JacobE

Need some information regarding Automatic deployment rules & offline servicing


Morning all!

 

Ok so we have recently moved to SCCM 2012 R2, and I've been asked to look into offline servicing and automatic deployment rules. I have done so, and have a few questions regarding both.

 

Automatic Deployment Rules

 

So first off, ADR. The idea behind it is great, set the rules up, and never have to touch the updates ever again, sounds like a dream and almost too good to be true, for our firm I believe this may be the case.

 

The reason being, we have an Infosec department which dictates which updates are required each month. So for example we typically get a list, last month it was:

 

  • MS14-011
  • MS14-012
  • MS14-013
  • MS14-014
  • MS14-015

Now, only having briefly looked at the ADR side of things, from what I can tell you cannot specify exact updates (which is fair enough, how is it going to know which updates the Infosec department wants?) but can only go by classification, severity etc. Which would ultimately result in a lot more updates being deployed than we want.

 

So my question is, if I manually create the software update group with a specific name, for example "Monthly Updates", can I set up a rule to just pull the updates from that update group and deploy those without having to touch it?

 

Or is it possible to specify a rule which will match the criteria that we need and just adjust it each month to the MS numbers?

 

Offline Servicing

 

We as a company, REALLY like the sound of this. Alongside our monthly patching we have another deployment which constantly runs which includes all updates deployed previously, the reason being so when machines are built, they see this deployment and within 24hrs of being built, are fully secure. It keeps everyone happy.

With the correct implementation of offline servicing, our machines could be fully secure from the moment they hit the log on screen.

 

Question for offline servicing is, during the process it takes the WIM file, copies it, and injects the updates into the copy of the WIM; the end result is that it gives you 2 WIM files, the original, and the new one with updates. Now, I think I know the answer to this, but I want someone with experience of it to confirm. When the process is finished, and it gives you the two WIM files...the task sequences will remain untouched won't they? So we will have to go into each task sequence and adjust the WIM file they deploy to the new one with updates?

 

Obviously I don't want this process to run over the weekend, to come in on Monday to find all the task sequences potentially using a WIM that's untested!

 

Thanks in advance for the help :)

 

Jake.

Hi Jake,

 

You can search updates by bulletin or article IDs in the ADR - screenshot attached. All you'd need to do is add new ones in each month before the evaluation rule runs.

 

Regarding injecting drivers. For my business, I inject them every month after patches have been rolled out, and just update the DP with the existing image (I set it to do it automatically). So as you mention, after installing that .wim it should have the latest patches on, and when the build finishes it should be up to date.

 

I leave the install software updates step in the TS to make sure any machines built in the interim are always downloading latest updates.

 

Regarding 2 x .wim files - not sure I follow on this. You shouldn't have to modify anything, only schedule the updates to be added into the image. You should only have to update the DPs once the image says it's successfully added the updates, unless you set it to run after successful injection of updates. You can click the image and click update status at the bottom, and it will give you an idea of it. Also, right-click the OS image in the console and check the installed updates tab.

 

ConfigMgr will mount the .wim in a temp directory and use DISM to manage the new update installations into the image. It'll also keep a backup of this, but it only keeps 1. Once it's done it then restores that .wim into the package source directory where your image already was, and then once you've updated your DPs - job's a good 'un :)

 

Hope this helps.

Hi mate,

Thanks for the quick reply. The ADR stuff is awesome, we will run with that.

 

So after the offline servicing runs it still only shows 1 WIM available?

In your package source directory containing your .wim - you'll see a .wim (latest modified date) and a .wim.bak - which is your old version before updates were put in :)

 

I tend to move my .bak files across to a separate directory. Saying that - I've never had to revert back yet.

Ah ok, so it does mean the TS's will automatically use the new WIM.

 

OK great, I'm not sure my managers would be too happy with using untested WIMs straight away. Assuming it's easy enough to revert back if required? (I know you have never done it, but you might know the process :D)

Yeah it's easy.

All the service does is update your current WIM file.

 

 

Ideally you'd have these security updates deployed and tested before you add the updates in. My updates go into the .wim as soon as I get a 90% deployment success rate globally. Once I see that figure, I update the .wim - and the process begins again for the next month :)

Reverting back is simply changing the .bak to a different file name and adding it either as a new OS image in the console, or modifying your existing image to look at that .wim file - then update DPs.
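The mount / inject / backup sequence described in the earlier reply (ConfigMgr mounts the .wim, runs DISM against it, keeps a single .bak) and the .bak-based revert described just above, as an added PowerShell example. This is not code from this thread and not ConfigMgr's own servicing code; it uses the built-in DISM cmdlets so the same .wim / .wim.bak layout can be tried by hand on a copy of an image before trusting the console schedule. Every path, the image name, the index and the updates folder are hypothetical placeholders, and the revert shown is the "rename the .bak back over the current file" variant of the two options named above; the distribution points still have to be updated afterwards in either case.

```powershell
# Added example, not from the thread or from ConfigMgr. All paths below are hypothetical.
$PackageSource = 'D:\Sources\OSImages\Win7x64'   # ConfigMgr OS image package source (placeholder)
$ImageName     = 'install.wim'                    # image file name inside that folder (placeholder)
$UpdatesFolder = 'D:\Sources\Updates\2014-03'     # already-downloaded .msu / .cab files (placeholder)
$MountDir      = 'C:\Mount\Win7x64'               # scratch directory used for the mount (placeholder)
$ImageIndex    = 1                                # index inside the .wim to service

$WimPath    = Join-Path $PackageSource $ImageName
$BackupPath = "$WimPath.bak"                      # same naming as the console's single backup

function Add-OfflineUpdates {
    # 1. Keep exactly one backup; an older .bak is overwritten, like the console does.
    Copy-Item -Path $WimPath -Destination $BackupPath -Force

    # 2. Mount the chosen index read/write in the scratch directory.
    New-Item -ItemType Directory -Path $MountDir -Force | Out-Null
    Mount-WindowsImage -ImagePath $WimPath -Index $ImageIndex -Path $MountDir | Out-Null

    try {
        # 3. Inject every .msu / .cab found; a package that does not apply is reported, not fatal.
        Get-ChildItem -Path $UpdatesFolder -Include *.msu, *.cab -Recurse | ForEach-Object {
            try {
                Add-WindowsPackage -Path $MountDir -PackagePath $_.FullName -ErrorAction Stop | Out-Null
                Write-Host "Added   $($_.Name)"
            } catch {
                Write-Warning "Skipped $($_.Name): $($_.Exception.Message)"
            }
        }

        # 4. List what the image now contains (the manual equivalent of the console's
        #    'Installed Updates' tab) so the result can be checked before any DP update.
        Get-WindowsPackage -Path $MountDir |
            Where-Object { $_.PackageState -eq 'Installed' } |
            Select-Object PackageName, InstallTime
    } finally {
        # 5. Commit the changes into the .wim. Use -Discard instead of -Save to throw them away
        #    (for example after a failed injection) and leave the original image untouched.
        Dismount-WindowsImage -Path $MountDir -Save | Out-Null
    }
}

function Restore-PreviousImage {
    # Revert as described in the thread: the .bak becomes the live image again.
    # Here it is renamed back over the current file; the alternative is to give the .bak
    # another name and point a new or existing OS image at it. Update DPs afterwards.
    if (-not (Test-Path -Path $BackupPath)) { throw "No backup found at $BackupPath" }
    Remove-Item -Path $WimPath -Force
    Rename-Item -Path $BackupPath -NewName $ImageName
}

# Usage: run Add-OfflineUpdates, review the printed package list, then update the DPs in the
# console. If the serviced image turns out to be bad, run Restore-PreviousImage and update DPs again.
```

Because the console keeps only one .bak, the backup of a given month is gone the moment the next servicing run starts; copying the .bak to a separate directory, as the reply above does, is what keeps a known-good image available after more than one cycle.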

That's cool. Yeah it won't be added until the company is compliant anyway so that's not an issue. I'll put it to the heads and see what they say.

Thanks again for your help! :)
