anyweb

using System Center 2012 Configuration Manager - Part 9. Deploying Monthly Updates


ADR works fine but there seems to be an issue with excluding updates. I don't wanna let the Internet Explorer 9 updates through. I use the Title=-"Internet Explorer 9" or Title=-Internet Explorer 9; neither one of them works.

Does anyone have an idea of the syntax I should use?

I do a workaround by setting the custom severity to low for IE9, and on the ADR I ask only for those with custom severity set to NONE. Not really automatic... Works much better in WSUS...

Thanks a lot for your help


Stupid questions:

 

So if we create an automatic task to deploy the fat Tuesday updates every month, how will you catch the updates from previous months since the OSD image was created retroactively?

 

It seems to me it would only deploy the current month.

 

Also, you have it configured to deploy all of the updates for Windows 7 in your example, but does that cover all of the MS products that may be in your environment or do you have to create separate product tasks?

 

Thanks!

 

 

Products: Do I need to create another ADR for Bing Bar, and one for Forefront Client Security... Each Microsoft Product with its own ADR and its own collection?

 

I am tempted to find a way to schedule a daily rule to approve and download those updates that show as "Required."


ADR works fine but there seems to be an issue with excluding updates. I don't wanna let the Internet Explorer 9 updates through. I use the Title=-"Internet Explorer 9" or Title=-Internet Explorer 9; neither one of them works.

Does anyone have an idea of the syntax I should use?

I do a workaround by setting the custom severity to low for IE9, and on the ADR I ask only for those with custom severity set to NONE. Not really automatic... Works much better in WSUS...

 

Thanks a lot for your help

 

 

I created a folder for "Delayed" updates and moved Internet Explorer 9 to the sub folder. The ADR rules do not apply to the sub folders.

 

This may not be the "right" answer, but it is working in my test environment.


I have a question on the Evaluation schedule and the Deployment Schedules and how they interact.

 

When you set your custom schedule to have the ADR run on Patch Tuesday, there are 2 dates: the START date, which is when the rule goes into effect, and the Recurrence pattern, which tells it to run on the 2nd Tuesday every month going forward. The Deployment Schedule, which is when the updates are to be available for install, might have a delay of 10 days. But that 10 days is based on the START date, not the run date. So I might create my rule on April 1, schedule it to run on April 7, and deploy after 10 days. But that means my deployment date is April 10.

I had THOUGHT that the ADR runs again every month and pushes out a new deployment on that month. But if I'm understanding this right now, this means the ADR is really just updating an existing package/deployment and setting a 're-run' deployment flag on the clients to re-run that package again every month. So, the deployment schedule on ADRs is NOT a repeating schedule like the eval is. It's a one-time-only delay that applies only the first time the rule is run.

This means that if I want to wait 1 week to deploy packages from Patch Tuesday, the ONLY way I can manage this is to set maintenance windows every month for 1 week after Patch Tuesday. If I do not have maintenance windows in place, patches will install on workstations immediately after the rule runs and the updates become available to workstations next month.

 

Am I reading this right?


I set up the ADR per the instructions in this posting. All seemed to be going well... workstations started to download the updates at the end of the day. This morning, most of the PCs have downloaded the updates, but not a single one has installed them. I rebooted my PC to see if it would help. It did not. I ran an update check and it says I am up to date. (Wireshark confirms it's going to the SCCM server). I confirmed that SCCM thinks I have fully downloaded the updates. I then went out to Microsoft to check for my updates, and sure enough I still need the same updates that I downloaded from the SCCM.

 

Questions:

1. Where on the PC are the updates downloaded to? - They do not seem to be in the SCCM cache

2. Why are some still downloading updates after 8+ hours? - XP had a much smaller update total size, had fewer PCs to download to but none say downloaded. (I reran a summary and did a refresh several times)

3. What triggers the install of these updates? - An update check thinks I am up to date (Wireshark confirms it's going to the SCCM server).

4. Once this is working, will I have to do anything else on each patch Tuesday?

 

Thank you,

 

C68

 

 

Edit: I am also seeing a weird, possible error, in Wireshark.


My Windows 7 machines have downloaded the updates and will start to install them next week.

Windows XP says it is still downloading the updates, which were a lot fewer in size and count than 7, but not a single XP box has the updates in the ccmcache. There were 6 updates for about 33 megs that started to download two days ago over a GB connection. Still the folders in the ccmcache are empty for that day. (6 of them).

 

What gives?


Thanks for taking the time to write this guide, it was quite helpful and easy to grasp.

 

I have made some minor changes to suit my purpose by deploying the update to a master collection (prefixed with ADR) which includes the second set of collections below. This allows me to distribute the updates to test systems automatically as well as production systems based on their maintenance windows.

 

ADR:Software Updates - Windows Server 2008 R2

 

_Preproduction ADR:Software Updates - Windows Server 2008 R2 Automatic

Software Updates - Windows Server 2008 R2 Automatic

Software Updates - Windows Server 2008 R2 Maintenance Window [Fri 10pm - 4am]

Software Updates - Windows Server 2008 R2 Maintenance Window [Sat 10pm - 4am]

 

I do however have a question in regards to the best practice for systems that require manual interaction. Would I ...

 

1) Update the existing software update group and create a new deployment, and set the deployment to be available rather than required?

2) Create a new ADR with a deadline of 30 days and uncheck default behavior settings for software installation and check to suppress restarts?

3) ???

 

I am more inclined to use process 1 as that is the simplest to manage unless there is an easier way.

 

These updates would target the following collection: Software Updates - Windows Server 2008 R2 Manual


Silly question, and maybe I missed a post... In SCCM 2007 we had our monthly patch collections structured in groups, i.e.

 

Group 4

- Office 1

- Office 2

Group 3

- Office 3

- Office 4

Group 4

- Office 5

 

And we would push our monthly updates to group 4, group 3 etc.

 

In SCCM 2012 we are now unable to create sub collections. Does that now mean that if we want to accomplish the same task we need to break out each office into individual collections?


ADR works fine but there seems to be an issue with excluding updates. I don't wanna let the Internet Explorer 9 updates through. I use the Title=-"Internet Explorer 9" or Title=-Internet Explorer 9; neither one of them works.

Does anyone have an idea of the syntax I should use?

I do a workaround by setting the custom severity to low for IE9, and on the ADR I ask only for those with custom severity set to NONE. Not really automatic... Works much better in WSUS...

 

Thanks a lot for your help

 

Does anyone have a solution? I am having the same problem. I have tried everything to exclude some items and it does not work.

 

I have set the search text for title to be:

 

-"Beta" and -"Malicious" and -"Internet Explorer 10"

 

However, I still get the same list of updates with or without the search text setting.


I'm making an assumption that when creating the ADR and I get to the Download Location settings that I would want to download software updates from the internet or is there a location that should already contain those updates from the WSUS setup? These guides have been extremely helpful. Thanks.
