Jump to content


Howard

Established Members
  • Content Count

    8
  • Joined

  • Last visited

Community Reputation

1 Neutral

About Howard

  • Rank
    Newbie
  1. I am implenting ADR for patch managment and I am having a bit of a Property filter issue. I would like to create an ADR that creates monthly deployments for my patch managment that I have control on when deploying. So I have checked Create new Software Update Group under general and cleared the "enable the deployment after this rule is run". My problem is setting up the property filters under software updates. Here are my concern: If I check "date released or revised" and set it to last 30 days, my first Software Update Group will only have Updates valid for the last 30 days. If I don't set that time frame it will create a new group each month with all the current updates and over time that will put me over the 1000 update mark esplecially if I incorprate SCUP. What should i do to set that first deployment or how should i setup my property filters? Any thoughts?
  2. I figured I start a new post on this. My CIO and I have been going back and forth on this question for several days now and I want to share some insight and get some opinions. We used this post as a starting point http://blogs.technet...nager-2012.aspx Our Goals Protect all Windows 7 Machines with the latest security patches (Builten Id:MS) and Updates Protect all deployments of Mircrosoft - Now Windows Desktop (Office, Visual Studio, ETC) with latest security patches and updates Protect all Windows 2008R2 Servers with the latest security patches and Updates Protect all deployments of Adobe Acrobat, Adobe Reader, Adobe Flash with securty Updates and Patches Deploy Latest Drivers and Updates to our Dell PC's Monitor Compliance of Deployments Implementation, Limitations & Concerns All Updates Create an All Update Group for Reporting Purposes. We Selected all updates and put them in this group. DO NOT DEPLOY this group to anyone. We will use it only for reporting Purposes. (Not sure exactly how yet) WIndows 7 Machines Inital Setup 1. Create an Initial Updates Package. We called it "Windows 7 Software Udpates - Initial". This package contained all updates up to and including 05.31.2012. Our Search Criteria consisted of: Product=WIndows7 Expired=no Superseeded=No Date Released or Revised is less than or equal to 05/31/2012 This gave us at the time of writing this 286 Updates 2. Create The Monthly Update Package for June 2012. We called it "Windows 7 Software Updates - 2012 06" This Package contained all the updates in the month of June. Similiar Search criteria as above only different Date Range. This gave us 37 More Updates 3. Both of these Software Updates Groups where then deployed to a "Windows 7 Machines" Device Collection we created based on the following WMI Query: select SMS_R_SYSTEM.ResourceID,SMS_R_SYSTEM.ResourceType,SMS_R_SYSTEM.Name,SMS_R_SYSTEM.SMSUniqueIdentifier,SMS_R_SYSTEM.ResourceDomainORWorkgroup,SMS_R_SYSTEM.Client from SMS_R_System where SMS_R_System.OperatingSystemNameandVersion like "%Workstation 6.1%" Monthly Procedure Create a New Monthly Update Package after each "Patch Tuesday" and Deploy it to our Windows 7 Machine Device Collection. (We may do an Automatic Deployment Rule for this that we can later Green Light, not sure how to yet. We are currently using an ADR for Endpoint Protection Definiton Updates) Remove all the Expired and Superseeded updates from all Deployments - Just create a search criteria for Expried and Supersceded to yes and Edit Membership. Uncheck the Check Box and they will remove themselves from your deployment group and delete themselves off the server in 7 days. Another good post about this procedure http://blogs.technet.com/b/configmgrteam/archive/2012/04/12/software-update-content-cleanup-in-system-center-2012-configuration-manager.aspx Update the All Software Group with New Updates Concern - We will never be able to delete any of our Monthly Updates or the Intitial Update package as that would create a hole in our security Updates. I.E. If a laptop left the network for 6 months and came back. I am not sure if I care, it's just that in 5 years I will have 60 of these Update Groups. I also do not know if having so many deployments will effect Client / Server Performance in anyway. Microsoft - Non-Windows Inital Setup 1. Create an Initial Updates Package. We called it "Microsoft Udpates - Initial". This package contained all updates up to and including 05.31.2012. Our Search Criteria consisted of: Product=Expression Design 4 Product=Office 2010 Product=Visual Studio 2010 Expired=no Superseded=No Date Released or Revised is less than or equal to 05/31/2012 This gave us at the time of writing this 103 Updates 2. Create The Monthly Update Package for June 2012. We called it "Microsoft Updates - 2012 06" This Package contained all the updates in the month of June. Similiar Search criteria as above only different Date Range. This gave us 2 More Updates 3. We had to create serveral deployments for this. One for each application that we deployed. Concern/Question 1. Again you will not be able to delete any of these deployments for threat of creating a security hole. 2.. Should we just combine the packages and deploy them to all Windows 7 Machines? Will this create any Client/Server Performance Issues? Adobe Updates **This Assumes you have already setup SCUP and have an understanding of it. We used this youtube tutorial to get started. http://www.youtube.com/watch?v=fyEGWSFWyy0 SCUP In SCUP we are going to Create 2 Publications. One for the intial Deployment and then another for the Monthly Updates. You will find that the updates here or a bit more infrequent and you may switch to a quaterly update 1. The Inital Publication we selected all updates, there were 39. 2. We assign the updates to a new Publication called "Adobe Updates - Inital" 3. We published Full Content 4. We will do the same thing for "Adobe Updates- 2012 06" ***Not 100% sure we need to seperate out these updates or if we can publish to an all encompasing group. Inital Setup 1. Create an Initial Updates Package. We called it "Adobe Udpates - Initial". This package contained all updates up to and including 05.31.2012. Our Search Criteria consisted of: Product=Adobe Acrobat Product=Adobe Reader Product=Adobe Flash Player Expired=no Superseded=No Date Released or Revised is less than or equal to 05/31/2012 This gave us at the time of writing this 39 Updates 2. Create The Monthly Update Package for June 2012. We called it "Adobe Updates - 2012 06" This Package contained all the updates in the month of June. Similiar Search criteria as above only different Date Range. This gave us 2 More Updates 3. We had to create serveral deployments for this. One for each application that we deployed. Same Concerns and Questions 1. Again you will not be able to delete any of these deployments for threat of creating a security hole. 2.. Should we just combine the packages and deploy them to all Windows 7 Machines? Will this create any Client/Server Performance Issues? Conclusions I know I left out a bunch here, Still have to discuss Windows Server 2008 Updates and Dell Update. THe main thing we are still trying to figure out if it is OK just to have Several Big Intial Updates and then Just one Software Update for Everything. How will that effect client/server performance. I will clean this post up over time. Just wanted to get some feed back to start. Not sure if I am overthinking this or not..
  3. I also found this which is an interesting read. http://blogs.technet.com/b/server-cloud/archive/2012/02/20/managing-software-updates-in-configuration-manager-2012.aspx
  4. I acutually like to bump this subject as I find myself struggling to come up with a normal or typical deployment. First Question I have is for JOSH. I like the idea of pushing your updates up to all software updates group to protect you from a security hole, but what happens when you reach 500 updates. I thought there was a limit to the amount updates you could store in a group. How do you deal with the managment of updates groups....i.e. dropping the expired updates form the group? I think the site would benefit as a whole with a recommended procedures guide for this. In your guide on setup and setting up SCCM 2012 with Software Updates you only cover MS or security updates, it suttle but I think some people would miss it. Coming from a WSUS deployment to this is extremly frustrating because there seems like there is so much more work to do and more to think about.. I would love to see a guide that kinda gives the "best practices" for this type of user. I just want to say that I think that this website is by far the best resource on the web for SCCM 2012. KUDOS.
  5. Fair point peter. I am a bit of a noob with SCCM. THe last time I used this tool was SMS so a lot has changed for me. I will do my research on Settings Management as it sounds like a powerful tool. Could you post an example of the script you are using to deploy your MSP's and take me through the workflow? For Example: Day 1 Adobe Releases Reader X 10.1.0 - You deliver the simple MSI to a target machine/user Collection Day 45 Adobe Release Reader X 10.1.1 - How do you deliver the MSP to your existing Collection. Day 90 Adobe releases Reader X 10.1.2 - How do you deliver the MSP to the same collection plus you added 100 Machines/People, how do they get the application. Do you deploy the base MSI plus Each Patch or do you only deliver 10.1.0 and the MSP for 10.1.2. What does this look like in your Software Library? What does your Collection Look Like? Are there multiple Applications are you using Packages to accomplish this? Sorry for all the questions but you have me intrigued as I thought I had this nailed already.
  6. @ Peter 33 No sure I understand what "Setting Management" is? Is that something in SCUP? My plans is to do the following: Assume 10.0.1 is already packaged because no MSP is needed. We can talk about transforms if you like but that is a separate issue. 1. msiexec /a "PATHTO\AdbeRdr1010_en_US.msi" 2. Go through the prompts and put the files in a Network Location 3. msiexec /a "NetworkPATHTO\AdbeRdr1010_en_US.msi" /p "PATHTO\AdbeRdrUpd10.11.msp 4. Create A new package called Adobe Acrobat 10.1.2 and point to the Network MSI. You will notice that the MSI is now expanded and should only be about 2 mb. This means you can not move the folders until after you create the package. 5. Supersede Adobe Acorboat 10.1.0 with Acrobat 10.1.2 and check uninstall. 6. Deploy Application to you Test Group. Now if you want to apply transform and lets say remove the desktop icon or turn off update you would simply create the transform with the ADobe Reader Customization Tool X and at Transform=Nameoftransform.mst in the Commandl ine and deploy @bennettjd With the current Adobe Strategy. You can apply the msp for 10.1.4 to the 10.1.0 package and not have any issues. You can set SCCM to Uninstall the existing package if you like in the supersede
  7. So I have official given up on trying to patch the MSI and am using the AIP/Slipstream method. My only concern is that my CCMCACHE will get significantly bigger over time.
  8. So you guys recommend either using 1. SCUP for Adobe updates or 2. using AIP and deploying a new slipstreamed MSI with the patches that supersceedes the fist package. You couldn't just use a new package that superscedes the main package with a command like this: msiexec /i "AdbeRdr1010_en_US.msi" patch="\\sccm1\SCCM Sources\Acrobat Reader 10x\AdbeRdrUpd1012.msp" /q I've tried but have run into some issues getting it to deploy.
×
×
  • Create New...