Solved

Should I Continue to Patch Client Pc's with SCCM or Switch to WSUS?

Posted on 2010-11-11
6
1,320 Views
Last Modified: 2013-11-21
*I apologize in advance if this is hard to follow and for this being a very long question. I will try to ask this is the most clearly as I can, but please don't hesitate to ask me to clarify on things if you'dre not sure what I'm asking*

I have a server configured to just run SCCM '07 SP2, and this server also has WSUS installed as was required for the installation of SCCM '07. I'm finding that using SCCM to update client Pc's is VERY cumbersom and inconvenient for me as I have to: manually download updates, add them to update lists, sync the updates with the distribution servers (this NEEDS to be done at night as it sucks up ALL available bandwidth), and then schedule the install to the clients. My questions are the following:

1) Is it just better to use WSUS and point the client Pc to the WSUS server via GPO. There are >300 systems on the network.

2) If i keep using SCCM to deploy updates, does anything need to be configured in GPO to point the client Pc's to the SCCM server? I dont have anything setup now, and when I deploy udates via SCCM, it DOES work.

3) I'm still using Windows Updates (poining to Microsoft's Update Server) because I can't update the Client Pc's as often as updates get released. Is this bad? Should I point them to the WSUS server? Even while using SCCM to update the clients?

4) If I decide to use WSUS for client updates; what about bandwidth usage in regards to remote clients at remote locations hitting the WSUS server? Should I setup a WSUS server on each subnet. I just dont want 200 Pc's trying to download updates over one connection and flodding that connection.



I'm driving my self nuts and I feel like I'm making things much harder for myself then they need to be. I have more questions, but they're based on what answers I get for the above questions. I will also create a new thread if I have to for those ones.



Thank you for your help
0
Comment
Question by:DonaldWilliams
  • 4
  • 2
6 Comments
 
LVL 2

Expert Comment

by:SacTechGroup
ID: 34115066
1) No, SCCM uses WSUS to accomplish the task of updating, its the same thing, different management interface.  SCCM is much more powerfal than WSUS by itself but WSUS by its self might be easier to manage.
2)Yes, there are a lot of things you'll need to configure and tweak for your environment, there will be lots for WSUS to.  You'll need to get the setup guide and go through it and it might take a couple of days.
3)Is it bad?  you have no control of what updates get pushed or when or any way of knowing if computers are up to date so if any of that you consider bad...Im sure you will be shocked to find out how many updates are missing once you get all the clients reporting through the GPO... virus makers depend on machines not being patched :)
4) with both SCCM and WSUS you need to CONFIGURE bandwidth management.  What groups get what patches when and at what time, randomization of patching etc.  When you use central management like SCCM and WSUS you should only be downloading the patches 1 time, to the WSUS storage area.  then the patch is distributed locally over your LAN.  This should have minimal bandwith impact.  You should be able to do it during the day without anyone noticing!
0
 

Author Comment

by:DonaldWilliams
ID: 34116000
Your correct about your #3, I was shocked to see how many updates were reported being missing.

I just have a couple more questions:

1) Should I set up GPO to point the clients to my SCCM server, or should I just disable Windows Updates via GPO and continue to manually setup "update lists" and push the updates out via SCCM.

2) Is there anything I need to configure in the WSUS console, or can I just ignore that and do everything out of SCCM?

3) What is the difference in updateing via SCCM and WSUS? Is WSUS the automatic way for the clients to update and SCCM is the manual way?

As far as the bandwidth issue is concerned, I have another thread on that already open. :)

I just feel like having WSUS on my SCCM server is redundant. I opened up the WSUS console and saw 2K updates that needed to be approved, yet when I setup "update lists" via SCCM, and push them out, the clients update. If I can get the clients to auto check for updates on my SCCM server w/o crashing my network, that would be wonderful.
0
 
LVL 2

Accepted Solution

by:
SacTechGroup earned 500 total points
ID: 34116163
I havent used the two products together.  SCCM should provide you a new way to manage WSUS.  WSUS is free utility for just downloading and deploying updates while SCCM manages any kind of software deployment.  I believe you are still going to need to set up a GPO for WSUS following the WSUS guide.  It might make your life easier to just use WSUS if you arent doing software re-packaging and deployment - I used the old version of SCCM to repackage and deploy every single update.. acrobat/java/flash EVERYTHING!  We had a very controlled environment..

even with SCCM controlling WSUS there are still things you have to do in WSUS like subscribe to updates for certain OSes etc.  Start with just WSUS and once you get that down you can look at managing it with SCCM.

http://serverfault.com/questions/113336/what-is-the-diference-between-gpos-wsus-sccm-and-sce-in-software-and-patch-depl

WSUS is the Microsoft's basic offering for enterprise OS and Microsoft application patching. It is capable of connecting to Microsoft's update catalogue, has a small amount of configuration around scheduling rollouts by groups etc, and limited reporting details on patch deployment.

SCCM (System Centre Config Manager) is the replacement for SMS, it has SCUP (System Centre Updates Publisher) as one of it's components. This builds on top of the WSUS infrastructure and components and gives you massively more configuration and reporting, as well as having the ability to connect to other vendors' update catalogues (Adobe, Dell, HP, etc) and also deploy your own custom patches for any apps. In addition to patching, SCCM also retains all the software packaging, and deployment, OS deployment, etc of SMS.

GPOs (Group Policies) can be used for software deployment, but doesn't have any special patch-specific functions, and has very limited info/reporting on deployments

SCE (System Centre Essentials) is a cut-down SCCM for smaller businesses that shares much of the functionality of it's big brother.


more
http://www.edugeek.net/forums/o-s-deployment/31487-sccm-wsus.html
0
What is SQL Server and how does it work?

The purpose of this paper is to provide you background on SQL Server. It’s your self-study guide for learning fundamentals. It includes both the history of SQL and its technical basics. Concepts and definitions will form the solid foundation of your future DBA expertise.

 

Author Comment

by:DonaldWilliams
ID: 34120611
Thank you for taking the time to give me all this valuable information. Let me review what you have given me and I will get back to you. If iI find that it answeres my questions, I will "accept as solution" and award the points; if not, I will be asking more questions. :)
0
 

Author Comment

by:DonaldWilliams
ID: 34168189
Can someone point me to a link (is there one) that describes EXACTLY how to setup WSUS with SCCM?

The way I have it now "works", but I don' think it is "right"....
0
 

Author Closing Comment

by:DonaldWilliams
ID: 34168235
This solution pointed me into another direction that I will follow up on.
0

Featured Post

Ransomware-A Revenue Bonanza for Service Providers

Ransomware – malware that gets on your customers’ computers, encrypts their data, and extorts a hefty ransom for the decryption keys – is a surging new threat.  The purpose of this eBook is to educate the reader about ransomware attacks.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

This is a fairly complicated script that will install the required prerequisites to install SCCM 2012 R2 on a server.  It was designed under the functional model in order to compartmentalize each step required, reducing the overall complexity.  The …
We were having a lot of "Heartbeat Alerts" in our SCOM environment, now "Heartbeat" in a SCOM environment for those of you who might not be familiar with SCOM is a packet of data sent from the agent to the management server on a regular basis, basic…
The view will learn how to download and install SIMTOOLS and FORMLIST into Excel, how to use SIMTOOLS to generate a Monte Carlo simulation of 30 sales calls, and how to calculate the conditional probability based on the results of the Monte Carlo …
The viewer will learn how to create two correlated normally distributed random variables in Excel, use a normal distribution to simulate the return on different levels of investment in each of the two funds over a period of ten years, and, create a …

911 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

22 Experts available now in Live!

Get 1:1 Help Now