tecxx, posted September 5, 2012:

I agree with what user juice13610 wrote. A properly configured WSUS environment gave me the following procedure:

- manual approval of patches on the main WSUS console by an admin
- automatic deployment to all subsidiary WSUS servers
- clients get patched
- a monthly cleanup script on the WSUS servers removes old, unused patches, keeping the file storage requirements small
- should a client reconnect to the network after being offline for a long time, the needed updates are re-downloaded, redistributed, and the client gets patched (because they are still in the "approved" state)

This is pretty easy to set up and fully automatic. With my current SCCM 2012 setup I neither have a good solution for cleaning unused update files from the servers, nor is there an automatic solution for the "old client" problem.

To recap, according to the TechNet post, this is what should be done:

- create a compliance-only group to monitor the patch state of clients, but don't distribute this group
- use an ADR to create monthly patch groups that are distributed and used for the actual patching
- manually remove old, unused monthly patch groups when they are no longer needed
- manually update the compliance-only group each month to include the latest updates
- manually handle clients that were offline for a long time (the "old client" situation)

I wonder whether this is really the intended way to do it, or did I misunderstand the concept? Any feedback is greatly appreciated.
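The "monthly cleanup script on the WSUS servers" in the post above is not shown there; the following is an added example of one (it is not tecxx's script) built on the UpdateServices module that ships with the WSUS role on Windows Server 2012 and later. The server names, port and log path are assumptions, as is the topology of one upstream console server plus downstream replicas.

```powershell
# Added example, not from the original post: a monthly WSUS cleanup pass using
# the UpdateServices module. Server names, port and log path are assumed values.
Import-Module UpdateServices

# Assumed topology: downstream replicas listed first, upstream server last, so
# the replicas are cleaned before the server they replicate from.
$wsusServers = @(
    @{ Name = 'wsus-site1.corp.example'; Port = 8530; Ssl = $false },
    @{ Name = 'wsus-site2.corp.example'; Port = 8530; Ssl = $false },
    @{ Name = 'wsus-main.corp.example';  Port = 8530; Ssl = $false }
)

function Invoke-MonthlyWsusCleanup {
    param([Parameter(Mandatory)][hashtable]$Server)

    $wsus = Get-WsusServer -Name $Server.Name -PortNumber $Server.Port -UseSsl:$Server.Ssl

    # Invoke-WsusServerCleanup applies the same rules as the console's Server
    # Cleanup Wizard. Declining expired and superseded updates and deleting
    # content no approved update needs is what keeps the content store small.
    # Approved updates are not touched, so a client that was offline for months
    # still finds its needed updates in the "approved" state and gets patched.
    $result = Invoke-WsusServerCleanup -UpdateServer $wsus `
        -CleanupObsoleteComputers `
        -CleanupObsoleteUpdates `
        -CleanupUnneededContentFiles `
        -CompressUpdates `
        -DeclineExpiredUpdates `
        -DeclineSupersededUpdates

    # The cmdlet returns a per-rule summary (counts of what was declined or
    # deleted); keep it so each month's run is auditable.
    [pscustomobject]@{
        Server  = $Server.Name
        RunAt   = (Get-Date).ToString('s')
        Summary = ($result | Out-String).Trim()
    }
}

$log = Join-Path $env:ProgramData 'WsusCleanup.log'
foreach ($s in $wsusServers) {
    try {
        $entry = Invoke-MonthlyWsusCleanup -Server $s
        "$($entry.RunAt) $($entry.Server)`n$($entry.Summary)" | Add-Content -Path $log
    }
    catch {
        # A failed replica must not stop the upstream server from being cleaned.
        "$((Get-Date).ToString('s')) $($s.Name) FAILED: $($_.Exception.Message)" | Add-Content -Path $log
    }
}
```

Run it under an account that is a WSUS Administrator on every listed server, and schedule it with the built-in task scheduler (for example `schtasks /Create /SC MONTHLY /D 1 /TN "WSUS Cleanup" /TR "powershell.exe -ExecutionPolicy Bypass -File C:\Scripts\WsusCleanup.ps1"`). The cleanup only declines and deletes; it never approves anything, so review the approval list separately.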
jester805, posted May 21, 2014:

I know this thread is old, but I am struggling with this exact problem right now. Has anyone been able to figure out the best way to do Windows Updates (in an automatic way instead of so many manual steps)? Thanks.
jr19, posted May 21, 2014:

I've been doing this for a while now and I've found it's just easiest for me to do it manually. I doubt I'm doing it the best way, but it has worked for me.

I only have two software update groups: workstation updates and server updates. Each month I run a search for Office/Lync/Silverlight and each OS we use (Win 7/8/8.1, and Win Server 2008/2008 R2/2012). I just download those updates to their respective deployment packages (I have one for each OS, and everything else gets grouped into an "Office" package) and edit their membership to make sure they are included in their respective SUGs. I then create separate deployments of each SUG to each device collection (workstation updates to Win 7/8/8.1 PCs and server updates to the others).

Probably not the most efficient way of doing it, but I've been doing it this way for so long that I can usually get it done pretty quickly. I also like to do it manually so I can look through the updates for that month and exclude anything we may not want. This doesn't happen often, but we have wanted to exclude certain updates in the past.
willisj318, posted May 21, 2014:

We don't worry about creating specific groups for specific platforms. The machines will only find and get the updates they need. We do our updates by past year and past 3 months. They get assigned and clients pull whatever they need. Any new machine gets the required updates no matter how it was built. It is probably 20 minutes of work max once a month.
jester805, posted May 21, 2014:

Thanks jr19 and willisj318! I appreciate the help.

willisj318, is it an Automatic Deployment Rule that you set for the past 1 year and past 3 months? If so, how often do you run the schedule? Or do you manually push updates? How do you manually push updates anyway?
willisj318, posted May 21, 2014:

Nope. What we did was create the update group and driver package on the first run-through of updates. We did this on our CAS, as we will update the entire enterprise in the same fashion. I attached a screenshot. Each update group is associated with its update package. As you can see, some groups are broken down a bit oddly due to the 1000-update deployment limit for update groups.

Our old update groups are deployed and simply sit that way forever. So "2009 Updates" is deployed to our patching collection; if someone builds a machine from the DVD for some reason, it gets updated fully.

In June we will run our update scan, create our "2014-06" update group and create two deployments: one to our test patch systems, and one to our prod systems. The updates sit in the "2014-06" update group and the "2014" update package. Once done, I will go into the "all updates" group you see and remove any expired and superseded updates from any update group.

Every few months I will remove the old month-specific groups. So in June I will remove the March update group, simply by editing the membership so the updates are in the main "2014" update group and no longer in the March one, then deleting the March one. We only keep the past 3 or 4 months because people sometimes want them for reporting. I anticipate that sometime soon we will be able to remove the 2009 and 2010 groups.

It sounds like a lot, but it really takes about 20 minutes of work to do. Honestly, probably not even that much.
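The monthly housekeeping willisj318 describes (strip expired and superseded updates from every group, then fold an old month group into the yearly group and delete it) can be scripted with the ConfigurationManager PowerShell module. The block below is an added example, not willisj318's own procedure or script. The site code and the group names are assumptions, and the cmdlet set and parameters are those of the Current Branch module (the 2012 R2 module of the time exposed fewer cmdlets and parameters).

```powershell
# Added example, not code from the original post. Site code and group names are
# assumed; Current Branch ConfigurationManager module assumed.
$SiteCode = 'P01'
Import-Module (Join-Path (Split-Path $env:SMS_ADMIN_UI_PATH -Parent) 'ConfigurationManager.psd1')
Set-Location "$($SiteCode):"

# 1. Remove expired and superseded updates from every software update group.
#    A group that contains an expired update cannot be deployed again until the
#    update is removed; superseded ones only add scan time and content size.
function Remove-StaleUpdatesFromAllGroups {
    foreach ($group in Get-CMSoftwareUpdateGroup) {
        $name  = $group.LocalizedDisplayName
        $stale = Get-CMSoftwareUpdate -UpdateGroupName $name -Fast |
                 Where-Object { $_.IsExpired -or $_.IsSuperseded }
        if ($stale) {
            Write-Host ("{0}: removing {1} expired/superseded update(s)" -f $name, @($stale).Count)
            Remove-CMSoftwareUpdateFromGroup -SoftwareUpdateGroupName $name `
                -SoftwareUpdateId ($stale | ForEach-Object CI_ID) -Force
        }
    }
}

# 2. Fold a month-specific group into the yearly group, then delete the month
#    group. Membership is copied first so nothing drops out of the deployed set
#    between the two steps.
function Merge-MonthGroupIntoYear {
    param(
        [Parameter(Mandatory)][string]$MonthGroup,   # e.g. '2014-03 Updates' (assumed name)
        [Parameter(Mandatory)][string]$YearGroup     # e.g. '2014 Updates'    (assumed name)
    )
    $ids = Get-CMSoftwareUpdate -UpdateGroupName $MonthGroup -Fast | ForEach-Object CI_ID
    if (-not $ids) { throw "No updates found in '$MonthGroup'" }

    $existing = Get-CMSoftwareUpdate -UpdateGroupName $YearGroup -Fast | ForEach-Object CI_ID
    $toAdd = @($ids | Where-Object { $_ -notin @($existing) })
    if ($toAdd.Count -gt 0) {
        Add-CMSoftwareUpdateToGroup -SoftwareUpdateGroupName $YearGroup -SoftwareUpdateId $toAdd
    }

    # One deployment cannot carry more than 1000 updates, which is the limit the
    # post mentions. Warn before the yearly catch-all group grows past it.
    $total = @(Get-CMSoftwareUpdate -UpdateGroupName $YearGroup -Fast).Count
    if ($total -gt 1000) {
        Write-Warning "'$YearGroup' now holds $total updates; split it before (re)deploying."
    }

    Remove-CMSoftwareUpdateGroup -Name $MonthGroup -Force
}

Remove-StaleUpdatesFromAllGroups
Merge-MonthGroupIntoYear -MonthGroup '2014-03 Updates' -YearGroup '2014 Updates'
```

Run it on the CAS (or the site where the groups were created), as the post does, with an account holding the Software Update Manager role. Deleting the month group also deletes its deployments, which is the point of merging its membership into the still-deployed yearly group first.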
jester805, posted May 21, 2014:

Thanks so much for the info! I had to read it over a couple of times (because of my simple mind), but it makes good sense to do it your way.

One last question (I hope). Do you do anything with the "Deployment Packages" in your scenario? Or are those only if you are using ADRs?
Peter van der Woude, posted May 21, 2014:

You always need to use a Deployment Package. When you're downloading the content of a software update, you will need to download it to a Deployment Package, and that package will be used to make the (content of the) updates available to the clients.
willisj318, posted May 21, 2014:

No problem, I tried to explain it in print as well as I could. I have documentation I have written; I don't mind taking out our company info and sharing it if you wish.

Yes, what Peter said as well. They are necessary in any scenario.
jester805, posted May 21, 2014 (edited May 21, 2014 by jester805):

I apologize for all of the questions. Just when I think I've got the hang of it, something else comes up.

OK, so I did as willisj318 said and created some Software Update Groups that include workstation updates. Here is how I did that:

- Went to Software Library --> All Software Updates
- Searched for:
  - Bulletin ID contains MS
  - Expired = No
  - Product = Windows 7 OR Windows 8 OR Windows XP
  - Superseded = No
  - Date Released or Revised is between 1/1/2013 and 12/31/2013
- When my search results came back, I pressed CTRL + A to select them all
- Right-clicked on the updates and chose Create Software Update Group
- Named my Software Update Group something like "2013 Workstation Updates"

All of that worked great. HOWEVER, now how do I tie my Software Update Group to a Deployment Package? When I go to deploy the Software Update Group, the wizard comes up, but I do not have the section called "Deployment Package" in my wizard.

Hmm, I wonder if the "Deployment Package" section is missing because I already have my updates downloaded?

Thanks!
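The console search and group creation in jester805's post, plus the step the wizard hides (downloading the group's content into a Deployment Package, as Peter van der Woude's answer says is always required, and then deploying), can be expressed with the ConfigurationManager PowerShell module. The block below is an added example and not jester805's steps or anyone's production script. The site code, package share path and collection name are assumptions, and the cmdlets and parameters are those of the Current Branch module. The Deploy Software Updates wizard shows its Deployment Package page only when some update in the group still needs downloading, which is why it is absent once everything is already in a package.

```powershell
# Added example, not code from the original post. Site code, package path and
# collection name are assumed; Current Branch ConfigurationManager module assumed.
$SiteCode = 'P01'
Import-Module (Join-Path (Split-Path $env:SMS_ADMIN_UI_PATH -Parent) 'ConfigurationManager.psd1')
Set-Location "$($SiteCode):"

function New-YearlyWorkstationUpdateGroup {
    param(
        [Parameter(Mandatory)][int]$Year,
        [string[]]$Products = @('Windows 7', 'Windows 8', 'Windows XP'),
        [string]$GroupName = "$Year Workstation Updates"
    )
    # Same filters as the console search: bulletin ID starts with "MS", not
    # expired, not superseded, product in the list, released or revised in $Year.
    $updates = Get-CMSoftwareUpdate -Fast `
        -IsExpired $false -IsSuperseded $false `
        -CategoryName $Products `
        -DatePostedMin (Get-Date "$Year-01-01") `
        -DatePostedMax (Get-Date "$Year-12-31 23:59:59") |
        Where-Object { $_.BulletinID -like 'MS*' } |
        Sort-Object CI_ID -Unique

    if (-not $updates) { throw "Search returned no updates for $Year" }
    if (@($updates).Count -gt 1000) {
        throw "$(@($updates).Count) updates exceed the 1000-per-deployment limit; split by product or half-year."
    }

    New-CMSoftwareUpdateGroup -Name $GroupName -UpdateId ($updates | ForEach-Object CI_ID) | Out-Null
    return $GroupName
}

function Publish-UpdateGroup {
    param(
        [Parameter(Mandatory)][string]$GroupName,
        [Parameter(Mandatory)][string]$PackageName,
        [Parameter(Mandatory)][string]$PackagePath,    # UNC share the site server can write to
        [Parameter(Mandatory)][string]$CollectionName,
        [datetime]$Deadline = (Get-Date).AddDays(14)
    )
    # The deployment package holds the content; the update group is only the list.
    # Save-CMSoftwareUpdate is the scripted form of the wizard's Download step.
    if (-not (Get-CMSoftwareUpdateDeploymentPackage -Name $PackageName)) {
        New-CMSoftwareUpdateDeploymentPackage -Name $PackageName -Path $PackagePath | Out-Null
    }
    Save-CMSoftwareUpdate -SoftwareUpdateGroupName $GroupName -DeploymentPackageName $PackageName

    # Required deployment with a two-week deadline; no forced restarts.
    New-CMSoftwareUpdateDeployment -SoftwareUpdateGroupName $GroupName `
        -CollectionName $CollectionName `
        -DeploymentName "$GroupName -> $CollectionName" `
        -DeploymentType Required `
        -AvailableDateTime (Get-Date) `
        -DeadlineDateTime $Deadline `
        -UserNotification DisplaySoftwareCenterOnly `
        -RestartWorkstation $false -RestartServer $false | Out-Null
}

$group = New-YearlyWorkstationUpdateGroup -Year 2013
Publish-UpdateGroup -GroupName $group -PackageName '2013 Workstation Package' `
    -PackagePath '\\cm01.corp.example\Sources$\Updates\2013-Workstations' `
    -CollectionName 'Patch Test Workstations'
```

Deploy to the test collection first and repeat `Publish-UpdateGroup` for the production collection once the pilot reports compliant; a newly created package still has to be sent to distribution points (`Start-CMContentDistribution -DeploymentPackageName ...`) before clients can fetch the content.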