We have deployed SUS for clients (desktops and laptops). The good part is it works reasonably well, and (surprise!) even remote (VPN) clients get their patches. Some SUS clients still get the Windows Update icon in their system tray prompting them to install new updates downloaded from Microsoft. The GPO settings specify local SUS server, install automatically at 6:00 a.m. every day and prompt for reboot.
Are the clients still getting their updates from the Windows Update Web site? (I know for sure they are getting the group policy and updates from SUS as well.) Do both update mechanisms co-exist on some PCs? How can Windows Update be completely disabled?
This was first published in November 2003