BenNg-9774 asked BenNg-9774 commented

Azure Update Management Approval Source

Hi guys

I have just created Azure Update Management for my servers. Then I tried to switch the update source from SCCM to WSUS. But the Update Approval Source didn't change to WSUS, so the servers have not installed the updates even though the status is "Not Compliance" and they have missing updates.

Can someone let me know how I can change the Approval Source?

Many thanks

Ben

azure-automation

@BenNg-9774 Thanks for reaching out. I am looking into it and will update you in a while.

1 Vote 1 ·

@BenNg-9774 How did you change the approval source? Please provide a reference if you have one.

0 Votes 0 ·
BenNg-9774 Gousiyasayyad-0385 ·

I used GPO to change the Windows Update Server from SCCM to WSUS.

Now the servers can get updates from WSUS instead of SCCM, but it doesn't show on Azure Update Management. So the AUM failed to install the updates from WSUS even though it is showing missed updates.



0 Votes 0 ·

1 Answer

SwathiDhanwada-MSFT answered BenNg-9774 commented

@BenNg-9774 Welcome to Microsoft Q & A Community Forum. Azure Automation Update Management relies on the Windows Update client to download and install Windows updates. Windows machines need to be configured to report to either Windows Server Update Services or Microsoft Update. Within the Automation Update Management Portal there is a column entitled "Update Approval Source".


SCCM = VM is configured with the SCCM client which is configured with the ability to use SCCM for patching
Windows Update = install Windows OS updates only
Microsoft Update = install Windows OS updates and security updates for other Microsoft products.

This indicates where the Windows VMs get their Updates from, and the three options are as follows

| Update Approval Source | Meaning | Link |
|---|---|---|
| SCCM | SCCM client is installed and configured to use SCCM for patching | https://supportability.visualstudio.com/AzureAutomation/_wiki/wikis/Azure-Automation.wiki/586282/HT-Check-to-see-if-a-Windows-machine-is-configured-to-use-SCCM-to-get-patches |
| WSUS | Client is configured to get its patches from WSUS. Note that if a machine is configured to get its patches from WSUS AND it also has the SCCM client installed and configured for patching then this will show as SCCM | https://docs.microsoft.com/de-de/security-updates/windowsupdateservices/18127499 |
| Microsoft Update | Receive updates for other Microsoft products when you update Windows is checked under Check for Updates - advanced options* | https://support.microsoft.com/en-us/topic/how-to-enable-and-to-disable-microsoft-update-90bc0156-b08e-8045-25a7-2d0543061ed2 |
| Windows Update | Receive updates for other Microsoft products when you update Windows is NOT checked under Check for Updates - advanced options* | |

Within Azure Update Management we only report the setting; we do not set it. However, it can be changed on the Windows system using GPO and via the update settings GUI.

You can configure Receive updates for other Microsoft products when you update Windows using Group Policy. However, the setting does not take effect right away, like it does when you manually select the GUI option Check for Updates - advanced options.

Group Policy editor
"Computer Configuration\Administrative Templates\Windows Components\Windows Update"
"Configure Automatic Updates"
"Configure automatic Updating: 7" (7 should be the value for Windows 2016 servers and higher, 3 otherwise)
"Install updates for other Microsoft products" bottom left of the pane



Applying the policy setting above results in the following registry entries, allowing Windows Server 2016 and higher to automatically download updates (AuOptions=7) and configuring the system for Microsoft Updates (versus only Windows Updates).

 HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
 AllowMUUpdateService = 1  (REG_DWORD)
 AUOptions = 7 (REG_DWORD)
 NoAutoUpdate = 1 (REG_DWORD)
 ScheduleInstallDay = 7 (REG_DWORD)
 ScheduleInstallTime = 3  (REG_DWORD)

Below is the PowerShell script we use to determine if a Windows client is configured for only "Windows Update" or "Microsoft Update":


    # Ask the Windows Update Agent which update service is registered with Automatic Updates
    $UpdateServiceManager = New-Object -ComObject "Microsoft.Update.ServiceManager"
    $serviceName = ""
    $UpdateServiceManager.Services | ForEach-Object {
        if ($_.IsRegisteredWithAU) {
            $serviceId = $_.ServiceID

            if ($serviceId -eq "9482f4b4-e343-43b6-b170-9a65bc822c77") {
                # Windows OS updates only
                $serviceName = "Windows Update"
            } elseif ($serviceId -eq "7971f918-a847-4430-9279-4a52d1efe18d") {
                # Windows OS updates plus updates for other Microsoft products
                $serviceName = "Microsoft Update"
            }
        }
    }
    Write-Output $serviceName


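Added example, not part of the answer above and not Azure Update Management's own logic: a PowerShell function that applies the precedence from the answer's table (SCCM over WSUS over Microsoft Update / Windows Update) to the local machine. The function name, the use of the `CcmExec` service as the sign of an installed SCCM client, and the `UseWUServer` / `WUServer` policy check for WSUS are assumptions.

```powershell
# Added example: estimate the "Update Approval Source" from local settings.
# Get-UpdateSourceEstimate is a hypothetical name; the checks are assumptions,
# not the logic Azure Update Management itself runs.
function Get-UpdateSourceEstimate {
    $wuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    $wu = Get-ItemProperty -Path $wuKey -ErrorAction SilentlyContinue
    $au = Get-ItemProperty -Path "$wuKey\AU" -ErrorAction SilentlyContinue

    # Assumption: the CcmExec service exists only when the SCCM client is installed.
    $ccm = Get-Service -Name 'CcmExec' -ErrorAction SilentlyContinue

    # Assumption: WSUS is in effect when policy sets UseWUServer = 1 and a WUServer URL.
    $wsus = ($null -ne $au) -and ($au.UseWUServer -eq 1) -and
            -not [string]::IsNullOrWhiteSpace($wu.WUServer)

    # Same service IDs as the script in the answer.
    $known = @{
        '9482f4b4-e343-43b6-b170-9a65bc822c77' = 'Windows Update'
        '7971f918-a847-4430-9279-4a52d1efe18d' = 'Microsoft Update'
    }
    $sm = New-Object -ComObject 'Microsoft.Update.ServiceManager'
    $registered = @($sm.Services |
        Where-Object { $_.IsRegisteredWithAU -and $known.ContainsKey($_.ServiceID) } |
        ForEach-Object { $known[$_.ServiceID] })

    # Precedence from the table: SCCM wins over WSUS, WSUS over the public services.
    if ($ccm) {
        $source = 'SCCM'
    } elseif ($wsus) {
        $source = 'WSUS'
    } elseif ($registered -contains 'Microsoft Update') {
        $source = 'Microsoft Update'
    } else {
        $source = 'Windows Update'
    }

    [pscustomobject]@{
        EstimatedSource      = $source
        SccmClientService    = if ($ccm) { $ccm.Status.ToString() } else { 'not installed' }
        WsusServer           = $wu.WUServer
        UseWUServer          = $au.UseWUServer
        AllowMUUpdateService = $au.AllowMUUpdateService
        # True when a WSUS policy is set but the SCCM client is still installed,
        # which the table says is reported as SCCM.
        WsusMaskedBySccm     = [bool]($ccm -and $wsus)
    }
}

Get-UpdateSourceEstimate | Format-List
```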

@SwathiDhanwada-MSFT Thanks for your update. However, if we uninstall the SCCM client, can we have WSUS as approval source?

0 Votes 0 ·