SUP Client Install w/o future Windows Automatic Update Agent Reboot Window

[surfincow]

Hello,

 

I'm having an issue trying to figure out the correct combination of GPO settings in regards to the Windows Update Agent and Configuration Manager.

 

In our environment, we use the Software Update Based Client Installation Method. There is a GPO configured that points the computers to the WSUS server that holds the client. If the client is not installed, WUA detects it as being required and installs it. It works great.

 

The problem I am running into is that because WUA is enabled on the computer (to receive the initial client installation) when I deploy monthly MS patches, the end user not only gets the reboot window from ConfigMgr, but also from WUA.

 

I'm seeing conflicting information regarding if WUA should be enabled or not if you are using ConfigMgr for updates. However; since WUA needs to be turned on for this particular client installation method, turning it off isn't much of an option. (and I can't imagine it is part of the design that users are expected to see two different reboot windows after patches are installed).

 

Basically I need to know what the minimum required GPO settings are so that:

1. The client is installed via WSUS if not currently installed (happens ASAP without any user notification)
2. Once the client is installed, the only reboot/update notification the end user receives is from the ConfigMgr client
3. In addition, allowing signed updates from an intranet MS Update service point needs to be enabled (I know how to do that but mentioning it in case it affects any of the other requirements).

 

WSUS is on the same server as ConfigMgr.

 

So is this possible? I can't imagine that it is not, just not sure how to set it up.

 

 

Thanks

[Peter van der Woude]

I think these blog posts by Jason should help you out (even though it's written for CM2007, it's still the same for CM2012 except for the FEP part):

• http://blog.configmgrftw.com/software-update-management-and-group-policy-for-configmgr-what-else/
• http://blog.configmgrftw.com/software-updates-management-and-group-policy-for-configmgr-cont/

[surfincow]

Hello,

 

I actually saw these yesterday and they are part of the confusion.

 

In the 2nd blog, it talks about disabling automatic updates. If this is disabled, then SUP based client install won't work. Since one of the installation methods provided is a SUP based install, this needs to be enabled.

 

So is it by design then that using the SUP based install methods the end user will see the reboot window presented by the WUA agent and also by ConfigMgr? That seems odd.

 

 

Thoughts?

[giftedwon]

The easist thing to do is edit your existing GPO and disable all options under windows updates. Just leave ' specify intranet location' and that will be

yoursupserver:8530. As the GPO updates on your workstations, the Windows update Option will go away. Updates will then be presented VIA Software Center. Then in the SCCM Console Query workstations that Don't have the client installed, and install them!

[surfincow]

Hello,

 

Thank you for your reply but it does not address the client installation method we've chosen to use. If there is not the option to install the client via WSUS, then the client won't get installed. Our environment is such that the push install from the console will not work. I've found the GPO install of the client to be flakey as well. The only method that works well is the SUP Client Install.

 

So again if we are using this method to install the client, that means that the workstation will always display both the configmgr reboot window, and the WUA reboot window?