Configuring Automatic Deployment Rules for Software Updates in SCCM 2012

In deploying Microsoft updates, it’s equally important to delay the updates as it is to apply them in order to prevent applying bad updates that cause unintended consequences, including the dreaded BSOD. In this post I’m going to show how to deploy MS updates using an Automatic Deployment Rule (ADR) in System Center Configuration Manager 2012 R2.

I have experimented with different patch schedules and methods over the years, and I’m going to outline what works best for me. Every month, I wait until a week after Patch Tuesday and deploy updates to my own computer. (Waiting a week gives bleeding-edge users time to report issues and Microsoft time to pull a patch if necessary.) If there are going to be any BSODs, I would rather catch them first instead of a few hundred or thousand of my users. After I let the updates “bake” on my computer for a week without encountering any issues, I deploy them to a small group of users. I pick a small group of people who are generally easy to work with and usually don’t have any pressing deadlines to meet. I sometimes refer to this group as “the canary in the coal mine”, because coal miners used a caged canary back in the old days to alert them to the presence of toxic gases: it would kill the canary before affecting the miners. If the canary drops dead, back out quickly! After the “canary” group bakes with these updates for a week without issue, it’s time to deploy the updates to the rest of your computers, including laptops. Some users take their laptop home nightly and may miss the collection’s maintenance window of 4 to 7 AM. For these offsite laptops, I deploy updates a week after the bulk of the users. This gives the laptop users a chance to return to the office and pick up updates during the maintenance window. If this window is missed, the only effective way to get it done is to push the updates during working hours, at lunch time, and suppress the restart. This may not be ideal, but what else are you going to do if they take the laptop home every night?

In the SCCM console, select Software Library, expand Software Updates and select Automatic Deployment Rules. Click the “Create Automatic Deployment Rule” button.

Name your ADR and provide a description if you desire. Select a Deployment Template if you have created any. Select your collection, and select Create a new Software Update Group, and click Next.

On the Deployment Settings dialog, select “Use Wake-on-LAN” if you desire. I don’t use this feature, as all of my computers automatically power on for the 4 AM maintenance window via BIOS settings. Click Next.

On the Software Updates dialog, set your property filters to select the updates you want. In my case I exclude a particular Bulletin ID that we have found to cause problems with our deployed applications by preceding it with a minus sign.

Specify the Evaluation Schedule.

Specify the Deployment Schedule.

Specify the User Experience. I prefer to select “Hide in Software Center”, and leave all boxes unchecked so that they only deploy during the collection’s maintenance window. Click Next.

Specify an alert of 90 percent and 7 days, unless you prefer otherwise.

I leave the defaults selected on the Download Settings dialog, and click Next.

Select a Deployment Package if one exists, otherwise create a new deployment package and specify the source, then click Next.

Select your Distribution Points or Distribution Point Group.

Accept the default on the Download Location dialog, and click Next.

Make the appropriate language selection, and click Next.

Carefully review the Summary page. If you don’t need to make any changes, click Save as a Template, click Next, then click Close.

Repeat this process for any other operating systems you manage, making changes as necessary.
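The same wizard steps can be scripted with the ConfigurationManager PowerShell module that ships with the SCCM console. The following is an added example, not code from the original post: it creates one ADR per rollout stage, so the week-by-week schedule described at the top of the post (my machine, the canary group, everyone else, offsite laptops) is expressed as increasing availability offsets from the Patch Tuesday software update point sync. Cmdlet and parameter names are those of the module as I know them (check them against `Get-Help New-CMSoftwareUpdateAutoDeploymentRule` for your site version, since the parameter set has changed across releases); the site code, collection names, package source, distribution point group and the excluded bulletin are placeholders to replace with your own.

```powershell
# Added example (not from the original post): one ADR per rollout stage.
$SiteCode         = 'PS1'                              # placeholder site code
$PackageSource    = '\\sccm01\Sources\Updates\Monthly'  # placeholder UNC path for the package source
$PackageName      = 'Monthly Microsoft Updates'        # placeholder deployment package name
$DPGroupName      = 'All Distribution Points'          # placeholder distribution point group
$ExcludedBulletin = 'MS14-NNN'                         # placeholder: the bulletin that broke our apps

# Stages from the post. The ADR runs after the software update point sync on
# Patch Tuesday, so each offset (days) is measured from that sync. The deadline
# is one day after availability so the install lands in the next 4-7 AM window.
$Stages = @(
    @{ Collection = 'Patch - Admin Workstation'; Available = 7;  Deadline = 8  }
    @{ Collection = 'Patch - Canary';            Available = 14; Deadline = 15 }
    @{ Collection = 'Patch - All Workstations';  Available = 21; Deadline = 22 }
    @{ Collection = 'Patch - Offsite Laptops';   Available = 28; Deadline = 29 }
)

# Load the module from the console install and switch to the site drive
Import-Module (Join-Path (Split-Path $env:SMS_ADMIN_UI_PATH) 'ConfigurationManager.psd1')
Set-Location "$($SiteCode):"

# Create the deployment package once and reuse it for every stage's ADR
if (-not (Get-CMSoftwareUpdateDeploymentPackage -Name $PackageName)) {
    New-CMSoftwareUpdateDeploymentPackage -Name $PackageName -Path $PackageSource | Out-Null
}

function New-StagedUpdateAdr {
    param(
        [Parameter(Mandatory)][string]$CollectionName,
        [Parameter(Mandatory)][int]$AvailableDays,
        [Parameter(Mandatory)][int]$DeadlineDays
    )

    $params = @{
        Name                             = "ADR - Windows 7 - $CollectionName"
        Description                      = 'Monthly Microsoft updates, staged rollout'
        CollectionName                   = $CollectionName
        AddToExistingSoftwareUpdateGroup = $false   # new software update group each run
        EnabledAfterCreate               = $false   # review in the console, then enable
        SendWakeupPacket                 = $false   # no Wake-on-LAN; BIOS powers machines on
        # Software Updates property filters. The leading minus is the console's
        # exclusion syntax; I assume the cmdlet passes the string through unchanged.
        Product                          = 'Windows 7'
        UpdateClassification             = 'Security Updates', 'Critical Updates'
        BulletinId                       = "-$ExcludedBulletin"
        Superseded                       = $false
        # Deployment schedule: a week of "bake" time per stage
        AvailableTime                    = $AvailableDays
        AvailableTimeUnit                = 'Days'
        DeadlineTime                     = $DeadlineDays
        DeadlineTimeUnit                 = 'Days'
        # User experience: hidden in Software Center, maintenance window only, no forced restart
        UserNotification                 = 'HideAll'
        AllowSoftwareInstallationOutsideMaintenanceWindow = $false
        AllowRestart                     = $false
        SuppressRestartWorkstation       = $false
        SuppressRestartServer            = $false
        # Alert at 90 percent / 7 days, as in the post
        GenerateSuccessAlert             = $true
        SuccessPercentage                = 90
        AlertTime                        = 7
        AlertTimeUnit                    = 'Days'
        # Existing deployment package, distribution point group, download location, language
        DeploymentPackageName            = $PackageName
        DistributionPointGroupName       = $DPGroupName
        DownloadFromInternet             = $true
        LanguageSelection                = 'English'
        # Evaluation schedule: run after each software update point sync
        RunType                          = 'RunTheRuleAfterAnySoftwareUpdatePointSynchronization'
    }
    New-CMSoftwareUpdateAutoDeploymentRule @params
}

foreach ($stage in $Stages) {
    New-StagedUpdateAdr -CollectionName $stage.Collection `
                        -AvailableDays  $stage.Available `
                        -DeadlineDays   $stage.Deadline
}
```

The rules are created disabled so that each can be checked in the console (filters, collection, schedule) before the first sync triggers them; the bulletin exclusion is the one filter worth double-checking, since a typo there silently deploys the update you meant to hold back.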

Printing IS important in the VDI environment

I manage a Citrix XenApp system. Recently during a business lunch our sales rep told us that his customers have had “great success” with VMware Horizon View as a Citrix replacement.

From what I’ve been reading in comparisons of VMware vs Citrix VDI, VMware is a little immature at the moment. I consider Citrix XenDesktop and XenApp to be mature and complete end-to-end products. Profile management? Check. Universal printing? Check. Remote access (NetScaler)? Check. Then you also have GoToMeeting, GoToWebinar, ShareFile, and MDM. At first glance it looks like it would be easy to upgrade a Citrix environment with VMware Horizon View 6. A VMware webinar I watched recently said you just install the Horizon agent on your Citrix server to publish apps, and you don’t even have to uninstall Citrix.

The reality is that VMware Horizon View 6 lacks some key features, including universal printing and profile management. To be fair, if you are doing VDI on a Windows desktop OS, VMware has universal printing. However, if you are publishing a desktop or application on a server OS, there is no universal printing. I think I’ll stick with Citrix, thank you.

Here’s a good summary of the differences between Citrix and VMware VDI client printing support.

User changed password in AD and keeps getting locked out

I’ve noticed that Active Directory account lockouts seem to be more common these days. I believe this is a result of the use of mobile devices, with some users having multiple mobile devices.

The most common cause of account lockout is when a user changes their password and doesn’t immediately update their password on a mobile device with an email account configured for ActiveSync. I’ve even had one person tell me that they did update their password on their iPhone, then after repeated account lockouts they remembered the iPad they left at home that also had their company email account on it.

If mobile devices with ActiveSync accounts aren’t the cause, I recommend using Account Lockout Examiner, a freeware tool from Netwrix.

Netwrix Account Lockout Examiner: Alert your help desk staff about lockout events and troubleshoot account lockouts, analyzing potential causes. Accounts can be unlocked within the console, a Web-based interface or via a mobile device.

Download it here.
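Before reaching for a third-party tool, the built-in evidence is the Security event ID 4740 (“A user account was locked out”) on the domain controllers, whose “Caller Computer Name” field names the machine that submitted the bad credentials. The following is an added example, not code from the original post: it pulls recent 4740 events from every domain controller and groups them by user and caller, so a lockout whose caller is the Exchange server points straight at the stale ActiveSync device described above. It assumes the RSAT ActiveDirectory module, rights to read each DC’s Security log, and the 4740 EventData field names as I know them (`TargetUserName` for the locked account and `TargetDomainName`, which the event viewer renders as “Caller Computer Name”); the user name in the usage line is a placeholder.

```powershell
# Added example (not from the original post): find who is locking an account out.
Import-Module ActiveDirectory

function Get-AccountLockoutEvents {
    param(
        [string]$UserName,        # optional sAMAccountName to filter on
        [int]$Hours = 24          # how far back to look
    )
    $since = (Get-Date).AddHours(-$Hours)

    # The PDC emulator records every lockout, but each DC logs the ones it
    # processed itself, so query all of them rather than trusting one copy.
    $dcs = (Get-ADDomainController -Filter *).HostName

    foreach ($dc in $dcs) {
        try {
            $events = Get-WinEvent -ComputerName $dc -FilterHashtable @{
                LogName   = 'Security'
                Id        = 4740
                StartTime = $since
            } -ErrorAction Stop
        } catch {
            # Get-WinEvent throws when no events match; treat that DC as empty
            continue
        }

        foreach ($e in $events) {
            # Read the named EventData fields from the event XML rather than
            # relying on positional Properties[] indexes.
            $data   = ([xml]$e.ToXml()).Event.EventData.Data
            $user   = ($data | Where-Object Name -eq 'TargetUserName').'#text'
            $caller = ($data | Where-Object Name -eq 'TargetDomainName').'#text'   # "Caller Computer Name"

            if ($UserName -and $user -ne $UserName) { continue }

            [pscustomobject]@{
                Time   = $e.TimeCreated
                User   = $user
                Caller = $caller
                DC     = $dc
            }
        }
    }
}

# Usage: where are the lockouts for 'jsmith' (placeholder) coming from in the last day?
Get-AccountLockoutEvents -UserName 'jsmith' -Hours 24 |
    Group-Object User, Caller |
    Sort-Object Count -Descending |
    Select-Object Count, Name
```

If the caller is the Exchange (ActiveSync) server, the next stop is the user’s list of synced devices; if it is a workstation or file server, look there for a mapped drive, scheduled task or service still running under the old password.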

Best sales pitch ever!

Yesterday I attended a sales pitch for Barracuda backup appliances, hosted by SLAIT Consulting at Colonial Shooting Academy in Virginia Beach, VA. I always enjoy attending these events, if nothing else you always meet new people and get some lunch while learning about new technology.

What made this event so awesome is the fact that I love to shoot guns, and the event was at a gun store and shooting range. After lunch and the sales pitch we were given a safety brief and headed to the range. In addition to a selection of pistols, they laid out a couple of AR-15’s and an AK-47 and all the ammo you could shoot. This was the first time I had ever shot an AR or AK. It was a BLAST!

First lonely post

Today I’m recovering from a very simple mistake that could have cost me weeks of work if I hadn’t made a backup copy in VMware of the application server I am building for XenApp 7.5. I painstakingly installed and tweaked a long list of applications on Server 2008 R2 to be used for the master image in XenApp 7.5 Machine Creation Services (MCS).

I hit a wall with an issue connecting my XenApp 7.5 DC to vSphere for the MCS connection. I submitted traces to Citrix support, who eventually called it a VMware issue. While waiting for VMware support, I decided to manually create the servers in VMware instead of using MCS so that I could forge ahead with the Citrix upgrade. I can always go back and integrate MCS after the VMware issue is resolved. I sysprepped my application server and created a VM template. After creating my first server from the template, I realized that I FORGOT TO UNCHECK “User cannot change password” for the administrator account before shutting the server down after running sysprep. Great, now I can’t log in, since it forces you to set the administrator password on first login, and the password can’t be changed.

What I SHOULD HAVE DONE is to clone my app server, then sysprep the clone and leave the original server intact. Thankfully I had created a backup copy of this server in the lab, so with a few clicks and a short delay I’m making progress again.

Sometimes it’s the simple things that can cause you the most pain.