Hello!

I am in the middle of configuration auto-updates with SCCM. I have a bunch of critical servers, which could not be scheduled for autoupdates because each downtime window must be approved before. First I wanted to create collection for them without any maintenance windows, depoy updates to this collection and manually install updates in approved window. However, later I discovered, that updates can be installed any time at non-business hours if no maintenance windows specified. I have some ideas how to resolve that, but need help to configure SCCM this way:

1) Completely prohibit updates installation for collection (Is it possible to do this on server side only?)

2) Update critical servers withouts SCCM. (Can I update these servers from WSUS or SCCM  without CM client and SCCM collection's membership, or I need another WSUS to achieve this?)

Hi,

1. you can deploy a custom setting to this collection that turns off the Software Updaet client in SCCM, note that the servers will contact MS update if not GPO's are configured correctly instead.

2. No, you need another WSUS.

Regards,
Jrgen

Will it work if I assign to collection non-recurring maintenance window with time in the past?

Is your goal to prevent admins from manually installing the updates outside of the maintenance window? If so, then no, manual activity is not subject to maintenance windows.

Actually vice versa. I want to prevent any activity of Configuration Manager autoupdating for the collection of servers, and simultaneously give admins right to install updates (which SCCM will have in deployment for this collection, but will not install) manually.

Then simply deploy them without a deadline. No maintenance window needed.

But without maintenance windows updates are deployed during non-business hours at any time, while I need to prevent any automatic installations and use SCCM only for updates approval.