Export (0) Print
Expand All

Troubleshooting Group Policy Configuration for Software Updates

Applies To: System Center Configuration Manager 2007, System Center Configuration Manager 2007 R2, System Center Configuration Manager 2007 R3, System Center Configuration Manager 2007 SP1, System Center Configuration Manager 2007 SP2

When a Configuration Manager 2007 client is configured to use the software updates client agent, it is automatically configured with a local Group Policy setting that specifies the Configuration Manager active software update point. The Group Policy setting used is the intranet Microsoft update service location, specified as a Windows Update computer administrative template.

Because this configuration uses a local Group Policy setting, it is suitable for workgroup clients and for clients that belong to a different Active Directory forest from the site server.

However, a local Group Policy setting will always be overwritten by an Active Directory Group Policy setting, and this can result in the Configuration Manager 2007 client failing to obtain software updates using Configuration Manager. This section provides troubleshooting information to help you resolve issues related to Group Policy that prevents software updates from working in Configuration Manager 2007.

If Configuration Manager 2007 clients fail to obtain software updates from Configuration Manager and they have an Active Directory Group Policy setting configured for software update point based client installation, a likely reason is that the Active Directory Group Policy object is incorrectly configured.

The software updates feature automatically configures a local Group Policy setting for the Configuration Manager 2007 client so that it is configured with the software update point source location and port number. Both the server name and port number is required for the software updates client to find the software update point.

If an Active Directory Group Policy setting is applied to computers for software update point client installation, this overrides the local Group Policy setting. Unless the value of the setting is exactly the same (server name and port), this causes the Configuration Manager 2007 software updates feature to fail on the client.

The following entries appear in the software updates log file WUAHandler.log:

[Group policy settings were overwritten by a higher authority (Domain Controller) to: Server http://server and Policy ENABLED]LOG

Solution

The software update point for client installation and software updates must be the same server, and specified in the Active Directory Group Policy setting with the correct name format and with the port information (for example, http://server1.contoso.com:80 if the site system server is not configured to use a fully qualified domain name and is using the default Web site).

For more information, see How to Install Configuration Manager Clients Using Software Update Point Based Installation.

If Configuration Manager 2007 clients continue to download software updates from an existing WSUS server rather than install them using Configuration Manager, examine the resultant set of policies for the clients using a tool such as the Resultant Set of Policy (RSoP) or the Microsoft Group Policy Management Console (GPMC).

If these clients have an Active Directory Group Policy object assigned to them that specifies a WSUS server that is not their active software update point (using the correct name format and port), it will override the local Group Policy setting configured by the Configuration Manager software updates feature.

The Group Policy setting used is Specify intranet Microsoft update service location and it is located in Computer Configuration / Administrative Templates / Windows Components / Windows Update.

When an Active Directory Group Policy setting overrides the local Group Policy setting, the following entries appear in the software updates log file WUAHandler.log:

[Group policy settings were overwritten by a higher authority (Domain Controller) to: Server http://server and Policy ENABLED]LOG

Solution

Reconfigure Active Directory Group Policy such that Configuration Manager clients are not assigned an Active Directory Group Policy object that specifies a WSUS server other than their active software update point. For example, reconfigure the Active Directory Group Policy setting to Not Configured, or move computers to an organizational unit (OU) that does not have this Group Policy setting applied.

For additional information, see Configuration Manager 2007 Information and Support.
To contact the documentation team, email SMSdocs@microsoft.com.
Was this page helpful?
(1500 characters remaining)
Thank you for your feedback

Community Additions

ADD
Show:
© 2014 Microsoft