- SCCM Software Update PART 1 – Introduction to SCCM and WSUS
- SCCM Software Update PART 2 – Software Update Point configuration
- SCCM Software Update PART 3 – Automatic Deployment Rules
- SCCM Software Update PART 4 – Create deployment packages manually
- SCCM Software Update PART 5 – Best practices
In this part I will create an Automatic Deployment Rule to update Windows Server 2012 R2. As a reminder, an Automatic Deployment Rule creates update packages automatically according to criteria such as release date, classification or language. The schedule for creating the update package can be configured in fine detail: for example, a package can be created automatically on the second Tuesday of each month. Once the package is created, it is automatically distributed to the distribution points and the servers install the updates during their maintenance windows. This update method should not be used on complex environments such as a Hyper-V cluster or an Exchange infrastructure; those environments need an orchestrator to avoid service downtime.
Create an automatic deployment rule
To create an Automatic Deployment Rule, open the SCCM console, go to Software Library, right-click on Automatic Deployment Rules and click on New:
I create an Automatic Deployment Rule called « Baseline – W2012R2 » using the Patch Tuesday template. The current configuration can be saved as a template at the end of the wizard. With the first option, SCCM automatically creates a new Software Update Group each time the rule runs. With the other option, a single Software Update Group is created and new updates are added to it; that means each deployment contains all the updates, including those already deployed. For Patch Tuesday, I recommend creating a new Software Update Group each time.
On the Deployment Settings screen, specify whether to use Wake-on-LAN (useless for servers, because 99% of the time they are always switched on). Next select the desired log detail level and how updates with a license agreement should be handled.
On the Software Updates screen, set the criteria that select the updates to add to the update package. In my example I choose updates that match these criteria:
- Released or revised in the last month.
- Updates targeting Windows Server 2012 R2.
- Updates in English.
- Updates classified as Critical Updates, Definition Updates, Security Updates, Update Rollups or plain Updates.
On the Evaluation Schedule screen, specify when the rule runs to build an update package. In my example, I run the rule on the second Wednesday of each month (in France the updates are available on Wednesday because of the time difference).
On the Deployment Schedule screen, specify when the update package becomes available and the installation deadline. These settings should mostly be configured according to the company security policy.
On the User Experience screen, set the client-side behaviour: the notification level displayed in Software Center, the behaviour when the deadline is reached, and whether to suppress the restart on specific device types such as servers.
The Alerts screen is really useful when Operations Manager monitors the IT infrastructure. It is possible to disable monitoring on the servers being updated and to generate alerts if an update fails. A report can also be generated in Configuration Manager.
The Download Settings screen configures the download behaviour of clients on a slow link (slow site boundaries in SCCM terms). For such clients, you can specify a fallback distribution point.
On the Deployment Package screen, you create your update package. You must specify a package source: the path where the update binaries are stored. A folder can't be used as the source of more than one package. If a deployment package already exists, you can select it instead.
On the Distribution Points screen, specify the SCCM distribution points to which the deployment package will be sent.
On the Download Location screen, select where the updates are downloaded from.
Then select the languages to download.
To finish, confirm the settings. Note that you can save your Automatic Deployment Rule as a template.
Once your Automatic Deployment Rule is created, it appears in the list. On the same line, you can see the last error. Here the rule has run without error.
After the Automatic Deployment Rule has run, the update package is created and deployed.
Then Software Center on the clients installs the updates during the maintenance window. Note that you can also install the updates manually.
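The same rule, built from the ConfigurationManager PowerShell module instead of the wizard, as an added example that is not part of the original post. Site code, collection name, package source path and distribution point are assumptions to replace with your own; the parameter names are those of New-CMSoftwareUpdateAutoDeploymentRule as documented for the module, so confirm them with Get-Help on your build.

```powershell
$SiteCode   = 'PS1'                               # placeholder site code
$Collection = 'SRV - Windows Server 2012 R2'      # assumed target collection
$PkgSource  = '\\sccm01\Sources\Updates\W2012R2'  # assumed package source (one folder per package)
$DP         = 'sccm01.contoso.local'              # assumed distribution point

# The module ships with the console; SMS_ADMIN_UI_PATH points at its bin folder.
Import-Module "$env:SMS_ADMIN_UI_PATH\..\ConfigurationManager.psd1"
Set-Location "$($SiteCode):\"

# Evaluation schedule: second Wednesday of every month, 08:00 local time.
$Schedule = New-CMSchedule -Start (Get-Date '2015-01-14 08:00') -DayOfWeek Wednesday -WeekOrder Second -RecurCount 1

$adr = @{
    Name                             = 'Baseline - W2012R2'
    CollectionName                   = $Collection
    AddToExistingSoftwareUpdateGroup = $false   # new Software Update Group on every run
    EnabledAfterCreate               = $true
    SendWakeupPacket                 = $false   # Wake-on-LAN is pointless for servers
    VerboseLevel                     = 'OnlySuccessAndErrorMessages'
    DeployWithoutLicense             = $true    # accept updates that carry a license agreement
    # Software Updates criteria, as in the wizard
    DateReleasedOrRevised            = 'Last1Month'
    Product                          = 'Windows Server 2012 R2'
    Language                         = 'English'
    UpdateClassification             = 'Critical Updates','Definition Updates','Security Updates','Update Rollups','Updates'
    RunType                          = 'RunTheRuleOnSchedule'
    Schedule                         = $Schedule
    # Deployment schedule: available immediately, deadline one week later (assumed policy)
    AvailableTime                    = 0
    AvailableTimeUnit                = 'Hours'
    DeadlineTime                     = 7
    DeadlineTimeUnit                 = 'Days'
    # User experience: notify in Software Center, never force a server reboot outside the maintenance window
    UserNotification                 = 'DisplaySoftwareCenterOnly'
    AllowRestart                     = $false
    SuppressRestartServer            = $true
    # Alerts: raise an alert on failure and pause Operations Manager monitoring during the deployment
    GenerateFailureAlert             = $true
    DisableOperationManager          = $true
    # Deployment package, distribution point and download location
    DeploymentPackageName            = 'Baseline - W2012R2'
    Location                         = $PkgSource
    DistributionPointName            = $DP
    DownloadFromInternet             = $true
    LanguageSelection                = 'English'
}
New-CMSoftwareUpdateAutoDeploymentRule @adr
```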
Very useful information, thanks.
Thank you, I appreciate it 🙂
How granular do you get? For example, do you differentiate Itanium, x64, and x86 (for legacy OSs)? Do you create one baseline for each OS? Also, what do your device collections look like? In other words, do you apply the baseline on a per-OS basis, or do you follow a lifecycle of, say, “Lab –> test –> Production” on an OS-by-OS basis? Good article — appreciate it
Hi Steve,
In the automatic deployment rule you can add Itanium, x64 or x86 updates. The target operating system will download and install the updates matching its architecture.
I create one baseline for all OSs. As above, the target operating system will download and install the updates matching its version. Next you can create a collection per environment (LAB, VAL, PROD). Then you play with maintenance windows to apply the patches in the right order.
Hope I have helped you.
Great feedback — thank you Romain!
If you have the sync schedule for the second Wednesday, sometimes that is before the second Tuesday, so that schedule doesn’t work well – don’t know what the best solution is. Run manually or use a PowerShell script?
Hi Andrew,
When it is this kind of month, I run the synchronization manually. I think this kind of month, where the second Tuesday is after the second Wednesday, occurs one time per year.
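As an added example (not from the post or the commenters), the following PowerShell lists, for a given year, the months in which a "second Wednesday" evaluation schedule would run before Patch Tuesday (the second Tuesday), which happens whenever the 1st of the month is a Wednesday, and shows the date a "second Tuesday plus one day" schedule would use instead. It needs no SCCM module.

```powershell
function Get-NthWeekdayOfMonth {
    param(
        [int]$Year,
        [int]$Month,
        [System.DayOfWeek]$DayOfWeek,
        [int]$N
    )
    $first = New-Object -TypeName DateTime -ArgumentList $Year, $Month, 1
    # Days from the 1st to the first occurrence of the wanted weekday (0..6)
    $offset = ([int]$DayOfWeek - [int]$first.DayOfWeek + 7) % 7
    return $first.AddDays($offset + 7 * ($N - 1))
}

function Test-AdrScheduleDrift {
    param([int]$Year)
    foreach ($m in 1..12) {
        $patchTuesday = Get-NthWeekdayOfMonth -Year $Year -Month $m -DayOfWeek Tuesday   -N 2
        $ruleRun      = Get-NthWeekdayOfMonth -Year $Year -Month $m -DayOfWeek Wednesday -N 2
        [pscustomobject]@{
            Month        = $patchTuesday.ToString('yyyy-MM')
            PatchTuesday = $patchTuesday.ToString('yyyy-MM-dd')
            SecondWed    = $ruleRun.ToString('yyyy-MM-dd')
            # The rule fires six days before the updates exist, so the package is empty
            RunsTooEarly = ($ruleRun -lt $patchTuesday)
            # What a "second Tuesday, offset one day" schedule would run on instead
            OffsetRun    = $patchTuesday.AddDays(1).ToString('yyyy-MM-dd')
        }
    }
}

# Show only the problematic months for the two years after this post (constructed sample range)
foreach ($y in 2015, 2016) {
    Test-AdrScheduleDrift -Year $y | Where-Object { $_.RunsTooEarly } | Format-Table -AutoSize
}
```

Newer ConfigurationManager builds can express the corrected schedule directly with New-CMSchedule -DayOfWeek Tuesday -WeekOrder Second -OffsetDays 1, so the rule always evaluates the day after Patch Tuesday.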
Will the ADR only make the software available to the device collection based on the Maintenance Window set for that collection? For example, my ADR ran at 9am, and under Deployment Schedule -> Software available time -> ASAP, but the Maintenance Window on the Collection is set for 5pm-6pm. Will I see the software in Software Center after 9am, or at 5pm?
Hi,
From my understanding of maintenance windows, they affect only the machine reboot and the time when the deployment occurs. So in your case, the Automatic Deployment Rule runs at 9AM. SCCM and WSUS check if there are new available updates matching your filter and update the Software Update Group. Then the Software Update Group is distributed to the distribution points. Next, the machines download the new updates. To finish, the servers apply the updates during the maintenance window and reboot during the maintenance window (even if you configure ASAP).
Cheers, Romain.