In deploying Microsoft updates, it’s equally important to delay the updates as it is to apply them in order to prevent applying bad updates that cause unintended consequences, including the dreaded BSOD. In this post I’m going to show how to deploy MS updates using an Automatic Deployment Rule (ADR) in System Center Configuration Manager 2012 R2.
I have experimented with different patch schedules and methods over the years, and I’m going to outline what works best for me. Every month, I wait until a week after Patch Tuesday (Waiting a week gives bleeding edge users time to report issues and for Microsoft to pull the patch if necessary.) and deploy updates to my computer. If there are going to be any BSOD’s, I would rather I catch it first instead of a few hundred or thousand of my users. After I let the updates “bake” on my computer for a week and don’t encounter any issues, I deploy them to a small group of users. I pick a small group of people that are generally easy to work with and usually don’t have any pressing deadlines to meet. I sometimes refer to this group as “The canary in the coal mine”, because coal miners used a caged canary back in the old days to alert them to the presence of toxic gases because it would kill them before affecting the miners. If the canary drops dead, back out quickly! After the “canary” group bakes with these updates for a week without issue, its time to deploy the updates to the rest of your computers, including laptops. Some users will take their laptop home nightly and they may miss the collection’s maintenance window of 4 to 7 AM. For these offsite laptops, I deploy updates a week after the bulk of the users. This gives the laptop users a chance to return to the office and pick up updates during the maintenance window. If this window is missed, the only effective way to get it done is to push the updates during working hours during lunch time, and suppress a restart. This may not be ideal, but what else are you going to do if they take the laptop home every night?
In the SCCM console, select Software Library, expand Software Updates and select Automatic Deployment rules. Click the button for “Create Automatic Deployment Rule”.
Name your ADR and provide a description if you desire. Select a Deployment Template if you have created any. Select your collection, and select Create a new Software Update Group, and click Next.
On the Deployment Settings dialog, select “Use Wake-on-Lan if you desire. I don’t use this feature as all of my computers automatically power on for the 4 AM maintenance window via BIOS settings. Click Next.
On the Software Updates dialog, set your property filters to select the updates you want. In my case I exclude a particular Bulletin ID that we have found to cause problems with our deployed applications by preceeding it with a minus.
Specify the Evaluation Schedule.
Specify the Deployment Schedule.
Specify the User Experience. I prefer to select “Hide in Software Center”, and leave all boxes unchecked so that they only deploy during the collection’s maintenance window. Click Next.
Specify an alert of 90 percent and 7 days, unless you prefer otherwise.
I leave the defaults selected on the Download Settings dialog, and click Next.
Select a Deployment Package if one exists, otherwise create a new deployment package and specify the source, then click Next.
Select a your Distribution Points or Distribution Point Group.
Accept the default on the Download Location dialog, and click Next.
Make the appropriate language selection, and click Next.
Carefully review the Summary page, click Save as a Template, and click Next if you don’t need to make any changes, then click Close.
Repeat this process and for any other operating systems you manage and make changes as necessary.