Can we apply Automatic Deployment Rule to individual collections?

  • Question

  • Hello,

    I created multiple collections by splitting "Windows XP" workstations. I would like to deploy Monthly Updates (Patch Tuesday) by collection, i.e., I don't want to deploy updates to all Windows XP workstations at once, but instead to individual collections.

    What is the best practice to deploy Updates to individual collections? Do I need to create multiple ADR's for each collection that I want to deploy? If yes, it will download duplicate updates into group, right?

    Any further help would be greatly appreciated. Thank you!

    Thursday, January 3, 2013 11:36 PM

All replies

  • Updates are *not* downloaded into update groups -- there is no connection between downloading updates and update groups. Updates are downloaded into Update Packages which have no connection to Update Groups. Clients are assigned updates from an update group and download the updates from *any* available update package that contains the necessary update(s).

    So, yes, you could create multiple ADRs; however, that would create identical update groups which really makes no sense. You have two options (IMO):

     - Add additional deployments to the one update group created by the ADR

     - Set your ADR to create a deployment to an all workstations collection and then use your granular collections to assign maintenance windows to control when clients actually install updates

    Ultimately though, why don't you want to deploy the updates all at once? This is common practice. Software Updates accounts for this in a handful of ways including through automatic schedule randomization (up to two hours after the actual deadline I believe) and clients pre-downloading updates (using BITS) as soon as the deployment is available.


    Jason | http://blog.configmgrftw.com

    Friday, January 4, 2013 1:48 AM
  • Jason,

    Thanks for your prompt reply.

    As per my understanding:

    1. Create an ADR by setting it to use an existing update group every month
    2. Add additional deployments to the existing Update Group.

    I didn't quite understand " Set your ADR to create a deployment to an all workstations collection and then use your granular collections to assign maintenance windows to control when clients actually install updates"

    Friday, January 4, 2013 2:14 AM
  • Correct for option 1.

    For option 2, here's an article about maintenance windows: http://msdn.microsoft.com/en-us/library/cc145449.aspx (it's for 2007 but is still applicable to 2012).


    Jason | http://blog.configmgrftw.com

    Friday, January 4, 2013 3:21 AM
  • Okay. Now I got it. But I'm a little bit confused while I'm reading this. In that link, they mentioned to create one ADR first and then disable it after we ran it once. Create a second ADR. Any thoughts?
    Friday, January 4, 2013 1:28 PM
  • Niall's simply using the initial ADR to create a deployment package and then disabling it. The new rule he creates then is set to use the deployment package created by the first ADR. If, per his example, you don't do this, the ADR will create a new Update Package every single time it runs instead of using the same one. This is just personal preference based upon what you are deploying and doesn't specifically affect your question or my answer.

    Jason | http://blog.configmgrftw.com

    Friday, January 4, 2013 3:48 PM
  • I got it. I think his steps won't apply to SP1 since the new ADR wizard provides an option to choose whether to 'Add to an existing Software Update Group' or 'Create a new Software Update Group'. I've chosen to 'Add to an existing...'

    Can you please correct me if I'm thinking in the wrong direction?

    I'm trying to do this:

    1. Create "All Windows 7 Workstations" primary collection
    2. Create required sub collections (like for each location/center)
    3. Set Maintenance Window for each sub collection (let's say Batch 1 is scheduled on 2nd weekend, Batch 3 is scheduled on 3rd weekend etc.)
    4. Create a single ADR (to use with existing Software Update Group) pointing (deploying) it to "All Windows 7 Workstations" with Patch Tuesday timing.
    5. Create deployments for each sub collection under the 'Software Update Group' created by ADR - I think I don't need to perform these additional deployments for sub collections since I already set Maintenance Window timings for each of these sub collections, right?
    6. Keep the 'ADR' as active.

    Friday, January 4, 2013 5:02 PM
  • First, note that my 2 options stated above are just that, two *different* options. You should pick one or the other, not both.

    For your steps above, you can't create sub-collections in 2012 but there's really no need to. All you need is a single All Workstations collection that the ADR creates a deployment for. Then, you need a completely separate set of collections that you divide up based upon your timing requirements and apply separate maintenance windows to these. That's it.

    One point you may be confusing is that maintenance windows have no context and are not limited by the collections they are created on. A maintenance window created on a collection is applied to every client in that collection. The clients then evaluate *every* deployment applicable to them, regardless of what collection the deployment was deployed to be assigned to the client, against the maintenance window. Clients have no concept of what collection they are in or what collection a deployment is applicable to.

    Another often confused point is that clients can be members of zero, one, or many collections. Collections are not a directory and clients do not exist within a collection. They are members of specific collections based upon the rules of that collection and thus can meet the rules of any number of different collections.

    Thus, the clients will be assigned the updates based on the deployment to the All Workstations collection. But, they won't actually perform the installation of the update until they are within a maintenance window as defined by their other collection membership.


    Jason | http://blog.configmgrftw.com

    Friday, January 4, 2013 5:41 PM
  • Jason,

    I really appreciate your prompt responses.

    "All you need is a single All Workstations collection that the ADR creates a deployment for. Then, you need a completely separate set of collections that you divide up based upon your timing requirements and apply separate maintenance windows to these. That's it."

    - I exactly did that.

    ---------------------

    1. Created an ADR --> All Workstations --> Patch Tuesday (2nd Tuesday on Every Month at 7PM) --> Deployment Deadline: 7 days
    2. Created separate set of collections and set different maintenance timings.
    3. Batch 1 --> Every 2nd Friday at 9PM
    4. Batch 2 --> Every 3rd Friday at 9PM
    • When SCCM runs the ADR on the coming Tuesday (1/8/2013), the ADR will download all updates to an existing Software Update Group at 7PM.
    • The updates will be available set to 'As soon as possible'
    • The 'deadline' set to 7 days.

    But workstations in 'Batch 1' won't install any updates until the Maintenance Window triggers, which is set to 2nd Friday at 9PM

    Right?

    -----------------------------------------

    Since I manually ran the ADR for the first time, updates on workstations shows "Scheduled to install after 1/11/2013 11:56:00 AM"

    When I change the time on workstation to 1/12/2013 12:00:00 AM, it shows "Past due - updates will be installed"

    -----------------------------------------

    I'm assuming that updates will be installed at Maintenance Window that I set on 'those set of collections - Batch 1 and Batch 2", right?



    Friday, January 4, 2013 5:56 PM
  • Correct. Maintenance Windows override everything at a client level. The server does not take this into account when displaying times in the console and neither does the software center on the client.

    Be careful of using 2nd Friday. The 2nd Friday isn't always after the 2nd Tuesday.


    Jason | http://blog.configmgrftw.com

    Friday, January 4, 2013 6:09 PM
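
The scheduling caveat in the reply above (the 2nd Friday is not always after the 2nd Tuesday), worked through for 2013 as an added example that is not part of the original thread. It is date arithmetic only and calls no ConfigMgr cmdlets; the function name `Get-NthWeekday` and the "Friday after Patch Tuesday" comparison column are assumptions made for illustration.

```powershell
# Added example: shows in which months a "2nd Friday" maintenance window
# opens BEFORE Patch Tuesday (2nd Tuesday), so that month's updates would
# wait for the following month's window.

function Get-NthWeekday {
    param(
        [int]$Year,
        [int]$Month,
        [System.DayOfWeek]$DayOfWeek,
        [int]$Nth
    )
    $first = New-Object -TypeName System.DateTime -ArgumentList $Year, $Month, 1
    # Days from the 1st of the month to the first requested weekday (0..6).
    $offset = (([int]$DayOfWeek - [int]$first.DayOfWeek) + 7) % 7
    $first.AddDays($offset + 7 * ($Nth - 1))
}

1..12 | ForEach-Object {
    $patchTuesday = Get-NthWeekday -Year 2013 -Month $_ -DayOfWeek Tuesday -Nth 2
    $secondFriday = Get-NthWeekday -Year 2013 -Month $_ -DayOfWeek Friday  -Nth 2
    # For comparison only: the first Friday that follows Patch Tuesday.
    $fridayAfter  = $patchTuesday.AddDays(3)

    [pscustomobject]@{
        Month             = $patchTuesday.ToString('yyyy-MM')
        PatchTuesday      = $patchTuesday.ToString('ddd dd')
        SecondFriday      = $secondFriday.ToString('ddd dd')
        # True when the window falls before the updates are released.
        WindowBeforePatch = $secondFriday -lt $patchTuesday
        FridayAfterPatch  = $fridayAfter.ToString('ddd dd')
    }
} | Format-Table -AutoSize
```

`WindowBeforePatch` is true for every month whose first day is a Wednesday, Thursday or Friday.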
  • Hurray. Finally I'm on the right track! Thanks for your help!
    Friday, January 4, 2013 6:59 PM
  • Thanks for this thread Guys!

    I was exactly confused like Sadda. John's explanation on how collections and maintenance windows work helped me a lot in creating a proper patch scenario.

    Thursday, February 21, 2013 8:58 AM