SCCM Disable Automatic Updates GPO

  • Question

  • Did some research regarding whether or not it's best practice to disable the Automatic Updates via GPO. I'm not coming up with a clear consensus.

    1. According to the SCCM 2007 book published by Sams it explicitly says "Do not disable the automatic updates via GPO this will interfere with config manager software updates".

    2. Per previous forum, Automatic Updates must be enabled to allow the client to check for new updates and install the Configuration Manager client.  You can find information about the Software Update Point client installation method at http://technet.microsoft.com/en-us/library/bb633194.aspx.

    http://social.technet.microsoft.com/forums/en-US/configmgrsum/thread/709c420a-d49b-49d4-9165-860edcf49f28/

    3. However, KB2476479

    System Center Configuration Manager 2007 clients running Windows 7 or Windows Server 2008 reboot even though deployment management settings are configured to suppress reboots.

    To resolve this issue disable the Automatic Updates policy on the Configuration Manager client computers.  To do this, apply a Group Policy to disable Automatic Updates. 

    So basically this means if I push out patches and suppress the reboot, Windows AU will still reboot it at 3am; this sucks. Also if I don't disable AU, I get the yellow balloon showing up, which is just cosmetic but still.

    From my understanding, if you disable automatic updates, the Windows Update client will not update itself (I don't really care), nor will you get FEP definitions (not using FEP), nor can you push the SCCM client automatically to new systems (I care about this).


    James Chong MCITP | EA | EMA; MCSE | M+, S+ Security+, Project+, ITIL msexchangetips.blogspot.com

    Tuesday, May 1, 2012 6:43 PM

All replies

  • 1. It is true that you should not disable AU by GPO, but by that it is meant specifically disabling. "Not configured" is ok.

    2. This applies if you plan to distribute the ConfigMgr client with WSUS. If you plan to use another method for client deployment then "Not configured" is still a valid setting in the AU GPO.

    3. This will happen if you have a GPO setting enabled to reboot at 3 a.m. Once again, "Not configured" lets ConfigMgr control the behaviour. I think what they mean here is that if you have a GPO controlling AU then disable the whole GPO, not each setting.

    The ConfigMgr client uses a local policy to set the settings specified in the ConfigMgr console. As you probably know, Group policies have precedence over local policies. Therefore, when GPO AU settings are set to "Enabled" they will overwrite ConfigMgr's settings.

    Tuesday, May 1, 2012 6:55 PM
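
The "Not configured" / "Enabled" / "Disabled" distinction made in the reply above can be checked on a client. This PowerShell is an added example, not code from any poster in this thread; it assumes the standard Automatic Updates policy and local registry keys, and the function names and sample values are constructed for illustration.

```powershell
# Added example: classify the "Configure Automatic Updates" state on a client.
# Assumed locations: the standard AU policy key and the local (Control Panel) AU key.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
$LocalKey  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update'
$AuNames   = 'NoAutoUpdate','AUOptions','ScheduledInstallTime','NoAutoRebootWithLoggedOnUsers'

function Read-AuValues([string]$Path) {
    # Hashtable of the AU values present under $Path; empty when the key or values are absent.
    $out  = @{}
    $item = Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue
    if ($item) {
        foreach ($n in $AuNames) { if ($null -ne $item.$n) { $out[$n] = [int]$item.$n } }
    }
    return $out
}

function Get-AuPolicyState([hashtable]$Policy, [hashtable]$Local) {
    # NoAutoUpdate absent = Not configured, 1 = Disabled, 0 = Enabled.
    $state = 'Enabled'; $eff = $Policy
    if (-not $Policy.ContainsKey('NoAutoUpdate')) { $state = 'Not configured'; $eff = $Local }
    if ($Policy['NoAutoUpdate'] -eq 1)            { $state = 'Disabled';       $eff = @{} }

    # AUOptions 4 = install automatically at ScheduledInstallTime (hour of day, 0-23).
    $scheduled = ($eff['AUOptions'] -eq 4)
    $hour = $null
    if ($scheduled) { $hour = $eff['ScheduledInstallTime'] }

    New-Object PSObject -Property @{
        PolicyState        = $state
        AuScheduledInstall = $scheduled
        AuInstallHour      = $hour
        # Policy value 1 stops AU restarting a machine while a user is logged on.
        NoRebootIfLoggedOn = ($Policy['NoAutoRebootWithLoggedOnUsers'] -eq 1)
    }
}

# Constructed samples, not values taken from the thread's machines.
$samples = @(
    @{ Name = 'GPO not configured'; Policy = @{}; Local = @{ AUOptions = 4; ScheduledInstallTime = 3 } },
    @{ Name = 'GPO enabled';  Policy = @{ NoAutoUpdate = 0; AUOptions = 4; ScheduledInstallTime = 3 }; Local = @{} },
    @{ Name = 'GPO disabled'; Policy = @{ NoAutoUpdate = 1 }; Local = @{ AUOptions = 4; ScheduledInstallTime = 3 } }
)
foreach ($s in $samples) {
    $r = Get-AuPolicyState $s.Policy $s.Local
    '{0,-20} state={1,-15} scheduled={2,-5} hour={3}' -f $s.Name, $r.PolicyState, $r.AuScheduledInstall, $r.AuInstallHour
}

# On a live client:
# Get-AuPolicyState (Read-AuValues $PolicyKey) (Read-AuValues $LocalKey)
```

The registry shows the resulting values but not which policy wrote them; gpresult or RSoP on the client shows whether a domain GPO is the source.
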
  • Hmm, I'm not too sure about step 3. By default all systems will reboot at 3am. I made this mistake when I transitioned from WSUS to SCCM, and machines that didn't get the SCCM client rebooted at 3am. I was supposed to disable as per best practice during the transition so you don't run into this scenario. Right now, I have Automatic Updates set to not configured. However, all my systems still show the yellow balloon with the 3am reboot time. From my understanding from the KB, if I release another patch via SCCM and suppress the reboot for a week, AU will still reboot it at 3am.

    SCCM Update - user waits to reboot but system auto restarts at 3am?

    http://social.technet.microsoft.com/Forums/ar/configmgrsum/thread/b854c5a7-b044-41b3-b4a0-fbf6b24aad6c

    System Center Configuration Manager 2007 clients running Windows 7 or Windows Server 2008 reboot even though deployment management settings are configured to suppress reboots

    http://support.microsoft.com/default.aspx?scid=kb;EN-US;2476479


    James Chong MCITP | EA | EMA; MCSE | M+, S+ Security+, Project+, ITIL msexchangetips.blogspot.com

    Tuesday, May 1, 2012 7:25 PM
  • I did a two part blog post on this topic a while back: http://blog.configmgrftw.com/?s=software+update+group+policy&op.x=0&op.y=0 .

    Jason | http://blog.configmgrftw.com | Twitter @JasonSandys

    • Marked as answer by Jamestechman Wednesday, May 2, 2012 3:58 PM
    Tuesday, May 1, 2012 8:17 PM
    Moderator
  • That was a great article. I'm a newbie to SCCM and wasn't getting a clear consensus on whether to disable vs. enable the automatic updates. You have some MS people saying enable or disable as well as MVPs saying to disable or enable. At the end I guess it's up to each's own but I like how you covered the ramifications of both in detail.

    James Chong MCITP | EA | EMA; MCSE | M+, S+ Security+, Project+, ITIL msexchangetips.blogspot.com

    Wednesday, May 2, 2012 3:58 PM