Windows Server Patching

  • Question

  • We have a requirement to start patching Windows Server via SCCM. Apart from selecting the product classification, what other things do I need to do to successfully install patches?

    As I need to install the client, do I need to add any ID as admin on the servers, or if the server team manually installs the client, can I just push the patches from SCCM?

    I have 5000 end clients and will now be patching around 1000 servers, so what should the increase in CPU and RAM be for my primary and remote DB (currently my primary & SQL is 4 CPU and 16 GB RAM)?

    Any other things that I might require to patch the servers?


    • Edited by KKarun Tuesday, September 24, 2019 12:01 AM
    Monday, September 23, 2019 11:37 PM

Answers

  • Deploying software and updates is something completely different than pushing the client agent so there is no comparison here between the two activities.

    Once the ConfigMgr agent is on the system, everything goes through it.


    Jason | https://home.configmgrftw.com | @jasonsandys

    • Marked as answer by KKarun Wednesday, December 11, 2019 4:18 AM
    Tuesday, December 10, 2019 3:11 PM

All replies

  • Hi,

    If you have permissions on the servers with an account that you use for push today, you can use that, or get an account with permissions to install the client on the servers, or you can of course push the client to them or let the server admins deploy it; they most likely have a tool/solution for it.

    I would start with the same hardware; it shouldn't make that big a difference if you don't have performance issues today.

    I would create maintenance windows and plan those with the server admin team so that the servers install updates and reboot at a suitable time.

    Regards,
    Jörgen


    -- My Enterprise Mobility blog ccmexec.com -- Twitter @ccmexec

    Tuesday, September 24, 2019 5:02 AM
  • Tuesday, September 24, 2019 9:29 AM
  • I installed the client on a few test VM servers (WS 2012 R2) and SCCM is detecting those servers now, but it's not saying that any patch is required for these servers.

    Please advise how I can check if the SCCM server is scanning for updates and, if not, what the issue could be. Do I need to open any ports apart from 80/443?

    Does the SCCM ID need to be an admin on the servers, or is that not required?

    Thursday, September 26, 2019 12:24 AM
  • Kindly monitor the SCCM client logs (ScanAgent.log, WUAHandler.log and WindowsUpdate.log) for SCCM scan status; once the SCCM scan completes on the client machine, you can see the required updates in the SCCM console.

    Ensure you have installed the latest SSU on these servers:

    https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV990001

    Friday, September 27, 2019 6:38 AM
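The logs named above are in CMTrace format, which is awkward to eyeball for "did the last scan succeed and why not". The following is an added example, not code from the thread or from Microsoft: it parses WUAHandler.log, reports the last scan result, and translates the few result codes that account for most "no updates required" cases. The log path is the client default and the sample lines are constructed; the `0x87D00692` entry is the HRESULT form of the decimal `-2016409966` that the SCCM scan-status report shows for a Group Policy conflict.

```powershell
# Added example (not from the thread): parse the ConfigMgr client's WUAHandler.log and report
# the last software-updates scan result. Assumptions: default client log path; sample lines
# below are constructed to look like a GPO-conflict scan.

$LogDir = 'C:\Windows\CCM\Logs'

# One CMTrace entry per line:
# <![LOG[message]LOG]!><time="hh:mm:ss.fff-000" date="MM-dd-yyyy" component="X" context="" type="N" ...>
$EntryPattern = '<!\[LOG\[(?<msg>.*?)\]LOG\]!><time="(?<time>[^"]+)"\s+date="(?<date>[^"]+)"\s+component="(?<comp>[^"]*)"[^>]*\stype="(?<type>\d)"'

function ConvertFrom-CMTraceLog {
    param([Parameter(Mandatory)][string[]]$Lines)
    foreach ($line in $Lines) {
        if ($line -match $EntryPattern) {
            [pscustomobject]@{
                Date      = $Matches.date
                Time      = $Matches.time
                Component = $Matches.comp
                Severity  = $(switch ($Matches.type) { '1' { 'Info' } '2' { 'Warning' } '3' { 'Error' } default { 'Unknown' } })
                Message   = $Matches.msg
            }
        }
    }
}

# Result codes a patch admin should recognise on sight.
$KnownCodes = @{
    '0x87d00692' = 'Group Policy conflict: a domain GPO overwrote the WSUS location the ConfigMgr client set'
    '0x80072ee2' = 'WinHTTP timeout: the software update point is not reachable (firewall, proxy or port)'
    '0x80072efd' = 'WinHTTP cannot connect: wrong SUP name/port, or the WSUS site is stopped'
}

function Get-CMScanStatus {
    param([Parameter(Mandatory)][string[]]$WUAHandlerLines)
    $entries = @(ConvertFrom-CMTraceLog -Lines $WUAHandlerLines)
    $last = $entries |
        Where-Object { $_.Message -match 'Successfully completed scan|Scan failed with error' } |
        Select-Object -Last 1
    if (-not $last) {
        return [pscustomobject]@{
            Result  = 'NoScanRecorded'
            Code    = $null
            Meaning = 'No scan entry in WUAHandler.log; check ScanAgent.log for a scan request'
        }
    }
    $code = if ($last.Message -match '(0x[0-9A-Fa-f]{8})') { $Matches[1].ToLower() } else { $null }
    [pscustomobject]@{
        Result  = $(if ($last.Message -like 'Scan failed*') { 'Failed' } else { 'Succeeded' })
        When    = "$($last.Date) $($last.Time)"
        Code    = $code
        Meaning = $(if ($code -and $KnownCodes.ContainsKey($code)) { $KnownCodes[$code] }
                    elseif ($code) { 'Not in the table; look it up in WindowsUpdate.log' }
                    else { 'n/a' })
        # On a GPO conflict the agent logs which server overrode it just before the failure.
        Context = ($entries | Where-Object { $_.Message -match 'overwritten by a higher authority' } |
                   Select-Object -Last 1 -ExpandProperty Message)
    }
}

# Constructed sample of WUAHandler.log during a Group Policy conflict (host names are invented).
$Sample = @(
    '<![LOG[Enabling WUA Managed server policy to use server: http://sup01.corp.example:8530]LOG]!><time="00:45:10.101-000" date="10-06-2019" component="WUAHandler" context="" type="1" thread="5012" file="cwuahandler.cpp:2508">'
    '<![LOG[Group policy settings were overwritten by a higher authority (Domain Controller) to: Server http://wsus-old.corp.example:8530 and Policy ENABLED]LOG]!><time="00:45:12.233-000" date="10-06-2019" component="WUAHandler" context="" type="3" thread="5012" file="cwuahandler.cpp:2539">'
    '<![LOG[Scan failed with error = 0x87d00692.]LOG]!><time="00:45:12.240-000" date="10-06-2019" component="WUAHandler" context="" type="3" thread="5012" file="cwuahandler.cpp:3847">'
)

$logFile = Join-Path $LogDir 'WUAHandler.log'
$lines = if (Test-Path $logFile) { Get-Content -Path $logFile } else { $Sample }
Get-CMScanStatus -WUAHandlerLines $lines | Format-List
```

Run it on one of the test servers as an administrator; with no real log present it falls back to the constructed sample and reports `Failed` / `0x87d00692`. The `Context` field is the line to copy into a ticket for the AD team, since it names the WSUS server the domain GPO is forcing.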
  • Do we need to open any ports, or have some access to those servers, for the scanning to be completed?

    Monday, September 30, 2019 7:30 AM
  • For Windows update deployment, the ports below need to be enabled:

    8530 and 8531

    Check the link below:

    https://blogs.technet.microsoft.com/jchalfant/deep-dive-in-microsoft-sccm-software-updates-client-and-server-components/


    Monday, September 30, 2019 7:36 AM
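A quick way to confirm those ports from a managed server, as an added example rather than anything from the thread: it tests TCP reachability of the software update point on 8530/8531 (and 80/443 for the management point), reads the WSUS policy values the ConfigMgr client wrote, and fetches the WSUS client web service over HTTP so the path is proven end to end. The SUP host name is an assumption; the ports are the defaults named above.

```powershell
# Added example (not from the thread): run on a managed server to verify reachability of the
# software update point and the WSUS policy the client is actually using. Assumption: the SUP
# name below and the default ports.

$Sup = 'sup01.corp.example'

$PortList = @(
    @{ Port = 8530; Use = 'SUP/WSUS HTTP (default)' }
    @{ Port = 8531; Use = 'SUP/WSUS HTTPS (default)' }
    @{ Port = 80;   Use = 'Management point / distribution point HTTP' }
    @{ Port = 443;  Use = 'Management point / distribution point HTTPS' }
)

function Test-SupPorts {
    param([Parameter(Mandatory)][string]$ComputerName, [hashtable[]]$Ports = $PortList)
    foreach ($p in $Ports) {
        # TCP-only test; a firewall that silently drops shows up as a slow 'False'.
        $r = Test-NetConnection -ComputerName $ComputerName -Port $p.Port -WarningAction SilentlyContinue
        [pscustomobject]@{ Server = $ComputerName; Port = $p.Port; Use = $p.Use; TcpOpen = $r.TcpTestSucceeded }
    }
}

# The ConfigMgr agent (as local policy) and any domain GPO write the same values here; whichever
# wrote last wins, which is exactly the conflict the scan-status report complains about.
function Get-WsusPolicy {
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    $wu = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    $au = Get-ItemProperty -Path (Join-Path $key 'AU') -ErrorAction SilentlyContinue
    [pscustomobject]@{
        WUServer       = $wu.WUServer
        WUStatusServer = $wu.WUStatusServer
        UseWUServer    = $au.UseWUServer     # 1 = use the intranet server named in WUServer
    }
}

function Test-WsusEndpoint {
    param([Parameter(Mandatory)][string]$WUServer)
    # client.asmx is the WSUS client web service the update agent talks to; a 200 here proves
    # the HTTP path through any proxy or filtering device, not just the TCP port.
    $uri = "$($WUServer.TrimEnd('/'))/ClientWebService/client.asmx"
    try {
        $resp = Invoke-WebRequest -Uri $uri -UseBasicParsing -TimeoutSec 15
        [pscustomobject]@{ Uri = $uri; Status = $resp.StatusCode }
    } catch {
        [pscustomobject]@{ Uri = $uri; Status = $_.Exception.Message }
    }
}

Test-SupPorts -ComputerName $Sup | Format-Table -AutoSize
$policy = Get-WsusPolicy
$policy | Format-List
if ($policy.WUServer -and ([uri]($policy.WUServer)).Host -ne $Sup) {
    Write-Warning "WUServer points at $($policy.WUServer), not at the SUP $Sup; expect a Group Policy conflict on scan."
}
if ($policy.WUServer) { Test-WsusEndpoint -WUServer $policy.WUServer }
```

If the TCP tests pass but the web request fails, look at a proxy or web filter between the server VLAN and the SUP rather than at the Windows firewall; if `WUServer` names something other than the SUP, the scan will fail regardless of connectivity.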
  • Thank you. Also, after installing the SCCM client on a few servers, we are not able to RDP.

    I found out that a local security policy was set on all the jumpboxes disabling the RDP access to the jumpboxes.

    When I remove that local policy and force a policy update, the RDP access is restored.

    How did the SCCM client break this? How can I fix it?

    Tuesday, October 1, 2019 7:11 AM
  • There are remote desktop settings within the client settings in ConfigMgr. Thus, ConfigMgr didn't break anything, it simply configured the local policy per the settings that you have configured in your client settings.

    Jason | https://home.configmgrftw.com | @jasonsandys

    Tuesday, October 1, 2019 1:30 PM
  • What settings do I need to change so that the server team can RDP into the servers without the client settings breaking the original settings?
    Tuesday, October 1, 2019 10:18 PM
  • I don't know what you mean by original settings so can't answer that.

    The client settings for remote desktop are all on the Remote tools page under the Manage Remote Desktop section: https://docs.microsoft.com/en-us/sccm/core/clients/deploy/about-client-settings#manage-remote-desktop-settings


    Jason | https://home.configmgrftw.com | @jasonsandys

    Wednesday, October 2, 2019 12:31 AM
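Before changing the Remote Tools client settings it helps to see, on an affected server, which Remote Desktop values are now being enforced through policy and which are the server's own. The script below is an added example, not from the thread or from Microsoft. It reads the Terminal Services policy registry path (where local and domain policy land; that the Remote Tools setting writes there is consistent with Jason's note that it configures local policy, but verify it with rsop.msc in your environment), the non-policy path, the firewall rule group, and the local Remote Desktop Users group.

```powershell
# Added example (not from the thread): show the effective RDP state on a server and whether it
# comes from policy or from the local setting. Assumption: policy values live under the
# Terminal Services policy key below and take precedence over the local key.

$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
$LocalKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'

function Get-RegValueOrNull {
    param([string]$Path, [string]$Name)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name } else { $null }
}

function Get-RdpEffectiveState {
    # A $null policy value means "not configured", so the local value applies.
    $denyPolicy = Get-RegValueOrNull -Path $PolicyKey -Name 'fDenyTSConnections'
    $denyLocal  = Get-RegValueOrNull -Path $LocalKey  -Name 'fDenyTSConnections'
    $nlaPolicy  = Get-RegValueOrNull -Path $PolicyKey -Name 'UserAuthentication'
    $nlaLocal   = Get-RegValueOrNull -Path (Join-Path $LocalKey 'WinStations\RDP-Tcp') -Name 'UserAuthentication'

    $deny = if ($null -ne $denyPolicy) { $denyPolicy } else { $denyLocal }
    $nla  = if ($null -ne $nlaPolicy)  { $nlaPolicy }  else { $nlaLocal }

    # Local Remote Desktop Users membership via ADSI, so it also works on 2012 R2 without the
    # LocalAccounts module. The Remote Tools "permitted viewers" setting can add to this group.
    $group   = [ADSI]"WinNT://$env:COMPUTERNAME/Remote Desktop Users,group"
    $members = @($group.psbase.Invoke('Members') | ForEach-Object {
        $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
    })

    $fwEnabled = @(Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue |
                   Where-Object { $_.Enabled -eq 'True' }).Count -gt 0

    [pscustomobject]@{
        RdpAllowed          = ($deny -ne 1)
        AllowedBy           = $(if ($null -ne $denyPolicy) { 'Policy (client settings or GPO)' } else { 'Local setting' })
        NlaRequired         = ($nla -eq 1)
        NlaSetBy            = $(if ($null -ne $nlaPolicy) { 'Policy (client settings or GPO)' } else { 'Local setting' })
        FirewallRuleEnabled = $fwEnabled
        RemoteDesktopUsers  = ($members -join ', ')
    }
}

Get-RdpEffectiveState | Format-List
```

If `RdpAllowed` is false and `AllowedBy` says policy, the value is being written by the Remote Tools client settings (or a GPO), and editing the server's own setting will only be undone at the next policy refresh; fix it in the client settings scoped to those servers instead. Keep `NlaRequired` true on jumpboxes whatever you decide about the rest.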
  • Hi Jason,

    Thanks for your help. I checked, and in the scan status report I am receiving -2016409966 (Group Policy conflict), and therefore it's showing the scan failed.

    Can you please advise on how to fix the issue?

    Monday, October 7, 2019 12:53 AM
  • You need to address exactly what the message says: your domain group policy is overwriting the local group policy that the ConfigMgr agent sets, and thus the ConfigMgr agent disables software updates completely.

    Jason | https://home.configmgrftw.com | @jasonsandys

    Monday, October 7, 2019 1:56 AM
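Finding which domain GPO is doing the overwriting is the part that usually takes the longest, because the WSUS location can be set in any GPO linked anywhere above the server OUs. The following is an added example, not from the thread: with the GroupPolicy RSAT module it enumerates every GPO in the domain that sets `WUServer` or `WUStatusServer` and lists where each is linked, so the offending one can be unlinked from the server OUs, filtered away from them, or repointed at the SUP. The domain name is an assumption.

```powershell
# Added example (not from the thread): list every GPO that sets a WSUS server location and
# where it is linked. Requires the GroupPolicy module (RSAT or a DC). Assumption: domain name.

Import-Module GroupPolicy

$Domain = 'corp.example'
$WuKey  = 'HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'

function Find-WsusGpo {
    param([Parameter(Mandatory)][string]$DomainName)
    foreach ($gpo in Get-GPO -All -Domain $DomainName) {
        # Registry-based policy values this GPO sets under the WindowsUpdate key, if any.
        $values = Get-GPRegistryValue -Guid $gpo.Id -Domain $DomainName -Key $WuKey -ErrorAction SilentlyContinue
        $wu = @($values | Where-Object { $_.ValueName -in @('WUServer', 'WUStatusServer') })
        if ($wu.Count -eq 0) { continue }

        # Link targets come from the XML report; the GPO object itself does not carry them.
        [xml]$report = Get-GPOReport -Guid $gpo.Id -Domain $DomainName -ReportType Xml
        $links = @($report.GPO.LinksTo | ForEach-Object {
            "$($_.SOMPath) (enabled=$($_.Enabled), enforced=$($_.NoOverride))"
        })

        [pscustomobject]@{
            GPO            = $gpo.DisplayName
            Status         = $gpo.GpoStatus
            WUServer       = ($wu | Where-Object ValueName -eq 'WUServer' | Select-Object -First 1).Value
            WUStatusServer = ($wu | Where-Object ValueName -eq 'WUStatusServer' | Select-Object -First 1).Value
            LinkedTo       = ($links -join '; ')
        }
    }
}

Find-WsusGpo -DomainName $Domain | Format-Table -AutoSize
```

Cross-check the result on one affected server with `gpresult /scope computer /r` (the "Applied Group Policy Objects" list) so you remove the GPO that is actually winning, and watch for `enforced=True` links, which override block-inheritance on the server OUs.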
  • What permissions does the account need to patch servers and run reports like software/hardware metering, compliance reports, etc.?

    What's the best way to push clients to all servers?

    Monday, December 9, 2019 11:37 PM
  • For what account exactly? 

    As for client installation, best always depends on the environment, but the built-in client push can work well.


    Jason | https://home.configmgrftw.com | @jasonsandys

    Tuesday, December 10, 2019 1:12 AM
  • Like the svc account I use to push the client to laptops: it is able to install the client on servers, but do I need any specific permission for that account on servers? Or, if the client is installed, then once the WU reg key is updated with the SCCM server, will SCCM be able to scan for missing updates and also deploy/install the updates?
    Tuesday, December 10, 2019 7:01 AM
  • Deploying software and updates is something completely different than pushing the client agent so there is no comparison here between the two activities.

    Once the ConfigMgr agent is on the system, everything goes through it.


    Jason | https://home.configmgrftw.com | @jasonsandys

    • Marked as answer by KKarun Wednesday, December 11, 2019 4:18 AM
    Tuesday, December 10, 2019 3:11 PM
  • Hi Jason,

    One last question: how does the licensing work, i.e. if I am adding a fleet of 3000 servers to SCCM for patching, do I need to check anything with respect to licenses?

    Is there anything dependent on cores or number of endpoints? If yes, how can I check?

    Does the SCCM license ever expire?


    • Edited by KKarun Tuesday, December 17, 2019 1:31 AM
    Tuesday, December 17, 2019 1:05 AM
  • Yes, management licenses for server OSes are on a per-core basis, and yes, this expires. ConfigMgr licensing is always (and is only) based on the number of managed endpoints (and their cores for server MLs, as noted).

    You need to contact your licensing partner for explicit details.


    Jason | https://home.configmgrftw.com | @jasonsandys

    Tuesday, December 17, 2019 2:27 AM
  • Thanks Jason. So what do I need to check if I am adding servers to SCCM for patching in terms of licensing?

    How can I check the license expiration?

    I am confused, as you said it depends on a per-core basis.

    Tuesday, December 17, 2019 2:36 AM
  • There is nothing to check as licensing in ConfigMgr is on the honor system and not technically validated or restricted by the product. You need to contact your licensing partner to check what you need for licensing.

    Jason | https://home.configmgrftw.com | @jasonsandys

    Tuesday, December 17, 2019 4:29 AM