Share via

WSUS - SUP - FOCAL

Duchemin, Dominique 2,006 Reputation points
2022-07-21T21:03:51.86+00:00

Hello,

I will have to move some servers from WSUS to FOCAL.
223248-2022-07-21-13-49-26-wsus-sup-focal.png

When I tried two weeks ago by removing the GPO (doing the WSUS Settings) servers were going to:

  • SCCM - 3 of them
  • FOCAL - 2 of them
  • WSUS - remaining 12!!

So I reapply the WSUS GPO and it took over 7 days to get the 17 servers back to WSUS Settings !!!

  • Will the reverse (from the current WSUS to FOCAL) take the same time?
  • Why SCCM interfere ?

Thanks,
Dom

Microsoft Configuration Manager
0 comments

5 answers

Sort by: Most helpful
Most helpful Newest Oldest
  1. Adam J. Marshall 9,041 Reputation points MVP
    2022-07-21T21:20:11.96+00:00
    1 person found this answer helpful.
  2. Adam J. Marshall 9,041 Reputation points MVP
    2022-07-26T22:04:49.897+00:00

    Scope of the GPO probably has Authenticated Users in it.

    1 person found this answer helpful.
    0 comments
  3. Duchemin, Dominique 2,006 Reputation points
    2022-07-21T21:37:30.617+00:00

    Thanks for this first step.
    I cleared the registries... but after the gpupdate it comes back to its original settings not the one expected.

    SUP should be disabled by the MEMCM Custom Client settings before the removal of the key by your script.

    1. Disable SUP in Custom Client Setting
    2. Remove WSUS:
      Remove-Item 'HKLM:\Software\Policies\Microsoft\Windows\WindowsUpdate' -Force -Recurse
      gpupdate /force
      Restart-Service -name "Windows Update"
    3. Push FOCAL POINT

    I noticed that the step 2 is done within 30 minutes for some machines and not yet done for others after hours !!!! it ran but nothing happened for hours !!!!

    I know that latency exist also when we are deploying GPO the registry got updated only after 7 days!!! is it the same latency I am waiting on...?

    I started by removing 4 machines from the Active Directory Group which is propagating the GPO for the WSUS Settings...
    I did it on
    RMOB01 7/21/2022 10:46:00 PM (UTC)
    RWEB01 7/21/2022 11:36:00 PM (UTC)
    SMOB01 7/21/2022 11:38:16 PM (UTC)
    SWEB01 7/21/2022 11:36:25 PM (UTC)

    By 7/22/2022 01:00 AM (UTC) I tried to remove using "Remove-Item 'HKLM:\Software\Policies\Microsoft\Windows\WindowsUpdate' -Force -Recurse" but the policy was reapplied within minutes !!! when could I be sure it is complete and I could start removing the registries....

    we are 7/22/2022 5:15 PM and still getting the GPO setting when running GPUPDATE /Force after 24 hours the policy was removed...

    Thanks,
    Dom

    0 comments
  4. Duchemin, Dominique 2,006 Reputation points
    2022-07-25T20:47:03.89+00:00

    Hello,

    There is a Security Filtering Group:
    224565-2022-07-25-13-26-57-gpo-filtering.png

    The Target group name for this computer is set:
    224500-2022-07-25-13-28-46-gpo-settings.png

    If I do:
    Remove-Item 'HKLM:\Software\Policies\Microsoft\Windows\WindowsUpdate' -Force -Recurse
    gpupdate /force
    Restart-Service -name "Windows Update"
    A machine not in the Target group: AXPCRRHMOB01

    224518-2022-07-25-13-24-55-gpo-group.png

    Why does the machine is still receiving the settings from the GPO!!!
    224558-2022-07-25-13-39-14-axpcrrhmob01-excluded.png

    Why?

    Thanks,
    Dom

    0 comments
  5. Duchemin, Dominique 2,006 Reputation points
    2022-08-04T14:11:40.007+00:00

    Apparently it is a timing issue as after 7 days all the machines got the GPO changes applied

    Thanks,
    Dom

    0 comments