Comments on A Cup of IT: SCCM: How to structure Software Updates
Feed author: ZeusABJ. Feed updated: 2023-06-16T08:21:16.286-05:00

ZeusABJ (2018-02-19T12:38:20.693-06:00):
Agreed!

Dan (2018-02-17T18:26:01.530-06:00):
I manage a 10k client environment... mostly win10...

I have 3 basic SUGs. Apps, workstation and server. 2 copies of each... one for current month and the other previous.

This keeps me under the 1k limit easy... usually around 500 each.

I then deploy apps+workstation to all workstations and apps+server SUGs to servers.

Depending how controlled your environment and imaging is you could cut older updates and redeploy if they are ever needed again.

ZeusABJ (2017-10-04T20:57:02.974-05:00):
No problem, best of luck to you Craig.

Craig (2017-10-04T20:34:19.594-05:00):
Thanks ever so much for that :)

ZeusABJ (2017-10-01T19:02:34.979-05:00):
Hi Craig,

Well my company is actually fairly small and we only have a single cluster that consists of two physical servers (everything else is virtual). So I'm probably not the right person to ask about that, but (basically) what I do is set those servers to auto-install/manual reboot. Once our deadline hits I wait an hour or so, remote into Server B and reboot it. I then wait for Server B to recover. Once it's back up I remote into Server A, roll the services to Server B, reboot Server A and wait for Server A to recover. The next month I flip that process. You probably have a more complex environment than that. If so I'd recommend looking into a recent SCCM feature called "Cluster-Aware Updating (CAU)". I think it only works with Server 2012 R2 and higher so if you are on anything earlier than that it may not be an option, but (point being) SCCM has some options for you on that front.

Craig (2017-10-01T18:11:33.759-05:00):
Hi ZeusABJ,

Fantastic job on this blog post. I was wondering how you manage Server reboots and especially Servers in clusters? Do you manually manage all server reboots or do you have some automation in place?

Thank you very much in advance
Craig

ZeusABJ (2017-08-07T12:22:35.031-05:00):
Glad you found it useful!

Anonymous (2017-08-07T02:43:05.268-05:00):
I agree with every line you've written in this post and have been implementing the same methodology on many customer sites. If only I had seen this back in the day, it would have saved me a LOT of head scratching :)

ZeusABJ (2017-07-27T15:48:16.360-05:00):
Hi BarryS,

Well first there is no such thing as an "archiving deployment job", I just refer to a SUG that contains updates I have previously deployed as an "Archive SUG". As for a job that deploys "forever", well any deployment you never delete (technically) runs "forever" so there you go.

So in a nutshell just create a SUG containing all the updates you have already deployed to all your systems and leave it deployed indefinitely. There's your "archiving deployment job that will run forever."

Easy! ;)

BarryS (2017-07-27T14:00:42.441-05:00):
I am new to SCCM and do not know how to create an archiving deployment job that will run forever. I created a deployment job but it finished and is no longer listed on the SUP.

Anonymous (2017-05-15T15:27:24.809-05:00):
This comment has been removed by a blog administrator.

ZeusABJ (2017-04-10T18:06:18.354-05:00):
I'm really not sure I'm qualified to answer that question as the highest server count I've ever had to deal with is 300. That being said I have dealt with client collections in excess of 2000. As for the reporting? That catches up when the database catches up. I usually wait 24-48 hours for my reports to catch up then I evaluate the results and take action if needed. Sorry, I know that's not much help but it's all I can give on this subject.

Unknown (2017-04-10T14:43:10.105-05:00):
I have a question. When our company was much smaller and had fewer servers years ago, all of the servers were bunched into one collection and patched at the same time each month, then a separate reboot program published out hours later. What we've noticed is that as the server count has increased over the years (hundreds more) this approach no longer is sufficient. Engineers wait up all night long for SCCM update reports to refresh and show accurate data as to what has patched and rebooted successfully as opposed to what still needs a reboot. Will the reports refresh faster if we patched into smaller collections for servers? What's a good number of servers to have in each collection to patch to? I hope that makes sense.

ZeusABJ (2017-03-22T22:30:29.016-05:00):
Nice, thanks for the follow-up Matt.

Matt (2017-03-21T23:12:09.202-05:00):
So after a month of testing, here's the results:
If you are doing a simple deployment such as to all workstations / servers etc. then using 1 deployment package / Static SUG works fine. The behaviour is pretty much exactly like deploying SCEP / Defender updates. The SUG will only ever have a handful of updates while older ones are expired and should be automatically cleaned up by SCCM eventually.
ADR will run, SUG / Package will update with new patch list, deployment will commence.

However, if you are going to do a staged deployment, e.g. Pilot Workstations then Prod Workstations or Dev Servers then QA then Prod via configuring additional deployments for the ADR, this approach won't work unless you manage to deploy everything prior to the next scheduled run time of the ADR. This is because if you have additional deployments configured, when the rule is run again, the SUG and package is updated which will then deploy to any previous additional deployments that were triggered which obviously isn't good if you are trying to enforce a Dev->QA->Prod deployment method using additional deployments.

Hopefully that makes sense! Based on the above I have configured my environment as per the below:

All ADRs create a new SUG and use an existing Package. SUGs will still need to be manually deleted as they empty out (patches expire and get removed). My ADR SUGs use a filter by product and where required is more than 0 (to cover multiple branches / channels of the product) with superseded and expired set to No.

Workstations:
ADR to run on Patch Tuesday and deploy to pilot workstations +1 week after Patch Tuesday to allow time for patches to be pulled back by MS if there are issues.
Additional Deployment to Production Workstations +3 weeks after Patch Tuesday to allow 2 weeks testing in Pilot (I have an extended pilot as with the new cumulative update model you cannot uninstall individual patches, it's all or nothing).

Office 365 Client updates (Current Channel):
Exactly the same configuration as Workstation deployments.

Servers:
ADR to run on Patch Tuesday and deploy to pilot workstations +1 week after Patch Tuesday to allow time for patches to be pulled back by MS if there are issues.
Additional Deployments to deploy to QA servers +2 weeks after Patch Tuesday and Production +3 weeks after Patch Tuesday. The ADR then kicks off on the next Patch Tuesday and goes through the Dev->QA-Prod cycle again without affecting previous deployments.

ZeusABJ (2017-02-10T18:15:33.299-06:00):
Let me know how it works out. I bet (even with a simple environment like that) you still wind up needing some sort of system to break up the updates. I'm currently working on getting Windows 10 deployed on over 700 machines myself as well so maybe we'll both find out soon enough.

;)

Matt (2017-02-10T13:19:26.616-06:00):
Agreed, it all depends on the environment. In my situation it's all Windows 10, Office 365 and Windows Defender, all of which are Cumulative based updates now, so I would assume it would be safe to deploy in the manner I described above so long as we have a Static SUG with all previous updates prior to the Cumulative update strategy being made official. I do also include the Required >0 condition for updates so it covers Windows 10 machines that are being rolled up to the next release via a Deployment Ring.

ZeusABJ (2017-02-08T12:35:41.040-06:00):
Yes I've thought about this as well (as implied in my above 'August 19, 2016' reply) to a question posed by Andrew.
It would be wonderful if that were the case but (so far) most of the updates in my older SUGs have not been expired by Microsoft so I have left them in production. You also have to factor in all the other products serviced by Microsoft Update beyond just the OS (in our case Office, SQL Server, Dynamics CRM, etc). This may change at some point but (for now) I'm finding that my organizational structure is still needed (for us at least). The main point is to keep your SUGs under 1000 updates. That's the whole point of all of this.

I guess as with all things SCCM-based, the best solution probably depends on the environment in question.

Matt (2017-02-08T10:52:06.455-06:00):
Hi, so I'm curious, now that Microsoft have changed patching to Cumulative updates only, all of this would now technically be moot after Dec 2016 right? We should be able to compress this all down to 1 static SUG for every update up to the end of Dec 2016, then use a monthly ADR to use an existing package as Cumulative updates will supersede previous ones. Thoughts?

ZeusABJ (2016-10-15T11:21:51.212-05:00):
We control our server updates and reboots with a maintenance window. All our servers auto-update and auto-reboot the third Sunday of every month between 7PM-11PM (funny thing that's tomorrow night, in fact).

Anonymous (2016-10-14T12:31:24.475-05:00):
Are you only patching client OS? Just wondering about Year-Auto-No-Reboot on a server, that can't be good?

ZeusABJ (2016-10-06T12:45:23.502-05:00):
Hi Andrew. Unfortunately no, I have not encountered this issue. When I'm stumped I usually find my answers here:

https://social.technet.microsoft.com/Forums/en-us/home?category=systemcenter2012configurationmanager

Andrew (2016-10-05T12:37:34.523-05:00):
Hi Zeus,

I'm in the middle of testing out updates based on your methods and I'm having a strange issue. I've deployed all years' SUGs to a test collection. All except for the 2014 deployment is working. I've been scratching my head on this for days now and I can't figure it out. All of the SUGs and deployments are identical (except for the content of course), yet none of my Windows 7 test machines will download/install the 2014 updates.

The only error message I can see in any of the logs is in the WindowsUpdate.log:

2016-10-05 08:46:19:171 932 b98 Agent WARNING: Failed to evaluate Installed rule, updateId = {189A8F50-0C3A-4FDF-8BC2-BC23A3EB11FB}.101, hr = 80242013

This update ID points to KB982861 which isn't even in ANY of my SUGs so I'm not sure what's going on. These are brand new Windows 7 VMs.

The UpdatesDeployment.log sees that there are 313 updates, but it doesn't even bother downloading/installing them. There are no maintenance windows or anything and the deployment is configured for "Required - As soon as possible."

Have you ever seen anything like this?

Laxmi Rai (2016-09-06T06:49:41.423-05:00):
This comment has been removed by a blog administrator.

ZeusABJ (2016-08-19T09:35:09.779-05:00):
Windows N00b has a great article on this with screenshots:

https://www.windows-noob.com/forums/topic/4467-using-sccm-2012-in-a-lab-part-6-deploying-software-updates/