New Microsoft Update Model & SCCM Automatic Deployment Rule Filters

-
When Microsoft introduced the new Windows servicing changes in 2016, everyone was confused. Why are we all being forced to change the way we have managed updates for years? Change is bad!

There are three types of monthly updates for the impacted products (my opinion for enterprise use is color coded, green good / red bad) in the new monthly update model:
  • Option 1 is the Security Only Quality Update which is just security updates for the month.
  • Option 2 is the Security Monthly Quality Rollup which contains updates for the month, along with all previous months back to October 2016... think of this like a monthly service pack.
  • Option 3 is the Preview of Monthly Quality Rollup which is released one week after Patch Tuesday and contains everything from Option 2, along with a preview of all the non-security features slated for Option 2 next month. Think of this like a beta or early release.
Products impacted by these update models: 
  • Windows 7 / Server 2008 (and higher)
  • .NET Framework,
  • Internet Explorer
    • Included in Windows Security Monthly Quality Rollup, but not included in the Security Only Quality Update.
    • Updates minor revisions only, it won't do an upgrade from IE 10 to IE 11 for you as this is a major revision.
How do you make an Automatic Deployment Rule that only includes the Security Monthly Quality Rollup? Create your rule and set the filtering on the Title of the update to exclude Security Only, Preview, and then non-rollup updates for .NET and IE. Set your rule to run every second Tuesday and you're good to go! Here is an example rule for Windows Server 2012 R2 that will pull the Security Monthly Quality Rollup for Windows & .NET along with the Windows Malicious Software Removal Tool and a few other pre-October 2016 updates.
*Title filtering says to use the syntax -"Preview" as opposed to -%Preview% but the % method seems to work a million times better when filtering out a particular keyword or phrase.

What happens if you deploy the Security Only Quality Update and the Security Monthly Quality Rollup at the same time? Each of these requires a reboot after installation and if there is a reboot pending, whatever one runs second will have to wait until after that reboot occurs. Once the first update runs, the SCCM client reports back to the site that the first update was successful (flags it as compliant on reporting), but the second update is either failed or still pending (flags it as required on reporting throwing off the compliance numbers for that deployment package) until the reboot has completed and the SCCM client realizes it already has all the updates in either update.

 Another great article on the new update methodology can be found on Microsoft's Enterprise Mobility & Security Blog.


Want to find some great custom reports for update compliance reporting by collections? Check out this great custom dashboard that shows update compliance over at https://sccm-zone.com/sccm-dashboard-498dcdfd2e62

Comments

  1. Rudy | Twitter: @PHYSX51June 29, 2017 at 8:48 AM

    ADR filter for Windows 7 Security Monthly Quality Rollup:

    Product: "Windows 7"
    Required: >=1
    Superseded: No
    Title: -%Security Only% OR -%Preview% OR -%Security Update For Microsoft .NET% OR -%Cumulative Security Update For Internet Explorer% OR -%Update for Windows 7%

    ReplyDelete

Post a Comment

Popular posts from this blog

CMPivot to check Services and start them (with a little help)

-
Image
Have you ever needed to get a really fast real-time look at if a service is running on a set of servers or workstations? Open CMPivot against a collection, type in your query, and send it. Seconds later you get real-time answers to your query for any online device. Queries for CMPivot run on 42 devices at once, until all devices you're querying have responded.  The last time my organization did server updates, I (and a trusty super awesome coworker) had to verify if a couple of SQL services were running on a small collection of servers. As we were manually checking these one by one, I came up with the idea that it would be incredibly helpful to use CMPivot.  The below query in CMPivot will return all devices where a SERVICE with the name containing SQL is NOT RUNNING and the service's start type is AUTO. In other words, if a service with SQL in the same is supposed to be automatically running and it's not, this query tells us. Service | where Name contains 'sql'
Read more

Run Scripts with Parameters in MEMCM (R.I.P. SCCM)

-
Image
How do you use Parameters in MEMCM's (R.I.P. SCCM) Run Scripts? How do you use Parameters on the Run Scripts  feature? You get three guesses, but the first two don't count. That's right, you create a script with standard PowerShell Parameters and you build it out in MEMCM. In your MEMCM console, navigate to Software Library > Overview > Scripts. If you're not familiar with Run Scripts  in MEMCM, check out my previous Blog articles on it. Click on Create Script . In the Create Script Wizard  that pops up input a Script Name , pick between PowerShell or PowerShell in your Script Language , import or paste in your script with Parameters, and click on Next . My demo script for this article ( scroll alllll the way down, it's at the bottom ) is about an 8 out of 10 on the cool factor, and about a 3 out of 10 on the usefulness factor. Long story short, the script will make a computer talk. There are two Parameters that you can input, one for "what do y
Read more

SCCM CMPivot and Run Scripts

-
Image
What is CMPivot? What are Scripts? Why do I care about either of them? I recently attended MMS 2019 and took a great session from Jason Sandys and Tom Degreef on CMPivot and Run Scripts. They dove deep into the technical aspects of both of these somewhat new "fast channel" features of SCCM. Full disclaimer: I do not know everything and I may occasionally not know as much as you. Test everything you see here on a LAB environment and make sure you fully understand it. If you have any suggestions for improving this post, please feel free to drop a comment and I'll give you some kudos for your edit. Over simplified, CMPivot is a near real-time (not milliseconds, but usually seconds, and definitely no more than a few minutes) way to query information about your systems. You can find out literally anything about any system within your reach. Scripts pairs nicely with CMPivot because it is a real-time way to run scripts against your query results, or just another old col
Read more