Legacy WSUS GPOs & SCCM 2012

  • Question

  • Good Afternoon All - 

    We are in the process of introducing SCCM 2012 onto our production network.  Currently, we don't use WSUS to its full potential, yet still have a few GPs that configure some of each workstation's update settings such as update location, frequency, reboots, etc.  Eventually, all of this will be taken over by SCCM, though.

    Questions

    1. Will SCCM's Client / SUP settings override any Group Policy for WSUS, does a GP win out, or is it a toss-up?

    2. When (assuming it's needed) do these WSUS policies need to be changed and/or disabled?  Previously, I believe that I've just disabled any existing WSUS policy and let the SCCM client configure each machine.

    3. So that there's no window where clients may NOT be configured how we want, would the best thing be to configure SCCM SUP policy, deploy the clients, then change / disable WSUS GPOs?

    4. If SCCM is configured the way we want, is there any need for any SUP related GPOs to exist for managed clients?  (Besides the SCUP WSUS one which enables "Allow signed content from intranet Microsoft update service location")

    Thanks for your help!


    Ben K.

    Tuesday, June 5, 2012 6:39 PM

Answers

  • I want to add a little thing to Q4)

    You should also enable "Configure Automatic Updates = Disabled". If your clients (for whatever reason) lose the ConfigMgr SUP agent settings, they will go back to the default Windows Update settings. By default, those settings are to automatically download and install all updates at 03:00 every night. This can lead to all clients downloading, installing and restarting = not the best day to be an administrator.


    Kent Agerlund | My blogs: blog.coretech.dk/kea and SCUG.dk/ | Twitter: @Agerlund | Linkedin: Kent Agerlund

    • Proposed as answer by Garth JonesMVP Saturday, December 29, 2012 5:21 PM
    • Marked as answer by Garth JonesMVP Saturday, January 12, 2013 4:44 PM
    Thursday, June 7, 2012 6:22 AM
  • #1: ConfigMgr creates a local policy and those are *always* overwritten by GPO (that's a Windows mechanism)
    #2: delete or disable them
    #3: yes; clients will be managed by WSUS as long as the GPO is active.
    #4: basically there's no need for GPOs, but you should have a look at http://blog.configmgrftw.com/?p=88 and http://blog.configmgrftw.com/?p=89

    Torsten Meringer | http://www.mssccmfaq.de

    • Proposed as answer by Garth JonesMVP Saturday, December 29, 2012 5:20 PM
    • Marked as answer by Garth JonesMVP Saturday, January 12, 2013 4:44 PM
    Tuesday, June 5, 2012 8:37 PM
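
An added example, not part of the original answers: a PowerShell audit of the registry values behind the policies discussed above (update server and "Configure Automatic Updates"), for running on a client before and after the legacy WSUS GPOs are removed. Local policy and domain GPO both write to this policy key, so the values show which one won. The function names are hypothetical and the URLs are placeholders.

```powershell
# Added example: audit the Windows Update policy values in effect on a client.
$wu = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'

function Get-WuPolicyValue {
    param([string]$Path, [string]$Name)
    # $null means the value is absent, i.e. the policy is not configured.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name } else { $null }
}

function Test-WuPolicy {
    param([string]$ExpectedSup, [hashtable]$Policy)
    $findings = @()
    if (-not $Policy.WUServer) {
        $findings += 'WUServer is not set: neither ConfigMgr nor a GPO has configured an update source.'
    }
    elseif ($Policy.WUServer.TrimEnd('/') -ne $ExpectedSup.TrimEnd('/')) {
        $findings += "WUServer is '$($Policy.WUServer)', expected '$ExpectedSup': a legacy WSUS GPO may be overriding the ConfigMgr local policy."
    }
    if ($Policy.UseWUServer -ne 1) {
        $findings += 'UseWUServer is not 1: the agent is not pinned to an intranet update server.'
    }
    if ($Policy.NoAutoUpdate -ne 1) {
        $findings += 'NoAutoUpdate is not 1: "Configure Automatic Updates" is not disabled.'
    }
    $findings
}

# Placeholder URL (assumption); substitute your own software update point.
$expected = 'http://sup.example.test:8530'
$policy = @{
    WUServer     = Get-WuPolicyValue $wu 'WUServer'
    UseWUServer  = Get-WuPolicyValue "$wu\AU" 'UseWUServer'
    NoAutoUpdate = Get-WuPolicyValue "$wu\AU" 'NoAutoUpdate'
}
Test-WuPolicy -ExpectedSup $expected -Policy $policy

# Constructed sample: a client still pointed at an old WSUS server by GPO.
Test-WuPolicy -ExpectedSup $expected -Policy @{
    WUServer = 'http://oldwsus.example.test'; UseWUServer = 1; NoAutoUpdate = 0
}
```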

All replies

  • Kent, that's what Jason Sandys recommends in the two blog posts that Torsten has linked in his reply...but I totally agree with what you are saying.  If you want a managed environment, then you don't want your clients going out to MS to get their updates...ever.

    Mike...

    Thursday, June 7, 2012 2:01 PM

  • ...so why does Microsoft state you need to set this value if you want to deploy the client as a Software Update? *shrug*
    Tuesday, February 26, 2013 6:08 PM
  • I've found that even though a GPO should overwrite the Local Policy set by SCCM, this isn't actually the case.

    If you look at the WUAHandler.log file you see entries for the following

    Enabling WUA Managed server policy to use server: http://MYSCCMWSUSSERVER.MYDOMAIN.COM

    Waiting for 2 mins for Group Policy to notify of WUA policy change...

    Group policy settings were overwritten by a higher authority (Domain Controller) to: Server http://GPOsetwsusserver

    Failed to Add Update Source for WUAgent of type (2) and id ({9F08A663-567F-4A1A-8F1A-F56DF97D3E66}). Error = 0x87d00692.

    There's an MS blog on the issue here:

    https://blogs.technet.com/b/sus/archive/2008/12/02/wuahandler-log-failed-to-add-update-source-for-wuagent-error-0x80040692.aspx

    The options are

    1. Remove the group policy at the domain level

    or

    2. Use the same WSUS server as the Software Update Point for the SCCM as well

    That's not very helpful in my scenario, as I'd like to keep the SCCM client installed for software metering & reporting, but I'd like the WSUS server to be set by GPO for these specific computers, as their updates are managed by a vendor because of the bespoke software running on them.


    MCP, MCSE, MCSA, MCITP, MCTS, MCDST

    Wednesday, February 5, 2014 11:49 AM
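
An added example, not part of the original thread: a PowerShell scan of WUAHandler.log for the message sequence quoted in the post above, reporting each time a domain GPO replaced the server ConfigMgr tried to set. The function name, the sample lines and the log path are assumptions; the patterns tolerate the `]LOG]!>` wrapper that the client log puts around each message.

```powershell
# Added example: find GPO-versus-SUP conflicts in WUAHandler.log messages.
function Find-WuaPolicyConflict {
    param([string[]]$Lines)
    $sup = $null   # last server ConfigMgr tried to set
    foreach ($line in $Lines) {
        if ($line -match 'Enabling WUA Managed server policy to use server:\s*([^\s\]]+)') {
            $sup = $Matches[1]
        }
        elseif ($line -match 'overwritten by a higher authority \(Domain Controller\) to: Server\s+([^\s\]]+)') {
            # Detail holds the server that the domain GPO enforced instead.
            [pscustomobject]@{ Type = 'GpoOverride'; SupServer = $sup; Detail = $Matches[1] }
        }
        elseif ($line -match 'Failed to Add Update Source for WUAgent.*Error = (0x[0-9A-Fa-f]+)') {
            # Detail holds the error code logged after the override.
            [pscustomobject]@{ Type = 'AddSourceFailed'; SupServer = $sup; Detail = $Matches[1] }
        }
    }
}

# Constructed sample, modelled on the messages quoted in the post above.
$sample = @(
    'Enabling WUA Managed server policy to use server: http://sup.example.test:8530'
    'Waiting for 2 mins for Group Policy to notify of WUA policy change...'
    'Group policy settings were overwritten by a higher authority (Domain Controller) to: Server http://oldwsus.example.test'
    'Failed to Add Update Source for WUAgent of type (2) and id ({00000000-0000-0000-0000-000000000000}). Error = 0x87d00692.'
)

# Assumed default client log location; falls back to the sample when absent.
$log = 'C:\Windows\CCM\Logs\WUAHandler.log'
$lines = if (Test-Path $log) { Get-Content $log } else { $sample }
Find-WuaPolicyConflict -Lines $lines | Format-Table -AutoSize
```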