SCCM 2012 Updates, GPO and Client Registry settings

  • Question

  • Hello,

    I have always set Windows Updates to undefined via GPO, and also set the following registry keys on computers with the SCCM 2012 client:

    We are in the process of migrating from SCCM 2007 to 2012. One thing we discovered was that it was not a good idea to set WSUS to approve updates automatically, as this will automatically push out updates to computers. So I unapproved all updates and will approve them through SCCM 2012 when the next round of updates needs to be pushed out.

    The Windows 7 systems newly built by SCCM 2012 OSD, with the registry key above, no longer received Windows updates from the Internet, but the ones from 2007 did, without the registry keys above. I suggested pushing out the registry keys above to the other systems, but the other SCCM admin said that was not necessary, as the SCCM 2012 client took care of preventing the updates from coming through Windows Update, pointing it to the correct primary server and site. He couldn't explain why the clients newly migrated from SCCM 2007 to 2012 were pulling in updates from the Internet and said it must be a setting that was not turned on in the primary SCCM 2012 server. The only setting I found under Client Settings > Software Updates was "Enable software updates on clients", which was set to Yes.

    First of all, are the registry keys necessary, and are the correct ones specified above?

    Second, if they aren't necessary, why are the migrated PCs pulling down updates from the Internet?

    I have seen so many contradicting statements on the Internet about this subject. Thanks so much for your help.

    Thanks,

    Mark

    Saturday, August 29, 2015 6:15 PM

Answers

  • Note that you aren't really disabling Windows Updates, you are disabling "Automatic Updates". Also, setting the registry values mentioned above is the same thing as setting a GPO, as that's exactly what setting a GPO does.

    Also, you should never ever approve updates in WSUS. ConfigMgr does *not* use or rely on this in any way and as you've observed, this *will* cause the WUA to install updates all by itself if Automatic Updates is not disabled -- exactly as happened to you. In fact, you shouldn't in general ever go into the WSUS console at all to do anything (except perform clean up tasks).

    If you have automatic updates enabled (which of course is the default) and the clients aren't pointed to your WSUS server, they have one choice ... go to the Internet. This is a common scenario to have happen when one version of the client agent is uninstalled and then a new version is installed as you've described which reinforces what the others have said about disabling "automatic updates" via GPO on any and all systems managed by ConfigMgr.


    Jason | http://blog.configmgrftw.com | @jasonsandys

    Sunday, August 30, 2015 3:05 AM
  • Those registry settings are not required. The ConfigMgr client will take care of the required settings via local policies. That the clients are downloading from the Internet can be caused by a) a configuration in the deployment, which allows the client to download from the Internet when the content is not available, or b) the default behavior of an Internet client, as an Internet client looks for content on Microsoft Update by default.

    My Blog: http://www.petervanderwoude.nl/
    Follow me on twitter: pvanderwoude

    Saturday, August 29, 2015 8:23 PM
  • It doesn't hurt to have automatic updates always disabled; Configuration Manager will still push out updates fine.
    Saturday, August 29, 2015 9:11 PM
  • Agreed - most people will either have a Group Policy that disables Windows Updates, or one that sets the WUServer value to your Configuration Manager 2012 instance that is running WSUS, to stop clients from inadvertently getting updates from the Internet.

    As mentioned before in the thread - disabling Windows Updates via GP will not affect Software Updates delivered by Configuration Manager as the local Configuration Manager client will set the required settings locally.

    The only potential downside to disabling Windows Updates is that the Windows OS will not pull Windows Update Client version updates from the WSUS instance. This was a problem for a while, as Microsoft stopped releasing the agent updates as a separate download (people would deploy the updated client version as a package with Configuration Manager). However, earlier this year that changed, with them releasing a stand-alone updater to fix issues with Windows 7 x86 operating systems and memory issues due to the large number of updates that now apply to that OS.

    Cheers

    Damon

    Saturday, August 29, 2015 9:19 PM
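The three answers above all come down to the same handful of policy values, so here is an added PowerShell check (not from the thread, and not the poster's registry keys) that reads them and classifies what the Windows Update Agent on a client will do by itself. A Windows Update GPO, a manually imported registry file, and the local policy the ConfigMgr client writes all land in the same place: "Configure Automatic Updates: Disabled" sets NoAutoUpdate=1 under HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU, and "Specify intranet Microsoft update service location" sets WUServer/WUStatusServer under ...\WindowsUpdate plus UseWUServer=1 under ...\AU, which is also what the ConfigMgr client sets to point the WUA at its software update point. The function names and the constructed sample states are this example's own assumptions.

```powershell
# Added example (not from the thread). Classifies a client's Windows Update Agent
# policy state from the registry values that a Windows Update GPO, a manual registry
# import, and the ConfigMgr client's local policy all write to the same locations:
#   HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate    -> WUServer, WUStatusServer
#   HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU -> NoAutoUpdate, UseWUServer
# Function names and the sample states below are assumptions made for this example.

function Get-WuaPolicyValues {
    # Read the live policy values; a missing key or value is returned as $null.
    $wuPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    $auPath = Join-Path $wuPath 'AU'

    function Read-Value([string]$Path, [string]$Name) {
        try   { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
        catch { $null }
    }

    [pscustomobject]@{
        WUServer       = Read-Value $wuPath 'WUServer'
        WUStatusServer = Read-Value $wuPath 'WUStatusServer'
        UseWUServer    = Read-Value $auPath 'UseWUServer'
        NoAutoUpdate   = Read-Value $auPath 'NoAutoUpdate'
    }
}

function Get-WuaPolicyState {
    # Map the values to what the WUA will do on its own.
    #   AutoUpdatesDisabled : the WUA installs nothing unless a caller (such as the
    #                         ConfigMgr client) drives it; the state the thread recommends.
    #   WsusServer          : Automatic Updates on and pointed at an intranet WSUS/SUP;
    #                         anything approved in that WSUS console gets installed by the WUA.
    #   InternetRisk        : Automatic Updates on and no intranet server; the WUA's only
    #                         remaining source is Microsoft Update on the Internet.
    param([Parameter(Mandatory = $true)] $Values)

    if ($Values.NoAutoUpdate -eq 1) { return 'AutoUpdatesDisabled' }
    if ($Values.UseWUServer -eq 1 -and -not [string]::IsNullOrEmpty($Values.WUServer)) {
        return 'WsusServer'
    }
    return 'InternetRisk'
}

# Constructed sample states (not captured from any real system) covering the three
# situations described in the question.
$newlyImaged      = [pscustomobject]@{ WUServer = $null; WUStatusServer = $null; UseWUServer = $null; NoAutoUpdate = 1 }
$migratedNoPolicy = [pscustomobject]@{ WUServer = $null; WUStatusServer = $null; UseWUServer = $null; NoAutoUpdate = $null }
$pointedAtSup     = [pscustomobject]@{
    WUServer       = 'http://sup01.corp.example:8530'   # assumed SUP address
    WUStatusServer = 'http://sup01.corp.example:8530'
    UseWUServer    = 1
    NoAutoUpdate   = $null
}

foreach ($sample in @(
        @{ Name = 'newly imaged, NoAutoUpdate=1';     Values = $newlyImaged },
        @{ Name = 'migrated client, no policy';       Values = $migratedNoPolicy },
        @{ Name = 'pointed at SUP, AU still enabled'; Values = $pointedAtSup })) {
    '{0,-36} -> {1}' -f $sample.Name, (Get-WuaPolicyState $sample.Values)
}

# Live check on the machine the script runs on:
'{0,-36} -> {1}' -f 'this computer', (Get-WuaPolicyState (Get-WuaPolicyValues))
```

The logic is deliberately ordered: NoAutoUpdate=1 wins regardless of the server values, because with Automatic Updates off the agent only acts when the ConfigMgr client asks it to, which is why the thread's advice works. A migrated client that lost its policy values on the 2007-to-2012 reinstall has Automatic Updates on and no intranet server, and classifies as InternetRisk. One caveat if you take the WUServer-via-GPO route: a domain GPO takes precedence over the local policy the ConfigMgr client writes, so that GPO must name the same software update point the client is already using, or the two will keep overwriting each other. On a client you can confirm which server the ConfigMgr client set by reading WUAHandler.log under C:\Windows\CCM\Logs.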

All replies

  • Thanks to everyone that responded!! I just recently updated SCCM 2012 R2 to R2 SP1 and then applied CU1. Is it CU1 that fixed the issue mentioned above? A great majority of my clients are running SP1 CU1 (maybe a few hundred running just SP1). Seems I would be safe just to disable automatic updates via GPO and forget the registry keys. All of my clients are Windows 7 x64.

    Thanks again

    Mark

    Saturday, August 29, 2015 11:52 PM