WSUS versus SCCM Update Distribution

  • Question

  • Busy working more with the WSUS and SCCM integration, but to this date I cannot see any real benefit of using the SCCM Update Distribution compared to the normal WSUS management console. Also, I noticed that some settings are changed on WSUS when changed on SCCM regarding software updates. Is there any general administration guideline on which console to use for managing software updates? Furthermore, I noticed that since my SCCM is fully integrated with WSUS (same server), WSUS does not seem to register additional clients. My GPOs point to the correct server and port and I could see a steady increase in client registration on the WSUS console, but when I activated and configured the SCCM software updates feature that seemed to have stopped. All in all I am very confused as to what administrative value the Software Update feature from SCCM offers, as it seems to be only suited for pushing out updates. This can be done very well by WSUS as well, and at least I have more overview in the WSUS console as to what computers have checked in, what their update status is, etc. I am running SCCM 2007 R2, WSUS 3.0 SP2 and FEP 2010, all on Windows 2008 R2.
    Wednesday, December 7, 2011 2:00 PM

All replies

  • ConfigMgr integration provides better reporting and targeting of updates.
    You should not touch the WSUS console at all after it's integrated into ConfigMgr.


    Torsten Meringer | http://www.mssccmfaq.de
    Wednesday, December 7, 2011 2:11 PM
    Moderator
  • But how do I configure/modify the auto-approval list for updates, have GPO targeting for computers enabled with different Software Update policies, etc. The default reports also only provide a handful of reporting compared to the WSUS reports. EDIT: Read the article on http://technet.microsoft.com/en-us/magazine/2007.10.updates.aspx which is easy to understand but I still do not see how I can for instance make sure that all critical updates for all OS will be downloaded, approved and deployed. This was really simple in WSUS but seems to be missing in SCCM?
    • Edited by Naraka Wednesday, December 7, 2011 2:50 PM
    Wednesday, December 7, 2011 2:25 PM
  • In general, where ConfigMgr/SUM is consuming WSUS, do not use that WSUS for anything other than ConfigMgr/SUM.
    If you have WSUS in place, and then implement ConfigMgr/SUM, you should not use that WSUS any more (it belongs to ConfigMgr now).

    ConfigMgr/SUM does not offer any form of auto-approval (excepting FCS/FEP definition updates, a very special case).

    Do not mix ConfigMgr/SUM and regular WSUS configurations. Both consume the WUA and a client machine can only be configured to a single WSUS (which includes ConfigMgr/SUM).

    WSUS offers set-and-forget. ConfigMgr does not.


    Don
    Wednesday, December 7, 2011 8:28 PM
  • So basically WSUS has more automation than ConfigMgr - a simple example is that I have to add updates for deployment manually one by one, granted you can select a bunch of updates and deploy them. But by the sound of it ConfigMgr Update Distribution is a bigger administrative overhead because of the lack of automation, e.g. new critical updates for immediate deployment, no clear overview of which client has what updates installed, manual review of each single update, having to clean up dozens of deployment tasks for updates (unless they can be reused?), etc. I am shocked that this actually works for a lot of administrators - coming from an administrative background I prefer the WSUS auto-approval and deployment option. Currently I still have auto-approval enabled in WSUS; I guess that has to be disabled and I go back to manually approving updates and deploying them? This sounds to me just wrong and going backwards - maybe for some organizations this is acceptable as their internal IT governance requires each patch to be tested, but for smaller places this is just a waste of time which could be concentrated on other IT efforts.

    So once WSUS is part of ConfigMgr new client computers will not show up on the WSUS console - does this also mean I should disable client side targeting options on WSUS?

    Thursday, December 8, 2011 5:43 AM
  • Once you have configured SUP/ConfigMgr correctly with templates, update lists etc., then you can create all your monthly deployments in less than 5-10 minutes.


    Kent Agerlund | My blogs: http://blog.coretech.dk/author/kea/ and http://scug.dk/ | Twitter @Agerlund | Linkedin: /kentagerlund
    Thursday, December 8, 2011 10:49 AM
    Moderator
  • But by the sound of it ConfigMgr Update Distribution is a bigger administrative overhead because of the lack of automation, e.g. new critical updates for immediate deployment, no clear overview of which client has what updates installed, manual review of each single update, having to clean up dozens of deployment tasks for updates (unless they can be reused?), etc. I am shocked that this actually works for a lot of administrators - coming from an administrative background I prefer the WSUS auto-approval and deployment option.

     

    I agree WSUS has automation: you can simply make an approval rule and then sit back. But it has a lot of disadvantages and can sometimes bring a disaster on the whole environment, as I faced yesterday at one of the clients: a patch from last month installed automatically on the clients from WSUS auto-approval without testing, and 10/25 systems that installed this update had Windows crash :(.

    So basically it's better to test updates monthly on a test system and then deploy them on production servers & clients, and this can be done through SCCM; you can't do that with WSUS alone.

    It's an administrative task to make templates and test updates and then deploy, but it's a monthly task, not a daily one. You can push 40+ updates at the same time to thousands of servers from SCCM and can get status from some handsome reports provided by SCCM.

    So to be saved from the disaster that I saw yesterday, it's better to use SCCM to deploy updates.

    Hope it helps :)

     


    Syed Kasif | My blogs: http://syedtechblog.wordpress.com | Linkedin: /syedkashif
    • Edited by Syed Kashif Thursday, December 8, 2011 12:45 PM
    Thursday, December 8, 2011 12:44 PM
  • Very nice insight and noted - I have 'played' around more with SUP now and it does seem to start making sense. I still question, however, whether it was a good idea for the vendor to take out automation rules, as some environments just do not need this type of granular control or do not have the resources at hand for complete patch testing. In the 10 years I was in IT I have seen only once a critical update causing issues. Most of our customers have auto-approval and deployment enabled for all their critical patches as a minimum - the benefits of being protected far outweigh having an incident due to a security update not loaded in their environment. Also, surely definition updates should be able to be automated? Saying this, I still have a couple of questions during my evaluation:

    1. FEP updates don't seem to update automatically even after following all the steps - is this normal behavior?
    2. If I create a download package after selecting the updates I need to create a share. Aside from having the SCCM computer account and the administrator full access to this share, what other permissions are required?
    3. The way I understand it, update lists can be re-used, so this would be the basis of deploying new patches by just adding them to an existing update list which is part of a recurring deployment plan?
    4. What is the deal with WSUS metadata cleanup? I still have a small number of clients showing up on the WSUS console - how can I determine which computers are successfully contacting or using the SUP instead of WSUS?
    5. I had a single patch deployed which stated it is targeted to 250 computers, but for the last day this does not deploy or I do not know how to check this - what is the normal procedure for checking if a deployment package is not going through?
    6. If I create the share for downloading the updates, must I create a share for each package - can I not just reuse the share?
    7. What effect will client-side targeting through Group Policy have on the SUP?
    • Edited by Naraka Friday, December 9, 2011 7:33 AM
    Friday, December 9, 2011 7:06 AM