Remove Uninstall Status from WSUS/SCCM

Before synchronizing our WSUS and SCCM services, we had a Vista update in SCCM with an approval of "Approved for Removal." Now that the synchronization has been set up and completed, the clients are successfully reporting and pulling updates through SCCM. I've gone into WSUS and changed the approval for that update to "Install." I also deployed the update through SCCM. The problem I am having is that the update is being removed afterward and is showing in the client's recent update list as "(Uninstall)." I am guessing that the clients did not receive the approval status change in WSUS because they now report to SCCM instead. Is there any way to fix this?
abyss0208 Asked:
abyss0208 Author Commented:
It turns out the WSUS IIS settings had been screwed up during hardening of the settings.  Once it was fixed the clients started reporting to WSUS again and it received the reversal of the approval for that particular update.  Clients are continuing to receive new Microsoft Updates from SCCM.

Thanks for the suggestions.
merowinger Commented:
Why do you use SCCM and WSUS at the same time?!
abyss0208 Author Commented:
We only manage our patches now through SCCM.  The WSUS is still required to pull the updates from Microsoft and get synched to the WSUS.
fr0nk Commented:
Don't even open the WSUS console when you're using SCCM to handle your updates. It is almost impossible not to screw something up when using both (SCCM and WSUS console) at the same time.

The behaviour of your client entirely depends on the policy the client gets.

When you enable the appropriate software update client component, the client will create a LOCAL GPO and try to apply it. However, if there's any GPO in your domain that is applying any different setting, the client will complain about it in the WUAHandler.log with the string:
Group policy settings were overwritten by a higher authority (Domain Controller)

So there's no way the local policy from the agent can win when a different GPO is coming from your domain.
When you enable software updates, the WSUS client is only being used for reporting the patch level, not for installing the patches.

Do the following:
- Reinstall the Software Updates Point. During the installation the SUP will configure the WSUS. Don't touch the WSUS afterwards.
- On that particular client, uninstall the agent (ccmsetup.exe /uninstall -> ccmsetup.exe is located on your Site server in the shared installation directory of SCCM inside a "Client" directory).
- Try to manually remove this particular patch on the client
- Reinstall the client agent and observe WUAHandler.log


Hope this helps
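The log check described in the answer above, as an added example that is not part of the original thread: a PowerShell function that pulls the Group Policy override message out of WUAHandler.log lines. The function name, the sample lines and the server name in them are constructed for illustration, and the CMTrace-style entry layout is an assumption about the log format.

```powershell
# Added example (PowerShell 3.0+). Get-WuaPolicyOverride is a hypothetical helper name.
function Get-WuaPolicyOverride {
    param(
        [Parameter(Mandatory = $true)][string[]]$Line   # raw log lines, e.g. from Get-Content
    )
    # The string quoted in the answer above.
    $needle = 'Group policy settings were overwritten by a higher authority'
    # Assumed CMTrace-style entry: <![LOG[message]LOG]!><time="..." date="..." component="..." ...>
    $entry = '<!\[LOG\[(?<msg>.*?)\]LOG\]!><time="(?<time>[^"]+)" date="(?<date>[^"]+)" component="(?<comp>[^"]*)"'
    foreach ($l in $Line) {
        if ($l -notlike "*$needle*") { continue }
        if ($l -match $entry) {
            [pscustomobject]@{
                Date      = $Matches['date']
                Time      = ($Matches['time'] -split '[+-]')[0]   # drop the UTC offset
                Component = $Matches['comp']
                Message   = $Matches['msg']
            }
        } else {
            # Not in the assumed format: still report the hit as plain text.
            [pscustomobject]@{ Date = $null; Time = $null; Component = $null; Message = $l.Trim() }
        }
    }
}

# Constructed sample lines (not taken from a real client).
$sample = @(
    '<![LOG[Enabling WUA Managed server policy to use server: http://wsus.example.test:8530]LOG]!><time="09:14:07.512+300" date="03-04-2013" component="WUAHandler" context="" type="1" thread="2764" file="sample">'
    '<![LOG[Group policy settings were overwritten by a higher authority (Domain Controller)]LOG]!><time="09:14:09.840+300" date="03-04-2013" component="WUAHandler" context="" type="3" thread="2764" file="sample">'
    '<![LOG[Scan completed]LOG]!><time="09:20:31.101+300" date="03-04-2013" component="WUAHandler" context="" type="1" thread="2764" file="sample">'
)

$hits = @(Get-WuaPolicyOverride -Line $sample)
$hits | Format-Table Date, Time, Component, Message -AutoSize
if ($hits.Count -gt 0) {
    "A domain GPO overrode the agent's local policy $($hits.Count) time(s); check which GPO sets the Windows Update server."
}

# On a client, pass the real log instead (path supplied by you, not stated on this page):
#   Get-WuaPolicyOverride -Line (Get-Content -Path $pathToWuaHandlerLog)
```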
abyss0208Author Commented:
Problem corrected itself after resetting permissions in IIS.
Question has a verified solution.