rrasco

New Machines - Installing Past Updates


I am curious, how does everyone handle patching new machines? When I join a new machine to the domain and move it to the correct OU, SCCM pushes out the client, installs SCEP, and patches the machine with all previously deployed Update Groups through the use of ADRs.

 

My question is, what about the patches that you didn't have an Update Group for? Such as updates that were published prior to using ADRs? If you only have the product date set to last 1 day and run on Patch Tuesday, wouldn't that effectively miss all previous updates? What do you guys do to get new machines up to date prior to letting SCCM patch what it knows about?


You have a couple of options. Ideally, your previously approved patches should still be in effect, until they expire. A lot of people also make a package for older patches, just to catch any machines that come into the environment, which are out of date.

 

For instance, you could have a package for Windows 7 security updates in the year 2012. Another package for 2013. And then, each month in 2014 will have a package, which is still applicable/active, and will get pushed to the newly joined machine. Make sense?

 

The other alternative is for your HelpDesk guys to run full Windows Update as they're deploying the machine, which I think is a pretty good thing to do.

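The "have the HelpDesk run full Windows Update while deploying the machine" option from the reply above, done as a script rather than by clicking through the Control Panel. This is an added example, not code from the thread; it uses the Windows Update Agent COM API (Microsoft.Update.Session), which is on every supported Windows client, and it assumes it is run elevated on a machine that can reach either the WSUS/SUP it is already pointed at (the Managed source) or Microsoft Update directly. The parameter names and the one-pass/reboot loop are my choices, not something the post specifies.

```powershell
# Added example (not from the thread): scan a freshly imaged machine for every
# update it still needs via the Windows Update Agent, list them, and optionally
# download and install them in one pass. Run elevated.

param(
    # 'Managed' = the WSUS/SUP this client is configured for (ServerSelection 1).
    # 'Microsoft' = go straight to Windows Update (ServerSelection 2), useful when
    # the SUP has not synced the product you are imaging.
    [ValidateSet('Managed', 'Microsoft')]
    [string]$Source = 'Managed',
    [switch]$Install
)

$session  = New-Object -ComObject 'Microsoft.Update.Session'
$searcher = $session.CreateUpdateSearcher()
$searcher.ServerSelection = if ($Source -eq 'Managed') { 1 } else { 2 }

# Software updates that are not installed and that nobody has hidden on this box.
$result = $searcher.Search("IsInstalled=0 and Type='Software' and IsHidden=0")

$missing = foreach ($u in $result.Updates) {
    [pscustomobject]@{
        KB       = ($u.KBArticleIDs | ForEach-Object { "KB$_" }) -join ','
        Severity = $u.MsrcSeverity      # empty for non-security updates
        Title    = $u.Title
    }
}
"$($result.Updates.Count) update(s) missing from $env:COMPUTERNAME (source: $Source)"
$missing | Sort-Object Severity, KB | Format-Table -AutoSize

if (-not $Install -or $result.Updates.Count -eq 0) { return }

$toInstall = New-Object -ComObject 'Microsoft.Update.UpdateColl'
foreach ($u in $result.Updates) {
    # Accept EULAs non-interactively so the install does not stall on a prompt.
    if (-not $u.EulaAccepted) { $u.AcceptEula() }
    [void]$toInstall.Add($u)
}

$downloader = $session.CreateUpdateDownloader()
$downloader.Updates = $toInstall
$dl = $downloader.Download()
# OperationResultCode: 2 = Succeeded, 3 = Succeeded with errors, 4 = Failed.
if ($dl.ResultCode -notin 2, 3) {
    throw ("Download failed, ResultCode {0}, HRESULT 0x{1:X8}" -f $dl.ResultCode, $dl.HResult)
}

$installer = $session.CreateUpdateInstaller()
$installer.Updates = $toInstall
$inst = $installer.Install()

# Many updates only become applicable after others are installed, so the tech
# should reboot when asked and re-run the scan until it comes back empty.
"Install ResultCode: $($inst.ResultCode)  RebootRequired: $($inst.RebootRequired)"
```

Running it with `-Source Managed` and no `-Install` is also a quick way to see what a client scanning against your SUP still considers Required before SCCM has deployed anything to it, which is the gap the original question is about.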

Hi,

I always create a "Vanilla" package with all the updates available for each OS at the time of installation of ConfigMgr 2012 to catch all computers that perhaps need an old update, for troubleshooting where an update is uninstalled, and so on. Then I create the ADRs so that all future updates are deployed using them.

Automate everything!

 

/Jörgen


This is also something I'm curious about. I inherited an SCCM 2012 environment, and I'm working on cleaning up the install/configuration the previous guy did. Needless to say there's a lot of work to be done.

 

What do you guys do? Currently I have a baseline that has all the updates previous to January 2014, and then an update group per month until the end of the year, then I think I'm going to roll 2014 into my baseline and start over for 2015. I also make sure every month I delete and get rid of expired/superseded updates. The one thing I hear from my Helpdesk is how they have updates installing after the computer is done imaging, but I can't think of any other way to do this. I am also wondering what people do for a true "baseline" for Windows updates. My security team always wants to know how we're doing against the updates that are out, and I'm not totally sure how to set up a group to monitor this for them. Right now I'm just comparing it against my baseline, but again, that's not very comprehensive.

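The three replies above describe the same thing in different words: a catch-up ("Vanilla", "baseline", one-package-per-year) software update group holding everything released before the ADRs took over, deployed as Required so a newly joined client installs it without a tech touching the box. Here is that build scripted against the ConfigurationManager PowerShell module. This is an added example, not code from any of the posters; it assumes the ConfigMgr console is installed on the machine running it (the module ships with it), that `P01`, the UNC source path and the collection name are replaced with your own values, that the SUP has already synced the products and classifications you care about, and that the cmdlet parameter names match the current module (the 2012 R2-era cmdlets differ in places, so check `Get-Help` on your version). The split by release year is there because a single deployment cannot contain more than 1000 updates, which is also why the reply above ends up with a package per year.

```powershell
# Added example (not from the thread): build per-year "baseline" software update
# groups for everything the SUP knows about that predates the ADR window and is
# still live, download them into one deployment package, and deploy as Required.

param(
    [string]$SiteCode         = 'P01',                                  # assumption: your site code
    [datetime]$AdrStartDate   = '2014-01-01',                           # first month the ADRs covered
    [string]$GroupPrefix      = 'Baseline - Security Updates',
    [string]$PackageName      = 'Baseline Security Updates pre-2014',
    [string]$PackageSource    = '\\cm01\Sources$\Updates\Baseline-pre-2014',  # assumption: UNC share
    [string]$TargetCollection = 'All Workstations'                      # assumption: your collection
)

# The console drops the module next to its bin folder.
Import-Module "$(Split-Path $env:SMS_ADMIN_UI_PATH -Parent)\ConfigurationManager.psd1"
Set-Location "${SiteCode}:"

# Everything that (a) was posted before the ADRs started, (b) is not expired or
# superseded, and (c) is classified as a security update. The -DatePostedMax
# cutoff is exactly what an ADR set to "released in the last 1 day" never sees.
$updates = Get-CMSoftwareUpdate -DatePostedMax $AdrStartDate `
    -IsExpired $false -IsSuperseded $false -CategoryName 'Security Updates'

if (-not $updates) { throw 'No candidate updates found; check SUP sync, products and classifications.' }

$package = Get-CMSoftwareUpdateDeploymentPackage -Name $PackageName
if (-not $package) {
    $package = New-CMSoftwareUpdateDeploymentPackage -Name $PackageName -Path $PackageSource
}

# One group per release year keeps each deployment under the 1000-update ceiling
# and mirrors the "2012 package, 2013 package" scheme from the reply above.
foreach ($year in ($updates | Group-Object { $_.DatePosted.Year } | Sort-Object Name)) {
    $name = "$GroupPrefix $($year.Name)"
    $ids  = @($year.Group | ForEach-Object { $_.CI_ID })
    if ($ids.Count -gt 1000) {
        throw "$name would hold $($ids.Count) updates; split it further (a deployment is limited to 1000)."
    }

    if (-not (Get-CMSoftwareUpdateGroup -Name $name)) {
        New-CMSoftwareUpdateGroup -Name $name | Out-Null
    }
    # Idempotent: re-running after the monthly expired/superseded cleanup just
    # re-adds whatever is still current.
    Add-CMSoftwareUpdateToGroup -SoftwareUpdateGroupName $name -SoftwareUpdateId $ids

    # Pull the binaries into the package (already-downloaded content is skipped)...
    Save-CMSoftwareUpdate -SoftwareUpdateGroupName $name -DeploymentPackageName $PackageName

    # ...and deploy Required with a short deadline, so a machine that joins the
    # domain picks the whole year up on its first evaluation cycle.
    if (-not (Get-CMSoftwareUpdateDeployment -Name "$name (required)")) {
        New-CMSoftwareUpdateDeployment -SoftwareUpdateGroupName $name `
            -CollectionName $TargetCollection -DeploymentName "$name (required)" `
            -DeploymentType Required -UserNotification DisplaySoftwareCenterOnly `
            -AvailableDateTime (Get-Date) -DeadlineDateTime (Get-Date).AddDays(1) | Out-Null
    }
    "$name : $($ids.Count) updates in group, deployed to '$TargetCollection'"
}
```

Re-run it after each month's expired/superseded purge: the groups are looked up by name, so nothing is duplicated, and anything that has since been superseded simply is not re-added.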

I had a package I created once for 3 months, I had not noticed I can select for last 1 year. Maybe I missed that or they expanded the options in R2?

 

I used to manually patch the machines via WU, but I prefer when I can just join a machine to the domain and it pushes out the client, SCEP, and all previous updates. Just let the machine run for a day or so and it will get all the software deployments taken care of.



Behemyth, I think your approach is pretty common, and it's the one that I use as well.

 

I get the same question from the security team, and it's a hard one to answer. I tend to throw the question right back at them: "What specific vulnerability/update do you want to see compliance numbers for?" I don't know how you can be expected to generate a report for every single update ever released by Microsoft. Clearly, we approve/deploy all critical security updates, but the "baseline" question is a tough one.

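Both the "how are we doing against the updates that are out" question and the "which specific update do you want numbers for" answer above can be served from the same data: clients scan against every update the SUP has synced, not just the ones in a deployment, so `NumMissing` on each update is populated even for updates that were never put in a group. The script below is an added example, not from any of the posters; it uses the ConfigurationManager module (console installed, site code, window and severities replaced with yours), reads the `NumPresent`, `NumMissing` and `IsDeployed` properties ConfigMgr keeps on each `SMS_SoftwareUpdate`, and turns them into one CSV the security team can filter plus a console list of the real gap: applicable, still-current updates that have no deployment at all.

```powershell
# Added example (not from the thread): per-update exposure report for a window of
# security updates, plus the list of applicable updates nobody has deployed yet.

param(
    [string]$SiteCode    = 'P01',                       # assumption: your site code
    [datetime]$Since     = (Get-Date).AddDays(-90),     # how far back the security team is asking about
    [string[]]$Severity  = @('Critical', 'Important'),
    [string]$OutCsv      = "$env:TEMP\update-exposure.csv"
)

Import-Module "$(Split-Path $env:SMS_ADMIN_UI_PATH -Parent)\ConfigurationManager.psd1"
Set-Location "${SiteCode}:"

# Current, live security updates released in the window, whatever their
# deployment state. (Without -Fast the lazy compliance counters are populated;
# this is slow on a big catalog, which is why the window is bounded.)
$candidates = Get-CMSoftwareUpdate -DatePostedMin $Since `
    -IsExpired $false -IsSuperseded $false -CategoryName 'Security Updates' |
    Where-Object { $_.SeverityName -in $Severity }

$rows = foreach ($u in $candidates) {
    # Clients where the update applies at all; NotApplicable/Unknown are excluded.
    $applicable = [int]$u.NumPresent + [int]$u.NumMissing
    [pscustomobject]@{
        Bulletin   = $u.BulletinID
        KB         = "KB$($u.ArticleID)"
        Severity   = $u.SeverityName
        Posted     = $u.DatePosted.ToString('yyyy-MM-dd')
        Deployed   = [bool]$u.IsDeployed
        Missing    = [int]$u.NumMissing
        Applicable = $applicable
        Compliance = if ($applicable) { [math]::Round(100 * $u.NumPresent / $applicable, 1) } else { $null }
        Title      = $u.LocalizedDisplayName
    }
}

if (-not $rows) { "No $($Severity -join '/') security updates posted since $($Since.ToShortDateString())."; return }

# The gap an ADR set to "last 1 day" leaves behind: clients report it Required,
# and it is not in any deployment.
$undeployed = @($rows | Where-Object { -not $_.Deployed -and $_.Missing -gt 0 })
$undeployed | Sort-Object Missing -Descending |
    Format-Table Bulletin, KB, Severity, Missing, Title -AutoSize

# Worst compliance first, so the "which one do you want numbers for" question
# answers itself.
$rows | Sort-Object Compliance | Export-Csv -NoTypeInformation -Path $OutCsv
"$($rows.Count) updates in window; $($undeployed.Count) applicable with no deployment; report at $OutCsv"
```

When a bulletin is asked about by name, `Get-CMSoftwareUpdate -BulletinId MS14-xxx` (or `-ArticleId`) returns the same object, so the per-update `NumMissing`/`NumPresent` figures can be pulled for one update the same way without rebuilding the whole report; treat those parameter names as something to confirm against your module version.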
