What's new
Forums on Intune, SCCM, and Windows 11

Welcome to the forums. Register a free account today to become a member! Once signed in, you'll be able to participate on this site by adding your topics and posts, as well as connect with other members through your own private inbox!

SOLVED SCCM Windows Updates

Status
Not open for further replies.
H

Hassan Almanasrah

Member
Messages
16
Reaction score
0
Points
1
Hi Prajwaldesai

Many thanks for your guidances and support, I cam up with some questions for the part of pushing updates using SCCM 2012 which are below:
1. In your post, Automatic update is enabled using GPO, isn't it better to be disabled?
2. In Some comments on the post, discussion for is it necessary to us GPO of Windows updates for client or not. Can you please provide final decision if the two GPO settings regarding Windows update are necessary or not in the case we use SCCM 2012 for windows updates which integrates for sure WSUS, but not WSUS Explicitly.
3. Why the serach criteria for Windows updates includes Bulletin ID as mandatory, while I can see some KBs in the lab with Bullitin ID, why these updates are neglected ???
4. Could you please provide post explaining the below points:
  • KB updates statistics: when we click on update circle appears on the right showing (Compliant, Required, Not required, Unknown), What are meanings? How are being evaluated? Evaluation is done for all Assets or the Assets related to the update?
  • Next to Bulletin ID, there are Required, Installed and Percent Compliant columns, how these are laso evaluated and is it accurate.
Also, the posts are showing how SUP is installed and configured and how Updates are installed, distributed and deployed, But the Best practice strategy is not provided. What I mean is how often updates being checked, like WSUS every Tuesday?? How the next bunch of updates are deployed?? Where to save the downloaded updates, is it to the first time we download or to create new folder for each group of update What the action will be done, if PC has been re-imaged? should it be added to special collection that will be deployed with all previous windows updates? and then moved to the correct collection?

Again many thanks for your support, waiting your kind feedback.
 
Sort by date Sort by votes
1. Yes you could disable it or leave the GPO settings unconfigured.
2. GPO is not required if SCCM is used for deploying updates. If you are using WSUS to deploy updates, GPO settings needs to be configured. This is basically to tell the clients that from where to download the updates.
3. If an update has a Bulletin ID it's a Security Update, if it doesn't have a Bulletin ID it's not a security Update. So in any organization security and critical updates are always deployed. This is not mandatory, you could simply download the updates and deploy it to collection.
4. This can be answered, just post the question in the forums.

The posts are showing how SUP is installed and configured and how Updates are installed, distributed and deployed, But the Best practice strategy is not provided. ---- In this case you make use of ADR - http://prajwaldesai.com/create-automatic-deployment-rule-in-sccm-2012-r2/

Where to save the downloaded updates, is it to the first time we download or to create new folder for each group of update - I would leave this to user to sort these things.

What the action will be done, if PC has been re-imaged? should it be added to special collection that will be deployed with all previous windows updates? and then moved to the correct collection? - The aim of post was to show how to deploy windows updates using SCCM. PC being re-imaged is something that doesn't happen frequently and such questions can be answered in the forums. All these possibilities cannot be covered in a single post.
 
Upvote 0 Downvote
Thanks for the reply.
Regarding ADR, I guess it is not the best practice to push any new update to the environment without performing test in PreProduction environment.
My question is what is the best strategy and empowered by example or scenario, that we will clear my mis-understanding if I am the only one is confused with this topic. Also, it will be beneficial for all the attendees of your Forum ;)

I will post another post regarding the Re-imaged PC case. Again Many thanks for the kind cooperation.
 
Upvote 0 Downvote
@Hassan Almanasrah - True. Any updates that you push to prod must be first tested in a test environment. Software update deployment process is always done in two ways, Manual or Automatic. You must determine what deployment strategy to use in your environment. For example, you might create the automatic deployment rule and target a collection of test clients. After you verify that the software updates are installed on the test group, you can change the collection in the automatic deployment rule to a target collection that includes a larger set of clients.

More info here - https://technet.microsoft.com/en-in/library/gg682168.aspx#BKMK_DeploymentWorkflows
 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

  • PENDING Problems after Upgrading to ConfigMgr 2503
  • PENDING MDT integration still working in SCCM 2509?
  • PENDING SCCM failed update, restored but thinks its still on the new version - SQL issue?
  • What's New in Microsoft Intune November 2025 Update
  • PENDING CMG certificate issue HRESULT = 0x80072f8f

    • Forum statistics

    Threads
    7,131
    Messages
    27,848
    Members
    18,145
    Latest member
    Rothgar

    Latest posts

    Trending content
    Back
    Top