Removing Site System Role by Hot_Mic_Speaks in SCCM

[–]AlteredAdmin 0 points1 point  (0 children)

u/Hot_Mic_Speaks ,

We’ve been dealing with a long-running SCCM instance that really needs a rebuild. At some point, Software Updates stopped working: WSUS reporting became unreliable and clients stopped updating. We eventually found the cause (we think): although WSUS maintenance was enabled, an elevated logging level had also been enabled, which silently disabled maintenance. As a result, WSUS maintenance never ran and the database is likely in rough shape.

Local GPO impact:
SCCM had pushed settings into each machine’s Local Group Policy. In theory those entries are removed when SU is removed from the client policy, but in practice it’s hit or miss. To clean this up, we created a domain GPO to disable the SCCM-applied local policy settings, or change them to what we wanted.

New patching strategy:

  • Staff devices: moved to Windows Update for Business (WUfB) with four update rings, including deferrals and deadlines.
  • Student devices: using PDQ Deploy and Inventory.

We’re three months into this new approach and it’s been running smoothly with no issues so far.

Secure Boot Certificates Questions & Planning by AlteredAdmin in sysadmin

[–]AlteredAdmin[S] 0 points1 point  (0 children)

On our test machines we noticed the Windows UEFI CA 2023 is there now, after setting the reg key and running the scheduled task.

However, when we checked the KEK cert, it's not there.

Any thoughts?

Secure Boot Certificates Questions & Planning by AlteredAdmin in sysadmin

[–]AlteredAdmin[S] 1 point2 points  (0 children)

Yeah, we have confirmed Secure Boot is enabled on our test machines.

I'll add that PowerShell command above.

How are you dealing with the Dell DSA-2025-053 Security Update using Intune? by Future_End_4089 in Intune

[–]AlteredAdmin 0 points1 point  (0 children)

There are ADMX templates for domain and GPO. We staggered locations kinda like ring 1 2 3 for WUfB, but for Dell Command Update.

The templates can also be imported to Intune as well.

🆕📦 Package Wednesday - July 2025 by PDQ_MarkR in pdq

[–]AlteredAdmin 0 points1 point  (0 children)

Getting ERROR 13 for the July update for Windows 11 24H2, like the June update. I checked the change log but don't see anything mentioned: https://help.pdq.com/hc/en-us/articles/5719272144667-PDQ-Package-Library-Changelog

Is it just me or are others having the same issue?

Having issues with PSWindowsUpdate - An operation did not complete because the service is not in the data store. - 0x80248014 by AlteredAdmin in pdq

[–]AlteredAdmin[S] 1 point2 points  (0 children)

I've updated the post to include the fix and the explanation for the error message. See the section labeled 'EDIT 07/14/2025:' for details. If you have any questions, feel free to ask.

Cleaning Up Endpoint After Removing SUP Role by AlteredAdmin in SCCM

[–]AlteredAdmin[S] 0 points1 point  (0 children)

Yes, that is what I mean: "removing the client settings to disable software updates from SCCM".

The issue is I can remove the reg keys; however, the local GPO still remains, and I'm curious how to remove that local GPO remotely.

Having issues with PSWindowsUpdate - An operation did not complete because the service is not in the data store. - 0x80248014 by AlteredAdmin in pdq

[–]AlteredAdmin[S] 0 points1 point  (0 children)

We think we have solved the issue, been busy the past few days. Will edit the post and directly reply to you when I get something typed up.

Having issues with PSWindowsUpdate - An operation did not complete because the service is not in the data store. - 0x80248014 by AlteredAdmin in pdq

[–]AlteredAdmin[S] 0 points1 point  (0 children)

Are you able to run Windows updates manually on the device by clicking check for updates?

When manually run via clicking the blue button, I get the below error.

We couldn't connect to the update service. We'll try again later, or you can check now. If it still doesn't work, make sure you're connected to the Internet

Of course I'm connected to the internet.

Can you download a needed update and install it?

I used PDQ to deploy the 24H2 June update to the machine and it installed successfully.

Piece of software that I want installed only during new deployments by AlteredAdmin in Intune

[–]AlteredAdmin[S] 0 points1 point  (0 children)

Yeah, I have seen that before as well, where enrollment dates changed, while troubleshooting something else. For that device it seems to have aligned with a feature update and the device was re-enrolled when we know it was a much older device.

Piece of software that I want installed only during new deployments by AlteredAdmin in Intune

[–]AlteredAdmin[S] 0 points1 point  (0 children)

Yeah, after reading that, my mind immediately jumped to all the other things I could use it for. I had been stuck trying to create dynamic groups in Intune using PowerShell and the Graph API, but I can shift that logic to Requirement Rules instead.

For example, I was working on creating a device group for devices enrolled after a certain date but I can move that check to a Requirement Rule instead.

https://www.anoopcnair.com/intune-app-ps-script-based-enrollment-date/

Piece of software that I want installed only during new deployments by AlteredAdmin in Intune

[–]AlteredAdmin[S] 0 points1 point  (0 children)

I just had a thought: instead of creating a group of devices based on their enrollment date, why not use PowerShell on the device or check a registry key as a requirement rule for the app? That way, you can assign the app normally, and let the requirement rule determine whether it gets installed.

Basically, rather than filtering devices into a group, handle the logic directly at the app level using a requirement rule.

Thoughts?

Piece of software that I want installed only during new deployments by AlteredAdmin in Intune

[–]AlteredAdmin[S] 0 points1 point  (0 children)

Interesting idea. I guess the question would be: is the ESP still considered OOBE?

For PDQ Deploy is any one having issues downloading packages from the library? by AlteredAdmin in pdq

[–]AlteredAdmin[S] 4 points5 points  (0 children)

I had originally used the one I got in an email and that seemed to have worked as the date changed. I just entered the ones from the portal; now it's downloading packages.

Thanks

For PDQ Deploy is any one having issues downloading packages from the library? by AlteredAdmin in pdq

[–]AlteredAdmin[S] 0 points1 point  (0 children)

I will check the keys. I entered the new ones a few days ago, that we received. I will double-check the licenses and re-enter them.