BortFrenzy
Let me start with this: I am still fairly new to Configuration Manager overall, so thanks in advance for bearing with me on this.
I've been working in an SCCM/MECM environment for a while now that has been running for some time. I noticed some of the updates were not being brought in like they should. We wanted to start testing some systems on Windows 11. We've had some sync issues for a while now with WSUS, and I was able to finally get that rolling. Then I was able to get Windows 11 to show up and accept the licensing in WSUS in order to get it over into MECM. Shortly after that, I started getting reports of Windows 11 being deployed. I did not have a deployment set up in Configuration Manager.
Steps we took while troubleshooting were to block Windows updates at the firewall level, and use group policy to block Windows updates, but it kept installing on our computers. I finally went into WSUS and declined Windows 11, which caused the installs to stop almost immediately.
Upon investigation, we have a GPO set under Comp Config > Admin Templates > Win Components > Win Updates that is pointing our machines to our MECM server as an "intranet Microsoft update service location". The specific port our systems are looking towards points right to WSUS on the server, so my guess is the clients were bypassing MECM and grabbing any approved updates from WSUS.
What I am confused about is that there is no policy for this in our corporate policy. The winning policy is "Local Group Policy".
Should I disable "Specify intranet Microsoft update service location" with a GPO? Does that default get set during the imaging process, and is it necessary? Do I need those ports to point to SCCM instead? And for reference, our WSUS setup and Configuration Manager live on the same server.
Hopefully that all makes sense, but please ask any questions, and I will do my best to answer.