Legacy WSUS GPOs & SCCM 2012

Similar Messages

• WSUS and SCCM 2012

  I'm finally getting around to trying to integrate WSUS with SCCM 2012 - i.e., to begin using SCCM 2012 to manage and deploy all Microsoft updates rather than using plain old WSUS as I have in the past.
  My first impression is that it's much more complicated than using WSUS alone. That said, I'm wondering now what are the advantages of using SCCM 2012 to manage Windows Updates rather than using WSUS? So far, I've added all of this complexity to the
  process, but I'm not seeing the added benefits after having gone through all this. Anyone else agree?
  I'm about to just trash the whole thing and go back to doing it the old way. Thoughts?
  Shaun

  Jorgen summed it up nicely here:
  http://ccmexec.com/2012/08/top-11-reasons-why-you-should-use-configmgr-2012-for-managing-software-updates/
  Jason | http://blog.configmgrftw.com

• Can we re-activate Adobe patches once expired in SCUP and syncronized to WSUS and SCCM 2012 as expired?

  Hi,
  I expired a couple of Adobe patches in SCUP and published them in WSUS. They got synchronized in WSUS and SCCM as expired. After about two weeks those expired patches got cleaned from SCCM ( at least from UI).
  I want to activate them again in SCUP and re-publish as active patches in SCCM. But its not working - I've tried WSUS cleanup and  SCUP cleanup already!
  Is there any way to re-active expired patches published by SCUP in WSUS and SCCM ? & How?
  Excerpt from SCUP.Log:
  PublishItem: Item 'Reader Multi Lingual User Interface 10.1.4 Update (UpdateId:'5c22235f-a3d9-48db-95eb-a60ec1886e8e' Vendor:'Adobe Systems, Inc.' Product:'Adobe Reader')' is on the update server and is expired, no publish actions are possible.

  The key here is knowing WHY those updates were "expired" in the first place.
  Most likely they were expired because they superseded another update. If so, merely duplicating and publishing won't achieve anything, because the duplicated/re-published update will also be superseded and get promptly expired again.
  Ergo, if expired because superseded, the superseding package will need to be customized to remove the supersession references and it also will need to be republished, which also means that certain other considerations may need to be taken as well ... such
  as the fact that you now have multiple packages that will conflict with one another that no longer have the requisite supersession metadata.
  Regarding this scenario. Configuration Manager 2012 introduced the option to NOT EXPIRE superseded updates, or to defer the expiration for a specified number of days. This is not a SCUP thing; it's a ConfigMgr thing.
  Configure the ConfigMgr product to behave the way you desire. Problem solved. :)
  If YOU actually expired them in SCUP... then just UNEXPIRE them and republish. Shouldn't be any need to duplicate and republish. This is what Microsoft does all the time. Expire Update 'A' Rev 100 on Monday; publish Update 'A' Rev 101 on Patch Tuesday.
  Lawrence Garvin, M.S., MCSA, MCITP:EA, MCDBA
  SolarWinds Head Geek
  Microsoft MVP - Software Packaging, Deployment & Servicing (2005-2014)
  My MVP Profile: http://mvp.microsoft.com/en-us/mvp/Lawrence%20R%20Garvin-32101
  http://www.solarwinds.com/gotmicrosoft
  The views expressed on this post are mine and do not necessarily reflect the views of SolarWinds.

• WSUS SP2; SCCM 2012 SP1; Sync failed: WSUS update source not found

  Hi,
  I have installed the Fresh SCCM 2012 SP1 and WSUS 3.0 SP2 + KB2720211 + KB2734608. However, still the Sync is getting failed. This is what I am getting in the wsyncmgr and WCM logs:
  wsyncmgr:
  Sync failed: WSUS update source not found on site PR1. Please refer to WCM.log for configuration error details.. Source: getSiteUpdateSource
  SMS_WSUS_SYNC_MANAGER 1/9/2015 12:00:00 PM
  3668 (0x0E54)
  STATMSG: ID=6703 SEV=E LEV=M SOURCE="SMS Server" COMP="SMS_WSUS_SYNC_MANAGER" SYS=ABC.XYZ.net SITE=PR1 PID=2724 TID=3668 GMTDATE=Fri Jan 09 18:00:00.537 2015 ISTR0="getSiteUpdateSource" ISTR1="WSUS update source not found
  on site PR1. Please refer to WCM.log for configuration error details." ISTR2="" ISTR3="" ISTR4="" ISTR5="" ISTR6="" ISTR7="" ISTR8="" ISTR9="" NUMATTRS=0
  SMS_WSUS_SYNC_MANAGER 1/9/2015 12:00:00 PM
  3668 (0x0E54)
  Sync failed. Will retry in 60 minutes SMS_WSUS_SYNC_MANAGER
  1/9/2015 12:00:00 PM 3668 (0x0E54)
  WCM:
  Checking for supported version of WSUS (min WSUS 3.0 SP2 + KB2720211 + KB2734608)
  SMS_WSUS_CONFIGURATION_MANAGER 1/9/2015 11:19:03 AM
  4176 (0x1050)
  Checking runtime v2.0.50727... SMS_WSUS_CONFIGURATION_MANAGER
  1/9/2015 11:19:03 AM 4176 (0x1050)
  Did not find supported version of assembly Microsoft.UpdateServices.Administration.
  SMS_WSUS_CONFIGURATION_MANAGER 1/9/2015 11:19:03 AM
  4176 (0x1050)
  Checking runtime v4.0.30319... SMS_WSUS_CONFIGURATION_MANAGER
  1/9/2015 11:19:03 AM 4176 (0x1050)
  Did not find supported version of assembly Microsoft.UpdateServices.Administration.
  SMS_WSUS_CONFIGURATION_MANAGER 1/9/2015 11:19:03 AM
  4176 (0x1050)
  Supported WSUS version not found SMS_WSUS_CONFIGURATION_MANAGER
  1/9/2015 11:19:03 AM 4176 (0x1050)
  STATMSG: ID=6607 SEV=E LEV=M SOURCE="SMS Server" COMP="SMS_WSUS_CONFIGURATION_MANAGER" SYS=ABC.XYZ.net SITE=PR1 PID=2724 TID=4176 GMTDATE=Fri Jan 09 17:19:03.489 2015 ISTR0="DEF.XYZ.net" ISTR1="" ISTR2="" ISTR3=""
  ISTR4="" ISTR5="" ISTR6="" ISTR7="" ISTR8="" ISTR9="" NUMATTRS=0
  SMS_WSUS_CONFIGURATION_MANAGER 1/9/2015 11:19:03 AM
  4176 (0x1050)
  Remote configuration failed on WSUS Server.
  SMS_WSUS_CONFIGURATION_MANAGER 1/9/2015 11:19:03 AM
  4176 (0x1050)
  STATMSG: ID=6600 SEV=E LEV=M SOURCE="SMS Server" COMP="SMS_WSUS_CONFIGURATION_MANAGER" SYS=ABC.XYZ.net SITE=PR1 PID=2724 TID=4176 GMTDATE=Fri Jan 09 17:19:03.515 2015 ISTR0="DEF.XYZ.net" ISTR1="" ISTR2="" ISTR3=""
  ISTR4="" ISTR5="" ISTR6="" ISTR7="" ISTR8="" ISTR9="" NUMATTRS=0
  SMS_WSUS_CONFIGURATION_MANAGER 1/9/2015 11:19:03 AM
  4176 (0x1050)
  I have used the default port numbers 80 and 443 still the sync is failing. Please provide your advise to fix this issue.
  Regards,
  Malwinder

  WCM:
  Checking for supported version of WSUS (min WSUS 3.0 SP2 + KB2720211 + KB2734608)
  It's not only a matter of installing the console, but also those hotfixes on a remote server ...
  Torsten Meringer | http://www.mssccmfaq.de

• Unable to reinstall WSUS on SCCM 2012 Server

  I'm trying to reinstall WSUS on my SCCM 2012 Server after having removed the SUP role from SCCM and then following
  these steps to remove WSUS from the server. However I am not able to reinstall WSUS. I also tried all of the steps outlined
  here but no luck. Here are the results from the WSUSSSetup.log:
  2014-05-05 12:16:44  Success   MWUSSetup          Detected that setup was launched through Server Manager
  2014-05-05 12:16:45  Success   MWUSSetup          Validating pre-requisites...
  2014-05-05 12:16:45  Error     MWUSSetup          Failed to determine if an higher version of WSUS is installed. Assuming it is not... (Error 0x80070002: The system cannot find the file specified.)
  2014-05-05 12:16:45  Error     MWUSSetup          WSUS is outdated. But this will not block setup (Error 0x00000000: The operation completed successfully.)
  2014-05-05 12:19:05  Success   MWUSSetup          Initializing installation details
  2014-05-05 12:19:05  Success   MWUSSetup          Skipping Asp.Net install since not running on win2k3...
  2014-05-05 12:19:05  Success   MWUSSetup          Installing wYukon using ocsetup
  2014-05-05 12:19:05  Success   MWUSSetup          Installing Windows Internal database using ocsetup with command line as "ocsetup "WSSEE" /quiet /norestart"
  2014-05-05 12:19:16  Error     MWUSSetup          The process ocsetup "WSSEE" /quiet /norestart returned error: 0x643 (Error 0x80070643: Fatal error during installation.)
  2014-05-05 12:19:16  Error     MWUSSetup          ExecCmd failed (Error 0x80070643: Fatal error during installation.)
  2014-05-05 12:19:16  Error     MWUSSetup          Install Windows Internal database: Failed to execute "ocsetup "WSSEE" /quiet /norestart" (Error 0x80070643: Fatal error
  during installation.)
  2014-05-05 12:19:16  Error     MWUSSetup          CInstallDriver::PerformSetup: Installation of wYukon failed (Error 0x80070643: Fatal error during installation.)
  2014-05-05 12:19:16  Error     MWUSSetup          CSetupDriver::LaunchSetup: Setup failed (Error 0x80070643: Fatal error during installation.)
  2014-05-05 12:19:23  Error     MWUSSetup          DoInstall: Wsus setup failed (Error 0x80070643: Fatal error during installation.)
  I am at a loss, any suggestions would be greatly appreciated. Perhaps I can try installing SQL express and use that as my database rather than WID, since the problem appears to be with WID installation?
  Shaun

  Another question then - is it okay to have WSUS reside on the same server as SCCM, but without using SCCM SUP role to manage updates?
  I would strongly discourage it. If you're using a single Configuration Manager instance, then most notably ConfigMgr installs an SSL-enabled Management Point website which has been known to interfere with a non-SSL standalone WSUS server.
  But perhaps more importantly, looking for the long term, if at some point you determined you wanted to enable a Software Update Point, you'd be backed into the corner with your standalone WSUS already installed on the Site Server.
  Converting an in-use WSUS Server to a SUP is fraught with complications, the least of which is being without a patch management environment for some period of time whilst you "convert" from standalone WSUS to ConfigMgr Software Updates.
  Lawrence Garvin, M.S., MCSA, MCITP:EA, MCDBA
  SolarWinds Head Geek
  Microsoft MVP - Software Packaging, Deployment & Servicing (2005-2014)
  My MVP Profile: http://mvp.microsoft.com/en-us/mvp/Lawrence%20R%20Garvin-32101
  http://www.solarwinds.com/gotmicrosoft
  The views expressed on this post are mine and do not necessarily reflect the views of SolarWinds.

• WSUS with SCCM 2012 - Products Missing, and Best Practices

  Good morning all
  I am integrating SCCM with WSUS, and I have a few questions regarding products.  I've noticed when running through the "Add site system roles wizard" in SCCM 2012 console that when I go to "Products" it does NOT list a few major
  products, such as office 2013, sql server 2013, exchange 2013, etc. 
  Am I missing something? I'm sure I am...what do I need to do? 
  Also, if there are any other gotchas or best practices you all can point me in the right direction as far as managing SCCM / WSUS together i'd be greatly appreciated. 
  Thanks so much!

  Do not use WSUS Console to manage the updates. All you things you can finish is in the SCCM Console. Refer to the link posted by Jason.
  Juke Chou
  TechNet Community Support

• Internet Explorer 11 not available in WSUS/SCCM 2012

  Hi all,
  do you have any idea why Internet Explorer 11 is not available in WSUS or SCCM 2012.
  I would like to deploy it as an update and not as an application.
  I have IE 10 listed and also Cumulative Updates for IE 11.
  Is it not yet released for SCCM Deployment?
  Thank you
  Best regards

  some history..
  -=-=-
  http://support.microsoft.com/kb/2921911
  Internet Explorer 10 for Windows 7 and Windows Server 2008 R2 (KB2718695) Tuesday, October 8, 2013, ◦Metadata has changed.
  [no note of change to release channel, but I think this is when it appeared in WSUS]
  Internet Explorer 10 for Windows 7 and Windows Server 2008 R2 (KB2718695) Tuesday, March 26, 2013, Localization text changed.
  Internet Explorer 10 for Windows 7 and Windows Server 2008 R2 (KB2718695) Tuesday, March 12, 2013, Deployment: Catalog,  Classification: High Priority, Non-Security, Update Rollups
  Internet Explorer 10 for Windows 7 and Windows Server 2008 R2 (KB2718695) Tuesday, March 12, 2013, Deployment: Important/Automatic Updates,  Classification: High Priority, Non-Security, Update Rollups
  Internet Explorer 10 for Windows 7 and Windows Server 2008 R2 (KB2718695) Tuesday, March 12, 2013, Deployment: Optional/Automatic Updates,  Classification: Updates, Non-Security
  Internet Explorer 10 for Windows 7 and Windows Server 2008 R2 (KB2718695) Tuesday, March 12, 2013, Deployment: Optional/Automatic Updates and Catalog,  Classification: Updates, Non-Security
  -=-=-
  http://support.microsoft.com/kb/2662694
  Windows Internet Explorer 9 for Windows 7, Windows Server 2008 R2, Windows Server 2008 and Windows Vista (KB982861) Tuesday, June 21, 2011, Metadata changed to offer to WSUS channel.
  Internet Explorer 9 for Windows 7, Windows Server 2008 R2, Windows Server 2008 and Windows Vista (KB982861) Monday, March 28, 2011, Deployment: Windows Update, Microsoft Update, and Important/Automatic Updates,  Classification: High Priority, Non-Security,
  Update Rollups
  Internet Explorer 9 for Windows 7, Windows Server 2008 R2, Windows Server 2008 and Windows Vista (KB982861) Monday, March 28, 2011, Deployment: Windows Update, Microsoft Update, and Optional Installation,  Classification: Non-Security, Updates
  Internet Explorer 9 for Windows 7, Windows Server 2008 R2, Windows Server 2008 and Windows Vista (KB982861) Monday, March 28, 2011, Deployment: Catalog,  Classification: Non-Security, Update Rollups
  Don
  (Please take a moment to "Vote as Helpful" and/or "Mark as Answer", where applicable.
  This helps the community, keeps the forums tidy, and recognises useful contributions. Thanks!)

• SCCM 2012 Setting Windows Update GP's

  Hopefully this is a simple one.
  I have setup WSUS with SCCM 2012 and currently its sole purpose is for updating our WIM images however... It seems though that all of our devices that have the SCCM 2012 client installed are having their windows updates local group policy settings changed
  to our distribution point and all other setting changed to not configured(overriding the settings the admins previously had in place).
  I don't want the sccm client to make changes to the windows update local group policy... how can I accomplish this?  

  We are using a separate WSUS server to manage updates on servers and clients.
  In the near future I'll attempt to transition to the WSUS I have integrated with SCCM.
  For regular client machines we're pushing the windows update GP's but for our servers the system admin are managing those themselves depending on how they want windows updates to behave on their systems.

• GPO and SCCM 2012 Shared WSUS installation

  Hello
  At present I have a scenario where SCCM 2012 and wsus are installed on the same server and serving around 600 desktop clients.  SCCM is configured to deploy windows updates to the client machine via the sccm client, however the member servers in the
  domain do not have the sccm client installed so I have directed them to use the the WSUS installation via GPO.  The servers do appear in the wsus console but never report status and never pull down any updates.
  Should this setup be possible; to use one wsus instance for both sccm udpate distribution and direct communication from member servers?
  windowsupdate.log entries from a member server as follows:
  2014-02-04 15:10:01:172
  844 1338
  Agent ** START **  Agent: Finding updates [CallerId = AutomaticUpdates]
  2014-02-04 15:10:01:172
  844 1338
  Agent *********
  2014-02-04 15:10:01:172
  844 1338
  Agent  * Online = No; Ignore download priority = No
  2014-02-04 15:10:01:172
  844 1338
  Agent  * Criteria = "IsInstalled=0 and DeploymentAction='Installation' or IsPresent=1 and DeploymentAction='Uninstallation' or IsInstalled=1 and DeploymentAction='Installation' and RebootRequired=1 or IsInstalled=0
  and DeploymentAction='Uninstallation' and RebootRequired=1"
  2014-02-04 15:10:01:172
  844 1338
  Agent  * ServiceID = {3DA21691-E39D-4DA6-8A4B-B43877BCB1B7} Managed
  2014-02-04 15:10:01:172
  844 1338
  Agent  * Search Scope = {Machine}
  2014-02-04 15:10:01:350
  844 14d8
  AU Getting featured update notifications.  fIncludeDismissed = true
  2014-02-04 15:10:01:351
  844 14d8
  AU No featured updates available.
  2014-02-04 15:10:01:364
  844 14d8
  AU WARNING: Returning due to error from GetDownloadProgressUx, error = 0x8024000C
  2014-02-04 15:10:01:364
  844 14d8
  AU WARNING: GetInteractiveInstallProgress failed, error = 0x8024000C
  2014-02-04 15:10:01:364
  564 678
  WUApp WARNING: Call to GetInteractiveInstallProgress failed, hr=8024000C
  2014-02-04 15:10:02:692
  844 1338
  Agent  * Found 0 updates and 74 categories in search; evaluated appl. rules of 236 out of 825 deployed entities
  2014-02-04 15:10:03:234
  844 1338
  Agent *********
  2014-02-04 15:10:03:234
  844 1338
  Agent **  END  **  Agent: Finding updates [CallerId = AutomaticUpdates]
  2014-02-04 15:10:03:234
  844 1338
  Agent *************
  2014-02-04 15:10:03:238
  844 1be4
  AU >>##  RESUMED  ## AU: Search for updates [CallId = {5C25CEFB-5315-4722-A422-790FBC7303B5}]
  2014-02-04 15:10:03:238
  844 1be4
  AU  # 0 updates detected
  2014-02-04 15:10:03:238
  844 1be4
  AU #########
  2014-02-04 15:10:03:238
  844 1be4
  AU ##  END  ##  AU: Search for updates [CallId = {5C25CEFB-5315-4722-A422-790FBC7303B5}]
  2014-02-04 15:10:03:238
  844 1be4
  AU #############
  Thanks in advance...

  Should this setup be possible; to use one wsus instance for both sccm udpate distribution and direct communication from member servers?
  No.
  Torsten Meringer | http://www.mssccmfaq.de

• WSUS reinstall on 2012 SCCM server post-installation task fails to run/finish

  I had to re-install WSUS on a 2012 R2 SCCM server (Windows 2012), and am running into several issues re-installing. It may help to point out that the SCCM SQL server is remote, so this isn't a WSUS / SQL 2012 issue.
  The sticky post at the top of the WSUS forum has helpful troubleshooting information, and I have tried going through this as well as many other threads on this very topic of re-installing WSUS.
  1. Roles for WSUS and WID were removed successfully. The WSUS Website was manually deleted from IIS. As this is a SCCM server, removing the IIS role is not an option.
  2. I removed the existing WID database files for SUSDB
  3. After rebooting, I verified registry keys were gone, system files were cleaned up, and deleted the program files\update services directory
  4. This isn't a permission issue, as I have clearly installed this before on this server.
  5. Registry keys, system files, and susdb files no longer exist, and the server has rebooted cleanly.
  6. I am able to add the WSUS role selecting WID, and this installs WID without any errors. At this point, simply clicking the post installation task fails, generates an empty .tmp file in my %appdata%\temp folder, and exits the MMC. 
  7. This file is blank. Absolutely empty, so I couldn't really troubleshoot any post installation tasks.
  8. Further investigation shows that the 'C:\Program Files\Update Services\Tools\' directory is gone, and isn't being
  generated.
  9. Ok... DISM /online /Cleanup-Image /Scanhealth didn't return any issues, so I copied the wsusutil out of the windows\WinSxS directory.
  10. Yey! wsusutil postinstall runs, but bombs out on the IIS portion. It generated the DB without an issue, but results
  in an IIS generation error. So, I installed WSUS on a clean 2012 install, then copied over the program files\updateServices directory to reclaim the missing files. 
  The log files show --
  2013-12-06 10:30:34  Configuring IIS...
  2013-12-06 10:30:35  Start: ConfigureWebsite
  2013-12-06 10:30:36  Configuring website on port 8530
  2013-12-06 10:30:39  System.ComponentModel.Win32Exception (0x80004005): The system cannot find the file specified
     at System.Diagnostics.Process.StartWithShellExecuteEx(ProcessStartInfo startInfo)
     at System.Diagnostics.Process.Start(ProcessStartInfo startInfo)
     at Microsoft.UpdateServices.Administration.UseCustomWebSite.ExecuteIisCustomAction(String arguments)
     at Microsoft.UpdateServices.Administration.UseCustomWebSite.Install(Int32 portNumber)
     at Microsoft.UpdateServices.Administration.UseCustomWebSite.InstallAndConfigure(IisConfiguration& iisConfiguration, Int32 newPortNumber)
     at Microsoft.UpdateServices.Administration.PostInstall.ConfigureWebsite(Int32 portNumber)
     at Microsoft.UpdateServices.Administration.PostInstall.Run()
     at Microsoft.UpdateServices.Administration.PostInstall.Execute(String[] arguments)
  ... ok - tripple checked that network service has permissions to .net and windows\temp folders.
  netstat -a doesn't show anything running on port 8530 ( in case this was some weird port check in use)
  Which goes back to the missing directory problem -- further net searches show that this is a reoccurring issue for some OOBE... sfc /verifyonly shows ... nothing.
  What is left to be done at this point? The missing folders from the program directory seems to be a problem for some with some users right out of the box. I have read many other threads where users just formatted and started over. Not exactly a solution
  - any help out there on this issue? Any suggestions to determine what file is missing, or generating the IIS issues?

  Part of the post install tasks wanted to download some items including the tools folder.
  Can you expand on this please. The WSUS post-install tasks do not download anything, except what is acquired during the initial synchronization with Microsoft.
  Because of my group policy the WSUS server was trying to download the updates from itself even though it was not setup yet.
  What update(s) was the WSUS server trying to "download"?
  In fact, if the WSUS Server was not setup yet (but you already had a GPO in place), then the first issue here was performing deployment steps out of order.
  But still.... except for the actual installation binaries for the WSUS Server Role on a WS2008SP2/WS2008R2 system, there's nothing the WSUS server needs to get from either Windows Update or a WSUS server. This scenario is actually discussed hundreds of times
  in this forum, but complicating matters, this thread isn't about installing WSUS V3.2 on a WS2008SP2/WS2008R2 system, it's about installing WSUS v65 on a WS2012 system, so I'm a bit confused as to what the actual installation environment is that we're discussing.
  I changed the WSUS server to get it's windows updates from Microsoft and then the post install task succeeded.
  I'd really like to get some more details about what exactly in the "post-install task" was dependent upon content from WU/WSUS.
  Lawrence Garvin, M.S., MCSA, MCITP:EA, MCDBA
  SolarWinds Head Geek
  Microsoft MVP - Software Packaging, Deployment & Servicing (2005-2014)
  My MVP Profile: http://mvp.microsoft.com/en-us/mvp/Lawrence%20R%20Garvin-32101
  http://www.solarwinds.com/gotmicrosoft
  The views expressed on this post are mine and do not necessarily reflect the views of SolarWinds.

• WSUS Server settings and Migrating SCCM 2007 Clients to SCCM 2012 R2

  I am in the process of migrating a site from SCCM 2007 to SCCM 2012 R2.
  Whilst doing this I came across the following issue:
  The first issue is the workstations are woefully out of date, patch and update-wise, some have never had a patch applied as the branch IT staff are building them from the original disk. The policy is set in the SCCM 2007 client to point the machines at
  the 2007 WSUS server, which is not set to deliver any updates to 2007 clients and hasn't been for a while. So as soon as the client is installed they lose the ability to get updates from Microsoft and don't get them from the 2007 WSUS server either.
  Issue number 2 is the machines are a mixture of hand-built machines to SCCM 2007 delivered images, the SCCM image is patch using offline patching so they are somewhat up-to-date, but the hand-built machines are not and as there is no standardization on
  the Microsoft Update client settings, the IT person on-site sets it to whatever he/she feels like, as it makes no difference once the client is installed and the policy applied.
  So, when I come to update the client from 2007 to 2012, the following occurs
  The Client uninstalls, and the GPO policy settings for Windows Update are removed.
  Depending on the setup of the client initially, some machines are then going to Microsoft for their updates (literally 100s) and although the new client is installed the policy update does not fire to update the Windows Update Policy settings, sometimes
  for hours after the install finishes. My thoughts are that it just can't run the policy as it is bogged down by patches updating and, in some cases, rebooting and then updating some more.
  As a workaround I have had to go in an physically disable Microsoft Update on these machines, which stops the downloading and eventually allows the policy to apply, after which the machine then begins to receive patches from WSUS in a controlled method during
  maintenance windows.
  I have tried a number of approaches, even setting the Global Group Policy for Windows Update, but the install still removes the keys and basically sets Windows updates back to whatever it was set before the policy was applied and stays that way until the
  new client is installed and the Machine policy reapplied. This can be speeded up by initiating it on the client obviously, but that would mean going to each client or using right-click tools on each machine, which is not an option.
  What I would like to know is if there is something I am missing from my methods or is it just that I have never been on a site with such out of date workstations built in such different ways.
  Any help would be appreciated.

  First note that clients do *not* get updates from WSUS in ConfigMgr. The Windows Update Agent (WUA) must point to the WSUS integrated into ConfigMgr (by virtue of having the SUP installed on it) but this is only to make the update catalog/metadata available
  to it. Approving updates in WSUS is unsupported for ConfigMgr.
  What you've described above is all working as designed although these clients are falling into a gap between the 2007 and 2012 configuration and thus they are reaching out to Windows Update during this gap and installing updates. To prevent this, you
  need to disable automatic updates via a domain group policy. This will prevent all automated WUA activity including installing updates from any source automatically. This will not interfere with ConfigMgr Software Updates in any way though.
  Jason | http://blog.configmgrftw.com | @jasonsandys

• Cannot publish Flash Updates Verification of file signature failed for file SCUP 2011, SCCM 2012 R2 and WSUS all on same Windows Server 2012 machine

  I am attempting to distribute Adobe Flash updates using SCUP 2011, SCCM 2012 R2, WSUS ver4 and Windows Server 2012.  Everything installs without error.  I have acquired a certificate for SCUP signing from the internal Enterprise CA.  I have
  verified the signing certificate has a 1024 bit key.  I have imported the certificate into the server's Trusted Publishers and Trusted Root CA stores for the computer.  When I attempt to publish a Flash update with Full content I receive the following
  error:
  2015-02-13 23:00:48.724 UTC Error Scup2011.21 Publisher.PublishPackage PublishPackage(): Operation Failed with Error: Verification of file signature failed for file:
  \\SCCM\UpdateServicesPackages\a2aa8ca4-3b96-4ad2-a508-67a6acbd78a4\3f82680a-9028-4048-ba53-85a4b4acfa12_1.cab
  I have redone the certificates three times with no luck.  I can import metadata, but any attempt to download content results in the verification error.
  TIA

  Hi Joyce,
  This is embarrassing, I used that very post as my guide when deploying my certificate templates, but failed to change the bit length to 2048.  Thank you for being my second set of eyes.
  I changed my certificate key bit length to 2048, deleted the old cert from all certificate stores, acquired the a new signing cert, verified the key length was 2048, exported the new cert to pfx and cer files, imported into my Trusted publishers
  and Trusted Root Authorities stores, reconfigured SCUP to use the new pfx file, rebooted the server and attempted to re-publish the updates with the following results:
  2015-02-16 13:35:44.006 UTC Error Scup2011.4 Publisher.PublishPackage PublishPackage(): Operation Failed with Error: Verification of file signature failed for file:
  \\SCCM\UpdateServicesPackages\a2aa8ca4-3b96-4ad2-a508-67a6acbd78a4\3f82680a-9028-4048-ba53-85a4b4acfa12_1.cab.
  Is there a chance this content was already created and signed with the old cert, so installing the new cert has no effect?  In ConfigMgr software updates I see 4 Flash updates, all marked Metadata Only (because they were originally published as "Automatic." 
  No Flash updates in the ConfigMgr console are marked as downloaded.  I can't find any documentation on how the process of using SCUP for downloading content for an update marked Metadata Only actually works. 
  Comments and suggestions welcome.

• SCCM 2012 on Server 2012 and WSUS 3.0 SP2 on Server 2008

  We are installing SCCM 2012 SP1 fresh into our development environment - the primary site server and the database (SQL 2012) are both being installed on Server 2012.
  We have an existing WSUS box on a Windows 2008 (not R2) server - the WSUS server version is 3.2.7600.256.  We have set this up as the software update point.
  For the purposes of this discussion, these are the server names (obviously obfuscated):
  Primary site server:  sccm.domain.local
  Database server:  sccmdb.domain.local
  WSUS server:  wsus.domain.local
  On the primary SCCM server, I've installed the WSUS user interface (Install-WindowsFeature -Name UpdateServices-UI), in order to work with the remote WSUS server.
  Updates synchronization appears to be working fine, but when I try to setup client distribution via SUP, I'm getting the following error in the Application event log:
  Log Name:      Application
  Source:        SMS Server
  Date:          8/6/2013 11:03:11 AM
  Event ID:      6613
  Task Category: SMS_WSUS_CONFIGURATION_MANAGER
  Level:         Error
  Keywords:      Classic
  User:          N/A
  Computer:      sccm.domain.local
  Description:
  On 8/6/2013 11:03:11 AM, component SMS_WSUS_CONFIGURATION_MANAGER on computer sccm.domain.local reported:  WSUS Configuration Manager failed to publish client boot-strapper package "9D5353E5-DA80-48C3-97DE-C9C528F73A2D" with version "5.00.7804.1000"
  to the Software Updates Point.
  As well as this in the WMC.log:
  PublishApplication(9D5353E5-DA80-48C3-97DE-C9C528F73A2D) failed with error System.InvalidOperationException: Publishing operation failed because the console and remote server versions do not match.~~   at Microsoft.UpdateServices.Internal.BaseApi.Publisher.LoadPackageMetadata(String
  sdpFile)~~   at Microsoft.UpdateServices.Internal.BaseApi.UpdateServer.GetPublisher(String sdpFile)~~   at Microsoft.SystemsManagementServer.WSUS.WSUSServer.PublishApplication(String sPackageId, String sSDPFile, String sCabFile)  $$<SMS_WSUS_CONFIGURATION_MANAGER><08-06-2013
  11:03:11.787+240><thread=3704 (0xE78)>
  ERROR: Failed to publish sms client to WSUS, error = 0x80131509  $$<SMS_WSUS_CONFIGURATION_MANAGER><08-06-2013 11:03:11.803+240><thread=3704 (0xE78)>
  It would seem obvious that this is because of a mismatch in versions between the WSUS server version on wsus.domain.local, compared to the UpdateServices UI on sccm.domain.local.
  Is there a way around this, without having to upgrade the WSUS server to Server 2012?
  Thanks for any thoughts you may have!

  Not really. As mentioned though, even the separate WSUS server is probably overkill. In ConfigMgr, WSUS is used to handle the update catalog and that's it. Clients do *not* report status to the WSUS instance and do *not* download updates from the WSUS instance.
  No management is ever done in WSUS.
  So, in reality, once a month, clients connect to WSUS to download the delta update catalog (delta compared to what they currently have) which usually comes out to about a few hundred KB (yes KB, not MB) -- this download is done via BITS. The server also
  syncs the catalog from the WSUS instance, via the SUP, in a similar fashion. If you are using SCEP, the frequency will be greater, but the deltas will be much smaller.
  EULAs, as needed, are also stored in WSUS and accessed by clients -- these are also quite small only a select few updates requires them.
  That's it. Standing up a dedicated WSUS instance means having a server sitting there doing almost nothing else.
  If you are concerned about load on the site server, then you should create a separate site system that contains the MP, SUP (and WSUS instance), and DP. Then, for HA purposes, you can simply build a second site system with these three roles also and HA will
  essentially be automatic (from a client functionality perspective).
  Jason | http://blog.configmgrftw.com

• SCCM 2012 R2 WSUS wsyncact error 0x8013141A

  i have new servers with Server 2012 R2, SCCM 2012 R2, and SQL 2012 SP1 CU6. SCCM will not sync with WSUS. "Synchronize Software Updates" fails and no updates appear and the scheduled sync in "SUP Component Properties"\"Sync
  Schedule" runs, the WSUS servers do not sync with their upstream servers. There are no errors in the WCM and WSUSCtrl logs. The wsyncmgr log has these errors:
  Sync failed. Could not load file or assembly '5120 bytes loaded from wsyncact, Version 5.0.0.0, Culture=-neutral, PublicKeyToken=(alphanumeric string) or one of its dependencies. Strong name validation failed. ) Exception from HRESULT: )x8013141A). Source:
  wsyncact
  STATMSG; ID-6703 SEV=E LEV=M SOURCE="SMS Server" COMP="SMS_WSUS_SYNC_MANAGER" SYS=(servername) SITE=(site code) PID=2704 TID=5516 GMTDATE=(date/time) ISTR1="Could not load file or assembly 'updmgrclr, Version=5.0.7958.1000, Culture=neutral,
  PublicKeyToken=(alphanumeric string)"  or one of its dependencies. Strong name validation failed. (Exception from HRESULT: 0x8013141A)" ITR3="" ISTR4="" ISTR5="" ISTR6="" ISTR7="" ISTR8=""
  ISTR9="" NUMATTRS=0
  Sync failed. Will retry in 60 minues.
  Moving the servers to an OU with no policies does not help. Setting registry entries to turn off strong name validation does not help.
  I did find one post that said the ports in IIS and in SCCM need to match. My do, IIS and SCCM both have 8530/8531.
  Suggestions?
  Ben JohnsonWY

  SOLVED. FINALLY!
  Do an internet search for "Keith McGuinness" and "Strong name Validation Failed (Exception from HRESULT 0x8013141A)"
  You need to create these two registry keys:
  [HKLM\Software\Microsoft\StrongName\Verification\*,123adf9123]
  [HKLM\Software\Wow6432Node\Microsoft\StrongName\Verification\*,123adf9123]
  You need to do this key pair for each 0x8013141A error you have that has a unique PublicKeyToken. Note that the "*,123adf9123" is a key, not a DWORD or anything else. Also, you have to change 123adf9123 to the PublicKeyToken(s) showing in your
  error messages within WSUS. You can then force a new sync by setting a sync time a couple minutes in the future with configure SUP under Administration\Sites.
  Note: I did this on the site server.
  Ben JohnsonWY

• SCCM 2012 SP1 WSUS/Software Update Point Synchronization error on CAS.

  Hi All, 
  Good day to all you. 
  I would like to seek all your help on this issue that i have encountering. 
  My SCCM 2012 SP1 CAS are having a synchronization error in WSUS/Software update point. The CAS have intergrated WSUS role in it. The last good synchronization was on July 16, 2014. No error log found on WCM.log and WSUSctrl.log
  Error: 
  Sync failed: UssNotFound: WebException: The request failed with HTTP status 404: Not Found.~~at System.Web.Services.Protocols.SoapHttpClientProtocol.ReadResponse(SoapClientMessage message, WebResponse response, Stream responseStream, Boolean asyncCall).
  Source: Microsoft.SystemsManagementServer.SoftwareUpdatesManagement.WsusSyncAction.WSyncAction.SyncWSUS
  SMS_WSUS_SYNC_MANAGER  7/22/2014 3:05:32 PM 5776 (0x1690)
  STATMSG: ID=6703 SEV=E LEV=M SOURCE="SMS Server" COMP="SMS_WSUS_SYNC_MANAGER" SYS=MYHQKUL990707S.sdb.com SITE=C01 PID=6948 TID=5776 GMTDATE=Tue Jul 22 07:05:32.796 2014 ISTR0="Microsoft.SystemsManagementServer.SoftwareUpdatesManagement.WsusSyncAction.WSyncAction.SyncWSUS"
  ISTR1="UssNotFound: WebException: The request failed with HTTP status 404: Not Found.~~at System.Web.Services.Protocols.SoapHttpClientProtocol.ReadResponse(SoapClientMessage message, WebResponse response, Stream responseStream, Boolean asyncCall)"
  ISTR2="" ISTR3="" ISTR4="" ISTR5="" ISTR6="" ISTR7="" ISTR8="" ISTR9="" NUMATTRS=0
  SMS_WSUS_SYNC_MANAGER  7/22/2014 3:05:32 PM 5776 (0x1690)
  Sync failed. Will retry in 60 minutes
  SMS_WSUS_SYNC_MANAGER  5776 (0x1690)
  below are wsyncmgr.log:
  Setting sync alert to active state on site C01  SMS_WSUS_SYNC_MANAGER (0x1690)
  Sync time: 0d00h01m14s SMS_WSUS_SYNC_MANAGER
  5776 (0x1690)
  Wakeup for a polling cycle SMS_WSUS_SYNC_MANAGER
  5776 (0x1690)
  Starting Sync SMS_WSUS_SYNC_MANAGER
  5776 (0x1690)
  Performing sync on retry schedule SMS_WSUS_SYNC_MANAGER
  5776 (0x1690)
  Read SUPs from SCF for MYHQKUL990707S.sdb.com  SMS_WSUS_SYNC_MANAGER 5776 (0x1690)
  Found 1 SUPs SMS_WSUS_SYNC_MANAGER
  5776 (0x1690)
  Found active SUP MYHQKUL990707S.sdb.com from SCF File.
  SMS_WSUS_SYNC_MANAGER 5776 (0x1690)
  STATMSG: ID=6701 SEV=I LEV=M SOURCE="SMS Server" COMP="SMS_WSUS_SYNC_MANAGER" SYS=MYHQKUL990707S.sdb.com SITE=C01 PID=6948 TID=5776 GMTDATE=Tue Jul 22 07:04:20.750 2014 ISTR0="" ISTR1="" ISTR2="" ISTR3=""
  ISTR4="" ISTR5="" ISTR6="" ISTR7="" ISTR8="" ISTR9="" NUMATTRS=0
  SMS_WSUS_SYNC_MANAGER 7/22/2014 3:04:20 PM
  5776 (0x1690)
  Synchronizing WSUS server MYHQKUL990707S.sdb.com  SMS_WSUS_SYNC_MANAGER 5776 (0x1690)
  STATMSG: ID=6704 SEV=I LEV=M SOURCE="SMS Server" COMP="SMS_WSUS_SYNC_MANAGER" SYS=MYHQKUL990707S.sdb.com SITE=C01 PID=6948 TID=5776 GMTDATE=Tue Jul 22 07:04:21.763 2014 ISTR0="" ISTR1="" ISTR2="" ISTR3=""
  ISTR4="" ISTR5="" ISTR6="" ISTR7="" ISTR8="" ISTR9="" NUMATTRS=0
  SMS_WSUS_SYNC_MANAGER 7/22/2014 3:04:21 PM
  5776 (0x1690)
  Using account sdb\SCCM-Admin to connect to WSUS Server
  SMS_WSUS_SYNC_MANAGER 5776 (0x1690)
  Synchronizing WSUS server myhqkul990707s.sdb.com ...
  SMS_WSUS_SYNC_MANAGER 440 (0x01B8)
  sync: Starting WSUS synchronization SMS_WSUS_SYNC_MANAGER
  440 (0x01B8)
  Sync failed: UssNotFound: WebException: The request failed with HTTP status 404: Not Found.~~at System.Web.Services.Protocols.SoapHttpClientProtocol.ReadResponse(SoapClientMessage message, WebResponse response, Stream responseStream, Boolean asyncCall). Source:
  Microsoft.SystemsManagementServer.SoftwareUpdatesManagement.WsusSyncAction.WSyncAction.SyncWSUS
  SMS_WSUS_SYNC_MANAGER 7/22/2014 3:05:32 PM
  5776 (0x1690)
  STATMSG: ID=6703 SEV=E LEV=M SOURCE="SMS Server" COMP="SMS_WSUS_SYNC_MANAGER" SYS=MYHQKUL990707S.sdb.com SITE=C01 PID=6948 TID=5776 GMTDATE=Tue Jul 22 07:05:32.796 2014 ISTR0="Microsoft.SystemsManagementServer.SoftwareUpdatesManagement.WsusSyncAction.WSyncAction.SyncWSUS"
  ISTR1="UssNotFound: WebException: The request failed with HTTP status 404: Not Found.~~at System.Web.Services.Protocols.SoapHttpClientProtocol.ReadResponse(SoapClientMessage message, WebResponse response, Stream responseStream, Boolean asyncCall)"
  ISTR2="" ISTR3="" ISTR4="" ISTR5="" ISTR6="" ISTR7="" ISTR8="" ISTR9="" NUMATTRS=0
  SMS_WSUS_SYNC_MANAGER 7/22/2014 3:05:32 PM
  5776 (0x1690)
  Sync failed. Will retry in 60 minutes SMS_WSUS_SYNC_MANAGER
  5776 (0x1690)
  All response is much appreciated
  Thank You

  Hi,
  I recommend you look at the IIS log. Maybe it can give us some clues.
  We
  are trying to better understand customer views on social support experience, so your participation in this
  interview project would be greatly appreciated if you have time.
  Thanks for helping make community forums a great place.