0

SCCM is the method we deploy Windows updates to clients. We have a portion of computers that have a local group policy setting under:

Local Computer policy > Administrative Templates > Windows Components > Windows update

The setting is called "Specify intranet Microsoft update service location"

Basically the wuahandler.log is complaining of :

Enabling WUA Managed server policy to use server: http://servername.domain.local:8530

Group policy settings were overwritten by a higher authority (Domain Controller) to: Server https://servername.domain.local:8531 and Policy ENABLED

Failed to Add Update Source for WUAgent of type (2) and id ({C2F93D44-EAB3-4D5E-9330-7806157D92AD}). Error = 0x87d00692.

I can see that for whatever reason SCCM is not modifying the local group policy and its causing a conflict.

The pc's that have no issue have both the local group policy and policies under hklm > policies > windows update as the correct name (with port 8531).

I am basically asking how can i change the "specify intranet microsoft update service location ' using powershell or an automated method to remediate the 300 pc's that have a mismatched port number. modifying the HKLM keys under Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate ive already taken care of. But this is not doing anything to resolve my issue.

any help would be appreciated.

George
  • 143
  • 1
  • 1
  • 7

2 Answers2

1

There are many articles all over the web on using PowerShell and local policy management. Just search for them. Using a string like 'PowerShell manage local policy' and you will get a long list to consume.

There is even a module via the MS PowershellGallery.com for Local Policy Management.

Find-Module -Name 'PolicyFileEditor' | 
Save-Module -Path "$env:USERPROFILE\Documents\WindowsPowerShell\Modules" -Force
Install-Module -Name 'PolicyFileEditor'

And blogged about its use is here:

How to manage Local Group Policy with Powershell

You can even just secedit.

Take a look at this Q&A

So, sure you can mess with Local Policy, be if your SCCM settings getting overridden by a higher authority, then any setting you'd do wit PowerShell would as well.

Lenz
  • 13
  • 3
postanote
  • 15,138
  • 2
  • 14
  • 25
0

Please make sure that in case of SCCM/MECM or installations with system user (NT-Authority\System) you do not use -Scope CurrentUser, otherwise you will have the same problem as described here: https://github.com/PowerShell/PowerShellGetv2/issues/651

In a system context Install-Module does not create a Documents folder in the system profile if -Scope CurrentUser is used.

If you want to use -Scope CurrentUser anyway, you have to create the folder "C:\Windows\system32\config\systemprofile\Documents\PowerShell\Modules" or at least "C:\Windows\system32\config\systemprofile\Documents" first, so that the module is installed for the system user.

Lenz
  • 13
  • 3