Herwin_D Posted September 1, 2016

Hi All,

I'm stumbling with updates, like a lot of people, and can't seem to find a nice working solution.

Situation: multiple schedules to install updates (say 4 collections with servers with different deadlines and installation times). New servers are NOT built with SCCM; they are deployed using MS Orchestrator to Hyper-V.

In the past I was working with only the updates which were needed, so my Software Update Group and my package only contained the needed updates (for that moment that seemed the way to keep it simple, but then a new server was added which needed other updates, so there was a lot of work to get this server up to date).

So I've done the following after reading stuff on the internet and looking at the WSUS we are currently running:

Create 1 big deployment package with all updates in it (takes space, but I'm sure all updates are there when they are needed).

Created 4 Software Update Groups:
1. all updates before 2013
2. all updates between 2013-2014
3. all updates 2015
4. all updates 2016 (this one is appendable, so every month it expands)

The plan I had was the following: deploy 1, 2, 3 as available to all 4 collections (my opinion was that when there is a maintenance window the updates are installed, but this seems wrong). Now I have accomplished that if a new server is added, the SCCM client needs to be installed. Due to collection queries the new server is added to the right collection, and after a while the updates are available and we can install them. Deploy 4 as required every month, so new servers are also updated.

If anybody has a good suggestion to simplify this, please help; I'm running in circles and not seeing the exit at the moment.

Also I want to start using SCCM to run the installation of new servers, and want them patched with all updates.
So my idea is the following: create a task sequence, deploy it as available to unknown computers (password protected), and that way I can service new servers. Now the Windows updates: do I need to deploy them (available) to all unknown computers, so when the task sequence is run the updates are installed, or is it better to manually create a machine (name and MAC) and put this one in a new collection with all updates available to this collection? Often we need to build multiple servers, so manual is not my first happy end...

Advice would be appreciated.

Herwin
YPCC Posted September 1, 2016

Here's how we do it:

- Have a software update group that contains a "baseline" of patches. This means patches that are installed on all servers in the estate. So when a new server is introduced into the environment, the "baseline" will ensure that new server is brought into line with all the other servers.

In your case, if you have 4 different collections with various servers, why not just create another single collection that contains all your servers and deploy the baseline to that?

Furthermore, do you have any patching mechanism in place for new servers that are brought online at all? For example, in my organisation, when a new server is created and added into SCCM, we add the server to a collection that has server patches deployed to it. We leave it in that collection for 24 hours so it takes all the patches, we then remove it from the collection and pass the server over to the business owner. You could automate all of this with PowerShell (we have, using VMware PowerCLI and SCCM PowerShell cmdlets).
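A PowerShell sketch of the add-to-collection, wait, remove step described above, as an added example; it is not YPCC's code and nothing in the thread shows their implementation. It assumes the ConfigMgr console (and so the ConfigurationManager module) is installed on the machine running it, a site code of P01, a collection named "Servers - New build patching" that already has the baseline and monthly Software Update Groups deployed to it as Required with a short deadline, and WinRM access from the admin box to the new server. The site code, collection name and 24-hour limit are all assumptions. Instead of a fixed 24-hour wait, it polls the client's own update compliance and takes the server out of the collection as soon as nothing is left to install, or when the time limit is hit, so a server is never left behind in the patching collection.

```powershell
<#
  Added example, not from the thread. Assumptions: ConfigMgr console installed locally,
  site code P01, collection "Servers - New build patching" with the baseline SUG(s)
  deployed as Required, WinRM reachable on the target server.
#>
param(
    [Parameter(Mandatory)] [string]$ComputerName,
    [string]$SiteCode   = 'P01',                          # assumption
    [string]$Collection = 'Servers - New build patching', # assumption
    [int]$MaxHours      = 24,                             # hard stop, like the 24h in the post
    [int]$PollMinutes   = 15
)

# The ConfigMgr cmdlets only work from the site drive (e.g. P01:).
Import-Module "$($env:SMS_ADMIN_UI_PATH)\..\ConfigurationManager.psd1" -ErrorAction Stop
Push-Location "$($SiteCode):"
try {
    $device = Get-CMDevice -Name $ComputerName
    if (-not $device) { throw "'$ComputerName' has no ConfigMgr client record yet; install the client first." }

    # 1. Direct membership rule: nothing for people to forget in a query, and easy to remove later.
    Add-CMDeviceCollectionDirectMembershipRule -CollectionName $Collection -ResourceId $device.ResourceID
    Invoke-CMCollectionUpdate -Name $Collection
}
finally { Pop-Location }

# 2. Kick the client so it picks up the new deployment without waiting for its normal cycle.
#    Well-known SMS_Client schedule IDs: 021 = machine policy retrieval,
#    113 = software updates scan, 108 = software updates deployment evaluation.
$triggers = '{00000000-0000-0000-0000-000000000021}',
            '{00000000-0000-0000-0000-000000000113}',
            '{00000000-0000-0000-0000-000000000108}'
foreach ($id in $triggers) {
    Invoke-CimMethod -ComputerName $ComputerName -Namespace 'root\ccm' -ClassName 'SMS_Client' `
        -MethodName 'TriggerSchedule' -Arguments @{ sScheduleID = $id } | Out-Null
    Start-Sleep -Seconds 30   # give policy time to land before the next trigger
}

# 3. Poll the client SDK: CCM_SoftwareUpdate lists updates targeted at this machine by a
#    deployment; ComplianceState 0 means applicable and not yet installed.
$deadline = (Get-Date).AddHours($MaxHours)
do {
    Start-Sleep -Seconds ($PollMinutes * 60)
    $missing = @(Get-CimInstance -ComputerName $ComputerName -Namespace 'root\ccm\ClientSDK' `
                   -ClassName 'CCM_SoftwareUpdate' | Where-Object { $_.ComplianceState -eq 0 })
    Write-Host ("{0}: {1} update(s) still outstanding on {2}" -f (Get-Date -Format s), $missing.Count, $ComputerName)
} while ($missing.Count -gt 0 -and (Get-Date) -lt $deadline)

if ($missing.Count -gt 0) {
    Write-Warning "Time limit reached; these updates are still outstanding:"
    $missing | Select-Object ArticleID, Name, EvaluationState | Format-Table -AutoSize
}

# 4. Always take the server back out, whether or not it finished, so the collection
#    never accumulates forgotten members.
Push-Location "$($SiteCode):"
try {
    Remove-CMDeviceCollectionDirectMembershipRule -CollectionName $Collection -ResourceId $device.ResourceID -Force
    Invoke-CMCollectionUpdate -Name $Collection
}
finally { Pop-Location }
```

Run it as a runbook step right after the client install, e.g. `.\Invoke-NewServerPatching.ps1 -ComputerName SRV-APP-042` (script name and server name assumed). Two practical caveats: a server whose remaining updates are only waiting on a reboot will show an EvaluationState of 8 (pending restart) rather than dropping out of the list, so the loop ends on the time limit unless the deployment is allowed to restart; and the account the runbook uses should hold a ConfigMgr security role scoped to just this one collection, so a bug in the automation cannot add or remove members of the production patching collections.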
Herwin_D Posted September 2, 2016

YPCC,

At this moment our patching mechanism is manual with WSUS. It's killing and taking a lot of extra work hours, so I want to automate that. All new servers are brought up to patch level with WSUS, but I want to use SCCM for it.

I need to patch 500+ servers in different time frames, where the servers also rely on each other (so the DB needs to be restarted, then the web/app server, etc.). So a bunch of servers can only be serviced on, say, Monday evening, where others can only be serviced Friday night.

I don't want to have all the peeps who create servers demolish my SCCM environment by putting servers into collections and forgetting to take them out, and when SH*t happens, they blame the SCCM admin :-) (which is me). I just want to create a nice working environment with all happy admins/users.

When you say you have a baseline of patches: a SUG can only contain 1000 records (max), so how do you handle that? For servers I can offline service the WIM file, but for Office? Do you keep all patches in the baseline?

Maybe I'm thinking in a too difficult way, but this is how I see it...