Right Click to Download Collection Will Already Downloaded Updates Download Again Sccm

Introduction

In Part I I took you lot through configuring the required Server Roles & Features, WSUS Installation and Configuration, IIS settings, Folder Permissions and linking it all up into SCCM.

Now, In Part Ii i'll evidence yous how to deploy updates and properly manage the futurity with ADRs, whilst catering for the past with Baselines.

Handling Windows Updates can be tricky at the best of times.  Timing, testing and the sheer resources to complete that can exist a headache.  Nonetheless by utilising SCCM'south ADRs (Automatic Deployment Rule) and ensuring we are testing on Dev machines first can really accept the strain off.

FYI

I'm going to stick to the easiest base to build from in this guide, and go with a once monthly deployment routine.  Sure products like Endpoint Protection don't fit this then I shan't be covering them.  Also for the sake of simplicity and the length of this web log already, this won't encompass Office 365.

Likewise this mail service has been written over a few months, then please excuse a few time differences in screenshots!

Pre-Read Fabric

If you lot're new to the Cumulative model in regards to Windows 7 and eight.1, or but need a refresher on the naming conventions, I'd advise yous read Microsoft's release here.

---

What we're going to exercise

Equally hinted in the Introduction, we are going to divide our updates into two categories, and its best you sympathize this first:

Baseline

Covering the past.

A Baseline is a group of updates for a Production that have been released since Solar day 1 of its life wheel, to the electric current day.

For example, Windows 7 was released on 22nd July 2009..  The baseline I would create would concur every relevant not superseded update between and then and today.

We volition create a Baseline for each Product.  one for Windows 7, 1 for Windows ten, 1 for Server 2016, 1 for Office 2013 etc.

These Baselines will and then be deployed to collections containing clients of their relevant OS'.

ADR

Covering the futurity.

An Automatic Deployment Rule is there to create a monthly update packet.  Equally per its name, it will run automatically on a schedule we configure, and go off, download the updates nosotros pre-configured it to, and and then deploy them to the clients we tell it to.

The idea hither is every month you lot every bit an administrator should take very little easily on, and fifty-fifty if you decide to take a vacation, it volition still run on a schedule. (Merely remember to let change management know beginning!).

Collections – Prod & Dev

To actually utilize the ADRs in particular, I'll show you how to deploy your monthly updates to Evolution machines firstly, giving you time to test out the updates for any gremlins, prior to the automated deployment to Production, say, a week subsequently.

---

Setup Collections

First things first, lets setup those collections nosotros spoke about.  Granularity here is key to having full control later.

I've created a Powershell script which tin do the beneath automatically and configure the folder construction, queries and limiting collections automatically.

Create Windows Update Device Collection Download

Only for an overview:

I'd suggest splitting between Servers & Workstations, then a level deeper by Os:

Create peak level Server Device Collections which contain all Servers.  1 for Production Servers, and 1 for Development or Pre-Product Servers.

A level down, split your Server OS'south into individual folders and Device Collections.  Then a folder for Server 2016 with Dev and Prod collections.  One for Server 2012 etc.

Gear up the limiting collection for these Bone specific Device Collections to the acme level 'All Server' groups.

Exercise the same for Workstations.  All workstations at the top, with Dev & Prod.  Then each individual OS below that you wish to support.

For the OS specific collections, set a query to ensure only that Bone is included, and set an Include Collections from the Top Level.

Baseline'south

With Products like Windows 10 now being fully Cumulative, there is a off-white statement to say a Baseline isn't required for these, however, i'm going to create 1 for the sake of fullness.  Other products that are not or accept not ever been cumulative, certainly need a baseline created.

We demand to create a baseline for each Product you lot demand to update.  Windows 10, Server 2008r2, Office 2013 etc.

To do this, navigate to Software Library>Software Updates>All Software Updates

Correct of the Search Push, selectAdd together Criteria and add together the below, then hit Search;

Product = Windows ten

AND Superseded = NO

ANDUpdate Classification = Critical Updates

ORUpdate Classification = Definition Updates

ORUpdate Classification = Security Updates

ORUpdate Classification = Update Rollups

ORUpdate Classification = Updates

Please exist very careful with the 'Updates' classification – in many cases this will include 'Preview' of updates. i.eastward adjacent months rather untested updates.

This will now bear witness yous what should be all applicable updates for the selected Product.

Select a unmarried update in the list, and hit Select All –Ctrl+A.

Right click > Create Software Update Group

Give it a sensible name;

"Baseline – Windows 10 Updates – DDMMYY"

Started this web log quite a while ago…

Earlier you shoot off anywhere else, lets save this Criteria Search so yous don't have to enter them all manually again..

Now change theProduct in the search and repeat the above for all your Products.

Id suggest in one case you've done your main Products, you also do a unmarried i for the bottom categories such at Silverlight, Visual Studio etc.

Do the same with the baseline creation but add together multiple Production lines.

Call it'Baseline – Windows Update – Windows General Products'

In one case you've finished creating, let's become see what we've created..

Software Library>Software Updates>Software Update Groups

Equally alluded to at the start of this department, cumulative updates don't really fit into what we're trying to achieve with Baselines, so before going any farther.. I'd propose you view the members of each Update Group and remove whatever Cumulative Updates, or other updates you simply don't desire contained.

Untick Membership;

Download the Baseline'due south

Software Library>Software Updates>Software Update Groups

So there are all our Baseline's.  But all we've done is collect them all together and given them a name.

Lets Download them…

Correct Click > Download

Create a new Deployment Package

Requite it the same proper name as the Baseline itself

Set up the Package Source location to theSCCMDeploymentPackage location nosotros created in Part I.

Y'all will need to manually create the folder itself within the location.

ClickNext and select a Distribution Indicate\Group to send them out to

Select your Distribution Settings

Download from the Internet

Your language preference..

Summary, and Next to terminate

This part will have a little while every bit information technology runs through and downloads them all..

In one case Complete. (Cheque the bottom of this folio for any errors, if in that location are any –i'm looking at yous Windows seven-, and then repeat the procedure again until success).

You can now check the file location, and you lot will see all your downloaded updates.  Inside each binder you lot'll have the individual .cab files.

Repeat this process for each of your Software Update Groups..

..Here'south 1 I made before

Deploy the Baseline'due south

Nosotros've grouped them, we've downloaded them, we've distributed them…  Now to deploy them..

We're going to make ii deployments of each.  1 to our Dev collection, ane to Prod.

Right Click > Deploy

Name it the same again.

Equally this is the Windows 10 Baseline, select the Windows 10 Device Collection – Dev in this instance.

Side by side

Required Deployment

Side by side

Set to ' Every bit soon as possible '

Display in Software Eye, and only prove notifications for calculator restarts.

This does what it says on the tin, and is my preferred selection.

Deadline Behaviour

This tin exist used to override whatever Maintenance Windows you take set, by default, you wouldn't apply this.

Device Restart Behaviour

Tick if you want to suppress automated restarts after installation.

Write filter treatment

Windows Embedded devices just

Software Updates Deployment re-evaluation behaviour upon restart

TICK It! – This forces the customer to rescan the device after information technology has restarted for updates.  If you don't tick this, you run the risk of SCCM not beingness aware of updates existence installed later a restart, prior to the next scheduled scan.

Set alerts if you run across fit..

Download options.  Most environments will want to Download / download and install.

Read the 2nd to bottom tick box carefully and determine.  If software updates have been deployed to your clients\servers but for whatever reason they cannot access the update from a Distribution Betoken, then you tin allow them to download it from Microsoft Update.

Select an Existing Deployment Packet

The correct i nosotros created earlier…

Set to Download (although we've already done this)..

Set Language..

Stop!

Before you lot click adjacent again, hitRelieve As Template

Relieve asBaseline Default

ClickSide by side to Finish

Repeat the Deployment again, this time to the Production production specific collection.

Select 'Select Deployment Template' and hit theBaseline Default you created.

Run through all the steps ensuring its correct and end.

Until you have your Baseline deployed to both your Development and Production Device Collection.

Repeat the in a higher place for all the Baseline groups y'all accept.

For the Not-Os Specific Software Update Groups like Office, and our Windows General Products Baseline, follow the below.

Use the same Template you created, butdeploy them to the elevation level All Windows Clients& if it applies, ALL Servers.

This way, our Non-Bone Specific products volition get deployed to all Operating Systems which could house them.

---

Automated Deployment Rules

So onto patching the future.

In the same vein as Baseline's, we are going to create product specific ADRs.  Each ADR volition so be deployed to our Dev and Prod device collections accordingly.Merely the Prod deployment volition have a delayed release time of 7 days.

This ways, when our ADR runs, it volition automatically release the updates to our Dev devices, then vii days after…once you have thoroughly tested…release to our production devices.

Lets get..

Create a new Automated Deployment Rule

Give it a logical name – ADR – Windows Update – Windows 10

Description – Windows ten Monthly Updates

Select Scan for a collection to target..

Select the Development – Windows Updates – Windows ten Collection

Select Create a new Software Update Grouping and click Next.

Select Automatically deploy all software updates constitute past this dominion, and approve any license agreements.

At present we demand to set what criteria we want this ADR to match every time it runs.  i.e, what updates do we want this to find?

Engagement Released or Revised =Last 1 Month

Product =Windows 10

Superseded =No

Update Classification =Critical Updates OR Definition Updates ORFeature Packs ORSecurity Updates ORService Packs ORUpdate Rollups

Fairly self explanatory, when this runs, it'll find any updates released or revised in the last one month for Windows 10 that are not superseded, that lucifer any of those classifications.

You lot can hitPreview here, to see, well a preview of what this criteria currently matches in your update database.

ClickNext

Now for the schedule to run this ADR..

Currently, our Software Update Point Synchronisation takes place belatedly on Patch Tuesday, the 2d Tuesday of the month at 23:00.  Now, nosotros want to give it a few hours to complete earlier nosotros run the ADR.. and so that takes usa into the Second Midweek.  05:00am sounds like a reasonable time to me.

Practise Not Gear up 'Run the rule after whatsoever software update point synchronisation'.

If you practise this, you lot are tethering your ADRs to your Sync and I guarantee you one solar day down the road you lot, or someone else, volition go and manually sync your SUP, unknowingly boot off the ADRs, and with them, deployments.

As at the start, we selected the Development collection, nosotros desire these clients to update straight abroad one time the updates take been establish, for this reason selectAs shortly as possiblehere to both Available and Deadline.

A repeat of settings we configured for baselines before..

I'd advise you set up to Generate an Alarm hither.  Its good to know every calendar month what the compliance of updates are.  Set information technology to 80 per centum later 7 days, and come across if yous can ramp it upwards to xc-95 over the coming months.

Download Settings for Clients.  You may have specific requirements for boundaries\fallback, just generally most should gear up this every bit per below.

Select toCreate a new deployment package with the aforementioned name you gave it earlier.

Place its content in its own folder underSCCMDeploymentPackages with the same name.

Select the Distribution Points \ Groups to automatically distribute to when the ADR runs.

Ready toDownload software updates from the net

Set your required Languages

Over again, lets save all this as a Template before going any futher..

ADR Default

SelectNext and Closeto stop

We now have our showtime ADR.  If you lot select theDeployment Settingstab down the lesser..

Y'all will see it'southward set to deploy to our Development Windows 10 collection.  This will happen automatically on the schedule we configured.

So at present lets add to this ADR..

Right click the ADR, selectAdd together Deployment

Scan for and select ourProduction – Windows Update – Windows 10 drove

ClickAdjacent

Next once more

Now we want to fix a delay.  We desire to say, 7 Days after this ADR runs, these updates will become available to this collection.

Set theSoftware available time toSpecific Time = 7 Days

Same settings over again..

Configure Alerting..

Download Options..

Next & Close to Cease

Now selecting the Deployment Settings tab will evidence both our deployments.

Like shooting fish in a barrel way for a single ADR to manage the release of updates over a period of fourth dimension to dissimilar collections.

At present echo this process of ADR creation\deployment for each Product category you take..  Selecting the Template you lot created earlier to save a few push button presses, and ensuring you alter\select the correct reference collection each time.

Until you lot have an ADR for each Bone y'all need to back up, each with two (or more!) deployments.

For Function, yous probable want to deploy to the top level collections..  Later all, different Office versions could exist installed on any OS depending on how you manage it.

Have Office on Servers too?  Ok.. add in more than deployments..

Now for our Windows Full general Products, which we covered in Baselines.  Create an ADR in the same way, selecting the Top Level collections.

Only add in the Product categories here that you need to cover..

Silverlight, Visual Studio 2012, Report Vieweretc

Once complete, you will take a nice selection of ADRs that will practice their business on the schedule y'all configured.

Nevertheless, should you be impatient (winadmins slack members 😉) then y'all can select the ADRs and hitRun Now.

Expect this to take a little fourth dimension whilst they run..

In one case consummate, underDeployment Packages, you lot volition exist able to encounter your ADRs and Baselines all together.

UnderSoftware Update Groups you lot can run across the groups, per month in the case of ADR's for what has been created.

On each Software Update Group, y'all can see their deployments, and the dates for which they will get available to the targeted clients.

Check the 'Deployed On' time here.  My single ADR sent updates to my Development machines on 02/08/2017 (yesterday at time of writing), but the deployment to Production won't happen until 09/08/2017!

And lastly, for those of yous following forth with my naming conventions, you tin can now easily search the deployments monitoring to run into customer status for Baselines and ADRs akin.

Conclusion

And so we've patched our products for all updates released and so far with Baseline's and we've covered future releases with ADRs, whilst at the same time giving ourselves flexibility to run granular tests per OS \ Product.

As I continue this series, I'll demonstrate how this granularity and separation can exist your best friend in times when y'all exercise notice problems with updates or you just need slightly more detail in monitoring.

In Function III i'll cover Client Settings, Maintenance Windows, Group Policy configuration and HTTPS.

Thank you for reading, I hope this has helped yous, and a personal thank you to the WinAdmins SCCM Slack group for nagging me enough to consummate this blog! – If you're not a member already, I highly suggest you join!

Rich Mawdsley

---

walkerclon1975.blogspot.com

Source: https://richmawdsleyblog.wordpress.com/2017/08/04/configuring-wsus-with-sccm-current-branch-server-2016-part-ii-adrs-baselines/