Server updates via Automatic Deployment Rules

  • Question

  • Wanting to start our Server updates for all critical and important security updates via an SCCM 2012 Automatic Deployment Rule. How does this sound?

    We have separated our servers into 4 different days for updates to apply; each server has been granted AD group membership for that day, for example Pretest, Day 2, Day 3, Day 4.

    I have created 4 Collections named Windows Update Pretest, Windows Update Day 2, Windows Update 3, Windows Update Day 4 with a query against AD Group membership.

    Each Collection has a maintenance window recurring each month on that particular day between 8pm-4am.

    I have created the first ADR rule for pretest with the below settings:

    - Create a new software update group when rule runs (Does this mean I will end up with lots of software update groups after a few months?)

    - Custom Severity "Critical or Important" Date released "Last 1 Month" Product "server 2003" or "server 2008R2" Or "Server 2012". Classification "Critical updates" Or "Security Updates"

    - Evaluation Schedule Each Month on the first day


    Question: With there being multiple server operating systems in the collection, will the package with the different updates only apply what is required for the server or all updates in the package?

    • Moved by TorstenMMVP Wednesday, May 29, 2013 6:16 AM moved to Security & Compliance
    Wednesday, May 29, 2013 3:36 AM

Answers


  • - Create a new software update group when rule runs (Does this mean I will end up with lots of software update groups after a few months?) -----> Yes, whenever the ADR runs, it creates a new Software Update Group. So number of times your rule runs = No. of SU Groups.

    I would recommend going with "add to an existing Software Update Group".

    - Custom Severity "Critical or Important" Date released "Last 1 Month" Product "server 2003" or "server 2008R2" Or "Server 2012". Classification "Critical updates" Or "Security Updates"

    - Evaluation Schedule Each Month on the first day


    Question: With there being multiple server operating systems in the collection, will the package with the different updates only apply what is required for the server or all updates in the package? ---> Only the updates that are required will be installed on the client, not all updates that are available in the package.



    Please click on "vote as Helpful" if you feel this post helpful to you.

    Eswar Koneti | Configmgr blog: www.eskonr.com | Linkedin: Eswar Koneti

    • Marked as answer by pigd0g Wednesday, June 5, 2013 2:43 AM
    Wednesday, May 29, 2013 6:00 AM

All replies

  • Yes, only required updates will be downloaded and installed.

    Kent Agerlund | My blogs: blog.coretech.dk/kea and SCUG.dk/ | Twitter: @Agerlund | Linkedin: Kent Agerlund | Mastering ConfigMgr 2012 The Fundamentals

    Wednesday, May 29, 2013 5:54 AM

  • Thanks for the info, can anyone help me create a query for all servers not in AD Security Group "Day 1", "DAY 2", "Day 3", "Day 4"

    Found this example:
    select SMS_R_System.Name from  SMS_R_System where SMS_R_System.Name not in (select SMS_R_System.Name from  SMS_R_System where SMS_R_System.SystemGroupName = "DOMAIN\\Exchange Servers")

    However, I need it to only query servers, and multiple groups, for servers that are not in any of the 4 different update groups. That way we can capture servers where an Admin has forgotten to assign a maintenance group.

    Tuesday, June 4, 2013 9:04 PM
  • Put the servers in an AD group, then query for that group
    Wednesday, June 5, 2013 7:08 PM
  • Managed to use lots of select SMS_R_System.Name from  SMS_R_System where SMS_R_System.Name not in (select SMS_R_System.Name from  SMS_R_System where SMS_R_System.SystemGroupName = "DOMAIN\\Exchange Servers") AND not in etc.

    Another question: the above appears to work well, however I get some clients that don't install in the maintenance window. They stay in a yellow state "downloaded updates"; I have changed the client settings for "Software update scan schedule" & "Software deployment re-evaluation" to be daily at midnight to try to kick start any that failed to start, however it does not seem to have helped much.

    Ideally want 100% compliance when people just updates the next morning. Any ideas on why a few fail to start automatically?

    Tuesday, June 11, 2013 9:25 PM
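
The "servers not in any patch group" collection asked for in this thread can be written as a single WQL query; this is an added example, not a query posted by any participant. The DOMAIN\\Day N group names are placeholders taken from the question, and the "%Server%" match on OperatingSystemNameandVersion is an assumption about how servers are told apart from workstations. Remove the comment lines before pasting it into the collection query editor.

```sql
-- Added example: servers that belong to none of the four patch-day groups.
-- SystemGroupName is multi-valued, so "!=" would match any server that has
-- some other group; the "not in" subselect excludes a server only when one
-- of its groups is a patch-day group.
-- ResourceId is compared instead of Name because names can be duplicated.
select SMS_R_System.ResourceId, SMS_R_System.Name
from SMS_R_System
where SMS_R_System.OperatingSystemNameandVersion like "%Server%"
  and SMS_R_System.ResourceId not in (
    select SMS_R_System.ResourceId
    from SMS_R_System
    -- Placeholder group names; replace with the real AD security groups.
    where SMS_R_System.SystemGroupName = "DOMAIN\\Day 1"
       or SMS_R_System.SystemGroupName = "DOMAIN\\Day 2"
       or SMS_R_System.SystemGroupName = "DOMAIN\\Day 3"
       or SMS_R_System.SystemGroupName = "DOMAIN\\Day 4"
  )
```

Group membership comes from discovery data, so a server added to a patch-day group drops out of this collection only after the next discovery cycle and collection update.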