Jump to content




anyweb

Updates are not being installed automatically



Recommended Posts

This guide assumes you've installed a SUP within SCCM and configured it for software updates to your clients.

You may notice that the familiar windows update icon still appears even though SCCM is handling windows updates to your client.

win_update_icon.jpg

to resolve open up Group Policy Management and right click on the Default Domain Policy, choose Edit.

expand Computer Configuration\Policies\Administrative Templates\Windows Components and then select Windows Update from the list *scroll down*

windows_components.jpg

find the setting configure automatic updates

configure_automatic_updates.jpg

right click it, choose properties and then set it to Disabled

disabled.jpg

The Windows Update Icon will disappear however you will still receive updates from Configuration Manager as normal.

to speed up clients getting this GPO open a command prompt and do gpudpate /force

cheers
anyweb

Share this post


Link to post
Share on other sites


I was wondering about this...

 

This would mean you'd also have to disable an in place WSUS policy?

 

So you don't need to configure a policy to check for updates on the WSUS, rather you shut down the updates all together and rely on the SCCM agent for regular checks?

Share this post


Link to post
Share on other sites

try it and see what happens

Share this post


Link to post
Share on other sites

Ok, this issue just affected me kind of majorly - a server whose updates were under SCCM's control applied updates and rebooted at 3am. Ouch. Am I right in thinking if this GPO is applied, SCCM's update behaviour is totally unaffected, but the annoying windows update icon with scary restart settings will cease to appear and have any effect?

 

Cheers,

MRaybone.

Share this post


Link to post
Share on other sites

i dont get it, did you use a deployment template that allowed the system to reboot ? that is why you should have at least two deployment templates

 

one for servers (no reboot) and one for workstations (reboot ok)

 

the little group policy tip merely gets rid of the windows update ICON from appearing, it doesn't stop windows updates from being deployed via configmgr,

 

can you explain what happened in your situation please ?

Share this post


Link to post
Share on other sites
can you explain what happened in your situation please ?

I received a report that a server had rebooted itself at 3am after installing updates - this happened during backup so the owners weren't too pleased...

Ater disabling Windows Update GP so that the SCCM client could take control of the Windows Update settings, the Windows Update icon started to appear in the Systray, prompting users to select a time (3:00am by default) for Automatic updates to occur. My guess is that on this particular server, someone actually just clicked OK on this prompt so the machine grabbed updates from the net and rebooted at 3am.

 

My question was that if we apply only the GP setting that you mentioned in your post, would updating via SCCM be unaffected? Simply because the other GP settings in use before prevented SCCM from taking control.

 

Things are looking ok after applying the GPO now anyway, so I think it should all be alright. :)

 

 

P.S. Sorry for the delayed replies but I think my email notifications are being blocked by our mail system somewhere.

Share this post


Link to post
Share on other sites

I use the GP and my servers update fine, same for desktops,

 

i'd advise you to test in the lab first to verify, always test everything

Share this post


Link to post
Share on other sites

Hello all,

 

I am having some trouble deploying patches in my test group. I have been poring over all of the SCCM guides and they are all excellent expecially for a visual learner like myself. The thing that makes my situation a little tricky is that we have both Microsoft System Center Essentials 2010 agents as well as SCCM 2007 R2 SP2 agents installed on all of our workstations. I attempted to deploy the latest Windows XP patches to one of my co-workers machines and the patches never showed up. I have the following in my log file:

 

<![LOG[its a WSUS Update Source type ({55895E29-8F7C-47F8-87EC-37D4787C2B13}), adding it.]LOG]!><time="16:24:44.125+420" date="05-11-2010" component="WUAHandler" context="" type="1" thread="5500" file="sourcemanager.cpp:1348">

<![LOG[Enabling WUA Managed server policy to use server: http://ourserver:8530]LOG]!><time="16:24:44.125+420" date="05-11-2010" component="WUAHandler" context="" type="1" thread="5500" file="sourcemanager.cpp:1054">

<![LOG[Waiting for 2 mins for Group Policy to notify of WUA policy change...]LOG]!><time="16:24:44.157+420" date="05-11-2010" component="WUAHandler" context="" type="1" thread="5500" file="sourcemanager.cpp:1060">

<![LOG[Group policy settings were overwritten by a higher authority (Domain Controller) to: Server https://ourserver:8531 and Policy ENABLED]LOG]!><time="16:24:45.625+420" date="05-11-2010" component="WUAHandler" context="" type="3" thread="5500" file="sourcemanager.cpp:1116">

 

When I pushed the patches out with SCE I set a deadline of 10:00 AM for the patches to be installed which was not a concern as the WSUS or SCE GPO has the option to not reboot any workstations that have users logged on. Well at 9:45 AM this morning, all of our workstation got the 15 minute reboot warning from the SCCM agent with no option to deplay the restart. So all of our workstations were rebooted at 10:00 AM causing me a lot of stress.

 

Any ideas on how to move forward?

 

Thanks,

Anthony

Share this post


Link to post
Share on other sites

sounds a bit messy, are you intending to do software updates via SCCM or not ? if not just remove the software update client agent and see does that help ?

Share this post


Link to post
Share on other sites

 

snip...

 

Any ideas on how to move forward?

 

Thanks,

Anthony

 

Remove either the SCCM or the SCE agent would be my advise and stick to 1 application for desktop management, or, as anyweb pointed out, decide which functionality you want from which application. SCE uses the same mechanisms and communication channels as SCCM so it's hard to troubleshoot. It might even be possible SCE agents are responding to SCCM policies. Not to mention SCE using group policies which could overwrite certain local policy settings used by SCCM.

 

What is the exact reasoning behind using SCE and SCCM in the same environemnt (if you don't mind my asking)?

Share this post


Link to post
Share on other sites

Remove either the SCCM or the SCE agent would be my advise and stick to 1 application for desktop management, or, as anyweb pointed out, decide which functionality you want from which application. SCE uses the same mechanisms and communication channels as SCCM so it's hard to troubleshoot. It might even be possible SCE agents are responding to SCCM policies. Not to mention SCE using group policies which could overwrite certain local policy settings used by SCCM.

 

What is the exact reasoning behind using SCE and SCCM in the same environemnt (if you don't mind my asking)?

 

quote from anyweb...sounds a bit messy, are you intending to do software updates via SCCM or not ? if not just remove the software update client agent and see does that help ?

 

Budget was the prime mover behind our decision to use SCE 2010. We are a smaller company (around 400 servers & Workstations) so I was thinking that SCE would be a good product for our size and Microsoft designed it for companies like us in mind. But we have an even smaller staff (one network manager, one desktop support tech, and me to fill in the rest.), so the three of of us wear many different hats. SCE works well for the SCOM aspects for monitoring servers and the built in WSUS was working as it should, but we were in real need to upgrade the way that we deploy images (we use Bart PE and Symantec Ghost on an external hard drive) and an aging NT4 era login script to push out software updates and collect inventory. SCE has helped with the software inventory, and we have tinkered a little with the software updating in it, but we really needed something a little better. Our Microsoft reseller added SCCM in our EA, and we were researching adding SCOM, but we could not afford it at the time, so we went with SCE. Then we discovered that we were adding more servers for new platforms (we are a financial institution and need many servers to support our many regulatory systems etc) that we anticipated so we quickly outgrew SCE's 50 server limit. I started researching a bit and remembered that we had SCCM in our agreement and wanted to check it out. We brought in a consultant to help us get it deployed and then how to use it. The problem was one business week was not quite enough time to go over all the features and aspects of SCCM, so thankfully for me, he advised me about the guides that anyweb had put together, so I started hitting those up to fill in the gaps in the training and learn how to use the product better. So now I am left with a product that does great for the monitoring, but SCCM does much better for patching and everything else, and I am not sure if we can afford SCOM for this budget cycle. So I am thinking that I will remove the SCE agents off of all the workstations and keep SCE to just maintain and monitor the servers and have the SCCM client installed on the workstations. Sorry for the book here, but I wanted to give the full reasoning behind our situation.

 

So moving forward, do you think it would be sound to have SCE agents and SCE agents only deployed on our servers and SCCM clients deployed everywhere else?

 

Thanks for the feedback!

 

Anthony

Share this post


Link to post
Share on other sites

It sounds like a plausible workaround to me. Just make sure you've got your boundaries in SCCM configured and/or maybe prevent automatic SCCM agent installation by disabling all client installation methods.

Share this post


Link to post
Share on other sites
Hi,


I have got production environment. I patches monthly windows updates and scheduled updates via SCCM 2012. Updates installed successfully at scheduled time. But some users attempted to manually uninstall some updates.


Can I force users to not uninstall any monthly updates without approval ?


or Can I force sccm to reinstall, when it find any updates removal via maually or by any users ?


Thanks


Nomi

Share this post


Link to post
Share on other sites

 

I have got production environment. I patches monthly windows updates and scheduled updates via SCCM 2012. Updates installed successfully at scheduled time. But some users attempted to manually uninstall some updates.
Can I force users to not uninstall any monthly updates without approval ?
or Can I force sccm to reinstall, when it find any updates removal via maually or by any users ?

 

First off, you should removed Admin right from end users.

Secondly, CM will automatically push out the SU again during the next deployment cycle, default is every 7 days.

Share this post


Link to post
Share on other sites

Hi,


I am having a issue in deploying windows patches in SCCM 2007.I had created an update list and downloaded the updates to a package and deployed to a collection.The distribution point is getting replicated the package and when I checking in the deployment management tab I can see in the deployment that clients needed the update but the installation is not starting.I had run the all the configuration manager actions such as Machine policy Retrieval & Evaluation cycle,Software Updates deployment evaluation cycle,Software Updates scan cycle & User policy Retrieval & Evaluation Cycle.I had created deployments for Server 2008 as well as Server 2012 BITS,WMI services are running.I had restarted the server and checked.Even in the Distribution points also the updates are not getting installed.Kindly help me to resolve this issue.


Regards


Bobby


Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now


×