SCCM Software Update
PART 3 – Automatic Deployment Rules
- PART 1 – Introduction to SCCM and WSUS
- PART 2 – Software Update Point configuration
- PART 3 – Automatic Deployment Rules
- PART 4 – Create deployment packages manually
- PART 5 – Best practices
In this part I will create an Automatic Deployment Rule to update Windows Server 2012 R2. As a reminder, an Automatic Deployment Rule creates update packages automatically according to criteria such as release date, classification or language. The schedule for creating the update package can be configured in a fine-grained way. It is possible, for example, to create an update package automatically every second Tuesday of each month. Once the package is created, it is automatically deployed to the distribution point and servers install the updates during their maintenance period. This update method should not be used in complex environments such as a Hyper-V cluster or an Exchange infrastructure. These environments need an orchestrator to avoid service downtime.
Create an automatic deployment rule
To create an Automatic Deployment Rule, open the SCCM console, go to Software Library, right-click Automatic Deployment Rule and click New.
I create an Automatic Deployment Rule called "Baseline – W2012R2" with the Patch Tuesday template. The current configuration can be saved as a template at the end. Each time a package is created, SCCM automatically creates a new Software Update Group. If the other option is chosen, a single Software Update Group is created and updates are added to it. That means each time an update package is deployed, it will contain all updates, even those that are already deployed. For Tuesday patching, I recommend creating a new Software Update Group.
On the deployment settings screen, specify whether you want to use Wake-on-LAN (useless on servers because 99% of the time they are switched on). Next, select the desired log detail level and the behavior for license agreements.
On the software updates screen, set the criteria for choosing the updates that will be added to the update package. In my example I choose updates that match these criteria:
- Released or revised in the last month.
- Updates target Windows Server 2012 R2.
- Updates have to be in English.
- Updates have to be Critical Updates, Definition Updates, Security Updates, Rollups or a simple update.
On the evaluation schedule screen, specify when the rule runs to build an update package. In my example, I run the rule every second Wednesday of each month (in France updates are available on Wednesday because of the time difference).
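A check on the evaluation schedule described above, as an added example that is not part of the original article: it compares the second Wednesday of each month with Patch Tuesday (the second Tuesday). The function names are hypothetical and 2025 is an arbitrary sample year.

```powershell
# Added example (not from the original article). Function names are hypothetical.
# Compares the "second Wednesday" evaluation schedule with Patch Tuesday
# (the second Tuesday of the month) for each month of a given year.

function Get-NthWeekdayOfMonth {
    param(
        [Parameter(Mandatory)] [int] $Year,
        [Parameter(Mandatory)] [int] $Month,
        [Parameter(Mandatory)] [System.DayOfWeek] $DayOfWeek,
        [Parameter(Mandatory)] [ValidateRange(1, 4)] [int] $Nth
    )
    $first  = [datetime]::new($Year, $Month, 1)
    # Days from the 1st to the first occurrence of the requested weekday (0..6).
    $offset = (([int]$DayOfWeek - [int]$first.DayOfWeek) + 7) % 7
    $first.AddDays($offset + 7 * ($Nth - 1))
}

function Get-AdrEvaluationCheck {
    param([Parameter(Mandatory)] [int] $Year)
    foreach ($month in 1..12) {
        $patchTuesday    = Get-NthWeekdayOfMonth -Year $Year -Month $month -DayOfWeek Tuesday   -Nth 2
        $secondWednesday = Get-NthWeekdayOfMonth -Year $Year -Month $month -DayOfWeek Wednesday -Nth 2
        [pscustomobject]@{
            Month                = $patchTuesday.ToString('yyyy-MM')
            PatchTuesday         = $patchTuesday.ToString('yyyy-MM-dd')
            SecondWednesday      = $secondWednesday.ToString('yyyy-MM-dd')
            DayAfterPatchTuesday = $patchTuesday.AddDays(1).ToString('yyyy-MM-dd')
            # True when the month starts on a Wednesday: the rule would run
            # six days before that month's updates are released.
            RunsBeforeRelease    = $secondWednesday -lt $patchTuesday
        }
    }
}

# 2025 is an arbitrary sample year chosen for the example.
Get-AdrEvaluationCheck -Year 2025 | Format-Table -AutoSize
```

Rows where RunsBeforeRelease is True are months in which the rule evaluates before that month's release, so those updates wait for a later evaluation.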
On the deployment schedule screen, specify when the update package becomes available and the installation deadline. These settings should mostly be configured according to company security policies.
On the user experience screen, set the client-side behavior. Specify the notification level to display in Software Center and the behavior when the deadline is reached; you can also suppress restarts on specific devices such as servers.
The alerts screen is really useful when Operations Manager monitors the IT infrastructure. It is possible to disable monitoring on servers that will be updated and to generate alerts if an update fails. A report can also be generated in Configuration Manager.
The download settings screen configures how clients download content when they are on a slow link (slow site boundaries in SCCM language). For this type of client, you can specify a fallback distribution point.
On the deployment package screen, you create your update package. You must specify a package source: this is the path where update binaries are stored. A folder can't be used as the source for more than one package. If a deployment package already exists, you can select it.
On the distribution points screen, specify the SCCM distribution points where the deployment package will be sent.
On the download location screen, select the source from which updates are downloaded.
Then select the languages to download …
To finish, confirm the settings. Note that you can save your Automatic Deployment Rule as a template (Save as Template).
Once your Automatic Deployment Rule is created, it appears in the menu. On the same line, you can see the last error. Here the rule has run without error.
After the Automatic Deployment Rule has run, the update package is created and deployed.
Software Center on clients can then install updates during the maintenance period. Note that you can also install updates manually.