THIS PRESENTATION:

• WINDOWS UPDATES VIA AUTOMATIC DEPLOYMENT RULES

• BEST PRACTICES

SYSTEM CENTER CONFIGURATION MANAGER 2012 R2

Jodie Gaver

- Working with Configuration Manager since 2010- MCTS: Administering and Deploying System Center 2012 Configuration Manager - Windows Server 2008 Active Directory Configuration- MCP

Assuming Software Update Point Role and WSUS installed and functional

Role Installed on a Site Server Check Status of Role in Monitoring

Check the Wsyncmgr.log on the Primary Site Server

To set or check Software Update Component Properties

Choose to sync from the Internet or a WSUS Server

Choose the Software Update Classifications you need

Choose which Products you need

Choose which Products you need

Choose Supersedence Rules

* Changing this will force a full SUP sync

Creating an ADR (Automatic Deployment Rule) for Windows Updates

Right-click on Automatic Deployment Rules -> Create Automatic Deployment Rule

1. Name the Rule2. Select “Patch Tuesday” for Windows Updates

*Definition Updates is for Endpoint3. Specify the target collection for deployment (Test)4. Create a new Software Update Group

Leave the default to auto approve license agreements

Filter and select criteria for the updates

Time to “Preview” and see what updates will be included Check against double-reboot or other known issue updates

Be careful on the Installation Deadline - Restarts

What do you want the User to Experience? Or Not?

Alert Preferences

Software Update Download Behavior – Important for slow or unreliable networks

Create a new Deployment Package

Add a Distribution Point or Group

Specify download location or to get updates from the Internet

Confirm the Settings and choose if you would like to Save it as a Template

Let’s confirm the ADR created the Deployment Package and that it’s on the DP If all Green -> Right-click on the ADR

and “Run Now”

After running the ADR we can see there are new updates downloaded and deployed

Check the collection that the software updates have been deployed to via ADR & verify Updates are available

Looking good!

The Updates are now showing in the Software Center with the 14 day deadline we set

Best Practices for Software Updates – Windows Updates

• Create a new software update group each time an automatic deployment rule runs for “Patch Tuesday” and for general deployment.

• There is a limit of 1000 software updates for a software update deployment.

• When you create an automatic deployment rule, you specify whether to use an existing update group or create a new update group each time the rule runs.

• When you specify criteria in an automatic deployment rule that results in many software updates, and the rule runs on a recurring schedule, choose to create a new software update group each time the rule runs to prevent the deployment from surpassing the limit of 1000 software updates per deployment.

Best Practices for Software Updates - Endpoint

• Use an existing software update group for automatic deployment rules for Endpoint Protection definition updates

• Always use an existing software update group when you use an automatic deployment rule to deploy Endpoint Protection definition updates on a frequent basis. Otherwise, you will end up with hundreds of software update groups over time.

• Generally, definition update publishers set definition updates to be expired when they are superseded by 4 newer updates. Therefore, the software update group that is created by the automatic deployment rule will never contain more than 4 definition updates for the publisher (1 active and 3 superseded).

Best Practices for Software Updates

• Do not deploy software updates that require multiple reboots via task sequence

• Exclude updates that require multiple reboots from your operating system deployment collection if you are using the software update step in task sequences.

• Deploy these updates separately or add them to your images.

• If software updates that require multiple reboots are installed via task sequence installation will fail.

• See Microsoft KB2894518 for an updated list of software updates that require multiple reboots.

For questions or to subscribe:

www.thejodie.net

More on Best Practices for Configuration Manager 2012 Software Updates