WSUS vs SCCM

  • Question

  • Hi,

    We have an environment at a customer with around 250 clients and servers. These are used 24/7, both clients and servers, so we have to manually install MS patches. As of today, we have a GPO that configures the machines to download the patches, but not install them. We manually RDP to the machines and select install, then reboot, then either wait or try to use the wuauclt utility and then install the next batch of patches, reboot, and so it goes until all patches are installed.

    This takes a lot of time of course, but we have to do it manually due to the environment.

    If we implemented SCCM, would the machines only need to reboot 1 time? Do they get all the patches at the same time? If not, does it need to use or wait for the next batch of patches?

    I need some MS documentation that explains the WSUS topology. I'm trying to inform the customer that it takes time for a machine to report to the WSUS server about missing patches, and that the clients don't get ALL the patches at the same time... but the customer has a hard time understanding this.

    Please advise :)

    Thanks for the reply.


    /Regards Andreas

    Thursday, August 13, 2015 6:46 PM

Answers

  • The limitation of installing 100 updates in one go, for example, is not of WSUS nor SCCM; it's the Windows Update client agent on the endpoints that decides how to batch updates together. WSUS and SCCM both make all the updates available at once, but the client just can't handle that.

    The update agent tries its best to determine if updates will overlap each other, and it batches them together to apply as many updates as possible in one go before a reboot is required for certain components to be updated again (maybe as a prerequisite) and for the remaining updates to install successfully.

    You will sometimes see that the agent miscalculates and a bunch of updates will eventually fail to install until a reboot takes place; then they succeed on the second run.

    You can increase the interval on how often clients will report into WSUS, and that will give you more accurate reporting, but if you can only push out updates once a day or something, it doesn't really make much of a difference on how well WSUS is rolling up reports.

    • Marked as answer by Andreas2012 Thursday, August 13, 2015 9:47 PM
    Thursday, August 13, 2015 7:40 PM
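
The batching described in the answer above can be observed per machine. This is an added example, not code from the thread or from Microsoft: a PowerShell sketch that drives the Windows Update Agent COM API for one install pass over the updates the GPO has already downloaded, then reports each update's result and whether a reboot is needed before the next pass.

```powershell
# Added example (not from the thread). Run elevated and locally on the machine,
# e.g. from a scheduled task: WUA refuses Install() from a remote session.
$codes = @{ 0 = 'NotStarted'; 1 = 'InProgress'; 2 = 'Succeeded'
            3 = 'SucceededWithErrors'; 4 = 'Failed'; 5 = 'Aborted' }

$session  = New-Object -ComObject Microsoft.Update.Session
$searcher = $session.CreateUpdateSearcher()

# Everything the agent still considers applicable and not hidden.
$pending = $searcher.Search("IsInstalled=0 and IsHidden=0 and Type='Software'").Updates

# Matches the GPO in the question: queue only what is already downloaded.
$batch = New-Object -ComObject Microsoft.Update.UpdateColl
foreach ($u in $pending) {
    if ($u.IsDownloaded) {
        if (-not $u.EulaAccepted) { $u.AcceptEula() }
        [void]$batch.Add($u)
    }
}
Write-Output ("Pending: {0}, downloaded and queued: {1}" -f $pending.Count, $batch.Count)
if ($batch.Count -eq 0) { return }

# One install pass. The agent decides what it can actually apply before a reboot.
$installer = $session.CreateUpdateInstaller()
$installer.Updates = $batch
$result = $installer.Install()

# Per-update outcome: updates that fail here may succeed on the pass after a reboot.
for ($i = 0; $i -lt $batch.Count; $i++) {
    $r = $result.GetUpdateResult($i)
    [pscustomobject]@{
        Title       = $batch.Item($i).Title
        Result      = $codes[[int]$r.ResultCode]
        HResult     = '0x{0:X8}' -f $r.HResult
        NeedsReboot = $r.RebootRequired
    }
}
Write-Output ("Pass result: {0}; reboot required: {1}" -f `
    $codes[[int]$result.ResultCode], $result.RebootRequired)
```

Running it again after each reboot until the pending count reaches 0 shows how many passes a given machine actually needs.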

All replies

  • Hi,

    Thanks for the reply and good information.

    One last question: if the customer wants to implement SCCM, and we then choose to install patches automatically at midnight, for example, will the computer then get, for example, 100 updates, then reboot, and when it comes up again, will it then right away install the next 20 updates, reboot automatically, and so on until it's finished? Or will it wait X minutes before the next batch comes?


    /Regards Andreas

    Thursday, August 13, 2015 7:48 PM
  • SCCM will install all updates and then reboot. There are options to suppress the reboot if needed, and you can also leverage Maintenance Windows, a dedicated window where installation and reboot can occur.

    SCCM has much more configuration than WSUS for deploying software updates.


    Benoit Lecours | Blog: System Center Dudes

    Thursday, August 13, 2015 8:25 PM
  • OK, so if I understand correctly, only one reboot even if there are like 150 updates missing?

    Thanks again :)


    /Regards Andreas

    Thursday, August 13, 2015 8:28 PM