Streamlining Windows Updates with SCCM

As I sat down to write this article, news broke of yet another major flaw affecting Windows systems. This time it is a remote code execution vulnerability in Remote Desktop that an attacker could exploit via a worm, which makes it a particularly dangerous flaw (view the details of this vulnerability). So it's time to get patched! The WannaCry and Petya ransomware outbreaks, which exposed system patching as one of the biggest security issues, happened 2 years ago. System administrators and security professionals got a serious, terrifying wakeup call regarding the state of their system updates. About 6 months after the attack, I wrote an article pushing for the use of SCCM as the core of a managed patching solution for most businesses. Since then SCCM has continued to grow and change. In this article, I will cover 3 features in SCCM that will help you streamline the deployment of Windows Updates.

Automatic Deployment Rules

Automatic Deployment Rules (ADRs) are the core of a managed update process in SCCM. An ADR automates 3 portions of the process:

  1. Creates/updates a Software Update Group – this group is built from the criteria chosen during the ADR setup. It contains the updates that are relevant to the systems being managed, such as all Windows Server 2016 updates.
  2. Creates/updates a Deployment – the Deployment is what connects the Software Update Group to the appropriate Collection of systems.
  3. Adds the updates to the package referenced in the ADR – this ensures that the update content is made available to the systems so they can install it.

Well thought out ADRs lead to a highly automated process for Windows Updates. Automation reduces complexity, enhances consistency, and provides the basis for compliance.
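The three actions above can be expressed in a single cmdlet call from the ConfigurationManager PowerShell module that ships with the console. The following is an added example, not code from the article: it assumes site code P01, an existing Collection named "Servers - Windows Server 2016" and an existing deployment package named "Updates - WS2016" (all constructed names), and uses the cmdlet and parameter names as documented for the module; check them against the module version installed with your console before relying on it.

```powershell
# Added example (not from the article): one ADR that builds/updates a Software Update Group,
# creates/updates a Deployment to a Collection, and downloads content into an existing package.
# Site code "P01" and the collection/package names are constructed for this example.
Import-Module ($env:SMS_ADMIN_UI_PATH.Substring(0, $env:SMS_ADMIN_UI_PATH.Length - 5) + '\ConfigurationManager.psd1')
Set-Location 'P01:'

$adr = @{
    Name                             = 'ADR - Windows Server 2016 Security and Critical'
    CollectionName                   = 'Servers - Windows Server 2016'   # target Collection (assumed to exist)
    DeploymentPackageName            = 'Updates - WS2016'                 # package that receives the content (assumed to exist)
    # Criteria that select which updates land in the Software Update Group
    Product                          = 'Windows Server 2016'
    UpdateClassification             = 'Security Updates', 'Critical Updates'
    DateReleasedOrRevised            = 'Last1Month'
    Superseded                       = $false                             # skip updates already replaced by newer ones
    AddToExistingSoftwareUpdateGroup = $true                              # keep one SUG per rule; new updates are added to it
    # When the rule runs: immediately after each software update point synchronization
    RunType                          = 'RunTheRuleAfterAnySoftwareUpdatePointSynchronization'
    EnabledAfterCreate               = $true
    # Deployment settings: available at once, required within 7 days
    AvailableTime                    = 0
    AvailableTimeUnit                = 'Hours'
    DeadlineTime                     = 7
    DeadlineTimeUnit                 = 'Days'
    UserNotification                 = 'DisplayAll'
    DeployWithoutLicense             = $true                              # do not stall on unaccepted license terms
}
New-CMSoftwareUpdateAutoDeploymentRule @adr

# Confirm the rule exists; the Software Update Group and Deployment appear after the first run.
Get-CMSoftwareUpdateAutoDeploymentRule -Name $adr.Name | Select-Object Name, AutoDeploymentEnabled
```

Running the rule after every synchronization, with AddToExistingSoftwareUpdateGroup set, gives you one growing Software Update Group per platform rather than a new group every month, which keeps the compliance view simple. Filtering out superseded updates keeps the package from filling with content that clients will never install.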

Maintenance Windows

In a current SCCM deployment there are 3 Maintenance Window types: All Deployments, Task Sequences, and Software Updates. The relevant type in this case is the Software Updates Maintenance Window. Maintenance Windows are created through the console and applied to Collections. They are then enforced by the SCCM client on the individual system. The Maintenance Window prevents deployments from being executed except during the specified times. Implementing appropriate Maintenance Windows ensures that updates are deployed on an acceptable schedule while keeping systems accessible.
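The same Software Updates Maintenance Window can be applied to a Collection from PowerShell. This is an added example, not code from the article; it assumes site code P01 and the constructed Collection name "Servers - Windows Server 2016", and uses New-CMSchedule and New-CMMaintenanceWindow as documented for the ConfigurationManager module (verify against your module version).

```powershell
# Added example (not from the article): a weekly Software Updates-only Maintenance Window,
# Saturdays 02:00-06:00 local time, applied to a server Collection.
# Site code "P01" and the collection name are constructed for this example.
Import-Module ($env:SMS_ADMIN_UI_PATH.Substring(0, $env:SMS_ADMIN_UI_PATH.Length - 5) + '\ConfigurationManager.psd1')
Set-Location 'P01:'

$collection = 'Servers - Windows Server 2016'

# Weekly recurrence (-DayOfWeek with -RecurCount 1 = every week), 4-hour window starting 02:00.
$schedule = New-CMSchedule -Start (Get-Date '2019-06-01 02:00') `
                           -DayOfWeek Saturday -RecurCount 1 `
                           -DurationInterval Hours -DurationCount 4

# -ApplyTo SoftwareUpdatesOnly selects the Software Updates window type; Task Sequences
# and other deployments are unaffected by this window.
New-CMMaintenanceWindow -CollectionName $collection `
                        -Name 'MW - Sat 02:00-06:00 - Software Updates' `
                        -Schedule $schedule `
                        -ApplyTo SoftwareUpdatesOnly `
                        -IsEnabled $true

# Review every window that now governs the Collection; a system in several Collections
# is subject to the union of their windows, so check overlapping memberships here.
Get-CMMaintenanceWindow -CollectionName $collection |
    Select-Object Name, Description, IsEnabled, ServiceWindowType
```

A practical check before relying on a window: make sure its duration covers the longest update installation you expect, including the restart, otherwise the client will hold the installation for the next window and the deadline slips.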

Phased Deployments

Phased Deployments for Task Sequences came to SCCM as a pre-release feature in SCCM 1802. They became a fully released feature for both Task Sequences and application deployments in SCCM 1806. Starting in SCCM 1810, Phased Deployments have been enabled for Windows Updates as well. Phased Deployments present another approach to managing updates.

First, it should be noted that you cannot use an Automatic Deployment Rule with a Phased Deployment; they work differently and are separate from one another.

Phased Deployments start after a Software Update Group (SUG) is created. Once you’ve got a SUG, you can create a Phased Deployment. There are 2 ways to set up a Phased Deployment:

  1. Automatically create a two phase deployment – this option allows you to choose 2 Collections and apply settings for implementation.
  2. Manually configure all phases – this option lets you create multiple phases if, for instance, you need to do a pilot, test group, and multiple production phases.

Once you've chosen the path you'll use for configuration, you'll need to determine what percentage of update deployments must succeed before each phase is considered successful. The default is 95% success, and this determines when successive phases will be allowed to begin. For example, if the first phase is 95% successful, defer the second phase for 7 days and then begin that deployment.

Using Phased Deployments, you have a managed rollout and a way of automatically delaying the process if the updates aren't deploying successfully. The deferral period also provides time to confirm that the first phase of the deployment hasn't impacted the systems.
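The two-phase setup described above (95% success in the pilot, then a 7-day deferral before production) looks like this in PowerShell. It is an added example, not code from the article; it assumes site code P01, an existing Software Update Group named "SUG - 2019-06 Servers" and the constructed Collection names "Servers - Pilot" and "Servers - Production", and uses New-CMSoftwareUpdatePhasedDeployment with the parameter names documented for SCCM 1810 and later (verify against your module version). Because an ADR cannot feed a Phased Deployment, the script checks that the Software Update Group already exists before creating anything.

```powershell
# Added example (not from the article): automatic two-phase deployment of an existing
# Software Update Group, pilot first, production 7 days after the pilot reaches 95% success.
# Site code "P01", the SUG name and the collection names are constructed for this example.
Import-Module ($env:SMS_ADMIN_UI_PATH.Substring(0, $env:SMS_ADMIN_UI_PATH.Length - 5) + '\ConfigurationManager.psd1')
Set-Location 'P01:'

$sugName = 'SUG - 2019-06 Servers'

# Phased Deployments start from a SUG that already exists; an ADR cannot create one for them.
$sug = Get-CMSoftwareUpdateGroup -Name $sugName
if (-not $sug) {
    throw "Software Update Group '$sugName' not found. Create it first (for example from the console or Add-CMSoftwareUpdateToGroup)."
}

$phased = @{
    SoftwareUpdateGroupName      = $sugName
    Name                         = "Phased - $sugName"
    Description                  = 'Pilot, then production after 7-day deferral'
    FirstCollectionName          = 'Servers - Pilot'        # phase 1
    SecondCollectionName         = 'Servers - Production'   # phase 2
    # Success criteria for phase 1: 95% of targeted systems must report success
    CriteriaOption               = 'Compliance'
    CriteriaValue                = 95
    # Phase 2 starts automatically, 7 days after phase 1 meets the criteria
    BeginCondition               = 'AfterPeriod'
    DaysAfterPreviousPhaseSuccess = 7
    # Within each phase, installation becomes required 7 days after the phase begins
    DeadlineUnit                 = 'Days'
    DeadlineValue                = 7
}
New-CMSoftwareUpdatePhasedDeployment @phased

# Confirm the phased deployment was recorded against the SUG.
Get-CMSoftwareUpdatePhasedDeployment -Name $phased.Name | Select-Object Name, Description
```

If the pilot never reaches 95%, phase 2 simply never starts, which is the safety valve the article describes; the monitoring node in the console shows which phase is active and why the next one is waiting. Keep the pilot Collection representative of production (same OS versions and roles), otherwise a clean pilot says little about the second phase.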

Bottom line – SCCM provides a wealth of options for managing Windows updates and automating the process. And we haven’t touched on compliance reporting, third-party patching options, Operating System Deployment, Application Deployments, etc. There is a LOT to recommend SCCM as the tool of choice for managing your Windows update process and more.
