volk1234

Manage Windows Updates in work environment with SCCM 2012

I agree with what user juice13610 wrote.

 

A properly configured WSUS environment gave me the following procedure:

- manual approval of patches on the main WSUS console by an admin
- auto deployment to all subsidiary WSUS servers
- clients get patched
- monthly cleanup script on WSUS servers removes old, unused patches, keeping the file storage requirements small
- should a client reconnect to the network after being offline for a long time, needed updates are re-downloaded, redistributed, and the client gets patched (because they are still in "approved" state)

This is pretty easy to set up and fully automatic.

 

 

With my current SCCM 2012 setup I have neither a good solution for cleaning unused update files from the servers, nor an automatic solution for the "old client" problem.

To recap, according to the TechNet post, this is what should be done:

- create a compliance-only group to monitor the patch state of clients, but don't distribute this group
- use an ADR to create monthly patch groups, which are distributed and used for actual patching
- manually remove old, unused monthly patch groups when they are no longer needed
- manually update the compliance-only group each month to include the latest updates
- manually handle clients that were offline for a long time ("old client" situation)

I wonder whether this is really the intended way to do it.

Or did I misunderstand the concept? Any feedback is greatly appreciated.

I've been doing this for a while now and I've found it's just easiest for me to do it manually. I doubt I'm doing it the best way, but it has worked for me. I only have two software update groups: workstation updates and server updates. Each month I run a search for Office/Lync/Silverlight and each OS we use (Win 7/8/8.1, and Win Server 2008/2008 R2/2012). I just download those updates to their respective deployment packages (I have one for each OS and everything else gets grouped into an "Office" package) and edit their membership to make sure they are included in their respective SUGs. I then create separate deployments of each SUG to each device collection (Workstation updates to Win7/8/8.1 PCs and server updates to the others).

 

Probably not the most efficient way of doing it but I've been doing it this way for so long that I can usually get it done pretty quickly. I also like to do it manually so I can look through the updates for that month and exclude anything we may not want. This doesn't happen often, but we have wanted to exclude certain updates in the past.

We don't worry about creating specific groups for specific platforms. The machines will only find and get the updates they need. We do our updates by past year and past 3 months. They get assigned and clients pull whatever they need. Any new machine gets the required updates no matter how they were built. It is probably 20 minutes of work max once a month.

Thanks jr19 and willisj318! I appreciate the help.

 

willisj318,

Is it an Automatic Deployment Rule that you set for past 1 year and past 3 months? If so, how often do you run the schedule?

Or do you manually push updates?

 

How do you manually push updates anyway?

Nope. What we did was create the update group and driver package on the first run through of updates. We did this on our CAS as we will update the entire enterprise in the same fashion. I attached a screenshot.

 

Each update group is associated with its update package. As you can see some groups are broken down a bit oddly due to the 1000 update deployment limit for update groups.

 

Our old update groups are deployed and simply sit that way forever. So 2009 Updates is deployed to our patching collection, if someone builds a machine by the DVD for some reason, it gets updated fully.

 

In June we will run our update scan, create our 2014-06 update group and create two deployments. One to our test patch systems, and one to our prod systems. The updates sit in the 2014-06 update group, and the 2014 update package.

 

Once done I will go into the all updates group you see and remove any expired and superseded updates from any update group. Every few months I will remove the old month-specific groups. So in June I will remove the March update group, simply by editing the membership to be in the main 2014 update group and no longer the March one, then deleting the March one.

 

We only keep the past 3 or 4 months because people sometimes want them for reporting. I anticipate that sometime soon we will be able to remove the 2009 and 2010 group.

 

It sounds like a lot but really takes about 20 minutes of work to do. Honestly probably not even that much.

[attached screenshot]

Thanks so much for the info! I had to read it over a couple times (because of my simple mind :rolleyes:), but it makes good sense to do it your way.

 

One last question (I hope). Do you do anything with the "Deployment Packages" in your scenario? Or are those only if you are using ADRs?

I apologize for all of the questions. Just when I think I've got the hang of it, something else comes up.

 

Ok, so I did like willisj318 said and created some Software Update Groups that include Workstation Updates. Here is how I did that:

  1. Went to Software Library --> All Software Updates
  2. Searched for:
    • Bulletin ID contains MS
    • Expired = No
    • Product = Windows 7 OR Windows 8 OR Windows XP
    • Superseded = No
    • Date Released or Revised is between 1/1/2013 and 12/31/2013
  3. When my search results came back, I did CTRL + A to select them all
  4. Right-clicked on the updates and chose Create Software Update Group
  5. Named my Software Update Group like "2013 Workstation Updates"

 

All of that worked great. HOWEVER, now how do I tie my Software Update Group to a Deployment Package? When I go to Deploy the Software Update Group, the wizard comes up, but I do not have the section called "Deployment Package" in my wizard.

 

Hmm, I wonder if the "Deployment Package" section is missing because I already have my updates downloaded?

 

Thanks!

Edited by jester805
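As an added PowerShell example (not code from anyone in this thread), here is the console search-and-create-group procedure jester805 lists above, the tie-in to a deployment package he asks about, and the monthly expired/superseded pruning willisj318 describes, scripted against the ConfigurationManager module that ships with the admin console. The site code "P01", the package name and the 1000-update check are assumptions; cmdlet names and parameters follow the documented ConfigMgr PowerShell module and an unpatched SCCM 2012 console may not expose all of them.

```powershell
# Added example: scripts the console search/create-group steps from the thread.
# Assumptions: ConfigurationManager module from the admin console, site code
# "P01" (placeholder), and cmdlet parameters as documented for the ConfigMgr
# PowerShell module (older SCCM 2012 consoles may lack some of them).
Import-Module "$($env:SMS_ADMIN_UI_PATH)\..\ConfigurationManager.psd1"
Set-Location "P01:"

$groupName   = "2013 Workstation Updates"     # same name jester805 used
$packageName = "2013 Workstation Package"     # placeholder; package must already exist
$products    = "Windows 7", "Windows 8", "Windows XP"
$start       = Get-Date "2013-01-01"
$end         = Get-Date "2013-12-31"

# Same filter as the console search: bulletin ID starts with MS, not expired,
# not superseded, one of the three workstation products, released in 2013.
$updates = foreach ($product in $products) {
    Get-CMSoftwareUpdate -Fast -CategoryName $product `
        -IsExpired $false -IsSuperseded $false `
        -DatePostedMin $start -DatePostedMax $end |
        Where-Object { $_.BulletinID -like "MS*" }
}
# An update can sit in several product categories; keep each CI_ID once.
$updates = $updates | Sort-Object CI_ID -Unique

# willisj318's caveat: a single deployment is capped at 1000 updates.
if ($updates.Count -gt 1000) {
    Write-Warning "$($updates.Count) updates exceed the 1000-per-deployment limit; split the group (e.g. by half-year)."
}

# Steps 3-5 of the post: create the SUG and add the search results to it.
New-CMSoftwareUpdateGroup -Name $groupName | Out-Null
Add-CMSoftwareUpdateToGroup -SoftwareUpdateGroupName $groupName `
    -SoftwareUpdateId ($updates | ForEach-Object { $_.CI_ID })

# Tie the group to a deployment package by downloading its content into it
# (the "Deployment Package" page the deploy wizard omits once content exists).
Save-CMSoftwareUpdate -SoftwareUpdateGroupName $groupName `
    -DeploymentPackageName $packageName -SoftwareUpdateLanguage "English"

# Monthly housekeeping as willisj318 describes: drop expired and superseded
# updates from the group so its compliance numbers stay meaningful.
Get-CMSoftwareUpdate -Fast -UpdateGroupName $groupName |
    Where-Object { $_.IsExpired -or $_.IsSuperseded } |
    ForEach-Object {
        Remove-CMSoftwareUpdateFromGroup -SoftwareUpdateGroupName $groupName `
            -SoftwareUpdateId $_.CI_ID -Force
    }
```

A group that is created this way but never deployed behaves like the compliance-only group from the TechNet post the original poster summarises: clients evaluate it for reporting without installing anything.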
