Jump to content


Wallacetech

SCCM SP1 CU1 WSUS

Recommended Posts

Guys.

 

Sorry for the dim post here. I am completely confused by the whole SCCM \ WSUS setup in 2012. Traditionally I have been used to a WSUS server in each of our remote locations which is a replica of the main WSUS server in our UK HQ.


Now i have had a read of forum posts that say you dont or should not configure windows clients via GPO that points to SCCM as a WSUS server. However I have also had a read of posts that say do configure the GPO settings.

 

Can anyone clear this up for me

 

Thanks in advance

 

Share this post


Link to post
Share on other sites

This is correct. There is no need to configure Configuration Manager clients using Group Policy, because the ConfigMgr Agent will configure the Software Updates options via Local Policy.

 

However, there are a couple of exceptions to this.

 

If you will be using Local Publishing (SCUP, Secunia, SolarWinds), then there is a policy setting that needs to be enabled, Allow signed updates from an intranet Microsoft update service location. This setting can be enabled via Group Policy, Local Policy, or Configuration Manager 2012 settings.

 

There is also a second option that some ConfigMgr experts recommend setting, and that is the setting Configure Automatic Updates to DISABLED. However, there are a couple of considerations with this:

1. Setting this option to disabled prevents the WUAgent from selfupdating. Historically, a functional Windows Update Agent was available as a standalone installer, and ConfigMgr environments could build packages to deploy the WUAgent outside the scope of selfupdate. However, the latest version of the Windows Update Agent is only available via selfupdate, so this option can no longer be functionally disabled, unless it is known that all WUAgents are at the current version.

2. The reason for setting this to disabled, arguably, is to prevent the client from scanning Automatic Updates. However, there are other policy settings that are expressly designed to prevent a client from scanning Automatic Updates and those settings should be used for achieving that specific objective.

 

If you're using Configuration Manager 2012, and need the local publishing setting, I would suggest doing that via ConfigMgr settings management, and keep the entire software updates configuration structure outside of Group Policy.

Share this post


Link to post
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

Loading...


×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.