SCCM Patching

SCCM can deploy Microsoft patches as well as third-party patches to machines with the SCCM client installed. Patches are deployed much like software: each deployment has a package, a collection, an advertisement, and an AD group.

The components used in patching within SCCM are:

  • WSUS/SUP – The Software Update Point (SUP) is an SCCM site system role installed on a Windows Server Update Services (WSUS) server. Clients scan against it to determine which patches they are missing.
  • SCUP – System Center Updates Publisher (SCUP) is the tool that publishes third-party patches into WSUS so SCCM can deploy them.
  • DP – The Distribution Points are the servers that host the packages, operating system images, and patch content that clients download.
  • SCCM Client – Once the Windows Update Agent on the local machine has scanned against the Software Update Point and determined which patches are needed, the SCCM client downloads them from a Distribution Point and installs them.

Once implemented in production, by default an OU administrator will not have to do anything to have a machine added to the WSUS – Early/Normal/Late collection; membership is based on the targeted group currently assigned to the machine by GPO. By default all computers are members of the Normal group and will receive patches as they do today.

Via SCUP, we also have the ability to patch third-party products such as Adobe, Dell, and HP from vendor-provided, automatically updated catalogs. To receive these updates a computer must be placed in the corresponding software group.

There are three Adobe groups, one for each piece of Adobe software that can be patched: Acrobat, Flash, and Reader.

  • A computer must have Acrobat 10 or above installed to receive patches.
  • Flash can be patched if Flash is already installed or Flash can be installed if there is currently no version on the machine.
  • Reader can be patched but can also be installed.

We also have the ability to patch drivers, BIOS, and firmware on Dell and HP products. When a computer is in either of these two groups it will receive ALL AVAILABLE updates for that hardware model. It is HIGHLY recommended to test thoroughly on a non-production machine before adding production systems to these groups.

Scheduling:

  • OS and application patches will be released according to the current patching schedule.
  • Drivers, BIOS, and firmware will have a longer patching cycle: updates move from Early to Normal after 2 months and from Normal to Late 2 months after that.
  • Patches will be made available starting at 3 P.M. Users will have the ability to install the updates at that time. If patches are not installed by 11:59 P.M. they will auto-install, unless a Maintenance Window is specified, in which case installation waits for that window.
  • If a reboot is needed to complete the installation, users will be notified. By default, computers WILL NOT auto reboot.
  • There are two SCCM Software Update client actions. The first, the Software Updates Scan Cycle, uses the Windows Update Agent to scan against the Software Update Point and determine which patches each machine needs. The second, the Software Updates Deployment Evaluation Cycle, evaluates the deployments targeted at the machine and starts installing required updates whose deadline has passed. When these two actions run is currently set at the site: the first at 2 AM and the second at 2:30 AM. These are only the start times of a two-hour window in which clients check in; each client is randomly delayed so that all clients do not check in at once.
  • As soon as a deployment deadline is reached, machines will start to install patches.
  • If machines have been off (laptops, for example), as soon as they are turned on they will run both update cycles and begin installing any patches past their deadline.
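The two client actions above can be triggered on demand instead of waiting for the 2 AM / 2:30 AM site schedule, which is useful when checking why a machine missed a deadline. The following PowerShell is an added example, not part of the original documentation or of SCCM itself. It runs in an elevated session on a machine with the SCCM client installed (or, with -ComputerName, against a remote host where WinRM is enabled), triggers the scan cycle and then the deployment evaluation cycle through the client's WMI interface using the standard Configuration Manager schedule IDs for those two actions, and then reports each deployed update with its deadline and whether the agent is holding a reboot. The function name and the settle delay are this example's own choices.

```powershell
# Added example, not part of the original SCCM documentation.
# Assumes an elevated session and an installed SCCM client (CcmExec); remote use assumes WinRM.
function Invoke-SccmUpdateCycles {
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        [int]$SettleSeconds = 60   # time to let the scan finish before evaluating deployments
    )

    # Standard Configuration Manager client action schedule IDs.
    $scanCycle       = '{00000000-0000-0000-0000-000000000113}'  # Software Updates Scan Cycle
    $deployEvalCycle = '{00000000-0000-0000-0000-000000000108}'  # Software Updates Deployment Evaluation Cycle

    $cim = New-CimSession -ComputerName $ComputerName

    # Scan first so the deployment evaluation works from fresh compliance results.
    foreach ($id in @($scanCycle, $deployEvalCycle)) {
        Invoke-CimMethod -CimSession $cim -Namespace 'root\ccm' -ClassName 'SMS_Client' `
            -MethodName 'TriggerSchedule' -Arguments @{ sScheduleID = $id } | Out-Null
        Start-Sleep -Seconds $SettleSeconds
    }

    # EvaluationState values of the CCM_SoftwareUpdate client SDK class.
    $state = @{
        0='None'; 1='Available'; 2='Submitted'; 3='Detecting'; 4='PreDownload';
        5='Downloading'; 6='WaitInstall'; 7='Installing'; 8='PendingSoftReboot';
        9='PendingHardReboot'; 10='WaitReboot'; 11='Verifying'; 12='InstallComplete';
        13='Error'; 14='WaitServiceWindow'; 15='WaitUserLogon'; 16='WaitUserLogoff';
        17='WaitJobUserLogon'; 18='WaitUserReconnect'; 19='PendingUserLogoff';
        20='PendingUpdate'; 21='WaitingRetry'; 22='WaitPresModeOff'; 23='WaitForOrchestration'
    }

    # Every update deployed to this client that it still considers applicable, with its deadline.
    $now = Get-Date
    $updates = Get-CimInstance -CimSession $cim -Namespace 'root\ccm\ClientSDK' -ClassName 'CCM_SoftwareUpdate' |
        ForEach-Object {
            $code = [int]$_.EvaluationState
            [pscustomobject]@{
                ArticleID = $_.ArticleID
                Name      = $_.Name
                Deadline  = $_.Deadline
                PastDue   = [bool]($_.Deadline -and $_.Deadline -lt $now)
                State     = if ($state.ContainsKey($code)) { $state[$code] } else { $code }
                Percent   = $_.PercentComplete
            }
        }

    # Machines do not auto-reboot by default, so report whether the agent is holding a reboot.
    $reboot = Invoke-CimMethod -CimSession $cim -Namespace 'root\ccm\ClientSDK' `
        -ClassName 'CCM_ClientUtilities' -MethodName 'DetermineIfRebootPending'

    Remove-CimSession $cim

    [pscustomobject]@{
        Computer          = $ComputerName
        Updates           = @($updates)
        RebootPending     = [bool]$reboot.RebootPending
        HardRebootPending = [bool]$reboot.IsHardRebootPending
    }
}

# Usage: run the cycles locally and list what the client thinks it still needs.
$result = Invoke-SccmUpdateCycles
$result.Updates | Sort-Object Deadline |
    Format-Table ArticleID, Name, Deadline, PastDue, State, Percent -AutoSize
"Reboot pending on $($result.Computer): $($result.RebootPending)"
```

An update listed with PastDue = True and a State other than Installing, PendingSoftReboot or InstallComplete is the one to look at: WaitServiceWindow means a Maintenance Window is deferring it, and Error means the install itself failed and the client logs (UpdatesDeployment.log, UpdatesHandler.log, WUAHandler.log) will have the detail.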

Notifications: Users will not be notified of pending updates. If a reboot is needed to complete installation, the standard Windows Update notification will be displayed asking users to reboot or to delay.

Troubleshooting:

  • If there is an issue with a patch on one or two of your machines, it is recommended that a GPO be set to point those machines back at the legacy WSUS server until a workaround can be found.
  • If a machine shows Client = No in the SCCM console, it will also have to be pointed at the legacy WSUS server until a client is installed.
  • For further assistance email activedirectory_patching@help.ncsu.edu.
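Both troubleshooting steps above come down to the same question: which update server is a given machine actually using, and is the SCCM client present? The following PowerShell is an added example, not part of the original documentation. It reads the Windows Update policy values that a "Specify intranet Microsoft update service location" GPO writes (WUServer, WUStatusServer and UseWUServer), checks for the CcmExec service, and looks in the client's WUAHandler.log for the message the SCCM client logs when a domain GPO overrides its own WSUS setting. The function name, the -LegacyWsusUrl value and the log path (the client's default) are this example's assumptions; substitute the real legacy WSUS URL.

```powershell
# Added example, not part of the original SCCM documentation.
# Assumes local admin rights; remote use assumes WinRM. The default URL below is a placeholder.
function Get-UpdateSourceStatus {
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        [string]$LegacyWsusUrl = 'http://legacy-wsus.example.edu:8530'   # placeholder, not a real server
    )

    $probe = {
        param($legacy)
        $wuPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'

        # Values written by the WSUS location GPO (and by the SCCM client when it manages updates).
        $wu = Get-ItemProperty -Path $wuPolicy -ErrorAction SilentlyContinue
        $au = Get-ItemProperty -Path "$wuPolicy\AU" -ErrorAction SilentlyContinue

        # The CcmExec service exists only once the SCCM client is installed ("Client = Yes").
        $ccm = Get-Service -Name CcmExec -ErrorAction SilentlyContinue

        # If a domain GPO and the SCCM client disagree about WUServer, WUAHandler.log says so.
        $log = 'C:\Windows\CCM\Logs\WUAHandler.log'   # default client log location (assumption)
        $conflict = $false
        if (Test-Path $log) {
            $conflict = [bool](Select-String -Path $log -Pattern 'overwritten by a higher authority' -Quiet)
        }

        $normalize = { param($u) if ($u) { $u.Trim().TrimEnd('/').ToLowerInvariant() } }
        $useWu = [int]$au.UseWUServer

        [pscustomobject]@{
            Computer            = $env:COMPUTERNAME
            WUServer            = $wu.WUServer
            WUStatusServer      = $wu.WUStatusServer
            UseWUServer         = $useWu
            PointsAtLegacyWsus  = (($useWu -eq 1) -and ((& $normalize $wu.WUServer) -eq (& $normalize $legacy)))
            SccmClientInstalled = [bool]$ccm
            CcmExecStatus       = if ($ccm) { $ccm.Status.ToString() } else { 'NotInstalled' }
            PolicyConflictInLog = $conflict
        }
    }

    if ($ComputerName -eq $env:COMPUTERNAME) {
        & $probe $LegacyWsusUrl
    } else {
        Invoke-Command -ComputerName $ComputerName -ScriptBlock $probe -ArgumentList $LegacyWsusUrl
    }
}

# Usage: verify that a machine you moved back to legacy WSUS by GPO really took the change.
Get-UpdateSourceStatus -ComputerName 'lab-pc-01' -LegacyWsusUrl 'http://legacy-wsus.example.edu:8530' |
    Format-List
```

PointsAtLegacyWsus = True with UseWUServer = 1 confirms the GPO applied. SccmClientInstalled = False matches a Client = No entry in the console. PolicyConflictInLog = True on a machine that still has the client means the domain GPO and the SCCM client are fighting over WUServer, so the machine will flip between the two sources until the client is removed or the GPO is lifted.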