volk1234

Manage Windows Updates in work environment whith SCCM 2012

Hi,

 

Can anybody properly explain how to manage Windows Updates with SCCM in the real world, not in a lab? What is the best practice to organize update groups? And how to maintain previously created packages: how to automate deletion of no longer required updates from an update group?



It's different for every company; however, there are scripts for deleting unused updates from packages, such as this one here.


So, how many packages do I usually need?

One for Windows updates, one for Office updates and some other updates?

Or do I have to make packages with criteria (Required)?


Like Niall said, it's different for every company...

 

I have found that, for my organization, the following works well:

 

1. Create a Software Update Group for the updates that you will be deploying this month, along with a Deployment Package. The naming convention should include the month and year so it's easy to keep track of.

2. Create a Software Update Group named All Software Updates and a Deployment Package with the same name.

3. Deploy the Software Update Group for the current month as a WOL-enabled Required deployment.

4. Once the current month's updates have been successfully deployed, move the current month's patches to the All Software Updates group.

5. Delete the current month's Software Update Group and Deployment Package.

6. Deploy the All Software Updates group to All Systems as Available with WOL disabled.

 

So, basically what we do is deploy the current month's updates, then roll them up into another Software Update Group that is always set to Available, just in case some machines missed the deployment. This way the users that missed the deployments can install them at their own leisure, due to politics...

I hope this gives you some ideas so that you can come up with a process that works well for your organization.


For example: I have all my servers in a Windows 2008 R2 collection. I deployed Windows updates with the criteria Product and Bulletin ID.

I deployed Office updates to all servers, but only 2 servers have Office installed.

But there are still many updates that need to be applied: Report Viewer for only one server, and so on. How must I deploy them?


I actually would like to bump this subject, as I find myself struggling to come up with a normal or typical deployment.

 

First question I have is for Josh. I like the idea of pushing your updates up to an All Software Updates group to protect you from a security hole, but what happens when you reach 500 updates? I thought there was a limit to the number of updates you could store in a group.

 

How do you deal with the management of update groups, i.e. dropping the expired updates from the group?

 

I think the site as a whole would benefit from a recommended procedures guide for this. In your guide on setting up SCCM 2012 with Software Updates you only cover MS or security updates; it's subtle, but I think some people would miss it. Coming from a WSUS deployment to this is extremely frustrating, because it seems like there is so much more work to do and more to think about. I would love to see a guide that kind of gives the "best practices" for this type of user.

 

I just want to say that I think that this website is by far the best resource on the web for SCCM 2012. KUDOS.


The problem with the solutions mentioned in this blog post on TechNet is that it seems MS thinks anyone who is an SCCM admin has only SCCM as a responsibility. Also, it mentions creating huge compliance-only update groups (not deployed) that you can check to make sure your machines are patched, but it never mentions how to patch just the ones that need it. Do I have to check this compliance and then create collections with potentially hundreds of machines that missed an update 6 months ago? Doesn't really do a great job explaining, IMHO.

 

I also found this which is an interesting read.

 

http://blogs.technet...nager-2012.aspx


I agree with what user juice13610 wrote.

 

A properly configured WSUS environment gave me the following procedure:

- manual approval of patches on the main WSUS console by an admin

- auto deployment to all subsidiary WSUS servers

- clients get patched

- monthly cleanup script on WSUS servers removes old, unused patches, keeping the file storage requirements small

- should a client reconnect to the network after being offline for a long time, needed updates are re-downloaded, redistributed, and the client gets patched (because they are still in "approved" state)

 

This is pretty easy to set up and fully automatic.

 

 

With my current SCCM 2012 setup I neither have a good solution for cleaning unused update files from the servers, nor is there an automatic solution for the "old client" problem.

 

To recap, according to the TechNet post, this is what should be done:

- create a compliance-only group to monitor the patch state of clients, but don't distribute this group

- use ADRs to create monthly patch groups that are distributed and used for actual patching

- manually remove old, unused monthly patch groups when they are no longer needed

- manually update the compliance-only group each month to include the latest updates

- manually handle clients that were offline for a long time ("old client" situation)

 

I wonder if this is really the intended way to do it.

Or did I misunderstand the concept? Any feedback is greatly appreciated.


I know this thread is old, but I am struggling with this exact problem right now. Has anyone been able to figure out the best way to do Windows Updates (in an automatic way instead of so many manual steps)?

 

Thanks


I've been doing this for a while now and I've found it's just easiest for me to do it manually. I doubt I'm doing it the best way, but it has worked for me. I only have two software update groups: workstation updates and server updates. Each month I run a search for Office/Lync/Silverlight and each OS we use (Win 7/8/8.1, and Win Server 2008/2008 R2/2012). I just download those updates to their respective deployment packages (I have one for each OS, and everything else gets grouped into an "Office" package) and edit their membership to make sure they are included in their respective SUGs. I then create separate deployments of each SUG to each device collection (workstation updates to Win 7/8/8.1 PCs and server updates to the others).

 

Probably not the most efficient way of doing it, but I've been doing it this way for so long that I can usually get it done pretty quickly. I also like to do it manually so I can look through the updates for that month and exclude anything we may not want. This doesn't happen often, but we have wanted to exclude certain updates in the past.


We don't worry about creating specific groups for specific platforms. The machines will only find and get the updates they need. We do our updates by past year and past 3 months. They get assigned and clients pull whatever they need. Any new machine gets the required updates no matter how they were built. It is probably 20 minutes of work max once a month.


Thanks jr19 and willisj318! I appreciate the help.

 

willisj318,

Is it an Automatic Deployment Rule that you set for past 1 year and past 3 months? If so, how often do you run the schedule?

Or do you manually push updates?

 

How do you manually push updates anyway?


Nope. What we did was create the update group and driver package on the first run-through of updates. We did this on our CAS, as we will update the entire enterprise in the same fashion. I attached a screenshot.

 

Each update group is associated with its update package. As you can see some groups are broken down a bit oddly due to the 1000 update deployment limit for update groups.

 

Our old update groups are deployed and simply sit that way forever. So 2009 Updates is deployed to our patching collection; if someone builds a machine from the DVD for some reason, it gets updated fully.

 

In June we will run our update scan, create our 2014-06 update group and create two deployments. One to our test patch systems, and one to our prod systems. The updates sit in the 2014-06 update group, and the 2014 update package.

 

Once done, I will go into the all updates group you see and remove any expired and superseded updates from every update group. Every few months I will remove the old month-specific groups. So in June I will remove the March update group, simply by editing the membership to be in the main 2014 update group and no longer the March one, then deleting the March one.

 

We only keep the past 3 or 4 months because people sometimes want them for reporting. I anticipate that sometime soon we will be able to remove the 2009 and 2010 groups.

 

It sounds like a lot, but it really takes about 20 minutes of work to do. Honestly, probably not even that much.
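The monthly cleanup described in this post (dropping expired and superseded updates from each group, and keeping groups under the 1000-update deployment limit) can be scripted. The following is an added example, not from anyone in this thread; it assumes the ConfigMgr console's PowerShell module and the `Get-CMSoftwareUpdateGroup`, `Get-CMSoftwareUpdate` and `Remove-CMSoftwareUpdateFromGroup` cmdlets of later console versions (confirm names and parameters with `Get-Help` on your version), and `XXX` is a placeholder site code.

```powershell
# Added example (not from the thread): report, and optionally remove, expired and
# superseded members of every Software Update Group, and warn when a group would
# still exceed the per-group deployment limit mentioned in the thread.
# Assumption: the ConfigMgr console module exposes the cmdlets used below.
param(
    [string]$SiteCode   = 'XXX',   # placeholder: replace with your site code
    [int]   $GroupLimit = 1000,    # deployment limit per update group
    [switch]$Commit                # without -Commit the script only reports
)

# The module ships with the console; SMS_ADMIN_UI_PATH points at its bin\i386 folder.
Import-Module (Join-Path (Split-Path $env:SMS_ADMIN_UI_PATH) 'ConfigurationManager.psd1')
Set-Location "$($SiteCode):\"

foreach ($group in Get-CMSoftwareUpdateGroup) {
    $name = $group.LocalizedDisplayName

    # Members that are expired or superseded no longer need to be deployed.
    # -Fast skips lazy WMI properties; IsExpired/IsSuperseded are not lazy.
    $stale = @(Get-CMSoftwareUpdate -UpdateGroupName $name -Fast |
               Where-Object { $_.IsExpired -or $_.IsSuperseded })

    $remaining = $group.NumberOfUpdates - $stale.Count
    Write-Output ('{0}: {1} members, {2} stale, {3} after cleanup' -f
                  $name, $group.NumberOfUpdates, $stale.Count, $remaining)

    if ($remaining -gt $GroupLimit) {
        Write-Warning "$name would still hold more than $GroupLimit updates; split it (for example by year) before deploying."
    }

    if ($Commit -and $stale.Count -gt 0) {
        foreach ($update in $stale) {
            # CI_ID is the update's configuration item id used by the cmdlet.
            Remove-CMSoftwareUpdateFromGroup -SoftwareUpdateGroupName $name `
                                             -SoftwareUpdateId $update.CI_ID -Force
        }
    }
}
```

Run it first without `-Commit` to review the report; removing an update from a group does not delete its content from the deployment package, which the thread's cleanup script handles separately.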


Thanks so much for the info! I had to read it over a couple times (because of my simple mind :rolleyes:), but it makes good sense to do it your way.

 

One last question (I hope). Do you do anything with the "Deployment Packages" in your scenario? Or are those only if you are using ADRs?


You always need to use a Deployment Package. When you're downloading the content of a software update, you will need to download it to a Deployment Package, and that package will be used to make the (content of the) updates available to the clients.


No problem, I tried to explain it in print as well as I could. I have documentation I have written; I don't mind taking out our company info and sharing it if you wish. Yes, what Peter said as well: they are necessary in any scenario.


I apologize for all of the questions. Just when I think I've got the hang of it, something else comes up.

 

OK, so I did like willisj318 said and created some Software Update Groups that include workstation updates. Here is how I did that:

  1. Went to Software Library --> All Software Updates
  2. Searched for:
    • Bulletin ID contains MS
    • Expired = No
    • Product = Windows 7 OR Windows 8 OR Windows XP
    • Superseded = No
    • Date Released or Revised is between 1/1/2013 and 12/31/2013
  3. When my search results came back, I did CTRL + A to select them all
  4. Right-clicked on the updates and chose Create Software Update Group
  5. Named my Software Update Group like "2013 Workstation Updates"

 

All of that worked great. HOWEVER, now how do I tie my Software Update Group to a Deployment Package? When I go to Deploy the Software Update Group, the wizard comes up, but I do not have the section called "Deployment Package" in my wizard.

 

Hmm, I wonder if the "Deployment Package" section is missing because I already have my updates downloaded?

 

Thanks!

Edited by jester805


Yeah, if you right-click on your selected updates and choose Download, you should be able to put them into a deployment package like willisj318 says. You can either select an existing one or create a new one in this dialog.
