How to Deploy Software Updates Using Microsoft SCCM (ADRs, Update Groups, and More)
ฝัง
- เผยแพร่เมื่อ 4 ก.ค. 2024
- In this video guide, we will be covering how you can deploy software updates in Microsoft SCCM. This covers important aspects of deploying updates such as collection structure, maintenance windows, automatic deployment rules (ADRs), deadlines, and much more. This will be a great follow up from my last blog Deep Dive in Microsoft SCCM Software Updates Client and Server Components
Additional notes and resources please review the accompanying blog post here setupconfigmgr.com/how-to-dep...
Introduction: (0:00)
Review Software Update Point Settings (Classifications, Products, Sync): (1:02)
Collection Structure for Software Updates: (2:54)
Maintenance Window for Broad Deployment Collection: (5:24)
Review Client Policies for Software Updates and Restarts: (8:16)
Review Software Update Metadata: (12:34)
Create Software Update Groups for Previous Years: (13:33)
Creating Software Update Group for the Current Year by Month: (20:29)
Create ADR for Windows Defender Definitions: (23:50)
Review the ADR log RuleEngine.log: (29:09)
Deploy the yearly Software Update Groups to the Broad Collection: (31:45)
Create ADR to Create Monthly Software Update Groups Going Forward: (35:24)
Review Multiple ADR Deployments for Testing Stages and Production: (50:23)
#SCCM #ConfigMgr #Patching - วิทยาศาสตร์และเทคโนโลยี
I have already watched this video more than 10 times and still watching while working on my ADR. Excellent video with lots of information !
Such a knowledgeable bloke on SCCM. Not annoying and very easy to understand
Thanks for the feedback!
Bravo. Once I broke down everything you said in this video, I received a FULL understanding of ADR's, sequence of events, and how to troubleshoot it. Thank you
5 Year old video still came in handy today. Thank you so much for what you do!
Very detailed, informative and concise. Provided a lot of much needed information and clarity for a young SCCM Admin. Thank you
Thanks for watching.
I have learned a lot in SCCM just watching your videos. Awesome videos.
Thanks for watching!
Great clear and concise. Very easy to listen to unlike a lot out there that is heavily accented or sounding monotone and boring.
Thanks for watching!
I am new to SCCM and this video saved me so much time trying to figure this all out on my own! Thanks!
Awesome!
Agreed! Same here!!!
same here
Thank you for sharing the video, I like everything about the video. Your pace, clarity, informational. I will start implementing this information to my environment. Thanks buddy.
Thanks for watching!
Thank you for sharing your expertise. Another great video.
Thanks for watching!
Excellent by far the best SCCM video I have seen
Glad they are helpful for you!
Top notch video and explanation here. Great job man!!
Thanks for the feedback!
dude thank you so much for this made more sense then the course material.
You're welcome glad it helped!!
Simply Amazing contents! Thank you.
Keep up the great work! 👍
Good informative video.
Personally when creating multiple ADR's I specify the Custom Severity NONE in the software update criteria. This means that should you encounter an issue with an update during testing, you can modify the individual update and change the custom severity so that the remaining ADR's do not schedule it for deployment and cause issues in the wider estate.
It may have been pertinent to mention that when using a maintenance window, if there is an update which has a possible run-time which is equal to or greater than the window it will not install (this is the same for leaving Applications with the default 2 hour run-time but creating maint windows of only 1 hour).
Thanks for the feedback and providing some insights of your process!
Thumps up bro. great video.
Thanks!
These videos are amazing for learning SCCM. If doing the monthly ADR model, is there a way to set the 3 different deployments automatically, or would that need to be done each month.
Thanks for the feedback!
Really Good Video and Thank You.
Glad you liked it!
Thank you for the video. One question: For the production environment collection, if you leave the option for the updates to be available as soon as possible, even with the installation deadline for 7 days, the updates will appears on the Software Center right? Isn´t it dangerous because the users can see them and force the installations before those updates get tested. What do you think? All my best from Brazil.
I would consider anyone who decides to manually install updates before the deadline if you choose to have them visible in software center a "test client" :). You certainly could hide it in software Center if you don't want them to have the option or delay available time.
Great video, thanks.
Anthony Crotty thanks!
Hi Justin, thank you so much for the great video. the BEST one. i do have a question about the three deployments methods. what if there is something wrong for the update installation or it has some issue/impact for the client during the test collection, how can i stop or cancel it would deploy to the production collection? Do i have to manually delete the deployment(3days postpone and 7 days postpone ones) from the software update group? thanks.
You would need to remove is disable the deployment for the software update group.
Thank you very much for this great detailed videos!
Its hard to overstate my satisfaction ;-)
Just one question remains from SCCM 1910 perspective:
Is there a good explanation how to configure phased deployment?
Do I need to deploy to every phase and then configure phased deployment on top?
Can I use phased deployment AND ADR in combination? Because that would automate the whole Update process.
Thanks in advance!
Phased deployment may be a future video.
most helpful video ever
Thanks for watching
Thanks Justin!!!!!!!!!
You're welcome
Hello Justin,
Thank you for these videos. It enhanced my understanding of SCCM. In following your ADR for patch Tuesday I have a question. My SCCM I have two collections "Workstation Updates 2019-01 and 2019-2" created and deployed. I'm now getting ready for March with the patch Tuesday ADR. You referenced a "Workstation 2018" collection when you created the ADR. Did you create a 2018 yearly collection to reference off of? Being this video was created in June of 2018? Thanks!
I don't believe I would have had a collection specific to a year maybe it was the update group name?
@@PatchMyPC My Bad... Deployment Package... You referenced a "Microsoft Updates 2018" deployment package, @ 42:45 in video. I only have 2018 and monthly for 2019 right now.
@@FreeJackCO Did you ever get an answer to this question?
Hello, great video thank you. One question though.
Your video shows a good way to keep things organized from the start. However, very few people get to implement SCCM from scratch. It would be nice to see a video of how to safely cleanup SCCM software updates, groups, deployment packages, and ADR's (without 3rd party tools). I like that you showed where content was being stored in the file system, and I too would want to make sure / learn how to confirm that disk space is being cleaned up (when appropriate) when cleaning up software update related items in SCCM.
Disk space cleanup would really just be deleting expired, superseded, not deployed updates from deployment packages.
Awesome Content Justin, not to boast about myself :P but i have been following exactly the same procedure for my customers as well
Awesome!
Hi Justin, How would you do the Server updates. Would you put Server Updates into same Development package as Workstation or Would you create new Development package for Servers.
Generally, I would say this is more a preference decision. I would say most customers I have worked with usually do split workstations or servers, but either option will work. Just be aware it's recommended not to exceed 1k updates per update group.
Good work Justin Chalfant
Thanks!
Thank for making these videos. My SCCM knowledge has increased thanks to you. Please keep on making quality videos like this.
I would like to ask regarding the Automatic Update Rules. Is it a good practice to create a new ADR for Microsoft Office 2016 updates and create a separate MS Office 2016 deployment package instead of using the Windows 10 ADR and the same deployment package?
I would say it's more preference. I wouldn't want the deployment package to get super big though just because it's harder to troubleshoot if the package ever has issues distributing.
@@PatchMyPC Thanks for your response. I think I am going to seperate Office 2016 and EP Defender definitions ADRs and separate them in different Deployment Packages. I have inherited an SCCM environment trying to clean up the ADRs, SUGs and there is only one Deployment Package for all Win10 updates which the ADR is putting all Win10 updates, Office 2016, and Defender definitions all into one Deployment Package.
Great video as usual. I hope you can answer this question. What share and NTFS permissions are on your sccm\Sources folder?
The site server computer account would need to have at least read permissions to access the source content
@@PatchMyPC Awesome! Thank you for a very quick response :-)
Any chance you have a video on software update deployments using Task Sequence? Due to the ESU 2008 patching prerequisites I'd like to create a task sequence that applies all the prerequisite patches in order with reboot and recall steps if at all possible.
I don't think I have anything this specific.
Hello Justin. Thank you for the video. Really Informative. How about configuring updates for the server OS. Do you have a video around this or will be a same process as workstations? Thank you very much.
Its the same process
Hello Justin,
Does ADR looking for updates from SUP database what we already declined and have clean database or polling all updates straight from Microsoft?
Thanks,
Tomas
ADR's would query against the SCCM DB.
This is great! Totally copied this for our deployment process. I wonder if there is a video for 3rd party and Server methodologies...
Thanks for watching!
Hello Justin,
My plan is to split my Windows Updates by OS and Products. Would it be ok to do Software Update Groups like from 01/01/2009 - 12/31/2017 in one group per OS and per Product and then split to months from 2018?
Regards,
Tomas
That's fine, it's really about what's easiest and makes most sense for you.
Great video, this helped me a lot, thanks!
But one question remains: do you have any idea why Software Updates provided this way show up in the Windows Update mechanism but not in the Software Center? Everything was downloaded and installed according to plan (not mandatory) but the Software Center remained empty. Applications packaged are shown and can be installed ... thanks again, much appreciated.
Are updates being auto-approved in WSUS?
Hello, it is possible to use custom notifications when setting up ADR update with any software (Slack, Chrome, Zoom and so on)?
Hi Justin. Thank you for another great video. If I want to rename my software update groups to match yours, will it break anything? Kind regards
Nope :)
Thank you very much for the reply. Can I rename my software update collections as well or is there a caveat?
That's fine as well
Hello Justin,
I've got another question. When you create a ADR, where do the downloaded updates reside? Is there a special folder? You can select a folder when you create the previous years but is this an option for the monthly patch Tuesday ADRs? Thanks
The package source location for the deployment package you choose.
@@PatchMyPC Ah! Yes. I see it now! Thanks!
Hi Justin, hopefully last question: Can I rename my deployment packages as well?
Yeah that's fine.
Thanks a lot for your videos. One question if I can. Why do you set the maintenance windows in the night? Software installation and possible restart are executed anyway? I mean, even if the PC is off? But in that case in the morning, when user restart his PC it has to wait the installation.. Probably I miss something...
It was just any example. Many company's set it after hours so that doesn't interrupt users during work hours.
@@PatchMyPC so they leave PC always ON ?
It depends. Some may use WOL or Device wakeup features to power on devices. Some may not use maintenance windows at all and give longer restart countdowns just depends.
@@PatchMyPC ther is not an option to let the user postpone restart in a x hours (afrer deadline)? (thanks Patch my PC your videos open my eyes..)
Thanks Justin. Quick question, what is happening with the Deployment Package (content, distribution etc.) for both cases when ADR is set to "Create a new Software Update Group" and "Add to an existing Software Update Group"? Will it content grow every time it will find new updates or it will remove the old one automatically? Thank you and will be great to have a new video for the new way of MS patching :)
That's just where updates get downloaded and stored for being distributed. Expired updates should clean up after a little bit.
Sorry Justin, one more and it may look weird... For example if I want to make sure the automatic Win Updates deployment is happening at 5:00 PM and I don't want it automatically to happen outside of my maintenance window which is 5:00 to 7:00 PM, then I set the deadline for 5:00 PM. But in the same time I want to allow user to run in manually before 5:00 PM if user wants. Is there a way to allow this? Thanks for your prompt response.
thanks man
Thanks for watching!
what version is this ? my one is 2016 (1606) and i don't have windows 10 in the drop down boxes and 2016 server like you do... also i don't have Software updates under administration...
1802, you may need to wait for your first software update point synchronisation from the Windows update catalogue, before you see all products in your software update point.
Hey Justin, First off Great Videos I have watched them all. Now on to the question. I am setting up ADR and do not have the template shown for Definition updates. where might I acquire this?
Choose the "SCEP and Windows Defender Antivirus Updates" option, do you see that?
@@PatchMyPC Yes, I have that option did not know they changed it. Thanks for the help.
@@antmug99 yeah, looks like it was just renamed.
Do manual software updates download using the connection of my PC with Config Manager installed or use the SCCM server connection. The reason I ask is because I tried and my client was not logged into our webfilter and the downloads kept failing. When I logged into the filter to look up troubleshooting they started downloading. I ran a wireshark and see a bunch of traffic to and from Microsoft right now.
It depends on how you configure it, clients could download it directly from the Internet or in most cases they would use your distribution points, but it's all configurable in the deployment
Hello Justin,
Great video, best one I've seen yet. What did you do to collect all your log files in one location?! I hate having to dig around different locations for them. Do you have a video or any information on that?
thanks~
Not sure I follow. What log files did I collect in one location?
@@PatchMyPC at 28:54 you have a folder D:\SCCM\Logs; I was under the impression that you aggregated all the logs here. I've seen people do something similar when deploying OS's and save the logs files to a network share. I thought you moved all your server side logs to a single folder. at 52:25, on your 8.1 workstation I saw a log folder on the desktop too. Maybe I was incorrect thinking that.
@@stevenf6885 That's my main sccm site server install folder D:\SCCM
@@PatchMyPC I guess I misunderstood what I saw. Nonetheless, I'm looking at expanding our SCCM environment to patching and this video was very helpful. Shortly after we'd like to start doing 3rd party patches with SCCM. The patch my pc catalog was recommended, so I'll be looking in to that in the future.
Great video. Thanks. Loving you videos on SCCM. Can you please make a video on MBAM or bitlocker with windows 10 please
I'm sure I can at some point in the near future.
Do it!
Ok sir
Hello Justin,
I get confused between Maintenance Windows (SCCM Server), Business Hours on Software Center on Client Computer and Computer Restart settings on Client Setting on Sccm Server.
SCCM Client by default does have Business Hours from Monday-Friday 5AM-10PM.
I have Maintenance Window Daily from 6PM-10PM
In school we have policy to shutdown computers at 10PM
Example.
I want to push Windows Updates as soon as possible after 8PM. How I can achieve this?
On my research I understand that these Windows Updates never will install in my scenario, is that right?
Windows updates should be installed on Windows Maintenance window but because client/user does have Business Hours from 5AM-10PM so updates won't take place...? So then should try to install after Business Hours after 10PM but because computers are set to shutdown at 10PM will miss this target as well.
Justin, could you please make a video with more in detail with different scenarios how Business Hours, Maintenance Windows and Computer Restart settings does play together.
Thanks,
Tomas
I will keep this in mind for a future topic!
Very helpfull.
Glad it was helpful!
Hi, the package which is under deployment packages is that the one which we did SUG? Once we create SUG are we going to download it manualy or how it is.?
It depends on if you are using ADRs or.manually creating SUGs
Such a good video! One question tho:
Is it normal, that my clients who „Error encountered“ in the Windows 10 Update settings window? Without WSUS and SCCM the enduser could see if the device is up-to-date.
Can you explain me, if this behavior is expected?
Can you post a screenshot?
Patch My PC Sure:
ibb.co/rfd2FzM
ibb.co/kQd6npy
Thank you for having a look!
It must be due to group policy over ruling
hi dear, this really very informative video, i wanna ask one thing , is it necessary to disable automatic updates service of each nodes, because we are going to update them by using SCCM , OR is it ok to have windows update service running on every nodes although we are using SCCM kindly do answer this question i am waiting
Thank You!
It's fine to just leave it on SCCM should handle pointing the machine to the local wsus server for scanning so it shouldn't matter.
Can I filter the updates for x64 in title to reduce the disk space from windows updates? There are no x86 products in the environment.
I'm pretty sure this is now a built in filter for one of the latest SCCM CB builds.
What Sharing and Security permissions are for Sources folder?
The computer account of your site server will need to have read NTFS and share permissions.
Hello Justin,
Do I need Windows Defender Definition Updates if I use Trend Micro OfficeScan?
I know that Trend Micro OfficeScan will disable Windows Defender Virus & Threat Protection but other options in Windows Defender Security Center still will be active, like: Account protection, Firewall & network protection, App & browser control, Device security, Device perormance health and Family options.
So I am thinking if Windows Defender Virus & Threat Protection is disabled by Trend Micro OfficeScan do I need these Definition updates for other Windows Defender options or these definition updates are only for Virus & threat protection?
Do I need Windows Malicious Software Removal Tool even if Trend Micro OfficeScan is installed?
Thanks,
Tomas
I wouldn't think you need Defender definitions if you use another AV. The Windows Malicious SOftware Removal tool is different you could still deploy those.
How much disk space is it requested for download the updates? It's like WSUS that needs a local disk to centralize all the updates?
Not much, the download of updates will go to the deployment package location not the WSUSContent folder so the UNC may need more space depending on how much you download
Do you have a video on how to setup all these different device collections or a good book to get? All the books I see are out dated.
Collections will really vary on the environment and how you want to patch.
It finally sunk in. Sorry to bother you. : )
Hello Justin, Can you explain why you created a collection named maintenance window to apply maintenance windows policies? Every collection has a tab in which you could set this, hasn't it? And if you deploy software updates on other collections how do they get that maintenance window policy? I'm a little bit confused. BTW these videos are very helpful!! Thank you
Organization, when using a lot of maintenance windows it can make sense I think to separate them out. Not required though.
@@PatchMyPC Hey Justin, like giav01 mentions, although the maintenance window is applied on "Maintenance" collection, when deploying the ADRs, you still use the "Broad" collection. So, how is the maintenance window applied, when the ADR package is installed?
In schedule time mentioned is local client time or the primary site time zone, senario when the primary site server and clients are in different time zone
Client
Dear Master, Please let me know at which point we can use set priority scope and uses of the that option ?
I don't understand the question, can you elaborate a little more? Thanks
Hello, great video. But I cant make another deployment for my ADR. "ADD Deployment" is missing in context menu.
What SCCM build are you on?
I had the same issue. I was clicking on the IT Pilot deployment and not the main one "Workstation Updates" up top.
@@PatchMyPC SCCM 2012 R2 SP1 (5.00.8239.1000), meanwhile i´ve found this feature is available only on 1511 version and above. :(
So if you are planning to use software center there is no need to configure the GPO?
That's right
Seems basic but for some reason I am having issues selecting all. I am in a VM but what buttons do I need to click to select all? Thanks
I just use Control + A to select all
Hi,
I configure following settings for software update
1. install wsus
2. install sccm software update
3. created client policy in sccm and set software update settings and then deploy to all clients
After doing all this my clients are still downlaod updates from microsoft, Do I need to configure gpo to point all my machine to wsus server or should client policy be created local wsus policy.
May be related to boundary groups
I have WSUS installed and I manage the download of the updates through it and via GPO.
I'd implement SCCM to automatize and schedule the installation of the updates for all the servers (60virtual and 10physical).
When you activate the synchronization automatically every day in the first steps of the video, does it have precedence over GPO and WSUS?
I want to schedule the download + installation but not auto-reboot for a group of servers and download + installation with an automatic reboot for another group of servers.
Is it possible to configure all via SCCM?
A GPO pointing to another WSUS server will take precedence over the client trying to configure it to the SCCM SUP.
Did you implement and any article? I also have WSUS and gpos and would like to SCCM to take over...but clients says Group policy conflict due to older gpo conflict with what's policies SCCM wants to set. Specify source is disabled and what recommendations are there so that I don't break gpo that apply to other server
I have default domain policy that has automatically updates and specify source and others disabled
could you make a video on "how to upgrade client with sccm update" like 1809 to 1903 or so it would be awesome
setupconfigmgr.com/windows-10-servicing-and-in-place-upgrades-in-microsoft-sccm
I seem to be having this issue where SCCM is unable to see how many updates are required and or are installed on a device. :\
Check your scan logs updatedeployment.log scanagent.log
We have a collection of servers that we want to push updates to but can not restart automatically because they support 24 hours services or need manual intervention after a reboot. So we schedule time with the users for updates and reboots. How can I just push the updates and make sure they don't reboot? We'll take care of the reboot later when we schedule our downtime.
You can suppress restarts on your deployment for servers.
Hello sir. I'm getting awfully close to uninstalling the SUP role as well as WSUS in general, then rebuilding the whole thing. We've been trying to push critical updates pertaining to a zero-day exploit this past May to every site we can, but the overwhelming majority of them are stuck in Unknown. When you look at the Deployment status in Monitoring, they're all under the Unknown tab at Client check passed/Active. We've spent the last few days trying to find any patterns with these machines, from group policies conflicts to repushing agents to commonalities between wuahandler logs among various machines, and we've come up with nothing conclusive.
Was wondering if I could elicit your opinion sir.
What's scanagent say on the clients?
@@PatchMyPC You embarrass me sir. Of COURSE I didn't look at scanagent. if I had, I might've noticed the "Source not current" message which, although not an error, aroused my suspicion. That might've led me to this:
www.reddit.com/r/SCCM/comments/6d330l/scanagentlog_sources_are_not_current/?BD&Search&Bing&PSR1
Which led me to put the SUP in the Default Boundary Group. Which fixed the issue. I'm watching the Unknown count drop in real time. Fell about 300 in the last 25 minutes.
Thank you so much sir.
Please make a video on Office 365 Servicing and trouble shooting (rollback specific build)
Thanks will keep that one in mind.
I have a question to ask an engineer. Recently, one of my government agency customers, when they installed SCCM, they would crash. That is to say, after the SCCM was executed, the system did not have any action. This is probably What could be the problem?
i created a new software update group to deploy security updates for windows server 2012 but it shows not downloaded? please suggest .
There is not enough context in the question for us to provide anything helpful
Thank
You're welcome
Is there a way to download the updates only for servers, and then manually install the updates from the Software Center so that we can schedule updates during a specific time window?
You can just make the deployment available.
I'm assuming you mean the "Type of Deployment" as "Available" on the "Deployment Settings" tab, is this correct? And then use Software Center to install the updates as needed manually.
@@hughmcdaid9060 correct
I noticed that this setting does not appear to be available for a deployment created by an ADR, is this correct?
@@hughmcdaid9060 yes, adr's must be required.
Hi, Thank you very much for this Video. I was looking for some help with Windows Update but this answer most of my questions.
I have some other questions which I ddint get the awnser, if you can please let me know.
1. If 2018 is over do you go back and create new group for 2018 and delete all of the other monthly ones.
2. If you remove any updates e.g. the one you remove preview one. Does it get deleted from "Development Package"
3. I cretaed some ADR which works very well but for some reason after few days all of the data gets deleted from Development Package and when I try to re-run the ADR i Can see log which show message that update is already downloaded.
Once again thank you so much for this video, it is one of the best videos on sccm
1. Yeah, that's what I would generally do.
2. If they were previously downloaded, they won't auto remove from the deployment package. You could go delete non-deployed updates from the deployment packages after SUG cleanups.
3. ruleengine.log may help.
@@PatchMyPC Thank you for reply. I check the ruleengine.log which show that updates already exist but the location where development package is located it doesnt have any data inside it. e.g. Contents 17184351 is already present in the package "xxx001BF". Skipping download. No new update was added to the package. Package "xxx001BF" would not be updated.
@@sarwanamajid that looks normal if the update is already downloaded
@@PatchMyPC The Problem was that someone deleted the Development package folder. Which Sccm doesnt recreates it unelse you re-do the package
Justin,
I have an issue and maybe you can point me in the right direction to figure out what is wrong. I have your setup deployed on my SCCM. Last month's ADRs worked without issues and the clients all received the updates. This month, the ADR ran but the latest updates for May are not included. I looked at the settings in and ADR and did a preview of the Software Updates and the May updates are showing up but not in the update group it created. Any idea why?
I think I know why... The ADR is set to pull updates from last month. Meaning all of April. It appears the clean up script "Invoke-DGASoftwareUpdateMaintenance" I ran prior to the ADR superseded and deleted April's updates. Then the ADR would not have any April updates to grab anymore. I need to adjust SCCM to keep the updates a but longer.
It probably ran before the updates were synced into your site.
@@PatchMyPC - Right you are... I now need to make some adjustments to get back April's updates, or create a new update group and deployment to push April and May updates to get back in sync... What is weird is just April updates were removed by the script. I still see March.
And this month started on a Wednesday. So the second Tuesday and Wednesday are off.
I have followed the videos and have everything set up correctly. My machines are not getting the updates. I have tried setting group policy to my sccm server, and also let SCCM set the local computer policy and nothing seems to work. Are there any special settings that I need to have in place for SCCM to be able to push these updates to my test computer and have the computer pick them up and install them? Thanks in advance for your assistance.
I assume you have SUGs targetting the device? Are you getting compliance data back from devices when looking at all software updates?
@@PatchMyPC , I'm having the exact same issue. I have SUGs targeting my collection and I see compliance coming back but updates are not being installed.
What's updatesdeployment.log showing on the client.
@@PatchMyPC says added to targeted list of deployments.
Check out setupconfigmgr.com/deep-dive-in-microsoft-sccm-software-updates-client-and-server-components this should help you understand the flow and troublshoot why updates don't show up.
dumb question... are there possibilities to automatic patch third party applications? I only see Windows Updates in every case.
great video - i am looking for a guide how to deploy updates to clients that are connected over vpn and these clients should download updates from Microsoft and not from VPN. Do you have such a video ? We have constant problems because clients are often only 1 day in office and they go home without installing the latest updates. Corona made this "nice to have" a "must have". Thank you very much for sharing your knowledge!
This guide may help miketerrill.net/2020/03/18/forcing-configuration-manager-vpn-clients-to-get-patches-from-microsoft-update/. Mike knows his stuff and I think this is applicable.
I need the same for SCCM 2309...any changes with respect to both CMG and vpn scenario??
At 38:18, you say you wouldn't want the "Upgrades", why is that?
Upgrades won't work through adr's you would need to create a servicing plan for those.
@@PatchMyPC Thanks for quick reply :)
Hello sir. I just stood up a brand new install of 2103. Against a software update deployment, I'm getting an installation error on about half my workstations (not affecting servers much), and I wanted to know if you'd come across it:
"0X80D02002. Delivery Optimization: Download of a file saw no progress within the defined period." Googling around hasn't been terribly helpful. I was told to recreate the ADRs and the deployment packages, which I did to no avail.
On an affected client, WUAHandler shows "Unexpected HRESULT for downloading complete: 0x80d02002".
The Delivery Optimization Client setting is not set apart from the default client settings, where it is set to No.
Would love your opinion sir.
This was fixed by turning off "Enable Dynamic Update for feature updates" in the Software Updates client setting.
Thanks for the update
Surely today in 2024, with WIndows 10/11, it's no longer required to go back years and years right ? They are all cummulative updates or superseding updates.
On the Video, you have created the include and exclude (membership rules) You have told us how to create the include query, not the exclude one. Can you please share that how that is done Please ??
It's a built in rule when you add collection rules. You can just choose it and then select the collection you want to use for the exclude rule.
thank you
Hello Justin,
You have mentioned on video about old WSUS GPO that should be removed or to point to new SCCM server.
My current WSUS GPO is like this:
Allow Automatic Updates immediate installation - Enabled
Automatic Updates detection frequency - Enabled - Check for updates at the following interval (hours): 2
Configure Automatic Updates - Enabled
Scheduled install day: 6 - Every Friday
Scheduled install time: 20:00
Enable client-side targeting - Enabled
Target group name for this computer Workstations
Enabling Windows Update Power Management to automatically wake up the system to install scheduled updates - Enabled
No auto-restart with logged on users for scheduled automatic updates installations - Enabled
Reschedule Automatic Updates scheduled installations - Disabled
Specify intranet Microsoft update service location - Enabled
Set the intranet update service for detecting updates: WSUS.xxxx.internal:8531
Set the intranet statistics server: WSUS.xxxx.internal:8531
Turn on recommended updates via Automatic Updates - Enabled
Should I change only Set the intranet update service for detecting updates and Set the intranet statistics server policies to SCCM and leave all the rest policies?
Thanks,
Tomas
Pretty much all the other policies about install time etc. won't apply to ConfigMgr updates since the deployment time and options are in the SUG deployment. It's probably fine just to not have anything set. The ConfigMgr client will set the instranet update location to the SUP for scanning.
Does anyone know where can I download the SCCM? TIA.
www.microsoft.com/en-us/evalcenter/evaluate-microsoft-endpoint-configuration-manager-technical-preview/
This is a stupid question, Is there a free online test lap to test or practice sccm?
There may be I haven't tried looking.
@@PatchMyPC umm yeah.. tq
Have you tried the Microsoft virtual academy? mva.microsoft.com/. Also, the best training is to actually do. Using Justin's instructions to build a test lab is the best way to learn. Unless of course yo don't have the hardware, then MVA would be the way. Good luck
@@theduke8767Thank you.. I haven't tried mva.. but let me check..
I'm burning up this channel today. Do you have suggestions on how to configure SCCM to grab the weird patches. Like the latest Intel processor patch that Microsoft released in May 2019. My test system that talks directly to Microsoft downloaded it. SCCM has to listing.
Is the update available in the SCCM all software updates?
My bad. Says "Intel - net" dated 12-2018.. Date is weird.
Great video - 33:10 tho :P
Thanks for watching
what I don't understand why do we create update groups for past years and current months while we are going to use ADR?
Primary for compliance reporting by month / year. You can use a different method if that's easier.
Updates are cumulative, why would we want to store all these, or was it not the case 5 years ago
That's my doubt too@@Noursbear
@@Noursbearthat's my doubt too
Hi, If you download a updates in Jan 2020 but they get expired/Superseded in Mar 2020.
What do you do with these updates?
how do you clean your DP's from old expired/Superseded which are already downlaod?
What should be the max size for each Development Package as my keep getting Corrupted when it gets to 100GB ?
You can just delete the expired updates from the deployment package. Bryan Dam also has a script that can automate this
Justin, great videos overall but unfortunately this video did not age well and an update to it would be much appreciated. The fact of the matter is Patch Tuesday is a dead concept. Back in 2018 it may have still applied but updates are now deployed all the time and your ADRs would be missing critical updates. I will explain. Your ADR runs Second Tuesday of every month. The first time it runs would be 7/10/2018, the second time it runs would be 8/14/2018. If your ADR is looking only for updates within the last 1 month, the ADR would only pull updates back to 7/14/2018 and it would miss any updates after the first time it runs on 7/10/2018 and any update after that till 7/14/2018. I believe at this point in ADRs the Date Released or Revised is almost pointless since updates are so randomized as to when they come out you'll miss several updates. Best Bet I believe would be
Custom Severity: Critical, Important, Moderate, or None. (Then if a rogue update comes out you mark it as Low severity and it will be excluded from your ADR), Language English, Product Windows 10 (Create a seperate ADR per product), Superseded No, Title "-Malicious" "-Edge" (I exclude the Malicious software removal tool and have a seperate ADR for it which applies to everything, same thing with edge) Update Classification (All of them except Upgrades, That way I don't push Feature Updates to machines and I'll manually create a feature update deployment and let end users know their machines will be upgraded), and Required >=1 (then you are only getting the updates that are actually needed by end user PCs, If the following week an update is needed by 1 machine, it will still be captured by the ADR the next week) Some would add Deployed = No to make sure you aren't selected an update that already has been deployed, problem could be that another ADR for a different product like Windows 11 may have already pulled that update and deployed it to a collection that your Windows 10 devices aren't in preventing them from getting the update. Problem with not doing it would also mean you could very well be redeploying the same updates over and over again because you have stale data in the console that is still showing an update is needed but not being installed because a laptop has been sitting offline for a month. My guess is Deployed = No should be set and if there are updates that fall between multiple machines like Malicious Software Removal Tool then it should have its own ADR. Those are my thoughts at the moment but I'm hoping someone who may have a different experience would provide me with some useful insight as I'm more than interested in setting this up the best way possible. Thank you!
Great video. Thanks.
Thanks for watching!