows Update Agent what to do and when.

    David Coulter | http://DCtheGeek.blogspot.com | @DCtheGeek

    • Marcado como respuesta SwissMiss123 miércoles, 03 de abril de 2013 23:54
    miércoles, 03 de abril de 2013 23:53

Todas las respuestas

  • You could use Compliance Manager in SCCM to validate the WSUS Service is disabled and if it finds it enabled, to turn it back off.  You could target this rule just at the Servers you want no patches to be pushed to (SCCM, WSUS or otherwise).

    David Coulter | http://DCtheGeek.blogspot.com | @DCtheGeek

    miércoles, 03 de abril de 2013 22:31
  • Thanks David!  However, to my understanding Windows Update service is needed by SCCM for SUS update and Endpoint Protection...  I'm not sure how exactly but the service is being used so I can't really stop it, correct?

    miércoles, 03 de abril de 2013 23:15
  • I guess I'm not understanding what you were looking for.  If you are controlling via SCCM, then the schedule is controlled by your Deployment there.  You can set Maintenance Window's if you need to further ensure patching only happens at certain times for the servers.  Some info on Maintenance Windows here (http://allthingsconfigmgr.wordpress.com/2012/06/13/configmgr-101-maintenance-windows/).

    David Coulter | http://DCtheGeek.blogspot.com | @DCtheGeek

    miércoles, 03 de abril de 2013 23:33
  • Hi David,

    Thanks.  Sorry for the confusion.  My question was... SCCM is the one responsible for pushing Windows Updates to our servers.  It has the SUS role as well and all is working fine. 

    What I am trying to avoid is for the server to "suddenly" change settings in this area (see picture).  How do I prevent this from changing to "Install Updates Automatically (recommended) or I don't have to worry about it because SCCM is already controlling this?use as long as there is no group policy about Windows Update then I'm fine?


    • Editado SwissMiss123 miércoles, 03 de abril de 2013 23:44
    miércoles, 03 de abril de 2013 23:44
  • That setting is more specifically for if WSUS is managing the updates (manually or via GPO).  If you are using SCCM, then it and the SCCM Agent on the workstation are in control and instruct the Windows Update Agent what to do and when.

    David Coulter | http://DCtheGeek.blogspot.com | @DCtheGeek

    • Marcado como respuesta SwissMiss123 miércoles, 03 de abril de 2013 23:54
    miércoles, 03 de abril de 2013 23:53
  • Thanks David. It was just confusing that if I go to my Control Panel --> Windows Update --> That (picture above were it says "recommended") is what I saw! So I got worried that Internet Updates will still go through our system although SCCM is already taking care of our updates.
    miércoles, 03 de abril de 2013 23:57