Search Folder Design

  • Question

  • Hi Guys,

    I have created the following:

    1. Search Folder 1 with the following criteria:
      • Product “Windows Server 2008 R2” OR “Windows Server 2008”.
      • Update Classification “Critical Updates” OR “Security Updates”.
      • Bulletin ID: MS09 or MS10 OR MS11 or MS12
      • Expired: No
      • Superseded: No
      • Required: [^0]
    2. Created Update List
    3. Created Deployment Template
    4. Deployment Package

    1. Search Folder 2 with the following criteria:
      • Product “Windows Server 2008 R2” OR “Windows Server 2008”.
      • Update Classification “Critical Updates” OR “Security Updates”.
      • Bulletin ID: MS13
      • Date Released: Last 1 month
      • Date Revised: Last 1 month
      • Expired: No
      • Superseded: No
    2. Created Update List
    3. Created Deployment Template
    4. Deployment Package

    I am planning to patch some servers (2008 R2); most of the servers are never patched regularly. I also need to bring all the Windows Server 2008 machines up to the same patch level (only Critical and Security updates), so I created Search Folder 1 (see above), and this will help me to apply all the downloads from 2008 till 2012.

    Then I created the second Search Folder 2 for monthly patches, and this will help to apply monthly patches for 2013.

    I have the following questions:

    1. I am not sure if this is the best design? Any feedback is welcome.
    2. For my monthly patches, after creating a Search Folder for each month and creating an Update List, can I use the same Deployment Package from last month? For instance, when I created the Search Folder and Update List for Jan and then put it in the Deployment Package, can I use the same Deployment Package? Is there any limitation for that? Or do I need to create a new Deployment Package for each month?
    3. My last question: when I provision a new server, say in Aug, do I need to apply all the updates from Search Folder 1 and Search Folder 2 (Jan, Feb, March, April, May, June and July)? Any recommendation on this one?

    Thank you.

    Saturday, February 2, 2013 6:47 AM

Answers

  • That's not a report. That's the criteria query statement for the collection.
    • Marked as answer by Sdlan Thursday, February 7, 2013 1:30 PM
    Wednesday, February 6, 2013 4:58 AM

All replies

  • Hi - Your search folders will work to get you up and running, although you could simplify your criteria slightly. I'd suggest search folders as follows:

    Search Folder 1 - (to create a baseline up to January's patches)

    • Product: "Windows Server 2008 R2" OR "Windows Server 2008"
    • Bulletin ID: "MS"
    • Expired: No
    • Superseded: No

    Use the results to create a mandatory deployment which targets a dedicated collection that includes all your 2008 servers. Remember to suppress reboots. Do this before next week's Patch Tuesday.

    Search Folder 2 - (to create a deployment for ongoing monthly patches)

    • Product: "Windows Server 2008 R2" OR "Windows Server 2008"
    • Bulletin ID: "MS"
    • Date Released "Last 1 Week (7 Days)"
    • Expired: No
    • Superseded: No

    Use this search folder in the week following Microsoft's Patch Tuesday (Next Tuesday - 12th February 2013) to create monthly patch deployments. This deployment should target a dedicated collection and have an appropriate availability and deadline schedule for your environment.

    To answer your questions:

    • I am not sure if this is the best design? Any feedback is welcome.

    I doubt there is a "best" design. Your environment will dictate what's best for you.

    • can I use the same Deployment Package?

    Yes

    • Is there any limitation for that?

    I've read there is a hard-coded limit for deployment packages, so I separate mine into products to reduce the risk of encountering this issue. I have individual deployment packages for "Server 2003"; "Server 2008" & "Office".

    • Or Do I need to create a new Deployment Package for each month?

    No

    • My last question: when I provision a new server, say in Aug, do I need to apply all the updates from Search Folder 1 and Search Folder 2 (Jan, Feb, March, April, May, June and July)? Any recommendation on this one?

    Nope - provided you've created the deployment from "Search Folder 1" (above) and the new servers are a member of the collection that deployment targets, it'll be patched accordingly. Similarly, provided the server is a member of the collection targeted via the "Search Folder 2" method above (if different), this will also be patched accordingly.

    Many people will offer many different answers to these questions, but this approach works for me at a basic level. I have different layers of complexity incorporated into my patching processes to cater for automatic server reboots within maintenance windows etc. As I said earlier, your environment will dictate what your processes need to be.


    • Edited by mvjjkc Monday, February 4, 2013 2:32 AM
    Monday, February 4, 2013 2:24 AM
  • Hi rephlexions,

    Thank you for your reply. I am a bit confused; can I get some clarification around this:

    According to your design the Search Folder 1 will have all updates, so I can use it to patch all the Windows Server 2008, also if I have provisioned a new server say after four months I should be able to use the same Search Folder 1? Is that correct?

    For Search Folder 2 you used Date Released "Last 1 Week (7 Days)", why did you use this? Is this because if I created a Search Folder 1 today and next week when MS releases the updates, I only need 1 week of updates? Is that correct? What about next month and so on for monthly patches?

    With the Deployment Package, once I created the first Deployment Package, then I can add the new monthly Deployment Package into the original Deployment Package? Is that correct? Does this get pushed out to the DP? Do I need to do something to refresh, or will it automatically be available to the target collection?

    Also how many Deployment Templates do you have?

    Also, I want to use Maintenance Windows and I do not want the server to reboot; I want to reboot the server manually. Any suggestion around this?

    Thank you very much!


    • Edited by Sdlan Monday, February 4, 2013 12:15 PM
    Monday, February 4, 2013 12:14 PM
  • Hi. Hope this helps:

    According to your design the Search Folder 1 will have all updates, so I can use it to patch all the Windows Server 2008, also if I have provisioned a new server say after four months I should be able to use the same Search Folder 1? Is that correct?

    No. You'd only use this search folder once - to create a baseline deployment of all updates up-to today. This deployment acts as a 'baseline' of all approved updates and will permanently target a collection of your 2008 servers. Once a server gets added to that collection, it'll be patched automatically by that 'baseline' deployment. Simple.

    For Search Folder 2 you used Date Released "Last 1 Week (7 Days)", why did you use this? Is this because if I created a Search Folder 1 today and next week when MS release the updates so I only need 1 week of updates? Is that correct? What about next month and so on for monthly patches?

    At this point - forget all about 'Search folder 1', it's fairly redundant. I use this search folder (2) every month in the week following Microsoft's monthly patch release date. The criteria never change and it returns the current month's updates that've just been released. I usually take all the updates shown here, drop them in a new update list, then create the monthly deployment. I'm guessing you're not completely familiar with Microsoft's patching schedules so this should be the first thing you build your process around. Subscribe here http://technet.microsoft.com/en-us/security/gg309152.aspx.

    With the Deployment Package once I created the first Deployment Package, then I can add the new monthly Deployment Package into the original Deployment Package? Is that correct?

    Yes, but your terminology is off slightly. An Update Package is the collection of update installers, neatly wrapped in a single package. You should use the same deployment package(s) when downloading updates. I think you mean 'Update Deployment' which is basically the advertisement for your updates. You can't add an update deployment to another update deployment, so you'll need to make use of Update Lists. The idea would be that once the deadlines from your monthly deployments expire, the updates are then considered mandatory and can then be rolled into your baseline deployment, so you'd use the Update List created from 'Search Folder 2' and drag/drop the updates into the baseline deployment (created from 'search folder 1'). Once you've done that, you can delete the update deployment and/or update lists from last month, then start on creating new deployments for the current month.

    Does this get pushed out to the DP? Do I need to do something to refresh, or will it automatically be available to the target collection?

    If you download the updates, the distribution points will be updated.

    Also how many Deployment Templates do you have?

    Many!

    Also, I want to use Maintenance Windows and I do not want the server to reboot; I want to reboot the server manually. Any suggestion around this?

    When you create your deployment, ensure you've checked the "Servers" box under "Suppress the system restart on:". You can add extra levels of control with maintenance windows but I'd probably suggest you get familiar with the basics first before you go down that route.




    • Edited by mvjjkc Monday, February 4, 2013 8:37 PM
    Monday, February 4, 2013 8:16 PM
  • Hi rephlexions,

    Thank you for your time and you have been very helpful.

    1) The Search Folder 1 I used exactly as you said for baseline and the same thing for the Search Folder 2 for monthly patches.

    2) I'm guessing you're not completely familiar with Microsoft's patching schedules so this should be the first thing you build your process around?

    What do I need to know about this? Sorry about this I am new to this.

    3) The idea would be that once the deadlines from your monthly deployments expire, the updates are then considered mandatory and can then be rolled into your baseline deployment, so you'd use the Update List created from 'Search Folder 2' and drag/drop the updates into the baseline deployment (created from 'search folder 1'). Once you've done that, you can delete the update deployment and/or update lists from last month, then start on creating new deployments for the current month.

    Can you please give me an example? I am just new to this process!

    4) I am still a bit confused: if I build a new server, say in 4 months' time, how am I going to patch it?

    Do I need to add it to the collection which targets Search Folder 1 and again add it to the collections which are targeting each month's patches? Let me explain this in more detail; here is my plan:

    Phase 1:

    Search Folder 1 - (to create a baseline up to January's patches)

    • Product: "Windows Server 2008 R2" OR "Windows Server 2008"
    • Update Classification “Critical Updates” OR “Security Updates”.
    • Bulletin ID: "MS"
    • Expired: No
    • Superseded: No

    Create two Collections, first one called Blank Collection with no member in it (use it with the template) and second on template called Baseline (add a few servers into the collection) and use it to target the Windows Server 2008 for the Search Folder 1

    Create a template called Baseline – Template

    • Collection:  Blank Collection (no member in it)
    • Tick All display notification on Clients
    • Tick Client Local Time
    • Duration: 2 weeks
    • Restart Setting: tick Server

    Create Update list and then take all the updates shown in Search Folder 1, drop them in a new update list called Update List - Baseline Critical and Security Updates, tick Download the files and associate with the selected software updates.

    Create Deployment Management; go to the created Update list and right click and Deploy Software Updates Deploy MGM - Baseline Critical and Security Updates and use the above template (Blank Collection)

    • Tick Date and Time and specify the date and time
    • Tick do not set a deadline for software update installation

    Time to have fun go to the new Created Deployment Deploy MGM - Baseline Critical and Security Updates and change to the targeted collection Baseline.

    Phase 2:

    Search Folder 2 - (to create a deployment for ongoing monthly patches)

    • Product “Windows Server 2008 R2” OR “Windows Server 2008”.
    • Update Classification “Critical Updates” OR “Security Updates”.
    • Bulletin ID: MS
    • Date Released: Last 1 month
    • Date Revised: Last 1 month
    • Expired: No
    • Superseded: No

    Create two Collections, first one called Monthly Blank Collection with no member in it (use it with the template) and second on template called Monthly Patches (add a few servers into the collection) and use it to target the Windows Server 2008 for the Search Folder 1

    Create a template called Monthly Patches – Template

    • Collection:  Blank Collection (no member in it)
    • Tick All display notification on Clients
    • Tick Client Local Time
    • Duration: 2 weeks
    • Restart Setting: tick Server

    Create Update list and then take all the updates shown in Search Folder 2, drop them in a new update list called Update List - Monthly Critical and Security Updates, tick Download the files and associate with the selected software updates.

    Create Deployment Management; go to the created Update list and right click and Deploy Software Updates Deploy MGM - Monthly Critical and Security Updates and use the above template (Monthly Blank Collection)

    • Tick Date and Time and specify the date and time
    • Tick do not set a deadline for software update installation

    Time to apply the monthly patches, created Deployment Deploy MGM - Monthly Critical and Security Updates and change the collection to the Monthly Blank Collection

    thx

    Tuesday, February 5, 2013 10:11 PM
    • Re: Patching schedules - What do I need to know about this? Sorry about this I am new to this.

    Subscribe to Microsoft's patching email via the link I provided in my last reply. That'll keep your scheduling correct.

    • Can you please give me an example? I am just new to this process!

    Not sure what else I can offer except do it for you! The example is in my last reply.

    • 4) I am still a bit confused: if I build a new server, say in 4 months' time, how am I going to patch it? Do I need to add it to the collection which targets Search Folder 1 and again add it to the collections which are targeting each month's patches...

    You can have one single collection for your servers if you want. Multiple deployments can target a single collection. Just use some simple criteria to dynamically update your members for Server 2008 machines. This is set-and-forget. New servers will be automatically added to the collection - nothing for you to do. They'll then be patched automatically by the deployments that target that collection. This query will add all Server 2008 machines to your collection:

    select SMS_R_SYSTEM.ResourceID,SMS_R_SYSTEM.ResourceType,SMS_R_SYSTEM.Name,SMS_R_SYSTEM.SMSUniqueIdentifier,SMS_R_SYSTEM.ResourceDomainORWorkgroup,SMS_R_SYSTEM.Client from SMS_R_System where SMS_R_System.Obsolete = 0 and SMS_R_System.OperatingSystemNameandVersion like "%Server%6.1%"

    Remember to update the membership on a schedule.

    Tuesday, February 5, 2013 10:53 PM
  • Thanks for your reply, I learned a few things:

    1. Once the Deadline is expired then the updates become mandatory.
    2. Subscribe to Microsoft's patching email
    3. The idea would be that once the deadlines from your monthly deployments expire, the updates are then considered mandatory and can then be rolled into your baseline deployment, so you'd use the Update List created from 'Search Folder 2' and drag/drop the updates into the baseline deployment (created from 'search folder 1'). Once you've done that, you can delete the update deployment and/or update lists from last month, then start on creating new deployments for the current month.

    So I will need to drag all the updates from the Update List in the Search Folder 2 and drop them into the Baseline Deployment package, is that correct? The Baseline deployment can get bigger over time?

    Then, as you said, delete the update deployment from last month, and I want to keep the update lists for the monthly report?

    thx

    Wednesday, February 6, 2013 12:25 AM
    • Once the Deadline is expired then the updates become mandatory.

    Correct

    • Subscribe to Microsoft's patching email

    Essential :)

    • So I will need to drag all the updates from the Update List in the Search Folder 2 and drop them into the Baseline Deployment package, is that correct? The Baseline deployment can get bigger over time?

    Correct

    • Then, as you said, delete the update deployment from last month, and I want to keep the update lists for the monthly report?

    You can report on the baseline deployment to get a global picture of your compliance levels based on the updates you've deployed. You don't need the update lists once you've rolled the updates into the baseline - as the name suggests, they're just a list of updates. Nothing more.

    Wednesday, February 6, 2013 1:14 AM
  • When I ran that SQL statement you gave for the report I get this error:

    An error occurred when the report was run. The details are as follows:

    Invalid object name 'SMS_R_System'.
    Error Number: -2147217865
    Source: Microsoft OLE DB Provider for SQL Server
    Native Error: 208

    Wednesday, February 6, 2013 4:55 AM
  • That's not a report. That's the criteria query statement for the collection.
    • Marked as answer by Sdlan Thursday, February 7, 2013 1:30 PM
    Wednesday, February 6, 2013 4:58 AM
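
The error above comes from running the collection's WQL criteria (which reference the SMS_R_System class) as a SQL report. As an added example that is not part of the thread, here are the same criteria written against the site database's reporting views, followed by a count of missing bulletin updates per server. The view and column names are the standard ConfigMgr v_* reporting views and are assumptions to confirm against your own site database.

```sql
-- Added example, not from the thread. Run as a report / SQL query against the
-- ConfigMgr site database, NOT in the collection query dialog (that takes WQL).
-- Assumed views: v_R_System, v_UpdateComplianceStatus, v_UpdateInfo.

-- 1) SQL-view equivalent of the collection criteria posted in the thread.
--    '%Server%6.1%' matches Windows Server 2008 R2 (NT 6.1); add an
--    OR ... LIKE '%Server%6.0%' term to include Windows Server 2008 (NT 6.0).
SELECT sys.ResourceID,
       sys.Name0                      AS Name,
       sys.Resource_Domain_OR_Workgr0 AS DomainOrWorkgroup,
       sys.Operating_System_Name_and0 AS OperatingSystem,
       sys.Client0                    AS Client
FROM   v_R_System AS sys
WHERE  sys.Obsolete0 = 0
  AND  sys.Operating_System_Name_and0 LIKE '%Server%6.1%'
ORDER  BY sys.Name0;

-- 2) Patch gap per server: bulletin updates that are still required,
--    using the same filters as the search folders (MS bulletin,
--    not expired, not superseded).
SELECT sys.Name0 AS Name,
       COUNT(*)  AS MissingUpdates
FROM   v_R_System AS sys
JOIN   v_UpdateComplianceStatus AS ucs
       ON ucs.ResourceID = sys.ResourceID
JOIN   v_UpdateInfo AS ui
       ON ui.CI_ID = ucs.CI_ID
WHERE  sys.Obsolete0 = 0
  AND  sys.Operating_System_Name_and0 LIKE '%Server%6.1%'
  AND  ucs.Status = 2              -- 2 = required (missing), 3 = installed
  AND  ui.BulletinID LIKE 'MS%'
  AND  ui.IsExpired = 0
  AND  ui.IsSuperseded = 0
GROUP  BY sys.Name0
ORDER  BY MissingUpdates DESC, sys.Name0;
```

Servers that drop out of the second result set after the baseline deployment runs have no outstanding bulletin updates under these filters.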
  • OK, I pasted it into the new collection and it works fine :)

    There are 2 things I need to understand fully:

    When I created a deployment package I used an existing Deployment Template (preconfigured), then I will go to the Deployment Management, right click on the newly created Update Deployment and then I will change the collection to the targeted collection. Does this mean the Update Deployment will still use the preconfigured Deployment Template? I get confused because the Update Deployment uses the same settings as the Deployment Template.

    So, for instance, if I want to push out the updates sometime next week, when I create the Deployment Updates in the Scheduling section, what is the best way to configure this?

    For instance, if I want to push out the updates on the 13th of Feb at 3am, how do you set up the deadline?

    thx 

    Wednesday, February 6, 2013 6:09 AM
  • Thank you for your help, all good!
    Thursday, February 7, 2013 1:30 PM