SCCM has the ability to deploy Microsoft patches as well as third party patches to machines with the SCCM client installed. Patches are deployed much like software. There is a package, collection, advertisement, and AD group.
The components used in patching within SCCM are:
- WSUS/SUP – The Software Update Point (SUP) is an SCCM-integrated Windows Server Update Services (WSUS) installation used in the detection of patches on client machines.
- SCUP – The System Center Update Publisher (SCUP) is the tool to allow the integration of third-party patches into WSUS and SCCM.
- DP – The Distribution Points are the set of servers that push out packages, operating systems, and patches in SCCM.
- SCCM Client – Once the Automatic Updates service on the local machine has determined the list of patches needed from the Software Update Point, the SCCM client contacts the Distribution Point to download and install them.
Once implemented in production, by default an OU administrator won’t have to do anything to have a machine added to the WSUS – Early/Normal/Late collection; membership is based upon the targeted group currently assigned to the machine by GPO. By default all computers are members of the Normal group and will receive patches as they normally do.
Via SCUP, we also have the ability to patch third party products such as Adobe, Dell, and HP from vendor-provided, automatically updated catalogs. In order to receive these updates your computer will need to be put into a software group.
There are three Adobe groups, one for each piece of Adobe software that can be patched: Acrobat, Flash, and Reader.
- A computer must have Acrobat 10 or above installed to receive patches.
- Flash can be patched if it is already installed, or installed if there is currently no version on the machine.
- Reader can be patched but can also be installed.
We also have the ability to patch drivers, BIOS, and firmware on Dell and HP products. When a computer is in either of the two groups it will receive ALL AVAILABLE updates for that computer’s hardware. It is HIGHLY recommended to test thoroughly.
- OS and application patches will be released according to the current patching schedule.
- Drivers, BIOS, and firmware will have a longer patching cycle with patches moving from Early to Normal after 2 months and to Late 2 months after that.
- Patches will be made available starting at 3 P.M. Users will have the ability to install the updates at that time. If patches are not installed by 11:59 P.M., they will auto install unless a Maintenance Window is specified.
- If a reboot is needed to complete the installation users will be notified. By default, computers WILL NOT auto reboot.
- There are two SCCM Software Update actions. The first, the Software Updates Scan Cycle, uses the Windows Update Agent to determine which patches your machines need. The second, the Software Updates Deployment Evaluation Cycle, is when the updates are actually installed. Currently the schedule for these two actions is set at the site level: the first runs at 2 AM and the second at 2:30 AM. These are the start times of a two-hour window in which clients check in; each client is randomly delayed so that all clients are not checking in at the same time.
- As soon as the deadline is reached machines will start to install patches.
- If machines have been off, like in the case of laptops, as soon as they are turned on they will run both update cycles and begin installing patches.
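As an added example (not part of the original page), the following PowerShell triggers the two client actions described above on the local machine and then lists the updates the client knows about with their install state and deadline. It uses the well-known SMS_Client schedule IDs for the Software Updates Scan Cycle and the Software Updates Deployment Evaluation Cycle and requires an elevated session on a machine with the SCCM client installed.

```powershell
# Added example: trigger the two SCCM Software Update actions and report the result.
# Well-known SMS_Client schedule IDs for the two actions described on this page.
$ScanCycle      = '{00000000-0000-0000-0000-000000000113}'  # Software Updates Scan Cycle
$DeploymentEval = '{00000000-0000-0000-0000-000000000108}'  # Software Updates Deployment Evaluation Cycle

function Invoke-CcmUpdateCycles {
    # Same order the client uses on its own schedule: scan first, then evaluate deployments.
    foreach ($id in $ScanCycle, $DeploymentEval) {
        Invoke-CimMethod -Namespace 'root\ccm' -ClassName 'SMS_Client' `
            -MethodName 'TriggerSchedule' -Arguments @{ sScheduleID = $id } | Out-Null
    }
}

# Readable names for the CCM_SoftwareUpdate EvaluationState values seen most often.
$EvalState = @{ 0 = 'None'; 1 = 'Available'; 5 = 'Downloading'; 6 = 'WaitInstall'
                7 = 'Installing'; 8 = 'PendingSoftReboot'; 9 = 'PendingHardReboot'
                12 = 'InstallComplete'; 13 = 'Error' }

function Get-CcmPendingUpdates {
    # The client SDK namespace exposes every update targeted at this machine.
    Get-CimInstance -Namespace 'root\ccm\ClientSDK' -ClassName 'CCM_SoftwareUpdate' |
        ForEach-Object {
            $state = [int]$_.EvaluationState
            [pscustomobject]@{
                KB       = $_.ArticleID
                Name     = $_.Name
                State    = if ($EvalState.ContainsKey($state)) { $EvalState[$state] } else { $state }
                Deadline = $_.Deadline   # mandatory-install time from the deployment; empty if only Available
            }
        }
}

Invoke-CcmUpdateCycles
Start-Sleep -Seconds 60   # scan and evaluation run asynchronously; give them a moment
Get-CcmPendingUpdates | Sort-Object Deadline | Format-Table -AutoSize
```

A machine showing updates in PendingSoftReboot or PendingHardReboot state has installed patches and is waiting on the reboot the user is notified about, since computers do not auto reboot by default.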
Notifications: Users will not be notified of pending updates. If a reboot is needed to complete installation the standard Windows Update Notification will be displayed asking users to reboot or to delay.
Windows 10 Upgrades
Starting with Windows 10 Microsoft developed a servicing model that releases two versions of the operating system each year.
When first released, Microsoft called its releases Current Branch (CB) and Current Branch for Business (CBB). Those names were later replaced with Semi-Annual Channel (Targeted) and Semi-Annual Channel (Broad).
New versions of the operating system are first released to Current Branch / Semi-Annual Channel (Targeted). When new releases are made available for download, they are usually made available as Upgrades in WSUS/SCCM a week later. Once available in WSUS/SCCM, Upgrades are deployed to computers in the Early group. The deployments are made Available for two months to allow individual users, groups, or departments time to test the upgrade process as well as application compatibility. After two months, Upgrades become mandatory.
For example: Windows 10 1904 becomes available on April 1st. The 1904 Upgrade is deployed to the Early group with an available time of immediate and a deadline of June 1st at 3 AM.
On June 1st at 3 AM if a machine is on it will begin the install process. To complete the Upgrade a machine will need to be rebooted. SCCM WILL NOT automatically reboot a machine for Upgrades. The next time the machine reboots the Upgrade process will complete. On average it takes between 30 and 60 minutes for an Upgrade to complete. During that time the machine will be unusable.
If on June 1st at 3 AM a machine is turned off, the next time the machine is booted the Upgrade process will start. On average it takes between 30 and 60 minutes for an Upgrade to complete. During that time the machine will be unusable.
The time between something being released to Semi-Annual Channel (Targeted) and Semi-Annual Channel (Broad) is between three and four months. Once something is released to Semi-Annual Channel (Broad) and is available in WSUS/SCCM, Upgrades are deployed to computers in the Normal and Late groups. The deployments are made available for two months to allow individual users, groups, or departments time to test the upgrade process as well as application compatibility. After two months, Upgrades become mandatory.
For example: Windows 10 1904 becomes available to Semi-Annual Channel (Broad) on July 1st. The 1904 Upgrade is deployed to the Normal and Late groups with an available time of immediate and a deadline of September 1st at 3 AM.
On September 1st at 3 AM if a machine is on it will begin the install process. To complete the Upgrade a machine will need to be rebooted. SCCM WILL NOT automatically reboot a machine for Upgrades. The next time the machine reboots the Upgrade process will complete. On average it takes between 30 and 60 minutes for an Upgrade to complete. During that time the machine will be unusable.
A SysNews post will be made before deployments to the Early and Normal/Late groups. The SysNews post will contain an available time and date as well as a deadline time and date.
To review Microsoft’s release information please visit the link below:
- If there is an issue with a patch for one or two of your machines, it is recommended that a GPO be set to point those machines back at the legacy WSUS server until a workaround can be found.
- If a machine shows Client = No in the SCCM console, it will also have to be pointed at the legacy WSUS server until a client is installed.
- For further assistance email firstname.lastname@example.org.
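To check which of the two fallback cases above applies to a machine, the following added PowerShell (not from the original page) reports whether the SCCM client is present and which update server the machine is currently pointed at. The legacy WSUS address is a placeholder and must be replaced with the real server name.

```powershell
# Added example: report SCCM client presence and the Windows Update server a machine uses.
$LegacyWsus = 'http://legacy-wsus.example.org:8530'   # placeholder for the legacy WSUS server

function Get-UpdateSourceStatus {
    $wuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    $wu  = Get-ItemProperty -Path $wuKey        -ErrorAction SilentlyContinue
    $au  = Get-ItemProperty -Path "$wuKey\AU"   -ErrorAction SilentlyContinue
    $ccm = Get-Service      -Name 'CcmExec'     -ErrorAction SilentlyContinue  # SMS Agent Host

    # The SCCM client writes its Software Update Point into WUServer through local policy.
    # A domain GPO that points WUServer at legacy WSUS overrides it, so SCCM update scans
    # stop on that machine: intended for the workaround above, but remove the GPO once the
    # machine is meant to return to SCCM patching.
    [pscustomobject]@{
        ComputerName   = $env:COMPUTERNAME
        SccmClient     = if ($ccm) { "$($ccm.Status)" } else { 'Not installed (Client = No)' }
        UseWUServer    = [bool]$au.UseWUServer
        WUServer       = $wu.WUServer
        WUStatusServer = $wu.WUStatusServer
        PointsAtLegacy = ($wu.WUServer -eq $LegacyWsus)
        GpoOverridesSccm = [bool]($ccm -and $wu.WUServer -eq $LegacyWsus)
    }
}

Get-UpdateSourceStatus | Format-List
```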