Moving from WSUS to SCCM

[Kevin79]

I'm in the process of testing SUP with SCCM and we are currently using WSUS with group policy to configure the clients. Is there an easy way to have clients start using the SUP? I've created a group in AD that denies computers permission to my WSUS GPO but the only way I can get the clients to change over is to reboot them. For desktops PC's this isn't a huge issue but it is with servers. I can't reboot servers multiple times in order to get it to start using SCCM. How do I get them to read the GPO change without rebooting?

[Peter van der Woude]

You need to remove all old WSUS policies and enable the Software Updates Agent on the ConfigMgr Client. This will set a local policy which will point to the SUP/ WSUS.

[Kevin79]

Thanks. Another question. Say I have remote users that don't VPN very often. If there a way to have SCCM tell the clients to use Microsoft's WSUS servers when they aren't VPNed in instead of using the SUP?

[Peter van der Woude]

Nope, the SCCM client can only set the local policy to SUP/ WSUS... If you really want something like that, you should set a GPO (which isn't a best practice).

[67_dbc]

I am too going this route, somewhat. Now I can't fnd much info and be glad if someone could shed some light on how to handle external clients when they are not in the office or on VPN. How do you service clients if they are not on the Domain at time the Windows Updates are available from your Intranet SUP?

 

Secondly, we are going from XP to Windows 7 and they are going to be using Direct Access. Those on Direct Access require anything else special to be configured? My Environment is not configured for PKI Infrastructure so does that mean in order for clients to get updates do they requre an Internet SUP?

 

Silly statement.... but instances like McAfee if it can't fine the local ePO server it will go to McAfee for updates. Is there a way sccm clients to do the same for Windows updates?

 

Any suggestions would be greatly appreciated,

[Peter33]

Have a look at this: http://technet.microsoft.com/en-us/library/gg712701.aspx#Support_Internet_Clients

Probably the only way to go to accomplish your requirements.

You can only define one update source for the wsus Clients. You can't compare this. Take Endpoint Protection for a comparasion, where you can define also several update sources.

[67_dbc]

How about having a Boundary created for those VPN connections and assign that to all my DP's Groups, will that cause problems? I do have Bits in place on my clients so that to me shouldn't be a crazy idea, would it? Reason I ask is because most people by habit would get on the VPN automatically even when they are just using Internet for browsing, just the way everyone thinks.

 

I realize it will take awhile but the effort is there. If they come into the office, then it will just finish off normally.

 

Eric

[Peter33]

This will work well enough and is the way how we handle Home Office machines at the moment.

[67_dbc]

Perfect, thanks for the replies on this!