Signumxsa

Fastest way to install updates




Hi All,

We are going to start to patch our servers using SCCM. I have created software update groups for Server 2003, 2008 and 2012 which contain all important and critical updates for the servers up until Dec 2014. However, I have a problem: some servers require a manual reboot, so I advertise my updates like the below:

Type of deployment : Required
installation deadline : As soon as possible
Suppress system restarts : Servers

The problem is that after the reboot I check SCCM and the client is compliant. Then I go to work the next day, check the SCCM console, and the client shows as in progress, requires reboot, because it has installed more updates.

I know the problem is that some updates aren't required until a pre-req is installed. However, is there a way to ensure that the client automatically checks the SCCM server for updates every 15 minutes so that I can confirm that all updates are installed?

Also, from the SCCM client logs, how can I confirm that there are no software updates left to install on the machine if I run the software scan cycle manually?

Thanks



I ran into the same problem with patching desktops; some recent critical patches needed a pre-req to be detected. What I did was schedule my patches with a start time defined for each group. Also make sure you specify a deadline instead of the default so that you have full control of when patches go out. This will change based on how many patches you include. Look at the service window log or the wuaupdate log to make sure that you have enough for SCCM to install the patches. If the window is too short it will say something like not enough time in service window or something like that.

Then a few hours later, in the middle of my patch window, I deploy a PowerShell script that runs a policy retrieval and software update scan.

The package looks like this:


powershell.exe -ExecutionPolicy Bypass -NoLogo -NonInteractive -NoProfile -WindowStyle Hidden -File ".\PolicyForce_Machine_UpdateDeploy_UpdateScan.ps1"


In the source folder I have a ps1 with this inside it:


$computer = "."
$SCCMClient = [wmiclass] "\\$computer\root\ccm:SMS_Client"

# Machine Policy Retrieval and Evaluation Cycle
$SCCMClient.TriggerSchedule("{00000000-0000-0000-0000-000000000021}")

# Software Updates Deployment Evaluation Cycle
$SCCMClient.TriggerSchedule("{00000000-0000-0000-0000-000000000108}")

# Software Updates Scan Cycle (schedule ID 113; 108 is the deployment evaluation above)
$SCCMClient.TriggerSchedule("{00000000-0000-0000-0000-000000000113}")


You can do this a few ways with vb or other scripts.

This shows you the actions you can do:

http://blogs.technet.com/b/charlesa_us/archive/2015/03/07/triggering-configmgr-client-actions-with-wmic-without-pesky-right-click-tools.aspx

Here are a few different ways to get this accomplished, like vb and other methods:

http://tompaps.blogspot.com/2012/12/machine-policy-retrieval-sccm.html

https://blogs.technet.microsoft.com/configmgrdogs/2014/09/03/wmi-powershell-and-the-configuration-manager-client/

https://gallery.technet.microsoft.com/scriptcenter/ConfigMgr-Client-Action-16a364a5

hope this helps

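An added example, not part of any post in this thread: a PowerShell check to run on a server after its reboot. It triggers the scan and deployment evaluation cycles, then reads the client's `root\ccm\ClientSDK` WMI namespace (rather than the logs) to list deployed updates that are not yet installed and to report whether a restart is still pending. The wait time and the exit codes are assumptions to adjust.

```powershell
# Added example, not from the thread. Run elevated on the ConfigMgr client itself.
$ScanCycle      = '{00000000-0000-0000-0000-000000000113}'  # Software Updates Scan Cycle
$DeploymentEval = '{00000000-0000-0000-0000-000000000108}'  # Software Updates Deployment Evaluation Cycle
$WaitSeconds    = 180   # assumption: long enough for each cycle to finish on this server

# EvaluationState values reported by CCM_SoftwareUpdate
$StateName = @{
    0 = 'None';              1 = 'Available';         2 = 'Submitted';   3 = 'Detecting'
    4 = 'PreDownload';       5 = 'Downloading';       6 = 'WaitInstall'; 7 = 'Installing'
    8 = 'PendingSoftReboot'; 9 = 'PendingHardReboot'; 10 = 'WaitReboot'; 11 = 'Verifying'
    12 = 'InstallComplete';  13 = 'Error';            14 = 'WaitServiceWindow'
}

function Get-OutstandingUpdate {
    # ClientSDK exposes the deployed updates this client currently evaluates as applicable
    Get-WmiObject -Namespace 'root\ccm\ClientSDK' -Class 'CCM_SoftwareUpdate' -ErrorAction Stop |
        Where-Object { $_.EvaluationState -ne 12 } |
        Select-Object ArticleID, Name, @{ n = 'State'; e = {
            $s = [int]$_.EvaluationState   # cast: hashtable keys are Int32, WMI returns UInt32
            if ($StateName.ContainsKey($s)) { $StateName[$s] } else { "State $s" } } }
}

# Scan first so newly applicable updates (e.g. after a prerequisite was installed) are
# detected, then re-evaluate deployments so the client acts on what the scan found.
foreach ($id in $ScanCycle, $DeploymentEval) {
    Invoke-WmiMethod -Namespace 'root\ccm' -Class 'SMS_Client' -Name 'TriggerSchedule' `
        -ArgumentList $id -ErrorAction Stop | Out-Null
    Start-Sleep -Seconds $WaitSeconds
}

$outstanding = @(Get-OutstandingUpdate)
$reboot = Invoke-WmiMethod -Namespace 'root\ccm\ClientSDK' -Class 'CCM_ClientUtilities' `
    -Name 'DetermineIfRebootPending' -ErrorAction Stop

if ($outstanding.Count -eq 0 -and -not $reboot.RebootPending) {
    Write-Output ("{0}: no deployed updates outstanding, no reboot pending" -f $env:COMPUTERNAME)
    exit 0   # assumption: 0 = finished patching
}

$outstanding | Format-Table -AutoSize | Out-String | Write-Output
Write-Output ("Reboot pending: {0} (hard: {1})" -f $reboot.RebootPending, $reboot.IsHardRebootPending)
exit 1       # assumption: 1 = another install or reboot pass is needed
```

A non-empty list after the post-reboot scan is the situation described in the first post: updates that only became applicable once their prerequisite was installed.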

I know the problem is that some updates aren't required until a pre-req is installed. However, is there a way to ensure that the client automatically checks the SCCM server for updates every 15 minutes so that I can confirm that all updates are installed?

2 options:

1 - Set a maintenance window on your collection so that way nothing can occur on the server unless you drop the main windows for the duration of the patching.

2 - Create a new "Client Setting", increase the software update cycle frequency so it checks for every 15 mins as you wanted. Deploy this setting to your servers collection. Be sure to raise the priority of this setting so it takes precedence over your default client settings.

I always use maint windows on our servers, even if to prevent an accidental deployment. I have a PowerShell script that then deploys my updates for me and creates maintenance windows, so it takes away all the manual work from me :)
