SCCM - automatic updating with new update model?

Posted on 2016-10-27
Last Modified: 2016-11-03
I'm looking to switch from stand-alone WSUS server + GPO over to SCCM for software updates.
I have it all set up on SCCM and ready to go, I'm just curious as to what the best way to transition over is...

With SCCM, should I create "collections" identical to the "groups" I had in WSUS?
Are there any particular "Client settings" I should configure for Updates and Restarts, and deploy to those collections?

Should I just approve every update that is synced to deploy to these Windows servers, or do I only need to approve the latest "rollup" ones which will obtain all previous individual KB updates?
Question by:garryshape

Accepted Solution

by:
Mike T earned 500 total points
ID: 41863948
Hi,

If you want to mirror WSUS groups with collections that's OK, but it depends if those groups were good in the first place. Collections are very flexible. Some basic rules:

1) Create Windows 7 (client OS) collection
2) Create Server OS collection
3) Use 1 & 2 as Limiting collections. Never use "All Systems"
4) Create Maintenance windows for servers
5) Optional: create Maintenance windows for clients if the customer does not want to be disturbed at certain hours.


With regard to Client Settings, again the same pattern applies.

1) Create new Custom settings for Workstations
2) " for laptops
3) " for servers

Each can have their own reboot schedule as you've seen. The default is 90 mins grace, and then 3 warnings. However you may find that people are away from their machine and miss the first 2 warnings and come back to see the final warning and you can't delay it. So 90 mins is too short if you have a 1hr meeting, 1 hr lunch and another 1hr meeting. Food for thought.


Question - have you migrated from WSUS to SUP or are you going to flip-over? The difference is important. You need to let SCCM do ALL approvals. If you have existing filters on WSUS some updates will never, ever appear, because they are hidden from SUP.
The cleanest way is add a new WSUS role and then never configure it at all. That way you get a clean start. Then you create Update Groups (SUGs) and deploy to the appropriate collections. "Approval" is implicit. You either download and deploy or you don't.

Since MS has moved to rollups, I believe the answer to your final question is yes to both. Create SUGs for all the old updates (2011-now), and create one new SUG for the rollup which will change monthly.

One final note, MS have changed stance and now recommend doing a clean-up of the WSUS database regularly as it gets sluggish. There are articles out there: Google "WSUS clean-up"

Mike

Author Comment

by:garryshape
ID: 41867288
I have SCCM setup separately with the WSUS role on there. Then there is a completely separate WSUS server not associated with SCCM at all.
So my understanding is that changing servers to go from WSUS to SCCM is to simply configure their client settings to use Software Update, and that will make the local ConfigMgr client on the servers force them to get updates via SCCM, overriding any settings set by GPO?

Assisted Solution

by:Mike T
Mike T earned 500 total points
ID: 41871974
Hi Garry,

When you install the CM client, the installer does a lot of behind the scenes work. One of those things is that it sets a local machine policy that points to your SCCM for updates. If you are already using WSUS you will be using a GPO to point to the WSUS box. Domain GPOs beat local GPOs so at this point, even if your SUP is configured and ready, the policy will be "get updates from WSUS".

To flip the switch, you need to do the following:

Make sure you install WSUS like this:
https://technet.microsoft.com/en-us/library/bb693980.aspx

Set GPO settings
Always set the Configure Automatic Update setting to Disabled.
MACHINE POLICY
admin templates\Computer Configuration\Administrative Templates\Windows Components\Windows Update\Specify intranet Microsoft update service location as Enabled
and server as (https://XXX.XXX:8531)  << i.e. this is your SCCM Site server *NOT* WSUS


To check a machine is set to use ConfigMgr, look at the local uahandler.log file


Ref:
https://social.technet.microsoft.com/Forums/en-US/1f6962ab-7f7a-4b1c-b950-1184b3babfaf/sccm-and-standalone-wsus-server-integration?forum=configmanagerdeployment

The bottom line: the client and CM site server both *use* WSUS but you don't configure the server OR the client to even know about WSUS. Re-configure GPOs that point to WSUS and replace with your CM name.

This is why it makes sense to just install a clean, empty WSUS role on your site server.

Mike
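The check described in the answer above, as an added example that is not part of the original thread: it reads the Windows Update policy values that the winning GPO (domain or local) has written on a client and shows whether they point at the ConfigMgr software update point, then pulls the relevant lines from the client's update handler log. The server URL is a placeholder, and the log path (`WUAHandler.log` under the default client folder) and the log phrases searched for are assumptions.

```powershell
# Added example (not from the thread). Run in an elevated PowerShell session on the client.
param(
    # Placeholder URL: replace with your own ConfigMgr software update point.
    [string]$ExpectedServer = 'https://sup.example.internal:8531',
    # Assumed default ConfigMgr client log location.
    [string]$LogPath = "$env:windir\CCM\Logs\WUAHandler.log"
)

# Values written by "Specify intranet Microsoft update service location" and
# "Configure Automatic Updates", whichever policy (domain or local) won.
$wuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$wu = Get-ItemProperty -Path $wuKey -ErrorAction SilentlyContinue
$au = Get-ItemProperty -Path "$wuKey\AU" -ErrorAction SilentlyContinue

$server = [string]$wu.WUServer   # empty string when no policy is set
[pscustomobject]@{
    WUServer       = $server
    WUStatusServer = [string]$wu.WUStatusServer
    UseWUServer    = $au.UseWUServer     # 1 = use the intranet server above
    NoAutoUpdate   = $au.NoAutoUpdate    # 1 = "Configure Automatic Updates" is Disabled
    PointsAtSup    = ($server -ne '') -and
                     ($server.TrimEnd('/') -ieq $ExpectedServer.TrimEnd('/'))
    UsesHttps      = $server -like 'https://*'
} | Format-List

if (Test-Path $LogPath) {
    # Assumed log phrases: a domain GPO overriding the client's local policy,
    # and the client setting its own managed server policy.
    Select-String -Path $LogPath -Pattern 'higher authority', 'WUA Managed server' |
        Select-Object -Last 5 |
        ForEach-Object { $_.Line }
} else {
    Write-Warning "Log not found at $LogPath; is the ConfigMgr client installed?"
}
```

If `PointsAtSup` is False while the log shows a "higher authority" line, a domain GPO is still directing the machine to the stand-alone WSUS server.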
 

Author Closing Comment

by:garryshape
ID: 41872328
Awesome thanks so much.