Wallacetech Posted April 18, 2013 Report post Posted April 18, 2013 Guys. Sorry for the dim post here. I am completely confused by the whole SCCM \ WSUS setup in 2012. Traditionally I have been used to a WSUS server in each of our remote locations which is a replica of the main WSUS server in our UK HQ. Now i have had a read of forum posts that say you dont or should not configure windows clients via GPO that points to SCCM as a WSUS server. However I have also had a read of posts that say do configure the GPO settings. Can anyone clear this up for me Thanks in advance Quote Share this post Link to post Share on other sites More sharing options...
LawrenceGarvin Posted April 19, 2013 Report post Posted April 19, 2013 This is correct. There is no need to configure Configuration Manager clients using Group Policy, because the ConfigMgr Agent will configure the Software Updates options via Local Policy. However, there are a couple of exceptions to this. If you will be using Local Publishing (SCUP, Secunia, SolarWinds), then there is a policy setting that needs to be enabled, Allow signed updates from an intranet Microsoft update service location. This setting can be enabled via Group Policy, Local Policy, or Configuration Manager 2012 settings. There is also a second option that some ConfigMgr experts recommend setting, and that is the setting Configure Automatic Updates to DISABLED. However, there are a couple of considerations with this: 1. Setting this option to disabled prevents the WUAgent from selfupdating. Historically, a functional Windows Update Agent was available as a standalone installer, and ConfigMgr environments could build packages to deploy the WUAgent outside the scope of selfupdate. However, the latest version of the Windows Update Agent is only available via selfupdate, so this option can no longer be functionally disabled, unless it is known that all WUAgents are at the current version. 2. The reason for setting this to disabled, arguably, is to prevent the client from scanning Automatic Updates. However, there are other policy settings that are expressly designed to prevent a client from scanning Automatic Updates and those settings should be used for achieving that specific objective. If you're using Configuration Manager 2012, and need the local publishing setting, I would suggest doing that via ConfigMgr settings management, and keep the entire software updates configuration structure outside of Group Policy. Quote Share this post Link to post Share on other sites More sharing options...