How to Deploy Software Updates Using Microsoft SCCM (ADRs, Update Groups, and More)

Hi, my name is Justin Chalfant. I'm the engineering lead at Patch My PC. We develop a third-party patch management solution for Microsoft SCCM. Prior to my current role I was also a Premier Field Engineer at Microsoft supporting SCCM. In this video I'm gonna be covering the fundamentals around software updates in SCCM. I'm actually going to cover a lot of the processes that I would use in the structure that I would use when I would go on sites to different customers when I was a PFE for Microsoft, so hopefully this might be helpful for you. This will be great for beginners if you haven't started using software updates, and it might also be helpful for those of you who are experienced, to give you more information, for example, about how we can do things like organizing our collections and maintenance windows so we can make use of ADRs for staging our updates out in a way that will work very well.

So we're gonna go ahead and get started. This does assume that you have a software update point installed within your site, so we'll go quickly review some of the settings that I have going on. If you don't have that, I'll link out in the description and the accompanying blog post to a video that we did that describes installing the software update point. So what we've got here: we're synchronizing from Microsoft Update, so that's always gonna synchronize our WSUS catalog with what is available from the Microsoft Update catalog whenever we perform a synchronization.

The next thing that I'm going to show you is my classifications. In our lab we're doing pretty much everything except feature updates and tools, so this can just vary based on what you need. Just make sure that you double-check what your classifications are to make sure that you're getting the updates that you need. The next thing we want to look at is our products. We're pretty basic within the lab that I'm gonna be using. We basically just have our core operating systems, which is going to be Windows 10, so we can see that
here, Windows 7, Windows 8.1, Windows Defender for our definition updates, and then Windows Server 2016. So that's the operating systems that I'm using here, but you would just make sure that you have all the products enabled that you need to support within your environment. So this looks fine for what I'm doing.

The next thing is your sync schedule, so this is how often you're gonna synchronize your local WSUS catalog that your clients are going to use when they scan within the SCCM site. I'm doing it every one day at 8 p.m. Now, you could schedule this based on your needs. Definition updates do come out about three times a day, so you could possibly even go as much as every eight hours if you wanted to stay really current with those definition updates if you're using Windows Defender. That looks good, I think, for what would be applicable for what we're going to be covering today, so I'll go ahead and click OK out of here.

The next thing I'm going to show you is the collection structure, so what I'm planning on doing for my deployments. If we go look at our collections, we've got a couple of different things going on here. So the first group, you can kind of tell what's going on here based on the names. The 01, this would be the first group that updates ever target, so we can see this is going to be for workstation patches and this is our pilot group, and it's our IT department. In this collection I'm just using a direct rule to do this, so I just have one staging machine that we'd be using for testing. Now, you could of course create a collection criteria. You could use maybe an AD security group or an OU for your testing group. Maybe you'd want to target your IT department first. In my case it's just a single machine, and we'll go through that process of how we're going to set up our deployments later on. The second test group that I've got here is early adopters, so we've just got two computers within that group, and that would be kind of the second stage of
testing that we would go through. And then the final one that I'm going to be using in this deployment is going to be the broad deployment, so that's going to contain pretty much all my workstations. If I come here and look at this collection for the broad group and we look at the rules, what we're basically doing is including all desktop and server clients. Now, what we're doing in here is filtering to the All Workstations collection. So if we come and look at the All Workstations, that's just going to be a collection that contains any workstation-based OS, so it's gonna be my clients like Windows 7, you know, Windows 8.1 and Windows 10 is what I would have here. But for this collection I'm just using a query. I'll show you what that looks like. We're just using the discovery data from the system resource and an operating system name and version, so I'll show you what that criteria would look like in case you wanted to make it. So we've got System Resource, Operating System Name and Version, and then we're doing the operator's like, and then workstation is what we're looking at, and we have the wildcards there. So this is gonna pull in all my workstations, and that's gonna be what this collection is based off of. And now, since we're limiting that broad collection to this collection, that's where it's filtering for just those workstations, even though we have that include for all desktop and server clients.

The last collection that I want to show you is the maintenance windows. So what I've got going on here is I'm going to apply a maintenance window to the production machines that I want to target. To look at what's going on here, I want to look at the collection rules. What we're doing for this maintenance window collection: we are excluding the two testing groups, because I don't want to apply a maintenance window. So a maintenance window is how we can control when patches get installed, so we can say patches would only install during this maintenance window that I define. So that
can be helpful for kind of those broad deployments if you didn't want updates installing during the day and rebooting during the day. So this is what this collection is gonna be used as. We can see what we're doing is including the All Workstations collection, so pretty much any workstation is gonna fall into this maintenance window. Now, you could of course target this on different collections based on what you might need, but in my case I'm gonna have pretty much every workstation on the same maintenance window except my testing group. So we can see that we're excluding that testing group for the 01 and the 02 testing. Now, the exclude rule will take precedence over any include rule. So for example, we can see that the actual number here for the maintenance window has five devices, and we can see that the main workstations has eight, and then our two testing has three. So that makes perfect sense, because we're excluding those three from our maintenance window collection, because we're gonna want updates to basically install as soon as possible, so those two, those three devices don't have to be in a maintenance window.

So for the maintenance window, what I'm going to do here is create a daily window, and I'm gonna say updates can install anytime from 6:00 p.m. to 6:00 a.m.
and for that window, so that should give me 12 hours here. We're gonna do it every day. Now, you can make this based on whatever you would like your machines to, whatever time frame you'd want them to install and reboot. Now, for this maintenance window I'm gonna say it only applies to software updates. So for example, if you were to deploy an application and have a deadline during the day, that application would still install as long as you don't have any other maintenance windows for all deployments. So this one will only apply to software updates. It looks good. We'll go ahead and apply that, and I think that that should be all we need here as far as the collection structure, just to give you an idea of how we're gonna be staging out our deployments.

So the next thing we're gonna look at is our client policies. If we come over here we can take a quick look at the default policy. The policies that are gonna be applicable to what we're doing here for updates is gonna be the software updates policy. By default that's going to be enabled, so your client should already be getting policy from Config Manager to have them scan against your software update point. Now, if you have a GPO in place for an old WSUS server, if that GPO doesn't match the server for your software update point within SCCM, it will break scanning and you basically won't get any compliance reporting in. So if you do have an OU GPO, you want to make sure that that's essentially removed or it's pointing to the exact software update point. If you only have one in your environment you could basically target it to that, but generally it's just best to delete that GPO, and then the Config Manager client's gonna set that on a local policy on the devices.

The scan time's every seven days for the scanning as well as the deployment evaluation to see if any updates have changed their compliance, so that looks fine for what we're doing here. Now, scans will happen whenever you create a deployment, so just because that seven
days is there, for example, if you deployed a software update group, it's gonna initiate a scan for that if it doesn't have that scan data for that. A new setting is to enable third-party software updates. That would allow you, if you have that configured, to basically enable the local policy to get third-party updates as well as deploy the certificate out, as long as your software update point is in HTTPS mode. If it's not in HTTPS mode you're just gonna have to deploy that separately, and I'll include a link to that documentation as well in case you have to deploy these certificates and policies via GPO here.

Okay, so that looks good. The only other setting here that I didn't look at that's kind of interesting is, if you have software update deployments that meet a deadline and you have other software update groups where the deadline is further out, you could basically have them install all updates at once. In my case I'm going to keep that No, just because I'm gonna have the Windows Defender deployments going out and it's going to basically target pretty much every day right away, so I'm just gonna keep that No for now.

The next option that would be applicable to what we're doing is the restart. So by default, when an update restart is needed and it's after that deadline, once that installs they're gonna get 90 minutes here before it forces it, and then after 15 minutes they won't be able to suppress the notification. So that looks good. We'll quickly just go over and create one custom client device setting, and what we're gonna do is we're gonna change the computer restart time and we're gonna make that eight hours, so that's going to be 480 minutes, and I'll keep the default at 15 minutes where they can't suppress it. So that looks good here, and we're gonna call this Eight-Hour Restart. Okay, and what we're going to do for this policy, we're going to go ahead and deploy that, and we're gonna deploy that to our workstation patching, so the pilot group, the IT department.
I'm going to target to that collection, and then I'm also gonna deploy it to my early adopters collection. So these are going to be my two target groups that I'm going to be using to deploy updates to initially for testing. The reason I'm making their restart longer is because I don't plan on using maintenance windows for these deployments, and we're going to go through that deployment process. So basically, if I did target these and the updates happen during the day, it would give them some additional time before we force the restart. Now, for my other production clients I'm not going to target them with this, because it wouldn't restart until they get into their maintenance window, which is 6:00 p.m. until 6:00 a.m. anyways, so I think 90 minutes there would probably be enough since it's gonna be after hours.

Okay, I think that's pretty good as far as kind of the structure of things I need to have in place before we actually go and look at my software updates. So we'll go ahead and come over to my software library, and what we've got going on here: we do already have our software update point synced, obviously, so we're gonna have updates kind of flowing in here. We're gonna have our compliance data from our machines. We have about ten machines in this lab. So what I would generally do, this is a pretty clean site. The only thing that I currently have deployed is just the third-party updates that are coming through our third-party update catalog through Patch My PC, so we've got an ADR that I just didn't worry about, because I'm really focusing on Microsoft updates mainly here. So what we've got is basically that clean site. We haven't deployed any type of Microsoft updates. We've only got our updates syncing. So when I would go to customer sites and kind of analyze things or do the initial setup, the way that I would generally like creating my software update groups is to kind of go back to see what's needed in the past. So what I would generally use there is just a
search, and I'm going to use a saved one, and we'll kind of explain what we're doing here. So what we've got going on within this search, we're basically saying let's find any updates. I can take deployed off here, because none of these are currently deployed, and if you did want to basically reorganize for your existing site, if you wanted to go into a model similar to what we're doing in this video, you wouldn't want to filter by deployed, because you might have them deployed in other update groups. So what we're looking at here: I like to kind of base it out by year for all the previous years before our current year. It's currently 2018, so what I'm going to do is basically look for anything for the year 2017. I'm gonna look where the update is required by at least one machine or more. Now, this is something that you could possibly change. The reason I like making it at least one machine is because I don't want to go through and download every single update for previous years if it's not needed. The only downside of this, you're gonna want to make sure that periodically you come back here and check your search, because it's possible you could have a machine coming to your site that's just completely unpatched, and maybe no machines needed that update when you originally ran this, but now that one machine might. So if you do filter by required, just keep that in mind. You might want to come back every once in a while to make sure that no new machines have come in where you might have an update that's not deployed for those previous years.

I'm looking where superseded is no. We don't want to deploy a superseded update. And we've got our products for Windows 7, Windows 10 and Windows 8.1. So the way I'm going to be structuring my update groups, I'm going to be basically filtering by workstation and servers. Now, if you had different products that would be applicable to your workstations, for example, think about things like Office. So I don't have Office syncing and I don't have it in my lab,
but if you have Office in here, or Silverlight, or any of those products that might kind of be applicable to multiple operating systems for workstations, you'd want to make sure you include those here as well. The other option that you could do here, if you want to get pretty specific, is you can also create your update groups by OS, for example. That could slightly reduce the amount of state messages that your clients are going to be sending up to the server. We do have a deep dive that kind of goes over scanning client components and how state messages get sent up to the server for update compliance, but I think the key thing here, as long as you're maintaining your WSUS catalog and doing things like declining old superseded updates and languages that you don't need, I think that's going to be much more important as far as the scanning performance as compared to having an update group by OS, for example. But you could do that if you wanted to get pretty specific, where you have like an update group for Windows 7, one for Windows 10, one for Windows 8.1 and one for Office. But in my case, since our environment's pretty clean, we're keeping up with declining those old updates and superseded things, I don't think that there would really be any type of problem as far as the slightly additional scanning that you would get and the few additional state messages that you might get by having these larger update groups.

So what we would do now, we've got pretty much any update that's needed for our workstations for 2017. For those previous years I would like to create an update group for each of those years, so I'm going to call this Workstation Updates - 2017 and then go ahead and create that update group. Now, within my deployment packages, so when you download Microsoft updates to your SCCM site they go into what's called a deployment package, so I structure this the same way. I like having a different deployment package for each year. That just makes troubleshooting things
kind of easier. If you have a package that's failing to distribute, you don't have a massive amount of updates if you kind of structure this for a package each year, so that's why I'm doing it here. You could use your existing packages, that would be fine. I just generally find that kind of splitting this up can help the content processing, and it's easier to troubleshoot if something was failing to distribute where you have a smaller update package. Now, if you did want to go through the process of creating an update package, you could basically right-click this update group that we just created and choose a new package. Now, in my case what I'm doing here is just pointing out to a UNC path just like any other update package would have, and I've just got a source location that mimics that folder structure that I've got, so for example this one's going to that 2017 folder. So I think I've already got all these pre-downloaded just to save time, but that's how you could go through and create a package for each of these years.

So what I'm going to do, we'll go back to our search, if that's saved. It doesn't look like it. Let me just go run that again. All Software Updates, saved searches. And what we would essentially do now is go through and just change the date, so we'll now go over to 2016, 2016, and then search. So it looks like we've got 51 for 2016. We'll go out and create that update group. I'm gonna call it Workstation Updates - 2016, copy that, and that looks good. We'll come back to our search and go to 15, and I'll just repeat this up until I don't have any required updates for any of the years going back, so I'll go ahead and pause the video now.

All right, so we are back. So within this lab I did install an outdated Windows 8.1 and an outdated Windows 7 device and basically just had them not patched, just so we could get some real type of data in here to stage these out. So within my lab we basically went back to year 2013, and then that's the farthest we had to go back before we had
no updates required. So this looks pretty good. So this is how I would initially get started with my creation of updates here, and then for the current year what we would do is use automatic deployment rules to create update groups for us for each month of the year. So the current month is June, so what I'm gonna do is basically go back to my search, so where we were searching for the updates and we had that criteria for the date range. We'll come back here, and then what I'm going to do is change this to 2018, there we go, and then we're gonna change this to the last day of January. Now, for the current year, one thing that I generally like to do is take out that required parameter, because for the current year you're more likely to probably need updates for devices, I'm probably all of the products that you might have and the classifications. So for the current year I usually just base it off of what products do I have enabled, and I don't base it on that required field. I'm basically deploying all those updates for the current year, because it's pretty likely that your machines might need them, or if you don't have one that's required now, you might have a machine that just hasn't scanned in for that update yet.

So what I'm gonna do here is go ahead and create that update group, and then for the current year I like naming it 2018 - 01, for example, so these are gonna be all the updates released in January. So I'm going to go ahead and create that, and that looks good. I'm gonna repeat that process for February, so we'll just search out. Now, in the future, this is just because we're kind of playing catch-up, we're already midway throughout the year, the creation of the update groups for the current year, that's gonna be handled by our ADRs, and we'll get that set up for the month of June. So I'm just gonna go up until May here and kind of create these update groups. I'll pause while I complete the update groups.

All right, so we've completed that
process, so we can currently see we've got about five different update groups for the previous years and then we have five for updates by month for the current year. So this looks really clean when we filter by name. This is one of the things that I like, is to have your update groups named in a way that makes sense. I would often go into environments and there were basically ADRs that were just a ton of different ones named different things, so when you actually came in here and looked at the structure you had no idea what updates were really being placed into what update groups. So I really like kind of the structure and the naming order that we're doing here for the previous years and then the updates by month for the current year. There's a few reasons that we split out the update groups by month. It's going to make sense when we go through our ADRs, and I'll kind of explain why we do that instead of just having a single update group and have our ADR create a single update group. We'll go over that and why we want to make this monthly for the current year.

So with that said, I think we're at a point where we could jump over to our ADRs and go through that process. So the first one that I'll create is going to be my Windows Defender ADR, so there's gonna be Windows Defender definition updates. Definitions, that's what I'll name my ADR. So we'll go through the process of that first, then we'll go to our Patch Tuesday update after that. We're gonna use the built-in template for the definition update. So for the definition update we want to make sure that we add it to an existing group. The main reason for that is because Windows Defender's updates, they come out, like I said, about three times a day, so if we created a new update group it would just be a massive amount of update groups that get created for that. For the collection, we're gonna target all our workstations. So for definition updates generally there's not really a need to go out
and pilot them, because it's just basically putting that definition update that's gonna be used by Windows Defender. I would say it's probably a pretty low risk where we can just go out to everybody, and that's how I generally would stage those out. We want to make sure that we enable the deployment after this, and we'll go to the next page.

In our lab we don't have Wake-on-LAN enabled. There's going to be some requirements as far as forwarding traffic if you did want that enabled, but that can be a good option if you didn't need to wake up clients for software updates. That can definitely help you get compliance numbers up if you're only deploying updates like during maintenance windows after hours. We're gonna automatically approve the license agreement, so make sure you have that enabled. And for these software updates it's going to be prefilled for us for the product that we want. So it used to be called Forefront, I believe. Now that everything is under Windows Defender, we'll leave both of those, that won't be a problem. And then for the classification, it's automatically put definition updates for us. So if we went and previewed this we would see just the different definition updates that are currently active here. So we'll just leave that default filter that's already pre-created for us since we chose that definition template.

We want to make sure that we have it run after every software update point synchronization. Since the definition updates change so frequently, we want to make sure we run this after every sync. So in my lab we saw that we were doing that every one day, so every night at 8 p.m.
when we sync, we're also going to automatically deploy any new definition updates. For the deadline, looks like the default template placed that out an hour. Let's see if we have minutes here. Nope. So I assume the hour's there just to kind of allow content to stage out to your DPs, so that might be okay to leave that. In my case I'm going to make it as soon as possible, just because this should go out really quickly where I don't have a lot of latency between my remote distribution points, so that should probably be fine here. So the available time is when the clients are actually gonna see the deployment and when they're gonna actually start downloading updates. The deadline is when, you know, once it becomes available, when do you want the deadlines to be. In our case we want these definitions to install as soon as possible.

What we can see here is these are the maintenance window settings and the visual settings. So for definition updates we definitely want to hide it all. These are going to be happening a lot, no need to show notifications. But one thing that's important here for definition updates: we want to get those out as soon as possible, so for the deadline behavior we're gonna tell it that we're gonna allow it to install the update outside of a maintenance window, because we wouldn't want to wait till 6 p.m.
every day to have to get these definition updates installed. So we're gonna say we're gonna go ahead and allow that definition update to install outside of that window. I think that probably looks fine. I'm not really concerned about restarts, that should never happen. I've never seen it happen for a definition update, that shouldn't be needed. The alerts, I'm not really worried about the alerts here. We'll just keep that default. We don't need to generate one here.

The download settings: we're gonna choose to download if they're on a slow boundary, we're gonna go ahead and choose to download, and then if clients are not on a boundary we're gonna allow them to fall back to a default boundary that's allowed for fallback, or a distribution point, I mean. So that looks fine. If it's not available on any local distribution points or a fallback DP, we're gonna allow it to go and download those definition updates from Windows updates, so we'll keep that selected. You can change that based on your needs. For the deployment package, I do already have one called Defender, so I'll just go ahead and place that in my existing package, but you could go through and create a new one here if you needed to. We're gonna download from the internet and we're gonna keep English here. That looks good.

And then next, what we'll do to get that started, we'll go ahead and run that now and I'll show you kind of what's happening in the background. So if we go and look at our SCCM log files, there's going to be a log called ruleengine.log. This is going to be the log file where you can see the ADR is being processed. So we can see up here when I kicked that off at 12:06, we can see that, let me just pause this, there we go, right around here we kicked it off. So we can see it's going out and basically analyzing the criteria that you created. Any updates, it's going to automatically download. So we had some of the content in here and then some of it's still being downloaded, so I'll pause it till that download completes.
All right, so that ADR ran, so we can see here that it created our deployment. It added the different updates to it. One thing that I did notice which was kind of interesting: if we go and look at our update group that that created, so if we refresh this, we should have our update group for Windows Defender definitions here. So this was what was automatically created and deployed. I noticed we're getting a lot of superseded updates. Usually there's about three or four superseded updates where these just get released so frequently. What was interesting is I don't know why they wouldn't have excluded superseded updates in the Windows Defender or the definition template, but I don't see any reason why we couldn't come in here and add that just so we don't have to download those superseded updates, since there's always going to be that active one. So if we come in here and say superseded equals no and then we do a preview, it should eliminate all those old superseded updates. So I'll go ahead and apply this. We'll rerun this and we'll look at that rule engine, and this should kick in here, and we shouldn't have to redownload anything just because we should already have that. So it looks like it's already done. If we come and refresh our update group, what we can see now is we're all green. That means that there's no old superseded update. So I think this looks good. I can't think of any technical reason we would want to deploy a superseded update and why that's the default option in that template. If you think of anything or find any documentation about why superseded isn't no in that, just leave a comment and I'll be sure to update that, but I don't see any issue with why we couldn't just deploy the current active definition update.

Okay, so before we go through the ADR to deploy our workstation updates for the current month and when we set those deployments going forward, what I'm gonna do is go ahead and get these deployments for the previous year sent out to my clients. So we'll
go ahead and choose Deploy, and I'm gonna just name this Workstation Updates, basically copy that update group name, but at the end of that I'm gonna append - Broad. So since these updates are old, they've been validated, any type of update issues at this point should have been revised that there was some type of problem. So what I'm gonna do, I'm gonna go ahead and start deploying these older updates directly to my broad collection. Now, it's likely that most of your machines shouldn't need these, but if you still wanted to go through a testing phase we could certainly target the pilot groups first if you felt comfortable with that. But since these are old updates already validated, we're gonna go ahead and just go directly to that broad collection.

What I'm going to do is make the deadline as soon as possible, since these are all old updates in the past. These machines should have already got these updates as long as you had them kind of deployed before. Now, one thing here for my broad collection: we're gonna have it so it doesn't allow the installation and restart to happen outside of the maintenance window. So even though we set the deadline as soon as possible, these updates would only install on our broad collection between 6:00 p.m. and 6:00 a.m.
because that's the maintenance window we defined for those machines. So it looks good. If it's on a slow boundary, we'll go ahead and choose to install it anyways. Optionally, depending on what you want here, you can allow it to fall back to Microsoft updates if it can't find it on a local DP. What I'm going to do is name this Workstation Update. I'm going to save this as a template and I'm gonna call it Workstation Update, so I'll just call it Workstation Update. So I'll remove that and save that, and then choose Next here and then deploy.

So what we'll do now, we'll go through all the previous years and months and choose Deploy, but this time what we can do is choose that template. So I'm still going to give it the name, name it - Broad, and then we'd use our saved template for Workstation Updates. So this is gonna prefill in our collection that we saved. It's gonna make it required. The only thing that you might have to change here is the deadline. It still puts it a week out, so we'll just change that to as soon as possible just like our old one. Same thing with maintenance windows. Now, one thing that I didn't do in that previous deployment: if you don't want the users to see any type of notifications, you could configure it to only show in Software Center, so if they directly open Software Center they could basically install this before the deadline if you wanted. Or you could show the notification, where they would get a blue notification saying, hey, you need updates, if they wanted to install them before that maintenance window opens up. So I'll just leave this where they get that notification, and then we'll just go through. All these settings should be the same, so I'll pause the video and we'll basically go through and deploy this for all the previous years as well as the previous month, just to make sure we have those targeted.

All right, so we've got all our update groups deployed, so we can see all these workstation ones for the previous years as well as the months for the current year.
We can see that in the deployed column we've got those all sent out to our machines, so this looks good. So for the current month of June, we'll kind of go through what an ADR would look like and how we can stage that out to our collections for testing. So what I'm gonna do is go ahead and create a new ADR. I'm going to name it workstation updates, just like my other groupings. Now, for the template here, we're gonna choose to do a Patch Tuesday template. So when we click Patch Tuesday, we can see that it switched that over to create a new software update group each time this runs.

So I will kind of explain why I generally like to do that for my monthly kind of workstation updates. The main reason there is, if you keep adding this to an existing update group when your automatic deployment rule runs, so let's say for example it runs Patch Tuesday, so in our case this was June 11th, and let's say that we send it out to our test collection right away, and then we staged it out for our staging collection three days later, and then let's say we maybe go to our broad collection, say, seven days or maybe even 14 days, just for that testing cycle. What would happen if you recreate and add it to an existing group each time this runs: it would basically reset all your deployments. So you would basically have the previous month updates only available about half of the time, because when it runs for the next month it would really rules within your product selection and it would redeploy it.

So I think for the typical Patch Tuesday monthly updates, that's why the template is to create a new update group, and I think it makes sense. It also makes compliance reporting a little easier, because you can go and run reports based on an update group, although you can also kind of filter through some different dashboards that are available, or just showing you all the updates regardless of time frame. But that's why we choose to create a new update group, right, yeah, each time it runs. So what I'm
going to do here is, for the ADR, I'm going to create my initial deployment to my pilot group, and we'll come in after we create it and we're gonna add some additional ones to kind of stage it out to our additional testing groups as well as our production group. So we'll go ahead and do Next here. We're gonna accept any license agreements for the software updates. I'm going to choose the last month, so we're gonna run this monthly, so we want to search for any updates released within the last month. There we go, the last 1 month.

For the classifications, I'm gonna go ahead and choose pretty much everything that I had that I was syncing, except upgrades; we wouldn't want those. So I think this looks good here. So we've got critical, definition, security, update rollups, and updates, so this should cover most of probably what you would be expecting for your typical operating systems, and any applications like Office this would cover.

The next thing we're going to add is our product. So since we're only targeting workstations for this update group, we're gonna go ahead and choose the workstation products that you would want to target. So for example, if you had Office and you wanted to include that in your workstation ADR, you could go ahead and select that here. But in our case, really the only thing that I've got here is my core OSes, so I've got Windows 10, Windows 7, and Windows 8.1, which is OK. And we also want to add that superseded field; we want to make sure that superseded equals no.

So we'll go ahead and preview that. Looks like we've got 32 different updates for Windows 7, 8, and 10 for this past month. We can see, if we look at the classifications, looks like most of the cumulative updates for Windows 10 come in under security. We do have some update rollups that are for Windows 7, so good thing we had that classification enabled, and then we've just got some different updates for Windows 8.1 and Windows 7. So that looks pretty good; that looks like the criteria that I would want to use for
deploying these. So we'll go ahead and choose Next here, and for our schedule, we can see that by default it checks every 30 days. I think that's because we chose that option in the deployment. But what I'm going to do, I'm going to change this to the second Tuesday, okay, and then for the time: so we saw that our software update point was syncing at 8:00 p.m. every night, so I think if we put 10 p.m. here, that should give plenty of time for our software update point to sync. So two hours to basically get that metadata; usually it's much faster than that, since it's just the delta sync. So this should basically pick up any new updates that come out that second Patch Tuesday of the month, so this should be good criteria, I think, for what we would be doing for this ADR.

And here's where we can see our software update point, so it's syncing every night at 8 p.m. So when it syncs on that second Tuesday, we should basically get any new updates, you know, just right after 8 p.m. I would say on average I probably see update syncs maybe take 5 minutes if we've already done our initial sync, probably for each month, so that should be fine. If you wanted to stage it out, you could maybe put this on the second Wednesday if you just wanted to make sure you have some extra time to get that metadata.

The deployment time: so for our collection that we're targeting for our testing group, I'm going to make it basically as soon as possible for both of these. So they're going to get policy right away, so that deployment will be available right away, and we're also gonna make that deadline right away. So since this is really going to be that initial staging group for just the small group of clients, we're gonna get those out right away. We're gonna show all notifications, and we are going to allow things to happen outside of maintenance windows on our testing machines. Now, if we actually look back at our collection, these machines shouldn't be included in the maintenance window because we had that
exclude on them, so in theory they're not even going to be part of that 6 p.m. to 6 a.m. But just in case they were maybe in a different collection that had a maintenance window, this will just make sure, even if they did have one, we're gonna allow that to go to our staging group anytime. Right when this runs, they're gonna start targeting, so probably, you know, right around 10:00 p.m. when we set this to run, that's when they're basically going to start getting these when it deploys it.

If you want to make an in-console alert, you can. I'll just leave the defaults here, so we could get an alert if we're not 90% compliant with this deployment after seven days. My download settings, that all looks good, how we want it. The deployment package: these are going to be 2018 updates, since that's the year that my ADR is running in. We'll keep the defaults here and then run that. So that looks good for our ADR.

Now what we're gonna do, we're going to come back in here, workstation updates, and under this deployment tab here at the bottom we can see this is the deployment that we just created that's going to our initial pilot group. So what I'm going to do here is right-click our ADR and add a new deployment. So we're going to target our second testing group, so the early adopters group, we'll target them, and what we're going to do is we're gonna make it three days out. So I'm going to say three days out. So they're gonna get policy right away, so that's gonna allow them to scan against the updates. If it's a required deployment, they're gonna pre-download the content to the cache right when this deployment happens, and then once the deadline happens after three days, they're gonna go ahead and install that. So even if they were offline, out of your network, as long as they got that initial policy they should download those updates, so they should in theory be able to even do this if they were off your network when that deadline hits three days from now. So that looks good for the second staging group. I'm
gonna go ahead and say show all notifications, so they're gonna get the balloon notification saying, hey, things are happening. I'm also gonna allow it to install and restart outside of a maintenance window, and they do have that eight-hour period as well that we gave them before it would actually force that restart. One setting that I might have missed, I'm not sure if I included this in the other one: if an update needs to restart, we're gonna choose to initiate a software update scan after the restart, so we can get that compliance data coming back to us faster. So that's probably not a bad option to have within your deployment. I'm not worried about changing the alert; you can make an alert if you wanted. We're gonna choose to download and allow fallback; just in my lab, that's the way I'm going to set that, and then choose Next here. So that's gonna be our second deployment.

Now our final one is going to go to our production, or broad. I chose the wrong one here. Now that looks good. So this is gonna go to our broad collection, so we're gonna go over here, we're gonna choose our broad deployment. So this would basically be everybody, any workstation, any remaining workstation. So that looks good. We'll do Next here, we'll keep the defaults here, and now for this one we're gonna make it seven days out. So you could make this seven, you can make this whatever you wanted, 14, whatever you felt comfortable with. So since the previous deployments are going out right away to our first staging collection, and then three days later to kind of that next stage of more devices, you should hopefully, if there was any problems, you know, they should be worked out probably by the time you make the deadline for your production, that you would go for kind of that broad deployment. So you should, you know, probably be able to work anything out there. For the broad collection, I'm going to choose to display it in Software Center and only show the restart, so they're not gonna get those blue notifications
when they initially get policy for this deployment. Now, for this one, we're not gonna allow anything to happen until the maintenance window, so we're gonna leave both of these unchecked. So no updates would install or restart until that 6:00 p.m. through 6:00 a.m. maintenance window, until that happened. I think everything else is good. We'll go ahead and choose that option to rescan if it needs to restart. For the alerts, I'll go ahead and enable this on the production one. I'm going to say, hey, if we're not 80% compliant seven days after the deadline, go ahead and show me an alert in my console letting me know that. I'm going to choose the download on a slow boundary and allow fallback; in my lab, that's how I want it. And we'll do Next and Close.

So now if we go ahead and run this ADR, if we come and look back at our rule engine, this is where we're going to see all those things happening. It should kick in in a second. There we go. So it looks like we might have a few updates that we're downloading content for, so I'll kind of pause this while we wait for this to complete.

All right, so one thing I'm noticing: we're downloading a lot of content here. I wasn't paying too much attention, but if we come in here and look at this ADR, look at that preview, what we can see here is we've got a lot of these cumulative updates for the previews. So that's not really something I'd be interested in deploying. So what we're gonna do, we're gonna come back into our title filter in our ADR, and what I'm going to do is add an exclude condition. So if we zoom in, if we do a dash and then "preview", and then if we add that filter, click OK, and if we preview now, we can see that those preview cumulative updates for Windows 10, they're no longer showing up. So you probably want to include those, you know, I doubt most environments would really be interested in getting the preview ones out. Maybe if you wanted to create a different ADR completely and target that to maybe a testing group, you could get kind of a preview of
what's going to be coming out the following month. So that looks good; let me apply that. It looks like our group is still downloading here, so looks like I probably will have to wait for that to run, and then I'll go ahead and come back to the video once that's done.

All right, so I decided that I would just kill the SMS Executive service. So let's go back. It looks like the ADR was actually about to complete when I was recycling that. So let's see if that, okay, so it looks like it didn't run, so hopefully we don't have that update group yet for that month. Let's see. It looks like it actually did make the update group, so what I'm going to do is go ahead and basically delete this one, and we will come back into our ADR and we will go ahead and rerun that. Okay, there we go. So it looks like it's already had all the content pre-downloaded, so it went ahead and created our update group. So we can see it created the update group; it also created a new deployment for each of those as well. So if we come back in here, refresh that, looks like that's successful.

So now we've got our new ADR for the month of April. Now, what I like to do, just because I like things to be pretty particular so they match the same way, I'm gonna go ahead and rename this, and I'll just get rid of the description, so it matches with what we manually created for those previous months. So this looks good. So this one, if we look, we can see this was created by our ADR, and what I want to show you is this deployment tab. So within the deployments, we're gonna have all three of those deployments going out. So we can see our deployment to the pilot group; we can see it was deployed, you know, just now, and the deadline is also right away. Same thing for the early adopter, so it was deployed right away, but the deadline, we can see, is three days out. And then for the workstation patching, we can see that the deadline is, you know, we can see that it's seven days out. So this is kind of how we could get that testing phase, but we could still
have it completely automated if you wanted to create the ADRs and have it create your update groups for you. So this looks pretty good, I think, from the management side. What we'll do, let's power on a couple of machines here that are in this group.

All right, so if we look at what we have going on, we've got a few machines here. Now, it looks like it's about 12:45 a.m. here. So we've got one group that's in that pilot collection, so that's gonna be the Windows 8 machine, and then in the stage two we've got, let's see, and the other collection, or I'm sorry, the other Windows 7 machine, I think it's actually in the broad one, so it's the v2 Windows 7 right here. So since it's already in the maintenance window, what's essentially going to happen here is the updates are gonna install on both of these. But let's say, for example, if this was anytime after 6:00 a.m. and before 6 p.m., the updates wouldn't install on that one machine, because it's in that maintenance window collection which would have that set so it only installs outside of that.

All right, so we're over on the Windows 8.1 machine, and let's just see if I can kind of show you some basic details of what should happen here as far as the machines getting policy and getting the deployments. Now, this isn't going to be too deep. I did do a deep dive that pretty much covers everything that is involved in the component side of things, so things like scanning; we do a deep dive into WMI, so that would be something I include in the video. But what we can see: this machine, you know, we just started the service, it just got started up. Just to speed things along, what we'll do is kick off a policy cycle to get this guy checking in. So we can see we're getting policy here. I'll wait for that to complete.

All right, I think we've got that. So now if we open our updates deployment, we can see it looks like we've already started scanning and doing a bunch of stuff here. Let me see if I can show you what's going on. If we look up at the top, here
we go. So we can see, now that we got policy, it's now evaluating all these different update groups that are targeting to it. So we can see all these different assignments; these are basically our deployments for our different update groups. So this is all looking very good. If we come here and look, it looks like we're probably going ahead and downloading content here, so we'll wait for that to kick in.

All right, so we can see we just got the notification here, so we've already got our updates kind of coming in and installing. It looks like we're starting to get some additional ones flowing in here through policy. We can see in the update store all these updates that are missing that are targeting it, so they're gonna start flowing in. On the Windows 7 machine, we can also see that, you know, we've got a bunch of updates starting to come in here. So this all looks really good.

I think that should cover everything that I was kind of planning on. I think that should kind of cover, you know, how you could go out and stage your collections, and if you wanted to automate it, how you could go ahead and use those ADRs. Now, if you didn't want to use ADRs, if you're just not comfortable with it, you could basically go through and make those searches just like we did for the months for the current year. But I think the way we did the ADRs here can really make sense: you still have all your testing periods before things would happen, and we still have maintenance windows, so we're really controlling, you know, when those updates would even happen on our clients.

So that's all I've got today. I hope this video was helpful. If you have any questions, anything I maybe missed, you know, feel free to leave a comment here at YouTube or in the blog post, Reddit, wherever you're seeing this at, and I'll be happy to answer it. Thank you for watching.
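The staged schedule described in the video (ADR evaluated at 10 p.m. on the second Tuesday, pilot deadline immediately, early adopters three days out, broad seven days out and held to the 6 p.m. to 6 a.m. maintenance window) can be worked through as a calculation. This is an added example, not code from the video or from Configuration Manager; the function names are hypothetical, January 2024 is a constructed sample month, and the window check is an assumption that looks only at clock time.

```python
from datetime import date, datetime, time, timedelta

ADR_RUN_TIME = time(22, 0)                   # two hours after the 8 p.m. SUP sync
MW_START, MW_END = time(18, 0), time(6, 0)   # broad collection's maintenance window

# (ring, deadline offset in days, may install outside the maintenance window)
RINGS = [("pilot", 0, True), ("early adopters", 3, True), ("broad", 7, False)]


def patch_tuesday(year, month):
    """Return the second Tuesday of the month."""
    first = date(year, month, 1)
    to_first_tuesday = (1 - first.weekday()) % 7   # Monday=0, Tuesday=1
    return first + timedelta(days=to_first_tuesday + 7)


def in_window(moment, start=MW_START, end=MW_END):
    """True if the clock time falls in the window, which may wrap past midnight."""
    t = moment.time()
    if start <= end:
        return start <= t < end
    return t >= start or t < end


def earliest_install(deadline, ignore_window):
    """First moment at or after the deadline when installation may begin."""
    if ignore_window or in_window(deadline):
        return deadline
    opening = datetime.combine(deadline.date(), MW_START)
    if opening < deadline:                         # window already closed today
        opening += timedelta(days=1)
    return opening


def can_install(now, deadline, ignore_window):
    """Would a client in this ring install at 'now'?"""
    return now >= deadline and (ignore_window or in_window(now))


def rollout_plan(year, month):
    """Map each ring to (deadline, earliest install time) for that month's ADR run."""
    run = datetime.combine(patch_tuesday(year, month), ADR_RUN_TIME)
    plan = {}
    for ring, offset_days, ignore_window in RINGS:
        deadline = run + timedelta(days=offset_days)
        plan[ring] = (deadline, earliest_install(deadline, ignore_window))
    return plan


if __name__ == "__main__":
    for ring, (deadline, install) in rollout_plan(2024, 1).items():
        print(f"{ring:15} deadline {deadline}  earliest install {install}")
    # An "as soon as possible" deadline set at 10 a.m. on the broad collection
    # still waits for the window to open at 6 p.m.
    print(earliest_install(datetime(2024, 1, 16, 10, 0), ignore_window=False))
```

Because the ADR runs at 10 p.m., every ring's deadline already falls inside the 6 p.m. to 6 a.m. window; the window only delays installation for deployments whose deadline lands during the day.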
Info
Channel: Patch My PC
Views: 191,048
Keywords: Software Update Groups, ConfigMgr Updates, ConfigMgr, SCCM Updates, SCCM ADRs, ADRs, Software Updates, SCCM, SCCM Software Updates, ConfigMgr Software Updates, SCCM Staging Deployments, SCCM Collections, ConfigMgr Collections, Justin Chalfant, SCCM Guides, Configuration Manager Software Updates, System Center, System Center Configuration Manager, System Center Configuration Manager Software Updates
Id: 6JHJes1u8Pg
Length: 55min 26sec (3326 seconds)
Published: Fri Jun 22 2018