Solved

SCCM - automatic updating with new update model?

Posted on 2016-10-27
Last Modified: 2016-11-03
I'm looking to switch from stand-alone WSUS server + GPO over to SCCM for software updates.
I have it all set up on SCCM and ready to go; I'm just curious as to what the best way to transition over is...

With SCCM, should I create "collections" identical to the "groups" I had in WSUS?
Are there any particular "Client settings" I should configure for Updates and Restarts, and deploy to those collections?

Should I just approve every update that is synced to deploy to these Windows servers, or do I only need to approve the latest "rollup" ones which will obtain all previous individual KB updates?
Question by:garryshape
Accepted Solution

by: Mike T
ID: 41863948
Hi,

If you want to mirror WSUS groups with collections that's OK, but it depends if those groups were good in the first place. Collections are very flexible. Some basic rules:

1) Create Windows 7 (client OS) collection
2) Create Server OS collection
3) Use 1 & 2 as Limiting collections. Never use "All Systems"
4) Create Maintenance windows for servers
5) (Optional) Create Maintenance windows for clients if the customer does not want to be disturbed at certain hours.


With regard to Client Settings, again the same pattern applies.

1) Create new Custom settings for Workstations
2) " for laptops
3) " for servers

Each can have their own reboot schedule as you've seen. The default is 90 mins grace, and then 3 warnings. However, you may find that people are away from their machine and miss the first 2 warnings and come back to see the final warning, and you can't delay it. So 90 mins is too short if you have a 1hr meeting, 1hr lunch and another 1hr meeting. Food for thought.


Question - have you migrated from WSUS to SUP or are you going to flip over? The difference is important. You need to let SCCM do ALL approvals. If you have existing filters on WSUS, some updates will never, ever appear, because they are hidden from SUP.
The cleanest way is to add a new WSUS role and then never configure it at all. That way you get a clean start. Then you create Update Groups (SUGs) and deploy to the appropriate collections. "Approval" is implicit. You either download and deploy or you don't.

Since MS has moved to rollups, I believe the answer to your final question is yes to both. Create SUGs for all the old updates (2011-now), and create one new SUG for the rollup which will change monthly.

One final note: MS have changed stance and now recommend doing a clean-up of the WSUS database regularly as it gets sluggish. There are articles out there: Google "WSUS clean-up".

Mike

Author Comment

by:garryshape
ID: 41867288
I have SCCM set up separately with the WSUS role on there. Then there is a completely separate WSUS server not associated with SCCM at all.
So my understanding is that changing servers to go from WSUS to SCCM is to simply configure their client settings to use Software Update, and that will make the local ConfigMgr client on the servers force them to get updates via SCCM, overriding any settings set by GPO?
Assisted Solution

by:Mike T
ID: 41871974
Hi Garry,

When you install the CM client, the installer does a lot of behind the scenes work. One of those things is that it sets a local machine policy that points to your SCCM for updates. If you are already using WSUS you will be using a GPO to point to the WSUS box. Domain GPOs beat local GPOs so at this point, even if your SUP is configured and ready, the policy will be "get updates from WSUS".

To flip the switch, you need to do the following:

Make sure you install WSUS like this:
https://technet.microsoft.com/en-us/library/bb693980.aspx

Set GPO settings
Always set the Configure Automatic Update setting to Disabled.
MACHINE POLICY
admin templates\Computer Configuration\Administrative Templates\Windows Components\Windows Update\Specify intranet Microsoft update service location as Enabled
and server as (https://XXX.XXX:8531)  << i.e. this is your SCCM Site server *NOT* WSUS


To check a machine is set to use ConfigMgr, look at the local uahandler.log file.


Ref:
https://social.technet.microsoft.com/Forums/en-US/1f6962ab-7f7a-4b1c-b950-1184b3babfaf/sccm-and-standalone-wsus-server-integration?forum=configmanagerdeployment

The bottom line: the client and CM site server both *use* WSUS but you don't configure the server OR the client to even know about WSUS. Re-configure GPOs that point to WSUS and replace with your CM name.

This is why it makes sense to just install a clean, empty WSUS role on your site server.

Mike
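
A check for the GPO side of the switch-over described above, as an added example that is not part of the original answer: it reads the Windows Update policy values that Group Policy writes to the registry and compares them with the server you expect. The function names and the URL `https://cm01.example.test:8531` are hypothetical placeholders, and the `NoAutoUpdate` check encodes the answer's advice to set Configure Automatic Updates to Disabled.

```powershell
# Added example: audit which update server the effective policy points a client at.
function Get-WindowsUpdatePolicy {
    # Policy values land here regardless of whether a domain or local GPO set them.
    $wu = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    $p  = Get-ItemProperty -Path $wu -ErrorAction SilentlyContinue
    $au = Get-ItemProperty -Path "$wu\AU" -ErrorAction SilentlyContinue
    [pscustomobject]@{
        WUServer       = $p.WUServer        # "Specify intranet Microsoft update service location"
        WUStatusServer = $p.WUStatusServer
        UseWUServer    = $au.UseWUServer    # must be 1 for WUServer to be honoured
        NoAutoUpdate   = $au.NoAutoUpdate   # 1 when "Configure Automatic Updates" is Disabled
    }
}

function Test-UpdateSource {
    param(
        [Parameter(Mandatory)] $Policy,
        [Parameter(Mandatory)] [string] $ExpectedUrl   # placeholder: your site server URL
    )
    $findings = @()
    if ([string]::IsNullOrEmpty($Policy.WUServer)) {
        $findings += 'No intranet update service location is set by policy.'
    } else {
        $actual = $Policy.WUServer.TrimEnd('/')
        if ($actual -ne $ExpectedUrl.TrimEnd('/')) {   # -ne ignores case for strings
            $findings += "WUServer is '$actual', expected '$ExpectedUrl' (stale WSUS GPO?)."
        }
        if ($actual -notlike 'https://*') {
            $findings += 'WUServer is not an https:// URL, so update metadata is not protected by TLS.'
        }
    }
    if ($Policy.UseWUServer -ne 1) {
        $findings += 'UseWUServer is not 1, so the intranet location is ignored.'
    }
    if ($Policy.NoAutoUpdate -ne 1) {
        $findings += 'Configure Automatic Updates is not Disabled (NoAutoUpdate is not 1).'
    }
    [pscustomobject]@{ Compliant = ($findings.Count -eq 0); Findings = $findings }
}

# Constructed sample: a server still governed by the old stand-alone WSUS GPO.
$stale = [pscustomobject]@{ WUServer = 'http://oldwsus.example.test:8530'
    WUStatusServer = 'http://oldwsus.example.test:8530'; UseWUServer = 1; NoAutoUpdate = 0 }
(Test-UpdateSource -Policy $stale -ExpectedUrl 'https://cm01.example.test:8531').Findings

# On a real machine, test the live values instead:
# Test-UpdateSource -Policy (Get-WindowsUpdatePolicy) -ExpectedUrl 'https://cm01.example.test:8531'
```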

Author Closing Comment

by:garryshape
ID: 41872328
Awesome thanks so much.