SCCM uses the WSUS client for patch install and validation. You cannot have both Microsoft Update and SCCM patching enabled. SCCM shuts off attempting to use the Windows Update agent on the system if there is a policy in place, either from a local policy or from an Active Directory policy. You will see this in the client's SCCM WUAHandler.log log file.

When you switch from Microsoft Update to SCCM (WSUS), the Windows Update catalog database has to be rebuilt, because they are from different update sources and it can corrupt it. I have seen the database corrupt where users manually force a Windows Update scan from Microsoft when the SCCM client is managing it. You really need to choose one method and stay with that method, or you're going to find yourself chasing down those systems to rebuild the Windows Update database all the time.

One last statement on all of that:
* If you decide to go with Windows Update directly from Microsoft, you will no longer have any valid patching statistics in SCCM for those systems.
* You have absolutely no control over what patches are sent to those systems and applied.

Rick J. Jones
Wireless from AT&T
Domestic Desktop Application Management
D: (425) 288-6240
C: (206) 419-1104

From: [email protected] On Behalf Of Miller, Todd
Sent: Wednesday, April 02, 2014 11:18 AM
To: [email protected]
Subject: RE: [mssms] Exclude a group of machines from having updates managed by SCCM

I will use client settings applied to collections in 2012; however, I am pretty certain multiple client settings is not a feature of SCCM 2007, which is what I am using at the moment. The GPO suggestion led me to the solution, I think. There is a GPO item called "Specify intranet Microsoft update service location" which I'm pretty sure SCCM manipulates to point to the SUP. If I set a GPO for this item as "Disabled", it appears to make the client use the Microsoft servers for updates and ignore SCCM settings. Anyway, in testing, when I set this value in the GPO and then forced an update, the client immediately started downloading updates from Windows Update (and not WSUS).

What I am less certain about is whether I have created a dueling-policies situation, where SCCM policies apply every couple of hours and set the value back to the SUP and then the GPO applies and removes that, or if SCCM will see that the value is set in the GPO and will not attempt to override the domain-provided policy. I've rebooted the test system and also forced machine policy updates to the SCCM agent, and the value seems to be locked to what's in the GPO. The registry value manipulated by the GPO is HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU\UseWUServer, which is set to 0 to force connection to Windows Update. It is set to 1 when using an internal WSUS/SUP.

From: [email protected] On Behalf Of Rich Coulter
Sent: Wednesday, April 02, 2014 12:52 PM
To: [email protected]
Subject: Re: [mssms] Exclude a group of machines from having updates managed by SCCM

Why not just create an AD security group and a collection that queries the AD group? Add your Win7 x86 clients to the AD group. Use the Exclude Collection rules and add it to your Prod security updates collection?

Rich
Sent from my iPhone

On Apr 2, 2014, at 11:37 AM, "Miller, Todd" <[email protected]> wrote:

I have an OU of machines that have the SCCM agent; however, for these machines I want them to apply updates from Microsoft Windows Update rather than having their updates managed by SCCM. Is there a way to have a small number of clients ignore any Windows Update settings and just go out to Microsoft for their updates, as if they had never heard of SCCM and WSUS?

My scenario is this. We have allowed 10 or so Windows 7 x86 machines onto the domain for various reasons, while the other 20,000 systems are all Win7 64-bit. Rather than check in 32-bit updates every month, and all the overhead that entails, for a fraction of a percent of machines, I would just like to force those 10 machines to go out to Microsoft for patches. I still want the SCCM agent to collect HW/SW inventory for those machines, though. I have a GPO set to force the machines to apply updates once a week, but their definition of what updates to apply seems to be coming from the MP/WSUS server still. They don't find any updates because I have never checked in/approved any 32-bit patches.

Can I "opt out" a set of machines from the SCCM patching system and allow them to go back out to MS Windows Update while keeping the SCCM agent installed? Can a GPO override the settings from SCCM? It seems like it's an all-or-nothing thing. Currently on SCCM 2007, but am interested if 2012 changes the answer, as that is only a month or two away.

________________________________
Notice: This UI Health Care e-mail (including attachments) is covered by the Electronic Communications Privacy Act, 18 U.S.C. 2510-2521, is confidential and may be legally privileged. If you are not the intended recipient, you are hereby notified that any retention, dissemination, distribution, or copying of this communication is strictly prohibited. Please reply to the sender that you have received the message in error, then delete it. Thank you.
________________________________
CONFIDENTIALITY NOTICE: This electronic mail transmission (including any accompanying attachments) is intended solely for its authorized recipient(s), and may contain confidential and/or legally privileged information. If you are not an intended recipient, or responsible for delivering some or all of this transmission to an intended recipient, be aware that any review, copying, printing, distribution, use or disclosure of the contents of this message is strictly prohibited. If you have received this electronic mail message in error, please delete it from your system without copying it, and contact the sender immediately by reply e-mail, or by calling 913-307-2300, so that our address records can be corrected. Although this e-mail and any attachments are believed to be free of any virus or other defect that might negatively affect any computer system into which it is received and opened, it is the responsibility of the recipient to ensure that it is virus free and no responsibility is accepted by the sender for any loss or damage arising in any way in the event that such a virus or defect exists.
________________________________
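Added example, not code posted by any participant in the thread: a PowerShell script to verify on a client which of the two update sources the Windows Update agent is actually configured for, using the UseWUServer and WUServer policy values Todd names; to re-sample that value after triggering a ConfigMgr machine policy refresh, which is the check for the "dueling policies" case he is unsure about; to pull the recent policy-related lines from the WUAHandler.log Rick points to; and to do the Windows Update datastore rebuild Rick describes for machines that have switched sources. It assumes PowerShell 3.0 or later running elevated on a machine with the ConfigMgr client installed. The TriggerSchedule ID, the log path and the log search pattern are my assumptions and are not taken from the thread; confirm them against your own client before relying on them.

```powershell
# Added example for this thread; not code posted by any participant.
# Assumes PowerShell 3.0+ (WMF 3 on Windows 7), run elevated, ConfigMgr client installed.
# Registry key and value names are the ones named in the thread.

$AuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
$WuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'

function Get-WuaSource {
    # Reads UseWUServer (AU key) and WUServer (parent key) and reports the source
    # the Windows Update agent will use: 1 + a server URL = intranet WSUS/SUP,
    # 0 = policy set to Disabled (Microsoft Update), absent = no policy at all.
    $au = Get-ItemProperty -Path $AuKey -ErrorAction SilentlyContinue
    $wu = Get-ItemProperty -Path $WuKey -ErrorAction SilentlyContinue

    $useWuServer = $null
    if ($au -and $au.PSObject.Properties['UseWUServer']) { $useWuServer = [int]$au.UseWUServer }
    $server = $null
    if ($wu -and $wu.PSObject.Properties['WUServer']) { $server = [string]$wu.WUServer }

    if ($useWuServer -eq 1 -and $server)   { $source = "Intranet WSUS/SUP ($server)" }
    elseif ($useWuServer -eq 1)            { $source = 'Misconfigured: UseWUServer=1 but no WUServer' }
    elseif ($useWuServer -eq 0)            { $source = 'Microsoft Update (policy Disabled)' }
    else                                   { $source = 'Microsoft Update (no policy present)' }

    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        UseWUServer  = $useWuServer
        WUServer     = $server
        Source       = $source
        SampledAt    = Get-Date
    }
}

function Watch-WuaSource {
    # Detects the dueling-policies case: trigger a ConfigMgr machine policy refresh,
    # wait, sample the policy again, and warn if the source changed between samples.
    param([int]$Cycles = 3, [int]$DelaySeconds = 60)
    $samples = @()
    for ($i = 0; $i -lt $Cycles; $i++) {
        # Assumption: schedule ID ...021 is the Machine Policy Retrieval & Evaluation Cycle.
        Invoke-WmiMethod -Namespace 'root\ccm' -Class SMS_Client -Name TriggerSchedule `
            -ArgumentList '{00000000-0000-0000-0000-000000000021}' -ErrorAction SilentlyContinue | Out-Null
        Start-Sleep -Seconds $DelaySeconds
        $samples += Get-WuaSource
    }
    $distinct = @($samples | Select-Object -ExpandProperty Source -Unique)
    if ($distinct.Count -gt 1) {
        Write-Warning ("Update source changed between samples: " + ($distinct -join ' -> '))
    }
    $samples
}

function Get-WuaHandlerPolicyLines {
    # Rick says the agent/policy hand-off is visible in the client's WUAHandler.log.
    # Assumption: the log is under the client's CCM\Logs folder and the relevant lines
    # mention the server or group policy; adjust the pattern to the text in your log.
    param(
        [string]$LogPath = (Join-Path $env:SystemRoot 'CCM\Logs\WUAHandler.log'),
        [string]$Pattern = 'higher authority|WUServer|Group policy',
        [int]$Last = 10
    )
    if (-not (Test-Path $LogPath)) { Write-Warning "No log found at $LogPath"; return @() }
    Select-String -Path $LogPath -Pattern $Pattern | Select-Object -Last $Last | ForEach-Object { $_.Line }
}

function Reset-WuaDatastore {
    # The rebuild Rick describes after switching sources: stop the update services,
    # set the SoftwareDistribution folder aside so the agent recreates its datastore,
    # restart the services, then ask the agent to run a detection.
    Stop-Service -Name wuauserv, bits -Force
    $sd = Join-Path $env:SystemRoot 'SoftwareDistribution'
    if (Test-Path $sd) {
        Rename-Item -Path $sd -NewName ('SoftwareDistribution.' + (Get-Date -Format 'yyyyMMddHHmmss'))
    }
    Start-Service -Name bits, wuauserv
    (New-Object -ComObject 'Microsoft.Update.AutoUpdate').DetectNow()
}

# Usage:
#   Get-WuaSource                 # on the opted-out x86 machines expect UseWUServer=0
#   Watch-WuaSource -Cycles 3     # every sample should report the same Source
#   Get-WuaHandlerPolicyLines     # recent policy-related lines from WUAHandler.log
#   Reset-WuaDatastore            # only on a machine that has just changed sources
```

Run Get-WuaSource on one of the ten x86 machines and on one of the SUP-managed machines and compare the two objects; the GPO-disabled machine should show UseWUServer 0 with no WUServer, the managed one UseWUServer 1 with the SUP URL. Watch-WuaSource is the cheap way to settle Todd's open question on a test box before rolling the GPO to the OU: if any sample reports a different Source than the others, the two policies are fighting and the machine will end up in the corrupted-datastore situation Rick warns about.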

