When you install the Configuration Manager client to manage a Windows device, it tries to configure local group policy to set the WSUS server settings (assuming you have no domain GPO that configures these settings). If you do have a GPO configuring the WSUS information, the local policy created by the ConfigMgr client will fail to apply, and the failure is logged in wuahandler.log and windowsupdate.log.
If you look at wuahandler.log, you will see an error like the one below: "Group policy settings were overwritten by a higher authority (domain controller) to server and policy not configured".
So before you install the SCCM client, it is always recommended to disable the GPO settings for Windows Update, to avoid a conflict with the local GPO created by the ConfigMgr client. More information about software update troubleshooting: http://eskonr.com/2015/04/sccm-2012-troubleshoot-client-software-update-issues/
If you want to know more about the relationship between ConfigMgr software update management and group policy, please read Jason Sandys' explanation: https://home.configmgrftw.com/software-update-management-and-group-policy-for-configmgr-what-else/
https://home.configmgrftw.com/software-updates-management-and-group-policy-for-configmgr-cont/
In this blog post, we are going to see how to check the 4 most commonly used Windows Update policy settings (the WSUS settings UseWUServer, WUServer, NoAutoUpdate and AcceptTrustedPublisherCerts, the last one for 3rd-party patching) and confirm they are correctly configured before clients perform a software update scan.
1.WUServer
2.UseWUServer
3.NoAutoUpdate
4.AcceptTrustedPublisherCerts
Although you can run a SQL query to get the clients that have a GPO conflict, it is always good to check these registry keys to make sure the clients are good.
The location that stores the above policy settings in the client registry is HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate (for both 32-bit and 64-bit OS).
AcceptTrustedPublisherCerts —> for trusting 3rd-party updates if you are using SCUP to publish Adobe, Flash, Java and other updates that are deployed via SCCM.
NoAutoUpdate –> disables automatic Windows Update.
The following SQL query returns the clients that have a GPO conflict:
select distinct
    sys.name0 as [Computer Name],
    os.caption0 as [OS],
    convert(nvarchar(26), ws.lasthwscan, 100) as [LastHWScan],
    convert(nvarchar(26), sys.Last_Logon_Timestamp0, 100) as [Last Loggedon time Stamp],
    sys.user_name0 as [Last User Name],
    uss.lasterrorcode,
    uss.lastscanpackagelocation
from v_r_system sys
left join v_gs_operating_system os on os.resourceid = sys.resourceid
left join v_GS_WORKSTATION_STATUS ws on ws.resourceid = sys.resourceid
left join v_updatescanstatus uss on uss.ResourceId = sys.ResourceID
inner join v_FullCollectionMembership fcm on fcm.ResourceID = sys.ResourceID
where sys.client0 is not null
--and fcm.CollectionID in ('PS100140')   -- uncomment to limit the result to one collection
and uss.LastErrorCode = -2016409966      -- 0x87D00692: GPO settings overwritten by a higher authority
order by sys.name0
Now let's focus on the configuration item / configuration baseline: create the CI and deploy it to a collection.
I have a couple of blogs on how to create a configuration item with settings, hence I am not going to show you step by step. I will go through the settings that are really important for this task.
At the end, I also attach the exported version of the configuration baseline; however, you might have to edit it after import because of the WSUS server information.
In the new setting, provide the following information.
Name: WUServer (anything you like); Setting type: Registry value; Data type: String; Hive name: HKEY_LOCAL_MACHINE; Key name: SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
Click on Browse to select the registry key.
Registry key: choose the following settings.
Click OK.
Click on Compliance Rules; you will see 2 conditions.
If you have multiple WSUS servers, click on the WUServer "one of" rule and click Edit Rule.
Paste all the WSUS server locations into the "one of" field of the setting and click OK.
How do you get the list of all WSUS server locations?
Run the following SQL query against your CM database.
select distinct LastScanPackageLocation
from v_UpdateScanStatus
where LastScanPackageLocation is not null
  and LastScanPackageLocation <> ''
We have now created one setting for WUServer; in the same way we need to create 3 more entries.
For UseWUServer, click on New and follow the options listed below.
While you are on this page, click on Browse and follow the path below to select the registry key.
Click on OK.
Under Compliance Rules, select "Report noncompliance if this setting instance is not found".
We will create the remaining 2 conditions the same way we created the one for UseWUServer. All you need to do is point the registry key at the respective value.
3. NoAutoUpdate –> SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
Under Compliance Rules, select "Report noncompliance if this setting instance is not found".
4. AcceptTrustedPublisherCerts —> SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
Under Compliance Rules, select "Report noncompliance if this setting instance is not found".
Click OK.
We have now set the 4 conditions required to check the Windows Update policy settings.
Click Next to verify all compliance rules.
Click Next to complete the Configuration Item wizard.
We can now create a configuration baseline and deploy it to a collection.
If any of the above settings is not found on the client computer, it will report as non-compliant, which helps you troubleshoot and fix software update scan issues.
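The same four checks as a PowerShell discovery script for a script-based configuration item, added here as an example rather than the post's own baseline: it returns Compliant only when all four policy values exist, WUServer matches an expected WSUS location, and WUAHandler.log has not recorded the "higher authority" conflict, going slightly beyond the post's existence rules by also requiring UseWUServer and AcceptTrustedPublisherCerts to be 1. The $AllowedWsusServers entries and the CCM log path are assumptions; fill the list from the LastScanPackageLocation query above.

```powershell
# Added example: discovery script for a ConfigMgr CI of type Script (not from the post).
# Compliance rule on the CI side: the returned string must equal 'Compliant'.
$AllowedWsusServers = @(                       # assumed values; fill from v_UpdateScanStatus
    'http://wsus01.contoso.local:8530',
    'http://wsus02.contoso.local:8530'
)
$WuKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$AuKey  = Join-Path $WuKey 'AU'                # UseWUServer and NoAutoUpdate live under AU
$WuaLog = Join-Path $env:windir 'CCM\Logs\WUAHandler.log'   # default client log path assumed

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or the value is missing ("setting instance not found")
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

$problems = @()

# 1. WUServer must exist and point at one of the known WSUS locations
$wuServer = Get-PolicyValue $WuKey 'WUServer'
if (-not $wuServer) { $problems += 'WUServer not set' }
elseif ($AllowedWsusServers -notcontains $wuServer.TrimEnd('/')) {
    $problems += "WUServer points to an unexpected server: $wuServer"
}

# 2. UseWUServer must be 1, otherwise the client ignores WUServer
$useWu = Get-PolicyValue $AuKey 'UseWUServer'
if ($useWu -ne 1) { $problems += "UseWUServer is '$useWu', expected 1" }

# 3. NoAutoUpdate only has to exist (the post's rule: report if the instance is not found)
if ($null -eq (Get-PolicyValue $AuKey 'NoAutoUpdate')) { $problems += 'NoAutoUpdate not set' }

# 4. AcceptTrustedPublisherCerts must be 1 for SCUP-published third-party updates
$trusted = Get-PolicyValue $WuKey 'AcceptTrustedPublisherCerts'
if ($trusted -ne 1) { $problems += "AcceptTrustedPublisherCerts is '$trusted', expected 1" }

# The registry may look right while a domain GPO still wins; the client log records that conflict
if (Test-Path $WuaLog) {
    $hits = @(Select-String -Path $WuaLog -SimpleMatch -Pattern 'overwritten by a higher authority')
    if ($hits.Count -gt 0) { $problems += "WUAHandler.log shows GPO conflict ($($hits.Count) lines)" }
}

if ($problems.Count -eq 0) { 'Compliant' } else { 'Non-Compliant: ' + ($problems -join '; ') }
```

Run it under the local SYSTEM context the client uses, since the Policies hive and the CCM log folder are not readable for every user.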
Download the CB (configuration baseline for Windows Update policy settings) here.
To import, go to Compliance Settings – Configuration Baselines, right click and import the cab file.
After you import the cab file, don't forget to edit the configuration item and modify your WSUS server settings.
Hope this guide helps!