SCCM 2012 WSUS question

  • Question

  • I want to know how SCCM 2012 WSUS can work automatically, just like a typical WSUS server. I have already installed WSUS in SCCM 2012, and I can synchronize the Microsoft updates/patches from the Microsoft website and create a software package to deploy to a particular device collection. But I am not sure how to make it work through the GPO. For a typical WSUS server, I just create a GPO and enable some of the WSUS GPO settings. That's it!! The client will automatically get the updates from the WSUS server. But it doesn't seem to work in SCCM 2012. Am I missing anything? For the GPO settings on SCCM 2012, I enabled "Specify intranet Microsoft update service location" and pointed it to the software update server, and enabled "Enabling Windows Update Power Management to automatically wake up the system to install scheduled updates". I wonder whether I still need to create an "automatic deploy rule" in SCCM 2012, or whether the above GPO settings alone are enough to deploy software updates automatically. Please advise. Thanks!!
    Thursday, September 27, 2012 6:09 PM

All replies

  • You don't need any GPO for Software updates in ConfigMgr because the CM Client automatically creates local policies on the clients. See http://blog.configmgrftw.com/?p=88 and http://blog.configmgrftw.com/?p=89

    Torsten Meringer | http://www.mssccmfaq.de

    Thursday, September 27, 2012 6:45 PM
  • I agree with Torsten that you do not need to configure the WSUS server settings in a GPO. I personally still create a WSUS GPO with two settings (disable Automatic updates and allow signed updates from intranet locations). That way we allow updates from SCUP to be installed, and if the ConfigMgr client is ever uninstalled the client will fall back to the WSUS GPO, which is Automatic Updates disabled.

    Kent Agerlund | My blogs: blog.coretech.dk/kea and SCUG.dk/ | Twitter: @Agerlund | Linkedin: Kent Agerlund | Mastering ConfigMgr 2012 The Fundamentals

    Thursday, September 27, 2012 7:04 PM
  • I still just set "disable Automatic updates and allow signed updates from intranet locations" in the GPO, but it doesn't seem to work. That is because I found some security update patches on SCCM's software update page, but I can't find that those patches have been installed on the client. How can I make sure the SUP works in SCCM?
    Friday, September 28, 2012 5:21 PM
  • If you want "automatic" patching in CM12, you need to create ADRs.

    CM controls the WUAgent, telling the WUAgent what to do. This includes telling the WUAgent "get patches from CM".
    So you need to create a deployment in CM, for the WUAgent to perform that deployment.
    In CM12, you can create ADRs, to automatically create deployments, so the WUAgent on clients will "auto patch".

    Setting the WU GPOs is not enough. (And it isn't strictly needed at all, but it's a good option/extra as per Kent's suggestion.)

    [remember that for auto patching in WSUS you have to do the GPO for the client *AND* also the auto-approve rule on WSUS?]
    [the ADR in CM12 is like doing the auto-approve on WSUS.....]


    Don
    (Please take a moment to "Vote as Helpful" and/or "Mark as Answer", where applicable.
    This helps the community, keeps the forums tidy, and recognises useful contributions. Thanks!)


    • Edited by DonPick Saturday, September 29, 2012 1:03 AM
    Saturday, September 29, 2012 1:01 AM
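
Added example, not part of any reply in this thread: a PowerShell check, run on a client, of the Windows Update Agent policy values that the settings discussed above ("Specify intranet Microsoft update service location", "allow signed updates from intranet locations", "disable Automatic updates") write to the registry. It assumes the standard Windows Update policy registry values; `$ExpectedSup` and its host name are placeholders for your own software update point.

```powershell
# Added example (not from the thread): report the effective Windows Update Agent
# policy on this client and flag values that differ from what the replies describe.
param(
    # Placeholder URL (constructed): replace with your software update point.
    [string]$ExpectedSup = 'http://sup.example.local:8530'
)

$wuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$auKey = Join-Path $wuKey 'AU'

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    # Returns nothing when the key or value is absent (policy not configured).
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name }
}

$state = [ordered]@{
    WUServer                    = Get-PolicyValue $wuKey 'WUServer'
    WUStatusServer              = Get-PolicyValue $wuKey 'WUStatusServer'
    AcceptTrustedPublisherCerts = Get-PolicyValue $wuKey 'AcceptTrustedPublisherCerts'
    UseWUServer                 = Get-PolicyValue $auKey 'UseWUServer'
    NoAutoUpdate                = Get-PolicyValue $auKey 'NoAutoUpdate'
}
$state.GetEnumerator() | Format-Table Name, Value -AutoSize

$findings = @()
if (-not $state.WUServer) {
    $findings += 'No intranet update location is set; the ConfigMgr client has not applied its local policy yet.'
}
elseif ($state.WUServer.TrimEnd('/') -ne $ExpectedSup.TrimEnd('/')) {
    # A domain GPO pointing elsewhere overrides the local policy set by the client.
    $findings += "WUServer is '$($state.WUServer)', expected '$ExpectedSup'; check for a conflicting GPO."
}
if ($state.AcceptTrustedPublisherCerts -ne 1) {
    $findings += 'Signed updates from an intranet location are not allowed; SCUP-published updates will not install.'
}
if ($state.NoAutoUpdate -ne 1) {
    $findings += 'Automatic Updates is not disabled by policy; the agent may act on its own if the ConfigMgr client is removed.'
}

if ($findings.Count -eq 0) { 'Windows Update policy matches the expected configuration.' }
else { $findings | ForEach-Object { "FINDING: $_" } }
```

Correct policy values only show where the agent will scan; as the replies say, updates are installed only once a deployment (for example one created by an ADR) targets the client.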