Re: [mssms] April 2017 - Microsoft security updates?

2017-04-11 Thread Andre Vrankovic
I checked mine prior, I had no updates with that classification. I believe
this is related to Windows 10.

https://blogs.technet.microsoft.com/wsus/2015/12/03/important-update-for-wsus-4-0-kb-3095113/


On Wed, Apr 12, 2017 at 10:36 AM, s kissel  wrote:

> Microsoft does not recommend turning off upgrades in SCCM environments at
> this point since that will expire all of the upgrades in SCCM environments
> until the upgrades classification is rechecked and resynced. If you really
> need to get the updates synced, you can attempt this but note that it will
> affect current deployments of updates in that classification.
> If you have a “WSUS only” environment, unchecking the upgrades
> classification temporarily will not cause issues to current deployments.
>
> Otherwise the recommendation is to retry syncs again at a later time as
> several that failed initially have gone through after a wait.
>
> --
> *From:* listsad...@lists.myitforum.com 
> on behalf of Andre Vrankovic 
> *Sent:* Tuesday, April 11, 2017 6:08:38 PM
> *To:* mssms@lists.myitforum.com
> *Subject:* Re: [mssms] April 2017 - Microsoft security updates?
>
> Had the same issue, disabling the upgrade classification has worked for us.
>
> On Wed, Apr 12, 2017 at 7:15 AM, HELMS, DAVID C  wrote:
>
>> Thanks.  I also see that Microsoft is no longer doing the monthly
>> bulletins but now using a Security Updates portal.
>>
>>
>>
>> *From:* listsad...@lists.myitforum.com [mailto:listsadmin@lists.myitforum.com]
>> *On Behalf Of *Steve Whitcher
>> *Sent:* Tuesday, April 11, 2017 4:49 PM
>> *To:* mssms@lists.myitforum.com
>> *Subject:* Re: [mssms] April 2017 - Microsoft security updates?
>>
>>
>>
>> ***This is an EXTERNAL email. Please do not click on a link or open any
>> attachments unless you are confident it is from a trusted source.
>> --
>>
>>
>>
>> http://myitforum.com/myitforumwp/2017/04/11/errors-during-wsus-update-synchronization-for-april-2017-updates/
>>
>>
>>
>>
>>
>> On Tue, Apr 11, 2017 at 3:32 PM, HELMS, DAVID C 
>> wrote:
>>
>> Has Microsoft released the security updates for April 2017?  Not seeing
>> the April 2017 Security bulletin talking about what is being released.





Re: [mssms] April 2017 - Microsoft security updates?

2017-04-11 Thread s kissel
Microsoft does not recommend turning off upgrades in SCCM environments at this 
point since that will expire all of the upgrades in SCCM environments until the 
upgrades classification is rechecked and resynced. If you really need to get 
the updates synced, you can attempt this but note that it will affect current 
deployments of updates in that classification.
If you have a “WSUS only” environment, unchecking the upgrades classification 
temporarily will not cause issues to current deployments.

Otherwise the recommendation is to retry syncs again at a later time as several 
that failed initially have gone through after a wait.



From: listsad...@lists.myitforum.com  on behalf 
of Andre Vrankovic 
Sent: Tuesday, April 11, 2017 6:08:38 PM
To: mssms@lists.myitforum.com
Subject: Re: [mssms] April 2017 - Microsoft security updates?

Had the same issue, disabling the upgrade classification has worked for us.

On Wed, Apr 12, 2017 at 7:15 AM, HELMS, DAVID C wrote:
Thanks.  I also see that Microsoft is no longer doing the monthly bulletins but 
now using a Security Updates portal.

From: listsad...@lists.myitforum.com 
[mailto:listsad...@lists.myitforum.com] 
On Behalf Of Steve Whitcher
Sent: Tuesday, April 11, 2017 4:49 PM
To: mssms@lists.myitforum.com
Subject: Re: [mssms] April 2017 - Microsoft security updates?


http://myitforum.com/myitforumwp/2017/04/11/errors-during-wsus-update-synchronization-for-april-2017-updates/


On Tue, Apr 11, 2017 at 3:32 PM, HELMS, DAVID C wrote:
Has Microsoft released the security updates for April 2017?  Not seeing the 
April 2017 Security bulletin talking about what is being released.











RE: [mssms] GPO Update Disable Manual MS checks

2017-04-11 Thread Jason Sandys
No. This choice is a feature update selection mechanism that helps determine 
what to include in the resulting update group. It is not a targeting mechanism 
and thus is not dependent on the defer updates setting on clients. You use 
collections just like you always have/do to target servicing plans/ADRs.

J

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Hyatt, Dewayne
Sent: Tuesday, April 11, 2017 12:42 PM
To: mssms@lists.myitforum.com
Subject: RE: [mssms] GPO Update Disable Manual MS checks

Maybe I misunderstood then. I thought that when you define a servicing plan 
that you have to pick the update ring (CB or CBB) and that the targeted clients 
are set to either ring using defer windows updates GPO’s. This is how I was 
setting my Windows 10 clients to the CBB ring.

Is that not correct?

From: listsad...@lists.myitforum.com 
[mailto:listsad...@lists.myitforum.com] On Behalf Of Jason Sandys
Sent: Tuesday, April 11, 2017 11:55 AM
To: mssms@lists.myitforum.com
Subject: RE: [mssms] GPO Update Disable Manual MS checks

We just had confirmation on the back-end that not much changes here, the blog 
post is still valid, don’t set anything.

Question though, what do you mean tear down your servicing? Servicing in 
ConfigMgr has nothing to do with the issues being discussed.

J

From: listsad...@lists.myitforum.com 
[mailto:listsad...@lists.myitforum.com] On Behalf Of Hyatt, Dewayne
Sent: Tuesday, April 11, 2017 10:34 AM
To: mssms@lists.myitforum.com
Subject: RE: [mssms] GPO Update Disable Manual MS checks

So since it’s patch Tuesday it looks like I’m going to have to tear down all of 
my Windows 10 servicing in SCCM so that my clients don’t go to MS for updates 
today… what fun. I was hoping that something would be fixed at least by 1703 
but your comments don’t make me very confident in that. I guess we’ll see?

From: listsad...@lists.myitforum.com 
[mailto:listsad...@lists.myitforum.com] On Behalf Of Jason Sandys
Sent: Tuesday, April 11, 2017 11:13 AM
To: mssms@lists.myitforum.com
Subject: RE: [mssms] GPO Update Disable Manual MS checks

And of course, it’s changed in 1703 – the “defer” option is gone and now there 
is a “pause” option. No one knows if these are the same, different, or 
something else.

J

From: listsad...@lists.myitforum.com 
[mailto:listsad...@lists.myitforum.com] On Behalf Of Hyatt, Dewayne
Sent: Tuesday, April 11, 2017 10:01 AM
To: mssms@lists.myitforum.com
Subject: RE: [mssms] GPO Update Disable Manual MS checks

I’ll admit that I have been off task for a little while with other projects. I 
didn’t realize this was a daily thing ☹

From: listsad...@lists.myitforum.com 
[mailto:listsad...@lists.myitforum.com] On Behalf Of Adam Juelich
Sent: Tuesday, April 11, 2017 10:49 AM
To: mssms@lists.myitforum.com
Subject: Re: [mssms] GPO Update Disable Manual MS checks

The fact that we are still having this conversation daily over the past few 
months means that Microsoft is really screwing the pooch here.



On Tue, Apr 11, 2017 at 9:42 AM, Hyatt, Dewayne wrote:
Whoops… I had read that blog a while back but apparently not well enough.

I am confused now though. I am using a GPO to define what branch our Windows 10 
clients are in for Windows 10 servicing in SCCM. I thought that was the correct 
way to do it. I saw 1607 used different policies but it looked like it was 
doing the same thing. This blog said not to enable those policies.

From: listsad...@lists.myitforum.com 
[mailto:listsad...@lists.myitforum.com] 
On Behalf Of Niall Brady
Sent: Monday, April 10, 2017 3:37 PM

To: mssms@lists.myitforum.com
Subject: Re: [mssms] GPO Update Disable Manual MS checks

read this

https://blogs.technet.microsoft.com/windowsserver/2017/01/09/why-wsus-and-sccm-managed-clients-are-reaching-out-to-microsoft-online/
dual scan is the cause

On Mon, Apr 10, 2017 at 7:54 PM, Hyatt, Dewayne wrote:
Sorry to hijack but this is somewhat relevant.

Since we rolled out 1607 we have noticed machines are automatically getting 
updates from Microsoft update even though we have a GPO defining our SUP as the 
WSUS server. I was looking into blocking Microsoft update entirely (not sure 
that is what I want to do in our environment) and I ran across this thread.

Has anyone else seen behavior like this? We’ve had a few different locations 
report this, then my own workstation did it this morning, at that point I 
started to 

Re: [mssms] April 2017 - Microsoft security updates?

2017-04-11 Thread Andre Vrankovic
Had the same issue, disabling the upgrade classification has worked for us.

On Wed, Apr 12, 2017 at 7:15 AM, HELMS, DAVID C  wrote:

> Thanks.  I also see that Microsoft is no longer doing the monthly
> bulletins but now using a Security Updates portal.
>
>
>
> *From:* listsad...@lists.myitforum.com [mailto:listsadmin@lists.myitforum.com]
> *On Behalf Of *Steve Whitcher
> *Sent:* Tuesday, April 11, 2017 4:49 PM
> *To:* mssms@lists.myitforum.com
> *Subject:* Re: [mssms] April 2017 - Microsoft security updates?
>
>
>
>
>
>
> http://myitforum.com/myitforumwp/2017/04/11/errors-during-wsus-update-synchronization-for-april-2017-updates/
>
>
>
>
>
> On Tue, Apr 11, 2017 at 3:32 PM, HELMS, DAVID C  wrote:
>
> Has Microsoft released the security updates for April 2017?  Not seeing
> the April 2017 Security bulletin talking about what is being released.




[mssms] RE: Opinions Local Admin

2017-04-11 Thread Chris Barnes
Totally agree on LAPS.

Probably the best ROI on effort for anything security related. Very easy to 
rollout.

This is probably the best guide I have seen on rolling it out.

https://flamingkeys.com/deploying-the-local-administrator-password-solution-part-1/

2nd Place would be Credential Guard.


Chris Barnes
MCSE: Private Cloud|MCSE: Cloud Platform & Infrastructure
Coretek Services | Microsoft Delivery Manager
• 248.767.4415 cell
• chris.bar...@coretekservices.com
•   http://www.coretekservices.com

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Daniel Ratliff
Sent: Tuesday, April 11, 2017 2:17 PM
To: mssms@lists.myitforum.com
Subject: [mssms] RE: Opinions Local Admin

Use LAPS, no question.

https://technet.microsoft.com/en-us/mt227395.aspx

https://www.microsoft.com/en-us/download/details.aspx?id=46899

Daniel Ratliff


From: listsad...@lists.myitforum.com 
[mailto:listsad...@lists.myitforum.com] On Behalf Of Burke, John
Sent: Tuesday, April 11, 2017 1:37 PM
To: mssms@lists.myitforum.com
Subject: [mssms] Opinions Local Admin

Hi,

We are talking about creating unique local admin passwords for our systems (vs 
changing it regularly).  I’m wondering how many folks actually create unique 
local admin passwords vs just changing it regularly?


The information transmitted is intended only for the person or entity to which 
it is addressed
and may contain CONFIDENTIAL material. If you receive this material/information 
in error,
please contact the sender and delete or destroy the material/information.




RE: [mssms] April 2017 - Microsoft security updates?

2017-04-11 Thread HELMS, DAVID C
Thanks.  I also see that Microsoft is no longer doing the monthly bulletins but 
now using a Security Updates portal.

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Steve Whitcher
Sent: Tuesday, April 11, 2017 4:49 PM
To: mssms@lists.myitforum.com
Subject: Re: [mssms] April 2017 - Microsoft security updates?


http://myitforum.com/myitforumwp/2017/04/11/errors-during-wsus-update-synchronization-for-april-2017-updates/


On Tue, Apr 11, 2017 at 3:32 PM, HELMS, DAVID C wrote:
Has Microsoft released the security updates for April 2017?  Not seeing the 
April 2017 Security bulletin talking about what is being released.






Re: [mssms] April 2017 - Microsoft security updates?

2017-04-11 Thread Steve Whitcher
http://myitforum.com/myitforumwp/2017/04/11/errors-during-wsus-update-synchronization-for-april-2017-updates/


On Tue, Apr 11, 2017 at 3:32 PM, HELMS, DAVID C  wrote:

> Has Microsoft released the security updates for April 2017?  Not seeing
> the April 2017 Security bulletin talking about what is being released.




[mssms] April 2017 - Microsoft security updates?

2017-04-11 Thread HELMS, DAVID C
Has Microsoft released the security updates for April 2017?  Not seeing the 
April 2017 Security bulletin talking about what is being released.



[mssms] RE: Opinions Local Admin

2017-04-11 Thread Marable, Mike
Rebuild the machine.  The desktop managers decided it was “easier” to just 
rebuild the machine than manually join it to the domain.  The most common 
reason for a machine getting knocked out of the domain is because the 
right-hand wasn’t talking to the left-hand and someone built a second machine 
with the same computer name.

Short sighted in my opinion but what do I know?  I’m just an engineer.  ;-)

Mike


From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Daniel Ratliff
Sent: Tuesday, April 11, 2017 2:26 PM
To: mssms@lists.myitforum.com
Subject: [mssms] RE: Opinions Local Admin

What do you do for domain join issues, where local accounts are the only option?

Daniel Ratliff

From: listsad...@lists.myitforum.com 
[mailto:listsad...@lists.myitforum.com] On Behalf Of Marable, Mike
Sent: Tuesday, April 11, 2017 2:15 PM
To: mssms@lists.myitforum.com
Subject: [mssms] RE: Opinions Local Admin

We actually developed a utility that ran as a service to create a unique 
password for each machine and change it every day.  The algorithm factored in 
the name of the computer and the date when generating the password.

If we ever needed to use the password we had a corresponding tool that would 
calculate out what the password for a given machine was for the day.

We ran with that for at least 10 years or so, then about 2 years ago we just 
used Group Policy to disable all local accounts.

For a while we were thinking about LAPS, but opted for disabling the local 
accounts.

Mike


From: listsad...@lists.myitforum.com 
[mailto:listsad...@lists.myitforum.com] On Behalf Of Burke, John
Sent: Tuesday, April 11, 2017 1:37 PM
To: mssms@lists.myitforum.com
Subject: [mssms] Opinions Local Admin

Hi,

We are talking about creating unique local admin passwords for our systems (vs 
changing it regularly).  I’m wondering how many folks actually create unique 
local admin passwords vs just changing it regularly?


**
Electronic Mail is not secure, may not be read every day, and should not be 
used for urgent or sensitive issues





[mssms] RE: Opinions Local Admin

2017-04-11 Thread Joseph Rose
We are looking to utilize this product which will do it for you. You can either 
pay for the automation or do it manually.

https://thycotic.com/products/secret-server/


From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Burke, John
Sent: Tuesday, April 11, 2017 1:37 PM
To: mssms@lists.myitforum.com
Subject: [mssms] Opinions Local Admin

Hi,

We are talking about creating unique local admin passwords for our systems (vs 
changing it regularly).  I’m wondering how many folks actually create unique 
local admin passwords vs just changing it regularly?




[mssms] RE: Opinions Local Admin

2017-04-11 Thread Daniel Ratliff
What do you do for domain join issues, where local accounts are the only option?

Daniel Ratliff

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Marable, Mike
Sent: Tuesday, April 11, 2017 2:15 PM
To: mssms@lists.myitforum.com
Subject: [mssms] RE: Opinions Local Admin

We actually developed a utility that ran as a service to create a unique 
password for each machine and change it every day.  The algorithm factored in 
the name of the computer and the date when generating the password.

If we ever needed to use the password we had a corresponding tool that would 
calculate out what the password for a given machine was for the day.

We ran with that for at least 10 years or so, then about 2 years ago we just 
used Group Policy to disable all local accounts.

For a while we were thinking about LAPS, but opted for disabling the local 
accounts.

Mike


From: listsad...@lists.myitforum.com 
[mailto:listsad...@lists.myitforum.com] On Behalf Of Burke, John
Sent: Tuesday, April 11, 2017 1:37 PM
To: mssms@lists.myitforum.com
Subject: [mssms] Opinions Local Admin

Hi,

We are talking about creating unique local admin passwords for our systems (vs 
changing it regularly).  I’m wondering how many folks actually create unique 
local admin passwords vs just changing it regularly?


The information transmitted is intended only for the person or entity to which 
it is addressed
and may contain CONFIDENTIAL material.  If you receive this 
material/information in error,
please contact the sender and delete or destroy the material/information.
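
A sketch of the kind of scheme Mike describes in the quoted message above (a per-machine password that a companion tool can recompute from the computer name and the date), added here as an example; it is not the utility from the thread, whose algorithm is not given. The HMAC-SHA256 construction, the master key, the alphabet and every function name are assumptions.

```python
import datetime
import hashlib
import hmac
import string

# Assumed output alphabet (73 symbols); not taken from the thread.
ALPHABET = string.ascii_letters + string.digits + "!#$%*+-=?@_"


def derive_local_admin_password(master_key: bytes, computer_name: str,
                                day: datetime.date, length: int = 20) -> str:
    """Derive the local admin password for one machine on one day.

    The service on the machine and the lookup tool on the admin side call
    this same function with the same master key, so nothing per-machine
    has to be stored. The computer name and the date alone are known to
    anyone, so the secrecy of every password rests on master_key.
    """
    if len(master_key) < 32:
        raise ValueError("master key must be at least 32 bytes")
    if length < 1:
        raise ValueError("length must be positive")

    # Computer names are case-insensitive; normalise so both sides agree.
    name = computer_name.strip().upper()
    if not name:
        raise ValueError("computer name must not be empty")
    message = f"{name}|{day.isoformat()}".encode("utf-8")

    # Rejection sampling: discard bytes that would introduce modulo bias
    # when mapped onto the alphabet.
    limit = 256 - (256 % len(ALPHABET))
    chars = []
    counter = 0
    while len(chars) < length:
        block = hmac.new(master_key,
                         message + counter.to_bytes(4, "big"),
                         hashlib.sha256).digest()
        for byte in block:
            if byte < limit and len(chars) < length:
                chars.append(ALPHABET[byte % len(ALPHABET)])
        counter += 1
    return "".join(chars)


if __name__ == "__main__":
    # Constructed demo key and host names, for illustration only.
    demo_key = b"constructed-demo-key-not-for-production!"
    today = datetime.date(2017, 4, 11)
    for host in ("WKSTN-0001", "WKSTN-0002"):
        print(host, derive_local_admin_password(demo_key, host, today))
    # The password changes when the date rolls over.
    tomorrow = today + datetime.timedelta(days=1)
    print("WKSTN-0001", derive_local_admin_password(demo_key, "WKSTN-0001", tomorrow))
```

Anyone who obtains the master key can compute the password of every machine for any date, which is the trade-off of a derived scheme compared with storing an independent random password per machine.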



[mssms] RE: Opinions Local Admin

2017-04-11 Thread Chramosta, Steven C.
Microsoft has a tool for that…  Local Administrator Password Solution (LAPS)



https://urldefense.proofpoint.com/v2/url?u=https-3A__www.microsoft.com_en-2Dus_download_details.aspx-3Fid-3D46899=DwIGaQ=5KGpHRm-YFpCcO8ia63njg=UcudbvjeY1oaPiC1cKlvLbmuzr1zCRMaCa9TNwZ6Ss0=t0P8Uwx_Y3S_d-hvU4vrmdoGJftaCprO9KUbHFthSV8=qL8_pDpQN08FcDCDiaSHv3r-Ima1j_FUn1hvmFVX8EU=
 





From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Burke, John
Sent: Tuesday, April 11, 2017 12:37 PM
To: mssms@lists.myitforum.com
Subject: [mssms] Opinions Local Admin



**WARNING** This message originated outside of NPPD. DO NOT click on any links 
or attachments unless you have confirmed that it is from a trusted sender.



Hi,



We are talking about creating unique local admin passwords for our systems (vs 
changing it regularly).  I’m wondering how many folks actually create unique 
local admin passwords vs just changing it regularly?








[mssms] RE: Opinions Local Admin

2017-04-11 Thread Hyatt, Dewayne
I have been dying to implement Microsoft LAPS, but bureaucracy is holding me 
back…

Have you looked at LAPS?

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Burke, John
Sent: Tuesday, April 11, 2017 1:37 PM
To: mssms@lists.myitforum.com
Subject: [mssms] Opinions Local Admin

Hi,

We are talking about creating unique local admin passwords for our systems (vs 
changing it regularly).  I’m wondering how many folks actually create unique 
local admin passwords vs just changing it regularly?




[mssms] Opinions Local Admin

2017-04-11 Thread Burke, John
Hi,

We are talking about creating unique local admin passwords for our systems (vs 
changing it regularly).  I’m wondering how many folks actually create unique 
local admin passwords vs just changing it regularly?



RE: [mssms] GPO Update Disable Manual MS checks

2017-04-11 Thread Hyatt, Dewayne
Maybe I misunderstood then. I thought that when you define a servicing plan 
that you have to pick the update ring (CB or CBB) and that the targeted clients 
are set to either ring using defer windows updates GPO’s. This is how I was 
setting my Windows 10 clients to the CBB ring.

Is that not correct?

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Jason Sandys
Sent: Tuesday, April 11, 2017 11:55 AM
To: mssms@lists.myitforum.com
Subject: RE: [mssms] GPO Update Disable Manual MS checks

We just had confirmation on the back-end that not much changes here, the blog 
post is still valid, don’t set anything.

Question though, what do you mean tear down your servicing? Servicing in 
ConfigMgr has nothing to do with the issues being discussed.

J

From: listsad...@lists.myitforum.com 
[mailto:listsad...@lists.myitforum.com] On Behalf Of Hyatt, Dewayne
Sent: Tuesday, April 11, 2017 10:34 AM
To: mssms@lists.myitforum.com
Subject: RE: [mssms] GPO Update Disable Manual MS checks

So since it’s patch Tuesday it looks like I’m going to have to tear down all of 
my Windows 10 servicing in SCCM so that my clients don’t go to MS for updates 
today… what fun. I was hoping that something would be fixed at least by 1703 
but your comments don’t make me very confident in that. I guess we’ll see?

From: listsad...@lists.myitforum.com 
[mailto:listsad...@lists.myitforum.com] On Behalf Of Jason Sandys
Sent: Tuesday, April 11, 2017 11:13 AM
To: mssms@lists.myitforum.com
Subject: RE: [mssms] GPO Update Disable Manual MS checks

And of course, it’s changed in 1703 – the “defer” option is gone and now there 
is a “pause” option. No one knows if these are the same, different, or 
something else.

J

From: listsad...@lists.myitforum.com 
[mailto:listsad...@lists.myitforum.com] On Behalf Of Hyatt, Dewayne
Sent: Tuesday, April 11, 2017 10:01 AM
To: mssms@lists.myitforum.com
Subject: RE: [mssms] GPO Update Disable Manual MS checks

I’ll admit that I have been off task for a little while with other projects. I 
didn’t realize this was a daily thing ☹

From: listsad...@lists.myitforum.com 
[mailto:listsad...@lists.myitforum.com] On Behalf Of Adam Juelich
Sent: Tuesday, April 11, 2017 10:49 AM
To: mssms@lists.myitforum.com
Subject: Re: [mssms] GPO Update Disable Manual MS checks

The fact that we are still having this conversation daily over the past few 
months means that Microsoft is really screwing the pooch here.



On Tue, Apr 11, 2017 at 9:42 AM, Hyatt, Dewayne wrote:
Whoops… I had read that blog a while back but apparently not well enough.

I am confused now though. I am using a GPO to define what branch our Windows 10 
clients are in for Windows 10 servicing in SCCM. I thought that was the correct 
way to do it. I saw 1607 used different policies but it looked like it was 
doing the same thing. This blog said not to enable those policies.

From: listsad...@lists.myitforum.com 
[mailto:listsad...@lists.myitforum.com] 
On Behalf Of Niall Brady
Sent: Monday, April 10, 2017 3:37 PM

To: mssms@lists.myitforum.com
Subject: Re: [mssms] GPO Update Disable Manual MS checks

read this

https://blogs.technet.microsoft.com/windowsserver/2017/01/09/why-wsus-and-sccm-managed-clients-are-reaching-out-to-microsoft-online/
dual scan is the cause

On Mon, Apr 10, 2017 at 7:54 PM, Hyatt, Dewayne wrote:
Sorry to hijack but this is somewhat relevant.

Since we rolled out 1607 we have noticed machines are automatically getting 
updates from Microsoft update even though we have a GPO defining our SUP as the 
WSUS server. I was looking into blocking Microsoft update entirely (not sure 
that is what I want to do in our environment) and I ran across this thread.

Has anyone else seen behavior like this? We’ve had a few different locations 
report this, then my own workstation did it this morning, at that point I 
started to believe them ☺.

Thanks,

Dewayne

From: listsad...@lists.myitforum.com 
[mailto:listsad...@lists.myitforum.com] 
On Behalf Of Adam Juelich
Sent: Thursday, March 30, 2017 8:46 AM
To: mssms@lists.myitforum.com
Subject: Re: [mssms] GPO Update Disable Manual MS checks

Yes, other than the GP setting to 'Disable Automatic Updates,' don't configure 
anything else related to it.

There is the User-Side GP Setting:
"Remove access to use all Windows Update features"

That should do the trick.

On Thu, Mar 30, 

RE: [mssms] GPO Update Disable Manual MS checks

2017-04-11 Thread Jason Sandys
We just had confirmation on the back-end that not much changes here, the blog 
post is still valid, don’t set anything.

Question though, what do you mean tear down your servicing? Servicing in 
ConfigMgr has nothing to do with the issues being discussed.

J

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Hyatt, Dewayne
Sent: Tuesday, April 11, 2017 10:34 AM
To: mssms@lists.myitforum.com
Subject: RE: [mssms] GPO Update Disable Manual MS checks

So since it’s patch Tuesday it looks like I’m going to have to tear down all of 
my Windows 10 servicing in SCCM so that my clients don’t go to MS for updates 
today… what fun. I was hoping that something would be fixed at least by 1703 
but your comments don’t make me very confident in that. I guess we’ll see?

From: listsad...@lists.myitforum.com 
[mailto:listsad...@lists.myitforum.com] On Behalf Of Jason Sandys
Sent: Tuesday, April 11, 2017 11:13 AM
To: mssms@lists.myitforum.com
Subject: RE: [mssms] GPO Update Disable Manual MS checks

And of course, it’s changed in 1703 – the “defer” option is gone and now there 
is a “pause” option. No one knows if these are the same, different, or 
something else.

J

From: listsad...@lists.myitforum.com 
[mailto:listsad...@lists.myitforum.com] On Behalf Of Hyatt, Dewayne
Sent: Tuesday, April 11, 2017 10:01 AM
To: mssms@lists.myitforum.com
Subject: RE: [mssms] GPO Update Disable Manual MS checks

I’ll admit that I have been off task for a little while with other projects. I 
didn’t realize this was a daily thing ☹

From: listsad...@lists.myitforum.com 
[mailto:listsad...@lists.myitforum.com] On Behalf Of Adam Juelich
Sent: Tuesday, April 11, 2017 10:49 AM
To: mssms@lists.myitforum.com
Subject: Re: [mssms] GPO Update Disable Manual MS checks

The fact that we are still having this conversation daily over the past few 
months means that Microsoft is really screwing the pooch here.



On Tue, Apr 11, 2017 at 9:42 AM, Hyatt, Dewayne wrote:
Whoops… I had read that blog a while back but apparently not well enough.

I am confused now though. I am using a GPO to define what branch our Windows 10 
clients are in for Windows 10 servicing in SCCM. I thought that was the correct 
way to do it. I saw 1607 used different policies but it looked like it was 
doing the same thing. This blog said not to enable those policies.

From: listsad...@lists.myitforum.com 
[mailto:listsad...@lists.myitforum.com] 
On Behalf Of Niall Brady
Sent: Monday, April 10, 2017 3:37 PM

To: mssms@lists.myitforum.com
Subject: Re: [mssms] GPO Update Disable Manual MS checks

read this

https://blogs.technet.microsoft.com/windowsserver/2017/01/09/why-wsus-and-sccm-managed-clients-are-reaching-out-to-microsoft-online/
dual scan is the cause

On Mon, Apr 10, 2017 at 7:54 PM, Hyatt, Dewayne wrote:
Sorry to hijack but this is somewhat relevant.

Since we rolled out 1607 we have noticed machines are automatically getting 
updates from Microsoft update even though we have a GPO defining our SUP as the 
WSUS server. I was looking into blocking Microsoft update entirely (not sure 
that is what I want to do in our environment) and I ran across this thread.

Has anyone else seen behavior like this? We’ve had a few different locations 
report this, then my own workstation did it this morning, at that point I 
started to believe them ☺.

Thanks,

Dewayne

From: listsad...@lists.myitforum.com 
[mailto:listsad...@lists.myitforum.com] 
On Behalf Of Adam Juelich
Sent: Thursday, March 30, 2017 8:46 AM
To: mssms@lists.myitforum.com
Subject: Re: [mssms] GPO Update Disable Manual MS checks

Yes, other than the GP setting to 'Disable Automatic Updates,' don't configure 
anything else related to it.

There is the User-Side GP Setting:
"Remove access to use all Windows Update features"

That should do the trick.

On Thu, Mar 30, 2017 at 7:12 AM, Daniel Ratliff wrote:
Never configure any of your windows update settings with GPO, let SCCM handle 
that via local policy.

I believe the setting you want is here for Win10: 
https://miketerrill.net/2016/10/11/disable-check-online-for-updates-from-microsoft-update-in-windows-10/

For Win7, we just disable the ability to check online: 
https://weikingteh.wordpress.com/2012/09/20/how-to-disable-the-check-online-for-updates-from-microsoft-update-link-in-the-windows-update-icon-in-control-panel/

Daniel Ratliff

From: 

RE: [mssms] GPO Update Disable Manual MS checks

2017-04-11 Thread Hyatt, Dewayne
So since it’s patch Tuesday it looks like I’m going to have to tear down all of 
my Windows 10 servicing in SCCM so that my clients don’t go to MS for updates 
today… what fun. I was hoping that something would be fixed at least by 1703 
but your comments don’t make me very confident in that. I guess we’ll see?

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Jason Sandys
Sent: Tuesday, April 11, 2017 11:13 AM
To: mssms@lists.myitforum.com
Subject: RE: [mssms] GPO Update Disable Manual MS checks

And of course, it’s changed in 1703 – the “defer” option is gone and now there 
is a “pause” option. No one knows if these are the same, different, or 
something else.

J

From: listsad...@lists.myitforum.com 
[mailto:listsad...@lists.myitforum.com] On Behalf Of Hyatt, Dewayne
Sent: Tuesday, April 11, 2017 10:01 AM
To: mssms@lists.myitforum.com
Subject: RE: [mssms] GPO Update Disable Manual MS checks

I’ll admit that I have been off task for a little while with other projects. I 
didn’t realize this was a daily thing ☹

From: listsad...@lists.myitforum.com 
[mailto:listsad...@lists.myitforum.com] On Behalf Of Adam Juelich
Sent: Tuesday, April 11, 2017 10:49 AM
To: mssms@lists.myitforum.com
Subject: Re: [mssms] GPO Update Disable Manual MS checks

The fact that we are still having this conversation daily over the past few 
months means that Microsoft is really screwing the pooch here.



On Tue, Apr 11, 2017 at 9:42 AM, Hyatt, Dewayne wrote:
Whoops… I had read that blog a while back but apparently not well enough.

I am confused now though. I am using a GPO to define what branch our Windows 10 
clients are in for Windows 10 servicing in SCCM. I thought that was the correct 
way to do it. I saw 1607 used different policies but it looked like it was 
doing the same thing. This blog said not to enable those policies.

From: listsad...@lists.myitforum.com 
[mailto:listsad...@lists.myitforum.com] 
On Behalf Of Niall Brady
Sent: Monday, April 10, 2017 3:37 PM

To: mssms@lists.myitforum.com
Subject: Re: [mssms] GPO Update Disable Manual MS checks

read this

https://blogs.technet.microsoft.com/windowsserver/2017/01/09/why-wsus-and-sccm-managed-clients-are-reaching-out-to-microsoft-online/
dual scan is the cause

On Mon, Apr 10, 2017 at 7:54 PM, Hyatt, Dewayne wrote:
Sorry to hijack but this is somewhat relevant.

Since we rolled out 1607 we have noticed machines are automatically getting 
updates from Microsoft update even though we have a GPO defining our SUP as the 
WSUS server. I was looking into blocking Microsoft update entirely (not sure 
that is what I want to do in our environment) and I ran across this thread.

Has anyone else seen behavior like this? We’ve had a few different locations 
report this, then my own workstation did it this morning, at that point I 
started to believe them ☺.

Thanks,

Dewayne

From: listsad...@lists.myitforum.com 
[mailto:listsad...@lists.myitforum.com] 
On Behalf Of Adam Juelich
Sent: Thursday, March 30, 2017 8:46 AM
To: mssms@lists.myitforum.com
Subject: Re: [mssms] GPO Update Disable Manual MS checks

Yes, other than the GP setting to 'Disable Automatic Updates,' don't configure 
anything else related to it.

There is the User-Side GP Setting:
"Remove access to use all Windows Update features"

That should do the trick.

On Thu, Mar 30, 2017 at 7:12 AM, Daniel Ratliff wrote:
Never configure any of your windows update settings with GPO, let SCCM handle 
that via local policy.

I believe the setting you want is here for Win10: 
https://miketerrill.net/2016/10/11/disable-check-online-for-updates-from-microsoft-update-in-windows-10/

For Win7, we just disable the ability to check online: 
https://weikingteh.wordpress.com/2012/09/20/how-to-disable-the-check-online-for-updates-from-microsoft-update-link-in-the-windows-update-icon-in-control-panel/

Daniel Ratliff

From: listsad...@lists.myitforum.com 
[mailto:listsad...@lists.myitforum.com] 
On Behalf Of S ConfigMgr
Sent: Thursday, March 30, 2017 12:12 AM
To: mssms@lists.myitforum.com
Subject: [mssms] GPO Update Disable Manual MS checks

Hello all,

I have deployed SUP and Patching is working as expected.

However my end users are able to use windows update, How can i block end users 
to stop installing patches from internet, I have windows 10 Enterprise and 
Professional Machines as 

RE: [mssms] GPO Update Disable Manual MS checks

2017-04-11 Thread Jason Sandys
And of course, it’s changed in 1703 – the “defer” option is gone and now there 
is a “pause” option. No one knows if these are the same, different, or 
something else.

J

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Hyatt, Dewayne
Sent: Tuesday, April 11, 2017 10:01 AM
To: mssms@lists.myitforum.com
Subject: RE: [mssms] GPO Update Disable Manual MS checks

I’ll admit that I have been off task for a little while with other projects. I 
didn’t realize this was a daily thing ☹

From: listsad...@lists.myitforum.com 
[mailto:listsad...@lists.myitforum.com] On Behalf Of Adam Juelich
Sent: Tuesday, April 11, 2017 10:49 AM
To: mssms@lists.myitforum.com
Subject: Re: [mssms] GPO Update Disable Manual MS checks

The fact that we are still having this conversation daily over the past few 
months means that Microsoft is really screwing the pooch here.



On Tue, Apr 11, 2017 at 9:42 AM, Hyatt, Dewayne wrote:
Whoops… I had read that blog a while back but apparently not well enough.

I am confused now though. I am using a GPO to define what branch our Windows 10 
clients are in for Windows 10 servicing in SCCM. I thought that was the correct 
way to do it. I saw 1607 used different policies but it looked like it was 
doing the same thing. This blog said not to enable those policies.

From: listsad...@lists.myitforum.com 
[mailto:listsad...@lists.myitforum.com] 
On Behalf Of Niall Brady
Sent: Monday, April 10, 2017 3:37 PM

To: mssms@lists.myitforum.com
Subject: Re: [mssms] GPO Update Disable Manual MS checks

read this

https://blogs.technet.microsoft.com/windowsserver/2017/01/09/why-wsus-and-sccm-managed-clients-are-reaching-out-to-microsoft-online/
dual scan is the cause

On Mon, Apr 10, 2017 at 7:54 PM, Hyatt, Dewayne wrote:
Sorry to hijack but this is somewhat relevant.

Since we rolled out 1607 we have noticed machines are automatically getting 
updates from Microsoft update even though we have a GPO defining our SUP as the 
WSUS server. I was looking into blocking Microsoft update entirely (not sure 
that is what I want to do in our environment) and I ran across this thread.

Has anyone else seen behavior like this? We’ve had a few different locations 
report this, then my own workstation did it this morning, at that point I 
started to believe them ☺.

Thanks,

Dewayne

From: listsad...@lists.myitforum.com 
[mailto:listsad...@lists.myitforum.com] 
On Behalf Of Adam Juelich
Sent: Thursday, March 30, 2017 8:46 AM
To: mssms@lists.myitforum.com
Subject: Re: [mssms] GPO Update Disable Manual MS checks

Yes, other than the GP setting to 'Disable Automatic Updates,' don't configure 
anything else related to it.

There is the User-Side GP Setting:
"Remove access to use all Windows Update features"

That should do the trick.

On Thu, Mar 30, 2017 at 7:12 AM, Daniel Ratliff wrote:
Never configure any of your windows update settings with GPO, let SCCM handle 
that via local policy.

I believe the setting you want is here for Win10: 
https://miketerrill.net/2016/10/11/disable-check-online-for-updates-from-microsoft-update-in-windows-10/

For Win7, we just disable the ability to check online: 
https://weikingteh.wordpress.com/2012/09/20/how-to-disable-the-check-online-for-updates-from-microsoft-update-link-in-the-windows-update-icon-in-control-panel/

Daniel Ratliff

From: listsad...@lists.myitforum.com 
[mailto:listsad...@lists.myitforum.com] 
On Behalf Of S ConfigMgr
Sent: Thursday, March 30, 2017 12:12 AM
To: mssms@lists.myitforum.com
Subject: [mssms] GPO Update Disable Manual MS checks

Hello all,

I have deployed SUP and Patching is working as expected.

However my end users are able to use windows update, How can i block end users 
to stop installing patches from internet, I have windows 10 Enterprise and 
Professional Machines as end users.


I have tried to deploy a group policy to disable

Computer Configuration\Administrative Templates\Windows Components\Windows 
Update.
1. Find and double-click Configure Automatic Updates
2. In the resulting dialog box, select Enabled.
3. In the Options box, pull down the Configure automatic updating menu and 
select your preferred option.

Still Updates are able to scan by user with ms site, How can I achieve this 

RE: [mssms] GPO Update Disable Manual MS checks

2017-04-11 Thread Hyatt, Dewayne
I’ll admit that I have been off task for a little while with other projects. I 
didn’t realize this was a daily thing ☹

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Adam Juelich
Sent: Tuesday, April 11, 2017 10:49 AM
To: mssms@lists.myitforum.com
Subject: Re: [mssms] GPO Update Disable Manual MS checks

The fact that we are still having this conversation daily over the past few 
months means that Microsoft is really screwing the pooch here.



On Tue, Apr 11, 2017 at 9:42 AM, Hyatt, Dewayne wrote:
Whoops… I had read that blog a while back but apparently not well enough.

I am confused now though. I am using a GPO to define what branch our Windows 10 
clients are in for Windows 10 servicing in SCCM. I thought that was the correct 
way to do it. I saw 1607 used different policies but it looked like it was 
doing the same thing. This blog said not to enable those policies.

From: listsad...@lists.myitforum.com 
[mailto:listsad...@lists.myitforum.com] 
On Behalf Of Niall Brady
Sent: Monday, April 10, 2017 3:37 PM

To: mssms@lists.myitforum.com
Subject: Re: [mssms] GPO Update Disable Manual MS checks

read this

https://blogs.technet.microsoft.com/windowsserver/2017/01/09/why-wsus-and-sccm-managed-clients-are-reaching-out-to-microsoft-online/
dual scan is the cause

On Mon, Apr 10, 2017 at 7:54 PM, Hyatt, Dewayne wrote:
Sorry to hijack but this is somewhat relevant.

Since we rolled out 1607 we have noticed machines are automatically getting 
updates from Microsoft update even though we have a GPO defining our SUP as the 
WSUS server. I was looking into blocking Microsoft update entirely (not sure 
that is what I want to do in our environment) and I ran across this thread.

Has anyone else seen behavior like this? We’ve had a few different locations 
report this, then my own workstation did it this morning, at that point I 
started to believe them ☺.

Thanks,

Dewayne

From: listsad...@lists.myitforum.com 
[mailto:listsad...@lists.myitforum.com] 
On Behalf Of Adam Juelich
Sent: Thursday, March 30, 2017 8:46 AM
To: mssms@lists.myitforum.com
Subject: Re: [mssms] GPO Update Disable Manual MS checks

Yes, other than the GP setting to 'Disable Automatic Updates,' don't configure 
anything else related to it.

There is the User-Side GP Setting:
"Remove access to use all Windows Update features"

That should do the trick.

On Thu, Mar 30, 2017 at 7:12 AM, Daniel Ratliff wrote:
Never configure any of your windows update settings with GPO, let SCCM handle 
that via local policy.

I believe the setting you want is here for Win10: 
https://miketerrill.net/2016/10/11/disable-check-online-for-updates-from-microsoft-update-in-windows-10/

For Win7, we just disable the ability to check online: 
https://weikingteh.wordpress.com/2012/09/20/how-to-disable-the-check-online-for-updates-from-microsoft-update-link-in-the-windows-update-icon-in-control-panel/

Daniel Ratliff

From: listsad...@lists.myitforum.com 
[mailto:listsad...@lists.myitforum.com] 
On Behalf Of S ConfigMgr
Sent: Thursday, March 30, 2017 12:12 AM
To: mssms@lists.myitforum.com
Subject: [mssms] GPO Update Disable Manual MS checks

Hello all,

I have deployed SUP and Patching is working as expected.

However my end users are able to use windows update, How can i block end users 
to stop installing patches from internet, I have windows 10 Enterprise and 
Professional Machines as end users.


I have tried to deploy a group policy to disable

Computer Configuration\Administrative Templates\Windows Components\Windows 
Update.
1. Find and double-click Configure Automatic Updates
2. In the resulting dialog box, select Enabled.
3. In the Options box, pull down the Configure automatic updating menu and 
select your preferred option.

Still Updates are able to scan by user with ms site, How can I achieve this ?


--
Thanks,
ED


The information transmitted is intended only for the person or entity to which 
it is addressed
and may contain CONFIDENTIAL material. If you receive this material/information 
in error,
please contact the sender and delete or destroy the material/information.

RE: [mssms] GPO Update Disable Manual MS checks

2017-04-11 Thread Hyatt, Dewayne
For reference this is the documentation I used when we moved to 1607: 
https://technet.microsoft.com/en-us/itpro/windows/update/waas-manage-updates-configuration-manager

It seems that it contradicts the blog about dual scan.

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Hyatt, Dewayne
Sent: Tuesday, April 11, 2017 10:43 AM
To: mssms@lists.myitforum.com
Subject: RE: [mssms] GPO Update Disable Manual MS checks

Whoops… I had read that blog a while back but apparently not well enough.

I am confused now though. I am using a GPO to define what branch our Windows 10 
clients are in for Windows 10 servicing in SCCM. I thought that was the correct 
way to do it. I saw 1607 used different policies but it looked like it was 
doing the same thing. This blog said not to enable those policies.

From: listsad...@lists.myitforum.com 
[mailto:listsad...@lists.myitforum.com] On Behalf Of Niall Brady
Sent: Monday, April 10, 2017 3:37 PM
To: mssms@lists.myitforum.com
Subject: Re: [mssms] GPO Update Disable Manual MS checks

read this

https://blogs.technet.microsoft.com/windowsserver/2017/01/09/why-wsus-and-sccm-managed-clients-are-reaching-out-to-microsoft-online/
dual scan is the cause

On Mon, Apr 10, 2017 at 7:54 PM, Hyatt, Dewayne wrote:
Sorry to hijack but this is somewhat relevant.

Since we rolled out 1607 we have noticed machines are automatically getting 
updates from Microsoft update even though we have a GPO defining our SUP as the 
WSUS server. I was looking into blocking Microsoft update entirely (not sure 
that is what I want to do in our environment) and I ran across this thread.

Has anyone else seen behavior like this? We’ve had a few different locations 
report this, then my own workstation did it this morning, at that point I 
started to believe them ☺.

Thanks,

Dewayne

From: listsad...@lists.myitforum.com 
[mailto:listsad...@lists.myitforum.com] 
On Behalf Of Adam Juelich
Sent: Thursday, March 30, 2017 8:46 AM
To: mssms@lists.myitforum.com
Subject: Re: [mssms] GPO Update Disable Manual MS checks

Yes, other than the GP setting to 'Disable Automatic Updates,' don't configure 
anything else related to it.

There is the User-Side GP Setting:
"Remove access to use all Windows Update features"

That should do the trick.

On Thu, Mar 30, 2017 at 7:12 AM, Daniel Ratliff wrote:
Never configure any of your windows update settings with GPO, let SCCM handle 
that via local policy.

I believe the setting you want is here for Win10: 
https://miketerrill.net/2016/10/11/disable-check-online-for-updates-from-microsoft-update-in-windows-10/

For Win7, we just disable the ability to check online: 
https://weikingteh.wordpress.com/2012/09/20/how-to-disable-the-check-online-for-updates-from-microsoft-update-link-in-the-windows-update-icon-in-control-panel/

Daniel Ratliff

From: listsad...@lists.myitforum.com 
[mailto:listsad...@lists.myitforum.com] 
On Behalf Of S ConfigMgr
Sent: Thursday, March 30, 2017 12:12 AM
To: mssms@lists.myitforum.com
Subject: [mssms] GPO Update Disable Manual MS checks

Hello all,

I have deployed SUP and Patching is working as expected.

However my end users are able to use windows update, How can i block end users 
to stop installing patches from internet, I have windows 10 Enterprise and 
Professional Machines as end users.


I have tried to deploy a group policy to disable

Computer Configuration\Administrative Templates\Windows Components\Windows 
Update.
1. Find and double-click Configure Automatic Updates
2. In the resulting dialog box, select Enabled.
3. In the Options box, pull down the Configure automatic updating menu and 
select your preferred option.

Still Updates are able to scan by user with ms site, How can I achieve this ?


--
Thanks,
ED



Re: [mssms] GPO Update Disable Manual MS checks

2017-04-11 Thread Adam Juelich
The fact that we are still having this conversation daily over the past few
months means that Microsoft is really screwing the pooch here.



On Tue, Apr 11, 2017 at 9:42 AM, Hyatt, Dewayne  wrote:

> Whoops… I had read that blog a while back but apparently not well enough.
>
>
>
> I am confused now though. I am using a GPO to define what branch our
> Windows 10 clients are in for Windows 10 servicing in SCCM. I thought that
> was the correct way to do it. I saw 1607 used different policies but it
> looked like it was doing the same thing. This blog said not to enable those
> policies.
>
>
>
> *From:* listsad...@lists.myitforum.com [mailto:listsadmin@lists.
> myitforum.com] *On Behalf Of *Niall Brady
> *Sent:* Monday, April 10, 2017 3:37 PM
>
> *To:* mssms@lists.myitforum.com
> *Subject:* Re: [mssms] GPO Update Disable Manual MS checks
>
>
>
> read this
>
> https://blogs.technet.microsoft.com/windowsserver/2017/01/09/why-wsus-and-sccm-managed-clients-are-reaching-out-to-microsoft-online/
>
> dual scan is the cause
>
>
>
> On Mon, Apr 10, 2017 at 7:54 PM, Hyatt, Dewayne  wrote:
>
> Sorry to hijack but this is somewhat relevant.
>
>
>
> Since we rolled out 1607 we have noticed machines are automatically
> getting updates from Microsoft update even though we have a GPO defining
> our SUP as the WSUS server. I was looking into blocking Microsoft update
> entirely (not sure that is what I want to do in our environment) and I ran
> across this thread.
>
>
>
> Has anyone else seen behavior like this? We’ve had a few different
> locations report this, then my own workstation did it this morning, at that
> point I started to believe them ☺.
>
>
>
> Thanks,
>
>
>
> Dewayne
>
>
>
> *From:* listsad...@lists.myitforum.com [mailto:listsadmin@lists.
> myitforum.com] *On Behalf Of *Adam Juelich
> *Sent:* Thursday, March 30, 2017 8:46 AM
> *To:* mssms@lists.myitforum.com
> *Subject:* Re: [mssms] GPO Update Disable Manual MS checks
>
>
>
> Yes, other than the GP setting to 'Disable Automatic Updates,' don't
> configure anything else related to it.
>
>
>
> There is the User-Side GP Setting:
>
> "Remove access to use all Windows Update features"
>
>
>
> That should do the trick.
>
>
>
> On Thu, Mar 30, 2017 at 7:12 AM, Daniel Ratliff wrote:
>
> Never configure any of your windows update settings with GPO, let SCCM
> handle that via local policy.
>
>
>
> I believe the setting you want is here for Win10:
> https://miketerrill.net/2016/10/11/disable-check-online-for-updates-from-microsoft-update-in-windows-10/
>
>
>
> For Win7, we just disable the ability to check online:
> https://weikingteh.wordpress.com/2012/09/20/how-to-disable-the-check-online-for-updates-from-microsoft-update-link-in-the-windows-update-icon-in-control-panel/
>
>
>
> *Daniel Ratliff*
>
>
>
> *From:* listsad...@lists.myitforum.com [mailto:listsadmin@lists.
> myitforum.com] *On Behalf Of *S ConfigMgr
> *Sent:* Thursday, March 30, 2017 12:12 AM
> *To:* mssms@lists.myitforum.com
> *Subject:* [mssms] GPO Update Disable Manual MS checks
>
>
>
> Hello all,
>
>
>
> I have deployed SUP and Patching is working as expected.
>
>
>
> However my end users are able to use windows update, How can i block end
> users to stop installing patches from internet, I have windows 10
> Enterprise and Professional Machines as end users.
>
>
>
>
>
> I have tried to deploy a group policy to disable
>
>
>
> Computer Configuration\Administrative Templates\Windows Components\Windows
> Update.
>
> 1. Find and double-click *Configure Automatic Updates*
>
> 2. In the resulting dialog box, select *Enabled.*
>
> 3. In the Options box, pull down the *Configure automatic updating* menu
> and select your preferred option.
>
> Still Updates are able to scan by user with ms site, How can I achieve
> this ?
>
>
>
>
>
> --
>
> Thanks,
>
> ED

RE: [mssms] GPO Update Disable Manual MS checks

2017-04-11 Thread Hyatt, Dewayne
Whoops… I had read that blog a while back but apparently not well enough.

I am confused now though. I am using a GPO to define what branch our Windows 10 
clients are in for Windows 10 servicing in SCCM. I thought that was the correct 
way to do it. I saw 1607 used different policies but it looked like it was 
doing the same thing. This blog said not to enable those policies.

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Niall Brady
Sent: Monday, April 10, 2017 3:37 PM
To: mssms@lists.myitforum.com
Subject: Re: [mssms] GPO Update Disable Manual MS checks

read this

https://blogs.technet.microsoft.com/windowsserver/2017/01/09/why-wsus-and-sccm-managed-clients-are-reaching-out-to-microsoft-online/
dual scan is the cause

On Mon, Apr 10, 2017 at 7:54 PM, Hyatt, Dewayne wrote:
Sorry to hijack but this is somewhat relevant.

Since we rolled out 1607 we have noticed machines are automatically getting 
updates from Microsoft update even though we have a GPO defining our SUP as the 
WSUS server. I was looking into blocking Microsoft update entirely (not sure 
that is what I want to do in our environment) and I ran across this thread.

Has anyone else seen behavior like this? We’ve had a few different locations 
report this, then my own workstation did it this morning, at that point I 
started to believe them ☺.

Thanks,

Dewayne

From: listsad...@lists.myitforum.com 
[mailto:listsad...@lists.myitforum.com] 
On Behalf Of Adam Juelich
Sent: Thursday, March 30, 2017 8:46 AM
To: mssms@lists.myitforum.com
Subject: Re: [mssms] GPO Update Disable Manual MS checks

Yes, other than the GP setting to 'Disable Automatic Updates,' don't configure 
anything else related to it.

There is the User-Side GP Setting:
"Remove access to use all Windows Update features"

That should do the trick.

On Thu, Mar 30, 2017 at 7:12 AM, Daniel Ratliff wrote:
Never configure any of your windows update settings with GPO, let SCCM handle 
that via local policy.

I believe the setting you want is here for Win10: 
https://miketerrill.net/2016/10/11/disable-check-online-for-updates-from-microsoft-update-in-windows-10/

For Win7, we just disable the ability to check online: 
https://weikingteh.wordpress.com/2012/09/20/how-to-disable-the-check-online-for-updates-from-microsoft-update-link-in-the-windows-update-icon-in-control-panel/

Daniel Ratliff

From: listsad...@lists.myitforum.com 
[mailto:listsad...@lists.myitforum.com] 
On Behalf Of S ConfigMgr
Sent: Thursday, March 30, 2017 12:12 AM
To: mssms@lists.myitforum.com
Subject: [mssms] GPO Update Disable Manual MS checks

Hello all,

I have deployed SUP and Patching is working as expected.

However my end users are able to use windows update, How can i block end users 
to stop installing patches from internet, I have windows 10 Enterprise and 
Professional Machines as end users.


I have tried to deploy a group policy to disable

Computer Configuration\Administrative Templates\Windows Components\Windows 
Update.
1. Find and double-click Configure Automatic Updates
2. In the resulting dialog box, select Enabled.
3. In the Options box, pull down the Configure automatic updating menu and 
select your preferred option.

Still Updates are able to scan by user with ms site, How can I achieve this ?


--
Thanks,
ED
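
The dual scan situation discussed in this thread (a client pointed at WSUS/SUP by policy that also carries deferral or branch policies), as an added example that is not part of any poster's message and not Microsoft's code: a PowerShell check that flags that combination so it can be reviewed. The registry value names are assumed to be the standard Windows Update policy names (the thread does not list them); the sample policies and the WSUS URL are constructed.

```powershell
# Added example: flag the policy combination the thread calls "dual scan".
# Assumption: these are the standard Windows Update policy registry names;
# the thread itself does not list them.
$WuPolicyPaths = @(
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate',
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
)
$DeferralValueNames = @(
    'DeferFeatureUpdates', 'DeferFeatureUpdatesPeriodInDays',
    'DeferQualityUpdates', 'DeferQualityUpdatesPeriodInDays',
    'BranchReadinessLevel',
    'DeferUpgrade', 'DeferUpgradePeriod', 'DeferUpdatePeriod'   # Windows 10 1511-era names
)
$ProviderProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

function Get-WindowsUpdatePolicy {
    # Reads both policy keys from the live registry into one flat hashtable.
    # Returns an empty hashtable when no Windows Update policy is applied.
    $policy = @{}
    foreach ($path in $WuPolicyPaths) {
        if (-not (Test-Path -Path $path)) { continue }
        $item = Get-ItemProperty -Path $path
        if ($null -eq $item) { continue }          # key exists but holds no values
        foreach ($prop in $item.PSObject.Properties) {
            if ($prop.Name -notin $ProviderProps) { $policy[$prop.Name] = $prop.Value }
        }
    }
    return $policy
}

function Test-DualScanRisk {
    param([hashtable]$Policy = @{})

    # The client is WSUS/SUP-managed only if the switch is on AND a server is named.
    $usesWsus = ($Policy['UseWUServer'] -eq 1) -and
                (-not [string]::IsNullOrWhiteSpace([string]$Policy['WUServer']))

    # Any deferral or branch value that is present is reported, whatever its data,
    # because the blog cited in the thread advises not enabling those policies at all.
    $deferrals = @($DeferralValueNames | Where-Object { $Policy.ContainsKey($_) })

    [pscustomobject]@{
        UsesWsus       = $usesWsus
        DeferralValues = $deferrals
        NeedsReview    = $usesWsus -and ($deferrals.Count -gt 0)
    }
}

# Constructed sample policies (not taken from any real machine).
$samples = [ordered]@{
    'WSUS only'         = @{ UseWUServer = 1; WUServer = 'http://wsus.example.internal:8530' }
    'WSUS + branch GPO' = @{ UseWUServer = 1; WUServer = 'http://wsus.example.internal:8530'
                             BranchReadinessLevel = 32; DeferFeatureUpdatesPeriodInDays = 60 }
    'Deferral, no WSUS' = @{ DeferQualityUpdates = 1; DeferQualityUpdatesPeriodInDays = 7 }
}

foreach ($name in $samples.Keys) {
    $r = Test-DualScanRisk -Policy $samples[$name]
    '{0,-18} WSUS={1,-5} review={2,-5} deferrals=[{3}]' -f `
        $name, $r.UsesWsus, $r.NeedsReview, ($r.DeferralValues -join ', ')
}

# On a managed client, audit the live registry instead of the samples:
# Test-DualScanRisk -Policy (Get-WindowsUpdatePolicy)
```

Only the "WSUS + branch GPO" sample is flagged for review; the other two are not, because dual scan needs both a configured WSUS server and a deferral or branch policy.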


[mssms] RE: Upgrade Readiness with System Center Configuration Manager

2017-04-11 Thread Daniel Ratliff
We are using it. It's very simple to set up. All you need is a free OMS account, 
and an Azure Subscription.

Once you set up your Azure Subscription, make sure you go into the Azure Portal 
and change the subscription to Pay as you go. We confirmed with our TAM and an 
Azure SME that there is no cost as long as the only service you add in OMS is 
Upgrade Readiness.

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Enley, Carl
Sent: Tuesday, April 11, 2017 7:54 AM
To: mssms@lists.myitforum.com
Subject: [mssms] RE: Upgrade Readiness with System Center Configuration Manager

I am also interested in this, and am in a similar situation where we have an 
O365 tenant but no Azure per se. I spoke to an MS rep and he said that the log 
analytics ingestion service as you describe is free, you will need a CC to sign 
up though. I have not pursued this as I am hoping my company will set up a full 
Azure footprint very soon. We also have some telemetry data challenges with our 
EU side of the business we have to work out first.

Please let me know if you go down this road and what exactly was needed.

From: listsad...@lists.myitforum.com 
[mailto:listsad...@lists.myitforum.com] On Behalf Of Dave West
Sent: Tuesday, April 11, 2017 4:25 AM
To: mssms@lists.myitforum.com
Subject: [mssms] Upgrade Readiness with System Center Configuration Manager

I was wondering if anyone has integrated Upgrade Readiness with System Center 
Configuration Manager?

https://docs.microsoft.com/en-gb/sccm/core/clients/manage/upgrade/upgrade-analytics

We are looking into this now and there is a requirement for Microsoft 
Operations Management Suite (OMS) for the log analytics, and I can't seem to 
find any mention of the cost of adding OMS, specifically the log analytics, 
required for Upgrade Readiness/Upgrade Analytics Connector in ConfigMgr.

We have an Office365 tenancy but no Azure AD etc. so I was wondering if anyone 
else has set this up and if so how did they handle the OMS side of things.

Dave West
Senior Operations Analyst
Service Management
Technology & Information Services | Plymouth University | Drake Circus | 
Plymouth | PL4 8AA
Tel: 01752 587247 | Email: 
dave.w...@plymouth.ac.uk | Web: 
plymouth.ac.uk/ITservices



This email and any files with it are confidential and intended solely for the 
use of the recipient to whom it is addressed. If you are not the intended 
recipient then copying, distribution or other use of the information contained 
is strictly prohibited and you should not rely on it. If you have received this 
email in error please let the sender know immediately and delete it from your 
system(s). Internet emails are not necessarily secure. While we take every 
care, Plymouth University accepts no responsibility for viruses and it is your 
responsibility to scan emails and their attachments. Plymouth University does 
not accept responsibility for any changes made after it was sent. Nothing in 
this email or its attachments constitutes an order for goods or services unless 
accompanied by an official order form.




[mssms] RE: 1702 prereq check fails

2017-04-11 Thread Daniel Ratliff
Check the logs on the root of the site server.

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Mote, Todd
Sent: Tuesday, April 11, 2017 8:08 AM
To: mssms@lists.myitforum.com
Subject: [mssms] 1702 prereq check fails

In a weird way.  I have 4 total installs, one is prod, one is qual, and the 
other two are places where I test stuff like upgrading.  All on Server 2012 R2 
single site server, all roles on the same server, SQL 2016 no SP, though I 
might give SP1 a try given some of the failures, all but prod are 1610, but the 
prereq check on all three of the non-prod ones fail with some strange results.  
I haven't run the prereq check on prod yet.  All three list the same failures.  
Is there a log somewhere I can look at with more information than what's 
provided in the checker?

Todd

[Failed]:Verifies that the site system to be upgraded meets the minimum 
operating system requirement of Windows Server 2008 R2 for site system 
installation.  (all are 2012 R2 fully patched)
[Failed]:Verifies that the SQL Server database collation settings of the tempdb 
database and site database to be upgraded are the same.  (but they are, I 
checked)
[Failed]:Verifies that no active source hierarchy is currently configured for 
migration. (these haven't been migrated from or to any other hierarchy, all 
single installs)
[Failed]:Verifies that all site servers in the hierarchy meet the Configuration 
Manager minimum version that is required for upgrade.  (this is the only site 
servers and they are all 1610)
[Failed]:No Active MP Replica detected (I have no replicas)
[Failed]:Checking whether the site system role 'System Health Validator' exists 
in the hierarchy.  (this role is not installed)
[Failed]:Checking whether there are software updates that are enabled for NAP 
(never used NAP with SU, or at all)
[Failed]:Verifies that the user account running Configuration Manager Setup has 
been granted sysadmin SQL Server role permissions on the SQL Server instance 
selected for site database installation. SQL Server sysadmin role permissions 
are required in order to create the site database and configure necessary 
database role and login permissions for Configuration Manager sites.  (the user 
I'm using has SA)
[Failed]:Checking whether there are custom Client Agent Settings that enable 
NAP (two of the sites don't have custom client settings but all of them have 
this failure)
[Failed]:Checking whether the default Client Agent Settings enable NAP (I can't 
find NAP in the default client settings)



[mssms] 1702 prereq check fails

2017-04-11 Thread Mote, Todd
In a weird way.  I have 4 total installs, one is prod, one is qual, and the 
other two are places where I test stuff like upgrading.  All on Server 2012 R2 
single site server, all roles on the same server, SQL 2016 no SP, though I 
might give SP1 a try given some of the failures, all but prod are 1610, but the 
prereq check on all three of the non-prod ones fail with some strange results.  
I haven't run the prereq check on prod yet.  All three list the same failures.  
Is there a log somewhere I can look at with more information than what's 
provided in the checker?

Todd

[Failed]:Verifies that the site system to be upgraded meets the minimum 
operating system requirement of Windows Server 2008 R2 for site system 
installation.  (all are 2012 R2 fully patched)
[Failed]:Verifies that the SQL Server database collation settings of the tempdb 
database and site database to be upgraded are the same.  (but they are, I 
checked)
[Failed]:Verifies that no active source hierarchy is currently configured for 
migration. (these haven't been migrated from or to any other hierarchy, all 
single installs)
[Failed]:Verifies that all site servers in the hierarchy meet the Configuration 
Manager minimum version that is required for upgrade.  (this is the only site 
servers and they are all 1610)
[Failed]:No Active MP Replica detected (I have no replicas)
[Failed]:Checking whether the site system role 'System Health Validator' exists 
in the hierarchy.  (this role is not installed)
[Failed]:Checking whether there are software updates that are enabled for NAP 
(never used NAP with SU, or at all)
[Failed]:Verifies that the user account running Configuration Manager Setup has 
been granted sysadmin SQL Server role permissions on the SQL Server instance 
selected for site database installation. SQL Server sysadmin role permissions 
are required in order to create the site database and configure necessary 
database role and login permissions for Configuration Manager sites.  (the user 
I'm using has SA)
[Failed]:Checking whether there are custom Client Agent Settings that enable 
NAP (two of the sites don't have custom client settings but all of them have 
this failure)
[Failed]:Checking whether the default Client Agent Settings enable NAP (I can't 
find NAP in the default client settings)





[mssms] RE: Upgrade Readiness with System Center Configuration Manager

2017-04-11 Thread Enley, Carl
I am also interested in this, and am in a similar situation where we have an 
O365 tenant but no Azure per se. I spoke to an MS rep and he said that the log 
analytics ingestion service as you describe is free, you will need a CC to sign 
up though. I have not pursued this as I am hoping my company will set up a full 
Azure footprint very soon. We also have some telemetry data challenges with our 
EU side of the business we have to work out first.

Please let me know if you go down this road and what exactly was needed.

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Dave West
Sent: Tuesday, April 11, 2017 4:25 AM
To: mssms@lists.myitforum.com
Subject: [mssms] Upgrade Readiness with System Center Configuration Manager

I was wondering if anyone has integrated Upgrade Readiness with System Center 
Configuration Manager?

https://docs.microsoft.com/en-gb/sccm/core/clients/manage/upgrade/upgrade-analytics

We are looking into this now and there is a requirement for Microsoft 
Operations Management Suite (OMS) for the log analytics, and I can't seem to 
find any mention of the cost of adding OMS, specifically the log analytics, 
required for Upgrade Readiness/Upgrade Analytics Connector in ConfigMgr.

We have an Office365 tenancy but no Azure AD etc. so I was wondering if anyone 
else has set this up and if so how did they handle the OMS side of things.

Dave West
Senior Operations Analyst
Service Management
Technology & Information Services | Plymouth University | Drake Circus | 
Plymouth | PL4 8AA
Tel: 01752 587247 | Email: dave.w...@plymouth.ac.uk | Web: plymouth.ac.uk/ITservices



This email and any files with it are confidential and intended solely for the 
use of the recipient to whom it is addressed. If you are not the intended 
recipient then copying, distribution or other use of the information contained 
is strictly prohibited and you should not rely on it. If you have received this 
email in error please let the sender know immediately and delete it from your 
system(s). Internet emails are not necessarily secure. While we take every 
care, Plymouth University accepts no responsibility for viruses and it is your 
responsibility to scan emails and their attachments. Plymouth University does 
not accept responsibility for any changes made after it was sent. Nothing in 
this email or its attachments constitutes an order for goods or services unless 
accompanied by an official order form.






[mssms] Upgrade Readiness with System Center Configuration Manager

2017-04-11 Thread Dave West
I was wondering if anyone has integrated Upgrade Readiness with System Center 
Configuration Manager?

https://docs.microsoft.com/en-gb/sccm/core/clients/manage/upgrade/upgrade-analytics

We are looking into this now and there is a requirement for Microsoft 
Operations Management Suite (OMS) for the log analytics, and I can't seem to 
find any mention of the cost of adding OMS, specifically the log analytics, 
required for Upgrade Readiness/Upgrade Analytics Connector in ConfigMgr.

We have an Office365 tenancy but no Azure AD etc. so I was wondering if anyone 
else has set this up and if so how did they handle the OMS side of things.

Dave West
Senior Operations Analyst
Service Management
Technology & Information Services | Plymouth University | Drake Circus | 
Plymouth | PL4 8AA
Tel: 01752 587247 | Email: dave.w...@plymouth.ac.uk | Web: plymouth.ac.uk/ITservices

