Jump to content




anyweb

using System Center 2012 Configuration Manager - Part 9. Deploying Monthly Updates



Recommended Posts

Hi anyweb,

 

First of all... GREAT guides!

 

Small question, any idea when this part is coming:

 

 

and I'll explain how we can patch our servers using Maintenance windows

Share this post


Link to post
Share on other sites


I noticed that when I run (Run Now) the ADR everything seems to work fine but when I look under "Software Update Groups" I do not see that it was created. If it is not created will it prevent clients from downloading updates? Also it will prevent me from measuring compliance, right?

Share this post


Link to post
Share on other sites

Hi anyweb,

 

First of all... GREAT guides!

 

Small question, any idea when this part is coming:

 

thanks,

the maintenance windows post will come in the future when i get time, but the next post i've planned is for updating the CAS/Primaries/Clients to SP1, so please be patient, each and every guide I do can take days of work and it's all done in my spare time...

  • Like 1

Share this post


Link to post
Share on other sites

Another query:

How do I send the same ADR to another collection. I have office 2013 updates that at the moment are deployed via ADR to my windows 7 collection, I also want to deploy this ADR to my windows8 collection.

 

Do I have to create another ADR and point it to the office 2013 update source directory(that was created from my windows7 ADR) and then deploy this new ADR to the windows8 collection. Will this work, 2 ADRs' using the same source directory??

 

Thanks

 

 

First of all thank you for this and the other guides they have been extremely useful.

 

I am also interested in knowing if this is possible.

 

Currently I have my ADR(s) pointing to my Systems collection. As I would also like to deploy software updates as part of a PC image Deployment Task

Sequence I need to be able to deploy this/these to the "Unknown Computers" collection.

 

So pretty much the same questions as 'Rocket Man' Is there a way to do this or do I need create a duplicate ADR? If I have to create a duplicate ADR can I point this to the same share for package source?

 

Thanks

Share this post


Link to post
Share on other sites

I noticed that when I run (Run Now) the ADR everything seems to work fine but when I look under "Software Update Groups" I do not see that it was created. If it is not created will it prevent clients from downloading updates? Also it will prevent me from measuring compliance, right?

 

Ok, I now understand what my issue is here. The reason the Software Update Group (SUG) is not being created is because of the "Last 1 day" setting in the guide. There has been not updates released in the last day so there was nothing to add to the SUG. I changed this setting to the last year and as expected there were lots of updates and the SUG was created.

 

This gives rise to a few more questions:

 

1. The "Last 1 day" selection in the guide captures the updates released the prior day (Patch Tuesday) and creates a SUG for the new updates. I suppose that from the guide's stand point your system are currently all patched up to the date of implementing the ADR. My thought is that you have another means of capturing needed updates that are outside of the current monthly cycle.

 

2. What do you think about when creating the ADRs the first time you actually create the SUG for the past year to capture older updates and then change it to the recommended/desired date range? eg. Past week or month.

 

3. On this same step is there any pro or con to selecting "Superseded = NO?" It seems like that would weed out unneeded patches being downloaded.

 

It's exciting when the light bulb goes on. :) I just might become a respectable SCCM admin if I keep this up.

Share this post


Link to post
Share on other sites

Another query:

How do I send the same ADR to another collection. I have office 2013 updates that at the moment are deployed via ADR to my windows 7 collection, I also want to deploy this ADR to my windows8 collection.

 

Do I have to create another ADR and point it to the office 2013 update source directory(that was created from my windows7 ADR) and then deploy this new ADR to the windows8 collection. Will this work, 2 ADRs' using the same source directory??

 

Thanks

 

I was pulling my hair off too regarding this problem. But the solution is pretty easy. Create a unique collection for every ADR and then just add every collection you want to receive this rule as a memeber.

This way you will not have the unnecessary overhead of duplicates.

Share this post


Link to post
Share on other sites

Stupid questions:

 

So if we create an automatic task to deploy the fat Tuesday updates every month, how will you catch the updates from previous months since the OSD image was created retroactively?

 

It seems to me it would only deploy the current month.

 

Also, you have it configured to deploy all of the updates for Windows 7 in your example, but does that cover all of the MS products that may be in your environment or do you have to create separate product tasks?

 

Thanks!

Share this post


Link to post
Share on other sites
Hi


Apologies if this has already been covered elsewhere, I'm struggling to find an answer and thought I'd ask.


If I'm using ADRs for patch Tuesday against collections with a mix of 2008R2 and 2012 servers, are there any issues with deploying patches for both servers versions in the same ADR that would cause me major pain? I'm assuming the client works it out, but I haven't found anything yet to tell me how the client determines which patches in a deployment to download and deploy.


Thanks


Greg

Share this post


Link to post
Share on other sites

 

Hi
Apologies if this has already been covered elsewhere, I'm struggling to find an answer and thought I'd ask.
If I'm using ADRs for patch Tuesday against collections with a mix of 2008R2 and 2012 servers, are there any issues with deploying patches for both servers versions in the same ADR that would cause me major pain? I'm assuming the client works it out, but I haven't found anything yet to tell me how the client determines which patches in a deployment to download and deploy.
Thanks
Greg

that should work ok, however measuring compliance on that ADR will be more challenging as you are mixing updates in the same ADR, if you dont care about compliance and reporting then you should be ok, or if you think 'general' compliance is good enough.

 

Normally with servers you want to have a clear picture of what servers are patched (compliant) versus those that are not,

 

in addition to the above, the Configuration Manager client knows which software updates to isntall even if you offer it windows updates from another OS altogether.

Share this post


Link to post
Share on other sites

Thanks Anyweb. I hadn't really spent much time considering compliance reporting, but you've given me some food for thought there.

 

I appreciate the speedy helpful feedback - thanks again

 

Greg

Share this post


Link to post
Share on other sites

 

I was pulling my hair off too regarding this problem. But the solution is pretty easy. Create a unique collection for every ADR and then just add every collection you want to receive this rule as a memeber.

This way you will not have the unnecessary overhead of duplicates.

 

Thanks Peter, it does make sense when you think of it......... will try these custom ADR collections.

Not worth the risk of pointing 2 ADRs to the same source folder, it possibly may work but at the moment I have no test sites to test this at, and to be honest your suggestion sounds more practical and logical!! :D

 

Thanks

Share this post


Link to post
Share on other sites

Just a suggestion, but couldn't we manually create the Deployment Package instead of creating an entire ADR just to create it? Is there any benefit to having an ADR create it instead?

  • Like 1

Share this post


Link to post
Share on other sites

Do you mean create a SUG first then a deployment package?

This will leave it that the Deployment Package will only have the updates that you have specified and will never pull down any new ones automatically into it.

 

With an ADR you have evaluation cycle, filters, deployment all automated and depending on what filters you specify depends on what new updates gets automatically added to the deployment package and deployed at specified times i:e monthly, weekly, daily. This is all automated and the best way to do it!!

Share this post


Link to post
Share on other sites

First of all great tutorial many thanks for your hard work :)

 

Now the question i've created the ADR then disabled it en recreate the new once just you sad in this tutorial.

"retire it by right clicking on the rule and select Disable and create a new ADR"

 

But must I run the recreated ADR "run now" for one time or does it start by itself? and leave it enabled.

 

TIA,

Harmen

Share this post


Link to post
Share on other sites

 

First of all great tutorial many thanks for your hard work :)

 

thanks, always appreciated to hear that,

 

 

But must I run the recreated ADR "run now" for one time or does it start by itself? and leave it enabled.

 

the new one will run by itself on a schedule, you can run now if you want it to run immediately however, and yes you leave it enabled

Share this post


Link to post
Share on other sites

Just a suggestion, but couldn't we manually create the Deployment Package instead of creating an entire ADR just to create it? Is there any benefit to having an ADR create it instead?

 

I second this. I made some mistakes when I was creating these templates initially and I saw how these deployments were already created from previous attempts, so I just re-used them. Seems like it's a cleaner to create a deployment first, then an ADR, rather than having to go through the ADR wizard twice (albeit using a template the second time to save some steps) and then have a bunch of disabled ADRs in the console to scroll by.

 

I also found I triggered a weird error where the console crashes (.NET runtime error) when I tried to select a template.

 

But shouldn't creating a deployment then an ADR be just as good as doing ADR twice? Thanks in advance for your advice on this.

Share this post


Link to post
Share on other sites

you can do it whatever way works best for you, i'm only showing you the way I do it, if your method works, then use it (and blog it !), i'm happy to link to it here.

Share this post


Link to post
Share on other sites

you can do it whatever way works best for you, i'm only showing you the way I do it, if your method works, then use it (and blog it !), i'm happy to link to it here.

 

I get that. I just wanted to make sure I wasn't missing out on something compared to the way you do it. But cool, thank you for that. Maybe I will blog one of these days. :-)

Share this post


Link to post
Share on other sites

Excellent tutorial. It helped me get started with this months patching.

 

My experience with 2012 is about a month old so forgive me if this is already covered.

 

Current Setup

 

I have multiple collections for Software Updates: Windows Server 2008 with various maintenance windows in each of them.

 

WS2008 Automatic

WS2008 MW 1

WS2008 MW 2

WS2008 MW 3

WS2008 Manual

 

I have one ADR that will download all Windows Server 2008 patches that are required on at least one (1) system, not superseded and not expired. This ADR deploys the patches to my Automatic collection for systems that can be patched at any time.

 

My understanding is that the ADR will evaluate each collection and only download/deploy the updates required for that collection based on my criteria above

 

Is there an efficient way to download/deploy the patches to the other collections while ensuring a minimal footprint and automating the process? Do I simply create an ADR for each collection? Will the updates not get duplicated if using multiple or is it a single shared repository of updates?

Share this post


Link to post
Share on other sites

This is a similar question to what I had previously on the thread. The solution is to create an ADR collection, so you could have a server ADR collection, have one Deployment package with all server OS filtered in it and whatever other filters and then deploy this to the server ADR collection.

Just include your different server collections to the server ADR collection thus achieving minimal ADRs

Share this post


Link to post
Share on other sites

Alright, I thought about doing that but wanted to confirm if the deployments will still adhere to the maintenance windows of the included collections?

Share this post


Link to post
Share on other sites

A Maintenance Window always applies to all the machines in the collection. It doesn't matter if the deployment is connected to a different collection, with the same machine, because the Maintenance Windows still count.

Share this post


Link to post
Share on other sites

First of all, great job this is definitely the best SCCM blog I've found.

 

I am having trouble with deploying updates, the clients deployment status shows this:

 

Status: Failed to install update(s)

Error Code:0x80070005

Error Description:Access is denied.

 

Last Enforcement State: Failed to install update(s)

Last Enforcement Error Code:0x80070005

 

http://ioan.in/N2EG

 

I have a permission problem somewhere :(

 

On the clients I get:

 

Failed to download contents for update 1a571c03-31b3-440e-87ee-d4952f090d03.

 

Bundle update "20b340d0-2c5e-4600-8095-f7a5e403f1a2" failed to get content for update "cb2c36a8-437a-4be5-9780-571301b7e53f". Please check the enforcement status of update "cb2c36a8-437a-4be5-9780-571301b7e53f" to get further details.

 

Updates advance download job completed with failure for assignment {d1325882-d2d1-49c8-9e18-127f7cf51176}.

 

Any hints on this are greatly apreciated :D

Share this post


Link to post
Share on other sites

I have Stand-Alone Primary Server for SCCM 2012.

 

This is a nice step-by-step guide in here but I am not sure, it applies for stand-alone primary server. I am also not sure, if I run the PS to create Folder and collections, what may go wrong.

 

 

Can anyone please guide (step-by-step, if possible) me through to

 

 

a. Manage Monthly Windows backup, for Client OS and Server OS in monthly maintenance window or 2nd Tuesday of every month with ADR

 

 

b. Non Microsoft Update (Adobe, dell etc)

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now


×