Forums on Intune, SCCM, and Windows 11


PENDING Windows updates not showing in Software Center after ADR creation

godofthunder77

Hello,

So here is my dilemma. I just created two simple ADRs: one for Office products and one for Critical and Security updates for Windows 10, with Software Update Groups ready and deployed. Strangely, my Windows updates do not show up in Software Center, but my Office products do and can be installed. The client machine does require updates for 1809. There is a simple Windows Update GPO applied to make sure features are deferred and to stop clients going out to the internet to get updates. Has anyone seen this before? In the past, I have never had this issue. Thank you for any advice!

Brian

 
Have any of your clients ever received OS updates using this configuration? I don't know why you have all those settings defined if you're controlling updates with CM.

Hi Sam,

Thanks for the response. No, this company I am working for has never used SCCM for updates. They currently use BIGFIX; however, they want to move away from that. In my past experience, having a simple GPO in place ensured clients would not be able to go out to the internet and get updates, and would stop any Windows notifications for updates or feature packs. I can try wiping out the GPO for testing purposes. Does SCCM completely stop the client/user from being able to reach out to the internet for Windows updates? Mind you, all users have admin rights on their machines. YUK!

Funny thing is, I tested Office updates as well with this in place and they came through just fine in Software Center.

Brian
 
I primarily work in a disconnected environment, so I cannot configure WSUS/CM as the majority of you do. I currently have no settings defined for Windows Update in GP. As there's no internet to reach out to, I'm not concerned with that aspect, and no matter how many times someone clicks "Check for updates" it will always say there are no updates at this time, because the WSUS doesn't serve updates in a CM environment. The CM client, however, will set local policy and at a minimum defines these:
  • Specify intranet Microsoft update service location: Enabled (should be setting it to your SUP)
  • Do not allow update deferral policies to cause scans against Windows Update: Enabled
  • Allow signed updates from an intranet Microsoft update service location: Enabled
It's explicitly stated not to set the first item listed above in GP; it will cause CM to stop serving updates to your systems if you do. You should keep in mind that if you converted your WSUS to a SUP, it's CM that serves the updates, not WSUS. I would recommend using a new, clean WSUS as your SUP rather than bringing in a pre-configured one that was standalone. Setting other items via GPO probably won't have any effect on CM, because for CM's purposes the WUA is only doing the initial "Hi, here's what I am, what I have, what do you have for me?" conversation. More on that later...

Preventing people from accessing Microsoft's Windows Update server through GPO only stops them from firing it off through that UI, and you said they're all admins. What's to stop them from manually browsing the Update Catalog, downloading whatever they like, and executing it? Perhaps a network ACL or IPsec policy would assist with this. I'm getting off-track though...

Your Automatic Deployment Rule (ADR) should be enabled, with a last error code of 0x0, and deployed to a collection that contains eligible systems.
The ADR should be linked to a deployment package that contains the updates, and that package should have its content distributed to a Distribution Point (DP).
A Software Update Group (SUG) should also contain the deployment information in addition to other stats; it should be enabled.

When a CM-managed system runs the Software Updates Scan Cycle, it will directly communicate with your SUP and carry on a normal WUA conversation, but the SUP won't send it anything directly. After this completes, information about that system will be updated in the SUG... somehow, by either the client or through MP <-> SUP conversations. I don't really have this part nailed down and never get around to looking into it.

When the system runs the Software Updates Deployment Evaluation Cycle, it will evaluate any SUGs deployed to it and pull down updates from the DP as required.
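As an added client-side check (example code, not from this thread or from Microsoft), the script below reads the WUA policy the CM agent writes, compares it with the SUP the client was given, looks in WUAHandler.log for the "overwritten by a higher authority" message that appears when a domain GPO conflicts with it, lists the updates deployed to the client, and then triggers the scan and deployment evaluation cycles Sam describes. It assumes an elevated PowerShell session on a machine with the Configuration Manager client installed and the default log path C:\Windows\CCM\Logs.

```powershell
# Added diagnostic example; run elevated on the CM client. Not the CM product's own code.
$policy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$wu = Get-ItemProperty -Path $policy -ErrorAction SilentlyContinue

# WUServer / WUStatusServer back the "Specify intranet Microsoft update service location" setting.
# The CM client writes the SUP here; a domain GPO setting a different server is the conflict to avoid.
"WUServer (policy)           : $($wu.WUServer)"
"WUStatusServer (policy)     : $($wu.WUStatusServer)"
# DisableDualScan = "Do not allow update deferral policies to cause scans against Windows Update"
"DisableDualScan             : $($wu.DisableDualScan)"
# AcceptTrustedPublisherCerts = "Allow signed updates from an intranet Microsoft update service location"
"AcceptTrustedPublisherCerts : $($wu.AcceptTrustedPublisherCerts)"

# The SUP the client was assigned, as recorded by the WUA handler; it should match WUServer above.
$source = Get-CimInstance -Namespace 'root\ccm\SoftwareUpdates\WUAHandler' -ClassName CCM_UpdateSource -ErrorAction SilentlyContinue
"Assigned SUP (CM)           : $($source.ContentLocation)"
if ($source -and $wu.WUServer -and ($wu.WUServer -ne $source.ContentLocation)) {
    Write-Warning 'WUServer policy differs from the SUP CM assigned: a domain GPO is probably overriding it.'
}

# WUAHandler.log records when a GPO of higher authority overwrote the CM-set local policy.
$log = Join-Path $env:windir 'CCM\Logs\WUAHandler.log'
if (Test-Path $log) {
    Select-String -Path $log -Pattern 'overwritten by a higher authority' |
        Select-Object -Last 3 | ForEach-Object { "GPO conflict: $($_.Line)" }
}

# Updates currently deployed to this client (what Software Center should be showing).
# EvaluationState 0 = none, 1 = available; ComplianceState 0 = missing, 1 = compliant.
Get-CimInstance -Namespace 'root\ccm\ClientSDK' -ClassName CCM_SoftwareUpdate |
    Select-Object ArticleID, Name, EvaluationState, ComplianceState, Deadline |
    Format-Table -AutoSize

# Kick off the two cycles from the post: scan against the SUP, then evaluate deployed SUGs.
$cycles = [ordered]@{
    '{00000000-0000-0000-0000-000000000113}' = 'Software Updates Scan Cycle'
    '{00000000-0000-0000-0000-000000000108}' = 'Software Updates Deployment Evaluation Cycle'
}
foreach ($id in $cycles.Keys) {
    Invoke-CimMethod -Namespace 'root\ccm' -ClassName SMS_Client -MethodName TriggerSchedule `
        -Arguments @{ sScheduleID = $id } | Out-Null
    "Triggered $($cycles[$id])"
}
```

After the cycles run, UpdatesDeployment.log and UpdatesHandler.log in the same folder show whether the deployed SUG was evaluated and which updates were requested from the DP.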
