Would like some assistance with SCCM 2012 and Software Updates, switching from WSUS.

Hello,

I'm new to SCCM and am attempting to move from WSUS to SCCM for Software Updates. So far I haven't had a lot of luck. I've read a lot of posts here and on other forums and think I have the general setup correct.

We have an existing WSUS 3.0 server and all our workstations and servers point to this via a GPO. I have moved my workstation to another folder in AD and applied a new GPO that points to the SCCM server for updates. I have used a script to reset my workstation's WSUS and have tried the "wsusutil reset" on the server. Currently, though I have created a Windows 7 deployment of patches and it should contain this month's patches, I am showing "no items found" in the Software Center (I have the deployment set to show messages and updates in Software Center) and in Windows Update it shows "no patches needed" though yesterday it had shown patches needed only in Windows Update.

I have the SUP set up and a collection that only contains my workstation for QA testing patches. Eventually this will contain more workstations but I'm just trying to ensure it works. I followed a couple of similar step-by-step articles from windows-noob.com and another person on how to set updates up but still no luck.

I'm not even certain where to check to see where the problem may lie. In SCCM in the Monitoring/Deployments section I have the Software Update Group status as being Unknown for my workstation though the client check passed and is active.

My workstation WindowsUpdate.log file shows Updates found = 0. This log was cleared after I did my WSUS reset on my workstation to ensure it hadn't left over anything from its previous relationship with the WSUS server.

Any ideas what I can look at to troubleshoot this problem? As I said I've read a lot of forum posts and have attempted to fix this problem on my own but now I seem to be going around in circles, time for help from people who actually know what they are doing. :)

Thanks!

December 17th, 2013 10:11am

Start with not setting group policy to SCCM server hostname for that separate OU.

SCCM client controls that part by punching local policy.

If you use GPO, even though it points to correct hostname, SCCM will log info that group policy settings were overwritten by a higher authority (Domain Controller) and will not process these updates.

Ask me how I know. I even saved my log from back in the day:

I remember that this did the trick for me.


December 17th, 2013 10:41am

Interesting. I knew the SCCM client created local policy because I did run into the issue when I had the original policy in place, pointing to the WSUS server and found that out. I will unlink that GPO and force an update to see what happens. Thanks for the input!
December 17th, 2013 10:49am

The log snippet above from skywalker is from the wuahandler.log on the client which is the first place to check for issues. Ultimately, WindowsUpdate.log is useful as it shows WUA activity, but the WUA is only used to detect and install updates in ConfigMgr, not download or initiate installation of them and so the other moving parts must also be accounted for.
December 17th, 2013 10:52am

Thanks for the tip. Found my wuahandler log.. look what I found:

<![LOG[Group policy settings were overwritten by a higher authority (Domain Controller) to: Server XXXXXX and Policy ENABLED]LOG]!><time="03:48:03.011+420" date="12-17-2013" component="WUAHandler" context="" type="3" thread="832" file="sourcemanager.cpp:1013">
<![LOG[Failed to Add Update Source for WUAgent of type (2) and id ({79830AA1-16AE-428F-9498-F944F68E56E9}). Error = 0x87d00692.]LOG]!><time="03:48:03.011+420" date="12-17-2013" component="WUAHandler" context="" type="3" thread="832" file="cwuahandler.cpp:2325">

Now the server it was pointing to IS my SCCM server but figured it may still be interfering with the distribution of patches.

Ran into a little SNAFU because our standard WSUS policy is at our top OU and so I can't simply unlink my new policy. Instead I changed all of the WSUS settings to Disabled to see if that helps.

December 17th, 2013 11:07am
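
The signature quoted in the post above can be pulled out of a collected WUAHandler.log automatically. The following is an added example, not part of the thread and not ConfigMgr's own tooling: the function names are hypothetical, the third sample record is constructed, and pairing the override with the failure by thread id is an assumption of this sketch.

```python
import re
from datetime import datetime

# Constructed sample: the two WUAHandler.log records quoted in the post above
# (server name already redacted there) plus one constructed healthy record.
SAMPLE_LOG = r'''<![LOG[Group policy settings were overwritten by a higher authority (Domain Controller) to: Server XXXXXX and Policy ENABLED]LOG]!><time="03:48:03.011+420" date="12-17-2013" component="WUAHandler" context="" type="3" thread="832" file="sourcemanager.cpp:1013">
<![LOG[Failed to Add Update Source for WUAgent of type (2) and id ({79830AA1-16AE-428F-9498-F944F68E56E9}). Error = 0x87d00692.]LOG]!><time="03:48:03.011+420" date="12-17-2013" component="WUAHandler" context="" type="3" thread="832" file="cwuahandler.cpp:2325">
<![LOG[Successfully completed scan.]LOG]!><time="14:05:10.000+420" date="12-17-2013" component="WUAHandler" context="" type="1" thread="900" file="constructed.cpp:0">
'''

# CMTrace-style record: <![LOG[message]LOG]!><key="value" ...>
RECORD = re.compile(r'<!\[LOG\[(?P<msg>.*?)\]LOG\]!><(?P<attrs>[^>]*)>', re.DOTALL)
ATTR = re.compile(r'(\w+)="([^"]*)"')
SEVERITY = {"1": "info", "2": "warning", "3": "error"}
OVERRIDE = re.compile(r"Group policy settings were overwritten by a higher authority "
                      r"\(Domain Controller\) to: Server (?P<server>\S+) and Policy (?P<state>\w+)")
ADD_FAILED = re.compile(r"Failed to Add Update Source .*Error = (?P<code>0x[0-9a-fA-F]+)")

def parse_records(text):
    """Yield one dict per complete log record; truncated records are skipped."""
    for m in RECORD.finditer(text):
        a = dict(ATTR.findall(m.group("attrs")))
        local = re.split(r"[+-]", a["time"])[0]  # drop the trailing UTC offset field
        yield {"msg": m.group("msg"),
               "when": datetime.strptime(a["date"] + " " + local, "%m-%d-%Y %H:%M:%S.%f"),
               "severity": SEVERITY.get(a["type"], a["type"]),
               "thread": a["thread"]}

def find_gpo_conflicts(text):
    """Return each GPO override entry, with the error code of the update-source
    failure that follows it on the same thread (None if no failure follows)."""
    findings, pending = [], {}
    for rec in parse_records(text):
        hit = OVERRIDE.search(rec["msg"])
        if hit:
            pending[rec["thread"]] = {"when": rec["when"], "server": hit["server"],
                                      "policy": hit["state"], "error": None}
            findings.append(pending[rec["thread"]])
            continue
        fail = ADD_FAILED.search(rec["msg"])
        if fail and rec["thread"] in pending:
            pending.pop(rec["thread"])["error"] = fail["code"]
    return findings

if __name__ == "__main__":
    for f in find_gpo_conflicts(SAMPLE_LOG):
        print(f"{f['when']}  domain GPO set WSUS server {f['server']} "
              f"(policy {f['policy']}), update source error {f['error']}")
```

A client whose log yields no findings after a scan cycle is no longer having its update source overridden by domain policy.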

Hm. That didn't help, it went back to my regular WSUS server. I love group policy but dang... it can be an issue in situations like this.

***OK I deleted the link for the WSUS policy from our OU and linked at a lower level. I went back into the registry and the local policy must have taken over as the entry is my SCCM server with the port specified and that was not how either GPO I created had it:

HTTP ://XXXXXXXXXXXXXX:80  

I can assume this is SCCM Client taking over.

I did a WUAUCLT /detectnow but it has not shown new patches. Also not in Software Center. In looking at Windows Update the client does not seem to be forcing updates because I have a warning to Turn On Automatic Updates. Does anyone have the Configure Automatic Updates section of the GPO Enabled? I turned everything to Not Configured to allow SCCM client to take over but it may have had unintended effects.

I went into an admin profile and turned on Windows Update but it still showed no updates needed. I checked Windows Update and it shows a number of needed patches. I checked the wuahandler.log again and nothing has been written since the above snippet.

December 17th, 2013 11:11am

Now, make sure you run Software Update Scan cycle action and allow some time for client to learn what is missing.

If your deployment is configured properly (dates, times, client local time and show all notifications) and your client is part of the targeted collection, you should be fine.

Be patient from now on and let the client sit this one out for a bit since you have just established communication.


December 17th, 2013 12:01pm

OK, we'll let it think on life a bit and see. Now, opposite of your advice to be patient, is there a way to force the Software Update Scan Cycle? :) If so will this create other issues?

Thanks for all the help so far!

December 17th, 2013 12:28pm

wuauclt /detectnow doesn't do anything with ConfigMgr in the picture as that is specific to autonomous WUA activity.

Setting things to "Not Configured" in a GPO does not change any settings on the client unless that setting was set by that same GPO in the first place.

Here's a two-part blog post I did a while back (for 2007 but still almost completely applicable to 2012) that should address all of your questions:

http://blog.configmgrftw.com/?p=88

http://blog.configmgrftw.com/?p=89

December 17th, 2013 1:38pm

Thank you, reading through them right now.

December 17th, 2013 2:21pm

OK I found the Software Updates Scan Cycle in the Configuration Manager section of Control Panel, thanks to your article. I looked at the wuahandler.log and saw items very similar to your example:

<![LOG[Its a WSUS Update Source type ({79830AA1-16AE-428F-9498-F944F68E56E9}), adding it.
<![LOG[Existing WUA Managed server was already set (HTTP ://XXXXXXXXXXXX:80), skipping Group Policy registration.
<![LOG[Added Update Source ({79830AA1-16AE-428F-9498-F944F68E56E9}) of content type: 2
<![LOG[Scan results will include superseded updates only when they are superseded by service packs and definition updates.
<![LOG[Search Criteria is ((DeploymentAction=* AND Type='Software' AND CategoryIDs contains 'A38C835C-2950-4E87-86CC-6911A52C34A3') OR (DeploymentAction=* AND Type='Software' AND CategoryIDs contains 'E0789628-CE08-4437-BE74-2495B842F43B'))
<![LOG[Async searching of updates using WUAgent started.
<![LOG[Async searching completed.]
<![LOG[Successfully completed scan.

The WUA Managed Server had the same entry as the Registry which is different than our GPO so I'm sure it's getting it from the Client.

I also noticed the same thing you'd mentioned regarding the Windows 7 Action Center and the "Configure Updates" message. I will use your examples to bypass that issue on our other systems via a domain GPO that turns on "Configure Automatic Updates" to the default setting.


Figured I'd update one more time... After these changes I now go into Software Center and I can see updates available! First time ever. Running through those Group Policy settings posted by Jason and the original epiphany that my altered GPO was still mucking with things, thanks skywalker123, were the breakthrough. I'm sure I'll have other questions but marking those 2 as the original answer and a valuable follow-up.
December 17th, 2013 4:06pm
