SCCM vs Ansible conflict

Techshan 216 Reputation points
2022-04-21T21:01:39.283+00:00

Hi,

Currently in our environment, SCCM is used for patching Windows servers & workstations. Our Active Directory has multiple OUs which consist of sub-OUs at multiple levels.

With this setup, SCCM is being utilised for patching, in which one of the prerequisites is that Configure Automatic updates is disabled. This is already set in one of the domain GPOs.

Now we are planning to switch over to Ansible instead of SCCM only for Windows servers.
One of the requirements from Ansible is to set Configure Automatic updates to decimal value 3.

The important thing is that currently Windows servers and workstations are present in the same OU. No proper OU structure is maintained to separate servers from workstations.

Anybody please advise how to set this new value of 3 without disturbing the OU structure in which servers and workstations are mixed.


Accepted answer
  1. Amandayou-MSFT 11,046 Reputation points
    2022-04-26T07:52:43.313+00:00

    Hi @SHANMUGAMSWAMINATHAN-5167,

    Thanks for your reply.

    As per my experience, each GPO associated with a group can only be applied to devices running the correct version of Windows. Use the Group Policy Management MMC snap-in to create and assign WMI filters to the GPO.

    If we need to put specific servers in Ansible_WSUS using WMI filters, the requirement for filtering is server version. If there is an overlap in the versions between Ansible_WSUS and SCCM_WSUS setup, this method cannot be used.

    Here is the article we could refer to:
    https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-firewall/create-wmi-filters-for-the-gpo



4 additional answers

  1. Garth 5,801 Reputation points
    2022-04-24T12:41:51.673+00:00

    Look into GPO filters. But really the answer is to move the servers to another OU.

    1 person found this answer helpful.

  2. Techshan 216 Reputation points
    2022-04-22T21:26:31.93+00:00

    I will put the question another way. In the same OU, multiple servers ranging from 2012, 2016, 2019 are present, and also many workstations of Windows 10, Windows 8, Windows 7 (Enterprise & Professional) are present.

    Servers are to be patched using Ansible_WSUS

    Workstations are using the existing SCCM_WSUS setup.

    Since both servers and workstations are in the same OU, which has GPO > Configure Automatic updates is disabled, the existing SCCM patching setup works fine.

    Now since Ansible_WSUS is being set up to patch servers only, we have a requirement of GPO > Configure Automatic updates to decimal value 3.

    How to configure this new setting which applies only to servers?

    Any help is greatly appreciated


  3. Amandayou-MSFT 11,046 Reputation points
    2022-04-25T03:10:02.813+00:00

    Hi @SHANMUGAMSWAMINATHAN-5167,

    Agree with Garth, it is better to move these servers to the other OU, so that these servers could apply to the specific GPO, and it is the simpler approach.


  4. Techshan 216 Reputation points
    2022-04-25T22:01:54.813+00:00

    Create a new GPO with the setting required for Ansible_WSUS patching and apply WMI filtering to that for only servers, instead of going for a separate OU.

    Is this path feasible to accomplish the requirement?

    Any advice is greatly appreciated
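
The server-only WMI filter discussed in this thread, as an added example that is not part of any participant's post: a per-machine check of whether the filter would select the host and whether the Automatic Updates policy it received matches the intended split. It assumes the filter keys on `Win32_OperatingSystem.ProductType` and reads the standard Windows Update policy registry key; the function names `Test-WmiFilterMatch` and `Get-AutoUpdatePolicy` are hypothetical.

```powershell
# Added example: run locally on a server and on a workstation from the mixed OU.
# Assumption: the GPO's WMI filter uses ProductType
# (1 = workstation, 2 = domain controller, 3 = member server).
# Use "ProductType <> 1" instead if domain controllers should also be in scope.
$FilterQuery = 'SELECT * FROM Win32_OperatingSystem WHERE ProductType = 3'

function Test-WmiFilterMatch {
    param([Parameter(Mandatory)][string]$Query)
    # A GPO WMI filter is true when the query returns at least one instance.
    try {
        $hit = Get-CimInstance -Namespace 'root\CIMv2' -Query $Query -ErrorAction Stop
        return [bool]$hit
    } catch {
        Write-Warning "WMI query failed: $($_.Exception.Message)"
        return $false
    }
}

function Get-AutoUpdatePolicy {
    # Values written by the "Configure Automatic Updates" policy setting.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
    $p = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    [pscustomobject]@{
        NoAutoUpdate = $p.NoAutoUpdate   # 1 when the setting is Disabled
        AUOptions    = $p.AUOptions      # 3 = auto download, notify for install
    }
}

$os      = Get-CimInstance -ClassName Win32_OperatingSystem
$inScope = Test-WmiFilterMatch -Query $FilterQuery
$policy  = Get-AutoUpdatePolicy

# Intended state per the thread: servers get value 3, workstations stay disabled.
$expected = if ($inScope) {
    ($policy.AUOptions -eq 3) -and ($policy.NoAutoUpdate -ne 1)
} else { $policy.NoAutoUpdate -eq 1 }

[pscustomobject]@{
    Computer     = $env:COMPUTERNAME
    ProductType  = $os.ProductType
    FilterMatch  = $inScope
    NoAutoUpdate = $policy.NoAutoUpdate
    AUOptions    = $policy.AUOptions
    AsExpected   = $expected
}
```

Run it after `gpupdate /force`; a host where `AsExpected` is false is receiving the wrong policy, typically because the new GPO's link order lets the existing "disabled" GPO win.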