Kops

Update compliance in need of serious attention

A couple of months ago I inherited responsibility for our System Center Config Mgr environment from a previous systems admin who left the organization. There was no hand-off of the system, so I basically just picked it up, read a few things online and jumped into managing it. I tackled a few of the high priority issues for us, which were getting images deployed through SCCM as well as updating the Software Library to have more relevant packages and up to date applications for our users. Now I need to get software updates in a better state, as we seem to have very low compliance numbers (7%).

 

In hopes of getting some help here, I have gathered as much info as I can from our current config.

 

 

SUP Settings (looks OK to me)
- Synchronize from Microsoft Update
- All classifications (critical, definition, etc)
- Products
  - Windows 7, 8.1
  - Adobe Acrobat/Reader/Flash
  - Microsoft Office 2010/2013, Visual Studio 2010/2012/2013
- Sync schedule every day at 3am
- Immediately expire superseded updates

 

Automatic Deployment Rules (might need attention)
- Level 1 / Level 2 / Level 3
  - Level 1 = Systems Administrators / HelpDesk (approx 25 PCs)
  - Level 2 = Software Developers (approx 40 PCs)
  - Level 3 = Rest of company (approx 450 PCs)
- Deployment schedule
  - Level 1 available as soon as possible, deadline after 7 days
  - Level 2 available after 7 days, deadline after 14 days
  - Level 3 available after 14 days, deadline after 21 days
- Add to an existing Software group (Level 1/Level 2/Level 3)
- Enable deployment after rule is run
- Search Criteria
  - Custom Severity = None
  - Date released/revised = Last 6 months
  - Superseded = No
  - Update Classification = Critical or Security
- Evaluation sync schedule every 1 day
- Deployment schedule
  - Level 1 available as soon as possible, deadline after 7 days
  - Level 2 available after 7 days, deadline after 14 days
  - Level 3 available after 14 days, deadline after 21 days
- Deployment package Windows Critical and Security Updates

 

However the issue is that compliance is still very low, see attached update_compliance.png.

 

As I see things, this should be set up to automatically deploy these updates, but I might be missing some pieces. I can provide log files or any more info if it will assist.

I am open to completely reworking this if there is a better practice!

 

Appreciate you taking the time to read my question


The problem also is that every time you change the deployment group it has to then re-evaluate everything again to determine the compliance of the group in its current state.

 

What this means is that when you are daily checking and making changes to the group it is starting all over again on evaluating the machines in the environment.

 

I do my updates twice a month with a 2 week gap between my IT staff and Everyone else. I do a Patch Tuesday Package which I don't deploy for 2 weeks after its release to my IT staff first. I put a 7 day Deadline on all of my packages. I then have an entire month package for say January 2015 which would go to all my production workstations.

 

To break it down basically.

1. Pre-Production (IT Staff) gets an update package for 2 weeks of testing. If no issues come up or are reported then 2 weeks later that same package then goes to Production (everyone).

2. Packages are created for Patch-Tuesday and End of Month.

 

 

I don't have any auto-deployment rules set up for general updates. I only use it for Endpoint currently and it runs every 8 hours. Microsoft releases endpoint updates 3x a day, every 8 hours starting at 3:00am. My schedule starts at 3:30am and runs every 8 hours after that.

 

Here are my endpoint settings. As you can see I also change the source list to go to MS directly first rather than my system to lessen the traffic coming in to my server.


First off, I appreciate you taking some time to read through my issues and lend a hand. I'm very appreciative for the help I receive from this community :)

 

I would start by using the compliance reports instead of the console for that kind of information. It will also provide a better view on your real compliance.

 

I ran some compliance reports through the Monitoring tab and this does provide much better insight. I'm able to see which users/computers are compliant which will be a great breakdown going forward. However, I am still seeing very low compliance numbers. See compliance1.png

 

 

I would check group policy to ensure the correct policy settings for SCCM are being applied.

 

I can definitely look into this - I wasn't familiar with any group policy required for SCCM?

I think I would like to move to a more manual approach similar to what you are describing, where I can take all the updates that were released per month and create a group, and manually deploy these rather than relying on the auto-rules. I can see in our Software Update Groups that this might have been done in the past - there are groups named January 2013 Updates, February 2013 Updates (with very high compliance numbers), but there are also auto-deployment rules set up for Level 1/2/3, which was confusing. See monthlyupdates.png.

 

Can anyone advise on an approach for moving to that sort of update system?

 

Again, your time is much appreciated!


First off, I appreciate you taking some time to read through my issues and lend a hand. I'm very appreciative for the help I receive from this community :)

 

I can definitely look into this - I wasn't familiar with any group policy required for SCCM?

You're most welcome. :)

 

Basically, with the group policy you want to make sure the policies under Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Update are left as "Not configured", or at the most, if you only have one SUP and IBCM (internet based client management), you can probably enable "Allow signed updates from an intranet Microsoft update service location".

 

The reason for this, AFAIK, is that when the software update cycle is run it updates the local group policy settings according to the location of the device. For instance, we utilise IBCM to ensure the compliance of our devices with the latest MS critical and security updates: when the software update cycle is run while on the intranet it sets the SUP as the server name, however if the update cycle is run while connected via the internet it will change the SUP to the public hostname for the server and connect via SSL and validate via certs.

 

Long story short, the less configuration on these group policy settings the better haha.

 

Cheers,

Hynesy

 

PS: I didn't proof read so I hope it makes sense/reads ok.


I checked out this area of our policy, and we do have one option, "Specify intranet Microsoft update service location", enabled, with a link pointing to our SCCM server.

 

I think I have an idea as to what's going on. After looking at our Software Update Groups closer, we have groups called 2012 Updates, followed by January 2013 Updates, February 2013 Updates, March-May 2013 Updates and then no more. This is when the previous admin left. It looks to me like they were deploying updates monthly and this stopped when nobody was really responsible for the SCCM environment.

 

I am going to do the following: go to All Software Updates, filter by January 2015 release date, select those and create a January 2015 Update Group, and deploy that to our Level 1 device collection. I think this is how it was intended to be set up.

 

If I'm right, I'll have to try to figure out what the automatic deployment rules are really doing...


I checked out this area of our policy, and we do have one option, "Specify intranet Microsoft update service location", enabled, with a link pointing to our SCCM server.

If it's just that enabled and you're not using internet based client management you should be good on that front.

 

 

I am going to do the following: Go to All Software Updates, filter by January 2015 release date, selecting those and creating a January 2015 Update Group, and deploying that to our Level 1 device collection. I think this is how it was intended to be setup.

Did the previous SCCM admin not utilise automatic deployment rules? (unless I'm reading this wrong?)


We are using 4 ADRs, but my understanding of how they are used is not great. We have 3 ADRs for Level 1, Level 2, and Level 3 updates, configured as per below, and 1 ADR for Windows Protection (where the Windows Protection ADR differs, its setting is listed as a second, marked line; the red highlighting from the original post is not reproduced here).

 

- [Level 1/2/3] Add to an existing Software Update Group, Enable the deployment after this rule is run
- [Windows Protection] Create New Software Update Group, Enable the deployment after this rule is run
- Automatically deploy all software updates found by this rule, and approve any license agreements
- [Level 1/2/3] Date released = Last 6 months, Superseded = No, Update class = Critical or Security Updates
- [Windows Protection] Date Released = Last 1 day, Product = Forefront Security Client, or Windows Defender
- Run this rule every day
- [Level 1/2/3] Deployment (varies per level: Level 1 is available ASAP with a 7 day deadline, Level 2 is 7 days with a 14 day deadline, Level 3 is 14 days with a 21 day deadline)
- [Windows Protection] Deployment available every 2 hours, deadline ASAP
- [Level 1/2/3] Deployment Package = Windows Critical and Security Updates
- [Windows Protection] Deployment package = Windows Protection Updates

 

I'd really like to be able to break this down into a sort of workflow...

 

1. Updates are sync'd from MS to SCCM every day

2. ADR Level X WSUS takes critical/security updates and applies them to Level X WSUS Software Update Group

3. etc..

 

But I get lost in this process fairly quickly.

 

I was under the impression that updates were a fully automated process but with compliance being shown at 7% I'm thinking there must be a manual process that isn't being done.

 

Can anyone help me understand the typical process that this might follow?


If you're running updates to match patch Tuesday why not have the schedule set to run every second Tuesday of the month after MS releases the patches? Just remember to adjust to your time zone, I'm in Australia so I have it set to run at 6pm on every second Wednesday which is about 2 hours after MS releases the patches IIRC. With that said there is nothing terribly wrong here that I can see.

 

If you log onto one of the servers/computers not getting the updates and open software centre are the updates listed at all?

 

Trying to troubleshoot these issues is always going to be hard when you don't have a complete understanding of the process involved. I'd probably start by creating a very small pilot group and following the guide here so you can walk yourself through the entire process to get a better understanding of the whole thing. If the pilot group works you know it's nothing more than a misconfigured ADR.

 

Windows-Noob is a great site for SCCM 2012 resources; I would also have a look here as they have a list of great resources.

 

Cheers,

Hynesy

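A client-side check that ties together Hynesy's two suggestions above (the Windows Update group policy values, and whether the deployed updates are listed on the client at all). This is an added example, not code from anyone in the thread; it assumes PowerShell 3.0 or later on a ConfigMgr 2012 client, the standard Windows Update policy registry paths and WUAHandler.log location, and the WUAHandler.log message texts are quoted from memory, so adjust them if yours differ.

```powershell
# Added diagnostic, not from the thread. Run elevated on a ConfigMgr client the
# console reports as non-compliant. Assumes PowerShell 3.0+ and a standard client install.
# 1. Windows Update policy values on the client. Per Hynesy, anything beyond the
#    intranet location should normally be "Not configured" when ConfigMgr manages updates.
$wuPol = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$auPol = Join-Path $wuPol 'AU'
$policy = [ordered]@{}
foreach ($n in 'WUServer', 'WUStatusServer') {
    $policy[$n] = (Get-ItemProperty -Path $wuPol -Name $n -ErrorAction SilentlyContinue).$n
}
foreach ($n in 'UseWUServer', 'NoAutoUpdate', 'AUOptions') {
    $policy[$n] = (Get-ItemProperty -Path $auPol -Name $n -ErrorAction SilentlyContinue).$n
}
'--- Windows Update policy values set on this client ---'
foreach ($e in $policy.GetEnumerator()) {
    $v = if ($null -eq $e.Value) { '<not set>' } else { $e.Value }
    '{0,-15} {1}' -f $e.Key, $v
}
# 2. Which SUP the ConfigMgr client itself last handed to the Windows Update Agent.
#    A GPO pointing elsewhere shows up here as a conflict. (Message texts from memory.)
$log = Join-Path $env:windir 'CCM\Logs\WUAHandler.log'
if (Test-Path $log) {
    '--- Last SUP configured by the ConfigMgr client (WUAHandler.log) ---'
    Get-Content -Path $log -Tail 400 |
        Select-String -Pattern 'Enabling WUA Managed server policy', 'overwritten by a higher authority' |
        Select-Object -Last 3 | ForEach-Object { $_.Line }
}
# 3. Updates the client has actually been targeted with through ConfigMgr
#    (Hynesy's "are the updates listed in Software Center at all?" check).
$state = @{ 0='None'; 1='Available'; 2='Submitted'; 3='Detecting'; 4='PreDownload';
            5='Downloading'; 6='WaitInstall'; 7='Installing'; 8='PendingSoftReboot';
            9='PendingHardReboot'; 10='WaitReboot'; 11='Verifying'; 12='InstallComplete';
            13='Error'; 14='WaitServiceWindow'; 15='WaitUserLogon' }
$updates = @(Get-WmiObject -Namespace 'root\ccm\ClientSDK' -Class CCM_SoftwareUpdate -ErrorAction SilentlyContinue)
"--- Updates targeted at this client by ConfigMgr: $($updates.Count) ---"
$updates |
    Select-Object ArticleID, @{n='State'; e={ $state[[int]$_.EvaluationState] }}, Deadline, Name |
    Format-Table -AutoSize
# 4. Kick off a fresh scan and assignment evaluation so the next compliance
#    report reflects current state rather than stale data.
$cycles = @{ 'Software Updates Scan Cycle'                   = '{00000000-0000-0000-0000-000000000113}'
             'Software Updates Assignments Evaluation Cycle' = '{00000000-0000-0000-0000-000000000108}' }
foreach ($name in $cycles.Keys) {
    Invoke-WmiMethod -Namespace 'root\ccm' -Class SMS_Client -Name TriggerSchedule -ArgumentList $cycles[$name] | Out-Null
    "Triggered: $name"
}
```

If step 1 shows a WUServer that is not your SUP, or step 3 shows zero targeted updates on a machine that should have a deployment, the gap is on the policy or deployment side rather than in the ADR search criteria.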

So the reason your compliance numbers are so low is because your ADRs are adding the new updates they find to an existing group, which is causing the group to constantly have to re-evaluate. Depending on the activity on your clients and how often they are on the network, as well as how often you are running your compliance checks, it takes some time to get the numbers back.

 

One way to do the ADRs would be to run them once per month and have them create a new group every time they are run. This will leave the old group with its compliance numbers so that it won't re-evaluate on you. Once a quarter, half year or full year you can take the groups and combine them down to a single group covering a larger time period.

 

For instance, I take my update groups once they reach 85% compliance and merge them into a bigger group for the entire quarter and then finally the entire year (with the number of updates lately, though, this is more difficult to merge due to the cap of 1000).


I haven't moved November and December 2014 into the year group yet because of the updates limit per group. You can see my ADR group, which is the Microsoft Forefront Endpoint one, has low compliance because of the constant changes to the group and it having to re-evaluate constantly. Basically the same situation that you are having.


Thanks for the reply Garrett, interesting thoughts. What you've said might explain a few things..

 

We have an ADR for Critical/Security updates only that runs every day, and adds to an existing software update group (to avoid creating new groups every day) - this is the one with the low compliance. I've now created another ADR to run every second Wednesday for regular Windows updates and to create a new group each time, so I'll monitor how that reports compliance and see how that goes.

 

If I report out of Monitoring > Reports, the compliance numbers actually look great. It just seems to be in the Software Update Group area that shows them very low.


The way to tell your entire environment compliance would be to go to Software Library > Software Updates > Software Update Groups. The compliance numbers there are for the entire environment regardless of deployment.

 

To see the compliance isolated to a deployment then you'd have to run a report based on a given collection of machines as you are probably already doing.
