How I automate patching desktops

update automation

It takes a long time to setup but worth it, computers should
not get policies they don’t need, at some point things will start stuffing up. I
have split desktops into 3 categories that suit our environment. Pilot get updates straight away and will reboot at night. Prod and PUC get updates 7 days later and have different reboot requirements.

Group

Deadline

User notifications

Deadline behaviour outside maintenance window

Device restart behaviour

Pilot

Asap

All

SW Updates Install

Yes

Prod

7 days

None

SW Updates Install

Suppressed

PUC (Public Use computers such as Labs)

7 days

None

SW Updates Install

Yes

I then split these groups into collections based on OS or
Office version requirements, so we have Office 2007, Office 2010, Office 2013,
Windows XP, Windows 7 x86, Windows 7 x64, Windows 8 x64.

A Pilot, PUC and PROD collection should be made so you can
limit the collections with it. These collections will vary in your environment.

Based on that you should have 21 collections - see ‘rules
and queries’ at the end for the messy queries

SUM-WORKSTATIONS-PROD–Office 2007

SUM-WORKSTATIONS-PROD–Office 2010

SUM-WORKSTATIONS-PROD–Office 2013

SUM-WORKSTATIONS-PROD–Windows XP

SUM-WORKSTATIONS-PROD–Windows 7 x86

SUM-WORKSTATIONS-PROD–Windows 7 x64

SUM-WORKSTATIONS-PROD–Windows 8 x64

SUM-WORKSTATIONS-PILOT–Office 2007

SUM-WORKSTATIONS- PILOT–Office 2010

SUM-WORKSTATIONS- PILOT–Office 2013

SUM-WORKSTATIONS- PILOT–Windows XP

SUM-WORKSTATIONS- PILOT–Windows 7 x86

SUM-WORKSTATIONS- PILOT–Windows 7 x64

SUM-WORKSTATIONS- PILOT–Windows 8 x64

SUM-WORKSTATIONS-PUC–Office 2007

SUM-WORKSTATIONS- PUC–Office 2010

SUM-WORKSTATIONS- PUC–Office 2013

SUM-WORKSTATIONS- PUC–Windows XP

SUM-WORKSTATIONS- PUC –Windows 7 x86

SUM-WORKSTATIONS- PUC–Windows 7 x64

SUM-WORKSTATIONS- PUC–Windows 8 x64

Update: 

Limit your pilot collections to a group of user's primary computers using this collection query

 

[code language="sql"]
Select SMS_R_SYSTEM.ResourceID,SMS_R_SYSTEM.ResourceType,SMS_R_SYSTEM.Name,SMS_R_SYSTEM.SMSUniqueIdentifier,SMS_R_SYSTEM.ResourceDomainORWorkgroup,SMS_R_SYSTEM.Client FROM SMS_R_System JOIN SMS_UserMachineRelationship ON SMS_R_System.Name=SMS_UserMachineRelationship.ResourceName JOIN SMS_R_User ON SMS_UserMachineRelationship.UniqueUserName=SMS_R_User.UniqueUserName WHERE SMS_UserMachineRelationship.Types=1 AND SMS_R_User.UserGroupName="DOMAIN\SCCM Software Updates Pilot User Group"
[/code]

 

Thanks Powersheller

Next you create a Software Update Group (the current
baseline of approved updates) for each Office/OS Version and a deployments for
each based on the rules from the first table.

Then you create Automatic Deployment rules for each
collection based (to run on Patch Tuesday/Wednesday Australia time) on the
rules from above and what type updates you want released in the last 3 weeks.  They should be set to create a new software update group each time. See ‘rules and queries’ for what I have used.

You can also create an EndPoint Protection definitions ADR, however that should be set to use the existing software update group as the updates always superseed each time.

Rules and Queries:

Query Name

Query

Office 2007

See attachment

Office 2010

See attachment

Office 2013

See attachment

Windows XP

See attachment

Windows 7 x86

See attachment

Windows 7 x64

See attachment

Windows 8 x64

See attachment

Attachment - Download

Rule Name

Rules

Office 2007

Date Released or revised: Last 3 weeks

Product: “Office 2007”

Title: 32-Bit

Update Classification: “Critical Updates” OR “Security Updates” OR
“Updates” OR “Definition Updates”

Office 2010

Date Released or revised: Last 3 weeks

Product: “Office 2010”

Title: 32-Bit

Update Classification: “Critical Updates” OR “Security Updates” OR
“Updates” OR “Definition Updates”

Office 2013

Date Released or revised: Last 3 weeks

Product: “Office 2013”

Title: 32-Bit

Update Classification: “Critical Updates” OR “Security Updates” OR
“Updates” OR “Definition Updates”

Windows 7 x86

Date Released or revised: Last 3 weeks

Product: “Windows 7”

Title: -x64

Update Classification: “Critical Updates” OR “Security Updates” OR
“Updates”

Windows 7 x64

Date Released or revised: Last 3 weeks

Product: “Windows 7”

Title: x64

Update Classification: “Critical Updates” OR “Security Updates” OR
“Updates”

Windows 8 x64

Date Released or revised: Last 3 weeks

Product: “Windows 8” OR “Windows 8.1”

Title: x64

Update Classification: “Critical Updates” OR “Security Updates” OR
“Updates”

 

 

6 Comments

  1. Excellent Info. I will try to do the same at home lab and then perform at work to make the updates worth the effort.

    Thanks

  2. Great tips, Thanks!
    SCCM's blank canvas approach to updates can become a big hurdle.
    You can also add -Designer -Server to the ADR Office Rules' criteria for Title, so that you avoid updates for Project Server, SharePoint Server and SharePoint Designer.

    • Author

      Thanks! Will update my rules.

      Also just realized today if the month starts on a Wednesday such as October we (Australia) are a week early so I've set reminders for
      April 15, July 15 and then June 15 in 2016 to initiate the rules from the console.

  3. great info..the attachment is gone..could you please reupload..

Leave a Comment

Your email address will not be published. Required fields are marked *

*