question

0 Votes
Techshan asked SherryKissinger-ECM commented

SCCM vs Ansible conflict


Hi,

Currently in our environment, SCCM is used for patching Windows servers & workstations. Our Active Directory has multiple OUs which consist of sub-OUs at multiple levels.

With this setup, SCCM is being utilised for patching, in which one of the prerequisites is that Configure Automatic updates is disabled. This is already set in one of the domain GPOs.

Now we are planning to switch over to Ansible instead of SCCM, only for Windows servers.
One of the requirements from Ansible is to set Configure Automatic updates to decimal value 3.

The important thing is that currently Windows servers and workstations are present in the same OU. No proper OU structure is maintained to separate servers from workstations.

Can anybody please advise how to set this new value of 3 without disturbing the OU structure, in which servers and workstations are mixed?




windows-server mem-cm-general

0 Votes
Amandayou-MSFT answered

Hi @SHANMUGAMSWAMINATHAN-5167,

Thanks for your reply.

As per my experience, each GPO associated with a group can only be applied to devices running the correct version of Windows. Use the Group Policy Management MMC snap-in to create and assign WMI filters to the GPO.

If we need to put specific servers in Ansible_WSUS using WMI filters, the requirement for filtering is server version. If there is an overlap in the versions between Ansible_WSUS and SCCM_WSUS setup, this method cannot be used.

Here is the article we could refer to:
https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-firewall/create-wmi-filters-for-the-gpo


If the answer is the right solution, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.




0 Votes
Techshan answered

I will put the question in another way. In the same OU, multiple servers ranging from 2012, 2016, 2019 are present and also many workstations of Windows 10, Windows 8, Windows 7 (Enterprise & Professional) are present.

Servers are to be patched using Ansible_WSUS

Workstations are using the existing SCCM_WSUS setup.

Since both servers and workstations are in the same OU, which has GPO > Configure Automatic updates is disabled, the existing SCCM patching setup works fine.

Now, since Ansible_WSUS is being set up to patch servers only, we have a requirement of GPO > Configure Automatic updates to decimal value 3.

How to configure this new setting which applies only to servers?

Any help is greatly appreciated


1 Vote
Garth answered

Look into GPO filters. But really the answer is to move the servers to another OU.


0 Votes
Amandayou-MSFT answered Amandayou-MSFT edited

Hi @SHANMUGAMSWAMINATHAN-5167,

Agree with Garth, it is better to move these servers to the other OU, so that these servers could apply to the specific GPO, and it is the simpler approach.



If the answer is the right solution, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.



0 Votes
Techshan answered SherryKissinger-ECM commented

Create a new GPO with the settings required for Ansible_WSUS patching and apply WMI filtering to that for only servers, instead of going for a separate OU.

Is this path feasible to accomplish the requirement?

Any advice is greatly appreciated


My opinion: yes. WMI filtering on the GPO, so the right one only applies to the servers. Plenty of examples on the internet on GPOs and WMI filtering.

If you have an existing GPO that is currently meant for "all" but will soon only be meant for "workstations", you may also want to add a WMI filter to THAT existing one as well, to limit to workstations.

0 Votes 0 ·
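
The WMI-filter approach discussed in this thread, as an added example that is not part of any participant's post: the two WQL queries that split servers from workstations by `Win32_OperatingSystem.ProductType` rather than by OS version, plus a local check of which Configure Automatic Updates state a machine has actually received. It assumes domain controllers are patched together with the member servers; the labels reuse the thread's Ansible_WSUS and SCCM_WSUS names.

```powershell
# Added example: run locally on a machine to preview which WMI filter it matches
# and which Automatic Updates policy state it currently has.

# WQL for the two GPO WMI filters (namespace root\CIMv2).
# Win32_OperatingSystem.ProductType: 1 = workstation, 2 = domain controller, 3 = member server.
$filters = [ordered]@{
    # Assumption: DCs are patched with the servers; use "ProductType = 3" to exclude them.
    'Servers (Ansible_WSUS GPO)'   = 'SELECT * FROM Win32_OperatingSystem WHERE ProductType <> 1'
    'Workstations (SCCM_WSUS GPO)' = 'SELECT * FROM Win32_OperatingSystem WHERE ProductType = 1'
}

$results = foreach ($name in $filters.Keys) {
    # A GPO WMI filter passes when its query returns at least one instance.
    $hit = @(Get-CimInstance -Namespace 'root\CIMv2' -Query $filters[$name] -ErrorAction Stop).Count -gt 0
    [pscustomobject]@{ Filter = $name; Applies = $hit; Query = $filters[$name] }
}
$results | Format-Table -AutoSize -Wrap

# Registry values written by the "Configure Automatic Updates" policy:
#   policy Disabled          -> NoAutoUpdate = 1
#   policy Enabled, option 3 -> NoAutoUpdate = 0, AUOptions = 3
$auKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
$au    = Get-ItemProperty -Path $auKey -ErrorAction SilentlyContinue

$current = if (-not $au) {
    'Not configured by policy'
} elseif ($au.NoAutoUpdate -eq 1) {
    'Disabled'
} else {
    "Enabled, AUOptions = $($au.AUOptions)"
}

# Expected state per role, following the thread: servers get value 3, workstations stay disabled.
$isServer = (Get-CimInstance -ClassName Win32_OperatingSystem).ProductType -ne 1
$expected = if ($isServer) { 'Enabled, AUOptions = 3' } else { 'Disabled' }

[pscustomobject]@{
    Computer = $env:COMPUTERNAME
    Role     = if ($isServer) { 'Server' } else { 'Workstation' }
    Current  = $current
    Expected = $expected
    Match    = ($current -eq $expected)
}
```

Because `ProductType` does not depend on the Windows version, these filters keep working when server and workstation releases overlap in the same OU. Run `gpupdate /force` before the check so the registry reflects the GPOs currently linked.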