Share This Post

Migration Strategy for WSUS to SCCM & Software Updates

The key to protecting an environment from incidental patching during a transition from using WSUS to using SCCM with Software Updates is to reconfigure three group policies which have an impact on SCCM software updates.

  • Specify intranet Microsoft update service location: the SCCM client sets this as a local GPO pointing to the SCCM\WSUS server.  (Note: It could be possible to set these values as domain GPO, but the trouble is that there are two SCCM servers acting as WSUS for their clients, so managing multiple GPOs would be more pain than value.)
  • Configure Automatic Updates: this will set the automatic update settings.  I’ve seen that once this was turned off in GPO, it kept the default to automatically download and install updates.  It is possible to set this to Disabled without impacting SCCM’s delivery of security updates, but it will impact delivery of FEP definition updates.  With SCCM 2007 and FEP 2010, in order for definition updates to automatically install, auto approval actually gets set in WSUS itself, so therefore disabling AU would mean no delivery of those updates and need to be re-enable in the future.
  • The final GPO is just configuration of the Automatic Updates windows service.  If the GPO disables the service, then no updates will work.  A forced enable of the service through GPO would be a good thing.

A route for the WSUS to SUP migration could look like this:

  1. Configure Automatic Updates set to Disabled
  2. Enable the AU windows service
  3. Optional: continue to disable user’s ability to get updates themselves from Windows Update
  4. Set all other WSUS related GPOs to not configured
  5. Deploy the SCCM client upgrade/changeover
  6. Later, as part of a FEP migration, use GPO to configure automatic updates to be enabled (since that will be needed for automating the definition update releases)

Filed under: How-To, SCCM

Share This Post

Hello and thanks for reading my blog (! My hope is that information I post is useful to others! If you found that a solution did help you, or if you have questions, feel free to drop a comment on the post. I primarily blog on my IT experiences with ConfigMgr and desktop engineering. I am a 10 year, seasoned professional with ConfigMgr and systems management. I co-facilitate and present for the local user group in Denver, am an active blogger on topics for ConfigMgr and systems management techniques, involved in forums for Microsoft and MyITForum, and have been a speaker for events such as BDNA's SCCM Guru Webcast Series (March 2012), the Microsoft Management Summit (April 2013), and BDNA's Microsoft Master Webcast Series (Jan. 2014).