GPO Vs Default Client Settings SCCM/SCEP

Question

Team,

I recently started working on SCCM. I have a lot of confusion regarding the Group Policy settings when we are using SCCM for Windows Update / patch deployment / Endpoint Protection definition updates.

Need clarity regarding the below points:

  1. Do we actually need a GPO here?
  2. Are the Default Client Settings sufficient?
  3. I read in some blogs about different GPOs for workstations and servers within the SCCM environment.
  4. Do we configure a GPO to control additional Windows Update settings, like "Disable Windows Update notification" or "Disable all Windows Update features"?
  5. How do I make the best use of Maintenance Windows?
  6. Need some best practices on this. I understand it varies from org to org, but collectively, what should be the BEST PRACTICES for these settings in an SCCM environment?

If anybody can share (just) the settings followed in their organisation (maybe), or within their test environment.

Thanks

Asked by Deepak Verma, 5 months ago. 10 answers, 123 views.

Answers (10)

  1. Hello Deepak,

    Just a follow-up: do you need any more information, or are we good here to close this thread?

    • Team,
      Just a few points. Need clarification.

      I want to achieve the below settings, either via SCCM (preferably, if possible) or via GPO:

      * When users click on 'Check for Updates', it should point to my defined SUP.
      * Disable 'Check online for updates from Microsoft Update'. Any consequences?
      * Disable 'All Windows Update features'. Any consequences of this?

      Thanks

  2. Question: How do I make the best use of Maintenance Windows?
    Answer: By default, SCCM is capable of doing software update deployments within a maintenance window.

    You can configure the setting on the respective collection in SCCM itself. For more, refer to the link.

    https://docs.microsoft.com/en-us/mem/configmgr/core/clients/manage/collections/use-maintenance-windows

    Thanks
    Karthikeyan

  3. Question: What needs to be configured at GPO level for SCCM to do patching?
    Answer: Enable only SCCM-related ports, for both inbound and outbound. Example ports:
    (8530, 8531, 80, 443, 10123, 135 and other SCCM ports).
    https://docs.microsoft.com/en-us/mem/configmgr/core/plan-design/hierarchy/ports

  4. Hi,

    You have put all questions in one request. Let me answer your questions one by one.

    Question: Is a GPO setting required to point the WSUS URL for the SCCM tool?

    Answer: No. A GPO setting is required only if you use a WSUS server to patch the client machines, because the WSUS tool is an agentless management tool, so you need to point the clients to the SUP server.
    SCCM is a purely agent-based communication tool, so based on your boundary and boundary group, the client will automatically come to know which one is your SUP server URL, and that will automatically be updated in the client-side registry.

    Still, if you add the SUP URL in a GPO, that will conflict with your SCCM client.

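The answers above say the SCCM client writes the SUP location into the client's local Windows Update policy, and that a domain GPO carrying the same WSUS settings will fight the client for it. The following PowerShell audit is an added example, not code from any of the answers or from Microsoft: it reads the Windows Update policy values on a client, compares them with the SUP the SCCM agent itself knows about, looks for the conflict entry in WUAHandler.log, and then tests TCP reachability of the SUP on the port the client was given (8530 for HTTP and 8531 for HTTPS, as in the ports answer). Assumptions that are mine, not the thread's: the root\ccm\SoftwareUpdates\WUAHandler namespace and its CCM_UpdateSource class exist on the client, the log lives under the default C:\Windows\CCM\Logs path, and the conflict is logged with the phrase "higher authority". The two extra policy values checked at the end (DoNotConnectToWindowsUpdateInternetLocations, DisableWindowsUpdateAccess) are the documented registry names behind the "check online from Microsoft Update" and "remove access to all Windows Update features" policies that the follow-up question asks about.

```powershell
# Added example (not from the thread): audit who controls a client's WSUS/SUP
# setting, the SCCM agent (local policy) or a domain GPO, and whether they agree.
# Run elevated on a machine with the Configuration Manager client installed.
# Assumed (verify on your build): WMI namespace/class below, default log path,
# and the "higher authority" wording of the conflict entry in WUAHandler.log.

$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$AuKey     = Join-Path $PolicyKey 'AU'
$LogPath   = 'C:\Windows\CCM\Logs\WUAHandler.log'

function Get-WUPolicyValue {
    param([string]$Key, [string]$Name)
    # Returns $null when the key or value is absent instead of throwing.
    (Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue).$Name
}

# 1. Policy registry. The SCCM client writes WUServer/WUStatusServer/UseWUServer
#    here as LOCAL policy; a domain GPO that sets the same values lands in the
#    same key and wins, which is the conflict the answer above warns about.
$wuServer     = Get-WUPolicyValue $PolicyKey 'WUServer'
$statusServer = Get-WUPolicyValue $PolicyKey 'WUStatusServer'
$useWUServer  = Get-WUPolicyValue $AuKey     'UseWUServer'
$noInternet   = Get-WUPolicyValue $PolicyKey 'DoNotConnectToWindowsUpdateInternetLocations'
$noWUAccess   = Get-WUPolicyValue $PolicyKey 'DisableWindowsUpdateAccess'

# 2. What the SCCM agent itself believes the SUP is, read from the client's own
#    WMI store, independent of Group Policy. (Assumed class name.)
$ccmSup = Get-CimInstance -Namespace 'root\ccm\SoftwareUpdates\WUAHandler' `
                          -ClassName 'CCM_UpdateSource' -ErrorAction SilentlyContinue |
          Select-Object -First 1 -ExpandProperty ContentLocation

# 3. Did the agent log that a domain GPO overrode its local policy?
$loggedConflict = $false
if (Test-Path $LogPath) {
    $loggedConflict = [bool](Select-String -Path $LogPath -Pattern 'higher authority' -Quiet)
}

$report = [pscustomobject]@{
    PolicyWUServer            = $wuServer
    PolicyWUStatusServer      = $statusServer
    UseWUServer               = $useWUServer
    SccmAgentSup              = $ccmSup
    GpoAndSccmDisagree        = [bool]($wuServer -and $ccmSup -and ($wuServer -ne $ccmSup))
    AgentLoggedGpoOverride    = $loggedConflict
    # Metadata over plain HTTP (8530) can be tampered with on the wire; HTTPS (8531) cannot.
    SupUsesHttps              = [bool]($wuServer -match '^https://')
    BlocksOnlineMicrosoftUpd  = ($noInternet -eq 1)
    RemovesWindowsUpdateUi    = ($noWUAccess -eq 1)
}
$report | Format-List

# 4. Firewall check from the client side: can we reach the SUP on its port?
#    [uri] yields the explicit port, or 80/443 when the URL omits one.
if ($wuServer) {
    $uri = [uri]$wuServer
    Test-NetConnection -ComputerName $uri.Host -Port $uri.Port |
        Select-Object ComputerName, RemotePort, TcpTestSucceeded
}
```

Read the result as follows: PolicyWUServer equal to SccmAgentSup with AgentLoggedGpoOverride false is the healthy state (the agent owns the setting). A mismatch, or an override entry in the log, means a domain GPO is pointing the client somewhere else and the SCCM-driven scans will report errors until that GPO is removed or scoped away from the OU. BlocksOnlineMicrosoftUpd true answers the follow-up question about "check online": the client will not fall back to Microsoft Update, so anything not published through the SUP will not be offered at all.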

  7. Hi Deepak,

    A GPO is not required to manage servers and desktops with SCCM for Windows update deployments.

    In SCCM, the client settings policy needs to be designed as per your org's requirements.

    Find below the link for SCCM client settings.
    https://docs.microsoft.com/en-us/mem/configmgr/core/clients/deploy/about-client-settings

    Check the below link for maintenance window options for collections.
    https://docs.microsoft.com/en-us/mem/configmgr/core/clients/manage/collections/use-maintenance-windows

  8. These are great questions.

    Do we actually need a GPO here?
    – You set a GPO to point your clients to look at your SUP. This is helpful when your end users click "Check for Updates" in Windows Update on their own. It'll force them to look at your internal WSUS/SUP.
    https://snipboard.io/TOLF1g.jpg

    Are the Default Client Settings sufficient?
    – Yes, you do need to enable the check in Client Settings.
    https://snipboard.io/OKeEg6.jpg

    I read in some blogs about different GPOs for workstations and servers within the SCCM environment.
    – You can use the same GPO for both if you decide to use one. It's all based on the applicability to the OUs you decide to apply it to.

    Do we configure a GPO to control additional Windows Update settings, like "Disable Windows Update notification" or "Disable all Windows Update features"?
    – No. This is all managed from SCCM.

    How do I make the best use of Maintenance Windows?
    – You set Maintenance Windows (MW) on collections, preferably on server collections. MWs are used to control when software updates and applications can install and when reboots should take place. This is helpful when you can only reboot servers after hours.
    https://snipboard.io/jltXZw.jpg

    Need some best practices on this. I understand it varies from org to org, but collectively, what should be the BEST PRACTICES for these settings in an SCCM environment?
    – This is quite an open-ended question. I would suggest you create individual ask entries, so we can better answer them accordingly.

    Watch my session on patching which I delivered at Microsoft Ignite. It should help you understand more. Don’t forget to subscribe to my channel.
    https://youtu.be/G3aSDgTIdOc

    Best answer
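Both the maintenance-window answers above describe the same thing: a window set on a collection (ideally a server collection) that confines update installs and the resulting reboots to an after-hours slot. The script below is an added example, not the thread's or Microsoft's code, showing how to create such a window with the ConfigurationManager PowerShell module and then read it back to verify. It assumes it is run on a machine with the admin console installed (the module is loaded from SMS_ADMIN_UI_PATH), and the site code 'PS1', site server name 'cm01.contoso.com' and collection name 'Servers - Patch Group 1' are placeholders for your own. The numeric ServiceWindowType mapping in the comment is from the SMS_ServiceWindow class as I know it; confirm it against your site if you rely on it.

```powershell
# Added example (not from the thread): create a weekly, updates-only maintenance
# window on a server collection and list the collection's windows to verify.
# Placeholders (assumed, replace with your own): site code, provider host, collection.
$SiteCode   = 'PS1'
$Provider   = 'cm01.contoso.com'
$Collection = 'Servers - Patch Group 1'

# Load the console's module and connect to the site drive (standard console snippet).
Import-Module "$($env:SMS_ADMIN_UI_PATH)\..\ConfigurationManager.psd1"
if (-not (Get-PSDrive -Name $SiteCode -PSProvider CMSite -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name $SiteCode -PSProvider CMSite -Root $Provider | Out-Null
}
Set-Location "$($SiteCode):\"

# Weekly window: every Saturday 22:00 local time for 4 hours. The -Start date only
# anchors the recurrence; the day of week and time are what matter.
$schedule = New-CMSchedule -Start (Get-Date '2024-01-06 22:00') `
                           -DayOfWeek Saturday -RecurCount 1 `
                           -DurationInterval Hours -DurationCount 4

# ApplyTo SoftwareUpdatesOnly keeps application and task-sequence deployments
# from using this window; use 'Any' if the window should cover everything.
New-CMMaintenanceWindow -CollectionName $Collection `
                        -Name 'Sat 22:00-02:00 software updates' `
                        -Schedule $schedule `
                        -ApplyTo SoftwareUpdatesOnly `
                        -IsEnabled $true | Out-Null

# Verify. ServiceWindowType (assumed mapping from SMS_ServiceWindow):
# 1 = All deployments, 4 = Software updates, 5 = Task sequences.
$typeName = @{ 1 = 'All deployments'; 4 = 'Software updates'; 5 = 'Task sequences' }
Get-CMMaintenanceWindow -CollectionName $Collection |
    ForEach-Object {
        [pscustomobject]@{
            Name        = $_.Name
            AppliesTo   = $typeName[[int]$_.ServiceWindowType]
            Enabled     = $_.IsEnabled
            DurationMin = $_.Duration
            Recurrence  = $_.RecurrenceType
        }
    } | Format-Table -AutoSize
```

Two caveats a practitioner should keep in mind when relying on this: a software update deployment whose deadline behaviour is set to install, or to restart, outside the maintenance window bypasses the window for that deployment, so check those two checkboxes on every deployment that targets the collection; and a device that is in several collections gets the union of their windows, so an overlapping "all deployments" window on a broader collection can reopen the after-hours reboot slot you thought you had closed.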
  9. Hello Deepak,

    Answers in-line.

    Question: Do we actually need a GPO here?
    Answer: No.

    Question: Are the Default Client Settings sufficient?
    Answer: Yes.

    Question: I read in some blogs about different GPOs for workstations and servers within the SCCM environment.
    Answer: Not required anymore after CB 1710.

    Question: Do we configure a GPO to control additional Windows Update settings, like "Disable Windows Update notification" or "Disable all Windows Update features"?
    Answer: Yes, we can configure it, but the same can be taken care of from SCCM too.

    Question: How do I make the best use of Maintenance Windows?
    Answer: This will get you started. https://docs.microsoft.com/en-us/mem/configmgr/core/clients/manage/collections/use-maintenance-windows

    Question: Need some best practices on this. I understand it varies from org to org, but collectively, what should be the BEST PRACTICES for these settings in an SCCM environment?
    Answer: Depends on what you want to achieve using SCCM. Please elaborate more on what you are trying to do.

    Question: If anybody can share (just) the settings followed in their organisation (maybe) or within their test environment.
    Answer: Again, this depends. The major settings we talk about are the client settings. This will help.
    https://docs.microsoft.com/en-us/mem/configmgr/core/clients/deploy/about-client-settings

    This one is for Software Updates.
    https://docs.microsoft.com/en-us/mem/configmgr/sum/get-started/manage-settings-for-software-updates

    If you can be more specific about what you are trying to achieve, it will be easy for us to guide you.
