Howard

Windows Updates in SCCM 2012: Implementation, Limitations and Concerns


I figured I'd start a new post on this. My CIO and I have been going back and forth on this question for several days now, and I want to share some insight and get some opinions. We used this post as a starting point: http://blogs.technet...nager-2012.aspx

 

Our Goals

  • Protect all Windows 7 machines with the latest security patches (Bulletin ID: MS) and updates
  • Protect all deployments of Microsoft non-Windows desktop software (Office, Visual Studio, etc.) with the latest security patches and updates
  • Protect all Windows 2008 R2 servers with the latest security patches and updates
  • Protect all deployments of Adobe Acrobat, Adobe Reader and Adobe Flash with security updates and patches
  • Deploy the latest drivers and updates to our Dell PCs
  • Monitor compliance of deployments

Implementation, Limitations & Concerns

 

All Updates

 

Create an "All Updates" group for reporting purposes. We selected all updates and put them in this group. DO NOT DEPLOY this group to anyone. We will use it only for reporting purposes. (Not sure exactly how yet.)

 

Windows 7 Machines

 

Initial Setup

1. Create an Initial Updates Package. We called it "Windows 7 Software Updates - Initial". This package contained all updates up to and including 05/31/2012. Our search criteria consisted of:

  • Product = Windows 7
  • Expired = No
  • Superseded = No
  • Date Released or Revised is less than or equal to 05/31/2012

This gave us, at the time of writing, 286 updates.

 

2. Create the Monthly Update Package for June 2012. We called it "Windows 7 Software Updates - 2012 06". This package contained all the updates in the month of June. Similar search criteria as above, only a different date range.

This gave us 37 more updates.

 

3. Both of these Software Update Groups were then deployed to a "Windows 7 Machines" device collection we created based on the following WMI query:

 

select SMS_R_SYSTEM.ResourceID,SMS_R_SYSTEM.ResourceType,SMS_R_SYSTEM.Name,SMS_R_SYSTEM.SMSUniqueIdentifier,SMS_R_SYSTEM.ResourceDomainORWorkgroup,SMS_R_SYSTEM.Client from SMS_R_System where SMS_R_System.OperatingSystemNameandVersion like "%Workstation 6.1%"

 

Monthly Procedure

  1. Create a new Monthly Update Package after each "Patch Tuesday" and deploy it to our Windows 7 Machines device collection. (We may do an Automatic Deployment Rule for this that we can later green-light; not sure how to yet. We are currently using an ADR for Endpoint Protection definition updates.)
  2. Remove all the expired and superseded updates from all deployments. Just create a search criteria for Expired and Superseded = Yes and edit membership. Uncheck the check box and they will remove themselves from your deployment group and delete themselves off the server in 7 days. Another good post about this procedure: http://blogs.technet.com/b/configmgrteam/archive/2012/04/12/software-update-content-cleanup-in-system-center-2012-configuration-manager.aspx
  3. Update the All Updates group with the new updates.

 

Concern - We will never be able to delete any of our monthly update groups or the initial update package, as that would create a hole in our security updates, e.g. if a laptop left the network for 6 months and came back. I am not sure if I care; it's just that in 5 years I will have 60 of these update groups. I also do not know if having so many deployments will affect client/server performance in any way.

 

Microsoft - Non-Windows

 

Initial Setup

1. Create an Initial Updates Package. We called it "Microsoft Updates - Initial". This package contained all updates up to and including 05/31/2012. Our search criteria consisted of:

  • Product = Expression Design 4
  • Product = Office 2010
  • Product = Visual Studio 2010
  • Expired = No
  • Superseded = No
  • Date Released or Revised is less than or equal to 05/31/2012

This gave us, at the time of writing, 103 updates.

 

2. Create the Monthly Update Package for June 2012. We called it "Microsoft Updates - 2012 06". This package contained all the updates in the month of June. Similar search criteria as above, only a different date range.

This gave us 2 more updates.

 

3. We had to create several deployments for this, one for each application that we deployed.

 

Concern/Question

1. Again, you will not be able to delete any of these deployments for threat of creating a security hole.

2. Should we just combine the packages and deploy them to all Windows 7 machines? Will this create any client/server performance issues?

 

Adobe Updates

**This assumes you have already set up SCUP and have an understanding of it. We used this YouTube tutorial to get started: http://www.youtube.com/watch?v=fyEGWSFWyy0

 

SCUP

In SCUP we are going to create 2 publications, one for the initial deployment and then another for the monthly updates. You will find that the updates here are a bit more infrequent, and you may switch to a quarterly update.

1. For the initial publication we selected all updates; there were 39.

2. We assigned the updates to a new publication called "Adobe Updates - Initial".

3. We published full content.

4. We will do the same thing for "Adobe Updates - 2012 06". ***Not 100% sure we need to separate out these updates or if we can publish to an all-encompassing group.

 

Initial Setup

1. Create an Initial Updates Package. We called it "Adobe Updates - Initial". This package contained all updates up to and including 05/31/2012. Our search criteria consisted of:

  • Product = Adobe Acrobat
  • Product = Adobe Reader
  • Product = Adobe Flash Player
  • Expired = No
  • Superseded = No
  • Date Released or Revised is less than or equal to 05/31/2012

This gave us, at the time of writing, 39 updates.

 

2. Create the Monthly Update Package for June 2012. We called it "Adobe Updates - 2012 06". This package contained all the updates in the month of June. Similar search criteria as above, only a different date range.

This gave us 2 more updates.

 

3. We had to create several deployments for this, one for each application that we deployed.

 

Same Concerns and Questions

1. Again, you will not be able to delete any of these deployments for threat of creating a security hole.

2. Should we just combine the packages and deploy them to all Windows 7 machines? Will this create any client/server performance issues?

 

Conclusions

 

I know I left out a bunch here; I still have to discuss Windows Server 2008 updates and Dell updates. The main thing we are still trying to figure out is whether it is OK just to have several big initial updates and then just one software update for everything. How will that affect client/server performance? I will clean this post up over time; I just wanted to get some feedback to start. Not sure if I am overthinking this or not.

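The procedure in the post above, scripted with the ConfigMgr PowerShell module, as an added example that is not code from the original post. It builds the initial and June update groups from the same search criteria the post lists (product, not expired, not superseded, date released or revised within a range), creates the "Windows 7 Machines" collection from the post's WQL, and runs the monthly step that strips expired and superseded updates out of every group. Assumed and not from the post: the site code "P01", the "All Systems" limiting collection, and a console build recent enough to carry these cmdlets (the 2012 RTM console did not ship all of them).

```powershell
# Added example, not the original poster's code. Assumes the ConfigMgr console
# PowerShell module, a hypothetical site code "P01" and a limiting collection "All Systems".
Import-Module "$($env:SMS_ADMIN_UI_PATH)\..\ConfigurationManager.psd1"
Set-Location 'P01:'

# The console search the post describes: Product, Expired=No, Superseded=No,
# "Date Released or Revised" inside a window. -Fast skips the lazy WMI properties,
# which matters when the filter matches a few hundred updates.
function Get-PatchSet {
    param(
        [Parameter(Mandatory)][string]$Product,
        [datetime]$From = [datetime]::MinValue,
        [Parameter(Mandatory)][datetime]$To
    )
    Get-CMSoftwareUpdate -Fast -CategoryName $Product -IsExpired $false -IsSuperseded $false `
        -DateRevisedMin $From -DateRevisedMax $To
}

# "Windows 7 Software Updates - Initial": everything up to and including 2012-05-31.
$initial = @(Get-PatchSet -Product 'Windows 7' -To ([datetime]'2012-05-31 23:59:59'))
New-CMSoftwareUpdateGroup -Name 'Windows 7 Software Updates - Initial' `
    -UpdateId ($initial | ForEach-Object CI_ID) | Out-Null
"Initial group: $($initial.Count) updates"

# "Windows 7 Software Updates - 2012 06": only what was released or revised in June.
$june = @(Get-PatchSet -Product 'Windows 7' -From ([datetime]'2012-06-01') -To ([datetime]'2012-06-30 23:59:59'))
New-CMSoftwareUpdateGroup -Name 'Windows 7 Software Updates - 2012 06' `
    -UpdateId ($june | ForEach-Object CI_ID) | Out-Null
"June group: $($june.Count) updates"

# Device collection from the post's query; "Workstation 6.1" is the Windows 7 OS version string.
$wql = @'
select SMS_R_SYSTEM.ResourceID, SMS_R_SYSTEM.ResourceType, SMS_R_SYSTEM.Name,
       SMS_R_SYSTEM.SMSUniqueIdentifier, SMS_R_SYSTEM.ResourceDomainORWorkgroup, SMS_R_SYSTEM.Client
from SMS_R_System
where SMS_R_System.OperatingSystemNameandVersion like "%Workstation 6.1%"
'@
New-CMDeviceCollection -Name 'Windows 7 Machines' -LimitingCollectionName 'All Systems' `
    -RefreshType Periodic | Out-Null
Add-CMDeviceCollectionQueryMembershipRule -CollectionName 'Windows 7 Machines' `
    -RuleName 'Windows 7 by OS version' -QueryExpression $wql

# Monthly step 2: remove expired and superseded updates from every group so no
# deployment keeps referencing content that the cleanup job is about to purge.
foreach ($group in Get-CMSoftwareUpdateGroup) {
    $name  = $group.LocalizedDisplayName
    $stale = @(Get-CMSoftwareUpdate -Fast -UpdateGroupName $name |
        Where-Object { $_.IsExpired -or $_.IsSuperseded })
    if ($stale.Count -gt 0) {
        Remove-CMSoftwareUpdateFromGroup -SoftwareUpdateGroupName $name `
            -SoftwareUpdateId ($stale | ForEach-Object CI_ID)
        "${name}: removed $($stale.Count) expired/superseded update(s)"
    }
}
```

Two things worth checking after a run: the group counts printed should match what the console search shows for the same criteria, and the cleanup loop should be run only after the monthly group for the current month has been created and deployed, so that a superseding update is already on its way out before the superseded one disappears from the older groups.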

Hi everybody

 

I am also currently working on a future implementation of SCCM2012 Software Updates in our environment.

Currently we do not have SCCM in place, so this gives me the advantage of starting from scratch.

 

We will not patch any non-MS products with SCCM, so this narrows it a bit down.

The focus is clearly set on Windows 7 and Office 2010.

Anyway, to me it seems like the implementation of Software Updates in SCCM2012 is terrible. This conclusion comes from the basic fact that it is simply a mess to work with efficiently.

 

Since we are migrating our whole environment from WXP to W7, we use a base image that includes all the needed software updates to the current date. This gives at least the advantage that all the OS-patches are installed at deployment time.

Building on this fact, we will simply patch the clients on a bi-monthly basis. We will not use ADRs, since I want to be 100% in charge of what, when, why, where and how.

 

Initially I have thought of the process as follows (Device Collections already created):

  1. Evaluate the needed software updates
  2. Create the corresponding Software Update Group(s) (eg. W7 Updates 2012-09 / O2012 Updates 2012-09)
  3. Download the software updates with the corresponding Deployment Package(s)
  4. Assign the software update groups to the Device Collection "Testing" (Phase0)
  5. Await feedback of test users
  6. Assign the software update groups to the Device Collection "Pilot" (Phase1)
  7. Await feedback of pilot users
  8. Assign the software update groups to the Device Collection "Production" (Phase2)

This is the basic software update cycle.

Now, because I do NOT want to have 12 Software Update Groups after one year, the idea is to create a Software Update Group as a "Software update archive" (one for W7 and one for O2010).

These "Software update archives" will be constantly on deployment to ensure compliance throughout the environment.

 

So, to make the "Software update archive" effective, the used updates (e.g. from W7 Updates 2012-09) get moved to the archive as the next rollout (e.g. W7 Updates 2012-10) is set into production (Phase3).

 

It is surely not an optimal process, but IMHO there is not an optimal process when using SCCM2012 Software Updates.

 

If anybody has some thoughts about this, please feel free to share.

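The cycle described in the post above (Phase0 test, Phase1 pilot, Phase2 production, then Phase3 folding the monthly group into a permanently deployed archive) as an added PowerShell example; this is not the poster's code. Assumed and not from the post: the site code "P01", that the "Testing", "Pilot" and "Production" collections and the "W7 Updates 2012-09" group already exist with their content downloaded, and that the console carries New-CMSoftwareUpdateDeployment (added in a later ConfigMgr branch; the 2012-era cmdlet was Start-CMSoftwareUpdateDeployment).

```powershell
# Added example, not the original poster's code. Assumes the ConfigMgr console
# PowerShell module, a hypothetical site code "P01", and existing collections
# "Testing", "Pilot" and "Production".
Import-Module "$($env:SMS_ADMIN_UI_PATH)\..\ConfigurationManager.psd1"
Set-Location 'P01:'

$monthly = 'W7 Updates 2012-09'
$archive = 'W7 Software update archive'

# Phases 0-2: one deployment of the same group per collection, each with its own
# deadline. In practice each call is made only after the previous phase is signed off.
function Start-Phase {
    param([string]$Group, [string]$Collection, [int]$DeadlineDays)
    New-CMSoftwareUpdateDeployment -SoftwareUpdateGroupName $Group -CollectionName $Collection `
        -DeploymentName "$Group -> $Collection" -DeploymentType Required `
        -AvailableDateTime (Get-Date) -DeadlineDateTime (Get-Date).AddDays($DeadlineDays) `
        -UserNotification DisplaySoftwareCenterOnly -RestartWorkstation $false | Out-Null
}
Start-Phase -Group $monthly -Collection 'Testing'    -DeadlineDays 3    # Phase0
Start-Phase -Group $monthly -Collection 'Pilot'      -DeadlineDays 7    # Phase1, after test feedback
Start-Phase -Group $monthly -Collection 'Production' -DeadlineDays 14   # Phase2, after pilot feedback

# Phase3: when the next month's group reaches production, fold this month's still-current
# updates into the archive group and retire the monthly group. The archive's deployment
# to Production is what catches a machine that was away for months, so it is created
# before the monthly group is removed and is never deleted.
function Move-ToArchive {
    param([string]$From, [string]$To)
    $ids = @(Get-CMSoftwareUpdate -Fast -UpdateGroupName $From |
        Where-Object { -not ($_.IsExpired -or $_.IsSuperseded) } |
        ForEach-Object CI_ID)
    if (Get-CMSoftwareUpdateGroup -Name $To) {
        # Updates added to an already deployed group are picked up by its deployment.
        if ($ids.Count -gt 0) { Add-CMSoftwareUpdateToGroup -SoftwareUpdateGroupName $To -SoftwareUpdateId $ids }
    } elseif ($ids.Count -gt 0) {
        New-CMSoftwareUpdateGroup -Name $To -UpdateId $ids | Out-Null
    }
    if (-not (Get-CMSoftwareUpdateDeployment -Name "$To -> Production")) {
        # A deadline that is soon in the past from a returning client's point of view
        # means "install as soon as the machine is seen again".
        New-CMSoftwareUpdateDeployment -SoftwareUpdateGroupName $To -CollectionName 'Production' `
            -DeploymentName "$To -> Production" -DeploymentType Required `
            -AvailableDateTime (Get-Date) -DeadlineDateTime (Get-Date).AddDays(7) `
            -UserNotification DisplaySoftwareCenterOnly -RestartWorkstation $false | Out-Null
    }
    # Deleting the group also deletes its three phase deployments, which is safe only
    # once the archive deployment above covers the same updates.
    Remove-CMSoftwareUpdateGroup -Name $From -Force
    "${From}: $($ids.Count) update(s) moved to '$To', group removed"
}
Move-ToArchive -From $monthly -To $archive
```

One limit to plan for: Configuration Manager 2012 refuses to deploy a software update group that holds more than 1000 updates, so a single all-time archive will stop working after a few years of Windows 7 patches. Splitting the archive by year (or by the base image date, since updates baked into the image are already on every freshly deployed client) keeps each deployed group under the limit.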

The layout I am trying to do is the following being a small shop.

 

For compliance I would like to have the monthly updates downloaded to the WSUS server.

 

Create the following ADRs:

EndPoint Protection Definition Updates

Patch Tuesday Pilot

Laptops/Desktops

All Servers

 

The question I have is can I download all the updates for the month then have my ADRs grab the updates from that folder for compliance?

 

I do not want to download the same updates to different folders per ADR/Software Update Group. That does not seem ideal and is a lot of overhead.

It is supposed to be automatic, right?

 

For the All Servers ADR I do not want it to install the updates automatically so is there a way not to install the updates but advertise to the Servers that there are updates on the network?

 

I manually schedule the updates for the servers because we have several jobs that run during the night that need these servers up and running.

Being a small shop it is not much hassle updating 5 or so servers manually.

 

Then I would like to set up a way to somehow remove updates that are 3 months old, to reduce the size of the DB.

As I research this issue I cannot find one guide on how to do any of these steps, just best-practice ideas, etc. I don't care about theory; I need a practical guide, as I am new to SCCM and our company never used anything like it until I got here. Once again, we are a small shop, so there wasn't a need at the time. However, we are starting to grow and I am trying to reduce the overhead of performing multiple tasks, to one day versus all week.

 

Thank you to the person that can assist us on this or point us to a guide. I know every company is different but I would like at least a basic how to on this is how you can do this or this is where you do that, etc.


"I do not want to download the same updates to different folders per ADR/Software Update Group. That does not seem ideal and is a lot of overhead.

It is supposed to be automatic, right?"

As far as I understand your question: you define the download location by defining a Deployment Package. When creating an ADR you can choose a certain Deployment Package, so the updates get downloaded to this location.

"For the All Servers ADR I do not want it to install the updates automatically, so is there a way not to install the updates but advertise to the servers that there are updates on the network?"

Yes, there is. For example, you can set the generated Deployments to not "enable the deployment after this rule is run".

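Both answers above, put into a script as an added example (not code from either poster): two ADRs from the earlier post's list share one Deployment Package, so the month's content is downloaded once, and the "All Servers" rule leaves its deployment disabled so servers evaluate and report the updates but nothing installs until an admin enables the deployment in a maintenance window. Assumed and not from the thread: the site code "P01", the package name and UNC share, the "Patch Tuesday Pilot" and "All Servers" collections, the product and classification filters, and the second-Wednesday schedule (the day after Patch Tuesday).

```powershell
# Added example, not code from the original posts. Assumes the ConfigMgr console
# PowerShell module, a hypothetical site code "P01", a hypothetical share for the
# package source, and existing collections "Patch Tuesday Pilot" and "All Servers".
Import-Module "$($env:SMS_ADMIN_UI_PATH)\..\ConfigurationManager.psd1"
Set-Location 'P01:'

# One Deployment Package = one download folder. Every ADR below references it
# instead of creating its own copy of the same month's content.
$pkgName = 'Monthly Updates'
$pkgPath = '\\sccm01\Sources\Updates\Monthly'    # hypothetical share
if (-not (Get-CMSoftwareUpdateDeploymentPackage -Name $pkgName)) {
    New-CMSoftwareUpdateDeploymentPackage -Name $pkgName -Path $pkgPath | Out-Null
}

# Second Wednesday of each month at 02:00, i.e. the night after Patch Tuesday,
# which leaves the software update point time to sync the new catalog first.
$schedule = New-CMSchedule -Start (Get-Date '2012-09-12 02:00') -DayOfWeek Wednesday -WeekOrder Second

# Pilot: the rule runs on schedule, its deployment is enabled straight away, and the
# pilot machines get a 7-day deadline for anything released in the last month.
New-CMSoftwareUpdateAutoDeploymentRule -Name 'Patch Tuesday Pilot' `
    -CollectionName 'Patch Tuesday Pilot' -DeploymentPackageName $pkgName `
    -AddToExistingSoftwareUpdateGroup $false `
    -RunType RunTheRuleOnSchedule -Schedule $schedule `
    -Product 'Windows 7' -UpdateClassification 'Security Updates','Critical Updates' `
    -DateReleasedOrRevised Last1Month -Superseded $false `
    -DeployWithoutLicense $true `
    -EnabledAfterCreate $true `
    -AvailableTime 0 -AvailableTimeUnit Hours -DeadlineTime 7 -DeadlineTimeUnit Days `
    -UserNotification DisplaySoftwareCenterOnly -SuppressRestartWorkstation $true | Out-Null

# Servers: same package and same monthly window, but the deployment the rule creates
# is left disabled (-EnabledAfterCreate $false). The group and its content still exist,
# clients still scan and report compliance against the synced catalog, and the admin
# enables the deployment by hand when the overnight jobs allow a restart.
New-CMSoftwareUpdateAutoDeploymentRule -Name 'All Servers' `
    -CollectionName 'All Servers' -DeploymentPackageName $pkgName `
    -AddToExistingSoftwareUpdateGroup $false `
    -RunType RunTheRuleOnSchedule -Schedule $schedule `
    -Product 'Windows Server 2008 R2' -UpdateClassification 'Security Updates','Critical Updates' `
    -DateReleasedOrRevised Last1Month -Superseded $false `
    -DeployWithoutLicense $true `
    -EnabledAfterCreate $false `
    -SuppressRestartServer $true | Out-Null

# Each scheduled run creates a fresh group named after the rule and the run date; list
# them to see which server deployments are still waiting to be enabled.
Get-CMSoftwareUpdateGroup | Where-Object { $_.LocalizedDisplayName -like 'All Servers*' } |
    Select-Object LocalizedDisplayName, DateCreated, NumberOfUpdates
```

Because both rules point at the same package, the second rule to run finds the content already present and only downloads what the first did not match. The `-AddToExistingSoftwareUpdateGroup $false` setting is what makes each monthly run its own group; switching it to `$true` gives the single growing group the first post in this thread worries about, with the 1000-update deployment limit of ConfigMgr 2012 to keep in mind.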
