question

NICKPOZZA-2852 asked RitaHu-MSFT edited

How to force clean AD from SCCM server.

We had tried out a version of SCCM server and have removed it, but apparently it was not removed correctly from the domain. Computers from the domain are still getting registry settings for Windows Update Service. I have done a gpresult /h on a client computer to determine what GPO is applying the setting, but there is no reference to this server in any GPO settings that are applied.

As a temp fix, I had added a setting to delete these two registry entries, but I know this is not correct. Is anyone able to provide assistance?

Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\WUServer - http://sccmsrv01.domain.local
Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\WUStatusServer - http://sccmsrv01.domain.local

There may be other settings that are applying, but these are preventing computers from contacting Microsoft servers.

mem-cm-updates

EswarKoneti-MVP answered

Are these clients assigned to the new site already that manages the patching? If so, they will update the WSUS entries automatically. But if you have created a GPO and stamped the values into the registry, you will have to get rid of it (GPO), else they always take high priority over the local GPO (ConfigMgr creates a local GPO with WSUS entries).

Thanks,
Eswar
www.eskonr.com


AJTek-Adam-J-Marshall answered

Please take a look at my guide here:

https://www.ajtek.ca/wsus/reset-windows-update-gpo-settings/

NICKPOZZA-2852 answered

The SCCM server is no longer in existence in our domain. The server was removed but must have been removed incorrectly. We are trying to use the Microsoft public update server, not an internal server. I have gone through all GPOs that exist in the domain and those that are being applied to the specific client PC that I am working on. None show they are applying these WSUS server settings.

If I disable the GPO that deletes these registry entries and do a gpupdate /force, the registry entries re-appear. Where are they being applied from? If I do a gpresult /h on the client PC and then do a Ctrl+F and search for http://sccmsrv01.domain.local, no results are found.

Should I be looking into ADSI Edit or something?

AJTek-Adam-J-Marshall answered NICKPOZZA-2852 commented

Did you read my guide? It explains that.

Yes, after running the commands I checked the registry and they were removed. Upon rebooting the machine, the registry settings came back.

These settings are being applied by the domain but I don't know how and where.

NICKPOZZA-2852 answered

I believe I have figured out the problem. Now to figure out mass deployment of the setting to all computers.

I did a Google search of the UseWUServer registry key to look up what this setting actually does. I came across this post - https://social.technet.microsoft.com/Forums/en-US/f349ce2e-7363-4047-825e-6bcecce1af2e/updates-through-microsoft-instead-of-sccm-or-wsus?forum=configmgrgeneral

That person stated this question - With SCCM setting the local policy for update location, is there a way to set a GPO that would override the local policy but still go to Microsoft for their updates instead of an internal WSUS server?

I pulled up the local group policy on this client PC and sure enough the WSUS server settings were there. After setting them to Not Configured, running gpupdate /force and rebooting, the settings are gone for good.

Again, what would be the appropriate way to apply this to all PCs on the domain?

NICKPOZZA-2852 answered Amandayou-MSFT commented

Thoughts on this option to reset all local group policies?

https://www.windowscentral.com/how-reset-local-group-policy-objects-their-default-settings-windows-10

  1. Open Start.

  2. Search for Command Prompt, right-click the top result, and select the Run as administrator option.

  3. Type the following command to reset all the Group Policy settings and press Enter:

     RD /S /Q "%WinDir%\System32\GroupPolicyUsers" && RD /S /Q "%WinDir%\System32\GroupPolicy"

  4. Type the following command to update the changes in the Local Group Policy console and press Enter:

     gpupdate /force

  5. (Optional) Restart your computer.

Hi,

Thanks for sharing. You could accept your answer by clicking "Accept Answer" to help others who have the same issue.

Best regards,
Amanda

AJTek-Adam-J-Marshall answered NICKPOZZA-2852 commented

Is the SCCM client installed? Remove it, then wipe the registry again and try again.

No, there is no SCCM Client installed.

AJTek-Adam-J-Marshall answered NICKPOZZA-2852 commented

Any other RMM clients? Like SolarWinds?

Yes, Logmein Central.

AJTek-Adam-J-Marshall answered NICKPOZZA-2852 commented

Uninstall it for testing and see if it resolves it after removing the registry key again.

I appreciate your assistance in trying to resolve this problem. But I strongly disbelieve this has anything to do with RMM, as this was put in place from the SCCM server that was tested out. Also, we just moved to Logmein Central recently from a previous RMM.

Unless you have other ideas involving the domain, I will wait for others to chime in.

Again thank you for your assistance.

AJTek-Adam-J-Marshall answered NICKPOZZA-2852 edited

If you run

 gpresult /h gpo.htm

And it shows that you don't have that setting set up, it is being pegged by an RMM system.

Correct. When I do a search in that gpo.htm for http://sccmsrv01.domain.local, 0 results are found. However, http://sccmsrv01.domain.local is listed in the local group policy on the client machine. The previous RMM did not have settings to control WSUS settings or any Windows Update settings. The new RMM does, but it only works with the Microsoft public update server, not a private WSUS. With the previous RMM we did use an internal WSUS (different server name than the SCCM server) but not the SCCM. Once we removed the GPO for the internal WSUS, that is when this SCCM setting was discovered. The SCCM server did not last longer than 30 days before it was removed, but I thought it was not removed correctly as the settings were still being applied.

Once I cleared the local group policy from the client machine, http://sccmsrv01.domain.local is no longer being applied.

I am trying to figure out a way to apply this to all PCs connected to the domain, just to be sure these SCCM settings are not preventing computers from contacting the MS update server. I don't want to touch every computer by hand if needed.

0 Votes 0 ·
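
One way to check many machines for the situation found in this thread, as an added example that is not part of the thread or of the linked guides: a PowerShell script that reports whether the retired server's URL is in the effective Windows Update policy values and in the local GPO's Registry.pol, and can optionally perform the reset quoted above. The script layout, the function name `Get-WsusPolicyState` and the `-ResetLocalPolicy` switch are assumptions; it has to run elevated, and the reset clears all local policy settings on the machine, not only the WSUS ones.

```powershell
# Added example (not from the thread). Run elevated on a domain client.
param(
    [string]$StaleServer = 'sccmsrv01.domain.local',  # retired server named in the thread
    [switch]$ResetLocalPolicy                         # hypothetical switch: also do the reset
)

$wuKey    = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$localPol = Join-Path $env:WinDir 'System32\GroupPolicy\Machine\Registry.pol'

function Get-WsusPolicyState {
    # Effective policy values, i.e. what the Windows Update client reads
    $wu = Get-ItemProperty -Path $wuKey -ErrorAction SilentlyContinue
    $au = Get-ItemProperty -Path "$wuKey\AU" -ErrorAction SilentlyContinue

    # Registry.pol holds its strings as UTF-16LE. Mapping bytes 1:1 to chars
    # (Latin-1) makes the search independent of where an entry is aligned.
    $inLocalPol = $false
    if (Test-Path $localPol) {
        $latin1 = [System.Text.Encoding]::GetEncoding(28591)
        $hay    = $latin1.GetString([System.IO.File]::ReadAllBytes($localPol))
        $needle = $latin1.GetString([System.Text.Encoding]::Unicode.GetBytes($StaleServer))
        $inLocalPol = $hay.IndexOf($needle, [StringComparison]::OrdinalIgnoreCase) -ge 0
    }

    [pscustomobject]@{
        Computer        = $env:COMPUTERNAME
        WUServer        = $wu.WUServer
        WUStatusServer  = $wu.WUStatusServer
        UseWUServer     = $au.UseWUServer
        StaleInRegistry = "$($wu.WUServer) $($wu.WUStatusServer)" -match [regex]::Escape($StaleServer)
        StaleInLocalGpo = $inLocalPol   # stale URL is present in the local GPO file
    }
}

$before = Get-WsusPolicyState
$before

if ($ResetLocalPolicy -and $before.StaleInLocalGpo) {
    # Same reset as the quoted Windows Central steps: clears ALL local policy
    foreach ($dir in 'GroupPolicyUsers', 'GroupPolicy') {
        $path = Join-Path $env:WinDir "System32\$dir"
        if (Test-Path $path) { Remove-Item -Path $path -Recurse -Force }
    }
    & gpupdate.exe /force | Out-Null
    Get-WsusPolicyState   # report again after the policy refresh
}
```

Without `-ResetLocalPolicy` the script only reports, so it can be run first to see which machines still carry the setting before anything is deleted.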