Remember, ConfigMgr (both 2007 and 2012) set local policy. GPO always wins. It always, always wins over local policy.
From: Miller, Todd
Sent: Wednesday, April 2, 2014 1:17 PM
To: [email protected]

I will use client settings applied to collections in 2012, however, I am pretty certain multiple client settings is not a feature of SCCM 2007, which is what I am using at the moment.

The GPO suggestion led me to the solution I think. There is a GPO item called “Specify Intranet Microsoft update service location” which I’m pretty sure SCCM manipulates to point to the SUP. If I set a GPO for this item as “disabled”, it appears to make the client use the Microsoft servers for updates and ignore SCCM settings. Anyway, on testing when I set this value in the GPO and then forced an update, the client immediately started downloading updates from Windows Updates (and not WSUS.)

What I am less certain about is whether I have created a dueling policies situation where SCCM policies apply every couple of hours and set the value back to the SUP and then GPO applies and removes that, or if SCCM will see that the value is set in the GPO and will not attempt to override the domain provided policy. I’ve rebooted the test system and also forced Machine Policy updates to the SCCM agent and the value seems to be locked to what’s in the GPO.

The registry value manipulated by the GPO is HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU\UseWUServer which is set to 0 to force connection to Windows Update. It is set to 1 when using an internal WSUS\SUP.

From: [email protected] [mailto:[email protected]] On Behalf Of Rich Coulter
Sent: Wednesday, April 02, 2014 12:52 PM
To: <[email protected]>
Subject: Re: [mssms] Exclude a group of machines from having updates managed by SCCM

Why not just create an AD security group and collection that queries the AD group. Add your Win7x86 clients to the AD group. Use the Exclude Collection rules and add it to your Prod security updates collection?
Rich

Sent from my iPhone

On Apr 2, 2014, at 11:37 AM, "Miller, Todd" <[email protected]> wrote:

I have an OU of machines that have the SCCM agent, however for these machines I want them to apply updates from Microsoft Windows Updates rather than having their updates managed by SCCM. Is there a way to have a small number of clients ignore any Windows Updates settings and just go out to Microsoft for their updates as if they had never heard of SCCM and WSUS?

My scenario is this. We have allowed 10 or so Windows 7 x86 machines onto the domain for various reasons, while the other 20,000 systems are all Win7 64bit. Rather than check in 32 bit updates every month and all the overhead that entails for a fraction of a percent of machines, I would just like to force those 10 machines to go out to Microsoft for patches. I still want the SCCM agent to collect HW/SW inventory for those machines though.

I have a GPO set to force the machines to apply updates once a week, but their definition of what updates to apply seems to be coming from the MP/WSUS server still. They don’t find any updates because I have never checked in/approved any 32 bit patches.

Can I “opt-out” a set of machines from the SCCM patching system and allow them to go back out to MS Windows Update while keeping the SCCM agent installed? Can a GPO override the settings from SCCM? It seems like it’s an all or nothing thing.

Currently on SCCM 2007, but am interested if 2012 changes the answer as that is only a month or two away.

Notice: This UI Health Care e-mail (including attachments) is covered by the Electronic Communications Privacy Act, 18 U.S.C. 2510-2521, is confidential and may be legally privileged. If you are not the intended recipient, you are hereby notified that any retention, dissemination, distribution, or copying of this communication is strictly prohibited. Please reply to the sender that you have received the message in error, then delete it. Thank you.
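The "dueling policies" question raised in this thread can be settled by sampling the policy value across a few policy cycles on one of the excluded machines. The PowerShell below is an added example, not part of the original messages: the function names, the polling interval and the four-hour window are assumptions, and only the registry path and the UseWUServer value come from the thread.

```powershell
# Added example (not from the thread): log every change to UseWUServer so a
# GPO-versus-ConfigMgr tug of war shows up as repeated transitions.
# The registry path and value name are the ones quoted in the thread.
$AuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'

function Get-UseWUServer {
    # Returns 0 or 1, or $null when the key or the value does not exist.
    $item = Get-ItemProperty -Path $AuKey -Name 'UseWUServer' -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.UseWUServer
}

function Format-Setting($Value) {
    if ($null -eq $Value) { return '(not set)' }
    return [string]$Value
}

function Watch-UseWUServer {
    param(
        [int]$IntervalSeconds = 60,    # assumed polling interval
        [int]$DurationMinutes = 240    # assumed window covering several policy cycles
    )
    $deadline = (Get-Date).AddMinutes($DurationMinutes)
    $last = Get-UseWUServer
    Write-Host ("{0:u}  start   UseWUServer = {1}" -f (Get-Date), (Format-Setting $last))
    $changes = @()
    while ((Get-Date) -lt $deadline) {
        Start-Sleep -Seconds $IntervalSeconds
        $now = Get-UseWUServer
        if ($now -ne $last) {
            # Record the transition with a timestamp to line up against GPO refresh
            # and Machine Policy evaluation times.
            $changes += [pscustomobject]@{
                Time = Get-Date
                From = Format-Setting $last
                To   = Format-Setting $now
            }
            Write-Host ("{0:u}  change  {1} -> {2}" -f (Get-Date), (Format-Setting $last), (Format-Setting $now))
            $last = $now
        }
    }
    return $changes
}

# @() keeps the result an array even when zero or one change was seen.
$result = @(Watch-UseWUServer)
if ($result.Count -eq 0) { Write-Host 'Value was stable for the whole window.' }
else { $result | Format-Table -AutoSize }
```

Polling can miss a flip that is written and reverted between two samples, so shorten `-IntervalSeconds` if the window shows no changes but update behaviour is still inconsistent.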

