SCCM - automatic updating with new update model?

I'm looking to switch from stand-alone WSUS server + GPO over to SCCM for software updates.
I have it all setup on SCCM and ready to go, I'm just curious as to what the best way to transition over is...

With SCCM, should I create "collections" identical to the "groups" I had in WSUS?
Are there any particular "Client settings" I should configure for Updates and Restarts, and deploy to those collections?

Should I just approve every update that is synced to deploy to these Windows servers, or do I only need to approve the latest "rollup" ones which will obtain all previous individual KB updates?
0
Asked by garryshape
2 Solutions
Mike T (Leading Engineer) commented:
Hi,

If you want to mirror WSUS groups with collections that's OK, but it depends if those groups were good in the first place. Collections are very flexible. Some basic rules:

1) Create Windows 7 (client OS) collection
2) Create Server OS collection
3) Use 1 & 2 as Limiting collections. Never use "All Systems"
4) Create Maintenance windows for servers
5) (Optional) Create Maintenance windows for clients if the customer does not want to be disturbed at certain hours.


With regards Client Settings, again the same pattern applies.

1) Create a new Custom settings for Workstations
2) Create a new Custom settings for laptops
3) Create a new Custom settings for servers

Each can have their own reboot schedule as you've seen. The default is 90 mins grace, and then 3 warnings. However you may find that people are away from their machine and miss the first 2 warnings and come back to see the final warning and you can't delay it. So 90 mins is too short if you have a 1hr meeting, 1hr lunch and another 1hr meeting. Food for thought.


Question - have you migrated from WSUS to SUP or are you going to flip over? The difference is important. You need to let SCCM do ALL approvals. If you have existing filters on WSUS some updates will never, ever appear, because they are hidden from SUP.
The cleanest way is add a new WSUS role and then never configure it at all. That way you get a clean start. Then you create Update Groups (SUGs) and deploy to the appropriate collections. "Approval" is implicit. You either download and deploy or you don't.

Since MS has moved to rollups, I believe the answer to your final question is yes to both. Create SUGs for all the old updates (2011-now), and create one new SUG for the rollup which will change monthly.

One final note, MS have changed stance and now recommend doing a clean-up of the WSUS database regularly as it gets sluggish. There are articles out there: Google "WSUS clean-up".

Mike
1
garryshape (Author) commented:
I have SCCM setup separately with the WSUS role on there. Then there is a completely separate WSUS server not associated with SCCM at all.
So my understanding is that changing servers to go from WSUS to SCCM is to simply configure their client settings to use Software Update, and that will make the local ConfigMgr client on the servers force them to get updates via SCCM, overriding any settings set by GPO?
0
Mike T (Leading Engineer) commented:
Hi Garry,

When you install the CM client, the installer does a lot of behind the scenes work. One of those things is that it sets a local machine policy that points to your SCCM for updates. If you are already using WSUS you will be using a GPO to point to the WSUS box. Domain GPOs beat local GPOs so at this point, even if your SUP is configured and ready, the policy will be "get updates from WSUS".

To flip the switch, you need to do the following:

Make sure you install WSUS like this:
https://technet.microsoft.com/en-us/library/bb693980.aspx

Set GPO settings
Always set the Configure Automatic Update setting to Disabled.
MACHINE POLICY
admin templates\Computer Configuration\Administrative Templates\Windows Components\Windows Update\Specify intranet Microsoft update service location as Enabled
and server as (https://XXX.XXX:8531)  << i.e. this is your SCCM Site server *NOT* WSUS


To check a machine is set to use ConfigMgr, look at the local uahandler.log file.


Ref:
https://social.technet.microsoft.com/Forums/en-US/1f6962ab-7f7a-4b1c-b950-1184b3babfaf/sccm-and-standalone-wsus-server-integration?forum=configmanagerdeployment

The bottom line: the client and CM site server both *use* WSUS but you don't configure the server OR the client to even know about WSUS. Re-configure GPOs that point to WSUS and replace with your CM name.

This is why it makes sense to just install a clean, empty WSUS role on your site server.

Mike
1
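A quick way to confirm the "flip" described above actually took effect on a given server, as an added example that is not part of Mike's answer: read the Windows Update policy keys the GPO and the CM client both write to, compare them with the expected SUP address, and pull the matching lines from the client's handler log. The SUP URL is a placeholder you replace with your own site server; the log path assumes the default Configuration Manager client log folder (the post spells the file uahandler.log; the path used here is the default WUAHandler.log location).

```powershell
# Added example, not from the original thread. Verifies that a client's
# effective Windows Update policy points at the SCCM software update point
# rather than the old stand-alone WSUS server.
param(
    # Placeholder: replace with your site server, e.g. https://sccm01.corp.local:8531
    [string]$ExpectedSup = 'https://SCCM-SITE.example.local:8531',
    # Assumed default CM client log location
    [string]$LogPath     = "$env:WINDIR\CCM\Logs\WUAHandler.log"
)

$wuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$auKey = Join-Path $wuKey 'AU'

# Domain GPO and the CM client's local policy land in the same key, so this is
# the value the Windows Update Agent will actually use. A lingering WSUS GPO
# shows up here as the old WSUS hostname.
$wu = Get-ItemProperty -Path $wuKey -ErrorAction SilentlyContinue
$au = Get-ItemProperty -Path $auKey -ErrorAction SilentlyContinue

$checks = [ordered]@{
    'WUServer points at SUP'                        = ($wu.WUServer -eq $ExpectedSup)
    'WUStatusServer points at SUP'                  = ($wu.WUStatusServer -eq $ExpectedSup)
    'UseWUServer = 1 (intranet location enabled)'   = ($au.UseWUServer -eq 1)
    'NoAutoUpdate = 1 (Configure Automatic Updates: Disabled)' = ($au.NoAutoUpdate -eq 1)
}

$allGood = $true
foreach ($name in $checks.Keys) {
    $ok = [bool]$checks[$name]
    if (-not $ok) { $allGood = $false }
    '{0,-60} {1}' -f $name, ($(if ($ok) { 'OK' } else { 'MISMATCH' }))
}

"Current WUServer value: $($wu.WUServer)"

# Show what the CM client's update handler last recorded about the server it uses.
if (Test-Path $LogPath) {
    "`nRecent $LogPath lines mentioning a server:"
    Select-String -Path $LogPath -Pattern 'server' -SimpleMatch |
        Select-Object -Last 5 |
        ForEach-Object { $_.Line }
} else {
    "`nLog not found at $LogPath (is the CM client installed?)"
}

if (-not $allGood) {
    "`nPolicy still differs from the SUP. Run 'gpresult /scope computer /r' to see which GPO is applying Windows Update settings."
}
```

Run it on a server after the GPO change and a `gpupdate /force`; if `WUServer` still shows the old WSUS name, a domain GPO is still winning over the client's local policy, exactly the situation Mike describes.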
garryshape (Author) commented:
Awesome thanks so much.
0