Channel: Configuration Manager 2012 - Security, Updates and Compliance forum

SCCM Client modifying local policy object on machines


Hi All,

We have SCCM 2012 R2 SP1 in our environment.
In our SCCM architecture we have a Primary Site Server, a WSUS Server configured as the SUP, an SQL server running SQL instances for the System Center Suite and a number of DPs at our remote sites.

Recently while looking at an issue with endpoint definition updates, I changed the Software Update Point configuration from 'Sync from MS Update' to point to The WSUS/SUP server (under the incorrect assumption that Updates came from the internet to WSUS then WSUS fed them into SCCM, rather than SCCM simply using the catalogue from WSUS to create the software packages).
This completely broke all updating, made the WSUS server point to itself as its update source rather than MS Update (and repeatedly reset this setting if manually changed back to point to MS) and also changed the 'Specify Intranet Microsoft update service location' local policy (at Computer Configuration/Administrative Templates/Windows Components/Windows Updates) on all machines to point to the WSUS/SUP server.

I was able to resolve the server side issue by rebooting the WSUS/SUP server and the Primary Site server, however I have not been able to get the local policy item to stick on any machines. I have tried manually changing the Local Policy as well as deleting the WUServer and WUStatusServer registry keys at HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate. If I observe the wuahandler.log on a client, I can see the update source being changed to point back to our WSUS server in both the WindowsUpdate.log and the WUAHandler.log after manually setting it on a machine:

WUAHandler.log:
Its a WSUS Update Source type ({5E1AE15C-7CA9-4D36-896E-08EBD3E1D401}), adding it. WUAHandler 12/04/2016 3:48:13 PM 9056 (0x2360)
Unable to read existing resultant WUA policy. Error = 0x80070002. WUAHandler 12/04/2016 3:48:13 PM 9056 (0x2360)
Enabling WUA Managed server policy to use server: http:// SUPServer:80 WUAHandler 12/04/2016 3:48:13 PM 9056 (0x2360)
Waiting for 2 mins for Group Policy to notify of WUA policy change... WUAHandler 12/04/2016 3:48:13 PM 9056 (0x2360)
Waiting for 30 secs for policy to take effect on WU Agent. WUAHandler 12/04/2016 3:48:22 PM 9056 (0x2360)
Added Update Source ({5E1AE15C-7CA9-4D36-896E-08EBD3E1D401}) of content type: 2 WUAHandler 12/04/2016 3:48:52 PM 9056 (0x2360)

WindowsUpdate.log:
2016-04-12 15:37:35:769 1044 c6c Agent ***********  Agent: Refreshing global settings cache  ***********
2016-04-12 15:37:35:769 1044 c6c Agent   * WSUS server: <NULL> (Changed)
2016-04-12 15:37:35:769 1044 c6c Agent   * WSUS status server: <NULL> (Changed)
2016-04-12 15:37:35:769 1044 c6c Agent   * Target group: (Unassigned Computers) (Unchanged)
2016-04-12 15:37:35:769 1044 c6c Agent   * Windows Update access disabled: Yes (Unchanged)
2016-04-12 15:37:35:769 1044 c6c AU AU received policy change subscription event
2016-04-12 15:37:35:769 1044 c6c AU Sus server changed through policy.
2016-04-12 15:37:35:769 1044 c6c AU AU Refresh required....
2016-04-12 15:37:35:769 1044 c6c AU AU setting next featured software notification timeout to 2016-04-12 05:37:35
2016-04-12 15:37:35:769 1044 c6c AU Successfully wrote event for AU health state:0
2016-04-12 15:37:35:769 1044 c6c AU Can not perform non-interactive scan if AU is interactive-only
2016-04-12 15:48:22:547 1044 c6c Agent ***********  Agent: Refreshing global settings cache  ***********
2016-04-12 15:48:22:547 1044 c6c Agent   * WSUS server: http:// SUPserver:80 (Changed)
2016-04-12 15:48:22:547 1044 c6c Agent   * WSUS status server: http:// SUPserver:80 (Changed)
2016-04-12 15:48:22:547 1044 c6c Agent   * Target group: (Unassigned Computers) (Unchanged)
2016-04-12 15:48:22:547 1044 c6c Agent   * Windows Update access disabled: Yes (Unchanged)
2016-04-12 15:48:22:547 1044 c6c AU AU received policy change subscription event
2016-04-12 15:48:22:547 1044 c6c AU Sus server changed through policy.
2016-04-12 15:48:22:547 1044 c6c AU AU Refresh required....
2016-04-12 15:48:22:875 1044 c6c AU AU setting next featured software notification timeout to 2016-04-12 05:48:22

My understanding is that due to the machine being configured to look to WSUS/SUP for updates, the machines are unable to install updates as software packages. I have created an automatic approval rule through the WSUS console to ensure that our machines continue to get SCEP Definitions (funnily enough, I've noted that compliance for SCEP definitions has risen from ~65% to ~93% since telling WSUS to manage definition updates).

My gut feeling is that it's the SCCM Client modifying these settings, however my SUP Component settings point to MS Update as the synchronization point.

I have run a gpupdate on several machines then interrogated RSOP to determine if this is pushed out via group policy, but have been unable to find any such setting in our GPOs.

I know I can override this using Group Policy, but while the local policy is being changed every 60-odd minutes, I'd like to try and fix that problem before I go masking something with Group Policy. Any ideas on how I can fix this and restore software update functionality to SCCM?
Regards,

Daniel.
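The following is an added diagnostic script, not part of Daniel's post and not Microsoft or Configuration Manager code. It does on one client what the post describes doing by hand: it reads the effective WSUS policy values (WUServer, WUStatusServer, UseWUServer) from the registry path named above and then pulls the "Enabling WUA Managed server policy to use server:" entries out of WUAHandler.log, so an administrator can line up each rewrite of the policy with the time the SCCM client wrote it and rule a GPO in or out. The registry value names, the AU subkey and the default log location `C:\Windows\CCM\Logs\WUAHandler.log` are the standard locations and are assumptions here rather than values taken from the post; the parameter names are hypothetical.

```powershell
# Added diagnostic example (not from the forum post or from Microsoft/SCCM).
# Assumptions: the standard Windows Update policy registry locations below,
# the default SCCM client log folder, and a WSUS URL that contains no whitespace.
param(
    [string]$ExpectedServer = '',   # hypothetical; e.g. 'http://SUPserver:80'. Empty = report only.
    [string]$LogPath = 'C:\Windows\CCM\Logs\WUAHandler.log'
)

$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$auKey     = Join-Path $policyKey 'AU'

# --- 1. Effective WSUS policy values as the Windows Update Agent sees them ---
$report = [ordered]@{
    WUServer       = $null   # 'Specify intranet Microsoft update service location'
    WUStatusServer = $null
    UseWUServer    = $null   # 1 = agent is told to use the intranet server
}
if (Test-Path $policyKey) {
    $p = Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue
    $report.WUServer       = $p.WUServer
    $report.WUStatusServer = $p.WUStatusServer
}
if (Test-Path $auKey) {
    $report.UseWUServer = (Get-ItemProperty -Path $auKey -ErrorAction SilentlyContinue).UseWUServer
}
[pscustomobject]$report | Format-List

if ($ExpectedServer -and $report.WUServer -ne $ExpectedServer) {
    Write-Warning "WUServer is '$($report.WUServer)', expected '$ExpectedServer'."
}

# --- 2. Which component wrote it, and when ---------------------------------
# On disk each CCM log entry is wrapped as
#   <![LOG[message]LOG]!><time="HH:MM:SS.fff+zzz" date="MM-DD-YYYY" component="WUAHandler" ...>
# CMTrace renders it the way the post shows; the pattern below matches either form.
if (-not (Test-Path $LogPath)) {
    Write-Warning "Log not found at $LogPath"
    return
}
$pattern = 'Enabling WUA Managed server policy to use server:\s*(?<server>[^\]\s]+)'
Get-Content -Path $LogPath |
    Select-String -Pattern $pattern |
    ForEach-Object {
        $server = $_.Matches[0].Groups['server'].Value
        # Raw log lines carry time/date attributes; fall back to the line number otherwise.
        $when = if ($_.Line -match 'time="(?<t>[^"]+)"\s+date="(?<d>[^"]+)"') {
            "$($Matches.d) $($Matches.t)"
        } else {
            "(line $($_.LineNumber))"
        }
        [pscustomobject]@{ When = $when; ServerSetByClient = $server; Line = $_.LineNumber }
    } |
    Select-Object -Last 10 |
    Format-Table -AutoSize
```

Run it elevated on one of the affected clients. If the WUServer value keeps returning to the SUP and every rewrite lines up with a WUAHandler entry while RSOP shows no matching GPO, the writer is the Configuration Manager client's software updates agent rather than Group Policy, which is the distinction the post is trying to make; recurring entries roughly an hour apart match the 60-odd-minute cycle described above.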
