In System Center 2012 Configuration Manager Service Pack 1, we've added the ability to set multiple software update points per primary site.  This change allows for placing software update points cross-forest, and providing fault tolerance without requiring an NLB.  You can read more about those changes hereIf you set a WSUS server on your clients through Group Policy for any reason, and you want to take advantage of the new software update point failover design in Configuration Manager SP1, you need to rethink how you specify a WSUS server on clients by using Group Policy. 

The most common scenario where group policy is used to set the WSUS server on computers is when you publish the Configuration Manager client through WSUS, and need to point your computers to the WSUS server to get the client.  Client publishing assumes that the Configuration Manager client does not yet exist on the clients (or has been removed), and needs to be delivered through WSUS.  The problem is that the WSUS server for client publishing has to be set through Group Policy.  This is a great for assigning a WSUS server to get the client deployed, but not-so great for the new software update point failover design as it impacts a client's ability to switch software update points for failover.  Since the domain policy is the authority, and it's binding the client to the WSUS server set for client publishing, Configuration Manager local policy used to change the software update point for failover reasons is blocked by domain policy. However, there is a fairly easy way to solve this problem, and it's outlined here. 

Scenario Overview

 I use client publishing through WSUS and set the WSUS server through Group Policy.  However, after the client is installed, I also want to take advantage of the new software update point failover design, which will allow my clients to failover to another software update point as needed. 

How do I accomplish this without using NLB since I'm only able to set a single, logical WSUS server reference with Group Policy?  That single WSUS server set through group policy will not allow Configuration Manager local policy to set an alternative software update point for failover.

Solution

There is a fairly easy way to apply a WSUS server for Configuration Manager client-publishing using group policy, and to still take advantage of software update point failover after the client is installed, and without an NLB dependency.  To achieve this, you need to use Group Policy Preferences to set the WSUS server only when the Configuration Manager client doesn't exist, or isn't running. 

Group Policy Preferences allow you to easily set conditional logic to configure specific settings.  As an example, you can use preferences to ONLY set a specific WSUS server if the Configuration Manager client is NOT installed.  If the Configuration Manager client exists, Group Policy will NOT set the WSUS server, freeing up Configuration Manager local policy to set the appropriate software update point as needed.  This avoids the domain and local policy conflict, and allows software update point failover to work as designed.  In general, using Group Policy Preferences is a best practice in any Configuration Manager scenario where local and group policy might conflict, and you want local group policy to trump domain policy on a particular condition.  As another example, you should use Group Policy Preferences when migrating software update operations from a standalone WSUS environment to Configuration Manager.

First, let me provide a little background on Group Policy Preferences.  Group Policy Preferences is available from the Group Policy Management console running on Windows Server 2008 or later, and Windows Vista SP1 or later.   Group Policy Preferences will work on those same operating systems, and Windows XP SP3 is also updated with the required client-side extensions.  In short, you should be all ready to begin using Group Policy Preferences --there's no dependency on upgrading domain controllers to Windows Server 2008 R2, or having all Windows 7 clients or later.

Okay, so let's walk through the steps required to use Group Policy Preferences as a way to 1) set the WSUS server for client publishing, for clients that don't have the Configuration Manager client, and 2) have that setting stop being applied once the Configuration Manager client is installed.

Configuring the Group Policy Object and Group Policy Preferences

  1. In Group Policy Management, create a new GPO.  In this example, we'll just name it CMClientPublishing.
  2. Choose to Edit the CMClientPublishing GPO just created, which will open Group Policy Management Editor.
  3. Under Computer Configuration |Preferences | Windows Settings | Registry, choose New | Registry Item.
  4. Choose the action of "Replace" for this setting.  Choosing replace here will change the registry value if it exists, or create it if it doesn't, in both cases setting it to your defined WSUS server for client deployment.
  5. Set the Hive to HKEY_LOCAL_MACHINE.
  6. Set (or browse) the Key Path to SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
  7. Set the Value name to WUServer.
  8. Set the Value type to REG_SZ.
  9. Set the value data to the WSUS server addressed used for client publishing.  In this example we'll just use http://SUP1.CONTOSO.COM 
    1. NOTE:  When validating these steps in a lab, it's best to just set a bogus entry in this value, so that it's easy to see in the client validation steps that GPO sets this value when no Configuration Manager client exists, and when the client exists, the real software update point is set.  In production, the client publishing WSUS server is likely already a valid software update point, so Configuration Manager local policy may set the same WUServer as set by this GPO.  Remember, the key scenario we're addressing with these steps is supporting software update point failover, so the client is able to freely switch between software update points, which is not possible unless GPO is only applied when the Configuration Manager client doesn't exist.
  10. Now we'll set the conditional logic we use to set the WUServer value above.
  11. In the property page where you just set the key values, go to the "Common" tab.
  12. Choose Item level targeting, and then click the Targeting button. 
    1. Note:  An alternative and very simple approach here is to simply select "Apply Once and do not reapply" and you're done.  This would take care of newly imaged clients coming on to the network, and then getting the WSUS server where client publishing was delivered from, but then never reapplying that WSUS value, and thus never conflicting with the Configuration Manager client setting the software update point/WSUS server through local policy.
  13. In the Targeting editor, choose New Item | Registry Match
  14. Under Item Options, choose Is Not, so that policy is only applied on the non-existence of the ConfigMgr client (the key set in the next step).
  15. Set the Match type to key exists, the Hive to HKEY_LOCAL_MACHINE, and the key path to SYSTEM\CurrentControlSet\services\CcmExec
  16. Back in Group Policy Management, link the GPO to the relevant domain or a specific OU.  In this example, I just link it to the domain by right clicking on the domain | Link an existing GPO, and selecting the CMClientPublishing GPO we just created and edited.

Validating the GPO and behavior client side

  1. On a client without Configuration Manager installed, from the command line run GPUPDATE, and then run GPRESULT /R (or RSOP.MSC) and look for the application of the CMClientPublishing GPO we created in the last step, under Applied Group Policy Objects.
  2. On the computer with no Configuration Manager client, validate that the WSUS server used for client publishing (http://SUP1.CONTOSO.COM in this "bogus entry" example) is set as the WUServer value in HKLM\SOFTWARE\Policies\Windows\WindowsUpdate.
  3. Install the Configuration Manager client with at least one software update point configured in the Configuration Manager primary site.
  4. After the client installation is complete, and all components are installed and enabled, force a software update scan cycle from the Configuration Manager control panel applet on the client.  After a couple of minutes, go the registry HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate and check the value of the WUServer.  It will now be configured to the software update point address as configured and set by Configuration Manager.
  5. Rerun GPUPDATE again, and re-check the registry.  You’ll see that the logic we set with Group Policy Preferences is honored, and the WUServer value persists to the setting configured by Configuration Manager with local policy.
  6. In a production implementation of Group Policy Preferences, the WSUS server set by the GPO may be the same as the one set by Configuration Manager.  The key here is that the client is now able to freely switch between the software update points defined in software update point failover and not fail to scan as a higher authority (domain policy) is setting the WUServer to a single value.  Applying the Group Policy Preferences logic outlined here, assures that the WUServer is only set and maintained by group policy when the Configuration Manager client does not exist.

Wrap Up

Group Policy Preferences provide a great way to conditionally set a WSUS server for your initial client deployments, while still allowing Configuration Manager local policy to set the software update point on failover conditions.  Traditional GPOs for setting the WSUS server are too rigid for software update point failover, as domain policy overrides Configuration Manager local policy, interfering with the ability for the client to switch software update points when needed for failover.  Implementing the conditional logic outlined here for setting the WSUS server using Group Policy Preferences is a great option for both delivering the Configuration Manager client by using WSUS, and taking advantage of software update point failover after the Configuration Manager client is installed.

--Jason Githens

This posting is provided "AS IS" with no warranties, and confers no rights.