Update clients with Microsoft Endpoint Configuration Manager

Stijn 26 Reputation points
2020-12-23T16:36:14.013+00:00

Hi,

In our environment we used WSUS to update our clients. So we have a GPO that points the clients to the WSUS server to search for updates and download them.
As we have over 500 devices, we see that WSUS doesn't really work well anymore, so we are searching for another solution.
We have Microsoft Endpoint Configuration Manager 2006 (formerly called SCCM), so we thought to use the Software Update Point to update our clients.
We configured the Software Update Point, but we don't know or can't find what GPO settings we need to configure for the clients.
We don't want the clients to check Windows Update, only the Software Update Point. Our clients are Windows 10 Pro / Enterprise 1803 and higher.
The updates we provide through the Software Update Point are Windows 10 patches, Office 365 client patches, Office 2019 patches and Microsoft ATP definition updates.

What do I need to configure to make this all work fine?

Microsoft Configuration Manager

Accepted answer
  1. Sherry Kissinger 5,351 Reputation points
    2020-12-23T21:47:52.207+00:00

    One of the easiest solutions is to not configure the GPO at all.

    The CM client will configure the settings needed via local policy (it will edit the regkeys to what it wants them to be). If you watch WUAHandler.log on a client, you'll see it do that, and then pause to see if a GPO will overwrite its locally set policies. If not, CM will scan using your SUP.

    If you currently have a GPO setting the WSUS policies, try setting those policies to "NotConfigured"--so that CM can set what it needs to set without having to coordinate getting the GPO just perfectly right.


3 additional answers

  1. SunnyNiu-MSFT 1,696 Reputation points
    2020-12-24T08:08:51.83+00:00

    @Stijn
    Like Sherry said, if you are using Software Updates in ConfigMgr, then this setting should be left unconfigured in your domain group policy. The ConfigMgr client agent will use a local group policy to set this value to the appropriate WSUS instance for the chosen SUP in your site/hierarchy.
    The "Do not allow update deferral policies to cause scans against Windows Update" setting in the Local Group Policy Editor can prevent customers from checking Windows Update and only checking software update points for updates. The group policy is configured by SCCM when you set up the SUP; we don’t need to enable it manually. Like the screenshot below:
    51017-14.png


    If the response is helpful, please click "Accept Answer" and upvote it.
    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
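
A way to verify on a client what the two answers above describe, as an added example that is not part of the original thread: it reads the Windows Update policy registry values the ConfigMgr client is said to set and shows recent Group Policy related lines from WUAHandler.log. `$ExpectedSup` is a hypothetical SUP URL, and the log path is the default client install location, assumed here.

```powershell
# Added example. $ExpectedSup is a hypothetical value; replace it with your SUP/WSUS URL.
param(
    [string]$ExpectedSup = 'http://sup01.example.local:8530',
    [string]$LogPath     = "$env:windir\CCM\Logs\WUAHandler.log"   # assumed default path
)

$wuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$auKey = Join-Path $wuKey 'AU'

function Get-PolicyValue([string]$Key, [string]$Name) {
    # Returns $null when the key or value is absent (policy not configured).
    (Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue).$Name
}

$state = [ordered]@{
    WUServer        = Get-PolicyValue $wuKey 'WUServer'         # scan source
    WUStatusServer  = Get-PolicyValue $wuKey 'WUStatusServer'   # reporting target
    UseWUServer     = Get-PolicyValue $auKey 'UseWUServer'      # 1 = use WUServer
    DisableDualScan = Get-PolicyValue $wuKey 'DisableDualScan'  # 1 = no deferral-driven scans against Windows Update
}

$findings = @()
if (-not $state.WUServer) {
    $findings += 'WUServer is not set: the client has no managed update source yet.'
} elseif ($state.WUServer.TrimEnd('/') -ne $ExpectedSup.TrimEnd('/')) {
    $findings += "WUServer is '$($state.WUServer)', expected '$ExpectedSup': a domain GPO may still be overriding the CM client."
}
if ($state.UseWUServer -ne 1) {
    $findings += 'UseWUServer is not 1: the WUServer value is not being used.'
}
if ($state.DisableDualScan -ne 1) {
    $findings += 'DisableDualScan is not 1: deferral policies can still cause scans against Windows Update.'
}

[pscustomobject]$state | Format-List
if ($findings.Count -eq 0) {
    'OK: update policy values match the expected Software Update Point.'
} else {
    $findings
}

# Show what the CM client last logged about Group Policy and its own policy writes.
if (Test-Path $LogPath) {
    Select-String -Path $LogPath -Pattern 'group policy' -SimpleMatch |
        Select-Object -Last 5 | ForEach-Object { $_.Line }
} else {
    "Log not found at $LogPath (is the ConfigMgr client installed?)."
}
```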


  2. Stijn 26 Reputation points
    2020-12-28T15:06:57.683+00:00

    Thanks for the helpful answers.
    Do I need to add an option in the SCCM Client Device Settings?


  3. SunnyNiu-MSFT 1,696 Reputation points
    2020-12-29T09:16:39.15+00:00

    @Stijn
    We need to enable "Enable software updates on clients" under Client Settings > Software Updates > Device Settings. Like the screenshot below:
    51965-15.png


