In System Center 2012 Configuration Manager Service Pack 1, we've added the ability to set multiple software update points per primary site. This change allows for placing software update points cross-forest, and providing fault tolerance without requiring an NLB. You can read more about those changes here. If you set a WSUS server on your clients through Group Policy for any reason, and you want to take advantage of the new software update point failover design in Configuration Manager SP1, you need to rethink how you specify a WSUS server on clients by using Group Policy.
The most common scenario where Group Policy is used to set the WSUS server on computers is when you publish the Configuration Manager client through WSUS and need to point your computers to the WSUS server to get the client. Client publishing assumes that the Configuration Manager client does not yet exist on the clients (or has been removed) and needs to be delivered through WSUS. The problem is that the WSUS server for client publishing has to be set through Group Policy. This is great for assigning a WSUS server to get the client deployed, but not so great for the new software update point failover design, because it impacts a client's ability to switch software update points for failover. Since the domain policy is the authority, and it binds the client to the WSUS server set for client publishing, the Configuration Manager local policy used to change the software update point for failover reasons is blocked by domain policy. However, there is a fairly easy way to solve this problem, and it's outlined here.
I use client publishing through WSUS and set the WSUS server through Group Policy. However, after the client is installed, I also want to take advantage of the new software update point failover design, which will allow my clients to fail over to another software update point as needed.
How do I accomplish this without using NLB since I'm only able to set a single, logical WSUS server reference with Group Policy? That single WSUS server set through group policy will not allow Configuration Manager local policy to set an alternative software update point for failover.
There is a fairly easy way to apply a WSUS server for Configuration Manager client-publishing using group policy, and to still take advantage of software update point failover after the client is installed, and without an NLB dependency. To achieve this, you need to use Group Policy Preferences to set the WSUS server only when the Configuration Manager client doesn't exist, or isn't running.
Group Policy Preferences allow you to easily attach conditional logic to specific settings. As an example, you can use preferences to ONLY set a specific WSUS server if the Configuration Manager client is NOT installed. If the Configuration Manager client exists, Group Policy will NOT set the WSUS server, freeing up Configuration Manager local policy to set the appropriate software update point as needed. This avoids the domain and local policy conflict, and allows software update point failover to work as designed. In general, using Group Policy Preferences is a best practice in any Configuration Manager scenario where local policy and Group Policy might conflict, and you want local policy to trump domain policy under a particular condition. As another example, you should use Group Policy Preferences when migrating software update operations from a standalone WSUS environment to Configuration Manager.
First, let me provide a little background on Group Policy Preferences. Group Policy Preferences is available from the Group Policy Management console running on Windows Server 2008 or later, and Windows Vista SP1 or later. Group Policy Preferences will work on those same operating systems, and Windows XP SP3 is also updated with the required client-side extensions. In short, you should be all ready to begin using Group Policy Preferences: there's no dependency on upgrading domain controllers to Windows Server 2008 R2, or on having all Windows 7 or later clients.
Okay, so let's walk through the steps required to use Group Policy Preferences as a way to 1) set the WSUS server for client publishing, for clients that don't have the Configuration Manager client, and 2) have that setting stop being applied once the Configuration Manager client is installed.
Configuring the Group Policy Object and Group Policy Preferences
Validating the GPO and behavior client side
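The following PowerShell script is an added example, not part of the original post, for checking on a client whether the conditional WSUS policy is behaving as designed. It assumes the Configuration Manager client is detected through its CcmExec service (SMS Agent Host) and that the Group Policy Preferences registry item writes the standard WindowsUpdate policy values (WUServer, WUStatusServer and UseWUServer under the AU key).

```powershell
# Added example (not part of the original post): client-side check that the
# conditional WSUS policy behaves as designed. Assumptions: the Configuration
# Manager client is detected via its CcmExec service, and the GPP-applied WSUS
# values live under the standard WindowsUpdate policy keys.
$wuPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$auPolicy = Join-Path $wuPolicy 'AU'

function Get-CcmClientState {
    # Returns 'Running', 'Stopped' or 'NotInstalled' for the SMS Agent Host.
    $svc = Get-Service -Name 'CcmExec' -ErrorAction SilentlyContinue
    if (-not $svc) { return 'NotInstalled' }
    if ($svc.Status -eq 'Running') { return 'Running' }
    return 'Stopped'
}

function Get-WsusPolicy {
    # Reads the policy-scoped WSUS values; a missing value comes back as $null.
    $wu = Get-ItemProperty -Path $wuPolicy -ErrorAction SilentlyContinue
    $au = Get-ItemProperty -Path $auPolicy -ErrorAction SilentlyContinue
    [pscustomobject]@{
        WUServer       = $wu.WUServer
        WUStatusServer = $wu.WUStatusServer
        UseWUServer    = $au.UseWUServer
    }
}

function Test-ConditionalWsusPolicy {
    $state  = Get-CcmClientState
    $policy = Get-WsusPolicy
    $gpoSetsWsus = -not [string]::IsNullOrEmpty($policy.WUServer)
    if ($state -eq 'Running') {
        # Client healthy: domain policy must NOT pin a WSUS server, or
        # Configuration Manager cannot switch software update points.
        if ($gpoSetsWsus) { $verdict = 'CONFLICT: GPO still sets WUServer; SUP failover blocked' }
        else              { $verdict = 'OK: local policy controls the software update point' }
    } else {
        # No client (or not running): the publishing WSUS server should be set,
        # and UseWUServer must be 1 or Windows Update ignores WUServer.
        if (-not $gpoSetsWsus)             { $verdict = 'MISSING: no WUServer for client publishing' }
        elseif ($policy.UseWUServer -ne 1) { $verdict = 'INCOMPLETE: WUServer set but UseWUServer is not 1' }
        else                               { $verdict = 'OK: publishing WSUS server applied' }
    }
    [pscustomobject]@{
        CcmClient   = $state
        WUServer    = $policy.WUServer
        UseWUServer = $policy.UseWUServer
        Verdict     = $verdict
    }
}
Test-ConditionalWsusPolicy | Format-List
```

A CONFLICT verdict on a machine with a running client usually means Group Policy has not refreshed since the client was installed, or the preference item is not configured to remove its value when the item-level target no longer matches.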
Group Policy Preferences provide a great way to conditionally set a WSUS server for your initial client deployments, while still allowing Configuration Manager local policy to set the software update point on failover conditions. Traditional GPOs for setting the WSUS server are too rigid for software update point failover, as domain policy overrides Configuration Manager local policy, interfering with the ability for the client to switch software update points when needed for failover. Implementing the conditional logic outlined here for setting the WSUS server using Group Policy Preferences is a great option for both delivering the Configuration Manager client by using WSUS, and taking advantage of software update point failover after the Configuration Manager client is installed.
This posting is provided "AS IS" with no warranties, and confers no rights.
This is a great skeleton to get started, but one comment. If I read the TechNet here:
It states that without UseWUServer=1 set as well, the setting being applied above will be ignored (slightly different location, refer to TechNet). Regardless, that reference can be used to completely re-create a client's existing WSUS policy as conditional statements so that an environment can be "eased" into SCCM management (settings stop being applied as soon as the agent is pushed).