locked
Automatic Deployment Rules RRS feed

  • Question

  • Hi all,

    I'm drafting a process for patching Windows 7 clients on a schedule using ADRs. Currently we do patch clients, however I want to implement an automated process. 

    The estate has a SCCM2012 hierarchy of SCCM2012 R2 CU3 primary site, management, software update, reporting and distribution points. 1200+ Windows 7 SP1 Ent. x64 clients.

    Currently Windows client patching is not on a schedule, but does happen. We have 2 pilot groups, IT Users will receive the deployment first, if successful will be deployed to another pilot-group of standard users a week later. If successful again, an estate deployment will occur a week later. (Success rate is based on patch compliance and no reported issues from users).

    There's lots of articles on the web on how to create the rules, I would like to know what other SCCM admins are doing for patching client using ADRs, I would would like to determine in our process, number of pilots groups, evaluation and deployment frequencies etc... However I would like to incorporate our current pilot groups using ADRs and still achieve automatic Windows updates to clients with little administration as possible!

    Any advise would be great!

    Regards,

    Craig


    MCTS | MCITP | MCSA


    • Edited by Toffeenose81 Monday, August 10, 2015 2:18 PM Typo!
    Monday, August 10, 2015 2:14 PM

Answers

  • Well for me i was in a shop that wanted to have multiple pilot phase.

    So what i did was make 1 collection for each phase. Made a ADR that would automaticly deploy the software update group to the phase 1. once we receive confirmation that everything was working a SCCM admin would simply go to that software update group and deploy it to the phase 2 collection. We repeat this until all test collection told us everything was green and we would deploy to all the client collection.

    Keep in mind we have maintenance windows set in all of this as well.

    So this way we only had to do 4 action that take about 1 min to do and also you can with a quick look see if the process is working as expected. 

    • Proposed as answer by Joyce L Tuesday, August 18, 2015 3:07 AM
    • Marked as answer by Joyce L Wednesday, August 19, 2015 10:07 AM
    Monday, August 10, 2015 2:19 PM
  •  I would would like to determine in our process, number of pilots groups, evaluation and deployment frequencies etc...

    Ask a thousand companies and get a thousand answers ...

    So me personally, I like to use maintenance windows to cut the number of ADRs needed and keep intervention down.

    1. First, I'll create a single collection and associated ADR to get all my updates.  All workstations will go in here.
    2. Then Ill create a bunch of sub-collections for my various patch tiers.  Each collection will contain a maintenance windows that spans days of the month (pilot patches are everyday, production tier get patches on week3 to allow a gap from patch Tuesday, etc.)
    3. Ill then assign my computers to these new collections so their maintenance windows only allow them to patch during their assigned week.

    By doing this I end up with a single ADR, and machines patch during various weeks I permit.  It's not without it's limits of course, biggest one making sure machines are turned on during your maintenance window, but there are lots of ways to approach that.

    EDIT:  I should add I only like this for workstations ... for servers I initiate and do nearly entire process with SCO.  Unfortunately SCCM doesn't have nearly enough logic for me to automate server patching.   cluster patching, service status check before moving to another box ... etc
    • Edited by Justin.King Monday, August 10, 2015 5:33 PM
    • Proposed as answer by Joyce L Tuesday, August 18, 2015 3:07 AM
    • Marked as answer by Joyce L Wednesday, August 19, 2015 10:07 AM
    Monday, August 10, 2015 5:28 PM

All replies

  • Well for me i was in a shop that wanted to have multiple pilot phase.

    So what i did was make 1 collection for each phase. Made a ADR that would automaticly deploy the software update group to the phase 1. once we receive confirmation that everything was working a SCCM admin would simply go to that software update group and deploy it to the phase 2 collection. We repeat this until all test collection told us everything was green and we would deploy to all the client collection.

    Keep in mind we have maintenance windows set in all of this as well.

    So this way we only had to do 4 action that take about 1 min to do and also you can with a quick look see if the process is working as expected. 

    • Proposed as answer by Joyce L Tuesday, August 18, 2015 3:07 AM
    • Marked as answer by Joyce L Wednesday, August 19, 2015 10:07 AM
    Monday, August 10, 2015 2:19 PM
  •  I would would like to determine in our process, number of pilots groups, evaluation and deployment frequencies etc...

    Ask a thousand companies and get a thousand answers ...

    So me personally, I like to use maintenance windows to cut the number of ADRs needed and keep intervention down.

    1. First, I'll create a single collection and associated ADR to get all my updates.  All workstations will go in here.
    2. Then Ill create a bunch of sub-collections for my various patch tiers.  Each collection will contain a maintenance windows that spans days of the month (pilot patches are everyday, production tier get patches on week3 to allow a gap from patch Tuesday, etc.)
    3. Ill then assign my computers to these new collections so their maintenance windows only allow them to patch during their assigned week.

    By doing this I end up with a single ADR, and machines patch during various weeks I permit.  It's not without it's limits of course, biggest one making sure machines are turned on during your maintenance window, but there are lots of ways to approach that.

    EDIT:  I should add I only like this for workstations ... for servers I initiate and do nearly entire process with SCO.  Unfortunately SCCM doesn't have nearly enough logic for me to automate server patching.   cluster patching, service status check before moving to another box ... etc
    • Edited by Justin.King Monday, August 10, 2015 5:33 PM
    • Proposed as answer by Joyce L Tuesday, August 18, 2015 3:07 AM
    • Marked as answer by Joyce L Wednesday, August 19, 2015 10:07 AM
    Monday, August 10, 2015 5:28 PM
  • Thanks guys for your comments.

    Regards,

    Craig


    MCTS | MCITP | MCSA

    Tuesday, August 18, 2015 10:04 AM